Skip to main content Link Menu Expand (external link) Document Search Copy Copied

Create the Application Gateway resources

You are now ready to create an Application Gateway instance to expose your application to the internet. You will also need to create a WAF policy, when you use the WAF_v2 sku for Application Gateway. You can use the following guidance to perform this task:

An Application Gateway resource needs a dedicated subnet to be deployed into, however, you already created this subnet at the beginning of this exercise.

Step by step guidance

  1. An Application Gateway instance also needs a public IP address, which you will create next by running the following commands from the Git Bash shell:

    APPLICATION_GATEWAY_PUBLIC_IP_NAME=pip-$APPNAME-app-gw
    az network public-ip create \
        --resource-group $RESOURCE_GROUP \
        --location $LOCATION \
        --name $APPLICATION_GATEWAY_PUBLIC_IP_NAME \
        --allocation-method Static \
        --sku Standard \
        --dns-name $DNS_LABEL
    
  2. In addition, an Application Gateway instance also needs to have access to the self-signed certificate in your Key Vault. To accomplish this, you will create a managed identity associated with the Application Gateway instance and retrieve the object ID of this identity.

    APPGW_IDENTITY_NAME=id-$APPNAME-appgw
    az identity create \
        --resource-group $RESOURCE_GROUP \
        --name $APPGW_IDENTITY_NAME
    
    APPGW_IDENTITY_CLIENTID=$(az identity show --resource-group $RESOURCE_GROUP --name $APPGW_IDENTITY_NAME --query clientId --output tsv)
    APPGW_IDENTITY_OID=$(az ad sp show --id $APPGW_IDENTITY_CLIENTID --query id --output tsv)
    
  3. You can now reference the object ID when granting the get and list permissions to the Key Vault secrets and certificates.

    az keyvault set-policy \
        --name $KEYVAULT_NAME \
        --resource-group $RESOURCE_GROUP \
        --object-id $APPGW_IDENTITY_OID \
        --secret-permissions get list \
        --certificate-permissions get list
    

    It might be that this step fails with an unauthorized in case you use a subscription that has additional policy settings and when you run these steps from a codespace. To recover from this error, re-execute these steps in a cloud shell. This should succeed.

    In order for this implementation to work, the Application Gateway instance requires access to certificate and secrets in the Azure Key Vault instance.

  4. Next, you need to retrieve the ID of the self-signed certificate stored in your Key Vault (you will use it in the next step of this task).

    KEYVAULT_SECRET_ID_FOR_CERT=$(az keyvault certificate show --name $CERT_NAME_IN_KV --vault-name $KEYVAULT_NAME --query sid --output tsv)
    
  5. Before you can create the Application Gateway, you will also need to create the WAF policy for the gateway.

     WAF_POLICY_NAME=waf-$APPNAME-$UNIQUEID
     az network application-gateway waf-policy create \
         --name $WAF_POLICY_NAME \
         --resource-group $RESOURCE_GROUP
    
  6. With all relevant information collected, you can now provision an instance of Application Gateway.

    APPGW_NAME=agw-$APPNAME-$UNIQUEID
    
    az network application-gateway create \
        --name $APPGW_NAME \
        --resource-group $RESOURCE_GROUP \
        --location $LOCATION \
        --capacity 2 \
        --sku WAF_v2 \
        --frontend-port 443 \
        --http-settings-cookie-based-affinity Disabled \
        --http-settings-port 8080 \
        --http-settings-protocol Http \
        --public-ip-address $APPLICATION_GATEWAY_PUBLIC_IP_NAME \
        --vnet-name $VIRTUAL_NETWORK_NAME \
        --subnet $APPLICATION_GATEWAY_SUBNET_NAME \
        --servers $AKS_MC_LB_INTERNAL_FE_IP1 \
        --key-vault-secret-id $KEYVAULT_SECRET_ID_FOR_CERT \
        --identity $APPGW_IDENTITY_NAME \
        --priority "1" \
        --waf-policy $WAF_POLICY_NAME
    

    Wait for the provisioning to complete. This might take about 5 minutes.