
Azure Application Gateway Deployment Manual

1. Introduction

This manual provides documentation for deploying an Azure Application Gateway using Terraform. The Application Gateway is a critical component for managing and securing web traffic to applications hosted in Azure.

Provisioning using Terraform

The shared-infra repo contains the code to provision the Application Gateway.

Notes

Remember that the Application Gateway is enabled by default (appgw_enabled defaults to true). Because we are using a Kubernetes cluster, and reg1-shared-infra is the repo that provisions it, we always keep this variable set to false in this repo. Set the variable through tfvars:

appgw_enabled = false

The Terraform file contains:

  1. Public IP: provisioning of the public IP for the Application Gateway.
  2. Identity: a user-assigned identity that is associated with the Application Gateway and granted a Key Vault access policy; the policy is attached in [key_vault.tf].
  3. Application Gateway: provisioning of the gateway itself, including the public IP configuration, backend pool, SSL certificate (stored in Key Vault), SSL policy, backend protocol settings (backend_http_settings), listener, routing rules and health probe.

2. Resource Configuration

Public IP Address

The code deploys an Azure Public IP Address with the following characteristics:

  • Name: "appgw-${var.tags.environment}-${var.common_tags.region}-001-pip"
  • Allocation Method: Static
  • SKU: Standard

User-Assigned Identity

The code creates a User-Assigned Identity with the following configuration:

  • Name: "appgw-identity-${var.tags.environment}-${var.common_tags.region}-001"

Azure Application Gateway

The Azure Application Gateway is configured as follows:

  • Name: "appgw-${var.tags.environment}-${var.common_tags.region}-001"
  • SKU: WAF_v2 (Web Application Firewall, version 2)
  • Tier: WAF_v2
  • Capacity: 2
  • Identity: User-Assigned Identity
  • Gateway IP Configuration: Utilizes the previously created Public IP Address
  • Frontend Port: Configured to listen on port 443
  • Frontend IP Configuration: Links to the Public IP Address
  • Backend Address Pool: Configured for backend services
  • SSL Certificate: Uses a certificate from Azure Key Vault
  • SSL Policy: Specifies a predefined SSL policy with TLSv1.2
  • Backend HTTP Settings: Defines settings for the backend services
  • HTTP Listeners: Configure listeners for HTTP traffic
  • Request Routing Rules: Define routing rules to direct traffic
  • Probes: Specify probes for health monitoring

3. Resource Details

Public IP Address

The Azure Public IP Address is essential for accessing the Application Gateway from the internet. It is assigned a static IP address to ensure consistency.

Identity

A User-Assigned Identity is created for the Application Gateway, allowing it to securely access other Azure resources.

Application Gateway

The Application Gateway serves as a load balancer and provides security features such as the Web Application Firewall (WAF) to protect web applications. It is configured with listeners, SSL termination, routing rules, and health probes.

4. Benefits

  • Enhanced security for web applications with the Web Application Firewall (WAF).
  • Load balancing and traffic routing capabilities for improved application availability.
  • Centralized SSL certificate management from Azure Key Vault.
  • Efficient management of backend services with private endpoints.
  • Implemented access controls and audit logging for the Application Gateway resources.

5. Security Best Practices

  • Ensure regular updates to SSL/TLS policies.
  • Regularly review and update WAF rules to protect against new threats.

6. Example Usage

Here is an example of how to use the provided Terraform code:

# Define the Azure Public IP Address (static, Standard SKU, as required by a v2 gateway)
resource "azurerm_public_ip" "pip" {
  name                = "appgw-${var.tags.environment}-${var.common_tags.region}-001-pip"
  resource_group_name = azurerm_resource_group.main.name
  location            = azurerm_resource_group.main.location
  allocation_method   = "Static"
  sku                 = "Standard"
}
# Define the User-Assigned Identity the gateway uses to read its certificate from Key Vault
resource "azurerm_user_assigned_identity" "appgw_identity" {
  name                = "appgw-identity-${var.tags.environment}-${var.common_tags.region}-001"
  resource_group_name = azurerm_resource_group.main.name
  location            = azurerm_resource_group.main.location
  tags                = merge(var.tags, var.common_tags)
}
# Define the Azure Application Gateway; the WAF policy it attaches to is defined elsewhere in the repo
resource "azurerm_application_gateway" "appgw" {
  name                = "appgw-${var.tags.environment}-${var.common_tags.region}-001"
  resource_group_name = azurerm_resource_group.main.name
  location            = azurerm_resource_group.main.location
  firewall_policy_id  = azurerm_web_application_firewall_policy.waf.id
  sku {
    name     = "WAF_v2"
    tier     = "WAF_v2"
    capacity = 2
  }
  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.appgw_identity.id]
  }
  gateway_ip_configuration {
    name      = "appgw-${var.tags.environment}-${var.common_tags.region}-001-ip"
    subnet_id = module.vnet.vnet_subnets[4]
  }
  frontend_port {
    name = "https-443"
    port = 443
  }
  frontend_ip_configuration {
    name                 = "appgw-frontend-ip"
    public_ip_address_id = azurerm_public_ip.pip.id
  }
  backend_address_pool {
    name = "backend-pool"
  }
  # Certificate stored in Key Vault; the secret id is passed in via tfvars (variable name assumed)
  ssl_certificate {
    name                = "appgw-cert"
    key_vault_secret_id = var.appgw_cert_secret_id
  }
  backend_http_settings {
    name                  = "https-settings"
    cookie_based_affinity = "Disabled"
    port                  = 443
    protocol              = "Https"
  }
  http_listener {
    name                           = "https-listener"
    frontend_ip_configuration_name = "appgw-frontend-ip"
    frontend_port_name             = "https-443"
    protocol                       = "Https"
    ssl_certificate_name           = "appgw-cert"
  }
  request_routing_rule {
    name                       = "https-rule"
    priority                   = 100
    rule_type                  = "Basic"
    http_listener_name         = "https-listener"
    backend_address_pool_name  = "backend-pool"
    backend_http_settings_name = "https-settings"
  }
}

Ensure that you adapt the resource names and configurations as per your organization's requirements and naming conventions.
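The WAF policy that the gateway's firewall_policy_id points to, and the Key Vault access policy that [key_vault.tf] attaches to the identity, as an added example rather than the shared-infra repo's own code. It assumes the Key Vault is declared as azurerm_key_vault.main; the resource group, identity and naming variables are the ones used above.

```hcl
# WAF policy attached to the gateway via firewall_policy_id.
# Prevention mode blocks matching requests instead of only logging them
# (use "Detection" only while tuning rules); the OWASP managed rule set
# covers the common web attack classes.
resource "azurerm_web_application_firewall_policy" "waf" {
  name                = "appgw-waf-${var.tags.environment}-${var.common_tags.region}-001"
  resource_group_name = azurerm_resource_group.main.name
  location            = azurerm_resource_group.main.location
  tags                = merge(var.tags, var.common_tags)

  policy_settings {
    enabled                     = true
    mode                        = "Prevention"
    request_body_check          = true
    max_request_body_size_in_kb = 128
    file_upload_limit_in_mb     = 100
  }

  managed_rules {
    managed_rule_set {
      type    = "OWASP"
      version = "3.2"
    }
  }
}

# Key Vault access policy for the gateway's user-assigned identity.
# azurerm_key_vault.main is assumed to be declared in key_vault.tf.
# The gateway reads the certificate as a secret, so "Get" on secrets is the
# only permission it needs; no list, set or delete rights are granted.
resource "azurerm_key_vault_access_policy" "appgw" {
  key_vault_id = azurerm_key_vault.main.id
  tenant_id    = azurerm_user_assigned_identity.appgw_identity.tenant_id
  object_id    = azurerm_user_assigned_identity.appgw_identity.principal_id

  secret_permissions = ["Get"]
}
```

The gateway resource references the identity but not this access policy, so Terraform does not order them; add `depends_on = [azurerm_key_vault_access_policy.appgw]` to the gateway resource so the permission exists before the gateway tries to read the certificate.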


This manual provides an overview of the Azure Application Gateway deployment and serves as a reference for deploying and managing the resources using Terraform in Reg-1. It is essential to customize the configurations and guidelines based on specific needs and policies.