A Web Application Firewall (WAF) inspects and filters HTTP(S) traffic before it reaches the backend. Configuration consists of selecting managed rule sets and defining custom rules and policies to protect against common web application attacks.
This example deploys the module in its simplest form: a WAF_v2 Application Gateway with a single HTTP listener, an external WAF policy, autoscaling and diagnostic logging.
```hcl
#----------Testing Use Case -------------
# Application Gateway with WAF enabled, routing traffic to your application.
# Assume that your application runs in a scale set that contains two virtual machine instances.
# The scale set is added to the default backend pool; update ip_addresses below with the IPs or FQDNs of your application instances.
# The example input is taken from https://learn.microsoft.com/en-us/azure/application-gateway/tutorial-manage-web-traffic-cli
#----------All Required Provider Section-----------
terraform {
  required_version = ">= 1.9, < 2.0"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 4.0"
    }
    random = {
      source  = "hashicorp/random"
      version = ">= 3.5.0, < 4.0.0"
    }
  }
}

provider "azurerm" {
  features {}
}

# This ensures we have unique CAF compliant names for our resources.
module "naming" {
  source  = "Azure/naming/azurerm"
  version = "0.3.0"
  suffix  = ["agw"]
}

# This allows us to randomize the region for the resource group.
module "regions" {
  source  = "Azure/avm-utl-regions/azurerm"
  version = "0.11.0"
}

# This allows us to randomize the region for the resource group.
resource "random_integer" "region_index" {
  max = length(module.regions.regions) - 1
  min = 0
}

module "application_gateway" {
  source = "../../"

  # Backend address pool configuration for the application gateway
  # Mandatory Input
  backend_address_pools = {
    appGatewayBackendPool = {
      name         = "appGatewayBackendPool"
      ip_addresses = ["100.64.2.6", "100.64.2.5"]
    }
  }

  # Backend http settings configuration for the application gateway
  # Mandatory Input
  backend_http_settings = {
    appGatewayBackendHttpSettings = {
      name            = "appGatewayBackendHttpSettings"
      port            = 80
      protocol        = "Http"
      path            = "/"
      request_timeout = 30
      connection_draining = {
        enable_connection_draining = true
        drain_timeout_sec          = 300
      }
    }
    # Add more http settings as needed
  }

  # Frontend port configuration block for the application gateway
  # WAF : This example uses NO HTTPS. For production services we recommend securing all incoming connections with HTTPS,
  #       either end-to-end SSL/TLS or SSL/TLS termination at the Application Gateway, so that data stays private and
  #       encrypted between browsers and the web server.
  # WAF : Please refer to the kv_selfssl_waf_https_app_gateway example for the HTTPS configuration
  frontend_ports = {
    frontend-port-80 = {
      name = "frontend-port-80"
      port = 80
    }
  }

  gateway_ip_configuration = {
    subnet_id = azurerm_subnet.backend.id
  }

  # Http Listeners configuration for the application gateway
  # Mandatory Input
  http_listeners = {
    appGatewayHttpListener = {
      name               = "appGatewayHttpListener"
      host_name          = null
      frontend_port_name = "frontend-port-80"
    }
    # Add more http listeners as needed
  }

  location = azurerm_resource_group.rg_group.location

  # Provide the Application Gateway name
  name = module.naming.application_gateway.name_unique

  # Routing rules configuration for the backend pool
  # Mandatory Input
  request_routing_rules = {
    routing-rule-1 = {
      name                       = "rule-1"
      rule_type                  = "Basic"
      http_listener_name         = "appGatewayHttpListener"
      backend_address_pool_name  = "appGatewayBackendPool"
      backend_http_settings_name = "appGatewayBackendHttpSettings"
      priority                   = 100
    }
    # Add more rules as needed
  }

  resource_group_name = azurerm_resource_group.rg_group.name

  # WAF : Use Application Gateway with Web Application Firewall (WAF) in an application virtual network to safeguard
  #       inbound HTTP/S internet traffic. WAF offers centralized defense against potential exploits through rules based
  #       on the OWASP core rule sets.
  # Ensure that the WAF policy exists before enabling WAF on the Application Gateway.
  # An external WAF policy (azurerm_web_application_firewall_policy) is recommended over the classic per-gateway WAF
  # configured via the waf_configuration block.
  app_gateway_waf_policy_resource_id = azurerm_web_application_firewall_policy.azure_waf.id

  autoscale_configuration = {
    min_capacity = 2
    max_capacity = 3
  }

  # WAF : Monitor and log the configuration and traffic
  diagnostic_settings = {
    example_setting = {
      name                           = "${module.naming.application_gateway.name_unique}-diagnostic-setting"
      workspace_resource_id          = azurerm_log_analytics_workspace.log_analytics_workspace.id
      log_analytics_destination_type = "Dedicated" # Or "AzureDiagnostics"
      # log_categories = ["Application Gateway Access Log", "Application Gateway Performance Log", "Application Gateway Firewall Log"]
      log_groups        = ["allLogs"]
      metric_categories = ["AllMetrics"]
    }
  }

  enable_telemetry = var.enable_telemetry

  public_ip_address_configuration = {
    public_ip_name = "${module.naming.public_ip.name_unique}-pip"
  }

  # WAF : Azure Application Gateway v2 is always deployed in a highly available fashion with multiple instances by
  #       default. Enabling autoscale ensures the service is not reliant on manual intervention for scaling.
  sku = {
    # Accepted values for name: Standard_v2 and WAF_v2
    name = "WAF_v2"
    # Accepted values for tier: Standard_v2 and WAF_v2
    tier = "WAF_v2"
    # Accepted values for capacity: 1 to 10 for a V1 SKU, 1 to 100 for a V2 SKU
    capacity = 0 # Fixed instance count; set to 0 here because autoscale_configuration above controls capacity
  }

  tags = {
    environment = "dev"
    owner       = "application_gateway"
    project     = "AVM"
  }

  # Optional Input
  # Zone redundancy for the application gateway ["1", "2", "3"]
  zones = ["1", "2", "3"]
}
```
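The example references `azurerm_web_application_firewall_policy.azure_waf` through `app_gateway_waf_policy_resource_id` but does not show the policy itself. The following is an added illustration, not the example's own file or the module's code, of how that policy can be defined so that the gateway actually blocks rather than only logs. It assumes the same `azurerm_resource_group.rg_group` and `module.naming` used above; the managed rule set versions, the overridden rule ID and the country codes in the custom rule are illustrative choices and should be adjusted to your application.

```hcl
# Added example: an external WAF policy for the gateway above (illustrative, not part of the original example).
resource "azurerm_web_application_firewall_policy" "azure_waf" {
  name                = "${module.naming.application_gateway.name_unique}-wafpolicy"
  resource_group_name = azurerm_resource_group.rg_group.name
  location            = azurerm_resource_group.rg_group.location

  policy_settings {
    enabled = true
    # "Detection" only writes firewall log entries; use it while tuning, then switch to "Prevention"
    # so that matching requests are actually blocked.
    mode                        = "Prevention"
    request_body_check          = true
    max_request_body_size_in_kb = 128
    file_upload_limit_in_mb     = 100
  }

  managed_rules {
    # OWASP core rule set (the rules the comment in the example refers to).
    managed_rule_set {
      type    = "OWASP"
      version = "3.2"

      # Tune a single noisy rule instead of disabling a whole rule group.
      # Rule 920300 ("Request Missing an Accept Header") is a common false positive for API clients;
      # this is an assumed tuning choice for illustration.
      rule_group_override {
        rule_group_name = "REQUEST-920-PROTOCOL-ENFORCEMENT"
        rule {
          id      = "920300"
          enabled = true
          action  = "Log"
        }
      }
    }

    # Bot protection on top of the OWASP rules.
    managed_rule_set {
      type    = "Microsoft_BotManagerRuleSet"
      version = "1.0"
    }
  }

  # Custom rule evaluated before the managed rules: block clients outside the allowed countries.
  # The country list is a placeholder assumption for this example.
  custom_rules {
    name      = "BlockNonAllowedGeo"
    priority  = 10
    rule_type = "MatchRule"
    action    = "Block"

    match_conditions {
      match_variables {
        variable_name = "RemoteAddr"
      }
      operator           = "GeoMatch"
      negation_condition = true
      match_values       = ["US", "CA"]
    }
  }

  tags = {
    environment = "dev"
    owner       = "application_gateway"
    project     = "AVM"
  }
}
```

Because the diagnostic setting in the example sends `allLogs` to the Log Analytics workspace, requests matched by this policy show up as Application Gateway Firewall Log entries there; check that log after the first deployment in `Detection` mode and only then move the policy to `Prevention`.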
The following requirements are needed by this module:
- terraform (>= 1.9, < 2.0)
- azurerm (~> 4.0)
- random (>= 3.5.0, < 4.0.0)
The following resources are used by this module:
- azurerm_log_analytics_workspace.log_analytics_workspace (resource)
- azurerm_resource_group.rg_group (resource)
- azurerm_subnet.backend (resource)
- azurerm_subnet.frontend (resource)
- azurerm_subnet.private_ip_test (resource)
- azurerm_subnet.workload (resource)
- azurerm_virtual_network.vnet (resource)
- azurerm_web_application_firewall_policy.azure_waf (resource)
- random_integer.region_index (resource)
No required inputs.
The following input variables are optional (have default values):
enable_telemetry
Description: This variable controls whether or not telemetry is enabled for the module.
For more information see https://aka.ms/avm/telemetryinfo.
If it is set to false, then no telemetry will be collected.
Type: bool
Default: true
The following outputs are exported:
Description: ID of the Backend Subnet
Description: Name of the Backend Subnet
Description: ID of the Frontend Subnet
Description: Name of the Frontend Subnet
Description: ID of the Azure Log Analytics Workspace
Description: Name of the Azure Log Analytics Workspace
Description: ID of the Private IP Test Subnet
Description: Name of the Private IP Test Subnet
Description: ID of the Azure Resource Group
Description: Name of the Azure Resource Group
Description: ID of the Azure Virtual Network
Description: Name of the Azure Virtual Network
Description: ID of the Workload Subnet
Description: Name of the Workload Subnet
The following Modules are called:
application_gateway
Source: ../../
Version:
naming
Source: Azure/naming/azurerm
Version: 0.3.0
regions
Source: Azure/avm-utl-regions/azurerm
Version: 0.11.0
The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the repository. There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at https://go.microsoft.com/fwlink/?LinkID=824704. You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices.