Azure Network Application Gateway

This page shows how to write Terraform and Azure Resource Manager configuration for the Network Application Gateway, and how to write it securely.

azurerm_application_gateway (Terraform)

The Application Gateway in Network can be configured in Terraform with the resource name azurerm_application_gateway. The following sections describe 10 examples of how to use the resource and its parameters.

Example Usage from GitHub

positive.tf#L1
resource "azurerm_application_gateway" "positive1" {
  name                = "example-appgateway"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location

  waf_configuration {
positive.tf#L1
resource "azurerm_application_gateway" "positive1" {
  name                = "example-appgateway"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location

  waf_configuration {
appgateway.tf#L9
resource "azurerm_application_gateway" "appgateway" {
  name                = local.appgateway
  resource_group_name = azurerm_resource_group.spoke.name
  location            = azurerm_resource_group.spoke.location

  sku {
application_gateway.tf#L1
resource "azurerm_application_gateway" "network" {
  name                = "example-appgateway"
  resource_group_name = "example-resourceGroup"
  location            = "example --West-US"

  sku {
app_gateway.tf#L1
resource "azurerm_application_gateway" "app-gateway" {
  name                = "appgateway"
  resource_group_name = azurerm_resource_group.demo.name
  location            = var.location

  sku {
application_gateway.tf#L1
resource "azurerm_application_gateway" "network" {
  name                = "example-appgateway"
  resource_group_name = "example-resourceGroup"
  location            = "example --West-US"

  sku {
application_gateway.tf#L1
resource "azurerm_application_gateway" "network" {
  name                = "example-appgateway"
  resource_group_name = "example-resourceGroup"
  location            = "example --West-US"

  sku {
application_gateway.tf#L1
resource "azurerm_application_gateway" "network" {
  name                = "example-appgateway"
  resource_group_name = "example-resourceGroup"
  location            = "example --West-US"

  sku {
negative.tf#L1
resource "azurerm_application_gateway" "negative1" {
  name                = "example-appgateway"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location

  waf_configuration {
app_gateway.tf#L1
resource "azurerm_application_gateway" "app-gateway" {
  name                = "appgateway"
  resource_group_name = azurerm_resource_group.demo.name
  location            = var.location

  sku {

Review your Terraform file for Azure best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

Explanation in Terraform Registry

Manages an Application Gateway.

Tips: Best Practices for The Other Azure Network Resources

In addition to azurerm_network_security_group, Azure Network has other resources that should be configured with security in mind. The following are examples of those resources and the precautions to take with them.


azurerm_network_security_group

Ensure the RDP port is not open to the Internet

It is better to block the RDP port from the Internet. RDP access should not be accepted from the Internet (*, 0.0.0.0/0, internet, any); consider using the Azure Bastion Service instead.


azurerm_network_security_rule

Ensure a more restrictive CIDR range is set for ingress from the Internet

It is better to set a more restrictive CIDR range rather than allowing very broad address ranges. If possible, segments should be divided into smaller subnets.


azurerm_network_watcher_flow_log

Ensure a retention policy is enabled for flow logs and set to a sufficient duration

It is better to enable a retention policy for flow logs. Flow logs record all network activity in the cloud environment and are essential evidence when investigating critical incidents.

Review your Azure Network settings

In addition to the above, there are other security points you should be aware of to make sure that your .tf files are protected; Shisho Cloud checks them for you.

Microsoft.Network/applicationGateways (Azure Resource Manager)

The applicationGateways in Microsoft.Network can be configured in Azure Resource Manager with the resource name Microsoft.Network/applicationGateways. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

arm-create-application-gateway-no-ddos-protection.json#L223
        "type": "Microsoft.Network/applicationGateways",
        "location": "[parameters('location')]",
        "dependsOn": [
          "[variables('virtualNetworkName')]",
          "[variables('publicIPAddressName')]"
        ],
arm-create-application-gateway.json#L227
        "type": "Microsoft.Network/applicationGateways",
        "location": "[parameters('location')]",
        "dependsOn": [
          "[variables('virtualNetworkName')]",
          "[variables('publicIPAddressName')]"
        ],
deploy.appgw.json#L24
            "type": "Microsoft.Network/applicationGateways",
            "apiVersion": "2018-12-01",
            "name": "[parameters('applicationGatewayName')]",
            "location": "[resourceGroup().location]",
            "properties": {
                "sku": {
appgateway.json#L21
            "type": "Microsoft.Network/applicationGateways",
            "apiVersion": "2019-06-01",
            "name": "[parameters('applicationGateways_sf_agt_name')]",
            "location": "centralus",
            "properties": {
                "provisioningState": "Succeeded",
appGatewayNestedTemplate.json#L92
            "type": "Microsoft.Network/applicationGateways",
            "apiVersion": "2019-06-01",
            "name": "[variables('name_appGateway')]",
            "location": "[parameters('location')]",
            "properties": {
                "sku": {
appGatewayNestedTemplate.json#L93
            "type": "Microsoft.Network/applicationGateways",
            "apiVersion": "2019-06-01",
            "name": "[variables('name_appGateway')]",
            "location": "[parameters('location')]",
            "properties": {
                "sku": {
appGwDeploy.json#L139
      "type": "Microsoft.Network/applicationGateways",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[parameters('appGtwyPipDomainName')]"
      ],
      "properties": {
ag_template.json#L190
         "type":"Microsoft.Network/applicationGateways",
         "dependsOn":[
            "[resourceId('Microsoft.Network/publicIPAddresses/','ag_pub_ip')]"
         ],
         "tags":{
            "colony-space-id":"2630148b-8c7e-4003-9d3f-a646c9616009",
azuredeploy-jira-gtwy.json#L162
            "type": "Microsoft.Network/applicationGateways",
            "apiVersion": "2018-08-01",
            "name": "[concat(variables('namespace'), 'appgateway')]",
            "location": "[parameters('location')]",
            "condition": "[empty(parameters('sslPfxCertificatePassword'))]",
            "properties": {
cluster-appgateway-template.json#L91
      "type": "Microsoft.Network/applicationGateways",
      "apiVersion": "2019-06-01",
      "location": "[variables('location')]",
      "dependsOn": [
        "[concat('Microsoft.Network/publicIPAddresses/', variables('publicIpAddressName'))]"
      ],

Parameters

  • name required - string
  • type required - string
  • apiVersion required - string
  • location required - string

    Resource location.

  • tags optional - string

    Resource tags.

  • properties required
      • sku optional
          • name optional - string

            Name of an application gateway SKU.

          • tier optional - string

            Tier of an application gateway.

          • capacity optional - integer

            Capacity (instance count) of an application gateway.

      • sslPolicy optional
          • disabledSslProtocols optional - array

            Ssl protocols to be disabled on application gateway.

          • policyType optional - string

            Type of Ssl Policy.

          • policyName optional - string

            Name of Ssl predefined policy.

          • cipherSuites optional - array

            Ssl cipher suites to be enabled in the specified order to application gateway.

          • minProtocolVersion optional - string

            Minimum version of Ssl protocol to be supported on application gateway.

      • gatewayIPConfigurations optional array
          • properties optional
              • subnet optional
                  • id required - string

                    Resource ID.

          • name optional - string

            Name of the IP configuration that is unique within an Application Gateway.

      • authenticationCertificates optional array
          • properties optional
              • data optional - string

                Certificate public data.

          • name optional - string

            Name of the authentication certificate that is unique within an Application Gateway.

      • trustedRootCertificates optional array
          • properties optional
              • data optional - string

                Certificate public data.

              • keyVaultSecretId optional - string

                Secret Id of (base-64 encoded unencrypted pfx) 'Secret' or 'Certificate' object stored in KeyVault.

          • name optional - string

            Name of the trusted root certificate that is unique within an Application Gateway.

      • trustedClientCertificates optional array
          • properties optional
              • data optional - string

                Certificate public data.

          • name optional - string

            Name of the trusted client certificate that is unique within an Application Gateway.

      • sslCertificates optional array
          • properties optional
              • data optional - string

                Base-64 encoded pfx certificate. Only applicable in PUT Request.

              • password optional - string

                Password for the pfx file specified in data. Only applicable in PUT request.

              • keyVaultSecretId optional - string

                Secret Id of (base-64 encoded unencrypted pfx) 'Secret' or 'Certificate' object stored in KeyVault.

          • name optional - string

            Name of the SSL certificate that is unique within an Application Gateway.

      • frontendIPConfigurations optional array
          • properties optional
              • privateIPAddress optional - string

                PrivateIPAddress of the network interface IP Configuration.

              • privateIPAllocationMethod optional - string

                The private IP address allocation method.

              • subnet optional
                  • id required - string

                    Resource ID.

              • publicIPAddress optional
                  • id required - string

                    Resource ID.

              • privateLinkConfiguration optional
                  • id required - string

                    Resource ID.

          • name optional - string

            Name of the frontend IP configuration that is unique within an Application Gateway.

      • frontendPorts optional array
          • properties optional
              • port optional - integer

                Frontend port.

          • name optional - string

            Name of the frontend port that is unique within an Application Gateway.

      • probes optional array
          • properties optional
              • protocol optional - string

                The protocol used for the probe.

              • host optional - string

                Host name to send the probe to.

              • path optional - string

                Relative path of probe. Valid path starts from '/'. Probe is sent to <Protocol>://<host>:<port><path>.

              • interval optional - integer

                The probing interval in seconds. This is the time interval between two consecutive probes. Acceptable values are from 1 second to 86400 seconds.

              • timeout optional - integer

                The probe timeout in seconds. Probe marked as failed if valid response is not received with this timeout period. Acceptable values are from 1 second to 86400 seconds.

              • unhealthyThreshold optional - integer

                The probe retry count. Backend server is marked down after consecutive probe failure count reaches UnhealthyThreshold. Acceptable values are from 1 to 20.

              • pickHostNameFromBackendHttpSettings optional - boolean

                Whether the host header should be picked from the backend http settings. Default value is false.

              • minServers optional - integer

                Minimum number of servers that are always marked healthy. Default value is 0.

              • match optional
                  • body optional - string

                    Body that must be contained in the health response. Default value is empty.

                  • statusCodes optional - array

                    Allowed ranges of healthy status codes. Default range of healthy status codes is 200-399.

              • port optional - integer

                Custom port which will be used for probing the backend servers. The valid value ranges from 1 to 65535. In case not set, port from http settings will be used. This property is valid for Standard_v2 and WAF_v2 only.

          • name optional - string

            Name of the probe that is unique within an Application Gateway.

      • backendAddressPools optional array
          • properties optional
              • backendAddresses optional array
                  • fqdn optional - string

                    Fully qualified domain name (FQDN).

                  • ipAddress optional - string

                    IP address.

          • name optional - string

            Name of the backend address pool that is unique within an Application Gateway.

      • backendHttpSettingsCollection optional array
          • properties optional
              • port optional - integer

                The destination port on the backend.

              • protocol optional - string

                The protocol used to communicate with the backend.

              • cookieBasedAffinity optional - string

                Cookie based affinity.

              • requestTimeout optional - integer

                Request timeout in seconds. Application Gateway will fail the request if response is not received within RequestTimeout. Acceptable values are from 1 second to 86400 seconds.

              • probe optional
                  • id required - string

                    Resource ID.

              • authenticationCertificates optional array
                  • id required - string

                    Resource ID.

              • trustedRootCertificates optional array
                  • id required - string

                    Resource ID.

              • connectionDraining optional
                  • enabled required - boolean

                    Whether connection draining is enabled or not.

                  • drainTimeoutInSec required - integer

                    The number of seconds connection draining is active. Acceptable values are from 1 second to 3600 seconds.

              • hostName optional - string

                Host header to be sent to the backend servers.

              • pickHostNameFromBackendAddress optional - boolean

                Whether the host header should be picked from the host name of the backend server. Default value is false.

              • affinityCookieName optional - string

                Cookie name to use for the affinity cookie.

              • probeEnabled optional - boolean

                Whether the probe is enabled. Default value is false.

              • path optional - string

                Path which should be used as a prefix for all HTTP requests. Null means no path will be prefixed. Default value is null.

          • name optional - string

            Name of the backend http settings that is unique within an Application Gateway.

      • httpListeners optional array
          • properties optional
              • frontendIPConfiguration optional
                  • id required - string

                    Resource ID.

              • frontendPort optional
                  • id required - string

                    Resource ID.

              • protocol optional - string

                Protocol of the HTTP listener.

              • hostName optional - string

                Host name of HTTP listener.

              • sslCertificate optional
                  • id required - string

                    Resource ID.

              • sslProfile optional
                  • id required - string

                    Resource ID.

              • requireServerNameIndication optional - boolean

                Applicable only if protocol is https. Enables SNI for multi-hosting.

              • customErrorConfigurations optional array
                  • statusCode optional - string

                    Status code of the application gateway custom error.

                  • customErrorPageUrl optional - string

                    Error page URL of the application gateway custom error.

              • firewallPolicy optional
                  • id required - string

                    Resource ID.

              • hostNames optional - array

                List of Host names for HTTP Listener that allows special wildcard characters as well.

          • name optional - string

            Name of the HTTP listener that is unique within an Application Gateway.

      • sslProfiles optional array
          • properties optional
              • trustedClientCertificates optional array
                  • id required - string

                    Resource ID.

              • sslPolicy optional
                  • disabledSslProtocols optional - array

                    Ssl protocols to be disabled on application gateway.

                  • policyType optional - string

                    Type of Ssl Policy.

                  • policyName optional - string

                    Name of Ssl predefined policy.

                  • cipherSuites optional - array

                    Ssl cipher suites to be enabled in the specified order to application gateway.

                  • minProtocolVersion optional - string

                    Minimum version of Ssl protocol to be supported on application gateway.

              • clientAuthConfiguration optional
                  • verifyClientCertIssuerDN optional - boolean

                    Verify client certificate issuer name on the application gateway.

          • name optional - string

            Name of the SSL profile that is unique within an Application Gateway.

      • urlPathMaps optional array
          • properties optional
              • defaultBackendAddressPool optional
                  • id required - string

                    Resource ID.

              • defaultBackendHttpSettings optional
                  • id required - string

                    Resource ID.

              • defaultRewriteRuleSet optional
                  • id required - string

                    Resource ID.

              • defaultRedirectConfiguration optional
                  • id required - string

                    Resource ID.

              • pathRules optional array
                  • properties optional
                      • paths optional - array

                        Path rules of URL path map.

                      • backendAddressPool optional
                          • id required - string

                            Resource ID.

                      • backendHttpSettings optional
                          • id required - string

                            Resource ID.

                      • redirectConfiguration optional
                          • id required - string

                            Resource ID.

                      • rewriteRuleSet optional
                          • id required - string

                            Resource ID.

                      • firewallPolicy optional
                          • id required - string

                            Resource ID.

                  • name optional - string

                    Name of the path rule that is unique within an Application Gateway.

          • name optional - string

            Name of the URL path map that is unique within an Application Gateway.

      • requestRoutingRules optional array
          • properties optional
              • ruleType optional - string

                Rule type.

              • priority optional - integer

                Priority of the request routing rule.

              • backendAddressPool optional
                  • id required - string

                    Resource ID.

              • backendHttpSettings optional
                  • id required - string

                    Resource ID.

              • httpListener optional
                  • id required - string

                    Resource ID.

              • urlPathMap optional
                  • id required - string

                    Resource ID.

              • rewriteRuleSet optional
                  • id required - string

                    Resource ID.

              • redirectConfiguration optional
                  • id required - string

                    Resource ID.

          • name optional - string

            Name of the request routing rule that is unique within an Application Gateway.

      • rewriteRuleSets optional array
          • properties optional
              • rewriteRules optional array
                  • name optional - string

                    Name of the rewrite rule that is unique within an Application Gateway.

                  • ruleSequence optional - integer

                    Rule Sequence of the rewrite rule that determines the order of execution of a particular rule in a RewriteRuleSet.

                  • conditions optional array
                      • variable optional - string

                        The condition parameter of the RewriteRuleCondition.

                      • pattern optional - string

                        The pattern, either fixed string or regular expression, that evaluates the truthfulness of the condition.

                      • ignoreCase optional - boolean

                        Setting this parameter to true forces the pattern to do a case-insensitive comparison.

                      • negate optional - boolean

                        Setting this value to true forces the negation of the condition given by the user to be checked instead.

                  • actionSet optional
                      • requestHeaderConfigurations optional array
                          • headerName optional - string

                            Header name of the header configuration.

                          • headerValue optional - string

                            Header value of the header configuration.

                      • responseHeaderConfigurations optional array
                          • headerName optional - string

                            Header name of the header configuration.

                          • headerValue optional - string

                            Header value of the header configuration.

                      • urlConfiguration optional
                          • modifiedPath optional - string

                            Url path which user has provided for url rewrite. Null means no path will be updated. Default value is null.

                          • modifiedQueryString optional - string

                            Query string which user has provided for url rewrite. Null means no query string will be updated. Default value is null.

                          • reroute optional - boolean

                            If set as true, it will re-evaluate the url path map provided in path based request routing rules using modified path. Default value is false.

          • name optional - string

            Name of the rewrite rule set that is unique within an Application Gateway.

      • redirectConfigurations optional array
          • properties optional
              • redirectType optional - string

                HTTP redirection type.

              • targetListener optional
                  • id required - string

                    Resource ID.

              • targetUrl optional - string

                Url to redirect the request to.

              • includePath optional - boolean

                Include path in the redirected url.

              • includeQueryString optional - boolean

                Include query string in the redirected url.

              • requestRoutingRules optional array
                  • id required - string

                    Resource ID.

              • urlPathMaps optional array
                  • id required - string

                    Resource ID.

              • pathRules optional array
                  • id required - string

                    Resource ID.

          • name optional - string

            Name of the redirect configuration that is unique within an Application Gateway.

      • webApplicationFirewallConfiguration optional
          • enabled required - boolean

            Whether the web application firewall is enabled or not.

          • firewallMode required - string

            Web application firewall mode.

          • ruleSetType required - string

            The type of the web application firewall rule set. Possible values are: 'OWASP'.

          • ruleSetVersion required - string

            The version of the rule set type.

          • disabledRuleGroups optional array
              • ruleGroupName required - string

                The name of the rule group that will be disabled.

              • rules optional - array

                The list of rules that will be disabled. If null, all rules of the rule group will be disabled.

          • requestBodyCheck optional - boolean

            Whether allow WAF to check request Body.

          • maxRequestBodySize optional - integer

            Maximum request body size for WAF.

          • maxRequestBodySizeInKb optional - integer

            Maximum request body size in Kb for WAF.

          • fileUploadLimitInMb optional - integer

            Maximum file upload size in Mb for WAF.

          • exclusions optional array
              • matchVariable required - string

                The variable to be excluded.

              • selectorMatchOperator required - string

                When matchVariable is a collection, operate on the selector to specify which elements in the collection this exclusion applies to.

              • selector required - string

                When matchVariable is a collection, operator used to specify which elements in the collection this exclusion applies to.

      • firewallPolicy optional
          • id required - string

            Resource ID.

      • enableHttp2 optional - boolean

        Whether HTTP2 is enabled on the application gateway resource.

      • enableFips optional - boolean

        Whether FIPS is enabled on the application gateway resource.

      • autoscaleConfiguration optional
          • minCapacity required - integer

            Lower bound on number of Application Gateway capacity.

          • maxCapacity optional - integer

            Upper bound on number of Application Gateway capacity.

      • privateLinkConfigurations optional array
          • properties optional
              • ipConfigurations optional array
                  • properties optional
                      • privateIPAddress optional - string

                        The private IP address of the IP configuration.

                      • privateIPAllocationMethod optional - string

                        The private IP address allocation method.

                      • subnet optional
                          • id required - string

                            Resource ID.

                      • primary optional - boolean

                        Whether the ip configuration is primary or not.

                  • name optional - string

                    The name of application gateway private link ip configuration.

          • name optional - string

            Name of the private link configuration that is unique within an Application Gateway.

      • customErrorConfigurations optional array
          • statusCode optional - string

            Status code of the application gateway custom error.

          • customErrorPageUrl optional - string

            Error page URL of the application gateway custom error.

      • forceFirewallPolicyAssociation optional - boolean

        If true, associates a firewall policy with an application gateway regardless whether the policy differs from the WAF Config.

  • zones optional - array

    A list of availability zones denoting where the resource needs to come from.

  • identity optional
      • type optional - string

        The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the virtual machine.

      • userAssignedIdentities optional - undefined

        The list of user identities associated with resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.
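As an added example (not code from the page or from any repository it lists), the following Python check reads an ARM template and reports weak settings among the properties documented above: a TLS floor below 1.2 in sslPolicy, a plain-HTTP listener that no routing rule redirects, and a WAF that is disabled or left in Detection mode. The TLS 1.2 floor, the Prevention-mode requirement and the sample template are this example's own assumptions.

```python
"""Static policy check for Microsoft.Network/applicationGateways in an ARM template.
Walks sku, sslPolicy, httpListeners, requestRoutingRules and the WAF settings
documented above; the baseline it enforces is this example's assumption."""
import json
import re

TLS_ORDER = ["TLSv1_0", "TLSv1_1", "TLSv1_2", "TLSv1_3"]  # enum values used by Azure
MIN_TLS = "TLSv1_2"  # assumption: the floor this check enforces


def ref_name(resource_id):
    """Last quoted token of a resourceId() expression, else last path segment of an ID."""
    quoted = re.findall(r"'([^']*)'", resource_id or "")
    return quoted[-1] if quoted else (resource_id or "").rstrip("/").split("/")[-1]


def effective_min_tls(ssl_policy):
    """Lowest protocol still negotiated, from minProtocolVersion or the legacy
    disabledSslProtocols list; None when unset or when a predefined policy is named."""
    if not ssl_policy or ssl_policy.get("policyName"):
        return None  # predefined policies' floors are not modelled here
    if ssl_policy.get("minProtocolVersion"):
        return ssl_policy["minProtocolVersion"]
    disabled = set(ssl_policy.get("disabledSslProtocols", []))
    return next((v for v in TLS_ORDER if v not in disabled), TLS_ORDER[-1])


def check_application_gateway(resource):
    """Return (severity, message) findings for one applicationGateways resource."""
    props = resource.get("properties", {})
    findings = []

    # 1. TLS floor.
    ssl_policy = props.get("sslPolicy") or {}
    floor = effective_min_tls(ssl_policy)
    if floor is None and ssl_policy.get("policyName"):
        findings.append(("info", f"predefined sslPolicy {ssl_policy['policyName']!r}; "
                                 "verify its TLS floor separately"))
    elif floor is None:
        findings.append(("medium", "sslPolicy not set; set minProtocolVersion explicitly"))
    elif floor in TLS_ORDER and TLS_ORDER.index(floor) < TLS_ORDER.index(MIN_TLS):
        findings.append(("high", f"sslPolicy allows {floor}; raise the floor to {MIN_TLS}"))

    # 2. Plain-HTTP listeners, unless a routing rule only redirects them (to HTTPS).
    redirected = set()
    for rule in props.get("requestRoutingRules", []):
        rp = rule.get("properties", {})
        if rp.get("redirectConfiguration") and rp.get("httpListener"):
            redirected.add(ref_name(rp["httpListener"].get("id")))
    for listener in props.get("httpListeners", []):
        proto = listener.get("properties", {}).get("protocol", "")
        if proto.lower() == "http" and listener.get("name") not in redirected:
            findings.append(("high", f"listener {listener.get('name')!r} serves plain HTTP"))

    # 3. WAF: a WAF tier plus either an attached firewallPolicy (checked elsewhere) or an
    #    enabled webApplicationFirewallConfiguration in Prevention mode (Detection only logs).
    tier = props.get("sku", {}).get("tier", "")
    if not tier.startswith("WAF"):
        findings.append(("medium", f"sku tier {tier!r} has no web application firewall"))
    elif not props.get("firewallPolicy", {}).get("id"):
        waf = props.get("webApplicationFirewallConfiguration", {})
        if not waf.get("enabled"):
            findings.append(("high", "webApplicationFirewallConfiguration is disabled"))
        elif waf.get("firewallMode") != "Prevention":
            findings.append(("medium", f"WAF firewallMode is {waf.get('firewallMode')!r}; "
                                       "Detection mode logs but does not block"))
    return findings


def check_template(template):
    """Map resource name -> findings for every applicationGateways resource in a template."""
    return {res.get("name", "?"): check_application_gateway(res)
            for res in template.get("resources", [])
            if res.get("type") == "Microsoft.Network/applicationGateways"}


# Constructed sample (not from any repository on the page): WAF_v2 SKU, TLS 1.0 still
# allowed, a plain-HTTP listener with no redirect, and the WAF left in Detection mode.
SAMPLE_TEMPLATE = json.loads("""
{"resources": [{
  "type": "Microsoft.Network/applicationGateways",
  "name": "example-appgw",
  "properties": {
    "sku": {"name": "WAF_v2", "tier": "WAF_v2", "capacity": 2},
    "sslPolicy": {"policyType": "Custom", "minProtocolVersion": "TLSv1_0"},
    "httpListeners": [{"name": "http-in", "properties": {"protocol": "Http"}},
                      {"name": "https-in", "properties": {"protocol": "Https"}}],
    "requestRoutingRules": [],
    "webApplicationFirewallConfiguration": {"enabled": true, "firewallMode": "Detection",
                                            "ruleSetType": "OWASP", "ruleSetVersion": "3.1"}
  }}]}
""")
```

Calling check_template(SAMPLE_TEMPLATE) yields three findings for the sample: the TLS 1.0 floor, the un-redirected http-in listener, and the WAF in Detection mode; a template that raises the floor to TLSv1_2, adds a redirect rule for http-in and switches firewallMode to Prevention yields none.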

Frequently asked questions

What is Azure Network Application Gateway?

Azure Network Application Gateway is a Network resource of Microsoft Azure. Its settings can be written in Terraform.

Where can I find the example code for the Azure Network Application Gateway?

For Terraform, the Checkmarx/kics, leonidweinbergcx/mykics and fortunkam/aks-public-cluster source code examples are useful. See the Terraform Example section for further details.

For Azure Resource Manager, the RaymondHartog/init-yapl-demo, RaymondHartog/init-yapl-demo and Mski89/Nested source code examples are useful. See the Azure Resource Manager Example section for further details.