Azure Network Application Gateway
This page shows how to configure Azure Network Application Gateway with Terraform and Azure Resource Manager, and how to do so securely.
azurerm_application_gateway (Terraform)
The Application Gateway in Network can be configured in Terraform with the resource name azurerm_application_gateway. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "azurerm_application_gateway" "positive1" {
  name                = "example-appgateway"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  waf_configuration {

resource "azurerm_application_gateway" "positive1" {
  name                = "example-appgateway"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  waf_configuration {

resource "azurerm_application_gateway" "appgateway" {
  name                = local.appgateway
  resource_group_name = azurerm_resource_group.spoke.name
  location            = azurerm_resource_group.spoke.location
  sku {

resource "azurerm_application_gateway" "network" {
  name                = "example-appgateway"
  resource_group_name = "example-resourceGroup"
  location            = "example --West-US"
  sku {

resource "azurerm_application_gateway" "app-gateway" {
  name                = "appgateway"
  resource_group_name = azurerm_resource_group.demo.name
  location            = var.location
  sku {

resource "azurerm_application_gateway" "network" {
  name                = "example-appgateway"
  resource_group_name = "example-resourceGroup"
  location            = "example --West-US"
  sku {

resource "azurerm_application_gateway" "network" {
  name                = "example-appgateway"
  resource_group_name = "example-resourceGroup"
  location            = "example --West-US"
  sku {

resource "azurerm_application_gateway" "network" {
  name                = "example-appgateway"
  resource_group_name = "example-resourceGroup"
  location            = "example --West-US"
  sku {

resource "azurerm_application_gateway" "negative1" {
  name                = "example-appgateway"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  waf_configuration {

resource "azurerm_application_gateway" "app-gateway" {
  name                = "appgateway"
  resource_group_name = azurerm_resource_group.demo.name
  location            = var.location
  sku {

Parameters
- enable_http2: optional - bool
- firewall_policy_id: optional - string
- id: optional computed - string
- location: required - string
- name: required - string
- resource_group_name: required - string
- tags: optional - map from string to string
- zones: optional - list of string
- authentication_certificate: list block
- autoscale_configuration: list block
  - max_capacity: optional - number
  - min_capacity: required - number
- backend_address_pool: list block
  - fqdns: optional - list of string
  - id: optional computed - string
  - ip_addresses: optional - list of string
  - name: required - string
- backend_http_settings: list block
  - affinity_cookie_name: optional - string
  - cookie_based_affinity: required - string
  - host_name: optional - string
  - id: optional computed - string
  - name: required - string
  - path: optional - string
  - pick_host_name_from_backend_address: optional - bool
  - port: required - number
  - probe_id: optional computed - string
  - probe_name: optional - string
  - protocol: required - string
  - request_timeout: optional - number
  - trusted_root_certificate_names: optional - list of string
  - authentication_certificate: list block
  - connection_draining: list block
    - drain_timeout_sec: required - number
    - enabled: required - bool
- custom_error_configuration: list block
  - custom_error_page_url: required - string
  - id: optional computed - string
  - status_code: required - string
- frontend_ip_configuration: list block
  - id: optional computed - string
  - name: required - string
  - private_ip_address: optional computed - string
  - private_ip_address_allocation: optional computed - string
  - public_ip_address_id: optional computed - string
  - subnet_id: optional computed - string
- frontend_port: set block
- gateway_ip_configuration: list block
- http_listener: list block
  - firewall_policy_id: optional - string
  - frontend_ip_configuration_id: optional computed - string
  - frontend_ip_configuration_name: required - string
  - frontend_port_id: optional computed - string
  - frontend_port_name: required - string
  - host_name: optional - string
  - host_names: optional - set of string
  - id: optional computed - string
  - name: required - string
  - protocol: required - string
  - require_sni: optional - bool
  - ssl_certificate_id: optional computed - string
  - ssl_certificate_name: optional - string
  - custom_error_configuration: list block
    - custom_error_page_url: required - string
    - id: optional computed - string
    - status_code: required - string
- identity: list block
  - identity_ids: required - list of string
  - type: optional - string
- probe: list block
  - host: optional - string
  - id: optional computed - string
  - interval: required - number
  - minimum_servers: optional - number
  - name: required - string
  - path: required - string
  - pick_host_name_from_backend_http_settings: optional - bool
  - port: optional - number
  - protocol: required - string
  - timeout: required - number
  - unhealthy_threshold: required - number
  - match: list block
    - body: optional - string
    - status_code: optional - list of string
- redirect_configuration: set block
  - id: optional computed - string
  - include_path: optional - bool
  - include_query_string: optional - bool
  - name: required - string
  - redirect_type: required - string
  - target_listener_id: optional computed - string
  - target_listener_name: optional - string
  - target_url: optional - string
- request_routing_rule: set block
  - backend_address_pool_id: optional computed - string
  - backend_address_pool_name: optional - string
  - backend_http_settings_id: optional computed - string
  - backend_http_settings_name: optional - string
  - http_listener_id: optional computed - string
  - http_listener_name: required - string
  - id: optional computed - string
  - name: required - string
  - redirect_configuration_id: optional computed - string
  - redirect_configuration_name: optional - string
  - rewrite_rule_set_id: optional computed - string
  - rewrite_rule_set_name: optional - string
  - rule_type: required - string
  - url_path_map_id: optional computed - string
  - url_path_map_name: optional - string
- rewrite_rule_set: list block
  - id: optional computed - string
  - name: required - string
  - rewrite_rule: list block
    - name: required - string
    - rule_sequence: required - number
    - condition: list block
      - ignore_case: optional - bool
      - negate: optional - bool
      - pattern: required - string
      - variable: required - string
    - request_header_configuration: list block
      - header_name: required - string
      - header_value: required - string
    - response_header_configuration: list block
      - header_name: required - string
      - header_value: required - string
    - url: list block
      - path: optional - string
      - query_string: optional - string
      - reroute: optional - bool
- sku: list block
- ssl_certificate: list block
  - data: optional - string
  - id: optional computed - string
  - key_vault_secret_id: optional - string
  - name: required - string
  - password: optional - string
  - public_cert_data: optional computed - string
- ssl_policy: list block
  - cipher_suites: optional - list of string
  - disabled_protocols: optional - list of string
  - min_protocol_version: optional - string
  - policy_name: optional - string
  - policy_type: optional - string
- timeouts: single block
- trusted_root_certificate: list block
- url_path_map: list block
  - default_backend_address_pool_id: optional computed - string
  - default_backend_address_pool_name: optional - string
  - default_backend_http_settings_id: optional computed - string
  - default_backend_http_settings_name: optional - string
  - default_redirect_configuration_id: optional computed - string
  - default_redirect_configuration_name: optional - string
  - default_rewrite_rule_set_id: optional computed - string
  - default_rewrite_rule_set_name: optional - string
  - id: optional computed - string
  - name: required - string
  - path_rule: list block
    - backend_address_pool_id: optional computed - string
    - backend_address_pool_name: optional - string
    - backend_http_settings_id: optional computed - string
    - backend_http_settings_name: optional - string
    - firewall_policy_id: optional - string
    - id: optional computed - string
    - name: required - string
    - paths: required - list of string
    - redirect_configuration_id: optional computed - string
    - redirect_configuration_name: optional - string
    - rewrite_rule_set_id: optional computed - string
    - rewrite_rule_set_name: optional - string
- waf_configuration: list block
  - enabled: required - bool
  - file_upload_limit_mb: optional - number
  - firewall_mode: required - string
  - max_request_body_size_kb: optional - number
  - request_body_check: optional - bool
  - rule_set_type: optional - string
  - rule_set_version: required - string
  - disabled_rule_group: list block
    - rule_group_name: required - string
    - rules: optional - list of number
  - exclusion: list block
    - match_variable: required - string
    - selector: optional - string
    - selector_match_operator: optional - string
Explanation in Terraform Registry
Manages an Application Gateway.
Tips: Best Practices for the Other Azure Network Resources
In addition to azurerm_network_security_group, Azure Network has other resources that should be configured with security in mind. The following are examples of those resources and the precautions to take.
azurerm_network_security_group
Ensure RDP is not exposed to the Internet
RDP access should not be accepted from the Internet (*, 0.0.0.0, /0, internet, any). Disable the RDP port for Internet sources and consider using the Azure Bastion Service instead.
azurerm_network_security_rule
Ensure a restrictive CIDR range is set for ingress from the Internet
Set a restrictive CIDR range rather than a very broad subnet. If possible, divide segments into smaller subnets.
azurerm_network_watcher_flow_log
Ensure a retention policy is enabled for flow logs and set to a sufficient duration
Enable a retention policy for flow logs. Flow logs record all network activity in the cloud environment and support investigation of critical incidents.
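The three precautions above written as Terraform, as an added example that is not from the original page or the repositories it cites. It assumes the azurerm 3.x provider schema; every resource label, variable name, address range (10.0.1.0/26 as the AzureBastionSubnet prefix, 198.51.100.16/28 as a partner range) and the 90-day retention value is an assumption chosen for illustration.

```hcl
# Added example. All names, address ranges and the retention period are
# assumptions; the NSG, Network Watcher and storage account already exist.
variable "resource_group_name" { type = string }
variable "nsg_name" { type = string }
variable "nsg_id" { type = string }
variable "network_watcher_name" { type = string }
variable "network_watcher_resource_group" { type = string }
variable "flow_log_storage_account_id" { type = string }

# Weak setting, kept as a comment for contrast: RDP allowed from any source.
#   access                 = "Allow"
#   destination_port_range = "3389"
#   source_address_prefix  = "*"   # likewise "0.0.0.0/0", "Internet", "any"

# Corrected: RDP is accepted only from the Azure Bastion subnet.
resource "azurerm_network_security_rule" "rdp_from_bastion" {
  name                        = "allow-rdp-from-bastion"
  priority                    = 100
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = "3389"
  source_address_prefix       = "10.0.1.0/26" # assumed AzureBastionSubnet prefix
  destination_address_prefix  = "VirtualNetwork"
  resource_group_name         = var.resource_group_name
  network_security_group_name = var.nsg_name
}

# Explicit deny, so a broader allow rule added later at a higher priority
# number cannot re-open RDP to the Internet.
resource "azurerm_network_security_rule" "deny_rdp_internet" {
  name                        = "deny-rdp-from-internet"
  priority                    = 110
  direction                   = "Inbound"
  access                      = "Deny"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = "3389"
  source_address_prefix       = "Internet"
  destination_address_prefix  = "*"
  resource_group_name         = var.resource_group_name
  network_security_group_name = var.nsg_name
}

# Restrictive ingress CIDR: a /28 for one known peer rather than a broad
# range such as 198.51.0.0/16.
resource "azurerm_network_security_rule" "https_from_partner" {
  name                        = "allow-https-from-partner"
  priority                    = 200
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = "443"
  source_address_prefix       = "198.51.100.16/28" # assumed partner range
  destination_address_prefix  = "VirtualNetwork"
  resource_group_name         = var.resource_group_name
  network_security_group_name = var.nsg_name
}

# Flow logs with a retention policy that is switched on and long enough to
# cover an incident investigation (90 days is an assumed value).
resource "azurerm_network_watcher_flow_log" "nsg" {
  name                      = "example-nsg-flow-log"
  network_watcher_name      = var.network_watcher_name
  resource_group_name       = var.network_watcher_resource_group
  network_security_group_id = var.nsg_id
  storage_account_id        = var.flow_log_storage_account_id
  enabled                   = true

  retention_policy {
    enabled = true
    days    = 90
  }
}
```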
Microsoft.Network/applicationGateways (Azure Resource Manager)
The applicationGateways in Microsoft.Network can be configured in Azure Resource Manager with the resource name Microsoft.Network/applicationGateways. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
"type": "Microsoft.Network/applicationGateways",
"location": "[parameters('location')]",
"dependsOn": [
  "[variables('virtualNetworkName')]",
  "[variables('publicIPAddressName')]"
],

"type": "Microsoft.Network/applicationGateways",
"location": "[parameters('location')]",
"dependsOn": [
  "[variables('virtualNetworkName')]",
  "[variables('publicIPAddressName')]"
],

"type": "Microsoft.Network/applicationGateways",
"apiVersion": "2018-12-01",
"name": "[parameters('applicationGatewayName')]",
"location": "[resourceGroup().location]",
"properties": {
  "sku": {

"type": "Microsoft.Network/applicationGateways",
"apiVersion": "2019-06-01",
"name": "[parameters('applicationGateways_sf_agt_name')]",
"location": "centralus",
"properties": {
  "provisioningState": "Succeeded",

"type": "Microsoft.Network/applicationGateways",
"apiVersion": "2019-06-01",
"name": "[variables('name_appGateway')]",
"location": "[parameters('location')]",
"properties": {
  "sku": {

"type": "Microsoft.Network/applicationGateways",
"apiVersion": "2019-06-01",
"name": "[variables('name_appGateway')]",
"location": "[parameters('location')]",
"properties": {
  "sku": {

"type": "Microsoft.Network/applicationGateways",
"location": "[parameters('location')]",
"dependsOn": [
  "[parameters('appGtwyPipDomainName')]"
],
"properties": {

"type":"Microsoft.Network/applicationGateways",
"dependsOn":[
  "[resourceId('Microsoft.Network/publicIPAddresses/','ag_pub_ip')]"
],
"tags":{
  "colony-space-id":"2630148b-8c7e-4003-9d3f-a646c9616009",

"type": "Microsoft.Network/applicationGateways",
"apiVersion": "2018-08-01",
"name": "[concat(variables('namespace'), 'appgateway')]",
"location": "[parameters('location')]",
"condition": "[empty(parameters('sslPfxCertificatePassword'))]",
"properties": {

"type": "Microsoft.Network/applicationGateways",
"apiVersion": "2019-06-01",
"location": "[variables('location')]",
"dependsOn": [
  "[concat('Microsoft.Network/publicIPAddresses/', variables('publicIpAddressName'))]"
],

Parameters
- name: required - string
- type: required - string
- apiVersion: required - string
- location: required - string. Resource location.
- tags: optional - string. Resource tags.
- properties: required
  - sku: optional
    - name: optional - string. Name of an application gateway SKU.
    - tier: optional - string. Tier of an application gateway.
    - capacity: optional - integer. Capacity (instance count) of an application gateway.
  - sslPolicy: optional
    - disabledSslProtocols: optional - array. Ssl protocols to be disabled on application gateway.
    - policyType: optional - string. Type of Ssl Policy.
    - policyName: optional - string. Name of Ssl predefined policy.
    - cipherSuites: optional - array. Ssl cipher suites to be enabled in the specified order to application gateway.
    - minProtocolVersion: optional - string. Minimum version of Ssl protocol to be supported on application gateway.
  - gatewayIPConfigurations: optional array
    - properties: optional
      - subnet: optional
        - id: required - string. Resource ID.
    - name: optional - string. Name of the IP configuration that is unique within an Application Gateway.
  - authenticationCertificates: optional array
    - properties: optional
      - data: optional - string. Certificate public data.
    - name: optional - string. Name of the authentication certificate that is unique within an Application Gateway.
  - trustedRootCertificates: optional array
    - properties: optional
      - data: optional - string. Certificate public data.
      - keyVaultSecretId: optional - string. Secret Id of (base-64 encoded unencrypted pfx) 'Secret' or 'Certificate' object stored in KeyVault.
    - name: optional - string. Name of the trusted root certificate that is unique within an Application Gateway.
  - trustedClientCertificates: optional array
    - properties: optional
      - data: optional - string. Certificate public data.
    - name: optional - string. Name of the trusted client certificate that is unique within an Application Gateway.
  - sslCertificates: optional array
    - properties: optional
      - data: optional - string. Base-64 encoded pfx certificate. Only applicable in PUT Request.
      - password: optional - string. Password for the pfx file specified in data. Only applicable in PUT request.
      - keyVaultSecretId: optional - string. Secret Id of (base-64 encoded unencrypted pfx) 'Secret' or 'Certificate' object stored in KeyVault.
    - name: optional - string. Name of the SSL certificate that is unique within an Application Gateway.
  - frontendIPConfigurations: optional array
    - properties: optional
      - privateIPAddress: optional - string. PrivateIPAddress of the network interface IP Configuration.
      - privateIPAllocationMethod: optional - string. The private IP address allocation method.
      - subnet: optional
        - id: required - string. Resource ID.
      - publicIPAddress: optional
        - id: required - string. Resource ID.
      - privateLinkConfiguration: optional
        - id: required - string. Resource ID.
    - name: optional - string. Name of the frontend IP configuration that is unique within an Application Gateway.
  - frontendPorts: optional array
    - properties: optional
      - port: optional - integer. Frontend port.
    - name: optional - string. Name of the frontend port that is unique within an Application Gateway.
  - probes: optional array
    - properties: optional
      - protocol: optional - string. The protocol used for the probe.
      - host: optional - string. Host name to send the probe to.
      - path: optional - string. Relative path of probe. Valid path starts from '/'. Probe is sent to <Protocol>://<host>:<port><path>.
      - interval: optional - integer. The probing interval in seconds. This is the time interval between two consecutive probes. Acceptable values are from 1 second to 86400 seconds.
      - timeout: optional - integer. The probe timeout in seconds. Probe marked as failed if valid response is not received with this timeout period. Acceptable values are from 1 second to 86400 seconds.
      - unhealthyThreshold: optional - integer. The probe retry count. Backend server is marked down after consecutive probe failure count reaches UnhealthyThreshold. Acceptable values are from 1 second to 20.
      - pickHostNameFromBackendHttpSettings: optional - boolean. Whether the host header should be picked from the backend http settings. Default value is false.
      - minServers: optional - integer. Minimum number of servers that are always marked healthy. Default value is 0.
      - match: optional
        - body: optional - string. Body that must be contained in the health response. Default value is empty.
        - statusCodes: optional - array. Allowed ranges of healthy status codes. Default range of healthy status codes is 200-399.
      - port: optional - integer. Custom port which will be used for probing the backend servers. The valid value ranges from 1 to 65535. In case not set, port from http settings will be used. This property is valid for Standard_v2 and WAF_v2 only.
    - name: optional - string. Name of the probe that is unique within an Application Gateway.
  - backendAddressPools: optional array
    - properties: optional
      - backendAddresses: optional array
        - fqdn: optional - string. Fully qualified domain name (FQDN).
        - ipAddress: optional - string. IP address.
    - name: optional - string. Name of the backend address pool that is unique within an Application Gateway.
  - backendHttpSettingsCollection: optional array
    - properties: optional
      - port: optional - integer. The destination port on the backend.
      - protocol: optional - string. The protocol used to communicate with the backend.
      - cookieBasedAffinity: optional - string. Cookie based affinity.
      - requestTimeout: optional - integer. Request timeout in seconds. Application Gateway will fail the request if response is not received within RequestTimeout. Acceptable values are from 1 second to 86400 seconds.
      - probe: optional
        - id: required - string. Resource ID.
      - authenticationCertificates: optional array
        - id: required - string. Resource ID.
      - trustedRootCertificates: optional array
        - id: required - string. Resource ID.
      - connectionDraining: optional
        - enabled: required - boolean. Whether connection draining is enabled or not.
        - drainTimeoutInSec: required - integer. The number of seconds connection draining is active. Acceptable values are from 1 second to 3600 seconds.
      - hostName: optional - string. Host header to be sent to the backend servers.
      - pickHostNameFromBackendAddress: optional - boolean. Whether the host header should be picked from the host name of the backend server. Default value is false.
      - affinityCookieName: optional - string. Cookie name to use for the affinity cookie.
      - probeEnabled: optional - boolean. Whether the probe is enabled. Default value is false.
      - path: optional - string. Path which should be used as a prefix for all HTTP requests. Null means no path will be prefixed. Default value is null.
    - name: optional - string. Name of the backend http settings that is unique within an Application Gateway.
  - httpListeners: optional array
    - properties: optional
      - frontendIPConfiguration: optional
        - id: required - string. Resource ID.
      - frontendPort: optional
        - id: required - string. Resource ID.
      - protocol: optional - string. Protocol of the HTTP listener.
      - hostName: optional - string. Host name of HTTP listener.
      - sslCertificate: optional
        - id: required - string. Resource ID.
      - sslProfile: optional
        - id: required - string. Resource ID.
      - requireServerNameIndication: optional - boolean. Applicable only if protocol is https. Enables SNI for multi-hosting.
      - customErrorConfigurations: optional array
        - statusCode: optional - string. Status code of the application gateway customer error.
        - customErrorPageUrl: optional - string. Error page URL of the application gateway customer error.
      - firewallPolicy: optional
        - id: required - string. Resource ID.
      - hostNames: optional - array. List of Host names for HTTP Listener that allows special wildcard characters as well.
    - name: optional - string. Name of the HTTP listener that is unique within an Application Gateway.
  - sslProfiles: optional array
    - properties: optional
      - trustedClientCertificates: optional array
        - id: required - string. Resource ID.
      - sslPolicy: optional
        - disabledSslProtocols: optional - array. Ssl protocols to be disabled on application gateway.
        - policyType: optional - string. Type of Ssl Policy.
        - policyName: optional - string. Name of Ssl predefined policy.
        - cipherSuites: optional - array. Ssl cipher suites to be enabled in the specified order to application gateway.
        - minProtocolVersion: optional - string. Minimum version of Ssl protocol to be supported on application gateway.
      - clientAuthConfiguration: optional
        - verifyClientCertIssuerDN: optional - boolean. Verify client certificate issuer name on the application gateway.
    - name: optional - string. Name of the SSL profile that is unique within an Application Gateway.
  - urlPathMaps: optional array
    - properties: optional
      - defaultBackendAddressPool: optional
        - id: required - string. Resource ID.
      - defaultBackendHttpSettings: optional
        - id: required - string. Resource ID.
      - defaultRewriteRuleSet: optional
        - id: required - string. Resource ID.
      - defaultRedirectConfiguration: optional
        - id: required - string. Resource ID.
      - pathRules: optional array
        - properties: optional
          - paths: optional - array. Path rules of URL path map.
          - backendAddressPool: optional
            - id: required - string. Resource ID.
          - backendHttpSettings: optional
            - id: required - string. Resource ID.
          - redirectConfiguration: optional
            - id: required - string. Resource ID.
          - rewriteRuleSet: optional
            - id: required - string. Resource ID.
          - firewallPolicy: optional
            - id: required - string. Resource ID.
        - name: optional - string. Name of the path rule that is unique within an Application Gateway.
    - name: optional - string. Name of the URL path map that is unique within an Application Gateway.
  - requestRoutingRules: optional array
    - properties: optional
      - ruleType: optional - string. Rule type.
      - priority: optional - integer. Priority of the request routing rule.
      - backendAddressPool: optional
        - id: required - string. Resource ID.
      - backendHttpSettings: optional
        - id: required - string. Resource ID.
      - httpListener: optional
        - id: required - string. Resource ID.
      - urlPathMap: optional
        - id: required - string. Resource ID.
      - rewriteRuleSet: optional
        - id: required - string. Resource ID.
      - redirectConfiguration: optional
        - id: required - string. Resource ID.
    - name: optional - string. Name of the request routing rule that is unique within an Application Gateway.
  - rewriteRuleSets: optional array
    - properties: optional
      - rewriteRules: optional array
        - name: optional - string. Name of the rewrite rule that is unique within an Application Gateway.
        - ruleSequence: optional - integer. Rule Sequence of the rewrite rule that determines the order of execution of a particular rule in a RewriteRuleSet.
        - conditions: optional array
          - variable: optional - string. The condition parameter of the RewriteRuleCondition.
          - pattern: optional - string. The pattern, either fixed string or regular expression, that evaluates the truthfulness of the condition.
          - ignoreCase: optional - boolean. Setting this parameter to truth value will force the pattern to do a case-insensitive comparison.
          - negate: optional - boolean. Setting this value as truth will force to check the negation of the condition given by the user.
        - actionSet: optional
          - requestHeaderConfigurations: optional array
            - headerName: optional - string. Header name of the header configuration.
            - headerValue: optional - string. Header value of the header configuration.
          - responseHeaderConfigurations: optional array
            - headerName: optional - string. Header name of the header configuration.
            - headerValue: optional - string. Header value of the header configuration.
          - urlConfiguration: optional
            - modifiedPath: optional - string. Url path which user has provided for url rewrite. Null means no path will be updated. Default value is null.
            - modifiedQueryString: optional - string. Query string which user has provided for url rewrite. Null means no query string will be updated. Default value is null.
            - reroute: optional - boolean. If set as true, it will re-evaluate the url path map provided in path based request routing rules using modified path. Default value is false.
    - name: optional - string. Name of the rewrite rule set that is unique within an Application Gateway.
  - redirectConfigurations: optional array
    - properties: optional
      - redirectType: optional - string. HTTP redirection type.
      - targetListener: optional
        - id: required - string. Resource ID.
      - targetUrl: optional - string. Url to redirect the request to.
      - includePath: optional - boolean. Include path in the redirected url.
      - includeQueryString: optional - boolean. Include query string in the redirected url.
      - requestRoutingRules: optional array
        - id: required - string. Resource ID.
      - urlPathMaps: optional array
        - id: required - string. Resource ID.
      - pathRules: optional array
        - id: required - string. Resource ID.
    - name: optional - string. Name of the redirect configuration that is unique within an Application Gateway.
  - webApplicationFirewallConfiguration: optional
    - enabled: required - boolean. Whether the web application firewall is enabled or not.
    - firewallMode: required - string. Web application firewall mode.
    - ruleSetType: required - string. The type of the web application firewall rule set. Possible values are: 'OWASP'.
    - ruleSetVersion: required - string. The version of the rule set type.
    - disabledRuleGroups: optional array
      - ruleGroupName: required - string. The name of the rule group that will be disabled.
      - rules: optional - array. The list of rules that will be disabled. If null, all rules of the rule group will be disabled.
    - requestBodyCheck: optional - boolean. Whether allow WAF to check request Body.
    - maxRequestBodySize: optional - integer. Maximum request body size for WAF.
    - maxRequestBodySizeInKb: optional - integer. Maximum request body size in Kb for WAF.
    - fileUploadLimitInMb: optional - integer. Maximum file upload size in Mb for WAF.
    - exclusions: optional array
      - matchVariable: required - string. The variable to be excluded.
      - selectorMatchOperator: required - string. When matchVariable is a collection, operate on the selector to specify which elements in the collection this exclusion applies to.
      - selector: required - string. When matchVariable is a collection, operator used to specify which elements in the collection this exclusion applies to.
  - firewallPolicy: optional
    - id: required - string. Resource ID.
  - enableHttp2: optional - boolean. Whether HTTP2 is enabled on the application gateway resource.
  - enableFips: optional - boolean. Whether FIPS is enabled on the application gateway resource.
  - autoscaleConfiguration: optional
    - minCapacity: required - integer. Lower bound on number of Application Gateway capacity.
    - maxCapacity: optional - integer. Upper bound on number of Application Gateway capacity.
  - privateLinkConfigurations: optional array
    - properties: optional
      - ipConfigurations: optional array
        - properties: optional
          - privateIPAddress: optional - string. The private IP address of the IP configuration.
          - privateIPAllocationMethod: optional - string. The private IP address allocation method.
          - subnet: optional
            - id: required - string. Resource ID.
          - primary: optional - boolean. Whether the ip configuration is primary or not.
        - name: optional - string. The name of application gateway private link ip configuration.
    - name: optional - string. Name of the private link configuration that is unique within an Application Gateway.
  - customErrorConfigurations: optional array
    - statusCode: optional - string. Status code of the application gateway customer error.
    - customErrorPageUrl: optional - string. Error page URL of the application gateway customer error.
  - forceFirewallPolicyAssociation: optional - boolean. If true, associates a firewall policy with an application gateway regardless whether the policy differs from the WAF Config.
- zones: optional - array. A list of availability zones denoting where the resource needs to come from.
- identity: optional
  - type: optional - string. The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the virtual machine.
  - userAssignedIdentities: optional - undefined. The list of user identities associated with resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.
Frequently asked questions
What is Azure Network Application Gateway?
Azure Network Application Gateway is a resource for Network of Microsoft Azure. Settings can be written in Terraform.
Where can I find the example code for the Azure Network Application Gateway?
For Terraform, the Checkmarx/kics, leonidweinbergcx/mykics and fortunkam/aks-public-cluster source code examples are useful. See the Terraform Example section for further details.
For Azure Resource Manager, the RaymondHartog/init-yapl-demo, RaymondHartog/init-yapl-demo and Mski89/Nested source code examples are useful. See the Azure Resource Manager Example section for further details.