Azure Network Interface Application Gateway Backend Address Pool Association
This page shows how to write Terraform and Azure Resource Manager configurations for the Network Interface Application Gateway Backend Address Pool Association, and how to write them securely.
azurerm_network_interface_application_gateway_backend_address_pool_association (Terraform)
The Network Interface Application Gateway Backend Address Pool Association in Azure Network can be configured in Terraform with the resource name azurerm_network_interface_application_gateway_backend_address_pool_association. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "azurerm_network_interface_application_gateway_backend_address_pool_association" "nicagw" {
  network_interface_id    = azurerm_network_interface.nic.id
  ip_configuration_name   = var.name-ipconfig-nic
  backend_address_pool_id = azurerm_application_gateway.agw.backend_address_pool[0].id
}

resource "azurerm_network_interface_application_gateway_backend_address_pool_association" "dk-01-appg-be-pool-assoc-vm1" {
  network_interface_id    = azurerm_network_interface.dk-01-vm1-net-interface.id
  ip_configuration_name   = azurerm_network_interface.dk-01-vm1-net-interface.ip_configuration[0].name
  backend_address_pool_id = azurerm_application_gateway.dk-01-appg.backend_address_pool[0].id
}

resource "azurerm_network_interface_application_gateway_backend_address_pool_association" "this" {
  backend_address_pool_id = var.backend_address_pool_id
  ip_configuration_name   = var.ip_configuration_name
  network_interface_id    = var.network_interface_id
  dynamic "timeouts" {
    # ... (the rest of this excerpt is not shown on the page)
  }
}

resource "azurerm_network_interface_application_gateway_backend_address_pool_association" "this" {
  backend_address_pool_id = var.backend_address_pool_id
  ip_configuration_name   = var.ip_configuration_name
  network_interface_id    = var.network_interface_id
  dynamic "timeouts" {
    # ... (the rest of this excerpt is not shown on the page)
  }
}

resource "azurerm_network_interface_application_gateway_backend_address_pool_association" "example" {
  network_interface_id    = azurerm_network_interface.net-interface.id
  ip_configuration_name   = "dev-webserver"
  backend_address_pool_id = var.backend_address_pool_id
}

resource "azurerm_network_interface_application_gateway_backend_address_pool_association" "app" {
  network_interface_id    = azurerm_network_interface.app.id
  ip_configuration_name   = "ipconfig"
  backend_address_pool_id = azurerm_application_gateway.agw.backend_address_pool[0].id
}

resource "azurerm_network_interface_application_gateway_backend_address_pool_association" "example" {
  network_interface_id    = var.nic_id
  ip_configuration_name   = var.ipconfig_name
  backend_address_pool_id = var.appgw_beid
}

resource "azurerm_network_interface_application_gateway_backend_address_pool_association" "example" {
  network_interface_id    = var.nic_id
  ip_configuration_name   = var.ipconfig_name
  backend_address_pool_id = var.appgw_beid
}

resource "azurerm_network_interface_application_gateway_backend_address_pool_association" "example" {
  network_interface_id    = var.nic_id
  ip_configuration_name   = var.ipconfig_name
  backend_address_pool_id = var.appgw_beid
}

resource "azurerm_network_interface_application_gateway_backend_address_pool_association" "nic" {
  for_each = ({
    for k, v in local.vm_nic_keys :
    k => v
    if v.app_gw_enabled
  })
  # ... (the rest of this excerpt is not shown on the page)
}

Parameters
backend_address_pool_id (required) - string
id (optional, computed) - string
ip_configuration_name (required) - string
network_interface_id (required) - string
timeouts - single block
Explanation in Terraform Registry
Manages the association between a Network Interface and an Application Gateway's Backend Address Pool.
Tips: Best Practices for The Other Azure Network Resources
In addition to the azurerm_network_security_group, Azure Network has other resources that should be configured with security in mind. The following are examples of those resources and the precautions to take.
azurerm_network_security_group
Ensure the RDP port is not open to the Internet
It is better to close the RDP port to the Internet. RDP access should not be accepted from the Internet (*, 0.0.0.0, /0, internet, any); consider using the Azure Bastion Service instead.
azurerm_network_security_rule
Ensure a more restrictive CIDR range is set for ingress from the Internet
It is better to set a more restrictive CIDR range rather than use very broad subnets. If possible, segments should be divided into smaller subnets.
azurerm_network_watcher_flow_log
Ensure a retention policy is enabled for flow logs and set to a sufficient duration
It is better to enable a retention policy for flow logs. Flow logs show all network activity in the cloud environment and support the response to critical incidents.
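The three precautions above, applied to a network interface that sits in an Application Gateway backend pool, as an added example that is not from the original page or from the projects it cites. All resource names, variables, the 10.0.1.0/24 CIDR and the 90-day retention are assumptions; the flow log block uses network_security_group_id, which assumes a provider version that accepts that argument.

```hcl
# Added example (not from the original page); names and values are hypothetical.
variable "resource_group_name" { type = string }
variable "location" { type = string }
variable "network_interface_id" { type = string } # NIC placed in the backend pool
variable "network_watcher_name" { type = string }
variable "network_watcher_rg" { type = string } # resource group of the Network Watcher
variable "flow_log_storage_account_id" { type = string }
variable "appgw_subnet_cidr" {
  type    = string
  default = "10.0.1.0/24" # constructed: subnet holding the Application Gateway
}

resource "azurerm_network_security_group" "backend" {
  name                = "backend-nsg"
  location            = var.location
  resource_group_name = var.resource_group_name
}

# Weak form the tips warn about (kept as a comment only):
#   access = "Allow", destination_port_range = "3389", source_address_prefix = "*"

# Corrected: RDP from the Internet is denied explicitly.
resource "azurerm_network_security_rule" "deny_rdp_internet" {
  name                        = "deny-rdp-from-internet"
  priority                    = 100
  direction                   = "Inbound"
  access                      = "Deny"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = "3389"
  source_address_prefix       = "Internet"
  destination_address_prefix  = "*"
  resource_group_name         = var.resource_group_name
  network_security_group_name = azurerm_network_security_group.backend.name
}

# Corrected: ingress is limited to the gateway's subnet, not a broad range.
resource "azurerm_network_security_rule" "allow_https_from_appgw" {
  name                        = "allow-https-from-appgw-subnet"
  priority                    = 110
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = "443"
  source_address_prefix       = var.appgw_subnet_cidr
  destination_address_prefix  = "*"
  resource_group_name         = var.resource_group_name
  network_security_group_name = azurerm_network_security_group.backend.name
}

# Attach the NSG to the same NIC that is associated with the backend pool.
resource "azurerm_network_interface_security_group_association" "backend" {
  network_interface_id      = var.network_interface_id
  network_security_group_id = azurerm_network_security_group.backend.id
}

# Flow log with retention enabled; 90 days is a constructed value.
resource "azurerm_network_watcher_flow_log" "backend" {
  name                      = "backend-nsg-flow-log"
  network_watcher_name      = var.network_watcher_name
  resource_group_name       = var.network_watcher_rg
  network_security_group_id = azurerm_network_security_group.backend.id # assumption: provider version accepts this argument
  storage_account_id        = var.flow_log_storage_account_id
  enabled                   = true
  retention_policy {
    enabled = true
    days    = 90
  }
}
```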
Microsoft.Network/applicationGateways (Azure Resource Manager)
The applicationGateways in Microsoft.Network can be configured in Azure Resource Manager with the resource name Microsoft.Network/applicationGateways. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
"type": "Microsoft.Network/applicationGateways",
"location": "[parameters('location')]",
"dependsOn": [
  "[variables('virtualNetworkName')]",
  "[variables('publicIPAddressName')]"
],

"type": "Microsoft.Network/applicationGateways",
"location": "[parameters('location')]",
"dependsOn": [
  "[variables('virtualNetworkName')]",
  "[variables('publicIPAddressName')]"
],

"type": "Microsoft.Network/applicationGateways",
"apiVersion": "2018-12-01",
"name": "[parameters('applicationGatewayName')]",
"location": "[resourceGroup().location]",
"properties": {
  "sku": {

"type": "Microsoft.Network/applicationGateways",
"apiVersion": "2019-06-01",
"name": "[parameters('applicationGateways_sf_agt_name')]",
"location": "centralus",
"properties": {
  "provisioningState": "Succeeded",

"type": "Microsoft.Network/applicationGateways",
"apiVersion": "2019-06-01",
"name": "[variables('name_appGateway')]",
"location": "[parameters('location')]",
"properties": {
  "sku": {

"type": "Microsoft.Network/applicationGateways",
"apiVersion": "2019-06-01",
"name": "[variables('name_appGateway')]",
"location": "[parameters('location')]",
"properties": {
  "sku": {

"type": "Microsoft.Network/applicationGateways",
"location": "[parameters('location')]",
"dependsOn": [
  "[parameters('appGtwyPipDomainName')]"
],
"properties": {

"type":"Microsoft.Network/applicationGateways",
"dependsOn":[
  "[resourceId('Microsoft.Network/publicIPAddresses/','ag_pub_ip')]"
],
"tags":{
  "colony-space-id":"2630148b-8c7e-4003-9d3f-a646c9616009",

"type": "Microsoft.Network/applicationGateways",
"apiVersion": "2018-08-01",
"name": "[concat(variables('namespace'), 'appgateway')]",
"location": "[parameters('location')]",
"condition": "[empty(parameters('sslPfxCertificatePassword'))]",
"properties": {

"type": "Microsoft.Network/applicationGateways",
"apiVersion": "2019-06-01",
"location": "[variables('location')]",
"dependsOn": [
  "[concat('Microsoft.Network/publicIPAddresses/', variables('publicIpAddressName'))]"
],

Parameters
name (required) - string
type (required) - string
apiVersion (required) - string
location (required) - string - Resource location.
tags (optional) - string - Resource tags.
properties (required) > sku (optional) > name (optional) - string - Name of an application gateway SKU.
tier (optional) - string - Tier of an application gateway.
capacity (optional) - integer - Capacity (instance count) of an application gateway.
sslPolicy (optional) > disabledSslProtocols (optional) - array - Ssl protocols to be disabled on application gateway.
policyType (optional) - string - Type of Ssl Policy.
policyName (optional) - string - Name of Ssl predefined policy.
cipherSuites (optional) - array - Ssl cipher suites to be enabled in the specified order to application gateway.
minProtocolVersion (optional) - string - Minimum version of Ssl protocol to be supported on application gateway.
gatewayIPConfigurations (optional, array) > properties (optional) > subnet (optional) > id (required) - string - Resource ID.
name (optional) - string - Name of the IP configuration that is unique within an Application Gateway.
authenticationCertificates (optional, array) > properties (optional) > data (optional) - string - Certificate public data.
name (optional) - string - Name of the authentication certificate that is unique within an Application Gateway.
trustedRootCertificates (optional, array) > properties (optional) > data (optional) - string - Certificate public data.
keyVaultSecretId (optional) - string - Secret Id of (base-64 encoded unencrypted pfx) 'Secret' or 'Certificate' object stored in KeyVault.
name (optional) - string - Name of the trusted root certificate that is unique within an Application Gateway.
trustedClientCertificates (optional, array) > properties (optional) > data (optional) - string - Certificate public data.
name (optional) - string - Name of the trusted client certificate that is unique within an Application Gateway.
sslCertificates (optional, array) > properties (optional) > data (optional) - string - Base-64 encoded pfx certificate. Only applicable in PUT Request.
password (optional) - string - Password for the pfx file specified in data. Only applicable in PUT request.
keyVaultSecretId (optional) - string - Secret Id of (base-64 encoded unencrypted pfx) 'Secret' or 'Certificate' object stored in KeyVault.
name (optional) - string - Name of the SSL certificate that is unique within an Application Gateway.
frontendIPConfigurations (optional, array) > properties (optional) > privateIPAddress (optional) - string - PrivateIPAddress of the network interface IP Configuration.
privateIPAllocationMethod (optional) - string - The private IP address allocation method.
subnet (optional) > id (required) - string - Resource ID.
publicIPAddress (optional) > id (required) - string - Resource ID.
privateLinkConfiguration (optional) > id (required) - string - Resource ID.
name (optional) - string - Name of the frontend IP configuration that is unique within an Application Gateway.
frontendPorts (optional, array) > properties (optional) > port (optional) - integer - Frontend port.
name (optional) - string - Name of the frontend port that is unique within an Application Gateway.
probes (optional, array) > properties (optional) > protocol (optional) - string - The protocol used for the probe.
host (optional) - string - Host name to send the probe to.
path (optional) - string - Relative path of probe. Valid path starts from '/'. Probe is sent to <Protocol>://<host>:<port><path>.
interval (optional) - integer - The probing interval in seconds. This is the time interval between two consecutive probes. Acceptable values are from 1 second to 86400 seconds.
timeout (optional) - integer - The probe timeout in seconds. Probe marked as failed if valid response is not received with this timeout period. Acceptable values are from 1 second to 86400 seconds.
unhealthyThreshold (optional) - integer - The probe retry count. Backend server is marked down after consecutive probe failure count reaches UnhealthyThreshold. Acceptable values are from 1 second to 20.
pickHostNameFromBackendHttpSettings (optional) - boolean - Whether the host header should be picked from the backend http settings. Default value is false.
minServers (optional) - integer - Minimum number of servers that are always marked healthy. Default value is 0.
match (optional) > body (optional) - string - Body that must be contained in the health response. Default value is empty.
statusCodes (optional) - array - Allowed ranges of healthy status codes. Default range of healthy status codes is 200-399.
port (optional) - integer - Custom port which will be used for probing the backend servers. The valid value ranges from 1 to 65535. In case not set, port from http settings will be used. This property is valid for Standard_v2 and WAF_v2 only.
name (optional) - string - Name of the probe that is unique within an Application Gateway.
backendAddressPools (optional, array) > properties (optional) > backendAddresses (optional, array) > fqdn (optional) - string - Fully qualified domain name (FQDN).
ipAddress (optional) - string - IP address.
name (optional) - string - Name of the backend address pool that is unique within an Application Gateway.
backendHttpSettingsCollection (optional, array) > properties (optional) > port (optional) - integer - The destination port on the backend.
protocol (optional) - string - The protocol used to communicate with the backend.
cookieBasedAffinity (optional) - string - Cookie based affinity.
requestTimeout (optional) - integer - Request timeout in seconds. Application Gateway will fail the request if response is not received within RequestTimeout. Acceptable values are from 1 second to 86400 seconds.
probe (optional) > id (required) - string - Resource ID.
authenticationCertificates (optional, array) > id (required) - string - Resource ID.
trustedRootCertificates (optional, array) > id (required) - string - Resource ID.
connectionDraining (optional) > enabled (required) - boolean - Whether connection draining is enabled or not.
drainTimeoutInSec (required) - integer - The number of seconds connection draining is active. Acceptable values are from 1 second to 3600 seconds.
hostName (optional) - string - Host header to be sent to the backend servers.
pickHostNameFromBackendAddress (optional) - boolean - Whether the host header should be picked from the host name of the backend server. Default value is false.
affinityCookieName (optional) - string - Cookie name to use for the affinity cookie.
probeEnabled (optional) - boolean - Whether the probe is enabled. Default value is false.
path (optional) - string - Path which should be used as a prefix for all HTTP requests. Null means no path will be prefixed. Default value is null.
name (optional) - string - Name of the backend http settings that is unique within an Application Gateway.
httpListeners (optional, array) > properties (optional) > frontendIPConfiguration (optional) > id (required) - string - Resource ID.
frontendPort (optional) > id (required) - string - Resource ID.
protocol (optional) - string - Protocol of the HTTP listener.
hostName (optional) - string - Host name of HTTP listener.
sslCertificate (optional) > id (required) - string - Resource ID.
sslProfile (optional) > id (required) - string - Resource ID.
requireServerNameIndication (optional) - boolean - Applicable only if protocol is https. Enables SNI for multi-hosting.
customErrorConfigurations (optional, array) > statusCode (optional) - string - Status code of the application gateway customer error.
customErrorPageUrl (optional) - string - Error page URL of the application gateway customer error.
firewallPolicy (optional) > id (required) - string - Resource ID.
hostNames (optional) - array - List of Host names for HTTP Listener that allows special wildcard characters as well.
name (optional) - string - Name of the HTTP listener that is unique within an Application Gateway.
sslProfiles (optional, array) > properties (optional) > trustedClientCertificates (optional, array) > id (required) - string - Resource ID.
sslPolicy (optional) > disabledSslProtocols (optional) - array - Ssl protocols to be disabled on application gateway.
policyType (optional) - string - Type of Ssl Policy.
policyName (optional) - string - Name of Ssl predefined policy.
cipherSuites (optional) - array - Ssl cipher suites to be enabled in the specified order to application gateway.
minProtocolVersion (optional) - string - Minimum version of Ssl protocol to be supported on application gateway.
clientAuthConfiguration (optional) > verifyClientCertIssuerDN (optional) - boolean - Verify client certificate issuer name on the application gateway.
name (optional) - string - Name of the SSL profile that is unique within an Application Gateway.
urlPathMaps (optional, array) > properties (optional) > defaultBackendAddressPool (optional) > id (required) - string - Resource ID.
defaultBackendHttpSettings (optional) > id (required) - string - Resource ID.
defaultRewriteRuleSet (optional) > id (required) - string - Resource ID.
defaultRedirectConfiguration (optional) > id (required) - string - Resource ID.
pathRules (optional, array) > properties (optional) > paths (optional) - array - Path rules of URL path map.
backendAddressPool (optional) > id (required) - string - Resource ID.
backendHttpSettings (optional) > id (required) - string - Resource ID.
redirectConfiguration (optional) > id (required) - string - Resource ID.
rewriteRuleSet (optional) > id (required) - string - Resource ID.
firewallPolicy (optional) > id (required) - string - Resource ID.
name (optional) - string - Name of the path rule that is unique within an Application Gateway.
name (optional) - string - Name of the URL path map that is unique within an Application Gateway.
requestRoutingRules (optional, array) > properties (optional) > ruleType (optional) - string - Rule type.
priority (optional) - integer - Priority of the request routing rule.
backendAddressPool (optional) > id (required) - string - Resource ID.
backendHttpSettings (optional) > id (required) - string - Resource ID.
httpListener (optional) > id (required) - string - Resource ID.
urlPathMap (optional) > id (required) - string - Resource ID.
rewriteRuleSet (optional) > id (required) - string - Resource ID.
redirectConfiguration (optional) > id (required) - string - Resource ID.
name (optional) - string - Name of the request routing rule that is unique within an Application Gateway.
rewriteRuleSets (optional, array) > properties (optional) > rewriteRules (optional, array) > name (optional) - string - Name of the rewrite rule that is unique within an Application Gateway.
ruleSequence (optional) - integer - Rule Sequence of the rewrite rule that determines the order of execution of a particular rule in a RewriteRuleSet.
conditions (optional, array) > variable (optional) - string - The condition parameter of the RewriteRuleCondition.
pattern (optional) - string - The pattern, either fixed string or regular expression, that evaluates the truthfulness of the condition.
ignoreCase (optional) - boolean - Setting this parameter to a truth value will force the pattern to do a case-insensitive comparison.
negate (optional) - boolean - Setting this value as truth will force to check the negation of the condition given by the user.
actionSet (optional) > requestHeaderConfigurations (optional, array) > headerName (optional) - string - Header name of the header configuration.
headerValue (optional) - string - Header value of the header configuration.
responseHeaderConfigurations (optional, array) > headerName (optional) - string - Header name of the header configuration.
headerValue (optional) - string - Header value of the header configuration.
urlConfiguration (optional) > modifiedPath (optional) - string - Url path which user has provided for url rewrite. Null means no path will be updated. Default value is null.
modifiedQueryString (optional) - string - Query string which user has provided for url rewrite. Null means no query string will be updated. Default value is null.
reroute (optional) - boolean - If set as true, it will re-evaluate the url path map provided in path based request routing rules using modified path. Default value is false.
name (optional) - string - Name of the rewrite rule set that is unique within an Application Gateway.
redirectConfigurations (optional, array) > properties (optional) > redirectType (optional) - string - HTTP redirection type.
targetListener (optional) > id (required) - string - Resource ID.
targetUrl (optional) - string - Url to redirect the request to.
includePath (optional) - boolean - Include path in the redirected url.
includeQueryString (optional) - boolean - Include query string in the redirected url.
requestRoutingRules (optional, array) > id (required) - string - Resource ID.
urlPathMaps (optional, array) > id (required) - string - Resource ID.
pathRules (optional, array) > id (required) - string - Resource ID.
name (optional) - string - Name of the redirect configuration that is unique within an Application Gateway.
webApplicationFirewallConfiguration (optional) > enabled (required) - boolean - Whether the web application firewall is enabled or not.
firewallMode (required) - string - Web application firewall mode.
ruleSetType (required) - string - The type of the web application firewall rule set. Possible values are: 'OWASP'.
ruleSetVersion (required) - string - The version of the rule set type.
disabledRuleGroups (optional, array) > ruleGroupName (required) - string - The name of the rule group that will be disabled.
rules (optional) - array - The list of rules that will be disabled. If null, all rules of the rule group will be disabled.
requestBodyCheck (optional) - boolean - Whether to allow WAF to check the request body.
maxRequestBodySize (optional) - integer - Maximum request body size for WAF.
maxRequestBodySizeInKb (optional) - integer - Maximum request body size in Kb for WAF.
fileUploadLimitInMb (optional) - integer - Maximum file upload size in Mb for WAF.
exclusions (optional, array) > matchVariable (required) - string - The variable to be excluded.
selectorMatchOperator (required) - string - When matchVariable is a collection, operate on the selector to specify which elements in the collection this exclusion applies to.
selector (required) - string - When matchVariable is a collection, operator used to specify which elements in the collection this exclusion applies to.
firewallPolicy (optional) > id (required) - string - Resource ID.
enableHttp2 (optional) - boolean - Whether HTTP2 is enabled on the application gateway resource.
enableFips (optional) - boolean - Whether FIPS is enabled on the application gateway resource.
autoscaleConfiguration (optional) > minCapacity (required) - integer - Lower bound on number of Application Gateway capacity.
maxCapacity (optional) - integer - Upper bound on number of Application Gateway capacity.
privateLinkConfigurations (optional, array) > properties (optional) > ipConfigurations (optional, array) > properties (optional) > privateIPAddress (optional) - string - The private IP address of the IP configuration.
privateIPAllocationMethod (optional) - string - The private IP address allocation method.
subnet (optional) > id (required) - string - Resource ID.
primary (optional) - boolean - Whether the ip configuration is primary or not.
name (optional) - string - The name of application gateway private link ip configuration.
name (optional) - string - Name of the private link configuration that is unique within an Application Gateway.
customErrorConfigurations (optional, array) > statusCode (optional) - string - Status code of the application gateway customer error.
customErrorPageUrl (optional) - string - Error page URL of the application gateway customer error.
forceFirewallPolicyAssociation (optional) - boolean - If true, associates a firewall policy with an application gateway regardless of whether the policy differs from the WAF Config.
zones (optional) - array - A list of availability zones denoting where the resource needs to come from.
identity (optional) > type (optional) - string - The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the virtual machine.
userAssignedIdentities (optional) - undefined - The list of user identities associated with resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.
Frequently asked questions
What is Azure Network Interface Application Gateway Backend Address Pool Association?
Azure Network Interface Application Gateway Backend Address Pool Association is a resource for Network of Microsoft Azure. Settings can be written in Terraform.
Where can I find the example code for the Azure Network Interface Application Gateway Backend Address Pool Association?
For Terraform, the Manuss20/azure.samples, makevoid/azure-terraform-swarm-template and kevinhead/azurerm source code examples are useful. See the Terraform Example section for further details.
For Azure Resource Manager, the RaymondHartog/init-yapl-demo, RaymondHartog/init-yapl-demo and Mski89/Nested source code examples are useful. See the Azure Resource Manager Example section for further details.