Azure Network Interface Application Gateway Backend Address Pool Association
This page shows how to write Terraform and Azure Resource Manager for Network Interface Application Gateway Backend Address Pool Association and write them securely.
azurerm_network_interface_application_gateway_backend_address_pool_association (Terraform)
The Interface Application Gateway Backend Address Pool Association in Network can be configured in Terraform with the resource name azurerm_network_interface_application_gateway_backend_address_pool_association. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "azurerm_network_interface_application_gateway_backend_address_pool_association" "nicagw" {
  network_interface_id    = azurerm_network_interface.nic.id
  ip_configuration_name   = var.name-ipconfig-nic
  backend_address_pool_id = azurerm_application_gateway.agw.backend_address_pool[0].id
}

resource "azurerm_network_interface_application_gateway_backend_address_pool_association" "dk-01-appg-be-pool-assoc-vm1" {
  network_interface_id    = azurerm_network_interface.dk-01-vm1-net-interface.id
  ip_configuration_name   = azurerm_network_interface.dk-01-vm1-net-interface.ip_configuration[0].name
  backend_address_pool_id = azurerm_application_gateway.dk-01-appg.backend_address_pool[0].id
}

resource "azurerm_network_interface_application_gateway_backend_address_pool_association" "this" {
  backend_address_pool_id = var.backend_address_pool_id
  ip_configuration_name   = var.ip_configuration_name
  network_interface_id    = var.network_interface_id
  dynamic "timeouts" {

resource "azurerm_network_interface_application_gateway_backend_address_pool_association" "this" {
  backend_address_pool_id = var.backend_address_pool_id
  ip_configuration_name   = var.ip_configuration_name
  network_interface_id    = var.network_interface_id
  dynamic "timeouts" {

resource "azurerm_network_interface_application_gateway_backend_address_pool_association" "example" {
  network_interface_id    = azurerm_network_interface.net-interface.id
  ip_configuration_name   = "dev-webserver"
  backend_address_pool_id = var.backend_address_pool_id
}

resource "azurerm_network_interface_application_gateway_backend_address_pool_association" "app" {
  network_interface_id    = azurerm_network_interface.app.id
  ip_configuration_name   = "ipconfig"
  backend_address_pool_id = azurerm_application_gateway.agw.backend_address_pool[0].id
}

resource "azurerm_network_interface_application_gateway_backend_address_pool_association" "example" {
  network_interface_id    = var.nic_id
  ip_configuration_name   = var.ipconfig_name
  backend_address_pool_id = var.appgw_beid
}

resource "azurerm_network_interface_application_gateway_backend_address_pool_association" "example" {
  network_interface_id    = var.nic_id
  ip_configuration_name   = var.ipconfig_name
  backend_address_pool_id = var.appgw_beid
}

resource "azurerm_network_interface_application_gateway_backend_address_pool_association" "example" {
  network_interface_id    = var.nic_id
  ip_configuration_name   = var.ipconfig_name
  backend_address_pool_id = var.appgw_beid
}

resource "azurerm_network_interface_application_gateway_backend_address_pool_association" "nic" {
  for_each = ({
    for k, v in local.vm_nic_keys :
    k => v
    if v.app_gw_enabled
  })
Parameters
backend_address_pool_id (required, string)
id (optional, computed, string)
ip_configuration_name (required, string)
network_interface_id (required, string)
timeouts (single block)
Explanation in Terraform Registry
Manages the association between a Network Interface and an Application Gateway's Backend Address Pool.
Tips: Best Practices for The Other Azure Network Resources
In addition to azurerm_network_security_group, Azure Network has other resources that should be configured with security in mind. The following are examples of those resources and the precautions to take.
azurerm_network_security_group
Ensure the RDP port is closed to the Internet
It is better to close the RDP port to the Internet. RDP access should not be accepted from the Internet (*, 0.0.0.0, /0, internet, any); consider using the Azure Bastion Service instead.
azurerm_network_security_rule
Ensure ingress from the Internet uses a more restrictive CIDR range
It is better to set a more restrictive CIDR range and avoid very broad subnets. If possible, segments should be divided into smaller subnets.
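The two network security tips above as Terraform, in an added example that is not taken from the page's GitHub samples: the weak RDP rule is shown commented out beside the corrected rules, and a variable validation rejects wildcard or overly broad sources at plan time. The resource names, location, the 10.0.250.0/26 Bastion subnet and the /24 threshold are assumptions.

```hcl
# Added example: names, location, CIDR and the /24 threshold are constructed values.
provider "azurerm" {
  features {}
}

variable "bastion_subnet_cidr" {
  description = "AzureBastionSubnet CIDR allowed to reach RDP on the backend NICs."
  type        = string
  default     = "10.0.250.0/26"

  validation {
    # Must parse as a CIDR and be /24 or narrower, so "*", "Internet",
    # "Any" and 0.0.0.0/0 are all rejected at plan time.
    condition = (
      can(cidrhost(var.bastion_subnet_cidr, 0)) &&
      try(tonumber(split("/", var.bastion_subnet_cidr)[1]) >= 24, false)
    )
    error_message = "Use a CIDR of /24 or narrower, not a wildcard or service tag."
  }
}

resource "azurerm_resource_group" "example" {
  name     = "rg-appgw-backend"
  location = "westeurope"
}

resource "azurerm_network_security_group" "backend" {
  name                = "nsg-appgw-backend"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

# Weak setting, kept commented out: RDP open to every source.
#   source_address_prefix  = "*"
#   destination_port_range = "3389"
#   access                 = "Allow"

# Corrected: RDP is accepted only from the Bastion subnet.
resource "azurerm_network_security_rule" "rdp_from_bastion" {
  name                        = "allow-rdp-from-bastion"
  priority                    = 100
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = "3389"
  source_address_prefix       = var.bastion_subnet_cidr
  destination_address_prefix  = "*"
  resource_group_name         = azurerm_resource_group.example.name
  network_security_group_name = azurerm_network_security_group.backend.name
}

# Explicit deny for RDP from the Internet service tag, evaluated after the allow.
resource "azurerm_network_security_rule" "rdp_deny_internet" {
  name                        = "deny-rdp-from-internet"
  priority                    = 110
  direction                   = "Inbound"
  access                      = "Deny"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = "3389"
  source_address_prefix       = "Internet"
  destination_address_prefix  = "*"
  resource_group_name         = azurerm_resource_group.example.name
  network_security_group_name = azurerm_network_security_group.backend.name
}
```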
azurerm_network_watcher_flow_log
Ensure a retention policy is enabled for flow logs and set to a sufficient duration
It is better to enable a retention policy for flow logs. Flow logs show all network activity in the cloud environment and support the response when critical incidents occur.
Microsoft.Network/applicationGateways (Azure Resource Manager)
The applicationGateways in Microsoft.Network can be configured in Azure Resource Manager with the resource name Microsoft.Network/applicationGateways. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
"type": "Microsoft.Network/applicationGateways",
"location": "[parameters('location')]",
"dependsOn": [
  "[variables('virtualNetworkName')]",
  "[variables('publicIPAddressName')]"
],

"type": "Microsoft.Network/applicationGateways",
"location": "[parameters('location')]",
"dependsOn": [
  "[variables('virtualNetworkName')]",
  "[variables('publicIPAddressName')]"
],

"type": "Microsoft.Network/applicationGateways",
"apiVersion": "2018-12-01",
"name": "[parameters('applicationGatewayName')]",
"location": "[resourceGroup().location]",
"properties": {
  "sku": {

"type": "Microsoft.Network/applicationGateways",
"apiVersion": "2019-06-01",
"name": "[parameters('applicationGateways_sf_agt_name')]",
"location": "centralus",
"properties": {
  "provisioningState": "Succeeded",

"type": "Microsoft.Network/applicationGateways",
"apiVersion": "2019-06-01",
"name": "[variables('name_appGateway')]",
"location": "[parameters('location')]",
"properties": {
  "sku": {

"type": "Microsoft.Network/applicationGateways",
"apiVersion": "2019-06-01",
"name": "[variables('name_appGateway')]",
"location": "[parameters('location')]",
"properties": {
  "sku": {

"type": "Microsoft.Network/applicationGateways",
"location": "[parameters('location')]",
"dependsOn": [
  "[parameters('appGtwyPipDomainName')]"
],
"properties": {

"type": "Microsoft.Network/applicationGateways",
"dependsOn": [
  "[resourceId('Microsoft.Network/publicIPAddresses/','ag_pub_ip')]"
],
"tags": {
  "colony-space-id": "2630148b-8c7e-4003-9d3f-a646c9616009",

"type": "Microsoft.Network/applicationGateways",
"apiVersion": "2018-08-01",
"name": "[concat(variables('namespace'), 'appgateway')]",
"location": "[parameters('location')]",
"condition": "[empty(parameters('sslPfxCertificatePassword'))]",
"properties": {

"type": "Microsoft.Network/applicationGateways",
"apiVersion": "2019-06-01",
"location": "[variables('location')]",
"dependsOn": [
  "[concat('Microsoft.Network/publicIPAddresses/', variables('publicIpAddressName'))]"
],
Parameters
name (required, string)
type (required, string)
apiVersion (required, string)
location (required, string): Resource location.
tags (optional, string): Resource tags.
properties (required)
  sku (optional)
    name (optional, string): Name of an application gateway SKU.
    tier (optional, string): Tier of an application gateway.
    capacity (optional, integer): Capacity (instance count) of an application gateway.
  sslPolicy (optional)
    disabledSslProtocols (optional, array): Ssl protocols to be disabled on application gateway.
    policyType (optional, string): Type of Ssl Policy.
    policyName (optional, string): Name of Ssl predefined policy.
    cipherSuites (optional, array): Ssl cipher suites to be enabled in the specified order to application gateway.
    minProtocolVersion (optional, string): Minimum version of Ssl protocol to be supported on application gateway.
  gatewayIPConfigurations (optional, array)
    properties (optional)
      subnet (optional)
        id (required, string): Resource ID.
    name (optional, string): Name of the IP configuration that is unique within an Application Gateway.
  authenticationCertificates (optional, array)
    properties (optional)
      data (optional, string): Certificate public data.
    name (optional, string): Name of the authentication certificate that is unique within an Application Gateway.
  trustedRootCertificates (optional, array)
    properties (optional)
      data (optional, string): Certificate public data.
      keyVaultSecretId (optional, string): Secret Id of (base-64 encoded unencrypted pfx) 'Secret' or 'Certificate' object stored in KeyVault.
    name (optional, string): Name of the trusted root certificate that is unique within an Application Gateway.
  trustedClientCertificates (optional, array)
    properties (optional)
      data (optional, string): Certificate public data.
    name (optional, string): Name of the trusted client certificate that is unique within an Application Gateway.
  sslCertificates (optional, array)
    properties (optional)
      data (optional, string): Base-64 encoded pfx certificate. Only applicable in PUT Request.
      password (optional, string): Password for the pfx file specified in data. Only applicable in PUT request.
      keyVaultSecretId (optional, string): Secret Id of (base-64 encoded unencrypted pfx) 'Secret' or 'Certificate' object stored in KeyVault.
    name (optional, string): Name of the SSL certificate that is unique within an Application Gateway.
  frontendIPConfigurations (optional, array)
    properties (optional)
      privateIPAddress (optional, string): PrivateIPAddress of the network interface IP Configuration.
      privateIPAllocationMethod (optional, string): The private IP address allocation method.
      subnet (optional)
        id (required, string): Resource ID.
      publicIPAddress (optional)
        id (required, string): Resource ID.
      privateLinkConfiguration (optional)
        id (required, string): Resource ID.
    name (optional, string): Name of the frontend IP configuration that is unique within an Application Gateway.
  frontendPorts (optional, array)
    properties (optional)
      port (optional, integer): Frontend port.
    name (optional, string): Name of the frontend port that is unique within an Application Gateway.
  probes (optional, array)
    properties (optional)
      protocol (optional, string): The protocol used for the probe.
      host (optional, string): Host name to send the probe to.
      path (optional, string): Relative path of probe. Valid path starts from '/'. Probe is sent to <Protocol>://<host>:<port><path>.
      interval (optional, integer): The probing interval in seconds. This is the time interval between two consecutive probes. Acceptable values are from 1 second to 86400 seconds.
      timeout (optional, integer): The probe timeout in seconds. Probe marked as failed if valid response is not received with this timeout period. Acceptable values are from 1 second to 86400 seconds.
      unhealthyThreshold (optional, integer): The probe retry count. Backend server is marked down after consecutive probe failure count reaches UnhealthyThreshold. Acceptable values are from 1 second to 20.
      pickHostNameFromBackendHttpSettings (optional, boolean): Whether the host header should be picked from the backend http settings. Default value is false.
      minServers (optional, integer): Minimum number of servers that are always marked healthy. Default value is 0.
      match (optional)
        body (optional, string): Body that must be contained in the health response. Default value is empty.
        statusCodes (optional, array): Allowed ranges of healthy status codes. Default range of healthy status codes is 200-399.
      port (optional, integer): Custom port which will be used for probing the backend servers. The valid value ranges from 1 to 65535. In case not set, port from http settings will be used. This property is valid for Standard_v2 and WAF_v2 only.
    name (optional, string): Name of the probe that is unique within an Application Gateway.
  backendAddressPools (optional, array)
    properties (optional)
      backendAddresses (optional, array)
        fqdn (optional, string): Fully qualified domain name (FQDN).
        ipAddress (optional, string): IP address.
    name (optional, string): Name of the backend address pool that is unique within an Application Gateway.
  backendHttpSettingsCollection (optional, array)
    properties (optional)
      port (optional, integer): The destination port on the backend.
      protocol (optional, string): The protocol used to communicate with the backend.
      cookieBasedAffinity (optional, string): Cookie based affinity.
      requestTimeout (optional, integer): Request timeout in seconds. Application Gateway will fail the request if response is not received within RequestTimeout. Acceptable values are from 1 second to 86400 seconds.
      probe (optional)
        id (required, string): Resource ID.
      authenticationCertificates (optional, array)
        id (required, string): Resource ID.
      trustedRootCertificates (optional, array)
        id (required, string): Resource ID.
      connectionDraining (optional)
        enabled (required, boolean): Whether connection draining is enabled or not.
        drainTimeoutInSec (required, integer): The number of seconds connection draining is active. Acceptable values are from 1 second to 3600 seconds.
      hostName (optional, string): Host header to be sent to the backend servers.
      pickHostNameFromBackendAddress (optional, boolean): Whether the host header should be picked from the host name of the backend server. Default value is false.
      affinityCookieName (optional, string): Cookie name to use for the affinity cookie.
      probeEnabled (optional, boolean): Whether the probe is enabled. Default value is false.
      path (optional, string): Path which should be used as a prefix for all HTTP requests. Null means no path will be prefixed. Default value is null.
    name (optional, string): Name of the backend http settings that is unique within an Application Gateway.
  httpListeners (optional, array)
    properties (optional)
      frontendIPConfiguration (optional)
        id (required, string): Resource ID.
      frontendPort (optional)
        id (required, string): Resource ID.
      protocol (optional, string): Protocol of the HTTP listener.
      hostName (optional, string): Host name of HTTP listener.
      sslCertificate (optional)
        id (required, string): Resource ID.
      sslProfile (optional)
        id (required, string): Resource ID.
      requireServerNameIndication (optional, boolean): Applicable only if protocol is https. Enables SNI for multi-hosting.
      customErrorConfigurations (optional, array)
        statusCode (optional, string): Status code of the application gateway customer error.
        customErrorPageUrl (optional, string): Error page URL of the application gateway customer error.
      firewallPolicy (optional)
        id (required, string): Resource ID.
      hostNames (optional, array): List of Host names for HTTP Listener that allows special wildcard characters as well.
    name (optional, string): Name of the HTTP listener that is unique within an Application Gateway.
  sslProfiles (optional, array)
    properties (optional)
      trustedClientCertificates (optional, array)
        id (required, string): Resource ID.
      sslPolicy (optional)
        disabledSslProtocols (optional, array): Ssl protocols to be disabled on application gateway.
        policyType (optional, string): Type of Ssl Policy.
        policyName (optional, string): Name of Ssl predefined policy.
        cipherSuites (optional, array): Ssl cipher suites to be enabled in the specified order to application gateway.
        minProtocolVersion (optional, string): Minimum version of Ssl protocol to be supported on application gateway.
      clientAuthConfiguration (optional)
        verifyClientCertIssuerDN (optional, boolean): Verify client certificate issuer name on the application gateway.
    name (optional, string): Name of the SSL profile that is unique within an Application Gateway.
  urlPathMaps (optional, array)
    properties (optional)
      defaultBackendAddressPool (optional)
        id (required, string): Resource ID.
      defaultBackendHttpSettings (optional)
        id (required, string): Resource ID.
      defaultRewriteRuleSet (optional)
        id (required, string): Resource ID.
      defaultRedirectConfiguration (optional)
        id (required, string): Resource ID.
      pathRules (optional, array)
        properties (optional)
          paths (optional, array): Path rules of URL path map.
          backendAddressPool (optional)
            id (required, string): Resource ID.
          backendHttpSettings (optional)
            id (required, string): Resource ID.
          redirectConfiguration (optional)
            id (required, string): Resource ID.
          rewriteRuleSet (optional)
            id (required, string): Resource ID.
          firewallPolicy (optional)
            id (required, string): Resource ID.
        name (optional, string): Name of the path rule that is unique within an Application Gateway.
    name (optional, string): Name of the URL path map that is unique within an Application Gateway.
  requestRoutingRules (optional, array)
    properties (optional)
      ruleType (optional, string): Rule type.
      priority (optional, integer): Priority of the request routing rule.
      backendAddressPool (optional)
        id (required, string): Resource ID.
      backendHttpSettings (optional)
        id (required, string): Resource ID.
      httpListener (optional)
        id (required, string): Resource ID.
      urlPathMap (optional)
        id (required, string): Resource ID.
      rewriteRuleSet (optional)
        id (required, string): Resource ID.
      redirectConfiguration (optional)
        id (required, string): Resource ID.
    name (optional, string): Name of the request routing rule that is unique within an Application Gateway.
  rewriteRuleSets (optional, array)
    properties (optional)
      rewriteRules (optional, array)
        name (optional, string): Name of the rewrite rule that is unique within an Application Gateway.
        ruleSequence (optional, integer): Rule Sequence of the rewrite rule that determines the order of execution of a particular rule in a RewriteRuleSet.
        conditions (optional, array)
          variable (optional, string): The condition parameter of the RewriteRuleCondition.
          pattern (optional, string): The pattern, either fixed string or regular expression, that evaluates the truthfulness of the condition.
          ignoreCase (optional, boolean): Setting this parameter to a truth value will force the pattern to do a case-insensitive comparison.
          negate (optional, boolean): Setting this value as truth will force to check the negation of the condition given by the user.
        actionSet (optional)
          requestHeaderConfigurations (optional, array)
            headerName (optional, string): Header name of the header configuration.
            headerValue (optional, string): Header value of the header configuration.
          responseHeaderConfigurations (optional, array)
            headerName (optional, string): Header name of the header configuration.
            headerValue (optional, string): Header value of the header configuration.
          urlConfiguration (optional)
            modifiedPath (optional, string): Url path which user has provided for url rewrite. Null means no path will be updated. Default value is null.
            modifiedQueryString (optional, string): Query string which user has provided for url rewrite. Null means no query string will be updated. Default value is null.
            reroute (optional, boolean): If set as true, it will re-evaluate the url path map provided in path based request routing rules using modified path. Default value is false.
    name (optional, string): Name of the rewrite rule set that is unique within an Application Gateway.
  redirectConfigurations (optional, array)
    properties (optional)
      redirectType (optional, string): HTTP redirection type.
      targetListener (optional)
        id (required, string): Resource ID.
      targetUrl (optional, string): Url to redirect the request to.
      includePath (optional, boolean): Include path in the redirected url.
      includeQueryString (optional, boolean): Include query string in the redirected url.
      requestRoutingRules (optional, array)
        id (required, string): Resource ID.
      urlPathMaps (optional, array)
        id (required, string): Resource ID.
      pathRules (optional, array)
        id (required, string): Resource ID.
    name (optional, string): Name of the redirect configuration that is unique within an Application Gateway.
  webApplicationFirewallConfiguration (optional)
    enabled (required, boolean): Whether the web application firewall is enabled or not.
    firewallMode (required, string): Web application firewall mode.
    ruleSetType (required, string): The type of the web application firewall rule set. Possible values are: 'OWASP'.
    ruleSetVersion (required, string): The version of the rule set type.
    disabledRuleGroups (optional, array)
      ruleGroupName (required, string): The name of the rule group that will be disabled.
      rules (optional, array): The list of rules that will be disabled. If null, all rules of the rule group will be disabled.
    requestBodyCheck (optional, boolean): Whether to allow WAF to check the request body.
    maxRequestBodySize (optional, integer): Maximum request body size for WAF.
    maxRequestBodySizeInKb (optional, integer): Maximum request body size in Kb for WAF.
    fileUploadLimitInMb (optional, integer): Maximum file upload size in Mb for WAF.
    exclusions (optional, array)
      matchVariable (required, string): The variable to be excluded.
      selectorMatchOperator (required, string): When matchVariable is a collection, operate on the selector to specify which elements in the collection this exclusion applies to.
      selector (required, string): When matchVariable is a collection, operator used to specify which elements in the collection this exclusion applies to.
  firewallPolicy (optional)
    id (required, string): Resource ID.
  enableHttp2 (optional, boolean): Whether HTTP2 is enabled on the application gateway resource.
  enableFips (optional, boolean): Whether FIPS is enabled on the application gateway resource.
  autoscaleConfiguration (optional)
    minCapacity (required, integer): Lower bound on number of Application Gateway capacity.
    maxCapacity (optional, integer): Upper bound on number of Application Gateway capacity.
  privateLinkConfigurations (optional, array)
    properties (optional)
      ipConfigurations (optional, array)
        properties (optional)
          privateIPAddress (optional, string): The private IP address of the IP configuration.
          privateIPAllocationMethod (optional, string): The private IP address allocation method.
          subnet (optional)
            id (required, string): Resource ID.
          primary (optional, boolean): Whether the ip configuration is primary or not.
        name (optional, string): The name of application gateway private link ip configuration.
    name (optional, string): Name of the private link configuration that is unique within an Application Gateway.
  customErrorConfigurations (optional, array)
    statusCode (optional, string): Status code of the application gateway customer error.
    customErrorPageUrl (optional, string): Error page URL of the application gateway customer error.
  forceFirewallPolicyAssociation (optional, boolean): If true, associates a firewall policy with an application gateway regardless whether the policy differs from the WAF Config.
zones (optional, array): A list of availability zones denoting where the resource needs to come from.
identity (optional)
  type (optional, string): The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the virtual machine.
  userAssignedIdentities (optional, undefined): The list of user identities associated with resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.
Frequently asked questions
What is Azure Network Interface Application Gateway Backend Address Pool Association?
Azure Network Interface Application Gateway Backend Address Pool Association is a resource for Network of Microsoft Azure. Settings can be written in Terraform.
Where can I find the example code for the Azure Network Interface Application Gateway Backend Address Pool Association?
For Terraform, the Manuss20/azure.samples, makevoid/azure-terraform-swarm-template and kevinhead/azurerm source code examples are useful. See the Terraform Example section for further details.
For Azure Resource Manager, the RaymondHartog/init-yapl-demo, RaymondHartog/init-yapl-demo and Mski89/Nested source code examples are useful. See the Azure Resource Manager Example section for further details.