Merge pull request #109225 from vhorne/waf-qs-arm

megvanhuygen · web-flow · commit 131d5fb07577 · 2020-04-02T15:19:53.000-07:00
start arm qs deployment
diff --git a/articles/web-application-firewall/ag/quick-create-template.md b/articles/web-application-firewall/ag/quick-create-template.md
@@ -0,0 +1,94 @@
+---
+title: 'Quickstart: Create an Azure WAF v2 on Application Gateway - Resource Manager template'
+titleSuffix: Azure Application Gateway
+description: Learn how to use a Resource Manager template to create a Web Application Firewall v2 on Azure Application Gateway.
+services: web-application-firewall
+author: vhorne
+ms.service: web-application-firewall
+ms.topic: quickstart
+ms.date: 04/02/2020
+ms.author: victorh
+---
+
+# Quickstart: Create an Azure WAF v2 on Application Gateway - Resource Manager template
+
+In this quickstart, you use a Resource Manager template to create an Azure Web Application Firewall v2 on Application Gateway.
+
+[!INCLUDE [About Azure Resource Manager](../../../includes/resource-manager-quickstart-introduction.md)]
+
+[!INCLUDE [updated-for-az](../../../includes/updated-for-az.md)]
+
+## Prerequisites
+
+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+
+## Create a Web Application Firewall
+
+This template creates a simple Web Application Firewall v2 on Azure Application Gateway. This includes a public IP frontend IP address, HTTP settings, a rule with a basic listener on port 80, and a backend pool. A WAF policy with a custom rule is created to block traffic to the backend pool based on an IP address match type.
+
+### Review the template
+
+The template used in this quickstart is from [Azure Quickstart templates](https://github.com/Azure/azure-quickstart-templates/blob/master/ag-docs-wafv2/azuredeploy.json)
+
+:::code language="json" source="~/quickstart-templates/ag-docs-wafv2/azuredeploy.json" range="001-404" highlight="314-358":::
+
+Multiple Azure resources are defined in the template:
+
+- [**Microsoft.Network/applicationgateways**](/azure/templates/microsoft.network/applicationgateways)
+- [**Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies**](/azure/templates/microsoft.network/ApplicationGatewayWebApplicationFirewallPolicies)
+- [**Microsoft.Network/publicIPAddresses**](/azure/templates/microsoft.network/publicipaddresses) : one for the application gateway, and two for the virtual machines.
+- [**Microsoft.Network/networkSecurityGroups**](/azure/templates/microsoft.network/networksecuritygroups)
+- [**Microsoft.Network/virtualNetworks**](/azure/templates/microsoft.network/virtualnetworks)
+- [**Microsoft.Compute/virtualMachines**](/azure/templates/microsoft.compute/virtualmachines) : two virtual machines
+- [**Microsoft.Network/networkInterfaces**](/azure/templates/microsoft.network/networkinterfaces) : two for the virtual machines
+- [**Microsoft.Compute/virtualMachine/extensions**](/azure/templates/microsoft.compute/virtualmachines/extensions) : to configure IIS and the web pages
+
+### Deploy the template
+
+Deploy Resource Manager template to Azure:
+
+1. Select **Deploy to Azure** to sign in to Azure and open the template. The template creates an application gateway, the network infrastructure, and two virtual machines in the backend pool running IIS.
+
+   <a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fag-docs-wafv2%2Fazuredeploy.json"><img src="../media/quick-create-template/deploy-to-azure.png" alt="deploy to azure"/></a>
+
+2. Select or create your resource group.
+3. Select **I agree to the terms and conditions stated above** and then select **Purchase**. The deployment can take 10 minutes or longer to complete.
+
+## Validate the deployment
+
+Although IIS isn't required to create the application gateway, it's installed on the backend servers to verify if Azure successfully created a WAF v2 on the application gateway. 
+
+Use IIS to test the application gateway:
+
+1. Find the public IP address for the application gateway on its **Overview** page.![Record application gateway public IP address](../../application-gateway/media/application-gateway-create-gateway-portal/application-gateway-record-ag-address.png) Or, you can select **All resources**, enter *myAGPublicIPAddress* in the search box, and then select it in the search results. Azure displays the public IP address on the **Overview** page.
+2. Copy the public IP address, and then paste it into the address bar of your browser to browse that IP address.
+3. Check the response. A **403 Forbidden** response verifies that the WAF was successfully created and is blocking connections to the backend pool.
+4. Change the custom rule to **Allow traffic**.
+  Run the following Azure PowerShell script, replacing your resource group name:
+   ```azurepowershell
+   $rg = <your resource group name>
+   $AppGW = Get-AzApplicationGateway -Name myAppGateway -ResourceGroupName $rg
+   $pol = Get-AzApplicationGatewayFirewallPolicy -Name WafPol01 -ResourceGroupName $rg
+   $pol[0].customrules[0].action = "allow"
+   $rule = $pol.CustomRules
+   Set-AzApplicationGatewayFirewallPolicy -Name WafPol01 -ResourceGroupName $rg -CustomRule $rule
+   $AppGW.FirewallPolicy = $pol
+   Set-AzApplicationGateway -ApplicationGateway $AppGW
+   ```
+
+   Refresh your browser multiple times and you should see connections to both myVM1 and myVM2.
+
+## Clean up resources
+
+When you no longer need the resources that you created with the application gateway, delete the resource group. This removes the application gateway and all the related resources.
+
+To delete the resource group, call the `Remove-AzResourceGroup` cmdlet:
+
+```azurepowershell-interactive
+Remove-AzResourceGroup -Name <your resource group name>
+```
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Tutorial: Create an application gateway with a Web Application Firewall using the Azure portal](application-gateway-web-application-firewall-portal.md)
diff --git a/articles/web-application-firewall/media/quick-create-template/deploy-to-azure.png b/articles/web-application-firewall/media/quick-create-template/deploy-to-azure.png
diff --git a/articles/web-application-firewall/toc.yml b/articles/web-application-firewall/toc.yml
@@ -18,6 +18,14 @@
     items:
     - name: Web Application Firewall on Azure CDN
       href: ./cdn/cdn-overview.md
+- name: Quickstarts
+  expanded: true
+  items:
+  - name: Application Gateway
+    items:
+     - name: Deploy WAF v2 - ARM template
+       displayName: Resource Manager
+       href: ./ag/quick-create-template.md
 - name: Tutorials
   items:
   - name: Application Gateway
