Azure Application Gateway
Author: b | 2025-04-24
A functioning Azure Application Gateway. See Direct web traffic with Azure Application Gateway - Azure CLI.

Enable private connectivity to Azure Application Gateway. Follow the steps in Configure Azure Application Gateway Private Link, skipping the last step of creating a

Create an Azure Application Gateway v2: This template creates an Azure Application Gateway with two Windows Server 2025 servers in the backend pool.

Create an Azure WAF v2 on Azure Application Gateway: This template creates an Azure Web Application Firewall v2 on Azure Application Gateway with two Windows Server 2025 servers in the backend pool.
azure-content/articles/application-gateway/application-gateway
Tutorial: Enable the ingress controller add-on for a new AKS cluster with a new application gateway instance
Article 02/04/2025

You can use the Azure CLI to enable the application gateway ingress controller (AGIC) add-on for a new Azure Kubernetes Services (AKS) cluster.

In this tutorial, you'll create an AKS cluster with the AGIC add-on enabled. Creating the cluster will automatically create an Azure application gateway instance to use. You'll then deploy a sample application that will use the add-on to expose the application through application gateway.

The add-on provides a much faster way to deploy AGIC for your AKS cluster than previously through Helm. It also offers a fully managed experience.

In this tutorial, you learn how to:
- Create a resource group.
- Create a new AKS cluster with the AGIC add-on enabled.
- Deploy a sample application by using AGIC for ingress on the AKS cluster.
- Check that the application is reachable through application gateway.

If you don't have an Azure subscription, create an Azure free account before you begin.

Prerequisites

Use the Bash environment in Azure Cloud Shell. For more information, see Quickstart for Bash in Azure Cloud Shell.

If you prefer to run CLI reference commands locally, install the Azure CLI. If you're running on Windows or macOS, consider running Azure CLI in a Docker container. For more information, see How to run the Azure CLI in a Docker container.

If you're using a local installation, sign in to the Azure CLI by using the az login command. To finish the authentication process, follow the steps displayed in your terminal. For other sign-in options, see Sign in with the Azure CLI.

When you're prompted, install the Azure CLI extension on first use.
For more information about extensions, see Use extensions with the Azure CLI.

Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.

Create a resource group

In Azure, you allocate related resources to a resource group. Create a resource group by using az group create.

Create and use Web Application Firewall v2 custom rules on Application Gateway
Article 04/06/2023

The Web Application Firewall (WAF) v2 on Azure Application Gateway provides protection for web applications. This protection is provided by the Open Web Application Security Project (OWASP) Core Rule Set (CRS). In some cases, you may need to create your own custom rules to meet your specific needs. For more information about WAF custom rules, see Custom web application firewall rules overview.

This article shows you some example custom rules that you can create and use with your v2 WAF. To learn how to deploy a WAF with a custom rule using Azure PowerShell, see Configure Web Application Firewall custom rules using Azure PowerShell.

The JSON snippets shown in this article are derived from an ApplicationGatewayWebApplicationFirewallPolicies resource.

Note: If your application gateway is not using the WAF tier, the option to upgrade the application gateway to the WAF tier appears in the right pane.

Example 1

You know there's a bot named evilbot that you want to block from crawling your website. In this case, you block on the User-Agent evilbot in the request headers.

Logic: p

# Match variable: the User-Agent request header
$variable = New-AzApplicationGatewayFirewallMatchVariable `
    -VariableName RequestHeaders `
    -Selector User-Agent

# Condition: header value contains "evilbot" after lowercasing, so casing does not matter
$condition = New-AzApplicationGatewayFirewallCondition `
    -MatchVariable $variable `
    -Operator Contains `
    -MatchValue "evilbot" `
    -Transform Lowercase `
    -NegationCondition $False

# Rule: priority 2 match rule; the action follows the stated intent to block
$rule = New-AzApplicationGatewayFirewallCustomRule `
    -Name blockEvilBot `
    -Priority 2 `
    -RuleType MatchRule `
    -MatchCondition $condition `
    -Action Block
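To see how the pieces of Example 1 combine at evaluation time (transform applied to the request value, negation, priority order, Block/Allow ending evaluation), here is an added Python model of a MatchRule custom rule; it is not code from the article or from the Az PowerShell module, and the request dictionaries it consumes are constructed stand-ins for real requests.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed model of a WAF v2 custom rule (RuleType MatchRule), mirroring the
# PowerShell objects in Example 1: match variable -> condition -> rule.
@dataclass
class MatchCondition:
    variable: str                 # -VariableName, e.g. "RequestHeaders"
    selector: str                 # -Selector, e.g. "User-Agent"
    operator: str                 # -Operator: Contains, Equal, BeginsWith, EndsWith, Regex
    match_values: List[str]       # -MatchValue
    transforms: List[str] = field(default_factory=list)  # -Transform, applied to request value
    negate: bool = False          # -NegationCondition

@dataclass
class CustomRule:
    name: str
    priority: int                 # lower number is evaluated first
    action: str                   # Block, Allow or Log
    conditions: List[MatchCondition]

TRANSFORMS = {"Lowercase": str.lower, "Trim": str.strip,
              "RemoveNulls": lambda v: v.replace("\x00", "")}
OPERATORS = {"Contains": lambda s, n: n in s,
             "Equal": lambda s, n: s == n,
             "BeginsWith": lambda s, n: s.startswith(n),
             "EndsWith": lambda s, n: s.endswith(n),
             "Regex": lambda s, n: re.search(n, s) is not None}

def condition_matches(cond: MatchCondition, request: Dict[str, Dict[str, str]]) -> bool:
    subject = request.get(cond.variable, {}).get(cond.selector, "")
    for t in cond.transforms:     # transforms change the request value, not -MatchValue
        subject = TRANSFORMS[t](subject)
    hit = any(OPERATORS[cond.operator](subject, v) for v in cond.match_values)
    return hit != cond.negate     # -NegationCondition $True inverts the result

def evaluate(rules: List[CustomRule], request: Dict[str, Dict[str, str]]) -> str:
    """Custom rules run before the managed CRS rules in ascending priority order;
    the first matching Block/Allow rule decides, a matching Log rule only records."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.action != "Log" and all(condition_matches(c, request) for c in rule.conditions):
            return rule.action
    return "ManagedRules"         # no decisive custom rule: fall through to the CRS

def block_evil_bot(with_lowercase: bool = True) -> CustomRule:
    """The page's blockEvilBot rule; with_lowercase=False omits -Transform Lowercase."""
    cond = MatchCondition("RequestHeaders", "User-Agent", "Contains", ["evilbot"],
                          ["Lowercase"] if with_lowercase else [])
    return CustomRule("blockEvilBot", priority=2, action="Block", conditions=[cond])
```

Running the rule with and without the Lowercase transform against a User-Agent of "EvilBot/2.1" shows why the transform is part of the example: only the transformed comparison blocks.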
2025-04-12

ID, and the Microsoft application ID. To prevent this, modify your profile configuration .xml file to include both the custom application ID and the Microsoft application ID.

Note: This step is necessary for P2S gateway configurations that use a custom audience value and your registered app is associated with the Microsoft-registered Azure VPN Client app ID. If this doesn't apply to your P2S gateway configuration, you can skip this step.

To modify the Azure VPN Client configuration .xml file, open the file using a text editor such as Notepad. Next, add the value for applicationid and save your changes. The following example shows the application ID value c632b3df-fb67-4d84-bdcf-b95ad541b5c8.

Example: {customAudienceID} ID value}/ ID value}/ c632b3df-fb67-4d84-bdcf-b95ad541b5c8

Import VPN client profile configuration files

Note: We're in the process of changing the Azure VPN Client fields for Azure Active Directory to Microsoft Entra ID. If you see Microsoft Entra ID fields referenced in this article, but don't yet see those values reflected in the client, select the comparable Azure Active Directory values.

On the Azure VPN Client page, select Import. Navigate to the folder containing the file that you want to import, select it, then click Open. On this screen, notice the connection values are populated using the values in the imported VPN client configuration file. Verify that the Certificate Information value shows DigiCert Global Root G2, rather than the default or blank. Adjust the value if necessary. Notice the Client Authentication values align with the values that were used to configure the VPN gateway for Microsoft Entra ID authentication. This field must reflect the
2025-04-19

Create a resource group by using az group create. The following example creates a resource group named myResourceGroup in the East US location (region):

az group create --name myResourceGroup --location eastus

Deploy an AKS cluster with the add-on enabled

You'll now deploy a new AKS cluster with the AGIC add-on enabled. If you don't provide an existing application gateway instance to use in this process, you'll automatically create and set up a new application gateway instance to serve traffic to the AKS cluster.

Note: The application gateway ingress controller add-on supports only application gateway v2 SKUs (Standard and WAF), and not the application gateway v1 SKUs. When you're deploying a new application gateway instance through the AGIC add-on, you can deploy only an application gateway Standard_v2 SKU. If you want to enable the add-on for an application gateway WAF_v2 SKU, use either of these methods:
- Enable WAF on application gateway through the portal.
- Create the WAF_v2 application gateway instance first, and then follow instructions on how to enable the AGIC add-on with an existing AKS cluster and existing application gateway instance.

In the following example, you'll deploy a new AKS cluster named myCluster by using Azure CNI and managed identities. The AGIC add-on will be enabled in the resource group that you created, myResourceGroup.

Deploying a new AKS cluster with the AGIC add-on enabled without specifying an existing application gateway instance will automatically create a Standard_v2 SKU application gateway instance. You'll need to specify a name and subnet address space for the new application gateway instance. The address space must be from the 10.224.0.0/12 prefix used by the AKS virtual network without overlapping with the 10.224.0.0/16 prefix used by the AKS subnet. In this tutorial, use myApplicationGateway for the application gateway name and 10.225.0.0/16 for its subnet address space.

az aks create -n myCluster -g myResourceGroup --network-plugin azure --enable-managed-identity -a ingress-appgw --appgw-name myApplicationGateway --appgw-subnet-cidr "10.225.0.0/16" --generate-ssh-keys

Note: Please ensure the identity used by AGIC has the proper permissions. A list of permissions needed by the identity can be found here: Configure Infrastructure - Permissions. If a custom role is not defined with the required permissions, you may use the Network Contributor role.

# Get application gateway id from AKS addon profile
appGatewayId=$(az aks
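The tutorial states two constraints on the application gateway subnet (inside the 10.224.0.0/12 VNet prefix, not overlapping the 10.224.0.0/16 node subnet) but az aks create only reports a violation after the deployment has started. The following Python helper, an added example that is not part of the tutorial or the Azure CLI, checks a candidate --appgw-subnet-cidr value against those constraints before the command is built; the prefixes are the ones the tutorial gives.

```python
import ipaddress
from typing import List

# Prefixes stated in the tutorial: the AKS VNet and the AKS node subnet inside it.
AKS_VNET = ipaddress.ip_network("10.224.0.0/12")
AKS_SUBNET = ipaddress.ip_network("10.224.0.0/16")

def check_appgw_subnet_cidr(cidr: str) -> List[str]:
    """Return the constraints that `cidr` violates; an empty list means it is usable
    as --appgw-subnet-cidr for the new application gateway subnet."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)   # strict: host bits must be zero
    except ValueError as exc:
        return [f"not a valid network CIDR: {exc}"]
    if net.version != AKS_VNET.version:
        return [f"{net} is not an IPv4 prefix like the AKS VNet {AKS_VNET}"]
    problems = []
    if not net.subnet_of(AKS_VNET):
        problems.append(f"{net} is not inside the AKS VNet prefix {AKS_VNET}")
    if net.overlaps(AKS_SUBNET):
        problems.append(f"{net} overlaps the AKS node subnet {AKS_SUBNET}")
    return problems

def aks_create_command(cluster: str, rg: str, appgw_name: str, cidr: str) -> str:
    """Build the tutorial's az aks create command, refusing a CIDR that fails the check."""
    problems = check_appgw_subnet_cidr(cidr)
    if problems:
        raise ValueError("; ".join(problems))
    return (f"az aks create -n {cluster} -g {rg} --network-plugin azure "
            f"--enable-managed-identity -a ingress-appgw --appgw-name {appgw_name} "
            f'--appgw-subnet-cidr "{cidr}" --generate-ssh-keys')
```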
2025-04-19

Group. You can configure the default group using az configure --defaults group=.

Optional Parameters
- --aad-admin-group-object-ids: Comma-separated list of aad group object IDs that will be set as cluster admin.
- The ID of an Azure Active Directory tenant.
- The name of a subnet in an existing VNet into which to deploy the virtual nodes.
- User account to create on node VMs for SSH access.
- Comma-separated key-value pairs to specify custom headers.
- Resource ID of Azure Monitor Private Link scope for Monitoring Addon.
- --api-server-authorized-ip-ranges: Comma-separated list of authorized apiserver IP ranges. Set to 0.0.0.0/32 to restrict apiserver traffic to node pools.
- Resource Id of an existing Application Gateway to use with AGIC. Use with ingress-azure addon.
- Name of the application gateway to create/use in the node resource group. Use with ingress-azure addon.
- Subnet CIDR to use for a new subnet created to deploy the Application Gateway. Use with ingress-azure addon.
- Resource Id of an existing Subnet used to deploy the Application Gateway. Use with ingress-azure addon.
- Specify the namespace, which AGIC should watch. This could be a single string value, or a comma-separated list of namespaces.
- Specify an existing user assigned identity for control plane's usage in order to manage cluster resource group.
- --assign-kubelet-identity: Specify an existing user assigned identity for kubelet's usage, which is typically used to pull image from ACR.
- Grant the 'acrpull' role assignment to the ACR specified by name or resource ID.
- Specify the upgrade channel for autoupgrade. Accepted values: node-image, none, patch, rapid, stable
- --azure-keyvault-kms-key-id: Identifier of Azure Key Vault key.
- --azure-keyvault-kms-key-vault-network-access: Network Access of Azure Key Vault. Allowed values are "Public", "Private". If not set, defaults to type "Public". Requires --azure-keyvault-kms-key-id to be used. Accepted values: Private, Public
- --azure-keyvault-kms-key-vault-resource-id: Resource ID of Azure Key Vault.
- --azure-monitor-workspace-resource-id: Resource ID of the Azure Monitor Workspace.
- --cluster-autoscaler-profile --ca-profile: Comma-separated list of key=value pairs for configuring cluster autoscaler. Pass an empty string to clear the profile.
- Secret associated with the service principal. This argument is required if --service-principal is specified.
- The crg id used to associate the new cluster with the existed Capacity Reservation Group resource.
- --data-collection-settings: Path to JSON file containing data collection settings for Monitoring addon.
- Path to JSON file containing Microsoft Defender profile configurations.
- --disable-acns-observability: Used to disable advanced networking observability features on a cluster when enabling advanced networking features with "--enable-acns".
- Used to disable advanced networking security features on a cluster when enabling advanced networking features with "--enable-acns".
- Disable AzureDisk CSI Driver.
- Disable AzureFile CSI Driver.
- If set to true, getting static credential will be disabled for this cluster.
- Disable public fqdn feature for private cluster.
- Disable Kubernetes Role-Based Access Control.
- --disable-snapshot-controller: Disable CSI Snapshot Controller.
- Prefix for hostnames that are created. If not specified, generate a hostname using
2025-04-24

configure --defaults group=.

Optional Parameters
- Send custom headers. When specified, format should be Key1=Value1,Key2=Value2.
- Resource ID of Azure Monitor Private Link scope for Monitoring Addon.
- Resource Id of an existing Application Gateway to use with AGIC. Use with ingress-azure addon.
- Name of the application gateway to create/use in the node resource group. Use with ingress-azure addon.
- Subnet CIDR to use for a new subnet created to deploy the Application Gateway. Use with ingress-azure addon.
- Resource Id of an existing Subnet used to deploy the Application Gateway. Use with ingress-azure addon.
- Specify the namespace, which AGIC should watch. This could be a single string value, or a comma-separated list of namespaces. Use with ingress-azure addon.
- --data-collection-settings: Path to JSON file containing data collection settings for Monitoring addon.
- A comma separated list of resource IDs of the DNS zone resource to use with the web_application_routing addon.
- --enable-high-log-scale-mode: Enable High Log Scale Mode for Container Logs. Accepted values: false, true
- --enable-msi-auth-for-monitoring: Send monitoring data to Log Analytics using the cluster's assigned identity (instead of the Log Analytics Workspace's shared key). Accepted values: false, true
- Enable secret rotation. Use with azure-keyvault-secrets-provider addon.
- Enable SGX quote helper for confcom addon.
- Enable syslog data collection for Monitoring addon. Accepted values: false, true
- Do not wait for the long-running operation to finish.
- Set interval of rotation poll. Use with azure-keyvault-secrets-provider addon.
- The subnet name for the virtual node to use.
- The resource ID of an existing Log Analytics Workspace to use for storing monitoring data.

Global Parameters
- Increase logging verbosity to show all debug logs.
- Show this help message and exit.
- Only show errors, suppressing warnings.
- Output format. Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
- Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
- Increase logging verbosity. Use --debug for full debug logs.

az aks get-credentials

Get access credentials for a managed Kubernetes cluster. By default, the credentials are merged into the .kube/config file so kubectl can use them. See -f parameter for details.

az aks get-credentials --name --resource-group [--admin] [--context] [--file] [--format] [--overwrite-existing] [--public-fqdn]

Examples
Get access credentials for a managed Kubernetes cluster. (autogenerated)
az aks get-credentials --name MyManagedCluster --resource-group MyResourceGroup

Required Parameters
- Name of the managed cluster.
- Name of resource group. You can configure the default group using az configure --defaults group=.

Optional Parameters
- Get cluster administrator credentials. Default: cluster user credentials. On clusters with Azure Active Directory integration, this bypasses normal Azure AD authentication and can be used if you're permanently blocked by not having access to a valid Azure AD group with access to your cluster. Requires 'Azure Kubernetes Service Cluster Admin' role.
- If specified, overwrite the default context name. The --admin parameter takes
2025-04-24