
Commit 8b35b55

Merge pull request #308522 from mbender-ms/patch-228290
application Gateway | Major update | Revise ARM template for Application Gateway configuration
2 parents c239efe + a35612c commit 8b35b55

1 file changed

Lines changed: 270 additions & 80 deletions


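--- a/articles/application-gateway/mutual-authentication-arm-template.md
+++ b/articles/application-gateway/mutual-authentication-arm-template.md
@@ -42,100 +42,290 @@ This template creates:
 - SSL certificate and SSL profile for client certificate passthrough.
 - HTTPS listener and routing rule.
 - Backend pool pointing to an app service.
+Please update the template with your configuration details and include a valid SSL certificate.
 
 ### Parameter file: `deploymentParameters.json`
 
 ```json
 {
-"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
-"contentVersion": "1.0.0.0",
-"parameters": {
-"addressPrefix": { "value": "10.0.0.0/16" },
-"subnetPrefix": { "value": "10.0.0.0/24" },
-"skuName": { "value": "Standard_v2" },
-"capacity": { "value": 2 },
-"adminUsername": { "value": "ubuntu" },
-"adminSSHKey": { "value": "<your-ssh-public-key>" },
-"certData": { "value": "<Base64-encoded-PFX-data>" },
-"certPassword": { "value": "<certificate-password>" }
-}
+"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+"contentVersion": "1.0.0.0",
+"parameters": {
+"addressPrefix": {
+"value": "10.0.0.0/16"
+},
+"subnetPrefix": {
+"value": "10.0.0.0/24"
+},
+"skuName": {
+"value": "Standard_v2"
+},
+"capacity": {
+"value": 2
+},
+"adminUsername": {
+"value": "ubuntu"
+},
+"adminSSHKey": {
+"value": "<your-ssh-public-key>"
+},
+"certData": {
+"value": "<Base64-encoded-PFX-data>"
+},
+"certPassword": {
+"value": "<certificate-password>"
+}
+}
 }
 
 ```
 ### Template file: deploymentTemplate.json
 
-```
+``` json
 {
-"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-"contentVersion": "1.0.0.0",
-"parameters": {
-"addressPrefix": { "type": "String", "defaultValue": "10.0.0.0/16" },
-"subnetPrefix": { "type": "String", "defaultValue": "10.0.0.0/24" },
-"skuName": { "type": "String", "defaultValue": "Standard_v2" },
-"capacity": { "type": "Int", "defaultValue": 2 },
-"adminUsername": { "type": "String" },
-"adminSSHKey": { "type": "SecureString" },
-"certData": { "type": "String" },
-"certPassword": { "type": "SecureString" }
-},
-"variables": {
-"applicationGatewayName": "mtlsAppGw",
-"publicIPAddressName": "mtlsPip",
-"virtualNetworkName": "mtlsVnet",
-"subnetName": "appgwsubnet"
-},
-"resources": [
-{
-"type": "Microsoft.Network/virtualNetworks",
-"apiVersion": "2024-07-01",
-"name": "[variables('virtualNetworkName')]",
-"location": "[resourceGroup().location]",
-"properties": {
-"addressSpace": { "addressPrefixes": [ "[parameters('addressPrefix')]" ] },
-"subnets": [
-{
-"name": "[variables('subnetName')]",
-"properties": {
-"addressPrefix": "[parameters('subnetPrefix')]",
-"delegations": [
-{
-"name": "Microsoft.Network/applicationGateways",
-"properties": { "serviceName": "Microsoft.Network/applicationGateways" }
-}
-]
+"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+"contentVersion": "1.0.0.0",
+"parameters": {
+"addressPrefix": {
+"defaultValue": "10.0.0.0/16",
+"type": "String",
+"metadata": {
+"description": "Address prefix for the Virtual Network"
+}
+},
+"subnetPrefix": {
+"defaultValue": "10.0.0.0/24",
+"type": "String",
+"metadata": {
+"description": "Subnet prefix"
+}
+},
+"skuName": {
+"defaultValue": "Standard_Medium",
+"type": "String",
+"metadata": {
+"description": "Sku Name"
+}
+},
+"capacity": {
+"defaultValue": 2,
+"type": "Int",
+"metadata": {
+"description": "Number of instances"
+}
+},
+"adminUsername": {
+"type": "String"
+},
+"adminSSHKey": {
+"type": "securestring"
+},
+"certData": {
+"type": "String",
+"metadata": {
+"description": "ssl cert data"
 }
-}
-]
-}
+},
+"certPassword": {
+"type": "SecureString",
+"metadata": {
+"description": "ssl cert password"
+}
+}
+},
+"variables": {
+"applicationGatewayName": "mtlsAppGw",
+"idName": "identity",
+"publicIPAddressName": "mtlsPip",
+"virtualNetworkName": "mtlsVnet",
+"subnetName": "appgwsubnet",
+"vnetID": "[resourceId('Microsoft.Network/virtualNetworks',variables('virtualNetworkName'))]",
+"subnetRef": "[concat(variables('vnetID'),'/subnets/',variables('subnetName'))]",
+"publicIPRef": "[resourceId('Microsoft.Network/publicIPAddresses',variables('publicIPAddressName'))]",
+"applicationGatewayID": "[resourceId('Microsoft.Network/applicationGateways',variables('applicationGatewayName'))]",
+"apiVersion": "2025-03-01",
+"identityID": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities',variables('idName'))]",
+"backendSubnetId": "[concat(variables('vnetID'),'/subnets/backendsubnet')]"
 },
-{
-"type": "Microsoft.Network/applicationGateways",
-"apiVersion": "2025-03-01",
-"name": "[variables('applicationGatewayName')]",
-"location": "[resourceGroup().location]",
-"properties": {
-"sku": { "name": "[parameters('skuName')]", "tier": "[parameters('skuName')]", "capacity": "[parameters('capacity')]" },
-"sslCertificates": [
-{
-"name": "sslCert",
-"properties": { "data": "[parameters('certData')]", "password": "[parameters('certPassword')]" }
-}
-],
-"sslProfiles": [
-{
-"name": "sslPassthrough",
+"resources": [
+{
+"type": "Microsoft.Network/virtualNetworks",
+"name": "[variables('virtualNetworkName')]",
+"apiVersion": "2024-07-01",
+"location": "[resourceGroup().location]",
+"properties": {
+"addressSpace": {
+"addressPrefixes": [
+"[parameters('addressPrefix')]"
+]
+},
+"subnets": [
+{
+"name": "[variables('subnetName')]",
+"properties": {
+"addressPrefix": "[parameters('subnetPrefix')]",
+"delegations": [
+{
+"name": "Microsoft.Network/applicationGateways",
+"properties": {
+"serviceName": "Microsoft.Network/applicationGateways"
+}
+}
+]
+}
+},
+{
+"name": "backendSubnet",
+"properties": {
+"addressPrefix": "10.0.2.0/24"
+}
+}
+]
+}
+},
+{
+"type": "Microsoft.Network/publicIPAddresses",
+"sku": {
+"name": "Standard"
+},
+"name": "[variables('publicIPAddressName')]",
+"apiVersion": "2024-07-01",
+"location": "[resourceGroup().location]",
 "properties": {
-"clientAuthConfiguration": {
-"VerifyClientAuthMode": "Passthrough",
-"VerifyClientCertIssuerDN": false,
-"VerifyClientRevocation": "None"
-}
+"publicIPAllocationMethod": "Static"
 }
-}
-]
-}
-}
-]
+},
+{
+"type": "Microsoft.Network/applicationGateways",
+"name": "[variables('applicationGatewayName')]",
+"apiVersion": "[variables('apiVersion')]",
+"location": "[resourceGroup().location]",
+"properties": {
+"sku": {
+"name": "Standard_v2",
+"tier": "Standard_v2",
+"capacity": 3
+},
+"sslCertificates": [
+{
+"name": "sslCert",
+"properties": {
+"data": "[parameters('certData')]",
+"password": "[parameters('certPassword')]"
+}
+}
+],
+"sslPolicy": {
+"policyType": "Predefined",
+"policyName": "AppGwSslPolicy20220101"
+},
+"sslProfiles": [
+{
+"name": "sslnotrustedcert",
+"id": "[concat(resourceId('Microsoft.Network/applicationGateways', variables('applicationGatewayName')), '/sslProfiles/sslnotrustedcert')]",
+"properties": {
+"clientAuthConfiguration": {
+"VerifyClientCertIssuerDN": false,
+"VerifyClientRevocation": "None",
+"VerifyClientAuthMode": "Passthrough"
+}
+}
+}
+],
+"gatewayIPConfigurations": [
+{
+"name": "appGatewayIpConfig",
+"properties": {
+"subnet": {
+"id": "[variables('subnetRef')]"
+}
+}
+}
+],
+"frontendIPConfigurations": [
+{
+"name": "appGatewayFrontendIP",
+"properties": {
+"PublicIPAddress": {
+"id": "[variables('publicIPRef')]"
+}
+}
+}
+],
+"frontendPorts": [
+{
+"name": "port2",
+"properties": {
+"Port": 444
+}
+}
+],
+"backendAddressPools": [
+{
+"name": "pool2",
+"properties": {
+"BackendAddresses": [
+{
+"fqdn": "headerappgw-hsa5gjh8fpfebcfd.westus-01.azurewebsites.net"
+}
+]
+}
+}
+],
+"backendHttpSettingsCollection": [
+{
+"name": "settings2",
+"properties": {
+"Port": 80,
+"Protocol": "Http"
+}
+}
+],
+"httpListeners": [
+{
+"name": "listener2",
+"properties": {
+"FrontendIPConfiguration": {
+"Id": "[concat(variables('applicationGatewayID'), '/frontendIPConfigurations/appGatewayFrontendIP')]"
+},
+"FrontendPort": {
+"Id": "[concat(variables('applicationGatewayID'), '/frontendPorts/port2')]"
+},
+"Protocol": "Https",
+"SslCertificate": {
+"Id": "[concat(variables('applicationGatewayID'), '/sslCertificates/sslCert')]"
+},
+"sslProfile": {
+"id": "[concat(variables('applicationGatewayID'), '/sslProfiles/sslnotrustedcert')]"
+}
+}
+}
+],
+"requestRoutingRules": [
+{
+"Name": "rule2",
+"properties": {
+"RuleType": "Basic",
+"priority": 2000,
+"httpListener": {
+"id": "[concat(variables('applicationGatewayID'), '/httpListeners/listener2')]"
+},
+"backendAddressPool": {
+"id": "[concat(variables('applicationGatewayID'), '/backendAddressPools/pool2')]"
+},
+"backendHttpSettings": {
+"id": "[concat(variables('applicationGatewayID'), '/backendHttpSettingsCollection/settings2')]"
+}
+}
+}
+]
+},
+"dependsOn": [
+"[concat('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]",
+"[concat('Microsoft.Network/publicIPAddresses/', variables('publicIPAddressName'))]"
+]
+}
+]
 }
 ```
 
@@ -198,4 +388,4 @@ az deployment group create \
 
 ## Security notice
 
-This solution is classified as **Microsoft Confidential**. Please ensure you follow your organization’s security and data handling best practices when deploying and managing this solution.
+This solution is classified as **Microsoft Confidential**. Please ensure you follow your organization’s security and data handling best practices when deploying and managing this solution.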
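Review bot: In the new `deploymentTemplate.json`, the `settings2` entry of `backendHttpSettingsCollection` reaches the backend over `"Port": 80, "Protocol": "Http"`, while the `sslnotrustedcert` profile sets `"VerifyClientAuthMode": "Passthrough"` with issuer-DN and revocation checks off, so the gateway does not verify the client certificate and the hop to the app is unencrypted. For a mutual-authentication sample I would use `"Port": 443, "Protocol": "Https", "pickHostNameFromBackendAddress": true` and say in the article that the backend must validate the client certificate itself. `certData` carries the PFX (presumably with its private key) but is still declared `"type": "String"`; `"type": "securestring"`, as already used for `certPassword`, would keep the value out of deployment history and logs. The backend pool hard-codes `headerappgw-hsa5gjh8fpfebcfd.westus-01.azurewebsites.net`, which looks like one specific app rather than a placeholder, and the gateway `sku` block now ignores the `skuName` and `capacity` parameters (the new `Standard_Medium` default also disagrees with the hard-coded `Standard_v2`); both read better as parameters.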
