diff --git a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json
index c13a9cd295..e0a8603a84 100644
--- a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json
+++ b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json
@@ -5,140 +5,333 @@ "name": { "value": "<>-az-apgw-x-001" }, - "sku": { - "value": "WAF_v2" - }, - "vNetName": { - "value": "adp-<>-az-vnet-x-001" - }, - "subnetName": { - "value": "<>-az-subnet-x-007" - }, - "vNetResourceGroup": { - "value": "validation-rg" - }, - "frontendPrivateIpAddress": { - "value": "10.0.8.6" - }, - "frontendPublicIpResourceId": { - "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-<>-az-pip-x-apgw" - }, "userAssignedIdentities": { "value": { "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {} } }, - "sslCertificateKeyVaultSecretId": { - "value": "https://adp-<>-az-kv-x-001.vault.azure.net/secrets/applicationGatewaySslCertificate/9b670bb436e04eae9acd9b93dca269b6" // ID must be updated for new certificates + "webApplicationFirewallConfiguration": { + "value": { + "enabled": true, + "firewallMode": "Detection", + "ruleSetType": "OWASP", + "ruleSetVersion": "3.0", + "disabledRuleGroups": [], + "requestBodyCheck": true, + "maxRequestBodySizeInKb": 128, + "fileUploadLimitInMb": 100 + } }, - "backendPools": { + "enableHttp2": { + "value": true + }, + "backendAddressPools": { "value": [ { - "backendPoolName": "appServiceBackendPool", - "backendAddresses": [ - { - "fqdn": "aghapp.azurewebsites.net" - } - ] + "name": "appServiceBackendPool", + "properties": { + "backendAddresses": [ + { + "fqdn": "aghapp.azurewebsites.net" + } + ] + } }, { - "backendPoolName": "privateVmBackendPool", - "backendAddresses": [ - { - "ipAddress": "10.0.0.4" + "name": "privateVmBackendPool", + "properties": { + "backendAddresses": [ + { + "ipAddress": "10.0.0.4" + } + ] + } + } + ] + }, + "backendHttpSettingsCollection": { + "value": [ + { + "name": "appServiceBackendHttpsSetting", + "properties": { + "port": 443, + "protocol": "Https", + "cookieBasedAffinity": "Disabled", + "pickHostNameFromBackendAddress": true, + "requestTimeout": 30 
+ } + }, + { + "name": "privateVmHttpSetting", + "properties": { + "port": 80, + "protocol": "Http", + "cookieBasedAffinity": "Disabled", + "pickHostNameFromBackendAddress": false, + "requestTimeout": 30, + "probe": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/probes/privateVmHttpSettingProbe" } - ] + } } ] }, - "backendHttpConfigurations": { + "frontendIPConfigurations": { "value": [ { - "backendHttpConfigurationName": "appServiceBackendHttpsSetting", - "port": 443, - "protocol": "https", - "cookieBasedAffinity": "Disabled", - "pickHostNameFromBackendAddress": true, - "probeEnabled": false + "name": "private", + "properties": { + "privateIPAddress": "10.0.8.6", + "privateIPAllocationMethod": "Static", + "subnet": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-007" + } + } }, { - "backendHttpConfigurationName": "privateVmHttpSetting", - "port": 80, - "protocol": "http", - "cookieBasedAffinity": "Disabled", - "pickHostNameFromBackendAddress": false, - "probeEnabled": true + "name": "public", + "properties": { + "privateIPAllocationMethod": "Dynamic", + "publicIPAddress": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-<>-az-pip-x-apgw" + } + } } ] }, - "probes": { + "frontendPorts": { "value": [ { - "backendHttpConfigurationName": "privateVmHttpSetting", - "protocol": "http", - "host": "10.0.0.4", - "path": "/", - "interval": 60, - "timeout": 15, - "unhealthyThreshold": 5, - "minServers": 3, - "body": "", - "statusCodes": [ - "200", - "401" - ] + "name": "port443", + "properties": { + "port": 443 + } + }, + { + "name": "port4433", + "properties": { + "port": 4433 + } + }, + { + "name": "port80", + "properties": { + "port": 80 + } + }, + { + "name": "port8080", + "properties": { + "port": 8080 + } } ] }, - "frontendHttpsListeners": { 
+ "httpListeners": { "value": [ { - "frontendListenerName": "public443", - "frontendIPType": "Public", - "port": 443 + "name": "public443", + "properties": { + "frontendIPConfiguration": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/frontendIPConfigurations/public" + }, + "frontendPort": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/frontendPorts/port443" + }, + "sslCertificate": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/sslCertificates/<>-az-apgw-x-001-ssl-certificate" + }, + "protocol": "https", + "hostNames": [], + "requireServerNameIndication": false + } + }, + { + "name": "private4433", + "properties": { + "frontendIPConfiguration": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/frontendIPConfigurations/private" + }, + "frontendPort": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/frontendPorts/port4433" + }, + "sslCertificate": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/sslCertificates/<>-az-apgw-x-001-ssl-certificate" + }, + "protocol": "https", + "hostNames": [], + "requireServerNameIndication": false + } }, { - "frontendListenerName": "private4433", - "frontendIPType": "Private", - "port": 4433 + "name": "httpRedirect80", + "properties": { + "frontendIPConfiguration": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/frontendIPConfigurations/public" + }, + "frontendPort": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/frontendPorts/port80" + }, + 
"protocol": "Http", + "hostNames": [], + "requireServerNameIndication": false + } + }, + { + "name": "httpRedirect8080", + "properties": { + "frontendIPConfiguration": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/frontendIPConfigurations/private" + }, + "frontendPort": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/frontendPorts/port8080" + }, + "protocol": "Http", + "hostNames": [], + "requireServerNameIndication": false + } + } + ] + }, + "gatewayIPConfigurations": { + "value": [ + { + "name": "apw-ip-configuration", + "properties": { + "subnet": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-007" + } + } } ] }, - "frontendHttpRedirects": { + "probes": { "value": [ { - "frontendIPType": "Public", - "port": 80, - "frontendListenerName": "public443" + "name": "privateVmHttpSettingProbe", + "properties": { + "protocol": "Http", + "host": "10.0.0.4", + "path": "/", + "interval": 60, + "timeout": 15, + "unhealthyThreshold": 5, + "pickHostNameFromBackendHttpSettings": false, + "minServers": 3, + "match": { + "statusCodes": [ + "200", + "401" + ] + } + } + } + ] + }, + "redirectConfigurations": { + "value": [ + { + "name": "httpRedirect80", + "properties": { + "redirectType": "Permanent", + "targetListener": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/httpListeners/public443" + }, + "includePath": true, + "includeQueryString": true, + "requestRoutingRules": [ + { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/requestRoutingRules/httpRedirect80-public443" + } + ] + } }, { - "frontendIPType": "Private", - "port": 8080, - "frontendListenerName": "private4433" + "name": 
"httpRedirect8080", + "properties": { + "redirectType": "Permanent", + "targetListener": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/httpListeners/private4433" + }, + "includePath": true, + "includeQueryString": true, + "requestRoutingRules": [ + { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/requestRoutingRules/httpRedirect8080-private4433" + } + ] + } } ] }, - "routingRules": { + "requestRoutingRules": { "value": [ { - "frontendListenerName": "public443", - "backendPoolName": "appServiceBackendPool", - "backendHttpConfigurationName": "appServiceBackendHttpsSetting" + "name": "public443-appServiceBackendHttpsSetting-appServiceBackendHttpsSetting", + "properties": { + "ruleType": "Basic", + "httpListener": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/httpListeners/public443" + }, + "backendAddressPool": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/backendAddressPools/appServiceBackendPool" + }, + "backendHttpSettings": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/backendHttpSettingsCollection/appServiceBackendHttpsSetting" + } + } + }, + { + "name": "private4433-privateVmHttpSetting-privateVmHttpSetting", + "properties": { + "ruleType": "Basic", + "httpListener": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/httpListeners/private4433" + }, + "backendAddressPool": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/backendAddressPools/privateVmBackendPool" + }, + "backendHttpSettings": { + "id": 
"/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/backendHttpSettingsCollection/privateVmHttpSetting" + } + } }, { - "frontendListenerName": "private4433", - "backendPoolName": "privateVmBackendPool", - "backendHttpConfigurationName": "privateVmHttpSetting" + "name": "httpRedirect80-public443", + "properties": { + "ruleType": "Basic", + "httpListener": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/httpListeners/httpRedirect80" + }, + "redirectConfiguration": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/redirectConfigurations/httpRedirect80" + } + } + }, + { + "name": "httpRedirect8080-private4433", + "properties": { + "ruleType": "Basic", + "httpListener": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/httpListeners/httpRedirect8080" + }, + "redirectConfiguration": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/redirectConfigurations/httpRedirect8080" + } + } } ] }, - "roleAssignments": { + "sku": { + "value": "WAF_v2" + }, + "sslCertificates": { "value": [ { - "roleDefinitionIdOrName": "Reader", - "principalIds": [ - "<>" - ] + "name": "<>-az-apgw-x-001-ssl-certificate", + "properties": { + "keyVaultSecretId": "https://adp-<>-az-kv-x-001.vault.azure.net/secrets/applicationGatewaySslCertificate02/40b9b1a7a69e48cfa1e36f24b97b8799" + } } ] }, @@ -156,6 +349,16 @@ }, "diagnosticEventHubName": { "value": "adp-<>-az-evh-x-001" + }, + "roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "<>" + ] + } + ] } } } 
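Review bot: The new `sslCertificates` entry pins `keyVaultSecretId` to one secret version (`.../secrets/applicationGatewaySslCertificate02/40b9b1a7a69e48cfa1e36f24b97b8799`), so the gateway keeps serving that version after the certificate is renewed in Key Vault — the removed line's own comment ("ID must be updated for new certificates") records exactly that maintenance burden. Application Gateway also accepts a versionless secret identifier and then resolves the current version itself, so `"keyVaultSecretId": "https://adp-<>-az-kv-x-001.vault.azure.net/secrets/applicationGatewaySslCertificate02"` would make rotation hands-off; worth confirming that matches how consumers of this module expect renewal to work before changing the fixture. Separately, `protocol` is spelled `"https"` in the two TLS listeners but `"Http"` in the redirect listeners, the probe and the backend settings; one casing throughout keeps the fixture consistent with the API enum it is exercising.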
diff --git a/arm/Microsoft.Network/applicationGateways/deploy.bicep b/arm/Microsoft.Network/applicationGateways/deploy.bicep
index 1e9db49110..b8c7ca2933 100644
--- a/arm/Microsoft.Network/applicationGateways/deploy.bicep
+++ b/arm/Microsoft.Network/applicationGateways/deploy.bicep
@@ -1,6 +1,76 @@ -@description('Required. The name to be used for the Application Gateway.') +@description('Required. Name of the Application Gateway.') +@maxLength(24) param name string +@description('Optional. Location for all resources.') +param location string = resourceGroup().location + +@description('Optional. The ID(s) to assign to the resource.') +param userAssignedIdentities object = {} + +@description('Optional. Authentication certificates of the application gateway resource.') +param authenticationCertificates array = [] + +@description('Optional. Upper bound on number of Application Gateway capacity.') +param autoscaleMaxCapacity int = -1 + +@description('Optional. Lower bound on number of Application Gateway capacity.') +param autoscaleMinCapacity int = -1 + +@description('Optional. Backend address pool of the application gateway resource.') +param backendAddressPools array = [] + +@description('Optional. Backend http settings of the application gateway resource.') +param backendHttpSettingsCollection array = [] + +@description('Optional. Custom error configurations of the application gateway resource.') +param customErrorConfigurations array = [] + +@description('Optional. Whether FIPS is enabled on the application gateway resource.') +param enableFips bool = false + +@description('Optional. Whether HTTP2 is enabled on the application gateway resource.') +param enableHttp2 bool = false + +@description('Optional. The resource Id of an associated firewall policy.') +param firewallPolicyId string = '' + +@description('Optional. Frontend IP addresses of the application gateway resource.') +param frontendIPConfigurations array = [] + +@description('Optional. Frontend ports of the application gateway resource.') +param frontendPorts array = [] + +@description('Optional. Subnets of the application gateway resource.') +param gatewayIPConfigurations array = [] + +@description('Optional. 
Enable request buffering.') +param enableRequestBuffering bool = false + +@description('Optional. Enable response buffering.') +param enableResponseBuffering bool = false + +@description('Optional. Http listeners of the application gateway resource.') +param httpListeners array = [] + +@description('Optional. Load distribution policies of the application gateway resource.') +param loadDistributionPolicies array = [] + +@description('Optional. PrivateLink configurations on application gateway.') +param privateLinkConfigurations array = [] + +@description('Optional. Probes of the application gateway resource.') +param probes array = [] + +@description('Optional. Redirect configurations of the application gateway resource.') +param redirectConfigurations array = [] + +@description('Optional. Request routing rules of the application gateway resource.') +param requestRoutingRules array = [] + +@description('Optional. Rewrite rules for the application gateway resource. ') +param rewriteRuleSets array = [] + @description('Optional. The name of the SKU for the Application Gateway.') @allowed([ 'Standard_Small' 
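Review bot: `enableRequestBuffering` and `enableResponseBuffering` default to `false`, and the resource body in the last hunk of this file always writes both into `globalConfiguration`, so a consumer who does not set either parameter now gets both buffers switched off, whereas the previous template never touched `globalConfiguration` and left the platform default in place. Azure documents buffering as enabled by default on the v2 SKUs and, as far as I recall, does not allow request buffering to be disabled on WAF SKUs — worth verifying, since the test parameters deploy `WAF_v2`. Defaulting both to the platform value (`param enableRequestBuffering bool = true` and `param enableResponseBuffering bool = true`) keeps existing deployments unchanged while still letting callers opt out explicitly.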
@@ -18,100 +88,104 @@ param sku string = 'WAF_Medium' @maxValue(10) param capacity int = 2 -@description('Optional. Enables HTTP/2 support.') -param http2Enabled bool = true - -@description('Required. PublicIP Resource ID used in Public Frontend.') -param frontendPublicIpResourceId string - -@metadata({ - description: 'Optional. The private IP within the Application Gateway subnet to be used as frontend private address.' - limitations: 'The IP must be available in the configured subnet. If empty, allocation method will be set to dynamic. Once a method (static or dynamic) has been configured, it cannot be changed' -}) -param frontendPrivateIpAddress string = '' - -@description('Required. The name of the Virtual Network where the Application Gateway will be deployed.') -param vNetName string +@description('Optional. SSL certificates of the application gateway resource.') +param sslCertificates array = [] -@description('Required. The name of Gateway Subnet Name where the Application Gateway will be deployed.') -param subnetName string - -@description('Optional. The name of the Virtual Network Resource Group where the Application Gateway will be deployed.') -param vNetResourceGroup string = resourceGroup().name - -@description('Optional. The Subscription ID of the Virtual Network where the Application Gateway will be deployed.') -param vNetSubscriptionId string = subscription().subscriptionId - -@description('Optional. The ID(s) to assign to the resource.') -param userAssignedIdentities object = {} - -@description('Optional. Application Gateway IP configuration name.') -param gatewayIpConfigurationName string = 'gatewayIpConfiguration01' - -@description('Optional. SSL certificate reference name for a certificate stored in the Key Vault to configure the HTTPS listeners.') -param sslCertificateName string = 'sslCertificate01' +@description('Optional. 
Ssl cipher suites to be enabled in the specified order to application gateway.') +@allowed([ + 'TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA' + 'TLS_DHE_DSS_WITH_AES_128_CBC_SHA' + 'TLS_DHE_DSS_WITH_AES_128_CBC_SHA256' + 'TLS_DHE_DSS_WITH_AES_256_CBC_SHA' + 'TLS_DHE_DSS_WITH_AES_256_CBC_SHA256' + 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA' + 'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256' + 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA' + 'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384' + 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA' + 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256' + 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256' + 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA' + 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384' + 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384' + 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA' + 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256' + 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256' + 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA' + 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384' + 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384' + 'TLS_RSA_WITH_3DES_EDE_CBC_SHA' + 'TLS_RSA_WITH_AES_128_CBC_SHA' + 'TLS_RSA_WITH_AES_128_CBC_SHA256' + 'TLS_RSA_WITH_AES_128_GCM_SHA256' + 'TLS_RSA_WITH_AES_256_CBC_SHA' + 'TLS_RSA_WITH_AES_256_CBC_SHA256' + 'TLS_RSA_WITH_AES_256_GCM_SHA384' +]) +param sslPolicyCipherSuites array = [ + 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384' + 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256' +] -@description('Optional. Secret ID of the SSL certificate stored in the Key Vault that will be used to configure the HTTPS listeners.') -param sslCertificateKeyVaultSecretId string = '' +@description('Optional. Ssl protocol enums.') +@allowed([ + 'TLSv1_0' + 'TLSv1_1' + 'TLSv1_2' +]) +param sslPolicyMinProtocolVersion string = 'TLSv1_2' -@description('Required. The backend pools to be configured.') -param backendPools array +@description('Optional. Ssl predefined policy name enums.') +@allowed([ + 'AppGwSslPolicy20150501' + 'AppGwSslPolicy20170401' + 'AppGwSslPolicy20170401S' + '' +]) +param sslPolicyName string = '' -@description('Required. 
The backend HTTP settings to be configured. These HTTP settings will be used to rewrite the incoming HTTP requests for the backend pools.') -param backendHttpConfigurations array +@description('Optional. Type of Ssl Policy.') +@allowed([ + 'Custom' + 'Predefined' +]) +param sslPolicyType string = 'Custom' -@description('Optional. The backend HTTP settings probes to be configured.') -param probes array = [] +@description('Optional. SSL profiles of the application gateway resource.') +param sslProfiles array = [] -@description('Required. The frontend http listeners to be configured.') -param frontendHttpListeners array = [] +@description('Optional. Trusted client certificates of the application gateway resource.') +param trustedClientCertificates array = [] -@description('Required. The frontend HTTPS listeners to be configured.') -param frontendHttpsListeners array = [] +@description('Optional. Trusted Root certificates of the application gateway resource.') +param trustedRootCertificates array = [] -@description('Optional. The http redirects to be configured. Each redirect will route http traffic to a predefined frontEnd HTTPS listener.') -param frontendHttpRedirects array = [] +@description('Optional. URL path map of the application gateway resource.') +param urlPathMaps array = [] -@description('Required. The routing rules to be configured. These rules will be used to route requests from frontend listeners to backend pools using a backend HTTP configuration.') -param routingRules array +@description('Optional. Application gateway web application firewall configuration.') +param webApplicationFirewallConfiguration object = {} -@description('Optional. Location for all Resources.') -param location string = resourceGroup().location +@description('Optional. A list of availability zones denoting where the resource needs to come from.') +param zones array = [] @description('Optional. 
Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.') @minValue(0) @maxValue(365) param diagnosticLogsRetentionInDays int = 365 -@description('Optional. Resource ID of the diagnostic storage account.') +@description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub') param diagnosticStorageAccountId string = '' -@description('Optional. Resource ID of the diagnostic log analytics workspace.') +@description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub') param diagnosticWorkspaceId string = '' -@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') +@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. ') param diagnosticEventHubAuthorizationRuleId string = '' -@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') +@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub') param diagnosticEventHubName string = '' -@allowed([ - 'CanNotDelete' - 'NotSpecified' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = 'NotSpecified' - -@description('Optional. 
Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'') -param roleAssignments array = [] - -@description('Optional. Tags of the resource.') -param tags object = {} - -@description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered.') -param cuaId string = '' - @description('Optional. The name of logs that will be streamed.') @allowed([ 'ApplicationGatewayAccessLog' @@ -132,6 +206,13 @@ param metricsToEnable array = [ 'AllMetrics' ] +var identityType = !empty(userAssignedIdentities) ? 'UserAssigned' : 'None' + +var identity = identityType != 'None' ? { + type: identityType + userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null +} : null + var diagnosticsLogs = [for log in logsToEnable: { category: log enabled: true 
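Review bot: The description on `sslPolicyMinProtocolVersion`, `'Optional. Ssl protocol enums.'`, names the API type rather than the setting; since the value becomes `sslPolicy.minProtocolVersion` on the resource, something like `@description('Optional. Minimum TLS protocol version accepted by the gateway listeners. Defaults to TLSv1_2.')` tells a caller why `TLSv1_0` and `TLSv1_1` are listed at all. The same applies to `'Optional. Ssl predefined policy name enums.'` and `'Optional. Type of Ssl Policy.'`, which could state that `sslPolicyName` is presumably only consulted when `sslPolicyType` is `Predefined` and that the cipher-suite and minimum-version parameters apply to the `Custom` path. The new "For security reasons, it is recommended …" sentence was added to three of the four diagnostic parameters, but `diagnosticEventHubAuthorizationRuleId` only gained a trailing space inside its description string; either add the sentence there as well or drop the stray space.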
@@ -151,244 +232,82 @@ var diagnosticsMetrics = [for metric in metricsToEnable: { } }] -var applicationGatewayResourceId = az.resourceId('Microsoft.Network/applicationGateways', name) -var subnetResourceId = az.resourceId(vNetSubscriptionId, vNetResourceGroup, 'Microsoft.Network/virtualNetworks/subnets', vNetName, subnetName) -var frontendPublicIPConfigurationName = 'public' -var frontendPrivateIPConfigurationName = 'private' -var frontendPrivateIPDynamicConfiguration = { - privateIPAllocationMethod: 'Dynamic' - subnet: { - id: subnetResourceId - } -} -var frontendPrivateIPStaticConfiguration = { - privateIPAllocationMethod: 'Static' - privateIPAddress: frontendPrivateIpAddress - subnet: { - id: subnetResourceId - } -} -var redirectConfigurationsHttpRedirectNamePrefix = 'httpRedirect' -var httpListenerhttpRedirectNamePrefix = 'httpRedirect' -var requestRoutingRuleHttpRedirectNamePrefix = 'httpRedirect' -var wafConfiguration = { - enabled: true - firewallMode: 'Detection' - ruleSetType: 'OWASP' - ruleSetVersion: '3.0' - disabledRuleGroups: [] - requestBodyCheck: true - maxRequestBodySizeInKb: '128' -} -var sslCertificates = [ - { - name: sslCertificateName - properties: { - keyVaultSecretId: sslCertificateKeyVaultSecretId - } - } -] -var frontendPorts = concat((empty(frontendHttpListeners) ? frontendHttpListeners : frontendHttpPorts), (empty(frontendHttpsListeners) ? frontendHttpsListeners : frontendHttpsPorts), (empty(frontendHttpRedirects) ? frontendHttpRedirects : frontendHttpRedirectPorts)) -var httpListeners = concat((empty(frontendHttpListeners) ? frontendHttpListeners : frontendHttpListeners_var), (empty(frontendHttpsListeners) ? frontendHttpsListeners : frontendHttpsListeners_var), (empty(frontendHttpRedirects) ? frontendHttpRedirects : frontendHttpRedirects_var)) -var redirectConfigurations = (empty(frontendHttpRedirects) ? 
frontendHttpRedirects : httpRedirectConfigurations) -var requestRoutingRules = concat(httpsRequestRoutingRules, (empty(frontendHttpRedirects) ? frontendHttpRedirects : httpRequestRoutingRules)) +@allowed([ + 'CanNotDelete' + 'NotSpecified' + 'ReadOnly' +]) +@description('Optional. Specify the type of lock.') +param lock string = 'NotSpecified' -var identityType = !empty(userAssignedIdentities) ? 'UserAssigned' : 'None' +@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'') +param roleAssignments array = [] -var identity = identityType != 'None' ? { - type: identityType - userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null -} : null +@description('Optional. Resource tags.') +param tags object = {} -var backendAddressPools = [for backendPool in backendPools: { - name: backendPool.backendPoolName - type: 'Microsoft.Network/applicationGateways/backendAddressPools' - properties: { - backendAddresses: contains(backendPool, 'BackendAddresses') ? backendPool.BackendAddresses : [] - } -}] -var probes_var = [for probe in probes: { - name: '${probe.backendHttpConfigurationName}Probe' - type: 'Microsoft.Network/applicationGateways/probes' - properties: { - protocol: probe.protocol - host: probe.host - path: probe.path - interval: contains(probe, 'interval') ? probe.interval : 30 - timeout: contains(probe, 'timeout') ? probe.timeout : 30 - unhealthyThreshold: contains(probe, 'timeout') ? probe.unhealthyThreshold : 3 - minServers: contains(probe, 'timeout') ? probe.minServers : 0 - match: { - body: contains(probe, 'timeout') ? 
probe.body : '' - statusCodes: probe.statusCodes - } - } -}] -var backendHttpConfigurations_var = [for backendHttpConfiguration in backendHttpConfigurations: { - name: backendHttpConfiguration.backendHttpConfigurationName - properties: { - port: backendHttpConfiguration.port - protocol: backendHttpConfiguration.protocol - cookieBasedAffinity: backendHttpConfiguration.cookieBasedAffinity - pickHostNameFromBackendAddress: backendHttpConfiguration.pickHostNameFromBackendAddress - probeEnabled: backendHttpConfiguration.probeEnabled - probe: bool(backendHttpConfiguration.probeEnabled) ? json('{"id": "${applicationGatewayResourceId}/probes/${backendHttpConfiguration.backendHttpConfigurationName}Probe"}') : null - } -}] -var frontendHttpsPorts = [for frontendHttpsListener in frontendHttpsListeners: { - name: 'port${frontendHttpsListener.port}' - properties: { - Port: frontendHttpsListener.port - } -}] -var frontendHttpsListeners_var = [for frontendHttpsListener in frontendHttpsListeners: { - name: frontendHttpsListener.frontendListenerName - properties: { - FrontendIPConfiguration: { - id: '${applicationGatewayResourceId}/frontendIPConfigurations/${frontendHttpsListener.frontendIPType}' - } - FrontendPort: { - id: '${applicationGatewayResourceId}/frontendPorts/port${frontendHttpsListener.port}' - } - Protocol: 'https' - SslCertificate: { - id: '${applicationGatewayResourceId}/sslCertificates/${sslCertificateName}' - } - } -}] -var frontendHttpPorts = [for frontendHttpListener in frontendHttpListeners: { - name: 'port${frontendHttpListener.port}' - properties: { - Port: frontendHttpListener.port - } -}] -var frontendHttpListeners_var = [for frontendHttpListener in frontendHttpListeners: { - name: frontendHttpListener.frontendListenerName - properties: { - FrontendIPConfiguration: { - id: '${applicationGatewayResourceId}/frontendIPConfigurations/${frontendHttpListener.frontendIPType}' - } - FrontendPort: { - id: 
'${applicationGatewayResourceId}/frontendPorts/port${frontendHttpListener.port}'
- }
- Protocol: 'http'
- }
-}]
-var httpsRequestRoutingRules = [for routingRule in routingRules: {
- name: '${routingRule.frontendListenerName}-${routingRule.backendHttpConfigurationName}-${routingRule.backendHttpConfigurationName}'
- properties: {
- RuleType: 'Basic'
- httpListener: {
- id: '${applicationGatewayResourceId}/httpListeners/${routingRule.frontendListenerName}'
- }
- backendAddressPool: {
- id: '${applicationGatewayResourceId}/backendAddressPools/${routingRule.backendPoolName}'
- }
- backendHttpSettings: {
- id: '${applicationGatewayResourceId}/backendHttpSettingsCollection/${routingRule.backendHttpConfigurationName}'
- }
- }
-}]
-var frontendHttpRedirectPorts = [for frontendHttpRedirect in frontendHttpRedirects: {
- name: 'port${frontendHttpRedirect.port}'
- properties: {
- Port: frontendHttpRedirect.port
- }
-}]
-var frontendHttpRedirects_var = [for frontendHttpRedirect in frontendHttpRedirects: {
- name: '${httpListenerhttpRedirectNamePrefix}${frontendHttpRedirect.port}'
- properties: {
- FrontendIPConfiguration: {
- id: '${applicationGatewayResourceId}/frontendIPConfigurations/${frontendHttpRedirect.frontendIPType}'
- }
- FrontendPort: {
- id: '${applicationGatewayResourceId}/frontendPorts/port${frontendHttpRedirect.port}'
- }
- Protocol: 'http'
- }
-}]
-var httpRequestRoutingRules = [for frontendHttpRedirect in frontendHttpRedirects: {
- name: '${requestRoutingRuleHttpRedirectNamePrefix}${frontendHttpRedirect.port}-${frontendHttpRedirect.frontendListenerName}'
- properties: {
- RuleType: 'Basic'
- httpListener: {
- id: '${applicationGatewayResourceId}/httpListeners/${httpListenerhttpRedirectNamePrefix}${frontendHttpRedirect.port}'
- }
- redirectConfiguration: {
- id: '${applicationGatewayResourceId}/redirectConfigurations/${redirectConfigurationsHttpRedirectNamePrefix}${frontendHttpRedirect.port}'
- }
- }
-}]
-var httpRedirectConfigurations = [for frontendHttpRedirect in frontendHttpRedirects: {
- name: '${redirectConfigurationsHttpRedirectNamePrefix}${frontendHttpRedirect.port}'
- properties: {
- redirectType: 'Permanent'
- includePath: true
- includeQueryString: true
- requestRoutingRules: [
- {
- id: '${applicationGatewayResourceId}/requestRoutingRules/${requestRoutingRuleHttpRedirectNamePrefix}${frontendHttpRedirect.port}-${frontendHttpRedirect.frontendListenerName}'
- }
- ]
- targetListener: {
- id: '${applicationGatewayResourceId}/httpListeners/${frontendHttpRedirect.frontendListenerName}'
- }
- }
-}]
+@description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered')
+param cuaId string = ''
 module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) {
 name: 'pid-${cuaId}'
 params: {}
 }
-resource applicationGateway 'Microsoft.Network/applicationGateways@2021-03-01' = {
+resource applicationGateway 'Microsoft.Network/applicationGateways@2021-05-01' = {
 name: name
 location: location
- identity: identity
 tags: tags
- properties: {
- sku: {
- name: sku
- tier: endsWith(sku, 'v2') ? sku : substring(sku, 0, indexOf(sku, '_'))
- capacity: capacity
- }
- gatewayIPConfigurations: [
- {
- name: gatewayIpConfigurationName
- properties: {
- subnet: {
- id: subnetResourceId
- }
- }
- }
- ]
- frontendIPConfigurations: [
- {
- name: frontendPrivateIPConfigurationName
- type: 'Microsoft.Network/applicationGateways/frontendIPConfigurations'
- properties: empty(frontendPrivateIpAddress) ? frontendPrivateIPDynamicConfiguration : frontendPrivateIPStaticConfiguration
- }
- {
- name: frontendPublicIPConfigurationName
- properties: {
- publicIPAddress: {
- id: frontendPublicIpResourceId
- }
- }
- }
- ]
- sslCertificates: empty(sslCertificateKeyVaultSecretId) ? null : sslCertificates
+ identity: identity
+ properties: union({
+ authenticationCertificates: authenticationCertificates
+ autoscaleConfiguration: autoscaleMaxCapacity > 0 && autoscaleMinCapacity > 0 ? {
+ maxCapacity: autoscaleMaxCapacity
+ minCapacity: autoscaleMinCapacity
+ } : null
 backendAddressPools: backendAddressPools
- probes: probes_var
- backendHttpSettingsCollection: backendHttpConfigurations_var
+ backendHttpSettingsCollection: backendHttpSettingsCollection
+ customErrorConfigurations: customErrorConfigurations
+ enableHttp2: enableHttp2
+ firewallPolicy: !empty(firewallPolicyId) ? {
+ id: firewallPolicyId
+ } : null
+ forceFirewallPolicyAssociation: !empty(firewallPolicyId)
+ frontendIPConfigurations: frontendIPConfigurations
 frontendPorts: frontendPorts
+ gatewayIPConfigurations: gatewayIPConfigurations
+ globalConfiguration: {
+ enableRequestBuffering: enableRequestBuffering
+ enableResponseBuffering: enableResponseBuffering
+ }
 httpListeners: httpListeners
+ loadDistributionPolicies: loadDistributionPolicies
+ privateLinkConfigurations: privateLinkConfigurations
+ probes: probes
 redirectConfigurations: redirectConfigurations
 requestRoutingRules: requestRoutingRules
- enableHttp2: http2Enabled
- webApplicationFirewallConfiguration: startsWith(sku, 'WAF') ? wafConfiguration : null
- }
- dependsOn: []
+ rewriteRuleSets: rewriteRuleSets
+ sku: {
+ name: sku
+ tier: endsWith(sku, 'v2') ? sku : substring(sku, 0, indexOf(sku, '_'))
+ capacity: autoscaleMaxCapacity > 0 && autoscaleMinCapacity > 0 ? null : capacity
+ }
+ sslCertificates: sslCertificates
+ sslPolicy: {
+ cipherSuites: sslPolicyCipherSuites
+ minProtocolVersion: sslPolicyMinProtocolVersion
+ policyName: empty(sslPolicyName) ? null : sslPolicyName
+ policyType: sslPolicyType
+ }
+ sslProfiles: sslProfiles
+ trustedClientCertificates: trustedClientCertificates
+ trustedRootCertificates: trustedRootCertificates
+ urlPathMaps: urlPathMaps
+ webApplicationFirewallConfiguration: webApplicationFirewallConfiguration
+ }, (enableFips ? {
+ enableFips: enableFips
+ } : {}), {})
+ zones: zones
 }
 resource applicationGateway_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') {
diff --git a/arm/Microsoft.Network/applicationGateways/readme.md b/arm/Microsoft.Network/applicationGateways/readme.md
index 0256d3e85d..b8b279b20f 100644
--- a/arm/Microsoft.Network/applicationGateways/readme.md
+++ b/arm/Microsoft.Network/applicationGateways/readme.md
@@ -1,100 +1,313 @@ -# Application Gateways `[Microsoft.Network/applicationGateways]` +# Network Application Gateways `[Microsoft.Network/applicationGateways]` -This template deploys an application gateway. +This module deploys Network ApplicationGateways. -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | | `Microsoft.Authorization/locks` | 2017-04-01 | | `Microsoft.Authorization/roleAssignments` | 2021-04-01-preview | | `Microsoft.Insights/diagnosticSettings` | 2021-05-01-preview | -| `Microsoft.Network/applicationGateways` | 2021-03-01 | +| `Microsoft.Network/applicationGateways` | 2021-05-01 | ## Parameters | Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `backendHttpConfigurations` | array | | | Required. The backend HTTP settings to be configured. These HTTP settings will be used to rewrite the incoming HTTP requests for the backend pools. | -| `backendPools` | array | | | Required. The backend pools to be configured. | +| `authenticationCertificates` | array | `[]` | | Optional. Authentication certificates of the application gateway resource. | +| `autoscaleMaxCapacity` | int | `-1` | | Optional. Upper bound on number of Application Gateway capacity. | +| `autoscaleMinCapacity` | int | `-1` | | Optional. Lower bound on number of Application Gateway capacity. | +| `backendAddressPools` | array | `[]` | | Optional. Backend address pool of the application gateway resource. | +| `backendHttpSettingsCollection` | array | `[]` | | Optional. Backend http settings of the application gateway resource. | | `capacity` | int | `2` | | Optional. The number of Application instances to be configured. | -| `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. | -| `diagnosticEventHubAuthorizationRuleId` | string | | | Optional. 
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | | | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered | +| `customErrorConfigurations` | array | `[]` | | Optional. Custom error configurations of the application gateway resource. | +| `diagnosticEventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| `diagnosticEventHubName` | string | | | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub | | `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | -| `diagnosticStorageAccountId` | string | | | Optional. Resource ID of the diagnostic storage account. | -| `diagnosticWorkspaceId` | string | | | Optional. Resource ID of the diagnostic log analytics workspace. | -| `frontendHttpListeners` | array | `[]` | | Required. The frontend http listeners to be configured. | -| `frontendHttpRedirects` | array | `[]` | | Optional. The http redirects to be configured. Each redirect will route http traffic to a predefined frontEnd HTTPS listener. | -| `frontendHttpsListeners` | array | `[]` | | Required. The frontend HTTPS listeners to be configured. | -| `frontendPrivateIpAddress` | string | | | Optional. 
The private IP within the Application Gateway subnet to be used as frontend private address. | -| `frontendPublicIpResourceId` | string | | | Required. PublicIP Resource ID used in Public Frontend. | -| `gatewayIpConfigurationName` | string | `gatewayIpConfiguration01` | | Optional. Application Gateway IP configuration name. | -| `http2Enabled` | bool | `True` | | Optional. Enables HTTP/2 support. | -| `location` | string | `[resourceGroup().location]` | | Optional. Location for all Resources. | +| `diagnosticStorageAccountId` | string | | | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub | +| `diagnosticWorkspaceId` | string | | | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub | +| `enableFips` | bool | | | Optional. Whether FIPS is enabled on the application gateway resource. | +| `enableHttp2` | bool | | | Optional. Whether HTTP2 is enabled on the application gateway resource. | +| `enableRequestBuffering` | bool | | | Optional. Enable request buffering. | +| `enableResponseBuffering` | bool | | | Optional. Enable response buffering. | +| `firewallPolicyId` | string | | | Optional. The resource Id of an associated firewall policy. | +| `frontendIPConfigurations` | array | `[]` | | Optional. Frontend IP addresses of the application gateway resource. | +| `frontendPorts` | array | `[]` | | Optional. Frontend ports of the application gateway resource. | +| `gatewayIPConfigurations` | array | `[]` | | Optional. Subnets of the application gateway resource. | +| `httpListeners` | array | `[]` | | Optional. Http listeners of the application gateway resource. | +| `loadDistributionPolicies` | array | `[]` | | Optional. 
Load distribution policies of the application gateway resource. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | | `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | | `logsToEnable` | array | `[ApplicationGatewayAccessLog, ApplicationGatewayPerformanceLog, ApplicationGatewayFirewallLog]` | `[ApplicationGatewayAccessLog, ApplicationGatewayPerformanceLog, ApplicationGatewayFirewallLog]` | Optional. The name of logs that will be streamed. | | `metricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | Optional. The name of metrics that will be streamed. | -| `name` | string | | | Required. The name to be used for the Application Gateway. | -| `probes` | array | `[]` | | Optional. The backend HTTP settings probes to be configured. | +| `name` | string | | | Required. Name of the Application Gateway. | +| `privateLinkConfigurations` | array | `[]` | | Optional. PrivateLink configurations on application gateway. | +| `probes` | array | `[]` | | Optional. Probes of the application gateway resource. | +| `redirectConfigurations` | array | `[]` | | Optional. Redirect configurations of the application gateway resource. | +| `requestRoutingRules` | array | `[]` | | Optional. Request routing rules of the application gateway resource. | +| `rewriteRuleSets` | array | `[]` | | Optional. Rewrite rules for the application gateway resource. | | `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | -| `routingRules` | array | | | Required. The routing rules to be configured. 
These rules will be used to route requests from frontend listeners to backend pools using a backend HTTP configuration. | | `sku` | string | `WAF_Medium` | `[Standard_Small, Standard_Medium, Standard_Large, WAF_Medium, WAF_Large, Standard_v2, WAF_v2]` | Optional. The name of the SKU for the Application Gateway. | -| `sslCertificateKeyVaultSecretId` | string | | | Optional. Secret ID of the SSL certificate stored in the Key Vault that will be used to configure the HTTPS listeners. | -| `sslCertificateName` | string | `sslCertificate01` | | Optional. SSL certificate reference name for a certificate stored in the Key Vault to configure the HTTPS listeners. | -| `subnetName` | string | | | Required. The name of Gateway Subnet Name where the Application Gateway will be deployed. | -| `tags` | object | `{object}` | | Optional. Tags of the resource. | +| `sslCertificates` | array | `[]` | | Optional. SSL certificates of the application gateway resource. | +| `sslPolicyCipherSuites` | array | `[TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]` | `[TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, 
TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384]` | Optional. Ssl cipher suites to be enabled in the specified order to application gateway. | +| `sslPolicyMinProtocolVersion` | string | `TLSv1_2` | `[TLSv1_0, TLSv1_1, TLSv1_2]` | Optional. Ssl protocol enums. | +| `sslPolicyName` | string | | `[AppGwSslPolicy20150501, AppGwSslPolicy20170401, AppGwSslPolicy20170401S, ]` | Optional. Ssl predefined policy name enums. | +| `sslPolicyType` | string | `Custom` | `[Custom, Predefined]` | Optional. Type of Ssl Policy. | +| `sslProfiles` | array | `[]` | | Optional. SSL profiles of the application gateway resource. | +| `tags` | object | `{object}` | | Optional. Resource tags. | +| `trustedClientCertificates` | array | `[]` | | Optional. Trusted client certificates of the application gateway resource. | +| `trustedRootCertificates` | array | `[]` | | Optional. Trusted Root certificates of the application gateway resource. | +| `urlPathMaps` | array | `[]` | | Optional. URL path map of the application gateway resource. | | `userAssignedIdentities` | object | `{object}` | | Optional. The ID(s) to assign to the resource. | -| `vNetName` | string | | | Required. The name of the Virtual Network where the Application Gateway will be deployed. | -| `vNetResourceGroup` | string | `[resourceGroup().name]` | | Optional. The name of the Virtual Network Resource Group where the Application Gateway will be deployed. | -| `vNetSubscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The Subscription ID of the Virtual Network where the Application Gateway will be deployed. | +| `webApplicationFirewallConfiguration` | object | `{object}` | | Optional. Application gateway web application firewall configuration. | +| `zones` | array | `[]` | | Optional. A list of availability zones denoting where the resource needs to come from. 
| -### Parameter Usage: `backendPools` +### Parameter Usage: `authenticationCertificates` ```json -"backendPools": { +"authenticationCertificates": { "value": [ { - "backendPoolName": "appServiceBackendPool", - "backendAddresses": [ + "id": "string", + "name": "string", + "properties": { + "data": "string" + } + } + ] +} +``` + +### Parameter Usage: `backendAddressPools` + +```json +"backendAddressPools": { + "value": [ + { + "id": "string", + "name": "string", + "properties": { + "backendAddresses": [ { - "fqdn": "aghapp.azurewebsites.net" + "fqdn": "string", + "ipAddress": "string" } - ] - }, + ] + } + } + ] +} +``` + +### Parameter Usage: `backendHttpSettingsCollection` + +```json +"backendHttpSettingsCollection": { + "value": [ { - "backendPoolName": "privateVmBackendPool", - "backendAddresses": [ + "id": "string", + "name": "string", + "properties": { + "affinityCookieName": "string", + "authenticationCertificates": [ { - "ipAddress": "10.0.0.4" + "id": "string" } - ] + ], + "connectionDraining": { + "drainTimeoutInSec": "int", + "enabled": "bool" + }, + "cookieBasedAffinity": "string", + "hostName": "string", + "path": "string", + "pickHostNameFromBackendAddress": "bool", + "port": "int", + "probe": { + "id": "string" + }, + "probeEnabled": "bool", + "protocol": "string", + "requestTimeout": "int", + "trustedRootCertificates": [ + { + "id": "string" + } + ] } + } ] } ``` -### Parameter Usage: `backendHttpConfigurations` +### Parameter Usage: `customErrorConfigurations` ```json -"backendHttpConfigurations": { +"customErrorConfigurations": { "value": [ { - "backendHttpConfigurationName": "appServiceBackendHttpsSetting", - "port": 443, - "protocol": "https", - "cookieBasedAffinity": "Disabled", - "pickHostNameFromBackendAddress": true, - "probeEnabled": false - }, + "customErrorPageUrl": "string", + "statusCode": "string" + } + ] +} +``` + +### Parameter Usage: `frontendIPConfigurations` + +```json +"frontendIPConfigurations": { + "value": [ { - 
"backendHttpConfigurationName": "privateVmHttpSetting", - "port": 80, - "protocol": "http", - "cookieBasedAffinity": "Disabled", - "pickHostNameFromBackendAddress": false, - "probeEnabled": true + "id": "string", + "name": "string", + "properties": { + "privateIPAddress": "string", + "privateIPAllocationMethod": "string", + "privateLinkConfiguration": { + "id": "string" + }, + "publicIPAddress": { + "id": "string" + }, + "subnet": { + "id": "string" + } + } + } + ] +} +``` + +### Parameter Usage: `frontendPorts` + +```json +"frontendPorts": { + "value": [ + { + "id": "string", + "name": "string", + "properties": { + "port": "int" + } + } + ] +} +``` + +### Parameter Usage: `gatewayIPConfigurations` + +```json +"gatewayIPConfigurations": { + "value": [ + { + "id": "string", + "name": "string", + "properties": { + "subnet": { + "id": "string" + } + } + } + ] +} +``` + +### Parameter Usage: `httpListeners` + +```json +"httpListeners": { + "value": [ + { + "id": "string", + "name": "string", + "properties": { + "customErrorConfigurations": [ + { + "customErrorPageUrl": "string", + "statusCode": "string" + } + ], + "firewallPolicy": { + "id": "string" + }, + "frontendIPConfiguration": { + "id": "string" + }, + "frontendPort": { + "id": "string" + }, + "hostName": "string", + "hostNames": [ "string" ], + "protocol": "string", + "requireServerNameIndication": "bool", + "sslCertificate": { + "id": "string" + }, + "sslProfile": { + "id": "string" + } + } + } + ] +} +``` + +### Parameter Usage: `loadDistributionPolicies` + +```json +"loadDistributionPolicies": { + "value": [ + { + "id": "string", + "name": "string", + "properties": { + "loadDistributionAlgorithm": "string", + "loadDistributionTargets": [ + { + "id": "string", + "name": "string", + "properties": { + "backendAddressPool": { + "id": "string" + }, + "weightPerServer": "int" + } + } + ] } + } + ] +} +``` + +### Parameter Usage: `privateLinkConfigurations` + +```json +"privateLinkConfigurations": { + "value": [ + 
{ + "id": "string", + "name": "string", + "properties": { + "ipConfigurations": [ + { + "id": "string", + "name": "string", + "properties": { + "primary": "bool", + "privateIPAddress": "string", + "privateIPAllocationMethod": "string", + "subnet": { + "id": "string" + } + } + } + ] + } + } ] } ``` 
@@ -105,76 +318,285 @@ This template deploys an application gateway. "probes": { "value": [ { - "backendHttpConfigurationName": "privateVmHttpSetting", - "protocol": "http", - "host": "10.0.0.4", - "path": "/", - "interval": 60, - "timeout": 15, - "unhealthyThreshold": 5, - "minServers": 3, - "statusCodes": [ - "200", - "401" + "id": "string", + "name": "string", + "properties": { + "host": "string", + "interval": "int", + "match": { + "body": "string", + "statusCodes": [ "string" ] + }, + "minServers": "int", + "path": "string", + "pickHostNameFromBackendHttpSettings": "bool", + "port": "int", + "protocol": "string", + "timeout": "int", + "unhealthyThreshold": "int" + } + } + ] +} +``` + +### Parameter Usage: `redirectConfigurations` + +```json +"redirectConfigurations": { + "value": [ + { + "id": "string", + "name": "string", + "properties": { + "includePath": "bool", + "includeQueryString": "bool", + "pathRules": [ + { + "id": "string" + } + ], + "redirectType": "string", + "requestRoutingRules": [ + { + "id": "string" + } + ], + "targetListener": { + "id": "string" + }, + "targetUrl": "string", + "urlPathMaps": [ + { + "id": "string" + } ] } + } ] } ``` -### Parameter Usage: `frontendHttpsListeners` +### Parameter Usage: `requestRoutingRules` ```json -"frontendHttpsListeners": { +"requestRoutingRules": { "value": [ { - "frontendListenerName": "public443", - "frontendIPType": "Public", - "port": 443 - }, + "id": "string", + "name": "string", + "properties": { + "backendAddressPool": { + "id": "string" + }, + "backendHttpSettings": { + "id": "string" + }, + "httpListener": { + "id": "string" + }, + "loadDistributionPolicy": { + "id": "string" + }, + "priority": "int", + "redirectConfiguration": { + "id": "string" + }, + "rewriteRuleSet": { + "id": "string" + }, + "ruleType": "string", + "urlPathMap": { + "id": "string" + } + } + } + ] +} +``` + +### Parameter Usage: `rewriteRuleSets` + +```json +"rewriteRuleSets": { + "value": [ { - "frontendListenerName": 
"private4433", - "frontendIPType": "Private", - "port": 4433 + "id": "string", + "name": "string", + "properties": { + "rewriteRules": [ + { + "actionSet": { + "requestHeaderConfigurations": [ + { + "headerName": "string", + "headerValue": "string" + } + ], + "responseHeaderConfigurations": [ + { + "headerName": "string", + "headerValue": "string" + } + ], + "urlConfiguration": { + "modifiedPath": "string", + "modifiedQueryString": "string", + "reroute": "bool" + } + }, + "conditions": [ + { + "ignoreCase": "bool", + "negate": "bool", + "pattern": "string", + "variable": "string" + } + ], + "name": "string", + "ruleSequence": "int" + } + ] } + } ] } ``` -### Parameter Usage: `frontendHttpRedirects` +### Parameter Usage: `sslCertificates` ```json -"frontendHttpRedirects": { +"sslCertificates": { "value": [ { - "frontendIPType": "Public", - "port": 80, - "frontendListenerName": "public443" - }, + "id": "string", + "name": "string", + "properties": { + "data": "string", + "keyVaultSecretId": "string", + "password": "string" + } + } + ] +} +``` + +### Parameter Usage: `sslProfiles` + +```json +"sslProfiles": { + "value": [ { - "frontendIPType": "Private", - "port": 8080, - "frontendListenerName": "private4433" + "id": "string", + "name": "string", + "properties": { + "clientAuthConfiguration": { + "verifyClientCertIssuerDN": "bool" + }, + "sslPolicy": { + "cipherSuites": [ "string" ], + "disabledSslProtocols": [ "string" ], + "minProtocolVersion": "string", + "policyName": "string", + "policyType": "string" + }, + "trustedClientCertificates": [ + { + "id": "string" + } + ] } + } ] } ``` -### Parameter Usage: `routingRules` +### Parameter Usage: `trustedClientCertificates` ```json -"routingRules": { +"trustedClientCertificates": { "value": [ { - "frontendListenerName": "public443", - "backendPoolName": "appServiceBackendPool", - "backendHttpConfigurationName": "appServiceBackendHttpsSetting" - }, + "id": "string", + "name": "string", + "properties": { + "data": "string" 
+ } + } + ] +} +``` + +### Parameter Usage: `trustedRootCertificates` + +```json +"trustedRootCertificates": { + "value": [ + { + "id": "string", + "name": "string", + "properties": { + "data": "string", + "keyVaultSecretId": "string" + } + } + ] +} +``` + +### Parameter Usage: `urlPathMaps` + +```json +"urlPathMaps": { + "value": [ { - "frontendListenerName": "private4433", - "backendPoolName": "privateVmBackendPool", - "backendHttpConfigurationName": "privateVmHttpSetting" + "id": "string", + "name": "string", + "properties": { + "defaultBackendAddressPool": { + "id": "string" + }, + "defaultBackendHttpSettings": { + "id": "string" + }, + "defaultLoadDistributionPolicy": { + "id": "string" + }, + "defaultRedirectConfiguration": { + "id": "string" + }, + "defaultRewriteRuleSet": { + "id": "string" + }, + "pathRules": [ + { + "id": "string", + "name": "string", + "properties": { + "backendAddressPool": { + "id": "string" + }, + "backendHttpSettings": { + "id": "string" + }, + "firewallPolicy": { + "id": "string" + }, + "loadDistributionPolicy": { + "id": "string" + }, + "paths": [ "string" ], + "redirectConfiguration": { + "id": "string" + }, + "rewriteRuleSet": { + "id": "string" + } + } + } + ] } + } ] } ``` @@ -241,7 +663,7 @@ You can specify multiple user assigned identities to a resource by providing add ## Template references -- [Applicationgateways](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-03-01/applicationGateways) +- [Applicationgateways](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/applicationGateways) - [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) - [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) - [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments) 
diff --git a/arm/Microsoft.Network/applicationGateways/version.json b/arm/Microsoft.Network/applicationGateways/version.json
index 56f8d9ca40..badc0a2285 100644
--- a/arm/Microsoft.Network/applicationGateways/version.json
+++ b/arm/Microsoft.Network/applicationGateways/version.json
@@ -1,4 +1,4 @@
 {
 "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
- "version": "0.4"
+ "version": "0.5"
 }