{Azure Application Gateway} チュートリアル: Azure portal を使用して TLS 終端でアプリケーション ゲートウェイを構成する

https://learn.microsoft.com/ja-jp/azure/application-gateway/create-ssl-portal
https://learn.microsoft.com/ja-jp/cli/azure/network/application-gateway?view=azure-cli-latest
https://tekitoumemo.hatenablog.com/entry/2018/04/11/220701


前提: Let's Encrypt で無料SSL証明書作成済(RSA)。秘密鍵 (privkey) と中間証明書 (chain / fullchain) も手元にあること。秘密鍵を含むファイル (pem / pfx) はアクセス権を絞って保管し、アップロード後は不要なコピーを削除する。


-- 1. Azureログイン

# Interactive device-code sign-in. `az account show` prints the tenant and
# subscription the following commands (and Terraform) will act on — confirm it
# before deploying anything.
az login --use-device-code
az account show

az version

# Default region for later `az` commands. The Terraform config below hard-codes
# "japaneast" separately, so keep the two in sync.
az configure --list-defaults
az configure --defaults location=japaneast
az configure --list-defaults

 

az group list
# Self-update of the Azure CLI itself.
az upgrade

 


-- 2. アプリケーションゲートウェイ作成

 

 

cat <<-'EOF' > providers.tf

terraform {
  required_version = ">=1.2"
  
  # "~> 3.0" allows any 3.x provider release. The exact versions resolved by
  # `terraform init` are written to .terraform.lock.hcl — commit that file so
  # later runs use the same provider builds (supply-chain hygiene).
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
    random = {
      source = "hashicorp/random"
      version = "~> 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

EOF

 


cat <<-'EOF' > main.tf


# Resource group holding every resource in this tutorial. The location is also
# set via `az configure --defaults location=japaneast` above — keep them aligned.
resource "azurerm_resource_group" "rg9999999" {
  name     = "rg9999999"
  location = "japaneast"
}

# Single VNet (10.0.0.0/16) split into a gateway subnet and a backend subnet below.
resource "azurerm_virtual_network" "vnet01" {
  name                = "vnet01"
  resource_group_name = azurerm_resource_group.rg9999999.name
  location            = azurerm_resource_group.rg9999999.location
  address_space       = ["10.0.0.0/16"]
}

# Subnet used only by the Application Gateway (see gateway_ip_configuration on
# ag01); nothing else in this config is placed here.
resource "azurerm_subnet" "subnet01" {
  name                 = "subnet01"
  resource_group_name  = azurerm_resource_group.rg9999999.name
  virtual_network_name = azurerm_virtual_network.vnet01.name
  address_prefixes     = ["10.0.0.0/24"]
}

# Backend subnet for the two IIS VMs' NICs. NOTE(review): no network security
# group is attached anywhere in this config; the VMs have no public IP, so
# inbound reach is via the gateway / VNet only, but consider an NSG that
# restricts port 80 to the gateway subnet (10.0.0.0/24).
resource "azurerm_subnet" "subnet02" {
  name                 = "subnet02"
  resource_group_name  = azurerm_resource_group.rg9999999.name
  virtual_network_name = azurerm_virtual_network.vnet01.name
  address_prefixes     = ["10.0.1.0/24"]
}

# Static Standard-SKU public IP; this is the gateway's only frontend address
# (frontend_ip_configuration on ag01) and the value exposed by outputs.tf.
resource "azurerm_public_ip" "pip01" {
  name                = "pip01"
  resource_group_name = azurerm_resource_group.rg9999999.name
  location            = azurerm_resource_group.rg9999999.location
  allocation_method   = "Static"
  sku                 = "Standard"
}


# One NIC per backend VM, private IP only (no public_ip_address_id), placed in
# subnet02. The ip_configuration name "nicipconfigN" is referenced again by the
# backend-pool association resource at the end of this file.
resource "azurerm_network_interface" "nic" {
  count               = 2
  name                = "nic${count.index+1}"
  location            = azurerm_resource_group.rg9999999.location
  resource_group_name = azurerm_resource_group.rg9999999.name

  ip_configuration {
    name                          = "nicipconfig${count.index+1}"
    subnet_id                     = azurerm_subnet.subnet02.id
    private_ip_address_allocation = "Dynamic"
  }
}

# Generated local-admin password shared by both VMs. NOTE(review): the generated
# value is persisted in the Terraform state file — store the state in a protected
# backend and do not commit it. Retrieve it with `terraform output`/state only
# when needed.
resource "random_password" "password" {
  length  = 16
  special = true
  lower   = true
  upper   = true
  numeric = true
}


# Two Windows Server 2019 VMs acting as IIS backends. Password auth only
# (no public IP, so RDP is not reachable from the internet with this config);
# the admin password comes from random_password.password above.
resource "azurerm_windows_virtual_machine" "vm" {
  count               = 2
  name                = "vm${count.index+1}"
  resource_group_name = azurerm_resource_group.rg9999999.name
  location            = azurerm_resource_group.rg9999999.location
  size                = "Standard_DS1_v2"
  admin_username      = "azureuser"
  admin_password      = random_password.password.result

  network_interface_ids = [
    azurerm_network_interface.nic[count.index].id,
  ]

  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }


  # "latest" floats to the newest image at apply time; pin a version if
  # reproducible rebuilds matter.
  source_image_reference {
    publisher = "MicrosoftWindowsServer"
    offer     = "WindowsServer"
    sku       = "2019-Datacenter"
    version   = "latest"
  }
}

# Bootstraps each VM: installs the IIS role and appends the computer name to
# Default.htm so the gateway's load balancing can be seen in the browser.
# Using `settings` (visible in the portal) is fine here because the command
# carries no secrets; anything sensitive would belong in `protected_settings`.
resource "azurerm_virtual_machine_extension" "vmext" {
  count                = 2
  name                 = "vmext${count.index+1}-ext"
  virtual_machine_id   = azurerm_windows_virtual_machine.vm[count.index].id
  publisher            = "Microsoft.Compute"
  type                 = "CustomScriptExtension"
  type_handler_version = "1.10"

  settings = <<SETTINGS
    {
        "commandToExecute": "powershell Add-WindowsFeature Web-Server; powershell Add-Content -Path \"C:\\inetpub\\wwwroot\\Default.htm\" -Value $($env:computername)"
    }
SETTINGS

}


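# Standard_v2 Application Gateway. Created HTTP-only here; the HTTPS listener,
# certificate and rule are added with the Azure CLI in sections 3–4 (outside
# Terraform, so expect drift on a later `terraform plan`).
resource "azurerm_application_gateway" "ag01" {
  name                = "ag01"
  resource_group_name = azurerm_resource_group.rg9999999.name
  location            = azurerm_resource_group.rg9999999.location

  sku {
    name     = "Standard_v2"
    tier     = "Standard_v2"
    capacity = 1
  }

  # TLS policy applied to every HTTPS listener on this gateway (including the
  # one added later in section 4.1). Without an explicit policy the platform
  # default is used, which — depending on when the gateway was created — may
  # still negotiate TLS 1.0/1.1. This predefined policy enforces a TLS 1.2
  # minimum with a restricted cipher list; tighten further with a Custom
  # policy if your requirements demand it.
  ssl_policy {
    policy_type = "Predefined"
    policy_name = "AppGwSslPolicy20170401S"
  }

  # Gateway lives in its own subnet (subnet01).
  gateway_ip_configuration {
    name      = "ag01ipconfig"
    subnet_id = azurerm_subnet.subnet01.id
  }

  frontend_port {
    name = "fp01"
    port = 80
  }

  frontend_ip_configuration {
    name                 = "fic01"
    public_ip_address_id = azurerm_public_ip.pip01.id
  }

  # Plain-HTTP listener for initial bring-up only; it is replaced by the
  # HTTPS listener and then deleted in section 4.2.
  http_listener {
    name                           = "lis01"
    frontend_ip_configuration_name = "fic01"
    frontend_port_name             = "fp01"
    protocol                       = "Http"
  }

  # Pool is populated by the NIC association resource below, not here.
  backend_address_pool {
    name = "bap01"
  }

  # Gateway -> backend leg is plain HTTP on port 80 inside the VNet: TLS is
  # terminated at the gateway (this tutorial is TLS termination, not
  # end-to-end TLS).
  backend_http_settings {
    name                  = "bhs01"
    cookie_based_affinity = "Disabled"
    port                  = 80
    protocol              = "Http"
    request_timeout       = 60
  }

  # priority 1; the HTTPS rule added in 4.1 uses priority 2.
  request_routing_rule {
    name                       = "rrr01"
    rule_type                  = "Basic"
    http_listener_name         = "lis01"
    backend_address_pool_name  = "bap01"
    backend_http_settings_name = "bhs01"
    priority                   = 1
  }
}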


# Registers each VM NIC's IP configuration in the gateway's backend pool.
# `one(...)` is valid only because ag01 declares exactly one
# backend_address_pool; it will error if a second pool is ever added.
resource "azurerm_network_interface_application_gateway_backend_address_pool_association" "nicbap01" {
  count                   = 2
  network_interface_id    = azurerm_network_interface.nic[count.index].id
  ip_configuration_name   = "nicipconfig${count.index+1}"
  backend_address_pool_id = one(azurerm_application_gateway.ag01.backend_address_pool).id
}

 


EOF

 

 


cat <<-'EOF' > outputs.tf

# Public entry point of the gateway. The scheme is hard-coded to http: because
# only the port-80 listener exists at apply time; once section 4 has made the
# gateway HTTPS-only, use https:// with the certificate's host name rather than
# the raw IP (the certificate will not match the IP).
output "gateway_frontend_ip" {
  value = "http://${azurerm_public_ip.pip01.ip_address}"
}

EOF


# `-upgrade` re-resolves providers to the newest version allowed by providers.tf,
# ignoring versions already recorded in .terraform.lock.hcl. Use it deliberately;
# routine runs should use plain `terraform init` so the lock file is honoured.
terraform init -upgrade
terraform fmt
terraform -version

# Save the plan and apply exactly that file, so what gets applied is what was
# reviewed.
terraform plan -out main.tfplan
terraform apply main.tfplan 

echo $(terraform output -raw gateway_frontend_ip)

 

 

# Tear-down, same plan-then-apply pattern. Resources created or modified with
# `az` after the apply (sections 3–4) are unknown to Terraform: the destroy
# still removes ag01 as a whole, but review the plan output first.
terraform plan -destroy -out main.destroy.tfplan
terraform apply main.destroy.tfplan

 

az group list

# NOTE(review): NetworkWatcherRG is created automatically by Azure and is not
# specific to this tutorial — deleting it disables Network Watcher (flow logs,
# connection diagnostics) for the region. `--yes` skips the confirmation
# prompt, so run this only if nothing else in the subscription relies on it.
az group delete \
--name NetworkWatcherRG \
--yes

 

 


-- 3. SSL 証明書のアップロード

Application Gateway には PKCS#12 (pfx) 形式でアップロードする。pfx には秘密鍵が含まれるため、作成後はアクセス権を絞り、アップロードが終わったら手元のコピーは削除する。

pem -> pfx変換

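# Build the PKCS#12 bundle the gateway expects. cert2.pem is the leaf only, so
# `-certfile chain2.pem` adds the Let's Encrypt intermediate and the gateway
# presents the full chain (file names follow certbot's archive layout — adjust
# if yours differ). openssl prompts for an export password; if you set one,
# pass it with `--cert-password` when uploading. The pfx carries the private
# key: restrict its permissions and delete it once uploaded.
openssl pkcs12 -export -in cert2.pem -inkey privkey2.pem -certfile chain2.pem -out cert2.pfx
chmod 600 cert2.pfx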

 

 

# List certificates already stored on the gateway (none expected on first run).
az network application-gateway ssl-cert list \
--gateway-name ag01 \
--resource-group rg9999999


# Upload the pfx (certificate + private key) into the gateway configuration.
# If an export password was set on the pfx, add `--cert-password <pw>` or the
# upload fails. NOTE(review): this stores the private key in the gateway
# resource itself; for rotation and auditing, keeping the certificate in Key
# Vault and referencing it (`--key-vault-secret-id`, requires a managed
# identity on the gateway) is the usual alternative.
az network application-gateway ssl-cert create \
--gateway-name ag01 \
--name cert01 \
--resource-group rg9999999 \
--cert-file cert2.pfx

 

 

-- 4. リスナー変更


# Inventory of the gateway as created by Terraform (one HTTP listener, lis01).
az network application-gateway list \
--resource-group rg9999999

az network application-gateway http-listener list \
--gateway-name ag01 \
--resource-group rg9999999


# Current rule (rrr01), backend settings (bhs01) and pool (bap01); the HTTPS
# rule added in 4.1 reuses bhs01 and bap01 as-is.
az network application-gateway rule list \
--gateway-name ag01 \
--resource-group rg9999999


az network application-gateway http-settings list \
--gateway-name ag01 \
--resource-group rg9999999


az network application-gateway address-pool list \
--gateway-name ag01 \
--resource-group rg9999999

 


# Frontend IP config (fic01 -> pip01) and frontend port (fp01 = 80).
az network application-gateway frontend-ip list \
--gateway-name ag01 \
--resource-group rg9999999

az network application-gateway frontend-port list \
--gateway-name ag01 \
--resource-group rg9999999


リスナー0個にはできないため、先にHTTPSリスナーを追加する。なお、ここ以降の az コマンドによる変更は Terraform state には反映されないため、後で terraform plan を実行すると差分（証明書・HTTPS リスナー・ルールの削除、HTTP リスナーの再作成）として現れる点に注意。

-- 4.1 HTTPSリスナー作成

フロントエンドポート作成

az network application-gateway frontend-port list \
--gateway-name ag01 \
--resource-group rg9999999


# Second frontend port, 443, for the HTTPS listener created next.
az network application-gateway frontend-port create \
--gateway-name ag01 \
--name fp02 \
--resource-group rg9999999 \
--port 443


リスナー作成
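az network application-gateway http-listener list \
--gateway-name ag01 \
--resource-group rg9999999


# HTTPS listener on fp02 (443) terminating TLS with cert01. No `--host-name`
# is given, so this is a basic (non-SNI) listener; add `--host-name` if several
# certificates or sites have to share the gateway. The original ended the last
# option with a dangling `\` continuation, which would swallow whatever line
# was pasted next — removed.
az network application-gateway http-listener create \
--frontend-port fp02 \
--frontend-ip fic01 \
--gateway-name ag01 \
--name lis02 \
--resource-group rg9999999 \
--ssl-cert cert01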


ルール作成
az network application-gateway rule list \
--gateway-name ag01 \
--resource-group rg9999999

# Route the HTTPS listener to the same pool and (plain-HTTP) backend settings
# the HTTP rule uses. Priority 2 must differ from rrr01's priority 1.
az network application-gateway rule create \
--gateway-name ag01 \
--name rrr02 \
--resource-group rg9999999 \
--address-pool bap01 \
--http-listener lis02 \
--http-settings bhs01 \
--rule-type Basic \
--priority 2

 

-- 4.2 HTTPリスナー削除

ルール削除

az network application-gateway rule list \
--gateway-name ag01 \
--resource-group rg9999999

# The rule must go before its listener can be deleted. Alternative to removing
# plain HTTP entirely: keep lis01 and replace rrr01 with a redirect
# configuration to lis02, so http:// URLs are redirected to HTTPS instead of
# failing to connect.
az network application-gateway rule delete \
--gateway-name ag01 \
--name rrr01 \
--resource-group rg9999999 

リスナー削除

az network application-gateway http-listener list \
--gateway-name ag01 \
--resource-group rg9999999


# Remove the HTTP listener; the gateway is HTTPS-only from here. Frontend port
# fp01 (80) is left defined but unused.
az network application-gateway http-listener delete \
--gateway-name ag01 \
--name lis01 \
--resource-group rg9999999

 


-- 5. 動作確認

curl http://192.0.2.1

curl https://192.0.2.1

curl -k https://192.0.2.1

 


hostsファイルの設定（証明書の CN/SAN のホスト名をゲートウェイの IP に向け、IP 直接アクセスによる名前不一致を避ける）

証明書の変換

# Convert the leaf certificate (PEM) to DER (.crt) for the import step that
# follows. NOTE(review): a Let's Encrypt certificate is issued by a publicly
# trusted CA, so importing it into a client trust store should not be needed
# for verification to succeed — confirm what the import is actually for.
openssl x509 -outform der -in cert2.pem -out cert2.crt

証明書のインポート（注: Let's Encrypt の証明書は公的 CA 発行のため、通常はクライアント側の信頼ストアへの取り込みは不要。名前不一致は hosts ファイル側で解決する）