https://learn.microsoft.com/ja-jp/azure/application-gateway/create-ssl-portal
https://learn.microsoft.com/ja-jp/cli/azure/network/application-gateway?view=azure-cli-latest
https://tekitoumemo.hatenablog.com/entry/2018/04/11/220701
前提: Let's Encrypt で無料の SSL 証明書 (RSA) を作成済み
-- 1. Azureログイン
# 1. Sign in to Azure. The device-code flow needs no local browser; the
# identity actually in use is shown by `az account show`.
az login --use-device-code
az account show
az version
az configure --list-defaults
# Make japaneast the default location (matches the location hard-coded in main.tf);
# the second --list-defaults confirms the change took effect.
az configure --defaults location=japaneast
az configure --list-defaults
az group list
az upgrade
-- 2. アプリケーションゲートウェイ作成
# Write the Terraform provider configuration. The quoted delimiter keeps the
# body literal, so the shell expands nothing inside it.
tee providers.tf >/dev/null <<'EOF'
terraform {
required_version = ">=1.2"
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~> 3.0"
}
random = {
source = "hashicorp/random"
version = "~> 3.0"
}
}
}
provider "azurerm" {
features {}
}
EOF
# Write main.tf (resource group, network, two IIS backend VMs, and an HTTP-only
# Application Gateway). The quoted delimiter keeps the body literal; `terraform fmt`
# later normalises the indentation.
cat <<-'EOF' > main.tf
# Resource group; every other resource takes its name and location from here.
resource "azurerm_resource_group" "rg9999999" {
name = "rg9999999"
location = "japaneast"
}
resource "azurerm_virtual_network" "vnet01" {
name = "vnet01"
resource_group_name = azurerm_resource_group.rg9999999.name
location = azurerm_resource_group.rg9999999.location
address_space = ["10.0.0.0/16"]
}
# subnet01 is used only by the gateway's gateway_ip_configuration below;
# subnet02 holds the backend NICs.
resource "azurerm_subnet" "subnet01" {
name = "subnet01"
resource_group_name = azurerm_resource_group.rg9999999.name
virtual_network_name = azurerm_virtual_network.vnet01.name
address_prefixes = ["10.0.0.0/24"]
}
resource "azurerm_subnet" "subnet02" {
name = "subnet02"
resource_group_name = azurerm_resource_group.rg9999999.name
virtual_network_name = azurerm_virtual_network.vnet01.name
address_prefixes = ["10.0.1.0/24"]
}
# Static Standard-SKU public IP used as the gateway frontend.
resource "azurerm_public_ip" "pip01" {
name = "pip01"
resource_group_name = azurerm_resource_group.rg9999999.name
location = azurerm_resource_group.rg9999999.location
allocation_method = "Static"
sku = "Standard"
}
# One NIC per backend VM. No public IP is attached, so the VMs are reachable
# only through the gateway (or from within the VNet).
# NOTE(review): no network security group is defined for subnet02 or the NICs.
resource "azurerm_network_interface" "nic" {
count = 2
name = "nic${count.index+1}"
location = azurerm_resource_group.rg9999999.location
resource_group_name = azurerm_resource_group.rg9999999.name
ip_configuration {
name = "nicipconfig${count.index+1}"
subnet_id = azurerm_subnet.subnet02.id
private_ip_address_allocation = "Dynamic"
}
}
# Generated admin password shared by both VMs.
# NOTE(review): the result is stored in plaintext in the Terraform state;
# keep the state file (or remote backend) access-controlled.
resource "random_password" "password" {
length = 16
special = true
lower = true
upper = true
numeric = true
}
# Two Windows Server 2019 backend VMs.
resource "azurerm_windows_virtual_machine" "vm" {
count = 2
name = "vm${count.index+1}"
resource_group_name = azurerm_resource_group.rg9999999.name
location = azurerm_resource_group.rg9999999.location
size = "Standard_DS1_v2"
admin_username = "azureuser"
admin_password = random_password.password.result
network_interface_ids = [
azurerm_network_interface.nic[count.index].id,
]
os_disk {
caching = "ReadWrite"
storage_account_type = "Standard_LRS"
}
source_image_reference {
publisher = "MicrosoftWindowsServer"
offer = "WindowsServer"
sku = "2019-Datacenter"
version = "latest"
}
}
# Custom Script Extension: installs IIS and writes the VM's computer name into
# Default.htm, so the responding backend is visible in the browser.
resource "azurerm_virtual_machine_extension" "vmext" {
count = 2
name = "vmext${count.index+1}-ext"
virtual_machine_id = azurerm_windows_virtual_machine.vm[count.index].id
publisher = "Microsoft.Compute"
type = "CustomScriptExtension"
type_handler_version = "1.10"
settings = <<SETTINGS
{
"commandToExecute": "powershell Add-WindowsFeature Web-Server; powershell Add-Content -Path \"C:\\inetpub\\wwwroot\\Default.htm\" -Value $($env:computername)"
}
SETTINGS
}
# Application Gateway (Standard_v2, no WAF). Only an HTTP listener on port 80
# is defined here; step 4 adds the HTTPS listener and removes this one via az CLI.
# NOTE(review): those az changes are not reflected in this file, so a later
# `terraform apply` would likely plan to revert them. No ssl_policy block is
# set either, so the service default TLS policy applies; set one explicitly if
# a minimum TLS version is required.
resource "azurerm_application_gateway" "ag01" {
name = "ag01"
resource_group_name = azurerm_resource_group.rg9999999.name
location = azurerm_resource_group.rg9999999.location
sku {
name = "Standard_v2"
tier = "Standard_v2"
capacity = 1
}
gateway_ip_configuration {
name = "ag01ipconfig"
subnet_id = azurerm_subnet.subnet01.id
}
frontend_port {
name = "fp01"
port = 80
}
frontend_ip_configuration {
name = "fic01"
public_ip_address_id = azurerm_public_ip.pip01.id
}
http_listener {
name = "lis01"
frontend_ip_configuration_name = "fic01"
frontend_port_name = "fp01"
protocol = "Http"
}
backend_address_pool {
name = "bap01"
}
backend_http_settings {
name = "bhs01"
cookie_based_affinity = "Disabled"
port = 80
protocol = "Http"
request_timeout = 60
}
request_routing_rule {
name = "rrr01"
rule_type = "Basic"
http_listener_name = "lis01"
backend_address_pool_name = "bap01"
backend_http_settings_name = "bhs01"
priority = 1
}
}
# Register each NIC's IP configuration in the gateway's single backend pool.
resource "azurerm_network_interface_application_gateway_backend_address_pool_association" "nicbap01" {
count = 2
network_interface_id = azurerm_network_interface.nic[count.index].id
ip_configuration_name = "nicipconfig${count.index+1}"
backend_address_pool_id = one(azurerm_application_gateway.ag01.backend_address_pool).id
}
EOF
# Write outputs.tf: exposes the gateway's public address as an http:// URL
# (the gateway is HTTP-only until step 4).
tee outputs.tf >/dev/null <<'EOF'
output "gateway_frontend_ip" {
value = "http://${azurerm_public_ip.pip01.ip_address}"
}
EOF
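# Initialise providers, format the files, then apply exactly the plan that was written out.
terraform init -upgrade
terraform fmt
terraform -version
terraform plan -out main.tfplan
terraform apply main.tfplan
# Print the gateway URL. The substitution is quoted and printed with printf so the
# value is passed through unchanged (no word splitting or globbing); `-raw` omits
# the trailing newline, so printf adds one.
printf '%s\n' "$(terraform output -raw gateway_frontend_ip)"
# Teardown — run only at the end, after steps 3-5. Note that the gateway changes
# made with az CLI in steps 3-4 are not known to Terraform.
terraform plan -destroy -out main.destroy.tfplan
terraform apply main.destroy.tfplan
# NetworkWatcherRG is not managed by this configuration, so destroy leaves it
# behind; remove it separately (--yes skips the confirmation prompt).
az group list
az group delete \
--name NetworkWatcherRG \
--yes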
-- 3. SSL 証明書のアップロード
pfxファイルを使用する
pem -> pfx変換
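# Bundle the certificate and its private key into a PFX for Application Gateway.
# openssl prompts for an export password. Because the PFX contains the private
# key, it is created with owner-only permissions; the umask change is confined
# to the subshell so the rest of the session is unaffected.
( umask 077 && openssl pkcs12 -export -in cert2.pem -inkey privkey2.pem -out cert2.pfx )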
# 3. Upload the PFX to the gateway as "cert01". Listing first shows which
# certificates are already attached (none on a fresh deployment from main.tf).
az network application-gateway ssl-cert list \
--gateway-name ag01 \
--resource-group rg9999999
# If an export password was set on cert2.pfx, supply it with --cert-password;
# prefer reading it from an environment variable or file over typing it on the
# command line, where it would land in shell history.
az network application-gateway ssl-cert create \
--gateway-name ag01 \
--name cert01 \
--resource-group rg9999999 \
--cert-file cert2.pfx
-- 4. リスナー変更
# 4. Read-only inventory of the gateway and its sub-resources, to confirm the
# names referenced below (fic01, bap01, bhs01, rrr01, lis01, fp01) before
# changing anything.
az network application-gateway list \
--resource-group rg9999999
az network application-gateway http-listener list \
--gateway-name ag01 \
--resource-group rg9999999
az network application-gateway rule list \
--gateway-name ag01 \
--resource-group rg9999999
az network application-gateway http-settings list \
--gateway-name ag01 \
--resource-group rg9999999
az network application-gateway address-pool list \
--gateway-name ag01 \
--resource-group rg9999999
az network application-gateway frontend-ip list \
--gateway-name ag01 \
--resource-group rg9999999
az network application-gateway frontend-port list \
--gateway-name ag01 \
--resource-group rg9999999
リスナー0個にはできないため、先にHTTPSリスナーを追加
-- 4.1 HTTPSリスナー作成
フロントエンドポート作成
# 4.1a. Add frontend port 443 for HTTPS. fp01/80 stays defined; the listener
# that uses it is removed in 4.2. The list call shows the ports present first.
az network application-gateway frontend-port list \
--gateway-name ag01 \
--resource-group rg9999999
az network application-gateway frontend-port create \
--gateway-name ag01 \
--name fp02 \
--resource-group rg9999999 \
--port 443
リスナー作成
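# 4.1b. Create the HTTPS listener lis02 on fp02/443, terminating TLS with the
# uploaded certificate cert01. The list call shows the existing listeners first.
az network application-gateway http-listener list \
--gateway-name ag01 \
--resource-group rg9999999
# --ssl-cert is the last argument: there must be no trailing backslash after it,
# otherwise the following line of the notes would be joined into this command.
az network application-gateway http-listener create \
--frontend-port fp02 \
--frontend-ip fic01 \
--gateway-name ag01 \
--name lis02 \
--resource-group rg9999999 \
--ssl-cert cert01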
ルール作成
# 4.1c. Route lis02 to the existing backend pool and HTTP settings (TLS is
# terminated at the gateway; backend traffic stays HTTP on port 80 per bhs01).
# Priority 2 is distinct from rrr01 (priority 1), which is removed in 4.2.
az network application-gateway rule list \
--gateway-name ag01 \
--resource-group rg9999999
az network application-gateway rule create \
--gateway-name ag01 \
--name rrr02 \
--resource-group rg9999999 \
--address-pool bap01 \
--http-listener lis02 \
--http-settings bhs01 \
--rule-type Basic \
--priority 2
-- 4.2 HTTPリスナー削除
ルール削除
# 4.2a. Remove the HTTP routing rule rrr01 first, so that lis01 is no longer
# referenced by any rule when it is deleted in the next step.
az network application-gateway rule list \
--gateway-name ag01 \
--resource-group rg9999999
az network application-gateway rule delete \
--gateway-name ag01 \
--name rrr01 \
--resource-group rg9999999
リスナー削除
# 4.2b. Delete the HTTP listener. After this the gateway serves HTTPS only;
# frontend port fp01/80 remains defined but unused.
az network application-gateway http-listener list \
--gateway-name ag01 \
--resource-group rg9999999
az network application-gateway http-listener delete \
--gateway-name ag01 \
--name lis01 \
--resource-group rg9999999
-- 5. 動作確認
hostsファイルの設定
証明書の変換
# 5. Convert the PEM certificate to DER (.crt) for the import step that follows.
openssl x509 -in cert2.pem -outform der -out cert2.crt
証明書のインポート