Create an application gateway with SSL termination using the Azure CLI

You can use the Azure CLI to create an application gateway with a certificate for SSL termination. For backend servers, you can use a virtual machine scale set. In this example, the scale set contains two virtual machine instances that are added to the default backend pool of the application gateway.

In this article, you learn how to:

  • Create a self-signed certificate
  • Set up a network
  • Create an application gateway with the certificate
  • Create a virtual machine scale set with the default backend pool

If you prefer, you can complete this procedure using Azure PowerShell.

If you don't have an Azure subscription, create a free account before you begin.

Use Azure Cloud Shell

Azure hosts Azure Cloud Shell, an interactive shell environment that you can use through your browser. You can use either Bash or PowerShell with Cloud Shell to work with Azure services. You can use the Cloud Shell preinstalled commands to run the code in this article without having to install anything on your local environment.

To start Azure Cloud Shell:

  • Select Try It in the upper-right corner of a code block. Selecting Try It doesn't automatically copy the code to Cloud Shell.
  • Go to https://shell.azure.com, or select the Launch Cloud Shell button to open Cloud Shell in your browser.
  • Select the Cloud Shell button on the top-right menu bar in the Azure portal.

To run the code in this article in Azure Cloud Shell:

  1. Start Cloud Shell.

  2. Select the Copy button on a code block to copy the code.

  3. Paste the code into the Cloud Shell session by pressing Ctrl+Shift+V on Windows and Linux or Cmd+Shift+V on macOS.

  4. Select Enter to run the code.

If you choose to install and use the CLI locally, this article requires you to run the Azure CLI version 2.0.4 or later. To find the version, run az --version. If you need to install or upgrade, see Install Azure CLI.

Create a self-signed certificate

For production use, you should import a valid certificate signed by a trusted provider. For this article, you create a self-signed certificate and a pfx file using the openssl command.

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out appgwcert.crt

Enter values that make sense for your certificate. You can accept the default values.

openssl pkcs12 -export -out appgwcert.pfx -inkey privateKey.key -in appgwcert.crt

Enter the password for the certificate. In this example, Azure123456! is used.

Create a resource group

A resource group is a logical container into which Azure resources are deployed and managed. Create a resource group using az group create.

The following example creates a resource group named myResourceGroupAG in the eastus location.

az group create --name myResourceGroupAG --location eastus

Create network resources

Create the virtual network named myVNet and the subnet named myAGSubnet using az network vnet create. You can then add the subnet named myBackendSubnet that's needed by the backend servers using az network vnet subnet create. Create the public IP address named myAGPublicIPAddress using az network public-ip create.

az network vnet create \
  --name myVNet \
  --resource-group myResourceGroupAG \
  --location eastus \
  --address-prefix 10.0.0.0/16 \
  --subnet-name myAGSubnet \
  --subnet-prefix 10.0.1.0/24

az network vnet subnet create \
  --name myBackendSubnet \
  --resource-group myResourceGroupAG \
  --vnet-name myVNet \
  --address-prefix 10.0.2.0/24

az network public-ip create \
  --resource-group myResourceGroupAG \
  --name myAGPublicIPAddress \
  --allocation-method Static \
  --sku Standard

Create the application gateway

You can use az network application-gateway create to create the application gateway. When you create an application gateway using the Azure CLI, you specify configuration information, such as capacity, sku, and HTTP settings.

The application gateway is assigned to myAGSubnet and myAGPublicIPAddress that you previously created. In this example, you associate the certificate that you created and its password when you create the application gateway.

az network application-gateway create \
  --name myAppGateway \
  --location eastus \
  --resource-group myResourceGroupAG \
  --vnet-name myVNet \
  --subnet myAGSubnet \
  --capacity 2 \
  --sku Standard_v2 \
  --http-settings-cookie-based-affinity Disabled \
  --frontend-port 443 \
  --http-settings-port 80 \
  --http-settings-protocol Http \
  --public-ip-address myAGPublicIPAddress \
  --cert-file appgwcert.pfx \
  --cert-password "Azure123456!"

It may take several minutes for the application gateway to be created. After the application gateway is created, you can see the following components:

  • appGatewayBackendPool - An application gateway must have at least one backend address pool.
  • appGatewayBackendHttpSettings - Specifies that port 80 and the HTTP protocol are used for communication with the backend servers (TLS is terminated at the gateway).
  • appGatewayHttpListener - The default listener associated with appGatewayBackendPool.
  • appGatewayFrontendIP - Assigns myAGPublicIPAddress to appGatewayHttpListener.
  • rule1 - The default routing rule that is associated with appGatewayHttpListener.

Create a virtual machine scale set

In this example, you create a virtual machine scale set that provides servers for the default backend pool in the application gateway. The virtual machines in the scale set are associated with myBackendSubnet and appGatewayBackendPool. To create the scale set, you can use az vmss create.

az vmss create \
  --name myvmss \
  --resource-group myResourceGroupAG \
  --image UbuntuLTS \
  --admin-username azureuser \
  --admin-password "Azure123456!" \
  --instance-count 2 \
  --vnet-name myVNet \
  --subnet myBackendSubnet \
  --vm-sku Standard_DS2 \
  --upgrade-policy-mode Automatic \
  --app-gateway myAppGateway \
  --backend-pool-name appGatewayBackendPool

Install NGINX

az vmss extension set \
  --publisher Microsoft.Azure.Extensions \
  --version 2.0 \
  --name CustomScript \
  --resource-group myResourceGroupAG \
  --vmss-name myvmss \
  --settings '{
    "fileUris": ["https://raw.githubusercontent.com/Azure/azure-docs-powershell-samples/master/application-gateway/iis/install_nginx.sh"],
    "commandToExecute": "./install_nginx.sh"
  }'

Test the application gateway

To get the public IP address of the application gateway, you can use az network public-ip show.

az network public-ip show \
  --resource-group myResourceGroupAG \
  --name myAGPublicIPAddress \
  --query '[ipAddress]' \
  --output tsv

Copy the public IP address, and then paste it into the address bar of your browser. For this example, the URL is: https://52.170.203.149.


If you used a self-signed certificate, the browser shows a security warning. To accept it, select Details and then Go on to the webpage. Your secured NGINX site is then displayed.


Clean up resources

When no longer needed, remove the resource group, application gateway, and all related resources.

az group delete --name myResourceGroupAG

Next steps

Create an application gateway that hosts multiple web sites