initial commit

Author: George Wallace

articles/application-gateway/application-gateway-backend-ssl.md

@@ -12,7 +12,7 @@
    ms.topic="hero-article"
    ms.tgt_pltfrm="na"
    ms.workload="infrastructure-services"
-   ms.date="09/26/2016"
+   ms.date="10/11/2016"
    ms.author="amsriva"/>
 
 # Enabling SSL Policy and end to end SSL on Application Gateway
@@ -21,26 +21,29 @@
 
 Application gateway supports SSL termination at the gateway, after which traffic typically flows unencrypted to the backend servers. This allows web servers to be unburdened from costly encryption/decryption overhead. However for some customers unencrypted communication to the backend servers is not an acceptable option. This could be due to security/compliance requirements or the application may only accept secure connection. For such applications, application gateway now supports end to end SSL encryption.
 
-End to end SSL allows you to securely transmit sensitive data to the backend encrypted while availing benefits of Layer 7 load balancing features which application gateway provides, such as cookie affinity, URL-based routing, support for routing based on sites or ability to inject X-Forwarded-* headers.
+End to end SSL allows you to securely transmit sensitive data to the backend encrypted still taking advantage of the benefits of Layer 7 load balancing features which application gateway provides, such as cookie affinity, URL-based routing, support for routing based on sites or ability to inject X-Forwarded-* headers.
 
-When configured with end to end SSL communication mode, application gateway terminates user SSL sessions at the gateway and decrypts user traffic. It then applies the configured rules to select an appropriate backend pool instance to route traffic to. Application gateway then initiates a new SSL connection to the backend server and re-encrypts data using backend server's public key certificate before transmitting request to the backend. End to end SSL is enabled by setting protocol setting in BackendHTTPSetting to Https, which is then applied to a backend pool. Each backend server in the backend pool with end to end SSL enabled must be configured with a certificate to allow secure communication.
+When configured with end to end SSL communication mode, application gateway terminates user SSL sessions at the gateway and decrypts user traffic. It then applies the configured rules to select an appropriate backend pool instance to route traffic to. Application gateway then initiates a new SSL connection to the backend server and re-encrypts data using the backend server's public key certificate before transmitting request to the backend. End to end SSL is enabled by setting protocol setting in BackendHTTPSetting to Https, which is then applied to a backend pool. Each backend server in the backend pool with end to end SSL enabled must be configured with a certificate to allow secure communication.
 
-![imageURLroute](./media/application-gateway-multi-site-overview/multisite.png)
+![end to end ssl scenario][1]
 
-In this example, requests for https://contoso.com can be routed to ContosoServerPool over HTTP, and https://fabrikam.com will be routed to FabrikamServerPool over HTTPS using end to end SSL.
+In this example, requests using TLS1.2 will be routed to backend servers in Pool1 using end to end SSL.
 
 ## End to end SSL and white listing of certificates
 
-Application gateway only communicates with known backend instances, which have whitelisted their certificate with the application gateway. To enable whitelisting of certificates, you must upload the public key of backend server certificates to the application gateway. Only connections to known and white listed backend is then allowed and remaining result in a gateway error. Self-signed certificates are for test purposes only and not recommended for production workloads. Such certificates must also be white listed with the application gateway as described above before they can be used.
+Application gateway only communicates with known backend instances that have whitelisted their certificate with the application gateway. To enable whitelisting of certificates, you must upload the public key of backend server certificates to the application gateway. Only connections to known and white listed backends are then allowed. The remaining backends will result in a gateway error. Self-signed certificates are for test purposes only and not recommended for production workloads. Such certificates must also be white listed with the application gateway as described above before they can be used.
 
 ## Application Gateway SSL Policy
 
-Application gateway also supports user configurable SSL negotiation policies, which allow customers finer grained control over SSL connections at the application gateway.
+Application gateway supports user configurable SSL negotiation policies, which allow customers more control over SSL connections at the application gateway.
 
-1. SSL 2.0 and 3.0 are forced disabled for all Application Gateways. They are not configurable at all.
-2. SSL policy definition gives you option to disable any of the following 3 protocols - TLSv1_0, TLSv1_1, TLSv1_2.
-3. If no SSL policy is defined all three (TLSv1_0, TLSv1_1, TLSv1_2) would be enabled.
+1. SSL 2.0 and 3.0 disabled by default for all Application Gateways. They are not configurable at all.
+2. SSL policy definition gives you option to disable any of the following 3 protocols - TLSv1\_0, TLSv1\_1, TLSv1\_2.
+3. If no SSL policy is defined all three (TLSv1\_0, TLSv1\_1, TLSv1_2) are be enabled.
 
 ## Next steps
 
-After learning about end to end SSL and SSL policy, go to [enable end to end SSL on application gateway](application-gateway-end-to-end-ssl-powershell.md) to create an application gateway with ability to send traffic to backend in encrypted form.
+After learning about end to end SSL and SSL policy, go to [enable end to end SSL on application gateway](application-gateway-end-to-end-ssl-powershell.md) to create an application gateway with ability to send traffic to backends in encrypted form.
+
+<!--Image references-->
+[1]: ./media/application-gateway-backend-ssl/scenario.png

articles/application-gateway/application-gateway-create-gateway-arm-template.md

@@ -13,13 +13,15 @@
    ms.topic="article"
    ms.tgt_pltfrm="na"
    ms.workload="infrastructure-services"
-   ms.date="09/06/2016"
+   ms.date="10/11/2016"
    ms.author="gwallace"/>
 
 
 # Create an application gateway by using the Azure Resource Manager template
 
-Azure Application Gateway is a layer-7 load balancer. It provides failover, performance-routing HTTP requests between different servers, whether they are on the cloud or on-premises. Application Gateway has the following application delivery features: HTTP load balancing, cookie-based session affinity, and Secure Sockets Layer (SSL) offload.
+Azure Application Gateway is a layer-7 load balancer. It provides failover, performance-routing HTTP requests between different servers, whether they are on the cloud or on-premises. 
+Application Gateway provides many Application Delivery Controller (ADC) features including HTTP load balancing, cookie-based session affinity, Secure Sockets Layer (SSL) offload, custom health probes, support for multi-site, and many others. 
+To find a complete list of supported features, visit [Application Gateway Overview](application-gateway-introduction.md)
 
 > [AZURE.SELECTOR]
 - [Azure portal](application-gateway-create-gateway-portal.md)
@@ -123,11 +125,11 @@ Check the subscriptions for the account.
 
 	Get-AzureRmSubscription
 
-You are prompted to authenticate with your credentials.<BR>
+You are prompted to authenticate with your credentials.
 
 ### Step 3
 
-Choose which of your Azure subscriptions to use. <BR>
+Choose which of your Azure subscriptions to use.
 
 
 	Select-AzureRmSubscription -Subscriptionid "GUID of subscription"
@@ -152,6 +154,7 @@ To deploy the Azure Resource Manager template you downloaded by using Azure CLI,
 ### Step 1
 
 If you have never used Azure CLI, see [Install and configure the Azure CLI](../xplat-cli-install.md) and follow the instructions up to the point where you select your Azure account and subscription.
+
 ### Step 2
 
 Run the **azure config mode** command to switch to Resource Manager mode, as shown below.
@@ -212,7 +215,7 @@ If you want to configure SSL offload, see [Configure an application gateway for
 
 If you want to configure an application gateway to use with an internal load balancer, see [Create an application gateway with an internal load balancer (ILB)](application-gateway-ilb.md).
 
-If you want more information about load balancing options in general, see:
+If you want more information about load balancing options in general, visit:
 
 - [Azure Load Balancer](https://azure.microsoft.com/documentation/services/load-balancer/)
 - [Azure Traffic Manager](https://azure.microsoft.com/documentation/services/traffic-manager/)

articles/application-gateway/application-gateway-create-gateway-arm.md

@@ -12,13 +12,15 @@
    ms.topic="hero-article"
    ms.tgt_pltfrm="na"
    ms.workload="infrastructure-services"
-   ms.date="09/06/2016"
+   ms.date="10/11/2016"
    ms.author="gwallace"/>
 
 
 # Create, start, or delete an application gateway by using Azure Resource Manager
 
-Azure Application Gateway is a layer-7 load balancer. It provides failover, performance-routing HTTP requests between different servers, whether they are on the cloud or on-premises. Application Gateway has the following application delivery features: HTTP load balancing, cookie-based session affinity, and Secure Sockets Layer (SSL) offload.
+Azure Application Gateway is a layer-7 load balancer. It provides failover, performance-routing HTTP requests between different servers, whether they are on the cloud or on-premises. 
+Application Gateway provides many Application Delivery Controller (ADC) features including HTTP load balancing, cookie-based session affinity, Secure Sockets Layer (SSL) offload, custom health probes, support for multi-site, and many others. 
+To find a complete list of supported features, visit [Application Gateway Overview](application-gateway-introduction.md)
 
 > [AZURE.SELECTOR]
 - [Azure portal](application-gateway-create-gateway-portal.md)
@@ -29,14 +31,13 @@ Azure Application Gateway is a layer-7 load balancer. It provides failover, perf
 
 This article walks you through the steps to create, configure, start, and delete an application gateway.
 
-
 >[AZURE.IMPORTANT] Before you work with Azure resources, it's important to understand that Azure currently has two deployment models: Resource Manager and classic. Make sure that you understand [deployment models and tools](../azure-classic-rm.md) before working with any Azure resource. You can view the documentation for different tools by clicking the tabs at the top of this article. This document covers creating an application gateway by using Azure Resource Manager. To use the classic version, go to [Create an application gateway classic deployment by using PowerShell](application-gateway-create-gateway.md).
 
 
 ## Before you begin
 
 1. Install the latest version of the Azure PowerShell cmdlets by using the Web Platform Installer. You can download and install the latest version from the **Windows PowerShell** section of the [Downloads page](https://azure.microsoft.com/downloads/).
-2. If you have an existing virtual network, either select an existing empty subnet or create a subnet in your existing virtual network solely for use by the application gateway. You cannot deploy the application gateway to a different virtual network than the resources you intend to deploy behind the application gateway. 
+2. If you have an existing virtual network, either select an existing empty subnet or create a subnet in your existing virtual network solely for use by the application gateway. You cannot deploy the application gateway to a different virtual network than the resources you intend to deploy behind the application gateway.
 3. The servers that you configure to use the application gateway must exist or have their endpoints created either in the virtual network or with a public IP/VIP assigned.
 
 ## What is required to create an application gateway?
@@ -45,7 +46,7 @@ This article walks you through the steps to create, configure, start, and delete
 - **Back-end server pool settings:** Every pool has settings like port, protocol, and cookie-based affinity. These settings are tied to a pool and are applied to all servers within the pool.
 - **Front-end port:** This port is the public port that is opened on the application gateway. Traffic hits this port, and then gets redirected to one of the back-end servers.
 - **Listener:** The listener has a front-end port, a protocol (Http or Https, these values are case-sensitive), and the SSL certificate name (if configuring SSL offload).
-- **Rule:** The rule binds the listener, the back-end server pool and defines which back-end server pool the traffic should be directed to when it hits a particular listener. 
+- **Rule:** The rule binds the listener, the back-end server pool and defines which back-end server pool the traffic should be directed to when it hits a particular listener.
 
 ## Create an application gateway
 
@@ -62,7 +63,7 @@ Make sure that you are using the latest version of Azure PowerShell. More info i
 ### Step 1
 
 Log in to Azure
-	
+
 	Login-AzureRmAccount
 
 You are prompted to authenticate with your credentials.
@@ -181,6 +182,7 @@ Create an application gateway with all configuration items from the preceding st
 	$appgw = New-AzureRmApplicationGateway -Name appgwtest -ResourceGroupName appgw-rg -Location "West US" -BackendAddressPools $pool -BackendHttpSettingsCollection $poolSetting -FrontendIpConfigurations $fipconfig  -GatewayIpConfigurations $gipconfig -FrontendPorts $fp -HttpListeners $listener -RequestRoutingRules $rule -Sku $sku
 
 ### Step 9
+
 Retrieve DNS and VIP details of the application gateway from the public IP resource attached to the application gateway.
 
 	Get-AzureRmPublicIpAddress -Name publicIP01 -ResourceGroupName appgw-rg  
@@ -201,20 +203,14 @@ Use **Stop-AzureRmApplicationGateway** to stop the application gateway.
 
 	Stop-AzureRmApplicationGateway -ApplicationGateway $getgw  
 
-
 Once the application gateway is in a stopped state, use the **Remove-AzureRmApplicationGateway** cmdlet to remove the service.
 
-
 	Remove-AzureRmApplicationGateway -Name $appgwtest -ResourceGroupName appgw-rg -Force
 
-
-
 >[AZURE.NOTE] The **-force** switch can be used to suppress the remove confirmation message.
 
-
 To verify that the service has been removed, you can use the **Get-AzureRmApplicationGateway** cmdlet. This step is not required.
 
-
 	Get-AzureRmApplicationGateway -Name appgwtest -ResourceGroupName appgw-rg
 
 

articles/application-gateway/application-gateway-create-gateway-cli.md

@@ -14,7 +14,7 @@
    ms.topic="article"
    ms.tgt_pltfrm="na"
    ms.workload="infrastructure-services"
-   ms.date="09/09/2016"
+   ms.date="10/11/2016"
    ms.author="gwallace" />
 
 # Create an application gateway by using the Azure CLI
@@ -101,7 +101,7 @@ The IP addresses used for the backend are the IP addresses for your backend serv
 
     azure network application-gateway create -n AdatumAppGateway -l eastus -g AdatumAppGatewayRG -e AdatumAppGatewayVNET -m Appgatewaysubnet -r 134.170.185.46,134.170.188.221,134.170.185.50 -y c:\AdatumAppGateway\adatumcert.pfx -x P@ssw0rd -z 2 -a Standard_Medium -w Basic -j 443 -f Enabled -o 80 -i http -b https -u Standard
 
-
+> [AZURE.NOTE] For a list of parameters that can be provided during creation run the following command **azure network application-gateway create --help**.
 
 This example creates a basic application gateway with default settings for the listener, backend pool, backend http settings, and rules. It also configures SSL offload. You can modify these settings to suit your deployment once the provisioning is successful.
 If you already have your web application defined with the the backend pool in the preceding steps, once created, load balancing begins.

articles/application-gateway/application-gateway-create-gateway-portal.md

@@ -14,7 +14,7 @@
    ms.topic="article"
    ms.tgt_pltfrm="na"
    ms.workload="infrastructure-services"
-   ms.date="09/09/2016"
+   ms.date="10/11/2016"
    ms.author="gwallace" />
 
 # Create an application gateway by using the portal
@@ -65,7 +65,8 @@ Next fill out the basic information about the application gateway. When complete
 The information needed for the basic settings is:
 
 - **Name** - The name for the application gateway.
-- **SKU size** - This setting is the size of the application gateway, available options are (Small, Medium, and Large).
+- **Tier** - This is the tier of the application gateway. Two tiers are available, **WAF** and **Standard**. WAF enables the web application firewall feature.
+- **SKU size** - This setting is the size of the application gateway, available options are (**Small**, **Medium**, and **Large**). *Small is not available when WAF tier is chosen*
 - **Instance count** - The number of instances, this value should be a number between 2 and 10.
 - **Resource group** - The resource group to hold the application gateway, it can be an existing resource group or a new one.
 - **Location** - The region for the application gateway, it is the same location at the resource group. *The location is important as the virtual network and public IP must be in the same location as the gateway*.

articles/application-gateway/application-gateway-create-gateway.md

@@ -12,12 +12,14 @@
    ms.topic="hero-article"
    ms.tgt_pltfrm="na"
    ms.workload="infrastructure-services"
-   ms.date="09/02/2016"
+   ms.date="10/11/2016"
    ms.author="gwallace"/>
 
 # Create, start, or delete an application gateway
 
-Azure Application Gateway is a layer-7 load balancer. It provides failover, performance-routing HTTP requests between different servers, whether they are on the cloud or on-premises. Application Gateway has the following application delivery features: HTTP load balancing, cookie-based session affinity, and Secure Sockets Layer (SSL) offload.
+Azure Application Gateway is a layer-7 load balancer. It provides failover, performance-routing HTTP requests between different servers, whether they are on the cloud or on-premises. 
+Application Gateway provides many Application Delivery Controller (ADC) features including HTTP load balancing, cookie-based session affinity, Secure Sockets Layer (SSL) offload, custom health probes, support for multi-site, and many others. 
+To find a complete list of supported features, visit [Application Gateway Overview](application-gateway-introduction.md)
 
 > [AZURE.SELECTOR]
 - [Azure Portal](application-gateway-create-gateway-portal.md)
@@ -31,7 +33,7 @@ This article walks you through the steps to create, configure, start, and delete
 ## Before you begin
 
 1. Install the latest version of the Azure PowerShell cmdlets by using the Web Platform Installer. You can download and install the latest version from the **Windows PowerShell** section of the [Downloads page](https://azure.microsoft.com/downloads/).
-2. If you have an existing virtual network, either select an existing empty subnet or create a new subnet in your existing virtual network solely for use by the application gateway. You cannot deploy the application gateway to a different virtual network than the resources you intend to deploy behind the application gateway.
+2. If you have an existing virtual network, either select an existing empty subnet or create a new subnet in your existing virtual network solely for use by the application gateway. You cannot deploy the application gateway to a different virtual network than the resources you intend to deploy behind the application gateway unless vnet peering is used. To learn more visit [Vnet Peering](../virtual-network/virtual-network-peering-overview.md)
 3. Verify that you have a working virtual network with a valid subnet. Make sure that no virtual machines or cloud deployments are using the subnet. The application gateway must be by itself in a virtual network subnet.
 3. The servers that you configure to use the application gateway must exist or have their endpoints created either in the virtual network or with a public IP/VIP assigned.
 

articles/application-gateway/application-gateway-end-to-end-ssl-powershell.md

@@ -13,7 +13,7 @@
     ms.topic="article"
     ms.tgt_pltfrm="na"
     ms.workload="infrastructure-services"
-    ms.date="09/26/2016"
+    ms.date="10/11/2016"
     ms.author="gwallace"/>
 
 # Configure SSL Policy and end to end SSL with Application Gateway using PowerShell
@@ -24,6 +24,8 @@ Application Gateway supports end to end encryption of traffic. Application Gatew
 
 Another feature that application gateway supports is disabling certain SSL protocol versions. Application Gateway supports disabling the following protocol version; TLSv1.0, TLSv1.1 and TLSv1.2.
 
+> [AZURE.NOTE] SSL 2.0 and SSL 3.0 are disabled by default and cannot be enabled, they are considered unsecured and are not able to be used with Application Gateway
+
 ![scenario image][scenario]
 
 ## Scenario
@@ -39,9 +41,11 @@ This scenario will:
 
 ## Before you begin
 
-To configure end to end SSL with an application gateway, a certificate is required for the gateway and certificates are required for the backend servers. The gateway certificate is used to encrypt and decrypt the traffic sent to it via SSL. The gateway certificate needs to be in Personal Information Exchange (pfx) format. This file format allows for the private key to be exported which is required by the application gateway to perform the encryption and decryption of traffic. 
+To configure end to end SSL with an application gateway, a certificate is required for the gateway and certificates are required for the backend servers. The gateway certificate is used to encrypt and decrypt the traffic sent to it using SSL. The gateway certificate needs to be in Personal Information Exchange (pfx) format. This file format allows for the private key to be exported which is required by the application gateway to perform the encryption and decryption of traffic.
+
+For end to end ssl encryption the backend must be whitelisted with application gateway. This is done by uploading the public certificate of the backends to the application gateway. This ensures that the application gateway only communicates with known backend instances. This further secures the end to end communication.
 
-For end to end ssl encryption the backend must be whitelisted with application gateway. This is done by upload the public certificate of the backends to the application gateway. This ensures that the application gateway only communicates with known backend instances, tus securing the end to end communication. This process is described in the following steps:
+This process is described in the following steps:
 
 ## Create the Resource Group
 
@@ -67,14 +71,16 @@ Create a resource group (skip this step if you're using an existing resource gro
 
 ## Create a virtual network and a subnet for the application gateway
 
-The following example creates a virtual network and two subnets. One subnet is used to house the application gateway. The other subnet is used for the backend servers hosting the web application.
+The following example creates a virtual network and two subnets. One subnet is used to hold the application gateway. The other subnet is used for the backends hosting the web application.
 
 ### Step 1
 
 Assign an address range for the subnet be used for the Application Gateway itself.
 
     $gwSubnet = New-AzureRmVirtualNetworkSubnetConfig -Name 'appgwsubnet' -AddressPrefix 10.0.0.0/24
 
+> [AZURE.NOTE] Subnets configured for application gateway should be properly sized. An application gateway can be configured for up to 10 instances, each instance takes 1 IP address from the subnet. Too small of a subnet can adversely affect scaling out an application gateway.
+
 ### Step 2
 
 Assign an address range to be used for the Backend address pool.
@@ -83,7 +89,7 @@ Assign an address range to be used for the Backend address pool.
 
 ### Step 3
 
-Create a virtual network with subnets defined in the preceding steps.
+Create a virtual network with the subnets defined in the preceding steps.
 
     $vnet = New-AzureRmvirtualNetwork -Name 'appgwvnet' -ResourceGroupName appgw-rg -Location "West US" -AddressPrefix 10.0.0.0/16 -Subnet $gwSubnet, $nicSubnet
 
@@ -125,7 +131,7 @@ Configure the back-end IP address pool with the IP addresses of the backend web
 
     $pool = New-AzureRmApplicationGatewayBackendAddressPool -Name 'pool01' -BackendIPAddresses 1.1.1.1, 2.2.2.2, 3.3.3.3
 
-> [AZURE.NOTE] A fully qualified domain name (FQDN) is also a valid value in place of an ip address for the backend servers.
+> [AZURE.NOTE] A fully qualified domain name (FQDN) is also a valid value in place of an ip address for the backend servers by using the -BackendFqdns switch.
 
 ### Step 4
 
@@ -153,7 +159,7 @@ Upload the certificate to be used on the ssl enabled backend pool resources.
 
     $authcert = New-AzureRmApplicationGatewayAuthenticationCertificate -Name 'whitelistcert1' -CertificateFile C:\users\gwallace\Desktop\cert.cer
 
-> [AZURE.NOTE] The certificate provided in this step should be the public key of the pfx cert present on the backend. This step whitelists the backend with the application gateway. 
+> [AZURE.NOTE] The certificate provided in this step should be the public key of the pfx cert present on the backend. This step whitelists the backend with the application gateway.
 
 ### Step 8
 
@@ -185,9 +191,9 @@ The following values are a list of protocol versions that can be disabled.
 - **TLSv1_1**
 - **TLSv1_2**
 
-The following example disables TLSv1\_0 and TLSv1\_1
+The following example disables TLSv1\_0.
 
-    $sslPolicy = New-AzureRmApplicationGatewaySslPolicy -DisabledSslProtocols TLSv1_0, TLSv1_1
+    $sslPolicy = New-AzureRmApplicationGatewaySslPolicy -DisabledSslProtocols TLSv1_0
 
 ## Create the Application Gateway
 
@@ -207,9 +213,9 @@ Retrieve the application gateway to update.
 
 ### Step 2
 
-Define an SSL policy. In the following example, TLSv1.0 is disabled.
+Define an SSL policy. In the following example, TLSv1.0 and TLSv1.1 are disabled.
 
-    Set-AzureRmApplicationGatewaySslPolicy -DisabledSslProtocols TLSv1_0 -ApplicationGateway $gw
+    Set-AzureRmApplicationGatewaySslPolicy -DisabledSslProtocols TLSv1_0, TLSv1_1 -ApplicationGateway $gw
 
 ### Step 3