shanhix1 · Apr 19, 2018
diff --git a/‎articles/application-gateway/media/tutorial-ssl-cli/application-gateway-nginx.PNG
15.2 KB b/‎articles/application-gateway/media/tutorial-ssl-cli/application-gateway-nginx.PNG
15.2 KB
diff --git a/‎articles/application-gateway/media/tutorial-ssl-cli/application-gateway-secure.png
120 KB b/‎articles/application-gateway/media/tutorial-ssl-cli/application-gateway-secure.png
120 KB
diff --git a/‎articles/application-gateway/media/tutorial-ssl-powershell/application-gateway-iistest.PNG
15.2 KB b/‎articles/application-gateway/media/tutorial-ssl-powershell/application-gateway-iistest.PNG
15.2 KB
diff --git a/‎articles/application-gateway/media/tutorial-ssl-powershell/application-gateway-secure.png
120 KB b/‎articles/application-gateway/media/tutorial-ssl-powershell/application-gateway-secure.png
120 KB
diff --git a/‎articles/application-gateway/media/waf-overview/WAF1.png
56.8 KB b/‎articles/application-gateway/media/waf-overview/WAF1.png
56.8 KB
diff --git a/‎articles/application-gateway/media/waf-overview/diagnostics.png
47.5 KB b/‎articles/application-gateway/media/waf-overview/diagnostics.png
47.5 KB
diff --git a/‎articles/application-gateway/media/waf-overview/figure1.png
45 KB b/‎articles/application-gateway/media/waf-overview/figure1.png
45 KB
diff --git a/‎articles/application-gateway/media/waf-overview/waf2.png
45.8 KB b/‎articles/application-gateway/media/waf-overview/waf2.png
45.8 KB
diff --git a/‎articles/application-gateway/ssl-overview.md
Lines changed: 45 additions & 0 deletions b/‎articles/application-gateway/ssl-overview.md
Lines changed: 45 additions & 0 deletions
diff --git a/‎articles/application-gateway/tutorial-multiple-sites-cli.md
Lines changed: 262 additions & 0 deletions b/‎articles/application-gateway/tutorial-multiple-sites-cli.md
Lines changed: 262 additions & 0 deletions
@@ -0,0 +1,45 @@
+---
+title: Enabling end to end SSL on Azure Application Gateway | Microsoft Docs
+description: This page provides an overview of the Application Gateway end to end SSL support.
+documentationcenter: na
+services: application-gateway
+author: amsriva
+manager: rossort
+editor: amsriva
+
+ms.assetid: 3976399b-25ad-45eb-8eb3-fdb736a598c5
+ms.service: application-gateway
+ms.devlang: na
+ms.topic: hero-article
+ms.tgt_pltfrm: na
+ms.custom: H1Hack27Feb2017
+ms.workload: infrastructure-services
+ms.date: 07/19/2017
+ms.author: amsriva
+
+---
+# Overview of end to end SSL with Application Gateway
+
+Application gateway supports SSL termination at the gateway, after which traffic typically flows unencrypted to the backend servers. This feature allows web servers to be unburdened from costly encryption and decryption overhead. However for some customers unencrypted communication to the backend servers is not an acceptable option. This unencrypted communication could be due to security requirements, compliance requirements, or the application may only accept a secure connection. For such applications, application gateway supports end to end SSL encryption.
+
+## Overview
+
+End to end SSL allows you to securely transmit sensitive data to the backend encrypted while still taking advantage of the benefits of Layer 7 load balancing features which application gateway provides. Some of these features are cookie-based session affinity, URL-based routing, support for routing based on sites, or ability to inject X-Forwarded-* headers.
+
+When configured with end to end SSL communication mode, application gateway terminates the SSL sessions at the gateway and decrypts user traffic. It then applies the configured rules to select an appropriate backend pool instance to route traffic to. Application gateway then initiates a new SSL connection to the backend server and re-encrypts data using the backend server's public key certificate before transmitting the request to the backend. End to end SSL is enabled by setting protocol setting in BackendHTTPSetting to HTTPS, which is then applied to a backend pool. Each backend server in the backend pool with end to end SSL enabled must be configured with a certificate to allow secure communication.
+
+![end to end ssl scenario][1]
+
+In this example, requests using TLS1.2 are routed to backend servers in Pool1 using end to end SSL.
+
+## End to end SSL and whitelisting of certificates
+
+Application gateway only communicates with known backend instances that have whitelisted their certificate with the application gateway. To enable whitelisting of certificates, you must upload the public key of backend server certificates to the application gateway (not the root certificate). Only connections to known and whitelisted backends are then allowed. The remaining backends results in a gateway error. Self-signed certificates are for test purposes only and not recommended for production workloads. Such certificates have to be whitelisted with the application gateway as described in the preceding steps before they can be used.
+
+## Next steps
+
+After learning about end to end SSL, go to [enable end to end SSL on application gateway](tutorial-ssl-powershell.md) to create an application gateway using end to end SSL.
+
+<!--Image references-->
+
+[1]: ./media/ssl-overview/scenario.png
@@ -0,0 +1,262 @@
+---
+title: Create an application gateway that hosts multiple web sites - Azure CLI
+description: Learn how to create an application gateway that hosts multiple web sites using the Azure CLI.
+services: application-gateway
+author: vhorne
+manager: jpconnock
+
+ms.service: application-gateway
+ms.topic: tutorial
+ms.workload: infrastructure-services
+ms.date: 3/22/2018
+ms.author: victorh
+ms.custom: mvc
+#Customer intent: As an IT administrator, I want to use Azure CLI to configure Application Gateway to host multiple web sites , so I can ensure my customers can acess the web information they need.
+---
+# Tutorial: Create an application gateway that hosts multiple web sites using the Azure CLI
+
+You can use the Azure CLI to [configure the hosting of multiple web sites](multiple-site-overview.md) when you create an [application gateway](overview.md). In this tutorial, you define backend address pools using virtual machines scale sets. You then configure listeners and rules based on domains that you own to make sure web traffic arrives at the appropriate servers in the pools. This tutorial assumes that you own multiple domains and uses examples of *www.contoso.com* and *www.fabrikam.com*.
+
+In this tutorial, you learn how to:
+
+> [!div class="checklist"]
+> * Set up the network
+> * Create an application gateway
+> * Create backend listeners
+> * Create routing rules
+> * Create virtual machine scale sets with the backend pools
+> * Create a CNAME record in your domain
+
+![Multi-site routing example](./media/tutorial-multiple-sites-cli/scenario.png)
+
+If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
+
+[!INCLUDE [cloud-shell-try-it.md](../../includes/cloud-shell-try-it.md)]
+
+If you choose to install and use the CLI locally, this quickstart requires that you are running the Azure CLI version 2.0.4 or later. To find the version, run `az --version`. If you need to install or upgrade, see [Install Azure CLI 2.0](/cli/azure/install-azure-cli).
+
+## Create a resource group
+
+A resource group is a logical container into which Azure resources are deployed and managed. Create a resource group using [az group create](/cli/azure/group#create).
+
+The following example creates a resource group named *myResourceGroupAG* in the *eastus* location.
+
+```azurecli-interactive 
+az group create --name myResourceGroupAG --location eastus
+```
+
+## Create network resources 
+
+Create the virtual network and the subnet named *myAGSubnet* using [az network vnet create](/cli/azure/network/vnet#az_net). You can then add the subnet that's needed by the backend servers using [az network vnet subnet create](/cli/azure/network/vnet/subnet#az_network_vnet_subnet_create). Create the public IP address named *myAGPublicIPAddress* using [az network public-ip create](/cli/azure/public-ip#az_network_public_ip_create).
+
+```azurecli-interactive
+az network vnet create \
+  --name myVNet \
+  --resource-group myResourceGroupAG \
+  --location eastus \
+  --address-prefix 10.0.0.0/16 \
+  --subnet-name myAGSubnet \
+  --subnet-prefix 10.0.1.0/24
+
+az network vnet subnet create \
+  --name myBackendSubnet \
+  --resource-group myResourceGroupAG \
+  --vnet-name myVNet \
+  --address-prefix 10.0.2.0/24
+
+az network public-ip create \
+  --resource-group myResourceGroupAG \
+  --name myAGPublicIPAddress
+```
+
+## Create the application gateway
+
+You can use [az network application-gateway create](/cli/azure/application-gateway#create) to create the application gateway. When you create an application gateway using the Azure CLI, you specify configuration information, such as capacity, sku, and HTTP settings. The application gateway is assigned to *myAGSubnet* and *myAGPublicIPAddress* that you previously created. 
+
+```azurecli-interactive
+az network application-gateway create \
+  --name myAppGateway \
+  --location eastus \
+  --resource-group myResourceGroupAG \
+  --vnet-name myVNet \
+  --subnet myAGsubnet \
+  --capacity 2 \
+  --sku Standard_Medium \
+  --http-settings-cookie-based-affinity Disabled \
+  --frontend-port 80 \
+  --http-settings-port 80 \
+  --http-settings-protocol Http \
+  --public-ip-address myAGPublicIPAddress
+```
+
+It may take several minutes for the application gateway to be created. After the application gateway is created, you can see these new features of it:
+
+- *appGatewayBackendPool* - An application gateway must have at least one backend address pool.
+- *appGatewayBackendHttpSettings* - Specifies that port 80 and an HTTP protocol is used for communication.
+- *appGatewayHttpListener* - The default listener associated with *appGatewayBackendPool*.
+- *appGatewayFrontendIP* - Assigns *myAGPublicIPAddress* to *appGatewayHttpListener*.
+- *rule1* - The default routing rule that is associated with *appGatewayHttpListener*.
+
+### Add the backend pools
+
+Add the backend pools that are needed to contain the backend servers using [az network application-gateway address-pool create](/cli/azure/application-gateway#az_network_application_gateway_address_pool_create).
+
+```azurecli-interactive
+az network application-gateway address-pool create \
+  --gateway-name myAppGateway \
+  --resource-group myResourceGroupAG \
+  --name contosoPool
+
+az network application-gateway address-pool create \
+  --gateway-name myAppGateway \
+  --resource-group myResourceGroupAG \
+  --name fabrikamPool
+```
+
+### Add backend listeners
+
+Add the backend listeners that are needed to route traffic using [az network application-gateway http-listener create](/cli/azure/application-gateway#az_network_application_gateway_http_listener_create).
+
+```azurecli-interactive
+az network application-gateway http-listener create \
+  --name contosoListener \
+  --frontend-ip appGatewayFrontendIP \
+  --frontend-port appGatewayFrontendPort \
+  --resource-group myResourceGroupAG \
+  --gateway-name myAppGateway \
+  --host-name www.contoso.com
+
+az network application-gateway http-listener create \
+  --name fabrikamListener \
+  --frontend-ip appGatewayFrontendIP \
+  --frontend-port appGatewayFrontendPort \
+  --resource-group myResourceGroupAG \
+  --gateway-name myAppGateway \
+  --host-name www.fabrikam.com   
+  ```
+
+### Add routing rules
+
+Rules are processed in the order they are listed, and traffic is directed using the first rule that matches regardless of specificity. For example, if you have a rule using a basic listener and a rule using a multi-site listener both on the same port, the rule with the multi-site listener must be listed before the rule with the basic listener in order for the multi-site rule to function as expected. 
+
+In this example, you create two new rules and delete the default rule that was created when you created the application gateway. You can add the rule using [az network application-gateway rule create](/cli/azure/application-gateway#az_network_application_gateway_rule_create).
+
+```azurecli-interactive
+az network application-gateway rule create \
+  --gateway-name myAppGateway \
+  --name contosoRule \
+  --resource-group myResourceGroupAG \
+  --http-listener contosoListener \
+  --rule-type Basic \
+  --address-pool contosoPool
+
+az network application-gateway rule create \
+  --gateway-name myAppGateway \
+  --name fabrikamRule \
+  --resource-group myResourceGroupAG \
+  --http-listener fabrikamListener \
+  --rule-type Basic \
+  --address-pool fabrikamPool
+
+az network application-gateway rule delete \
+  --gateway-name myAppGateway \
+  --name rule1 \
+  --resource-group myResourceGroupAG
+```
+
+## Create virtual machine scale sets
+
+In this example, you create three virtual machine scale sets that support the three backend pools in the application gateway. The scale sets that you create are named *myvmss1*, *myvmss2*, and *myvmss3*. Each scale set contains two virtual machine instances on which you install IIS.
+
+```azurecli-interactive
+for i in `seq 1 2`; do
+
+  if [ $i -eq 1 ]
+  then
+    poolName="contosoPool"
+  fi
+
+  if [ $i -eq 2 ]
+  then
+    poolName="fabrikamPool"
+  fi
+
+  az vmss create \
+    --name myvmss$i \
+    --resource-group myResourceGroupAG \
+    --image UbuntuLTS \
+    --admin-username azureuser \
+    --admin-password Azure123456! \
+    --instance-count 2 \
+    --vnet-name myVNet \
+    --subnet myBackendSubnet \
+    --vm-sku Standard_DS2 \
+    --upgrade-policy-mode Automatic \
+    --app-gateway myAppGateway \
+    --backend-pool-name $poolName
+done
+```
+
+### Install NGINX
+
+```azurecli-interactive
+for i in `seq 1 2`; do
+
+  az vmss extension set \
+    --publisher Microsoft.Azure.Extensions \
+    --version 2.0 \
+    --name CustomScript \
+    --resource-group myResourceGroupAG \
+    --vmss-name myvmss$i \
+    --settings '{ "fileUris": ["https://raw.githubusercontent.com/davidmu1/samplescripts/master/install_nginx.sh"],
+  "commandToExecute": "./install_nginx.sh" }'
+
+done
+```
+
+## Create a CNAME record in your domain
+
+After the application gateway is created with its public IP address, you can get the DNS address and use it to create a CNAME record in your domain. You can use [az network public-ip show](/cli/azure/network/public-ip#az_network_public_ip_show) to get the DNS address of the application gateway. Copy the *fqdn* value of the DNSSettings and use it as the value of the CNAME record that you create. 
+
+```azurecli-interactive
+az network public-ip show \
+  --resource-group myResourceGroupAG \
+  --name myAGPublicIPAddress \
+  --query [dnsSettings.fqdn] \
+  --output tsv
+```
+
+The use of A-records is not recommended because the VIP may change when the application gateway is restarted.
+
+## Test the application gateway
+
+Enter your domain name into the address bar of your browser. Such as, http://www.contoso.com.
+
+![Test contoso site in application gateway](./media/tutorial-multiple-sites-cli/application-gateway-nginxtest1.png)
+
+Change the address to your other domain and you should see something like the following example:
+
+![Test fabrikam site in application gateway](./media/tutorial-multiple-sites-cli/application-gateway-nginxtest2.png)
+
+## Clean up resources
+
+When no longer needed, remove the resource group, application gateway, and all related resources.
+
+```azurecli-interactive
+az group delete --name myResourceGroupAG --location eastus
+```
+
+## Next steps
+
+In this tutorial, you learned how to:
+
+> [!div class="checklist"]
+> * Set up the network
+> * Create an application gateway
+> * Create backend listeners
+> * Create routing rules
+> * Create virtual machine scale sets with the backend pools
+> * Create a CNAME record in your domain
+
+> [!div class="nextstepaction"]
+> [Create an application gateway with URL path-based routing rules](./tutorial-url-route-cli.md)