In the Azure Application Gateway UI, when creating an HTTP Setting, there's a tickbox called "Use for App service":
I'm trying to replicate this HTTP Setting in PowerShell using the following command:
Add-AzureRmApplicationGatewayBackendHttpSettings -Name $MaintenanceToggleHTTPSetting -ApplicationGateway $AppGW -Protocol Http -Port 80 -Probe $probe
Having checked the documentation, I can't find any parameter to replicate this.
Is it possible? Is it a combination of other parameters perhaps?
It seems there is no parameter for the Use for App service option in the PowerShell command.
Besides, I found something weird: on my portal, I choose the Use for App service option -> Save, exit and enter again, and then the option is no longer chosen. Not sure if I'm doing it right; if not, please correct me.
Also, I captured the request with the option chosen and not chosen via F12; after comparing, I find the request body is the same.
Edit:
We need to choose the pick hostname from backend address option in the probe, then the Use for App service option will be saved.
Here is a specific PowerShell script as a supplement to the answer of @dunc; if someone wants to use the Use for App service option, you could refer to it. For more details, refer to @dunc's answer.
$AppGw = Get-AzureRmApplicationGateway -Name "joygateway" -ResourceGroupName "joywebapp"
$probe = Get-AzureRmApplicationGatewayProbeConfig -Name "testprobe" -ApplicationGateway $AppGw
Add-AzureRmApplicationGatewayBackendHttpSettings -Name "testsetting" -ApplicationGateway $AppGW -Protocol Http -Port 80 -Probe $probe -PickHostNameFromBackendAddress -CookieBasedAffinity "Disabled"
Set-AzureRmApplicationGateway -ApplicationGateway $AppGw
Check in the portal:
I had a response from Microsoft on this, which I have tested and confirmed:
The checkbox ‘Use for App service’ is a wrapper for 2 checkboxes followed by it.
So when you configure both checkboxes below it to ‘on’, this “use for App service” becomes active.
Basically, set the -Probe and -PickHostNameFromBackendAddress parameters when creating the HttpSettings. This ticks the "Use for App service" tickbox in the UI.
Related
I'm working on setting up an application gateway with a group of backend app services. I am in the final configuration steps of configuring a listener, but first I need to set Application Gateway to support key vault reference certificates. I follow this guide from the official Microsoft documentation: Key Vault Azure Role-Based Access Control Permissions Model
via Azure PowerShell, but I get this series of errors. In the case of Get-AzApplicationGateway, I have already verified that the name in which my resource is located is correct. As for Get-AzApplicationGatewayIdentity and Add-AzApplicationGatewaySslCertificate, I get: Cannot bind argument to parameter 'ApplicationGateway' because it is null. I can't find the cause for this error, am I entering the wrong argument?
Your first command in the posted snippet "Get-AzApplicationGateway" doesn't find your gateway.
At least in the snippet provided you don't give -Name and -ResourceGroupName as strings, meaning in " ".
When I run your commands with strings where they are required it works just fine.
When I ran the below command directly, I got the same error.
$appgw = Get-AzApplicationGateway -Name YourApplicationGatewayName -ResourceGroupName YourRGName
First, we need to create an Application Gateway.
Create a Managed Identity.
After creating the ApplicationGateway and ManagedIdentity, now run the below commands.
$appgw = Get-AzApplicationGateway -Name YourApplicationGatewayName -ResourceGroupName YourRGName
Set-AzApplicationGatewayIdentity -ApplicationGateway $appgw -UserAssignedIdentityId "/subscriptions/YourSubscriptionID/resourceGroups/YourRGName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/MyYourManagedIdentityName"
Create a KeyVault and certificate by following the steps from the document and run the below command to
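$secret = Get-AzKeyVaultSecret -VaultName "YourKeyVaultName" -Name "YourCertificateName"
# Take the secret's identifier; $secretId was otherwise undefined in the next command
$secretId = $secret.Id
Add-AzApplicationGatewaySslCertificate -KeyVaultSecretId $secretId -ApplicationGateway $appgw -Name $secret.Name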
Before running the below command make sure you have created the Access policy with Get selected on Secret permissions and provided the created Managed Identity.
Set-AzApplicationGateway -ApplicationGateway $appgw
I'm trying to set up a rule in my Azure Application Gateway which applies a longer timeout limit on certain requests to allow a service to serve requests/data without a timeout.
The rule is configured with path-based routing so it should only kick in if requests contain a specific path prefix.
I believe that my rule is not being executed however, because it sits lower down in the list of rules from the more general rule.
Is there a way to set the priority within the Azure Portal, or can this only be done when managing this configuration via PowerShell scripts?
At this moment in time you can't set rule priority through the Azure Portal for an existing Application Gateway. You will need to set a priority on all of your existing rules through Powershell/Azure CLI, then you will be able to manage them through the portal. Note that this only applies to Application Gateway V2.
In order to do that, you can loop over all your existing rules and set each of them a unique priority between 1 and 20000 (1 = highest priority, 20000 = lowest priority). Here's an example of such a PowerShell script:
Connect-AzAccount -Tenant 'TENANT-GUID-HERE'
$AppGW = Get-AzApplicationGateway -Name "APP-GATEWAY-NAME-HERE" -ResourceGroupName "RESSOURCE-GROUP-HERE"
$Rules = Get-AzApplicationGatewayRequestRoutingRule -ApplicationGateway $AppGW
$i = 1000
foreach ($Rule in $Rules) {
    $Rule.Priority = $i
    $i++
}
Set-AzApplicationGateway -ApplicationGateway $AppGw
Then, if the script succeeds, you will now be able to manage rules priorities on the Portal (look for the "Priority" textbox while adding or modifying a rule).
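A variant of the loop in the answer above, as an added example that is not part of the original answer: it puts named rules first, leaves gaps between priorities, and refuses values outside the 1 to 20000 range. The function name, its parameters and the sample rule names are hypothetical.

```powershell
# Added example. $rules below is constructed sample data standing in for the
# output of Get-AzApplicationGatewayRequestRoutingRule.
function Set-RulePriorityPlan {
    param(
        [Parameter(Mandatory)] [object[]] $Rules,
        [string[]] $First = @(),   # rule names that must get the lowest numbers
        [int] $Start = 100,
        [int] $Step  = 10          # gaps leave room to insert rules later
    )
    foreach ($n in $First) {
        if (@($Rules | Where-Object { $_.Name -eq $n }).Count -ne 1) {
            throw "Rule '$n' was not found exactly once."
        }
    }
    # Named rules first, in the order given; the rest keep their current order.
    $ordered = @(foreach ($n in $First) { $Rules | Where-Object { $_.Name -eq $n } }) +
               @($Rules | Where-Object { $_.Name -notin $First })
    $last = $Start + $Step * ($ordered.Count - 1)
    if ($Start -lt 1 -or $Step -lt 1 -or $last -gt 20000) {
        throw "Priorities must be unique and stay within 1..20000 (last would be $last)."
    }
    $p = $Start
    foreach ($r in $ordered) { $r.Priority = $p; $p += $Step }
    $ordered
}

$rules = @(
    [pscustomobject]@{ Name = 'general-rule';      RuleType = 'Basic';            Priority = $null }
    [pscustomobject]@{ Name = 'long-timeout-rule'; RuleType = 'PathBasedRouting'; Priority = $null }
    [pscustomobject]@{ Name = 'redirect-rule';     RuleType = 'Basic';            Priority = $null }
)
Set-RulePriorityPlan -Rules $rules -First 'long-timeout-rule' |
    Format-Table Name, RuleType, Priority
```

Against a real gateway, pass the rules returned by Get-AzApplicationGatewayRequestRoutingRule and then call Set-AzApplicationGateway as in the script above.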
Specifically, I am looking to write an automation runbook for changing a Function App's HTTP Version from its 1.1 default to 2.0. I know there is a simple way to do this via CLI commands, but I'm trying to get a working solution using a PowerShell runbook.
So far, I've been able to find the setting by doing...
$FA = Get-AzFunctionApp -Name <foo> -ResourceGroupName <bar>
$FA.Config.Http20Enabled
False
I've attempted to alter $FA and then pipe it through Update-AzFunctionApp...
$FA.Config.Http20Enabled = $True
$FA | Update-AzFunctionApp
with no success.
Not sure if I'm close to the right solution but I can't seem to find any Azure functionality that changes platform settings in this way. Any insight would be much appreciated!
I was able to find a solution to my original question. Instead of using the AzFunctionApp cmdlets, I used AzResource.
$FA = Get-AzResource -ResourceGroupName <foo> -Name <bar> -ResourceType Microsoft.Web/sites/config -ApiVersion 2021-02-01
$FA.Properties.http20Enabled = $True
Set-AzResource -ResourceId $FA.ResourceId -Properties $FA.Properties
I presume other config settings can be changed along with the property I needed.
I found (as well as the Azure CLI) you can use the PowerShell cmdlets for Web Apps. These work on Azure Functions too!
For simple examples, perhaps to just toggle a feature you can call Set-AzWebApp in one line. Here are two examples:
(1) to enable HTTPS only:
Set-AzWebApp -Name $functionName -ResourceGroupName $rg -HttpsOnly $true
Or (2) to disable FTP/FTPs:
Set-AzWebApp -Name $functionName -ResourceGroupName $rg -FtpsState "Disabled"
For more complex property changes, like enabling HTTP 2.0, you can do this in just a few more lines of PowerShell. See for example:
$funcAsApp = Get-AzWebApp -Name $functionName -ResourceGroupName $rg
$funcAsApp.SiteConfig.Http20Enabled = $true
$funcAsApp | Set-AzWebApp
For more information see the MSDN help here: https://learn.microsoft.com/en-us/powershell/module/az.websites/set-azwebapp?view=azps-6.6.0
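To check which apps still need the settings changed in the answers above, here is an audit function as an added example (not part of the original answers). It reads the same properties the answers set; the function name and the sample apps are hypothetical.

```powershell
# Added example. The $sites entries are constructed sample objects shaped like
# Get-AzWebApp output (HttpsOnly, SiteConfig.FtpsState, SiteConfig.Http20Enabled).
function Test-SiteTransportSetting {
    param([Parameter(Mandatory, ValueFromPipeline)] $Site)
    process {
        $findings = @()
        if (-not $Site.HttpsOnly) { $findings += 'HttpsOnly is off' }
        if ($null -eq $Site.SiteConfig) {
            # Do not report a pass when the configuration was never loaded.
            $findings += 'SiteConfig not populated; fetch the app by name and re-check'
        } else {
            if ("$($Site.SiteConfig.FtpsState)" -ne 'Disabled') {
                $findings += "FtpsState is '$($Site.SiteConfig.FtpsState)'"
            }
            if (-not $Site.SiteConfig.Http20Enabled) { $findings += 'HTTP/2 is off' }
        }
        [pscustomobject]@{
            Name      = $Site.Name
            Compliant = ($findings.Count -eq 0)
            Findings  = $findings -join '; '
        }
    }
}

$sites = @(
    [pscustomobject]@{ Name = 'func-a'; HttpsOnly = $true
        SiteConfig = [pscustomobject]@{ FtpsState = 'Disabled'; Http20Enabled = $true } }
    [pscustomobject]@{ Name = 'func-b'; HttpsOnly = $false
        SiteConfig = [pscustomobject]@{ FtpsState = 'AllAllowed'; Http20Enabled = $false } }
    [pscustomobject]@{ Name = 'func-c'; HttpsOnly = $true; SiteConfig = $null }
)
$sites | Test-SiteTransportSetting | Format-Table -AutoSize
```

With the Az module loaded, the same function accepts the object returned by Get-AzWebApp -Name $functionName -ResourceGroupName $rg.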
I am having trouble uploading a new SSL pfx certificate onto my WAF V2 application gateway. I currently have 3 basic wildcard listeners setup (*.contoso.com *.fabrikam.com and *.adatum.com for example) and I would like to update the certificate associated with *.contoso.com.
The problem with using the UI is that if I attempt to update and save the certificate on the listener I get an error message indicating "This Basic HTTP listener cannot use the same frontend port as an existing listener". I understand this is likely because using multiple basic listeners is still in preview and can only be setup via powershell or ARM templates. I originally setup the gateway via ARM templates.
I instead attempted to update the listener's certificate using powershell. I first uploaded the pfx cert to a key vault. I then created a user managed identity with azure role assignments for both the app gateway and the key vault. After, I ran the following powershell commands from inside the portal's CLI but got the resulting error message.
PS > Select-AzureRmSubscription -Scope CurrentUser -SubscriptionName "Pay-As-You-Go"
PS > $appgw = Get-AzApplicationGateway -ResourceGroupName "myresourcegroup" -Name "myappgateway"
PS > $secret = Get-AzKeyVaultSecret -VaultName "mykeyvault" -Name "contoso-cert"
PS > $secretId = $secret.Id
PS > set-AzApplicationGatewaySSLCertificate -Name "contoso-cert" -ApplicationGateway $appgw -KeyVaultSecretId $secretId
PS > Set-AzApplicationGateway -ApplicationGateway $appgw
Set-AzApplicationGateway: Application Gateway 'myappgateway' requires a 'UserAssigned' Identity with 'get' access policy to the referenced KeyVault. Please provide so by using top level 'Identity' property.
Why am I unable to update the certificate on the basic listener using powershell? Is there any alternative option I can try in order to set the certificate? Please help
Pretty sure I came across this same issue when looking at the Wildcard Listeners Preview in App Gateway.
I don't have a test environment configured in such a way that I can try this for you at the moment, but I believe the solution was to create a Multisite HTTPS listener (instead of basic) with an arbitrary FQDN, and using the same SSL cert as the one you want to update. Then use that listener to update the SSL cert (you could probably even update the cert at the same time as you create the listener).
Let us know how you get on!
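A pre-flight check for the Key Vault certificate reference used in the two threads above, as an added example that is not part of the original posts. It inspects the gateway object for the user-assigned identity that the error message asks for and for the shape of each secret ID; it does not check the vault's access policy. The function name is hypothetical and the property names (Identity.Type, Identity.UserAssignedIdentities, SslCertificates, KeyVaultSecretId) are assumed to match the object returned by Get-AzApplicationGateway.

```powershell
# Added example. $gw is a constructed sample object; the secret version in the
# URI is a made-up value.
function Test-AppGwKeyVaultCert {
    param([Parameter(Mandatory)] $Gateway)
    $hasIdentity = $Gateway.Identity -and
                   "$($Gateway.Identity.Type)" -match 'UserAssigned' -and
                   $Gateway.Identity.UserAssignedIdentities.Count -gt 0
    # Only certificates that reference Key Vault are relevant here.
    foreach ($c in @($Gateway.SslCertificates | Where-Object { $_.KeyVaultSecretId })) {
        $uri = [uri]$c.KeyVaultSecretId
        # Path is /secrets/<name> or /secrets/<name>/<version>
        $parts = $uri.AbsolutePath.Trim('/').Split('/')
        $issues = @()
        if (-not $hasIdentity)       { $issues += 'gateway has no user-assigned identity' }
        if ($parts[0] -ne 'secrets') { $issues += 'not a /secrets/ URI' }
        if ($parts.Count -gt 2)      { $issues += 'pinned to one secret version' }
        [pscustomobject]@{
            Certificate = $c.Name
            Vault       = $uri.Host
            Issues      = $issues -join '; '
        }
    }
}

$gw = [pscustomobject]@{
    Name     = 'myappgateway'
    Identity = $null     # reproduces the state behind the error shown above
    SslCertificates = @(
        [pscustomobject]@{ Name = 'contoso-cert'
            KeyVaultSecretId = 'https://mykeyvault.vault.azure.net/secrets/contoso-cert/0123456789abcdef' }
        [pscustomobject]@{ Name = 'inline-pfx'; KeyVaultSecretId = $null }
    )
}
Test-AppGwKeyVaultCert -Gateway $gw | Format-List
```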
I want to modify the IIS Web application Handler mappings permissions.
I did this manually like below.
Open IIS, Site/Web application, clicked Handler Mappings, in Actions clicked “Edit Feature Permissions”, then uncheck/check the Script.
I want to automate this using PowerShell.
I can read the permission status using the below code.
Get-WebConfigurationProperty -Filter /system.webServer/handlers -Name accessPolicy -PSPath IIS:\ -Location 'Default Web Site/WebApplication'
I tried the same way to modify the permission using the below code, but this is not working. Could anyone please let me know what I did wrong here?
Set-WebConfigurationProperty -Filter /system.webServer/handlers -Name accessPolicy -Value "Script" -PSPath IIS:\ -Location 'Default Web Site/WebApplication' -Force
I think you're very close, but you're aiming for ISAPI-dll, not individual handlers. Here is the code for individual handlers (I'm still using ISAPI-dll as an example):
Set-WebConfiguration "/system.webServer/handlers/add[@name='ISAPI-dll']/@requireAccess" -Value "Execute" -PSPath "IIS:/sites/Default Web Site"
Here is the code to enable access for all handlers (including ISAPI-dll):
Set-WebConfiguration "/system.webServer/handlers/@AccessPolicy" -Value "Read, Script, Execute"
Leave the -PSPath part out to do it at the server level.
Remove "Execute" to disable ISAPI-dll.
Also, this link may serve as a useful reference.