Infrastructure Setup¶
One-Click Deployment¶
Deploy all lab infrastructure with a single click:
Deploy to Azure Button
After pushing this repository to GitHub, update the URL above with your actual GitHub organization/username. The button opens the Azure Portal with the Bicep template pre-loaded.
Alternative: Deploy via CLI¶
Prerequisites¶
| Requirement | Version | Install Link |
|---|---|---|
| Azure CLI | 2.60+ | Install |
| PowerShell | 7.0+ | Install |
| Bicep CLI | Included with Azure CLI | โ |
| Azure Subscription | Contributor access | โ |
Step 1: Login to Azure¶
Step 2: Deploy Infrastructure¶
Script: deploy.ps1
Deployment Time
The deployment takes approximately 15-25 minutes. All outputs are saved to .lab-outputs.json.
Step 3: Verify Deployment¶
You should see:
| Resource Type | Name |
|---|---|
| Virtual Network | waf-workshop-vnet |
| Public IP Address | waf-workshop-appgw-pip |
| Application Gateway | waf-workshop-appgw |
| WAF Policy | waf-workshop-appgw-waf-policy |
| App Service Plan | waf-workshop-asp |
| Web App (x2) | waf-workshop-web1-xxx, waf-workshop-web2-xxx |
| Front Door Profile | waf-workshop-fd-xxx |
| Front Door WAF Policy | waf-workshop-fd-waf-policy |
| Traffic Controller (AGC) | waf-workshop-agc |
| Log Analytics Workspace | waf-workshop-law |
Step 4: Test Connectivity¶
# Get Application Gateway URL
$appgwFqdn = az network public-ip show -g rg-waf-workshop `
-n waf-workshop-appgw-pip --query dnsSettings.fqdn -o tsv
# Test
curl "http://$appgwFqdn"
You should see a response from one of the backend web apps.
Pre-populate WAF Logs¶
Run Before Lab 03
The analysis labs require WAF log data. Run the traffic simulator before starting Lab 03.
Generate Traffic Against Application Gateway¶
Script: simulate-waf-traffic.ps1
cd scripts/
.\simulate-waf-traffic.ps1 `
-TargetUrl "http://<your-appgw-fqdn>" `
-DurationMinutes 15 `
-RequestsPerSecond 3 `
-AttackRatio 30
Generate Traffic Against Front Door¶
Open a second terminal and run simultaneously:
.\simulate-waf-traffic.ps1 `
-TargetUrl "https://<your-fd-endpoint>.azurefd.net" `
-DurationMinutes 15 `
-RequestsPerSecond 3 `
-AttackRatio 30
Log Ingestion Delay
WAF logs take 5-10 minutes to appear in Log Analytics after traffic is generated.
Verify Logs Are Available¶
Navigate to Log Analytics workspace โ Logs and run:
AzureDiagnostics
| where Category == "ApplicationGatewayFirewallLog"
| where TimeGenerated > ago(30m)
| count
You should see 500+ events before starting the analysis labs.
Architecture Diagram¶
graph TB
Internet((Internet)) --> AppGW[Application Gateway<br/>WAF v2]
Internet --> FD[Front Door<br/>Premium]
AppGW --> Web1[Web App 1]
AppGW --> Web2[Web App 2]
FD --> Web1
FD --> Web2
AppGW -.-> LAW[Log Analytics<br/>Workspace]
FD -.-> LAW
AGC[AGC<br/>Containers] -.-> LAW
LAW -.-> Sentinel[Microsoft Sentinel]
LAW -.-> Copilot[Copilot for Security]
subgraph "Resource Group: rg-waf-workshop"
AppGW
FD
Web1
Web2
AGC
LAW
end
style AppGW fill:#0078D4,color:white
style FD fill:#0078D4,color:white
style LAW fill:#107C10,color:white
style Sentinel fill:#FFB900,color:black
style Copilot fill:#FFB900,color:black
Cost Estimate¶
| Resource | Pricing Model | Approximate Cost/Day |
|---|---|---|
| Application Gateway WAF v2 | $0.443/hour (base) + capacity units | ~$11 |
| Front Door Premium | $330/month base | ~$11 |
| App Service Plan (B1 Linux) | $13.14/month | ~$0.50 |
| Log Analytics (PerGB2018) | $2.76/GB ingested | ~$1-3 |
| Public IPs (Standard) | $0.005/hour | ~$0.12 |
| AGC Traffic Controller | Usage-based | ~$1-2 |
| Total | ~$25-30/day |
Source: Application Gateway Pricing ยท Front Door Pricing ยท Azure Pricing Calculator
Remember to Clean Up!
These resources cost ~$750-900/month if left running. Always delete when finished: