Sample Configuration File

To help you get started, the GitHub repository contains a sample configuration file named appgw-sample.xml that includes the following rules/objects:
  • Address objects—Two address objects, firewall-untrust-IP and internal-load-balancer-IP. You need to modify these address objects to match your setup, using the private IP addresses assigned to eth1-VM-Series0 and eth1-VM-Series1 on the Azure portal.
  • Static route—The default virtual router on the firewall has a static route to 192.168.1.1, and this IP address is accurate if you use the default template values. If you have changed the Untrust subnet CIDR, you’ll need to update the IP address to match your setup. All traffic coming from the backend web servers, destined for the application gateway, uses this IP address as the next hop for delivering packets to the untrust interface on the firewall.
  • NAT Policy Rule—The NAT policy rule enables destination NAT and source NAT.
    • The destination NAT rule is for all traffic that arrives on the firewall’s untrust interface (ethernet1/2), which is the firewall-untrust-IP address object. This rule translates the destination IP address on the packet to that of the internal load balancer so that all traffic is directed to the internal load balancer and thus to the backend web servers.
    • The source NAT rule is for all traffic from the backend web servers that is destined for the untrust network interface on the firewall. This rule translates the source address to the IP address of the trust interface on the firewall (ethernet1/2).
  • Security Policy Rule—Two Security policy rules are defined in the sample configuration file. The first rule allows all inbound web-browsing traffic and generates a log at the start of a session on the firewall. The second rule blocks all other traffic and generates a log at the start and end of a session on the firewall. You can use these logs to monitor all traffic to the web servers in this deployment.
  • Administrative User Credentials—The sample configuration file includes a username and password for logging in to the firewall, set to pandemo/demopassword. After you import the sample configuration, you must either change the password to a strong, custom password or create a new administrator account and delete the pandemo account.
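
The items above that need changing can be checked against an exported configuration before the firewall goes into service. The script below is an added example, not part of the repository or the original page. The audit function, the XML element layout, and every IP address other than 192.168.1.1 are assumptions made for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample, modeled on the general PAN-OS config layout (assumption);
# the real appgw-sample.xml may nest these elements differently.
SAMPLE = """<config>
  <mgt-config><users>
    <entry name="pandemo"><phash>CONSTRUCTED-HASH</phash></entry>
  </users></mgt-config>
  <devices><entry name="localhost.localdomain">
    <network><virtual-router><entry name="default"><routing-table><ip><static-route>
      <entry name="default-route"><nexthop><ip-address>192.168.1.1</ip-address></nexthop></entry>
    </static-route></ip></routing-table></entry></virtual-router></network>
    <vsys><entry name="vsys1"><address>
      <entry name="firewall-untrust-IP"><ip-netmask>192.168.1.4</ip-netmask></entry>
      <entry name="internal-load-balancer-IP"><ip-netmask>192.168.3.6</ip-netmask></entry>
    </address></entry></vsys>
  </entry></devices>
</config>"""

def audit(xml_text, expected_addrs, untrust_cidr, default_user="pandemo"):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []
    # 1. The sample administrator account should not survive the import unchanged.
    users = {e.get("name") for e in root.iterfind(".//mgt-config/users/entry")}
    if default_user in users:
        findings.append(f"account '{default_user}' present: change its password or delete it")
    # 2. Address objects must carry the private IPs shown on the Azure portal.
    addrs = {e.get("name"): (e.findtext("ip-netmask") or "").split("/")[0]
             for e in root.iterfind(".//address/entry")}
    for name, want in expected_addrs.items():
        if addrs.get(name) != want:
            findings.append(f"address object {name} is {addrs.get(name)}, expected {want}")
    # 3. Static-route next hops must fall inside the Untrust subnet CIDR.
    net = ipaddress.ip_network(untrust_cidr)
    for hop in root.iterfind(".//static-route/entry/nexthop/ip-address"):
        if ipaddress.ip_address(hop.text.strip()) not in net:
            findings.append(f"static route next hop {hop.text} is outside {untrust_cidr}")
    return findings

if __name__ == "__main__":
    # Deployment with a changed Untrust subnet (constructed values).
    mine = {"firewall-untrust-IP": "10.0.1.4", "internal-load-balancer-IP": "192.168.3.6"}
    for finding in audit(SAMPLE, mine, "10.0.1.0/24"):
        print("FINDING:", finding)
```

The account check only detects that pandemo still exists; it cannot tell whether its password was changed, so treat that finding as a prompt to confirm.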
