Automate Stop and Start of Azure Application Gateway


In this article, I will show you how to automate the stop and start of Azure Application Gateway with the new Az PowerShell module, so you can schedule it to run based on your needs and save money.

Introduction

Azure Application Gateway manages the requests that client applications can send to a web app. Application Gateway routes traffic to a pool of web servers based on the URL of a request. This is known as application-layer routing. The pool of web servers can be Azure virtual machines, Azure virtual machine scale sets, Azure App Service, and even on-premises servers.

The web application firewall (WAF) is an optional component of the Application Gateway that handles incoming requests before they reach a listener. The web application firewall checks each request for many common threats, based on the Open Web Application Security Project (OWASP). These include SQL injection, cross-site scripting, command injection, HTTP request smuggling, HTTP response splitting, remote file inclusion, bots, crawlers, and scanners, and HTTP protocol violations and anomalies. WAF is enabled on your Application Gateway by selecting the WAF tier when you create a gateway.

Microsoft charges for application gateways based on the amount of time (per hour) that the gateway is provisioned and available, as well as the amount of data processed by the application gateways. Additionally, the pricing model of the Application Gateway v2 SKU is driven by consumption and is no longer attached to instance counts or sizes. The v2 SKU pricing has two components: a fixed price per hour or partial hour, and a Capacity Unit price, which is a consumption-based cost charged in addition to the fixed cost. As you can see, the price could go up very quickly.

For detailed information regarding the price of Application Gateway v2 for Standard and Web Application Firewall, please see the official pricing page here.

What if you have an application that does not need to be available 24/7, or you want to test your web application with Application Gateway before you put it in production, and you are on a limited budget? Can you save costs?

The answer is YES!

Prerequisites

To follow this article, you need to have the following:

  1. Azure subscription – If you don’t have an Azure subscription, you can create a free one here.
  2. Static public IP address with Standard SKU – you can create a new public IP by running the following Azure CLI command: az network public-ip create -n pip-agw-v2 -g resourceGroupName --allocation-method Static --sku Standard
  3. Application Gateway v2 up and running (Standard or WAF) – If you don’t have an Application Gateway, you can follow the step by step guide and create one here.

Create an Azure Automation Account

First, I need to create an Azure Automation resource with a Run As Account. Run As accounts in Azure Automation are used to provide authentication for managing resources in Azure with the Azure cmdlets. When you create a Run As Account, it creates a new service principal in Azure Active Directory and assigns the Contributor role to it at the subscription level. If you want to limit that, it makes sense to look into changing the RBAC settings for the subscription or resource groups. Also, every user who has access to the Automation Account can use this Azure Run As Account.

Open the Azure portal and click All services in the upper left-hand corner. In the list of resources, type Automation. As you begin typing, the list filters based on your input. Select Automation Accounts. Click +Add.

Select the desired Subscription, Resource group, and the Location for the automation account and then click ‘Create’.
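One way to limit the Run As service principal as suggested above, shown as an added example that is not part of the original article: replace the subscription-level Contributor assignment with a custom role on the gateway's resource group. The role name, the placeholder values and the three-action permission list are assumptions to validate in your own tenant.

```powershell
# Added example, not the author's code. Requires Az.Resources and an account that
# may manage role definitions and assignments. All values below are placeholders.
$SubscriptionId = '<subscription-id>'
$rgName         = '<resource-group-of-the-gateway>'
$RunAsAppId     = '<ApplicationId of the AzureRunAsConnection>'
$RoleName       = 'Application Gateway Operator'   # hypothetical custom role name

Set-AzContext -SubscriptionId $SubscriptionId | Out-Null
$subScope = "/subscriptions/$SubscriptionId"
$rgScope  = "$subScope/resourceGroups/$rgName"

# Build a custom role by cloning a built-in one and replacing its permissions.
$role = Get-AzRoleDefinition -Name 'Reader'
$role.Id          = $null
$role.IsCustom    = $true
$role.Name        = $RoleName
$role.Description = 'Read, start and stop Application Gateways only.'
$role.Actions.Clear()
# Assumed minimum for Get-/Stop-/Start-AzApplicationGateway; confirm in the Test pane.
$role.Actions.Add('Microsoft.Network/applicationGateways/read')
$role.Actions.Add('Microsoft.Network/applicationGateways/start/action')
$role.Actions.Add('Microsoft.Network/applicationGateways/stop/action')
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add($rgScope)
$created = New-AzRoleDefinition -Role $role   # may take a few minutes to propagate

# Grant the narrow role on the resource group first, then drop the broad one.
$sp = Get-AzADServicePrincipal -ApplicationId $RunAsAppId
New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionId $created.Id -Scope $rgScope | Out-Null
Remove-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Contributor' -Scope $subScope

# Review what the service principal can still reach.
Get-AzRoleAssignment -ObjectId $sp.Id | Select-Object RoleDefinitionName, Scope
```

Run it once from an administrative session, not from the Runbook itself, and re-test both Runbooks afterwards.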

Import Az Modules from Gallery

In the next step, you need to import the required Az PowerShell modules from the Modules gallery.

In your list of Automation Accounts, select the account that you created in the previous step. Select the Modules gallery under the Shared Resources section.

Then you need to import the following modules from the Modules gallery in the order given below:

  1. Az.Accounts
  2. Az.Network
  3. Az.Automation

The Az Automation and Az Network modules are dependent on Az Accounts, so make sure that Az Accounts module is imported first.

Create PowerShell Runbooks

In this step, you can create multiple Runbooks based on which set of Azure Application Gateways you want to automate. PowerShell Runbooks are based on PowerShell. You directly edit the code of the Runbook using the text editor in the Azure portal. You can also use any offline text editor and import the Runbook into Azure Automation.

In this example, I will create two Runbooks of type PowerShell: the first Runbook is to ‘Stop’ and the second one is to ‘Start’ the Application Gateway for a specific Subscription / Resource Group.

You can create as many Runbooks as you want based on your scenario.

Edit The Runbook

Once you have the Runbook created, you need to Edit the Runbook, then write or add the script to choose which Azure Application Gateway you want to manage. Of course, you can be creative and automate other components as well.

As I mentioned earlier, in this example, I want to stop my application gateway at night and then start it in the morning until the development of my web application is completed. The script is as follows:

<# 
.DESCRIPTION
A Runbook example that stops an Azure Application Gateway in a specific Azure subscription using the Run As Account (Service Principal in Azure AD)

.NOTES
Filename : Stop-AzApplicationGateway
Author   : Charbel Nemnom
Version  : 1.0
Date     : 27-August-2020
Updated  : 28-August-2020

.LINK
To provide feedback or for further assistance please visit:
https://charbelnemnom.com
#>

Param (
    [Parameter(Mandatory = $true)] [ValidateNotNullOrEmpty()]
    [String] $AzureSubscriptionId,

    [Parameter(Mandatory = $true)][ValidateNotNullOrEmpty()]
    [String] $rgName,

    [Parameter(Mandatory = $true)][ValidateNotNullOrEmpty()]
    [String] $ApplicationGateway
)

$connectionName = "AzureRunAsConnection"

Try {
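    # Get the connection "AzureRunAsConnection". Inside a Runbook, use the built-in
    # Get-AutomationConnection; Get-AzAutomationConnection needs an authenticated session
    # plus -ResourceGroupName and -AutomationAccountName.
    $servicePrincipalConnection = Get-AutomationConnection -Name $connectionName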
    Write-Output "Logging in to Azure..."
    Connect-AzAccount -ServicePrincipal `
         -TenantId $servicePrincipalConnection.TenantId `
         -ApplicationId $servicePrincipalConnection.ApplicationId `
         -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
     }
Catch {
    If (!$servicePrincipalConnection) {
        $ErrorMessage = "Connection $connectionName not found..."
        throw $ErrorMessage
     }
    Else {
        Write-Error -Message $_.Exception
        throw $_.Exception
    }
}

Set-AzContext -SubscriptionId $AzureSubscriptionId

$agw = Get-AzApplicationGateway -name $ApplicationGateway -ResourceGroupName $rgName
Stop-AzApplicationGateway -ApplicationGateway $agw

Write-Output ("")

This script will stop the Application Gateway (Stop-AzApplicationGateway). The second Runbook is exactly the same except that it will start the Application Gateway (Start-AzApplicationGateway).

Save the script in the CMDLETS pane as shown in the figure below.

Then test the script using “Test Pane” to verify it’s working as intended before you publish it.

Once the test is completed, publish the Runbook by clicking on ‘Publish’.

Now you want to repeat the same steps as described here to create the second Runbook to ‘Start’ the application gateway.

Schedule the Runbook

In the final step, you need to schedule the Runbook to run based on your desired runtime schedule.

Within the same Runbook that you created in the previous step, select Schedules and then click + Add schedule.

So, if you need to schedule a daily stop, create a new schedule with a daily recurrence.

While scheduling the Runbook, you can pass on the required parameters for the PowerShell script. In my example, I need to specify the Azure Subscription ID, Resource Group Name, and Application Gateway Name. Once done, click OK.

Now you want to repeat the same steps as described here to schedule the second Runbook to ‘Start’ the application gateway based on your desired schedule.

Monitor the Runbook

You can monitor the success or failure of these Runbooks using the ‘Jobs’ tab under ‘Process Automation’. In my example, the ‘Stop’ Runbook completed successfully on August 27, 2020, @ 8:00 PM, and the ‘Start’ Runbook completed on August 28, 2020, @ 7:00 AM.

That’s it, there you have it!
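A job can show as completed in the Jobs tab even when a cmdlet only wrote a non-terminating error, so the status is most useful when the Runbook itself verifies the result. The following added example (not the author's code) is a hypothetical replacement for the last lines of the Runbook: it assumes the session is already authenticated, reuses the Runbook's $rgName and $ApplicationGateway parameters, and fails the job if the gateway did not reach the expected state.

```powershell
# Added example, not the author's code. Place after Set-AzContext in the Runbook.
$ErrorActionPreference = 'Stop'   # turn non-terminating cmdlet errors into job failures

function Set-AppGatewayState {    # hypothetical helper name
    param (
        [Parameter(Mandatory = $true)][String] $ResourceGroupName,
        [Parameter(Mandatory = $true)][String] $Name,
        [Parameter(Mandatory = $true)][ValidateSet('Stop', 'Start')][String] $Action
    )

    $target = if ($Action -eq 'Stop') { 'Stopped' } else { 'Running' }
    $agw = Get-AzApplicationGateway -Name $Name -ResourceGroupName $ResourceGroupName

    # Idempotent: a schedule that fires twice should not be reported as an error.
    if ($agw.OperationalState -eq $target) {
        Write-Output "$Name is already $target; nothing to do."
        return
    }

    if ($Action -eq 'Stop') {
        Stop-AzApplicationGateway -ApplicationGateway $agw | Out-Null
    }
    else {
        Start-AzApplicationGateway -ApplicationGateway $agw | Out-Null
    }

    # Re-read the resource instead of trusting the cmdlet's return value.
    $agw = Get-AzApplicationGateway -Name $Name -ResourceGroupName $ResourceGroupName
    if ($agw.OperationalState -ne $target) {
        # A terminating error marks the job as Failed in the Jobs tab.
        throw "$Name is '$($agw.OperationalState)' after $Action, expected '$target'."
    }
    Write-Output "$Name is now $target."
}

Set-AppGatewayState -ResourceGroupName $rgName -Name $ApplicationGateway -Action Stop
```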

Can I use Azure CLI?

Yes, you can use Azure CLI to stop and start the Application Gateway.

For example, you can either install the latest Azure CLI version 2.10.1 on your machine, or jump over to the Cloud Shell (https://shell.azure.com), or use the Azure Cloud Shell Connector in Windows Terminal.

Log in to Azure and set the desired subscription by running the following commands:

#! Login to Azure
az login
az account set --subscription "Subscription-ID-Here"
$rgname = "ResourceGroupName"
$appgw = "AppGatewayName"
#! Show current status
az network application-gateway show -g $rgname -n $appgw -o table
#! Stop Application Gateway with Azure CLI
az network application-gateway stop -g $rgname -n $appgw
#! Start Application Gateway with Azure CLI
az network application-gateway start -g $rgname -n $appgw

As a side note, running Runbooks with Azure CLI is not supported yet in Azure Automation, please add your vote here.

Summary

In this article, I showed you how to schedule and automate the stop and start of the Azure Application Gateway using PowerShell and Azure CLI so you can schedule it based on your needs and save costs.

Azure Application Gateway provides an application delivery controller (ADC) as a service. It offers various layer 7 load-balancing capabilities for your applications. This service is highly available, scalable, and fully managed by Azure. To learn more about Application Gateway, see What is Azure Application Gateway?

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-
