Azure Secure Application Gateway - WAF Policy
Updated
May 15, 2025
Azure, Application Gateway, WAF, Key Vault, NSG, Virtual Network, Security, SSL, HTTPS, App Service, Certificate, Identity
## Description
This solution deploys a secure Azure Application Gateway with an integrated Web Application Firewall that blocks common web attacks using the OWASP rule set.
SSL/TLS certificates are centrally managed in Azure Key Vault and retrieved by the Application Gateway through a user-assigned managed identity, so no certificate credentials are stored in the gateway configuration.
The entire setup is hosted in isolated virtual networks with strict network security rules, delivering a scalable, highly available platform that meets modern security standards.
**N.B:**
- The Terraform code is automatically generated with best practices and contains variables that you can customize to fit your needs.
- You have full control to change, add, or delete resources and their configuration; the newly generated code will reflect these changes.
- You can replace some resources with Terraform modules.
> terraform apply status: successful
## Architecture components
| **Component** | **Description** |
|--------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Resource Group** | Container for all deployed resources. |
| **Virtual Networks (VNets)** | Separate VNets for the Application Gateway and App Service, ensuring network isolation. |
| **Subnets** | Dedicated subnets for the Application Gateway (with a Key Vault service endpoint) and for the App Service (delegated to App Service for VNet integration). |
| **Application Gateway** | Secure load balancing and SSL/TLS termination point, integrated with a Web Application Firewall (WAF) for enhanced protection. |
| **Web Application Firewall (WAF)** | Integrated into the Application Gateway to block common attacks using OWASP rules and custom policies. |
| **Azure Key Vault** | Securely stores SSL certificates and secrets; access is restricted via firewall rules and managed identities. |
| **User-Assigned Managed Identity** | Grants the Application Gateway secure, role-based access to Key Vault without exposing credentials. |
| **Private Endpoint & DNS** | Provides private connectivity to Key Vault, ensuring that access remains within the Azure network and reducing exposure to the public internet. |
| **Azure App Service** | Hosts the web application; integrated with the Application Gateway for seamless delivery of content. |
| **Network Security Groups (NSGs)** | Enforce strict inbound/outbound traffic rules on subnets to protect resources from unauthorized access. |
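The Terraform below is an added example, not the template's generated code, showing how the components in the table fit together on the security side: a WAF policy in Prevention mode, a Key Vault that uses RBAC and denies all traffic except from the gateway subnet and the office range, a user-assigned identity whose only right on the vault is to read secrets, and the PFX import that the gateway will later reference by secret id. It assumes azurerm >= 4.17, an existing resource group and gateway subnet (carrying the `Microsoft.KeyVault` service endpoint) passed in as variables, that `terraform apply` runs from within `office_ip`, and that `path`, `cert_pwd` and `ssl_certificate_name` follow the variable table further down; all resource names are constructed placeholders.

```hcl
# Added example, not the template's generated code. Assumed inputs: an existing
# resource group and gateway subnet, a PFX on disk at "<path>/<ssl_certificate_name>.pfx",
# and that this configuration is applied from inside the office_ip range.
variable "prefix_name" { type = string }
variable "location" { type = string }
variable "resource_group_name" { type = string }
variable "appgw_subnet_id" { type = string } # subnet must carry the Microsoft.KeyVault service endpoint
variable "office_ip" { type = string }       # CIDR admitted through the vault firewall
variable "path" { type = string }            # directory holding the PFX file
variable "ssl_certificate_name" { type = string }
variable "cert_pwd" {
  type      = string
  sensitive = true
}

data "azurerm_client_config" "current" {}

# WAF policy: OWASP CRS 3.2 in blocking mode, with request-body inspection on.
resource "azurerm_web_application_firewall_policy" "waf" {
  name                = "${var.prefix_name}-wafpolicy"
  resource_group_name = var.resource_group_name
  location            = var.location

  policy_settings {
    enabled                     = true
    mode                        = "Prevention" # use "Detection" while tuning false positives
    request_body_check          = true
    max_request_body_size_in_kb = 128
  }

  managed_rules {
    managed_rule_set {
      type    = "OWASP"
      version = "3.2"
    }
  }
}

# Key Vault: RBAC instead of access policies, firewall closed by default.
resource "azurerm_key_vault" "kv" {
  name                       = "${var.prefix_name}-kv" # 3-24 chars, globally unique
  location                   = var.location
  resource_group_name        = var.resource_group_name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  rbac_authorization_enabled = true
  purge_protection_enabled   = true # certificates cannot be purged while this is set

  network_acls {
    default_action             = "Deny"
    bypass                     = "AzureServices" # lets the gateway control plane fetch the certificate
    ip_rules                   = [var.office_ip]
    virtual_network_subnet_ids = [var.appgw_subnet_id]
  }
}

# The principal running terraform needs write access to import the certificate...
resource "azurerm_role_assignment" "deployer_certs_officer" {
  scope                = azurerm_key_vault.kv.id
  role_definition_name = "Key Vault Certificates Officer"
  principal_id         = data.azurerm_client_config.current.object_id
}

# ...while the gateway's identity gets read-only access to secrets and nothing more.
resource "azurerm_user_assigned_identity" "appgw" {
  name                = "${var.prefix_name}-id-appgw"
  location            = var.location
  resource_group_name = var.resource_group_name
}

resource "azurerm_role_assignment" "appgw_secrets_user" {
  scope                = azurerm_key_vault.kv.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_user_assigned_identity.appgw.principal_id
}

# The PFX is imported once; the gateway resource later holds only a reference to it.
resource "azurerm_key_vault_certificate" "ssl" {
  name         = var.ssl_certificate_name
  key_vault_id = azurerm_key_vault.kv.id

  certificate {
    contents = filebase64("${var.path}/${var.ssl_certificate_name}.pfx")
    password = var.cert_pwd
  }

  depends_on = [azurerm_role_assignment.deployer_certs_officer]
}

output "waf_policy_id" { value = azurerm_web_application_firewall_policy.waf.id }
output "appgw_identity_id" { value = azurerm_user_assigned_identity.appgw.id }
# Versionless id: the gateway picks up renewed certificate versions without a redeploy.
output "ssl_cert_secret_id" { value = azurerm_key_vault_certificate.ssl.versionless_secret_id }
```

Two design points worth checking in a review: `default_action = "Deny"` on the vault means the import fails unless the applying principal is inside `office_ip` or the subnet list, and the `Key Vault Secrets User` role (not `Certificates Officer`) is what the gateway needs, because Application Gateway reads the certificate through its secret representation.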
## Requirements
| Name | Configuration |
| --- | --- |
| Terraform | all versions |
| Provider | Azure |
| Provider version | >= 4.17 |
| Access | Admin access |
## How to use the architecture
Clone the architecture and modify the following variables according to your needs:
| **Variable** | **Description** |
|-----------------------------------|---------------------------------------------------------------------------------------------------------------|
| backend_address_pool_name | Name of the backend address pool for the Application Gateway. |
| cert_pwd | Password for the SSL certificate (PFX) file. |
| env | Environment identifier (e.g., dev, prod). |
| frontend_ip_configuration_name | Name of the frontend IP configuration for the Application Gateway. |
| frontend_port_name_http | Name of the HTTP frontend port for the Application Gateway. |
| frontend_port_name_https | Name of the HTTPS frontend port for the Application Gateway. |
| http_setting_name | Name of the HTTP settings for backend communication. |
| https_settings_name | Name of the HTTPS settings for backend communication. |
| listener_name_http | Name of the HTTP listener on the Application Gateway. |
| listener_name_https | Name of the HTTPS listener on the Application Gateway. |
| location | Azure region where the resources are deployed. |
| office_ip | Office IP address range for access control. |
| path | File path or deployment path as required. |
| prefix_name | Common prefix to be used for naming resources. |
| privatednszonekv_name | Name of the private DNS zone used for Key Vault private link resolution. |
| probe_name | Name of the health probe for the Application Gateway. |
| projet_name | Project name identifier. |
| redirect_configuration_name | Name of the redirect configuration for the Application Gateway. |
| repo_branch | Git branch used for source control integration. |
| repo_url | URL of the Git repository for the web application source code. |
| request_routing_rule_name_http | Name of the request routing rule for HTTP traffic. |
| request_routing_rule_name_https | Name of the request routing rule for HTTPS traffic. |
| snet_appgw_adress_space | Address space for the subnet dedicated to the Application Gateway. |
| snet_apps_adress_space | Address space for the subnet hosting the App Service. |
| snet_pep_adress_space | Address space for the subnet used by the Private Endpoint. |
| ssl_certificate_name | Name (or file name) of the SSL certificate (PFX file) used for HTTPS termination. |
| tags | Map of tags applied to all resources for organization and management. |
| vnet_appgw_adress_space | Address space for the virtual network that hosts the Application Gateway. |
| vnet_apps_adress_space | Address space for the virtual network that hosts the App Service. |
**N.B:**
- Feel free to remove the resources that are not relevant to your use-case.
- Some variables have default values; change them if they do not fit your deployment.
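As an added example (not the template's generated code), the Application Gateway resource below consumes the WAF policy, the managed identity and the Key Vault certificate by id and uses the naming variables from the table above for its listener, pool, settings and routing rule. It assumes azurerm >= 4.17 and that `waf_policy_id`, `appgw_identity_id`, `ssl_cert_secret_id`, `appgw_subnet_id` and `backend_fqdn` are hypothetical inputs produced elsewhere in the deployment (for instance as outputs of the Key Vault and WAF configuration); the only new resource is the static public IP the gateway front end needs.

```hcl
# Added example, not the template's generated code. The *_id and backend_fqdn
# variables are assumed to come from the rest of the deployment.
variable "prefix_name" { type = string }
variable "location" { type = string }
variable "resource_group_name" { type = string }
variable "appgw_subnet_id" { type = string }
variable "waf_policy_id" { type = string }
variable "appgw_identity_id" { type = string }
variable "ssl_cert_secret_id" { type = string } # versionless Key Vault secret id of the PFX
variable "backend_fqdn" { type = string }       # e.g. the App Service default hostname
variable "ssl_certificate_name" { type = string }
variable "frontend_ip_configuration_name" { type = string }
variable "frontend_port_name_https" { type = string }
variable "listener_name_https" { type = string }
variable "backend_address_pool_name" { type = string }
variable "https_settings_name" { type = string }
variable "request_routing_rule_name_https" { type = string }

resource "azurerm_public_ip" "appgw" {
  name                = "${var.prefix_name}-pip-appgw"
  location            = var.location
  resource_group_name = var.resource_group_name
  allocation_method   = "Static"
  sku                 = "Standard" # required by the v2 SKUs
}

resource "azurerm_application_gateway" "appgw" {
  name                = "${var.prefix_name}-appgw"
  location            = var.location
  resource_group_name = var.resource_group_name
  firewall_policy_id  = var.waf_policy_id # the policy's mode and rules apply to every listener

  sku {
    name     = "WAF_v2"
    tier     = "WAF_v2"
    capacity = 2
  }

  # This identity is what Key Vault authorises; no certificate password is stored here.
  identity {
    type         = "UserAssigned"
    identity_ids = [var.appgw_identity_id]
  }

  gateway_ip_configuration {
    name      = "gw-ipcfg"
    subnet_id = var.appgw_subnet_id
  }

  frontend_ip_configuration {
    name                 = var.frontend_ip_configuration_name
    public_ip_address_id = azurerm_public_ip.appgw.id
  }

  frontend_port {
    name = var.frontend_port_name_https
    port = 443
  }

  # Reference by secret id: the gateway fetches the PFX itself using the identity above.
  ssl_certificate {
    name                = var.ssl_certificate_name
    key_vault_secret_id = var.ssl_cert_secret_id
  }

  backend_address_pool {
    name  = var.backend_address_pool_name
    fqdns = [var.backend_fqdn]
  }

  # Re-encrypt towards the backend so traffic stays TLS between gateway and App Service.
  backend_http_settings {
    name                                = var.https_settings_name
    protocol                            = "Https"
    port                                = 443
    cookie_based_affinity               = "Disabled"
    pick_host_name_from_backend_address = true
    request_timeout                     = 30
  }

  http_listener {
    name                           = var.listener_name_https
    frontend_ip_configuration_name = var.frontend_ip_configuration_name
    frontend_port_name             = var.frontend_port_name_https
    protocol                       = "Https"
    ssl_certificate_name           = var.ssl_certificate_name
  }

  request_routing_rule {
    name                       = var.request_routing_rule_name_https
    priority                   = 100 # required on v2 SKUs
    rule_type                  = "Basic"
    http_listener_name         = var.listener_name_https
    backend_address_pool_name  = var.backend_address_pool_name
    backend_http_settings_name = var.https_settings_name
  }
}
```

The HTTP listener, port 80 redirect and health probe named in the variable table are omitted here for brevity; if you add them, keep the redirect as the only thing the HTTP listener does, so the WAF and certificate settings above remain the single path to the backend.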
## Maintainer(s)
You can reach out to these maintainers if you need help or assistance:
- [Brainboard team](mailto:support@brainboard.co)