powershell – UseIT | Roman Levchenko

How to stop Azure Application Gateway

I often makes demo setups in my Azure subscription that has spending limits, so I have to gracefully shutdown all “hungry” resources to save some money such as VMs , Application Gateways and etc. To stop VMs, you can simply use the Azure Portal start/stop buttons, however, Azure Portal doesn’t allow you to stop application gateway. In such cases, Azure PowerShell helps.

Open the Azure Cloud Shell or local PowerShell with Az module installed and use the following:

# Get Azure Application Gateway
$appgw=Get-AzApplicationGateway -Name <appgw_name> -ResourceGroupName <rg_name>

# Stop the Azure Application Gateway
Stop-AzApplicationGateway -ApplicationGateway $appgw

# Start the Azure Application Gateway (optional)
Start-AzApplicationGateway -ApplicationGateway $appgw

Azure Portal updates the Application Gateway:

Azure Portal - Application Gateway Stopping

Verify the application gateway has stopped state. You will only billed for the public IP assigned to the stopped Application Gateway (saves money significantly):

Azure Portal - Stopped Azure Application Gateway

Start the application gateway (optional):

Azure Portal - Application Gateway Running State

Azure Policy: Deny HTTP listeners (Application Gateway)

Here is the second Azure Policy example in addition to the first one . The following policy is quiet simple and denies creation of HTTP listeners for Application Gateways, so only HTTPS Listeners are allowed:

#Version1
{
  "mode": "All",
  "policyRule": {
    "if": {
      "anyof": [
        {
          "not": {
            "field": "Microsoft.Network/applicationGateways/httpListeners[*].protocol",
            "notEquals": "Http"
          }
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}

#Version2
{
  "mode":"All"
  "policyRule": {
    "if": {

        "not": {

            "equals": "Https",

            "field": "Microsoft.Network/applicationGateways/httpListeners[*].protocol"

        }

    },

    "then": {

        "effect": "deny"

    }
},
"parameters": {}
}

To assign the policy by using PowerShell:

# Create the Policy Definition (Subscription scope)
$policyrules = "URI here"
$policyparams = "URI here (optional)"
$definition = New-AzPolicyDefinition -Name 'Deny HTTP Listeners' -Policy $policyrules  -Parameter $policyparams -Mode All

# Set the scope to a resource group; may also be a resource, subscription, or management group
$scope = Get-AzResourceGroup -Name 'mvphero'

# Create the Policy Assignment
New-AzPolicyAssignment -Name 'Deny HTTP Listeners' -DisplayName 'Deny Application Gateway HTTP Listeners' -Scope $scope.ResourceId -PolicyDefinition $definition

%d bloggers like this: