My notes on this service
Azure Application Gateway is a REGIONAL web traffic load balancer that enables you to manage traffic to your web applications.
Application Gateway routes traffic to a pool of web servers based on the URL of a request.
Traditional load balancers operate at the transport layer (OSI layer 4 - TCP and UDP) and route traffic based on source IP address and port, to a destination IP address and port.
Application Gateway can make routing decisions based on additional attributes of an HTTP request, for example URI path or host headers.
This type of routing is known as application layer (OSI layer 7) load balancing.
Azure provides a suite of fully managed load-balancing solutions for your scenarios.
If you are looking to do DNS based global routing and do not have requirements for Transport Layer Security (TLS) protocol termination ("SSL offload"), per-HTTP/HTTPS request or application-layer processing, review Traffic Manager.
If you need to optimize global routing of your web traffic and optimize top-tier end-user performance and reliability through quick global failover, see Front Door.
To do network layer load balancing, review Load Balancer.
Deployment of an Azure Application Gateway requires a dedicated subnet.
Azure Application Gateway offers a web application firewall (WAF) that provides centralized protection of your web applications from common exploits and vulnerabilities.
Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities.
SQL injection and cross-site scripting are among the most common attacks.
Application Gateway operates as an application delivery controller (ADC).
It offers Secure Sockets Layer (SSL) termination, cookie-based session affinity, round-robin load distribution, content-based routing, the ability to host multiple websites, and security enhancements.
Load Balancing
Understand Azure load balancing - Pay attention to the global vs regional use and the type of traffic.
The following table summarizes the Azure load balancing services by these categories:
| Service | Global/regional | Recommended traffic |
|---|---|---|
| Azure Front Door | Global | HTTP(S) |
| Traffic Manager | Global | non-HTTP(S) |
| Application Gateway | Regional | HTTP(S) |
| Azure Load Balancer | Regional | non-HTTP(S) |
SSL Termination
Tutorial: Configure an application gateway with TLS termination using the Azure portal
The following image shows how incoming traffic from a client to Application Gateway over SSL is decrypted and then re-encrypted when it's sent to a server in the backend pool.
The listener can use an SSL certificate to decrypt the traffic that enters the gateway.
The listener then uses a rule that you define to direct the incoming requests to a backend pool.
The backend pool has an HTTP setting that references a certificate used to authenticate the backend servers.
The gateway re-encrypts the traffic by using this certificate before sending it to one of your servers in the backend pool.
If you're using Azure App Service to host the backend application, you don't need to install any certificates in Application Gateway to connect to the backend pool.
All communications are automatically encrypted.
Application Gateway Routing
The gateway routes requests to a selected web server in the back-end pool, using a set of rules configured for the gateway to determine where the request should go.
There are two primary methods of routing traffic, path-based routing and multiple site hosting.
Path-based routing enables you to send requests with different paths in the URL to a different pool of back-end servers.
Multiple site hosting enables you to configure more than one web application on the same application gateway instance. In a multi-site configuration, you register multiple DNS names (CNAMEs) for the IP address of the Application Gateway, specifying the name of each site.
MultiSite Hosting
Multiple site hosting enables you to configure more than one web application on the same port of application gateways using public-facing listeners.
Up to 100+ websites can be added to one application gateway.
Each website can be directed to its own backend pool.
For example, three domains, http://contoso.com, http://fabrikam.com, and http://adatum.com, point to the IP address of the application gateway.
You'd create three multi-site listeners and configure each listener for the respective port and protocol setting.
You can also define wildcard host names in a multi-site listener.
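To make the layer-7 decision concrete for both the path-based routing and multi-site hosting sections above, here is an added example (not code from the original notes or from Azure) that simulates how a gateway picks a backend pool: first the multi-site listener is chosen from the Host header (exact host name before wildcard), then a URL path map selects the pool, falling back to the rule's default pool. The listener configuration, host names and pool names are constructed for illustration.

```python
from fnmatch import fnmatchcase
from typing import Optional

# Constructed configuration (not a real gateway): three multi-site listeners on one
# port, one with a wildcard host name. Each listener's rule either sends everything
# to a default pool (basic rule) or consults a URL path map (path-based routing).
LISTENERS = [
    {"host": "contoso.com",    "pool": "contoso-pool", "paths": {}},
    {"host": "*.fabrikam.com", "pool": "fabrikam-web",
     "paths": {"/images/*": "fabrikam-images", "/api/*": "fabrikam-api"}},
    {"host": "adatum.com",     "pool": "adatum-pool",  "paths": {}},
]

def select_listener(host: str) -> Optional[dict]:
    """Multi-site listener selection on the Host header. An exact host name wins
    over a wildcard one; None means no listener matched (the gateway rejects it)."""
    host = host.split(":")[0].lower()      # drop any port; host names are case-insensitive
    for listener in LISTENERS:
        if listener["host"] == host:
            return listener
    for listener in LISTENERS:
        # Simplification: fnmatch's '*' also spans dots, unlike a strict DNS label match.
        if "*" in listener["host"] and fnmatchcase(host, listener["host"]):
            return listener
    return None

def select_pool(host: str, path: str) -> Optional[str]:
    """Layer-7 decision: listener by host, then pool by URL path. The most specific
    (longest) matching path pattern wins; otherwise the rule's default pool is used."""
    listener = select_listener(host)
    if listener is None:
        return None
    best = None
    for pattern, pool in listener["paths"].items():
        if fnmatchcase(path, pattern) and (best is None or len(pattern) > len(best[0])):
            best = (pattern, pool)
    return best[1] if best else listener["pool"]

def route(request_line: str, host_header: str) -> Optional[str]:
    """Route a constructed HTTP request line such as 'GET /api/v1/x HTTP/1.1'."""
    _method, target, _version = request_line.split(" ", 2)
    path = target.split("?", 1)[0]          # the query string never affects path rules
    return select_pool(host_header, path)

if __name__ == "__main__":
    for line, host in [("GET /index.html HTTP/1.1", "contoso.com"),
                       ("GET /images/logo.png?v=2 HTTP/1.1", "www.fabrikam.com"),
                       ("GET /api/v1/orders HTTP/1.1", "shop.fabrikam.com"),
                       ("GET / HTTP/1.1", "unknown.example")]:
        print(f"{host}{line.split()[1]} -> {route(line, host)}")
```

The last request shows the contrast with a layer-4 balancer: with no listener for the host name, the gateway has nowhere to send it, whereas a TCP load balancer would forward it to the pool regardless of the Host header.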