
Intro

My notes on this service


Documentation


Tips and Tidbits

  • Azure Application Gateway is a REGIONAL web traffic load balancer that enables you to manage traffic to your web applications.

  • Application Gateway routes traffic to a pool of web servers based on the URL of a request.

  • Traditional load balancers operate at the transport layer (OSI layer 4 - TCP and UDP) and route traffic based on source IP address and port, to a destination IP address and port.

  • Application Gateway can make routing decisions based on additional attributes of an HTTP request, for example URI path or host headers.

  • This type of routing is known as application layer (OSI layer 7) load balancing.

Azure provides a suite of fully managed load-balancing solutions for your scenarios.

  • If you are looking to do DNS based global routing and do not have requirements for Transport Layer Security (TLS) protocol termination ("SSL offload"), per-HTTP/HTTPS request or application-layer processing, review Traffic Manager.

  • If you need to optimize global routing of your web traffic and optimize top-tier end-user performance and reliability through quick global failover, see Front Door.

  • To do network layer load balancing, review Load Balancer.

  • Deployment of an Azure Application Gateway requires a dedicated subnet.

  • Azure Application Gateway offers a web application firewall (WAF) that provides centralized protection of your web applications from common exploits and vulnerabilities.

    • Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities.

    • SQL injection and cross-site scripting are among the most common attacks.

  • Application Gateway operates as an application delivery controller (ADC).

    • It offers Secure Sockets Layer (SSL) termination, cookie-based session affinity, round-robin load distribution, content-based routing, the ability to host multiple websites, and security enhancements.
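As an added example (my own, not from these notes or from Microsoft's documentation), here is a Bicep WAF policy for Application Gateway v2 that enforces the managed OWASP Core Rule Set, the rule set that covers the SQL injection and cross-site scripting classes mentioned above. The policy name, the cookie name used in the exclusion and the API version are assumptions; the policy is attached to a gateway through the gateway's firewallPolicy property.

```bicep
// Added example, not from the original notes: a WAF policy that runs the
// managed OWASP rule set in Prevention mode. Names below are assumptions.
param location string = resourceGroup().location
param policyName string = 'contoso-appgw-waf'

resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2023-09-01' = {
  name: policyName
  location: location
  properties: {
    policySettings: {
      state: 'Enabled'
      // Detection only logs matches; Prevention blocks them. Run in Detection
      // first, review the WAF logs, then switch to Prevention.
      mode: 'Prevention'
      requestBodyCheck: true
      maxRequestBodySizeInKb: 128
      fileUploadLimitInMb: 100
    }
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'OWASP'
          ruleSetVersion: '3.2'
        }
      ]
      // An exclusion narrows a false positive to one field instead of disabling
      // a rule: the value of the (assumed) sessionToken cookie is not inspected
      // by the SQL injection rule group, everything else still is.
      exclusions: [
        {
          matchVariable: 'RequestCookieNames'
          selectorMatchOperator: 'Equals'
          selector: 'sessionToken'
          exclusionManagedRuleSets: [
            {
              ruleSetType: 'OWASP'
              ruleSetVersion: '3.2'
              ruleGroups: [ { ruleGroupName: 'REQUEST-942-APPLICATION-ATTACK-SQLI' } ]
            }
          ]
        }
      ]
    }
  }
}

// Pass this ID to the gateway's firewallPolicy property
output wafPolicyId string = wafPolicy.id
```

Keeping the policy as its own resource (rather than the legacy per-gateway webApplicationFirewallConfiguration) lets one tuned policy be shared by several gateways or listeners, and the exclusion pattern is how a random token that trips the SQLi heuristics gets handled without turning the rule group off.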


Load Balancing

  • Understand Azure load balancing - Pay attention to global vs. regional scope and the type of traffic each service is recommended for.

  • The following table summarizes the Azure load balancing services by these categories:

    Service               Global/regional   Recommended traffic
    Azure Front Door      Global            HTTP(S)
    Traffic Manager       Global            non-HTTP(S)
    Application Gateway   Regional          HTTP(S)
    Azure Load Balancer   Regional          non-HTTP(S)


SSL Termination

Tutorial: Configure an application gateway with TLS termination using the Azure portal

The following image shows how incoming traffic from a client to Application Gateway over SSL is decrypted and then re-encrypted when it's sent to a server in the backend pool.

  • The listener can use an SSL certificate to decrypt the traffic that enters the gateway.

    • The listener then uses a rule that you define to direct the incoming requests to a backend pool.

  • The backend pool has an HTTP setting that references a certificate used to authenticate the backend servers.

    • The gateway re-encrypts the traffic by using this certificate before sending it to one of your servers in the backend pool.

  • If you're using Azure App Service to host the backend application, you don't need to install any certificates in Application Gateway to connect to the backend pool.

    • All communications are automatically encrypted.


Application Gateway HTTP settings configuration

  • The application gateway routes traffic to the back-end servers by using the configuration that you specify here.

    • After you create an HTTP setting, you must associate it with one or more request-routing rules.

  • Host name override

    • This capability replaces the host header in the incoming request on the application gateway with the host name that you specify.

    • For example, if www.contoso.com is specified in the Host name setting, the original request https://appgw.eastus.cloudapp.azure.com/path1 is changed to https://www.contoso.com/path1 when the request is forwarded to the back-end server.

  • Application Gateway support for multi-tenant back ends such as App service

  • In multi-tenant architectural designs in web servers, multiple websites are running on the same web server instance.

    • Hostnames are used to differentiate between the different applications which are hosted.

    • By default, application gateway does not change the incoming HTTP host header from the client and sends the header unaltered to the back end.

  • Override back-end path

  • This setting lets you configure an optional custom forwarding path to use when the request is forwarded to the back end.

  • Any part of the incoming path that matches the custom path in the override backend path field is copied to the forwarded path.


TLS termination and end to end TLS with multi-tenant services

  • Both TLS termination and end-to-end TLS encryption are supported with multi-tenant services.

  • For TLS termination at the application gateway, a TLS certificate still has to be added to the application gateway listener.

  • For end-to-end TLS, however, trusted Azure services such as Azure App Service web apps do not need to be explicitly allowed as backends in the application gateway.

    • Therefore, there is no need to add any authentication certificates.

  • Notice that in the above image, there is no requirement to add authentication certificates when App service is selected as backend.


Application Gateway Routing

  • The gateway routes requests to a selected web server in the back-end pool, using a set of rules configured for the gateway to determine where the request should go.

  • There are two primary methods of routing traffic: path-based routing and multiple site hosting.

  • Path-based routing enables you to send requests with different paths in the URL to a different pool of back-end servers.

  • Multiple site hosting enables you to configure more than one web application on the same application gateway instance. In a multi-site configuration, you register multiple DNS names (CNAMEs) for the IP address of the Application Gateway, specifying the name of each site.


MultiSite Hosting

  • You can add up to 100+ websites to one application gateway.

  • Each website can be directed to its own backend pool.

  • You can also define wildcard host names in a multi-site listener.
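To tie the SSL termination, HTTP settings, end-to-end TLS and routing notes above together, here is a Bicep template I wrote as an added example (not from these notes or from Microsoft's documentation). One Application Gateway v2 terminates TLS with a certificate read from Key Vault, re-encrypts to App Service backends without any authentication certificate, applies a host name override and an override backend path, and routes with a path map plus a wildcard multi-site listener. Every name, host name and the subnet, public IP, Key Vault secret, identity and WAF policy IDs passed in as parameters are assumptions; it also assumes the www App Service has www.contoso.com bound as a custom domain and that the certificate's SANs cover both listener host names.

```bicep
// Added example, not from the original notes: one Application Gateway v2 that
// terminates TLS at the listener, re-encrypts to App Service backends (no
// authentication certificate needed), applies the host name and backend path
// overrides, and routes with a path map plus a wildcard multi-site listener.
// All names, host names and the IDs passed as parameters are assumptions.
param location string = resourceGroup().location
param gwName string = 'contoso-appgw'
param subnetId string      // the gateway's dedicated subnet
param publicIpId string    // Standard SKU public IP
param certSecretId string  // Key Vault secret URI of the TLS certificate
param identityId string    // user-assigned identity allowed to read that secret
param wafPolicyId string   // WAF policy to attach

var gwId = resourceId('Microsoft.Network/applicationGateways', gwName)
var frontend = { id: '${gwId}/frontendIPConfigurations/publicFrontend' }
var port443 = { id: '${gwId}/frontendPorts/port443' }
var cert = { id: '${gwId}/sslCertificates/contosoCert' }
var appServiceHttps = { id: '${gwId}/backendHttpSettingsCollection/appServiceHttps' }
var legacyRewrite = { id: '${gwId}/backendHttpSettingsCollection/legacyRewrite' }

resource appGw 'Microsoft.Network/applicationGateways@2023-09-01' = {
  name: gwName
  location: location
  identity: { type: 'UserAssigned', userAssignedIdentities: { '${identityId}': {} } }
  properties: {
    sku: { name: 'WAF_v2', tier: 'WAF_v2' }
    autoscaleConfiguration: { minCapacity: 2, maxCapacity: 10 }
    firewallPolicy: { id: wafPolicyId }
    sslPolicy: { policyType: 'Predefined', policyName: 'AppGwSslPolicy20220101S' } // TLS 1.2+ only
    gatewayIPConfigurations: [ { name: 'gwIpConfig', properties: { subnet: { id: subnetId } } } ]
    frontendIPConfigurations: [ { name: 'publicFrontend', properties: { publicIPAddress: { id: publicIpId } } } ]
    frontendPorts: [ { name: 'port443', properties: { port: 443 } } ]
    // TLS termination: the listeners decrypt with this certificate, whose SANs
    // must cover www.contoso.com and *.shop.contoso.com
    sslCertificates: [ { name: 'contosoCert', properties: { keyVaultSecretId: certSecretId } } ]
    backendAddressPools: [
      { name: 'wwwPool', properties: { backendAddresses: [ { fqdn: 'contoso-www.azurewebsites.net' } ] } }
      { name: 'apiPool', properties: { backendAddresses: [ { fqdn: 'contoso-api.azurewebsites.net' } ] } }
      { name: 'shopPool', properties: { backendAddresses: [ { fqdn: 'contoso-shop.azurewebsites.net' } ] } }
    ]
    backendHttpSettingsCollection: [
      // End-to-end TLS to App Service: re-encrypt on 443 with no trusted root or
      // authentication certificate. App Service expects its *.azurewebsites.net
      // host header, so it is taken from the backend address, not the client.
      {
        name: 'appServiceHttps'
        properties: {
          port: 443
          protocol: 'Https'
          cookieBasedAffinity: 'Disabled'
          pickHostNameFromBackendAddress: true
          requestTimeout: 30
        }
      }
      // Fixed host name override plus override backend path: with the /legacy/*
      // rule below, https://<gateway-fqdn>/legacy/report is forwarded as
      // https://www.contoso.com/v2/report (www.contoso.com is bound on that app).
      {
        name: 'legacyRewrite'
        properties: {
          port: 443
          protocol: 'Https'
          cookieBasedAffinity: 'Disabled'
          hostName: 'www.contoso.com'
          path: '/v2/'
          requestTimeout: 30
        }
      }
    ]
    // Multi-site listeners share one IP and port; SNI selects the site
    httpListeners: [
      { name: 'wwwListener', properties: { frontendIPConfiguration: frontend, frontendPort: port443, protocol: 'Https', sslCertificate: cert, hostNames: [ 'www.contoso.com' ], requireServerNameIndication: true } }
      { name: 'shopListener', properties: { frontendIPConfiguration: frontend, frontendPort: port443, protocol: 'Https', sslCertificate: cert, hostNames: [ '*.shop.contoso.com' ], requireServerNameIndication: true } }
    ]
    // Path-based routing for www.contoso.com: /api/* and /legacy/* get their own
    // pool or settings, everything else goes to wwwPool
    urlPathMaps: [
      {
        name: 'wwwPathMap'
        properties: {
          defaultBackendAddressPool: { id: '${gwId}/backendAddressPools/wwwPool' }
          defaultBackendHttpSettings: appServiceHttps
          pathRules: [
            { name: 'api', properties: { paths: [ '/api/*' ], backendAddressPool: { id: '${gwId}/backendAddressPools/apiPool' }, backendHttpSettings: appServiceHttps } }
            { name: 'legacy', properties: { paths: [ '/legacy/*' ], backendAddressPool: { id: '${gwId}/backendAddressPools/wwwPool' }, backendHttpSettings: legacyRewrite } }
          ]
        }
      }
    ]
    requestRoutingRules: [
      { name: 'wwwRule', properties: { ruleType: 'PathBasedRouting', priority: 100, httpListener: { id: '${gwId}/httpListeners/wwwListener' }, urlPathMap: { id: '${gwId}/urlPathMaps/wwwPathMap' } } }
      { name: 'shopRule', properties: { ruleType: 'Basic', priority: 200, httpListener: { id: '${gwId}/httpListeners/shopListener' }, backendAddressPool: { id: '${gwId}/backendAddressPools/shopPool' }, backendHttpSettings: appServiceHttps } }
    ]
  }
}
```

Two design points worth noting: the certificate is referenced by Key Vault secret URI through a user-assigned identity, so no private key sits in the template or the deployment history, and the two backend settings show the two host-header choices side by side (pickHostNameFromBackendAddress for App Service, a fixed hostName for a backend that serves a custom domain). Leaving the default of forwarding the client's Host header unaltered only works when the backend is bound to the same name the client used.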

