Microsoft AZ-700: Design Azure Application Gateway

Reading Time: 3 minutes

Notes from MS Learn AZ-700 Module 5: Load balance HTTP(S) traffic in Azure – Unit 2: Design Azure Application Gateway

Azure Application Gateway processes traffic to web apps hosted on a pool of servers. Includes load balancing HTTP traffic and inspecting it using a web app FW. Includes encrypting traffic between users and the app gateway, and between app servers and the app gateway.

App Gateway provides HTTP load balancing and a web app firewall. Supports TLS/SSL encryption between users and app gateway, and between app servers and app gateway.

Uses a round-robin process for load balancing to the back-end pool. Session stickiness ensures requests in the same session are routed to the same back-end server. Important for e-commerce apps.

  • Features
    • Support for HTTP/HTTPS/HTTP2/WebSocket protocols
    • Web App FW to protect against web app vulnerabilities
    • End-to-end request encryption
    • Autoscaling to dynamically adjust capacity as web traffic load changes
    • Connection draining allows graceful removal of back-end pool members during planned updates
  • Public or Private IP
  • Listeners
  • App Gateway routes to backend pool per rule
  • Backends
    • VM
    • VM Scale Set
    • IP Address
    • App Service
  • Health Probes to monitor Backends
  • Application Gateway components
    • Front-end IP
      • Public
      • Private
      • Both
      • Cannot have more than one of each
    • Listener
      • One or more to receive incoming request
      • Accepts traffic on specified combo of
        • Protocol
        • Port
        • Host
        • IP
      • Routes request to back-end pool of servers based on routing rules
      • Basic or Multisite
        • Basic
          • Only routes based on path in URL
        • Multisite
          • Can also route using hostname of URL
      • Can handle TLS/SSL certificates
    • Routing Rules
      • Binds listener to back-end pool
      • Specifies how to interpret hostname and path elements
      • Has associated set of HTTP settings
        • Indicate whether/how traffic is encrypted between App Gateway and back-end servers
      • Additional config info
        • Protocol
        • Session stickiness
        • Connection draining
        • Request timeout
        • Health Probes
  • Load balancing in Application Gateway
    • App Gateway automatically balances requests in each back-end pool using round-robin
    • Works with OSI L7 routing based on hostnames and paths
    • In comparison, others such as Azure Load Balancer are at L4 based on IP addr of target
    • Possible to configure session stickiness
  • Web Application Firewall
    • Web App Firewall (WAF) optional
    • Handles incoming requests before they reach a listener
    • Checks for common threats based on Open Web Application Security Project (OWASP)
    • Common threats
      • SQL-Injection
      • Cross-site scripting
      • Command injection
      • HTTP request smuggling
      • HTTP response splitting
      • Remote file inclusion
      • Bots
      • Crawlers
      • Scanners
      • HTTP proto violations/anomalies
    • OWASP defines set of rules for detection
    • Called Core Rule Set (CRS)
    • CRS under constant review
    • WAF supports
      • CRS 3.2
      • CRS 3.1 (default)
      • CRS 3.0
      • CRS 2.2.9
    • Can customize FW for elements in request to examine and limit size of messages
  • Back-end Pools
    • Collection of web servers
      • VMs
      • VM Scale-set
      • App Service
      • On-prem servers
    • Each has associated load balancer
    • Provide IP or Name of each webserver when configuring
    • All servers in pool should have identical configurations
    • If using TLS/SSL – HTTP setting references certificate used to auth back-end pool servers
      • Gateway re-encrypts using certificate before sending to server
    • If using App Service no need to install certificates in Gateway
      • Communication automatically encrypted – App Gateway trusts because Azure manages them
    • App Gateway uses rule to specify how to direct messages received to back-end pool.
    • If using TLS/SSL must configure rule
      • Servers expect traffic through HTTPS
      • Certificate used to encrypt traffic and auth connection to server
  • Application Gateway Routing
    • When gateway routes request it uses rule set configured for the gateway to determine path
    • Path-Based routing
      • Sends requests with diff URL to diff pools
    • Multiple-site routing
      • Configures more than one web app on same gateway
      • Register multiple DNS names (CNAME) for IP of app gateway specifying name of each site
      • App gateway uses separate listeners for requests to each site
      • Listener passes request to diff rule for routing to diff back-end pools
      • Useful for supporting multitenant apps
      • Features
        • Redirection
          • Used to redirect to another site or from HTTP to HTTPS
        • Rewrite HTTP Headers
          • HTTP headers allow client and server to pass parameter info with request or response
        • Custom error pages
          • App gateway allows custom error pages
  • TLS/SSL Termination
    • Offloads CPU-intensive termination from servers
    • No need to install certificates/configure TLS/SSL on server
    • If end-to-end encryption needed App gateway can decrypt on gateway using private key, then re-encrypt with public key of service in back-end pool
    • Traffic enters gateway through front-end port
      • Open many ports possible
    • Listener is the first thing traffic meets when entering gateway through a port
    • Listener set up to listen for specific host name and port on an IP
    • Listener can use TLS/SSL cert to decrypt
    • Then uses rule defined to direct request to back-end pool
    • Exposure of web app through gateway = no direct connection of servers to web
    • Exposes only port 80 or 443 on gateway
  • Health Probes
    • Determine which servers are available
    • App gateway uses probe to send request
    • Server returns HTTP response with status code between 200 and 399 as healthy
    • Default probe waits 30 seconds if custom probe not created
  • Autoscaling
    • Supported and scales up/down based on traffic load patterns
    • Removes requirement to choose deployment size or instance count during provisioning
  • WebSocket and HTTP/2 traffic
    • Native support for these
    • Enables full duplex communication between server and client over long-running TCP connection
    • Communication between server and client is more interactive and can be bidirectional, without the polling required in HTTP-based implementations
    • These have low overhead and can reuse the same TCP connection for multiple requests/responses
    • Work over ports 80 and 443
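
As an added example that is not part of the MS Learn module or this post, the Az PowerShell script below builds one WAF_v2 Application Gateway that ties together the components, multi-site listener, path-based routing, end-to-end TLS, custom health probe, connection draining, autoscaling and WAF settings from the notes above. All resource names, IP addresses and host names are assumptions, and the resource group, VNet/subnet, public IP and PFX certificate are assumed to exist already.

```powershell
# Added example (not from the MS Learn module): one WAF_v2 Application Gateway built with the
# Az PowerShell module, wiring together the components from the notes above. Names, addresses
# and host names are assumptions; resource group, VNet/subnet, public IP and PFX cert must exist.
$rg       = 'rg-appgw-notes'
$vnet     = Get-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $rg
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'snet-appgw' -VirtualNetwork $vnet
$pip      = Get-AzPublicIpAddress -Name 'pip-appgw' -ResourceGroupName $rg
# Front end: one public IP, and only port 443 opened on the gateway
$gwIp   = New-AzApplicationGatewayIPConfiguration -Name 'gwIpConfig' -Subnet $gwSubnet
$feIp   = New-AzApplicationGatewayFrontendIPConfig -Name 'feIp' -PublicIPAddress $pip
$fePort = New-AzApplicationGatewayFrontendPort -Name 'port443' -Port 443
$cert   = New-AzApplicationGatewaySslCertificate -Name 'siteCert' -CertificateFile 'C:\certs\www.pfx' `
            -Password (Read-Host -AsSecureString 'PFX password')

# Custom probe: a server is healthy while /health answers 200-399; three consecutive
# failures, 30 s apart, take it out of rotation
$probe = New-AzApplicationGatewayProbeConfig -Name 'healthProbe' -Protocol Https -Path '/health' `
            -Interval 30 -Timeout 30 -UnhealthyThreshold 3 -PickHostNameFromBackendHttpSettings `
            -Match (New-AzApplicationGatewayProbeHealthResponseMatch -StatusCode '200-399')

# Back end: identically configured servers reached over HTTPS (end-to-end TLS) with cookie
# stickiness and 60 s draining; backend certs must chain to a well-known CA, else add -TrustedRootCertificate
$webPool  = New-AzApplicationGatewayBackendAddressPool -Name 'webPool' -BackendIPAddresses '10.0.1.4','10.0.1.5'
$imgPool  = New-AzApplicationGatewayBackendAddressPool -Name 'imagesPool' -BackendIPAddresses '10.0.2.4'
$drain    = New-AzApplicationGatewayConnectionDraining -Enabled $true -DrainTimeoutInSec 60
$settings = New-AzApplicationGatewayBackendHttpSetting -Name 'httpsSettings' -Port 443 -Protocol Https `
            -HostName 'www.example.com' -CookieBasedAffinity Enabled -RequestTimeout 30 `
            -ConnectionDraining $drain -Probe $probe

# Multi-site listener: matches protocol + port + host name and decrypts with the cert
$listener = New-AzApplicationGatewayHttpListener -Name 'wwwListener' -Protocol Https `
            -FrontendIPConfiguration $feIp -FrontendPort $fePort -HostName 'www.example.com' -SslCertificate $cert
# Path-based rule: /images/* goes to imagesPool, everything else to webPool
$imgRule = New-AzApplicationGatewayPathRuleConfig -Name 'images' -Paths '/images/*' `
            -BackendAddressPool $imgPool -BackendHttpSettings $settings
$pathMap = New-AzApplicationGatewayUrlPathMapConfig -Name 'wwwPathMap' -PathRules $imgRule `
            -DefaultBackendAddressPool $webPool -DefaultBackendHttpSettings $settings
$rule    = New-AzApplicationGatewayRequestRoutingRule -Name 'wwwRule' -RuleType PathBasedRouting `
            -Priority 100 -HttpListener $listener -UrlPathMap $pathMap

# WAF in Prevention mode on OWASP CRS 3.2; autoscale instead of a fixed instance count
$waf = New-AzApplicationGatewayWebApplicationFirewallConfiguration -Enabled $true -FirewallMode Prevention `
            -RuleSetType OWASP -RuleSetVersion '3.2'
$sku       = New-AzApplicationGatewaySku -Name WAF_v2 -Tier WAF_v2
$autoscale = New-AzApplicationGatewayAutoscaleConfiguration -MinCapacity 2 -MaxCapacity 10
New-AzApplicationGateway -Name 'appgw-notes' -ResourceGroupName $rg -Location 'eastus' -Sku $sku `
    -AutoscaleConfiguration $autoscale -GatewayIPConfigurations $gwIp -FrontendIPConfigurations $feIp `
    -FrontendPorts $fePort -SslCertificates $cert -Probes $probe -BackendAddressPools $webPool,$imgPool `
    -BackendHttpSettingsCollection $settings -HttpListeners $listener -UrlPathMaps $pathMap `
    -RequestRoutingRules $rule -WebApplicationFirewallConfiguration $waf
```

Because only port 443 is opened on the front end and the back-end servers are reached solely through the gateway, the servers themselves are never exposed directly to the web, which is the exposure model the TLS/SSL Termination notes describe.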
Permanent link to this article: https://www.packetpilot.com/microsoft-az-700-design-azure-application-gateway/