Cloud Notes: Azure Application Gateway

Published: 2023-04-08

Intro

Azure Application Gateway is a Layer 7 load balancing service for HTTP/S and HTTP2 traffic.

Features

Application Gateways have the following characteristics.

  • Application Gateway is a Regional service.
  • There are 2x versions (SKU's) available: v1 and v2.
  • Supports both Public and/or Private IP addressing for the Frontend.
  • Supports Virtual Machines (VMs), VM Scale Sets (VMSS), App Service, IP Address or FQDNs as Backend pool members.
  • Optionally, can be deployed with Web Application Firewall (WAF) functionality.
  • Can load balance across Availability Zones (AZs) within a Region.
  • Supports both Host and Path based routing.
  • Multi-Site hosting is supported. IE an App Gateway can be the Frontend for multiple different websites.
  • Supports both TLS termination and End-to-End TLS encryption.

v1 v2 Comparison

v2 App Gateways have the same features as v1 App Gateways with some additional functionality.

v1

ParameterDescription
HTTP/S/2Support for HTTP, HTTPS and HTTP2 traffic.
URL path based routingRoute to a backend pool based on a URL path such as /images/* or /videos/*.
Multi-site hostingHost multiple web application frontends on a single App Gateway.
Web Application Firewall (WAF)Pre-defined rules to protect web applications from common exploits and malicious attacks.
TLS termination and End-to-End encryptionTLS traffic can be terminated on the frontend (Termination) and optionally continue through to the backend host (End-to-End). Note: App Gateway proxies the TLS connection and does not pass it directly through to the backend host.
Session affinityUtilizes a cookie for session stickyness to a Backend server for a flow.
Connection drainingAllows for graceful removal of backend pool members.
Custom error pagesUse custom error pages instead of displaying default error pages.
WebsocketsEnabled by default and cannot be disabled.
Static/Dynamic VIP frontendStatic or Dynamic VIP address.
Public/Private VIP frontentSupport either private and/or public addressing for the frontend

v2

ParameterDescription
v1 featuresWith some differences.
AutoscalingDynamically scale in/out to meet traffic demands.
Zone redundancyCan span multiple Availability Zones (AZs).
AKS Ingress ControllerCan be used as an Ingress for Azure Kubernetes Service (AKS) clusters.
Azure Key Vault integrationCan access TLS certificates stored in Azure Key Vault without having to load them on the App Gateway.
Rewrite HTTP headers URLAdd, remove, or update HTTP request and response headers.
Rewrite URLRewrite URLs, query string parameters and host name.
Web Application Firewall (WAF)Custom rules to protect web applications from common exploits and malicious attacks.
Static VIP frontendStatic VIP address that does not change. Note: There is no option to have a dynamic IP address.
Public/Private VIP frontentPrivate only frontend VIP is currently in preview.

Listeners

Listeners determine which traffic is load balanced using the following parameters.

  • IP Addreess - X.X.X.X
  • Port number - 80/443
  • Protocol - HTTP/S/2
  • Host - www.stratuslabs.net

There are 2 types of Listeners: Basic and Multi-Site.

Basic

Basic listeners have the following characteristics.

  • Used for hosting a single website.
  • Single domain support.
  • Single DNS mapping to an IP address.

Multi-Site

Multi-Site listeners have the following characteristics.

  • Used for hosting a single website.
  • Multiple domains/hostnames support.
  • Can host 100+ sites on a single App Gateway.
  • Limited to 5 hostnames per-listener.
Note
TLS certificates are attached to listeners and used for TLS termination.

Rules

Rules determine how to Route traffic to a Backend and have the following characteristics.

  • HTTP settings, such as TLS termination of the Backend connection are defined.
  • Backend Targets are selected.
  • Backend Health Probes are attached to Rules.
  • Host-based, Path-based, Redirection and URL rewrite configuration are defined.

Health Probes

Health Probes are used to monitor Backend health at the application layer and have the following characteristics.

  • Resources considered unhealthy are automatically removed from the pool. Once healthy again, they are automatically added back into the pool.
  • A default health probe is automatically configured to make a HTTP GET request to the IP or FQDN configured in the backend pool.
  • Custom health probes allow you to define granular controls on how health probes operate.

Architecture

The following diagrams show a command Application Gateway deployment architecture.

The following points summarize the above diagram.

  • A multi-site Application Gateway (AGW) is hosting www.stuff.net and www.things.net
  • Users browse to the domain and DNS resolves to the Public IP address (PIP) of the AGW.
  • The Listener tied to each domain determines if the AGW is load balance the traffic. The Listener also points to the Routing rule used for the Backend pool.
  • Routing rules determine how traffic is routed to the backend pool.
  • Backend Pool members serve traffic for their respective domains.

Considerations

Application Gateways have the following considerations.

  • Application Gateways are deployed into a dedicated Subnet within a Virtual Network (VNet).
  • Multiple App Gateways can be deployed in the Subnet. However, The Subnet cannot be shared with Non Application Gateway Resources.
  • v1 and v2 App Gateways cannot share the same Subnet.
  • v1 App Gateways require a minimum /26 subnet.
  • It is recommended to install v2 App Gateways in a /24 Subnet to ensure sufficient address space is available for scaling.
  • A maximum of 40 listeners are recommended per Application Gateway.