Application Gateway vs Front Door - azure

I am working on the following architecture.
We are following a hub and spoke topology.
We are looking at having two Application Gateways (1 in the Hub and 1 in the Lab).
a. Do they really need an App Gateway in the HUB?
b. And whether the customer can consider having, maybe, Azure Front Door as a replacement for the App Gateway.
Has anyone done any critical research around this, any case studies or reference architecture on the same? Any thoughts?

Azure Application Gateway is a regional load-balancing service that distributes traffic within virtual networks across virtual machines (VMs) or zonal and zone-redundant service endpoints within a region.
Whereas Azure Front Door is a global load-balancing service that distributes traffic across regional backends, clouds, or hybrid on-premises services to the closest available backend.
If your hub and spokes are in the same region and you want to load balance traffic between them, you can go with Azure Application Gateway.
Refer: https://learn.microsoft.com/en-us/azure/architecture/high-availability/ref-arch-iaas-web-and-db
If your hub and spokes are in different regions and you want to load balance traffic between them, you can go with Azure Front Door.
Refer: https://learn.microsoft.com/en-us/azure/architecture/example-scenario/signalr/#azure-front-door
If you would like to load balance or route traffic within a virtual network or internally, you can use a combination of Application Gateway and Front Door, OR use the latest Azure Front Door Premium tier, where you can enable Private Link to connect to origins behind an internal load balancer over a private endpoint.
Refer: https://learn.microsoft.com/en-us/azure/architecture/example-scenario/multi-saas/multitenant-saas
https://learn.microsoft.com/en-us/azure/frontdoor/private-link
So, it all comes down to your requirement. You can configure any of the below:
1 Application Gateway to load balance the traffic in the same region
1 Azure Front Door to load balance traffic between different regions
2 Application Gateways and 1 Azure Front Door Classic to load balance internal traffic in different regions
1 Azure Front Door Premium with private endpoint to load balance internal traffic in different regions

Related

Azure Frontdoor or traffic manager

Just wanted recommendations on using Azure Front Door or Azure Traffic Manager for my 2 different web apps hosted in different regions. Can we use both together?
Both Azure Front Door and Traffic Manager are deployed in a region-agnostic way by Azure to help load balance instances between region pairs. If you are hosting web applications using Azure App Service, the recommended solution for load balancing between regions is Front Door, since your traffic is HTTP(S). (Whereas a Traffic Manager would work nicely if you are running virtual machines in different regions and want to load balance between them.)
And if you want to further load balance traffic between different web apps in the same region, use an Azure Application Gateway. (Your Front Door directs user traffic to a region, and within that region, the Application Gateway directs traffic to a healthy web app.)
You can read this for a decision tree of the load balancing options provided by Microsoft: https://learn.microsoft.com/en-us/azure/architecture/guide/technology-choices/load-balancing-overview#decision-tree-for-load-balancing-in-azure
IMHO you should use the one that makes more sense. With Traffic Manager you can work with different algorithms when routing to the right region, while with Front Door you don't have this flexibility.
On the other hand, Front Door offers some features like Web Application Firewall (WAF) and SSL offloading that may be interesting in your scenario.

azure application gateway behind azure front door multiple websites domains ssl

[Infrastructure diagram]
Info picture: all servers should have the same configurations, websites and ports.
The goal is that on all virtual servers in the VMSS the different websites are running (www.xxx.com, www.yyy.com, wwww.zzz.com).
The SSL termination should be done at Front Door; that is clear to me.
Questions: Where should I place the public IP? What should I configure so that all websites are running and available for users in the application pool? I don't find a tutorial which describes my infrastructure. Could someone help me in this case?
Please help me, thanks.
Front Door is a global load-balancing service which distributes traffic from your end users across your regional backends.
Load Balancers and Application Gateways are regional load-balancing services which provide the ability to distribute traffic to virtual machines (VMs) within virtual networks (VNETs) or service endpoints within a region.
https://learn.microsoft.com/en-us/azure/frontdoor/front-door-lb-with-azure-app-delivery-suite#choosing-a-global-load-balancer
Here is an example of Microsoft Azure DR architecture with Application Gateway, Front Door, Load Balancer and Traffic Manager.
https://learn.microsoft.com/en-us/azure/frontdoor/front-door-lb-with-azure-app-delivery-suite
Considering your solution, you should configure SSL on Front Door and configure Application Gateway as the backend.
Application Gateway should have the VMSS configured as its backend.
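When the Application Gateway sits behind Front Door with its own public IP, anyone who learns that IP can bypass Front Door (and the TLS termination and WAF done there) and hit the gateway directly. An added example, not part of the original answer: a Bicep WAF policy for an Application Gateway v2 (WAF_v2 SKU) that blocks any request whose X-Azure-FDID header does not carry the ID of your own Front Door profile; the frontDoorId parameter and the policy name are assumptions.

```bicep
// Added example (not the original answer's code). Front Door stamps X-Azure-FDID
// with its profile ID on every request it forwards; anything else is blocked here.
param frontDoorId string   // assumed: the Front Door ID of the allowed profile
param location string = resourceGroup().location
resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2023-05-01' = {
  name: 'waf-only-front-door'
  location: location
  properties: {
    policySettings: {
      state: 'Enabled'
      mode: 'Prevention' // 'Detection' would only log, not block
    }
    customRules: [
      {
        // custom rules are evaluated before the managed rule set, lowest priority first
        name: 'BlockIfNotFromOurFrontDoor'
        priority: 10
        ruleType: 'MatchRule'
        action: 'Block'
        matchConditions: [
          {
            matchVariables: [
              {
                variableName: 'RequestHeaders'
                selector: 'X-Azure-FDID'
              }
            ]
            operator: 'Equal'
            // negated: the rule matches (and blocks) when the header is absent or differs;
            // the property name is spelled this way in the ARM schema
            negationConditon: true
            matchValues: [
              frontDoorId
            ]
          }
        ]
      }
    ]
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'OWASP'
          ruleSetVersion: '3.2'
        }
      ]
    }
  }
}
```

Attach the policy to the gateway with firewallPolicy: { id: wafPolicy.id } on the Application Gateway resource, and pair it with an NSG rule on the gateway subnet that allows inbound 443 only from the AzureFrontDoor.Backend service tag, so the restriction is enforced at the network layer as well as on the header.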

Understanding Outbound Data Transfer for Azure App Service Plan

For the purpose of migrating a very small business web application from on-premises to the Azure PaaS service environment, we have identified the below tentative solution:
Use Azure Storage Account to host the front end (Angular SPA).
Use App Service Plan to run the back-end Spring Boot application.
Use Application Gateway V2 (with WAF) as the public endpoint which will re-route traffic to both the Storage account and App Service (SSL will be hosted in the Gateway as it is the public endpoint).
Use Azure SQL Server as the database.
Use a VPN Gateway site-to-site connection from the Azure service to on-premises for outgoing SFTP file transfer (very small in size).
But it seems the App Service Plan will not be placed within the Application VNET, and hence a VNET integration from the Azure service to the Application VNET is first required to enable the VPN connectivity. Ours is a very small application with no HA or other multi zone/region requirements, hence using a dedicated ASE (Azure Service Environment) is not feasible for us. Since the communication with App Service is not going to be local to the application VNET, we are trying to understand the concept of the term 'outbound data transfer' (specifically which are charged and not) in Azure networking, with respect to the above PaaS services.
Is the traffic from Application Gateway (in the Application VNET) to Azure Service (Plan) considered outbound data transfer?
If a VNET integration is in place from Azure Service to the application VNET, is the traffic going out of Azure Service to the application VNET considered outbound data transfer?
From this article, we know that:
Outbound data transfer: The first 5 GB per month of outbound data transfer is free for all Azure zones, but following that the Azure pricing tiers will kick in based on various slabs (5–10 TB, then 40 TB, 100 TB, 350 TB, and then everything above 500 TB). This charge should be considered if the applications deployed in Azure are accessed over the internet. For example, when downloading data from Azure storage accounts or websites, accessing VMs over RDP and SSH will incur charges as data is being transferred out of an Azure data center.
Another scenario where these charges will be applied is with hybrid connectivity through VPN or ExpressRoute. For VPNs, the outbound data from the VPN Gateways will be billed at outbound data charge rates. For ExpressRoute, outbound data transfers are chargeable for metered data plans, and the cost will vary based on the selected plan.
To your questions:
The traffic from Application Gateway (in the Application VNET) to Azure Service (Plan) would be considered outbound data transfer, because if the backend pool is a public endpoint (Azure App Service), the application gateway uses its frontend public IP to reach the server. If there isn't a frontend public IP address, one is assigned for the outbound external connectivity. Read How an application gateway routes a request. Also, it would be charged if you have an application gateway and app service plan in different regions.
With VNet integration, the app service is connected to both a VNet and the Internet. The traffic going out of Azure Service to the application VNET would not be considered outbound data transfer, because the traffic usually goes over the Azure backbone network and the VMs hosting your web app are assigned a private IP address from that integrated subnet. These IP addresses are used for outbound connectivity. You would also be charged if you deployed all resources across regions (for this, you may use gateway-required VNet integration).
If you're interested, you could read that other Azure services can reduce your cloud costs.

Azure Load Balancing Solution - Application Gateway or Azure Load Balancer

Note: I'm still in learning phase.
Question: For the scenario described below, in the Load Balancing Settings for the two VMs for the FrontEnd subnet should I choose Application Gateway or Azure Load Balancer?
In Azure portal, when I create the VMs for FrontEnd, the Networking tab of the wizard, gives me two choices shown below:
Why the confusion:
For Load Balancing Internet Traffic to VMs, this tutorial does not choose Application Gateway. But the 5th bullet of the following scenario seems to indicate I should choose Application Gateway
Scenario
This tutorial from official Azure team describes designing an infrastructure for a simple online store as follows:
The above configuration incorporates:
A cloud-only virtual network with two subnets (FrontEnd and BackEnd)
Azure Managed Disks with both Standard and Premium disks
Four availability sets, one for each tier of the online store
The virtual machines for the four tiers
An external load balanced set for HTTPS-based web traffic from the Internet to the web servers
An internal load balanced set for unencrypted web traffic from the web servers to the application servers
A single resource group
You can use both; it's a matter of your needs. Load Balancer just forwards traffic to your VMs, while Application Gateway can do path-based routing, SSL offloading, has WAF capabilities, and so on. But it costs a lot more and is clunky.
Looking at the bullet points you've listed, your case will work with both of these solutions.
PS. Like Rahul mentioned, Load Balancer works on level 4 and is not HTTP aware; Application Gateway is a level 7 load balancer.

Can we have a single application gateway for all VMSS created in different regions?

Can we have a single Application Gateway for all VMSS created in different regions?
If yes please share the possible options.
As the comment mentioned, we could not have a single Application Gateway for all VMSS created in different regions, since Application Gateway is always deployed in a virtual network subnet and it only directly supports deploying the VMSS as backends in the same region and virtual network as the Application Gateway.
As a workaround, you could use a public IP address as the backend for communicating with instances outside of the virtual network as long as there is IP connectivity. Read more details about backend pools. So you may use a public-facing load balancer associated with the VMSS.
Furthermore, you could also use Traffic Manager to distribute traffic across multiple Application Gateways in different datacenters. Or use Azure Front Door Service, which provides a scalable and secure entry point for fast delivery of your global web applications.
