Azure Application Gateway - check health on subset of backend nodes - azure

I have a Service Fabric cluster that hosts some number of identical applications. The application has two main components: a stateless service that hosts a web API (it listens on a unique port number) and an actor service.
In front of it there is an Application Gateway instance with multi-site listeners to reach the proper application instance based on the URL. The scale set for the Service Fabric cluster is set as the backend pool for the Application Gateway.
For each application I have separate HTTP settings with a unique backend port to reach. One of the configuration options for a listener is a health probe that checks the web API health, by default on each backend node.
There is no problem when the API is deployed on each node in the backend, but when the API is deployed only on a subset of nodes, the health probe reports the app as unhealthy for the nodes without it.
Is there a supported way to configure the Application Gateway health probe to check health only on a subset of backend nodes? For apps running on a Service Fabric cluster, as in my case, this would be strongly desired.

I recommend that you use a reverse proxy on the cluster for this. You can use the built-in reverse proxy, or Traefik for this.
This ensures that all incoming traffic is routed to the services.
It does introduce an additional network hop, so there is a performance impact.

Related

How do I make my microservices only accessible by the API gateway

I would like to know how I can protect my Node.js microservices so that only the API gateway can access them. Currently the microservices are exposed on a unique port on my machine and can be accessed directly without passing through the gateway. That defeats the purpose of the gateway, which is to serve as the only entry point into the system for secure and authorized information exchange.
The microservices and the gateway are currently built with Node.js and Express.
The plan is to eventually deploy it on the cloud (DigitalOcean). I'd appreciate any response. Thanks.
Kubernetes can solve this problem.
Kubernetes manages containers, where each container can be a microservice.
While connecting your microservices to your gateway server, you can choose to only allow foreign connections to your gateway server. You would have a load balancer / nginx in your Kubernetes cluster that redirects requests to your gateway server.
Kubernetes has many other features, such as:
Service discovery: each of your microservices' IPs could potentially change on restart/deployment unless you have a static IP for all your services. Service discovery solves this problem.
High availability, horizontal scaling and zero downtime: you can configure several replicas for each of your services, so when one of the services goes down, there are still other replicas alive to deal with the remaining requests. This also helps with CI/CD. With something like GitHub Actions, you can make a smooth CI/CD pipeline. When you deploy a new Docker image (update a microservice), Kubernetes will launch a new container first and then kill the old container, so you have zero downtime.
If you are working with microservices, you should definitely take a deep dive into Kubernetes.

Azure Traditional Load Balancer VS Azure Application Gateway response latency?

Environment details: I have an application hosted in two Azure environments for two clients. The application contains an ASP.NET Web API backend and an Angular frontend. Both applications are hosted on two web servers (Windows VMs). I'm using a Load Balancer in the first environment (Environment 1) and an Application Gateway in the second environment (Environment 2).
Problem: The issue I'm having is that the API response time in Environment 1 is faster than in Environment 2. Below is a screenshot of the browser inspect window for the same request.
According to the Timing tab, Environment 1 has a faster response time than Environment 2.
Question: Is this response time difference due to using a Load Balancer versus an Application Gateway?
The biggest difference between Azure Load Balancer and Azure Application Gateway is that they work at different layers of the OSI model. Azure Load Balancer is a high-performance, low-latency Layer 4 load-balancing service (inbound and outbound) for all UDP and TCP protocols. This may make request and response relatively quicker.
Application Gateway provides application delivery controller (ADC) as a service, offering various Layer 7 load-balancing capabilities. Use it to optimize web farm productivity by offloading CPU-intensive SSL termination to the gateway.
Azure Load Balancer is a high-performance, low-latency Layer 4 load-balancing service (inbound and outbound) for all UDP and TCP protocols. It is built to handle millions of requests per second while ensuring your solution is highly available. Azure Load Balancer is zone-redundant, ensuring high availability across Availability Zones.
For more references:
Overview of load-balancing options in Azure
Azure — Difference between Azure Load Balancer and Application Gateway

How to achieve High Availability for multiple App Services in Azure

I have two identical Web Apps and have added them to an Application Gateway's backend pool in Azure.
I have one domain for the Application Gateway and I can bind only one Web App to it.
Is there any way to add two Web Apps with the same domain as the Application Gateway?
If not, is there any other way to achieve high availability for Web Apps?
I want that, if one Web App is not reachable, traffic should go to the other Web App. The Web Apps are not stateless, so I have ruled out using a Traffic Manager profile due to its lack of session persistence.
I have gone through the various questions mentioned below on the same topic, but none is related or has a satisfactory solution.
- DNS: High Availability with Azure Web Apps + Traffic Manager
- Achieving High Availability using Azure Traffic Manager
- Is it possible that one domain name has multiple corresponding IP addresses?
For App Service, Application Gateway cannot be used for load-balancing purposes. You can use Application Gateway as a WAF. In your scenario, as Thomas stated, AFD would be the best option.
You can leverage the priority option, which can be configured while adding an App Service to the backend pool, to achieve your ask.
You can assign priorities to your different backends when you want to use a primary service backend for all traffic, and provide backups in case the primary or the backup backends are unavailable.
In this case, when the probe to the primary goes down, traffic will be routed to the secondary Web App.
Reference: https://learn.microsoft.com/en-in/azure/frontdoor/front-door-routing-methods

Azure Application Gateway fallback not working

Is it possible to setup Azure Application Gateway to use one server as fallback if the first server is unhealthy?
We currently have this setup in our path-based rules:
/images/* -> server 1 (only server in pool 1)
/* -> server 2 (only server in pool 2)
If we take down server 1, images return a 502 gateway error even though server 2 should be able to handle them. I expected unhealthy servers to be temporarily removed from the path-based rules until they are healthy again.
Yes, it's possible to use Application Gateway to achieve that, but you need to add the two VMs to one backend pool.
Just go to one backend pool and add the second VM to the pool, then click Save.
Also, it's necessary to configure the VNet, probe, etc.
For more about how to use Application Gateway to offer various layer 7 load-balancing capabilities for VMs, refer to this document.

Load balancer for Azure Service Fabric Cluster on-premises

As developers we wrote microservices on Azure Service Fabric, and we can run them in Azure in some sort of PaaS concept for many customers. But some of our customers do not want to run in the cloud, as their databases are on-premises and are not going to be available from the outside, not even through a DMZ. That's OK; we promised to support it, as Azure Service Fabric can be installed as a cluster on-premises.
We have an API gateway microservice running inside the cluster on every virtual machine, which uses the name resolver, and requests are routed and distributed accordingly. But the API that the API gateway microservice provides is the entrance for another piece of client software which our customers use; that software runs outside of the cluster and has to send requests to the API.
I suggested using a load balancer like HAProxy or nginx on a separate machine (or machines) to which the client software sends its requests, and the reverse proxy would then forward them to an available machine inside the cluster.
It seems that is not what our customer wants; another machine as a load balancer is not an option. They suggest: make the client software smarter so it figures out which host to go to. In other words, we should write our own failover/load balancer inside the client software.
What other options do we have?
Install the Network Load Balancing feature on each of the virtual machines to give the cluster a single IP address. Is this even possible? Something like https://www.poweradmin.com/blog/configuring-network-load-balancing-in-windows-server/
Suggest an API gateway outside the cluster, like Kong: https://getkong.org/
Something else?
PS: The client applications do not send many requests per second, maybe a few per minute.
Very similar problem: we have many services and a Service Fabric cluster that runs on-premises. When it's time to use a load balancer, we install IIS on the same machine where the Service Fabric cluster runs. As IIS is a good load balancer, we use IIS as a reverse proxy only for the API gateway. Kestrel hosting is used for the other services that communicate over HTTP. The API gateway microservice is the single entry point for all clients and always has a static URI inside SF; we used that URI to configure IIS.
If you do not have the possibility to use IIS, then look at Using nginx as HTTP load balancer.
You don't need another machine just for HTTP forwarding. Just use/run it as a service on the cluster.
Did you consider using the built-in reverse proxy of Service Fabric? This runs on all nodes, and it will forward HTTP calls to services inside the cluster.
You can also run nginx as a guest executable or inside a container on the cluster.
We also faced the same situation when we started working with a Service Fabric cluster. We configured Application Gateway as a proxy, but it did not provide functions like HTTP-to-HTTPS redirection.
For that reason, we configured nginx instead of Azure Application Gateway as the proxy to the Service Fabric application.