Azure: is switching from Application Gateway to Front Door because bandwidth is not enough a good idea? - azure

We have deployed our website recently using an Application Gateway, but the bandwidth (125 CU) isn't enough to handle the very high traffic of the website.
We are thinking about replacing the Application Gateway with a Front Door since it looks like its bandwidth is higher; however, we don't know if there is anything we should know about using this method (security, best practice, cost, ...).
Our website is hosted in 2 identical App Service Plans (with 4 to 5 App Services in each of them) in the same region.
Please help

Why don't you guys use an actual firewall (not Azure WAF, rather something like Palo Alto, Fortigate, Cisco FTD etc.) for this? Not only will it work as an application gateway, but it will also provide you security and save you from a lot of attacks. It is fairly simple to deploy a firewall from the marketplace, and vendor support is also great. Depending on how well you negotiate, the price difference will be marginal.

Related

What to use for routing thousands of subdomains in Azure?

We have an application that we are hosting in multiple environments in Microsoft Azure. We want to route the traffic based on subdomains, like xxx.mydomain.com should go to the webapp that I have in North Europe and yyy.mydomain.com and zzz.mydomain.com should go to the webapp that I have in the East US.
I know it sounds like simple DNS, but it is more than that. Because:
I need to be able to add or update entries dynamically using code so an API should be available for that.
A normal DNS entry has a 24-hour time to live, meaning that if I want to move my app from one environment to another, for up to 24 hours users will hit both environments.
I expect to have hundreds of thousands of subdomains. Azure DNS has a limit of 25,000 entries.
I've looked into Azure Traffic Manager. It doesn't seem to have an option for traffic based on subdomains.
Also, I've looked at Azure Application Gateway. It seems to be the correct choice and it supports APIs, but I cannot find the limits for subdomains.
Any suggestions?
From the criteria, it seems you're looking for a load-balancer/proxy/application-delivery-controller solution that's controllable through an API. I'll add my 5 cents here, as we've just gone through a very similar problem. However, these are more of a suggestion to look for answers elsewhere than Azure.
Azure
Azure Traffic Manager or Azure Application Gateway have limits which you can't fit in. For example, in Azure Application Gateway with 200 rules you could potentially host only 200 HTTPS sites; the moment you need to serve HTTP & HTTPS, you're limited to 100 sites per application gateway. You'd need to split your solution across multiple subscriptions in order to fit subscription-wide limits. Also, the application gateway API is a bit too convoluted for my liking.
Azure DNS is also a bit problematic, as DNS records can last up to 24 hours. You'd therefore lose the ability to switch/route traffic to a different origin instantly.
Self-hosted
You could look into more old-school solutions: run HAProxy or Nginx and programmatically modify their configuration (text files) on the fly and reload the configuration. HAProxy also has a socket "API" that can simplify the configuration modification and reload for you.
There's also a new set of service mesh controllers such as Kong, which can run in the cloud natively and are meant for service mesh solutions; Kong, however, offers a simple API where you could manage/route traffic easily.
SaaS
If you're into buying this as a Service, Edge Cloud providers such as Cloudflare, Fastly or others are indeed "one big proxy server" and it is possible to configure them programmatically to route traffic to different origins, it's what they do after all.
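The "modify a text file and reload" approach from the self-hosted suggestion above, as an added example that is not part of the original answer: a Python helper that renders an HAProxy host map (`host backend` per line), validates entries coming from an API, writes the file atomically, and models the per-request lookup. The hostnames, backend names and the `/etc/haproxy/hosts.map` path are constructed assumptions.

```python
import re
from pathlib import Path

# Constructed sample routing table: subdomain -> HAProxy backend name.
ROUTES = {
    "xxx.mydomain.com": "be_north_europe",
    "yyy.mydomain.com": "be_east_us",
    "zzz.mydomain.com": "be_east_us",
}

# Valid DNS hostname: dot-separated labels of letters, digits and hyphens.
_HOST_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")
_BACKEND_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def normalize_host(header_value: str) -> str:
    """Lower-case the Host header and drop any :port suffix, mirroring the
    req.hdr(host),lower,field(1,':') converter chain used in the frontend."""
    return header_value.strip().lower().split(":", 1)[0]


def render_map(routes: dict[str, str]) -> str:
    """Return map-file text, one 'host backend' pair per line. Entries that
    are not valid hostnames/backend names are rejected so an API caller
    cannot inject whitespace or comments into the file."""
    lines = []
    for host, backend in sorted(routes.items()):
        host = normalize_host(host)
        if not _HOST_RE.match(host) or not _BACKEND_RE.match(backend):
            raise ValueError(f"rejected route {host!r} -> {backend!r}")
        lines.append(f"{host} {backend}")
    return "\n".join(lines) + "\n"


def lookup(routes: dict[str, str], host_header: str, default: str = "be_reject") -> str:
    """Local model of the per-request map() lookup HAProxy performs."""
    return routes.get(normalize_host(host_header), default)


def write_map(routes: dict[str, str], path: Path) -> None:
    """Write the map atomically so a reload never reads a half-written file."""
    tmp = path.with_name(path.name + ".tmp")
    tmp.write_text(render_map(routes))
    tmp.replace(path)


# Frontend that consumes the map (bind lines omitted); unknown hosts fall
# through to be_reject, which should answer with an error, not a catch-all origin.
FRONTEND_SNIPPET = """frontend https_in
    use_backend %[req.hdr(host),lower,field(1,':'),map(/etc/haproxy/hosts.map,be_reject)]
"""
```

After `write_map` runs, a reload (or the runtime socket) makes the new routing live immediately, which is the instant switch that a DNS TTL cannot give you.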
Azure Application Gateway is indeed perhaps one of the best options for your scenario.
As you already said, it has an API that you could use to dynamically add rules based on your subdomains.
The limits for Application Gateway only allow for 200 rules per gateway.
But you can have 1000 gateways per subscription, so if you could chain the gateways, that will give you roughly 200,000 rules.
The Microsoft documentation doesn't show that you can request an increase in these limits, but maybe if you ask really nicely they might allow it.
Maybe this is not the answer to your question but it might be an answer.
If anyone interested, we've ended up using Azure DNS. We have contacted Microsoft and they confirmed that they can increase the quota to 500,000 which is more than enough for us. :)

What is a good Azure architecture for Web App Services

I have been researching for a couple of days and looking at Pluralsight courses, but I can't seem to find a decent answer on how to set up a proper Azure infrastructure.
I have a client app, api backend, and a database as a core of my overall application. I know I need 2 different Web App services and an SQL database.
I also have a need to only allow access to all 3 from our company's IP address.
I'm getting lost with all the VNET and VPN talk and I am wondering if that is even required. Is it considered good to do IP restrictions and call it a day? Should I add an Application Gateway in front of the client application nonetheless?
If VNETs are required, is it a must to do site-to-site? (don't think we have the authority to do that) If not, how do we access the backend services like the database and API if everything is locked down?
Any help is appreciated because there is too much information and I can't seem to make sense of any of it.
Thanks
It depends a lot on both the purpose of your client application, web application and database, as well as the capabilities that currently exist within your organisation. Have you had a look at the reference architectures Microsoft has as a starting point?
If you are looking at a fairly simple application, deployed to Azure with minimal internal only use, then use something like this reference architecture: https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/vpn. You can actually simplify that a little further by removing the load balancers etc if you think traffic will be generally low.
If you are looking for an external application that can only be managed internally, you should adopt something similar to this reference architecture: https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/n-tier/n-tier-sql-server. Maybe even add a VPN component to the management jump box similar to this architecture: https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/vpn.
Even this, however, may be too complicated for your use case. If your application is pretty basic, is secured using username/password or identity federation, and has low-risk data associated with it, then just the basic web application architecture would do fine; just read through the various considerations here: https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/basic-web-app

DDoS attack mitigation on Azure infrastructure

I have a Django based web application hosted on Azure provisioned virtual machines (Ubuntu OS). My application recently experienced a DDoS attack and we were helpless against it.
The problem is that once traffic hits the server - even if it's blocked at a firewall or throttled in my webserver - the traffic is already consuming my network bandwidth. I can do nothing about it. This needs to be blocked "upstream", in the routing gear servicing my server.
Is there any DDoS protection Azure can offer me? Or at the very least, make recommendations as to how I might deploy my application so that it's more resistant to these attacks? Please advise.
Currently, Azure provides DDoS protection at the network level, but not at the application level. So, if you are receiving a bunch of ACK requests, for example, this should be blocked by the platform itself.
For app level DDOS protection, you need to consider an upstream provider such as Incapsula or Silverline. Integrating them is quite easy. See https://www.incapsula.com/blog/how-to-add-incapsula-to-your-microsoft-azure-instance.html for an example.
Essentially, you will set up Incapsula and configure it with the DNS label of the web app (something.azurewebsites.net). Your DNS (www.domain.com) will then point to the Incapsula service and they will handle the rest.
Please note that separating the DDoS protection from the service still allows for an attack against the service itself (i.e. if someone hits something.azurewebsites.net then Incapsula will not protect this traffic).
Hope that helps!
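The caveat in the answer above (traffic that hits the origin directly bypasses the edge proxy) applies equally to the Front Door switch discussed in the first question. As an added example, not from either thread, this WSGI middleware refuses requests that lack the header the edge adds (Azure Front Door sets `X-Azure-FDID` to the profile's ID; other proxies can be configured to add a secret header). `EXPECTED_FDID`, `origin_app` and the request dictionaries are constructed placeholders, and the check only holds if the origin is also network-restricted to the proxy's address ranges so the header cannot be forged.

```python
import hmac

EXPECTED_FDID = "00000000-0000-0000-0000-000000000000"  # constructed placeholder, not a real ID


class RequireEdgeHeader:
    """Reject with 403 unless the request carries the expected edge header.

    Pair this with a network restriction (for Front Door, the
    AzureFrontDoor.Backend service tag) so only the edge can reach the origin;
    on its own, a header check is advisory, since anyone reaching the origin
    could send the header too."""

    def __init__(self, app, header="HTTP_X_AZURE_FDID", expected=EXPECTED_FDID):
        self.app = app
        self.environ_key = header   # WSGI spells X-Azure-FDID as HTTP_X_AZURE_FDID
        self.expected = expected.encode()

    def __call__(self, environ, start_response):
        presented = environ.get(self.environ_key, "").encode()
        # Constant-time comparison so timing does not leak the expected value.
        if not hmac.compare_digest(presented, self.expected):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"direct access to origin is not allowed\n"]
        return self.app(environ, start_response)


def origin_app(environ, start_response):
    """Stand-in for the real Django WSGI application (constructed)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello from origin\n"]


def call(app, environ):
    """Invoke a WSGI app in-process and return (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


# Wrap the origin; in Django this would wrap get_wsgi_application() in wsgi.py.
protected = RequireEdgeHeader(origin_app)
```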
First: Azure allows for IP-whitelisting (or blacklisting), so you can add malicious IP addresses to your block-list on incoming traffic (port 80/443 for instance). And you can modify IP addresses / ranges programmatically. This should prevent traffic from hitting your web app. Note: This is specific to Azure Virtual Machines, which you're using.
Second: Azure provides the Azure Security Center, which is designed to detect such things as DoS attacks, intrusion attacks, etc. Not that it solves your problem, but it can be used for alerting you to issues.
Using Incapsula will be the right answer for you, since Incapsula hides your origin IP and mitigates the attack before it even reaches Azure.
In addition, it provides CDN and cache, which helped us save on bandwidth costs on AWS and make our application work faster.

I want to load balance my azure website

I have my website (abc.azurewebsites.net) hosted to Azure Web Apps using Visual Studio.
Now after 1 month I am facing problems with traffic management. My CPU is always 90 - 95% as the number of requests is too high.
Does anyone know how to add Traffic Management in this web app without changing the domain abc.azurewebsites.net? Is it hard coded in my application?
I thought of changing the web app to a Virtual Machine but now as it's already deployed I am scared of domain loss.
When you scale your Web App you add instances of your current pricing tier and Azure deploys your Web App package to each of them.
There's a Load Balancer over all your instances, so traffic is automatically load balanced between them. You shouldn't need a Virtual Machine for this and you don't need to configure any extra Traffic Manager.
I can vouch that my company is using Azure Web Apps to manage more than 1000 concurrent users making thousands of requests with just 2-3 instances. It all depends on what your application does and what other resources it accesses too, whether or not you implemented a caching strategy, and what kind of data storage you are using.
High CPU does not always mean high traffic; it's a mix of CPU and HTTP Queue Length that gives you an idea of how well your instances are handling traffic.
Your solution might involve implementing a group of things:
Performance tweak your application
Add caching strategies (distributed cache like Azure Redis is a good option)
Increase Web App instances by configuring Auto-Scaling based on HTTP Queue Length / CPU.
You should not have to change your domain to autoscale a Web App, but you may have to change your pricing tier. Scaling to multiple instances is available at the Basic pricing tier, and autoscaling starts at the Standard tier. Custom domains are allowed at these levels, but you don't have to change your domain if you don't want to.
Here is the overview of scaling a web app https://azure.microsoft.com/en-us/documentation/articles/web-sites-scale/
Adding a Virtual Machine (VM) is very costly compared to adding an instance. On top of it, redundancy (recommended) for the VMs, adding NICs etc. will blow up the cost. Maintenance is another challenge. PaaS (Web App etc.) is always a better option than IaaS.
Serverless offerings like Azure Functions can also be thought of. They support http trigger and scale up really well.
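The scaling answer above says to judge load by CPU and HTTP queue length together and to autoscale on both. As an added example (a local model, not Azure's autoscale engine and not code from the thread), the function below decides the next instance count from a window of metric samples: either signal triggers scale-out, but scale-in needs both to be calm, so an I/O-bound app with idle CPU and a growing request backlog keeps its capacity and counts do not flap. Thresholds and samples are constructed.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Sample:
    cpu_percent: float
    http_queue_length: float


@dataclass(frozen=True)
class Policy:
    min_instances: int = 2
    max_instances: int = 10
    cpu_out: float = 70.0     # scale out when average CPU is above this ...
    queue_out: float = 100.0  # ... OR average queue length is above this
    cpu_in: float = 30.0      # scale in only when average CPU is below this ...
    queue_in: float = 10.0    # ... AND average queue length is below this
    step: int = 1


def decide(current: int, window: list[Sample], policy: Policy = Policy()) -> int:
    """Return the instance count to run next, given the recent metric window.

    Scale-out fires on either signal because both indicate saturation; the
    gap between the out and in thresholds is the hysteresis that prevents
    the count oscillating around a single threshold."""
    clamp = lambda n: max(policy.min_instances, min(n, policy.max_instances))
    if not window:
        return clamp(current)   # no data: keep what we have, within bounds
    cpu = mean(s.cpu_percent for s in window)
    queue = mean(s.http_queue_length for s in window)
    if cpu > policy.cpu_out or queue > policy.queue_out:
        return clamp(current + policy.step)
    if cpu < policy.cpu_in and queue < policy.queue_in:
        return clamp(current - policy.step)
    return clamp(current)


# Constructed five-minute windows of one-minute samples.
BACKLOG_IDLE_CPU = [Sample(12, 180)] * 5   # I/O-bound: queue grows, CPU idle
CALM = [Sample(8, 0)] * 5
MIXED = [Sample(15, 40)] * 5               # CPU calm, queue not: hold
```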

Mobile Application Reverse Gateway recommendation

I have a mobile application that communicates with a REST-based web service. The web service lives behind the firewall and talks to other systems. Currently this web service requires a firewall port to be opened and an SSL cert generated for each installation. Mobile apps send login credentials so the web services can log in to custom back-end systems.
Recently a customer approached us asking how we could deploy this to 50 offices. As we don't want to, say, modify every firewall in every office, we're looking for options. This is a list of possible solutions and my thoughts on each one:
Open firewall port and expose HTTPS web service - This is our current solution, but we don't want to have to contact 50 network admins and explain why we need to do this.
VPN - Too heavyweight, complex and expensive; we only need access to one server. Does not solve the problem, as the firewall needs to be modified.
Microsoft Azure Hybrid Connection Manager - This provides a managed service where the Azure cloud will expose an endpoint. Azure will also expect connections from an easy-to-install application that lives behind the firewall. When a REST call is made to the cloud endpoint, the request is forwarded down the socket that was initiated by the software behind the firewall. This does what we want, but as it's a Microsoft solution it might impose other requirements that our customers might not want. Currently the simple Hybrid Connection Manager is free. But for how long?
Jscape MFT Gateway - Similar to Azure, but you can host their server anywhere. Not that expensive, but is not open source.
Netty - An async Java library/toolkit where this type of application could easily be built. Client and server apps would need to be built and deployed. Don't know what we don't know about Netty.
MDM, AirWatch, BlackBerry BES - An MDM-based solution would work, except that MDMs are centrally managed and are not often in every office where the backend services are located. AirWatch has an AppTunnel, but I'm not sure about the specifics.
At this point the Microsoft and Jscape systems are possible solutions.
But most likely these solutions will require us to modify the mobile software to work around issues such as:
How does the user know which server to log in to? A locator service needs to be built such that an email address is used to look up their office, or they need to select their office location from a list.
While the connection is SSL, many companies might want some additional protection, since network login information will be sent down the pipe.
How is load balancing and fail-over managed?
So, at this point I'm looking for more options. The best option would be a commercial product that offers some level of customization. Second, I would like a well-used open-source product that could be installed in AWS and customized.
Thanks
The best approach we found was to use the PUTTY API and set up a reverse proxy.