On my on premise servers, we have two set of web apis:
service.xxxx.net/chartdata/data
service.xxxx.net/chartimage/image
We are in the process of moving our sites to azure (as two web apps). The big boss wants to keep the url structure on azure. I did some research and seems application gateway can achieve that.
However, when setting up an application gateway, I need to provide vnet and subnet information. As it is just two web apps, I don't really have a vnet.
So this makes me wonder if application gateway is indeed the right choice or not? Maybe there is something else?
App gateway is the right solution for a single region.
You need to create Vnet for the App Gateway not for the web apps. You can check this tutorial:
https://learn.microsoft.com/en-us/learn/modules/load-balance-web-traffic-with-application-gateway/
https://learn.microsoft.com/en-us/learn/modules/load-balance-web-traffic-with-application-gateway/5-exercise-create-configure-application-gateway
For multiple regions, Azure Front Door is a the right one: https://azure.microsoft.com/en-us/services/frontdoor/
Related
I want to protect a number of Azure App Services with Web Application Firewall.
I was able to make it work with one app and on the way to adding the other apps.
Is there any recommended way or things to consider given the fact that some of these apps talk to each other?
If AppA queries AppB, I understand that the call would not be routed through the internet since it's all between azure IPs, is that right?
But would that skip the Application Gateway?
I have domain example.com I bought in azure.And I have two appservices app1 and app2.
I can link example.com to app1
But I want to link example.com/one to app1(appservices)
and example.com/two to app2(appservices).
Can anyone plz suugest me how to do this in Microsoft Azure
Using Azure Application Gateway and creating the relevant routing rules would be a good way to do this.
Here's a quick screenshot from Microsoft Docs which talks about a similar scenario..
Do know that there is price associated with it (and a lot of other features). So you may need to evaluate a bit.
Application Gateway Pricing
You will need to assign the custom domain to a load balancer. Azure App Gateway supports URL based routing. Since Azure App Services are multi-tenant you will need to follow these docs to configure App Gateway with an App Server. This is a great solution for single region applications.
If you need mutli-region support, check out our new Azure Front Door Service. Azure Front Door Service enables you to define, manage, and monitor the global routing for your web traffic by optimizing for best performance and instant global failover for high availability. With Front Door, you can transform your global (multi-region) consumer and enterprise applications into robust, high-performance personalized modern applications, APIs, and content that reach a global audience with Azure.
Hello I have 3 different web app. Each web app has a different application with a different endpoint. I need to replicate all of these app services in multiples region. My question is. Do I need to have one Traffic manager for each replication application?
The other alternative that I had was. I could have one traffic manager in front of all applications, and Behind the traffic manager but ahead of the all application for integrating all app service in a one, I could have one API gateway. In that case, I suppose that I could have only one traffic manager instead of three.
Does somebody have one recommendation for this type of architecture?
Azure traffic manager is designed as a global service,not bound to a location. If you have 3 webapps located in different regions, use one traffic manager to route all requests will be ok. This reference architecture will be helpful: https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/multi-region
I have two app services. One for UI and one for web api. I need to create a DNS so that I should be able to access like www.example.com/ui and www.example.com/api. Please let me know anyone how to achieve this without virtual directory concept.
Thanks
You cannot achieve this purely with DNS. DNS knows nothing about routes, only domain names. So www.example.com must resolve to one service, which should be your reverse proxy, maybe Application Gateway?
Here's the tutorial on hosting two apps behind Application Gateway: Tutorial: Create an application gateway that hosts multiple web sites using the Azure CLI.
Multiple-site hosting enables you to configure more than one web site on the same application gateway instance. This feature allows you to configure a more efficient topology for your deployments by adding up to 20 web sites to one application gateway. Each web site can be directed to its own pool. For example, application gateway can serve traffic for contoso.com and fabrikam.com from two server pools called ContosoServerPool and FabrikamServerPool.
We have an application running in Azure that consists of the following:
A Web App front end, which talks to…
A WebApi running as a Web App as well, which can (as well as a couple other services) talk to…
A Cloud Service load balanced set of VMs which Are hosting an Elasticsearch cluster.
Additionally we have the scenario were dev’s whitelist their IPs so that their localhost version of the API can hit the VMs as well.
We have locked down our Elasticsearch VM’s by adding ACLs to the exposed end point. I whitelisted the outbound IPs that were listed on my App Services. I was under the mistaken impression that these were unique to my Api. It turns out that these are shared across the scale unit in Azure. Other services running in the same scale unit, could, if they knew the endpoint, access the data exposed on the endpoint in my cluster. I need to lock this down, and I am trying to find the easiest way. These are the things I am looking at, and I would appreciate advice and/or redirection.
Elastic Shield: Not being considered. This is a product by Elastic
that is designed to secure ES. This is ideal, but at the moment it
is out of scope (due to the cost and overhead)
List item
Elastic plugins: Not being considered. The main plugins (such as
Jetty) appear to be abandoned.
Azure VPN. I originally tried to set this up, but ran into too many
difficulties. The ACLs seemed to give me what I need without much
difficulty. I am not sure if I can set this up now. The things I
don’t know are:
I don’t think I can move existing VMs into a new VPN.
I think you have to recreate the VMs in that VPN from the get go
Could I move my Web App into the VPN? How does that work?
This would prob break my developer scenario as the localhost API
would not be able to access the VPN, right?
Add a certificate to requests: It would be ideal if I could have
requests require a cert or a header token. I assume to do this I
would need to create a proxy that would run on the VMs and do the
validation before forwarding the request on to my Elasticsearch.
Anything else? Is there another option I have not thought of?
Thanks!
~john
You can create a VPN point-to-site connecting your Web App with your IaaS VMs. This is the best solution because you will be able to use just internal IPs on your IaaS.
The easiest way to do that using Azure Portal is create a Web App and, create a new VPN and VNet using "setup" option at "Your Web App" -> Settings -> Networking -> VNET Integration -> Setup -> Create New Virtual Network.
After that, create your IaaS inside this new VNet.
You also can create a ARM template to create Web App, IaaS, VPN and everything that you need. Take a look at my ARM template to create PHP+MySQL using Web App and MariaDB Cluster connected by VPN: https://github.com/juliosene/azure-webapp-php-mariadb