Load Balancing in Azure - Subdomains AND SignalR - azure

I am creating a standard multi-tenant site that has the following structure:
example.com
tenant1.example.com
tenant2.example.com
The hosting is Azure web apps. Tenants are generated dynamically (there could be many) and the site includes real-time components, so utilises Azure SignalR. The site will have a wildcard SSL/TLS certificate to enable the subdomain structure.
Rather than going direct to the app service in one region, I'd like to put a load balancer in front of this and route traffic to regional clusters, or maybe even isolated instances for larger clients. It would also be good to have the DDOS protection that comes in-built with these things.
Azure Front Door was my first investigation, this can handle wildcard certificates but doesn't support SignalR.
Application Gateway was my next investigation, this can handle SignalR, but doesn't support wilcard certificates.
In terms of DDOS attacks, it seems we can enable a form of protection directly on the web apps. However, to me, this seems like it would throttle an attack rather than provide (low-cost) protection, as I believe a load balancer would.
How can I load balance this situation please?

Related

Is there any need for a firewall for an Azure Web App?

I understand that Azure Web Apps as a PaaS offering are inherently more secure than if hosting on your own VM ... but does that mean a firewall solution is not required at all?
Azure offers a few solutions, but anything acting as a firewall seems expensive - so we are wondering if we can just do without one.
Not required as long as you are secured login for sensitive data and enabled CORN rules. For other protections you can definitely add to your subscription like firewall and DDoS protection.
It is not required; however, depending on the type of application you are building it is greatly encouraged, if not required by specific industries.
Depending on your architecture and/or approach and if cost is a concern I'd recommend Azure FrontDoor w/ Web Application Firewall (WAF) enabled. This will cover additional security for your application at a reasonable cost as well as potentially server as a Traffic/Manager Load balancer.

Azure SubDomain Link to Appservice

I have domain example.com I bought in azure.And I have two appservices app1 and app2.
I can link example.com to app1
But I want to link example.com/one to app1(appservices)
and example.com/two to app2(appservices).
Can anyone plz suugest me how to do this in Microsoft Azure
Using Azure Application Gateway and creating the relevant routing rules would be a good way to do this.
Here's a quick screenshot from Microsoft Docs which talks about a similar scenario..
Do know that there is price associated with it (and a lot of other features). So you may need to evaluate a bit.
Application Gateway Pricing
You will need to assign the custom domain to a load balancer. Azure App Gateway supports URL based routing. Since Azure App Services are multi-tenant you will need to follow these docs to configure App Gateway with an App Server. This is a great solution for single region applications.
If you need mutli-region support, check out our new Azure Front Door Service. Azure Front Door Service enables you to define, manage, and monitor the global routing for your web traffic by optimizing for best performance and instant global failover for high availability. With Front Door, you can transform your global (multi-region) consumer and enterprise applications into robust, high-performance personalized modern applications, APIs, and content that reach a global audience with Azure.

Is Azure WebApp automatically rate limited / DOS protected?

I'm building a service that allows to enter activation keys in a desktop application, which will then call a web service to check the key and return a license. This call does not require authorization.
The web application is running as Azure "App Service". I'm afraid someone will be trying to "guess" activation keys and slow down my service. (I'm not afraid they will be able to correctly guess, they are long enough).
Do Azure WebApps have some kind of automatic rate-limiting or DOS-protection, or do I need to configure/code this myself?
If I have to do it myself, can you point me into the right direction?
As far as I know, we could use Dynamic IP Restrictions in web app.
The Dynamic IP Restrictions Extension for IIS provides IT Professionals and Hosters a configurable module that helps mitigate or block Denial of Service Attacks or cracking of passwords through Brute-force by temporarily blocking Internet Protocol (IP) addresses of HTTP clients who follow a pattern that could be conducive to one of such attacks. This module can be configured such that the analysis and blocking could be done at the Web Server or the Web Site level.
About how to config this feature. We could remote connect to the azure web app IIS and set it.
About how to remote connect web app IIS, you could refer to this article.
More details, you could also refer to this blog.

Why use a Reverse Proxy to front an Azure Website?

What are some legitimate use-cases for fronting an Azure "Web App" service with a reverse proxy (i.e. ARR)?
I'm specifically interested in security considerations. For the purposes of this question, let's assume load balancing is handled by the Azure load balancer and the proxy would not perform any additional features such as caching or compression.
The Azure Load Balancer is a Layer-4 component. ARR is a Layer-7 router, therefore it can do sticky sessions (instance affinity) and health checking.
In App Service it also does TLS offloading, which is pretty nice since your application code only has to deal with plain HTTP. More on that here: https://stackoverflow.com/a/38726543/4148708
If you don't need/want any of that, then by all means, go to Cloud Services, VM Scale Sets or vanilla VMs.

Traffic manager with multiple endpoints in same location

I'm trying to add web app endpoints from the same location, to an azure traffic manager, when I try to do this, it tells me that App Service will use load balancing to do this for me, when we apps are in the same location.
My understanding is that load balancing is for distributing requests between multiple VMs on one web app. The plan was to use out single DNS and allow traffic manager to determine which endpoint to go to using round-robin or failover. How will load balancing know to direct to one of the web apps from this single address?
Azure Web Apps already have built in load balancing between instances within the web app. So for example if you have a web app with 10 instances under the endpoint: tester.azurewebsites.net, Azure load balances appropriately across those instances.
When you bring in traffic manager, that is looking for different endpoints to facilitate between. Incoming requests will be routed based on proximity to endpoints it is managing, load and if the endpoint is available. Traffic Manager takes care of all of those complexities for you.
This allows you to have a single endpoint myapp.azurewebsites.net; which may route to myapp-west.azurewebsites.net and myapp-east.azurewebsites.net. That routing as I indicated is based on proximity, load and availability.
How it actually works is the magic sauce of Azure Traffic Manager. I use it in production and it has been working very well for me. I primarily use it for routing based on proximity, and have yet to experience a failure on a web app to test a production failover reroute.
Hope that helps!

Resources