What's the recommended way to set up SSL/TLS with AKS for a .NET Core website that uses SignalR?
From what I can tell Azure Front Door doesn't work because it doesn't support Websockets.
And AKS doesn't have a service like AWS does for doing SSL/TLS.
Do I really have to use an nginx proxy on top to make this work?
Also, looks like the same problem for gRPC in .NET Core and Azure. Basically no way to host gRPC on Azure at all right now.
Suggestions?
Application Gateway provides native support for WebSocket across all gateway sizes. There is no user-configurable setting to selectively enable or disable WebSocket support. See Overview of WebSocket support in Application Gateway.
With the application gateway, you can create listeners on port 80/443 to support WebSocket traffic, and the health probe supports HTTP and HTTPS protocols. App GW also supports SSL offload and end-to-end SSL traffic.
There are two options for using App GW in conjunction with AKS. One is simply to put the App GW in front of the internal or public load balancers with AKS, see this blog. Another, currently better, one is using the Application Gateway Ingress Controller. This is supported by Application Gateway v2 only.
For more references:
Expose a WebSocket server
How to configure Azure Application Gateway work with AKS via SSL.
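The second option from the answer above, sketched as a Kubernetes manifest. This is an added example, not part of the original answer or the linked articles; the resource name `signalr-web`, the host `chat.example.com` and the secret `signalr-tls` are placeholders, and it assumes AGIC is already installed against an Application Gateway v2.

```yaml
# Added example: Ingress handled by the Application Gateway Ingress Controller (AGIC).
# Names, hostname and secret are placeholders, not values from the page.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: signalr-web
  annotations:
    # Hand this Ingress to AGIC instead of an in-cluster proxy.
    kubernetes.io/ingress.class: azure/application-gateway
    # Redirect the port-80 listener to HTTPS so nothing is served in clear text.
    appgw.ingress.kubernetes.io/ssl-redirect: "true"
    # Pin a client to one pod; SignalR needs sticky sessions with several
    # replicas unless clients use WebSockets only and skip negotiation.
    appgw.ingress.kubernetes.io/cookie-based-affinity: "true"
    # For end-to-end SSL instead of SSL offload, the pods must serve HTTPS
    # themselves (service port 443) and this annotation is enabled:
    # appgw.ingress.kubernetes.io/backend-protocol: "https"
spec:
  tls:
    - hosts:
        - chat.example.com
      secretName: signalr-tls    # kubernetes.io/tls secret with certificate and key
  rules:
    - host: chat.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: signalr-web
                port:
                  number: 80     # SSL offload: gateway to pod is plain HTTP
```

WebSocket needs no annotation here, since Application Gateway has no setting to enable or disable it.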
Related
I have an Azure Service Fabric cluster created on a local test environment and deployed microservice-based web APIs; it is working well without any issues. But I would like to enable HTTPS traffic at the cluster level and want to stop HTTP requests.
https://mytestsf.westus.cloudapp.azure.com:8800/ => expecting this one to work
http://mytestsf.westus.cloudapp.azure.com:8800/ => expecting this one NOT to work
Can support for only HTTPS traffic be done at the Azure Service Fabric level? If yes, how?
P.S: This Service Fabric cluster does not have any external network component like Traffic Manager or Application Gateway in front of it, as it is a local test environment.
Follow the documentation - add an HTTPS endpoint using Kestrel - Azure Service Fabric.
I have an Azure APIM setup that receives the website request and forwards it to the respective microservice node. The website supports only HTTP requests and now I wish to change this to HTTPS/SSL.
The app server on the microservice node does not support SSL, so I have a couple of options:
1. On microservice node - change to another app server that supports SSL
2. OR On microservice node - add a web server (nginx) which does the SSL and forwards the request to the app server (both web server and app server will be on the same node)
3. OR Configure SSL at the Azure API management layer
I prefer to use option 3 so that the microservice node is responsible only to serve requests and the HTTPS/SSL bit is handled by the Azure API management layer. This documentation seems to suggest how this can be achieved for both SSL termination at the gateway and end to end SSL. However, there are 2 problems:
1. This article is about application gateway - and I am looking for a similar solution with API management (API gateway).
2. If I wish to use the end to end SSL mode, and not the SSL termination mode (which terminates SSL at gateway), then my app server will need to have SSL feature?
How to add end to end SSL support to a microservice via Azure API management layer without app server having to support SSL?
API Management (APIM) is acting as a reverse proxy - much like nginx in your example. APIM supports SSL by default and can do SSL termination.
APIM will also talk to your backend service without any issues - all you need to do is select "http" for the backend instead of "https".
So I am looking at using Azure App Gateway to overcome a set of legacy servers (Win2003) that will not support TLS 1.2 and therefore come March+ 2020 the client browsers will not be able to access the site.
So my question is can I use AZ App Gateway to terminate the SSL and route traffic onto a set of Windows Load Balanced servers in our datacentres?
Has anyone done this before?
You can certainly do this, but Azure Front Door would be a better option, I believe (if you trust IP restrictions, I think that would be the only way to secure endpoints). They would allow you to offload SSL and offer some other nice features. And you don't have to create a site-to-site VPN and maintain it.
I would like to set up my apps with High Availability and Security in mind and am thinking of using the Azure Application Gateway to provide WAF and Load Balancing (Layer-7) capabilities. I couldn't find any concrete information from official documentation that this is a supported setup (using App Service as AG backends). The official documentation only states VMs:
https://learn.microsoft.com/en-us/azure/application-gateway/overview
Here's a simplified architecture.
Does anyone have first-hand experience with this setup?
Azure Application Gateway supports app services as the backend. If you want to use the High Availability of app service, you could target two app services in the same backend pool, then the App GW frontend receiving traffic will go round-robin to the backends in the pool. You could get more details from Configure App Service with Application Gateway.
If you just want to host multi-site in the same Azure application gateway, then each site will direct to each backend pool, you could follow this tutorial: Create and configure an application gateway to host multiple web sites using the Azure portal
My application gateway/WAF is set up end to end SSL. Does anyone know if it can just pass through requests to, like, an app server for a desktop client if the public FQDN is resolving to the app gateway, or would I need another device for this?
If this is possible, how would I go about doing it with Azure's App GW / WAF?
If not, any recommendations on virtual appliances?
Application Gateway now supports re-encrypt SSL traffic but passthrough is not supported.
https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-backend-ssl