I have 3 app services on Azure, like
app1.azurewebsites.net
app2.azurewebsites.net
app3.azurewebsites.net
And I have created an Application gateway in front of them, with WAF enabled.
And I'm going to set up 3 custom domains and an SSL certificate for each of the app services.
What I want to achieve is like below:
visit https://app1.mydomain.com => Application Gateway => app1.azurewebsites.net
visit https://app2.mydomain.com => Application Gateway => app2.azurewebsites.net
visit https://app3.mydomain.com => Application Gateway => app3.azurewebsites.net
Is this possible with only 1 application gateway to support multiple domains? Or must I purchase 3 gateways, which is 3 times the cost? Basically I only want to use the WAF to protect my site.
Your ask is possible with one Application Gateway.
Here is the configuration that you need to set up.
Listener 1 (app1.mydomain.com) --> HTTP Setting 1 (Check Use App Service check box) --> Backend Pool 1 (app1.azurewebsites.net)
Listener 2 (app2.mydomain.com) --> HTTP Setting 2 (Check Use App Service check box) --> Backend Pool 2 (app2.azurewebsites.net)
Listener 3 (app3.mydomain.com) --> HTTP Setting 3 (Check Use App Service check box) --> Backend Pool 3 (app3.azurewebsites.net)
So, you need 3 Listeners, 3 HTTP Settings, 3 Backend Pools and 3 rules.
You need to create probes for each HTTP Setting, enable the HTTPS protocol, and also check "pick hostname from Backend HTTP Settings".
Reference: https://learn.microsoft.com/en-us/azure/application-gateway/configure-web-app-portal
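The checklist in the answer above can be verified mechanically once the gateway is defined. The following is an added example, not part of the original answer: it walks each routing rule to its HTTP setting, pool and probe and reports what is missing. The property names follow the ARM JSON schema for Application Gateway; the sample gateway and the helper names (`audit`, `site`, `build`) are constructed for illustration.

```python
# Added example with constructed data: audit an Application Gateway definition
# (ARM JSON property names) against the checklist in the answer above.
def _ref(sub):  # name at the end of an ARM sub-resource id, or None
    return sub["id"].rsplit("/", 1)[-1] if sub else None

def audit(gw):
    """Return (rule, problem) pairs for App Service backends missing a setting."""
    p = gw["properties"]
    index = lambda key: {i["name"]: i["properties"] for i in p.get(key, [])}
    pools, probes = index("backendAddressPools"), index("probes")
    settings = index("backendHttpSettingsCollection")
    findings = []
    for rule in p["requestRoutingRules"]:
        r, name = rule["properties"], rule["name"]
        pool = pools[_ref(r["backendAddressPool"])]
        if not any(a.get("fqdn", "").endswith(".azurewebsites.net")
                   for a in pool["backendAddresses"]):
            continue  # the host-name settings only matter for App Service backends
        hs = settings[_ref(r["backendHttpSettings"])]
        if not hs.get("pickHostNameFromBackendAddress"):
            findings.append((name, "HTTP setting does not pick host name from backend"))
        if hs.get("protocol") != "Https":
            findings.append((name, "HTTP setting is not HTTPS"))
        probe = probes.get(_ref(hs.get("probe")))
        if probe is None:
            findings.append((name, "no custom probe attached"))
        elif not probe.get("pickHostNameFromBackendHttpSettings"):
            findings.append((name, "probe does not pick host name from HTTP settings"))
    return findings

def site(n, pick_host=True, probe_pick=True):
    """Constructed pool, HTTP setting, probe and rule for appN.azurewebsites.net."""
    ref = lambda kind: {"id": f"/constructed/{kind}s/{kind}{n}"}
    return {
        "backendAddressPools": {"name": f"pool{n}", "properties": {
            "backendAddresses": [{"fqdn": f"app{n}.azurewebsites.net"}]}},
        "backendHttpSettingsCollection": {"name": f"setting{n}", "properties": {
            "protocol": "Https", "pickHostNameFromBackendAddress": pick_host,
            "probe": ref("probe")}},
        "probes": {"name": f"probe{n}", "properties": {
            "protocol": "Https", "pickHostNameFromBackendHttpSettings": probe_pick}},
        "requestRoutingRules": {"name": f"rule{n}", "properties": {
            "backendAddressPool": ref("pool"), "backendHttpSettings": ref("setting")}},
    }

def build(sites):
    return {"properties": {k: [s[k] for s in sites] for k in sites[0]}}
# app2's HTTP setting does not pick the backend host name; app3's probe does not either.
SAMPLE = build([site(1), site(2, pick_host=False), site(3, probe_pick=False)])
print(audit(SAMPLE))
```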
We are trying to build a cloud service on Azure. We have 3 webrole instances running. What are the possible ways to proxy the requests that we get on a webrole to some other webrole?
For example,
I have the following 2 web roles running: webrole0, webrole1.
I get a request on webrole0. Based on some parameters either webrole0 can serve the request or the request needs to be proxied to webrole1. How do I make this proxying of the request possible?
If you are looking for path-based routing, you can go with Azure Application Gateway. If you want to route traffic to web roles based on the request parameters, you need to go with third-party NVAs like F5 to check if that satisfies your routing needs.
We have 2 Azure VMs running IIS and hosting 50+ .Net web applications (Webforms, MVC, WCF & ASMX). Both of the 2 VMs are identical and all sites are configured using a hostname ([subdomain].domain.com) on port 443 and requiring SSL.
11 of these sites are legacy and require affinity because of session state; all other sites don't and can be randomly load balanced.
All of the sites run perfectly on each of the 2 servers.
Now we would like to put an Application Gateway in front of the 2 VMs to provide load balancing, https redirect, WAF, ...
Can we configure 1 Application Gateway to do all this and make sure the affinity is only valid for those 11 sites and not for all of them and also do the https redirect?
Or do we need to configure 2 Application Gateways, 1 for the 11 affinity-dependent sites and 1 for the remaining and then have dns point to 1 of the Gateways?
In Application Gateway you can create 100 listeners (for WAF-enabled SKUs), so you should be able to accommodate your setup with one Application Gateway.
When you are creating HTTP settings, you can choose whether to enable cookie-based affinity or not.
Application Gateway has all the features you requested, like HTTP to HTTPS redirection and WAF protection.
So you should be able to deploy an Application Gateway and configure it to make your setup work.
I have several app services that I want to use application gateway to sit in front of and route traffic to using URL Routing. For example:
api1-app-service
api2-app-service
website1-app-service
I would like to use the Application Gateway with a custom domain in front of it, and route the traffic like this:
test.app.com/api/something -> api1-app-service
test.app.com/api/different -> api2-app-service
test.app.com/ -> website1-app-service
I set up 3 different backend pools and a URL routing rule that looks like this:
rule1 | /api/something* | backendPool1
rule2 | /api/different* | backendPool2
default rule | backendPool3
The problem I am having is that the direction here (https://blogs.msdn.microsoft.com/waws/2017/11/21/setting-up-application-gateway-with-an-app-service-that-uses-azure-active-directory-authentication/) says that the app service has to be set up with the custom domain that you are pointing to the application gateway (test.app.com in my example), but I can't configure test.app.com to go to multiple app services. I get an error that the hostname is already mapped to another app service (which is true: when trying to map to api2-app-service, test.app.com is configured to api1-app-service). Is it possible to set up an application gateway in front of multiple app services?
It's possible to set up an application gateway in front of multiple app services.
If you want custom domains with your web app service, you could configure different custom domains in different App services. Probably, if you'd like to use the same custom domain, you could deploy multiple Applications in the same web app service with different virtual paths.
If you do not want custom domains in multiple App Services, you could use the default hostname *.azurewebsites.net. If so, the Application Gateway frontend will direct the client request to different backend pools based on the different routing rules. You could configure for the backend HTTP setting using -PickHostNameFromBackendAddress.
Ref: Hosting multiple sites in one Azure WebApp and create an application gateway with path-based routing rules.
After researching all day, I am fairly sure this isn't possible using just an Application Gateway and app services. I am going to containerize my app and then use the application gateway and see if that does what I want it to.
I followed the docs here https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-create-multisite-portal but am still getting the error:
Azure Application Gateway error 502 - Web server received an invalid response while acting as a gateway or proxy server. There is a problem with the page you are looking for, and it cannot be displayed. When the Web server (while acting as a gateway or proxy) contacted the upstream content server, i
Any help?
About the 502 errors after configuring the application gateway, the main reasons are as follows:
NSG, UDR or Custom DNS is blocking access to backend pool members.
Back-end VMs or instances of virtual machine scale set are not responding to the default health probe.
Invalid or improper configuration of custom health probes.
Azure Application Gateway's back-end pool is not configured or empty.
None of the VMs or instances in virtual machine scale set are healthy.
Request time-out or connectivity issues with user requests.
References: Troubleshooting bad gateway errors in Application Gateway
Just a reminder: after changing the health probe, please check that you selected "use custom probe".
Issue: Receiving 502 when you have Web App as the backend pool.
This is what the default probe from Application Gateway looks like: http/https://127.0.0.1:port/
But Web App doesn't respond to localhost, so Application Gateway will be receiving 404 for the request sent and it will mark that Web Application unhealthy.
In your scenario, you need to create 3 backend pools where you add one Web App in each pool. Then create an HTTP setting and enable the "Use App Service" check box.
How to enable Use App Service
Then create 3 separate rules to achieve your scenario.
Listener1 (test.mydomain.com) ---> HTTP Settings (enable Use App Service) --> Backend Pool (test.mydomain.com)
Listener2 (staging.mydomain.com) ---> HTTP Settings (enable Use App Service) --> Backend Pool (staging.mydomain.com)
Listener3 (prod.mydomain.com) ---> HTTP Settings (enable Use App Service) --> Backend Pool (prod.mydomain.com)
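The probe behaviour described in this answer can be reproduced locally. The following is an added example, not Azure code and not part of the original answer: a small HTTP server stands in for a shared front end that only knows its sites by Host header, and the same GET / is sent once with the default probe's host and once with the backend's own host name. The site names and the `probe`, `healthy` and `run_demo` helpers are constructed; the 200-399 healthy range is Application Gateway's default probe match.

```python
# Added example: local simulation of host-header routing and health probes.
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

SITES = {"app1.azurewebsites.net", "app2.azurewebsites.net"}  # constructed tenants

class FrontEnd(BaseHTTPRequestHandler):
    """Stand-in for a shared front end: unknown Host headers get 404."""
    def do_GET(self):
        host = (self.headers.get("Host") or "").split(":")[0].lower()
        self.send_response(200 if host in SITES else 404)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass

def probe(port, host_header):
    """Send GET / with an explicit Host header and return the status code."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.putrequest("GET", "/", skip_host=True)
        conn.putheader("Host", host_header)
        conn.endheaders()
        return conn.getresponse().status
    finally:
        conn.close()

def healthy(status):
    """Default probe match: any status from 200 to 399 counts as healthy."""
    return 200 <= status <= 399

def run_demo():
    server = HTTPServer(("127.0.0.1", 0), FrontEnd)  # port 0: pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    try:
        return {
            "default probe (Host: 127.0.0.1)": healthy(probe(port, "127.0.0.1")),
            "host picked from backend": healthy(probe(port, "app1.azurewebsites.net")),
        }
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'healthy' if ok else 'unhealthy'}")
```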
Is it possible to set up Azure Application Gateway to use one server as fallback if the first server is unhealthy?
We currently have this setup in our path-based rules:
/images/* -> server 1 (only server in pool 1)
/* -> server 2 (only server in pool 2)
If we take down server 1, images will return 502 gateway error even if server 2 should be able to handle it. I expected unhealthy servers to be temporarily removed from the path-based rules until they are healthy.
Yes, it's possible to use Application Gateway to achieve that. But you need to add the two VMs in one backend pool.
Just go to one backend pool and then add the second VM into the pool. Then click save.
Also, it's necessary to configure VNet and probe, etc.
More about how to use Application Gateway to offer various layer 7 load balancing capabilities for VMs, refer to this document.