We have 2 Azure VMs running IIS and hosting 50+ .Net web applications (Webforms, MVC, WCF & ASMX). Both of the 2 VMs are identical and all sites are configured using a hostname ([subdomain].domain.com) on port 443 and requiring SSL.
11 of these sites are legacy and require affinity because of session state; all other sites don't and can be randomly load balanced.
All of the sites run perfectly on each of the 2 servers.
Now we would like to put an Application Gateway in front of the 2 VMs to provide load balancing, HTTPS redirect, WAF, ...
Can we configure 1 Application Gateway to do all this and make sure the affinity is only valid for those 11 sites and not for all of them and also do the https redirect?
Or do we need to configure 2 Application Gateways, 1 for the 11 affinity-dependent sites and 1 for the remaining sites, and then have DNS point to 1 of the Gateways?
In Application Gateway you can create 100 listeners (for WAF-enabled SKUs), so you should be able to accommodate your setup with one Application Gateway.
When you are creating HTTP settings, you can choose whether to enable cookie-based affinity or not.
Application Gateway has all the features you requested, like HTTP to HTTPS redirection and WAF protection.
So you should be able to deploy an Application Gateway and configure it to make your setup work.
I have 3 app services on Azure, like
app1.azurewebsites.net
app2.azurewebsites.net
app3.azurewebsites.net
And I have created an Application gateway in front of them, with WAF enabled.
And I'm going to set up 3 custom domains and an SSL certificate for each of the app services.
What I want to achieve is like below:
visit https://app1.mydomain.com=>Application Gateway=>app1.azurewebsites.net
visit https://app2.mydomain.com=>Application Gateway=>app2.azurewebsites.net
visit https://app3.mydomain.com=>Application Gateway=>app3.azurewebsites.net
Is this possible with only 1 application gateway supporting multiple domains? Or must I purchase 3 gateways, which is 3 times the cost? Basically I only want to use the WAF to protect my sites.
Your ask is possible with one Application Gateway.
Here is the configuration that you need to set up.
Listener 1 (app1.mydomain.com) --> HTTP Setting 1 (Check Use App Service check box) --> Backend Pool 1(app1.azurewebsites.net)
Listener 2 (app2.mydomain.com) --> HTTP Setting 2 (Check Use App Service check box) --> Backend Pool 2(app2.azurewebsites.net)
Listener 3 (app3.mydomain.com) --> HTTP Setting 3 (Check Use App Service check box) --> Backend Pool 3(app3.azurewebsites.net)
So, you need 3 listeners, 3 HTTP settings, 3 backend pools and 3 rules.
You need to create a probe for each HTTP setting, enable the HTTPS protocol, and also check "Pick host name from backend HTTP settings".
Reference: https://learn.microsoft.com/en-us/azure/application-gateway/configure-web-app-portal
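The two answers above (per-site cookie affinity on one gateway, and one listener/HTTP setting/pool/probe/rule per hostname) as one worked configuration. This is an added Az PowerShell example, not code from the thread or from Microsoft's tutorial; the resource group, VNet/subnet, public IP, PFX path and the `$sites` table are assumptions, and `Affinity` is switched on only for the site that needs it.

```powershell
# Added example (not from the thread): one WAF_v2 gateway, one listener / HTTP setting /
# pool / probe / rule per hostname, cookie affinity as a per-site flag, port 80 redirected.
# Resource group, VNet/subnet, public IP, PFX path and the $sites table are assumptions.
$rg = 'rg-appgw'; $loc = 'westeurope'
$sites = @(
    @{ Name = 'app1'; Host = 'app1.mydomain.com'; Backend = 'app1.azurewebsites.net'; Affinity = $false },
    @{ Name = 'app2'; Host = 'app2.mydomain.com'; Backend = 'app2.azurewebsites.net'; Affinity = $true }
)
$vnet   = Get-AzVirtualNetwork -Name 'vnet-appgw' -ResourceGroupName $rg
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'snet-appgw' -VirtualNetwork $vnet
$pip    = Get-AzPublicIpAddress -Name 'pip-appgw' -ResourceGroupName $rg
$gwIp    = New-AzApplicationGatewayIPConfiguration -Name 'gwip' -Subnet $subnet
$feIp    = New-AzApplicationGatewayFrontendIPConfig -Name 'feip' -PublicIPAddress $pip
$port80  = New-AzApplicationGatewayFrontendPort -Name 'port80' -Port 80
$port443 = New-AzApplicationGatewayFrontendPort -Name 'port443' -Port 443
$cert    = New-AzApplicationGatewaySslCertificate -Name 'wildcard' -CertificateFile 'C:\certs\wildcard.pfx' -Password (Read-Host -AsSecureString 'PFX password')

$pools = @(); $probes = @(); $settings = @(); $listeners = @(); $redirects = @(); $rules = @(); $prio = 100
foreach ($s in $sites) {
    $pool  = New-AzApplicationGatewayBackendAddressPool -Name "$($s.Name)-pool" -BackendFqdns $s.Backend
    $probe = New-AzApplicationGatewayProbeConfig -Name "$($s.Name)-probe" -Protocol Https -Path '/' `
               -Interval 30 -Timeout 30 -UnhealthyThreshold 3 -PickHostNameFromBackendHttpSettings
    # Affinity only for sites whose session state needs it; the rest are balanced freely.
    $affinity = if ($s.Affinity) { 'Enabled' } else { 'Disabled' }
    # -PickHostNameFromBackendAddress suits App Service backends; for IIS VMs bound by
    # hostname, omit it so the client's Host header is passed through unchanged.
    $setting = New-AzApplicationGatewayBackendHttpSetting -Name "$($s.Name)-http" -Port 443 -Protocol Https `
               -CookieBasedAffinity $affinity -PickHostNameFromBackendAddress -Probe $probe
    # Multi-site listeners share a port and are told apart by hostname (SNI on 443).
    $https = New-AzApplicationGatewayHttpListener -Name "$($s.Name)-https" -Protocol Https -HostName $s.Host `
               -FrontendIPConfiguration $feIp -FrontendPort $port443 -SslCertificate $cert -RequireServerNameIndication true
    $http  = New-AzApplicationGatewayHttpListener -Name "$($s.Name)-http" -Protocol Http -HostName $s.Host `
               -FrontendIPConfiguration $feIp -FrontendPort $port80
    $redir = New-AzApplicationGatewayRedirectConfiguration -Name "$($s.Name)-redirect" -RedirectType Permanent `
               -TargetListener $https -IncludePath $true -IncludeQueryString $true
    $rules += New-AzApplicationGatewayRequestRoutingRule -Name "$($s.Name)-rule" -RuleType Basic -Priority $prio `
               -HttpListener $https -BackendAddressPool $pool -BackendHttpSettings $setting
    $rules += New-AzApplicationGatewayRequestRoutingRule -Name "$($s.Name)-to-https" -RuleType Basic -Priority ($prio + 1) `
               -HttpListener $http -RedirectConfiguration $redir
    $pools += $pool; $probes += $probe; $settings += $setting; $listeners += $https, $http; $redirects += $redir
    $prio += 10
}
$sku = New-AzApplicationGatewaySku -Name WAF_v2 -Tier WAF_v2 -Capacity 2
$waf = New-AzApplicationGatewayWebApplicationFirewallConfiguration -Enabled $true -FirewallMode Prevention -RuleSetType OWASP -RuleSetVersion '3.2'
New-AzApplicationGateway -Name 'appgw-waf' -ResourceGroupName $rg -Location $loc -Sku $sku `
    -GatewayIPConfigurations $gwIp -FrontendIPConfigurations $feIp -FrontendPorts $port80, $port443 `
    -SslCertificates $cert -BackendAddressPools $pools -Probes $probes -BackendHttpSettingsCollection $settings `
    -HttpListeners $listeners -RedirectConfigurations $redirects -RequestRoutingRules $rules `
    -WebApplicationFirewallConfiguration $waf
```

Adding the 11 affinity-dependent IIS sites from the first question is just more rows in `$sites` with `Affinity = $true`; nothing else in the script changes.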
I have two app services, one for the UI and one for the web API. I need to create a DNS entry so that I can access them as www.example.com/ui and www.example.com/api. Can anyone let me know how to achieve this without the virtual directory concept?
Thanks
You cannot achieve this purely with DNS. DNS knows nothing about routes, only domain names. So www.example.com must resolve to one service, which should be your reverse proxy, maybe Application Gateway?
Here's the tutorial on hosting two apps behind Application Gateway: Tutorial: Create an application gateway that hosts multiple web sites using the Azure CLI.
Multiple-site hosting enables you to configure more than one web site on the same application gateway instance. This feature allows you to configure a more efficient topology for your deployments by adding up to 20 web sites to one application gateway. Each web site can be directed to its own pool. For example, application gateway can serve traffic for contoso.com and fabrikam.com from two server pools called ContosoServerPool and FabrikamServerPool.
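The reverse-proxy setup the answer above points to, as an added Az PowerShell example (not from the thread or the linked tutorial): one hostname, one listener, and a URL path map that sends /ui/* and /api/* to two App Service backends. The gateway, listener and probe names and the two App Service hostnames are assumptions, and the `www-https` listener is assumed not to be bound to another routing rule yet.

```powershell
# Added example (not from the thread): path-based routing on an existing gateway so that
# www.example.com/ui/* and /api/* reach two App Service backends behind one hostname.
# Gateway, listener and probe names and the App Service hostnames are assumptions.
$gw = Get-AzApplicationGateway -Name 'appgw-waf' -ResourceGroupName 'rg-appgw'
$listener = Get-AzApplicationGatewayHttpListener -ApplicationGateway $gw -Name 'www-https'
$gw = Add-AzApplicationGatewayProbeConfig -ApplicationGateway $gw -Name 'appsvc-probe' -Protocol Https -Path '/' `
        -Interval 30 -Timeout 30 -UnhealthyThreshold 3 -PickHostNameFromBackendHttpSettings
$probe = Get-AzApplicationGatewayProbeConfig -ApplicationGateway $gw -Name 'appsvc-probe'

$apps = @(@{ Name = 'ui'; Fqdn = 'ui-app.azurewebsites.net' }, @{ Name = 'api'; Fqdn = 'api-app.azurewebsites.net' })
foreach ($a in $apps) {
    $gw = Add-AzApplicationGatewayBackendAddressPool -ApplicationGateway $gw -Name "$($a.Name)-pool" -BackendFqdns $a.Fqdn
    # -Path '/' replaces the matched prefix, so /api/users reaches the API app as /users;
    # drop it if the apps already serve their content under /ui and /api themselves.
    $gw = Add-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $gw -Name "$($a.Name)-http" -Port 443 `
            -Protocol Https -CookieBasedAffinity Disabled -PickHostNameFromBackendAddress -Probe $probe -Path '/'
}
$uiPool  = Get-AzApplicationGatewayBackendAddressPool -ApplicationGateway $gw -Name 'ui-pool'
$apiPool = Get-AzApplicationGatewayBackendAddressPool -ApplicationGateway $gw -Name 'api-pool'
$uiHttp  = Get-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $gw -Name 'ui-http'
$apiHttp = Get-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $gw -Name 'api-http'

# One URL path map: /ui/* and /api/* each go to their own pool; anything else falls back to the UI app.
$uiRule  = New-AzApplicationGatewayPathRuleConfig -Name 'ui'  -Paths '/ui/*'  -BackendAddressPool $uiPool  -BackendHttpSettings $uiHttp
$apiRule = New-AzApplicationGatewayPathRuleConfig -Name 'api' -Paths '/api/*' -BackendAddressPool $apiPool -BackendHttpSettings $apiHttp
$gw = Add-AzApplicationGatewayUrlPathMapConfig -ApplicationGateway $gw -Name 'www-paths' -PathRules $uiRule, $apiRule `
        -DefaultBackendAddressPool $uiPool -DefaultBackendHttpSettings $uiHttp
$map = Get-AzApplicationGatewayUrlPathMapConfig -ApplicationGateway $gw -Name 'www-paths'
$gw = Add-AzApplicationGatewayRequestRoutingRule -ApplicationGateway $gw -Name 'www-rule' -RuleType PathBasedRouting `
        -Priority 50 -HttpListener $listener -UrlPathMap $map
Set-AzApplicationGateway -ApplicationGateway $gw
```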
I have developed 2 applications in Spring Boot with embedded Tomcat. I have one cloud server (Azure) and I have run both applications on that server. The first app runs on port 80 and the other one on 81. I have domain name registrations in GoDaddy; for example, the first app is www.abc.com and the second one is www.xyz.com. How do I configure in the Azure console that when a request comes for www.abc.com, port 80 should serve the request, and otherwise the request should be served by port 81? Please help me out with configuring the deployment.
You should be able to accomplish this by implementing User Defined Routes
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview
Additionally, Azure offers Load Balancers and Traffic Managers that you could implement as well to manage the traffic.
https://azure.microsoft.com/en-us/services/load-balancer/
https://azure.microsoft.com/en-us/services/traffic-manager/
Is it possible to set up Azure Application Gateway to use one server as a fallback if the first server is unhealthy?
We currently have this setup in our path-based rules:
/images/* -> server 1 (only server in pool 1)
/* -> server 2 (only server in pool 2)
If we take down server 1, images will return 502 gateway error even if server 2 should be able to handle it. I expected unhealthy servers to be temporarily removed from the path-based rules until they are healthy.
Yes, it's possible to use Application Gateway to achieve that. But you need to add the two VMs to one backend pool.
Just go to one backend pool and then add the second VM to the pool. Then click save.
Also, it's necessary to configure the VNet and probe, etc.
For more about how to use Application Gateway to offer various layer 7 load balancing capabilities for VMs, refer to this document.
I have two VMs with IIS that host my application with Azure Application Gateway distributing the traffic. The gateway is configured to offload SSL and everything is working fine.
However, I'd like to use client certificate authentication on one of the paths of the application - on NetScaler (or some other load balancer) I'd simply put serialized client certificate into HTTP Header (X-Client-Cert).
Can I do something similar with Application Gateway?
At the moment that's not possible, but it is in the pipeline of product development of the Azure product team.