I have an Azure WebRole, which publishes a WCF Service with PerSession setting. This means, session needs to be preserved for a long time... This is because of synch-framework and cannot be changed.
Now I have a problem when I want to use multiple instances on that Web Role (Classic Azure Cloud Service).
Can I configure an Application Gateway with endpoints pointing not to the public WebRole but to each instance, so that the Gateway handles the balancing?
How?
Thanks
Technically, the Application Gateway supports multi-tenant backends; you could configure an IP address or FQDN of your instances in the backends. Here is a quickstart: Direct web traffic with Azure Application Gateway - Azure portal
However, the Application Gateway is known as application layer (OSI layer 7) load balancing, which enables you to manage traffic to your web applications. Perhaps the traditional layer 4 load balancer is better for balancing a WCF Service. Moreover, in Cloud Services, you get a load balancer automatically configured when you create the service. You could get more explanation in this question.
Ref: Get started creating an internal load balancer (classic) for cloud services
I would like to setup my apps with High Availability and Security in mind and thinking of using the Azure Application Gateway to provide WAF and Load Balancing (Layer-7) capabilities. I couldn't find any concrete information from official documentation that this is a supported setup (using App Service as AG backends). The official documentation only states VMs:
https://learn.microsoft.com/en-us/azure/application-gateway/overview
Here's a simplified architecture.
Does anyone have first-hand experience with this setup?
Azure Application Gateway supports App Services as the backend. If you want to use the High Availability of App Service, you could target two app services in the same backend pool; then the traffic received by the App GW frontend will go round-robin to the backends in the pool. You could get more details from Configure App Service with Application Gateway.
If you just want to host multi-site in the same Azure application gateway, then each site will direct to each backend pool, you could follow this tutorial: Create and configure an application gateway to host multiple web sites using the Azure portal
I have an environment setup with multiple azure web apps across multiple Azure service plans.
I'm now retrospectively trying to add an azure WAF between the wider internet and the websites.
I have created a WAF, but am now struggling to understand whether it is currently possible to continue to use the *.azurewebsites.net app addresses and route traffic through the WAF?
Is it possible to use the built in *.azurewebsites.net app service addresses as the external entry point to the Azure WAF?
I think I understand your question. What you need to do is route the traffic to the application gateway and add the Azure web app as the backend to the application gateway.
https://learn.microsoft.com/en-us/azure/application-gateway/create-web-app
You cannot use Azure *.azurewebsites.net as an endpoint for Application Gateway.
I have configured an Application Gateway in front of multiple Azure Web App backend pools as per this article.
In addition to providing a WAF, I use the Application Gateway to offload the SSL connection to the backend pools. I have configured the backend pools to use the FQDN of the App Service instances as they're not currently deployed into a VNET.
Based on the following scenario:
Request to custom.com:443 ---> Application Gateway ---> custom.azurewebsites.net:80
My concern is that the connection from the Application Gateway to the Web App is unencrypted over port 80 and I haven't found anywhere that describes this connectivity as happening over the Azure backbone network. Is there any risk that this traffic could be sniffed and compromised?
Spoke to Microsoft support who said the traffic from my Application Gateway to my Web App will stay on the Microsoft backbone.
He also pointed me to the following knowledge article, which states:
If the destination address is for one of Azure's services, Azure routes the traffic directly to the service over Azure's backbone network, rather than routing the traffic to the Internet. Traffic between Azure services does not traverse the Internet, regardless of which Azure region the virtual network exists in, or which Azure region an instance of the Azure service is deployed in.
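The gateway-to-backend hop discussed in this thread can be checked from the gateway's own configuration. The following is an added example, not code from the original posts: it audits the backend HTTP settings of an Application Gateway for cleartext backend connections. It assumes the JSON shape and field names (`backendHttpSettingsCollection`, `protocol`, `port`, `pickHostNameFromBackendAddress`, `hostName`) as printed by `az network application-gateway show`; the sample data and all names in it are constructed.

```python
import json

# Constructed sample in the shape `az network application-gateway show -o json`
# is assumed to return; the gateway and setting names are made up.
SAMPLE_GATEWAY = json.loads("""
{
  "name": "example-appgw",
  "backendHttpSettingsCollection": [
    {"name": "webapp-http", "port": 80, "protocol": "Http",
     "pickHostNameFromBackendAddress": true},
    {"name": "webapp-https", "port": 443, "protocol": "Https",
     "pickHostNameFromBackendAddress": true},
    {"name": "odd-https", "port": 80, "protocol": "Https",
     "pickHostNameFromBackendAddress": false, "hostName": null}
  ]
}
""")


def audit_backend_settings(gateway):
    """Return (setting name, finding) pairs for risky backend HTTP settings."""
    findings = []
    for s in gateway.get("backendHttpSettingsCollection", []):
        name = s.get("name", "<unnamed>")
        protocol = str(s.get("protocol", "")).lower()
        port = s.get("port")
        if protocol != "https":
            # The scenario from the question: TLS ends at the gateway and the
            # request continues to the web app unencrypted.
            findings.append((name, f"cleartext {protocol or 'unknown'} to backend on port {port}"))
            continue
        if port == 80:
            findings.append((name, "protocol is Https but port is 80; check for misconfiguration"))
        # App Service routes on the Host header and its default certificate is
        # issued for *.azurewebsites.net, so the gateway must send a matching name.
        if not s.get("pickHostNameFromBackendAddress") and not s.get("hostName"):
            findings.append((name, "no backend host name set; TLS name check and App Service routing may fail"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_backend_settings(SAMPLE_GATEWAY):
        print(f"{name}: {finding}")
```

Running it against the real output of `az network application-gateway show` for a gateway gives one line per setting that still forwards traffic to the backend in cleartext.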
I am creating a network with 2 app services, containing 2 slots each
I know the load balancers are designed to work with VMs, but I am wondering if it is possible to place a load balancer on these 2 app services to balance the load between them. Is it possible to do so?
When you Scale your Web App you add instances of your current pricing tier and Azure deploys your Web App package to each of them.
There's a Load Balancer over all your instances, so, traffic is automatically load balanced between them. You shouldn't need a Virtual Machine for this and you don't need to configure any extra Traffic Manager.
You may want to refer: scale your app in Azure App Service for more details.
"but I am wondering if it is possible to place a load balancer on these 2 app services to balance the load between them. Is it possible to do so?"
According to your description, maybe you are looking for Azure Application Gateway (layer 7).
Azure application gateway works at the application layer (Layer 7 in the OSI network reference stack). It acts as a reverse-proxy service, terminating the client connection and forwarding requests to back-end endpoints.
Azure Application Gateway supports HTTP, HTTPS and WebSockets.
Here are the features offered by each service:
For more information about Application Gateway, please refer to this article.
Maybe a little late, but I guess this is what you are looking at:
Scale Out- A scale out operation is the equivalent of creating multiple copies of your web site and adding a load balancer to distribute the demand between them. When you scale out a web site in Windows Azure Web Sites there is no need to configure load balancing separately since this is already provided by the platform.
https://azure.microsoft.com/en-us/blog/scaling-up-and-scaling-out-in-windows-azure-web-sites/
We are currently running a virtual network with a web cluster (2 servers) hosting our front end .NET web application and a service cluster (2 servers) hosting our internal .NET WCF service which then connects to the database.
So at the moment we have one external IP which points to www.ourwebsite.com which is load balanced over our web cluster. We then have an internal load balancer on an internal IP which points to wcf.outwebsite.local using an internal DNS server so all the traffic to the back end remains in our private virtual network.
We are looking to deploy this onto Azure App Service Premium in an internal network. We would use 2 app pools, 1 for the front end application and one for the backend WCF service, so they can scale independently of each other. What I can't work out is how we can set internal URLs or IP addresses for the back end WCF service and ensure that they can't be accessed by the outside world.
Does anyone know if this is possible in Azure App Service so we can secure internal services? I can't find anything in their documentation about it.
I guess you are referring to Azure App Service Environment.
You can control inbound requests via Network Security Gateways. See this article:
https://azure.microsoft.com/en-us/documentation/articles/app-service-app-service-environment-control-inbound-traffic/