I am new on azure.
I have multiple web apps on my azure subscription. Strangely, I have found two of them have the same external IP. They are now sharing any resources with each other. How this is possible, and how to change it, if there is away?
Azure App Services are deployed to scale units. A scale unit is a collection of servers inside an azure datacenter. A default scale unit can contain up to 1000 servers (or more). Servers inside a scale unit can have different roles, the most important are the worker role and the front end role. Servers with the worker role run customers applications while servers with the front end role act as load balancer and distribute incoming requests to the applications running on the servers with the worker role.
It is important to note here that each scale unit has only one inbound virtual IP address. This means that when you are running applications in an app service plan these applications do not only share the IP with other applications of this app service plan, but also with applications from other customers whose apps run inside the scale unit.
For SSL connections, usually SNI (Server Name Indication) is used, which is supported by all major web browsers.
Now if you want to get a dedicated IP address for your web app, there are two ways you can achieve this:
When using a custom domain, you can bind a certificate with IP SSL to your app service. In this case, the app service generates a static IP address for you and you have to remap the A record of your custom domain to this new address. Beware that your IP address can change when you delete this binding.
Use an App Service environment which enables to run your apps in your own Azure Virtual Network. To make use of this you need to pay for an isolated app service plan which can be quite cost intensive.
Related
To clarify what I'm not asking about, there's alot of documentation about using endpoints to expose apps in a App Service Plan to a vnet, which is useful for private communication between vnet hosted VMs or other resources outside the app service plan.
What I'm asking about is specifically communication between two apps inside the same app service plan. So if we had PlanA, and AppB and AppC both deployed to that plan, then if PlanA scales to two instances, each instance would have both AppB and AppC inside it. Very similar to an IIS farm hosting multiple applications.
If I want to disable public access for AppC, but still allow AppB to call AppC(imagine if AppC is a API service and AppB is a front end web app), is that possible? How would you resolve that call if the AppC doesn't have a public IP? Would the domain appC.azurewebsites.net resolve to a privateIP that AppB can access?
The fact that two app services run in one app service plan means only that these app services can share the same set of computing resources (CPU, memory, etc.) and it does provide any network isolation or private IP addresses within an app service plan.
If you want to keep the existing setup and restrict access to AppC, you can whitelist IP addresses of AppB as follows:
Go to the AppB in Azure Portal, click Properties and copy the list of Outbound IP addresses.
Go to the AppC, click Networking -> Access Restrictions and deny access to everything apart from the outbound IP addresses you copied in step 1.
The domain appC.azurewebsites.net will still have a public IP address but Azure will only allow accessing it from the IP addresses you configured and return 403 error to any other client.
However, if you want to have a truly private endpoint and more granular control over routing configuration, then consider integrating your app services with Azure virtual network as described here. Virtual networks are not limited to VMs, they can be used for app services too.
In Azure, I have 3 Web Apps (for simplicity):
Frontend website
Endpoint 1
Endpoint 2
The frontend website requests data from an endpoint.
Both endpoints are synchronized all the time (outside the scope of this question), but sometimes I need to do some maintenance on them, which gives me some downtime.
Can I somehow setup a loadbalancer only my frontend website can see, and get any of the online endpoints - like this:
The last line of this article says Internal Load Balancers might be the fit:
Can I use ILB on PaaS services (Web/Worker roles)?
ILB is designed to work with web/worker roles as well, and it is available from SDK 2.4 onwards.
Does anyone know of a guide, or have tried making this with Web Apps?
I dont think this is something you can achieve "natively" with load balancers. App Services are not actually bound to the VNet. Previously you could only use point-to-site vpn to connect them to vnet, right now there is a new vnet integration feature in preview which might allow you to use internal load balancers, but I doubt that, because they (load balancers) only allow to use virtual machines\scale sets\availability sets as backend pools.
Application gateways can be bound to the App Services. And they can be internal as well. You'd also need to restrict App Service(s) to receive traffic from anything that is not you Application gateway.
You can use traffic manager\front door for this sort of load balancing, but the endpoints won't be private
If two logic apps are there in two different regions and I want to do load balancing between these two how to do this.
Through some source, I got to know that it is possible through API management but they have not mentioned how to do this.
So, how to do load balancing between two logic apps?
Well...why do you want to do this? "Load Balancing" especially with LogicApps is fundamentally different on Azure than on-premise or self hosted. It's not wrong, just different ;)
What they were probably referring to was Azure Load Balancer which appears as a Networking Service, not APIM.
This, you can use to distribute requests as you would with traditional load balancers.
Since you want to load balance across regions I would look into Azure Traffic Manager. Traffic Manager is a DNS load balancer that sits outside/above Azure regions and allows you to have traffic balanced based on various performance profiles (i.e. Weighted, Performance, etc.)
High Level / General steps are:
Setup Logic Apps in 2 Regions
Create and register public dns domain for the logic apps - apps.foo.com (done outside Azure typically)
Point your DNS record for apps.foo.com to Azure Traffic Manager
Add endpoints to Azure Traffic Manager for Logic App in Region 1 and Logic App in Region 2 and setup your traffic manager profile
Calls to the Logic App start with the custom DNS domain get routed to ATM which then distributes to the regions based on your configured profile.
We have a third party product run as a windows service, expose as a web service. The goal is to dynamically provision the service instances in business peak hours.
Just to run the thought with you guys,
- I've already deployed the service on multiple vm, configured the vm in the same cloud service Availability Sets, configured azure to turn on/off vm instances based on cpu use
- I am to configure a separate vm, run iss arr there, add points to the endpoints on the vm configured above, with the hope ARR balanced the requests to the back-end vm dynamically
Will this work? What's the best practice for the IaaS scale? Any thoughts? Truly appreciate the input.
If I have understood correctly, you just need to use the built in load balancer of the cloud service. Create a load balance set for your endpoint. For example, if you want to balace the incoming traffic to port 80 in your application all you have to do is to create a LB-set for this port and configure this set to all the VMs in the Cloud Service.
The Azure Load Balancer randomly distributes a specific type of
incoming traffic across multiple virtual machines or services in a
configuration known as a load-balanced set. For example, you can
spread the load of web request traffic across multiple web servers or
web roles.
Configure a load-balanced set
Azure load balancing for virtual machines
No matter if VMs are up or down, once it turns on and if the endpoint is configured in the same LB-set, it will automatically start responding to requests once port 80 is online (IIS started and is returning STATUS 200 OK, for example). So, answering your question: yes, it will work with auto-scale or manuallying turning on/off vms.
I have a Cloud Service that is connected to a LAN through a virtual network. I have a web role that machines on the LAN will be hitting for tasks like telling the cloud service that data needs to be refreshed. It it possible to have and endpoint that's load-balanced, but that only accepts traffic through the virtual network?
Well... you have a few things to think about.
You could set up your own load balancer in a separate role, which then does the load balancing. You'd probably want two instances to deal with high availability, and if there was any stateful/sticky-session data you'd need to sync it between your two load balancers. OR...
Now: If your code needing load-balancing lived in a Virtual Machine, rather than in a web/worker role, you could take advantage of the brand-new IP-level endpoint ACL feature introduced at TechEd. With this feature, you can have an endpoint that allows/blocks traffic based on source IP address. So you could have a load-balanced endpoint balancing traffic between a few virtual machines, and you could then limit access to, say, your LAN machines, and even add your existing Cloud Service (web/worker) VIP so that your web and worker role instances could access the service, all through the endpoint without going through the VPN. This way, you'd get to take advantage of Azure's built-in load balancer, while at the same time providing secure access for your app's services.
You can see more details of endpoint ACLs here.
No. The load balancer for a cloud service is public only. You can't predict the ip addresses of the individual instances on the virtual network, so you can't even hook them into your own load balancer. Yes, you can do it with VMs (as David recommends) — but then you're doing old-school IIS, not a cloud service. I went through this in November 2012, and was unable to find a decent solution.