What is the Best way to Load balance Azure web apps deployed under one Azure App Service plan - azure

I have 1 web app running under one App Service plan. As I am using a premium Azure App Service plan with 15 instances, we are consuming only 10 percent of CPU. So to increase the availability and responsiveness of our app, I was planning to deploy one more instance of the same app with a different name under the same App Service plan.
So now I am running my-app and my-app01 under 1 App Service plan. Now I want to distribute the incoming traffic between these 2 apps.
As these apps are running under one App Service plan, they are running in the same location. So Azure Traffic Manager doesn't allow endpoints from the same location. To bypass this I have used Traffic Manager nested endpoints to list both my app endpoints under one Traffic Manager profile.
Then I added my custom domain name to Traffic Manager as a CNAME record mapping:
myapp.abhisqs.com -> abhisq.trafficmanager.net -> (my-app.azurewebsites.net , my-app01.azurewebsites.net)
After doing this I was not able to open my app by hitting https://myapp.abhisqs.com/pages/default.aspx from the URL; it was throwing a 403 error. So I added a hostname (myapp.abhisqs.com) and SSL binding for my-app. Then I was able to open my app using https://myapp.abhisqs.com/pages/default.aspx.
So now my other app instance my-app01 doesn't have a hostname and SSL binding, so if my primary app (my-app) is off, I am not able to open the app UI (it fails with error 403). Also, from the Azure portal I am not able to add the host name and SSL binding to my second app, which is running under the same App Service plan. It throws the error "the host name 'myapp.abhisqs.com' is already configured for my-app so first remove that then configure with this."
So my question is: what is the best way to have multiple apps under the same service plan, load balanced under one single custom domain name?

Related

Unhealthy backend after scaling up App Service plan

I have an Application Gateway running with a web application in an App Service plan. The Application Gateway listens and passes requests to the backend, which is the web app. There is a health probe implemented that works fine.
The web app was reachable fine until I scaled up the service plan. Suddenly the health probe timed out reaching the backend and I got a 502 Bad Gateway error in the browser when trying to reach the web application. After hours the website was suddenly back and the backend was healthy again. I was under the impression that you could scale the App Service plan up and down without any noticeable effect on the website, but it seems the gateway was not playing along.
Did I configure something wrong, or should this work like I assumed?
I tried to reproduce the same in my environment, created an App Service running with an Application Gateway, and got a 502 error.
The number of TCP connections allowed by the Standard plan, while it is an older one, contains double; make sure while scaling up and down in App Service to try to remain in the same tier, so that the inbound IP will wait for some time and then scale back.
Try to update your default setting in Configuration -> General settings -> ARR Affinity Off. Either your application isn't stateful, or the session state is kept on a distant service like a cache or database. And try to run your application with a minimum of 2-3 instances to prevent failure.
You can make use of App Service diagnostics, which gives you the right information to more easily
For Reference:
Get started with autoscale in Azure - Azure Monitor| Microsoft
Guide to Running Healthy Apps - Azure App Service
And I got the same error in Application Gateway as well; to avoid the issue:
In your virtual network -> Service endpoints -> Add endpoint Microsoft.Web in the default subnet.

How does Azure Service Plan load-balance traffic with different apps

I am trying to understand better how an Azure App Service Plan (ASP) load-balances the traffic when multiple/different App Services are deployed in it.
Let's assume my ASP is made of 2 nodes (VMs or instances) and I deploy 2 apps (total 4 app instances running) with the following URLs:
https://app1.azurewebsites.net
https://app2.azurewebsites.net
I know that there are ASP front-ends acting as load balancers. So here, if I understand correctly, it is like when I have a web server hosting different websites and address distinction is based on virtual hostnames (which are the URLs above). Right?
App Service is a multitenant service, so it uses the host header in the request to route the request to the correct endpoint. The default domain name of App Services, *.azurewebsites.net (say, contoso.azurewebsites.net), is different from the application gateway's domain name (say, contoso.com). ref.1
When using App Service, you can scale your apps by scaling the App Service plan they run on. When multiple apps run in the same App Service plan, each scaled-out instance runs all the apps in the plan.
Apps are allocated to available App Service plan instances using a best-effort approach for an even distribution across instances. While an even distribution is not guaranteed, the platform will make sure that two instances of the same app will not be hosted on the same App Service plan instance.
The platform does not rely on metrics to decide on worker allocation. Applications are rebalanced only when instances are added or removed from the App Service plan.
You can also now do Per-app scaling, which can be enabled at the App Service plan level to allow for scaling an app independently from the App Service plan that hosts it. This way, an App Service plan can be scaled to 10 instances, but an app can be set to use only five. ref.2

How to add Azure App Service redundancy using Application Gateway?

What is the recommended best practice for using Azure Application Gateway with redundant App Services (in either different regions or availability sets)? I've had some issues recently where our App Service would occasionally go down for a couple of minutes (due to maintenance in MSFT's data center) and I'd like to have our Application Gateway redirect load to another instance or App Service when this happens.
Currently traffic is handled as such: public request -> app.example.com -> app gateway -> app.example.com -> backend App Service.
I've been unable to add a second App Service because when I attempt to do so I get the error "Hostname is already being used in the following App: myappservicename. Please remove the Hostname from myfirstappservice, and try again" when I attempt to add the custom domain to a second App Service. It seems my custom domain would need to be added to each individual App Service in order for traffic to be routed properly to my backend web app. Or is there another way I should have traffic configured?
You should bind your custom domain to your Application Gateway only and add your two App Services into a backend pool, so that the traffic becomes:
public request -> app.example.com -> app gateway -> backend pool (handled by one of your 2 App Services)
which meets your requirement.

Can I change the App Service Plan/App Service to use the App Services Environment

I first created the App Service Plan and App Service and later created the App Service Environment. Now I want to change the App Service Plan to use the newly configured ASE, but I am not able to change it. I created another App Service Plan to use the ASE, but then it was not visible under Change App Service Plan within App Services.
If apps have already been deployed into an existing App Service Plan, unfortunately there is no straightforward option to move them to an ASE.
All you can do is clone the app into a new ASP which has been deployed into your ASE, or redeploy the app in the ASE.
Follow this for more information: Cloning an existing App to an App Service Environment

Do I need point-to-site VPN with Azure WAF and web app

I have been messing around with Azure trying to get a web app up and running. My plan was to create a WAF and sit the web app behind that, each in a separate subnet, and then to use the service endpoint tech to point the web app to a database.
I have been stopped in my tracks almost straight away with the revelation that if I want to use a WAF in front of the web app I have to configure the networking in the web app, but when I choose a VNet it says that no gateway is configured for the selected VNet.
My question is: do I have to use point-to-site VPN to get this setup working? I thought that it would work like
INTERNET ---> VNET ----> subnet ----> WAF -----> subnet -----> web app ----> service endpoint ------> DB
but that doesn't seem to be the case. I am not keen on the idea of having to install a client certificate on every machine in our network that might want to access this website (it is currently internal). I suppose I am looking for the best of both worlds: accessible from the internet, but having the added comfort of something like a WAF sat in front of it to make up for any security inadequacies which might exist somewhere in said app.
Thanks
As far as I know, you cannot deploy a web app in a VNet unless you are using the App Service Environment (Isolated). App VNet integration cannot do it; it allows you to securely access resources in a VNet. For example, you have a database on an Azure VM in a private VNet. You could not access this database from an Azure web app if the database is not available publicly, but you could reach it via app VNet integration.
VNet service endpoints are a different service. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. If you enable such a service endpoint, e.g. for Azure SQL Database (which differs from a database on an Azure VM) in a VNet, this means only the resources in these authorized VNets could access your SQL database, unless you add an exclusion like a public IP address in the firewall of the database.
In this case, you could put a public-facing Azure Application Gateway in front of the web app, then add the Application Gateway's public IP in the IP restrictions of the web app. This will restrict access to the web app to the Azure Application Gateway over the Internet. Also, you could control the network inbound and outbound traffic in the Application Gateway subnet NSG. See Network security groups on the Application Gateway subnet if you want to add an NSG at the app gateway subnet level. I think these are enough if you just want to create a WAF and sit the web app behind it.
Furthermore, if you want to let the web app privately access the Azure SQL Database, you could deploy the web app in an ASE, then enable the VNet service endpoint for Azure SQL Database. App VNet integration does not need to be used with the service endpoint.
If you want to use Azure WAF with Azure App Service (multi-tenant) you can; you just need to ensure you are supplying the host header with your request.
If you want your Azure Web App on a VNet, you will need to run your Azure Web App on an App Service Environment (Isolated). This version of Azure Web App is more expensive but allows you to apply NSGs to the VNet to fully control access to your web app. Personally I think WAF with Azure App Service (multi-tenant) should meet your needs.
We have it all documented here:
https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-web-app-overview
https://learn.microsoft.com/en-us/azure/application-gateway/configure-web-app-portal
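The gateway-in-front setup recommended in the answers above (custom domain on the gateway only, both apps in one backend pool, the host header supplied to App Service, and the apps' IP restrictions limited to the gateway) as an added Azure CLI script; it is not code from this thread or from Microsoft's docs. Resource group, gateway and public IP names, the probe path and the placeholder address are assumptions, and the script only prints the az commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread. Puts my-app and my-app01 behind one
# Application Gateway backend pool, makes the gateway send each backend's own
# *.azurewebsites.net name as the Host header (multi-tenant App Service routes
# on Host, so without it the probe and the requests get 403/404), and then
# restricts both apps so only the gateway's public IP can reach them.
# Set APPLY=1 to execute the az commands; by default they are only printed.
set -eu

RG="${RG:-rg-webapps}"                 # assumed resource group
AGW="${AGW:-agw-webapps}"              # assumed Application Gateway name
AGW_PIP="${AGW_PIP:-agw-webapps-pip}"  # assumed public IP resource of the gateway
APPS="my-app my-app01"                 # the two app names from the question
PROBE_PATH="${PROBE_PATH:-/pages/default.aspx}"  # page named in the question

# Print the command in dry-run mode (default); execute it when APPLY=1.
run() { if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi; }

# Backend pool with both apps, plus a probe and HTTP settings that take the
# Host header from the backend address instead of the client's custom domain.
configure_backend() {
  servers=""
  for a in $APPS; do servers="$servers $a.azurewebsites.net"; done
  run az network application-gateway address-pool create -g "$RG" \
      --gateway-name "$AGW" -n webapps-pool --servers $servers
  run az network application-gateway probe create -g "$RG" --gateway-name "$AGW" \
      -n webapps-probe --protocol Https --path "$PROBE_PATH" \
      --host-name-from-http-settings true
  run az network application-gateway http-settings create -g "$RG" \
      --gateway-name "$AGW" -n webapps-https --port 443 --protocol Https \
      --host-name-from-backend-pool true --probe webapps-probe
}

# One Allow rule per app; once any Allow rule exists App Service denies every
# other source, so clients can no longer bypass the WAF via *.azurewebsites.net.
restrict_apps() {
  ip="$1"
  for a in $APPS; do
    run az webapp config access-restriction add -g "$RG" -n "$a" \
        --rule-name allow-agw --action Allow --ip-address "$ip/32" --priority 100
  done
}

main() {
  ip="203.0.113.10"   # placeholder; the real address is looked up when APPLY=1
  if [ "${APPLY:-0}" = "1" ]; then
    ip="$(az network public-ip show -g "$RG" -n "$AGW_PIP" --query ipAddress -o tsv)"
  fi
  configure_backend
  restrict_apps "$ip"
}
main
```

The listener and certificate for the custom domain still go on the gateway (not on either app), and the access restriction should be repeated for the scm site if the deployment endpoint must also be locked down.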
