Windows Azure Application Gateway
This article describes three main functions of Windows Azure Application Gateway: HTTP load balancing, cookie-based session affinity, and SSL offload.
Prerequisite: create a subnet for the application gateway in the virtual network. This article uses the subnet AppGateway-1.
New-AzureApplicationGateway -Name WinAppGW -VnetName AppGatewayVnet -Subnets AppGateway-1
# Create a new application gateway named WinAppGW, placed in the virtual network AppGatewayVnet subnet AppGateway-1
# The Gateway fee is not charged at this time. Billing starts when the gateway is successfully started.
Get-AzureApplicationGateway
# Obtain the gateway details
Start-AzureApplicationGateway -Name WinAppGW
# The attempt to start the gateway fails with the message "unable to start because no configuration is made"
In this case, we first configure the "Http Load Balancing" function.
[Part.1] HTTP load balancing
1. Azure Load Balancer compared with Azure Application Gateway
Azure Load Balancer works at the transport layer (TCP/UDP) and provides layer-4 load balancing.
Azure Application Gateway provides HTTP traffic routing rules and load balances HTTP traffic at layer 7.
2. Through configuration, Application Gateway can route Http traffic to virtual machines, cloud services, web apps, and external IP addresses.
3. Experiment process:
Use two VMs as the backend web server cluster: winappgatevm-1 (10.0.0.4) and winappgatevm-2 (10.0.1.4)
The application gateway is managed and configured through an xml file. The file below configures load balancing on port 80:
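<?xml version="1.0" encoding="utf-8"?>
<ApplicationGatewayConfiguration xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/windowsazure">
  <FrontendPorts>
    <FrontendPort><Name>FrontendPort1</Name><Port>80</Port></FrontendPort>
  </FrontendPorts>
  <BackendAddressPools>
    <BackendAddressPool>
      <Name>BackendPool1</Name>
      <IPAddresses>
        <IPAddress>10.0.0.4</IPAddress>
        <IPAddress>10.0.1.4</IPAddress>
      </IPAddresses>
    </BackendAddressPool>
  </BackendAddressPools>
  <BackendHttpSettingsList>
    <BackendHttpSettings>
      <Name>BackendSetting1</Name><Port>80</Port><Protocol>Http</Protocol>
      <CookieBasedAffinity>Disabled</CookieBasedAffinity>
    </BackendHttpSettings>
  </BackendHttpSettingsList>
  <HttpListeners>
    <HttpListener><Name>HTTPListener1</Name><FrontendPort>FrontendPort1</FrontendPort><Protocol>Http</Protocol></HttpListener>
  </HttpListeners>
  <HttpLoadBalancingRules>
    <HttpLoadBalancingRule>
      <Name>HttpLBRule1</Name><Type>Basic</Type>
      <BackendHttpSettings>BackendSetting1</BackendHttpSettings>
      <Listener>HTTPListener1</Listener>
      <BackendAddressPool>BackendPool1</BackendAddressPool>
    </HttpLoadBalancingRule>
  </HttpLoadBalancingRules>
</ApplicationGatewayConfiguration>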
# Use Azure PowerShell to upload the xml file to the application gateway to complete the configuration.
Set-AzureApplicationGatewayConfig -Name WinAppGW -ConfigFile D:\web-80app.xml
# The corresponding parameter is the application gateway name and the path of the xml file
# After the gateway is set, run the following command to start the Gateway:
Start-AzureApplicationGateway -Name WinAppGW
# Obtain the gateway details. The public IP address of the gateway has been generated: 139.217.27.22
Get-AzureApplicationGateway -Name WinAppGW
I previously configured two simple websites on winappgatevm-1 (10.0.0.4) and winappgatevm-2 (10.0.1.4). Refreshing the page shows that round-robin (polling) load balancing has taken effect.
[Part.2] Cookie-based session affinity
1. Application scenarios: some applications, such as a shopping cart application or a web mail server, require the same user to stay connected to the same backend virtual machine. With cookie-based session affinity, requests from the same client session are routed to the same backend server.
2. Experiment process:
To test cookie-based session affinity, we use the following xml file:
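<?xml version="1.0" encoding="utf-8"?>
<ApplicationGatewayConfiguration xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/windowsazure">
  <FrontendPorts>
    <FrontendPort><Name>FrontendPort1</Name><Port>80</Port></FrontendPort>
  </FrontendPorts>
  <BackendAddressPools>
    <BackendAddressPool>
      <Name>BackendPool1</Name>
      <IPAddresses>
        <IPAddress>10.0.0.4</IPAddress>
        <IPAddress>10.0.1.4</IPAddress>
      </IPAddresses>
    </BackendAddressPool>
  </BackendAddressPools>
  <BackendHttpSettingsList>
    <BackendHttpSettings>
      <Name>BackendSetting1</Name><Port>80</Port><Protocol>Http</Protocol>
      <CookieBasedAffinity>Enabled</CookieBasedAffinity>
    </BackendHttpSettings>
  </BackendHttpSettingsList>
  <HttpListeners>
    <HttpListener><Name>HTTPListener1</Name><FrontendPort>FrontendPort1</FrontendPort><Protocol>Http</Protocol></HttpListener>
  </HttpListeners>
  <HttpLoadBalancingRules>
    <HttpLoadBalancingRule>
      <Name>HttpLBRule1</Name><Type>Basic</Type>
      <BackendHttpSettings>BackendSetting1</BackendHttpSettings>
      <Listener>HTTPListener1</Listener>
      <BackendAddressPool>BackendPool1</BackendAddressPool>
    </HttpLoadBalancingRule>
  </HttpLoadBalancingRules>
</ApplicationGatewayConfiguration>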
Follow the Azure PowerShell commands in Part.1 to upload the configuration. My PC can then access 139.217.27.22.
Capture the packets that access 139.217.27.22. The returned HTTP response contains a Set-Cookie header that sets the ARRAffinity cookie.
When I access 139.217.27.22 again, my HTTP request carries the cookie returned by the server, so however often I refresh, I only reach the server that was accessed the first time. The cookie is still ARRAffinity=b2b030bd049b3ae07c0c65419246492734f60ad3ec994bb9cb6414062dc14199\r\n
[Part.3] SSL offload
The Application Gateway performs the SSL encryption and decryption. The SSL session is established only between the client and the Application Gateway and does not need to be set up with every web server in the backend. All SSL processing and all SSL certificates are managed and maintained centrally on the Application Gateway, which takes the SSL encryption task off the backend VMs and frees the resources they would otherwise spend on it. In the configuration used here, the gateway forwards requests to the backend servers over plain HTTP on port 80, so that hop inside the virtual network is not encrypted.
First, you need a server certificate in .pfx format issued by the CA. We will not describe how to obtain it here.
# Upload a certificate to the Application Gateway
Add-AzureApplicationGatewaySslCertificate -Name WinAppGW -CertificateName GWCert -Password qwer1234! -CertificateFile D:\httpscert.pfx
# The parameters are the gateway name, the certificate name, the .pfx password, and the certificate path, in that order.
# The password is typed in plain text here, so it stays in the PowerShell session history.
Configure the xml file as follows:
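<?xml version="1.0" encoding="utf-8"?>
<ApplicationGatewayConfiguration xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/windowsazure">
  <FrontendPorts>
    <FrontendPort><Name>FrontendPort1</Name><Port>443</Port></FrontendPort>
  </FrontendPorts>
  <BackendAddressPools>
    <BackendAddressPool>
      <Name>BackendPool1</Name>
      <IPAddresses>
        <IPAddress>10.0.0.4</IPAddress>
        <IPAddress>10.0.1.4</IPAddress>
      </IPAddresses>
    </BackendAddressPool>
  </BackendAddressPools>
  <BackendHttpSettingsList>
    <BackendHttpSettings>
      <Name>BackendSetting1</Name><Port>80</Port><Protocol>Http</Protocol>
      <CookieBasedAffinity>Disabled</CookieBasedAffinity>
    </BackendHttpSettings>
  </BackendHttpSettingsList>
  <HttpListeners>
    <HttpListener>
      <Name>HTTPListener1</Name><FrontendPort>FrontendPort1</FrontendPort><Protocol>Https</Protocol>
      <SslCert>GWCert</SslCert>
    </HttpListener>
  </HttpListeners>
  <HttpLoadBalancingRules>
    <HttpLoadBalancingRule>
      <Name>HttpLBRule1</Name><Type>Basic</Type>
      <BackendHttpSettings>BackendSetting1</BackendHttpSettings>
      <Listener>HTTPListener1</Listener>
      <BackendAddressPool>BackendPool1</BackendAddressPool>
    </HttpLoadBalancingRule>
  </HttpLoadBalancingRules>
</ApplicationGatewayConfiguration>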
# Apply the modified xml to the application gateway so that the certificate takes effect
Set-AzureApplicationGatewayConfig -Name WinAppGW -ConfigFile D:\ssloffloadhttplb.xml
Access https://139.217.27.22/. The site is reachable and load balancing still works. The certificate used here is a self-signed certificate created manually; it is not trusted, but this does not affect the HTTPS test access.
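A pre-flight check for the configuration file, as an added example that is not part of the original article: it verifies that every name a listener or rule refers to is defined, that an Https listener names a certificate, and it reports which hops carry cleartext HTTP. The element names follow the classic ApplicationGatewayConfiguration schema; the sample is constructed from the SSL offload layout above with two mistakes planted in it, and `lint` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

NS = {"g": "http://schemas.microsoft.com/windowsazure"}

# Constructed sample: SSL offload layout with two planted mistakes
# (Https listener without SslCert, rule pointing at an undefined listener).
SAMPLE = """<ApplicationGatewayConfiguration xmlns="http://schemas.microsoft.com/windowsazure">
<FrontendPorts><FrontendPort><Name>FrontendPort1</Name><Port>443</Port></FrontendPort></FrontendPorts>
<BackendAddressPools><BackendAddressPool><Name>BackendPool1</Name>
<IPAddresses><IPAddress>10.0.0.4</IPAddress><IPAddress>10.0.1.4</IPAddress></IPAddresses>
</BackendAddressPool></BackendAddressPools>
<BackendHttpSettingsList><BackendHttpSettings><Name>BackendSetting1</Name><Port>80</Port>
<Protocol>Http</Protocol><CookieBasedAffinity>Disabled</CookieBasedAffinity>
</BackendHttpSettings></BackendHttpSettingsList>
<HttpListeners><HttpListener><Name>HTTPListener1</Name>
<FrontendPort>FrontendPort1</FrontendPort><Protocol>Https</Protocol></HttpListener></HttpListeners>
<HttpLoadBalancingRules><HttpLoadBalancingRule><Name>HttpLBRule1</Name><Type>Basic</Type>
<BackendHttpSettings>BackendSetting1</BackendHttpSettings><Listener>HTTPListener2</Listener>
<BackendAddressPool>BackendPool1</BackendAddressPool></HttpLoadBalancingRule></HttpLoadBalancingRules>
</ApplicationGatewayConfiguration>"""

def text(elem, tag):
    """Text of a direct child element, or None when the child is absent."""
    return elem.findtext(f"g:{tag}", namespaces=NS)

def lint(xml_text):
    """Return findings: undefined name references, missing certificate, cleartext hops."""
    root = ET.fromstring(xml_text)
    items = lambda path: root.findall(path, NS)
    listeners = items("g:HttpListeners/g:HttpListener")
    settings = items("g:BackendHttpSettingsList/g:BackendHttpSettings")
    defined = {
        "FrontendPort": {text(e, "Name") for e in items("g:FrontendPorts/g:FrontendPort")},
        "BackendAddressPool": {text(e, "Name") for e in items("g:BackendAddressPools/g:BackendAddressPool")},
        "BackendHttpSettings": {text(e, "Name") for e in settings},
        "Listener": {text(e, "Name") for e in listeners},
    }
    findings = []
    for l in listeners:
        if text(l, "FrontendPort") not in defined["FrontendPort"]:
            findings.append(f"{text(l, 'Name')}: FrontendPort reference not defined")
        if text(l, "Protocol") == "Https" and not text(l, "SslCert"):
            findings.append(f"{text(l, 'Name')}: Https listener without SslCert")
        if text(l, "Protocol") == "Http":
            findings.append(f"{text(l, 'Name')}: client-to-gateway hop is cleartext HTTP")
    for s in settings:
        if text(s, "Protocol") == "Http":
            findings.append(f"{text(s, 'Name')}: gateway-to-backend hop is cleartext HTTP")
    for r in items("g:HttpLoadBalancingRules/g:HttpLoadBalancingRule"):
        for tag in ("BackendHttpSettings", "Listener", "BackendAddressPool"):
            if text(r, tag) not in defined[tag]:
                findings.append(f"{text(r, 'Name')}: {tag} reference not defined")
    return findings
```

Run `lint` on the file contents before passing the file to Set-AzureApplicationGatewayConfig; the gateway-to-backend finding is expected for SSL offload and documents where traffic is unencrypted.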
[Part.4] Additional details
1. Gateway size: Small, Medium and Large
Small is only used for testing.
2. Restrictions
Global: one subscription is limited to 50 application gateways, and each application gateway can have up to 10 instances (the number of backend virtual machines).
China: one subscription is limited to 10 application gateways.
To change the gateway size and the number of instances, use:
Update-AzureApplicationGateway -Name "WinAppGW" -InstanceCount 5 -GatewaySize "Large" -Description "Updated application gateway"
3. Monitoring
The application gateway sends a probe every 30 seconds to monitor the health of each backend server. A return code of 200-399 confirms that the HTTP service is normal. If a backend server fails to respond in a timely manner, it is removed from the healthy instance pool until it responds to the probes in time again.
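The probe behaviour described above, as an added example that is not part of the original article: it replays constructed probe results for the article's two backends and shows which servers receive requests in each 30-second round. It assumes that a single failed probe ejects a backend, that a single passing probe readmits it, and that requests are spread round-robin over the healthy pool; `simulate` and `is_healthy` are hypothetical names.

```python
PROBE_INTERVAL_S = 30                     # probe period stated in the article
BACKENDS = ["10.0.0.4", "10.0.1.4"]       # the article's two backend VMs

# Constructed probe results, one dict per probe round; None = no timely response.
ROUNDS = [
    {"10.0.0.4": 200, "10.0.1.4": 302},
    {"10.0.0.4": 500, "10.0.1.4": 200},
    {"10.0.0.4": None, "10.0.1.4": 200},
    {"10.0.0.4": 200, "10.0.1.4": 200},
]

def is_healthy(status):
    """A probe passes only when a response arrived and its code is 200-399."""
    return status is not None and 200 <= status <= 399

def simulate(backends, rounds, requests_per_round=4):
    """Return (time_s, healthy_pool, served_by) for each probe round.

    Assumptions of this sketch: one failed probe ejects a backend, one passing
    probe readmits it, and requests are spread round-robin over the pool.
    """
    timeline, rr = [], 0
    for i, results in enumerate(rounds):
        pool = [b for b in backends if is_healthy(results.get(b))]
        served = []
        for _ in range(requests_per_round):
            # With no healthy backend the request cannot be routed (None).
            served.append(pool[rr % len(pool)] if pool else None)
            rr += 1
        timeline.append((i * PROBE_INTERVAL_S, pool, served))
    return timeline

if __name__ == "__main__":
    for time_s, pool, served in simulate(BACKENDS, ROUNDS):
        print(f"t={time_s:>3}s healthy={pool} served_by={served}")
```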
4. Reference xml configuration that enables both HTTP load balancing on port 80 and HTTPS load balancing on port 443:
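<?xml version="1.0" encoding="utf-8"?>
<ApplicationGatewayConfiguration xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/windowsazure">
  <FrontendPorts>
    <FrontendPort><Name>FrontendPort1</Name><Port>80</Port></FrontendPort>
    <FrontendPort><Name>FrontendPort2</Name><Port>443</Port></FrontendPort>
  </FrontendPorts>
  <BackendAddressPools>
    <BackendAddressPool>
      <Name>BackendPool1</Name>
      <IPAddresses>
        <IPAddress>10.0.0.4</IPAddress>
        <IPAddress>10.0.1.4</IPAddress>
      </IPAddresses>
    </BackendAddressPool>
  </BackendAddressPools>
  <BackendHttpSettingsList>
    <BackendHttpSettings>
      <Name>BackendSetting1</Name><Port>80</Port><Protocol>Http</Protocol>
      <CookieBasedAffinity>Disabled</CookieBasedAffinity>
    </BackendHttpSettings>
  </BackendHttpSettingsList>
  <HttpListeners>
    <HttpListener><Name>HTTPListener1</Name><FrontendPort>FrontendPort1</FrontendPort><Protocol>Http</Protocol></HttpListener>
    <HttpListener>
      <Name>HTTPListener2</Name><FrontendPort>FrontendPort2</FrontendPort><Protocol>Https</Protocol>
      <SslCert>GWCert</SslCert>
    </HttpListener>
  </HttpListeners>
  <HttpLoadBalancingRules>
    <HttpLoadBalancingRule>
      <Name>HttpLBRule1</Name><Type>Basic</Type>
      <BackendHttpSettings>BackendSetting1</BackendHttpSettings>
      <Listener>HTTPListener1</Listener>
      <BackendAddressPool>BackendPool1</BackendAddressPool>
    </HttpLoadBalancingRule>
    <HttpLoadBalancingRule>
      <Name>HttpLBRule2</Name><Type>Basic</Type>
      <BackendHttpSettings>BackendSetting1</BackendHttpSettings>
      <Listener>HTTPListener2</Listener>
      <BackendAddressPool>BackendPool1</BackendAddressPool>
    </HttpLoadBalancingRule>
  </HttpLoadBalancingRules>
</ApplicationGatewayConfiguration>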