Windows Azure Application Gateway

Windows Azure Application Gateway

This article describes three main functions of Windows Azure Application Gateway: Http load balancing, cookie-based session connection, and SSL Uninstall.

Azure Application Gateway)

Prerequisites, create a subnet for the application gateway in the virtual network, using the AppGateway-1 subnet in this article.

 

New-AzureApplicationGateway-Name WinAppGW-VnetName AppGatewayVnet-Subnets AppGateway-1

# Create a new application gateway named WinAppGW, placed in the virtual network AppGatewayVnet subnet AppGateway-1

# The Gateway fee is not charged at this time. Billing starts when the gateway is successfully started.

Get-AzureApplicationGateway

# Obtain the gateway details

 

Start-AzureApplicationGateway-Name WinAppGW

# Try to start the gateway and prompt "unable to start because no configuration is made"

 

In this case, we first configure the "Http Load Balancing" function.

 

[Part.1] HTTP load balancing (Http load balancing)

1. Compare Azure Load balancer with Azure Application Gateway

Azure Load Balancer, working at the transport layer, TCP/UDP, provides layer-4 Load balancing

Azure Application Gateway provides Http traffic routing rules to further load balance layer-7 http traffic

 

2. Through configuration, Application Gateway can route Http traffic to virtual machines, cloud services, web apps, and external IP addresses.

 

3. experiment process:

 

Use two VMS as the backend web server cluster: winappgatevm-1 (10.0.0.4) and winappgatevm-2 (10.0.1.4)

 

 

 

To manage and configure the application gateway, you must use the xml file below to configure load balancing on port 80:

 

 

FrontendPort1

80

 

 

 

BackendPool1

10.0.0.4

10.0.1.4

 

 

 

 

BackendSetting1

80

Http

Disabled

 

 

 

HTTPListener1

FrontendPort1

Http

 

 

 

HttpLBRule1

Basic

BackendSetting1

HTTPListener1

BackendPool1

 

 

 

 

# Use Azure Powershell to upload an xml file to the application gateway to complete the configuration.

Set-AzureApplicationGatewayConfig-Name WinAppGW-ConfigFile D: \ web-80app.xml

# The corresponding parameter is the application gateway name and the path of the xml file

 

# After the gateway is set, run the following command to start the Gateway:

Start-AzureApplicationGateway-Name WinAppGW

 

# Obtain the gateway details. The public IP address of the Gateway has been generated: 139.217.27.22

Get-AzureApplicationGateway-Name WinAppGW

 

I previously configured two simple websites on the winappgatevm-1 (10.0.0.4) and winappgatevm-2 (10.0.1.4), with the page refreshing, we found that the polling Load Balancing has taken effect.

 

 

 

[Part.2] Cookie Based Session Affinity (Based on cookie Session connection)

1. application scenarios: Some applications require the same user to connect to the same background virtual machine, such as the shopping cart application, web mail server, and cookie-based session connection function, the same client session can request a route to the same backend server.

 

2. experiment process:

 

To test the cookie-based session connection, we use the following xml file:

 

Xml file reference:

 

FrontendPort1

80

 

 

 

BackendPool1

10.0.0.4

10.0.1.4

 

BackendSetting1

80

Http

Enabled

 

HTTPListener1

FrontendPort1

Http

HttpLBRule1

Basic

BackendSetting1

HTTPListener1

BackendPool1

Follow the Azure Powershell command in Part.1 to upload the configuration. We found that my PC can access 139.217.27.22.

Capture the packet that accesses 139.217.27.22. The returned http packet containing Set-cookie is as follows: ARRAffinity = packets \ r \ n

 

Then, when I access 139.217.27.22 again, My http request carries the cookie returned by the server, which causes me to constantly refresh and only access the server accessed for the first time. The Cookie is still ARRAffinity = b2b030bd049b3ae07c0c65419246492734f60ad3ec994bb9cb6414062dc14199 \ r \ n

 

[Part.3] SSL Offload (SSL Offload)

The Application Gateway performs SSL encryption and decryption. the SSL Session between the client and the App Gateway does not need to be set up with all the web servers in the background, all SSL behaviors and SSL certificates are uniformly managed and maintained on the App Gateway device, which is equivalent to detaching the SSL encryption task for the backend VM, releases the resources consumed by the backend VM on SSL encryption.

First, you need a server *. pfx certificate issued by the CA. We will not describe it here.

# Upload a certificate to the Application Gateway

Add-AzureApplicationGatewaySslCertificate-Name WinAppGW-CertificateName GWCert-Password qwer1234! -CertificateFile D: \ httpscert. pfx

# Specify the gateway name, Certificate Name, password, and certificate path respectively.

 

Configure the xml file as follows:

FrontendPort1

443

BackendPool1

10.0.0.4

10.0.1.4

BackendSetting1

80

Http

Disabled

HTTPListener1

FrontendPort1

Https

GWCert

HttpLBRule1

Basic

BackendSetting1

HTTPListener1

BackendPool1

# Configure the application gateway through modified xml to make our certificate take effect

Set-AzureApplicationGatewayConfig-Name WinAppGW-ConfigFile D: \ ssloffloadhttplb. xml

Access https: // 139.217.27.22/, which is accessible and supports Server Load balancer. The certificate is a self-signed certificate that you have created manually. It is not trusted and does not affect the https test access.

 

 

[Part.4] Detail Enhancement

1. Gateway size: Small, Medium and Large

Small is only used for testing.

2. Restrictions

Global: One subscribes to 50 application gateways and each application gateway can have up to 10 instances (the number of backend virtual machines ).

China: one subscription of 10 application gateways

For details about how to modify the gateway size and backend instance real number, refer:

Update-AzureApplicationGateway-Name "WinAppGW"-InstanceCount 5-GatewaySize "Large"-Description "Updated application gateway"

 

3. Monitoring

The application gateway sends a probe message every 30 seconds to monitor the health status of the backend server. The return code is 200-399 to confirm that the http service is normal. If a backend server fails to respond in a timely manner, the VMS in the background will be removed from the healthy instance pool until they can respond to probe detection in a timely manner.

 

4. xml reference configurations that enable both http 80 load balancing and https 443 load balancing:

FrontendPort1

80

FrontendPort2

443

BackendPool1

10.0.0.4

10.0.1.4

BackendSetting1

80

Http

Disabled

HTTPListener1

FrontendPort1

Http

HTTPListener2

FrontendPort2

Https

GWCert

HttpLBRule1

Basic

BackendSetting1

HTTPListener1

BackendPool1

HttpLBRule2

Basic

BackendSetting1

HTTPListener2

BackendPool1