Jump to content
Sign in to follow this  
  • entries
    355
  • comments
    0
  • views
    77919

Securely scale your Web Apps with Azure Front Door

Sign in to follow this  
proximagr

0 views

Securely scale your Web Apps with Azure Front Door

There is a big buzz out there about Azure Front Door.  Is it a Load Balancer? A CDN? A Traffic Manager? A Web Application Firewall ? A Reverse Proxy? An Application Gateway?

So, what is Azure Front Door?

Azure Front Door actually is all the above and more. It is a global service, that routes web traffic based on performance and availability. A Layer 7 multi-region load balancer with Web Application Firewall (WAF) capabilities, DDoS protection & CDN.

Azure Front Door is the entry point, the edge, of all Microsoft’s WAN. All Microsoft services, like Office 365 & Bing, are using Azure Front Door.

The services that Azure Front door provides are:

  • Accelerate application performance
  • Increase application availability with smart health probes
  • URL-based routing
  • Multi-site hosting
  • URL redirection
  • Session affinity
  • SSL termination
  • Custom Domain & certificate management
  • Security via custom WAF rules
  • DDoS protection
  • URL rewrite
  • IPv6 and HTTP/2 support

At Azure Front Door documentation there is a paragraph that can help to understand the difference between Azure Front Door and other publishing / load balancing Azure solutions and where to use each.

Azure provides a suite of fully managed load-balancing solutions for your scenarios. If you are looking for a DNS based global routing and do not have requirements for Transport Layer Security (TLS) protocol termination (“SSL offload”) or per-HTTP/HTTPS request, application-layer processing, review Traffic Manager. If you are looking for load balancing between your servers in a region, for application layer, review Application Gateway and for network layer load balancing, review Load Balancer. Your end-to-end scenarios might benefit from combining these solutions as needed.

For pricing information, see Front Door Pricing.

How to scale your web apps with Front Door

Create two simple Azure Web apps. Check this guide for a simple guide on how to create Azure App Service: https://www.e-apostolidis.gr/microsoft/azure/azure-start-point-your-first-web-app/

One at West Europe:

img_5dd79fad4b322.png

and one at North Europe:

img_5dd79fc74bcc4.png

Using FTP, I deployed an one-page html site at both regions. I change the text of both site to say “This Web Site is located at North Europe Azure Datacenter”

img_5dd7a2737d275.png

and “West Europe” to the other.

img_5dd7ba6661201.png

Then create a Front Door. Search for Front Door at Azure marketplace and Create one.

img_5dd79fffca8a4.png

This is a high level diagram of the Front Door with two Web Apps design that we will create

img_5dd79e8c9b7aa.png

The “create a Front Door” wizard will start and we can configure it step by step. First we will create a Frontend host by clicking the + at the Step 1

img_5dd7babc592e6.png

At the frontend host we will create the URL that our apps will be available. I added the papostolidis.azurefd.net. of course later you can add your custom domain and add a CNAME to route the traffic to the Front Door.

img_5dd7bb2f78f9b.png

Then, at the Backend pools (Step 2), press the + to add the web apps. add a name for the backend pool, like “myapps” and press + ADD a backend to add the apps.

img_5dd7bbda1c10b.png

Select host type, you can add app service, cloud service, storage and custom host (URL). I selected the app service.

img_5dd7bc085289b.png

Select the subscription and the app service and add the correct ports for http and https traffic.

The priority defines if the traffic will be routed to the host with the lower priority number (e.g. 1) and if that host fails will route to the next host with bigger priority number (e.g. 2). If you add the same priority to more than one host then it will follow the weight number.

The weight number defines the percentage of requests that will be routed to each host.

img_5dd7bc3865179.png

The same way add the second web app

img_5dd7bd8cde5ca.png

Finally select a path, protocol and interval for the probe that will do health checks to the app to define if it is active or not.

img_5dd7bd4fa75fb.png

The third step is to add the routing rules. At the routing rules you can specify:

  • The accepted protocol, http or https.
  • the frontend host for this rule
  • the patterns that the route will accept, like www.e-apostolidis.gr/mysite/* or just /* ro root.
  • Route type forward or redirect.
  • The backend pool that this rule will direct the traffic
  • The protocol that the traffic will be forwarded. Here we define the SSL Offload if we select HTTPs for frontend accepted protocol and HTTP for backend.
  • URL Rewrite rules
  • Caching, for static content caching like CDN.

img_5dd7bdd890234.png

Once all steps are completed we can move on and create the Front Door

img_5dd7befef279d.png

When the Front Door is ready, we can see the URL at the Overview.

img_5dd7bff85a758.png

And browse our web app using the Front Door URL:

img_5dd7c0882cc52.png

How to protect your web apps with Front Door

Right now we scaled our web apps. If we use each app’s URL we can still access the app. The first security step is to lock the web apps to be accessed only through the Front Door URL.

Checking the Azure Front Door FAQ page, https://docs.microsoft.com/en-us/azure/frontdoor/front-door-faq it lists the Front Door’s address rance.

Front Door’s IPv4 backend IP space: 147.243.0.0/16

Go to the App Service, at the Networking section, select “Configure Access Restrictions”

img_5dd7c3a96a722.png

Add an allow access restriction with the IP range of the Front Door.

img_5dd7c3e09a6e6.png

Automatically a Deny rule will be created for everything else.

img_5dd7c415b3175.png

Add the rule to both web apps and then try to access the apps with their direct links.

img_5dd7c480eeac7.png

Now on, we can access the apps only by using the Front Door URL:

img_5dd7c4b47e4ba.png

This is a high level diagram after the restrictions

img_5dd79e46db56b.png

At the next article, we will see how to add Web Application Firewall (WAF) Rules to Front Door, Stay Tuned!! 

Share

The post Securely scale your Web Apps with Azure Front Door appeared first on Apostolidis IT Corner.


Sign in to follow this  


0 Comments


Recommended Comments

There are no comments to display.

Guest
Add a comment...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
×
  • Create New...