The Azure Application Gateway is more than just a load balancer. Learn about the other capabilities of this gateway service, including SSL offload, sticky sessions, and end-to-end SSL.
- [Instructor] An Azure Application Gateway is a dedicated virtual appliance that leverages the application delivery controller, ADC, as a service. The Azure Application Gateway provides a number of services including load balancing, cookie affinity, SSL offload, URL routing, end to end SSL, Web Application Firewall, multisite routing, and health monitoring. We're going to talk about each of these in a little bit more depth through this lesson.
Let's go ahead and start off with load balancing. The application gateway uses round-robin load balancing. It can only be used for HTTP and HTTPS traffic. It operates at layer seven of the OSI model. Inbound traffic is routed to the back end, and this back end could contain virtual machines, web apps, and external IP, or if you're using the classic portal, a Cloud service. Let's talk about SSL offload. Using the service, we'll reduce the load on the back-end servers because the application gateway removes the SSL encryption and decryption processing from the back-end web servers.
Unencrypted requests are forwarded to the back-end server, and the responses are then reencrypted by the application gateway when being returned to the client. Next we have Cookie-Based Session Affinity. This ensures all user requests are sent to the same instance during the session. Sometimes you'll hear these being referred to as sticky sessions. A good example of when we would want to use sticky sessions is for our online shopping cart. When we enable a sticky session, the client submits a request, and the application gateway then forwards the request to a back-end instance.
That back-end instance responds back to the client. The next time the client makes a request within that session, the application gateway then directs that traffic back to that same instance. This will continue throughout the session. We've already talked about the benefits of offloading SSL. There will be times when you will need that full end to end encryption. End to end SSL does not support SSL 2.0 or 3.0. These are actually disabled by default, and you cannot even enable them because these protocols are no longer considered secure.
You can use TLSv1.0 through to 1.2. You will require a certificate in order to use end to end SSL. Let's take a look at our example. We have a request by our client. It comes into the application gateway. The application gateway will forward the traffic to a specific pool based on the policy rules. A new SSL connection is made and reencrypts the traffic using the certificates. We also have URL-based Content Routing which allows us to use different servers for different traffic.
It contains two rules. We have the basic rule which is the round-robin method of load balancing. In addition to the basic rule, we also have the path-based rule, and this includes round-robin plus the path pattern. Let's go ahead and take a look at this in action. We have our users. They're making a request for mycompany.com. If the path contains mycompany.com/images, then that traffic will be directed to the images pool. If it has anything other than images, then the traffic will be directed toward default pool and our example here of web servers.
This provides load balancing across the pools. Next, we have multisite routing which allows up to 20 websites to be available through one application gateway. Traffic is directed based on the host header information. Let's take a look at our example. We have our user. They are making a request. If the request is for mycompany.com, then the traffic is directed to the my company pool. If the request is for yourcompany.com, the traffic will be directed to your company pool.
The application gateway also includes health monitoring. The health of the servers is monitored, and traffic will not be routed to any unhealthy server. There are advanced diagnostics. The application gateway also includes a Web Application Firewall which protects against common attacks such as cross-scripting and SQL injection. Finally, the application gateway supports WebSocket traffic. As you can see, the Azure Application Gateway is not just for load balancing your applications, but also includes other services to control and protect your application data.
Before we leave this chapter, I'd like to quickly review the three different load balancers that we've covered. We've covered the Azure Load Balancer, the Application Gateway, and Traffic Manager. The Azure Load Balancer works at layer four of the OSI model. Application Gateway is at layer seven, and Traffic Manager uses DNS. The supported protocols include any for the Azure Load Balancer. The Application Gateway only works with HTTP, HTTPS, and WebSocket. The Traffic Manager will support any protocol as well.
- Designing virtual machines
- Selecting appropriate VM SKUs
- Designing template deployment
- Deploying ARM templates via PowerShell and CLI
- Designing for availability
- Designing Azure Virtual Networks
- Azure VPN and ExpressRoute architecture and design