Application Gateway Components

Frontend IP

• IP address associated with an application gateway is called frontend IP address
• We can associate:
  • Public IP only
  • Both public and private IPs
• We can block access to public IP in intranet scenario (on-premise networks are connected using ExpressRoute or VPN)
• Normally Frontend IP is mapped to a domain (FQDN)

Listener

• A listener is a logical entity that checks for incoming connection requests
• Listener uses “listener configuration”, and listener configuration consists of:
  • IP address
  • Port: A port is where a listener listens for the client request (1 to 65199)
  • Protocol: HTTP, HTTPS, HTTP/2, and WebSocket (By default, HTTP/2 support is disabled)
  • Hostname
• A listener accepts a request if the protocol, port, hostname, and IP address associated with the request match the same elements associated with the listener configuration
• We can use multiple listeners and there must be at least one listener

Listener Types

• Basic: listens to a single domain site
• Multi-site: to configure routing based on host name or domain name for more than one web application on the same application gateway (a.com, b.com, c.com all 3 domains can be mapped to Application Gateway Public IP)

Request routing rule

• Routing rule determines how the request received on the listener should be routed to the backend
• Routing rule binds the listener, the back-end server pool, and the backend HTTP settings
• Request routing rule defines which backend server pool to forward it to
• The request routing rule also determines if the headers in the request are to be rewritten
• Routing rule types:
  • Basic: All requests on the associated listener are forwarded to the associated backend pool
  • Path-based:
    • Requests on the associated listener to a specific backend pool, based on the URL in the request
    • It applies the path pattern only to the URL path, not to its query parameters
    • If the URL path on a listener request doesn’t match any of the path-based rules, it routes the request to the default backend pool and HTTP settings
• Request routing rule also allows you to redirect traffic on the application gateway

HTTP setting

• Determines how traffic will go to backend server
• Application gateway routes traffic to the backend servers based on https setting (port number, protocol, and other settings)
  • Wether traffic backend server is encrypted or unencrypted
  • Same server, different ports
  • Determine whether a user session is to be kept on the same server by using the cookie-based session affinity
  • Gracefully remove backend pool members by using connection draining
• Associates probe to monitor the backend health

Backend pool

• A logical entity that represents a pool (set) of actual backend server
• backend pool routes request to backend servers, which serve the request
• Backend pools can contain:
  • NICs
  • Virtual machine scale sets
  • Public IP addresses
  • Internal IP addresses (VNet peering or connectd on-premises servers)
  • FQDN
  • Multitenant backends (such as App Service)

Health probe

• A pining mechanism or probe that continously checks and ensures that backend server is ok
• Health monitoring of backend servers
• Application gateway monitors the health of all resources in its backend pool and automatically removes unhealthy ones

TLS Termination

• Also known as TLS off-loading
• TLS termination means traffic after Application Gateway typically flows unencrypted to the backend servers
• Application gateway’s TLS termination allows web servers to be unburdened from costly encryption and decryption overhead
• Supports end to end TLS encryption
• Details: https://docs.microsoft.com/en-us/azure/application-gateway/TLS-overview

Web Application Firewall

• Web Application Firewall (WAF) is a service that provides centralized protection for web applications from CVE (common vulnerabilities and exploits)
• WAF is add-on on top of Application Gateway when we select “WAF_v2” SKU
• WAF is based on rules from the OWASP (Open Web Application Security Project) core rule sets
• It has integrated web application firewall (WAF)
  • WAF protects common web security vulnerabilities
  • Example of web security vulnerabilities: cross-site scripting, SQL injection etc.

AGIC

• AGIC stands for “Application Gateway Ingress Controller”
• AGIC allows us to use Application Gateway as the ingress for AKS
• Ingress controller runs as a pod within the AKS cluster and consumes Kubernetes Ingress Resources
• Ingress controller converts Kubernetes Ingress to an Application Gateway configuration, which allows the gateway to load-balance traffic to the Kubernetes pods

URL-based Routing

• Routing traffic to back-end server pools based on URL Paths of the request is called URL-based Routing
  • https://hovermind.com/images/*: route to VM storing images
  • https://hovermind.com/videos/*: route to VM storing videos
• URL-based Routing is also known as layer-7 load-balancing

Multiple-site Hosting

• Application Gateway can serve multiple domains
  • Multiple domains will be mapped to public IP of application gateway (DNS “A” records)
  • We can configure routing based on host name or domain name for more than one web application on the same application gateway
  • Need to create multiple multi-site listeners and configure each listener for the respective port and protocol setting
• Similarly, multiple subdomains of the same parent domain can be hosted on the same application gateway deployment
• In AKS yaml manifest, we can use different subdomains or domains as host in of ingress resources

Redirection

• Application Gateway supports automatic HTTP to HTTPS redirection
• Redirection capabilities
  • Global redirection
  • Path-based redirection
  • Redirect to an external sit

Session Affinity

• Session Affinity is the process of linking an HTTP request from an end user to backend pool (application instance) in order to maintain an “active” user session
  • It maintains a client request to a single server
  • Cookie-based session affinity feature is useful when we want to keep a user session on the same server
• Application Gateway uses gateway-managed cookies to direct subsequent traffic from a user session to the same server for processing

Connection Draining

• Connection draining is a process of ensuring that existing, in-progress requests are given time to complete before removing or terminating backend pools
  • Connection draining helps you achieve graceful removal of backend pool members during planned service updates
  • Application Gateway ensures all deregistering instances of a backend pool don’t receive any new request while allowing existing requests to complete within a configured time limit
• Connection draining is enabled via the backend http setting and can be applied to all members of a backend pool during rule creation

Header Rewrite

• Rewriting the HTTP header allows us to add, modify, or remove content from HTTP header of request or response
• Application Gateway has the capability to add, remove, or update HTTP request and response headers
• We can also rewrite URLs, query string parameters and host name