Azure – Networking – Part 6 – Azure Application Gateway Features

Hello Friends,

Let’s continue with Azure Application Gateway in this articles. In our last article we have discussed about a very important topic of Networking is Azure Application Gateway . In this article we will discuss more about Azure Application Gateway Features . If you have missed our previous articles, please check it in following links.

Part 1 – Basics of Azure Networking

Part 2 – Azure Virtual Network (VNet)

Part 3 – Subnet in Azure Network

Part 4 – Network Security Group (NSG) in Azure

Part 5 – Basics of Azure Application Gateway

Azure Application Gateway is a popular service, because of its robust features. Let’s go through it’s most popular features.

Web Application Firewall (WAF) :
Web application firewall (WAF) is an application firewall for HTTP applications.

Figure 1 : Azure – Web Application Firewall
  • Web application firewall (WAF) is an application firewall for HTTP applications.
  • WAF creates a set of rules designed to protect our website.
  • Rule save applications, from common attacks, such as cross-site scripting (XSS), SQL injection, file inclusion, and security misconfigurations by inspecting HTTP/S traffics.
  • WAF is capable to filter the content of specific web applications.
  • Traditional F/W provide security from Layer 3 to layer 4 (IP,Ports in network layer).
  • WAF provides security from layer 5 to layer 7 ( Http/s till application layer)
Figure 2 : Azure – Firewall In 7 Layer

Connection Draining :
Application Gateway provide Connection Draining feature to improve the availability of backend instances. This feature maintaining the back-end pool instances. Like, if a back-end instance fails health checks, the connection draining feature will not send any new requests to the unhealthy instance and remove the instance from the back-end pool and keep checking the health report for removed instances till received a good health report. It added back the removed instance to the back-end pool once it get ready with good health.

We can perform maintenance or replacement of back-end instances without impacting our customers’ experience. This feature is also helping to scale up the instances as per the requirement.

URL Based Routing :
A URL Path Based Routing allows application gateway to route our traffic to back-end server pools based on URL Paths of the request. Due to this feature the routing the traffic to its destination is very accurate.

Figure 3 : Azure AG – URL Based Routing

As in the above figure, there are three different backend pools to serve request from the client. We need to configure a path-based routing rule to achieve URL based routing. Set the Name, Path, Backend Pool and http setting at the time of rule configuration. Once we done with rule configuration we are ready to go and all path will redirect to accurate backend pools.

For example requests for http://MSTechs.com/video/* are routed to Video-BackEndpool , and http:// MSTechs .com/images/* are routed to Image-BackEndpool. APPGateway-BackEndpool is selected if none of the path patterns match.

Redirection :
Redirection is a common feature of application gateway. It supports automatic redirection from HTTP to HTTPS and vice-verse, so all the communication between application and user will be on encrypted path. This feature also supports to redirect from any port to any other port based on the defined rules. It has ability to redirect the traffic to external site as well.

Cookie Based Session Affinity :
If we want to keep user session on same server then Cookie Based Session Affinity is very helpful feature. If we activate Cookie Based Session Affinity feature, application gateway will redirect all the subsequent request/traffic from a particular user session to same server for processing on which user was start with. This feature is optional and can be configure later if required.

SSL Termination :
In application gateway SSL termination can be done in a different device other than the web server. It allow communication with backend instances un-encrypted. SSL Termination at application gateway, remove the encryption and decryption overhead from web server. So the processing time is became faster and the response time is less. It isn’t always acceptable by the business, so there is also an option for end to end SSL communication. SSL termination allows servers to handle a large volume of simultaneous connections, or sessions, and cookies.

SSL termination, a form of SSL Offloading. SSL offloading is the process of removing the SSL based encryption from incoming traffic that a web server receives to relieve it from decryption of data. Security Socket Layer (SSL) is a protocol that ensures the security of HTTP traffic and HTTP requests on the internet. (Text from MS Doc)

Custom Error Page :
Application gateway can display a custom error page when a request can’t reach the backend. If an error raised from the backend servers, then custom error page won’t display.

Custom error pages are supported for the following two scenarios.
1) Maintenance page
2) Unauthorized access page.

Custom error pages can be defined at the Global level and in sthe Listener level. In global level the error page applies to traffic for all the Web  applications deployed on that application gateway. Creating global level custom error pages from the Azure portal is currently not supported but we can use Azure PowerShell to configure a global custom error page.

Figure 4 : Azure AG – URL Based Routing

Multi-Site Hosting :
This Multi-Site Hosting feature of application gateway allows us to configure more than one web site on the same application gateway instance. It helps to configure more efficient topology for our deployment by adding up-to 100 websites for one application gateway. So we can add up-to 100 listeners to handle those 100 web sites. each website can have its own back-end pool.

Rewrite HTTP Headers :
Application Gateway also provide a feature Rewrite HTTP headers . HTTP headers allows a client and server to pass additional information with  request or response. This feature allows us to add, remove, or update HTTP request and response headers while the request and response packets move between the client and back-end pools. We can also add conditions, to ensure that the specified headers are rewritten only when certain conditions are met. An application gateway inserts four additional headers to all requests before it forwards the requests to the backend. These headers are x-forwarded-for, x-forwarded-proto, x-forwarded-port, and x-original-host. The format for x-forwarded-for header is a comma-separated list of IP:port.  If session affinity is enabled as an option, then it adds a gateway-managed affinity cookie (Referenced from MS Doc). Please check this link, if you want to know more on Http Header Rewrite.

Web-socket and HTTP/2 Traffic :
WebSockets/ HTTP 2.0 provide a persistent connection between a client and server that both parties can use to start sending data at any time. Client and Server communicate over that same TCP connection for the life-cycle of  WebSocket connection. Server can push information to the client (which does not allow direct HTTP).

I hope this article gives a basic understanding about Application Gateway features and In my next article, we will discuss on how to configure WAF.

Thanks for reading  🙂 

Keep reading, share your thoughts, experiences. Feel free to contact us to discuss more. If you have any suggestion / feedback / doubt, you are most welcome.

Stay tuned on Knowledge-Junction, will come up with more such articles.

Advertisements

Comments

One comment on “Azure – Networking – Part 6 – Azure Application Gateway Features”

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.