Azure Application Gateway : Often overlooked…

Introduction

Ever heard of the Azure Application Gateway? No… I understand. It is (strangely enough) a component that is often overlooked. In essence, what does it do? Look at it as a load balancer on security steroids. The basic form will help you with SSL offloading, while the advanced form turns it into a WAF.

 


 

Use Case

Now, when do we use it? The last time I used it was when I was setting up Rancher on Azure. This is by far the best container management software out there! It has one downside, though: it does not provide SSL by itself. So you need to look at an external solution for that. Often people fall back to things like haproxy or nginx. Though with Azure, we have a great (managed) service called the “Application Gateway”. So why not use that one? 😉

 

Deepdive

Let us take a look at the Azure configuration for our Application Gateway. I’ve configured it to have one node (use more for production!) and to act as a WAF. Here I’ve enabled the firewall and set it to “Prevention”.

In terms of networking, I have one VNET with three subnets:

  • SUBNET000 : My application payload resides here
  • SUBNET254 : This is typically my DMZ subnet.
  • SUBNETAGW01 : An application gateway requires its own subnet…

And here we can see that both workloads are separated in terms of subnets. So I can lock it down with NSGs!


Now back to the application gateway. I have the node in my backend pool.


And my HTTP settings have a custom probe…


Why did I configure this as follows… Check my last post! 😉 The default probe will check the root “/” and this will return a value that is not within the acceptable range, due to not being logged in. When we trigger the login page, we will get a status code within the acceptable range.
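The probe behaviour described above, as an added example (not code from the original post): a small Python check that probes candidate paths and applies the 200-399 healthy range that Application Gateway probes use by default. The stub backend, its 401 on "/" and the "/login" path are assumptions constructed for the demo.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Application Gateway's default probe treats status codes 200-399 as healthy.
HEALTHY = range(200, 400)

class StubBackend(BaseHTTPRequestHandler):
    """Constructed stand-in for a backend that requires a login (assumed behaviour)."""
    def do_GET(self):
        # Assumption: "/" answers 401 when not logged in, "/login" answers 200.
        status = 200 if self.path == "/login" else 401
        body = b"ok" if status == 200 else b"unauthorized"
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass

def probe(host, port, path, timeout=5):
    """Send one GET the way a health probe would; return (status, healthy)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        status = conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return None, False  # unreachable or broken backend counts as unhealthy
    finally:
        conn.close()
    return status, status in HEALTHY

def compare_probe_paths(paths=("/", "/login")):
    """Start the stub on a free local port and probe each candidate path."""
    server = HTTPServer(("127.0.0.1", 0), StubBackend)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return {p: probe("127.0.0.1", server.server_port, p) for p in paths}
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for path, (status, healthy) in compare_probe_paths().items():
        print(f"{path:8} -> {status} {'healthy' if healthy else 'UNHEALTHY'}")
```

Calling `probe()` against a real backend address before creating the gateway probe shows which path will keep the node in rotation.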

And we’ve added the certificate to the HTTPS Listener config.

So now we have a nice & secure Rancher deployment!


 

Certificates?

In need of certificates? You have several options ;

So feel free to choose what you like…. For this demo, I used StartSSL and that worked great.

 
