Ever heard of the Azure Application Gateway? No… I understand. It is (strangely enough) a component that is often overlooked. In essence, what does it do? Look at it as a load balancer on security steroids. The basic form helps you with SSL offloading, while the advanced form turns it into a WAF.
Now, when do we use it? The last case I used it was when I was setting up Rancher on Azure. This is by far the best container management software out there! Though it has one downside, it does not provide SSL by itself. So you need to look at an external solution for that. Often people fall back to things like haproxy or nginx. Though with Azure, we have a great (managed) service called the “Application Gateway”. So why not use that one? 😉
Let us take a look at the Azure configuration for our Application Gateway. I’ve configured it to have one node (use more for production!) and to act as a WAF. Here I’ve enabled the firewall and set it to “Prevention”.
In terms of networking, I have one VNET with three subnets:
- SUBNET000 : My application payload resides here
- SUBNET254 : This is typically my DMZ subnet.
- SUBNETAGW01 : An application gateway requires its own subnet…
And here we can see that both workloads are separated in terms of subnets. So I can lock it down with NSGs!
Now back to the application gateway. I have the node in my backend pool.
And my http settings have a custom probe…
Why did I configure it this way? Check my last post! 😉 The default probe checks the root “/”, which returns a status code outside the acceptable range because we are not logged in. When we probe the login page instead, we get a status code within the acceptable range.
And we’ve added the certificate to the HTTPS Listener config.
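To make the setup above reproducible, here is an added Azure CLI script (not the author’s, not part of the original post) that builds the same picture: one VNET with the three subnets, an NSG that only lets the gateway subnet reach the Rancher node, and an Application Gateway in WAF/Prevention mode with a custom probe on the login page and an HTTPS listener. It also covers the probe reasoning from the previous paragraph with a small `status_in_range` helper that applies the gateway’s default healthy range (200-399) to a response code. Resource names, address prefixes, the Rancher port (8080), the private IP of the node and the certificate path are assumptions, not values taken from the post; by default the script only prints the `az` commands (dry run) and executes them only when `AGW_APPLY=1`.

```shell
#!/usr/bin/env bash
# Added example: Azure CLI sketch of the post's setup (one VNET, three subnets,
# NSG on the payload subnet, Application Gateway as WAF in Prevention mode with
# a custom login-page probe and an HTTPS listener).
# Resource names, prefixes, the Rancher port/IP and the certificate path are
# assumptions, not values from the post.
set -eu

RG="${RG:-rg-rancher-demo}"
LOC="${LOC:-westeurope}"
VNET="vnet-rancher"
AGW="agw-rancher"
RANCHER_IP="10.0.0.4"                         # assumed private IP of the node in SUBNET000
RANCHER_PORT="8080"                           # assumed Rancher listener port
CERT_PFX="${CERT_PFX:-./rancher-cert.pfx}"    # placeholder: your PFX (StartSSL, DigiCert, ...)
CERT_PASSWORD="${CERT_PASSWORD:-changeme}"    # placeholder
PROBE_PATH="/login"                           # login page answers inside the healthy range
ACCEPT_CODES="200-399"                        # Application Gateway's default healthy range

# Execute only when AGW_APPLY=1; otherwise print the command (dry run).
run() {
  if [ "${AGW_APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Offline version of the probe's check: is status code $1 inside "low-high" $2?
# Use it to reason about what "/" vs "/login" returns before touching the gateway.
status_in_range() {
  local code="$1" range="$2" low high
  low="${range%-*}"; high="${range#*-}"
  [ "$code" -ge "$low" ] && [ "$code" -le "$high" ]
}

deploy_rancher_agw() {
  # 1. VNET with payload, DMZ and dedicated gateway subnets.
  run az network vnet create -g "$RG" -l "$LOC" -n "$VNET" --address-prefix 10.0.0.0/16 \
      --subnet-name SUBNET000 --subnet-prefix 10.0.0.0/24
  run az network vnet subnet create -g "$RG" --vnet-name "$VNET" -n SUBNET254 --address-prefix 10.0.254.0/24
  run az network vnet subnet create -g "$RG" --vnet-name "$VNET" -n SUBNETAGW01 --address-prefix 10.0.255.0/24

  # 2. NSG on the payload subnet: only the gateway subnet may reach Rancher.
  run az network nsg create -g "$RG" -l "$LOC" -n nsg-subnet000
  run az network nsg rule create -g "$RG" --nsg-name nsg-subnet000 -n allow-agw-to-rancher \
      --priority 100 --direction Inbound --access Allow --protocol Tcp \
      --source-address-prefixes 10.0.255.0/24 --destination-port-ranges "$RANCHER_PORT"
  run az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n SUBNET000 \
      --network-security-group nsg-subnet000

  # 3. WAF-SKU gateway, one instance, terminating HTTPS and forwarding HTTP to the node.
  run az network public-ip create -g "$RG" -l "$LOC" -n pip-agw --allocation-method Dynamic
  run az network application-gateway create -g "$RG" -l "$LOC" -n "$AGW" \
      --sku WAF_Medium --capacity 1 --vnet-name "$VNET" --subnet SUBNETAGW01 \
      --public-ip-address pip-agw --frontend-port 443 \
      --http-settings-port "$RANCHER_PORT" --http-settings-protocol Http \
      --http-settings-cookie-based-affinity Disabled \
      --cert-file "$CERT_PFX" --cert-password "$CERT_PASSWORD" \
      --servers "$RANCHER_IP"

  # 4. Firewall on, in Prevention mode (blocks instead of only logging).
  run az network application-gateway waf-config set -g "$RG" --gateway-name "$AGW" \
      --enabled true --firewall-mode Prevention --rule-set-type OWASP --rule-set-version 3.0

  # 5. Custom probe on the login page, attached to the backend HTTP settings.
  run az network application-gateway probe create -g "$RG" --gateway-name "$AGW" -n probe-rancher-login \
      --protocol Http --path "$PROBE_PATH" --host "$RANCHER_IP" \
      --interval 30 --timeout 30 --threshold 3 --match-status-codes "$ACCEPT_CODES"
  run az network application-gateway http-settings update -g "$RG" --gateway-name "$AGW" \
      -n appGatewayBackendHttpSettings --probe probe-rancher-login
}

# Usage: ./deploy.sh (prints the commands)   AGW_APPLY=1 ./deploy.sh (runs them)
deploy_rancher_agw
```

The NSG rule is the piece that turns the subnet split into an actual control: the node only accepts traffic from the gateway subnet, so nothing bypasses the WAF by hitting Rancher directly. Run the dry run first and read the printed commands before applying them.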
So now we have a nice & secure rancher deployment!
In need of certificates? You have several options:
- https://letsencrypt.org/ – Free, an alternative / custom integration is needed on your web server, does not work with the application gateway
- https://www.startssl.com/ – Free, the common approach is done here
- https://www.digicert.com/ – Paid, one I often come across in enterprises
So feel free to choose what you like… For this demo, I used StartSSL and that worked great.