This course covers the Architect ARM Networks part of the 70-534 exam, which is worth 5 - 10% of the exam. The intent of the course is to help fill in an knowledge gaps that you might have, and help to prepare you for the exam.
Welcome back. In this lesson I'll cover the Azure application load balancer named Application Gateway.
In a previous lesson, I covered the Azure load balancer. So you might be wondering how this is different. And that's a great question. The Azure load balancer is a Layer 4 load balancer. Which basically means, it's a networking load balancer.
It distributes TCP and UDP traffic without any consideration to higher level protocols such as FTP, HTTP, SMTP, et cetera. Application Gateway is considered a Layer 7 load balancer. Which means it's an application load balancer. In particular, used for web applications since it speaks HTTP.
Using a Layer 7 load balancer has some perks that Layer 4 doesn't offer. Namely, things like round robin load balancing, and a web application firewall. If you recall, in a previous lesson I mentioned user defined routes and I talked briefly about how you could route packets to a virtual appliance.
Well, Application Gateway is a dedicated virtual appliance, that is managed by Microsoft. Because it's a virtual appliance, it's basically a managed set of Azure VM's preloaded with software to filter and route all requests.
Let's take a look at the features. You get round robin load balancing, you have SSL termination which terminates the SSL connection on the virtual appliance and then forwards the request unencrypted. So if you're using web servers on the same V-Net this can be a viable option because it saves you the processing power on your web servers because they don't need to handle that encryption and decryption.
Application Gateway also supports end-to-end SSL if you need that by terminating at the virtual appliance like I mentioned a moment ago. However, it then re-encrypts the traffic before sending it to your servers. Because Application Gateway works at Layer 7 the HTTP requests can be directed based on the URL.
URL based routing allows you to direct requests to different backends. This sort of thing tends to work out well when you need to be able to scale different backend pools independently. Application Gateway also supports cookie based sticky sessions, which helps with transition from stateful to stateless applications.
It supports health monitoring and web sockets, and it also has a web application firewall. The firewall is offered as a separate SKU which distinguished it from the original appliance that didn't have the firewall.
The web application firewall which is often referred to as a WAF, allows you to filter out known attack patterns, without the need to handle it in your applications code. Now, that doesn't mean you should ignore security best practices in your code, however, it does allow you to have a second line of defense.
The WAF is configured by default, with the firewall rules from ModSecurity which includes rules for the OWASP top 10. Now, if you're not familiar with OWASP I recommend you check it out. The rules include things such as filtering for cross site scripting, SQL injection, misconfiguration detection and more. The end result is that requests that match known malicious signatures can either be detected or prevented.
Now, in detection mode, you can report on what's happening and in prevention mode it will block anything that it thinks is malicious and it will return a 403 HTTP status. So Application Gateway is a great way to manage your web based traffic and with the addition of the firewall, this is a great tool to consider putting in front of all your HTTP based apps.
Alright, that’s going to wrap up this lesson. In the next lesson I'm going to cover Traffic Manager. So, if you're ready to keep learning, then let's get started in the next lesson.
About the Author
Ben Lambert is the Director of Engineering and was previously the lead author for DevOps and Microsoft Azure training content at Cloud Academy. His courses and learning paths covered Cloud Ecosystem technologies such as DC/OS, configuration management tools, and containers. As a software engineer, Ben’s experience includes building highly available web and mobile apps.
When he’s not building the first platform to run and measure enterprise transformation initiatives at Cloud Academy, he’s hiking, camping, or creating video games.