Speaker:
- Amit Srivastava, Principal Program Manager, Microsoft
Mission Critical HTTP Applications
- Always On
- Secure
- Scalable
- Telemetry
- Polygot – variety of backed, IaaS, PaaS, on-prem
Many things to think about.
What Azure Pieces Can We Use?
- WAG
- AFD
- CDN
- WAF
- Azure Load Balancer
- Azure Traffic Manager
WAG
Regional ADS as a service. A full reverse proxy. It terminates the incoming connection and creates a new one to the web server.
- Platform managed: built-in HA and sclability
- Layer 7 load balancing: URL path, host based, round robin, session affinity, redirection
- Security and SSL management: WAF, SSL Offload, SSL re-encryption, SSL policy
- Public or ILB: Public internet, internal or both.
- Flexible backends: VMs, VMSS, AKS, public IP, cloud services, ALB/ILB, On-premises
- Rich diagnostics: Azure monitor, log analytics, network watcher, RHC, more
Standard v2 SKU in GA
- Available in 26 regions
- Built-in zone redundancy
- Static VIP
- HTTP header/cookies insertion/modification
- Increased scale limits 20 -> 100 listeners
- Key vault integration and autorenewal of SSL certs (GA)
- AKS ingress controller (GA)
Autoscaling and performance improvements:
- Grow and shrink based on app traffic requirements
- 5 x better SSL offloads performance
- 500-50,000 connections/sec with RSA 2048 bit certs
- 30,000, 3,000,000 persistent connections
- 2,500 – 250,0000 HTTP req/sec
- 75% reduction in provisioning time ~5mins
Key Vault Integration in v2 GA
- Front end TLS cert integrated with Azure Key Vault
- Utilizes user-assigned management identity for access control on key vault
- Use certificate or secrets on Key Vault
- Pools every 4 hours to enable automatic cert renewal – you can force a poll if you need to
- Manual override or specific certificate version retrieval
WAG v2 Header Rewrites
- Manipulate request and response headers and cookies
- Strip port from x-forwarded-for header
- Add security headers like HSTS and X-XSS-Protection
- Common header manipulation ex: HOST, SERVER
- Conditional header rewrites … something
Ingress Controller
- Ingress controller for 1+ AKS clusters at one time
- Deployed using HELM – newer easier options by EOY
- Utilized pod-AAD for ARM authentication
- Tighter integration with AKS add-on support upcoming
- Supports URI-path based, host based, SSL termination, SSL re-encryption, redirection, custom health probes, draining, cookie affinity.
- Support for Let’s Encrypt provided TLS certs
- WAF fully supported with custom listener policies
- Support for multiple AKS as backend
- Support for mixed mode- both AKS and other backend types on the same application gateway.
Application Gateway Wildcard Listener
- Managed preview
- Support for wildcard characters in listener host name
- Supports * and ? characters in host name
- Associate wildcard or SAN certs to serve HTTPS
Telemetry Enhancements
- GA
- Diagnostics Log Enhancements
- TLS protocol version, cipher spec selected.
- Backend target server, response code, latency.
- Metrics Enahncements
- Backend response status code
- RPS/healthy node
- End-to-end latency
- Backend latency
- Backend connect, first byte, and last byte latency.
Azure Monitor Insights for Application Gateway
- Public Preview
- Sign health and metric console for your entire cloud network#
- No agent/configuration required
- Visualize the structure and functional dependencies
- More
AKS Demo
He loads a Helm YAML config to the AKS cluster. Now the AKS cluster can configure listers, backend pools, rules, etc for the containers/services running on the cluster. Pretty cool.
Azure WAF
Cloud native WAF
- Unified WAF offering
- Protect your apps at network edge or in region uniformly
- Public preview:
- Microsoft threat intelligence
- Protect apps against automated attacks
- Manage good/bad bots with Azure BotManager RuleSet
- Site and URI pathc specific WAF policies
- Customise WAF policies at regional WAF for finer grained protection at each host/listener or URI path level
- Geo-filtering on regional WAF
- Microsoft threat intelligence
WAF
- HA, scalable fully platform managed
- Auto-scaling support
- New RuleSet CRS 3.1 added, will soon be the default
- Integration with Azure Sentinel SIEM
- Performance and concurrency enhancements
- More
WAF Policy Enhancements
- Assign different policies to different sites behind the same WAF
- Increased configurability
- Per-URI policy
Geo Filtering Public Preview
- Block, allow, log countries.
- Easily configurable in WAF policy
- Geo data refreshed weekly
Only in special Portal URI at the moment – normal Azure Portal soon.
Bot Protection (Public Preview)
- Stuff