Azure Application Gateway

An application gateway is a web traffic load balancer that enables you to manage traffic to your web application. Learn more about application gateways.

An application gateway is a dedicated deployment in your virtual network. Within your virtual network, a dedicated subnet is required for the application gateway. More information: Azure virtual network and dedicated subnet.

Prerequisites:

  1. An Azure account with an active subscription

  2. An Azure Event Hubs connection string and an Azure Storage Account connection string. To learn more about how to create and configure an Event Hub and a Storage Account, see the article Event Hub and Storage Account Creation.

  3. An external log source created for Azure. To learn more about how to create an external log source, refer to the article Microsoft Azure Log Source.

Create an Application Gateway

You can use these instructions to configure the application gateway.

Sign in to the Azure portal with your Azure account.

  1. On the Azure portal menu or from the Homepage, select Create a resource. The New window appears.

  2. Select Networking and then select the Application Gateway in the Featured list.


Basics tab

On the Basics tab, enter the following application gateway settings:

  1. Subscription: your subscription that will be charged for the resource(s)

  2. Resource Group: The resource group containing your resources

  3. Application gateway name: descriptive name to identify this resource (app-gateway-engineering)

  4. Region: The region to deploy this resource into

  5. Tier: Standard V2 (determined by risk - V2 includes auto-scaling, WAF includes web-application firewall - this can be changed after initial deployment)

  6. Enable autoscaling: Yes (determined by risk and cost)

    1. minimum scale units: 0

    2. maximum scale units: 2

    3. Availability zone: Zones 1

  7. HTTP2: Disabled (default - enabling HTTP/2 may require additional application development or service troubleshooting)

  8. Virtual network: Engineering-subnet-2 (this virtual network must have multiple subnets, one of which is dedicated to the application gateway(s))

  9. Subnet: security_engineering-public02 (dedicated subnet)

  10. Select Next: Frontends to continue


Frontends Tab

  1. On the Frontends tab, verify that Frontend IP address type is set to Public (may be Public, Private, or Both - dependent on implementation and routing)

    1. Add new if you do not have a free public IP (this may incur additional costs)

  2. Choose Create new for the Public IP address, enter the following for the public IP address, and then select OK.

    1. Name: engineering-app-gateway-public-ip

    2. SKU: Standard (Basic, Standard - may not be able to choose)

    3. Assignment: Static (Dynamic, Static - may not be able to choose)

    4. Availability zone: 1 (limited to the zones chosen on the Basics tab)

  3. Select Next: Backends to continue

Backends tab

The backend pool is used to route requests to the backend servers that serve the request. Backend pools can be composed of NICs, virtual machine scale sets, public IPs, internal IPs, fully qualified domain names (FQDN), and multi-tenant back-ends like Azure App Service.

In this example, you'll add a virtual machine (VM) as the target backend for your application gateway. If you don't have an existing VM provisioned, you can follow the Microsoft docs link here to create a VM and test the application gateway.

  1. On the Backends tab, Add a backend pool

  2. In the Add a backend pool window that opens, enter the following values to create a backend pool:

    1. Name: engineering-backend-pool

    2. Add backend pool without targets: No

    3. Backend targets:

      1. Virtual machine: name of your virtual machine (multiple if available)

  3. In the Add a backend pool window, select Add to save the backend pool configuration and return to the Backends tab

  4. Backend pool: engineering-backend-pool

  5. On the Backends tab, select Next: Configuration.

Configuration tab

On the Configuration tab, you'll connect the frontend and backend pool you created using a routing rule.

  1. Select Add a rule in the Routing rules section.

  2. In the Add a routing rule window that opens, enter the following:

    1. Rule name: app-gateway-route-rule-http

    2. Listener:

    3. On the Backend targets tab, enter the following details:

  3. For the HTTP setting, enter the following details:

    1. Select Create new to create a new HTTP setting.

  4. In the Add a routing rule window, select Add to save the routing rule and return to the Configuration tab.

  5. Select Next: Tags to continue

Tags

Tags are name/value pairs that enable you to categorize resources and view consolidated billing by applying the same tag to multiple resources and resource groups.

  1. Enter the following details:

  2. Select Next: Review + create

Review + create

Review the settings on the Review + create tab, and then select Create to create the virtual network, the public IP address, and the application gateway.

It may take several minutes for Azure to create the application gateway. Wait until the deployment finishes successfully before moving on to the next section.



Resources successfully created.

  1. Microsoft.Resources/deployments: OK

  2. Microsoft.Network/applicationGateways: OK

  3. Microsoft.Network/publicIPAddresses: OK

Application gateway with a Web Application Firewall (WAF)

You can also create an application gateway with a Web Application Firewall (WAF). Follow the Microsoft docs link here.

Enable Event Hub

  1. Navigate to the application gateway resource.

  2. Click Add diagnostic setting.

  3. Enter the diagnostic setting name engineering_logs.

  4. In the Category details section, under Logs, select the following options:

    1. ApplicationGatewayAccessLog

    2. ApplicationGatewayPerformanceLog

    3. ApplicationGatewayFirewallLog

  5. Choose the option Stream to an event hub and select the following:

    1. Subscription: Armor TDE (the subscription this resource will be billed to)

    2. Event hub namespace: armoreventhubnamespace (the name of the event hub namespace)

    3. Event hub name: armor-logs

    4. Event hub policy name: armor-logs (depends on risk and permissions - this may be defined by another user/group within your organization)
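Because the event hub (armor-logs) can carry diagnostic records from many resources, a quick way to confirm that the three selected categories are actually arriving for this gateway is to inspect a message body from the hub. The following Python check is an added example, not part of this article or the Armor platform; the message is a constructed sample in the Azure diagnostic "records" envelope, and the resource name app-gateway-engineering is taken from the Basics tab above.

```python
import json
from collections import Counter

# Categories selected in the diagnostic setting described above.
EXPECTED_CATEGORIES = {
    "ApplicationGatewayAccessLog",
    "ApplicationGatewayPerformanceLog",
    "ApplicationGatewayFirewallLog",
}

# Constructed sample of one Event Hub message body (Azure diagnostic
# "records" envelope). Subscription id and IPs are placeholders.
RESOURCE_ID = ("/SUBSCRIPTIONS/<subscription-id>/RESOURCEGROUPS/ENGINEERING"
               "/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/APP-GATEWAY-ENGINEERING")
SAMPLE_EVENT_HUB_MESSAGE = json.dumps({"records": [
    {"time": "2024-01-01T00:00:00Z", "resourceId": RESOURCE_ID,
     "category": "ApplicationGatewayAccessLog",
     "operationName": "ApplicationGatewayAccess",
     "properties": {"clientIP": "203.0.113.10", "httpMethod": "GET",
                    "requestUri": "/", "httpStatus": 200}},
    {"time": "2024-01-01T00:00:01Z", "resourceId": RESOURCE_ID,
     "category": "ApplicationGatewayFirewallLog",
     "operationName": "ApplicationGatewayFirewall",
     "properties": {"clientIp": "203.0.113.10", "requestUri": "/",
                    "action": "Blocked", "ruleId": "<rule-id>"}},
    {"time": "2024-01-01T00:00:02Z", "resourceId": "/OTHER/RESOURCE",
     "category": "ApplicationGatewayPerformanceLog", "properties": {}},
]})


def records_for_gateway(body: str, gateway_name: str) -> list:
    """Keep only records whose resourceId ends with this gateway's name
    (the hub is shared, so other resources' records are filtered out)."""
    records = json.loads(body).get("records", [])
    suffix = "/" + gateway_name.upper()
    return [r for r in records if r.get("resourceId", "").upper().endswith(suffix)]


def categories_seen(body: str, gateway_name: str) -> Counter:
    """Count records per diagnostic category for the given gateway."""
    return Counter(r.get("category", "<missing>")
                   for r in records_for_gateway(body, gateway_name))


def missing_categories(body: str, gateway_name: str) -> set:
    """Selected categories with no records yet. Note: the firewall log only
    exists for the WAF tier, and the performance log is emitted on a
    periodic schedule, so a short capture may legitimately lack them."""
    return EXPECTED_CATEGORIES - set(categories_seen(body, gateway_name))
```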


Verify Connection In AMP

To learn more about "Search For Collected Logs In Kibana (BETA)", see the article here.

  1. Click Discover to go to the log search screen.

  2. The Armor platform assigns a unique identifier to each log source, for example 1024-event_hub_name-consumer_group. Search with this unique identifier.


Webhook Tagging

To learn more about Webhook Tagging, see the article here.

Cloud-based logs (e.g. Azure Application Gateway) are assigned unique identifiers by the Armor platform, and you must log in to AMP to access them. The identifiers can be found in the "HOSTNAME" column at https://portal.armor.com/security/log-management?activeTab=tab-External-Sources.



The tags endpoint is then called with the unique identifier, e.g. 1024-event_hub_name-consumer_group:

POST /tags/1024-event_hub_name-consumer_group

Request Body:
{ "tags": [ {"Key":"id","Value":"companyX"}, {"Key":"index","Value":"production"} ] }

If the full resourceId (1024-event_hub_name-consumer_group) is not found, the Organization Id (1024) is used to look up the tag information.
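The request shape and the fallback from the full identifier to the Organization Id, written out as an added Python example (not code from this article or from the Armor platform). The tag store, the identifier 1024-armor-logs-$Default and the hypothetical apply_tags function are constructed for illustration; only the Organization Id is parsed from the identifier, since an event hub name such as armor-logs may itself contain hyphens.

```python
from typing import Dict, List, Optional

TagList = List[Dict[str, str]]

# Constructed tag store keyed the way the article describes: either the full
# log-source identifier (<org id>-<event hub name>-<consumer group>) or the
# bare Organization Id. Not real AMP data.
TAG_STORE: Dict[str, TagList] = {
    "1024": [{"Key": "id", "Value": "companyX"}],
    "1024-armor-logs-$Default": [
        {"Key": "id", "Value": "companyX"},
        {"Key": "index", "Value": "production"},
    ],
}


def build_tag_request(resource_id: str, tags: Dict[str, str]):
    """Return (method, path, body) for the tags endpoint shown above.
    The body is serialized to JSON by the HTTP client when sent."""
    body = {"tags": [{"Key": k, "Value": v} for k, v in tags.items()]}
    return "POST", f"/tags/{resource_id}", body


def organization_id(resource_id: str) -> str:
    """The Organization Id is the numeric prefix before the first '-'."""
    prefix = resource_id.split("-", 1)[0]
    if not prefix.isdigit():
        raise ValueError(f"identifier does not start with an Organization Id: {resource_id!r}")
    return prefix


def resolve_tags(store: Dict[str, TagList], resource_id: str) -> Optional[TagList]:
    """Look up the full identifier first; fall back to the Organization Id."""
    if resource_id in store:
        return store[resource_id]
    return store.get(organization_id(resource_id))


def apply_tags(store: Dict[str, TagList], resource_id: str, tags: Dict[str, str]) -> TagList:
    """Hypothetical server-side handling of the POST: store the tags under
    the full identifier so later lookups no longer need the fallback."""
    _, _, body = build_tag_request(resource_id, tags)
    store[resource_id] = body["tags"]
    return store[resource_id]
```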



Troubleshooting common issues

Validate that logs are flowing for the Application Gateway. Refer to the following steps from the Microsoft docs to verify the application gateway:

  1. Install IIS for testing

  2. Test the application gateway