App gateway -- Cue Intro -------------------------------------------------------------------------- Hi, and welcome back to the network in the cloud series as we open the door to Azure Application Gateway. Application Gateway is a web application load balancer that offers both web application load balancing and web application firewall (WAF) services. It can proxy web connections for a single site or web application as a stand-alone proxy, or for multiple web sites or web applications at once, a configuration more commonly referred to as 'multi-tenant'. Application Gateway routes only web traffic (HTTP, HTTPS, HTTP/2 and WebSocket). It cannot route non-web traffic such as SMTP or FTP, because it makes its decisions on the application-layer request (host header, URL path, cookies) rather than forwarding raw TCP streams. It is for this reason that the app gateway is commonly referred to as a layer-7 gateway. ------------------------------------------------------------------------------------ Application gateways come in two varieties. The first is an external Application Gateway, which is reachable from the public internet through a public frontend IP. An external application gateway can be placed anywhere so long as its subnet routes directly to the internet; it will not function if the subnet's default route is sent through a network virtual appliance such as a Palo Alto firewall. The other type is an internal Application Gateway. A hub-and-spoke, or 'traditional', cloud topology allows internal web applications to be positioned behind a network virtual appliance, such as a Palo Alto firewall, for increased security and privacy. Internal application gateways cannot be reached from the public internet: they have only a private frontend IP and can be exposed to consumers through Private Link connections. -------------------------------------------------------------------------------------- There are two versions of the application gateway, version 1 and version 2. 
Each version has its own network security group requirements. Both require virtual network permissions to be allocated: the identity that deploys or operates the application gateway needs, at the very least, the Microsoft.Network/virtualNetworks/subnets/join/action permission on the VNet or subnet. This also applies to the managed identity used by an ingress controller. The built-in Network Contributor role already includes this permission, so check that your users and identities are assigned the correct RBAC roles. Version 1 of the application gateway requires an inbound NSG rule allowing the GatewayManager service tag, from any source port, to destination ports 65503-65534. Version 2 requires an inbound rule allowing the GatewayManager service tag, from any source port, to destination ports 65200-65535. These are the ports the Azure control plane uses to manage the gateway instances; they are not listener ports for your clients, but they must stay open or the gateway will not be healthy. Azure load balancer health probes must also be allowed using the AzureLoadBalancer service tag. The default rule AllowAzureLoadBalancerInBound already permits this, so remember not to override it with a higher-priority Deny rule. Outbound rules must allow traffic from anything in the subnet to the Internet for all destinations; the default AllowInternetOutBound rule covers this, and it must not be overridden with a Deny rule. ----------------------------------------------------------- Before you begin to implement your application gateway you must consider which version you wish to use, and whether you want to integrate WAF support or configure the gateway as a load balancer without WAF. Version 1 of the application gateway natively supports an internal (private frontend only) configuration. Version 2 is currently recommended by Microsoft, and while it can support an internal configuration, at the time of recording this is only available in private preview, which will end once internal gateway support for version 2 is fully released. Internal gateway support for version 2 may be fully featured by the time you view this video. Microsoft currently recommends a /24 address space for the gateway subnet, which must be dedicated to application gateways. 
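The NSG requirements described above, expressed as a Bicep template. This is an added example written for this page, not code from the video or from Microsoft's documentation samples. The service tags (GatewayManager, AzureLoadBalancer, Internet) and the per-version port ranges are the platform's; the resource name nsg-appgw-subnet, the clientSourcePrefix parameter, the 80/443 listener ports and the rule priorities are assumptions for illustration.

```bicep
// Added example (not from the video or Microsoft samples): an NSG for the
// Application Gateway subnet that satisfies the platform requirements.
// Resource name, listener ports, clientSourcePrefix and priorities are assumed.

@description('Application Gateway SKU generation: v1 or v2. Selects the GatewayManager port range.')
@allowed(['v1', 'v2'])
param skuVersion string = 'v2'

@description('Source prefix allowed to reach the listeners (assumed). Use your VNet ranges for an internal gateway.')
param clientSourcePrefix string = '*'

param location string = resourceGroup().location

// Control-plane ports differ by SKU generation (v1: 65503-65534, v2: 65200-65535).
var gatewayManagerPorts = skuVersion == 'v1' ? '65503-65534' : '65200-65535'

resource appGwNsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-appgw-subnet'
  location: location
  properties: {
    securityRules: [
      {
        // Azure control plane managing the gateway instances. The source must be
        // the GatewayManager service tag; do not replace it with '*' or an IP list.
        name: 'AllowGatewayManagerInbound'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: 'GatewayManager'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: gatewayManagerPorts
        }
      }
      {
        // Health probes. Duplicates the default AllowAzureLoadBalancerInBound
        // (priority 65001) so a custom deny-all cannot shadow it.
        name: 'AllowAzureLoadBalancerInbound'
        properties: {
          priority: 110
          direction: 'Inbound'
          access: 'Allow'
          protocol: '*'
          sourceAddressPrefix: 'AzureLoadBalancer'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
      {
        // Client traffic to the listeners (assumed to be 80 and 443).
        name: 'AllowWebInbound'
        properties: {
          priority: 120
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: clientSourcePrefix
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRanges: ['80', '443']
        }
      }
      {
        // Explicit deny. It must have a higher number (lower precedence) than the
        // GatewayManager and AzureLoadBalancer allows above, or the gateway breaks.
        name: 'DenyAllOtherInbound'
        properties: {
          priority: 4000
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
      {
        // Outbound Internet is required; never add an outbound Deny that
        // overrides the default AllowInternetOutBound rule.
        name: 'AllowInternetOutbound'
        properties: {
          priority: 100
          direction: 'Outbound'
          access: 'Allow'
          protocol: '*'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: 'Internet'
          destinationPortRange: '*'
        }
      }
    ]
  }
}

output nsgId string = appGwNsg.id
```

The ordering is the point to check in review: the platform allows sit at priorities 100 and 110, the tenant deny at 4000, so a later "deny all inbound" added for hardening cannot take precedence over the GatewayManager and AzureLoadBalancer rules. Switching skuVersion to v1 changes only the destination port range.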
A /24 gives 256 addresses, but Azure reserves five IP addresses in every subnet for internal use (the first four addresses and the last), leaving 251 usable for the application gateway. Each application gateway uses one private IP per instance, plus one more private IP address if a private frontend is configured. That means that for 10 application gateway instances without a private frontend you will need at least 15 addresses: 10 for the instances and 5 reserved by Azure. Version 1 of the application gateway can scale to 32 instances. Version 2 can scale to 125 instances, and because version 2 autoscaling adds instances on demand, size the subnet for the maximum instance count rather than the count you start with. Thanks again for joining me as we continue to learn more about cloud computing and Application Gateway. -------------------------------------------------------------- Cue Outro.