Introduction
Hi Guys! Welcome back to my blog. Today I’m going to work the lab demo with you about the configuration of the Azure Application Gateway and Virtual machine scale sets. VMSS is configured as the backend pool of App Gateway. This lab will walk you through the steps-by-steps guide of implementation in Azure cloud using Azure cli command line interface. I am not covering technical deep dive of theory concepts in this blog, basically when the public users browse the app gateway frontend IP, and the app gateway will analysis through its defined rules and forward its traffic to backend pool (VM scale sets) where your application or web app resides.
Application Gateway
Azure Application Gateway is layer 7 HTTP/HTTPS load balancing solutions which much different from Azure Standard Load balancer, it can only listen on Layer 4 ports TCP/UDP. App gateway has many features like path base routing, route traffic based on the URL path to the backend pool (for e.g. route the /image to one of the backend pool Azure VM and /video to VMSS. Moreover, App Gateway allow to enable the Web Application firewall is use for https public APP to prevent the malicious traffic. WAF protect many security features, one of them is SQL injection attack.
Application Gateways are ideal when you require some of the following features:
- Web-based traffic in any of HTTP, HTTPS, or WebSocket protocols
- TLS/SSL offloading
- Built-in web application firewall
- Cookie affinity for sticky sessions
This Lab will take you through a scenario of deploying a web application in Azure and creating and configuring an Application Gateway and load balance the web application’s traffic. The Lab uses the Azure CLI to create and configure resources in Azure. See here for more details. Azure Application Gateway documentation | Microsoft Learn
Virtual Machine Scale Set
Azure Virtual Machine Scale Sets let you create and manage a group of load balanced VMs. The number of VM instances can automatically increase or decrease in response to demand or a defined schedule. Scale sets provide the following key benefits:
- Easy to create and manage multiple VMs
- Provides high availability and application resiliency by distributing VMs across availability zones or fault domains
- Allows your application to automatically scale as resource demand changes
- Works at large-scale
If you’re from AWS background, it is similar like Auto Scaling Group in AWS. VMSS scale out new VM/instance in the event of high workloads and monitor the metric. You can manually scale out or do the schedule scale out as well. The VM will be bringing up in your desired states using tools like ansible configuration management tool or define your customized image which created with AWS AMI or terraform HashiCorp packer.
Architecture Components
This demo will be created App gateway, VMSS, Vnet, 2 subnets, frontend public IP and network security group using Azure CLI. Basically, the users will browse (http) of the app gateway frontend ip address and app gateway redirect to backend pool as configured in the app gateway layer7 rule.
- Virtual network – myVnet001 – 10.0.0.0/16
- AppGateway Subnet – myAGSubnet – 10.0.1.0/24
- Backend Subnet – AppBackendSubnet -10.0.2.0/24
- Network Security Group – Allow all TCP -Attached to Backend pool.
As the demo, NSG is allowed all TCP protocol from any source to 10.0.2.0/24 as destination in this lab. Please be aware that in the production environment the security acl should allow explicitly to only required protocol and specific source/destination.
Prerequisite
- Working at the command line in Linux
- Installed Azure Cli, WSL or git bash(Git for windowOS)
- Azure AD user account with privileges role to deploy resources.
- Basic Azure concepts including resource groups, virtual networks, VMs, and the Azure CLI
Alma 9 OS is utilize in the VMSS pool as the replacement of RPM based CentOS. Predefined scripts are triggered to install apache web server and listening on port 80. This lab will deploy 2 VM in the VMSS group initially and shows load balancing of VMs at the end of the lab.
Deployment Steps
1. Install Azure CLI and authenticate by typing command “az login”
2. Use git bash or window subsystem for Linux (WSL)
- Type command wsl in command prompt. (required to install wsl)
- Type “az login” (prompt you to authenticate credential on web portal)
3. Paste below command to define resource group and parameter.
location=southeastasia
rgname=RG001
vnetname=myVNet001
gatewaysubnet=myAGSubnet
appgatewayname=APPGW001
# Create a resource group
az group create --name $rgname --location $location
4. Create network security group and NSG rule.
#create NSG
az network nsg create -g $rgname -n MyNsg -l $location
#create NSG rule
az network nsg rule create \
--name Allowhttpssh \
--nsg-name MyNsg \
--priority 110 \
--resource-group $rgname \
--access Allow \
--destination-address-prefixes 10.0.2.0/24 \
--destination-port-ranges '*' \
--direction Inbound \
--protocol Tcp \
--source-address-prefixes '*'
5. Create Vnet, subnets and Public IP address
# Create network resources
az network vnet create \
--name $vnetname \
--resource-group $rgname \
--location $location \
--address-prefix 10.0.0.0/16 \
--subnet-name $gatewaysubnet \
--subnet-prefix 10.0.1.0/24
az network vnet subnet create \
--name myBackendSubnet \
--resource-group $rgname \
--vnet-name $vnetname \
--address-prefix 10.0.2.0/24 \
--network-security-group MyNsg
az network public-ip create \
--resource-group $rgname \
--name myAGPublicIPAddress \
--sku Standard
6. Create application gateway
az network application-gateway create \
--name $appgatewayname \
--location $location \
--resource-group $rgname \
--vnet-name $vnetname \
--subnet $gatewaysubnet \
--capacity 1 \
--sku Standard_v2 \
--http-settings-cookie-based-affinity Disabled \
--frontend-port 80 \
--http-settings-port 80 \
--http-settings-protocol Http \
--public-ip-address myAGPublicIPAddress \
--routing-rule-type Basic \
--priority 1001
Sometime you may get error when copy and paste in bash due to command is too long try either with wsl or git bash bash shell.
7. Create VM scale sets and run the script at boot up
# Create a virtual machine scale set Alma 9 image
az vmss create \
--resource-group $rgname \
--name vmss \
--image solvedevops1643693563360:alma-linux-9:plan001:2023.06.02 \
--admin-username azureuser \
--admin-password P@ssw0rd123456 \
--authentication-type password \
--instance-count 2 \
--vnet-name $vnetname \
--subnet myBackendSubnet \
--vm-sku Standard_B1s \
--upgrade-policy-mode Automatic \
--app-gateway $appgatewayname \
--backend-pool-name appGatewayBackendPool \
--storage-sku Standard_LRS
#--custom-data custom-data.txt
# Install NGINX
az vmss extension set \
--publisher Microsoft.Azure.Extensions \
--version 2.0 \
--name CustomScript \
--resource-group $rgname \
--vmss-name vmss \
--settings '{ "fileUris": ["https://raw.githubusercontent.com/ConnecttheCloud/AWSTerraformLab1/main/userdata.sh"], "commandToExecute": "./userdata.sh" }'
8. To view the output of public IP address of APP GW and browse in browser.
# Get the IP address
az network public-ip show \
--resource-group $rgname \
--name myAGPublicIPAddress \
--query [ipAddress] \
--output tsv
Congratulations! You have successfully deployed VMSS and App GW with required infrastructure in Azure. Note down the Public IP which get from step 8 and browse it in the browser and refresh until seeing different private ip address and hostname to verify load balancing across 2 VMs.
Alright, now it is time to explore what you’ve created in Azure Resource Group and see all single resources and configurations to understand the technology and configurations. Especially go through the App Gateway and VMSS every configuration tabs.
Destroying Resources
Well done folks!! you did it. Before you go any further, let’s tidy up the resources that created on Azure not to be invoiced the surprised bills at the end of the month. Below command will delete the resource group in Azure.
az group delete -g $rgname -y
0 Comments