Azure AD App Proxy Deep Dive

Captions
Hey everyone, in this video I want to talk about Azure AD Application Proxy, or App Proxy for short, a great solution for getting us access to applications that were on our on-premises network without having to worry about maybe more legacy types of technology. So if we take a step back, if we think that while we're adopting a lot of cloud services today, there's still a large number of things running in our network. Now obviously if I'm running in the cloud there are many ways to make them available to the internet. If it was just something running in a VM I can use things like Azure App Gateway with web application firewall; if it's a native service it often has a public endpoint; I can add things like Front Door for global balancing with, again, a web application firewall. There are many options to make it available. I'm going to focus more on "hey, I've got things in my local network". So I can consider, well, I've got my existing on-premises network. Let's say for example I've got a couple of apps, so I'm going to say, hey, I've got app 1 over here, and give myself some space for later on; I will have an app 2. So they're sitting on our on-premises network and we want access to it. Now when people just were in the office they were on this same local network, there was no issue, but as people have pushed more to working from home, working from anywhere (COVID had a huge push), how do we still keep people having access to the applications? Now one option: I can have a VPN. So I could absolutely deploy in my network a virtual private network solution, and remember what we have is ultimately the person is sitting somewhere outside the network and they're sitting on their machine. So I could have a VPN. Now obviously with a VPN I essentially have to make a hole here to allow communication to come in, but then sure, the user can establish something like a point-to-site VPN connection which makes them exist as though they're on the network. Another option could be some kind of reverse proxy solution,

but again I have to open up some hole in my network to again allow some inbound connections. So both of these solutions require me to accept inbound. I can have DMZs, I can segregate my network, but ultimately we try to avoid this; it's not a pleasant situation for us to be in if I've got to have some hole opened out to the internet and then I have to worry about how do I secure that, how do I stop people doing bad things. So as we have this big shift to the cloud we've also had this shift to zero trust. I don't even like the idea of, well, just because I've got some IP that's on the network, that's all I care about. The big shift, if we really think about what's happening here, is it's all going to identity. Now when I think of Azure and many other solutions, if I think of, well, what is our identity solution for all of our identities? They live in Azure Active Directory. Now those identities could be synchronized from on-premises, they could be cloud only, they could be driven by external HR systems; there's many different things I can do there, but the fact is the identity itself has shifted, and our way of securing things is we constantly re-evaluate, we constantly check the health, and so I don't want to just rely on this network construct. Also, most applications today are web protocol based, HTTPS for example, so how can I make them externally available in an identity-centric way? And as you're going to guess, the solution (I'll do this in slightly different colors so we can focus on the components) is App Proxy. So Azure AD App Proxy provides this ability to expose our, I'm going to say on-premises, applications. Technically it could be in some cloud virtual network and for some reason I don't want to use maybe just an app gateway or load balancers; maybe I want to take advantage of some of the features we're going to talk about in App Proxy to expose. So while I'm focusing on the fact that it's in an on-premises network, technically it doesn't have to be. I'm going to be able to use the same

concepts we're going to focus on even if these apps were running in virtual networks, but I wanted to expose them via App Proxy to take advantage of those capabilities. So App Proxy is all about providing this secure zero trust remote access solution for those applications, and the best part is I don't have to open up these holes to accept inbound communications; it's all going to flow that direction. So let's talk about, at a higher level, how this thing is going to function. So we have the App Proxy service. Now obviously if I want to be able to communicate to applications running on my network there has to be some way for those to communicate, so the way it works is there's going to be some Azure AD App Proxy connectors. So on premises, or on the network where the things are we want to expose, I'm going to deploy connectors. So I'm going to have these connectors installed, and I'm really thinking about n number, i.e. more than one: more than one for resiliency purposes, more than one for scale purposes. So I'm going to add multiple connectors. These need network line of sight to the application I want to expose; these are what's going to be doing that communication for me, and all these require is an outbound 443. That's all it has to do, because what's going to happen here is these connectors essentially are going to make a tunnel outbound in this way. So it's going out to 443; that is the direction of the connection. I do not have to have any inbound ports open at all. So I deploy these connectors (we're going to go into more detail about this), so the next thing I have to do is I want to expose app 1. So what I would do in Azure AD, I'm going to say, okay, well, I'm going to add app 1 as an application, but I'm going to say, well, I want to use Azure AD App Proxy. There's some nuances around this and we're going to get into that. So I've deployed the connectors and now I'm going to go and add my application. Now what this does is, when I add the application, as part of this configuration,

well, there's what is the internal URL, how does it actually talk to it, then it's going to expose via App Proxy an endpoint, a name that the client talks to. So for this app 1, yes, it corresponds to an internal URL, but it's going to offer now an external endpoint via App Proxy, and so the user at this end device, well, they go and talk to that endpoint. Maybe I should also say: you're going to deploy the connectors first, you go and add the applications, then the flow is, well, the user tries to talk to that external endpoint. Now it's integrated with Azure Active Directory, so it wants a token, so it will redirect the user to authenticate to Azure AD. They try and connect, it's going to say "no, no, go", and so they will go and authenticate to Azure AD, which will generate them a token, which they will then give back to App Proxy. So it's going to make them do that authentication, and this authentication (actually I'm going to tidy this up just a little bit, so I want a little bit of space), so that authentication is really important because now it's going and talking to Azure AD saying, hey, I need a token, so Azure AD is going to be able to do a lot of checks for things that we need. So we have to do that authentication for this to actually work. So it's going to make them go and authenticate, but it's got that token over here that it can then go and give to Azure AD App Proxy. So it's gone through that authentication stage, so I could think about, okay, they made the request, they go through the authentication, and now what will happen is the App Proxy service has this tunnel that's been established to these connectors, so it can now, on that user's behalf, send the request through the tunnel, and that connector, well, it has line of sight. Now there were some clever things we can actually do here if we want to; we're going to talk about this in more detail, but these on-premises applications, now on premises I also have things like Active Directory; there are different ways these applications may handle
authentication. Maybe it's Windows Integrated Authentication, so Kerberos, and so this is an Azure AD claim and a token which is going to be meaningless. So one of the things that can optionally happen is this connector could actually go and do Kerberos constrained delegation, get a Kerberos ticket from AD, and then with that I can go and present it to the application, which will send me the data back. So this whole flow of all of the different things happening: so I've got that communication, this was kind of step five of the flow, and then it will send the response back up this connection and ultimately, finally, send the data back to the user. To the user all of this is basically transparent, but what it's enabled me to do is, from an end experience, I've accessed an internal app using purely an external URL; I've not exposed any ports out to the internet from my internal network, and I'm taking advantage of Azure Active Directory for that authentication and, as we're going to see later on, the authorization as well. Now this authentication is optional; this is called a pre-authentication with Azure Active Directory. I don't have to do that, this is purely optional, so maybe I should put in a little square bracket to show it's optional. I could do pass-through. Pass-through, exactly as the name suggests, so this is kind of a pre-auth; I don't have to do that, I could totally just pass it through, but this is definitely recommended, this ability to tie into Azure AD for the identity and all of the key things that that means. Think of conditional access, think of that risk-based assessment; it's really powerful. We want to move to this zero trust world and think of what are all the signals coming in before I grant access to some resource. Now I guess I should quickly say, so obviously this Azure AD App Proxy is therefore a fully cloud-based managed service. I need an Azure AD P1 or above license, so a P1 or P2, so that comes with things like E3 and E5, but all of this I just configure through Azure Active Directory and it

is actually very, very simple to set up. So with that said, hey, it's very, very simple to set up, but maybe we should talk about what exactly is that setup. So the first thing we have to do is I have to get these connectors; that really is step one. So this is an agent, a connector, that I deploy on my network that has line of sight to the target applications I want to expose, and what I actually do is I create a group of connectors. So when I think about what I'm actually doing here in App Proxy, one of the configurations I have is something called a connector group, and we call this connector group 1, and what I'm actually doing is, when I think about, hey, I'm adding all of these multiple connectors, n number, well, when I add them I put them in a specific connector group, because I can have more than one connector group. And the reason I might do that, well, think about there's different applications I want to expose; maybe some applications are more general purpose, so I have a bunch of connectors in a general connector group that is used for app 1 or app 2 and app 3. So as part of the configuration up here I actually tell the app which connector group it's going to be offered via. But maybe I have a super, super important application, critical, and that application I want to make sure it doesn't have some noisy neighbor problem with the connector group being busy with some other application. So what I can do here is I can deploy some other connectors; so maybe I'll deploy another set of connectors over here, again n number of connectors, and what I'm going to do is I'm going to create a connector group 2 (and I can give them better names than this, obviously, but I'll say connector group 2). These connectors I'm going to add to this specific connector group, and it may be what I'm doing is, well, that was app 1; well, maybe I'm also going to go ahead, maybe I'm also adding app 2, and app 2 is this super important app and it's going to use connector group 2.

So app 1 and 3 and 4 and 5, they can use this general purpose one; this super critical one, I want it to have its own connector group, so I can go and again deploy multiple connectors and put those in. Now how do I deploy these connectors? So if we jump over to the portal, I'm going to use the Entra portal; again this is exposed in the regular portal.azure.com if you come and look at Azure AD, but what we're going to do is we're going to go and look under Applications. So we go to Applications, we're going to look over here at Enterprise applications, so here's my Enterprise applications. We can see in the menu we have Application proxy. Now as part of Application proxy the first thing you're going to see is this "Download connector service". You click this, what it's going to kick off, once you accept the terms (and actually notice the requirements: Windows Server 2012 R2 or later, so Windows Server 2012 R2, Windows Server 2016, Windows Server 2019; I do not believe this has currently been tested on Windows Server 2022, so probably would avoid that for now), but you basically go and download this, and what it's given me is this installer, and all I do is, on the Windows Server box that is going to run this connector, I run (so this is a Windows Server box) I run that executable. It's going to ask me to authenticate, so it's going to authenticate to Azure AD; I do that one time and that's it for the configuration. It will set up, I think, two services on the back end: one of them is actually the connector service, one of them is a connector update service, and they're just going to run quite happily in the background, and that's it. That's the entire setup: run the EXE, authenticate once, and now it will be registered with your Azure AD App Proxy service. So repeat this on multiple separate boxes. Now could I install the connector service on the app 1 boxes? You can; they're not going to stop you doing it. Obviously realize it's using a certain amount of resource, so depending on what the app

is doing you may have resource contention, so typically you'll deploy these as separate instances. But if it was a really, really light workload, maybe I had three app 1 boxes, well, maybe it's not that busy; yes, you could install multiple connectors on each of those app back ends as well. It's up to you, but typically there'll be just these separate deployments. Being a lightweight environment, yes, I could install the connector on application or some other infrastructure service I have running in my environment; it doesn't have to be dedicated just to the connector. So I've installed the connectors, I've authenticated, so now it shows up in App Proxy. Now I also have created, let's get another look over here, remember I can create connector groups, so I can just go and create a connector group, so connector group 3, and I could select what connectors that I've added I want to be part of that connector group. So if I selected that, for example, I've got these different options available to me, and hey, I could actually go and just create that connector group at this point; I would hit create, but I've already got two, I don't want that. You notice I've actually got two connector groups configured. Now I only have one connector for each of them; that's not the good thing to do, normally you would have multiple connectors for each connector group, but this is just a little lab playing around. So I have my default connector group with one connector in it, and I have my critical connector group where I have a dedicated connector just for this very, very critical doggo app. Now I can move these: if I select the connector I can change what connector group I want it to be part of. So if I just go and add my connectors they'll align to the default, but I can just go and select it and then move it to whichever connector group I actually want. So it is super, super simple to reconfigure and move those around based on what I actually need. Okay, great, so at this point we have this
set up. I've got my connector groups, I've got my connectors, they're establishing their outbound flow; there's nothing inbound, I'm not opening up any ports, remember it's establishing an outbound connection. Now I want to make an app available, so it's very, very simple. All I need to know is what is the internal URL, and I'm going to pick a name for how it will be exposed on this external endpoint. For the particular apps there's going to be this external endpoint that represents the application. It's probably easier just to show it, so if we jump back over again, it's an Enterprise app, so what I would do is, if I go back to my Enterprise applications (let's close that, go to my Enterprise apps) and if I hit New application, Create your own, one of the options I have here is Configure App Proxy. So I'm adding my own and I'm going to use App Proxy for it, so I could put in, and we'll call it test 1, Create. Now notice it doesn't actually ask me a lot: give it a name, so I'll call it test 1; what is the internal URL, so this is what that connector is going to connect to. So what it's asking me here is: this request is going to be sent to the connector, so what is the name that the connector will go and look up in its internal DNS to establish the connection to? So the internal name is, hey, if I was sitting on this network, what would I connect to? So maybe doggo.savilltech.net is the internal name, so that's what that thing is. So I go back, I'd put in (it doesn't have to actually be HTTPS, and my example isn't), so it could just be some regular HTTP, doggo2.savilltech.net, and notice it's generating an external URL for you, and it's going to by default be the name of your tenant .msappproxy.net, so it's showing you what that full external name would be. Now you can absolutely change this: I could change this to be a name under savilltech.net. Now realize it's still making it available via the msappproxy, so what it's saying is, hey, look, if you want a custom name for the external URL, sure, we can do that; you're going to have to

go and add an alias, a CNAME, that says, hey, for the name you want it to be, test1, you need to add a CNAME record to your public DNS that points to test1-savilltechlab.msappproxy.net. Now the reason I might want to do this, and the reason it needs to know, is because it is using HTTPS, it is going to be encrypted, and so it's going to need a certificate to do that. So you couldn't just create that alias in your DNS and go and talk to test1.savilltech.net over HTTPS, because it's expecting that msappproxy.net name; the fully qualified domain name you're trying to talk to will not match the name it is expecting. You're going to be sending it "hey, test1.savilltech.net", it's msappproxy, it's SSL, so it's for msappproxy; it will fail. So the reason it has to know, if you want to use an alias over here, is so that the certificate it uses will match the name it's going to be sent. So if you do add that and you don't have a current certificate configured for that name you've added to your Azure AD, you'll have to upload a certificate for that name so it can do that. So essentially what you're doing in that case is kind of a split-brain DNS most likely, and maybe I have savilltech.net down here as my internal DNS that's not public facing, and I'm creating a split-brain, a public savilltech.net zone which has completely different records, and I'm going to create a CNAME that says, hey, test points to this external endpoint, the regular msappproxy. I don't have to do that at all, but that's one of the options you have if you wanted users to not have to think about what this external name thing is; I can just make it use something that's more familiar. However, I'm actually going to stop doing this for a second and I'm going to go and look at an app I've already configured. So if I find doggos, so my doggo app, and if we go to Application proxy we can see, so my internal URL was doggos.savilltech.net, its external name is doggos-savilltechlab.msappproxy.net. So those are the two

very, very basic things you have. Now also you have to assign users to it, so I've assigned John Savill to be able to use this application; otherwise, by default, I've not made it generally available, people won't be able to access. Now also we have this idea of pre-authentication, and this is what I was talking about. So I've got pre-authentication turned on, so I'm using Azure AD; I could have done pass-through, in which case, hey, it just sends it through, but I don't want to do that, I actually want to take advantage of Azure Active Directory doing this. So this whole idea of the pre-authentication is one of the huge values we get here, because it doesn't matter what the application natively does; because we're going through App Proxy I'm saying, hey, I want you to pre-authenticate the request, make them auth with Azure Active Directory. And then, hey, what connector group am I using? Now there are some advanced options and we're going to ignore these for right now, but just when I say ignore them, there are a couple of interesting translation options that we kind of see; we'll come back for that. But this pre-authentication with Azure Active Directory: so if I try and access the application, well, let's just do that. So if I try and access the application and we go to this, it didn't actually prompt me, I'm already authenticated in, but what we could actually do is, if we do a private window and we go to that, it makes me auth. So now I have to authenticate in, and this app itself knows nothing at all about Azure Active Directory. There we go, so we have access to our doggo application. I just wanted you to see it would maybe go through the authentication. So great, okay, it made me authenticate, but it's now an Azure AD Enterprise app, and where I really care is if I now go to my Protect & secure, Conditional Access. So I'm jumping over here; doggos is now an application, so I can create a new policy, and when I go and look at my cloud applications, they're there. So suddenly, yes, I'm pre-authenticating

with Azure Active Directory, but I can also now apply conditional access for everything I'm doing. So I could now add conditions: hey, if the user's at risk, the device platform, location. I could add controls: hey, I want them to do an MFA, I want the device to be marked as compliant. So I suddenly get all of these amazing capabilities even though the app itself, this app, has zero clue about Azure AD, it has zero clue about conditional access, it has zero clue about risk, but because we're doing this pre-authentication the app now is an Enterprise application for Azure Active Directory. And what that lets me now do is, if we think of some of the powerful things we have, honestly the biggest one here is we now have this wall around these requests of conditional access. So not only is it going to make them authenticate, it's going to do authorization specific to app 1, or doggos, and it will make them adhere to that: hey, I want you to do an MFA; hey, I've detected some elevated risk, whatever that is. I now gain those benefits. So if I think of that zero trust world, I'm not caring about the network anymore, I'm caring about the health of the identity, I'm talking about all of the signals that we're getting in: user risk, sign-in risk, all of the information about this will now be enforced as part of access to the application. And that really is huge, like this, for me, and this is why I think you may even want to use Azure AD App Proxy even if you had this app running in a virtual network in the cloud. It still might be a more legacy app and doesn't understand all of the cloud identity providers, so I still might want to expose it using Azure AD App Proxy to get the benefit of what App Proxy does through that pre-authentication of Azure AD and through then leveraging things like conditional access as part of that. So that really is a massive feature. Now the other configuration I have here, let me just go back to my doggo application. Obviously we could do conditional access, but if we go back
to doggos (I couldn't think of a better application, and that gives me an excuse to put my dog in a video), so we've done this pre-authentication, great, but we also have, as part of the configuration, single sign-on. Now we have different options for the single sign-on. Now what mine is configured on is header-based; now there are many different ones available to me. So as part of my application, the other thing I can configure here is, hey, I want to do single sign-on. Now obviously I could do SAML-based; SAML is a more cloud native capability. If my application speaks SAML then I can select SAML, Azure AD will populate claims in a SAML token, App Proxy will just pass that SAML token on to the connector, which will pass it on to the app. So I can absolutely just do SAML. I could do Windows Integrated Authentication, Kerberos, so this is where, hey, I have my app, my app is used to speaking Active Directory and integrated, it understands nothing about cloud protocols, so we can configure it to do Kerberos-based, so that Windows Integrated auth. So what will happen now is I can still say, how do I do single sign-on? The user is still authenticating with an Azure AD account, but now this connector will impersonate the user, so Kerberos constrained delegation to Active Directory; Active Directory will give it a Kerberos token which it will then pass to the app. So as far as the app is concerned it has a token from Bob, whoever's using the computer. So it's still seamless, it's still a single sign-on experience, but the connector has done it. Now if I do this the connector needs some special permissions, sort of, it's now impersonating users, so the documentation walks through it. If we quickly look at the docs page for the prerequisites of using Kerberos-based SSO: so the connector and the server have to be domain joined, and it has to have this tokenGroupsGlobalAndUniversal attribute, so basically this is letting it do this Kerberos constrained delegation; the apps

have to have service principal names, because again it's all focused now around that ability for one identity to be able to impersonate the others. So it's just a little bit, obviously there are security issues with doing that, and so that's why if I want to do that Kerberos-based, that Windows Integrated auth, there's a few extra things I have to do on the connectors to let it go and impersonate and get tokens on behalf of this user over here. I can do header-based; that's what I've done in my little test. So with header-based, the application expects maybe some username, maybe even a password which I could go and fetch from some attribute, maybe just other attributes; it expects those to be in the header of the request. So what will happen here is the App Proxy service will populate the request headers with the values I tell it it needs as part of that header-based SSO, send it through, and send it to the application. I can configure whatever I want, and this is what I did in my demo. So if we go and look at my example, hey, doggo (that's Oliver by the way; my other dog is Eddie, he doesn't like getting his picture taken as often, he's less photogenic), so if we go over to here, so I did header-based authentication. Obviously it's using Azure AD; there are others I could have leveraged, and now I configure the headers. So if I do edit, I added two: I want user display name and user UPN, that map to user values display name and user principal name. But I can add others; I can pick a name, I can pick attributes that exist for the user, I could do transformations, so based on attributes, based on directory schema extensions from other apps I've added, I can add whatever values I want. I can directly hook into a directory schema extension. I could also add group headers, so I could populate certain group memberships, for example, so that they're part of that header. But I just added two values, user display name and user principal name, and what I did for my doggo application, if we go and look at my app, is, yes,

I just made a picture of my dog. This is just a very simple Node.js app, but it dumps out the request header at the bottom. So I dump out the headers (oh, why is it doing that? Okay, I'm having trouble zooming in for some reason), and if you look, there are my values. Now just dumping them out to the screen is not terribly useful, but my point is I wanted to show you that when I do that header-based SSO, based on what I configure, it's passing it as part of the request header to the back end service, and those values, so I could have injected a password, so that could have been an attribute in Azure AD, I could have extensions going and hooking into that, different ways I can have that, but then the consuming service could look at the request header and take whatever values it wants and use them. So I can pass things through via Azure AD App Proxy; it hasn't even seen me yet, we're coming in via Azure AD App Proxy and I have that information just available to me. So the header-based, again, think of all the different types of application you have; hugely powerful to, hey, I can integrate with those apps. I can even do password-based auth, where the app just expects a username and password. Now the way this would work is it's password vaulting; there's going to be an extension that we actually add, you've probably seen it before, there's a My Apps extension for your browser, and that can do things like helping you with the vaulting. So the first time you access it, it would prompt you for the username and password, then it would vault it and it would never ask you again. For all of these I can do token augmentation. So one of the cool things Azure AD has is the ability to add custom claims, and I can do that through a custom claims provider. So I write some RESTful endpoint target that can go and talk to a SQL database, a Postgres database, another LDAP, doesn't matter, and returns claims. So Azure AD can be configured to use a custom claims provider; again it's just a REST endpoint that it's going to send a bit of information to,
and then I send claims back that it can add into the token, so I can use that as part of it. So that's like a really nice capability that I can take advantage of. But so far, if you think about it, done it: we have got some external endpoint, you saw me talk to that, it's doing all of this magic and single sign-on via the connector groups that I have configured for the various applications, and I'm there, I've solved the problem. This has existed for a really, really long time; like, there is nothing new about Azure AD App Proxy and doing this. But things have evolved a little bit. We were used to the idea of app 1 being this monolithic thing; they didn't really speak to anything else. Well, now we have these complex apps, and now you get these non-monolithic apps; instead they're broken down into microservices. So now you may totally have the scenario where this app, well, it actually talks to that app, and vice versa. Now this was fine when the access was internal; I could absolutely just bounce around and talk to each other and there's no issue. Now I'm on some external thing, and maybe the app references the internal name, but I'm sitting out here; it would fail, or maybe it would make me authenticate again and break the entire flow. Now if I was on a VPN it wouldn't matter, because remember I'm on the network, but if I'm just using App Proxy and I'm doing all this mapping, it's going to break things. Also think of things like cross-origin resource sharing, CORS, where I might have apps actually using different domain names that wouldn't traditionally be allowed. So translation is a challenge for us, the fact that we're using these different names. So what would be nice is if I didn't do that; what would be nice is if I could actually just have the internal name leveraged. So can we do that? So remember, if we go back and look at our environment, my application has this external name, but it's actually just http://doggos.savilltech.net. So if I try and take that internal name and paste it,

notice what happened here: it worked, and it sends it to that external one. What mystical magic is going on here? Well, the mystical magic is the icon, the My Apps extension. I'm signed in, and if I look at my settings, company internal URL redirection is on. So when I'm populating those apps with Azure AD App Proxy, what's actually happening is it's telling the My Apps extension, so I've got this extension installed, it's telling it, hey, actually these are the apps available to you, and by the way, the internal name of this app is app1.internal.net. So if you type that internal name, hey, I'll convert it to the external name that you can actually get to for you. So that suddenly solves a huge, huge challenge: people don't even have to worry about that external name anymore. If they're used to maybe working internally they can use the same URL. Now also My Apps will publish this, like they'd see it in the My Apps list, they could just click doggos and go straight to it, but this extension is really powerful in that I can now just carry on using this. That would also work with that CORS, cross-origin resource access; if I have mobile devices, if I use the Edge browser as well, as long as I'm authenticated with the user from the tenant, that will work as well. So this cross-origin resource sharing capability will be really powerful; that internal redirection will be really, really useful. But what if in the body of the response it has a link to the internal name, or does some referencing? Well, this is only doing rewrite of the header; this is only doing rewrite from when I type it in the portal. What about if, as part of the response sent, there's internal references in here and I need the body changed as well? How can I do that? Well, if we jump back over, if we go to those advanced settings, remember we always had this "Translate URLs in headers" option, but let's also "Translate URLs in application body". Now for this we're going to jump to a different application; we're going to do doggos IIS. So this is just a

really plain vanilla IIS application; however, on this one I have turned on translate URLs in application body. Now it's giving you a warning here, and the reason it's giving you a warning is because now think about what it has to do. So on this other application, on this application 2, I am configuring this body internal URL rewrite, but that now means that everything it's serving up, it has to go through and check the body of every communication: is there an internal URL in that? If there is, I need to modify and map it to the external. So it's going to add latency. So it's warning you: hey, look, we can absolutely do this thing, but it may impact the performance of the application; it's going to add a bit of latency because now I have to scan every response and then rewrite things if there is actually a header in there. But we can see this, so if I go to a different application, let's jump over here. So this application is doggos IIS, so it's a different app, and there's another Oliver picture down there. Now if we look at this application, remember this is doing this translate URLs in the application body, and for this application it just has a name of moredoggos.savilltech.net, and I use a custom port for this one; I wanted to show you can even do custom ports, so this is actually 8080 externally. And just to show something really cool, even if I do that internal name and the internal port in the browser, it still does that redirection because of that fantastic My Apps internal URL redirection. So I'm using the app and it has a link, "more doggos", here. Now this link, well, if I look at the source for this application, so let's go and look at the source for a second, this is the page, so the page has an internal reference, doggos.savilltech.net; that's what the response contained. But if we actually look at this page here, let's, I guess we could, if we copy the link, so what is that link? And I won't press enter; notice it has changed it, it's changed it to the external. If we look at the page
Source there's probably another way of doing this it's translated it so it has put the external name remember what it was sent this is the page it was sent the internal but because I checked that box to do the rewrite it changed it to that external name so now what would happen is if I actually went to the page and clicked it I I just go when I work and I've still got all those same options configured in there so that solves all of the problems so again even more complicated scenarios now even if hey they're talking um they're referencing other applications through a combination of hey maybe just want to use the internal name or the my apps extension solve as that but even if the maybe the headers or even the body now I can rewrite that as well so it can still go and work through the external names now obviously if I published it as an internal name remember if I change that default extension from the MS proxy to my internal name and I had those C Name Records I wouldn't need to do that translation because it would be the same name externally and internally so that would be a different way to solve that problem but if I didn't do that this rewrite option solves that issue and that's really what I wanted to cover you have a final thing I would say is if I am doing highly performant applications there is a performance enhancement I can do when I'm using App proxy and it's really about using Azure front door so my Azure front door is that Global balancing solution one of the really nice things about front door is if I had for example front door and if I think globally throughout the world there's all these endpoints everywhere the idea front door would be well hey if I'm an application accessing saying on app proxy well front door would accelerate it greatly because now my TCP my TLS would all be established and terminated at this Point that's very close to my machine and then it would go and talk to approxy and this could be like a 60 to 70 performance Improvement 
because now that TCP that TLS is terminated very closely here it can really accelerate My overall performance so this is completely optional but if I am thinking hey I really want to accelerate as much as possible and that that front door hooking may be really useful so that was it and that's all I wanted to cover so the whole point here is what Azure radioact proxy does is yes it's going to make my internal applications available externally but I think maybe a bigger part of that is it shifts to this zero trust idea that now it's going to focus not on the network path I don't have to expose pools it's going to use the identity to control the access and once I've done that identity then I can apply conditional access to add constraints and conditions before I can get the access and no matter what a technology the app is using for its own auth Samuel kobos header base just password entry it can work through this and it can do all that work for me and give me a really nice single Salon experience for the user I can create different connectors and groups of connectors and assign them to different apps if different apps need maybe a higher priority to ensure they always have the scale they require and then finally hey we have the great rewrite internal URL redirection and if I want to really improve the performance if it's really critical I can always tack on front door at the front to offload and get that TCP TLS connection is close to that endpoint as possible that was it as always I hope this was useful until next video take care foreign
Info
Channel: John Savill's Technical Training
Views: 25,371
Keywords: azure, azure cloud, microsoft azure, microsoft, cloud, azure ad, identity
Id: dcAY-qrzTYA
Length: 51min 57sec (3117 seconds)
Published: Mon Apr 17 2023