Azure Networking - #13 - Azure Front Door

Video Statistics and Information

Captions
Did you ever stop to think about how you got here? I mean this video, not in life; to answer that would take a lot more time than what we have today. But how did you get here? Well, you typed into your app or your web browser and you got here, and then when you found the video you clicked on it. What you may not know is that there's dozens or hundreds of different pieces of technology that all work together in microseconds to get you right here so you could watch this video, and you didn't have to figure it out or even know that it was all there. It just works. So if you want to be able to do stuff like this for your company and your customers, come with us as we take a look today at Azure Front Door. I'm Dean Cefola and this is The Azure Academy.

The Azure Front Door service is designed to implement scalable and secure entry points for fast delivery of your global applications. Front Door is a part of a family of technologies around Azure networking, and that breaks down into these four areas: connectivity, monitoring, protection and delivery. It's the area of delivery that we're looking at today. As you can see, we've got several different methods for getting things delivered to your customers. A CDN is a content delivery network; this is much like the YouTube service. Traffic Manager is a global DNS load balancer. Application Gateway is a layer 7 load balancer that also acts as a Web Application Firewall. And finally we have the Azure Load Balancer; this is a layer 4 resource that lets you scale your application and create highly available services from the backend; that could be things like a clustered database, for example. Now each one of these resources does have their place and probably could use their own video, so if you're interested in one of those give me some comments below and I'll be happy to put that together.

Where Front Door fits in is kind of a little bit of all of that. So then the question comes up: which tool do I need to do my particular job? If you are using a
regional point of presence, so you're in the Azure East region or UK South region, and in that region you need something that is non-HTTP or non-HTTPS traffic, what you want is an Azure Load Balancer. But if you instead want something that has a global point of presence but is not necessarily HTTP-type traffic, you can use Azure's Traffic Manager. Now if you need something regionally that is going to provide that layer 7 traffic, which is HTTP or HTTPS, then you're looking at the Application Gateway. And finally, if you need something with a global point of presence that runs at layer 7, now you're looking at Azure Front Door.

But let's just think for a moment about how you get to where you want to go. Every application or website that you want to get to, doesn't matter if it's on-prem or in the cloud, it's really physically somewhere, and you get to that somewhere by traveling on this thing that we call the internet. You open your web browser and you type in an address. As soon as you hit enter, what happens is your browser takes that address and does a DNS lookup. It resolves that name into an IP address, then it goes and retrieves what you've asked for, and then it presents it to you in your browser or your application. So here we have a web front-end of my application, and that's running here in the US, and if somebody else wants to access it there's only one place for them to go: they've got to traverse the Internet to get from wherever they are to where my thing is over here in the US. The problem is that there's no way to directly control traffic flow over the Internet; even so, your most optimal path may still take you halfway around the world.

How can we do this more efficiently? Well, we could find a way to increase the speed of light, or maybe discover a wormhole. In fact, that may be just what we need. Front Door is an entry point into the Microsoft Azure global network. Now you're riding a Microsoft backbone where we have a lot of control over routing, and we'll optimize that flow from the POP
nearest to you back to the application, giving the user a much more optimal experience. And the scale limits of Front Door are incredibly high; in fact, all of Microsoft's global services have been using it for years. Additionally, Front Door is a global service, which means it's not in one single region, so if there are any regional failures that happen the service will automatically redirect traffic to the next closest POP. So that means resiliency is baked right into the cake. So that's at the entry point of the Front Door service. In the backend pool, if there's some kind of issue, we do have health probes that will detect those things so we can fail over just as quickly.

Let's take a look at the Azure Docs. From the main page of our Docs we'll scroll down, and in our table of contents we'll go to Networking, and then right here in the middle of the screen we have Azure Front Door. Then we'll click this link in the overview for "What is Azure Front Door", and here's where you can read all about the service and understand all the different features and characteristics, just so you know where that is. Additionally, over here in the samples we have a bunch of Azure Resource Manager templates, and then you can select which one of these may be right in your environment and deploy that, so you can see a quick way to get that up and running.

So with that, let's go over to the Azure portal and get to work. We've got two sets of virtual machines here: one is in East US, the other in UK
South. They are both running a web server, and as you can see here at the bottom of the screen, this is the one that is in US East. We also have our one in the UK South, and so I've put the text at the bottom of the default web page just so we can see where each of them is. So now we want to take both of these systems that are in East US and UK South and we want to have them run as a single global application, so we're gonna use our Front Door.

So let's click Add here to build a Front Door, and then we'll click on that in our search and click Create. I've already got a resource group for this where my web servers were, so we'll use that as well as the East US region here. I'll hit Next. So the setup here is really quite simple. We'll go to add a new front-end, and we have to give our Front Door a name; I'll call it my global app. And now we need to set our session affinity or Web Application Firewall. Now the Web Application Firewall is certainly a recommended thing to use, because having a WAF is more secure than not having a WAF. The default position that I would suggest is that you enable this; however, at this moment we actually can't enable this because we need a policy to go along with it, so we'll come back to this in a moment. But we will turn on session affinity; this is where we're going to make an initial connection and then all the subsequent traffic will go back to that same back end. And we'll click Add, and that's it, we've added a front end.

So let's add a back end, and now I'll call it my global app back-end one. And now we need to add a back end, so we'll click our plus here and then we'll click the drop-down for the back end host type, and you can see that there are many different items that we could add here. Now in our case, since we're using virtual machines, I'm going to select a public IP since I've got that, and then that also gives us the ability here to select the particular public IP addresses that we already have. So I've got that selected, and of course we
could tweak these items further if we want to. And this will be enabled; that way this particular back-end will be running. So we'll click Add and then we'll go and add our second one, so we'll choose a public IP again and this time we'll choose our UK public IP and click Add.

Now we have also our health probes, and this is just like any other load balancer or web app gateway, where you want to be able to detect that your back-end resources, these VMs, are actually healthy, and if they're not healthy we're going to mark them as unhealthy and stop sending traffic to them. So the / here indicates that this is the root, so the default web page. In this case I am not currently using HTTPS, so I'll set this for HTTP. And you've got two different probe methods here, HEAD and GET, and if you use HEAD here then you're not going to need anything in the response body, which is a little simpler, so I'll leave that. And then it'll check in 30-second increments; that's the default.

And then we come down to the load balancing, and this is where we check the sample size. So it's gonna do four health checks; two of them must be successful in order to call the back end healthy. And then the latency here: zero means check it as fast as possible, so if you need to add in some extra latency because of your connections then you can add that right here. So we'll click Add and now we have our back end.

Now we need our routing rules, so we'll click the plus for that. I'll call it my global app routing with one. And then for the protocols, since my back-end only supports HTTP, I'll select that. And then you also have the option of selecting any one of the front ends that you have, because I've only got one of them. And now we have to look at the patterns to match for our routing rules. So we'll get a bunch of stuff coming in from the front end; what is it that we want to route against? The default is this / because that's the default page, so it's saying /*, which is default and anything else, so basically all traffic is going to be
routed through this rule. Once something matches our rule set, which in this case is everything, how do we want the system to deal with it? Should we forward the traffic to our back-end, like I have here as default, or should we set this to be redirected to somewhere? Then of course you can set your particular redirect type and all of the details, but I'll just leave this on Forward. My back-end pool is already selected and I'll choose HTTP only.

And our last two options here are URL rewrite and caching. Now the URL rewrite has to do with taking the incoming request and then writing a custom forwarder to send it to the back end. For example, I'm using the default path, so I could rewrite that to say instead of / make this /foo and then send that to the back end instead of just /. In my case I don't need that because I don't have anything else there anyway.

And then we have caching. Now Front Door does not put a cap on any files that you're going to be serving up, so what they're going to use is a technique that's called chunking. Chunking is where we take all of these files that we're dealing with and we break them into eight-megabyte chunks, and then we'll serve those up. So when the chunk comes into the Front Door environment it's cached and then served up to the user, if you enable caching. Now if you do enable caching, you also get the option of changing your query behaviors. Now the default mode for queries here is to ignore query strings, and in either case we're not going to modify your query, so no matter which one you choose your query will still be passed, but in the cache every unique URL, every one of those queries, will be treated like its own asset with its own cache. Then you can also choose to enable or disable dynamic file compression, and the particular list of files that we will compress is not something that you can modify at this point, though if you need to know more about those file types you can go to the tooltip here on caching and click More and then go to file
compression, and there is the list of files that we currently support. So I'm not going to enable caching; again, I have a very simple site here. And we'll just hit Add and we have finished our configuration.

So we'll now hit Next and I'll add some tags, so my application is my global app, this is my lab environment, and I'll put in a cost center so we know who's paying for these resources. I'll click Next, and then we can review our details here, and you can also save the ARM template if you like so that you can reuse this, and then hit Create.

Now that our Front Door is finished building, you can see we've got resources in East US, in UK South, and then global for our Front Door. We'll click on our Front Door and check it out. So at the top we've got the basic information along with the Front Door's front end host address. We've got the big buttons in the center for the Front Door designer and Web Application Firewall, and they're also on the left in the Settings section. And then at the bottom we have metrics here, and we can show that from 1 hour to 30 days, and then we'll see our request counts, size, back end request counts and current health status. And you can dig more into the metrics over in the Monitoring section to select the particular metric that you're interested in, and of course you can always zoom in just like you can in any of the Azure metrics.

And you can combine this with Azure's Log Analytics, Event Hub or storage account by setting up diagnostic settings, which I have already done, and I'm sending that data to one of my Log Analytics workspaces. You can check that data out in your logs, and so I'll just go to search through the logs here and pull the last 500 results, and there we go. And then of course you can dig into each one of these around your application, and you can even create charts and graphs as well as set up alerts and thresholds from here, fire them off through a webhook to something like ServiceNow or some other ticketing system, or take them
out of Azure using the Azure Event Hub and send them to another monitoring tool.

So if we go to the Front Door designer, this basically is the same thing that we went through during the build, where we can create, delete or modify any of the systems in our Front Door. And then at the very top we also have a Settings button, and this is where you can make sure that your back-end cert subject name matches in the Front Door, as well as your timeout setting. I'll hit Cancel because I don't have those at the moment. And the one other button here is the Purge button, and this is if you're using caching, where you can flush all of the data out of cache.

Now before we get into the Web Application Firewall component here, I do want to show you that the Front Door is working. So you remember this was our web page initially; we had our UK South and our Azure East US. Now if I open a new page, because I'm located in the East US, this is now my Front Door pointing at the East US. I've got another browser here and this one has a VPN, so it looks like I'm sitting in Europe, so when I go to Front Door this time, now I'm talking to the POP in UK South. Okay, so our Front Door is working and it is geo-locating.

And the last thing we'll do today is go into the Web Application Firewall. Now you remember I said originally we could not initiate this because we didn't have a WAF policy, and we still need to create one before we can apply it. So at our search at the top we'll type in WAF, and then we'll select the Web Application Firewall policy and we'll click to create one. So in the create experience we first have to select what our policy is for, and we can choose either a Front Door or a web app gateway or an Azure CDN, so we'll choose Front Door. And then we have to select our subscription and resource group where our Front Door is located, and then we need to give our policy a name, and I'll just call it my global app, and my policy state will be enabled, and we'll hit Next. Now we have two modes that we can set up
our WAF policy in, and that is Detection or Prevention. So Detection is going to be the reporting without actually preventing anything, of course, whereas Prevention is going to have some teeth behind it and stop things when we don't want them. So the nice thing about this is it allows you to first detect your normal behaviors, and then once you've found your baseline, then you can set it to Prevention mode, which would then block anything that is non-standard. Then you can add a redirect URL here if you would like, as well as a status code, and you could put in a response body so that people know what has happened.

And we'll just hit Manage Rules for right now, and then what you can do is enable some or all of the rule set, and if we hit Expand All there is quite a lot here. This follows the OWASP categories. OWASP stands for the Open Web Application Security Project; they categorized types of attacks and have recommended ways to prevent against them, and if you're interested more in that you can click on our documentation link. I'll hit Next.

Then you can also add some custom rules if you would like. I'll add a rule here for the UK and I'll give it a priority level of one, which is the highest level rule that there is at all, a geolocation match. For this I've selected four countries in Europe, because I'm not exactly sure where my VPN is going to route me through, and we'll deny all of that traffic and click Add. Not only am I instituting the OWASP rule set, but I'm also now saying if you happen to be in the UK, I'm going to block you from being able to access my site.

And then we'll click Next and associate this to a front-end, and we have our Front Door selected here, and then we can select whichever front-end we want this rule to apply to. And then we'll click Next to add our tags, and we'll just use the same tags as before, and Review and Create. Then of course we can download this template and reuse it, but we'll hit Create. And back in our global app resource group we have a new resource here,
and this is a global resource of our WAF policy. And inside the policy here, it's basically just what we looked at in the creation experience. We can set our policy setting to be Detection or Prevention, and just to save time I flipped it over to Prevention so you can see that experience. You can also edit your rule set here as well as your custom rule set, and then we can see which front end we are associated with.

Back in our browser, we've of course got our original VMs and they are still up and running, as well as our Front Door hitting the East US, no problem there. And here's that other browser that's currently going to UK South because my VPN has me located in Europe, but if I flip over to being in Asia and we refresh, we can see our request is blocked by the Web Application Firewall. And back in our logs we can see that we've got some writes going on here as well as a Web Application Firewall log write, and if we open that log we can see that this was for our global app, as well as the IP address that we were coming from, and our action was blocked because our mode is Prevention and there was a rule set that matched, so that they don't come on to my back end and cause me to do more computing on my side of things.

So hope that you've enjoyed this first look at the Azure Front Door. This is a great tool to scale the front end of your applications; just keep in mind that when you do, you may also need to scale up your back-end services to meet all that new traffic. And there's certainly more that we can get into and more complex scenarios, so if you're interested in seeing some of that give me some comments down below. So if you thought that this video was good, please do give us a thumbs up so that we know that you enjoyed it, and while you're down there go ahead and click that subscribe button if you haven't done that already. Join us here at the Azure Academy, where we're all just trying to learn about Azure, and be a part of our discussion in the comments below: either give us
some feedback on this video, questions, or you make some comments, things you'd like to see us improve, or suggestions for future videos. We're always looking to make what the community is interested in, and this video was from a request of several of our viewers. And if you'd like to receive an email when our newest video comes out, which is about once a week, you can click on that notification bell as well. Thanks very much for joining us today and we'll see you in the next video. Happy learning!
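An added example, not from the video or from Microsoft: a simplified Python model of the Detection versus Prevention behaviour and the priority-1 geo-match deny rule described in the captions above, showing how a Detection-mode run tells you what Prevention would block before you switch. The rule name, country codes and sample requests are constructed assumptions, and the evaluation logic is a model, not Azure's implementation.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class GeoRule:
    name: str              # hypothetical rule name
    priority: int          # lower number is evaluated first
    countries: frozenset   # two-letter country codes to match
    action: str            # "Block" or "Allow"


# Constructed policy: one geo-match deny rule at priority 1, as in the video.
# The rule name and the four country codes are assumptions for illustration.
RULES = [
    GeoRule("BlockEuropeGeo", 1, frozenset({"GB", "FR", "DE", "NL"}), "Block"),
]

# Constructed sample traffic (documentation IP ranges): (client_ip, country).
SAMPLE_REQUESTS = [
    ("192.0.2.10", "US"),
    ("198.51.100.7", "GB"),
    ("198.51.100.8", "GB"),
    ("203.0.113.5", "DE"),
    ("192.0.2.44", "JP"),
]


def evaluate(mode, rules, client_ip, country):
    """Return (served, log_entry) for one request.

    The first matching rule in priority order decides. In "Detection" mode a
    Block match is only logged; in "Prevention" mode it is enforced.
    """
    for rule in sorted(rules, key=lambda r: r.priority):
        if country in rule.countries:
            enforced = mode == "Prevention" and rule.action == "Block"
            entry = {"client_ip": client_ip, "rule": rule.name,
                     "action": rule.action, "mode": mode, "blocked": enforced}
            return (not enforced), entry
    return True, None   # no rule matched: forward to the back end


def baseline(rules, requests):
    """Run in Detection mode and count, per rule, what Prevention would block."""
    hits = Counter()
    for ip, country in requests:
        _, entry = evaluate("Detection", rules, ip, country)
        if entry and entry["action"] == "Block":
            hits[entry["rule"]] += 1
    return dict(hits)


def served_clients(mode, rules, requests):
    """Client IPs that reach the back end under the given mode."""
    return [ip for ip, country in requests
            if evaluate(mode, rules, ip, country)[0]]


if __name__ == "__main__":
    print("would block:", baseline(RULES, SAMPLE_REQUESTS))
    print("served in Prevention:",
          served_clients("Prevention", RULES, SAMPLE_REQUESTS))
```

Reviewing the `baseline` counts against known-good clients before flipping the mode is the step that catches a geo rule that is broader than intended.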
Info
Channel: Azure Academy
Views: 21,058
Keywords: AzureFrontDoor, Azure FrontDoor, Azure Front Door, azure front door, The Azure Academy, AzureAcademy, Azure Academy, azure academy, FrontDoor, MSIgnite, Azure, CDN, Microsoft, Network, AzureCDN, Azure CDN, Akamai, FastTrack, Fast Track, yt:cc=on, microsoft ignite, microsoft, sharepoint, Microsoft Azure, AzureGovernance, Azure Governance, ARM, Template, ARM Templates, Automation, AzureRM, Azure Cloud Adoption Framework, azure CAF, microsoft azure, azure tips and tricks, Azure governance
Id: 6PK88DDU3K4
Length: 19min 44sec (1184 seconds)
Published: Sun Mar 15 2020