Microsoft Azure Front Door Deep Dive

Video Statistics and Information

Reddit Comments

Fantastic content and walk through as always.

u/absoluteloki89, Oct 26 2021 (2 points)
Captions
Hey everyone, in this video I want to explore Azure Front Door: why we have it, how it works. As always, if this is useful please like, subscribe, comment and share, and don't forget to hit that bell icon to get notified of new content.

So as a provider of some service, I want to make sure that my customers, my partners, whoever that may be, can always reliably get to my service. What that typically means is, as I think about offering my service, I want to offer it from different places. In Azure, for example, I would think about, well, I want to make sure I offer it from different regions, so I could think about, hey, I might have an instance in East US, I also might have an instance in maybe West US. You kind of get the idea: I'd have it in different places. I might even want to offer it, for example, in on-premises locations; it might be in some other cloud. And if I think about, hey, I have those in multiple locations, from a resiliency perspective in case one of them is unavailable, or in terms of simply proximity: maybe I have some in Europe, so if my customers are in Europe I want to go to an instance that's in Europe so they get a lower latency, so they get a better overall performance. So I can think about these as origins. These are places that are offering the service that I want to make available.

Now if I think about my end user, so those are kind of where my content is, then obviously I have some kind of end user, and what I don't want to have to do is give that end user a bunch of different URLs: hey, if you're traveling on the East Coast go to this one, if you're on the West Coast go to that one, hey, if it doesn't work we'll try this one instead. That's a terrible end user experience. So what I really want to think about is some kind of global load balancing solution, the idea that I can give them a single endpoint, and that service, whatever that might be, will take care of directing them to maybe whichever one is closest to them that is healthy, that is responding to some kind of health probe that this global load balancer solution is actually doing.

Now there are solutions like Traffic Manager. Traffic Manager works through DNS; it will really work for anything, but it's all based around DNS records, and then I have to think about the time to live of those DNS records. There are things like the Azure global load balancer; that's a layer 4 solution, so it understands TCP, UDP, but doesn't understand things like HTTPS, so I can't offload it, it can't do cookie based affinity, it doesn't understand the idea of the URL, so there's limitations to the functionality it can actually do. So what I actually want to think about for Azure Front Door, which is our focus, is the service I'm actually offering. I'm thinking of this as HTTP, maybe HTTPS, HTTP/2, so I'm thinking layer 7. That's kind of the key point for what we're dealing with here. So when I think of Azure Front Door, Azure Front Door is a global layer 7 load balancing solution.

Now I drew the idea of these origins. The reality is, for Azure Front Door, that origin can actually be any public IP or publicly resolvable DNS name. Now when I talk about Azure Front Door there is kind of the v1 and now these v2 SKUs, the Standard and Premium. So additionally, if I'm using the Premium v2 SKU, it also supports private endpoints. Remember, a private endpoint is essentially an IP address from our virtual network that represents some service. Ordinarily that service might have a public IP, but with private endpoints it is available through this IP on my virtual network; it's an IP from a subnet that I specify. So for the Premium v2, not only can it point to public IPs and publicly resolvable DNS names, it can also have private endpoints as origins for where this Azure Front Door is actually going to go and talk to. So that's kind of a key point.

Okay, so we get that idea: hey, there's services I'm offering, I want this kind of global load balancer. So how does Azure Front Door actually work? Well, I can think about Microsoft runs one of the biggest networks in the world. I can think about this huge global network, and it does connect obviously to all of the Azure regions, but it also has lots of points of presence all around the world. Now these edge locations are used for different things. Some of these edge locations might connect to different internet service providers; it makes it part of the internet, the internet is just a bunch of routed networks. For example, maybe that's how I get to my on-premises, maybe I'm using it as a meet-me for ExpressRoute or private connectivity to my on-premises. But some of them are also used as part of a content delivery network. So I can think about the POPs, these points of presence, as this content delivery network. The content delivery network is all about, hey, this geographically distributed set of content, so if I have some static content, maybe images, other media files, whatever it might be, I can deploy that or cache it in the content delivery network so it's now globally available, and the benefit of that is now, hey, my customers wherever they may be can go and get to it from somewhere local to them. So this content delivery network that Microsoft runs, well hey, guess what, these points of presence are the same ones we're using for Front Door. So when we have Front Door we call them edges, but they are the same locations; it's the same thing. So if we were to go and look at, for example, the content delivery network locations, so if we look at the Azure CDN, we can see all of the different places, the cities, where that content delivery network is actually present, so you can see there's a massive number of those. Well, if I go and look at the Azure Front Door list of locations, yeah, it looks very very similar; it's the same list. So where we have the content delivery network POPs, they are also used by Azure Front Door. So it's that same set of things.

Okay, so that's great. How does it actually work? So Azure Front Door does a number of actually different things. So we're going to create this Azure Front Door front end endpoint, and the first thing that does is it's available via anycast. So I can think about, we have all these points of presence, so what Front Door is actually going to do is firstly make it available via anycast. What anycast means is, hey, there's an IP address that represents my service, but instead of the normal kind of, hey, that IP address is available in one place, it's being advertised through all of these points of presence, and so wherever I am I'm going to go to the one that's closest to it. So straight away that gives me some nice benefit and performance improvement that, hey, I'm going to go to a place close to me.

The next thing it does, though, is in addition to anycast it uses split TCP. So what does this mean? So if I think of a regular kind of connection, so let's say this user for a second, and what we'll actually do, let's move them over a little bit, so this user, we are talking to this point over here. So ordinarily what would happen is, as part of that communication, it would say, okay, I go to here over this and then back; that's to establish the TCP. Then I have to establish the TLS; once again there's kind of some back and forth there. And then I'm constantly going back and forth with various requests for content, and then I get the various responses. So all of the time it's going back and forth all the way to this back end origin, so it takes a certain amount of time, it's going to introduce a certain amount of latency. So the first thing that happens is, with Front Door and that split TCP, now imagine I have another user. So let's draw another user in here; make this user purple. So let's say I'm sitting here. The split TCP now says, when I'm establishing that initial TCP session, well, it's actually established with that edge. Then the TLS is established with the edge. And then when I'm requesting content, it typically is requested in small chunks; hey, I make some requests, and at this point it will go to whichever back end is closest, but it will get kind of a big chunk of data, so a bigger chunk of it. It gets that response back and then can send the responses. But you can see here I'm improving the overall performance, because now all of that initial setting up of the session is local, and then when I'm doing requests, hey, it's intelligent enough to say, hey, I'm requesting this part of the content but I'll maybe go and get this bigger chunk so I'm ready and can serve up those future smaller requests and give those responses with a much better performance straight away. So without any caching or anything else I'm improving that overall end user's performance.

But it is layer 7, so if I think about, okay, we are having those additional capabilities, I can do other things. So now I can think about, yes, Front Door anycast, available at all those edge locations; Front Door split TCP, giving this great performance; but additionally now as well I can add in things like, hey, I can do SSL offload, because we're layer 7 we understand those things. I can do caching, so now the first user goes and does some requests and yes, it has to go to the back end to get the data to serve it up, but the second user that asks for that same content, well, that gets pre-cached, so it's going to be even a better performance for that next person. We can do things like compression, so I can actually reduce the amount of data. I can do cookie based affinity. And these things will all look very familiar if I look at App Gateway, which is a layer 7 regional solution; it does all of the same things. And one of the other nice things I can do here is things like a URL rewrite, so I can actually change the URL, and I can even do a redirect. I get a whole bunch of very nice layer 7 capabilities through this. So that's the basic kind of fundamentals of what we're doing with Azure Front Door. So I can think about, hey, I have instances of services which can really be anywhere. Yes, they can be in Azure, any kind of service that offers a public endpoint, but it could be any public endpoint, on premises, other clouds; it just has to be a publicly accessible IP or publicly resolvable DNS name. If I'm using that v2 Premium SKU I can also have private endpoints.

So now let's kind of put this into reality. So that's how it works at a theoretical level; let's actually kind of see this. So the first thing I'm going to do is I'm going to create an instance of Azure Front Door. So I go ahead and I create my Azure Front Door, and I'm going to say instance; you'll also see references when I think about a profile, but it's a particular instantiation of Azure Front Door. Now one of the things that's interesting, and it makes sense, most services in Azure when we create them we pick a region. Well, remember Azure Front Door, the whole point of this is it's global, so I don't pick a region. I say, hey, I want to create an Azure Front Door instance; I don't pick any region because it's global, so it's going to kind of be available everywhere. Now there are various components that go into this particular instance which I'm going to talk about, and there's certain scale limitations. So if we actually dive into this for a second, if we look, these are all the service limits for the v2, and again I'm focusing on the v2. There is also kind of the current GA Azure Front Door, but I'm focusing on the future, the v2, the Standard and Premium. I don't know what the current one's going to be called; maybe it's going to be Classic, I don't know, some name. But understand, so we can see here the SKU limits for both the Standard and the Premium. So these are important to understand, because as we start creating these, my ultimate goal is to just have one Azure Front Door instance if I can; I don't want to create multiple ones. But these scale numbers, well, these could be reasons that, hey, I have to create additional instances of them. So understand all these limits; all of these are linked in the description below.

And one of the interesting things is this v2 SKU really combines a whole set of additional features. So we had Front Door before, but what this v2 is doing is combining features of the content delivery network, that was kind of separate before, and it's combining things like the WAF, the web application firewall, and those other security capabilities to come into this all-up v2 offering. Standard does have WAF you can turn on, but it's only custom rules I create, whereas Premium has a whole set of standard rule sets, it has bot protection, it has that Private Link support. In fact, there's an article that goes through the feature comparison of the Standard and the Premium, and really the big difference comes down to this area here, and it really is about this kind of advanced security. So this Private Link offering; Standard only has custom rules, but again the Premium has those additional built-in OWASP standard rule sets and I get bot protection with the Premium as well. So those are really the key differences. And I think also we see, yeah, there's a security report down at the bottom, and this kind of shows a nice picture of what I was just talking about. So what these new v2 SKUs are doing, it's combining the idea of the old Azure Front Door, that great intelligent layer 7 routing, with the content delivery network and the Azure Web Application Firewall. That's really what it's focused around. And as I was saying, I want to try and focus, if I can, on just having one instance of Azure Front Door. The reasons I might create additional instances are scale, hey, I need to go beyond what I can do with a single instance; it could just be manageability, the sets of various routes and the rules I'm creating; it could also be just from a, hey, different departments, and those departments want to be able to manage completely separately. So those might be reasons I would create additional instances of Azure Front Door.

But if we go and think about the actual components, so the first ones are origin groups. These are the things that are actually offering the content. So I'm going to have these origin groups, and I can create multiple origin groups, so I can kind of think about these really as the back ends, things that are offering this content, and again I might have a different set of back ends; I can have multiple origin groups. The key point of this, remember, is publicly accessible, or private endpoints if it's the v2 Premium. Now if this was a typical Azure service, most likely this is probably going to be an Azure App Gateway; that's a very common pattern. Remember, Azure App Gateway is a regional, so it exists within a region, layer 7 load balancer, so it's super super logical in terms of architecture to have, hey, layer 7 Azure App Gateways distributing to the instances within the region, and I have multiple of those, and then Front Door to balance between those Azure App Gateway instances. So that would give me that nice kind of resiliency and distribution within region and then that geo distribution of those services. But it does not have to be; there's no, hey, I have to use that, it's just a very common pattern. It could be a storage account, a web app, Kubernetes instances, really anything you want, and it's using health probes to check, hey, it's there and it's healthy.

So let's take a quick look at this. If we jump over for a second and if I go and look at my... so I've created a Front Door. Again, if I did create, you can pick, hey, a Front Door Standard, Premium. If I do a quick create it's not going to ask me for a region; it's literally just going to, hey, I want a resource group, a name, a tier, and it's going to set up an endpoint, i.e. a front end to which things can connect to, and an origin, so saying it can point to us. It's going to get you up and running with a very basic configuration. But I'm actually going to go and look at one I've created already. So mine is just a Standard, and if I go to my origin groups right here I can see, hey, yep, I've got a default origin group, which is the one it helped me create, and I can kind of see, okay, there's a route attached to that. But if I select my default origin group you can see I've got two origins. Both of these are actually Azure websites; I'm actually using Azure Container Instances for this, so I'm hosting two Azure Container Instances in two different regions that's hosting my actual content. You can see I've got health probe configurations; it's just checking HTTP, and I'm doing a very basic check on the route to make sure it's actually configuring how it's doing that load balancing between them. And if I do add an origin, you can see there's a whole bunch of Azure services that it just natively understands, in addition to public IP addresses. I can actually point to Traffic Manager, because remember Traffic Manager offers a publicly resolvable DNS name, or custom. So all of these different things I can add as an origin to this particular origin group, or I can just go and add a new origin group, so a new name, so a new set of origins, maybe it's offering a different service. So I can go and set up these various origin groups.

Now one of the things I can do within these origin groups, if I go back to that add an origin, or you can see it here as well, I do have priority and weight. So the whole point of these is, the priority would be useful if, hey, I had a certain set I wanted to use first, but then if it wasn't available go and use a lower priority one. The weighting is useful if I want to control the distribution, so if I have a higher weight I'll get a greater percentage of the requests coming in. So that weight can actually be really useful if maybe, hey, I'm actually rolling over to a new version of my service or something. So what I could do in terms of deployment patterns, I could actually think about, hey, as I've got my new version, initially it has a fairly low weight, so it's got some of the people going to it; as I gain confidence I could start increasing its weight so it gets more, and start lowering the weight of the other one. So it's actually a way to maybe do like a ring deployment, canary deployment, to start bringing things over to that. So that can be a really nice thing to do. And that's it; so it's just some publicly accessible thing.

So then I need the Azure Front Door endpoint. So now I think about, okay, we have the front end endpoint slash kind of domains; some of the language is a little bit strange right now in the portal. It's, I think, mainly the original v1 portal and they're starting to pull some things over. I would fully expect, I'm showing you this now, I think some of the naming is probably going to change, some of the layout is probably going to change, but the concepts will be the same. So now I create an endpoint. Now what happens here is you get some default Azure Front Door name, so you get some kind of x dot... azure, that's wrong, let's go back; this is the new whiteboard, I'm still learning my way around it. x.azurefd.net. So it's going to give you some name, but then I can add my own custom DNS names, and I can add multiple ones to it. Likewise I can create additional front end endpoints, so I would now get a new azurefd.net name that I specify, and once again I can add additional custom domains. So even though it's one instance of Azure Front Door, hey look, I can have multiple sets of origins that are offering a service, I can have multiple endpoints that I would give customers that I can then do different things with, and once again I have full configuration of this.

So if we jump over once more, this time instead of looking at the origins we can actually go, firstly I'll go to Endpoint manager, and what we see here is we can see my name, so savtecfd01.azurefd.net. And if I copy that and we just go to it, first of all, so there's my service; it's my standard Bad Father app, where it's being run on two Azure Container Instances in different regions and it's redirecting me to those. So that's been pushed out, it is available. But you'll notice it's also got this additional name, bfafd.onboardtoazure.com. Now I also added a second endpoint, and again I gave it a name, so this time it was bfafd2, then it adds its standard bit at the end. And likewise I could add additional custom names; I could add another endpoint, I would give it a name. So I can add as many endpoints as I want that I'm then going to be able to use to have different rules assigned, different routing assigned, go into different groups of origins, i.e. things offering my service.

Now if I go to Domains, this is where I can add my own custom domain. Now I have added bfafd.onboardtoazure.com, so I've already gone and actually added that. And what we can see, if I just go over to this, if I go https://, because it works, that's HTTPS, the certificate is good. If I go and look, yep, looks valid, I can see, oh okay, it created me... I didn't create this cert; it did this for me. And that's a really nice feature of this: it will give me a Microsoft managed certificate and it will manage that life cycle as well. So this is a great feature of actually using these custom domains with Azure Front Door. So once it was approved, you can see I've associated it with an endpoint, so that first one we see a certificate state is deployed and traffic is being delivered. Now when you add a new domain, additionally it's going to be sort of saying, hey, pending, and if you click that it's going to tell you a TXT record you have to add to your DNS zone. It will not validate just because you have a CNAME pointing to it. So if I go look at my DNS config, we can see, hey look, here is my bfafd; it's a CNAME and sure enough it points to my Azure Front Door instance over here. But that's not enough to validate it; you actually have to go and create this TXT record. So here you can see I've got this _dnsauth.bfafd; it's a TXT record, and it gives you a text string that you have to enter, and that's what it's going to use to actually validate, hey, I own that domain, and will then add it as a custom name, and then it will go and create the SSL cert for you and associate it with it.

The reason it uses a TXT record rather than a CNAME alias, well, I think it's more secure, but also imagine I already had this service running. Well, I can't validate the name by pointing it to my Front Door because it's not ready yet; I don't want to point to some service I'm setting up. So by using the TXT record it lets Azure Front Door validate that yes, you own it, without actually having to have the record pointing to Front Door at this time. So, hey, I can do the validation: yep, that TXT record has been added for Front Door, that proves you own that DNS zone because you were able to add that record, I'm now going to go and let you associate it with an endpoint, create the cert, it's ready to go. And then in the future, once it's up and ready, you could change that CNAME record to point to Front Door. So that's why it's a TXT record, not just checking that CNAME alias. And again, that managed lifecycle certificate is huge. So then kind of again for all of these you get this nice cert that's fully managed by Microsoft. You can bring your own if you want to; you don't have to use that, but that is a phenomenal feature.

And then once you've got that custom DNS name, you just add it to the endpoint. So in the portal, all I would have to do at this point is, once that DNS name was validated, I can just go back to my, in this case I go to my Endpoint manager, and you would see I've got my domains there. If I click edit endpoint I can do add, and I could select a domain that I've not already specified, so I validated it, now I'd be able to go and select it, or I could do add a new domain and do that all in one go. Or from the domain itself, I mean, if I remember correctly, once it's validated I could go and associate it from here, so you've got this associate link. So there's multiple ways I can go and make that with the endpoint, but now that name is using the endpoint. Again, some of this naming I think is going to change in the portal as this kind of goes to GA, but the concept will remain the same.

Okay, so this is great. We have this idea that we have the front ends for Azure Front Door; I have multiple, with my custom names, with my nice managed certs. I have my groups of origins that are providing the service. How do I link those things together? And the way I link those things together is essentially we have routes, and I can have multiple routes. So I could have kind of a route 1 that could say, hey, from this particular custom domain go to that set of origins; I might have a route 2 that, hey, from this one go to that set of origins. And then I can also have a whole set of rules, rule 1, rule 2, which is where I can do clever things like URL rewrite, URL redirection; I could look for, hey, if someone's trying to do a PUT request, don't allow it; I could have certain rate limiting things; I can do a whole bunch of super cool things in here. And the whole point of these routes is they're really kind of based on, hey, what is that domain on the front end, so I'm looking at that; I'm looking at the protocol, so is it HTTP, HTTPS; and then the URL path. So I'm looking at all those things, so yes, I can do path based routing as part of this. So those are used to pick, hey, the route, and then I can have rules within there.

So if we go and look at that part now, one of the things that's interesting right now in the portal is I can't see routes; I can see it in the Endpoint manager. So if I go to the Endpoint manager and I say edit endpoint, and then I can go to my routes, I can see my route and I could say configure. So notice I can say, hey, is this particular route enabled or disabled; I can select the domains that it is applying to, so currently I have it applying to both that default Azure Front Door generated name and my custom name I added, so that's why I'm picking the domains; this is where I can pick the path; and then I can pick the protocol. So those are the three things I'm really using to say, hey, is this route applying. And then once I've picked that route's applying, then I can do things, for example here, hey, redirect all of it to HTTPS; which origin group do I want to send it to; do I want to send it to a certain path; forwarding protocol, HTTP only, HTTPS, match; do I want to enable caching; what do I do with query string caching; do I want to turn on compression; do I have certain rules that I want to apply to this. So here, this is where, hey, if I had rules available I could actually link various rules to this.

So what are the rules? So firstly, I could add a new route; this is where I'll give it a route name, which domains I want to match on, maybe it's now a specific path, so I could dump the star and just do a certain path, and then I could pick certain things in there. But for my rule sets, I can create rules. Now I created a very silly rule, and I've not associated it with any route, but I basically checked for, hey, based on a geographic match (I could also do IP match): is it a certain geography, is it a certain IP, and I'm checking for United Kingdom, and then I'm overriding the origin group from the regular route to send it to a specific origin group. But I could also, if I just do add a new rule, look at all the different conditions: device type, HTTP version, request cookies, args, query strings, remote address, request body, request file name, a huge list, request method, request path, request protocol, request URL. So request method, hey look, if it equals a PUT, for example, well, maybe as a condition; so as an action I might redirect the URL, I might rewrite the URL, I might modify something about the request. So I have all these different things I can do. So this is where you can start to see, hey, I can do the URL redirect, I can do the URL rewrite, I could do things like rate limiting; I have all those capabilities (actually rate limiting is more WAF), but I have all those different capabilities that I can do within these rule set configurations. And again, once I've created the rules, what I would then do is, as part of the routes, if I go and edit this, you should be able to then go and select, as you can see here, language redirect; I could now associate those rules with a particular route, click update, and now that would be used.

So that's how I bring all the various parts together, and that's really all there is to it. So it's actually not super complicated, but it's super powerful. So the idea of groups of origins; I'm going to use a custom name, I'm not going to want to probably use the azurefd.net, my custom names, I get those nice certs if I want them; then I have different routes that do that mapping based on the domain, the protocol, the URL path, to groups of origins; but as we saw, using the rules, I could do things like overwrite the origin group maybe on a certain path, I could rewrite elements, I could redirect, I could modify headers; I can really do anything I want as part of that traffic flow. So it's super powerful.

The last part is kind of the whole web application firewall component. Now just quickly, before I talk about web application firewall, what about distributed denial of service? So today I get the basic distributed denial of service protection; there's obviously the Standard version as well. Today I cannot use the Standard DDoS offering with Azure Front Door, so I get the basic DDoS protection as really any other service, but I cannot apply Standard. What I can apply is the web application firewall. So optionally I can turn on WAF. Now WAF has its own huge sets of protections; again, if I do Standard I can only do custom rules; if I do Premium we get those standard OWASP rule sets, I also get things like the bot protection, but I can do the geo filtering, the rate limiting, I have all those managed rule configurations. And that WAF actually applies right here at the edge, as do all of those nice rules that I'm doing with Azure Front Door. So one of the great things about this is it's not like it's doing overhead of my origins on the whatever resources providing the service; all of that intelligence, both of Azure Front Door and of WAF, will be applying at the edge. So before it starts getting onto my network and consuming resources, this is where I'm doing that protection. The web application firewall I can just turn on if I want to; obviously it costs more money; but also all of those rules with the Azure Front Door as well.

So this is the service. I mean, that's how it works, that's how it kind of all fits together. It's actually very simple in terms of the components, but this is hugely powerful if I think about, look, if really I want to make some geographically resilient service, I can't just have it in one region, so I have to think about instances in multiple regions; maybe I am using other clouds, maybe I'm using on-premises, it doesn't matter, as long as it's a publicly addressable IP address or publicly resolvable DNS name, or if it's the Premium I can use private endpoints into my VNet. Then I have these nice Azure Front Door names, these front end endpoints, these domains, that I then map to those various origins with my routes, and then I can use the rules to do all of that, maybe custom override URL path, redirections, rewriting host headers, etc. etc. And again I would think about, hey, probably I want WAF at the edge to help give me protection from those bots, those types of injection attacks, do that rate limiting capabilities, give me that really nice, not only geographical balancing between my instances, but also adding additional protection for my service. So that's Azure Front Door. I hope this was useful. As always a lot of work goes into preparing and creating these, so subscribe and like really would be appreciated, but until next time, good luck and take care.
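The following is an added illustration, not code from the video or from Microsoft. It is a small Python model of the components the transcript walks through: a route that matches on front-end domain, protocol and URL path pattern and can redirect HTTP to HTTPS; a rule-set condition (a geo match on the client's country) that overrides the route's origin group; and origin selection inside a group, where only origins passing the health probe are candidates, the lowest priority number wins, and weight splits traffic among origins tied on priority (the canary-style rollout the video describes). The hostnames, group names and the `country` field are constructed placeholders, and "longest pattern is the most specific route" is an assumption of this model, not a statement about the real service's matching algorithm.

```python
"""Toy model of Azure Front Door routing and origin selection (illustration only)."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
import random


@dataclass
class Origin:
    name: str
    host: str
    priority: int = 1      # lower number = preferred tier, used while it has healthy members
    weight: int = 1000     # share of requests among origins in the same tier
    healthy: bool = True   # outcome of the health probe


@dataclass
class OriginGroup:
    name: str
    origins: list

    def pick(self, rng):
        """Lowest priority number among healthy origins wins; weight splits that tier."""
        healthy = [o for o in self.origins if o.healthy]
        if not healthy:
            return None
        best = min(o.priority for o in healthy)
        tier = [o for o in healthy if o.priority == best]
        return rng.choices(tier, weights=[o.weight for o in tier], k=1)[0]


@dataclass
class Route:
    name: str
    domains: set           # front-end domains this route applies to
    protocols: set         # subset of {"http", "https"}
    pattern: str           # path pattern such as "/*" or "/api/*"
    origin_group: str
    https_redirect: bool = False
    rules: list = field(default_factory=list)   # (condition(request) -> bool, override group)

    def matches(self, request):
        return (request["host"] in self.domains
                and request["scheme"] in self.protocols
                and fnmatch(request["path"], self.pattern))


@dataclass
class FrontDoor:
    routes: list
    groups: dict           # group name -> OriginGroup

    def select_route(self, request):
        # Assumption of this model: among matching routes the longest pattern is most specific.
        matching = [r for r in self.routes if r.matches(request)]
        return max(matching, key=lambda r: len(r.pattern)) if matching else None

    def handle(self, request, rng=None):
        """Return ("redirect", url), ("forward", origin host), or a diagnostic tuple."""
        rng = random.Random() if rng is None else rng
        route = self.select_route(request)
        if route is None:
            return ("no-route", None)
        if route.https_redirect and request["scheme"] == "http":
            return ("redirect", "https://" + request["host"] + request["path"])
        group_name = route.origin_group
        for condition, override in route.rules:
            if condition(request):           # rule action: override the origin group
                group_name = override
        origin = self.groups[group_name].pick(rng)
        if origin is None:
            return ("no-healthy-origin", group_name)
        return ("forward", origin.host)


def traffic_share(group, trials=10000, seed=1):
    """Fraction of picks each origin receives; shows how weight drives a canary rollout."""
    rng = random.Random(seed)
    counts = {o.name: 0 for o in group.origins}
    for _ in range(trials):
        chosen = group.pick(rng)
        if chosen is None:
            raise ValueError("no healthy origin in group " + group.name)
        counts[chosen.name] += 1
    return {name: n / trials for name, n in counts.items()}


def build_demo():
    """Constructed sample configuration; every host and name here is an invented placeholder."""
    default = OriginGroup("default-origin-group", [
        Origin("aci-eastus", "app-eastus.example.com", priority=1, weight=900),   # current version
        Origin("aci-westus", "app-westus.example.com", priority=1, weight=100),   # canary version
        Origin("dr-onprem", "app-dr.example.com", priority=2, weight=1000),       # used only on failover
    ])
    uk = OriginGroup("uk-origin-group", [Origin("aci-uksouth", "app-uksouth.example.com")])
    uk_rule = (lambda req: req.get("country") == "GB", "uk-origin-group")   # geo-match override
    routes = [Route("default-route", {"bfafd.example.com"}, {"http", "https"}, "/*",
                    "default-origin-group", https_redirect=True, rules=[uk_rule])]
    return FrontDoor(routes, {g.name: g for g in (default, uk)})


if __name__ == "__main__":
    fd = build_demo()
    print(fd.handle({"host": "bfafd.example.com", "scheme": "http", "path": "/"}))
    print(fd.handle({"host": "bfafd.example.com", "scheme": "https", "path": "/", "country": "GB"}))
    print(traffic_share(fd.groups["default-origin-group"]))
```

Marking the priority-1 origins unhealthy makes `handle` fall through to the priority-2 origin, and marking all of them unhealthy yields the `no-healthy-origin` diagnostic, which is the failover behaviour the priority setting is for; raising the canary's weight step by step shifts the `traffic_share` result toward it without touching DNS.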
Info
Channel: John Savill's Technical Training
Views: 10,388
Keywords: azure, azure cloud, microsoft azure, microsoft, cloud, networking, azure front door
Id: DHiZbIks9i0
Length: 40min 21sec (2421 seconds)
Published: Tue Oct 26 2021