Monitoring Azure Web Apps

  • Question

  • I put this in the web apps forum because it's more a question for developers than the networking side.

    Trying to figure out the optimal architecture for an application stack that uses serverless code (functions, APIs, Azure Web Apps, etc.) for a client. The goal is to distribute this across two Azure regions for HA/DR capabilities. In terms of monitoring this stack, what would be the better way to go: Traffic Manager or Application Gateway? Using the App Gateway would open the possibility of also using the WAF (which is a great security tool), but if the Traffic Manager can monitor all of these APIs and Web Apps on its own using the health monitors, then why really use the App Gateway (in terms of health monitoring)?

    Say one part of the application stack failed, for example: one of the APIs didn't work for whatever reason. Which load balancer would be better at handling that detection? The APIs are currently called via DNS name with an SSL cert on it.

    Wednesday, October 31, 2018 6:09 PM

Answers

  • As I specialize with Azure App Services, my below response will be biased towards those products. Others may have other ideas with Azure Functions or other products.

    Azure Traffic Manager (ATM) will ping the root of the web app by default. You can select the location within the web app that the health ping is directed to. If the response is anything higher than an HTTP 3XX status code, the endpoint will be marked as unhealthy and traffic will stop routing to that endpoint. In this regard, if the web worker still continues to give out 200-300 status codes but some part of the API is directly broken, ATM might not see an issue and continue routing traffic to the worker. ATM is a DNS-based service that monitors for healthy HTTP status codes. If your failing API will also generate HTTP 400-500 status codes, then this solution should be good enough.

    In regard to an app gateway, this is a different type of load balancing due to it being layer 7. I am unable to find any documentation that supports the claim that Azure App Services can be load balanced/failed over using an App Gateway. It could provide you the ability to set up a WAF. I have seen customers set up health probes for their app services before but never with mixing in load balancing.

    If you're after a WAF though, you can simply use ATM and a 3rd party WAF such as Barracuda's WAF. As far as I am aware, this still requires you to use an App Service Environment [ASE] (premium offering on app services with an increase of cost due to receiving dedicated hardware). With that being said, I also believe an App Gateway WAF can only be used with an Internally Load Balance ASE (ILB ASE). So with either option, you'll likely need an ILB ASE or an ASE to use a WAF. Do keep in mind that Azure provides security upfront but most of that is controlled by Microsoft so a WAF may not be necessary unless you have strict security requirements.

    Please let us know if you have additional questions or concerns on this matter.

    Thursday, November 1, 2018 7:53 AM
    Moderator
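Added example, not part of the original reply and not Microsoft code: the answer above notes that a status-code probe misses an API that is broken while the worker still returns 200. One way to close that gap is a dedicated probe path that runs a check per dependency and answers 503 if any of them fails. The `/healthz` path, the component names and the two sample checks are assumptions made for illustration.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer


def evaluate_health(checks):
    """Run every dependency check and return (http_status, report).

    checks maps a component name to a zero-argument callable that raises
    on failure. Any failure turns the probe into a 503 so that a monitor
    keyed on status codes marks the endpoint unhealthy.
    """
    report = {}
    for name, check in checks.items():
        try:
            check()
            report[name] = "ok"
        except Exception as exc:  # a crashing check must not crash the probe
            # Expose only the exception type: the probe path is unauthenticated.
            report[name] = "failed: " + type(exc).__name__
    healthy = all(state == "ok" for state in report.values())
    return (200 if healthy else 503), report


def make_handler(checks, path="/healthz"):
    """Build a request handler that serves the aggregated result on `path`."""
    class HealthHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path != path:
                self.send_error(404)
                return
            status, report = evaluate_health(checks)
            body = json.dumps(report).encode()
            self.send_response(status)
            self.send_header("Content-Type", "application/json")
            self.send_header("Cache-Control", "no-store")  # never serve a cached verdict
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
    return HealthHandler


# Constructed sample checks; real ones would call each API with a short timeout.
def orders_api_ok():
    return None

def billing_api_down():
    raise ConnectionError("constructed failure")

SAMPLE_CHECKS = {"orders-api": orders_api_ok, "billing-api": billing_api_down}

if __name__ == "__main__":
    print(evaluate_health(SAMPLE_CHECKS))
    HTTPServer(("127.0.0.1", 8080), make_handler(SAMPLE_CHECKS)).serve_forever()
```

Pointing the monitor's probe path at this endpoint instead of the site root makes a single failed API visible as an unhealthy status code.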

All replies

  • App Gateway does support Web Apps as a backend: https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-web-app-overview & https://docs.microsoft.com/en-us/azure/application-gateway/create-web-app

    The difficulty with this scenario is the following:

    I can see that the TM can help from the client side and fail over to the second region if some piece of this stack is marked down. The TM could then redirect the login to the other region. That would work. What does not work in this scenario is that if one API endpoint is not working in region (there are about a dozen of them for this particular application), then how will that work from the application perspective? For example, this app also uses the API Manager to handle the logic of opening calls to the APIs, getting info from the Key Vault and using tokens to verify who has access to what from Azure AD. If one API is down in region, then how would the APIM know that and then use another instance of the API that is down (either in region or in the other region)? I don't see any documentation explaining that scenario. 


    Thursday, November 1, 2018 12:50 PM
  • I think this is the scenario here: https://serverfault.com/questions/914045/scaled-out-app-service-seems-to-scale-poorly-directs-all-traffic-to-an-instance

    Basically, just scale out to at least two instances per region and hope for the best. I don't see that you have much control over it in terms of failover. 

    Thursday, November 1, 2018 1:24 PM
  • Vegas577, looking around, I believe the below 3rd party blog might highlight what you are trying to achieve with using ATM and App Gateway with a WAF.

    Part 1: https://www.cameronvetter.com/2018/03/09/using-azure-application-gateway-wafs-to-secure-azure-web-apps-and-traffic-manager-for-geo-redundancy/

    Part 2: https://www.cameronvetter.com/2018/05/23/using-azure-application-gateway-wafs-to-secure-azure-web-apps-with-traffic-manager-for-geo-redundancy-part-2/

    In regard to the API aspect, you mentioned API Manager. Are you referring to the Azure API Management product? If so, you do have the ability to use APIM with multiple regions, as highlighted in the below blog.

    https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-deploy-multi-region

    Monday, November 5, 2018 11:18 PM
    Moderator