How to implement multi-website on single Azure Application Gateway WAF
11 min read
How to implement multi-website on single Azure Application Gateway WAF
The below architecture diagram describes how Application Gateway helps in routing different websites with different domains hosted on different servers from the same Application Gateway and how the requests can be filtered and accepted/blocked based on the type of traffic. This can be achieved with the help of the below Application Gateway and WAF configurations.
In the above architecture, we have 3 websites hosted on 3 different types of architectures where www.domain01.com site is hosted on 2 servers, www.domain02.com site on a single server and the www.domain03.com site is hosted on 3 server architecture.
In order for the Application Gateway to properly route traffic to the sites based on the incoming request, we will implement the below configurations.
- Backend Pools: This is the configuration where we configure the servers/services of each site. For our architecture, we will configure 3 backend pools as below.
- Domain01-BackendPool: Here, we add 2 VMs hosting domain01.com as the targets.
- Domain02-BackendPool: Here, we add the VM hosting domain02.com as the target.
- Domain03-BackendPool: Here, we add 3 VMs hosting domain03.com as the targets.
- HTTP Settings: Here, we configure the ports where we will be sending HTTP and HTTPS request.
- HTTP: In this setting, we configured HTTP traffic to be routed to 80 port.
- HTTPS: In this setting, we configured HTTPS traffic to be routed to 443 port.
- Listeners: Here we configure the HTTP and HTTPS listeners for each website’s separately.
- HTTP01: This is the HTTP listener for domain01.com
- HTTS01: This is the HTTPS listener for domain01.com
- HTTP02: This is the HTTP listener for domain02.com
- HTTS02: This is the HTTPS listener for domain02.com
- HTTP03: This is the HTTP listener for domain03.com
- HTTS03: This is the HTTPS listener for domain03.com
Note: We need to create/upload the SSL certificate of each website while creating HTTPS listener.
- Rules: This is configuration which will play the major role of routing the traffic based on the incoming traffic request.
- HTTP01: This rule will route incoming traffic of domain01.com (HTTP01 Listener) to Domain01-BackendPool HTTP backend target.
- HTTPS01: This rule will route incoming traffic of domain01.com (HTTPS01 Listener) to Domain01-BackendPool HTTPS backend target.
- HTTP02: This rule will route incoming traffic of domain02.com (HTTP02 Listener) to Domain02-BackendPool HTTP backend target.
- HTTPS02: This rule will route incoming traffic of domain02.com (HTTPS02 Listener) to Domain02-BackendPool HTTPS backend target.
- HTTP03: This rule will route incoming traffic of domain03.com (HTTP03 Listener) to Domain03-BackendPool HTTP backend target.
- HTTPS03: This rule will route incoming traffic of domain03.com (HTTPS03 Listener) to Domain03-BackendPool HTTPS backend target.
- Web Application Firewall: This is the configuration for the Firewall. Here, we configured the Tier as ‘WAF’ and the Firewall status is enabled and mode is selected as Prevention. The prevention mode will block all unwanted requests coming to the application gateway based on the Rule set which is applied on the WAF i.e. OWASP 3.0.
Note: The Application Gateway WAF implementation will be based on the architecture of the backend development/production environment. The settings will largely vary based on the backend environment architecture.
For information on the list of WAF rules which are part of OWASP 3.0, Click HERE.
Safi is the founder and chief editor of ZoomTutorials Blog, a leading tutorials and technology blogging site specializing in DevOps, SysAdmin and Cloud Technologies to help IT professionals in their day to day work. He is a Senior Cloud and DevOps Solutions Engineer at a leading eCommerce development Company and has more than 8 years of SysAdmin experience working with Fortune 500 companies to solve their most important IT backbones. Safi lives in Hyderabad with his wife and a son.
Hi,
I have the following scenario:
A gateway and a vm scale set which are of course in the same network. I have a domain and a subdomain which I need to map.
For the gateway I just have a Public IP set and the default cloudapp.azure.com domain. I have 2 backend pools, one for domain and subdomain. Each domain has a separate Rule and each rule a separate Listener and all the Rules have the same Backend targets.
https://prnt.sc/ubwncj
https://prnt.sc/ubwnq1
https://prnt.sc/ubwnw0
https://prnt.sc/ubwnzw
https://prnt.sc/ubwo8t
https://prnt.sc/ubwopl
https://prnt.sc/ubwot9
https://prnt.sc/ubwowo
https://prnt.sc/ubwozt
For some reason, it will not load the page when I put the specific domains in place for my listeners.
If I put here one of my domains, https://prnt.sc/ubwl1s it will just not work. Am I missing something in the DNS?
Also, how did you generate the certificates? Did you use let’s encrypt?
Did you generate the certificate after mapping the domains specifically on a server and then just exported the certificate from there after changing the ip to the gateway?
I would really appreciate if you can help. Thanks
Hello Demian,
Can we schedule screen sharing session to troubleshoot and fix the issue. The screenshots do provide some inputs but it’s not completely clear to provide you a solution.
Hope you understand.
Thanks!
[email protected]
Hi,
I just sent you my details via email. Thank you for your help.
BR,
Flavius