Monday, March 30, 2020

Azure Traffic Manager (DNS Based Load Balancing)

Architecture Diagram:

Multi-region Traffic Manager Deployment


Summary

There are different options to load balance traffic in Microsoft Azure. These options work differently from each other, have a different feature set and support different scenarios. They can each be used in isolation, or be stacked as shown in this architecture. Azure Load Balancer works at the transport layer (Layer 4). It provides network-level distribution of traffic across instances of an application running in the same Azure virtual network within a region. Application Gateway works at the application layer (Layer 7). It acts as a reverse-proxy service, terminating the client connection and forwarding requests to back-end endpoints. Traffic Manager works at the DNS level. It uses DNS responses to direct end user traffic to globally distributed endpoints. Clients then connect to those endpoints directly. This blog article demonstrates a sample architecture with some end-to-end verification steps. Azure documentation link here


Test Drive


http://nncolors.trafficmanager.net
http://nncolorseast.eastus.cloudapp.azure.com/
http://nncolorswest.westus.cloudapp.azure.com

Custom domain:
http://nncolorstm.penguintrails.com/

DNS Checker  (Validate DNS resolution from all over the world)
https://dnschecker.org/#CNAME/nncolors.trafficmanager.net

Scribble:


Routing Methods:

Detailed documentation on the routing methods here. The method used in this blog article is performance-based routing with an active/active deployment across regions: end users get the closest endpoint, i.e. the one with the lowest latency.

End Points


Azure supports different types of endpoints with Traffic Manager. Detailed documentation here. Here we use external IPv4 endpoints to demonstrate that services can be hosted outside of Azure, either on-premises or with another hosting provider.

Validations:

Global DNS Validation:
DNS Checker  (Validate DNS resolution from all over the world)
https://dnschecker.org/#CNAME/nncolors.trafficmanager.net

End User : DNS validation

nehali@nn-linux-dev:~$ dig +noall +answer +nocomments  nncolorstm.penguintrails.com
nncolorstm.penguintrails.com. 5 IN      CNAME   nncolors.trafficmanager.net.
nncolors.trafficmanager.net. 5  IN      CNAME   nncolorseast.eastus.cloudapp.azure.com.
nncolorseast.eastus.cloudapp.azure.com. 10 IN A 52.150.45.51
nehali@nn-linux-dev:~$
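As an added example (not part of the original post), the check below parses the dig answer above, walks the CNAME chain from the custom domain to the terminal A record, reports the smallest TTL on the path (the figure that bounds how quickly a Traffic Manager failover reaches caching resolvers), and confirms that the endpoint the client landed on is one of the regional hostnames listed under Test Drive. The allow-list `EXPECTED_ENDPOINTS` is an assumption built from those two hostnames; the sample input is the dig output copied from this page. The same parser handles the longer azurefd.net chain shown in the Front Door post further down.

```python
import re

# Constructed sample input: the dig answer shown above, copied verbatim.
DIG_OUTPUT = """\
nncolorstm.penguintrails.com. 5 IN      CNAME   nncolors.trafficmanager.net.
nncolors.trafficmanager.net. 5  IN      CNAME   nncolorseast.eastus.cloudapp.azure.com.
nncolorseast.eastus.cloudapp.azure.com. 10 IN A 52.150.45.51
"""

# Hypothetical allow-list for this example: the two regional endpoints from
# the Test Drive section. Anything else resolving behind the profile is a
# misconfiguration (or a stale CNAME) worth alerting on.
EXPECTED_ENDPOINTS = {
    "nncolorseast.eastus.cloudapp.azure.com",
    "nncolorswest.westus.cloudapp.azure.com",
}

# One answer line as printed by `dig +noall +answer`: owner, TTL, class, type, rdata
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(CNAME|A)\s+(\S+)\s*$")


def parse_answers(text):
    """Return {owner: (ttl, rtype, rdata)} for every CNAME/A answer line."""
    records = {}
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if m:
            owner, ttl, rtype, rdata = m.groups()
            records[owner.rstrip(".")] = (int(ttl), rtype, rdata.rstrip("."))
    return records


def follow_chain(records, name, max_hops=10):
    """Walk CNAMEs from `name` until an A record is reached.

    Returns (hostnames visited in order, final IPv4, minimum TTL on the path).
    Raises LookupError if a hop has no answer or the chain does not terminate.
    """
    path, min_ttl = [name], None
    for _ in range(max_hops):
        rec = records.get(name)
        if rec is None:
            raise LookupError(f"no answer for {name}")
        ttl, rtype, rdata = rec
        min_ttl = ttl if min_ttl is None else min(min_ttl, ttl)
        if rtype == "A":
            return path, rdata, min_ttl
        name = rdata
        path.append(name)
    raise LookupError("CNAME chain too long")


def check_resolution(text, fqdn, expected=EXPECTED_ENDPOINTS):
    """Summarise where a client resolving `fqdn` ends up and whether that is allowed."""
    path, ip, min_ttl = follow_chain(parse_answers(text), fqdn)
    endpoint = path[-1]
    return {
        "endpoint": endpoint,
        "ip": ip,
        "min_ttl": min_ttl,
        "expected": endpoint in expected,
    }


if __name__ == "__main__":
    print(check_resolution(DIG_OUTPUT, "nncolorstm.penguintrails.com"))
```

Run it from several vantage points (or feed it the output of a remote resolver) and the `endpoint` field shows which region the performance routing method picked for that location; a result with `expected` False means the profile, or the custom-domain CNAME in front of it, points somewhere it should not.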



End Point : Web Server side packet capture:

nehali@nn-red-vm:~$ ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0d:3a:8e:22:50 brd ff:ff:ff:ff:ff:ff
    inet 172.16.2.4/24 brd 172.16.2.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20d:3aff:fe8e:2250/64 scope link
       valid_lft forever preferred_lft forever

nehali@nn-red-vm:~$

Original Source IP:

  71.184.73.96.1503 > 172.16.2.4.80: Flags [P.], cksum 0x375e (correct), seq 7939:8506, ack 5980, win 1303, options [nop,nop,TS val 30891632 ecr 3629512936], length 567: HTTP, length: 567
        GET / HTTP/1.1
        Host: nncolors.trafficmanager.net
        Connection: keep-alive
        Cache-Control: max-age=0
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36 Edg/81.0.416.64
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Accept-Encoding: gzip, deflate
        Accept-Language: en-US,en;q=0.9
        If-None-Match: "49-59cd37191e857-gzip"
        If-Modified-Since: Thu, 23 Jan 2020 19:14:00 GMT

16:33:42.428291 IP (tos 0x0, ttl 64, id 53784, offset 0, flags [DF], proto TCP (6), length 479)
    172.16.2.4.80 > 71.184.73.96.1503: Flags [P.], cksum 0x40fe (incorrect -> 0x6c6b), seq 5980:6407, ack 8506, win 501, options [nop,nop,TS val 3629513117 ecr 30891632], length 427: HTTP, length: 427
        HTTP/1.1 200 OK
        Date: Thu, 30 Apr 2020 16:33:42 GMT
        Server: Apache/2.4.29 (Ubuntu)
        Last-Modified: Thu, 23 Jan 2020 19:14:00 GMT
        ETag: "49-59cd37191e857-gzip"
        Accept-Ranges: bytes
        Vary: Accept-Encoding
        Content-Encoding: gzip
        Content-Length: 93
        Keep-Alive: timeout=5, max=86
        Connection: Keep-Alive
        Content-Type: text/html


Custom Domain:
   71.184.73.96.3682 > 172.16.2.4.80: Flags [P.], cksum 0x1ab0 (correct), seq 6248:6816, ack 4699, win 1102, options [nop,nop,TS val 30905342 ecr 3629650041], length 568: HTTP, length: 568
        GET / HTTP/1.1
        Host: nncolorstm.penguintrails.com
        Connection: keep-alive
        Cache-Control: max-age=0
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36 Edg/81.0.416.64
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Accept-Encoding: gzip, deflate
        Accept-Language: en-US,en;q=0.9
        If-None-Match: "49-59cd37191e857-gzip"
        If-Modified-Since: Thu, 23 Jan 2020 19:14:00 GMT

16:35:59.524620 IP (tos 0x0, ttl 64, id 35656, offset 0, flags [DF], proto TCP (6), length 479)
    172.16.2.4.80 > 71.184.73.96.3682: Flags [P.], cksum 0x40fe (incorrect -> 0xbd26), seq 4699:5126, ack 6816, win 501, options [nop,nop,TS val 3629650213 ecr 30905342], length 427: HTTP, length: 427
        HTTP/1.1 200 OK
        Date: Thu, 30 Apr 2020 16:35:59 GMT
        Server: Apache/2.4.29 (Ubuntu)
        Last-Modified: Thu, 23 Jan 2020 19:14:00 GMT
        ETag: "49-59cd37191e857-gzip"
        Accept-Ranges: bytes
        Vary: Accept-Encoding
        Content-Encoding: gzip
        Content-Length: 93
        Keep-Alive: timeout=5, max=89
        Connection: Keep-Alive
        Content-Type: text/html


Monday, March 23, 2020

XFF headers with Azure Front Door

Architecture

XFF Headers with Azure Front Door and Azure Application Gateway

Overview

This blog post is inspired by one of my recent partner engagements where we took a closer look at how XFF headers work with Azure Front Door and Application Gateway in the design. Detailed documentation on Azure Front Door is here and on HTTP header support here. I've done another blog post on Azure Front Door architecture; this one covers just the XFF headers.


Configuration Snippet:

In the Azure Front Door designer, the backend pool is configured with a host header of app1.penguintrails.com, and the backend host is the Application Gateway, listening on tcp/8080.

Front Door Side Configuration

Application Gateway listener


Validations:


End User DNS Resolution:

nehali@nn-linux-dev:~$ dig +noall +answer +nocomments  nncolorsfd.penguintrails.com
nncolorsfd.penguintrails.com. 60 IN     CNAME   nncolors.azurefd.net.
nncolors.azurefd.net.   299     IN      CNAME   t-0001.t-msedge.net.
t-0001.t-msedge.net.    44      IN      CNAME   Edge-Prod-BL2r3.ctrl.t-0001.t-msedge.net.
Edge-Prod-BL2r3.ctrl.t-0001.t-msedge.net. 143 IN CNAME standard.t-0001.t-msedge.net.
standard.t-0001.t-msedge.net. 67 IN     A       13.107.246.10


Host Header: app1.penguintrails.com

Packet Captures on the Red VM:

Result:
Two comma-separated IPs in the XFF header! The first was inserted by Azure Front Door and the second by the Azure Application Gateway. The first matches the actual client IP; the second (with the source port appended) is the IP of the AFD instance.


nn-red-vm:~$ ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0d:3a:8e:22:50 brd ff:ff:ff:ff:ff:ff
    inet 172.16.2.4/24 brd 172.16.2.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20d:3aff:fe8e:2250/64 scope link
       valid_lft forever preferred_lft forever

nehali@nn-red-vm:~$


    172.16.253.6.38108 > 172.16.2.4.80: Flags [P.], cksum 0x753a (correct), seq 4622:5672, ack 2808, win 37, options [nop,nop,TS val 3732356603 ecr 1648501819], length 1050: HTTP, length: 1050
        GET / HTTP/1.1
        X-FORWARDED-PROTO: http
        X-FORWARDED-PORT: 8080
        X-Forwarded-For: 71.184.73.96, 147.243.165.11:33844
        X-Original-URL: /
        Connection: keep-alive
        Host: app1.penguintrails.com
        X-ORIGINAL-HOST: app1.penguintrails.com
        Cache-Control: max-age=0
        Via: 1.1 Azure
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Accept-Encoding: gzip, deflate
        Accept-Language: en-US,en;q=0.9
        If-Modified-Since: Thu, 23 Jan 2020 19:14:00 GMT
        If-None-Match: "49-59cd37191e857-gzip"
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36 Edg/81.0.416.64
        Upgrade-Insecure-Requests: 1
        X-Azure-ClientIP: 71.184.73.96
        X-Azure-Ref: 0D3KpXgAAAAClQkTCWGMSTpl6RhyH0uXkQk9TMzFFREdFMDQxMAA2NzhjZDdlMi0yMjFlLTQwN2QtOGNmZS1lZTgxMjE0NzU4ZmU=
        X-Forwarded-Host: nncolorsfd.penguintrails.com
        X-Azure-RequestChain: hops=1
        X-Azure-SocketIP: 71.184.73.96
        X-Azure-FDID: 678cd7e2-221e-407d-8cfe-ee81214758fe

12:24:46.973700 IP (tos 0x0, ttl 64, id 20651, offset 0, flags [DF], proto TCP (6), length 479)
    172.16.2.4.80 > 172.16.253.6.38108: Flags [P.], cksum 0x58fd (incorrect -> 0xf02c), seq 2808:3235, ack 5672, win 501, options [nop,nop,TS val 1648502048 ecr 3732356603], length 427: HTTP, length: 427
        HTTP/1.1 200 OK
        Date: Wed, 29 Apr 2020 12:24:46 GMT
        Server: Apache/2.4.29 (Ubuntu)
        Last-Modified: Thu, 23 Jan 2020 19:14:00 GMT
        ETag: "49-59cd37191e857-gzip"
        Accept-Ranges: bytes
        Vary: Accept-Encoding
        Content-Encoding: gzip
        Content-Length: 93
        Keep-Alive: timeout=5, max=92
        Connection: Keep-Alive
        Content-Type: text/html
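As an added example (not code from the original post), here is how a backend behind this Front Door plus Application Gateway chain can recover the client IP from the request captured above without trusting whatever a caller may have put at the front of X-Forwarded-For. It walks the header from the right, discarding hops that belong to known proxies, and first requires the X-Azure-FDID of the expected profile. The sample headers, the peer address 172.16.253.6 and the FDID value are taken from the capture; the `TRUSTED_PROXIES` ranges are a hypothetical allow-list for this example only.

```python
import ipaddress

# Constructed sample: headers from the request captured on the red VM above,
# plus the TCP peer (the Application Gateway instance) that delivered them.
SAMPLE_HEADERS = {
    "Host": "app1.penguintrails.com",
    "X-Forwarded-For": "71.184.73.96, 147.243.165.11:33844",
    "X-Azure-ClientIP": "71.184.73.96",
    "X-Azure-FDID": "678cd7e2-221e-407d-8cfe-ee81214758fe",
}
SAMPLE_PEER = "172.16.253.6"

# Assumed trusted hops (hypothetical allow-list): the Application Gateway
# subnet seen in the capture and an illustrative range covering the Front
# Door egress address. In production, load the published AzureFrontDoor.Backend
# service-tag ranges rather than hard-coding a /16.
TRUSTED_PROXIES = [
    ipaddress.ip_network("172.16.253.0/24"),
    ipaddress.ip_network("147.243.0.0/16"),
]
# The Front Door profile this backend expects (value from the capture).
EXPECTED_FDID = "678cd7e2-221e-407d-8cfe-ee81214758fe"


def parse_hop(hop):
    """Normalise one X-Forwarded-For entry to an IP address.

    Handles the bare form ("71.184.73.96"), the IPv4:port form that the
    Application Gateway appends ("147.243.165.11:33844") and bracketed IPv6
    ("[2001:db8::1]:443"). Raises ValueError on anything else.
    """
    hop = hop.strip()
    if hop.startswith("["):                 # [v6]:port or [v6]
        hop = hop[1:hop.index("]")]
    elif hop.count(":") == 1:               # v4:port (a bare v6 has >1 colon)
        hop = hop.split(":", 1)[0]
    return ipaddress.ip_address(hop)


def is_trusted(addr, trusted):
    return any(addr in net for net in trusted)


def client_ip(headers, peer_ip, trusted=TRUSTED_PROXIES, expected_fdid=EXPECTED_FDID):
    """Return the real client IP, or None if the request cannot be trusted.

    1. Require the X-Azure-FDID of our own Front Door profile. This only
       means something when the backend is also network-restricted to Front
       Door; a direct caller could set the header themselves.
    2. Walk the chain (XFF entries followed by the TCP peer) from the right,
       dropping hops that are our proxies. The first non-proxy address is the
       client; anything further left was supplied upstream of our first
       trusted hop and is not believed.
    """
    if headers.get("X-Azure-FDID") != expected_fdid:
        return None
    raw = headers.get("X-Forwarded-For", "")
    try:
        hops = [parse_hop(h) for h in raw.split(",") if h.strip()]
        chain = hops + [ipaddress.ip_address(peer_ip)]
    except ValueError:
        return None                          # malformed header: refuse to guess
    for addr in reversed(chain):
        if not is_trusted(addr, trusted):
            return str(addr)
    return None                              # every hop was ours: no client found


if __name__ == "__main__":
    print(client_ip(SAMPLE_HEADERS, SAMPLE_PEER))
```

For the captured request this yields 71.184.73.96, the same value Front Door reports in X-Azure-ClientIP; a mismatch between the two is a useful alarm in its own right. Reading XFF from the left instead would make any extra entry a client prepends look like the client address, which matters for logging, rate limiting and allow-listing decisions taken at the web server.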