This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.

Commit 6c9b569

George Wallace authored and committed Oct 11, 2016
initial commit
1 parent 1183707 commit 6c9b569

12 files changed, with +57 and -46 lines changed

‎articles/application-gateway/application-gateway-backend-ssl.md

Lines changed: 14 additions & 11 deletions
@@ -12,7 +12,7 @@
1212
ms.topic="hero-article"
1313
ms.tgt_pltfrm="na"
1414
ms.workload="infrastructure-services"
15-
ms.date="09/26/2016"
15+
ms.date="10/11/2016"
1616
ms.author="amsriva"/>
1717

1818
# Enabling SSL Policy and end to end SSL on Application Gateway
@@ -21,26 +21,29 @@
2121

2222
Application gateway supports SSL termination at the gateway, after which traffic typically flows unencrypted to the backend servers. This allows web servers to be unburdened from costly encryption/decryption overhead. However for some customers unencrypted communication to the backend servers is not an acceptable option. This could be due to security/compliance requirements or the application may only accept secure connection. For such applications, application gateway now supports end to end SSL encryption.
2323

24-
End to end SSL allows you to securely transmit sensitive data to the backend encrypted while availing benefits of Layer 7 load balancing features which application gateway provides, such as cookie affinity, URL-based routing, support for routing based on sites or ability to inject X-Forwarded-* headers.
24+
End to end SSL allows you to securely transmit sensitive data to the backend encrypted still taking advantage of the benefits of Layer 7 load balancing features which application gateway provides, such as cookie affinity, URL-based routing, support for routing based on sites or ability to inject X-Forwarded-* headers.
2525

26-
When configured with end to end SSL communication mode, application gateway terminates user SSL sessions at the gateway and decrypts user traffic. It then applies the configured rules to select an appropriate backend pool instance to route traffic to. Application gateway then initiates a new SSL connection to the backend server and re-encrypts data using backend server's public key certificate before transmitting request to the backend. End to end SSL is enabled by setting protocol setting in BackendHTTPSetting to Https, which is then applied to a backend pool. Each backend server in the backend pool with end to end SSL enabled must be configured with a certificate to allow secure communication.
26+
When configured with end to end SSL communication mode, application gateway terminates user SSL sessions at the gateway and decrypts user traffic. It then applies the configured rules to select an appropriate backend pool instance to route traffic to. Application gateway then initiates a new SSL connection to the backend server and re-encrypts data using the backend server's public key certificate before transmitting request to the backend. End to end SSL is enabled by setting protocol setting in BackendHTTPSetting to Https, which is then applied to a backend pool. Each backend server in the backend pool with end to end SSL enabled must be configured with a certificate to allow secure communication.
2727

28-
![imageURLroute](./media/application-gateway-multi-site-overview/multisite.png)
28+
![end to end ssl scenario][1]
2929

30-
In this example, requests for https://contoso.com can be routed to ContosoServerPool over HTTP, and https://fabrikam.com will be routed to FabrikamServerPool over HTTPS using end to end SSL.
30+
In this example, requests using TLS1.2 will be routed to backend servers in Pool1 using end to end SSL.
3131

3232
## End to end SSL and white listing of certificates
3333

34-
Application gateway only communicates with known backend instances, which have whitelisted their certificate with the application gateway. To enable whitelisting of certificates, you must upload the public key of backend server certificates to the application gateway. Only connections to known and white listed backend is then allowed and remaining result in a gateway error. Self-signed certificates are for test purposes only and not recommended for production workloads. Such certificates must also be white listed with the application gateway as described above before they can be used.
34+
Application gateway only communicates with known backend instances that have whitelisted their certificate with the application gateway. To enable whitelisting of certificates, you must upload the public key of backend server certificates to the application gateway. Only connections to known and white listed backends are then allowed. The remaining backends will result in a gateway error. Self-signed certificates are for test purposes only and not recommended for production workloads. Such certificates must also be white listed with the application gateway as described above before they can be used.
3535

3636
## Application Gateway SSL Policy
3737

38-
Application gateway also supports user configurable SSL negotiation policies, which allow customers finer grained control over SSL connections at the application gateway.
38+
Application gateway supports user configurable SSL negotiation policies, which allow customers more control over SSL connections at the application gateway.
3939

40-
1. SSL 2.0 and 3.0 are forced disabled for all Application Gateways. They are not configurable at all.
41-
2. SSL policy definition gives you option to disable any of the following 3 protocols - TLSv1_0, TLSv1_1, TLSv1_2.
42-
3. If no SSL policy is defined all three (TLSv1_0, TLSv1_1, TLSv1_2) would be enabled.
40+
1. SSL 2.0 and 3.0 disabled by default for all Application Gateways. They are not configurable at all.
41+
2. SSL policy definition gives you option to disable any of the following 3 protocols - TLSv1\_0, TLSv1\_1, TLSv1\_2.
42+
3. If no SSL policy is defined all three (TLSv1\_0, TLSv1\_1, TLSv1_2) are be enabled.
4343

4444
## Next steps
4545

46-
After learning about end to end SSL and SSL policy, go to [enable end to end SSL on application gateway](application-gateway-end-to-end-ssl-powershell.md) to create an application gateway with ability to send traffic to backend in encrypted form.
46+
After learning about end to end SSL and SSL policy, go to [enable end to end SSL on application gateway](application-gateway-end-to-end-ssl-powershell.md) to create an application gateway with ability to send traffic to backends in encrypted form.
47+
48+
<!--Image references-->
49+
[1]: ./media/application-gateway-backend-ssl/scenario.png
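Review bot: In the SSL policy list, new line 40 reads "SSL 2.0 and 3.0 disabled by default for all Application Gateways. They are not configurable at all.", which drops the verb and says "by default" immediately before saying the setting cannot be changed. "Disabled by default" suggests the protocols can be re-enabled; if they cannot, say so directly, for example "SSL 2.0 and 3.0 are always disabled for all application gateways and cannot be enabled." New line 42 has "are be enabled" (should be "are enabled") and leaves the last `TLSv1_2` unescaped while the other protocol names on lines 41 and 42 are written `TLSv1\_0` and `TLSv1\_1`. New line 24 also lost its conjunction: "to the backend encrypted still taking advantage" needs "while" before "still".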

‎articles/application-gateway/application-gateway-create-gateway-arm-template.md

Lines changed: 8 additions & 5 deletions
@@ -13,13 +13,15 @@
1313
ms.topic="article"
1414
ms.tgt_pltfrm="na"
1515
ms.workload="infrastructure-services"
16-
ms.date="09/06/2016"
16+
ms.date="10/11/2016"
1717
ms.author="gwallace"/>
1818

1919

2020
# Create an application gateway by using the Azure Resource Manager template
2121

22-
Azure Application Gateway is a layer-7 load balancer. It provides failover, performance-routing HTTP requests between different servers, whether they are on the cloud or on-premises. Application Gateway has the following application delivery features: HTTP load balancing, cookie-based session affinity, and Secure Sockets Layer (SSL) offload.
22+
Azure Application Gateway is a layer-7 load balancer. It provides failover, performance-routing HTTP requests between different servers, whether they are on the cloud or on-premises.
23+
Application Gateway provides many Application Delivery Controller (ADC) features including HTTP load balancing, cookie-based session affinity, Secure Sockets Layer (SSL) offload, custom health probes, support for multi-site, and many others.
24+
To find a complete list of supported features, visit [Application Gateway Overview](application-gateway-introduction.md)
2325

2426
> [AZURE.SELECTOR]
2527
- [Azure portal](application-gateway-create-gateway-portal.md)
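Review bot: New line 24 ends without a period after the link, and lines 22 to 24 are added as three consecutive lines with no blank line between them, so Markdown will render them as a single paragraph; add blank lines if separate paragraphs are intended. The same three lines are added verbatim to application-gateway-create-gateway-arm.md and application-gateway-create-gateway.md in this commit, so any wording fix has to be made in all three places.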
@@ -123,11 +125,11 @@ Check the subscriptions for the account.
123125

124126
Get-AzureRmSubscription
125127

126-
You are prompted to authenticate with your credentials.<BR>
128+
You are prompted to authenticate with your credentials.
127129

128130
### Step 3
129131

130-
Choose which of your Azure subscriptions to use. <BR>
132+
Choose which of your Azure subscriptions to use.
131133

132134

133135
Select-AzureRmSubscription -Subscriptionid "GUID of subscription"
@@ -152,6 +154,7 @@ To deploy the Azure Resource Manager template you downloaded by using Azure CLI,
152154
### Step 1
153155

154156
If you have never used Azure CLI, see [Install and configure the Azure CLI](../xplat-cli-install.md) and follow the instructions up to the point where you select your Azure account and subscription.
157+
155158
### Step 2
156159

157160
Run the **azure config mode** command to switch to Resource Manager mode, as shown below.
@@ -212,7 +215,7 @@ If you want to configure SSL offload, see [Configure an application gateway for
212215

213216
If you want to configure an application gateway to use with an internal load balancer, see [Create an application gateway with an internal load balancer (ILB)](application-gateway-ilb.md).
214217

215-
If you want more information about load balancing options in general, see:
218+
If you want more information about load balancing options in general, visit:
216219

217220
- [Azure Load Balancer](https://azure.microsoft.com/documentation/services/load-balancer/)
218221
- [Azure Traffic Manager](https://azure.microsoft.com/documentation/services/traffic-manager/)

‎articles/application-gateway/application-gateway-create-gateway-arm.md

Lines changed: 8 additions & 12 deletions
@@ -12,13 +12,15 @@
1212
ms.topic="hero-article"
1313
ms.tgt_pltfrm="na"
1414
ms.workload="infrastructure-services"
15-
ms.date="09/06/2016"
15+
ms.date="10/11/2016"
1616
ms.author="gwallace"/>
1717

1818

1919
# Create, start, or delete an application gateway by using Azure Resource Manager
2020

21-
Azure Application Gateway is a layer-7 load balancer. It provides failover, performance-routing HTTP requests between different servers, whether they are on the cloud or on-premises. Application Gateway has the following application delivery features: HTTP load balancing, cookie-based session affinity, and Secure Sockets Layer (SSL) offload.
21+
Azure Application Gateway is a layer-7 load balancer. It provides failover, performance-routing HTTP requests between different servers, whether they are on the cloud or on-premises.
22+
Application Gateway provides many Application Delivery Controller (ADC) features including HTTP load balancing, cookie-based session affinity, Secure Sockets Layer (SSL) offload, custom health probes, support for multi-site, and many others.
23+
To find a complete list of supported features, visit [Application Gateway Overview](application-gateway-introduction.md)
2224

2325
> [AZURE.SELECTOR]
2426
- [Azure portal](application-gateway-create-gateway-portal.md)
@@ -29,14 +31,13 @@ Azure Application Gateway is a layer-7 load balancer. It provides failover, perf
2931

3032
This article walks you through the steps to create, configure, start, and delete an application gateway.
3133

32-
3334
>[AZURE.IMPORTANT] Before you work with Azure resources, it's important to understand that Azure currently has two deployment models: Resource Manager and classic. Make sure that you understand [deployment models and tools](../azure-classic-rm.md) before working with any Azure resource. You can view the documentation for different tools by clicking the tabs at the top of this article. This document covers creating an application gateway by using Azure Resource Manager. To use the classic version, go to [Create an application gateway classic deployment by using PowerShell](application-gateway-create-gateway.md).
3435
3536

3637
## Before you begin
3738

3839
1. Install the latest version of the Azure PowerShell cmdlets by using the Web Platform Installer. You can download and install the latest version from the **Windows PowerShell** section of the [Downloads page](https://azure.microsoft.com/downloads/).
39-
2. If you have an existing virtual network, either select an existing empty subnet or create a subnet in your existing virtual network solely for use by the application gateway. You cannot deploy the application gateway to a different virtual network than the resources you intend to deploy behind the application gateway.
40+
2. If you have an existing virtual network, either select an existing empty subnet or create a subnet in your existing virtual network solely for use by the application gateway. You cannot deploy the application gateway to a different virtual network than the resources you intend to deploy behind the application gateway.
4041
3. The servers that you configure to use the application gateway must exist or have their endpoints created either in the virtual network or with a public IP/VIP assigned.
4142

4243
## What is required to create an application gateway?
@@ -45,7 +46,7 @@ This article walks you through the steps to create, configure, start, and delete
4546
- **Back-end server pool settings:** Every pool has settings like port, protocol, and cookie-based affinity. These settings are tied to a pool and are applied to all servers within the pool.
4647
- **Front-end port:** This port is the public port that is opened on the application gateway. Traffic hits this port, and then gets redirected to one of the back-end servers.
4748
- **Listener:** The listener has a front-end port, a protocol (Http or Https, these values are case-sensitive), and the SSL certificate name (if configuring SSL offload).
48-
- **Rule:** The rule binds the listener, the back-end server pool and defines which back-end server pool the traffic should be directed to when it hits a particular listener.
49+
- **Rule:** The rule binds the listener, the back-end server pool and defines which back-end server pool the traffic should be directed to when it hits a particular listener.
4950

5051
## Create an application gateway
5152

@@ -62,7 +63,7 @@ Make sure that you are using the latest version of Azure PowerShell. More info i
6263
### Step 1
6364

6465
Log in to Azure
65-
66+
6667
Login-AzureRmAccount
6768

6869
You are prompted to authenticate with your credentials.
@@ -181,6 +182,7 @@ Create an application gateway with all configuration items from the preceding st
181182
$appgw = New-AzureRmApplicationGateway -Name appgwtest -ResourceGroupName appgw-rg -Location "West US" -BackendAddressPools $pool -BackendHttpSettingsCollection $poolSetting -FrontendIpConfigurations $fipconfig -GatewayIpConfigurations $gipconfig -FrontendPorts $fp -HttpListeners $listener -RequestRoutingRules $rule -Sku $sku
182183

183184
### Step 9
185+
184186
Retrieve DNS and VIP details of the application gateway from the public IP resource attached to the application gateway.
185187

186188
Get-AzureRmPublicIpAddress -Name publicIP01 -ResourceGroupName appgw-rg
@@ -201,20 +203,14 @@ Use **Stop-AzureRmApplicationGateway** to stop the application gateway.
201203

202204
Stop-AzureRmApplicationGateway -ApplicationGateway $getgw
203205

204-
205206
Once the application gateway is in a stopped state, use the **Remove-AzureRmApplicationGateway** cmdlet to remove the service.
206207

207-
208208
Remove-AzureRmApplicationGateway -Name $appgwtest -ResourceGroupName appgw-rg -Force
209209

210-
211-
212210
>[AZURE.NOTE] The **-force** switch can be used to suppress the remove confirmation message.
213211
214-
215212
To verify that the service has been removed, you can use the **Get-AzureRmApplicationGateway** cmdlet. This step is not required.
216213

217-
218214
Get-AzureRmApplicationGateway -Name appgwtest -ResourceGroupName appgw-rg
219215

220216
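Review bot: While the blank lines around it are being cleaned up, the removal command on line 208 still passes `-Name $appgwtest`, a variable that is not set anywhere in the visible lines; the gateway is created with `-Name appgwtest` (line 182) and the verification command on line 214 uses `-Name appgwtest` as a literal. Change line 208 to `-Name appgwtest` so the command works as pasted. The note on line 210 also spells the switch `-force` while the command uses `-Force`; match the casing.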

‎articles/application-gateway/application-gateway-create-gateway-cli.md

Lines changed: 2 additions & 2 deletions
@@ -14,7 +14,7 @@
1414
ms.topic="article"
1515
ms.tgt_pltfrm="na"
1616
ms.workload="infrastructure-services"
17-
ms.date="09/09/2016"
17+
ms.date="10/11/2016"
1818
ms.author="gwallace" />
1919

2020
# Create an application gateway by using the Azure CLI
@@ -101,7 +101,7 @@ The IP addresses used for the backend are the IP addresses for your backend serv
101101

102102
azure network application-gateway create -n AdatumAppGateway -l eastus -g AdatumAppGatewayRG -e AdatumAppGatewayVNET -m Appgatewaysubnet -r 134.170.185.46,134.170.188.221,134.170.185.50 -y c:\AdatumAppGateway\adatumcert.pfx -x P@ssw0rd -z 2 -a Standard_Medium -w Basic -j 443 -f Enabled -o 80 -i http -b https -u Standard
103103

104-
104+
> [AZURE.NOTE] For a list of parameters that can be provided during creation run the following command **azure network application-gateway create --help**.
105105
106106
This example creates a basic application gateway with default settings for the listener, backend pool, backend http settings, and rules. It also configures SSL offload. You can modify these settings to suit your deployment once the provisioning is successful.
107107
If you already have your web application defined with the the backend pool in the preceding steps, once created, load balancing begins.
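Review bot: The note added at line 104 sends readers to `--help` for the parameter list, but the command it annotates (line 102) passes the certificate password inline as `-x P@ssw0rd`, and neither the note nor the following paragraph tells readers to replace it or that a password typed on the command line is kept in shell history. Add a sentence to the note saying the `-y` and `-x` values are samples that must be replaced with the reader's own certificate path and password. In the note itself, put a comma or colon before the command and format it as code rather than bold. Context line 107 also has a doubled "the the".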

‎articles/application-gateway/application-gateway-create-gateway-portal.md

Lines changed: 3 additions & 2 deletions
@@ -14,7 +14,7 @@
1414
ms.topic="article"
1515
ms.tgt_pltfrm="na"
1616
ms.workload="infrastructure-services"
17-
ms.date="09/09/2016"
17+
ms.date="10/11/2016"
1818
ms.author="gwallace" />
1919

2020
# Create an application gateway by using the portal
@@ -65,7 +65,8 @@ Next fill out the basic information about the application gateway. When complete
6565
The information needed for the basic settings is:
6666

6767
- **Name** - The name for the application gateway.
68-
- **SKU size** - This setting is the size of the application gateway, available options are (Small, Medium, and Large).
68+
- **Tier** - This is the tier of the application gateway. Two tiers are available, **WAF** and **Standard**. WAF enables the web application firewall feature.
69+
- **SKU size** - This setting is the size of the application gateway, available options are (**Small**, **Medium**, and **Large**). *Small is not available when WAF tier is chosen*
6970
- **Instance count** - The number of instances, this value should be a number between 2 and 10.
7071
- **Resource group** - The resource group to hold the application gateway, it can be an existing resource group or a new one.
7172
- **Location** - The region for the application gateway, it is the same location at the resource group. *The location is important as the virtual network and public IP must be in the same location as the gateway*.
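Review bot: The restriction added to the SKU size bullet on line 69, "*Small is not available when WAF tier is chosen*", has no closing period, unlike the italic note on the Location bullet, and it is easy to miss after the parenthetical list. Consider moving it into the Tier bullet on line 68, where the reader makes the choice that triggers it, for example "WAF enables the web application firewall feature and is not available with the Small SKU size." The Tier bullet also opens with "This is the tier" where the neighbouring bullets use "This setting is".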

‎articles/application-gateway/application-gateway-create-gateway.md

Lines changed: 5 additions & 3 deletions
@@ -12,12 +12,14 @@
1212
ms.topic="hero-article"
1313
ms.tgt_pltfrm="na"
1414
ms.workload="infrastructure-services"
15-
ms.date="09/02/2016"
15+
ms.date="10/11/2016"
1616
ms.author="gwallace"/>
1717

1818
# Create, start, or delete an application gateway
1919

20-
Azure Application Gateway is a layer-7 load balancer. It provides failover, performance-routing HTTP requests between different servers, whether they are on the cloud or on-premises. Application Gateway has the following application delivery features: HTTP load balancing, cookie-based session affinity, and Secure Sockets Layer (SSL) offload.
20+
Azure Application Gateway is a layer-7 load balancer. It provides failover, performance-routing HTTP requests between different servers, whether they are on the cloud or on-premises.
21+
Application Gateway provides many Application Delivery Controller (ADC) features including HTTP load balancing, cookie-based session affinity, Secure Sockets Layer (SSL) offload, custom health probes, support for multi-site, and many others.
22+
To find a complete list of supported features, visit [Application Gateway Overview](application-gateway-introduction.md)
2123

2224
> [AZURE.SELECTOR]
2325
- [Azure Portal](application-gateway-create-gateway-portal.md)
@@ -31,7 +33,7 @@ This article walks you through the steps to create, configure, start, and delete
3133
## Before you begin
3234

3335
1. Install the latest version of the Azure PowerShell cmdlets by using the Web Platform Installer. You can download and install the latest version from the **Windows PowerShell** section of the [Downloads page](https://azure.microsoft.com/downloads/).
34-
2. If you have an existing virtual network, either select an existing empty subnet or create a new subnet in your existing virtual network solely for use by the application gateway. You cannot deploy the application gateway to a different virtual network than the resources you intend to deploy behind the application gateway.
36+
2. If you have an existing virtual network, either select an existing empty subnet or create a new subnet in your existing virtual network solely for use by the application gateway. You cannot deploy the application gateway to a different virtual network than the resources you intend to deploy behind the application gateway unless vnet peering is used. To learn more visit [Vnet Peering](../virtual-network/virtual-network-peering-overview.md)
3537
3. Verify that you have a working virtual network with a valid subnet. Make sure that no virtual machines or cloud deployments are using the subnet. The application gateway must be by itself in a virtual network subnet.
3638
3. The servers that you configure to use the application gateway must exist or have their endpoints created either in the virtual network or with a public IP/VIP assigned.
3739
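Review bot: The sentence added to item 2 on line 36 ends without a period after the link and writes the feature as both "vnet peering" and "Vnet Peering" on the same line; pick one casing (the surrounding text uses "virtual network") and close the sentence. Context lines 37 and 38 are both numbered "3.", so the list has two third items; renumber the last one to 4 while this list is being edited.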
