

SECR 2019
November 15, 2019

Using Azure Front Door to deliver fast, scalable and secure web applications

Stamo Petkov
Head of the Microsoft Technologies department, Information Services
SECR 2019

This session is intended for developers who plan to build global applications or already deliver services outside Russia. You will learn what an application delivery network (ADN) is and why you need one, how to use Azure Front Door Service to speed up your applications, and how to use Azure Web Application Firewall to make them more secure. Even if you do not plan to use Azure, it will be very useful to learn about things such as Anycast, Split TCP, health probes and much more.


Transcript

  1. Using Azure Front Door to deliver fast, scalable and secure web applications
     Stamo Petkov, Information Services Plc
     Software Engineering Conference Russia, November 14-15, 2019, Saint-Petersburg
  2. Contact
     Stamo Petkov, Information Services Plc., Head of Microsoft Technologies department
     [email protected] [email protected]
     https://github.com/stamo
     http://bg.linkedin.com/in/stamopetkov
     https://www.facebook.com/stamo.petkov
     @stamo_petkov
  3. Agenda
     • Azure Front Door Service
       o Anycast
       o Split TCP
       o Health probes
       o Caching
       o Architecture
     • Azure Front Door application protection
       o Azure web application firewall (WAF)
     • Demo
     • Summary
     • Q&A
  4. Azure Front Door Service
     Office 365, Azure, Skype, Bing, Azure DevOps, MSN, OneDrive, Xbox, Cortana, Windows, Teams
     Build on the "battle-tested" platform used to power reliable and fast global services at Microsoft.
     Front Door enables Bing to operate at scale with competitive performance while also scaling agile development across many independent microservices.
     "Azure DevOps has onboarded all of its microservices to the Azure Front Door Service over the past year. It provides us with significant benefits in terms of both performance and reliability."
  5. Selecting the Front Door environment for traffic routing (Anycast)
     • Routing to the Azure Front Door environments leverages Anycast for both DNS (Domain Name System) and HTTP (Hypertext Transfer Protocol) traffic, so user traffic will go to the closest environment in terms of network topology (fewest hops)
     • Front Door organizes its environments into primary and fallback "rings"
     • The outer ring has environments that are closer to users
     • The inner ring has environments that can handle the failover for the outer ring environment in case an issue happens
     • The outer ring is the preferred target for all traffic, but the inner ring is necessary to handle traffic overflow from the outer ring
  6. Connecting to Front Door environment
     • Split TCP is a technique to reduce latencies and TCP problems by breaking a connection that would incur a high round-trip time into smaller pieces
     • One TCP connection with a large round-trip time (RTT) to the application backend is split into two TCP connections
     • The short connection between the end user and the Front Door environment gets established over three short round trips
     • The long connection between the Front Door environment and the backend can be pre-established and reused across multiple end-user calls
     • The effect is multiplied when establishing an SSL/TLS (Transport Layer Security) connection, as there are more round trips to secure the connection
  7. Make your apps faster, reduce backend load
     Web Apps, Mobile Apps, API Apps, Logic Apps, Functions
  8. Identifying available backends in the backend pool
     • In order to determine the health of each backend, each Front Door environment periodically sends a synthetic HTTP/HTTPS request to each of your configured backends
     • Front Door uses responses from these probes to determine the "best" backends to which it should route real client requests
     • A 200 OK status code indicates the backend is healthy. Everything else is considered a failure
     • Azure Front Door Service uses the same three-step process across all algorithms to determine health
       o Exclude disabled backends
       o Exclude backends that have health probe errors
       o Out of the set of healthy backends in the backend pool, Front Door additionally measures and maintains the latency (round-trip time) for each backend
     • If health probes fail for every backend in a backend pool, then Front Door considers all backends healthy and routes traffic in a round-robin distribution across all of them
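The three-step health and selection process on this slide, modelled as an added Python example. This is illustrative code written for this page, not Front Door's implementation; it assumes that among healthy backends the one with the lowest measured RTT is chosen (the real service's latency rules are richer), that disabled backends stay excluded even in the all-probes-failing fallback, and the backend names, probe results and latencies in simulate() are constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Backend:
    name: str
    enabled: bool = True
    probe_status: Optional[int] = None   # HTTP status of the last synthetic probe, None = no answer
    latency_ms: Optional[float] = None   # round-trip time measured by the probing environment


class BackendPool:
    """Illustrative model of the slide's health/selection steps (assumption, not Front Door's code)."""

    def __init__(self, backends: List[Backend]):
        # dict keeps insertion order, which gives the round-robin fallback a stable order
        self.backends = {b.name: b for b in backends}
        self._rr_index = 0

    def record_probe(self, name: str, status: Optional[int], latency_ms: float) -> None:
        """Store the result of one synthetic HTTP(S) probe against a backend."""
        b = self.backends[name]
        b.probe_status = status
        b.latency_ms = latency_ms

    def healthy_backends(self) -> List[Backend]:
        # Step 1: exclude disabled backends.
        candidates = [b for b in self.backends.values() if b.enabled]
        # Step 2: exclude backends whose probe failed; only 200 OK counts as healthy.
        return [b for b in candidates if b.probe_status == 200]

    def select(self) -> Optional[Backend]:
        """Pick the backend a real client request would be routed to."""
        healthy = self.healthy_backends()
        if healthy:
            # Step 3: prefer the healthy backend with the lowest measured RTT (simplification).
            return min(healthy, key=lambda b: b.latency_ms)
        # Every probe failed: treat all (enabled) backends as healthy and round-robin across them,
        # rather than taking the whole pool offline.
        fallback = [b for b in self.backends.values() if b.enabled]
        if not fallback:
            return None
        chosen = fallback[self._rr_index % len(fallback)]
        self._rr_index += 1
        return chosen


def simulate() -> List[str]:
    """Constructed scenario: returns the sequence of selected backend names."""
    pool = BackendPool([
        Backend("eu-west"),
        Backend("eu-north"),
        Backend("us-east", enabled=False),
        Backend("asia"),
    ])
    pool.record_probe("eu-west", 200, 40.0)
    pool.record_probe("eu-north", 200, 25.0)
    pool.record_probe("us-east", 200, 5.0)    # fastest, but disabled -> excluded in step 1
    pool.record_probe("asia", 503, 1.0)       # fastest enabled, but probe failed -> excluded in step 2
    picks = [pool.select().name]              # expect eu-north

    # Now every remaining probe fails: fallback to round-robin over enabled backends.
    pool.record_probe("eu-west", 500, 40.0)
    pool.record_probe("eu-north", None, 25.0)
    picks += [pool.select().name for _ in range(4)]
    return picks


if __name__ == "__main__":
    print(simulate())
```

Running the script prints the selection sequence: the lowest-latency healthy backend first, then the round-robin order once all probes fail. The point worth noticing is the last rule on the slide: a probe misconfiguration that fails everywhere does not black-hole traffic, it silently disables health-based routing, so probe failures should be alerted on rather than assumed to fail safe.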
  9. Azure Front Door application protection
     • Web applications are increasingly the targets of malicious attacks such as denial of service floods, SQL injection attacks, and cross-site scripting attacks
     • These malicious attacks may cause service outage and data loss, and pose a significant threat to web application owners
     • Preventing such attacks in application code can be challenging and may require rigorous maintenance, patching and monitoring at multiple layers of the application topology
     • A centralized web application firewall helps make security management much simpler and gives better assurance to application administrators
  10. Azure web application firewall
     • WAF for Front Door is a global and centralized solution
     • Provides centralized protection for your web applications that are globally delivered using Azure Front Door
     • Every incoming request for a WAF-enabled web application delivered by Front Door is inspected at the network edge
     • Prevents malicious attacks close to the attack sources, before they enter the virtual network, and offers global protection at scale without sacrificing performance
  11. Azure Front Door application protection
     Network DDoS protection
     • Built in with the platform. Block attacks at the Azure edge; only allow http(s) workloads to reach web sites behind Azure Front Door
     IP blacklists and whitelists
     • Configure custom rules to control access based on a list of IP addresses
     Geo filtering
     • Configure custom access control based on the client's country code
     Flexible actions
     • Configure the action to allow, block, or log only when a rule is triggered
     Custom http(s) access rules
     • Configure custom access rules based on matching http(s) request parameters including headers, URL, and query strings
     Rate limiting
     • Configure a limit on the number of web requests allowed by a client IP in a one-minute duration
     Azure managed ruleset
     • Enable pre-configured SQL injection and cross-site scripting checking on request parameters
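The custom-rule types on this slide (IP lists, geo filtering, rate limiting, header and query-string matching, and the Allow/Block/Log actions), as an added Python model of edge rule evaluation. This is illustrative code written for this page, not the Azure WAF engine. Assumptions made here: rules are evaluated in order, a Log rule records its match and lets evaluation continue, the first Allow or Block terminates, and the rate limit is a sliding 60-second window per client IP. The IP ranges, the country code "ZZ" and the requests in the usage are constructed sample data.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Deque, Dict, List

# Actions the slide lists for a triggered rule.
ALLOW, BLOCK, LOG = "Allow", "Block", "Log"


@dataclass
class Request:
    """Minimal view of one HTTP request as seen at the edge (constructed for this example)."""
    client_ip: str
    country: str                                 # ISO code the platform derives from the client IP
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    query: Dict[str, str] = field(default_factory=dict)
    timestamp: float = 0.0                       # seconds; consumed by the rate limiter


@dataclass
class Rule:
    name: str
    action: str                                  # ALLOW, BLOCK or LOG
    matches: Callable[[Request], bool]


@dataclass
class Decision:
    action: str
    matched: List[str]                           # names of rules that fired, in evaluation order


class RateLimiter:
    """Sliding-window request counter per client IP (assumed implementation, not Front Door's)."""

    def __init__(self, threshold: int, window_seconds: int = 60):
        self.threshold = threshold
        self.window = window_seconds
        self._seen: Dict[str, Deque[float]] = defaultdict(deque)

    def exceeded(self, req: Request) -> bool:
        q = self._seen[req.client_ip]
        q.append(req.timestamp)
        # Evict timestamps that have fallen out of the window.
        while q and q[0] <= req.timestamp - self.window:
            q.popleft()
        return len(q) > self.threshold


# Match helpers, one per rule type on the slide.
def ip_in(cidrs: List[str]) -> Callable[[Request], bool]:
    nets = [ip_network(c) for c in cidrs]
    return lambda r: any(ip_address(r.client_ip) in n for n in nets)


def country_in(codes: List[str]) -> Callable[[Request], bool]:
    wanted = {c.upper() for c in codes}
    return lambda r: r.country.upper() in wanted


def header_contains(name: str, needle: str) -> Callable[[Request], bool]:
    def _match(r: Request) -> bool:
        lowered = {k.lower(): v for k, v in r.headers.items()}
        return needle.lower() in lowered.get(name.lower(), "").lower()
    return _match


def query_param_present(name: str) -> Callable[[Request], bool]:
    return lambda r: name in r.query


class EdgeWaf:
    """Evaluates an ordered rule list; Log rules do not terminate, Allow/Block do."""

    def __init__(self, rules: List[Rule], default_action: str = ALLOW):
        self.rules = rules
        self.default_action = default_action

    def evaluate(self, req: Request) -> Decision:
        matched: List[str] = []
        for rule in self.rules:
            if rule.matches(req):
                matched.append(rule.name)
                if rule.action != LOG:
                    return Decision(rule.action, matched)
        return Decision(self.default_action, matched)


def build_example_policy() -> EdgeWaf:
    """Constructed policy: deny list, geo filter, 5 requests/minute per IP, log-only header rule."""
    limiter = RateLimiter(threshold=5)
    return EdgeWaf([
        Rule("ip-deny-list", BLOCK, ip_in(["203.0.113.0/24"])),      # documentation range
        Rule("geo-filter", BLOCK, country_in(["ZZ"])),                # placeholder country code
        Rule("rate-limit", BLOCK, limiter.exceeded),
        Rule("log-debug-header", LOG, header_contains("X-Debug", "1")),
        Rule("log-trace-param", LOG, query_param_present("trace")),
    ])


if __name__ == "__main__":
    waf = build_example_policy()
    print(waf.evaluate(Request("203.0.113.7", "DE", "/", timestamp=0.0)))     # Block, ip-deny-list
    for t in range(6):                                                        # 6th request is blocked
        print(waf.evaluate(Request("192.0.2.10", "DE", "/api", timestamp=float(t))))
```

Rule order matters in this model exactly as it does in a real policy: the rate limiter only counts requests that reach it, so placing it after the deny list means already-blocked sources do not consume the per-IP budget, while placing a Log rule before a Block rule would let you observe what a new block rule would catch before enforcing it.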
  12. Azure Front Door Service Summary
     • SSL offload and application acceleration at the edge, close to end users
     • Global HTTP load balancing with instant failover
     • Actionable insights about your users and back ends
     • Web Application Firewall (WAF) and DDoS Protection
     • Central control plane for traffic orchestration