Microsoft Azure
If you migrate IIS / Apache servers to Azure and expose the sites publicly, you need to protect these sites, just as you do On-Premises. For this, Microsoft provides a PaaS service, the Application Gateway, which load-balances traffic on web ports 80 and 443 directly to one or more servers. The site's URL points to the public IP of the App Gateway; the configured listener then forwards the traffic, according to a defined rule, to a VM, an On-Premises server or a VMSS:

Migrate IIS / Apache servers to Azure

This service can also act as a Web Application Firewall (WAF) to protect against attacks, and can perform SSL offloading: it accepts traffic only on port 443, with an SSL certificate, and then forwards it internally to another port, for example 8081.

Web Application Firewall (WAF)

The advantage of this solution is that it is easy to set up and easy to manage. You will find all the necessary information for the App Gateway here: https://docs.microsoft.com/en-us/azure/application-gateway/overview

Here, we’ll just deploy an App Gateway + WAF. In the next article, we will look at the configuration of the App Gateway/WAF. I have already deployed an IIS server, which listens on port 8081, in HTTP:

IIS server

In the Azure portal, look for Application Gateway in the services, and create a new App Gateway. Here, I choose the WAF V2 tier because, among other advantages, it applies changes much faster than v1. I disable autoscaling and choose 2 nodes, which is the minimum. Then choose the virtual network to which your App Gateway will be attached:

WAF V2

Then you need to create a public IP if the site needs to be publicly exposed, but you can also use a private IP:

Create an IP public

Then create your first Backend pool which will contain one or more servers where the website is hosted:

Create your first Backend pool

Then you have to add a routing rule. Give it a name (I usually give it the name of the site that will be served by this rule). This rule contains a listener of type multi-site, on port 443 in HTTPS, with a certificate (PFX mandatory):

Add a routing rule

In the Backend target part, I created a new HTTP setting, on port 8081, in HTTP. This is the port the App Gateway uses to talk to the website:

HTTP setting

Finally, choose the backend pool you created earlier and the HTTP setting you just created:

Choose the backend you created

You now have everything you need to get through the deployment:

Create an application gateway

You can deploy your App Gateway/WAF:

Deploy your App Gateway/WAF

To summarize, here are the important elements:

  • Backend pool: contains one or more servers, which can be on the same VNet as the App Gateway, an On-Premises IP, etc.
  • HTTP Settings: define how the App Gateway communicates with the backend site
  • Listeners: this is where we define which URL we are listening on, as well as the port and the certificate, if there is one
  • Rules: the rule orchestrates everything, taking the listener’s traffic, associating it with an HTTP setting, and pointing it to a backend pool
  • Health probe (optional): tests whether a site in a backend pool is functional, and therefore whether it is a candidate to serve the requested site

The App Gateway is deployed and configured. I created my record azure.florentappointaire.cloud in my DNS, pointing it to the public IP of the WAF.

The App Gateway is deployed and configured

If I now browse to https://azure.florentappointaire.cloud, I should be redirected to my IIS server:

IIS server

Here, I am in HTTPS, while my site is configured in HTTP. Note that if NSGs are applied to your subnets / network cards, you will have to open the required ports in them, for example port 8081 in the NSG of the IIS server and 443 in that of the App Gateway.
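
Because the hop to the backend on port 8081 is plain HTTP, the IIS server's NSG should allow that port only from the App Gateway subnet; any wider source lets a client reach the site without passing through the WAF. The following Python check is an added example, not part of the original article: the subnet `10.0.1.0/24`, the rule names and the sample rules are constructed assumptions, and the rule fields are flattened from the shape Azure uses for NSG security rules.

```python
import ipaddress

# Assumptions for this sketch: the App Gateway subnet and the backend port
# (8081 is the port used by the HTTP setting in this article).
GATEWAY_SUBNET = "10.0.1.0/24"
BACKEND_PORT = 8081

# Constructed sample: inbound rules of the IIS server's NSG, using the
# property names of Azure NSG security rules (flattened for brevity).
SAMPLE_RULES = [
    {"name": "allow-appgw-8081", "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "10.0.1.0/24",
     "destinationPortRange": "8081"},
    {"name": "allow-web-range", "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*",
     "destinationPortRange": "8080-8090"},
    {"name": "allow-vnet-8081", "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "VirtualNetwork",
     "destinationPortRange": "8081"},
    {"name": "allow-rdp-admin", "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "10.0.9.0/24",
     "destinationPortRange": "3389"},
]

def covers_port(spec, port):
    """True if an NSG port spec ('*', '8081' or '8080-8090') includes port."""
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def source_inside(prefix, subnet):
    """True only if the source is a CIDR/IP fully inside the gateway subnet."""
    try:
        net = ipaddress.ip_network(prefix, strict=False)
        return net.subnet_of(ipaddress.ip_network(subnet))
    except (ValueError, TypeError):  # '*', service tags, mixed IP versions
        return False

def waf_bypass_rules(rules, subnet=GATEWAY_SUBNET, port=BACKEND_PORT):
    """Names of inbound Allow rules that expose the backend port to sources
    other than the App Gateway subnet. Rule priority and Deny rules are not
    modelled, so treat each hit as something to review."""
    return [r["name"] for r in rules
            if r["direction"] == "Inbound" and r["access"] == "Allow"
            and r["protocol"] in ("Tcp", "*")
            and covers_port(r["destinationPortRange"], port)
            and not source_inside(r["sourceAddressPrefix"], subnet)]

if __name__ == "__main__":
    print(waf_bypass_rules(SAMPLE_RULES))
```

On the constructed sample, the wildcard-source rule and the `VirtualNetwork` rule are reported, while the rule scoped to the gateway subnet and the unrelated RDP rule are not.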

You can also test the security of your WAF, using the Microsoft Security Risk Detection tool: https://www.microsoft.com/en-us/security-risk-detection/

If you have any questions, do not hesitate to contact me 🙂

Florent Appointaire
Florent Appointaire is a Microsoft Engineer with 5 years of experience, specialized in Cloud Technologies (Public/Hybrid/Private). He has been a freelance consultant in Belgium since the beginning of 2017. He is an MVP in Cloud and Datacentre Management. He is MCSE Private Cloud and Hyper-V certified. His favorite products are SCVMM, SCOM, Windows Azure Pack/Azure Stack and Microsoft Azure.