Azure Application Gateway, Load Balancer, Front Door and Firewall… What’s are the differences?

This post has been republished via RSS; it originally appeared at: ITOps Talk Blog articles.

Hello folks,

 

Last week at a conference in Toronto, an attendee came to the Microsoft booth and asked something that has been asked many times in the past.  So, I decided to cover it here for everyone’s benefit.

What are the differences between Azure Firewall, Azure Application Gateway, Azure Load Balancer, NSG, Azure Traffic Manager, Azure Front Door?

 

Here's a high-level consolidation of what they each do.

 

Azure Application Gateway

 

The Azure Application Gateway (AAG) is a web traffic manager for your web applications (one or multiple). With AAG, on top of load balancing your workloads, you can make routing decisions based on URI path or host headers. For example, you can route traffic based on the incoming URL.  Therefore if /images is in the inbound URL, you can route traffic to a specific set of servers (or pool) configured for images. If /video is in the URL, that traffic is routed to another pool.

 

AAG.png

 

AAG includes a web application firewall called Web application firewall (WAF) that protects your workload from common exploits like SQL injection attacks or cross-site scripting attacks, to name a few.  This protection uses rules from the Open Web Application Security Project version 3.0 or 2.2.9.  However, it is not an L3-L7 stateful firewall.

 

The Azure Application Gateway can be used to do SSL termination. This can be useful to allow unencrypted traffic between the AAG and the backend servers saving some of the processing load needed to encrypt and decrypt said traffic. However, sometimes unencrypted communication to the servers is not acceptable because of security requirements, compliance requirements, or the application may only accept a secure connection. In these situations, the Azure Application Gateway also supports end-to-end SSL encryption.  These are just a few of the capabilities of AAG.

Azure Front Door

 

Azure Front Door gives you the ability to define, manage, and monitor the global routing for your web traffic (across regions).  It optimizes your web traffic globally for performance (lowest latency) and for high-availability by enabling instant fail-over for all your Internet-facing applications hosted inside or outside of Azure.  It does so by using several traffic-routing methods (latency, Priority, weighted, and Session Affinity).  Just like the Azure Application Gateway Front Door can allow you to route traffic based on URL paths of the request but it does allow for more complex route matching scenariosfront-door.png

Azure Traffic Manager

 

Azure Traffic Manager enables you to control how traffic is distributed across your application endpoints. An endpoint can be any Internet-facing endpoint, hosted in Azure or outside Azure.  It really provides two key benefits:

 

  1. Distribution of traffic according to one of several traffic-routing methods (priority, weighted, performance, geographic, multivalued and subnet).
  2. Continuous monitoring of endpoint health and automatic failover when endpoints fail.

When an end user attempts to connect to a service endpoint, their client (PC, phone, etc.) must first resolve the DNS name in that endpoint to an IP address. The client then connects to that IP address to access the service.   Traffic Manager works at the DNS level. Traffic Manager uses DNS to direct end users to particular service endpoints, based on the chosen traffic-routing method and the current endpoint health. Clients then connect to the selected endpoint directly. Traffic Manager is not a proxy and does not see the traffic passing between the client and the service.

traffic-manager.jpg

 

Azure Load Balancer

 

The Azure Load Balancer Load Balancer distributes inbound traffic to a backend pool instances according to rules and health probes. It can also provide outbound connections for virtual machines (VMs) inside your virtual network by translating their private IP addresses to public IP addresses.  The Load Balancer is a TCP/UDP load balancing and port forwarding engine only.  It does not terminate, respond, or otherwise interact with the traffic.  It simply routes traffic based on source IP address and port, to a destination IP address and port. load-balancer-distribution.png

 

It can also be deployed both as a Public Load Balancer or an Internal Load Balancer to manage internal traffic.

load-balancer-2.png

 

Azure Firewall

 

Azure Firewall is a cloud-based network security service that protects your Azure Virtual Network. It allows you to create, enforce, and log application and network connectivity policies across subscriptions and virtual networks.

Just like any firewall currently found in your own datacenter, it can be used to limit outbound traffic to a specified list of fully qualified domain names (FQDN) including wild cards.  So.  Really you can set the rules to allow or deny network access by source and destination IP address, port, and protocol and since the Azure Firewall is fully stateful (L3-L7) it can distinguish legitimate packets for different types of connections.

Azure-firewall.png

 

 

I really hope this makes sense to you.  There is some overlap across all these services, however, each is well suited to its own specific scenarios.

 

Cheers!

 

Pierre

 

 

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.