WEBVTT 0:00:02.940000 --> 0:00:07.700000 In this video, I'm going to talk about the Azure Application Gateway and 0:00:07.700000 --> 0:00:09.320000 how to configure it. 0:00:09.320000 --> 0:00:14.480000 The topics that we're going to cover include the various features of the 0:00:14.480000 --> 0:00:18.500000 Application Gateway, what are the components of the Application Gateway 0:00:18.500000 --> 0:00:21.920000 because those can be a little bit confusing. 0:00:21.920000 --> 0:00:24.960000 I'm going to try and make that as straightforward as possible, and then 0:00:24.960000 --> 0:00:27.460000 I'm going to demonstrate the Application Gateway. 0:00:27.460000 --> 0:00:32.420000 Now, before I dive into the specifics of the Application Gateway, just 0:00:32.420000 --> 0:00:34.840000 giving you a very high level, what is this? 0:00:34.840000 --> 0:00:39.520000 The Application Gateway is really a Layer 7 load balancer. 0:00:39.520000 --> 0:00:43.040000 Now, it's Layer 7, which means it's looking at the application protocols, 0:00:43.040000 --> 0:00:46.600000 specifically HTTP and HTTPS. 0:00:46.600000 --> 0:00:50.160000 So, this is a load balancer that is really for web-based workloads, which 0:00:50.160000 --> 0:00:54.340000 makes sense because many workloads, it's not just user interfaces, but 0:00:54.340000 --> 0:00:58.300000 also many REST-based services, in fact, use these protocols. 0:00:58.300000 --> 0:01:00.180000 So, it's a very common protocol. 
0:01:00.180000 --> 0:01:05.080000 Now, if you take the Application Gateway and you compare it to the Azure 0:01:05.080000 --> 0:01:10.220000 load balancer, because it uses a protocol that's in a higher level of 0:01:10.220000 --> 0:01:12.800000 the stack, right, it's going to be a little more constrained in terms 0:01:12.800000 --> 0:01:16.900000 of the traffic you can load balance it, but it's going to have many more 0:01:16.900000 --> 0:01:20.140000 features, and that's what we're going to get into first are some of the 0:01:20.140000 --> 0:01:22.260000 features of the Application Gateway. 0:01:22.260000 --> 0:01:24.100000 But I wanted to give you that context. 0:01:24.100000 --> 0:01:28.320000 Conceptually, it's just a load balancer, but it is a Layer 7 load balancer. 0:01:28.320000 --> 0:01:33.160000 So, let's go into the features of the Application Gateway. 0:01:33.160000 --> 0:01:37.280000 What can this service, what can this resource do for you? 0:01:37.280000 --> 0:01:41.420000 The first thing I want to talk about is the web application firewall. 0:01:41.420000 --> 0:01:45.960000 The Application Gateway has the option of implementing a web application 0:01:45.960000 --> 0:01:50.940000 firewall, and what that does is protect against common attacks. 0:01:50.940000 --> 0:01:54.540000 So, if you have cross-site scripting attack, even SQL injection attacks, 0:01:54.540000 --> 0:01:58.760000 those will actually be caught at the Application Gateway, whereas, of 0:01:58.760000 --> 0:02:03.400000 course, any valid requests are going to go through. 0:02:03.400000 --> 0:02:05.000000 So, that's one of the features. 0:02:05.000000 --> 0:02:09.880000 Another key feature that you have with this is path-based routing. 0:02:09.880000 --> 0:02:17.800000 And with path-based routing, I would set up a basic DNS pointer to the 0:02:17.800000 --> 0:02:23.060000 Application Gateway, but then, based on the path. 
0:02:23.060000 --> 0:02:27.100000 So, here, I've got something going in iNee.com slash catalog, slash P1, 0:02:27.100000 --> 0:02:30.360000 so it's something coming out of our catalog, and I've got path-based routing 0:02:30.360000 --> 0:02:34.440000 that's going to send it to one set of backend servers that are handling 0:02:34.440000 --> 0:02:35.960000 my catalog requests. 0:02:35.960000 --> 0:02:40.980000 But then, if I get a video, I'm going to send that to another set of backend 0:02:40.980000 --> 0:02:45.340000 servers that are handling, obviously, video streaming. 0:02:45.340000 --> 0:02:49.220000 So, I have that ability to have that path-based routing. 0:02:49.220000 --> 0:02:52.940000 I also have the ability to do redirects. 0:02:52.940000 --> 0:02:54.360000 And typically, what is that? 0:02:54.360000 --> 0:02:58.560000 Somebody comes in, they're requesting that HTTP iNee.com. 0:02:58.560000 --> 0:03:00.400000 I send a 301 redirect. 0:03:00.400000 --> 0:03:04.360000 I don't send it, but the Application Gateway sends a 301 redirect back, 0:03:04.360000 --> 0:03:09.280000 and then, they're going to connect over HTTPS, right? 0:03:09.280000 --> 0:03:11.620000 So, they're going to have a secure connection. 0:03:11.620000 --> 0:03:16.120000 Those are what I would consider to be the most common features that are 0:03:16.120000 --> 0:03:21.380000 used beyond just a very traditional capability of load balancing the request. 0:03:21.380000 --> 0:03:24.540000 I could just do that, but those are some additional capabilities. 0:03:24.540000 --> 0:03:26.440000 Then, there's other features as well. 0:03:26.440000 --> 0:03:32.040000 You have session affinity being able to define what circumstances requests 0:03:32.040000 --> 0:03:33.560000 come in from the same session. 0:03:33.560000 --> 0:03:35.540000 Go to the same backend server. 0:03:35.540000 --> 0:03:40.640000 It also supports traffic using the WebSocket protocol. 
0:03:40.640000 --> 0:03:46.300000 So, it's not just HTTP and HTTPS, as well as HTTP slash 2 traffic. 0:03:46.300000 --> 0:03:53.300000 It serves, it can serve as an Azure Kubernetes service ingress controller. 0:03:53.300000 --> 0:03:58.080000 If you're using Azure Kubernetes service, which is a fantastic tool, Kubernetes 0:03:58.080000 --> 0:04:01.520000 in general, it's a fantastic tool for container-based solutions, you can 0:04:01.520000 --> 0:04:05.380000 use this as the front end for any of the other things. 0:04:05.380000 --> 0:04:07.560000 It also has connection draining. 0:04:07.560000 --> 0:04:09.360000 Connection draining is pretty cool. 0:04:09.360000 --> 0:04:13.860000 If you want to take a backend offline, instead of just immediately taking 0:04:13.860000 --> 0:04:18.240000 that backend offline, what it's going to do is make it ineligible for 0:04:18.240000 --> 0:04:19.660000 future connections. 0:04:19.660000 --> 0:04:22.540000 But if you've already got sessions connected to it, it's going to let 0:04:22.540000 --> 0:04:27.440000 those naturally go away over time before it takes that fully offline. 0:04:27.440000 --> 0:04:30.700000 So, if you've got some service that you need, but you don't want to interrupt 0:04:30.700000 --> 0:04:35.480000 any existing session, somebody's in your e-commerce site, and they've 0:04:35.480000 --> 0:04:39.540000 got a million dollars worth of purchases in their shopping cart, you probably 0:04:39.540000 --> 0:04:41.940000 don't want to just have them lose all of that. 0:04:41.940000 --> 0:04:42.620000 That would be bad. 0:04:42.620000 --> 0:04:44.700000 And that's what connection draining does. 0:04:44.700000 --> 0:04:48.080000 You can also intercept custom error pages. 0:04:48.080000 --> 0:04:49.080000 That's pretty cool. 0:04:49.080000 --> 0:04:53.840000 So, you're coming in, you want to have your own 404 error or 501 error. 0:04:53.840000 --> 0:04:54.940000 You can do that. 
0:04:54.940000 --> 0:04:57.360000 You can also rewrite HTTP headers. 0:04:57.360000 --> 0:05:02.480000 You can inject headers either going into your server or also inject headers 0:05:02.480000 --> 0:05:04.320000 going back to the client. 0:05:04.320000 --> 0:05:08.020000 So, a lot of pretty cool features that are given to you by the application 0:05:08.020000 --> 0:05:13.860000 gateway. Alright, let's take a look at the application gateway components. 0:05:13.860000 --> 0:05:18.740000 And there's a number of components, and they really take care of different 0:05:18.740000 --> 0:05:22.020000 capabilities, and it can be a little bit confusing. 0:05:22.020000 --> 0:05:25.420000 So, I've got them drawn out here, and let's just look at what the components 0:05:25.420000 --> 0:05:29.640000 are, how they relate, and then specifically what they do. 0:05:29.640000 --> 0:05:32.700000 These are the components we have for an application gateway. 0:05:32.700000 --> 0:05:37.440000 I've got the web application firewall, which kind of sits off on its own. 0:05:37.440000 --> 0:05:44.100000 There's a front end IP configuration, a listener, a rule, HTTP settings, 0:05:44.100000 --> 0:05:46.180000 back end pool, and health probe. 0:05:46.180000 --> 0:05:48.440000 Now, how do all of these go together? 0:05:48.440000 --> 0:05:52.200000 Well, the listener connects up to the front end configuration. 0:05:52.200000 --> 0:05:56.100000 And then the rule, you can see, is really what pretty much glues all of 0:05:56.100000 --> 0:05:59.360000 this together. The rule is going to, in addition to having a few settings 0:05:59.360000 --> 0:06:03.200000 of its own, really be that tool that combines the listener, the back end 0:06:03.200000 --> 0:06:05.140000 pool, and the HTTP settings. 0:06:05.140000 --> 0:06:09.000000 And the HTTP settings are associated with a health probe. 
0:06:09.000000 --> 0:06:12.080000 And again, the web application firewall is very important, but it's kind 0:06:12.080000 --> 0:06:14.120000 of out there on its own. 0:06:14.120000 --> 0:06:19.140000 Let's take a look at what each one of these components actually does. 0:06:19.140000 --> 0:06:23.560000 The front end IP configuration is exactly what it sounds like. 0:06:23.560000 --> 0:06:24.820000 It's the front end IP. 0:06:24.820000 --> 0:06:26.600000 You can have a public and a private. 0:06:26.600000 --> 0:06:30.980000 You can have one of each associated with your application gateway, or 0:06:30.980000 --> 0:06:33.380000 you can just have one or the other. 0:06:33.380000 --> 0:06:36.820000 And it also has a set of listeners. 0:06:36.820000 --> 0:06:41.340000 The listener, on the other hand, is going to associate with a front end 0:06:41.340000 --> 0:06:42.520000 IP configuration. 0:06:42.520000 --> 0:06:44.680000 So this is the listener for an IP configuration. 0:06:44.680000 --> 0:06:49.100000 It's going to specify what port or ports it's listening to. 0:06:49.100000 --> 0:06:53.140000 What is the SSL policy that needs to be implemented? 0:06:53.140000 --> 0:06:56.320000 And you can specify, for example, what cipher suite, so there's a default, 0:06:56.320000 --> 0:06:59.220000 but you have very granular control of that. 0:06:59.220000 --> 0:07:01.540000 You can also implement a certificate. 0:07:01.540000 --> 0:07:05.760000 If you use an SSL, you're going to want to install the certificate there. 0:07:05.760000 --> 0:07:09.780000 And then you can finally define what protocol that listener is working 0:07:09.780000 --> 0:07:14.800000 with. The rule, in and of itself, doesn't have a lot of its own settings. 0:07:14.800000 --> 0:07:18.900000 Again, it's primarily there to tie together the listener, the settings, 0:07:18.900000 --> 0:07:20.120000 and the back end pool. 
0:07:20.120000 --> 0:07:24.600000 But if you want redirection or path-based direction, that's going to be 0:07:24.600000 --> 0:07:27.040000 defined on the rule. 0:07:27.040000 --> 0:07:29.020000 Going farther down. 0:07:29.020000 --> 0:07:33.160000 The HTTP settings probably has the most of what you're going to work with. 0:07:33.160000 --> 0:07:38.840000 You can see a fairly large set of options, some of which are a little 0:07:38.840000 --> 0:07:42.220000 bit redundant. The port, we have that on the listener as well. 0:07:42.220000 --> 0:07:46.000000 But you have the affinity, connection draining, the protocol and port, also 0:07:46.000000 --> 0:07:47.780000 time out for a session. 0:07:47.780000 --> 0:07:50.060000 Back end path, kind of important. 0:07:50.060000 --> 0:07:53.000000 And if you're going to use a custom probe, it's going to be the custom 0:07:53.000000 --> 0:07:59.240000 probe. And also, what host name you want to use for the actual communication. 0:07:59.240000 --> 0:08:01.420000 If you need to alias that. 0:08:01.420000 --> 0:08:05.400000 The back end pool, you have various types of back end pool with an application 0:08:05.400000 --> 0:08:07.700000 gateway. It is not limited. 0:08:07.700000 --> 0:08:11.480000 You have virtual machines and VMSS, which is actually consistent with, 0:08:11.480000 --> 0:08:14.020000 for example, what you have with the Azure load balancer. 0:08:14.020000 --> 0:08:19.100000 But you also can just associate with any public or any accessible IP address 0:08:19.100000 --> 0:08:23.260000 or any accessible host name accessible to the application gateway. 0:08:23.260000 --> 0:08:26.640000 You can also associate it directly with a web app. 0:08:26.640000 --> 0:08:29.980000 So if I want to layer this on top of a web app, there are ways to do that 0:08:29.980000 --> 0:08:34.100000 now. And so the back end pool, pretty important, the health probe. 
0:08:34.100000 --> 0:08:37.940000 If you want to define your own custom health probe, you can do that. 0:08:37.940000 --> 0:08:42.280000 You can define the protocol, the host name, you see the path, the interval, 0:08:42.280000 --> 0:08:46.320000 the time out, what the unhealthy threshold is, and pretty cool. 0:08:46.320000 --> 0:08:49.620000 You have more sophisticated matching rules. 0:08:49.620000 --> 0:08:53.240000 So you can actually look, for example, at the payload of a response to 0:08:53.240000 --> 0:08:57.940000 determine whether or not that is a successful response. 0:08:57.940000 --> 0:09:03.600000 And the final component is the web application firewall. 0:09:03.600000 --> 0:09:08.820000 There are a couple different tiers of the application gateway. 0:09:08.820000 --> 0:09:13.740000 Effectively, there is the no web application firewall tier and the tier 0:09:13.740000 --> 0:09:15.580000 with the web application firewall. 0:09:15.580000 --> 0:09:19.200000 You are going to pay for the web application firewall. 0:09:19.200000 --> 0:09:20.240000 What does this do? 0:09:20.240000 --> 0:09:21.600000 First of all, you have the status. 0:09:21.600000 --> 0:09:26.080000 If you have it, you can turn it on and off, although likely you won't. 0:09:26.080000 --> 0:09:31.120000 The mode, do you want to have just detection or do you want to have prevention? 0:09:31.120000 --> 0:09:35.120000 You can exclude certain requests. 0:09:35.120000 --> 0:09:40.340000 So if I've got a request that I know would typically trigger the web application 0:09:40.340000 --> 0:09:45.360000 firewall, but it's coming from a trusted location, I could then set up 0:09:45.360000 --> 0:09:46.620000 exclusions for that. 0:09:46.620000 --> 0:09:50.760000 You can actually look in the body, whether or not it looks into the actual 0:09:50.760000 --> 0:09:55.840000 body of a request to determine whether or not that request is dangerous. 
0:09:55.840000 --> 0:10:00.960000 You have the maximum body size, the maximum attachment size, and you have 0:10:00.960000 --> 0:10:08.260000 preset rules. You have either OWASP, O-W-A-S-P, 3.0, or you have OWASP, 0:10:08.260000 --> 0:10:10.540000 O-W-A-S-P, 2.9.9. 0:10:10.540000 --> 0:10:13.100000 You can choose either set of those rules. 0:10:13.100000 --> 0:10:18.280000 Now, you cannot add rules, but if you feel necessary, you can disable 0:10:18.280000 --> 0:10:22.000000 rules within those, although, generally speaking, it's not recommended. 0:10:22.000000 --> 0:10:23.540000 So these are all the parts. 0:10:23.540000 --> 0:10:27.040000 Again, that's something where if I was watching this video for the first 0:10:27.040000 --> 0:10:29.860000 time, I might have to rewind there a few times just to make sure I understand 0:10:29.860000 --> 0:10:31.780000 what the parts are and what they do. 0:10:31.780000 --> 0:10:34.000000 But that is a synopsis of that. 0:10:34.000000 --> 0:10:40.100000 So with that, let's go ahead and let's take a look at a demonstration 0:10:40.100000 --> 0:10:43.680000 of the application gateway. 0:10:43.680000 --> 0:10:51.740000 Just as a reminder, if you've seen other demonstrations along this subject, 0:10:51.740000 --> 0:10:54.940000 this is my demonstration architecture that I'm going to use. 0:10:54.940000 --> 0:11:00.200000 In this, I'm really only focusing on my web servers. 0:11:00.200000 --> 0:11:07.300000 So I have these web servers right here, and I am going to set up an application 0:11:07.300000 --> 0:11:17.560000 gateway that's going to front end those. 0:11:17.560000 --> 0:11:19.140000 Very simplistic architecture. 0:11:19.140000 --> 0:11:21.360000 That's what we're going to do right there. 0:11:21.360000 --> 0:11:25.660000 And in order to do that, the first thing I'm going to do is go ahead and 0:11:25.660000 --> 0:11:29.600000 create an application gateway. 
0:11:29.600000 --> 0:11:36.080000 All right, let's pop on over to my Azure portal, and I'm going to go ahead. 0:11:36.080000 --> 0:11:38.040000 I've already got those virtual machines. 0:11:38.040000 --> 0:11:45.140000 I'm going to go ahead and create an application gateway. 0:11:45.140000 --> 0:11:52.520000 And I took longer than I had to because I wanted to type the absolute 0:11:52.520000 --> 0:11:54.380000 fewest characters I could. 0:11:54.380000 --> 0:11:58.740000 There we go. Now, the cool thing about configuring the application gateway 0:11:58.740000 --> 0:12:04.220000 through the portal is that you are actually going to configure everything 0:12:04.220000 --> 0:12:06.980000 for kind of a default path at once. 0:12:06.980000 --> 0:12:10.260000 The downside is you kind of have to have everything set up before you 0:12:10.260000 --> 0:12:14.500000 go through it. So I'm going to go in, put it in my standard resource group. 0:12:14.500000 --> 0:12:23.740000 I'm going to give this a name. 0:12:23.740000 --> 0:12:25.940000 Give it a region. 0:12:25.940000 --> 0:12:31.660000 Now, tiers. There's a version one and a version two, and the version two 0:12:31.660000 --> 0:12:33.280000 has more flexibility. 0:12:33.280000 --> 0:12:37.540000 And there's also the tier with or without the web application firewall. 0:12:37.540000 --> 0:12:40.440000 I'm going to go ahead and go with the latest tier and the web application 0:12:40.440000 --> 0:12:45.760000 firewall. Now, one of the things that version two does is it lets you 0:12:45.760000 --> 0:12:51.240000 auto scale. You have a certain amount of performance per instance. 0:12:51.240000 --> 0:12:54.280000 And what you can do is set up, all right, I'm going to go, let's say, 0:12:54.280000 --> 0:12:58.140000 between zero and three instances, right? 
0:12:58.140000 --> 0:13:02.040000 If I go to zero, that's pretty cool because that means that I'm not paying 0:13:02.040000 --> 0:13:04.740000 for anything, but I kind of suspect I need at least one. 0:13:04.740000 --> 0:13:06.180000 There we go. All right. 0:13:06.180000 --> 0:13:08.640000 Now, firewall status, it's enabled. 0:13:08.640000 --> 0:13:11.320000 Firewall mode is in detection mode. 0:13:11.320000 --> 0:13:14.180000 I can have this across availability zones. 0:13:14.180000 --> 0:13:16.800000 I'm going to put this across all three availability zones. 0:13:16.800000 --> 0:13:21.720000 And I can determine whether or not I want HTTP/2, which I don't. 0:13:21.720000 --> 0:13:23.640000 So I'm going to go front ends. 0:13:23.640000 --> 0:13:41.220000 Hopefully. And oh, useful if I actually go down and pick everything up. 0:13:41.220000 --> 0:13:47.780000 All right. And I'm going to go to 01 tasks, web server. 0:13:47.780000 --> 0:13:54.340000 And subnet must have only advocate, most only have application gateway. 0:13:54.340000 --> 0:13:59.820000 I need a subnet for this. 0:13:59.820000 --> 0:14:02.680000 This is kind of a new feature because I didn't have this set up. 0:14:02.680000 --> 0:14:05.740000 I'm going to go ahead and add a subnet. 0:14:05.740000 --> 0:14:14.760000 Application gateway. 0:14:14.760000 --> 0:14:23.780000 Out there. And that should be good. 0:14:23.780000 --> 0:14:27.100000 I need my subnet there. 0:14:27.100000 --> 0:14:27.880000 That is important. 0:14:27.880000 --> 0:14:28.700000 Something I didn't say. 0:14:28.700000 --> 0:14:31.240000 That's why it's always good to have a demonstration. 0:14:31.240000 --> 0:14:37.240000 The application gateway does need its own dedicated subnet. 0:14:37.240000 --> 0:14:56.620000 There we go. And I can choose a public IP address, but I don't have one. 0:14:56.620000 --> 0:14:59.600000 So I'll go ahead and create one. 0:14:59.600000 --> 0:15:09.580000 And then create that. 
0:15:09.580000 --> 0:15:10.480000 And so that's good. 0:15:10.480000 --> 0:15:13.320000 Next, it's going to let me set up my back ends. 0:15:13.320000 --> 0:15:16.860000 And I'm going to add a back end pool. 0:15:16.860000 --> 0:15:21.380000 Get this a name of demo, beep. 0:15:21.380000 --> 0:15:25.600000 And I'm going to add targets. 0:15:25.600000 --> 0:15:28.420000 I'm going to add a virtual machine. 0:15:28.420000 --> 0:15:34.180000 And I want web server zero. 0:15:34.180000 --> 0:15:39.960000 And go with another virtual machine. 0:15:39.960000 --> 0:15:42.520000 And again, web server one. 0:15:42.520000 --> 0:15:45.400000 Now notice when I pick a virtual machine, it's only giving me virtual 0:15:45.400000 --> 0:15:49.300000 machines that are within the same virtual network. 0:15:49.300000 --> 0:15:54.520000 But I could just give it an IP address or host name or select an app service. 0:15:54.520000 --> 0:15:56.560000 So a lot of flexibility in this. 0:15:56.560000 --> 0:15:59.160000 I'm going to go ahead and add those in. 0:15:59.160000 --> 0:16:03.440000 So that's good. Next, my IP configuration. 0:16:03.440000 --> 0:16:05.480000 And so I've got the front ends. 0:16:05.480000 --> 0:16:06.600000 I've got the back end pool. 0:16:06.600000 --> 0:16:07.840000 Now I need to add a rule. 0:16:07.840000 --> 0:16:09.820000 Add a configuration. 0:16:09.820000 --> 0:16:12.920000 So here is my rule. 0:16:12.920000 --> 0:16:17.040000 Let me give this rule name, which is called HTTP. 0:16:17.040000 --> 0:16:26.320000 I'm going to define a listener for this. 0:16:26.320000 --> 0:16:30.720000 And that listener is going to listen to my public front end. 0:16:30.720000 --> 0:16:32.920000 Protocol is going to be HTTP. 0:16:32.920000 --> 0:16:36.880000 Port is 80. I'm going to set up a basic listener. 0:16:36.880000 --> 0:16:40.440000 And I'm not going to have an error page URL. 
0:16:40.440000 --> 0:16:43.240000 Then I'm going to go over to the back end targets, which I'm glad that 0:16:43.240000 --> 0:16:50.480000 I actually remembered because I often don't. 0:16:50.480000 --> 0:16:54.740000 But then I also want to go ahead and set up my HTTP settings, which I 0:16:54.740000 --> 0:16:56.300000 have to create new. 0:16:56.300000 --> 0:17:00.200000 And this is why I wanted to show you that outline, because as I go through 0:17:00.200000 --> 0:17:01.660000 this, it can be a little bit confusing. 0:17:01.660000 --> 0:17:04.780000 You go back and you see how these components go together. 0:17:04.780000 --> 0:17:09.180000 So a routing rule in and of itself isn't really a thing. 0:17:09.180000 --> 0:17:14.520000 It is a combination of a rule and the different components that go with 0:17:14.520000 --> 0:17:20.760000 it. So this is going to be HTTP settings. 0:17:20.760000 --> 0:17:22.740000 So port is HTTP. 0:17:22.740000 --> 0:17:24.580000 Back end port is 80. 0:17:24.580000 --> 0:17:26.600000 I can have cookie based affinity. 0:17:26.600000 --> 0:17:27.620000 I don't want that. 0:17:27.620000 --> 0:17:29.280000 I can have connection draining. 0:17:29.280000 --> 0:17:31.220000 That is, by the way, how affinity is handled here. 0:17:31.220000 --> 0:17:32.600000 It's cookie based. 0:17:32.600000 --> 0:17:34.620000 Request timeout. 0:17:34.620000 --> 0:17:37.520000 And if I need to change the back end path. 0:17:37.520000 --> 0:17:42.520000 So if I have a back end path that's coming in, maybe as slash demo, and 0:17:42.520000 --> 0:17:46.340000 I need that to go to slash production, I can actually do that. 0:17:46.340000 --> 0:17:50.440000 By default, application gateway does not change the incoming HTTP 0:17:50.440000 --> 0:17:54.420000 host header. Sends the header unaltered to the back end. 0:17:54.420000 --> 0:17:58.480000 If you need to alter it, you can override it. 
0:17:58.480000 --> 0:18:00.400000 And so I can say, okay, I want to do that. 0:18:00.400000 --> 0:18:03.800000 I could pick that from the back end target. 0:18:03.800000 --> 0:18:06.400000 So in other words, it could send it to the back end target with the back 0:18:06.400000 --> 0:18:11.940000 end target. And if, interestingly enough, if I have a go new host name, 0:18:11.940000 --> 0:18:15.160000 that gives me the ability to create custom probe. 0:18:15.160000 --> 0:18:16.700000 We're just going to go there. 0:18:16.700000 --> 0:18:22.120000 And finally, that should be the rest of that configuration. 0:18:22.120000 --> 0:18:24.580000 And then I would go tags. 0:18:24.580000 --> 0:18:26.640000 I'm not going to add any tags. 0:18:26.640000 --> 0:18:28.740000 Review and create. 0:18:28.740000 --> 0:18:31.080000 Because everything is good, I'm going to click create. 0:18:31.080000 --> 0:18:34.540000 And I'm going to wait a bit for that to fully provision. 0:18:34.540000 --> 0:18:40.780000 And then we'll come back and take a look at the result. 0:18:40.780000 --> 0:18:48.460000 All right, it has deployed. 0:18:48.460000 --> 0:18:50.060000 Let's go take a look at it. 0:18:50.060000 --> 0:18:52.500000 I'm going to go to the resource group. 0:18:52.500000 --> 0:18:54.600000 That's got all kinds of things in it. 0:18:54.600000 --> 0:19:00.080000 And once it decides to come up, there we go. 0:19:00.080000 --> 0:19:02.260000 There's my application gateway. 0:19:02.260000 --> 0:19:05.120000 I'm going to pop into the application gateway. 0:19:05.120000 --> 0:19:09.040000 And not much going on right at the moment. 0:19:09.040000 --> 0:19:11.620000 But you can see, you know, your basic settings, as you would expect. 0:19:11.620000 --> 0:19:13.800000 There's my virtual network it's associated with. 0:19:13.800000 --> 0:19:17.000000 There's the front end public IP address. 0:19:17.000000 --> 0:19:20.380000 And here's my web application firewall. 
0:19:20.380000 --> 0:19:23.460000 And so I'm on a WAFV2. 0:19:23.460000 --> 0:19:26.500000 I'm in detection mode. 0:19:26.500000 --> 0:19:30.320000 If I go to rules, I've got the ruleset. 0:19:30.320000 --> 0:19:32.280000 Which actually now has 3.1. 0:19:32.280000 --> 0:19:34.180000 That one's a bit new. 0:19:34.180000 --> 0:19:36.040000 And Microsoft one. 0:19:36.040000 --> 0:19:38.880000 Always fun coming in through a demo, finding new stuff. 0:19:38.880000 --> 0:19:43.680000 And then if I want, I can go in based on the ruleset and I can disable 0:19:43.680000 --> 0:19:47.320000 certain rules. But I don't want to do that. 0:19:47.320000 --> 0:19:49.760000 Discard those changes. 0:19:49.760000 --> 0:19:51.620000 Just go over here. 0:19:51.620000 --> 0:19:53.180000 There's my back end pool. 0:19:53.180000 --> 0:19:54.420000 See my back end pool. 0:19:54.420000 --> 0:19:57.040000 I've got, it is associated with one rule. 0:19:57.040000 --> 0:19:58.540000 And it's got two targets. 0:19:58.540000 --> 0:20:01.560000 Right? And so I dive down in there a little bit. 0:20:01.560000 --> 0:20:05.620000 And I can see the rule it's associated with and the targets. 0:20:05.620000 --> 0:20:09.960000 And you can add another back end pool if you wanted without targets. 0:20:09.960000 --> 0:20:12.320000 But I'm not going to do that. 0:20:12.320000 --> 0:20:16.340000 My settings. Notice I can have additional settings. 0:20:16.340000 --> 0:20:18.600000 Front end IP configuration. 0:20:18.600000 --> 0:20:19.840000 It's just got two public and private. 0:20:19.840000 --> 0:20:23.080000 But if I want private, I can go and set that up. 0:20:23.080000 --> 0:20:25.740000 And pretty much what you would expect through here. 0:20:25.740000 --> 0:20:30.560000 Except, you know, when I go to listeners, what I have available here that 0:20:30.560000 --> 0:20:34.640000 I didn't have when I was setting it up is this SSL policy. 0:20:34.640000 --> 0:20:38.900000 And so here is my default policy. 
0:20:38.900000 --> 0:20:42.580000 And it's giving me that it will use TLS version 1.0. 0:20:42.580000 --> 0:20:47.280000 And all of the different cipher suites that it will support. 0:20:47.280000 --> 0:20:52.140000 I can go to other predefined policies. 0:20:52.140000 --> 0:20:59.860000 So there's TLS version 1.1. 0:20:59.860000 --> 0:21:06.400000 And there's TLS version 1.2 and the cipher suites that it supports. 0:21:06.400000 --> 0:21:07.620000 And I can save that. 0:21:07.620000 --> 0:21:17.040000 And I can also go custom and set up the min protocol version and also 0:21:17.040000 --> 0:21:20.300000 edit what I wanted to allow. 0:21:20.300000 --> 0:21:24.020000 We'll go ahead and use that, which actually isn't really the best setting. 0:21:24.020000 --> 0:21:25.140000 But that's okay. 0:21:25.140000 --> 0:21:27.580000 I can add additional listeners. 0:21:27.580000 --> 0:21:32.720000 I can also add multi-site listeners that will pull in different requests 0:21:32.720000 --> 0:21:35.060000 to different locations. 0:21:35.060000 --> 0:21:37.780000 Rules. We know the HTTP rule. 0:21:37.780000 --> 0:21:42.120000 That's pretty, again, at the outset, certainly pretty straightforward. 0:21:42.120000 --> 0:21:45.740000 Listener, back end pool, HTTP settings. 0:21:45.740000 --> 0:21:50.540000 And the only thing else would be configuring redirection. 0:21:50.540000 --> 0:21:53.320000 Rules are pretty straightforward. 0:21:53.320000 --> 0:21:55.920000 Rewrites, that's going to be your headers. 0:21:55.920000 --> 0:22:00.720000 Health probes. Okay, now there are no health probes because I just used 0:22:00.720000 --> 0:22:03.280000 the default health probe. 0:22:03.280000 --> 0:22:06.020000 I want to add my own health probe. 0:22:06.020000 --> 0:22:07.020000 There are the settings. 0:22:07.020000 --> 0:22:09.380000 Give it a name. Protocol. 0:22:09.380000 --> 0:22:14.340000 The host. Or I could pick the host name from the back end. 0:22:14.340000 --> 0:22:17.540000 Path. 
And you see interval timeout. 0:22:17.540000 --> 0:22:21.140000 Unhealthy, etc. All right. 0:22:21.140000 --> 0:22:24.960000 And I have HTTP settings that I can use it. 0:22:24.960000 --> 0:22:29.680000 But I'm not going to do any of that because I've already got one and I 0:22:29.680000 --> 0:22:30.740000 just want to demonstrate it now. 0:22:30.740000 --> 0:22:35.220000 All right. And hopefully the demonstration will be a little bit anti-climactic. 0:22:35.220000 --> 0:22:44.100000 I'm going to take the front end public IP address and pop over here. 0:22:44.100000 --> 0:22:48.760000 And there we go. 0:22:48.760000 --> 0:22:55.540000 There is my anti-climactic result showing that it is going to one of my 0:22:55.540000 --> 0:22:56.220000 back end servers. 0:22:56.220000 --> 0:23:00.240000 That returns this incredibly sophisticated page. 0:23:00.240000 --> 0:23:05.120000 But the sophistication of the page notwithstanding, I've got requests 0:23:05.120000 --> 0:23:09.100000 that are going through my application gateway. 0:23:09.100000 --> 0:23:11.200000 They're being load balanced to the back end. 0:23:11.200000 --> 0:23:16.120000 And they're providing all of these additional features that I get because 0:23:16.120000 --> 0:23:20.640000 the application gateway again is a layer seven gateway focusing on HTTP 0:23:20.640000 --> 0:23:26.340000 and HTTPS. As well as remember the ability to go with HTTP/2 and Web