How to Configure Azure Application Gateway V2 (WAF) for Multi-Site Hosting on Azure Windows VM… (2024)


Takeaway: Steps to configure Azure Application Gateway V2 for hosting two web applications inside a single Azure Windows VM on IIS Server.

Assumption: You have already provisioned an Azure Windows VM and an Azure Application Gateway V2 in a Resource Group. IIS is installed, and bindings have been created for the two web application URLs on port 443 with their respective security certificates.

Step 1: Click on the Application Gateway’s name in the Resource Group.


Step 2: Click on the “Web application firewall” option in the left menu blade and set the configuration as shown below:

Tier => WAF,

Firewall Status => Enabled,

Firewall Mode => ‘Detection’ or ‘Prevention’ as per your need. In Prevention mode, you can allow/block the requests coming to your application URL based on specific Request Headers, Attributes and Cookies, whereas Detection mode will detect the requests and collect the logs in the provided storage account; you may also choose to send them as input to Azure Analytics or Event Hubs for further processing.

8th-Jan-2020 Update:

(If you are enabling Prevention mode in WAF, you may need to look into the request types (Request Headers, Cookies, Attributes etc.) and allow the specific ones in the WAF exclusion list, because Application Gateway may block some requests if the request body contains formats/characters other than the default allowed ones. This may result in 403 or 401 errors while accessing the URL in browsers. 401 comes when you try to upload a file larger than the allowed size; you might consider changing the ‘File Upload Limit’ in the Global Parameters section of the WAF configuration.

A few more things need to be checked in Prevention mode, such as disabling ‘Inspect Request body’ if the application request is still getting blocked even after adding specific strings to the exclusion list. If for some reason you are still running into 401/403 issues or the application is getting blocked, then you need to check the diagnostic logs of Application Gateway. (You need to enable diagnostic settings for the Application Gateway and store the logs in blob storage.)

In the logs you can check which types of requests are being blocked, read the error description and act accordingly. If needed, you can disable some rules on the WAF by going to Web Application Firewall -> Rules -> Advanced rule configuration -> Enable.

Please be aware that disabling rules may degrade your security.


For detailed information on troubleshooting such issues, please refer to this Microsoft Docs link.)
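The log check described above, as an added example that is not part of the original article: a short Python triage of firewall log lines that groups hits by site and rule and names the request attribute, cookie or header involved, which is what an exclusion-list entry needs. It assumes the stored logs hold one JSON record per line with the field names noted in the comments; the sample lines and rule IDs in them are constructed.

```python
import json
import re
from collections import defaultdict

# Assumed record layout: "category", and under "properties": hostname,
# requestUri, ruleId, action, details.data.
def _rec(host, uri, rule, action, data):
    return json.dumps({"category": "ApplicationGatewayFirewallLog",
                       "properties": {"hostname": host, "requestUri": uri,
                                      "ruleId": rule, "action": action,
                                      "details": {"data": data}}})

# Constructed sample lines, not taken from a real gateway.
SAMPLE_LINES = [
    _rec("abc.com", "/comments", "942130", "Matched",
         "Matched Data: 1=1 found within ARGS:comment: note 1=1"),
    _rec("abc.com", "/comments", "942130", "Blocked",
         "Matched Data: 2=2 found within ARGS:comment: see 2=2"),
    _rec("xyz.abc.com", "/login", "942440", "Blocked",
         "Matched Data: -- found within REQUEST_COOKIES:session: ab--cd"),
    '{"category": "ApplicationGatewayAccessLog", "properties": {}}',
    '{"category": "ApplicationGatewayFirewallLog", "prop',  # truncated line
]

# WAF match variable -> the kind of exclusion-list entry it points to.
KIND = {"ARGS": "request attribute", "REQUEST_COOKIES": "cookie",
        "REQUEST_HEADERS": "request header"}
MATCH_VAR = re.compile(r"found within (ARGS|REQUEST_COOKIES|REQUEST_HEADERS):([^:\s]+)")

def triage(lines):
    """Group firewall hits by (site, rule) and name the request field involved."""
    hits = defaultdict(lambda: {"count": 0, "blocked": 0, "fields": set()})
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(rec, dict) or rec.get("category") != "ApplicationGatewayFirewallLog":
            continue  # access logs and other categories are not WAF hits
        props = rec.get("properties", {})
        entry = hits[(props.get("hostname"), props.get("ruleId"))]
        entry["count"] += 1
        entry["blocked"] += props.get("action") == "Blocked"
        m = MATCH_VAR.search(props.get("details", {}).get("data") or "")
        if m:
            entry["fields"].add((KIND[m.group(1)], m.group(2)))
    return dict(hits)

for (site, rule), e in sorted(triage(SAMPLE_LINES).items()):
    print(site, rule, e["count"], "hits,", e["blocked"], "blocked,", sorted(e["fields"]))
```

A rule that keeps firing on one named field of one site is a candidate for a narrow exclusion on that field rather than for disabling the rule.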

You may leave the other settings at their defaults. Finally, click the Save button to save the settings so far.


Step 3: Click on “Backend Pools” and then click the “+Add” option to add the backend pool. In our case it will be a virtual machine.


Step 4: Click on the ‘Health Probe’ menu and then click the ‘+Add’ option to create a health probe. It is needed to check the backend health of the VM where the application will be running.


Step 5: Add 2 Health Probes for Application 1 (abc.com) and Application 2 (xyz.abc.com) respectively.

Use the HTTPS protocol, give ‘/’ as the path and check the box against ‘use probe matching condition’.

Finally, click the Add button to save the changes.


Step 6: Create HTTP Settings on port 443 (HTTPS) for both applications respectively.


Select Probe1, which you created for App1, and provide the App1 URL in the ‘Override Host Name’ box. Repeat Step 6 to create HTTP Settings for the second application URL.

Step 7: Click on the Listener menu option and click the ‘+Multi-Site’ option to add listeners for both applications.

We must create two multi-site listeners for each application: one on port 443 (main listener) and another on port 80 (for HTTP-to-HTTPS redirection).


Step 8: Create the HTTPS (port 443) listener for the first application as shown below. Provide the URL for Application-1 as the host name and upload the respective .pfx certificate and password.


Step 9: Create another multi-site listener for the first application URL on port 80 (HTTP) for HTTP-to-HTTPS redirection as shown below:


Repeat Steps 7, 8 and 9 to create two listeners for the second application URL in the same fashion as we did above for the first application.

Step 10: Create rules (basic) for both applications by clicking on the Rules menu and the ‘+Basic’ button as below.


Step 11: Create the main rule for the first application.

  • In the Listener option, select the main listener which you created on port 443 for the first application.
  • In the Backend Pool option, select the backend pool which you created in Step 3.
  • In the HTTP Settings option, select the HTTP Settings which you created for the first application in Step 6. Finally, click the OK button below to save the settings.

Step 12: Create a second rule for HTTP-to-HTTPS redirection as shown below:

  • In the Listener option, select the listener which you created on port 80 for Application-1 in Step 9.
  • Check the box against Configure Redirection.
  • “Redirection Type” will be permanent.
  • “Redirection Target” will be Listener.
  • In “Target Listener”, select the listener which you created on port 443 for Application-1 in Step 8.
  • Check the boxes against the ‘Include query string’ and ‘include path’ options as shown below.

Finally, click OK to save the settings.


Repeat Steps 10, 11 and 12 to create and configure rules for the second application (Application 2) with its respective URLs, using the HTTP Settings which you created for the second application URL.

If the above steps have been followed correctly, the Application Gateway configuration is now complete.
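A consistency check for Steps 6 to 12, added here as an example and not taken from the original article: it walks an exported gateway configuration and reports, per site, where the listener, HTTP settings, probe and redirect references do not line up. It assumes the property names of the JSON printed by `az network application-gateway show`; the `sample_site` helper, its short ids and the two-site `GATEWAY` are constructed for the demonstration.

```python
def sample_site(n, host, include_query=True):
    """Constructed settings for one site; ids are short stand-ins for real resource ids."""
    lsn = {p: f"listeners/{n}-{p}" for p in (443, 80)}
    return {
        "probes": [{"id": f"probes/{n}", "protocol": "Https", "path": "/"}],
        "backendHttpSettingsCollection": [{
            "id": f"settings/{n}", "protocol": "Https", "port": 443,
            "hostName": host, "probe": {"id": f"probes/{n}"}}],
        "httpListeners": [
            {"id": lsn[443], "protocol": "Https", "hostName": host},
            {"id": lsn[80], "protocol": "Http", "hostName": host}],
        "redirectConfigurations": [{
            "id": f"redirects/{n}", "redirectType": "Permanent",
            "targetListener": {"id": lsn[443]},
            "includePath": True, "includeQueryString": include_query}],
        "requestRoutingRules": [
            {"httpListener": {"id": lsn[443]}, "backendHttpSettings": {"id": f"settings/{n}"}},
            {"httpListener": {"id": lsn[80]}, "redirectConfiguration": {"id": f"redirects/{n}"}}],
    }

# Two sites merged into one gateway; the second one omits 'Include query string'.
SITES = [sample_site("app1", "abc.com"), sample_site("app2", "xyz.abc.com", False)]
GATEWAY = {key: [r for s in SITES for r in s[key]] for key in SITES[0]}

def audit(gw, host):
    """Findings for one site; an empty list means it matches Steps 6 to 12."""
    def follow(kind, holder, key):  # resolve a {"id": ...} reference into gw[kind]
        rid = (holder.get(key) or {}).get("id")
        return next((r for r in gw.get(kind, []) if r["id"] == rid), {})
    listeners = {l["protocol"]: l for l in gw["httpListeners"] if l.get("hostName") == host}
    if set(listeners) != {"Https", "Http"}:
        return ["needs one Https and one Http multi-site listener"]
    rules = {r["httpListener"]["id"]: r for r in gw["requestRoutingRules"]}
    https_id = listeners["Https"]["id"]
    settings = follow("backendHttpSettingsCollection", rules.get(https_id, {}), "backendHttpSettings")
    probe = follow("probes", settings, "probe")
    redirect = follow("redirectConfigurations", rules.get(listeners["Http"]["id"], {}), "redirectConfiguration")
    checks = [
        ((settings.get("protocol"), settings.get("port")) == ("Https", 443), "HTTP settings are not HTTPS on 443"),
        (settings.get("hostName") == host, "host name override does not match the site"),
        ((probe.get("protocol"), probe.get("path")) == ("Https", "/"), "probe is not HTTPS on path /"),
        ((redirect.get("redirectType"), (redirect.get("targetListener") or {}).get("id")) == ("Permanent", https_id), "redirect is not permanent to the 443 listener"),
        (bool(redirect.get("includePath") and redirect.get("includeQueryString")), "redirect drops path or query string"),
    ]
    return [msg for ok, msg in checks if not ok]

for site in ("abc.com", "xyz.abc.com"):
    print(site, audit(GATEWAY, site) or "OK")
```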

(If not done already) Next, create the IIS bindings inside the application VM for both application URLs on port 443: install the .pfx security certificates in that VM and create two sample web applications, so that you can test the URLs in a browser.

Once this is done, you can test whether the application gateway is working by following the step below.

Step 13: Scroll down the Application Gateway page to the Monitoring section and click on the “Backend Health” option.

If all the Application Gateway configuration steps are correct and the IIS bindings for the test websites in the application VM are done correctly, you should see a screen like the one below. Both HTTP Settings should show Healthy status.


The application URLs should also work correctly in browsers. (They should show the web page which you configured in the application VM during IIS binding.)

If Backend Health status is Unhealthy, it means there is something wrong with Application Gateway Configuration or IIS Server Application Bindings.



Author: Frankie Dare
