Hi
I am hoping someone will tell me if what I am trying is possible or if I have to revert to plan B, which I will also outline.
Currently we are using the Azure Application Gateway in front of our web tier to direct traffic to the correct backend service, as well as using it to perform SSL offload. This is fine and it works in this role for what we need it to.
The issue I have is that the service we are developing requires access to a third-party service that is restricted via IP whitelist. Obviously this is a problem, as the Application Gateway doesn't support a static public IP, and we obviously don't want to assign public IPs to each of our VMs for this purpose only, which means an alternative method is required.
I investigated potentially swapping out the Application Gateway for the Azure Load Balancer, and at first glance this seemed to do everything that we needed of it, and also helped to begin solving another issue. It gives us outbound SNAT with minimal additional configuration and also improves the custom probe health-check functionality. Brilliant.
Well, no. The one key service not provided here is the SSL offload. In order to use the Load Balancer here we would need to build out a new tier to handle the SSL offload, and we would also have moved the termination of the service in one level, bringing a whole new range of considerations to the party. Can't use the Load Balancer then. I checked with the development team and apparently it is non-trivial to reconfigure the application to handle the SSL offload itself, hence the requirement for the new tier and services to do this. Great.
So, plan B. Well, this is to build an outbound proxy box, using the existing technologies for such things, and then work to ensure that introducing this, as well as the new UDRs and NSGs required for it, doesn't break the application or the deployment process. This also requires additional configuration, but it doesn't require a change to the application itself, and so it should be minimal impact from that side.
It does, however, add a lot of complexity to the infrastructure, the RM templates and our configuration management code (yes, I'm being slightly selfish here).
So that brings me to my question:
I was thinking about deploying an Application Gateway and a Load Balancer to the same resource group, using the Application Gateway as the frontend to the service and only using the Load Balancer for its outgoing SNAT capability, not allowing inbound connections from there at all. Does anyone know if 1) this is possible, 2) not stupid, and 3) how it would look?
Thanks for any assistance
Joe
I should just clarify: I don't want to put the Load Balancer in front of or behind the Application Gateway, unless that actually would work... hmmm...
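One way the layout asked about could look as a Resource Manager template, as an added illustration that is not part of the original post or its author's environment. It assumes an existing Application Gateway (parameters `appGwName` and `appGwPoolName`) and an existing subnet (`subnetId`); the resource names `egress-lb`, `egress-pip`, `egress-pool` and `web-vm1-nic` are placeholders. The Load Balancer carries a Standard SKU static public IP and a single outbound rule; it has no load-balancing rules and no inbound NAT rules, so its frontend offers no inbound path. The web VM's NIC sits in both the Application Gateway backend pool (inbound, via the gateway's own IP) and the Load Balancer backend pool (outbound SNAT via `egress-pip`), which is the address to hand to the third party for their whitelist. Outbound rules require the Standard SKU on both the Load Balancer and its public IP.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "description": "Added illustration, not the original post's template: Standard LB used for outbound SNAT only, alongside an existing Application Gateway. All resource names are placeholders."
  },
  "parameters": {
    "location": { "type": "string", "defaultValue": "[resourceGroup().location]" },
    "subnetId": { "type": "string" },
    "appGwName": { "type": "string", "defaultValue": "web-appgw" },
    "appGwPoolName": { "type": "string", "defaultValue": "web-pool" }
  },
  "variables": {
    "lbName": "egress-lb",
    "lbPipName": "egress-pip",
    "lbFrontendName": "egress-fe",
    "lbPoolName": "egress-pool",
    "nicName": "web-vm1-nic",
    "lbId": "[resourceId('Microsoft.Network/loadBalancers', variables('lbName'))]",
    "lbPoolId": "[concat(variables('lbId'), '/backendAddressPools/', variables('lbPoolName'))]"
  },
  "resources": [
    {
      "type": "Microsoft.Network/publicIPAddresses",
      "apiVersion": "2020-11-01",
      "name": "[variables('lbPipName')]",
      "location": "[parameters('location')]",
      "sku": { "name": "Standard" },
      "properties": { "publicIPAllocationMethod": "Static" }
    },
    {
      "type": "Microsoft.Network/loadBalancers",
      "apiVersion": "2020-11-01",
      "name": "[variables('lbName')]",
      "location": "[parameters('location')]",
      "sku": { "name": "Standard" },
      "dependsOn": [ "[resourceId('Microsoft.Network/publicIPAddresses', variables('lbPipName'))]" ],
      "properties": {
        "frontendIPConfigurations": [
          {
            "name": "[variables('lbFrontendName')]",
            "properties": {
              "publicIPAddress": { "id": "[resourceId('Microsoft.Network/publicIPAddresses', variables('lbPipName'))]" }
            }
          }
        ],
        "backendAddressPools": [ { "name": "[variables('lbPoolName')]" } ],
        "loadBalancingRules": [],
        "inboundNatRules": [],
        "outboundRules": [
          {
            "name": "egress-snat",
            "properties": {
              "protocol": "All",
              "allocatedOutboundPorts": 1024,
              "idleTimeoutInMinutes": 4,
              "enableTcpReset": true,
              "frontendIPConfigurations": [
                { "id": "[concat(variables('lbId'), '/frontendIPConfigurations/', variables('lbFrontendName'))]" }
              ],
              "backendAddressPool": { "id": "[variables('lbPoolId')]" }
            }
          }
        ]
      }
    },
    {
      "type": "Microsoft.Network/networkInterfaces",
      "apiVersion": "2020-11-01",
      "name": "[variables('nicName')]",
      "location": "[parameters('location')]",
      "dependsOn": [ "[variables('lbId')]" ],
      "properties": {
        "ipConfigurations": [
          {
            "name": "ipconfig1",
            "properties": {
              "privateIPAllocationMethod": "Dynamic",
              "subnet": { "id": "[parameters('subnetId')]" },
              "applicationGatewayBackendAddressPools": [
                { "id": "[resourceId('Microsoft.Network/applicationGateways/backendAddressPools', parameters('appGwName'), parameters('appGwPoolName'))]" }
              ],
              "loadBalancerBackendAddressPools": [
                { "id": "[variables('lbPoolId')]" }
              ]
            }
          }
        ]
      }
    }
  ]
}
```

Two things to check after deploying: that the third party sees connections from `egress-pip` (for example by having a VM fetch its own address from an echo service the third party agrees on), and that `allocatedOutboundPorts` multiplied by the number of VMs in the pool stays within the 64,000 ports a single frontend IP can offer, otherwise SNAT port exhaustion shows up as intermittent outbound connection failures rather than a clear error. Because the NIC is only ever referenced by pools, the existing UDRs and NSGs on the web subnet do not need to change for this layout, which is the point of preferring it over the proxy box.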