Azure App Serivce load balancer

Question

Azure App Serivce load balancer

Jeff Trotman 6

I'm having a hard-time finding documentation about the load balancing providing as part of Azure App Service. Not Application Gateway or Azure Load Balancer, but the one that's included in Azure App Service that facilitates scaling out to multiple instances.

A prospect for our SAAS application that's hosted in Azure App Service is asking if HTTPS ends at the load balancer or at the application server. I can't find documentation that says this for sure. When I do a Log Stream in the App Service, I see some requests to http://... so I assume that the traffic between the load balancer and the web server hosting our application is http as opposed to https, but it would be nice to see this documented somewhere.

Does anyone know for sure how this works? Even better - is there documentation explaining this?

2 answers

Your answer

Answer 1

ajkuma 28,036 Microsoft Employee Moderator

anonymous user, Thanks for the great question.

On App Service, front ends terminate SSL connection for all HTTPS requests for all applications and any type of certificate.
The front end then forwards the request to the designated worker for a given application.

That means that TLS/SSL requests never get to your app. You don't need to, and shouldn't implement any support for TLS/SSL into your app.
The front ends are located inside Azure data centres. If you use TLS/SSL with your app, your traffic across the Internet will always be safely encrypted.
The request that makes it to the worker your app is on is always going to be HTTP.

Furthermore, the front end is a layer seven-load balancer, acting as a proxy, distributing incoming HTTP requests between different applications and their respective Workers.
Currently, the App Service load-balancing algorithm is a simple round robin between a set of servers allocated for a given application.

HttpsOnly (setting/feature available on the Portal) will only impact http request (App Service LB will redirect http to https). If the incoming is already https – then no-op.

Kindly check these docs, which provides more info on your ask:
Inside the Azure App Service Architecture (provides a detailed insights into the architecture)

Security in Azure App Service

-----
To benefit the community find the right answers, please do mark the post which was helpful by clicking on ‘Accept Answer’ & ‘Up-Vote’.

ajkuma 28,036 Reputation points Microsoft Employee Moderator

2022-03-04T19:30:10.573+00:00

Adding more info, for some more clarity:

As highlighted above, the TLS/SSL termination happens at the network load balancers, so all HTTPS requests reach your app as unencrypted HTTP requests.
If your app logic needs to check if the user requests are encrypted or not, inspect the X-Forwarded-Proto header.

Additionally, as for as web site's files, they follow a structure described here.
They are rooted in %HOME% directory.
For App Service on Linux and Web app for Containers, persistent storage is rooted in /home

These files are persistent, meaning that you can rely on them staying there until you do something to change them, and they are shared between all instances of your site (when you scale it up to multiple instances). Internally, the way this works is that they are stored in Azure Storage instead of living on the local file system.

Azure Web App sandbox
All Azure Web Apps (as well as Mobile App/Services, WebJobs and Functions) run in a secure environment called a sandbox.

Operating system functionality on Azure App Service

Just as a side note, based on your requirement you can leverage Azure Logic Apps Connectors to connect to SaaS platforms.
Dor Marcovitch 1 Reputation point

2023-03-12T09:34:16.3033333+00:00

Hey,

wondering again about the way the LB is working, we are performing upgrades and during the migration we have 2 webapps on the ASP that should get requests for the same host header IE: "contoso.microsoft.com"

on the Azure WAF i have 2 rules for example:

contoso.microsoft.com -> "old webapp"

contoso-new.microsoft.com -> "new webapp" with renaming the host header to "contoso.microsoft.com"

does the "internal proxy" of the ASP is on per webapp i put on the ASP ? is it for all webapps on the ASP ? does the requests reach to the relevant webapp as i expected?
ajkuma 28,036 Reputation points Microsoft Employee Moderator

2023-03-15T15:13:56+00:00

On App Service Scale unit -Just to highlight, in a nutshell, the App Service Plan (ASP) is the scale unit of the App Service Apps. If the plan is configured to run 4 VM instances, then all apps in the plan run on all 4 instances.

--If the plan is configured for autoscaling, then all apps in the plan are scaled out together based on the autoscale settings. You pay for the ASP, not for # the Apps.

https://learn.microsoft.com/azure/app-service/overview-hosting-plans

When your Azure web app is scaled out to multiple instances, To learn more, see Monitor App Service instances using Health check.

Answer 2

Rijwan Ansari 766 MVP

You can scale out into multiple instances using azure app service feature.

https://learn.microsoft.com/en-us/azure/azure-monitor/autoscale/autoscale-get-started?toc=%2Fazure%2Fapp-service%2Ftoc.json

Share via

Azure App Serivce load balancer

2 answers

Your answer