Azure Paas service Load Balancer sending HTTP request to multiple Web Role instances

Question

We are experiencing some very strange behaviour with the Azure load balancer in production

we are try to make a request which takes longer time to process, which were being duplicated in system. when we analysed the logs and App insights we could see multiple requests being triggered any where from 2 to 9 times for every 2 mins, each requests handled by different instances. while we have sent only single request from browser

This is very concerning for us as we understood the Azure load balancer which sits in front of our web roles simply forwarded requests onto the web role instances in a round robin pattern.

We cannot find any detailed documentation on the Azure load balancer implementation, why this was happening or how the LB process requests

n.b. We have monitored and know that we are NOT sending duplicate requests

Answer 1

satyajitroybandla, Apologies for the delay.

1/2:

Firstly, to highlight on how load balancing works on App Service, front ends terminate SSL connection for all HTTPS requests for all applications and any type of certificate.
The front end then forwards the request to the designated worker for a given application.

That means that TLS/SSL requests never get to your app. You don't need to, and shouldn't implement any support for TLS/SSL into your app.
The front ends are located inside Azure data centres. If you use TLS/SSL with your app, your traffic across the Internet will always be safely encrypted.
So, the request that makes it to the worker your app is on is always going to be HTTP.

Furthermore, the front end is a layer seven-load balancer, acting as a proxy, distributing incoming HTTP requests between different applications and their respective Workers.
Currently, the App Service load-balancing algorithm is a simple round robin between a set of servers allocated for a given application.

HttpsOnly (setting/feature available on the Portal) will only impact http request (App Service LB will redirect http to https). If the incoming is already https – then no-op.

Kindly check these docs, which provides more info on your ask:
Inside the Azure App Service Architecture (provides a detailed insights into the architecture)

Security in Azure App Service

Answer 2

2/2:

Azure Load Balancer has a default idle timeout setting of four minutes (~230 sec).

It sounds like you may be referring to Always ON feature.

By default, web apps are unloaded if they're idle for a set period of time. This way, the system can conserve resources.

When Always On is not turned on (default), the app is unloaded after 20 minutes without any incoming requests.

• Keeps the app loaded even when there's no traffic.
• The front-end load balancer sends a GET request to the application root every five minutes. The continuous ping prevents the app from being unloaded.

If Always on is not enabled:

• The unloaded app can cause high latency for new requests because of its warm-up time.

Additionally, to further highlight, there are really two sites for each Web App: the normal site and the scm site (which runs Kudu or Webjobs).
Each site gets a ping, so you would see two (the ~1 name is the scm site).

Kindly let us know, I'll follow-up with you further. Thank for your patience!

Checkout this docs for more info:

Monitor App Service instances using Health check
Setting up Health Check for Azure App Service