Application performance not consistent when using application gateway

Question

Application performance not consistent when using application gateway

siddharth bansal 346

I observed that the performance is not consistent when using application gateway ,I have an application gateway with tier WAF V2, Capacity type: Manual, Instance count: 2, it has 2 backend app services ,when i was directly using the app service it was much faster , can you suggest how can i make the performance consistent and if is because of the WAF rules , then what all rules we can disable to improve the performance .

GitaraniSharma-MSFT 50,021 Reputation points Microsoft Employee Moderator

2023-10-05T13:46:07.8266667+00:00

Hello @siddharth bansal ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand that you are observing inconsistent performance when using application gateway with tier WAF v2. The application works faster when you bypass the Application gateway but when you use the Application gateway, the performance is slower.

WAF is expected to add some latency regardless of it being in prevention or detection mode as the traffic is inspected by the WAF.

Do you have any numbers for the latency introduced? Is it very high?

I would request you to check your Application gateway metrics once, as those metrics can be used to determine whether the observed slowdown is due to the client network, Application Gateway performance, the backend network and backend server TCP stack saturation, backend application performance, or large file size.

Refer: https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-metrics

Also, take a look into the below documents which shares guidelines to help you set up your Application Gateway to handle extra traffic for any high traffic volume that may occur:

https://learn.microsoft.com/en-us/azure/application-gateway/high-traffic-support#manual-scaling-for-application-gateway-v2-sku-standard_v2waf_v2

https://learn.microsoft.com/en-us/azure/well-architected/services/networking/azure-application-gateway#performance-efficiency

Regards,

Gita
siddharth bansal 346 Reputation points

2023-10-06T03:55:34.8733333+00:00

Hi @GitaraniSharma-MSFT Thanks for responding , i checked the metrics ,below is the screenshot for the same .can you let me know if any improvements can be done based on this metrics and as you mentioned that traffic is inspected by WAF, so is it because of the WAF rules ? and can anything be done with the WAF rules to improve performance ? is it recommended to disable WAF rules .
GitaraniSharma-MSFT 50,021 Reputation points Microsoft Employee Moderator

2023-10-06T13:22:17.31+00:00
Hello @siddharth bansal ,

Like I mentioned above, WAF is expected to add some latency regardless of it being in prevention or detection mode as the traffic is inspected by the WAF.

In Detection mode, the WAF doesn't block any request, but the traffic is still inspected by the WAF and is logged.

Refer: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview#waf-modes

As long as the Application gateway has the WAF SKU enabled, disabling rules will not help improve performance.

So, my suggestion is to check all the listed metrics here and validate the numbers using the below example:

If there’s a spike in Backend first byte response time trend but the Backend connect time trend is stable, then it can be inferred that the Application gateway to backend latency and the time taken to establish the connection is stable, and the spike is caused due to an increase in the response time of backend application.

If the spike in Backend first byte response time is associated with a corresponding spike in Backend connect time, then it can be deduced that either the network between Application Gateway and backend server or the backend server TCP stack has saturated.

If you notice a spike in Backend last byte response time but the Backend first byte response time is stable, then it can be deduced that the spike is because of a larger file being requested.

Similarly, if the Application gateway total time has a spike but the Backend last byte response time is stable, then it can either be a sign of performance bottleneck at the Application Gateway or a bottleneck in the network between client and Application Gateway.

Additionally, if the client RTT also has a corresponding spike, then it indicates that the degradation is because of the network between client and Application Gateway.

Refer: https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-metrics#metrics-supported-by-application-gateway-v2-sku

The screenshots of metrics you shared only has Backend last byte response time and Application gateway total time and both of them shows spikes together at one point, so it could be due to larger files being requested.

I would request you to check all the metrics for a given time when you observed latency in your application and compare the data.

Regards,

Gita
GitaraniSharma-MSFT 50,021 Reputation points Microsoft Employee Moderator

2023-10-09T13:38:06.96+00:00

@siddharth bansal , could you please provide an update on this issue? Were you able to compare the data for your Application gateway metrics?
GitaraniSharma-MSFT 50,021 Reputation points Microsoft Employee Moderator

2023-10-11T15:58:40.0133333+00:00

@siddharth bansal , do you have any updates on this issue?
siddharth bansal 346 Reputation points

2023-10-12T04:12:05.5933333+00:00

@GitaraniSharma-MSFT i am analyzing metrics to get better understanding and figuring out if anywhere I can improve the performance , instance count seems to be fine as of now .
GitaraniSharma-MSFT 50,021 Reputation points Microsoft Employee Moderator

2023-10-12T15:43:15.9433333+00:00

@siddharth bansal , thank you for the update. I've summarized the answer below for better visibility. Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Accepted answer

0 additional answers

Your answer

GitaraniSharma-MSFT 50,021 Reputation points Microsoft Employee Moderator

2023-10-05T13:46:07.8266667+00:00

Hello @siddharth bansal ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand that you are observing inconsistent performance when using application gateway with tier WAF v2. The application works faster when you bypass the Application gateway but when you use the Application gateway, the performance is slower.

WAF is expected to add some latency regardless of it being in prevention or detection mode as the traffic is inspected by the WAF.

Do you have any numbers for the latency introduced? Is it very high?

I would request you to check your Application gateway metrics once, as those metrics can be used to determine whether the observed slowdown is due to the client network, Application Gateway performance, the backend network and backend server TCP stack saturation, backend application performance, or large file size.

Refer: https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-metrics

Also, take a look into the below documents which shares guidelines to help you set up your Application Gateway to handle extra traffic for any high traffic volume that may occur:

https://learn.microsoft.com/en-us/azure/application-gateway/high-traffic-support#manual-scaling-for-application-gateway-v2-sku-standard_v2waf_v2

https://learn.microsoft.com/en-us/azure/well-architected/services/networking/azure-application-gateway#performance-efficiency

Regards,

Gita
siddharth bansal 346 Reputation points

2023-10-06T03:55:34.8733333+00:00

Hi @GitaraniSharma-MSFT Thanks for responding , i checked the metrics ,below is the screenshot for the same .can you let me know if any improvements can be done based on this metrics and as you mentioned that traffic is inspected by WAF, so is it because of the WAF rules ? and can anything be done with the WAF rules to improve performance ? is it recommended to disable WAF rules .
GitaraniSharma-MSFT 50,021 Reputation points Microsoft Employee Moderator

2023-10-09T13:38:06.96+00:00

@siddharth bansal , could you please provide an update on this issue? Were you able to compare the data for your Application gateway metrics?
GitaraniSharma-MSFT 50,021 Reputation points Microsoft Employee Moderator

2023-10-11T15:58:40.0133333+00:00

@siddharth bansal , do you have any updates on this issue?
siddharth bansal 346 Reputation points

2023-10-12T04:12:05.5933333+00:00

@GitaraniSharma-MSFT i am analyzing metrics to get better understanding and figuring out if anywhere I can improve the performance , instance count seems to be fine as of now .
GitaraniSharma-MSFT 50,021 Reputation points Microsoft Employee Moderator

2023-10-12T15:43:15.9433333+00:00

@siddharth bansal , thank you for the update. I've summarized the answer below for better visibility. Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Answer 1

Hello @siddharth bansal ,

I understand that you are observing inconsistent performance when using application gateway with tier WAF v2. The application works faster when you bypass the Application gateway but when you use the Application gateway, the performance is slower.

WAF is expected to add some latency regardless of it being in prevention or detection mode as the traffic is inspected by the WAF.

In Detection mode, the WAF doesn't block any request, but the traffic is still inspected by the WAF and is logged.

Refer: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview#waf-modes

As long as the Application gateway has the WAF SKU enabled, disabling rules will not help improve performance.

I would request you to check your Application gateway metrics once, as those metrics can be used to determine whether the observed slowdown is due to the client network, Application Gateway performance, the backend network and backend server TCP stack saturation, backend application performance, or large file size.

Refer: https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-metrics

It's important that you scale your Application Gateway according to your traffic and with a bit of a buffer so that you're prepared for any traffic surges or spikes and minimizing the impact that it may have in your QoS.

Capacity Unit is the measure of capacity utilization for an Application Gateway across multiple parameters.

A single Capacity Unit consists of the following parameters:

2500 Persistent connections
2.22-Mbps throughput
1 Compute Unit

If any of these parameters are exceeded, then another N capacity units are necessary, even if the other two parameters don’t exceed this single capacity unit’s limits.

Each Application gateway instance guarantees a minimum of 10 capacity units in terms of processing capability.

Refer: https://learn.microsoft.com/en-us/azure/application-gateway/understanding-pricing#v2-skus

Also, take a look into the below documents which shares guidelines to help you set up your Application Gateway to handle extra traffic for any high traffic volume that may occur:

https://learn.microsoft.com/en-us/azure/application-gateway/high-traffic-support#manual-scaling-for-application-gateway-v2-sku-standard_v2waf_v2

https://learn.microsoft.com/en-us/azure/well-architected/services/networking/azure-application-gateway#performance-efficiency

My suggestion is to check all the listed metrics here and validate the numbers using the below example:

If there’s a spike in Backend first byte response time trend but the Backend connect time trend is stable, then it can be inferred that the Application gateway to backend latency and the time taken to establish the connection is stable, and the spike is caused due to an increase in the response time of backend application.
If the spike in Backend first byte response time is associated with a corresponding spike in Backend connect time, then it can be deduced that either the network between Application Gateway and backend server or the backend server TCP stack has saturated.
If you notice a spike in Backend last byte response time but the Backend first byte response time is stable, then it can be deduced that the spike is because of a larger file being requested.
Similarly, if the Application gateway total time has a spike but the Backend last byte response time is stable, then it can either be a sign of performance bottleneck at the Application Gateway or a bottleneck in the network between client and Application Gateway.
Additionally, if the client RTT also has a corresponding spike, then it indicates that the degradation is because of the network between client and Application Gateway.

Refer: https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-metrics#metrics-supported-by-application-gateway-v2-sku

Check all the metrics for a given time when you observed latency in your application and compare the data to find where the issue is.

Kindly let us know if the above helps or you need further assistance on this issue.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Share via

Application performance not consistent when using application gateway

0 additional answers

Your answer