15

Currently I have a Service Fabric cluster with 2 stateless services hosting Asp Web APIs. When the cluster was created, the appropriate Azure Load Balancers were created as well.

Now I would like to add an Application Gateway in front of my cluster for various reasons such as SSL offloading, URL routing, etc.

I'd like to understand how to configure the Application Gateway correctly. I see 2 options, not sure which one is valid:

  • Application Gateway replaces the existing Load Balancer and points directly to SF services hosting WebApi
  • I keep existing LB configuration and Application Gateway points to this LB (seems like 1 LB solution too many)

Which one is correct? Any advice on how to configure it?

filip
  • Did you get this resolved? Which approach did you take? I'd like to know how to do this as I'm also evaluating doing the same in one of my projects. – Hiral Desai Jun 06 '17 at 01:03
  • 1
    Note the 20 port backend limit for app gateway and sf which requires one service per port. – user1496062 Jul 04 '17 at 17:15

4 Answers

6

Approach 2 is what we are using. We have kept the load balancer, and it routes any request received from the Application Gateway. We found this to be the easiest and simplest choice, as it involves minimal changes to the Application Gateway.

Satya Tanwar
  • Satya, do you use the SF LB's public IP for the backend pool of the app gateway or the internal IP of each SF node? – Steve L. Mar 27 '18 at 02:24
  • 1
    We have kept the configuration minimal so far utilizing the load balancer which exposes the public IP address. This way we don't have to add multiple configuration rules to different nodes. Also this will shield you from future changes if you scale out your cluster. Otherwise any addition of node needs to be added to routing/monitoring config. – Satya Tanwar Mar 27 '18 at 18:33
  • Thanks, Satya. We recently horizontally scaled our cluster so we had to add the individual IPs of the cluster nodes to the AG's backend pool. I like your approach better because it only requires the IP (or FQDN) of the cluster LB. – Steve L. Mar 28 '18 at 19:14
0

Your two web APIs can run on every node in the VM scale set. The Azure Load Balancer is used to distribute traffic over those nodes. Targeting a single service on a single node will reduce scalability and fault tolerance.

You could use the App Gateway to translate incoming requests to different ports on the Load Balancer. (E.g. direct traffic to API 1 @url ~/1/ and API 2 @url ~/2/)

Favor using load balancing rules (using all nodes) over NAT redirections (to single nodes). This way you'll have a performant, reliable system.

LoekD
  • And what if I add all SF nodes to AG backend pool, the same way the regular LB does it and skip the LB? – filip Nov 02 '16 at 10:47
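
The path-to-port mapping described in the answer above, sketched as an ARM template fragment. This is an added example, not part of the original thread or any poster's configuration. The ports 8081 and 8082, the `agwId` variable, the `httpsListener` name and the `<cluster-lb-fqdn>` placeholder are assumptions.

```json
// Fragment of the "properties" object of a Microsoft.Network/applicationGateways resource.
// Assumptions (not from the thread): API 1 is published on LB port 8081, API 2 on 8082;
// variables('agwId') holds this gateway's resource ID; a listener 'httpsListener' exists.
"backendAddressPools": [
  {
    "name": "sfClusterLb",
    // Single backend: the cluster load balancer, so scaling the node set needs no change here.
    "properties": { "backendAddresses": [ { "fqdn": "<cluster-lb-fqdn>" } ] }
  }
],
"backendHttpSettingsCollection": [
  { "name": "api1Http",
    "properties": { "port": 8081, "protocol": "Http", "cookieBasedAffinity": "Disabled" } },
  { "name": "api2Http",
    "properties": { "port": 8082, "protocol": "Http", "cookieBasedAffinity": "Disabled" } }
],
"urlPathMaps": [
  {
    "name": "apiPaths",
    "properties": {
      // Requests matching no path rule fall back to API 1 (an arbitrary choice for this sketch).
      "defaultBackendAddressPool": { "id": "[concat(variables('agwId'), '/backendAddressPools/sfClusterLb')]" },
      "defaultBackendHttpSettings": { "id": "[concat(variables('agwId'), '/backendHttpSettingsCollection/api1Http')]" },
      "pathRules": [
        { "name": "api1",
          "properties": {
            "paths": [ "/1/*" ],
            "backendAddressPool": { "id": "[concat(variables('agwId'), '/backendAddressPools/sfClusterLb')]" },
            "backendHttpSettings": { "id": "[concat(variables('agwId'), '/backendHttpSettingsCollection/api1Http')]" } } },
        { "name": "api2",
          "properties": {
            "paths": [ "/2/*" ],
            "backendAddressPool": { "id": "[concat(variables('agwId'), '/backendAddressPools/sfClusterLb')]" },
            "backendHttpSettings": { "id": "[concat(variables('agwId'), '/backendHttpSettingsCollection/api2Http')]" } } }
      ]
    }
  }
],
"requestRoutingRules": [
  { "name": "routeByPath",
    "properties": {
      "ruleType": "PathBasedRouting",
      "httpListener": { "id": "[concat(variables('agwId'), '/httpListeners/httpsListener')]" },
      "urlPathMap": { "id": "[concat(variables('agwId'), '/urlPathMaps/apiPaths')]" } } }
]
```

Both path rules share one backend pool and differ only in the HTTP settings, which is where the target port on the load balancer is selected.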
0

Solution 2 would also provide the possibility to create a VPN connection, e.g. to manage your cluster. Then there is no need to expose the management endpoint to the public. An internal LB also brings additional features to utilize in the future.

JPKK
-2

I would go with your first option. To implement it, create or modify your ARM template so that it doesn't contain the load balancer and instead contains the application gateway.

Here is a link to the quick starts for ARM templates which you can use. There isn't an out of the box example for service fabric with a gateway but it will give you a great starting place.

link

jimpaine