Azure Standard Application Gateway
This topic explains how to use an Azure Standard Application Gateway (Layer 7) for your Turbine deployment. Two load balancers are required for this deployment. The Azure Standard Application Gateway (Layer 7) is used for external access to the Turbine platform and the Turbine Platform Installer. An additional Azure Load Balancer (Layer 4) is still required for the internal cluster communication.
Important! Azure recommends using the newer Standard_v2 Application Gateway. Instructions for that can be found here.
Architecture Diagram
Standard Application Gateway for the Turbine Platform and the Turbine Platform Installer
- Create an Azure Standard Application Gateway with the following settings:
  - Resource Group: set according to your organization's standards
  - Region: must match that of the virtual machines that Turbine will be installed on
  - Tier: set to Standard
  - Instance Count: set to the number of virtual machines you will have in your Turbine cluster
  - SKU Size: set according to your organization's standards
  - Virtual Network: set according to your organization's standards
    - The virtual network that the Application Gateway is in needs to be able to communicate with the virtual network that the Turbine virtual machines are in
  - Frontend IP Address Type: set according to your organization's standards
Backend Pools
- Create the following Backend Pools:
  - Port 443
    - Add the IP of each virtual machine that Turbine will be installed on
  - Port 8800
    - Add the IP of each virtual machine that Turbine will be installed on
Routing Rules
- Create the following Routing Rules:
  - Port 443
    - Frontend IP: set to the IP that was selected above
    - Protocol: set to HTTPS
    - Port: set to 443
    - Listener Type: set to Basic
    - Backend Targets
      - Target Type: set to Backend Pool
      - Backend Target: set to the Port 443 backend pool created above
    - HTTP Settings
      - Backend Protocol: set to HTTPS
      - Backend Port: set to 4443
        - Note that this is 4443 and not 443
      - Backend Authentication Certificate
        - Use for App Service: set to No
        - CER Certificate: set to the certificate uploaded for the Swimlane Web backend on the Turbine Platform Installer config page
          - More information on how to export this certificate in the right format can be found in Azure's Certificates for Backend Authentication documentation
      - Request time-out: may vary based on your preferences for how long the load balancer will wait for a response from the backend before returning a "connection timed out" error message
      - Override with new host name: set to Yes
      - Host Name Override: set to Override with specific domain name
        - Set the host name override field to the hostname of the certificate uploaded for the Turbine Web backend on the Turbine Platform Installer config page
      - Create custom probes: set to No
  - Port 8800
    - Frontend IP: set to the IP that was selected above
    - Protocol: set to HTTPS
    - Port: set to 8800
    - Listener Type: set to Basic
    - Backend Targets
      - Target Type: set to Backend Pool
      - Backend Target: set to the Port 8800 backend pool created above
    - HTTP Settings
      - Backend Protocol: set to HTTPS
      - Backend Port: set to 8800
      - Backend Authentication Certificate
        - Use for App Service: set to No
        - CER Certificate: set to the certificate uploaded for the Turbine Platform Installer UI
          - More information on how to export this certificate in the right format can be found in Azure's Certificates for Backend Authentication documentation
      - Request time-out: may vary based on your preferences for how long the load balancer will wait for a response from the backend before returning a "connection timed out" error message
      - Override with new host name: set to Yes
      - Host Name Override: set to Override with specific domain name
        - Set the host name override field to the hostname of the certificate uploaded for the Turbine Platform Installer UI
      - Create custom probes: set to No
  - Optional - Port 80
    - Used for the HTTP to HTTPS redirect and can be excluded if you only want HTTPS/443 to be available
    - Frontend IP: set to the IP that was selected above
    - Protocol: set to HTTP
    - Port: set to 80
    - Listener Type: set to Basic
    - Backend Targets
      - Target Type: set to Redirection
      - Redirection Type: set to Permanent
      - Redirection Target: set to Listener
      - Target Listener: set to the Port 443 listener created above
      - Include Query String: set to Yes
      - Include Path: set to Yes
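The portal steps above, expressed as Azure CLI calls so the configuration can be reviewed and repeated. This is an added example, not Swimlane's or Azure's own tooling. Resource names, the VM addresses, the host names and the certificate paths are assumed values that you override through the environment; the default object names `appGatewayFrontendIP`, `appGatewayHttpListener` and `appGatewayBackendHttpSettings` are the ones `az network application-gateway create` produces and are reused for the Port 443 rule. With `DRY_RUN=1` (the default) the script only prints the commands it would run, which is the plan to check before setting `DRY_RUN=0`.

```shell
#!/usr/bin/env bash
# Added example (not Swimlane's or Azure's own tooling): the Standard (v1) Application
# Gateway settings from the steps above, expressed as Azure CLI calls. Resource names,
# addresses, host names and certificate paths are assumed values; override them via
# the environment. DRY_RUN=1 (the default) only prints the az commands; DRY_RUN=0 runs them.
set -eu

RG="${RG:-turbine-rg}"; LOCATION="${LOCATION:-eastus}"   # region must match the Turbine VMs
AGW="${AGW:-turbine-agw}"; PIP="${PIP:-turbine-agw-pip}"
VNET="${VNET:-agw-vnet}"; SUBNET="${SUBNET:-agw-subnet}" # gateway subnet, routable to the VM vnet
VM_IPS="${VM_IPS:-10.0.1.4 10.0.1.5 10.0.1.6}"           # constructed sample VM addresses
WEB_HOST="${WEB_HOST:-turbine.example.com}"              # host name on the Swimlane Web backend cert
KOTS_HOST="${KOTS_HOST:-installer.example.com}"          # host name on the Platform Installer cert
WEB_PFX="${WEB_PFX:-./web.pfx}"; KOTS_PFX="${KOTS_PFX:-./kots.pfx}"                 # frontend TLS certs
WEB_CER="${WEB_CER:-./web-backend.cer}"; KOTS_CER="${KOTS_CER:-./kots-backend.cer}" # Base-64 .cer trust anchors
PFX_PASSWORD="${PFX_PASSWORD:-}"

# Print the command in plan mode, execute it otherwise.
run() { if [ "${DRY_RUN:-1}" = "1" ]; then printf 'az %s\n' "$*"; else az "$@"; fi; }
agw() { run network application-gateway "$@" --gateway-name "$AGW" --resource-group "$RG"; }

plan_application_gateway() {
  vm_count=0; for _ip in $VM_IPS; do vm_count=$((vm_count + 1)); done

  # Gateway: one instance per Turbine VM, frontend 443, backend 4443 over HTTPS (not 443).
  # 'create' also produces the default objects appGatewayFrontendIP, appGatewayHttpListener,
  # appGatewayBackendPool and appGatewayBackendHttpSettings, which the Port 443 rule reuses.
  run network application-gateway create --name "$AGW" --resource-group "$RG" --location "$LOCATION" \
    --sku Standard_Medium --capacity "$vm_count" --vnet-name "$VNET" --subnet "$SUBNET" \
    --public-ip-address "$PIP" --frontend-port 443 --cert-file "$WEB_PFX" --cert-password "$PFX_PASSWORD" \
    --http-settings-port 4443 --http-settings-protocol Https --servers $VM_IPS

  # Backend authentication certificates: the gateway must explicitly trust each backend cert.
  agw auth-cert create --name web-backend --cert-file "$WEB_CER"
  agw auth-cert create --name kots-backend --cert-file "$KOTS_CER"

  # Port 443 HTTP settings: re-encrypt to 4443, pin the backend cert, and override the Host
  # header with the name on that cert so backend TLS validation succeeds. No custom probe.
  agw http-settings update --name appGatewayBackendHttpSettings --port 4443 --protocol Https \
    --auth-certs web-backend --host-name "$WEB_HOST" --timeout 30

  # Port 8800: Turbine Platform Installer UI with its own pool, listener, settings and rule.
  agw address-pool create --name Port8800 --servers $VM_IPS
  agw frontend-port create --name port8800 --port 8800
  agw ssl-cert create --name kots-frontend --cert-file "$KOTS_PFX" --cert-password "$PFX_PASSWORD"
  agw http-listener create --name Port8800-listener --frontend-ip appGatewayFrontendIP \
    --frontend-port port8800 --ssl-cert kots-frontend
  agw http-settings create --name Port8800-settings --port 8800 --protocol Https \
    --auth-certs kots-backend --host-name "$KOTS_HOST" --timeout 30
  agw rule create --name Port8800 --rule-type Basic --http-listener Port8800-listener \
    --address-pool Port8800 --http-settings Port8800-settings

  # Optional Port 80: permanent redirect to the 443 listener, keeping path and query string.
  agw frontend-port create --name port80 --port 80
  agw http-listener create --name Port80-listener --frontend-ip appGatewayFrontendIP --frontend-port port80
  agw redirect-config create --name http-to-https --type Permanent \
    --target-listener appGatewayHttpListener --include-path true --include-query-string true
  agw rule create --name Port80 --rule-type Basic --http-listener Port80-listener --redirect-config http-to-https
}

plan_application_gateway
```

The `.cer` files are the Base-64 encoded backend certificates exported as described in Azure's Certificates for Backend Authentication documentation; the `.pfx` files are the certificates the gateway presents to clients on 443 and 8800. Run the script once in plan mode and confirm the backend port reads 4443 and the host-name overrides match the certificates before executing it.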
Network Security Groups
For Azure Standard Application Gateways, ingress port access is defined in the network security groups used by the subnets. The port requirements are available in System Requirements, External Access. Azure requires special ports to be open for the subnets that Application Gateways are in. More information can be found in Azure's Application Gateway Infrastructure Configuration documentation.
Load Balancer for internal cluster communication
- Create a Public Azure Load Balancer with the following settings:
  - Resource Group: set according to your organization's standards
  - Region: must match that of the virtual machines that Turbine will be installed on
  - Type: set to Public
    - This has to be set to Public because internal load balancers do not support hairpinning
    - Access to the virtual machines should still be restricted by network security groups
  - SKU: set to Standard
  - Tier: set to Regional
  - Public IP Address: either create a new Public IP Address or select an existing one
  - Availability Zone: set to Zone-redundant
Backend Pools
- Create the following Backend Pool:
  - Port 6443
    - Backend Pool Configuration: set to NIC
    - IP Version: set to IPv4
    - Virtual Machines
      - Add the first virtual machine that you'll be running the Turbine Platform Installer on to the backend pool
      - After Turbine has been installed on the additional nodes, they need to be added to this backend pool
Health Probes
- Create the following Health Probe:
  - Port 6443
    - Protocol: set to TCP
    - Port: set to 6443
    - Interval and Unhealthy Threshold: may vary based on your preferences for how quickly a virtual machine should become unhealthy in order to stop receiving traffic
Load Balancing Rules
- Create the following Load Balancing Rule:
  - Port 6443
    - IP Version: set to IPv4
    - Frontend IP Address: set to the IP that was chosen when the load balancer was created
    - Protocol: set to TCP
    - Port: set to 6443
    - Backend Port: set to 6443
    - Backend Pool: set to the Port 6443 backend pool created above
    - Health Probe: set to the Port 6443 health probe created above
    - Floating IP: set to Disabled
    - Outbound Source Network Address Translation: set to Outbound and inbound use the same IP
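The load balancer steps above as Azure CLI calls, added here as an example that is not Swimlane's or Azure's own tooling. The resource names, the NIC name of the first node and the `ipconfig1` IP configuration name are assumptions; the probe interval and threshold are left as variables because the page leaves them to your preference. As in the gateway example, `DRY_RUN=1` (the default) prints the plan and `DRY_RUN=0` executes it.

```shell
#!/usr/bin/env bash
# Added example (not Swimlane's or Azure's own tooling): the Layer 4 load balancer for
# cluster traffic on 6443, as Azure CLI calls. Resource and NIC names are assumed
# values; override them via the environment. DRY_RUN=1 (the default) only prints the
# az commands; DRY_RUN=0 runs them.
set -eu

RG="${RG:-turbine-rg}"; LOCATION="${LOCATION:-eastus}"   # region must match the Turbine VMs
LB="${LB:-turbine-cluster-lb}"; LB_PIP="${LB_PIP:-turbine-cluster-lb-pip}"
# NIC of the first VM, the one the Turbine Platform Installer runs on (assumed name).
# Add the remaining nodes' NICs here once Turbine is installed on them.
NICS="${NICS:-turbine-node-1-nic}"
PROBE_INTERVAL="${PROBE_INTERVAL:-5}"; PROBE_THRESHOLD="${PROBE_THRESHOLD:-2}"

# Print the command in plan mode, execute it otherwise.
run() { if [ "${DRY_RUN:-1}" = "1" ]; then printf 'az %s\n' "$*"; else az "$@"; fi; }

plan_cluster_load_balancer() {
  # Zone-redundant Standard public IP. A public frontend is required because internal
  # load balancers do not support hairpinning; NSGs still restrict who can reach the VMs.
  run network public-ip create --name "$LB_PIP" --resource-group "$RG" --location "$LOCATION" \
    --sku Standard --zone 1 2 3

  # Standard SKU (regional by default) with one frontend and one NIC-based backend pool.
  run network lb create --name "$LB" --resource-group "$RG" --location "$LOCATION" --sku Standard \
    --public-ip-address "$LB_PIP" --frontend-ip-name frontend-6443 --backend-pool-name Port6443

  # TCP probe on 6443; interval and threshold set how fast an unhealthy node stops receiving traffic.
  run network lb probe create --lb-name "$LB" --resource-group "$RG" --name Port6443 \
    --protocol Tcp --port 6443 --interval "$PROBE_INTERVAL" --threshold "$PROBE_THRESHOLD"

  # 6443 -> 6443, floating IP disabled, outbound and inbound share the frontend IP.
  run network lb rule create --lb-name "$LB" --resource-group "$RG" --name Port6443 --protocol Tcp \
    --frontend-port 6443 --backend-port 6443 --frontend-ip-name frontend-6443 \
    --backend-pool-name Port6443 --probe-name Port6443 --floating-ip false --disable-outbound-snat false

  # NIC-based membership: each node's IPv4 ipconfig (assumed name ipconfig1) joins the pool.
  for nic in $NICS; do
    run network nic ip-config address-pool add --nic-name "$nic" --resource-group "$RG" \
      --ip-config-name ipconfig1 --lb-name "$LB" --address-pool Port6443
  done
}

plan_cluster_load_balancer
```

Re-run the last step with `NICS` set to the additional nodes' NICs after Turbine has been installed on them, which is the point at which the page says they are to be added to the pool.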
Network Security Groups
For Azure Load Balancers, ingress port access is defined in the Network Security groups used by the virtual machines and subnets. The port requirements are available in System Requirements, External Access.
Turbine Configuration
Azure Application Gateways require explicit trust of the backend certificates, so be sure to upload your own certificate for the Turbine Platform Installer UI and for the Turbine platform.
Be sure to enable the Expose the Swimlane Web service externally option on the Turbine Platform Installer UI config tab.