Azure CDN: For Application running in AKS behind an Application Gateway

As you probably know, a K8s microservices architecture is commonly fronted by an Azure Application Gateway, typically something like the following.

Current Architecture

Here the application gateway sits in front of the AKS cluster, and the ingress controller is the entry point into the cluster.

I won’t go into the detailed configuration of the existing setup because it’s out of scope for this document.

So, what if you need to cache the content served by the k8s pods for users accessing the website from a particular location? Simple answer: use a CDN!

I’ll walk through the configuration that achieves the following, but first we’ll review the existing setup.

New Architecture

Let’s revisit the existing architecture from the DNS provider’s perspective before diving into the Azure CDN configuration. We have an A record for our website pointing to the public IP address of the application gateway.

The gateway listeners perform the http:// to https:// redirection, SSL termination happens at the gateway, and the rest of the path to the backend is plain HTTP.

First we’ll create a new Azure CDN profile and select a pricing tier of our choice.

Creating Azure CDN Profile

There are a few things to consider before selecting one, because each tier comes with its own limitations.

Do read up on the feature differences between the Azure CDN pricing tiers and the restrictions on which certificate authorities (CAs) are accepted for the Azure CDN Standard from Microsoft tier.

If down the road you want more control over the certificate used by the CDN for HTTPS, evaluate whether your CA is supported and choose the profile accordingly.

I selected the Standard Microsoft pricing tier because I’m fine with a different SSL certificate on the CDN.

Create Endpoint

Now that the profile has been created, we need an endpoint configured for our website. The endpoint is where the caching rules, geo-filtering, optimization and so on live.

We’re going with the Custom origin type because we want to bind our website to this endpoint later and the origin is an IP address.

  1. Update the Origin hostname to the public IP address of your application gateway.
  2. Add a specific path for CDN caching, or use the default option (which I did).
  3. Add the website DNS under the origin host header.

(We added the DNS name as the origin host header because the SSL certificate on the application gateway is issued for that name, not for the IP.)

Wait for the endpoint to be created; it takes a while.

Update DNS Record

Once the endpoint is created, we need to create a CNAME record at our DNS provider before proceeding any further.

Make sure the DNS provider’s record for the website now points to that endpoint. You’ll have to wait for this change to propagate, which depends on the TTL previously set on the A record.

You can verify propagation with the following command, and once it is done move on to the next section.

dig example.com

;; ANSWER SECTION:
example.com. 1800 IN CNAME example-ep.azureedge.net.
example-ep.azureedge.net. 1799 IN CNAME example-ep.afd.azureedge.net.
example-ep.afd.azureedge.net. 29 IN CNAME star-azureedge-prod.trafficmanager.net.
star-azureedge-prod.trafficmanager.net. 28 IN CNAME t-0003.t-msedge.net.
t-0003.t-msedge.net. 31 IN CNAME Edge-Prod-DXB30r3.ctrl.t-0003.t-msedge.net.
Edge-Prod-DXB30r3.ctrl.t-0003.t-msedge.net. 239 IN CNAME standard.t-0003.t-msedge.net.
standard.t-0003.t-msedge.net. 71 IN A 13.x.x.13
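A small check for the cutover described above, added here as an example and not part of the original article: it parses a dig ANSWER SECTION, follows the CNAME chain from the site name and reports whether the first hop is the CDN endpoint and what address the chain ends at. The two dig outputs embedded below are constructed (the first mirrors the article’s output, with the masked final address kept as the article shows it; the second is an assumed pre-cutover state with a placeholder gateway IP), and the endpoint name example-ep.azureedge.net is the article’s own placeholder.

```python
import re

# Constructed sample: the ANSWER SECTION after the CNAME change has propagated,
# shaped like the article's dig output (final address masked as in the article).
SAMPLE_AFTER_CUTOVER = """\
;; ANSWER SECTION:
example.com. 1800 IN CNAME example-ep.azureedge.net.
example-ep.azureedge.net. 1799 IN CNAME example-ep.afd.azureedge.net.
example-ep.afd.azureedge.net. 29 IN CNAME star-azureedge-prod.trafficmanager.net.
star-azureedge-prod.trafficmanager.net. 28 IN CNAME t-0003.t-msedge.net.
t-0003.t-msedge.net. 31 IN CNAME Edge-Prod-DXB30r3.ctrl.t-0003.t-msedge.net.
Edge-Prod-DXB30r3.ctrl.t-0003.t-msedge.net. 239 IN CNAME standard.t-0003.t-msedge.net.
standard.t-0003.t-msedge.net. 71 IN A 13.x.x.13

;; Query time: 40 msec
"""

# Constructed sample: before the cutover, the A record still points at a
# placeholder gateway IP (20.0.0.1 is not a real address from the article).
SAMPLE_BEFORE_CUTOVER = """\
;; ANSWER SECTION:
example.com. 1800 IN A 20.0.0.1
"""

# One resource record line: owner, TTL, class IN, type, target/address
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(CNAME|A|AAAA)\s+(\S+)$")


def _norm(name):
    """DNS names are case-insensitive; drop the trailing dot and lower-case."""
    return name.lower().rstrip(".")


def parse_answer_section(dig_output):
    """Return {owner: (ttl, rtype, target)} for records inside ';; ANSWER SECTION:'."""
    records = {}
    in_answer = False
    for raw in dig_output.splitlines():
        line = raw.strip()
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer and line.startswith(";;"):  # a later dig section begins
            break
        match = RR_LINE.match(line)
        if in_answer and match:
            owner, ttl, rtype, target = match.groups()
            records[_norm(owner)] = (int(ttl), rtype, _norm(target))
    return records


def follow_chain(records, name, max_hops=10):
    """Follow CNAMEs from `name`; return (names visited, final address or None)."""
    chain = [_norm(name)]
    while True:
        record = records.get(chain[-1])
        if record is None:
            return chain, None  # chain ends without an A/AAAA in this answer
        _, rtype, target = record
        if rtype != "CNAME":
            return chain, target
        if target in chain or len(chain) > max_hops:
            raise ValueError("CNAME loop or too many hops starting at %s" % name)
        chain.append(target)


def check_cdn_cutover(dig_output, site, endpoint_host):
    """Summarise whether `site` is now delegated to the CDN endpoint."""
    records = parse_answer_section(dig_output)
    chain, address = follow_chain(records, site)
    first_cname = chain[1] if len(chain) > 1 else None
    site_record = records.get(_norm(site))
    return {
        "first_cname": first_cname,
        "points_at_endpoint": first_cname == _norm(endpoint_host),
        "hops": len(chain) - 1,
        "resolved_address": address,
        "site_ttl": site_record[0] if site_record else None,
    }


if __name__ == "__main__":
    for label, sample in (("after", SAMPLE_AFTER_CUTOVER), ("before", SAMPLE_BEFORE_CUTOVER)):
        print(label, check_cdn_cutover(sample, "example.com", "example-ep.azureedge.net"))
```

In practice you would feed it the real output of `dig example.com` and wait until `points_at_endpoint` is true; the `site_ttl` value tells you how long cached copies of the old A record can still linger at resolvers.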

Binding the website with endpoint

  1. Associate our custom domain name with the newly created endpoint.
  2. Enable the HTTPS configuration for CDN content.
  • We have the option to either use our own certificate (the one currently configured on the application gateway) or a CDN-managed certificate.

I used the CDN-managed certificate because my CA was not in the supported list, and I don’t need the CDN certificate’s public key for anything else.

Refer to the link shared earlier regarding the CA limitations if you’re using the Standard from Microsoft tier.

In my case there was an SSL handshake issue between the CDN and the application gateway, for which I performed this additional step.

“Disable the SNI flag for the https protocol listener on application gateway and we can’t do it from the Azure portal (as of now)”. — Azure Support

You can test the configuration before running the script.

curl -i https://example.com
HTTP/2 502
content-length: 25
x-azure-ref-originshield: 0KC3sXwAAAADA3zbb4+OTY=
x-azure-ref: 0KC3sXwAAAAD7I/EvkMRFhCMzBFREdFMDITTY=
date: Thu, 21 Jan 2021 20:27:13 GMT
Request cannot be served

If your website is working fine up to this point you can skip this step, but chances are it won’t be working as expected.

If your website is not working and you’re getting the 502 error, execute the following script.

# Names of the gateway, its resource group and the HTTPS listener (adjust to your environment)
$gatewayName = "myAppGateway"
$resourceGroupName = "shakaib-rg"
$listenerName = "webAppListener"

# Fetch the gateway and the listener object that belongs to it
$appgw = Get-AzApplicationGateway -Name $gatewayName -ResourceGroupName $resourceGroupName
$list = Get-AzApplicationGatewayHttpListener -Name $listenerName -ApplicationGateway $appgw

# Stop requiring SNI on that listener, then write the modified gateway back to Azure
$list.RequireServerNameIndication = $false
Set-AzApplicationGateway -ApplicationGateway $appgw

Open the website in your browser with the developer tools open and check the response headers; you’ll see the following.

x-cache: TCP_HIT
X-Azure-Ref-OriginShield: 06bH9Xw...
X-Azure-Ref: 06bH9XwAAAACXF...

This indicates that content is now being served through the CDN. You can also verify the configuration from the terminal with the following command.

curl -vvl -i https://example.com
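To turn the two curl checks in this article (the 502 “Request cannot be served” response before the SNI change, and the x-cache: TCP_HIT headers afterwards) into something you can script, here is an added example that is not part of the original article: it parses the raw `curl -i` output and classifies what the edge is telling you. The three responses embedded below are constructed (the first two copy the header values the article shows, the third is an assumed response from hitting the gateway directly), and the classification labels are my own naming, not Azure’s.

```python
# Constructed sample: the 502 the article shows when the CDN cannot complete
# the TLS handshake with the application gateway (header values from the article).
RESPONSE_502 = (
    "HTTP/2 502\r\n"
    "content-length: 25\r\n"
    "x-azure-ref-originshield: 0KC3sXwAAAADA3zbb4+OTY=\r\n"
    "x-azure-ref: 0KC3sXwAAAAD7I/EvkMRFhCMzBFREdFMDITTY=\r\n"
    "date: Thu, 21 Jan 2021 20:27:13 GMT\r\n"
    "\r\n"
    "Request cannot be served"
)

# Constructed sample: a cache hit served by the CDN edge (x-cache header as in the article).
RESPONSE_HIT = (
    "HTTP/2 200\r\n"
    "content-type: text/html\r\n"
    "x-cache: TCP_HIT\r\n"
    "X-Azure-Ref-OriginShield: 06bH9Xw...\r\n"
    "X-Azure-Ref: 06bH9XwAAAACXF...\r\n"
    "\r\n"
    "<html>ok</html>"
)

# Constructed sample: what you would see if DNS still sends you straight to the
# gateway (no CDN headers at all); the server value is a placeholder.
RESPONSE_DIRECT = (
    "HTTP/1.1 200 OK\r\n"
    "server: placeholder-gateway\r\n"
    "content-type: text/html\r\n"
    "\r\n"
    "<html>ok</html>"
)


def parse_response(raw):
    """Split `curl -i` output into (status code, lower-cased header dict, body)."""
    text = raw.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    lines = head.splitlines()
    status = int(lines[0].split()[1])  # works for "HTTP/2 502" and "HTTP/1.1 200 OK"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify(raw):
    """Say whether the response came via the CDN and, if so, how the edge handled it."""
    status, headers, _ = parse_response(raw)
    if "x-azure-ref" not in headers:
        return "not_via_cdn"          # DNS has probably not propagated yet
    if status == 502:
        return "cdn_origin_error"     # edge reached, but the origin fetch failed
    cache = headers.get("x-cache", "").upper()
    if "HIT" in cache:
        return "cdn_cache_hit"
    if cache:
        return "cdn_cache_miss"       # e.g. TCP_MISS: fetched from origin this time
    return "cdn_uncached"             # via the edge, but no cache decision reported


if __name__ == "__main__":
    for name, sample in (("502", RESPONSE_502), ("hit", RESPONSE_HIT), ("direct", RESPONSE_DIRECT)):
        print(name, classify(sample))
```

Feed it the output of `curl -i https://example.com` (for example with `subprocess.run`); a result of `cdn_origin_error` right after the DNS cutover is the symptom the SNI script above addresses, while `not_via_cdn` means you are still talking to the gateway directly.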

I’ll cover the other CDN profile configuration, which reuses the same SSL certificate that is configured on the application gateway, in a separate article.


I’m a DevOps Engineer who is exploring the cloud and microservices architecture.