
Why does Azure recommend not deploying Azure Application Gateway in the hub network?

As a best practice of Azure networking:

Don't deploy Layer-7 inbound NVAs, such as Azure Application Gateway, as a shared service in the central-hub virtual network. Instead, deploy them together with the application in their respective landing zones.

I wonder about the reasons behind this.

Deploying inbound NVAs in a hub (shared services VNET) may help in that:

  • This VNET can be managed by an experienced Azure administrator rather than by users. If users misconfigure NVAs, administrators can use NSGs to stop traffic (defense in depth).
  • Network administrators can add other NVAs between the inbound NVAs and the backend applications, e.g. for traffic inspection or auditing.

Essentially, the regional Azure Application Gateway provides a customizable layer 7 load-balancing solution. From the configuration, Application Gateway is always deployed in a virtual network subnet. It should be deployed close to the application service region to reduce latency. If not, we need to set up a VPN connection or virtual network peering to connect to the backend cross-region service when using the IP address or hostname. This also adds complex networking infrastructure and is often not flexible to troubleshoot.

Also, there are constraints for peered virtual networks. Some services (Application Gateway (v1) SKU) that use a Basic load balancer don't work over global virtual network peering.
