The ARRAffinity cookie is a feature of Azure App Service that lets an end user keep talking to the same App Service worker instance until the session finishes.
A common question when Azure App Service sits behind Azure Application Gateway is
whether the cookie-based affinity feature on Application Gateway can be used instead to maintain session stickiness.
The answer is no. As explained in "Inside the Azure App Service Architecture" (Microsoft Learn), Azure App Service is a distributed system
with its own frontend workers and backend workers.
Enabling cookie-based affinity on the Application Gateway side only ensures that requests from the same end user
are routed to the same App Gateway backend target within a session.
The ARR Affinity cookie feature still has to be enabled on the App Service side
so that the App Service frontend workers forward subsequent requests from the same end user to the same App Service backend worker.
Below is an example solution that lets clients stick to a specific App Service instance throughout the session.
1. Add the custom domain and SSL certificate on App Service.
Although the custom domain should eventually resolve to the public frontend IP address of App Gateway, this step is still necessary for two reasons:
a. The Domain attribute of the ARRAffinity cookie set by App Service is determined by the value of the Host header in HTTP requests.
b. App Service needs a custom domain binding so that the App Service platform can identify the app from the custom domain Host header in HTTP requests.
2. Create a health probe for App Service on the App Gateway side.
Here we set "Pick hostname from backend settings" to "Yes".
3. Create a backend setting for App Service on the App Gateway side.
Here:
a. Enable cookie-based affinity on App Gateway if the App Gateway backend pool has multiple backend targets,
because this cookie ensures that requests from the same end user are routed to the same App Gateway backend target within a session.
If the backend pool has only one backend target, it does not matter whether this cookie is on or off.
b. Override the HTTP Host header with the custom domain added on App Service in step 1.
c. Use the health probe created in the previous step.
4. Add App Service to the backend pool of App Gateway.
Here we select App Service as the backend target type and the default hostname of App Service as the target FQDN.
5. Create a listener for the backend App Service on App Gateway.
Here we set the custom domain configured on App Service in step 1 as the host name that App Gateway listens on for requests
and attach the certificate for the custom domain to App Gateway.
6. Create a routing rule on App Gateway to connect the listener and the backend target configured previously.
7. Change the DNS entry so that the custom domain added in step 1 resolves to the public frontend IP address of App Gateway.
8. Enable the ARRAffinity cookie on App Service.
With the above configuration in place, if we print the value of the affinity cookie attached to end-user requests,
the application log shows that requests with the same affinity cookie value are processed by the same backend App Service worker instance within the session.
Instance: 3f2f
Instance: d1e1
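As an added example (not code from the original post), the Python below checks the two things this setup depends on: that the Domain of the ARRAffinity cookie matches the custom domain the browser uses (reason a in step 1), and that each affinity cookie value in the application log maps to a single instance. The hostnames, cookie values and the "Affinity: ... Instance: ..." log format are constructed assumptions.

```python
import re
from collections import defaultdict
from http.cookies import SimpleCookie

# Constructed sample values (assumptions, not taken from the original post).
CUSTOM_DOMAIN = "www.contoso.example"
# Host header overridden to the custom domain (step 3b):
GOOD_SET_COOKIE = "ARRAffinity=aaaa1111; Path=/; HttpOnly; Secure; Domain=www.contoso.example"
# Host header left as a hypothetical default hostname:
BAD_SET_COOKIE = "ARRAffinity=aaaa1111; Path=/; HttpOnly; Secure; Domain=myapp.azurewebsites.net"
# Assumed application log format: "Affinity: <cookie value> Instance: <id>".
SAMPLE_LOG = """\
Affinity: aaaa1111 Instance: 3f2f
Affinity: bbbb2222 Instance: d1e1
Affinity: aaaa1111 Instance: 3f2f
Affinity: bbbb2222 Instance: d1e1
Affinity: cccc3333 Instance: 3f2f
Affinity: cccc3333 Instance: d1e1
"""

def affinity_domain(set_cookie_header):
    """Return the Domain attribute of the ARRAffinity cookie, or None if absent."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    morsel = jar.get("ARRAffinity")
    return (morsel["domain"] or None) if morsel else None

def browser_would_return(request_host, cookie_domain):
    """Domain-match rule: host equals the cookie domain or is a subdomain of it."""
    if cookie_domain is None:  # host-only cookie, returned to the same host
        return True
    host, domain = request_host.lower(), cookie_domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)

def broken_sessions(log_text):
    """Map each affinity cookie value seen on more than one instance to those instances."""
    seen = defaultdict(set)
    for cookie, instance in re.findall(r"Affinity: (\S+) Instance: (\S+)", log_text):
        seen[cookie].add(instance)
    return {c: sorted(i) for c, i in seen.items() if len(i) > 1}

if __name__ == "__main__":
    for header in (GOOD_SET_COOKIE, BAD_SET_COOKIE):
        domain = affinity_domain(header)
        print(domain, "->", "sticky" if browser_would_return(CUSTOM_DOMAIN, domain) else "cookie dropped")
    print("sessions split across instances:", broken_sessions(SAMPLE_LOG))
```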
Have fun playing around.