Application Proxy - multiple datacenters


Hello,
I'm trying to understand how Azure Application Proxy would route the traffic.
I have multiple physical sites with some applications deployed within those datacenters. The locations can all talk to each other through IPsec VPN tunnels between firewalls.
Let's say Location1 has a couple of web applications that I want to publish through the Azure Enterprise Applications portal.

Currently, users in Location1 access Application1 using the link https://application1.domain.com

Application2 - https://application2.domain.com

etc.

The same happens for users in other locations: they are routed over the IPsec tunnel to the corresponding location where the application is hosted.

I deploy multiple dedicated VMs with Azure Application Proxy in each location to accommodate the traffic. As recommended by Microsoft, at least 2 proxies per application group.

Assuming other applications (Application4, Application5, etc.) are deployed in a similar manner across multiple locations,
how should this deployment best be implemented?

What happens for users in Location1 when they try to launch an application that is hosted in the same datacenter they belong to through the Azure Enterprise Applications portal?
What is the traffic pattern here? Are they constantly connected to the Azure Application Proxy service, which in turn communicates through Service Bus with the corresponding Azure Application Proxy agent for Application1, deployed within the same location where Application1 is deployed?

Do we have traffic going back and forth?


Thank you.

3 Replies

@VickVega 

The closest from Microsoft I was able to find:

"Conditional Access requirements:
We do not recommend using Application Proxy for intranet access because this adds latency that will impact users. We recommend using Application Proxy with preauthentication and Conditional Access policies for remote access from the internet. An approach to provide Conditional Access for intranet use is to modernize applications so they can directly authenticate with AAD."


But if that is the case I lose the obvious benefits of having the application published through the Enterprise Applications portal. I need to move the users away from the applications to get the benefit.

@VickVega
Additional details:
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-configure-custom-domain#dns-configuration-options

@VickVega 
So, the bottom line:

1. Use the same FQDN for the application for both types of access, internal and external. Naming, links, etc.
2. Want the benefit of the Enterprise portal? You would have to suffer some performance degradation from up and down traffic on the same pipe.
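The two points above (at least two connectors per connector group, and the same FQDN inside and outside) are things you can audit from the tenant rather than trust from memory. The script below is an added example, not code from the thread or from Microsoft. It assumes the AzureAD PowerShell module is installed and `Connect-AzureAD` has already been run, and it identifies Application Proxy apps through their service principal tag `WindowsAzureActiveDirectoryOnPremApp`. The service does not expose where a connector machine physically sits, so matching a connector group to the datacenter that hosts the app relies on a naming convention of your own (assumption: your group names or machine names carry the site).

```powershell
# Added audit script (not from the thread). Assumes the AzureAD module is loaded
# and Connect-AzureAD has been run with an account that can read app proxy config.
# Checks, per published application:
#   1. at least $minConnectors active connectors in its connector group
#   2. internal and external URLs use the same host name (same FQDN in and out,
#      which is what makes a single link work for intranet and internet users)
#   3. the app is not left on the Default connector group
# and lists the connector machines so you can confirm the group really lives in
# the datacenter that hosts the app (assumption: names carry the site).

$minConnectors = 2

# App Proxy apps are the service principals tagged WindowsAzureActiveDirectoryOnPremApp
$proxySPs = Get-AzureADServicePrincipal -All $true |
    Where-Object { $_.Tags -contains 'WindowsAzureActiveDirectoryOnPremApp' }
$proxyApps = Get-AzureADApplication -All $true |
    Where-Object { $_.AppId -in $proxySPs.AppId }

$report = foreach ($app in $proxyApps) {
    $proxy   = Get-AzureADApplicationProxyApplication -ObjectId $app.ObjectId
    $group   = Get-AzureADApplicationProxyApplicationConnectorGroup -ObjectId $app.ObjectId
    $members = @(Get-AzureADApplicationProxyConnectorGroupMembers -Id $group.Id)
    # Status is reported by the service per connector; 'active' is the healthy value
    $active  = @($members | Where-Object { $_.Status -eq 'active' })

    $internalHost = ([System.Uri]$proxy.InternalUrl).Host
    $externalHost = ([System.Uri]$proxy.ExternalUrl).Host

    $findings = @()
    if ($active.Count -lt $minConnectors) {
        $findings += "only $($active.Count) active connector(s), want $minConnectors"
    }
    if ($internalHost -ne $externalHost) {
        $findings += "internal host '$internalHost' differs from external host '$externalHost'"
    }
    if ($group.IsDefault) {
        $findings += 'assigned to the Default connector group'
    }

    [PSCustomObject]@{
        App              = $app.DisplayName
        ConnectorGroup   = $group.Name
        Connectors       = ($members.MachineName -join ', ')
        ActiveConnectors = $active.Count
        Findings         = ($findings -join '; ')
    }
}

# Apps with findings first, so the ones needing attention are at the top
$report | Sort-Object { $_.Findings -eq '' } | Format-Table -AutoSize
```

Run it after each change to connector groups or published URLs; an app whose internal and external hosts differ is exactly the case where Location1 users keep hitting the on-prem link and never go through the portal, while an app with a single active connector loses the redundancy the thread's "2 per application group" recommendation is about.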