Deploying Web Access with Azure Front Door


This guide is intended for IT infrastructure architects and DevOps professionals responsible for deploying or enabling Web Access in the Azure public cloud.

This guide applies to Nasuni Edge Appliance 10.1 and higher.

Introduction

Azure Front Door is a cloud-based content delivery network (CDN) service that improves download performance and optimizes traffic over high-bandwidth connections.

The simplest way to set up Front Door is to expose the Edge Appliance to the internet through a public IP address that allows access only from Front Door. This guide focuses on that configuration and does not cover setups using Azure Private Links.

Prerequisites

  • The account setting “Restrict Session IP” must be set to False by Nasuni Support.

  • An Edge Appliance must be deployed to Azure and joined to the NMC.

  • A public Fully Qualified Domain Name (FQDN) for your instance and corresponding SSL/TLS server certificate.

  • Access to DNS to set up the FQDN.

Account Configuration

By default, Web Access restricts sessions to a single IP address. Because requests routed through Front Door might originate from different IP addresses, this restriction must be disabled.

To have Restrict Session IP disabled for Web Access, contact Nasuni Support. For more information, see Web Access - Deployment Architecture and Sizing.

Restricting the Public IP

To allow only HTTPS access via the Azure Front Door servers, follow these steps:

  1. Log in to Azure.

  2. Navigate to Virtual Machines and select the Edge Appliance instance.

  3. Expand the Networking category and select Network Settings. A public IP address displays in the right-hand panel. If an IP is not configured, follow these steps:

    1. Click the Configure link. The NIC network settings load.

    2. Click ipconfig1 to load the Edit IP configuration window.

    3. Check the Associate public IP address checkbox. A dropdown box appears, populated with a new public IP address. Alternatively, create a new public IP address by clicking Create a public IP address, followed by Save.

    4. Navigate to the Networking category and click Network settings to refresh the page. The new IP address is displayed.

  4. Scroll down to Rules and click HTTPS. An HTTPS window opens on the right side.

  5. Using the Source drop-down, select Service Tag.

  6. Using the Source service tag drop-down, select AzureFrontDoor.Backend.

  7. Enter “*” in the Source port ranges field.

  8. Using the Destination drop-down, select Any.

  9. Set the Service field to HTTPS.

  10. Click Save.
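
To confirm the result of these steps, the following added example (not part of the Nasuni guide or its tooling) audits a network security group export for inbound allow rules that still open port 443 to sources other than the AzureFrontDoor.Backend service tag. The sample rules are constructed, the field names are assumed to match the JSON printed by `az network nsg show`, and the check is conservative: it does not model higher-priority deny rules.

```python
import json

FD_TAG = "AzureFrontDoor.Backend"  # service tag selected in step 6
# Constructed sample in the shape printed by `az network nsg show` (only the
# fields the audit reads). Rule names and priorities are made up.
SAMPLE_NSG = json.loads("""
{"securityRules": [
 {"name": "HTTPS", "priority": 300, "direction": "Inbound", "access": "Allow",
  "protocol": "Tcp", "sourceAddressPrefix": "AzureFrontDoor.Backend",
  "destinationPortRange": "443", "destinationPortRanges": []},
 {"name": "legacy-web", "priority": 310, "direction": "Inbound", "access": "Allow",
  "protocol": "*", "sourceAddressPrefix": "*",
  "destinationPortRange": null, "destinationPortRanges": ["80", "400-500"]}
]}
""")

def _values(rule, single, plural):
    """Merge the singular and plural forms Azure uses for the same field."""
    merged = list(rule.get(plural) or [])
    if rule.get(single):
        merged.append(rule[single])
    return merged

def covers_port(rule, port=443):
    """True if any destination port range on the rule includes `port`."""
    for r in _values(rule, "destinationPortRange", "destinationPortRanges"):
        lo, _, hi = r.partition("-")
        if r == "*" or int(lo) <= port <= int(hi or lo):
            return True
    return False

def audit_https_exposure(nsg):
    """Return (rule name, offending sources) for each inbound allow rule that
    opens TCP 443 to anything other than the Front Door service tag."""
    findings = []
    for rule in sorted(nsg.get("securityRules", []), key=lambda r: r["priority"]):
        if (rule["direction"].lower(), rule["access"].lower()) != ("inbound", "allow"):
            continue
        if rule["protocol"].lower() not in ("tcp", "*") or not covers_port(rule):
            continue
        bad = [s for s in _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
               if s != FD_TAG]
        if bad:
            findings.append((rule["name"], bad))
    return findings

if __name__ == "__main__":
    print(audit_https_exposure(SAMPLE_NSG))
```

An empty result means every rule that admits HTTPS is limited to the Front Door service tag; the constructed sample reports the wide-open legacy-web rule whose 400-500 range includes 443.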

Adding a Valid Certificate to the Edge Appliance

Azure Front Door requires a properly signed certificate on the origin (Edge Appliance).

To add the certificate to an Edge Appliance, log in to the Edge Appliance on port 8443 and navigate to Configuration → SSL Certificates. A certificate can be generated by clicking Generate Certificate or uploaded by clicking Upload Certificate.

Adding an Azure Front Door

To add a Front Door, follow these steps:

  1. Log in to Azure.

  2. Navigate to the search bar and enter “front door”. Services are displayed in the search result. Select Front Door.

  3. Click Create front door.

  4. Click Quick create.

  5. Enter the following Front Door profile attributes:

    1. Subscription: Use this drop-down to select your subscription.

    2. Resource group: Use this drop-down to choose a resource group.

    3. Name: Enter a name.

    4. Tier: Click Standard.

    5. Endpoint name: Generates a DNS record for all of the IPs.

    6. Origin type: Public IP address.

    7. Origin host name: Use this drop-down to pick the hostname IP address.

    8. Caching: Leave blank.

    9. WAF Policy: Leave blank.

  6. Click Review + create.

  7. Review the profile for accuracy, and click Create.

  8. Click Go to resource and proceed to the Editing the Front Door section.

Editing the Front Door

After provisioning an Azure Front Door, use the following sections to complete the setup.

Origins

To update the origin group, follow these steps:

  1. From the left-hand menu, expand Settings, and click Origin groups.

  2. Click default-origin-group. An Update origin group panel opens on the right side.

  3. Uncheck the Enable session affinity checkbox.

  4. (Optional) To enable health probes, click Enable health probes and enter the following configuration into the provided fields:

    1. Path: /fs/auth/login

    2. Protocol: HTTPS

    3. Probe Method: Get

    4. Interval (in seconds): 100

  5. Navigate to the Origin host name, and click the “”, followed by edit.

  6. Using the Update origin panel, uncheck the Enable the validation checkbox. The rest of the fields remain unchanged.

  7. Click Apply.

  8. Click Update.

Note: It might take a few minutes for the origin to update.

Rule Sets

After configuring the origin, create a rule set.

To create a rule set, follow these steps:

  1. Navigate to the left-side menu, expand the Settings category, and click Rule sets.

  2. Click +Add.

  3. Enter a Rule set name.

  4. Click Add a condition.

  5. Use the Operator drop-down to select Equal.

  6. Click Edit in the Values field and use the right-side panel to enter “/”.

  7. At the bottom of the Edit panel, click Update.

  8. Click Add an action.

  9. Use the Redirect type drop-down to select Temporary redirect.

  10. Use the Redirect protocol drop-down to select HTTPS.

  11. In the Destination path field, enter “/fs”.

  12. Click Save.

Routes

After configuring the rule set, you must configure the routes.

To configure the Front Door routes, follow these steps:

  1. Navigate to the left-side menu, expand the Settings category, and click Front door manager.

  2. Click Default route.

  3. Navigate to Redirect and check the Redirect all traffic to use HTTPS checkbox.

  4. Next to Forwarding protocol, click the HTTPS only radio button.

  5. Click the Rule set drop-down, and select the rule set created in the previous step.

  6. Click Update.

Testing

After completing the Azure Front Door configuration, follow these steps to confirm a proper setup:

  1. Navigate to the left-side menu, and click Overview.

  2. Copy the Endpoint hostname by clicking .

  3. Paste the endpoint hostname into a browser and confirm that the Web Access page is displayed.

Note: If the redirect rule is not set up or working, append “/fs” to the URL.

FQDN Setup

To use a custom FQDN for a Web Access instance, create a CNAME record in the customer’s DNS that points to the endpoint hostname obtained in the previous step. After the FQDN is registered in DNS, configure the domain.

To set up the FQDN, follow these steps:

  1. Log in to portal.azure.com.

  2. Navigate to Virtual Machines and select the Edge Appliance instance.

  3. Expand the Settings category and select Domains.

  4. Click +Add.

  5. Choose a Domain type.

    1. Non-Azure validated domain: Validates the domain with a non-Azure service.

    2. Azure pre-validated domain: Use Azure to pre-validate the domain.

  6. Choose your method of DNS Management.

    1. Azure managed DNS: Manage the DNS with Azure.

    2. All other DNS services: Use a service that is not Azure.

  7. Use the Custom domain field to enter your custom domain. For example, www.yourdomain.com.

  8. Choose a Certificate type.

    1. Select AFD managed (Recommended) to have Azure create the certificate for you.

      Note: You must create a CNAME record or a TXT record (if DNS validation is used) in your DNS host that points to the Front Door endpoint.

    2. Select Bring your own certificate to upload your own certificate.  

  9. Use the TLS policy drop-down to select the latest policy.

  10. Click Add.

  11. Under the Validation state column, click Pending.

    1. The Validate custom domain ownership panel displays on the right side with instructions on verifying ownership of the domain.

  12. Under the Settings category, click Front Door Manager.

  13. Click the default-route.

  14. Click the Domains drop-down, and select the additional domain.

  15. Click Update.

For more information, see Azure documentation at Domains in Azure Front Door.