Need: publicly available static IP to send telemetry to. Traffic sent to this IP needs to be routed to the Application Insights data collection endpoint
- If we are limited to one IP for outgoing traffic, we can set up signalling and telemetry behind the same static IP using App Gateway; App Gateway may not support all the constraints of signalling
Custom events can be sent as JSON to the collection endpoint
- Won't work; does not support static frontend IPs
- application layer DNS load balancer (won't work)
- transport layer load balancer (won't work)
- Quickstart: Create a Standard Load Balancer
- Won't work; only supports routing traffic to VMs in the same location as the load balancer
- application layer load balancer
- Application Gateway v2 SKU supports static public IP addresses
- Quickstart: Direct web traffic with Azure Application Gateway
- Might work; supports static public IP frontend and FQDN backend pool
- Supports integration with Key Vault for certificate management on HTTPS-enabled listeners in public preview, but without SLA and not recommended for production workloads
- Supports end-to-end SSL (required: appinsights collection endpoint requires HTTPS)
- Create a resource group
- Deploy an Application Gateway to the resource group
- Add a static public IP
- Configure a routing rule (HTTP)
- http://nmcheck.gnome.org/ as a backend pool (http)
- Verify contents through gateway are same as direct hit
- Create a resource group
- Deploy App Insights
- frontend
- backend
- set up a routing rule/listener
- configure end-to-end HTTPS
- add an HTTP setting
- set up Key Vault for certificate management (see Key Vault Setup)
Front end: public static IP
Backend: IP address or hostname dc.services.visualstudio.com
HTTP setting:
cookie based affinity: disabled
connection draining: disabled
protocol: https
use for app service: no
use well known CA certificate: yes
port: 443
request timeout: 20
override backend path: no
use custom probe: no
pick host name from backend address: yes
Listener:
port: 443
protocol: https
certificate: create new
choose from key vault: yes
managed identity: (managed identity name)
key vault: (key vault name)
certificate: (certificate name)
Rule:
listener: https
backend pool: appinsights API
http setting: https
result: accessing the gateway over HTTPS on port 443 with this configuration fails because the listener certificate is not trusted by the client (it is self-signed)
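Added example, not part of the original notes: a PowerShell check for the "verify contents through gateway are same as direct hit" step and for the HTTPS failure recorded above. It sends the same request to the backend directly and to the gateway's static IP, compares status and body, and reports a failure on the gateway leg (which is where the untrusted self-signed listener certificate shows up) separately from a content mismatch. The IP 203.0.113.10 is a documentation address, the instrumentation key is a placeholder, and the custom-event envelope is an assumption drawn from the public v2/track format; all names are made up here.

```powershell
function Compare-GatewayResponse {
    param(
        [Parameter(Mandatory)] [string] $GatewayIp,     # static frontend IP of the gateway
        [Parameter(Mandatory)] [string] $BackendUrl,    # full direct URL, e.g. http://nmcheck.gnome.org/
        [string] $Method = "GET",
        [string] $Body,
        [string] $ContentType = "application/json",
        [switch] $SkipCertificateCheck                  # PowerShell 7+; isolates a listener trust failure
    )
    $u = [uri]$BackendUrl
    # Same scheme and path, addressed to the gateway IP instead of the backend host.
    # The gateway rewrites the Host header itself ("pick host name from backend address: yes").
    $gatewayUrl = "$($u.Scheme)://$GatewayIp$($u.PathAndQuery)"
    $common = @{ Method = $Method; UseBasicParsing = $true; ContentType = $ContentType }
    if ($Body) { $common.Body = $Body }
    $out = [ordered]@{ GatewayUrl = $gatewayUrl; DirectStatus = $null; GatewayStatus = $null
                       Match = $false; GatewayError = $null }

    # Direct hit: the reference response.
    $direct = Invoke-WebRequest -Uri $BackendUrl @common
    $out.DirectStatus = $direct.StatusCode
    try {
        $gw = @{ Uri = $gatewayUrl }
        if ($SkipCertificateCheck) { $gw.SkipCertificateCheck = $true }
        $viaGw = Invoke-WebRequest @gw @common
    } catch {
        # A listener certificate the client does not trust fails here, before any content is exchanged.
        $out.GatewayError = $_.Exception.Message
        return [pscustomobject]$out
    }
    $out.GatewayStatus = $viaGw.StatusCode
    $out.Match = ($direct.StatusCode -eq $viaGw.StatusCode) -and ($direct.Content -eq $viaGw.Content)
    [pscustomobject]$out
}

# 1) HTTP proof of concept from the notes: static content behind an HTTP rule.
Compare-GatewayResponse -GatewayIp "203.0.113.10" -BackendUrl "http://nmcheck.gnome.org/"

# 2) HTTPS path to the collection endpoint with a custom event sent as JSON.
#    Replace the iKey placeholder with the instrumentation key of the App Insights resource.
$event = @{
    name = "Microsoft.ApplicationInsights.Event"
    time = (Get-Date).ToUniversalTime().ToString("o")
    iKey = "00000000-0000-0000-0000-000000000000"
    data = @{ baseType = "EventData"; baseData = @{ ver = 2; name = "gateway-path-check" } }
} | ConvertTo-Json -Depth 5
Compare-GatewayResponse -GatewayIp "203.0.113.10" `
    -BackendUrl "https://dc.services.visualstudio.com/v2/track" -Method POST -Body $event
# With the self-signed listener certificate, GatewayError is set on the second call. Re-running with
# -SkipCertificateCheck confirms that routing works; the fix for real clients is a CA-issued listener cert.
```

Keep `-SkipCertificateCheck` for diagnosis only: telemetry senders in production should never be configured to ignore certificate validation, since the gateway IP is then indistinguishable from anything else answering on that address.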
Overview of end-to-end SSL with Application Gateway
Create a user-assigned managed identity
- assign the managed identity the Contributor role
Configure SSL termination with Key Vault certificates
- Key Vault must be created with "soft delete" enabled
- Generate a certificate through Key Vault
- Create an access policy on the Key Vault allowing the managed identity to GET secrets
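Added example, not the notes' own script: the whole build-out in Az PowerShell, covering the procedure (resource group, gateway v2 with a static public IP, FQDN backend pool, HTTPS setting, listener, rule) and the Key Vault setup (vault, user-assigned identity, access policy, generated certificate). Resource names, the region and address prefixes are assumptions. Two points worth noting against the notes: the access policy with secret GET is all the gateway needs to read the certificate, so the Contributor role assignment is broader than required; and the certificate is self-issued here to reproduce the recorded failure, so clients will reject it until a CA-issued certificate is used.

```powershell
# Assumed names; change to suit. The backend FQDN comes from the notes.
$rg          = "rg-appinsights-gw"
$location    = "westeurope"
$kvName      = "kv-appinsights-gw-0001"      # Key Vault names must be globally unique
$certName    = "agw-listener-cert"
$idName      = "id-agw-keyvault"
$backendFqdn = "dc.services.visualstudio.com"

New-AzResourceGroup -Name $rg -Location $location

# --- Key Vault setup ---
# Soft delete is on by default for new vaults in current Az.KeyVault versions.
New-AzKeyVault -Name $kvName -ResourceGroupName $rg -Location $location

# User-assigned managed identity the gateway presents to Key Vault.
$identity = New-AzUserAssignedIdentity -ResourceGroupName $rg -Name $idName -Location $location

# Least privilege: GET on secrets is the only permission the gateway needs here.
Set-AzKeyVaultAccessPolicy -VaultName $kvName -ObjectId $identity.PrincipalId -PermissionsToSecrets get

# Generate the listener certificate in Key Vault. IssuerName Self reproduces the untrusted
# certificate from the notes; switch to a CA issuer for anything clients must trust.
$policy = New-AzKeyVaultCertificatePolicy -SecretContentType "application/x-pkcs12" `
    -SubjectName "CN=telemetry-gw.example.invalid" -IssuerName Self -ValidityInMonths 12
Add-AzKeyVaultCertificate -VaultName $kvName -Name $certName -CertificatePolicy $policy
# Issuance is asynchronous; wait until the backing secret exists.
do {
    Start-Sleep -Seconds 5
    $kvCert = Get-AzKeyVaultCertificate -VaultName $kvName -Name $certName
} until ($kvCert.SecretId)

# --- Network and static public IP (frontend) ---
$subnetCfg = New-AzVirtualNetworkSubnetConfig -Name "agw-subnet" -AddressPrefix "10.0.0.0/24"
$vnet = New-AzVirtualNetwork -Name "vnet-agw" -ResourceGroupName $rg -Location $location `
    -AddressPrefix "10.0.0.0/16" -Subnet $subnetCfg
$subnet = Get-AzVirtualNetworkSubnetConfig -Name "agw-subnet" -VirtualNetwork $vnet
# The v2 SKU requires a Standard SKU public IP; static allocation gives the fixed address clients use.
$pip = New-AzPublicIpAddress -Name "pip-agw" -ResourceGroupName $rg -Location $location `
    -Sku Standard -AllocationMethod Static

# --- Gateway components matching the HTTP setting / listener / rule in the notes ---
$gwIpCfg = New-AzApplicationGatewayIPConfiguration -Name "gwIpCfg" -Subnet $subnet
$feIpCfg = New-AzApplicationGatewayFrontendIPConfig -Name "feIp" -PublicIPAddress $pip
$fePort  = New-AzApplicationGatewayFrontendPort -Name "fePort443" -Port 443

# Backend pool: the collection endpoint by hostname.
$pool = New-AzApplicationGatewayBackendAddressPool -Name "appinsightsAPI" -BackendFqdns $backendFqdn

# HTTP setting: HTTPS to the backend, affinity off, 20 s timeout, Host header from the backend FQDN.
# Omitting -ConnectionDraining and -Probe leaves draining disabled and the default probe in use.
$httpSetting = New-AzApplicationGatewayBackendHttpSetting -Name "https" -Port 443 -Protocol Https `
    -CookieBasedAffinity Disabled -RequestTimeout 20 -PickHostNameFromBackendAddress

# Listener certificate referenced from Key Vault and fetched with the managed identity.
$sslCert  = New-AzApplicationGatewaySslCertificate -Name $certName -KeyVaultSecretId $kvCert.SecretId
$listener = New-AzApplicationGatewayHttpListener -Name "https" -Protocol Https `
    -FrontendIPConfiguration $feIpCfg -FrontendPort $fePort -SslCertificate $sslCert

$rule = New-AzApplicationGatewayRequestRoutingRule -Name "rule-appinsights" -RuleType Basic `
    -Priority 100 -HttpListener $listener -BackendAddressPool $pool -BackendHttpSettings $httpSetting

$sku        = New-AzApplicationGatewaySku -Name Standard_v2 -Tier Standard_v2 -Capacity 2
$gwIdentity = New-AzApplicationGatewayIdentity -UserAssignedIdentityId $identity.Id

New-AzApplicationGateway -Name "agw-appinsights" -ResourceGroupName $rg -Location $location `
    -Sku $sku -Identity $gwIdentity -GatewayIPConfigurations $gwIpCfg `
    -FrontendIPConfigurations $feIpCfg -FrontendPorts $fePort `
    -BackendAddressPools $pool -BackendHttpSettingsCollection $httpSetting `
    -SslCertificates $sslCert -HttpListeners $listener -RequestRoutingRules $rule

# The static address to hand to telemetry senders.
(Get-AzPublicIpAddress -Name "pip-agw" -ResourceGroupName $rg).IpAddress
```

The certificate reference uses the versioned secret ID returned by Key Vault; passing the versionless ID instead lets the gateway pick up renewed certificates without a redeploy.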
SSL termination with Key Vault certificates
- Application gateway pricing
- Key Vault certificate management for Application Gateway is provided in public preview and without an SLA
- Key Vault for Application Gateway requires v2 SKU
- Application gateway does not require creation/maintenance of additional code
- App service pricing