Azure Application Gateway is a sophisticated resource
capable of being a firewall, reverse proxy, http listener, router and many
more. Among the salient ways in which it is used for directing traffic to
backend app services, path-based routing is one of the widely. But
practitioners often encounter errors that they might quickly blame it on the
gateway and look for documentation to overcome them. There’s quite a few of
them and due to the high number of configuration variations involving web
traffic, it is not easy to find the right fix for specific error codes.
This article talks about two such error codes that are often
considered to be time taking to resolve but the resolutions are explained here.
First, is the error encountered when expanding `url_path_map`. There is a conflict between
`backend_address_pool_name` and `redirect_configuration_name` (back-end pool
not applicable when redirection specified) 
Every
url path can be routed in one of two ways, it can be routed to a backend pool
member, or it can be redirected to an external location. The directions this
traffic takes are exactly the opposite with one going towards the backend and
another going towards the client. That is why the same path rule cannot have
both specified. In such a case, the resolution is to split the rules to serve
the client or the backend. The rules can split the path as well with one
targeting say /path/subpath1 and another targeting the remaining as /path/*.
There are no exclusions to author the paths so ordering the specific rules
before the general rules is helpful. In general, we can have arbitrary path and
how we sequence the rules depends on us.
A
sample path map would be like this:
   
url_path_maps = [
      {
   
    default_backend_address_pool_name =
"default-pool"
        default_backend_http_settings_name
=  "myapps-nonprod-setting"
        name = 
"myapps-nonprod-rule"
        path_rules =  [
          {
            backend_address_pool_name =  null
            backend_http_settings_name =  null
            name =  "fn-demo-7-docs"
            paths =  [
              "/fn-demo-7/docs"
            ]
            rewrite_rule_set_name = null
            redirect_configuration_name =
"fn-demo-7-appdocs"
          },
          {
            backend_address_pool_name =  "fn-demo-7"
            backend_http_settings_name =  "myapps-nonprod-setting"
            name =  "fn-demo-7"
            paths =  [
              "/fn-demo-7/*"
            ]
            rewrite_rule_set_name =
"location-header-rewrite"
            redirect_configuration_name = null
          }
        ]
      }
   
]
Second, error encountered is called
ApplicationGatewayPathOverrideAndUrlModificationNotSupported and comes with the
error message: The request routing rule
/subscriptions/***/resourceGroups/rg-demo-7/providers/Microsoft.Network/applicationGateways/gwy-demo-7/requestRoutingRules/myapps-nonprod-rule
associated with this rewrite action properties.rewriteRuleSets[0].properties.rewriteRules[0].actionSet
has the override back-end path switch enabled in the HTTP setting
/subscriptions/***/resourceGroups/rg-demo-07/providers/Microsoft.Network/applicationGateways/gwy-demo-7/backendHttpSettingsCollection/myapps-nonprod-setting.
Either disable this switch or remove url rewrite action set
properties.rewriteRuleSets[0].properties.rewriteRules[0].actionSet.urlConfiguration.
While the attempted resolution is often to remove the
backend_http_settings from the url path mappings, the fix is actually quite
simple in that it talks about a specific override within that configuration
block.  As shown with the example, the
path override is used to provide one when the incoming path needs to be modified
but in this case, that is not required because the rewrite only changes the response
headers.
   
backend_http_settings = [
      {
        authentication_certificate =  []
        cookie_based_affinity =  "Disabled"
        host_name =  ""
        name = 
"myapps-nonprod-setting"
        path = “/” -> null
        pick_host_name_from_backend_address =
true
        port = 
443
        probe_name = null
        protocol =  "Https"
        request_timeout =  20
        trusted_root_certificate_names =  [
            "DigiCertGlobalRootG2"
        ]
      }
   
]
The path override is the “/” which
must be unset with null to enable the application gateway to be created.
These are the two errors whose
resolutions are distilled from the available online documentation and forums.
 
No comments:
Post a Comment