Configure Load Balancing with SSL for Bitnami Multi-Tier Solutions on Microsoft Azure
Introduction
Load balancing is a technique commonly used by high-traffic Web sites and Web applications to share traffic across multiple hosts, thereby ensuring quick response times and rapid adaptation to traffic peaks and troughs. The Application Gateway service from Microsoft Azure with Secure Sockets Layer (SSL) support makes it easy to add secure load balancing for Bitnami Multi-Tier Solution running on Microsoft Azure.
This guide walks you through the process of configuring and testing an Application Gateway with an SSL certificate for a Bitnami Multi-Tier Solution running on Microsoft Azure.
Assumptions and prerequisites
This guide assumes that:
-
You have a Bitnami Multi-Tier Solution running on Microsoft Azure, deployed using the Azure Marketplace. The example application used in this guide is the Bitnami WordPress Multi-Tier Solution.
-
You own a domain name and have the ability to modify the domain name record.
-
You have an SSL certificate for your domain in PFX format.
For self-signed certificates or certificates issued by a certification authority (including Let’s Encrypt), follow these instructions to generate a PFX file using OpenSSL. For Azure App Service Certificates generated through the Microsoft Azure portal, follow these instructions to generate a PFX file using PowerShell.
Step 1: Identify your Bitnami virtual machines in the Microsoft Azure portal
The first step is to identify your Bitnami virtual machines and collect various important bits of information that you will need in subsequent steps. To do this:
-
Log in to the Microsoft Azure portal.
-
From the “Resource groups” menu, search for and select your Bitnami application’s resource group from the list of available groups.
-
From the resource group page, select the primary virtual machine (typically named with suffix 0) and note the public IP address and availability zone.
-
Browse to the instance’s public IP address and confirm that you get a positive response, such as the welcome page of the Bitnami application. This response will be necessary to pass health checks performed by the load balancer.
Step 2: Configure a subnet for the application gateway
Before you can add an application gateway, you must add an empty subnet to host it in your Microsoft Azure network configuration. Follow these steps:
-
In your Bitnami application’s resource group, select the virtual network.
-
On the network details page, select the “Settings -> Address space” menu item.
-
Add a new address space to the network with the range 10.0.1.0/24 and save the changes.
-
On the network details page, select the “Settings -> Subnets” menu item.
-
Click the “Subnet” button to add a new subnet.
-
Enter a name for the new subnet and specify the address range 10.0.1.0/24. Click “OK” to save your changes.
The new subnet should now appear in the list of available subnets in the resource group network.
Step 3: Configure an application gateway with the SSL certificate
The next step is to add an application gateway and configure it to handle HTTPS requests. Follow these steps:
-
From the Microsoft Azure portal menu, select the “Create a resource” menu item.
-
Search for and select the “application gateway”.
-
On the application gateway description page, click the “Create” button to create a new application gateway.
-
On the “Basics” page, enter a new for the application gateway, select the correct Azure subscription, and select the Bitnami application’s resource group. Confirm that the availability zone is the same as that used by your Bitnami virtual machines and click “OK” to proceed.
-
On the “Settings” page, select the “Virtual network” field and select the network used by the resource group. The “Subnet” field should subsequently auto-populate with the new subnet added in Step 2.
-
On the same “Settings” page, in the “Frontend IP configuration” section, set the “IP address type” to “Public”, select the “Create new” option and enter a name for the new public IP address. Leave all other fields at their default values.
-
On the same “Settings” page, in the “Listener configuration” section, select “HTTPS” as the protocol, upload the PFX certificate and enter the password for the PFX certificate file. Click “OK” to save your changes.
-
On the “Summary” page, review your settings and click “OK” to proceed.
Your application gateway will now be created. The process may take some time. Once the application gateway is ready, it will appear in the list of resources managed by the resource group, together with the new public IP address.
Step 4: Add virtual machines to the application gateway
The application gateway must now be configured with one or more virtual machines, to which it will balance traffic. Follow these steps:
-
In your Bitnami application’s resource group, select the application gateway.
-
From the application gateway menu, select the “Settings -> Backend pools” menu item.
-
On the next page, select the default backend pool.
-
On the “Edit backend pool” page, select “Virtual machines” as the target. Select the primary virtual machine (typically named with suffix 0) from your Bitnami application’s resource group and also select its primary network interface. Click “Save” to save your changes".
The virtual machine will now be added to the application gateway’s backend pool.
Step 5: Configure HTTP redirection
NOTE: This is an optional but recommended step.
Typically, you will want to redirect any HTTP requests to your application, to the more secure HTTPS URL. To do this, you must configure a listener for the HTTP port, and a rule to redirect any requests to that listener to the HTTPS port. Follow these steps:
-
In your Bitnami application’s resource group, select the application gateway.
-
From the application gateway menu, select the “Settings -> Listeners” menu item.
-
On the “Listeners” page, click the “Basic” button.
-
On the “Add basic listener” page, enter a name for the listener and ensure that the protocol is set to “HTTP”. Click “OK” to save the listener configuration.
The new listener will appear in the list of available listeners. Next:
-
From the application gateway menu, select the “Settings -> Rules” menu item.
-
On the “Rules” page, click the “Basic” button.
-
On the “Add basic rule” page, enter a name for the rule and ensure that the listener is the HTTP listener configured previously. Check the “Configure redirection” field and select “Permanent” as the redirection type. Select “Listener” as the redirection target, and select the HTTPS listener as the target listener. Click “OK” to save the listener configuration.
The new rule will appear in the list of available rule. Once deployed, this rule will ensure that HTTP requests are redirected to the HTTPS listener.
NOTE: Sometimes, additional application-specific configuration is required for HTTPS redirection. Refer to the application’s documentation for more details in this case.
Step 6: Point your domain name to the application gateway’s IP address
Once the deployment is complete, perform the following steps:
-
Visit the application gateway overview page and note the public IP address for the configured application gateway.
NOTE: It may take up to 30 minutes for the backend pool to be refreshed and the public IP address to appear.
-
Update your domain’s DNS settings by adding an A record that points to the public Ip address of the application gateway. To do this, you will usually need to log in to your domain name provider’s management console and make the necessary changes.
NOTE: Once you make the necessary changes, it can take up to 48 hours for the change to propagate across other DNS servers.
Step 7: Test the application gateway
Verify that the changes to your domain name record have propagated by using the Global DNS Propagation Checker and entering your domain name into the search field. After confirming that the domain name now points to the public IP address of the load balancer, you can test it as follows (replace the DOMAIN placeholder with the correct domain name):
-
Browsing to http://DOMAIN should result in the application gateway displaying the insecure welcome page of the Bitnami application.
Alternatively, if you have configured the optional HTTPS redirection in Step 5, browsing to http://DOMAIN should redirect you to https://DOMAIN and the result described next.
-
Browsing to https://DOMAIN should result in the load balancer displaying the secure welcome page of the Bitnami application. Clicking the padlock icon in the browser address bar should display the details of the domain and SSL certificate.
Your application gateway has now been configured with an SSL certificate for your Bitnami Multi-Tier Solution running on Microsoft Azure.
Useful links
To learn more about the topics discussed in this guide, consider visiting the following links: