SSO using Azure OpenID Connect for multi-region App Services load balanced with ATM is not working

Srikakulapu, Charan 0 Reputation points
2023-02-22T02:59:38.6366667+00:00

I have followed this document to add authentication, and load balance multi-region App Services (Web App).

https://azure.github.io/AppService/2021/03/26/Secure-resilient-site-with-custom-domain.html

Instead of using ADF, I have used ATM, and instead of AAD, I have used OpenID Connect. I set the profile routing method to Weighted in ATM with both App Services' (in region #1 and #2) weights set to 1. Now, once the user is authenticated and the UI is loaded into the browser from the region #1 App Service, all the subsequent AJAX calls also hit the same App Service, i.e. region #1, and those requests are not load balanced between the region #1 and region #2 App Services. So, I disabled the region #1 endpoint in ATM and stopped the App Service in region #1; even then, the traffic from the UI's AJAX calls hits the region #1 App Service and fails.

Does it maintain a sticky session or something like that? In that case, the whole point of having ATM load balance in this scenario is useless.

Secondly, after shutting down the App Service in region #1, I refreshed the UI, and it asked me to log in again as it had hit the App Service in region #2. Does this mean SSO cannot be achieved with App Services in different regions load balanced through ATM?

In short, if you enable authentication, then load balancing is not possible. Is that right?


1 answer

  1. Ryan Hill 26,241 Reputation points Microsoft Employee
    2023-02-23T23:48:09.0666667+00:00

    Hi @Srikakulapu, Charan

    As you know, Traffic Manager is an L7 load balancer at the DNS layer. Because of this, it doesn't support sticky sessions, because the only thing it's doing is routing the client to your App Service endpoint based on the configured profile. The main point of using Traffic Manager is the traffic routing methods you've configured and high availability/failover of your App Service, e.g., having your App Service deployed to both the west coast and east coast regions of the continental US.

    For authentication, it's done at the App Service level, not the load balancer. Any load balancer will only direct the client to the App Service endpoint. However, the auth tokens should be part of the header. As you've correctly pointed out, App Service supports sticky sessions by default through the ARR Affinity cookie. You can disable this feature, assuming your application in general is stateless. And since the token store is shared within the App Service, users will still be authenticated if your app happens to scale out to multiple instances.

    In a high availability scenario, where you have your app deployed to separate regions, it isn't as elegant. In order to maintain that authentication, you'll need to configure the token store to a storage account that can be accessed by your App Services in the different regions. However, there are egress costs that will be incurred when accessing a storage account from a separate region.
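The two changes the answer describes (turning off ARR affinity and pointing the Easy Auth token store at one Blob container reachable from both regions), as an added example that is not part of the original post or of Microsoft's documentation. The resource group, app names and SAS URL are placeholders, and the `az` invocations (`az webapp update --client-affinity-enabled`, `az webapp config appsettings set`, `az webapp auth update --config-file-path`) are assumed to match the current CLI and should be checked against its reference before use.

```shell
#!/usr/bin/env bash
# Added example: apply identical auth/affinity settings to every regional
# App Service behind a Traffic Manager profile. Names below are placeholders.
set -euo pipefail

RG="${RG:-rg-placeholder}"
APPS="${APPS:-app-east-placeholder app-west-placeholder}"
# SAS URL of the shared token container; assumed to be supplied by the operator.
TOKEN_SAS_URL="${TOKEN_SAS_URL:-https://example.invalid/tokens?sv=placeholder}"

# Emit the authsettingsV2 fragment that moves the token store to Blob storage.
# Easy Auth reads the SAS URL from the app setting named here, so the URL
# itself never sits in the auth config.
auth_token_store_json() {
  cat <<'EOF'
{
  "login": {
    "tokenStore": {
      "enabled": true,
      "azureBlobStorage": { "sasUrlSettingName": "AUTH_TOKEN_STORE_SAS_URL" }
    }
  }
}
EOF
}

# Configure one regional app. Both regions must get the same settings so a
# session started in one region is honoured by the other after failover.
configure_app() {
  local app="$1"
  # Turn off the ARRAffinity cookie so Traffic Manager's DNS weighting, not a
  # per-instance cookie, decides where each request lands.
  az webapp update -g "$RG" -n "$app" --client-affinity-enabled false -o none
  # Store the SAS URL in the app setting the token store config refers to.
  az webapp config appsettings set -g "$RG" -n "$app" \
    --settings "AUTH_TOKEN_STORE_SAS_URL=$TOKEN_SAS_URL" -o none
  # Point Easy Auth (V2 settings) at the shared Blob token store.
  local cfg
  cfg="$(mktemp)"
  auth_token_store_json > "$cfg"
  az webapp auth update -g "$RG" -n "$app" --config-file-path "$cfg" -o none
  rm -f "$cfg"
}

# Apply to every app listed in APPS; call this after logging in with `az login`.
configure_all() {
  local app
  for app in $APPS; do configure_app "$app"; done
}
```

Run `configure_all` once per deployment; the SAS for the token container should be scoped to that container only and rotated like any other credential, since whoever holds it can read every user's refresh tokens.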