SirA-7372 asked sikumars commented

Co-locate Application proxy connector with application server

I did not find anything about this in the App Proxy Connector docs. All it says is that Connector and application should be installed close to each other.

Has anyone co-located Connectors with application servers in this manner,

Server1: Application + App Proxy Connector
Server2: Application + App Proxy Connector

Loadbalancer that points to Server1 and Server 2.

  1. User accesses Application through external endpoint (App Proxy Service).

  2. Connector on Server1 picks up the connection and then uses the loadbalancer to forward it to application on either Server 1 or Server 2.

Will such a setup work well?

azure-ad-application-proxy

sikumars answered

Hello @SirA-7372,

Thanks for reaching out.

I hope you are referring to the back-end application as multiple servers (such as a server farm) on Server 1 and 2. If so, then the user request may end up in an infinite loop between connector and application in the above manner, as the AAD proxy connector relies on DNS resolution, which points it to the back-end application.

Therefore, the best practice for load balancing among multiple app servers: when the connector group that's assigned to the Application Proxy application has two or more connectors, and you're running the back-end web application on multiple servers (server farm), a good load-balancing strategy is required. A good strategy ensures that servers pick up client requests evenly and prevents over- or under-utilization of servers in the server farm.

To learn more, refer : https://docs.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-high-availability-load-balancing#best-practices-for-load-balancing-among-multiple-app-servers

Scenarios :

The simplest scenario is where the back-end web application doesn't require session stickiness (session persistence). Any request from the user can be handled by any back-end application instance in the server farm. You can use a layer 4 load balancer and configure it with no affinity.

You can install one or more Azure AD Application Proxy connectors on an individual server (server X) which is close to each back-end server (Server 1 and 2), and then create a localhost or DNS entry pointing to the load balancer, as shown below. This way the load balancer ensures that servers pick up client requests evenly and prevents over- or under-utilization of servers in the server farm.

109434-image.png

Hope this helps.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.



SirA-7372 answered

Thanks for replying.

Yes, I am referring to back-end application. This is for a Remote Desktop Services solution, and I've read that some people have indeed implemented this solution, to attain best possible user experience. The solution is implemented in the following manner,

RDS Web, RDS Gateway and App Proxy Connector are installed on Server1 and Server2
A record for App.domain.com is created in internal DNS, which points to the IP Address of a Load Balancer
The Load Balancer will send traffic to either Server1 or Server2
Internal (and External) URL of the Enterprise Application associated with the AAD App Proxy is https://app.domain.com

The flow would be like this,

109447-appproxyconnector2.png

1. (blue arrow) User accesses the application at https://app.domain.com
2. (red arrows) App Proxy Connector on Server1 (or Server2) connects to the Proxy Service and downloads user data
3. (green arrow) App Proxy Connector on Server1 contacts the Load Balancer to find App.domain.com
4. (orange arrow) Load Balancer points it to itself (Server1)
5. App Proxy Connector retrieves data and sends it back to the App Proxy service, where the user can receive it

I'm curious to know, how this would end up in an infinite loop between connector and application? :)




SirA-7372 answered sikumars commented

Would love to hear why the above configuration would end up in an infinite loop between connector and application? :)


sikumars commented:

Sorry for delayed response.

If name resolution is misconfigured then users may experience a loop, but looking at the above architecture it should work when name resolution is configured correctly (connector hosts must be able to resolve the internal URL of applications being published).

It's worth referring to the following articles:
Plan an Azure AD Application Proxy deployment
DNS configuration options
Best practices for load balancing among multiple app servers

Hope this helps

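A self-check for the name-resolution requirement raised in sikumars's first answer (connectors placed next to the back-end servers, with a DNS or hosts entry for the internal URL pointing at the load balancer) and restated in the closing comment. This is an added example, not code from the thread or from Microsoft. It assumes the poster's host name app.domain.com, an assumed internal load balancer VIP of 10.0.0.50, and that the public record for a custom-domain Application Proxy URL is a CNAME into the msappproxy.net service, so a connector host that still follows that CNAME would hand the request back into Application Proxy, which would call a connector again. Run it in PowerShell on each connector host (Server1 and Server2 in the design above).

```powershell
# Added example (not from the thread). Run on each App Proxy connector host.
# Verifies that the internal URL of the published app resolves to the internal
# load balancer VIP rather than back to the public Application Proxy endpoint.
# app.domain.com is the poster's name; 10.0.0.50 is an assumed VIP.

param(
    [string]$InternalHost = 'app.domain.com',   # host part of the app's internal URL
    [string]$ExpectedVip  = '10.0.0.50',        # assumed internal load balancer VIP
    [int]   $Port         = 443
)

function Test-AppProxyBackendResolution {
    param([string]$HostName, [string]$Vip, [int]$Port)

    # Resolve the way the connector host does: hosts file first, then DNS.
    # -Type A follows any CNAME chain, so both CNAME and A records come back.
    $records = Resolve-DnsName -Name $HostName -Type A -ErrorAction Stop
    $cnames  = @($records | Where-Object Type -eq 'CNAME' | Select-Object -ExpandProperty NameHost)
    $ips     = @($records | Where-Object Type -eq 'A'     | Select-Object -ExpandProperty IPAddress)

    # Loop condition: the connector host still sees the public CNAME into the
    # App Proxy service (assumed *.msappproxy.net), so it would forward the
    # request out through App Proxy, which dispatches it to a connector again.
    $loop = @($cnames | Where-Object { $_ -like '*.msappproxy.net' })
    if ($loop.Count -gt 0) {
        throw "LOOP: $HostName follows CNAME $($loop -join ', ') to the App Proxy service. Add an internal A record or hosts entry for $HostName pointing at $Vip."
    }

    # Mismatch: resolves internally, but not to the load balancer in front of Server1/Server2.
    if ($ips -notcontains $Vip) {
        throw "MISMATCH: $HostName resolves to $($ips -join ', '); expected load balancer VIP $Vip."
    }

    # The LB may legitimately send the request back to this same server
    # (the orange arrow in the thread). That is not a loop, so the host's own
    # addresses are only reported for comparison, not treated as a failure.
    $selfIps   = Get-NetIPAddress -AddressFamily IPv4 | Select-Object -ExpandProperty IPAddress
    $reachable = Test-NetConnection -ComputerName $Vip -Port $Port -InformationLevel Quiet

    [pscustomobject]@{
        Host         = $HostName
        ResolvesTo   = ($ips -join ', ')
        ConnectorIPs = ($selfIps -join ', ')
        VipReachable = $reachable
    }
}

Test-AppProxyBackendResolution -HostName $InternalHost -Vip $ExpectedVip -Port $Port | Format-List
```

If the script throws LOOP, add an A record for the internal URL in internal DNS that points at the load balancer, or, as the first answer suggests for the local option, append a line such as `10.0.0.50 app.domain.com` to `C:\Windows\System32\drivers\etc\hosts` on each connector host (values assumed). A MISMATCH means split DNS is in place but points somewhere other than the load balancer, so requests would not be spread across Server1 and Server2 as the design intends.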