Have you ever needed to publish an internal web application for use outside of your corporate firewall? If you have, you’re probably aware of the complications that come up while exploring that option: which ports need to be exposed, whether or not to put the front end in a DMZ, various authentication challenges, and so on. With Azure Application Proxy you can publish that application without most of that work, and the configuration process couldn’t be much easier.
So, what is Azure Application Proxy?
Azure Active Directory Application Proxy (AAD-AP) is a service hosted in Azure that relays requests to lightweight connectors installed on servers behind your firewall; the connectors, in turn, reach the web applications on the internal network. The connectors only ever open outbound connections to the service, so nothing inbound needs to be allowed, and user authentication is handled by Azure Active Directory before a request ever reaches the connector. SSO is also possible, including more complex scenarios where the connector performs Kerberos authentication to the backend system on the user’s behalf.
What are some of the benefits?
There are several benefits to using this solution rather than exposing applications via traditional methods and firewall configuration:
- generally, no firewall configuration or DMZ needed, which means no change to existing infrastructure (i.e. moving the front end to a DMZ, changing IP addresses, etc.)
- the application is listed both in the Office 365 menu and the Access Panel
- authentication is handled via Azure Active Directory (including multi-factor authentication)
- if your company wireless network does not allow you to connect to internal web sites and resources, applications exposed via Azure Application Proxy will now be available.
No firewall configuration, can it be true?
While this is true in many cases, it may not be true for every environment. Some environments are very locked down, control outbound traffic, and may still require the use of a DMZ for certain scenarios. Any time systems are exposed to the outside world, it is important to follow up with your infrastructure and security experts, regardless of Azure Active Directory Application Proxy, to ensure there are no critical concerns, compliance violations, etc. With that done, it really is quite easy to get started with AAD-AP, and it makes accessing these applications from the outside both easy and secure.
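Because the connector depends entirely on outbound connectivity, the one check worth running before installing it in a locked-down environment is whether the server can actually reach Azure on the required ports. The script below is an added example and is not part of the original post or Microsoft’s connector installer; the hostnames and ports in `$Endpoints` are assumptions taken from Microsoft’s published connector prerequisites at the time of writing (several required ranges, such as `*.msappproxy.net` and `*.servicebus.windows.net`, are wildcards and cannot be tested generically), so confirm the list against the current documentation and add any concrete hosts your connector logs report.

```powershell
# Added pre-flight check for an Application Proxy connector host (not from the original post).
# Run in an elevated PowerShell session on the Windows Server that will host the connector.
# The endpoint list is an ASSUMPTION based on Microsoft's published prerequisites;
# verify it against the current documentation before relying on it.
$Endpoints = @(
    @{ Host = 'login.microsoftonline.com'; Port = 443; Purpose = 'Connector registration / Azure AD sign-in' },
    @{ Host = 'login.windows.net';         Port = 443; Purpose = 'Azure AD authentication' }
    # Add concrete hosts for the wildcard ranges (*.msappproxy.net, *.servicebus.windows.net)
    # once the connector has registered and they appear in its event log.
)

function Test-ConnectorEgress {
    param([array]$Targets = $Endpoints)
    foreach ($t in $Targets) {
        # -InformationLevel Quiet returns a plain $true/$false instead of a result object.
        $reachable = Test-NetConnection -ComputerName $t.Host -Port $t.Port `
                        -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            Host      = $t.Host
            Port      = $t.Port
            Reachable = $reachable
            Purpose   = $t.Purpose
        }
    }
}

# Also surface any system-level outbound proxy, since the connector must be able to traverse it.
Write-Host 'WinHTTP proxy configuration (the connector uses this for outbound calls):'
netsh winhttp show proxy

$results = Test-ConnectorEgress
$results | Format-Table -AutoSize

$blocked = $results | Where-Object { -not $_.Reachable }
if ($blocked) {
    Write-Warning ("{0} required outbound path(s) are blocked. Involve the network and security teams " +
                   "before installing the connector; do NOT work around this by opening inbound ports." -f $blocked.Count)
} else {
    Write-Host 'All tested outbound paths are reachable.'
}
```

A blocked result here is exactly the “locked-down environment” case above: the fix is an outbound allow-rule (or proxy exception) for the connector host, not an inbound hole in the firewall, which is the thing Application Proxy is meant to avoid.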
What about performance considerations?
Generally speaking, you need to have enough connectors to handle peak traffic to your web applications. The service hosted in Azure will scale as needed, but all traffic goes through your configured connectors, which are mainly bound by CPU and network resources. Other factors, such as additional proxies sitting in front of the web application and the extra round trips of Kerberos or domain authentication to the backend, can also contribute to slow performance.
When is Application Proxy a good fit?
Web applications that serve heavy imagery and/or video are not a good fit for Application Proxy, because of the bandwidth and CPU those resources consume on the connectors. AAD-AP is a feature of AAD Premium and Basic, and it is also worth noting that because authentication is handled by AAD, your users need to be synced to AAD. If those AAD criteria are met and your web applications are more business-data focused (such as CRM, e-mail, SharePoint, purchasing and order processing, etc.), you may have some great candidates to expose via Azure Active Directory Application Proxy.