Security with Azure and NGINX

NGINX Management with NGINX Controller

NGINX Controller is a separate and optional product from NGINX, Inc. that manages the NGINX data plane and the entire lifecycle of NGINX Plus under these configurations:

  • Load Balancer
  • API Gateway
  • Proxy in a service mesh environment

This optional and separate NGINX product is fully functional within Azure and provides an additional or exclusive way to manage NGINX without using Azure Security Center, Azure Monitor, the Azure Portal, or PowerShell.


Monitoring NGINX in Azure

Azure Security Center with NGINX

Azure Security Center (ASC) is a service that comes in a free tier with limited functionality and a fee-based standard tier with a complete set of security capabilities for organizations that need enhanced functionality. The free tier monitors compute, network, storage, and application resources in Azure. It also provides security policy, security assessment, security recommendations, and the ability to connect with other security partner solutions. The standard tier extends all the capabilities of the free tier to on-prem environments (private cloud) as well as other public clouds such as AWS and Google Cloud Platform (GCP). The standard tier also includes many more security features along with the following critical security controls:

  • Built-in and custom alerts
  • Security event collection and advanced search
  • Just-in-time VM access
  • Application whitelisting


NGINX Plus and Microsoft Azure Load Balancers

Microsoft Azure has three options for load balancing:

  • NGINX Plus,
  • the Azure load balancing services, or
  • NGINX Plus in conjunction with the Azure load balancing services.

The following aims to give you enough information to decide which works best for you and shows how using NGINX Plus with Azure Load Balancer can give you a highly available HTTP load balancer with rich Layer 7 functionality.


Installing NGINX via ARM and PowerShell

Azure Resource Manager is the deployment and management service for Azure. It provides a consistent management layer that enables you to create, update, and delete resources in your Azure subscription. You can use its access control, auditing, and tagging features to secure and organize your resources after deployment.

There are currently no prebuilt ARM templates or PowerShell scripts available from NGINX. However, nothing prevents you from creating an ARM template and PowerShell script based on your custom deployment requirements for Azure, using custom VM images you have previously created.

The following provides an example of creating an Ubuntu 16.04 LTS marketplace image from Canonical along with the NGINX web server using the Azure Cloud Shell and the Azure PowerShell module.


Installing NGINX via Azure Marketplace

The Azure Marketplace is a software repository for pre-built and configured Azure resources from independent software vendors (ISVs). You will find open source and enterprise applications that have been certified and optimized to run on Azure.

NGINX, Inc. provides the latest release of NGINX Plus in the Azure Marketplace as a virtual machine (VM) image. NGINX OSS is not available from NGINX, Inc. but there are several options available from other ISVs in the Azure Marketplace.

Searching for “NGINX” in the Azure Marketplace will produce several results as shown below:


NGINX Plus on Azure

NGINX Open Source Software (OSS) is free while NGINX Plus is a commercial product that offers advanced features and enterprise-level support as licensed software by NGINX, Inc.

NGINX Plus combines the functionality of a high-performance web server, a powerful front-end load balancer and a highly-scalable accelerating cache to create the ideal end-to-end platform for your web applications. NGINX Plus is built on top of NGINX open source.

For organizations currently using NGINX open source, NGINX Plus eliminates the complexity of managing a “do-it-yourself” chain of proxies, load balancers and caching servers in a mission-critical application environment.


The OSI Model and Load Balancing

The Open Systems Interconnection (OSI) model defines a networking framework to implement protocols in seven layers:

  • Layer 7: The application layer
  • Layer 6: The presentation layer
  • Layer 5: The session layer
  • Layer 4: The transport layer
  • Layer 3: The network layer
  • Layer 2: The data-link layer
  • Layer 1: The physical layer

The OSI model doesn’t perform any functions in the networking process. It is a conceptual framework to better understand complex interactions that are happening.


Introduction to Azure Load Balancing

Load balancers have evolved considerably since they were introduced in the 1990s as hardware-based servers or appliances. Cloud load balancing, also referred to as Load Balancing as a Service (LBaaS), is an updated alternative to hardware load balancers. Regardless of the implementation of a load balancer, scalability is still the primary goal of load balancing, even though modern load balancers can do so much more.

Optimal load distribution reduces site inaccessibility caused by the failure of a single server while assuring consistent performance for all users. Different routing techniques and algorithms ensure optimal performance in varying load-balancing scenarios.

Modern websites must support concurrent connections from clients requesting text, images, video, or application data, all in a fast and reliable manner, while scaling from hundreds of users to millions of users during peak times. Load balancers are a critical part of this scalability.

  • Problems Load Balancers Solve
  • The Solutions Load Balancers Provide
  • The OSI Model and Load Balancing

Problems Load Balancers Solve

In cloud computing, load balancers solve three issues that fall under:

  • Cloud Bursting
  • Local Load Balancing
  • Global Load Balancing

Cloud bursting is a configuration between a private cloud (i.e. on-prem compute environment) and a public cloud that uses a load balancer to redirect overflow traffic from a private cloud that has reached 100% of resource capacity to a public cloud to avoid decreases in performance or an interruption of service.


Load Balancing In Microsoft Azure Series


This series of 9 blog posts is suitable for cloud solution architects and software architects looking to integrate NGINX (pronounced en-juhn-eks) with Azure-managed solutions to improve load balancing, performance, security, and high availability for workloads. Software developers and technical managers will also understand how these technologies in the cloud have a direct impact on application development and application architecture for more cloud-native solutions. Load balancing provides scalability and a higher level of availability by distributing incoming network traffic efficiently across a group of backend servers, also known as a server pool or server cluster.

This series of blog posts provides a meaningful description of load-balancing options available natively from Microsoft Azure and the role NGINX can play in a comprehensive solution.

Even though the examples used are specific to Azure, these load balancing concepts and implementations using NGINX apply equally to other large public cloud providers such as Amazon Web Services (AWS), Google Cloud Platform, DigitalOcean, and IBM Cloud along with their respective cloud platform–native load balancers.