1. SSL Offloading for Scalable AI Services with Azure Front Door

    Python

    SSL offloading is the process of removing the SSL-based encryption from incoming traffic to relieve a web server of the processing burden of encrypting and decrypting traffic. Azure Front Door supports SSL offloading by terminating SSL at the edge of Microsoft's network closer to the users, which helps improve performance, manage certificates and ciphers centrally, and enable the use of security features like Web Application Firewall (WAF).

    In the following Pulumi Python program, you will create an Azure Front Door instance with SSL offloading capabilities. We'll configure Azure Front Door to terminate SSL at the network edge and then route the traffic to your backends, such as your AI service.

    The program will include the following resources:

    • FrontDoor: The resource that defines the Azure Front Door service.
    • AFDEndpoint: Endpoints within the Front Door service that define how client requests are handled.
    • AFDOriginGroup: Origin group to handle traffic routing.
    • AFDOrigin: Origin that represents the backend service.
    • FrontdoorCustomDomain: Custom domain configuration with the SSL/TLS settings for SSL offloading.

    Here's the Pulumi program:

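    import pulumi
    import pulumi_azure_native as azure_native

    # Assume the user already has a resource group and an AI service deployed within Azure.
    resource_group_name = 'my-resource-group'
    ai_service_hostname = 'my-ai-service.azurewebsites.net'

    # The default frontend host is <front door name>.azurefd.net, so fix the name explicitly.
    front_door_name = 'my-frontend-endpoint'

    # Sub-resources (endpoints, pools, settings) reference each other by ARM ID.
    # The Front Door cannot read its own .id inside its constructor, so build the ID up front.
    subscription_id = azure_native.authorization.get_client_config().subscription_id
    front_door_id = (
        f'/subscriptions/{subscription_id}/resourceGroups/{resource_group_name}'
        f'/providers/Microsoft.Network/frontDoors/{front_door_name}'
    )

    # Create an Azure Front Door instance
    front_door = azure_native.network.FrontDoor('my-frontdoor',
        front_door_name=front_door_name,
        # Location is optional: it's a global service, but it can be associated with a
        # specific region for resource group metadata
        location='global',
        resource_group_name=resource_group_name,
        enabled_state='Enabled',
        frontend_endpoints=[
            azure_native.network.FrontendEndpointArgs(
                name='defaultFrontendEndpoint',
                host_name=f'{front_door_name}.azurefd.net',
            )
        ],
        # Load-balancing and health-probe settings are defined on the Front Door itself
        # and referenced from the backend pool by ID.
        load_balancing_settings=[
            azure_native.network.LoadBalancingSettingsModelArgs(
                name='defaultLoadBalancing',
                sample_size=4,
                successful_samples_required=2,
            )
        ],
        health_probe_settings=[
            azure_native.network.HealthProbeSettingsModelArgs(
                name='defaultHealthProbe',
                path='/health',
                protocol='Https',  # probe the origin over TLS as well
                health_probe_method='GET',
            )
        ],
        backend_pools=[
            azure_native.network.BackendPoolArgs(
                name='defaultBackendPool',
                backends=[
                    azure_native.network.BackendArgs(
                        address=ai_service_hostname,
                        http_port=80,
                        https_port=443,
                        enabled_state='Enabled',
                    )
                ],
                load_balancing_settings=azure_native.network.SubResourceArgs(
                    id=f'{front_door_id}/loadBalancingSettings/defaultLoadBalancing'),
                health_probe_settings=azure_native.network.SubResourceArgs(
                    id=f'{front_door_id}/healthProbeSettings/defaultHealthProbe'),
            )
        ],
        routing_rules=[
            azure_native.network.RoutingRuleArgs(
                name='defaultRoutingRule',
                frontend_endpoints=[
                    azure_native.network.SubResourceArgs(
                        id=f'{front_door_id}/frontendEndpoints/defaultFrontendEndpoint')
                ],
                accepted_protocols=['Https'],  # clients may only connect over HTTPS
                patterns_to_match=['/*'],
                route_configuration=azure_native.network.ForwardingConfigurationArgs(
                    odata_type='#Microsoft.Azure.FrontDoor.Models.FrontdoorForwardingConfiguration',
                    forwarding_protocol='HttpsOnly',  # keep the edge-to-origin hop encrypted
                    backend_pool=azure_native.network.SubResourceArgs(
                        id=f'{front_door_id}/backendPools/defaultBackendPool'),
                ),
            )
        ],
    )

    # Create a custom domain with SSL configuration for the frontend endpoint.
    # Caveat: verify this resource type and its arguments against your installed
    # pulumi_azure_native version before deploying. network.FrontDoor is the classic
    # tier, while the custom-domain types under cdn belong to Standard/Premium profiles.
    custom_domain = azure_native.cdn.FrontdoorCustomDomain('myCustomDomain',
        frontend_endpoint_name='defaultFrontendEndpoint',
        host_name='www.myaiapplication.com',  # Replace with your own domain
        resource_group_name=resource_group_name,
        frontend_endpoints_resource_group_name=resource_group_name,
        front_door_name=front_door.name,
        tls=azure_native.cdn.FrontdoorCustomDomainHttpsParametersArgs(
            certificate_source='FrontDoor',  # You can also use 'AzureKeyVault' to bring your own certificate
            minimum_tls_version='1.2',
        )
    )

    # Export the URL of the Front Door
    pulumi.export('front_door_url', front_door.frontend_endpoints[0].host_name)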

    In this program:

    • We create an instance of FrontDoor that acts as our entry point for SSL offloading and routing.
    • A default AFDEndpoint is configured which is where traffic will be received.
    • A backend pool (AFDOriginGroup) is defined to include the AI service that will process the requests.
    • The AI service is added to the backend pool as an AFDOrigin.
    • A routing rule (routing_rules) defines how incoming requests are matched and forwarded to the backend pool.
    • A FrontdoorCustomDomain is created to attach a custom domain to the endpoint with SSL/TLS settings configured for SSL offloading.

    This setup routes traffic through Azure Front Door and offloads SSL at the edge, which reduces the SSL encryption/decryption load on your AI service. The traffic is then routed to your service in an optimized manner.
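
    The TLS-relevant settings in this program (accepted protocols, forwarding protocol, probe protocol and minimum TLS version) can be checked before deployment. The following is an added example, not part of the original program and not a Pulumi or Azure API; the dictionary layout and the function names are assumptions that mirror the keyword arguments used on this page, and both sample configurations are constructed.

```python
def _tls_tuple(version):
    """Turn '1.2' or 'TLS12' style strings into a comparable (major, minor)."""
    digits = [c for c in str(version) if c.isdigit()]
    if len(digits) != 2:
        raise ValueError(f'unrecognised TLS version: {version!r}')
    return int(digits[0]), int(digits[1])

def audit_front_door(cfg, min_tls=(1, 2)):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for rule in cfg.get('routing_rules', []):
        name = rule.get('name', '<unnamed>')
        accepts_http = any(p.lower() == 'http' for p in rule.get('accepted_protocols', []))
        fwd = rule.get('forwarding_protocol')
        if accepts_http:
            findings.append(f'{name}: accepts plaintext HTTP from clients')
        # Terminating TLS at the edge must not leave a cleartext hop to the origin.
        if fwd == 'HttpOnly' or (accepts_http and fwd != 'HttpsOnly'):
            findings.append(f'{name}: edge-to-origin hop can be plaintext ({fwd})')
    for pool in cfg.get('backend_pools', []):
        if str(pool.get('probe_protocol', '')).lower() != 'https':
            findings.append(f"{pool.get('name', '<unnamed>')}: health probe is not HTTPS")
    for dom in cfg.get('custom_domains', []):
        version = dom.get('minimum_tls_version')
        try:
            too_old = _tls_tuple(version) < min_tls
        except ValueError:
            too_old = True  # fail closed on missing or unparseable values
        if too_old:
            findings.append(f"{dom.get('host_name')}: minimum TLS {version!r} is below policy")
    return findings

# Constructed sample data: the values used on this page, then a weakened variant.
PAGE_CONFIG = {
    'routing_rules': [{'name': 'defaultRoutingRule', 'accepted_protocols': ['Https'],
                       'forwarding_protocol': 'HttpsOnly'}],
    'backend_pools': [{'name': 'defaultBackendPool', 'probe_protocol': 'Https'}],
    'custom_domains': [{'host_name': 'www.myaiapplication.com', 'minimum_tls_version': '1.2'}],
}
WEAK_CONFIG = {
    'routing_rules': [{'name': 'defaultRoutingRule', 'accepted_protocols': ['Http', 'Https'],
                       'forwarding_protocol': 'MatchRequest'}],
    'backend_pools': [{'name': 'defaultBackendPool', 'probe_protocol': 'Http'}],
    'custom_domains': [{'host_name': 'www.myaiapplication.com', 'minimum_tls_version': '1.0'}],
}

if __name__ == '__main__':
    for label, cfg in (('page', PAGE_CONFIG), ('weakened', WEAK_CONFIG)):
        print(label, audit_front_door(cfg) or 'no findings')
```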

    Remember to replace my-resource-group, my-ai-service.azurewebsites.net, and www.myaiapplication.com with your actual Azure Resource Group name, AI service hostname, and custom domain, respectively. The resource_group_name needs to be the same one where your AI service is running. The ai_service_hostname is the address where your AI service can be reached, and the front_door.frontend_endpoints[0].host_name will be the endpoint URL hosted by Azure Front Door for your custom domain.

    After deploying this Pulumi program, remember to update your DNS provider's settings to point to the Azure Front Door's frontend endpoint for your custom domain, to ensure the traffic is served through Azure Front Door.