Network secure ingress design pattern

[Figure: overview of the network secure ingress pattern and its three requirements]

The network secure ingress pattern combines several smaller design patterns: gateway routing, gateway offloading and health endpoint monitoring. A network secure ingress focuses on three things: global routing, low-latency failover, and mitigating attacks at the edge.

The figure above captures three requirements:

• The network secure ingress pattern encapsulates the gateway routing pattern, so an implementation must be able to route requests to workloads in different regions.
• An implementation must be able to tell healthy workloads from unhealthy ones and adjust routing accordingly in a timely manner; the probe-to-failover latency should allow routing adjustments within minutes.
• Mitigating attacks at the edge is the "security" part of the implementation. Workloads and Platform as a Service (PaaS) services must not be reachable over the Internet: Internet traffic may only arrive through the gateway, and the gateway must be able to mitigate attacks (for example with a web application firewall).

Below is an example implementation built from Azure services: Azure Front Door with a WAF policy at the edge, and origins reached privately over Private Link.

[Figure: Azure implementation of the network secure ingress pattern]

Request process

[Figure: request flow through Azure Front Door, the WAF, the origin group and Private Link]

1. The user makes an HTTP or HTTPS request to the Azure Front Door endpoint.
2. The WAF rules are evaluated. Matching rules are always logged. If the Azure Front Door WAF policy is in Prevention mode and the matching rule's action is Block (or, for managed rule sets that use anomaly scoring, the anomaly score threshold is reached), the request is blocked. Otherwise the request continues, is redirected, or the subsequent rules are evaluated. In Detection mode matches are only logged and nothing is blocked.
3. The route configured in Azure Front Door is matched and the corresponding origin group is selected. In this example the path maps to the website's static content.
4. An origin is selected from the origin group.
5a. In this example the health probe considers one site unhealthy and therefore excludes it from the candidate origins.
5b. The remaining healthy site is selected.
6. The request is routed to the Azure Storage account via Private Link over the Microsoft backbone network, so the storage account never needs a public endpoint.
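The decision logic in steps 2 to 5 is easy to get wrong when reasoning about failover, so here is a small simulation of it. This is an added example written for this page, not code from the original post and not Azure's implementation: the rule names, origin hosts, routes and probe histories are constructed, and `sample_size` / `successful_samples_required` borrow the names of Front Door's origin-group health probe settings while the selection itself is simplified (Front Door picks among equal-priority origins randomly in proportion to weight; this picks the heaviest).

```python
"""Simulation of the Front Door request path: WAF evaluation, route matching,
health-probe exclusion and origin selection. Added example; all data is
constructed, and the selection logic is a simplification of Front Door's."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Tuple


class WafMode(Enum):
    DETECTION = "Detection"    # matches are logged but never enforced
    PREVENTION = "Prevention"  # matches with action Block are enforced


@dataclass
class WafRule:
    name: str
    action: str                # "Block", "Allow", "Log" or "Redirect"
    match: Callable[[dict], bool]


@dataclass
class Origin:
    host: str
    priority: int = 1          # lower value is preferred
    weight: int = 100
    probe_results: List[int] = field(default_factory=list)  # 1 = success, newest last


@dataclass
class OriginGroup:
    name: str
    origins: List[Origin]
    sample_size: int = 4                 # probes considered
    successful_samples_required: int = 3  # successes needed to be healthy


def is_healthy(origin: Origin, group: OriginGroup) -> bool:
    """Health endpoint monitoring: healthy when enough recent probes succeeded."""
    recent = origin.probe_results[-group.sample_size:]
    return sum(recent) >= group.successful_samples_required


def evaluate_waf(rules, mode, request, log) -> str:
    """Step 2: every match is logged; Block is enforced only in Prevention mode."""
    for rule in rules:
        if not rule.match(request):
            continue
        log.append((rule.name, rule.action))
        if rule.action == "Block" and mode is WafMode.PREVENTION:
            return "blocked"
        if rule.action == "Redirect":
            return "redirected"
        if rule.action == "Allow":
            return "allowed"
        # "Log", or Block in Detection mode: keep evaluating subsequent rules
    return "allowed"


def match_route(routes, request):
    """Step 3: the longest matching path prefix selects the origin group."""
    hits = [(p, g) for p, g in routes if request["path"].startswith(p)]
    return max(hits, key=lambda h: len(h[0]))[1] if hits else None


def select_origin(group: OriginGroup):
    """Steps 4-5: drop unhealthy origins, keep the best priority tier, pick by weight."""
    healthy = [o for o in group.origins if is_healthy(o, group)]
    if not healthy:
        return None
    best = min(o.priority for o in healthy)
    return max((o for o in healthy if o.priority == best), key=lambda o: o.weight)


def handle(request, rules, mode, routes, log) -> Tuple[str, str]:
    verdict = evaluate_waf(rules, mode, request, log)
    if verdict != "allowed":
        return verdict, None
    group = match_route(routes, request)
    if group is None:
        return "no_route", None
    origin = select_origin(group)
    if origin is None:
        return "no_healthy_origin", None
    return "forwarded", origin.host   # step 6: sent on over Private Link


# Constructed sample configuration (not real Azure resources).
RULES = [
    WafRule("block-sqli-in-query", "Block",
            lambda r: "' or 1=1" in r["query"].lower()),
    WafRule("log-scanner-user-agent", "Log",
            lambda r: "sqlmap" in r["headers"].get("user-agent", "").lower()),
]
STATIC = OriginGroup("static-content", [
    Origin("stor-eastus.privatelink.blob.core.windows.net",
           probe_results=[1, 1, 0, 0, 0]),   # failing lately: excluded (5a)
    Origin("stor-westeurope.privatelink.blob.core.windows.net",
           probe_results=[1, 1, 1, 1, 1]),   # healthy: selected (5b)
])
ROUTES = [("/", STATIC)]


def demo(mode=WafMode.PREVENTION):
    """Run two constructed requests; return their outcomes and the WAF log."""
    log = []
    page = handle({"path": "/index.html", "query": "", "headers": {}},
                  RULES, mode, ROUTES, log)
    attack = handle({"path": "/search", "query": "q=' OR 1=1 --", "headers": {}},
                    RULES, mode, ROUTES, log)
    return {"page": page, "attack": attack, "log": log}
```

Running `demo()` shows the two behaviours the text describes: the injection attempt is logged and blocked in Prevention mode but only logged in Detection mode, and the ordinary page request is forwarded to the West Europe origin because the East US origin failed three of its last four probes. Note that with `sample_size=4` and three successes required, a single failed probe does not mark an origin down; that hysteresis is what keeps failover from flapping, and the probe interval is what bounds the minutes-scale adjustment latency the requirements ask for.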

Main advantages

When the network secure ingress pattern is implemented, the key benefits are:

• Low-latency global routing driven by health probes, which isolates the application from regional failures.
• Centralized protection for HTTP and HTTPS requests at the edge, in one place, instead of per workload.
• No need to expose on-premises or PaaS services to the Internet; only the gateway is public.
• Horizontal scale by deploying more resources in the same region or in different regions behind the global router.


Here is more information about the three patterns mentioned above:

• Gateway Routing pattern: routes requests to multiple services or service instances, which may be located in different regions.
• Gateway Offloading pattern: offloads cross-cutting functionality, such as attack mitigation, TLS termination and WAF inspection, to the gateway rather than to each workload.
• Health Endpoint Monitoring pattern: each workload exposes an endpoint that verifies its health, and the gateway probes it to decide where traffic may be routed.
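The requirements above put two obligations on the origin side: it must accept Internet traffic only via the gateway, and it must expose a health endpoint the gateway can probe. The following is an added example of a minimal origin that does both; it is not code from the original post or from Azure. It relies on the fact that Azure Front Door adds an `X-Azure-FDID` request header carrying the Front Door profile ID; the `FRONT_DOOR_ID` value, the `DEPENDENCY_STATE` dictionary and the `/healthz` path are placeholders constructed for the example.

```python
"""Origin-side enforcement of 'traffic only via the gateway' plus a health
endpoint for the gateway's probes. Added example; FRONT_DOOR_ID and the
dependency checks are constructed placeholders."""
import hmac
import json
from wsgiref.util import setup_testing_defaults

# The Front Door profile ID allowed to reach this origin. Front Door sends it in
# the X-Azure-FDID header. Placeholder value, not a real profile ID.
FRONT_DOOR_ID = "00000000-0000-0000-0000-000000000000"

# Constructed stand-in for real dependency checks (database, downstream APIs).
DEPENDENCY_STATE = {"database": True, "cache": True}


def check_dependencies() -> dict:
    """Health endpoint monitoring: report each dependency the workload needs."""
    return dict(DEPENDENCY_STATE)


def app(environ, start_response):
    """WSGI application: gate every request on X-Azure-FDID, then dispatch."""
    fdid = environ.get("HTTP_X_AZURE_FDID", "")
    # Constant-time compare; a wrong or missing header means the request did
    # not come through our Front Door profile, so refuse it (probes included).
    if not hmac.compare_digest(fdid, FRONT_DOOR_ID):
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"direct access not allowed\n"]

    if environ.get("PATH_INFO", "/") == "/healthz":
        status = check_dependencies()
        code = "200 OK" if all(status.values()) else "503 Service Unavailable"
        start_response(code, [("Content-Type", "application/json")])
        return [json.dumps(status).encode()]

    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello from origin\n"]


def call(path, headers=None, method="GET"):
    """Invoke the app with a constructed WSGI environ; returns (status, body)."""
    environ = {"PATH_INFO": path, "REQUEST_METHOD": method}
    setup_testing_defaults(environ)
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body
```

Two caveats a practitioner should keep in mind. First, the header check is defence in depth, not the control itself: the requirement is satisfied by making the origin unreachable from the Internet (Private Link and public network access disabled, as in the storage account example above, or a private endpoint for an app service), because anyone who learns the profile ID can set the header. Second, the health endpoint must test the dependencies the workload actually needs; an endpoint that always returns 200 defeats the failover the pattern exists to provide, and an endpoint that fails on a non-critical dependency will pull a working region out of rotation.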

Hopefully this brief summary helps you understand this pattern at a high level.


Source: blog.csdn.net/weixin_37604985/article/details/132463647