Workloads
Workloads is an Azion Console feature that centralizes communication protocol settings, such as certificates, domains, ports and protocols.
If you already own an application address with an existing domain such as www.azion.com, you can redirect your traffic to Azion by configuring the records in your DNS provider and listing your custom domains.
You may also bind a Digital Certificate to your workload to enable HTTPS/TLS security encryption.
Implementation
Scope | Resource |
---|---|
Adding a custom domain | Getting started |
About Digital Certificates | Digital Certificates |
About mTLS | mTLS |
Infrastructure
With this setting you can control where your configuration is deployed while using the same hostname. This lets you create production and staging environments that fully deliver SSL/HTTPS capabilities: by adjusting your local DNS resolution, you can test your application without worrying about CORS, certificate validation, and other hostname-related aspects.
- Production: production environment of the application. The Azion domain will be in the format xxxx.map.azionedge.net.
- Staging: environment for testing the application. This configuration won’t impact the Production environment. The Azion domain will be in the format xxxx.preview.azionedge.net.
Select the infrastructure type for your workload. Once this option is saved, it cannot be modified.
Domains
Manage the addresses that users can use to access your application. Ensure proper DNS configuration by mapping CNAME records to the workload domain. You can also use Edge DNS to simplify domain management and link your domains to Azion.
Workload Domain
A Workload domain will be generated upon creating a Workload.
You may allow access to the self-generated workload domain after creating a workload (such as xxxxx.map.azionedge.net) by enabling the Workload Domain Allow Access switch, independently of other domains configured for this Workload.
Azion Custom Domain
Azion Custom Domain lets you set up a custom domain for your application using the format example.azion.app to personalize your application address with a user-friendly URL. These names are limited and not shareable among multiple accounts or configurations, and are automatically HTTPS enabled by using Azion’s SAN certificate. This feature is available at no additional cost.
Deployment Settings
Configure your workload deployment by selecting an Edge Application and an Edge Firewall. You can also set up Custom Pages to handle errors and configure cache time-to-live (TTL) settings based on the HTTP status code returned from the edge connectors.
A Workload Deployment is a configuration that ties Edge Application (mandatory), Edge Firewall and Custom Pages together for your application.
Protocol Settings
Configure the communication protocols used between the workload and its users. This section allows you to define security, compatibility, and performance settings to optimize how your Workload operates at the edge.
- HTTP: delivers your application using only the HTTP protocol.
- HTTP and HTTPS: delivers your application using both the HTTP and HTTPS protocols.
HTTP/3 support
Enable HTTP/3 support. Based on the QUIC protocol standard, HTTP/3 provides faster load times and lower latency when compared to previous versions.
For HTTP/3-enabled Workloads, Azion listens on port 443/UDP, which is the default and commonly used port for most browsers and HTTP/3-compatible clients.
Upon a user’s first request to an edge application with HTTP/3, the handshake and first response will be conducted using TCP and HTTP/1.1 or HTTP/2. The response from this exchange will assign a value to the Alt-Svc header that indicates that the latest version of the protocol is available to the browser. If the browser supports HTTP/3, the QUIC protocol and HTTP/3 will be used, unless the cached response is missing or expires.
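The Alt-Svc discovery step described above can be checked from a captured response header. The following is an added example, not Azion code: a small parser that reports whether a still-fresh h3 alternative is advertised. The function names and the sample header value are constructed for illustration; the 24-hour default for a missing ma parameter comes from RFC 7838.

```python
import re

DEFAULT_MAX_AGE = 86400  # RFC 7838: freshness defaults to 24 hours when "ma" is absent
# One alternative: protocol-id="host:port", then optional ;name=value parameters
_ALT = re.compile(
    r'\s*([^=\s,;]+)="([^"]*)"((?:\s*;\s*[^=\s;,]+=(?:"[^"]*"|[^\s;,]*))*)\s*(?:,|$)')
_PARAM = re.compile(r';\s*([^=\s;,]+)=(?:"([^"]*)"|([^\s;,]*))')

def parse_alt_svc(value):
    """Parse an Alt-Svc header value into a list of alternatives ([] for "clear")."""
    value = value.strip()
    if value == "clear":  # server withdraws all previously advertised alternatives
        return []
    entries, pos = [], 0
    while pos < len(value):
        m = _ALT.match(value, pos)
        if m is None:
            raise ValueError(f"malformed Alt-Svc value at offset {pos}")
        proto, authority, params = m.groups()
        host, _, port = authority.rpartition(":")  # empty host means "same host"
        entry = {"protocol": proto, "host": host, "port": int(port),
                 "max_age": DEFAULT_MAX_AGE}
        for name, quoted, bare in _PARAM.findall(params):
            if name == "ma":
                entry["max_age"] = int(quoted or bare)
        entries.append(entry)
        pos = m.end()
    return entries

def http3_alternative(value, age_seconds=0):
    """Return (host, port) of an h3 alternative that is still fresh, else None."""
    for alt in parse_alt_svc(value):
        if alt["protocol"] == "h3" and age_seconds < alt["max_age"]:
            return (alt["host"], alt["port"])
    return None

if __name__ == "__main__":
    sample = 'h3=":443"; ma=86400, h2=":443"; ma=60'  # constructed header value
    print(parse_alt_svc(sample))
    print(http3_alternative(sample))                     # entry is fresh
    print(http3_alternative(sample, age_seconds=90000))  # entry has expired
```

If the header advertises h3 on port 443 but clients never upgrade, check that 443/UDP is reachable along the path as well as 443/TCP.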
Ports
Azion offers a simultaneous multiport solution, allowing you to customize which HTTP and HTTPS ports your application is delivered through. You must choose at least one port for each protocol, but you can select from all available ports for delivery.
Available ports
The following table lists all available ports for HTTP, HTTPS, and HTTP/3 (QUIC) protocols. The “Notes” column indicates the default port for each protocol.
Port | Protocol | Notes |
---|---|---|
80 | HTTP | default |
8008 | HTTP | |
8080 | HTTP | |
8880 | HTTP | |
443 | HTTPS | default |
8443 | HTTPS | |
9440 | HTTPS | |
9441 | HTTPS | |
9442 | HTTPS | |
9443 | HTTPS | |
7777 | HTTPS | |
8888 | HTTPS | |
9553 | HTTPS | |
9653 | HTTPS | |
8035 | HTTPS | |
8090 | HTTPS | |
UDP/443 | HTTP/3 (QUIC) | default |
Minimum TLS version
The Transport Layer Security (TLS) protocol allows you to encrypt web traffic. The following TLS versions can be used with edge applications:
- TLS 1.0 (deprecated)
- TLS 1.1 (deprecated)
- TLS 1.2
- TLS 1.3
You can choose the minimum version of TLS that’ll be supported by your Workload. By choosing recent versions of the protocol, older devices or browsers might not be able to access the edge application.
Azion blocks TLS Renegotiation and TLS Resumption by default. If you want to customize this setup, contact the Sales team.
TLS Ciphers
Ciphers are cryptographic algorithms used to encrypt plaintext into ciphertext, which requires a key to be decrypted. Azion lets you change the cipher suite your edge application uses in order to protect your application against TLS attacks.
The cipher suite will determine which cryptographic algorithms will be used in the TLS connections of your edge application. Both client and server will negotiate the cipher suite to securely encrypt and decrypt the data exchanged during the session.
The table below shows the ciphers available in each cipher suite.
Cipher | TLSv1.2_2018 | TLSv1.2_2019 | TLSv1.2_2021 | TLSv1.3_2022 |
---|---|---|---|---|
TLS_AES_128_GCM_SHA256 | ✔︎ | ✔︎ | ✔︎ | ✕ |
TLS_AES_256_GCM_SHA384 | ✔︎ | ✔︎ | ✔︎ | ✕ |
TLS_CHACHA20_POLY1305_SHA256 | ✔︎ | ✔︎ | ✔︎ | ✕ |
ECDHE-ECDSA-AES128-GCM-SHA256 | ✔︎ | ✔︎ | ✔︎ | ✔︎ |
ECDHE-ECDSA-AES256-GCM-SHA384 | ✔︎ | ✔︎ | ✔︎ | ✔︎ |
ECDHE-ECDSA-CHACHA20-POLY1305 | ✔︎ | ✔︎ | ✔︎ | ✔︎ |
ECDHE-ECDSA-AES256-SHA384 | ✔︎ | ✔︎ | ✕ | ✕ |
ECDHE-ECDSA-AES128-SHA256 | ✔︎ | ✔︎ | ✕ | ✕ |
ECDHE-RSA-AES128-GCM-SHA256 | ✔︎ | ✔︎ | ✔︎ | ✔︎ |
ECDHE-RSA-AES256-GCM-SHA384 | ✔︎ | ✔︎ | ✔︎ | ✔︎ |
ECDHE-RSA-CHACHA20-POLY1305 | ✔︎ | ✔︎ | ✔︎ | ✔︎ |
ECDHE-RSA-AES128-SHA256 | ✔︎ | ✔︎ | ✕ | ✕ |
ECDHE-RSA-AES256-SHA384 | ✔︎ | ✔︎ | ✕ | ✕ |
AES128-GCM-SHA256 | ✔︎ | ✕ | ✕ | ✕ |
AES256-GCM-SHA384 | ✔︎ | ✕ | ✕ | ✕ |
AES128-SHA256 | ✔︎ | ✕ | ✕ | ✕ |
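To compare the four cipher suites in the table above, the following added example (not Azion code) transcribes the table and lists, per suite, the ciphers without forward secrecy (static RSA key exchange) and the ciphers that are not AEAD (CBC with HMAC). The classification is inferred from the standard OpenSSL/IANA cipher naming, which is an assumption of this example; the function and variable names are illustrative.

```python
SUITES = ["TLSv1.2_2018", "TLSv1.2_2019", "TLSv1.2_2021", "TLSv1.3_2022"]

# Rows transcribed from the table above: cipher, then one flag per suite (1 = available).
TABLE = """
TLS_AES_128_GCM_SHA256        1110
TLS_AES_256_GCM_SHA384        1110
TLS_CHACHA20_POLY1305_SHA256  1110
ECDHE-ECDSA-AES128-GCM-SHA256 1111
ECDHE-ECDSA-AES256-GCM-SHA384 1111
ECDHE-ECDSA-CHACHA20-POLY1305 1111
ECDHE-ECDSA-AES256-SHA384     1100
ECDHE-ECDSA-AES128-SHA256     1100
ECDHE-RSA-AES128-GCM-SHA256   1111
ECDHE-RSA-AES256-GCM-SHA384   1111
ECDHE-RSA-CHACHA20-POLY1305   1111
ECDHE-RSA-AES128-SHA256       1100
ECDHE-RSA-AES256-SHA384       1100
AES128-GCM-SHA256             1000
AES256-GCM-SHA384             1000
AES128-SHA256                 1000
"""

def classify(cipher):
    """Infer properties from the cipher name (naming convention, not vendor data)."""
    tls13 = cipher.startswith("TLS_")  # TLS 1.3 names: ephemeral key exchange, AEAD only
    return {
        "forward_secrecy": tls13 or cipher.startswith(("ECDHE-", "DHE-")),
        "aead": tls13 or "GCM" in cipher or "CHACHA20" in cipher,
    }

def audit(suite):
    """List ciphers in `suite` lacking forward secrecy or using a non-AEAD (CBC+HMAC) mode."""
    col = SUITES.index(suite)
    findings = {"no_forward_secrecy": [], "non_aead": []}
    for row in TABLE.strip().splitlines():
        cipher, flags = row.split()
        if flags[col] != "1":
            continue
        props = classify(cipher)
        if not props["forward_secrecy"]:
            findings["no_forward_secrecy"].append(cipher)
        if not props["aead"]:
            findings["non_aead"].append(cipher)
    return findings

if __name__ == "__main__":
    for suite in SUITES:
        print(suite, audit(suite))
```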
Mutual Authentication Settings
Enable Mutual Authentication (mTLS) to require that both client and server authenticate to each other.
Azion Workloads also support Mutual Transport Layer Security (mTLS), an authentication method for users and visitors that validates the digital certificate on both sides of a request: client and edge (server). Adding support for mTLS to your Edge Application ensures a more secure TLS handshake.
To enable this feature, contact our Sales Team.
Digital Certificate
To use your Workload with HTTPS support, you’ll need a TLS certificate (X.509). Without additional costs, you may include your TLS certificates in Azion Console or generate a Let’s Encrypt™ certificate, which will be automatically managed by Azion.
Limits
These are the default limits:
Scope | Limit |
---|---|
CNAMEs per Workload | 50 |
These are the default limits for each Service Plan:
Scope | Developer | Business | Enterprise | Mission Critical |
---|---|---|---|---|
Workload per account | 100 | 100 | 100 | 1,000 |