Azure Application Gateway Deployment Documentation

Deploying Azure Application Gateway

This document provides a comprehensive guide to deploying and configuring Azure Application Gateway. Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications.

Note: Application Gateway offers Layer 7 load balancing capabilities, including a Web Application Firewall (WAF), SSL termination, and cookie-based session affinity.

Follow these steps to successfully deploy and configure your Application Gateway.

Prerequisites

  • An active Azure subscription.
  • An Azure Virtual Network (VNet) with a dedicated subnet for Application Gateway. This subnet must not contain any other resources.
  • At least one web application or service deployed in Azure or on-premises, accessible by the Application Gateway.
  • Appropriate permissions to create and manage Azure resources.

Deployment Steps

You can deploy Application Gateway using the Azure portal, Azure CLI, Azure PowerShell, or ARM templates. We'll cover the Azure portal steps here.

Step 1: Create Application Gateway

  1. Navigate to the Azure portal and search for "Application Gateway".
  2. Click "Create application gateway".
  3. Fill in the "Basics" tab:
    • Subscription: Select your Azure subscription.
    • Resource group: Choose an existing or create a new one.
    • Application gateway name: Provide a unique name.
    • Region: Select the desired Azure region.
    • Tier: Choose between Standard_v2, WAF_v2 (for WAF capabilities), or Standard_v1, WAF_v1 (older versions). v2 is recommended.
    • Enable autoscaling: Configure if needed.
    • Instance count: Set the initial number of instances.
    • Virtual network: Select the VNet and the dedicated subnet.
  4. Click "Next: Frontend".

Step 2: Configure Frontend IP

  1. In the "Frontend" tab:
    • Frontend IP address type: Public or Private. For public access, you'll need a public IP address.
    • If Public, select or create a Public IP address.
    • If Private, the gateway will use an IP from the specified subnet.
  2. Click "Next: Backend targets".

Step 3: Configure Backend Pool

  1. In the "Backend targets" tab:
    • Click "Add a backend pool".
    • Name: Give your backend pool a name.
    • Target type: Choose between IP address, FQDN, or App Service.
    • Target: Enter the IP address, FQDN, or select the App Service that hosts your application.
    • Add multiple targets if needed.
    • Click "Add".
  2. Click "Next: Configuration".

Step 4: Configure HTTP Settings

  1. In the "Configuration" tab, click "Add a routing rule".
  2. In the "Add a routing rule" pane, add a new backend setting (the portal's current name for what were previously called HTTP settings).
  3. Configure the backend settings:
    • Name: Provide a name for the HTTP settings.
    • Backend protocol: HTTP or HTTPS.
    • Backend port: The port your backend application listens on (e.g., 80, 443).
    • Use well-known CA certificate: Select if your backend uses a certificate signed by a trusted CA.
    • Use custom probe: Configure a custom health probe if needed.
    • Cookie-based session affinity: Enable if required.
    • Connection draining: Enable to gracefully remove instances from the backend pool.
    • Request timeout: Set the timeout value.
  4. Click "Add".

Step 5: Configure Listener

  1. Still in the "Add a routing rule" pane, configure the listener:
    • Listener name: Give the listener a name.
    • Frontend IP: Select the frontend IP address created earlier.
    • Protocol: HTTP or HTTPS.
    • Port: The port clients will connect on (e.g., 80, 443).
    • Listener type: Basic or Multi site.
    • If HTTPS, upload your SSL certificate or select one from Key Vault.

Step 6: Configure Rules

  1. Associate the backend pool and HTTP settings with the listener.
  2. Click "Add" to create the routing rule.

Step 7: Review and Deploy

  1. Click "Next: Tags" to add tags if desired.
  2. Click "Next: Review + create".
  3. Review all settings. If everything is correct, click "Create".

Verification

Once the deployment is complete, test your Application Gateway by accessing your application's URL. Ensure traffic is correctly routed and your application is responsive.

You can also check the metrics and logs in the Azure portal for insights into traffic patterns and potential issues.
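
To check the deployed configuration as well as the portal's metrics and logs, the added example below (not part of the original guide or of Microsoft's documentation) audits a gateway's exported JSON for the choices made in Steps 1, 4 and 5: tier, listener protocol and backend protocol. The sample is constructed in the shape of `az network application-gateway show` output, and the finding names are this example's own.

```python
import json

# Constructed sample in the shape of `az network application-gateway show`
# output, trimmed to the fields the checks read. All names are made up.
SAMPLE = json.loads("""{
  "sku": {"tier": "Standard_v2"},
  "httpListeners": [
    {"name": "l-http", "protocol": "Http"},
    {"name": "l-http-redir", "protocol": "Http"},
    {"name": "l-https", "protocol": "Https"}],
  "backendHttpSettingsCollection": [
    {"name": "s-plain", "protocol": "Http", "port": 80},
    {"name": "s-tls", "protocol": "Https", "port": 443}],
  "requestRoutingRules": [
    {"httpListener": {"id": "/x/httpListeners/l-http"},
     "redirectConfiguration": null},
    {"httpListener": {"id": "/x/httpListeners/l-http-redir"},
     "redirectConfiguration": {"id": "/x/redirectConfigurations/to-https"}},
    {"httpListener": {"id": "/x/httpListeners/l-https"},
     "redirectConfiguration": null}]
}""")


def audit_gateway(gw):
    """Return (check, resource) findings for settings chosen in Steps 1, 4 and 5."""
    findings = []
    tier = gw.get("sku", {}).get("tier", "")
    if not tier.endswith("_v2"):
        findings.append(("tier-not-v2", tier))
    if not tier.startswith("WAF"):
        findings.append(("no-waf-tier", tier))
    # A listener whose routing rule carries a redirect configuration does not
    # forward requests to a backend; assumed here to be an HTTP-to-HTTPS redirect.
    redirected = {
        rule["httpListener"]["id"].rsplit("/", 1)[-1]
        for rule in gw.get("requestRoutingRules", [])
        if rule.get("redirectConfiguration")
    }
    for listener in gw.get("httpListeners", []):
        if listener["protocol"].lower() == "http" and listener["name"] not in redirected:
            findings.append(("plaintext-listener", listener["name"]))
    for setting in gw.get("backendHttpSettingsCollection", []):
        if setting["protocol"].lower() == "http":
            findings.append(("plaintext-backend", setting["name"]))
    return findings


if __name__ == "__main__":
    print(audit_gateway(SAMPLE))
```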

Troubleshooting

Common Issues:

  • Subnet Size: Ensure the Application Gateway subnet is sufficiently sized (at least /27 for v1, /29 for v2).
  • Network Security Groups (NSGs): Verify that NSGs on the Application Gateway subnet do not block necessary traffic.
  • Backend Health: Check the health status of your backend pool in the Application Gateway's "Health" section.
  • SSL Certificates: For HTTPS listeners, ensure certificates are valid, correctly uploaded, and have the correct private key.
  • Firewall Rules: If using on-premises backends, ensure your firewall allows traffic from the Application Gateway's IP.
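
For the NSG item above, the added example below (not from the original guide) evaluates inbound rules in priority order and reports which rule blocks the gateway's infrastructure ports. It assumes a v2 gateway, for which Azure's documentation requires inbound TCP 65200-65535 from the GatewayManager service tag, rule JSON in the shape of `az network nsg rule list` output, and constructed sample rules.

```python
# Inbound ports a v2 gateway needs from the GatewayManager service tag
# (range taken from Azure's documentation, not from this guide).
GATEWAY_MANAGER_PORTS = range(65200, 65536)

# Constructed sample rules; names and priorities are made up.
SAMPLE_RULES = [
    {"name": "allow-https", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
    {"name": "deny-high-ports", "priority": 200, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "65000-65300"},
    {"name": "allow-gwm", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "GatewayManager",
     "destinationPortRange": "65200-65535"},
]


def _port_spans(rule):
    """Yield (low, high) pairs from either the single or the multi-range field."""
    specs = rule.get("destinationPortRanges") or [rule["destinationPortRange"]]
    for spec in specs:
        if spec == "*":
            yield (0, 65535)
        else:
            low, _, high = spec.partition("-")
            yield (int(low), int(high or low))


def _applies(rule, port):
    # Simplification of this example: only "*", "Internet" and "GatewayManager"
    # sources are treated as covering GatewayManager traffic; CIDR sources and
    # destination address prefixes are not evaluated.
    return (rule["direction"] == "Inbound"
            and rule["protocol"] in ("Tcp", "*")
            and rule["sourceAddressPrefix"] in ("*", "Internet", "GatewayManager")
            and any(low <= port <= high for low, high in _port_spans(rule)))


def blocked_infrastructure_ports(rules):
    """Map the deciding rule's name to the required ports it denies."""
    ordered = sorted(rules, key=lambda r: r["priority"])  # lowest number wins
    blocked = {}
    for port in GATEWAY_MANAGER_PORTS:
        first = next((r for r in ordered if _applies(r, port)), None)
        if first is None:  # nothing matched: the default DenyAllInBound applies
            blocked.setdefault("DenyAllInBound (default)", []).append(port)
        elif first["access"] == "Deny":
            blocked.setdefault(first["name"], []).append(port)
    return blocked
```

An empty result means every required port is allowed by the first rule that matches it.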

Consult the official Azure documentation for detailed troubleshooting guides for specific error scenarios.