Application Gateway Settings
This page details the various configuration settings available for Azure Application Gateway, enabling you to customize its behavior for your specific application needs.
Basic Configuration
Listeners
Listeners define how traffic is accepted by the Application Gateway. You can configure:
- Protocol: HTTP or HTTPS.
- Port: Typically 80 for HTTP and 443 for HTTPS.
- Frontend IP address: The public or private IP address for incoming traffic.
- SSL certificate: For HTTPS listeners, you need to upload or reference an SSL certificate for secure connections.
Rules
Rules determine how Application Gateway routes incoming requests to backend pools. Key components include:
- Request routing rules: Connect a listener to a backend target.
- HTTP settings: Define parameters for the connection to the backend, such as port, protocol, cookie-based affinity, and connection draining.
- Backend pools: A collection of virtual machines, virtual machine scale sets, app services, or IP addresses that host your application.
- Health probes: Used to monitor the health of backend instances.
HTTP Settings
HTTP settings are crucial for defining how Application Gateway communicates with your backend servers. Configure the following:
- Backend protocol: HTTP or HTTPS.
- Backend port: The port on which your backend services listen.
- Cookie-based affinity: Enables sticky sessions to direct requests from the same client to the same backend server.
- Connection draining: Allows existing connections to complete before an instance is removed from rotation during updates or deployments.
- HTTP/2: Enable for improved performance if supported by your backend.
- Custom probes: Associate a specific health probe with this HTTP setting.
- Pick hostname from backend target: Automatically sets the host header based on the backend target's FQDN.

Health Probes
Application Gateway uses health probes to ensure requests are sent only to healthy backend instances. You can customize probes with:
- Protocol: HTTP, HTTPS, or TCP.
- Host: The host header used in the probe request.
- Path: The URI path used for the probe.
- Interval: The time in seconds between probe attempts.
- Timeout: The time in seconds before a probe attempt times out.
- Unhealthy threshold: The number of consecutive failed probes before an instance is marked unhealthy.
SSL Offloading
For HTTPS listeners, Application Gateway can handle SSL/TLS decryption, offloading this processing from your backend servers.
- Upload or reference an SSL certificate: Support for PFX files with private keys or Azure Key Vault certificates.
- SSL Policy: Define the minimum TLS version and cipher suites allowed.
You can also configure end-to-end SSL encryption by using HTTPS for connections to the backend.
Web Application Firewall (WAF)
Application Gateway offers a Web Application Firewall to protect your web applications from common exploits. Key WAF settings include:
- WAF Mode: Detection (logs threats) or Prevention (blocks threats).
- WAF Policy: Associate a managed rule set (e.g., OWASP CRS) or create custom rules.
- Exclusion rules: Specify parts of requests to exclude from WAF inspection.
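The listener, HTTP settings, SSL policy and WAF mode options described above can be checked together on an exported gateway configuration. The following is an added example, not code from the original page or from Azure. It assumes the JSON shape printed by `az network application-gateway show`, uses a constructed sample, and takes TLS 1.2 as its minimum, which is this example's assumption. WAF policies attached as separate resources are not inspected.

```python
import json

# Constructed sample. Field names are assumed to follow the output of
# `az network application-gateway show` (ARM properties flattened).
SAMPLE = json.loads("""{
  "httpListeners": [{"name": "web-http", "protocol": "Http"},
                    {"name": "web-https", "protocol": "Https"}],
  "backendHttpSettingsCollection": [{"name": "api-settings", "protocol": "Http"},
                                    {"name": "app-settings", "protocol": "Https"}],
  "sslPolicy": {"minProtocolVersion": "TLSv1_0"},
  "webApplicationFirewallConfiguration": {"enabled": true, "firewallMode": "Detection"}
}""")

TLS_ORDER = ["TLSv1_0", "TLSv1_1", "TLSv1_2", "TLSv1_3"]
MIN_TLS = "TLSv1_2"  # assumed baseline for this example, not stated on the page


def audit(gw):
    """Return (setting, finding) tuples for one gateway configuration dict."""
    findings = []
    for listener in gw.get("httpListeners") or []:
        if listener.get("protocol", "").lower() != "https":
            findings.append((f"listener/{listener.get('name')}", "accepts plaintext HTTP"))
    for s in gw.get("backendHttpSettingsCollection") or []:
        if s.get("protocol", "").lower() != "https":
            findings.append((f"httpSettings/{s.get('name')}", "no end-to-end TLS to backend"))
    min_tls = (gw.get("sslPolicy") or {}).get("minProtocolVersion")
    if min_tls is None:
        findings.append(("sslPolicy", "minimum TLS version not set explicitly"))
    elif min_tls not in TLS_ORDER or TLS_ORDER.index(min_tls) < TLS_ORDER.index(MIN_TLS):
        findings.append(("sslPolicy", f"minimum TLS version {min_tls} is below {MIN_TLS}"))
    waf = gw.get("webApplicationFirewallConfiguration") or {}
    if not waf.get("enabled"):
        findings.append(("waf", "no gateway-level WAF configuration enabled"))
    elif waf.get("firewallMode") != "Prevention":
        findings.append(("waf", "Detection mode: threats are logged, not blocked"))
    return findings


if __name__ == "__main__":
    for setting, finding in audit(SAMPLE):
        print(f"{setting}: {finding}")
```

An HTTP listener that exists only to redirect to HTTPS will still be reported, so review listener findings against the routing rules.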
Backend Health
The Backend Health section provides a dashboard view of the health status of your backend instances. You can view:
- Details of each backend instance.
- The current health status (Healthy, Unhealthy, Unknown).
- The reason for an unhealthy status, if applicable.
Routing Methods
Application Gateway supports two primary routing methods:
- Path-based routing: Routes requests to different backend pools based on the URL path.
- Host-based routing: Routes requests to different backend pools based on the host header. This is useful for hosting multiple domains on a single Application Gateway.