Introduction to Azure Application Gateway
Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. It supports various Layer 7 load balancing capabilities. It allows you to route traffic based on attributes of the request, such as the URI path or host headers. For instance, if you have multiple web applications hosted on the same virtual machine scale set, you can use Application Gateway to route requests to the correct application.
Application Gateway offers a fully managed application delivery controller (ADC) as a service. It is ideal for load balancing application traffic, and it provides advanced routing capabilities and enhanced security for your web applications.
Key Components
An Application Gateway deployment consists of the following components:
- Frontend IP configuration: This can be a public IP address, a private IP address, or both. It’s the IP address clients use to connect to the application gateway.
- Listeners: A listener is the logical entity that accepts incoming traffic. It's configured with a frontend IP address, port, and protocol (HTTP or HTTPS). You can configure multiple listeners for a single application gateway.
- Rules: Request routing rules bind a listener to a backend pool and an HTTP setting. There are two rule types:
- Basic rules: Route all traffic from a listener to a single backend pool with a single HTTP setting.
- Path-based rules: Use a URL path map to send requests to different backend pools and HTTP settings depending on the URL path, with a default pool for paths that match nothing. Routing by host name is not a rule type; it is done with multi-site listeners, each matching its own host name(s) and bound to its own rule.
- Backend pools: A backend pool contains the virtual machines, virtual machine scale sets, or web apps that will serve the incoming requests.
- HTTP settings: These settings define how Application Gateway forwards requests to the backend. They include the protocol and port used toward the backend, cookie-based affinity, connection draining, request timeout, host name override, and which health probe to use.
- Health probes: These are used to monitor the health of the backend servers. If a server is unhealthy, Application Gateway stops sending traffic to it.
- Certificates: TLS certificates attached to HTTPS listeners for TLS termination (ideally stored in Azure Key Vault rather than uploaded directly), and, for end-to-end TLS, the trusted root certificates (v2) or authentication certificates (v1) used to validate the backend server's certificate.
Traffic Flow Diagram and Explanation

Here's a typical traffic flow:
- A client sends an HTTP/HTTPS request to the public IP address of the Application Gateway.
- The Application Gateway's frontend IP configuration receives the request.
- A configured listener matches the incoming request based on port, protocol, and host.
- The Application Gateway evaluates the routing rules associated with the listener.
- Based on the rule (e.g., path-based routing), Application Gateway selects the appropriate backend pool.
- The HTTP settings are applied to build the backend request: backend protocol and port, an optional host name override, and the X-Forwarded-For and X-Forwarded-Proto headers that tell the backend the original client address and scheme.
- Application Gateway forwards the request to one of the healthy backend servers in the selected pool.
- The backend server processes the request and sends the response back to Application Gateway.
- Application Gateway sends the response back to the client.
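The steps above read as a pipeline, so here is the same flow written out as a small model that can be run offline. This is an added example, not Microsoft's code or the gateway's real implementation; every listener, pool, address and host name is constructed, and two behaviours are modelled rather than taken from the page: a multi-site listener whose host name matches is preferred over a basic listener on the same port, and path rules are tried in the order listed with the first match winning.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Constructed model of the components described above; all names are invented.
@dataclass
class Listener:
    name: str
    port: int
    protocol: str                 # "Http" or "Https"
    host_names: tuple = ()        # empty = basic listener (matches any host)

@dataclass
class HttpSettings:
    name: str
    protocol: str                 # protocol used toward the backend
    port: int
    cookie_affinity: bool = False

@dataclass
class BackendPool:
    name: str
    servers: tuple
    healthy: frozenset            # members the health probe currently reports as up

@dataclass
class Rule:
    name: str
    listener: str
    default_pool: str
    default_settings: str
    path_rules: tuple = ()        # ((pattern, pool, settings), ...) makes this a path-based rule

@dataclass
class Gateway:
    listeners: list
    rules: list
    pools: dict
    settings: dict
    rr: dict = field(default_factory=dict)   # per-pool round-robin cursor

def match_listener(gw, port, protocol, host):
    """Step 3 (modelled): a multi-site listener whose host pattern matches wins
    over a basic listener on the same port and protocol."""
    on_port = [l for l in gw.listeners if l.port == port and l.protocol == protocol]
    for l in on_port:
        if any(fnmatchcase(host, pattern) for pattern in l.host_names):
            return l
    return next((l for l in on_port if not l.host_names), None)

def select_backend(rule, path):
    """Step 5 (modelled): first path rule that matches wins, else the defaults."""
    for pattern, pool, settings in rule.path_rules:
        if fnmatchcase(path, pattern):
            return pool, settings
    return rule.default_pool, rule.default_settings

def pick_server(gw, pool, settings, affinity_cookie=None):
    """Step 7: honour the affinity cookie while that server is healthy,
    otherwise round-robin over the healthy members only."""
    healthy = [s for s in pool.servers if s in pool.healthy]
    if not healthy:
        return None
    if settings.cookie_affinity and affinity_cookie in healthy:
        return affinity_cookie
    i = gw.rr.get(pool.name, 0)
    gw.rr[pool.name] = i + 1
    return healthy[i % len(healthy)]

def route(gw, port, protocol, host, path, affinity_cookie=None):
    """Walk steps 3 to 7 and report what the gateway would do with the request."""
    listener = match_listener(gw, port, protocol, host)
    if listener is None:
        return {"status": None, "reason": "no listener for this port/protocol/host"}
    rule = next((r for r in gw.rules if r.listener == listener.name), None)
    if rule is None:
        return {"status": None, "reason": f"listener {listener.name} has no rule"}
    pool_name, settings_name = select_backend(rule, path)
    pool, settings = gw.pools[pool_name], gw.settings[settings_name]
    server = pick_server(gw, pool, settings, affinity_cookie)
    if server is None:
        # No healthy member left: Application Gateway answers 502 Bad Gateway.
        return {"status": 502, "reason": f"no healthy servers in {pool_name}"}
    return {"status": 200, "listener": listener.name, "rule": rule.name,
            "pool": pool_name, "settings": settings_name, "server": server,
            "upstream": f"{settings.protocol.lower()}://{server}:{settings.port}{path}"}

def sample_gateway():
    """Two sites on 443 plus a basic listener on 80; one api member failed its probe."""
    return Gateway(
        listeners=[Listener("http-any", 80, "Http"),
                   Listener("shop-https", 443, "Https", ("shop.example.com",)),
                   Listener("api-https", 443, "Https", ("api.example.com", "*.api.example.com"))],
        rules=[Rule("shop-rule", "shop-https", "shop-pool", "tls-443",
                    path_rules=(("/images/*", "static-pool", "plain-8080"),)),
               Rule("api-rule", "api-https", "api-pool", "tls-443"),
               Rule("http-rule", "http-any", "shop-pool", "plain-8080")],
        pools={"shop-pool": BackendPool("shop-pool", ("10.0.1.4", "10.0.1.5"),
                                        frozenset({"10.0.1.4", "10.0.1.5"})),
               "static-pool": BackendPool("static-pool", ("10.0.2.4",), frozenset({"10.0.2.4"})),
               "api-pool": BackendPool("api-pool", ("10.0.3.4", "10.0.3.5"), frozenset({"10.0.3.5"}))},
        settings={"tls-443": HttpSettings("tls-443", "Https", 443, cookie_affinity=True),
                  "plain-8080": HttpSettings("plain-8080", "Http", 8080)},
    )

if __name__ == "__main__":
    gw = sample_gateway()
    for req in [(443, "Https", "shop.example.com", "/images/logo.png"),
                (443, "Https", "v2.api.example.com", "/orders"),
                (443, "Https", "unknown.example.com", "/")]:
        print(req, "->", route(gw, *req))
```

Two things worth noticing when you run it: the `/images/*` path rule sends image requests to a backend on plaintext port 8080 even though the client connected over TLS, which is exactly the gap end-to-end TLS closes, and `v2.api.example.com` reaches the api pool only through the wildcard host name, with the failed member `10.0.3.4` never selected.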
Key Features
- SSL/TLS Termination: Decrypts incoming TLS traffic at the gateway, reducing the load on backend servers. Note that traffic from the gateway to the backend is then plaintext HTTP unless the HTTP setting uses HTTPS.
- End-to-end SSL/TLS Encryption: Re-encrypts traffic from the gateway to the backend, so data stays encrypted on the backend subnet; the gateway validates the backend's certificate against the trusted root (v2) or authentication (v1) certificates you configure.
- Web Application Firewall (WAF): Protects your web applications from common web exploits and vulnerabilities.
- Cookie-based Session Affinity: Ensures that requests from a particular client are consistently sent to the same backend server.
- URL Path-based Routing: Routes traffic to specific backend pools based on the request's URL path.
- Host-based Routing: Routes traffic to different backend pools based on the requested host name.
- Support for Multiple Websites: Host multiple web applications on the same Application Gateway instance.
- Connection Draining: Allows backend servers to gracefully finish existing requests before being removed from service.
- Redirection: Redirects HTTP requests to HTTPS, or to a different URL.
- Autoscaling (v2 only): Scales the instance count automatically based on traffic load.
Common Use Cases
- Load balancing web applications hosted on Azure Virtual Machines, Virtual Machine Scale Sets, or Azure App Service.
- Securing web applications with the integrated Web Application Firewall (WAF).
- Implementing advanced routing scenarios like path-based routing for microservices.
- Providing a single point of access and SSL termination for multiple internal web applications.
- Fronting on-premises applications whose servers are reachable from the gateway's virtual network over VPN or ExpressRoute, since backend pool members can be specified by IP address or FQDN.
Deployment Models
Application Gateway comes in two generations, each with a Standard and a WAF SKU:
- v1 (Standard and WAF): Offers TLS termination, WAF, and the routing capabilities above, with a fixed instance count.
- v2 (Standard_v2 and WAF_v2): The current generation, adding autoscaling, zone redundancy, static VIPs, Key Vault integration for certificates, and better performance. It is recommended for new deployments.
Security Considerations
Application Gateway enhances security by providing:
- TLS Termination & Encryption: Protects data in transit. Choose a TLS policy that enforces TLS 1.2 as a minimum (for example the predefined AppGwSslPolicy20220101), and use end-to-end TLS for backends that handle sensitive data, since termination alone leaves the gateway-to-backend hop in the clear.
- Web Application Firewall (WAF): Managed rule sets based on the OWASP Core Rule Set, plus custom rules you define. Tune in Detection mode first, then switch to Prevention mode; Detection only logs matches and blocks nothing.
- Network Isolation: Deploy the gateway in a dedicated subnet and restrict the backend subnet's NSG to accept application traffic only from the gateway subnet, so clients cannot bypass the gateway and reach backends directly.
- Integration with Network Security Groups (NSGs): Further control network traffic. The gateway subnet's NSG must still allow inbound traffic from the GatewayManager service tag on ports 65200-65535 (v2) or 65503-65534 (v1) and from AzureLoadBalancer, otherwise the platform cannot manage or health-check the instances.
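The points above are easy to state and easy to miss in a large gateway definition. As an added example (not Microsoft's tooling), the script below walks a JSON document shaped like the output of `az network application-gateway show -o json` and flags the gaps named in this section: an HTTP listener with no redirect, TLS terminated at the gateway but forwarded to the backend in clear (including through path-map rules), a TLS policy that still permits TLS 1.0 or 1.1, and a WAF that is absent or not in Prevention mode. The camelCase property names are the ones I expect in that output and are assumptions to verify against a real export; the sample gateway document is constructed, and `harden()` shows the corrected configuration beside the weak one.

```python
import copy

# Constructed gateway document with the shape (camelCase properties, sub-resources
# referenced by resource ID) expected from `az network application-gateway show`.
# Only the properties the audit reads are included; property names are assumed.
ROOT = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
        "/providers/Microsoft.Network/applicationGateways/appgw-demo")

def rid(kind, name):
    return {"id": f"{ROOT}/{kind}/{name}"}

SAMPLE = {
    "name": "appgw-demo",
    "sku": {"name": "WAF_v2", "tier": "WAF_v2"},
    "sslPolicy": {"policyType": "Predefined", "policyName": "AppGwSslPolicy20150501"},
    "webApplicationFirewallConfiguration": {"enabled": True, "firewallMode": "Detection",
                                            "ruleSetType": "OWASP", "ruleSetVersion": "3.2"},
    "httpListeners": [{"name": "http-80", "protocol": "Http"},
                      {"name": "https-443", "protocol": "Https"},
                      {"name": "admin-8443", "protocol": "Https"}],
    "backendHttpSettingsCollection": [{"name": "plain-8080", "protocol": "Http", "port": 8080},
                                      {"name": "tls-443", "protocol": "Https", "port": 443}],
    "urlPathMaps": [{"name": "web-map",
                     "defaultBackendHttpSettings": rid("backendHttpSettingsCollection", "tls-443"),
                     "pathRules": [{"name": "images", "paths": ["/images/*"],
                                    "backendHttpSettings": rid("backendHttpSettingsCollection", "plain-8080")}]}],
    "requestRoutingRules": [
        {"name": "redirect-rule", "ruleType": "Basic", "httpListener": rid("httpListeners", "http-80"),
         "redirectConfiguration": rid("redirectConfigurations", "to-https")},
        {"name": "web-rule", "ruleType": "PathBasedRouting", "httpListener": rid("httpListeners", "https-443"),
         "urlPathMap": rid("urlPathMaps", "web-map")},
        {"name": "admin-rule", "ruleType": "Basic", "httpListener": rid("httpListeners", "admin-8443"),
         "backendHttpSettings": rid("backendHttpSettingsCollection", "plain-8080")}],
}

# Predefined policies whose minimum protocol version is below TLS 1.2.
WEAK_PREDEFINED = {"AppGwSslPolicy20150501", "AppGwSslPolicy20170401", "AppGwSslPolicy20170401S"}

def ref_name(ref):
    """Sub-resources point at each other by full resource ID; keep the last segment."""
    return (ref or {}).get("id", "").rsplit("/", 1)[-1]

def settings_used_by(gw, rule):
    """Yield (where, settings_name) for every HTTP setting a rule can forward to,
    including the default and per-path settings of a path map."""
    if rule.get("backendHttpSettings"):
        yield rule["name"], ref_name(rule["backendHttpSettings"])
    if rule.get("urlPathMap"):
        pm = next(m for m in gw["urlPathMaps"] if m["name"] == ref_name(rule["urlPathMap"]))
        yield f"{rule['name']} default", ref_name(pm.get("defaultBackendHttpSettings"))
        for pr in pm.get("pathRules", []):
            yield f"{rule['name']} path {pr['name']}", ref_name(pr.get("backendHttpSettings"))

def audit(gw):
    findings = []
    listeners = {l["name"]: l for l in gw.get("httpListeners", [])}
    settings = {s["name"]: s for s in gw.get("backendHttpSettingsCollection", [])}
    for rule in gw.get("requestRoutingRules", []):
        lst = listeners[ref_name(rule["httpListener"])]
        if lst["protocol"] == "Http" and not rule.get("redirectConfiguration"):
            findings.append(("HTTP_LISTENER_NO_REDIRECT", f"listener {lst['name']} serves plaintext HTTP"))
        for where, name in settings_used_by(gw, rule):
            if lst["protocol"] == "Https" and settings[name]["protocol"] == "Http":
                findings.append(("TLS_TERMINATED_THEN_PLAINTEXT",
                                 f"{where}: TLS ends at the gateway, {name} forwards in clear on port {settings[name]['port']}"))
    pol = gw.get("sslPolicy") or {}
    if pol.get("policyType") == "Predefined" and pol.get("policyName") in WEAK_PREDEFINED:
        findings.append(("WEAK_TLS_POLICY", f"{pol['policyName']} allows TLS below 1.2"))
    elif pol.get("policyType") == "Custom" and pol.get("minProtocolVersion") in ("TLSv1_0", "TLSv1_1"):
        findings.append(("WEAK_TLS_POLICY", f"custom policy minimum is {pol['minProtocolVersion']}"))
    elif not pol:
        findings.append(("TLS_POLICY_DEFAULT", "no sslPolicy set; confirm the platform default's minimum version"))
    tier = gw.get("sku", {}).get("tier", "")
    waf = gw.get("webApplicationFirewallConfiguration")
    if "WAF" not in tier:
        findings.append(("NO_WAF", f"sku tier {tier} has no web application firewall"))
    elif waf is not None and not (waf.get("enabled") and waf.get("firewallMode") == "Prevention"):
        findings.append(("WAF_NOT_PREVENTING",
                         f"WAF enabled={waf.get('enabled')} mode={waf.get('firewallMode')}: logs only, blocks nothing"))
    # A v2 gateway may instead attach a WAF via a firewallPolicy reference; audit that policy's mode separately.
    return findings

def harden(gw):
    """Corrected configuration beside the weak one: TLS 1.2 minimum, WAF blocking,
    and end-to-end TLS on every forwarding path (assumes each backend serves TLS on 443)."""
    fixed = copy.deepcopy(gw)
    fixed["sslPolicy"] = {"policyType": "Predefined", "policyName": "AppGwSslPolicy20220101"}
    if fixed.get("webApplicationFirewallConfiguration"):
        fixed["webApplicationFirewallConfiguration"]["firewallMode"] = "Prevention"
    tls = rid("backendHttpSettingsCollection", "tls-443")
    for rule in fixed["requestRoutingRules"]:
        if rule.get("backendHttpSettings"):
            rule["backendHttpSettings"] = tls
    for pm in fixed.get("urlPathMaps", []):
        for pr in pm.get("pathRules", []):
            pr["backendHttpSettings"] = tls
    return fixed

if __name__ == "__main__":
    for code, msg in audit(SAMPLE):
        print(f"{code:30} {msg}")
    print("after harden():", audit(harden(SAMPLE)))
```

Against the sample this reports four findings (the plaintext `/images/*` path and the admin rule, the 2015 TLS policy, and the WAF in Detection mode) and none after `harden()`; the redirected port-80 listener is correctly left alone. To run it against a real gateway, replace `SAMPLE` with `json.load()` of the CLI output and adjust any property name that differs.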