Azure Application Gateway Features

SSL/TLS Termination

Application Gateway can decrypt incoming SSL/TLS traffic, allowing decryption to occur at the gateway. This offloads the decryption overhead from your backend servers and simplifies SSL certificate management. You can then choose to re-encrypt traffic to the backend or send it unencrypted.

Key aspects:

• Centralized SSL certificate management
• Offloads CPU-intensive SSL decryption
• Supports both end-to-end SSL and SSL termination

Web Application Firewall (WAF)

Application Gateway includes an integrated Web Application Firewall (WAF) that helps protect your web applications from common web exploits and vulnerabilities. It provides protection against threats like SQL injection, cross-site scripting (XSS), and other common attacks.

The WAF offers:

• Protection against OWASP Top 10 vulnerabilities
• Managed rule sets for common threats
• Custom rule capabilities for specific needs
• Detection and prevention modes

Cookie-Based Session Affinity

Also known as "sticky sessions," this feature ensures that all requests from a particular client are sent to the same backend server. This is crucial for applications that rely on server-side session state and cannot handle requests distributed across multiple servers.

Path-Based Routing

Application Gateway allows you to route traffic to different backend pools based on the URL path of the request. This is extremely useful for microservices architectures or monolithic applications where different URL paths map to different services or application modules.

Example:

• /images/* routes to the image backend pool
• /api/* routes to the API backend pool
• /* routes to the default web server pool

Host-Header Routing

This feature enables you to route traffic to different backend pools based on the host header in the HTTP request. It's essential for hosting multiple websites on a single IP address. Application Gateway supports wildcard host names for more flexible configurations.

URL Rewriting

Application Gateway supports URL rewriting, allowing you to modify the URL of a request before it's forwarded to the backend. This can be used to simplify URLs, redirect old URL paths, or manage internal application structures without affecting the client-facing URL.

Health Probes

Application Gateway continuously monitors the health of your backend instances using configurable health probes. If an instance becomes unhealthy, Application Gateway automatically stops sending traffic to it, ensuring high availability and reliability for your applications.

Probe configurations include:

• Protocol (HTTP, HTTPS, TCP)
• Host, path, and port
• Interval and timeout settings
• Unhealthy threshold

Connection Draining

Connection draining allows you to gracefully remove backend instances from service during maintenance or updates. When an instance is marked for removal, Application Gateway ensures that all existing connections to that instance are completed before it's taken out of rotation.

SKU Options (Standard, WAF, WAF_v2)

Application Gateway offers different SKUs to meet various performance and security needs:

• Standard_v1/v2: Provides robust load balancing and routing features.
• WAF_v1/v2: Includes all Standard features plus comprehensive WAF capabilities.
• WAF_v2: The latest generation, offering autoscaling, zone redundancy, and improved performance.

Autoscaling (v2 SKU)

The v2 SKU of Application Gateway supports autoscaling, allowing it to automatically scale up or down based on traffic load. This ensures optimal performance and cost-efficiency by dynamically adjusting capacity as needed.

Zone Redundancy (v2 SKU)

With the v2 SKU, Application Gateway can be deployed across multiple Availability Zones in a region. This provides high availability by ensuring that your gateway remains accessible even if one Availability Zone experiences an outage.