Azure Application Gateway Listeners

Listeners are a crucial component of Azure Application Gateway. A listener accepts incoming requests that match its configured port, protocol, host name, and frontend IP address. Each listener is associated with a request routing rule that defines how the request is routed to the appropriate backend pool.

Types of Listeners

Application Gateway supports two primary types of listeners:

  • Basic Listener: Configured with a single port and protocol. It accepts all traffic on that port regardless of host name, and the rule attached to it sends that traffic to a single backend pool.
  • Multi-site Listener: Allows you to host multiple websites on a single Application Gateway instance. You configure it with a port, protocol, and a host name, enabling it to differentiate between requests for different domains.

Listener Configuration Parameters

When configuring a listener, several parameters need to be defined:

  • Name: A unique identifier for the listener.
  • Frontend IP address: The public or private IP address assigned to the Application Gateway.
  • Port: The network port on which the listener will accept incoming traffic (e.g., 80 for HTTP, 443 for HTTPS).
  • Protocol: The transport protocol (HTTP or HTTPS).
  • Host name: (Optional, primarily for multi-site listeners) The domain name for which the listener will accept requests.
  • Cookie-based affinity: Enables session stickiness for clients.
  • SSL certificate: (Required for HTTPS listeners) The SSL certificate to use for decrypting HTTPS traffic.
  • Custom error pages: (Optional) Define custom error pages for specific HTTP error codes.

Configuring an HTTPS Listener

To configure an HTTPS listener, you need to provide an SSL certificate. This can be uploaded as a PFX file or referenced from Azure Key Vault. The Application Gateway uses this certificate to decrypt incoming HTTPS traffic before routing it.

Example: Creating an HTTPS Listener using Azure CLI

The following Azure CLI commands register an SSL certificate that is referenced from Key Vault and then create an HTTPS listener that uses it. The listener is bound to a frontend port sub-resource rather than to a raw port number, and because the gateway reads the certificate from Key Vault, no PFX password needs to appear on the command line:

# Assumes a frontend IP named myFrontendIP and a frontend port named
# myFrontendPort443 (port 443) already exist on the gateway. Binding an SSL
# certificate is what makes the listener HTTPS; <vault-name> is a placeholder.
az network application-gateway ssl-cert create \
  --gateway-name myAppGateway \
  --resource-group myResourceGroup \
  --name mySslCert \
  --key-vault-secret-id "https://<vault-name>.vault.azure.net/secrets/mySslCert"

az network application-gateway http-listener create \
  --gateway-name myAppGateway \
  --resource-group myResourceGroup \
  --name myHttpsListener \
  --frontend-ip myFrontendIP \
  --frontend-port myFrontendPort443 \
  --ssl-cert mySslCert

Listener and Rule Association

A listener itself doesn't perform any routing actions. It simply listens for traffic. The associated request routing rule determines where the traffic is sent. A rule connects a listener to a backend pool and specifies HTTP settings for the connection to the backend servers.

Best Practices

  • Use dedicated listeners for different ports and protocols.
  • For multi-site hosting, leverage multi-site listeners with specific host names.
  • Always configure listeners for HTTPS to ensure secure communication.
  • Use managed identities or service principals for Key Vault access to secure your SSL certificates.
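
These practices, and the listener-to-rule association described above, can be checked mechanically. The following Python is an added example, not code from the original page or from any Azure tooling: it audits the listeners of an Application Gateway resource in the REST/ARM template shape, using the HttpListener property names from the API reference below. The gateway JSON, its resource IDs and the listener names are constructed samples with placeholder values.

```python
GW_ID = ("/subscriptions/<sub>/resourceGroups/<rg>/providers"
         "/Microsoft.Network/applicationGateways/myAppGateway")

def ref(kind, name):
    """SubResource reference {'id': ...} to a child resource of the gateway."""
    return {"id": f"{GW_ID}/{kind}/{name}"}

def leaf(sub):
    """Child resource name: the last path segment of a SubResource id."""
    return sub["id"].rsplit("/", 1)[-1]

# Constructed sample in the ARM applicationGateway shape (placeholder IDs).
SAMPLE_GATEWAY = {"properties": {
    "frontendPorts": [{"name": "port80", "properties": {"port": 80}},
                      {"name": "port443", "properties": {"port": 443}}],
    "httpListeners": [
        {"name": "httpsListener", "properties": {
            "protocol": "Https", "hostName": "shop.example.com",
            "frontendPort": ref("frontendPorts", "port443"),
            "sslCertificate": ref("sslCertificates", "shopCert")}},
        {"name": "plainListener", "properties": {
            "protocol": "Http", "frontendPort": ref("frontendPorts", "port80")}},
        {"name": "orphanListener", "properties": {
            "protocol": "Https", "frontendPort": ref("frontendPorts", "port443")}}],
    "requestRoutingRules": [
        {"name": "shopRule", "properties": {
            "httpListener": ref("httpListeners", "httpsListener")}},
        {"name": "plainRule", "properties": {
            "httpListener": ref("httpListeners", "plainListener")}}]}}

def audit_listeners(gateway):
    """Return {listener name: [findings]}; listeners without findings are omitted."""
    props = gateway["properties"]
    ports = {p["name"]: p["properties"]["port"] for p in props["frontendPorts"]}
    # A listener no request routing rule points at accepts traffic but routes nothing.
    routed = {leaf(r["properties"]["httpListener"])
              for r in props.get("requestRoutingRules", [])}
    findings = {}
    for listener in props["httpListeners"]:
        name, lp = listener["name"], listener["properties"]
        issues = []
        if lp.get("protocol") == "Http":
            issues.append(f"plaintext HTTP on port {ports[leaf(lp['frontendPort'])]}")
        elif not lp.get("sslCertificate"):
            issues.append("HTTPS listener with no sslCertificate bound")
        if name not in routed:
            issues.append("no request routing rule references this listener")
        if issues:
            findings[name] = issues
    return findings
```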

API Reference Snippet

HttpListener Properties

name: string - Required. Unique name for the listener.

frontendIPConfiguration: SubResource - Required. Frontend IP configuration binding.

frontendPort: SubResource - Required. Frontend port binding.

protocol: string - Protocol for the listener. Possible values: "Http", "Https".

hostName: string - Host name for the listener. Used for multi-site listeners.

sslCertificate: SubResource - SSL certificate for HTTPS listeners.