Quickstart: Create an Application Gateway with SSL Termination

This guide will walk you through the essential steps to deploy an Azure Application Gateway with SSL termination enabled. Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications.

Prerequisites

Step 1: Create a Resource Group

First, create a resource group to hold your Application Gateway and related resources. A resource group is a logical container for your Azure resources.

az group create --name myAppGatewayResourceGroup --location westus2

Step 2: Create a Virtual Network (VNet) and Subnet

Application Gateway requires a dedicated subnet within your virtual network. This subnet cannot contain any other Azure resources.

1. Create the VNet:

az network vnet create --resource-group myAppGatewayResourceGroup --name myVnet --address-prefix 10.0.0.0/16

2. Create the subnet for Application Gateway:

az network vnet subnet create --resource-group myAppGatewayResourceGroup --vnet-name myVnet --name appGatewaySubnet --address-prefix 10.0.1.0/24

Step 3: Create the Application Gateway

Now, create the Application Gateway itself. This command specifies the SKU (Standard_v2), instance count, and the subnet created in the previous step. We'll also configure it to use SSL termination by providing a certificate.

For this quickstart, we'll generate a self-signed certificate. In production environments, you should use certificates from a trusted Certificate Authority (CA).
1. Generate a self-signed SSL certificate (for testing purposes) and bundle it with its private key into a PFX (PKCS#12) file, which is the format Application Gateway accepts. The subjectAltName extension is included because browsers match the host name against the SAN rather than the CN:

openssl req -x509 -newkey rsa:2048 -nodes -keyout appgw.key -out appgw.cer -days 365 -subj "/CN=www.test.com" -addext "subjectAltName=DNS:www.test.com"

openssl pkcs12 -export -inkey appgw.key -in appgw.cer -out appgw.pfx -passout pass:<pfx-password>

You will have three files: appgw.key, appgw.cer and appgw.pfx. Keep the PFX password at hand; it is required whenever the certificate is uploaded.

2. Create the Application Gateway using the certificate. The Standard_v2 SKU requires a Standard-SKU public IP address, so create that first:

az network public-ip create --resource-group myAppGatewayResourceGroup --name myAppGatewayPublicIP --sku Standard --allocation-method Static

az network application-gateway create --resource-group myAppGatewayResourceGroup --name myAppGateway --sku Standard_v2 --capacity 2 --vnet-name myVnet --subnet appGatewaySubnet --public-ip-address myAppGatewayPublicIP --cert-file appgw.pfx --cert-password <pfx-password> --priority 100

This process can take several minutes to complete.

Step 4: Configure Listener and Backend Pool

Application Gateway needs a listener to accept incoming traffic and a backend pool to route that traffic to. For simplicity, we'll configure a basic HTTP listener and a default backend pool pointing to an imaginary web server.

1. Create a backend address pool:

az network application-gateway address-pool create --resource-group myAppGatewayResourceGroup --gateway-name myAppGateway --name myBackendPool

2. Create an HTTP setting (defines how traffic is sent to backend servers):

az network application-gateway http-settings create --resource-group myAppGatewayResourceGroup --gateway-name myAppGateway --name myHttpSettings --port 80 --protocol Http --cookie-based-affinity Disabled

3. Create a listener for HTTPS traffic on port 443, referencing the SSL certificate. The create command in Step 3 already set up a frontend IP configuration (appGatewayFrontendIP), a frontend port for 443 (appGatewayFrontendPort) and a basic listener on it; the new listener is bound to the www.test.com host name so that it can share that port. The certificate is uploaded under an explicit name so the listener can reference it:

az network application-gateway ssl-cert create --resource-group myAppGatewayResourceGroup --gateway-name myAppGateway --name myAppGwCert --cert-file appgw.pfx --cert-password <pfx-password>

az network application-gateway http-listener create --resource-group myAppGatewayResourceGroup --gateway-name myAppGateway --name myHttpsListener --frontend-port appGatewayFrontendPort --frontend-ip appGatewayFrontendIP --host-name www.test.com --ssl-cert myAppGwCert

4. Create a rule to tie the listener, backend pool, and HTTP settings together (every rule on a v2 gateway needs a unique priority; 100 is already used by the rule the create command generated):

az network application-gateway rule create --resource-group myAppGatewayResourceGroup --gateway-name myAppGateway --name myHttpsRule --rule-type Basic --priority 110 --http-listener myHttpsListener --address-pool myBackendPool --http-settings myHttpSettings

Step 5: Verify Deployment

Once the commands complete, your Application Gateway will be deployed and configured. You can retrieve its public IP address to test access.

az network public-ip show --resource-group myAppGatewayResourceGroup --name myAppGatewayPublicIP --query ipAddress -o tsv

Copy the IP address returned. You can then navigate to https://<your-app-gateway-ip> in your browser. You will likely see a certificate warning because it's self-signed, but the TLS connection should establish. Because the backend pool is still empty, the gateway itself will answer with an HTTP 502 once the handshake completes; that response confirms SSL termination is working at the gateway.

To test with actual web applications, you would typically deploy virtual machines or Azure App Service instances and add their IP addresses or FQDNs to the backend pool.
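As an added example (not part of the original quickstart), the following bash functions build the certificate bundle from Step 3 and check it before it is uploaded: that the private key really belongs to the certificate, that the SAN carries the host name the listener serves, and that the certificate is not about to expire. The working directory, host name and PFX password are passed as arguments; those argument names are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not the quickstart's own code. Requires OpenSSL 1.1.1 or later.
# File names (appgw.key, appgw.cer, appgw.pfx) match the guide; the arguments
# (directory, host name, PFX password) are assumptions for this example.
set -euo pipefail

# Generate a self-signed test certificate with a SAN entry; browsers and
# Application Gateway host-name matching look at the SAN, not the CN.
gen_test_cert() {
  local dir=$1 host=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$dir/appgw.key" -out "$dir/appgw.cer" \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" 2>/dev/null
}

# Bundle key and certificate into the PKCS#12 file that Application Gateway expects.
make_pfx() {
  local dir=$1 pass=$2
  openssl pkcs12 -export -inkey "$dir/appgw.key" -in "$dir/appgw.cer" \
    -out "$dir/appgw.pfx" -passout "pass:$pass"
}

# Return 0 only if the key matches the certificate, the SAN contains the
# expected host name and the certificate stays valid for at least 30 days.
check_bundle() {
  local dir=$1 host=$2
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$dir/appgw.cer" -noout -pubkey)
  key_pub=$(openssl pkey -in "$dir/appgw.key" -pubout)
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "private key does not match certificate" >&2; return 1; }
  openssl x509 -in "$dir/appgw.cer" -noout -ext subjectAltName \
    | grep -Fw "DNS:$host" >/dev/null \
    || { echo "SAN does not contain $host" >&2; return 1; }
  openssl x509 -in "$dir/appgw.cer" -noout -checkend $((30 * 24 * 3600)) >/dev/null \
    || { echo "certificate expires within 30 days" >&2; return 1; }
}
```

Run the checks on the bundle before `az network application-gateway create`; a mismatch or a missing SAN is far cheaper to catch locally than after a multi-minute deployment.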

Next Steps