Azure Application Gateway Architecture
Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. It provides load balancing, a web application firewall (WAF), and SSL termination.

Figure 1: High-level architecture of Azure Application Gateway.
Key Components
The Application Gateway service consists of several key components that work together to provide its functionality:
1. Front-end IP Configuration
This defines the IP address that Application Gateway listens on for incoming client traffic. It can be a public IP address, a private IP address, or both.
2. Listeners
A listener represents the port, protocol (HTTP or HTTPS), and certificate (for HTTPS) that Application Gateway listens on. You can configure multiple listeners for different hostnames and paths.
3. Request Routing Rules
These rules determine how traffic received by a listener is routed to the back-end pool. Rules can be based on hostnames, paths, or both.
4. Backend HTTP Settings
These settings define the protocol (HTTP or HTTPS), port, and cookie-based session affinity for traffic sent to the back-end servers. You can also configure health probe settings here.
5. Backend Pools
A backend pool contains the IP addresses or FQDNs (Fully Qualified Domain Names) of the servers that host your web applications. Application Gateway distributes traffic among these servers.
6. Health Probes
Health probes are used to monitor the health of the backend servers. Application Gateway periodically sends probes to the backend servers and routes traffic only to healthy instances.
7. Web Application Firewall (WAF)
Application Gateway offers an optional WAF that protects your web applications from common web exploits and vulnerabilities, such as SQL injection and cross-site scripting attacks.
Architectural Flow
- Client Request: A user's browser sends an HTTP/S request to the public or private IP address of the Application Gateway.
- Listener Match: The Application Gateway's listener checks the incoming request based on configured port, protocol, and hostname.
- Rule Evaluation: If a listener matches, the associated routing rule is evaluated. This rule determines the backend pool and backend HTTP settings to use.
- Health Probe: Before sending the request to a backend server, Application Gateway checks which backend instances are currently healthy, as reported by the configured health probes.
- Request Routing: The request is forwarded to a healthy backend server in the selected backend pool, according to the backend HTTP settings.
- Response: The backend server processes the request and sends the response back to the Application Gateway.
- Response to Client: The Application Gateway returns the response to the client browser. If SSL termination is configured, the gateway handles the SSL encryption/decryption.
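The flow above, modelled as a small Python simulation (an added example, not Microsoft's implementation and not code from the original page). The listener, rule and pool names, the addresses, the round-robin selection and the preference for hostname-specific listeners are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from itertools import count
from typing import Optional

@dataclass
class Listener:
    name: str
    port: int
    protocol: str            # "Http" or "Https"
    host: Optional[str]      # None matches any hostname

@dataclass
class Rule:
    listener: str            # listener this rule is attached to
    default_pool: str
    path_map: dict = field(default_factory=dict)  # path prefix -> pool name

# Constructed sample configuration; all names and addresses are hypothetical.
LISTENERS = [Listener("shop-https", 443, "Https", "shop.example.com"),
             Listener("any-http", 80, "Http", None)]
RULES = [Rule("shop-https", "app-pool", {"/images/": "static-pool"}),
         Rule("any-http", "app-pool")]
POOLS = {"app-pool": ["10.0.1.4", "10.0.1.5"], "static-pool": ["10.0.2.4"]}
# Health state as last recorded by the periodic probes (constructed values).
HEALTH = {"10.0.1.4": False, "10.0.1.5": True, "10.0.2.4": False}
_next = count()  # round-robin counter (assumed selection policy)

def route(port, protocol, host, path):
    """Return (outcome, detail) for one client request."""
    # Listener match: port, protocol and hostname must all agree.
    matches = [l for l in LISTENERS
               if (l.port, l.protocol) == (port, protocol) and l.host in (host, None)]
    if not matches:
        return ("rejected", "no listener")
    # Assumption: a hostname-specific listener wins over a catch-all one.
    listener = min(matches, key=lambda l: l.host is None)
    # Rule evaluation: path prefix picks the pool, else the rule's default.
    rule = next(r for r in RULES if r.listener == listener.name)
    pool = next((p for prefix, p in rule.path_map.items()
                 if path.startswith(prefix)), rule.default_pool)
    # Health check: only instances the probes marked healthy are eligible.
    healthy = [ip for ip in POOLS[pool] if HEALTH[ip]]
    if not healthy:
        return ("error", "no healthy backend in " + pool)
    # Request routing: forward to the next healthy instance.
    return ("forwarded", healthy[next(_next) % len(healthy)])
```

In this sample, the unhealthy 10.0.1.4 never receives traffic, and a request for /images/ fails because the only instance in its pool is marked unhealthy.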
Deployment Modes
Application Gateway can be deployed in several ways to suit different needs:
Standard v1/v2 SKU
Provides basic load balancing, WAF, and SSL termination. v2 offers autoscaling, zone redundancy, and a static VIP.
WAF SKU
Includes all features of the Standard SKU plus advanced WAF capabilities for enhanced security.
Benefits
- High Availability: Ensures your applications are accessible even if some backend servers fail.
- Scalability: Can automatically scale to handle varying traffic loads (especially v2 SKU).
- Security: Provides SSL termination and optional WAF protection.
- Performance: Offloads SSL processing from your application servers.
- Traffic Management: Enables complex routing based on hostnames and paths.
For detailed configuration steps and advanced scenarios, please refer to the Application Gateway Configuration Guide.