Azure Application Gateway

What is Azure Application Gateway?

Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. It provides Layer 7 load balancing capabilities, allowing for advanced routing decisions based on attributes like request URL path, host name, and more. It also offers features such as SSL termination, cookie-based session affinity, and Web Application Firewall (WAF).

Key Use Cases:
  • Load balancing HTTP/HTTPS traffic across multiple web servers.
  • URL-based content routing to different application tiers.
  • SSL offloading to reduce the load on backend servers.
  • Protection against common web exploits with WAF.
  • Maintaining session affinity with cookie-based affinity.

Key Components

Application Gateway consists of several key components that work together to manage and route traffic:

  • Frontend IP Configuration: Either a public IP address, a private IP address, or both, that clients connect to.
  • Listeners: A logical component that checks for incoming connection requests. It defines a port, protocol (HTTP or HTTPS), and certificate (for HTTPS).
  • Rules: Define how the gateway routes traffic. A rule associates a listener, a backend pool, and backend health probes.
  • Backend Pools: A collection of virtual machines, virtual machine scale sets, or any other registered Azure resource that will serve the requests.
  • HTTP Settings: Configures the parameters for traffic sent to the backend pool. This includes protocol, port, cookie-based affinity, connection draining, and more.
  • Health Probes: Used to monitor the health of the backend instances. Application Gateway sends probe requests to each backend instance and uses the responses to decide whether that instance is healthy.

Getting Started with Application Gateway

You can provision an Application Gateway through the Azure portal, Azure CLI, PowerShell, or ARM templates.

Deploying via Azure Portal:

  1. Navigate to the Azure portal and search for "Application Gateway".
  2. Click "Create Application Gateway".
  3. Configure the basic settings, including resource group, name, region, SKU (Standard, WAF, etc.), and instance count.
  4. Configure the frontend IP address (public or private).
  5. Configure the backend pool with the IP addresses or FQDNs of your backend servers.
  6. Set up HTTP settings, including port, protocol, and cookie-based affinity.
  7. Create listeners for your applications (e.g., port 80 for HTTP, port 443 for HTTPS).
  8. Configure routing rules to associate listeners with backend pools and HTTP settings.
  9. (Optional) Configure health probes to monitor backend health.
  10. Review and create the Application Gateway.

Tip: For HTTPS listeners, you'll need to upload an SSL certificate. Application Gateway supports PFX files with a private key.

URL-Based Content Routing

Application Gateway supports routing requests to different backend pools based on the request URL. This is useful for microservices architectures or when you have different application components hosted on separate sets of servers.

For example, you can route requests starting with /images/* to one backend pool, /api/* to another, and all other requests to a default backend pool.

Example Rule Configuration:

  Listener            Path Match   Backend Pool         HTTP Settings
  Port 80 (Default)   /*           DefaultBackendPool   DefaultHTTPSetting
  Port 80 (Default)   /api/*       APIBackendPool       APIHTTPSetting
  Port 80 (Default)   /images/*    ImageBackendPool     ImageHTTPSetting
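The three rows of that table expressed as an Application Gateway resource in Bicep (the authoring language that compiles to ARM templates). This is an added example, not configuration from the original page; the gateway name appgw-demo, the listener and path-map names, and the subnetId/publicIpId parameters are assumptions.

```bicep
param location string = resourceGroup().location
param subnetId string   // assumed: subnet reserved for the gateway
param publicIpId string // assumed: Standard SKU public IP
var gw = 'appgw-demo'   // assumed gateway name
var gwType = 'Microsoft.Network/applicationGateways'
var poolType = '${gwType}/backendAddressPools'
var settingsType = '${gwType}/backendHttpSettingsCollection'

resource appGw 'Microsoft.Network/applicationGateways@2023-09-01' = {
  name: gw
  location: location
  properties: {
    sku: { name: 'Standard_v2', tier: 'Standard_v2', capacity: 1 }
    gatewayIPConfigurations: [{ name: 'gwip', properties: { subnet: { id: subnetId } } }]
    frontendIPConfigurations: [{ name: 'feip', properties: { publicIPAddress: { id: publicIpId } } }]
    frontendPorts: [{ name: 'port80', properties: { port: 80 } }]
    // one backend pool and one HTTP setting per row of the routing table
    backendAddressPools: [for p in ['DefaultBackendPool', 'APIBackendPool', 'ImageBackendPool']: { name: p }]
    backendHttpSettingsCollection: [for s in ['DefaultHTTPSetting', 'APIHTTPSetting', 'ImageHTTPSetting']: {
      name: s
      properties: { port: 80, protocol: 'Http', cookieBasedAffinity: 'Disabled', requestTimeout: 20 }
    }]
    // the "Port 80 (Default)" listener shared by all three rows
    httpListeners: [{ name: 'listener80', properties: { frontendIPConfiguration: { id: resourceId('${gwType}/frontendIPConfigurations', gw, 'feip') }, frontendPort: { id: resourceId('${gwType}/frontendPorts', gw, 'port80') }, protocol: 'Http' } }]
    urlPathMaps: [{
      name: 'pathmap'
      properties: {
        // the "/*" row: requests that match no path rule fall through to these
        defaultBackendAddressPool: { id: resourceId(poolType, gw, 'DefaultBackendPool') }
        defaultBackendHttpSettings: { id: resourceId(settingsType, gw, 'DefaultHTTPSetting') }
        pathRules: [
          { name: 'api', properties: { paths: ['/api/*'], backendAddressPool: { id: resourceId(poolType, gw, 'APIBackendPool') }, backendHttpSettings: { id: resourceId(settingsType, gw, 'APIHTTPSetting') } } }
          { name: 'images', properties: { paths: ['/images/*'], backendAddressPool: { id: resourceId(poolType, gw, 'ImageBackendPool') }, backendHttpSettings: { id: resourceId(settingsType, gw, 'ImageHTTPSetting') } } }
        ]
      }
    }]
    requestRoutingRules: [{
      name: 'pathrule'
      properties: {
        ruleType: 'PathBasedRouting'
        priority: 100 // required on v2 SKUs; a lower number wins when rules overlap
        httpListener: { id: resourceId('${gwType}/httpListeners', gw, 'listener80') }
        urlPathMap: { id: resourceId('${gwType}/urlPathMaps', gw, 'pathmap') }
      }
    }]
  }
}
```

Port 80 is used only to match the table; an HTTPS listener uses the same structure with protocol 'Https' and a sslCertificate reference.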

Web Application Firewall (WAF)

Azure Application Gateway WAF provides centralized protection for your web applications from common exploits and vulnerabilities, such as SQL injection, cross-site scripting (XSS), and others.

WAF policies are managed separately and can be associated with your Application Gateway. You can choose between managed rule sets (OWASP) or create custom rules.

Important: Enabling WAF adds an overhead and may slightly impact performance. Ensure you test your applications thoroughly after enabling WAF.

High Availability and Scalability

Application Gateway offers different tiers (Standard_v1, Standard_v2, WAF_v1, WAF_v2) that provide varying levels of availability and scalability. The v2 SKU supports autoscaling and zone redundancy, providing higher resilience.

Further Reading

Explore these resources for more in-depth information: