Azure Documentation

Azure Application Gateway

Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. It provides a web application firewall (WAF) for protection against common web exploits, and SSL termination. Application Gateway can route traffic based on attributes such as HTTP headers, URI paths, and server variables.

Key Features

  • Layer 7 Load Balancing: Operates at the application layer (HTTP/HTTPS), allowing for intelligent routing decisions based on request content.
  • Web Application Firewall (WAF): Protects your web applications from common vulnerabilities like SQL injection, cross-site scripting (XSS), and other OWASP Top 10 threats.
  • SSL Termination: Offloads SSL decryption from your web servers, simplifying certificate management and improving performance.
  • Cookie-based Session Affinity: Ensures that requests from a particular client are consistently sent to the same backend server, crucial for applications that rely on session state.
  • URL Path-based Routing: Routes requests to different backend pools based on the URL path in the request. For example, /images/* could be routed to one pool and /api/* to another.
  • Host-based Routing: Routes traffic to different web applications hosted on the same IP address, based on the host name in the request.
  • Redirection: Configures HTTP to HTTPS redirection or custom error pages.
  • Health Probes: Continuously monitors the health of backend servers and only routes traffic to healthy instances.
  • Autoscaling: Automatically scales the Application Gateway's capacity to meet traffic demands.

Use Cases

  • Load balancing HTTP/HTTPS traffic across multiple web servers.
  • Providing a WAF to protect web applications from common attacks.
  • Implementing SSL termination to simplify certificate management.
  • Routing traffic based on URL paths or host names.
  • Ensuring session persistence for stateful applications.

Architecture Overview

An Application Gateway consists of the following components:

  • Frontend IP configuration: Can be public or private.
  • Listeners: Define a port, protocol, and host for which Application Gateway listens for incoming traffic.
  • Request Routing Rules: Connect a listener to a backend pool and define how traffic should be routed.
  • Backend Pools: A collection of servers that Application Gateway routes traffic to.
  • HTTP Settings: Define settings for new HTTP requests that Application Gateway sends to the backend.
  • Health Probes: Define how Application Gateway tests the health of backend servers.

Configuring Application Gateway

Configuration can be done via the Azure portal, Azure CLI, Azure PowerShell, or ARM templates. The general steps involve:

  1. Creating a virtual network and subnet for the Application Gateway.
  2. Creating the Application Gateway resource, specifying SKU, instance count, and frontend IP.
  3. Configuring listeners to accept incoming traffic.
  4. Defining backend pools with your application servers.
  5. Configuring HTTP settings and health probes.
  6. Creating routing rules to connect listeners to backend pools.

Note: Application Gateway requires its own dedicated subnet within your virtual network. This subnet cannot contain any other resources.

WAF Considerations

When using the WAF feature, it's important to:

  • Choose the appropriate WAF mode (Detection or Prevention).
  • Regularly update WAF rule sets.
  • Monitor WAF logs for suspicious activity and tune rules to minimize false positives.

Tip: For optimal performance and availability, consider using multiple instances of Application Gateway and configuring autoscaling.
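Added example (not part of the original page): a small triage script for the WAF diagnostic log category ApplicationGatewayFirewallLog, as exported to a log sink, that separates rules worth tuning (one rule firing on the same path for many distinct clients, typical of a false positive found while running in Detection mode) from clients that trip several different rules. The log lines, client addresses, paths and the threshold of three distinct clients are constructed assumptions for the demonstration.

```python
import json
from collections import defaultdict

# Constructed sample records in the shape of Application Gateway WAF
# diagnostic log entries (category ApplicationGatewayFirewallLog).
# Addresses are from documentation ranges; this is not real traffic.
SAMPLE_LOG_LINES = [
    json.dumps({"category": "ApplicationGatewayFirewallLog", "properties": p})
    for p in [
        {"clientIp": "203.0.113.10", "requestUri": "/api/search?q=1%20OR%201=1", "ruleId": "942100", "action": "Blocked"},
        {"clientIp": "203.0.113.10", "requestUri": "/api/search?q=%3Cscript%3E", "ruleId": "941100", "action": "Blocked"},
        {"clientIp": "198.51.100.7", "requestUri": "/api/items?filter=price%20desc", "ruleId": "942100", "action": "Detected"},
        {"clientIp": "198.51.100.8", "requestUri": "/api/items?filter=name%20desc", "ruleId": "942100", "action": "Detected"},
        {"clientIp": "198.51.100.9", "requestUri": "/api/items?filter=date%20desc", "ruleId": "942100", "action": "Detected"},
    ]
]


def parse_waf_events(lines):
    """Yield the properties dict of each WAF record; skip other log categories."""
    for line in lines:
        rec = json.loads(line)
        if rec.get("category") == "ApplicationGatewayFirewallLog":
            yield rec["properties"]


def summarize(lines, min_clients=3):
    """Group WAF matches by (ruleId, URI path) and by client.

    A (rule, path) pair hit by at least min_clients distinct clients is
    reported as a tuning candidate (consider a scoped exclusion for that path);
    a client that trips two or more different rules is reported as suspicious.
    """
    clients_per_rule_path = defaultdict(set)
    rules_per_client = defaultdict(set)
    for ev in parse_waf_events(lines):
        path = ev["requestUri"].split("?", 1)[0]  # drop the query string
        clients_per_rule_path[(ev["ruleId"], path)].add(ev["clientIp"])
        rules_per_client[ev["clientIp"]].add(ev["ruleId"])
    tuning = sorted(k for k, c in clients_per_rule_path.items() if len(c) >= min_clients)
    suspicious = sorted(ip for ip, r in rules_per_client.items() if len(r) >= 2)
    return {"tuning_candidates": tuning, "suspicious_clients": suspicious}


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOG_LINES), indent=2))
```

Run the same summary over a real export before switching a policy from Detection to Prevention, so that the exclusions are in place before blocking starts.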

# Example of creating an Application Gateway using Azure CLI
# WAF_v2 is a v2 SKU, so the default routing rule needs an explicit priority.
# The backend pool is populated from --servers; there is no separate pool-name option.
az network application-gateway create \
  --name MyApplicationGateway \
  --resource-group MyResourceGroup \
  --location eastus \
  --sku WAF_v2 \
  --priority 100 \
  --frontend-port 443 \
  --http-settings-cookie-based-affinity Enabled \
  --vnet-name MyVNet \
  --subnet MyAppGwSubnet \
  --public-ip-address MyPublicIP \
  --servers server1.example.com server2.example.com

Important: Always refer to the latest Azure documentation for the most up-to-date commands and configuration options.