Overview
The Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. It operates at Layer 7 (HTTP/HTTPS) and offers features such as SSL termination, URL‑based routing, Web Application Firewall (WAF), and autoscaling.
Key Features
- Layer‑7 load balancing with path‑based routing
- SSL termination and end‑to‑end SSL
- Web Application Firewall (OWASP Core Rule Set)
- Autoscaling and zone‑redundant deployment
- Custom probes and health monitoring
- Integration with Azure Monitor and Log Analytics
Configuration Steps (Portal)
- Create a Resource Group (or use an existing one).
- Navigate to Application Gateways → Add.
- Configure basics:
  - Name, Region, Tier (Standard_v2 / WAF_v2)
  - Frontend IP (Public or Private)
- Configure Backend pool – add virtual machines, VM scale sets, or App Service instances.
- Set up Health probes and HTTP settings (including cookie‑based affinity, connection draining).
- Create Rules – map listeners to backend pools with URL‑based routing.
- Enable WAF if required and select a policy.
- Review and create.
Example: Deploy with Terraform
```hcl
# The azurerm provider requires a features block, even if it is empty.
provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "rg" {
  name     = "rg-appgw-demo"
  location = "East US"
}

resource "azurerm_virtual_network" "vnet" {
  name                = "vnet-appgw-demo"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
}

# Application Gateway needs a dedicated subnet. The name "GatewaySubnet" is
# reserved for virtual network (VPN/ExpressRoute) gateways, so use another name.
resource "azurerm_subnet" "subnet" {
  name                 = "snet-appgw"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = ["10.0.1.0/24"]
}

# v2 gateways require a Standard SKU public IP with static allocation.
resource "azurerm_public_ip" "pip" {
  name                = "pip-appgw"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  allocation_method   = "Static"
  sku                 = "Standard"
}

resource "azurerm_application_gateway" "appgw" {
  name                = "appgw-demo"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name

  # WAF_v2 tier; no WAF policy (firewall_policy_id) is attached in this example.
  # v2 SKUs need either a fixed capacity or an autoscale_configuration block.
  sku {
    name     = "WAF_v2"
    tier     = "WAF_v2"
    capacity = 2
  }

  gateway_ip_configuration {
    name      = "gw-ip-config"
    subnet_id = azurerm_subnet.subnet.id
  }

  frontend_port {
    name = "frontendPort"
    port = 80
  }

  frontend_ip_configuration {
    name                 = "frontendIP"
    public_ip_address_id = azurerm_public_ip.pip.id
  }

  backend_address_pool {
    name  = "backendPool"
    fqdns = ["mywebapp.azurewebsites.net"]
  }

  # Traffic to the backend is plain HTTP on port 80.
  backend_http_settings {
    name                  = "httpSetting"
    cookie_based_affinity = "Disabled"
    port                  = 80
    protocol              = "Http"
    request_timeout       = 20

    # App Service routes on the Host header, so send the backend FQDN.
    pick_host_name_from_backend_address = true
  }

  # Demo listener on plain HTTP (port 80); no TLS certificate is configured.
  http_listener {
    name                           = "listener"
    frontend_ip_configuration_name = "frontendIP"
    frontend_port_name             = "frontendPort"
    protocol                       = "Http"
  }

  request_routing_rule {
    name                       = "rule1"
    rule_type                  = "Basic"
    priority                   = 100 # required for v2 SKUs
    http_listener_name         = "listener"
    backend_address_pool_name  = "backendPool"
    backend_http_settings_name = "httpSetting"
  }
}
```
Monitoring & Diagnostics
| Metric | Description |
|---|---|
| Capacity Units | Current throughput capacity. |
| Healthy Host Count | Number of healthy backend instances. |
| Total Requests | Incoming requests per minute. |
| WAF Blocked Requests | Count of requests blocked by WAF. |
Enable Diagnostic Settings to stream logs to Log Analytics, Event Hub, or Storage for deeper analysis.
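The Terraform example above selects the WAF_v2 SKU but attaches no WAF policy and sends no logs anywhere. The following is an added example, not part of the original page, that defines an OWASP policy in Prevention mode and streams the gateway's access and firewall logs to Log Analytics. It reuses the `rg` and `appgw` resources from that example; the other resource names, rule set version 3.2 and the 30-day retention are assumptions.

```hcl
# Added example; names other than "rg" and "appgw" are assumptions.
resource "azurerm_web_application_firewall_policy" "wafpol" {
  name                = "wafpol-appgw-demo"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location

  policy_settings {
    enabled            = true
    mode               = "Prevention" # "Detection" only logs matches
    request_body_check = true
  }

  managed_rules {
    managed_rule_set {
      type    = "OWASP"
      version = "3.2" # assumed rule set version
    }
  }
}

# Attach the policy by adding this argument inside
# resource "azurerm_application_gateway" "appgw" { ... }:
#   firewall_policy_id = azurerm_web_application_firewall_policy.wafpol.id

# Workspace that receives the gateway logs (assumed name and retention).
resource "azurerm_log_analytics_workspace" "law" {
  name                = "law-appgw-demo"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  sku                 = "PerGB2018"
  retention_in_days   = 30
}

# Diagnostic setting: stream access and WAF logs to the workspace.
resource "azurerm_monitor_diagnostic_setting" "appgw_diag" {
  name                       = "diag-appgw"
  target_resource_id         = azurerm_application_gateway.appgw.id
  log_analytics_workspace_id = azurerm_log_analytics_workspace.law.id

  enabled_log {
    category = "ApplicationGatewayAccessLog"
  }

  enabled_log {
    category = "ApplicationGatewayFirewallLog"
  }
}
```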
Frequently Asked Questions
- When should I use Application Gateway vs. Load Balancer?
  - Use Application Gateway for HTTP/HTTPS layer‑7 features (routing, WAF, SSL offload). Use Load Balancer for TCP/UDP layer‑4 traffic and higher raw throughput.
- Can I combine WAF with Autoscaling?
  - Yes. WAF policies work with the v2 SKU, which supports autoscaling and zone redundancy.
- How do I migrate from Classic to v2?
  - Deploy a new v2 gateway, configure the same backend pools and listeners, then switch DNS or Traffic Manager endpoints.