Understanding Azure Application Gateway
Azure Application Gateway is a managed web traffic load balancer that enables you to manage traffic to your web applications. It provides Layer 7 load balancing capabilities, allowing for more sophisticated routing decisions based on attributes like request headers, URI paths, and query strings.
What is it?
Application Gateway is a cloud-native service that offers features such as SSL termination, cookie-based session affinity, Web Application Firewall (WAF), and multi-site hosting.
Key Features
- Layer 7 Load Balancing: Routes traffic based on application-level attributes.
- SSL Termination: Offloads SSL/TLS decryption from your web servers.
- Web Application Firewall (WAF): Protects your web applications from common web vulnerabilities and exploits.
- Cookie-Based Session Affinity: Ensures a client's requests are directed to the same backend server.
- URL-Based Content Routing: Routes requests to different backend pools based on the requested URL path.
- Multi-site Hosting: Allows you to host multiple web applications on the same instance of Application Gateway.
- Health Probes: Monitors the health of backend servers and routes traffic only to healthy instances.
- Autoscaling: Automatically scales capacity up or down based on traffic load.
Common Use Cases
Securing Web Applications
Use the WAF feature to protect against OWASP Top 10 vulnerabilities such as SQL injection and cross-site scripting (XSS).
Distributing Traffic for Scalability
Efficiently distribute incoming traffic across multiple instances of your web application for high availability and performance.
Managing Multiple Websites
Host several distinct websites or domains using a single Application Gateway instance, simplifying network management.
Architecture Overview
Application Gateway consists of the following components:
- Frontend IP Configuration: Public or private IP addresses that clients connect to.
- Listeners: Define the port, protocol (HTTP/HTTPS), and host(s) for which the gateway listens.
- Request Routing Rules: Link listeners to backend targets and specify how requests are routed.
- Backend HTTP Settings: Configure backend protocols, ports, and cookie-based affinity.
- Backend Pools: A collection of backend servers that serve the requests.
- Health Probes: Custom probes to monitor backend health.
Application Gateway operates at Layer 7 (the application layer), unlike Azure Load Balancer, which operates at Layer 4 (the transport layer).
Configuration Basics
Configuring an Application Gateway typically involves defining:
- Frontend IP: Choose between a public or private IP address.
- Listeners: Set up HTTP or HTTPS listeners, specifying ports and hostnames for multi-site hosting.
- Backend Pools: Define the IP addresses or FQDNs of your backend servers (e.g., Virtual Machines, App Services).
- HTTP Settings: Configure protocol settings, port, cookie-based affinity, and health probe configurations.
- Rules: Create rules to associate listeners with backend pools and HTTP settings.
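The components above are also where a gateway's security posture is decided. As an added example (not from the original page or from Microsoft), this Python check audits a gateway description for the WAF state, HTTP listeners that serve traffic without a redirect, and cleartext gateway-to-backend settings. It assumes the flattened JSON shape printed by `az network application-gateway show`; the sample document, resource names and finding labels are constructed.

```python
import json
# Constructed sample in the flattened shape printed by
# `az network application-gateway show`; names and ids are illustrative.
SAMPLE = json.loads("""
{
  "name": "example-appgw",
  "sku": {"tier": "WAF_v2"},
  "webApplicationFirewallConfiguration": {"enabled": true, "firewallMode": "Detection"},
  "httpListeners": [
    {"name": "MyHttpListener", "protocol": "Http"},
    {"name": "MyHttpsListener", "protocol": "Https"}
  ],
  "requestRoutingRules": [
    {"name": "BasicRule", "httpListener": {"id": "/placeholder/httpListeners/MyHttpListener"}},
    {"name": "TlsRule", "httpListener": {"id": "/placeholder/httpListeners/MyHttpsListener"}}
  ],
  "backendHttpSettingsCollection": [
    {"name": "DefaultSettings", "protocol": "Http", "port": 80}
  ]
}
""")

def audit(gw):
    """Return (finding, resource_name) tuples for one gateway description."""
    findings = []
    waf = gw.get("webApplicationFirewallConfiguration") or {}
    # With a separate WAF policy attached, the mode lives in that policy, so skip.
    if not gw.get("firewallPolicy"):
        if not waf.get("enabled"):
            findings.append(("waf-disabled", gw["name"]))
        elif waf.get("firewallMode") != "Prevention":
            findings.append(("waf-detection-only", gw["name"]))
    # Map listener name -> routing rule, to see whether HTTP is redirected.
    rules = {r["httpListener"]["id"].rsplit("/", 1)[-1]: r
             for r in gw.get("requestRoutingRules", [])}
    for lst in gw.get("httpListeners", []):
        rule = rules.get(lst["name"], {})
        if lst["protocol"].lower() == "http" and not rule.get("redirectConfiguration"):
            findings.append(("http-listener-no-redirect", lst["name"]))
    # After SSL termination, the gateway-to-backend hop can still be cleartext.
    for s in gw.get("backendHttpSettingsCollection", []):
        if s["protocol"].lower() == "http":
            findings.append(("cleartext-backend", s["name"]))
    return findings

if __name__ == "__main__":
    for finding, name in audit(SAMPLE):
        print(f"{finding}: {name}")
```

A gateway in Detection mode logs matching requests but does not block them, which is why it is reported separately from a disabled WAF.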
Example: Basic Routing Rule
# Conceptual example of routing based on URL path
Listener: MyHttpListener (Port 80, Host '*')
Rule: BasicRule
    If Request Path matches '/images/*'
        Then Route to Backend Pool: ImageServers
    Else Route to Backend Pool: DefaultWebServers
Pricing
Azure Application Gateway pricing is based on several factors, including the SKU chosen (Standard, WAF, WAF V2), data transfer, and the number of hours the gateway is provisioned. WAF V2 offers enhanced features and autoscaling capabilities.
For detailed pricing information, please refer to the official Azure Application Gateway pricing page.