Azure Application Gateway Architecture Components

This document details the core components that make up the Azure Application Gateway architecture, providing a comprehensive understanding of how it functions to manage and direct application traffic.

Core Components

Azure Application Gateway is a managed layer-7 (HTTP/HTTPS) load balancer for web applications. It offers a web application firewall (WAF), host- and path-based routing, TLS termination (still widely called SSL termination), end-to-end TLS, and more. Understanding its architectural components is crucial for effective deployment and management, and for knowing at which point in the path traffic is decrypted and inspected.

1. Frontend IP Configuration

The frontend IP configuration is the entry point for traffic directed to the Application Gateway: a public IP address, a private IP address taken from the gateway's subnet, or both. Application Gateway is itself a load balancer; behind the frontend IP the platform spreads incoming connections across the gateway's own instances, which gives high availability and scalability without any component you configure separately. (Azure's "Gateway Load Balancer" is a different product, a SKU of Azure Load Balancer used to insert network virtual appliances into a traffic path; it is not part of Application Gateway.)

2. Application Gateway Instances

These are the compute instances that run the Application Gateway software. Azure manages them and they do not appear as virtual machines in your subscription, but each one takes a private IP address from the dedicated gateway subnet, so that subnet must be sized for the maximum instance count. The instances terminate TLS, evaluate WAF and routing rules, and forward traffic to backend pools. The v1 SKU is scaled by setting an instance count manually; the v2 SKU can also autoscale on load and can be spread across availability zones.

3. Backend Pools

Backend pools define the set of targets that host your web applications. Members can be IP addresses or FQDNs, NICs of virtual machines, virtual machine scale sets, or multi-tenant services such as App Service. The Application Gateway forwards traffic only to the pool members that the health probes currently report as healthy.

4. Health Probes

Health probes ensure that traffic is sent only to healthy backend servers. Each gateway instance probes every pool member on a timer that is independent of client requests; a member that fails the probe a configurable number of consecutive times (the unhealthy threshold) is taken out of rotation, and it is put back once probes succeed again. If no custom probe is attached to a backend's HTTP settings, the gateway uses a default probe: the settings' protocol and port, Host header 127.0.0.1, path /, a 30-second interval and timeout, an unhealthy threshold of 3, and any status code in 200-399 counts as healthy. A custom probe lets you set the path, the Host header, the accepted status codes, an optional body match, and the timings. A probe whose Host header or path the backend rejects marks every member unhealthy and takes the site down even though the application is fine, so check the backend health view after any change to probes or HTTP settings.

5. Listeners

Listeners accept incoming traffic on a frontend IP configuration, a port, and a protocol (HTTP or HTTPS). A basic listener accepts everything that arrives on its port; a multi-site listener additionally matches the request's Host header (or TLS SNI name) against one or more host names, wildcards included, so several sites can share one gateway and port. An HTTPS listener carries the server certificate used to terminate TLS, and a listener can be assigned its own WAF policy.

6. Request Routing Rules

Request routing rules bind a listener to a destination. A basic rule sends everything the listener accepts to one backend pool with one set of HTTP settings; a path-based rule uses a URL path map to send different path patterns (for example /api/* and /images/*) to different pools, with a default pool for everything else. A rule can instead redirect (typically HTTP to HTTPS) or apply a rewrite set that changes headers and URLs on the way through. Host-based routing comes from the listener the rule is attached to rather than from the rule itself, and in the v2 SKU every rule carries a priority that decides the order in which rules are evaluated.

7. HTTP Settings

HTTP settings (called backend settings in the v2 portal) define how the gateway connects to pool members: protocol (HTTP or HTTPS) and port, cookie-based affinity, connection draining and request timeout, the Host header to send (the listener's, a fixed override, or the pool member's own FQDN), the custom health probe to use, and, for HTTPS backends, the trusted root certificates the gateway will accept.

8. SSL Certificates

For HTTPS traffic, TLS (SSL) certificates enable secure communication. With TLS termination the gateway decrypts incoming HTTPS at the listener and forwards plain HTTP to the backend; this is what lets the WAF and path-based rules see the request, but it leaves the backend leg unencrypted, which is only acceptable when that leg stays inside a network you trust. With end-to-end TLS the gateway decrypts, inspects, and re-encrypts toward an HTTPS backend; the v2 SKU verifies the backend certificate against trusted root certificates uploaded in the HTTP settings unless the certificate chains to a well-known CA, and the backend certificate must match the Host name the gateway sends. Listener certificates can be uploaded as PFX files or referenced from Azure Key Vault through a managed identity, which keeps the private key out of templates and allows rotation without redeploying the gateway. The gateway's TLS policy sets the minimum protocol version and the cipher suites accepted on the frontend.
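The Bicep template below is an added example, not code from this page or from Microsoft; it wires the eight components above into one WAF_v2 gateway so that the references between them are visible. Every name, host name, and parameter (subnet, public IP, managed identity, Key Vault secret, backend root certificate, WAF policy id) is an assumption chosen for illustration, and the numbered comments map to the sections above.

```bicep
// Added example (not from the page or Microsoft). Every name, host and parameter is an assumption.
param location string = resourceGroup().location
param gatewayName string = 'appgw-contoso'
param subnetId string             // subnet dedicated to the gateway (nothing else in it)
param publicIpId string           // Standard-SKU static public IP
param identityId string           // user-assigned identity allowed to read the certificate secret
param tlsCertSecretId string      // versionless Key Vault secret URI of the frontend certificate
param backendRootCertData string  // base64 .cer of the CA that issued the backend certificates
param wafPolicyId string          // id of an existing ApplicationGatewayWebApplicationFirewallPolicies

// Components inside a gateway are referenced by id, so build them from the gateway's own id.
var gwId = resourceId('Microsoft.Network/applicationGateways', gatewayName)
var frontendId = '${gwId}/frontendIPConfigurations/publicFrontend'
var settingsId = '${gwId}/backendHttpSettingsCollection/httpsSettings'

resource appGw 'Microsoft.Network/applicationGateways@2023-09-01' = {
  name: gatewayName
  location: location
  identity: { type: 'UserAssigned', userAssignedIdentities: { '${identityId}': {} } }
  properties: {
    sku: { name: 'WAF_v2', tier: 'WAF_v2' }
    // 2. Instances: the platform adds and removes them between these bounds
    autoscaleConfiguration: { minCapacity: 2, maxCapacity: 10 }
    gatewayIPConfigurations: [ { name: 'gwIpConfig', properties: { subnet: { id: subnetId } } } ]
    // 1. Entry point: the frontend IP configuration (add a private one for internal-only use)
    frontendIPConfigurations: [ { name: 'publicFrontend', properties: { publicIPAddress: { id: publicIpId } } } ]
    frontendPorts: [
      { name: 'port80', properties: { port: 80 } }
      { name: 'port443', properties: { port: 443 } }
    ]
    // 8. TLS: the frontend key stays in Key Vault; backend certificates are checked against this root CA
    sslCertificates: [ { name: 'frontendCert', properties: { keyVaultSecretId: tlsCertSecretId } } ]
    trustedRootCertificates: [ { name: 'backendRoot', properties: { data: backendRootCertData } } ]
    sslPolicy: { policyType: 'Predefined', policyName: 'AppGwSslPolicy20220101S' }  // TLS 1.2+, strong ciphers
    // 4. Health probe: HTTPS GET /healthz every 30 s; three consecutive failures remove a member
    probes: [
      {
        name: 'httpsProbe'
        properties: {
          protocol: 'Https'
          path: '/healthz'
          interval: 30
          timeout: 30
          unhealthyThreshold: 3
          pickHostNameFromBackendHttpSettings: true  // Host header = the member's own FQDN (see settings)
          match: { statusCodes: [ '200-299' ] }       // stricter than the 200-399 default
        }
      }
    ]
    // 3. Backend pools: FQDNs here; IP addresses, NICs, scale sets or App Service also work
    backendAddressPools: [
      { name: 'webPool', properties: { backendAddresses: [ { fqdn: 'web.internal.contoso.com' } ] } }
      { name: 'apiPool', properties: { backendAddresses: [ { fqdn: 'api.internal.contoso.com' } ] } }
    ]
    // 7. HTTP settings: end-to-end TLS, Host taken from the pool FQDN, draining on scale-in
    backendHttpSettingsCollection: [
      {
        name: 'httpsSettings'
        properties: {
          port: 443
          protocol: 'Https'
          pickHostNameFromBackendAddress: true
          cookieBasedAffinity: 'Disabled'
          connectionDraining: { enabled: true, drainTimeoutInSec: 60 }
          probe: { id: '${gwId}/probes/httpsProbe' }
          trustedRootCertificates: [ { id: '${gwId}/trustedRootCertificates/backendRoot' } ]
        }
      }
    ]
    // 5. Listeners: port 80 exists only to redirect; port 443 terminates TLS for www.contoso.com
    httpListeners: [
      { name: 'httpListener', properties: { frontendIPConfiguration: { id: frontendId }, frontendPort: { id: '${gwId}/frontendPorts/port80' }, protocol: 'Http', hostName: 'www.contoso.com' } }
      { name: 'httpsListener', properties: { frontendIPConfiguration: { id: frontendId }, frontendPort: { id: '${gwId}/frontendPorts/port443' }, protocol: 'Https', hostName: 'www.contoso.com', requireServerNameIndication: true, sslCertificate: { id: '${gwId}/sslCertificates/frontendCert' } } }
    ]
    redirectConfigurations: [
      { name: 'toHttps', properties: { redirectType: 'Permanent', targetListener: { id: '${gwId}/httpListeners/httpsListener' }, includePath: true, includeQueryString: true } }
    ]
    // 6. Routing: /api/* goes to apiPool, everything else on the HTTPS listener goes to webPool
    urlPathMaps: [
      {
        name: 'pathMap'
        properties: {
          defaultBackendAddressPool: { id: '${gwId}/backendAddressPools/webPool' }
          defaultBackendHttpSettings: { id: settingsId }
          pathRules: [
            { name: 'api', properties: { paths: [ '/api/*' ], backendAddressPool: { id: '${gwId}/backendAddressPools/apiPool' }, backendHttpSettings: { id: settingsId } } }
          ]
        }
      }
    ]
    requestRoutingRules: [
      { name: 'redirectToHttps', properties: { ruleType: 'Basic', priority: 10, httpListener: { id: '${gwId}/httpListeners/httpListener' }, redirectConfiguration: { id: '${gwId}/redirectConfigurations/toHttps' } } }
      { name: 'routeHttps', properties: { ruleType: 'PathBasedRouting', priority: 20, httpListener: { id: '${gwId}/httpListeners/httpsListener' }, urlPathMap: { id: '${gwId}/urlPathMaps/pathMap' } } }
    ]
    // WAF policy for the whole gateway; a listener or path rule can carry a more specific one
    firewallPolicy: { id: wafPolicyId }
  }
}
```

Deploy it with az deployment group create and the parameters filled in. Two things must be true before the deployment succeeds: the identity needs read access to the Key Vault secret, and both backends must answer GET /healthz with a 2xx over HTTPS using a certificate issued by the uploaded root CA, otherwise the probe marks every member unhealthy and the gateway returns 502 for everything.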

Architectural Diagram

[Figure not reproduced: simplified diagram illustrating the flow of traffic through Azure Application Gateway components.]

Web Application Firewall (WAF)

The Web Application Firewall (WAF) is an optional component available on the WAF and WAF_v2 SKUs. It inspects each request after TLS termination and before routing, and protects your web applications from common attacks such as SQL injection, cross-site scripting (XSS), and the other classes covered by the OWASP Core Rule Set. WAF runs in Detection mode (matches are logged, nothing is blocked) or Prevention mode (matches are blocked and logged); start in Detection and review the logs to tune false positives before switching. Request body inspection is limited by a configurable size cap, so anything beyond that cap passes uninspected unless body checking is set to reject oversized requests.

WAF Components:

  • WAF Policy: A separate resource that holds the mode (Detection or Prevention), the managed rule sets with their exclusions, and the custom rules. It is associated with a whole gateway, a single listener, or a single path rule; the most specific association wins.
  • Managed Rule Sets: Microsoft-maintained rule sets such as the OWASP Core Rule Set (CRS 3.x), the Microsoft Default Rule Set, and the Bot Manager rule set. Individual rules can be disabled, and exclusions can exempt a named header, cookie, or argument from inspection without disabling the rule.
  • Custom Rules: Your own rules matched on client IP ranges, geolocation, request headers, URI paths, query strings, or body, with Allow, Block, or Log actions, plus rate-limit rules. They are evaluated before the managed rules in priority order (lowest number first), and an Allow match ends evaluation for that request, so an overly broad Allow rule silently bypasses the managed rules.
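As an added example (not the page's or Microsoft's code), the following Bicep declares a WAF policy that shows the three parts together: Prevention mode, two managed rule sets with one narrow exclusion, and custom rules that block /admin from anything outside an assumed internal range and rate-limit /login per client address. The policy name, rule names, and address ranges are assumptions; the property negationConditon is spelled that way in the ARM schema.

```bicep
// Added example (not from the page or Microsoft). Names and address ranges are assumptions.
param location string = resourceGroup().location
param policyName string = 'waf-contoso'

resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2023-09-01' = {
  name: policyName
  location: location
  properties: {
    policySettings: {
      state: 'Enabled'
      mode: 'Prevention'          // run in 'Detection' first and read the logs before switching
      requestBodyCheck: true
      maxRequestBodySizeInKb: 128
      fileUploadLimitInMb: 100
    }
    managedRules: {
      managedRuleSets: [
        { ruleSetType: 'OWASP', ruleSetVersion: '3.2' }
        { ruleSetType: 'Microsoft_BotManagerRuleSet', ruleSetVersion: '1.0' }
      ]
      // Narrow exclusion: only this header name is skipped by the managed rules
      exclusions: [ { matchVariable: 'RequestHeaderNames', selectorMatchOperator: 'Equals', selector: 'x-correlation-id' } ]
    }
    // Custom rules run before the managed rules, lowest priority number first.
    // Conditions inside one rule are ANDed; an Allow rule would stop evaluation entirely.
    customRules: [
      {
        name: 'BlockAdminFromOutside'
        priority: 10
        ruleType: 'MatchRule'
        action: 'Block'
        matchConditions: [
          { matchVariables: [ { variableName: 'RequestUri' } ], operator: 'BeginsWith', matchValues: [ '/admin' ], transforms: [ 'Lowercase', 'UrlDecode' ] }
          // negationConditon (sic) is the ARM property name: match when the client is NOT in 10.0.0.0/8
          { matchVariables: [ { variableName: 'RemoteAddr' } ], operator: 'IPMatch', negationConditon: true, matchValues: [ '10.0.0.0/8' ] }
        ]
      }
      {
        name: 'RateLimitLogin'
        priority: 20
        ruleType: 'RateLimitRule'
        rateLimitDuration: 'OneMin'
        rateLimitThreshold: 100
        groupByUserSession: [ { groupByVariables: [ { variableName: 'ClientAddr' } ] } ]
        action: 'Block'
        matchConditions: [
          { matchVariables: [ { variableName: 'RequestUri' } ], operator: 'Contains', matchValues: [ '/login' ] }
        ]
      }
    ]
  }
}

output policyId string = wafPolicy.id
```

The transforms on the /admin condition matter: without Lowercase and UrlDecode, a request for /Admin or /%61dmin would slip past the BeginsWith check and reach the managed rules, which do not know that this path should be internal-only. The output id is what the gateway's firewallPolicy property references.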

Important Note:

The specific components and their configurations will vary based on your deployment needs and the features you enable. Always refer to the official Azure documentation for the most up-to-date and detailed information.

Key Interactions

Incoming traffic arrives at the frontend IP configuration, and the platform hands the connection to one of the gateway's instances. The listener whose port, protocol, and host name match the request accepts it; for an HTTPS listener this is where TLS is terminated with the listener's certificate. If a WAF policy applies, the decrypted request is inspected next and, in Prevention mode, blocked at this point if a rule matches. The request routing rule attached to the listener then selects a backend pool and HTTP settings, directly for a basic rule or through the URL path map for a path-based rule. The gateway forwards the request to a pool member that the health probes currently report as healthy; probes run on their own schedule rather than per request, so a backend that has just failed may still receive a few requests until the unhealthy threshold is reached. Depending on the HTTP settings, the backend leg is plain HTTP or a new TLS session whose server certificate is checked against the trusted root certificates.

Understanding these components allows for a robust and secure web application delivery strategy within Azure.