Application Gateway Architecture Overview

Understanding the core components and design principles of Azure Application Gateway

Introduction

Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. It offers various Layer 7 load balancing capabilities, including:

  • Dynamic application scaling: Application Gateway can automatically scale based on incoming traffic.
  • HTTP load balancing: Offers round-robin, least-connection, and less-CPU load-balancing methods.
  • Cookie-based session affinity: Useful for stateful applications that require the user to be sent to the same server instance.
  • SSL termination: Terminate SSL at the gateway, so that traffic arriving over the public internet is decrypted there and flows unencrypted from the gateway to your web servers.
  • Web Application Firewall (WAF): Protect your web applications from common web vulnerabilities and exploits.
  • URL-based content routing: Route traffic to specific backend pools based on URL paths.
  • Host-based routing: Route traffic to specific backend pools based on the host name in the request.

This article provides a high-level overview of the architecture of Azure Application Gateway.

Key Components

Application Gateway consists of several key components that work together to deliver traffic to your applications:

  • Frontend IP configuration: Defines the public or private IP addresses that Application Gateway listens on for incoming traffic.
  • Listeners: A combination of frontend IP address, port, and protocol (HTTP or HTTPS) that listens for connection requests.
  • Rules: Define how requests arriving at the Application Gateway are directed to backend servers. Rules connect the listener, backend pool, and backend HTTP settings.
  • Backend pools: A collection of virtual machines, virtual machine scale sets, and app services that serve the incoming requests.
  • HTTP settings: Define the backend protocol, port, and cookie-based affinity used to send traffic to the backend servers.
  • Health probes: Monitor the health of the backend servers and remove unhealthy instances from rotation.
  • Request routing: Directs traffic to the appropriate backend pool based on configured rules.

Conceptual Architecture Diagram

[Figure: Application Gateway architecture diagram. Image source: Azure Documentation]

Request Flow

Here's a simplified view of how a request flows through Application Gateway:

  1. A client sends an HTTP/HTTPS request to the frontend IP address of Application Gateway.
  2. The listener configured for that IP address, port, and protocol accepts the request.
  3. Application Gateway evaluates its routing rules based on the request (e.g., URL path, host name).
  4. Based on the matching rule, Application Gateway selects a backend pool and applies the associated HTTP settings.
  5. An available, healthy instance from the backend pool is chosen using the configured load-balancing method.
  6. Application Gateway forwards the request to the chosen backend instance.
  7. The backend instance processes the request and sends the response back to Application Gateway.
  8. Application Gateway sends the response back to the client.

For HTTPS traffic, Application Gateway can perform SSL termination, decrypting the traffic before forwarding it to the backend. It can also re-encrypt traffic if needed.

Key Features

Application Gateway offers a rich set of features to enhance web application delivery and security:

Load Balancing

It supports Layer 7 load balancing with various methods to distribute traffic efficiently.

SSL Termination

Offload SSL processing from your web servers, simplifying management and improving performance.

Web Application Firewall (WAF)

Provides centralized protection against common web attacks such as SQL injection and cross-site scripting (XSS).

URL-Based Routing

Direct requests to different backend pools based on the URL path. For example, requests to /images/* can be routed to an image-serving pool, while /api/* routes to an API pool.


    # Example routing rule configuration (illustrative; one list entry per rule)
    - Conditions:
        - Field: urlPath
          Operator: BeginsWith
          Values:
            - /images/
      BackendPool: ImageBackendPool

    - Conditions:
        - Field: urlPath
          Operator: BeginsWith
          Values:
            - /api/
      BackendPool: ApiBackendPool

Host-Based Routing

Enable hosting of multiple websites on the same Application Gateway instance by routing based on the host name specified in the HTTP request's Host header.
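
The request flow, URL-based routing and host-based routing described above, modelled in Python as an added example (not Azure's implementation and not code from the original page). The Pool, Rule and route names, the host www.example.test and the 10.0.x.x addresses are assumptions made for the sketch; only the two path prefixes and pool names come from the routing example.

```python
# Added illustration: a toy model of the request flow, not Azure's implementation.
# Pool/Rule/route and every host name and address below are constructed.
from dataclasses import dataclass, field
from itertools import count


@dataclass
class Pool:
    name: str
    instances: list                                # backend addresses
    unhealthy: set = field(default_factory=set)    # maintained by health probes
    turn: count = field(default_factory=count)     # round-robin position

    def pick(self):
        """Round-robin over the instances still in rotation."""
        healthy = [i for i in self.instances if i not in self.unhealthy]
        if not healthy:
            return None                            # no healthy instance to forward to
        return healthy[next(self.turn) % len(healthy)]


@dataclass
class Rule:
    host: str          # host name the listener serves (Host header)
    path_prefix: str   # urlPath BeginsWith value
    pool: Pool


def route(rules, host, path):
    """Match a rule (step 3), select its pool (step 4), pick an instance (step 5)."""
    # Longest prefix first, so a broad rule never shadows a specific one.
    for rule in sorted(rules, key=lambda r: len(r.path_prefix), reverse=True):
        if rule.host == host.lower() and path.startswith(rule.path_prefix):
            return rule.pool.name, rule.pool.pick()
    return None, None  # this sketch refuses unmatched requests instead of guessing a pool


def sample_rules():
    """The two rules from the routing example, on one constructed host."""
    images = Pool("ImageBackendPool", ["10.0.1.4", "10.0.1.5"])
    api = Pool("ApiBackendPool", ["10.0.2.4", "10.0.2.5"])
    host = "www.example.test"
    return [Rule(host, "/images/", images), Rule(host, "/api/", api)]


if __name__ == "__main__":
    rules = sample_rules()
    for path in ("/images/logo.png", "/images/b.png", "/api/v1", "/admin"):
        print(path, "->", route(rules, "www.example.test", path))
```

Adding an address to a pool's unhealthy set plays the part of a failed health probe: the instance drops out of rotation on the next request without any change to the rules.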

Autoscaling

Application Gateway can automatically scale its capacity up or down based on traffic load, ensuring optimal performance and cost efficiency.

Conclusion

Azure Application Gateway is a powerful and flexible service for managing and securing web traffic to your applications in Azure. Its robust feature set, including Layer 7 load balancing, SSL termination, WAF, and advanced routing capabilities, makes it an essential component for modern web architectures.

By understanding its core components and request flow, you can effectively deploy and manage your web applications with enhanced performance, security, and scalability.