Azure Application Gateway

Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. It provides Layer 7 load balancing and offers features like:

Key Concepts

Listeners

A listener checks for incoming connection requests. You configure a listener with a frontend IP address, port, and protocol (HTTP or HTTPS). You can also associate a certificate with an HTTPS listener for SSL termination.

Backend Pools

A backend pool contains the servers that will receive the traffic forwarded by Application Gateway. These can be virtual machines, virtual machine scale sets, or app services.

HTTP Settings

HTTP settings define how Application Gateway forwards requests to the backend servers. This includes the backend protocol, port, cookie-based session affinity, and health probe configurations.

Routing Rules

Routing rules tie together the listener, backend pool, and HTTP settings. They define how incoming requests are processed and where they are sent.

Common Scenarios

SSL Termination

Application Gateway can terminate SSL connections: it decrypts the incoming HTTPS traffic and forwards it to your backend servers as unencrypted HTTP traffic. This offloads the SSL processing from your servers, and it also means the traffic between the gateway and the backend servers is not encrypted.


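# Example: Basic SSL termination configuration
# HTTPS listener: clients connect here and TLS ends at the gateway
listener:
  frontendIPConfiguration: "publicIP"
  port: 443
  protocol: "Https"
  sslCertificate: "mySslCert"

# HTTP setting: the gateway-to-backend hop is plain HTTP on port 80
httpSetting:
  protocol: "Http"
  port: 80

# Rule: ties the listener, backend pool, and HTTP setting together
rule:
  listener: "listener"
  backendPool: "backendPool"
  httpSetting: "httpSetting"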

URL-Based Content Routing

Route requests to different backend pools based on the URL. For example, requests to `/images/*` might go to an image serving pool, while `/api/*` goes to an API backend pool.

Tip: Use URL path-based routing to distribute traffic efficiently across different microservices or application tiers.

Web Application Firewall (WAF)

Application Gateway WAF provides centralized protection for your web applications from exploits and vulnerabilities. It can block common attacks such as SQL injection, cross-site scripting, and other web threats.

Important: Always enable WAF for public-facing applications to enhance their security posture.
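The SSL termination and WAF guidance above can be checked mechanically before deployment. The following is an added example, not Azure's or this page's own code: a small Python audit over a config written in the simplified shape of the SSL termination sample. The plural keys, the "frontend" and "sku" fields, and the finding codes are assumptions made for this example, and treating a WAF tier as "WAF enabled" is only a proxy.

```python
# Added example: audits a gateway config in the simplified shape of the page's
# SSL termination sample. Key names are assumptions, not an Azure schema.
CONFIG = {  # constructed sample input
    "sku": "Standard_v2",
    "listeners": {
        "web": {"frontend": "publicIP", "port": 443, "protocol": "Https",
                "sslCertificate": "mySslCert"},
        "legacy": {"frontend": "publicIP", "port": 80, "protocol": "Http"},
    },
    "backendPools": {"webPool": ["10.0.1.4", "10.0.1.5"]},
    "httpSettings": {
        "plain": {"protocol": "Http", "port": 80},
        "tls": {"protocol": "Https", "port": 443},
    },
    "rules": [
        {"listener": "web", "backendPool": "webPool", "httpSetting": "plain"},
        {"listener": "legacy", "backendPool": "imgPool", "httpSetting": "tls"},
    ],
}


def audit(cfg):
    """Return a sorted list of (code, subject) findings for one gateway config."""
    findings = set()
    listeners = cfg.get("listeners", {})
    settings = cfg.get("httpSettings", {})
    pools = cfg.get("backendPools", {})
    for i, rule in enumerate(cfg.get("rules", [])):
        # A rule ties listener, pool and HTTP setting together; each must exist.
        for key, table in (("listener", listeners), ("backendPool", pools),
                           ("httpSetting", settings)):
            if rule.get(key) not in table:
                findings.add(("DANGLING_REF", f"rule[{i}].{key}"))
        lst = listeners.get(rule.get("listener"), {})
        hs = settings.get(rule.get("httpSetting"), {})
        # SSL termination: TLS ends at the gateway, backend hop is plain HTTP.
        if lst.get("protocol") == "Https" and hs.get("protocol") == "Http":
            findings.add(("CLEARTEXT_BACKEND", f"rule[{i}]"))
    public = [n for n, l in listeners.items() if l.get("frontend") == "publicIP"]
    for name in public:
        if listeners[name].get("protocol") == "Http":
            findings.add(("PUBLIC_HTTP_LISTENER", name))
    # Page guidance: public-facing applications should sit behind WAF.
    if public and not str(cfg.get("sku", "")).startswith("WAF"):
        findings.add(("NO_WAF_ON_PUBLIC", cfg.get("sku", "unset")))
    return sorted(findings)


if __name__ == "__main__":
    print(*audit(CONFIG), sep="\n")
```

CLEARTEXT_BACKEND is informational when SSL offload is intended; the other findings point at a gap between the config and the guidance on this page.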

Deployment and Management

Azure Application Gateway can be deployed using the Azure portal, Azure CLI, PowerShell, or ARM templates.

Pricing

Pricing is based on the instance size, number of instances, and data transfer. Different tiers (Standard_v2, WAF_v2) offer varying features and performance.

Note: Consider the v2 SKU for enhanced performance, availability, and autoscaling capabilities.

For more detailed information, please refer to the official Azure Application Gateway documentation.