Azure Application Gateway Documentation

Your comprehensive guide to Microsoft's intelligent network traffic manager.

Introduction to Azure Application Gateway

Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. It is a Layer 7 (HTTP/HTTPS) load balancer that allows you to route traffic based on attributes of the request, such as the URL path or host header. It also provides a Web Application Firewall (WAF) capability to protect your web applications from common exploits and vulnerabilities.

What is Application Gateway?

Application Gateway provides functionalities like load balancing, HTTP to HTTPS redirection, cookie-based session affinity, SSL/TLS termination, multiple site hosting, and URL path-based routing.

Key Features

  • Load Balancing: Distributes incoming web traffic across multiple backend servers.
  • SSL/TLS Termination: Offloads the SSL/TLS encryption/decryption to the Application Gateway, reducing the load on your web servers.
  • Web Application Firewall (WAF): Protects your web applications from common web exploits and vulnerabilities, such as SQL injection and cross-site scripting.
  • Multiple Site Hosting: Host multiple web applications on a single Application Gateway instance.
  • URL Path-Based Routing: Routes requests to specific backend pools based on the URL path.
  • Cookie-Based Session Affinity: Directs all requests from a particular user to the same backend server.
  • Redirection: Redirect HTTP requests to HTTPS or other URLs.
  • Health Probes: Monitors the health of backend servers and routes traffic only to healthy instances.
  • Autoscaling: Automatically adjusts capacity based on traffic load.

Figure: Simplified diagram of Azure Application Gateway architecture.

Core Components

Understanding the core components of Application Gateway is crucial for its effective deployment and management.

Frontend IP Address

The frontend IP address is the IP address that clients use to connect to your Application Gateway. It can be a public IP, a private IP, or both.

Listeners

A listener listens for incoming requests on a specified port, protocol, and IP address. It can be configured for HTTP or HTTPS. For HTTPS, it requires an SSL certificate.

Request Routing Rules

Request routing rules bind a listener to a backend target (backend pool or backend instances) through HTTP settings. They define how traffic is routed.

Types of Routing Rules:

  • Basic: Routes traffic from a listener to a single backend pool.
  • Path-based: Routes traffic to different backend pools based on the URL path.

Backend Pools

A backend pool consists of the servers that Application Gateway forwards traffic to. These can be virtual machine scale sets, virtual machines, or even Azure App Service applications.

Health Probes

Health probes are used to check the availability and health of backend servers. Application Gateway continuously probes the backend servers to ensure they are responsive and healthy.

HTTP Settings

HTTP settings define how Application Gateway communicates with the backend servers. This includes the protocol (HTTP/HTTPS), port, cookie-based affinity, connection draining timeout, and probe settings.

Backend Targets

These are the actual endpoints to which traffic is routed, such as virtual machines, IP addresses, or FQDNs.

Common Use Cases

Application Gateway is versatile and can be used in various scenarios.

Load Balancing

Distribute incoming requests across multiple backend web servers to improve application availability and performance.

Web Application Firewall (WAF)

Deploy Application Gateway with WAF enabled to protect your web applications from OWASP Top 10 vulnerabilities and other malicious attacks.

Note: Application Gateway offers two WAF modes: WAF_v1 and WAF_v2. WAF_v2 offers improved performance, custom rules, and other enhancements.

SSL/TLS Termination

Terminate SSL/TLS connections at the Application Gateway. This simplifies certificate management and offloads the CPU-intensive decryption process from your backend servers. Traffic between the Application Gateway and backend servers can then be sent over HTTP; that hop is unencrypted unless the HTTP settings specify HTTPS for the backend.

URL-Based Routing

Route incoming requests to different backend pools based on the URL path. For example, requests to /images/* could go to an image server pool, while requests to /api/* go to an API server pool.

Cookie-Based Session Affinity

Also known as "sticky sessions," this feature ensures that requests from a specific client are consistently sent to the same backend server. This is useful for applications that store session state locally on the web server.

Getting Started

You can deploy Azure Application Gateway using the Azure portal, Azure CLI, PowerShell, or ARM templates.

  1. Create an Application Gateway instance.
  2. Configure frontend IP address(es).
  3. Define backend pools of your servers.
  4. Set up HTTP settings.
  5. Create listeners to define how incoming traffic is received.
  6. Configure request routing rules to map listeners to backend pools.
  7. (Optional) Enable WAF and configure its rules.
  8. Monitor the health of your backend servers.

Tip: For high availability, deploy Application Gateway in Availability Zones or across multiple regions.

Best Practices

  • Use a separate subnet for Application Gateway.
  • Configure appropriate health probes to ensure traffic is only sent to healthy instances.
  • Use SSL/TLS termination for better performance and simplified certificate management.
  • Implement WAF to protect your applications from common attacks.
  • Enable autoscaling to handle varying traffic loads efficiently.
  • Monitor Application Gateway metrics and logs for performance and security insights.
  • Keep your Application Gateway instances updated to the latest version for security and feature enhancements.
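
Several of these practices can be checked against an exported gateway definition. The following is an added example, not code from this documentation or from Microsoft: it audits the JSON returned by `az network application-gateway show`. The field names follow the ARM resource schema, the sample values are constructed, and the `audit` function is hypothetical.

```python
import json

# Constructed sample shaped like `az network application-gateway show` output.
SAMPLE = json.loads("""{
  "autoscaleConfiguration": null, "firewallPolicy": null,
  "webApplicationFirewallConfiguration": null,
  "httpListeners": [{"id": "/l/http", "name": "http-in", "protocol": "Http"},
                    {"id": "/l/tls", "name": "tls-in", "protocol": "Https"}],
  "requestRoutingRules": [
    {"httpListener": {"id": "/l/http"}, "redirectConfiguration": null},
    {"httpListener": {"id": "/l/tls"}, "redirectConfiguration": null}],
  "backendHttpSettingsCollection": [
    {"name": "be-80", "protocol": "Http", "probe": null}]
}""")

def audit(gw):
    """Return best-practice findings for one gateway definition (a dict)."""
    findings = []
    waf = gw.get("webApplicationFirewallConfiguration") or {}
    # WAF can come from the inline configuration or an attached WAF policy.
    if not gw.get("firewallPolicy") and not waf.get("enabled"):
        findings.append("WAF is not enabled")
    elif waf and waf.get("firewallMode") != "Prevention":
        findings.append("WAF is in Detection mode (logs, does not block)")
    if not gw.get("autoscaleConfiguration"):
        findings.append("autoscaling is not configured")
    # Listeners whose rule carries a redirect. Simplification: the redirect
    # target is not inspected, and path-map level redirects are ignored.
    redirected = {r["httpListener"]["id"]
                  for r in gw.get("requestRoutingRules", [])
                  if r.get("redirectConfiguration")}
    for lst in gw.get("httpListeners", []):
        if lst["protocol"].lower() == "http" and lst["id"] not in redirected:
            findings.append(f"listener {lst['name']}: plain HTTP without a redirect rule")
    for s in gw.get("backendHttpSettingsCollection", []):
        if s["protocol"].lower() == "http":
            findings.append(f"HTTP settings {s['name']}: backend hop is unencrypted")
        if not s.get("probe"):
            findings.append(f"HTTP settings {s['name']}: relies on the default health probe")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("-", finding)
```

When a WAF policy is attached, the Detection/Prevention mode lives on the policy resource, so this check only reports the mode for the inline WAF configuration.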
