Azure Application Gateway Documentation

Introduction to Azure Application Gateway

Azure Application Gateway is a managed application load balancer that enables you to manage traffic to your web applications. It provides features such as load balancing, Web Application Firewall (WAF), SSL termination, and cookie-based session affinity. It operates at Layer 7 (HTTP/S) and can route traffic based on various parameters like URL path, host name, and HTTP headers.

Key Benefit: Provides robust application layer load balancing and security for your web applications hosted on Azure.

Key Features

Load Balancing: Distributes incoming HTTP/S traffic across multiple backend servers. Supports various load balancing methods.
SSL Termination: Offloads SSL/TLS decryption from your web servers, simplifying certificate management and reducing server load.
Web Application Firewall (WAF): Protects your web applications from common web vulnerabilities and exploits such as SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF).
Cookie-Based Session Affinity: Ensures that requests from a particular client are directed to the same backend server, which is essential for applications that maintain user session state on the server.
URL-Based Content Routing: Routes requests to different backend pools based on the URL path or other attributes of the request.
Host-Based Routing: Supports routing requests to different backend pools based on the hostname specified in the request's Host header.
End-to-End SSL Encryption: Provides encryption for traffic between the client and the Application Gateway, and optionally between the Application Gateway and the backend servers.
Health Probes: Continuously monitors the health of backend servers and only routes traffic to healthy instances.
Autoscaling: Automatically scales the Application Gateway capacity based on traffic load.

Common Use Cases

Load balancing HTTP/S traffic for highly available and scalable web applications.
Securing web applications against common threats using WAF.
Implementing SSL termination and offloading.
Routing traffic to different services or applications based on URL paths (e.g., /api to one set of servers, /images to another).
Hosting multiple web applications on a single Application Gateway using host-based routing.

Application Gateway Architecture

An Application Gateway consists of the following key components:

Frontend IP Configuration: Public or private IP addresses that clients connect to.
Listeners: Define the port, protocol, and host on which the Application Gateway listens for incoming traffic.
Rules: Combine the listener, backend targets, and other settings to define how requests are routed.
Backend HTTP Settings: Define settings for the backend pool, such as ports, protocols, and cookie-based affinity.
Backend Pools: Groups of backend servers that receive traffic. These can be virtual machines, virtual machine scale sets, or app services.
Health Probes: Custom probes to monitor backend server health.

You can deploy Application Gateway in two modes: Standard V2 and WAF V2. WAF V2 offers enhanced security features with an integrated Web Application Firewall.

Recommendation: For new deployments, it is recommended to use the V2 SKU, which offers autoscaling, zone redundancy, and improved performance.

Getting Started

Deploying an Application Gateway can be done through the Azure portal, Azure CLI, PowerShell, or ARM templates.

Azure Portal Deployment Example

1. Navigate to the Azure portal and search for "Application Gateway".

2. Click "Create".

3. Configure the Basics tab: Subscription, Resource Group, Name, Region, SKU (Standard V2 or WAF V2), Gateway scale.

4. Configure the Frontend tab: Frontend IP address (Public or Private).

5. Configure the Backend tab: Backend pools and Backend HTTP settings.

6. Configure the Configuration tab: Routing rules, listeners, and priority.

7. Configure Tags and Review + create.

Azure CLI Example


az group create --name myResourceGroup --location westus2
az network application-gateway create \
    --name myAppGateway \
    --resource-group myResourceGroup \
    --location westus2 \
    --sku Standard_V2 \
    --public-ip-address myAppGatewayPublicIP \
    --vnet-name myVNet \
    --subnet myAppGatewaySubnet \
    --frontend-port 80 \
    --backend-port 80 \
    --routing-rule

Ensure you have a Virtual Network (VNet) and a dedicated subnet for the Application Gateway. The subnet must be dedicated solely to the Application Gateway and cannot contain any other resources.

Advanced Configuration

SSL Certificates

You can upload your own SSL certificates or use Azure Key Vault for certificate management. This is crucial for enabling HTTPS listeners and end-to-end SSL encryption.

WAF Policies

For WAF V2 SKU, you can create custom WAF policies to define rulesets (e.g., OWASP Core Rule Set), bot protection, and custom rules to tailor security to your application's needs.

Note: WAF policies are applied to listeners configured with the WAF SKU.

Health Probes

Configure detailed health probes to ensure the Application Gateway accurately monitors backend server health. You can specify probe intervals, unhealthy threshold, and valid status codes.


# Example of a custom health probe configuration
{
    "name": "myHealthProbe",
    "properties": {
        "protocol": "Https",
        "host": "www.example.com",
        "path": "/health",
        "interval": 30,
        "timeout": 15,
        "unhealthyThreshold": 3,
        "pickHttpSettings": true
    }
}

Monitoring and Diagnostics

Azure Application Gateway provides comprehensive monitoring capabilities:

Azure Monitor: Track metrics such as active connections, request count, latency, and backend health.
Diagnostic Logs: Collect application gateway logs (ApplicationGatewayAccessLog, ApplicationGatewayPerformanceLog, ApplicationGatewayFirewallLog) for detailed analysis.
Application Gateway WAF Logs: Analyze firewall logs to identify and troubleshoot security events.
Application Insights: Integrate with Application Insights for deeper application performance monitoring and tracing.

Important: Regularly review diagnostic logs, especially WAF logs, to identify potential security threats and ensure optimal application performance.

Pricing

Azure Application Gateway pricing is based on the SKU (Standard V2, WAF V2), the amount of data processed, and the hourly cost of the gateway. Visit the Azure Application Gateway pricing page for the most up-to-date information.

Key pricing factors include:

Gateway hours (based on deployment time)
Data processed (GB)
WAF Processing Unit hours (for WAF SKU)

On This Page