Azure Application Gateway Reference
Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. It offers Layer 7 load balancing capabilities with features such as SSL termination, cookie-based session affinity, round-robin load distribution, health probes, and more.
Key Components and Concepts
Listeners
Listeners configure the port, protocol (HTTP/HTTPS), frontend IP address, and TLS certificate for incoming traffic. A listener is either basic, matching on port alone, or multi-site, which also matches the request's Host header so that several sites can share one gateway. A single Application Gateway instance can have multiple listeners.
- Port: The port on which the Application Gateway listens for requests (e.g., 80 for HTTP, 443 for HTTPS).
- Protocol: The protocol used for communication (HTTP or HTTPS).
- IP Address: The public or private IP address that the Application Gateway is associated with.
- SSL Certificate: For HTTPS listeners, a certificate is required for TLS termination. It can be uploaded directly as a PFX or referenced from Azure Key Vault; in the Key Vault case the gateway retrieves the secret through a managed identity that must have been granted access to it.
Backend Pools
Backend pools define the set of targets that receive traffic from the Application Gateway. A pool can contain:
- IP addresses or fully qualified domain names (FQDNs), public or private.
- Network interfaces of virtual machines.
- Virtual Machine Scale Sets (VMSS).
- Azure App Service apps (multi-tenant) or apps in an App Service Environment.
HTTP Settings
HTTP settings define how the Application Gateway sends requests to the backend pool. Key configurations include:
- Backend Protocol: The protocol to use when sending traffic to the backend (HTTP or HTTPS).
- Port: The port on the backend servers to send traffic to.
- Cookie-based Affinity: Enables sticky sessions by setting a gateway-managed cookie so that subsequent requests from a client go to the same backend server.
- Connection Draining: Allows in-flight requests to complete before a backend instance is removed from the pool.
- Request Timeout: How long the gateway waits for the backend to respond before returning an error to the client.
- Host Name Override: Whether to forward the client's Host header unchanged, replace it with a fixed host name, or pick it from the backend target. Multi-tenant backends such as App Service need their own host name, or they cannot route the request.
- Probe: Which custom health probe to use for backends reached through these settings; without one a default probe is used.
Rules
Rules connect a listener to a backend pool and HTTP settings, or to a redirect configuration. Each listener is used by exactly one rule, and on the v2 SKU every rule carries a priority that decides which one applies when more than one could match. There are two types of rules:
- Basic Rules: Route all traffic from a listener to a single backend pool using the specified HTTP settings.
- Path-based Rules: Use a URL path map to send requests to different backend pools (each with its own HTTP settings) based on the URL path, with a default pool for paths that match no entry.
Health Probes
Custom health probes define how Application Gateway monitors the health of backend servers. A backend that fails the probe is marked unhealthy and receives no new traffic until it passes again. If no custom probe is associated with the HTTP settings, a default probe is used that requests the root path on 127.0.0.1 over the backend protocol and port (interval 30 s, timeout 30 s, unhealthy threshold 3), which is rarely what an application expects.
- Protocol: HTTP or HTTPS.
- Host: The host header to send in the probe request, or pick it from the backend HTTP settings.
- Path: The relative path for the probe request.
- Interval: The time between probe attempts (in seconds).
- Timeout: The time to wait for a response (in seconds); a response that arrives later counts as a failure.
- Unhealthy Threshold: The number of consecutive failed probes before a backend server is marked unhealthy.
- Match Conditions: The HTTP status codes (200-399 by default) and, optionally, a response body string that count as a healthy response.
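To make the threshold arithmetic concrete, here is an added example (written for this page, not Azure's code) that models one backend's health under the probe settings listed above: timeouts and non-matching status codes count as failures, the backend leaves rotation after the configured number of consecutive failures, and the sample probe results are constructed. The host and path are hypothetical, and the example assumes that a single successful probe restores a backend to healthy, which the page does not state.

```python
"""Health-probe state machine for one Application Gateway backend.

Added example, not code from the page or from Azure. It models the probe
settings described above (interval, timeout, unhealthy threshold and the
200-399 healthy status match). Assumption: one successful probe restores
a backend to healthy.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProbeConfig:
    protocol: str = "Https"
    host: str = "app.contoso.example"           # hypothetical host header
    path: str = "/healthz"                      # hypothetical probe path
    interval: int = 30                          # seconds between probes
    timeout: int = 30                           # seconds to wait for a response
    unhealthy_threshold: int = 3                # consecutive failures before removal
    healthy_status_codes: tuple = ("200-399",)  # match condition


@dataclass
class ProbeResult:
    status: Optional[int]   # None: no response (connection error or hang)
    elapsed: float          # seconds until the response arrived


def status_matches(status: int, ranges) -> bool:
    """True if status falls inside one of the 'lo-hi' or single 'code' ranges."""
    for r in ranges:
        lo, _, hi = r.partition("-")
        if int(lo) <= status <= int(hi or lo):
            return True
    return False


def probe_succeeded(cfg: ProbeConfig, result: ProbeResult) -> bool:
    """A probe fails on no response, on exceeding the timeout, or on a non-matching status."""
    if result.status is None or result.elapsed > cfg.timeout:
        return False
    return status_matches(result.status, cfg.healthy_status_codes)


@dataclass
class BackendHealth:
    cfg: ProbeConfig
    healthy: bool = True
    consecutive_failures: int = 0

    def record(self, result: ProbeResult) -> bool:
        """Apply one probe result and return the backend's new health state."""
        if probe_succeeded(self.cfg, result):
            self.consecutive_failures = 0
            self.healthy = True            # assumption: a single success restores
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.cfg.unhealthy_threshold:
                self.healthy = False       # taken out of rotation
        return self.healthy


def simulate(cfg: ProbeConfig, results: List[ProbeResult]) -> List[bool]:
    """Health state after each probe, in sequence."""
    backend = BackendHealth(cfg)
    return [backend.record(r) for r in results]


def detection_window(cfg: ProbeConfig) -> int:
    """Approximate worst-case seconds a dead backend keeps receiving traffic."""
    return cfg.interval * cfg.unhealthy_threshold


# Constructed probe results: healthy, hang, 503, a 200 that arrived too late, healthy.
SAMPLE_RESULTS = [
    ProbeResult(200, 0.1),
    ProbeResult(None, 31.0),
    ProbeResult(503, 0.2),
    ProbeResult(200, 35.0),
    ProbeResult(200, 0.1),
]

if __name__ == "__main__":
    cfg = ProbeConfig()
    print(simulate(cfg, SAMPLE_RESULTS))   # [True, True, True, False, True]
    print(detection_window(cfg), "seconds before the backend is removed")
```

Note that the late 200 in the fourth probe is what pushes the backend over the threshold: a backend that answers correctly but slowly is indistinguishable from a dead one to the probe, so the timeout should be set with the application's real response time in mind.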
SSL Termination and End-to-End SSL
Application Gateway supports TLS termination at the gateway: incoming HTTPS traffic is decrypted and forwarded to the backend as plaintext HTTP, which offloads the backend but leaves the hop between the gateway and the backend unencrypted even inside a virtual network. It also supports end-to-end TLS, where the gateway decrypts the request for inspection and routing and then re-encrypts it to the backend. For end-to-end TLS the gateway validates the backend's certificate: on the v2 SKU the issuing root certificate must be uploaded to the HTTP settings unless the certificate comes from a well-known CA, and the certificate must match the host name the HTTP settings send. The TLS versions and cipher suites a listener accepts are governed by the gateway's SSL policy, which should be pinned to one with a TLS 1.2 minimum rather than left at the platform default.
Features
- URL Routing: Route requests to different backend pools based on URL paths.
- SSL Termination: Offload SSL decryption from your web servers.
- Cookie-based Session Affinity: Ensure client requests are consistently directed to the same backend server.
- Web Application Firewall (WAF): On the WAF SKUs, inspect requests against the OWASP Core Rule Set and either log matches (Detection mode) or block them (Prevention mode).
- Autoscaling: On the v2 SKU, automatically adjust the number of gateway instances to the traffic load.
- Redirection: Redirect HTTP requests to HTTPS, or to a different URL.
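A practitioner reviewing a gateway definition wants the points above checked mechanically rather than by eye. The following is an added example, not code from this page or from Azure: it reviews the properties block of a Microsoft.Network/applicationGateways ARM resource for the weaknesses discussed in the Listeners, HTTP Settings, SSL and Features sections (plaintext listeners with no redirect, an SSL policy that still admits TLS 1.0/1.1, HTTP settings that terminate TLS or lack a custom probe, and a WAF left in Detection mode). The field names are those of the ARM schema; the resource ids, host names, and the two sample configurations are constructed for the example.

```python
"""Static review of an Application Gateway ARM resource for weak settings.

Added example, not code from the page or from Azure. It inspects the
``properties`` block of a Microsoft.Network/applicationGateways resource
using the ARM schema's field names. The two configurations at the bottom
are constructed samples with hypothetical ids and host names.
"""

LEGACY_POLICIES = {"AppGwSslPolicy20150501", "AppGwSslPolicy20170401"}  # admit TLS 1.0/1.1
WEAK_MIN_VERSIONS = {"TLSv1_0", "TLSv1_1"}
GW = "/subscriptions/sub/resourceGroups/rg/providers/Microsoft.Network/applicationGateways/agw"


def ref(kind: str, name: str) -> dict:
    """ARM-style reference to one of the gateway's own sub-resources (hypothetical id)."""
    return {"id": f"{GW}/{kind}/{name}"}


def _name(reference: dict) -> str:
    return reference["id"].rsplit("/", 1)[-1]


def review(props: dict) -> list:
    """Return one finding string per weak setting; an empty list means clean."""
    findings = []

    # Listeners: a plaintext listener is acceptable only as the source of a redirect rule.
    redirected = {_name(r["properties"]["httpListener"])
                  for r in props.get("requestRoutingRules", [])
                  if "redirectConfiguration" in r["properties"]}
    for lst in props.get("httpListeners", []):
        if lst["properties"]["protocol"] == "Http" and lst["name"] not in redirected:
            findings.append(f"listener {lst['name']}: plaintext HTTP with no redirect to HTTPS")

    # SSL policy: pin one that refuses TLS 1.0/1.1 instead of relying on the platform default.
    pol = props.get("sslPolicy")
    if pol is None:
        findings.append("sslPolicy: not set; pin a policy with a TLS 1.2 minimum")
    elif pol.get("policyType") == "Predefined" and pol.get("policyName") in LEGACY_POLICIES:
        findings.append(f"sslPolicy: {pol['policyName']} still admits TLS 1.0/1.1")
    elif pol.get("policyType") in ("Custom", "CustomV2") and pol.get("minProtocolVersion") in WEAK_MIN_VERSIONS:
        findings.append(f"sslPolicy: minProtocolVersion {pol['minProtocolVersion']} is below TLS 1.2")

    # HTTP settings: termination vs end-to-end TLS, and whether a custom probe is attached.
    for s in props.get("backendHttpSettingsCollection", []):
        sp = s["properties"]
        if sp["protocol"] == "Http":
            findings.append(f"httpSettings {s['name']}: TLS ends at the gateway, backend traffic is plaintext")
        if "probe" not in sp:
            findings.append(f"httpSettings {s['name']}: no custom probe, default probe targets 127.0.0.1:{sp['port']}/")

    # WAF: only Prevention mode blocks; Detection merely logs.
    tier = props.get("sku", {}).get("tier", "")
    waf = props.get("webApplicationFirewallConfiguration")
    if not tier.startswith("WAF"):
        findings.append(f"sku tier {tier or 'unknown'}: no Web Application Firewall on this gateway")
    elif waf is None and "firewallPolicy" not in props:
        findings.append("WAF: WAF SKU without a firewall configuration or policy")
    elif waf is not None and (not waf.get("enabled") or waf.get("firewallMode") != "Prevention"):
        findings.append(f"WAF: enabled={waf.get('enabled')} mode={waf.get('firewallMode')}; only Prevention blocks")
    return findings


# Constructed sample: terminates TLS, no policy pinned, no probe, WAF only logging.
WEAK = {
    "sku": {"name": "WAF_v2", "tier": "WAF_v2"},
    "frontendPorts": [{"name": "port_80", "properties": {"port": 80}}],
    "httpListeners": [{"name": "http-in", "properties": {
        "protocol": "Http", "frontendPort": ref("frontendPorts", "port_80")}}],
    "backendHttpSettingsCollection": [{"name": "plain", "properties": {
        "protocol": "Http", "port": 80, "cookieBasedAffinity": "Disabled"}}],
    "requestRoutingRules": [{"name": "all", "properties": {
        "ruleType": "Basic", "httpListener": ref("httpListeners", "http-in"),
        "backendAddressPool": ref("backendAddressPools", "pool"),
        "backendHttpSettings": ref("backendHttpSettingsCollection", "plain")}}],
    "webApplicationFirewallConfiguration": {
        "enabled": True, "firewallMode": "Detection", "ruleSetType": "OWASP", "ruleSetVersion": "3.2"},
}

# Constructed sample: HTTP redirected to HTTPS, TLS 1.2 policy, end-to-end TLS with a probe, WAF blocking.
HARDENED = {
    "sku": {"name": "WAF_v2", "tier": "WAF_v2"},
    "sslPolicy": {"policyType": "Predefined", "policyName": "AppGwSslPolicy20220101S"},
    "frontendPorts": [{"name": "port_80", "properties": {"port": 80}},
                      {"name": "port_443", "properties": {"port": 443}}],
    "httpListeners": [
        {"name": "http-in", "properties": {"protocol": "Http", "frontendPort": ref("frontendPorts", "port_80")}},
        {"name": "https-in", "properties": {"protocol": "Https", "frontendPort": ref("frontendPorts", "port_443"),
                                            "sslCertificate": ref("sslCertificates", "site-cert")}},
    ],
    "redirectConfigurations": [{"name": "to-https", "properties": {
        "redirectType": "Permanent", "targetListener": ref("httpListeners", "https-in"),
        "includePath": True, "includeQueryString": True}}],
    "probes": [{"name": "healthz", "properties": {
        "protocol": "Https", "path": "/healthz", "interval": 30, "timeout": 30, "unhealthyThreshold": 3,
        "pickHostNameFromBackendHttpSettings": True, "match": {"statusCodes": ["200-399"]}}}],
    "backendHttpSettingsCollection": [{"name": "e2e-tls", "properties": {
        "protocol": "Https", "port": 443, "cookieBasedAffinity": "Disabled",
        "hostName": "app.internal.example", "probe": ref("probes", "healthz")}}],
    "requestRoutingRules": [
        {"name": "redirect", "properties": {"ruleType": "Basic", "priority": 10,
            "httpListener": ref("httpListeners", "http-in"),
            "redirectConfiguration": ref("redirectConfigurations", "to-https")}},
        {"name": "app", "properties": {"ruleType": "Basic", "priority": 20,
            "httpListener": ref("httpListeners", "https-in"),
            "backendAddressPool": ref("backendAddressPools", "pool"),
            "backendHttpSettings": ref("backendHttpSettingsCollection", "e2e-tls")}},
    ],
    "webApplicationFirewallConfiguration": {
        "enabled": True, "firewallMode": "Prevention", "ruleSetType": "OWASP", "ruleSetVersion": "3.2"},
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, review(cfg) or ["clean"])
```

The WEAK sample produces five findings and the HARDENED one none. Running the same function over the `properties` of a gateway exported from a real subscription (for example with `az network application-gateway show`) gives the same checks against live configuration; the hardened sample also shows the shape of the fix for each finding: an HTTP listener whose only rule is a redirect to the HTTPS listener, a pinned predefined SSL policy, HTTPS backend settings with an explicit host name and probe, and the WAF in Prevention mode.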
Common Use Cases
- Load balancing web applications hosted on VMs, VMSS, or App Services.
- Enforcing SSL/TLS encryption for web traffic.
- Implementing path-based routing for microservices architectures.
- Providing a centralized point for Web Application Firewall protection.