🌐 Azure Application Gateway – Layer 7 Load Balancer with Web Application Firewall (WAF)

Modern web applications need high availability, security, and intelligent traffic management. Simple Layer 4 load balancers distribute traffic based on IP/port but lack application-level awareness.

Azure Application Gateway is a Layer 7 (HTTP/HTTPS) load balancer that distributes traffic based on URL paths, host headers, or session cookies. It also includes a Web Application Firewall (WAF) to protect web applications from common threats such as SQL injection, cross-site scripting (XSS), and other OWASP vulnerabilities.

With Application Gateway, enterprises can:

  • Optimize traffic routing
  • Secure apps with WAF
  • Enable SSL termination and session affinity
  • Scale automatically for high-traffic applications

What is Azure Application Gateway?

Azure Application Gateway is a managed PaaS service that provides:

  1. Layer 7 Load Balancing: Distribute traffic intelligently using HTTP/HTTPS attributes.
  2. Web Application Firewall (WAF): Protect applications from OWASP Top 10 threats.
  3. SSL Termination: Offload SSL decryption to reduce VM load.
  4. Path-Based Routing: Route requests based on URL paths (e.g., /images, /api).
  5. Multi-Site Hosting: Host multiple web applications on the same gateway with different domain names.
  6. Autoscaling: Adjust capacity based on traffic patterns.

Key Features

  • URL-based routing: Direct requests to backend pools based on paths.
  • Host-based routing: Route traffic based on domain names.
  • Session affinity (cookie-based): Send user requests to the same backend VM.
  • Custom WAF rules: Add extra security policies.
  • Redirection & rewriting: Modify HTTP headers and URLs.
  • Integration with VNets: Secure backend servers inside a VNet.

Architecture

  1. Frontend IP Configuration: Public or private IP address where requests arrive.
  2. Listeners: Monitor incoming requests on specific ports and protocols.
  3. Routing Rules: Define how requests are directed to backend pools.
  4. Backend Pools: Group of VMs, NICs, or IP addresses that serve traffic.
  5. Health Probes: Check backend availability.
  6. WAF: Inspects incoming traffic and blocks malicious requests.

Example Programs / Deployments

Example 1: Deploy Application Gateway using Azure CLI

# Create a Resource Group
az group create --name MyResourceGroup --location eastus
# Create a public IP for the gateway
az network public-ip create --resource-group MyResourceGroup --name AppGatewayPublicIP --sku Standard
# Create Application Gateway (v2 SKUs require a routing rule priority)
az network application-gateway create \
  --name MyAppGateway \
  --location eastus \
  --resource-group MyResourceGroup \
  --capacity 2 \
  --sku WAF_v2 \
  --frontend-port 80 \
  --http-settings-cookie-based-affinity Enabled \
  --public-ip-address AppGatewayPublicIP \
  --routing-rule-type Basic \
  --priority 100

👉 This sets up an Application Gateway with WAF enabled, session affinity, and basic routing.


Example 2: Path-Based Routing using PowerShell

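# Create backend pools
$backendPool1 = New-AzApplicationGatewayBackendAddressPool -Name "ApiPool" -BackendFqdns "api.example.com"
$backendPool2 = New-AzApplicationGatewayBackendAddressPool -Name "WebPool" -BackendFqdns "www.example.com"
# Create HTTP settings (-CookieBasedAffinity is a mandatory parameter)
$httpSetting1 = New-AzApplicationGatewayBackendHttpSetting -Name "ApiHttpSetting" -Port 80 -Protocol Http -CookieBasedAffinity Disabled
$httpSetting2 = New-AzApplicationGatewayBackendHttpSetting -Name "WebHttpSetting" -Port 80 -Protocol Http -CookieBasedAffinity Disabled
# Create the path rule and the URL path map
$apiRule = New-AzApplicationGatewayPathRuleConfig -Name "ApiRule" -Paths "/api/*" -BackendAddressPool $backendPool1 -BackendHttpSettings $httpSetting1
$pathMap = New-AzApplicationGatewayUrlPathMapConfig -Name "PathMap1" -PathRules $apiRule -DefaultBackendAddressPool $backendPool2 -DefaultBackendHttpSettings $httpSetting2
# Apply to listener: bind the path map through a PathBasedRouting rule.
# $listener is assumed to be the listener object returned by New-AzApplicationGatewayHttpListener.
$rule = New-AzApplicationGatewayRequestRoutingRule -Name "PathRule1" -RuleType PathBasedRouting -HttpListener $listener -UrlPathMap $pathMap -Priority 100
# Pass the pools, HTTP settings, $pathMap and $rule to New-AzApplicationGateway when creating the gateway.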

👉 Requests to /api/* go to API pool, while all other traffic goes to Web pool.


Example 3: ARM Template Deployment

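{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "subnetId": { "type": "string", "metadata": { "description": "Resource ID of the dedicated gateway subnet (parameter added to complete the example)" } }
  },
  "resources": [
    {
      "type": "Microsoft.Network/applicationGateways",
      "apiVersion": "2021-08-01",
      "name": "myAppGateway",
      "location": "eastus",
      "properties": {
        "sku": { "name": "WAF_v2", "tier": "WAF_v2", "capacity": 2 },
        "gatewayIPConfigurations": [
          { "name": "gatewayIP", "properties": { "subnet": { "id": "[parameters('subnetId')]" } } }
        ],
        "frontendIPConfigurations": [
          { "name": "frontendIP", "properties": { "publicIPAddress": { "id": "[resourceId('Microsoft.Network/publicIPAddresses','AppGWPublicIP')]" } } }
        ],
        "frontendPorts": [
          { "name": "frontendPort1", "properties": { "port": 80 } }
        ],
        "backendAddressPools": [
          { "name": "WebPool", "properties": { "backendAddresses": [{ "fqdn": "www.example.com" }] } }
        ],
        "backendHttpSettingsCollection": [
          { "name": "WebHttpSetting", "properties": { "port": 80, "protocol": "Http" } }
        ],
        "httpListeners": [
          { "name": "listener1", "properties": { "frontendIPConfiguration": { "id": "[concat(resourceId('Microsoft.Network/applicationGateways','myAppGateway'),'/frontendIPConfigurations/frontendIP')]" }, "frontendPort": { "id": "[concat(resourceId('Microsoft.Network/applicationGateways','myAppGateway'),'/frontendPorts/frontendPort1')]" }, "protocol": "Http" } }
        ],
        "requestRoutingRules": [
          { "name": "rule1", "properties": { "ruleType": "Basic", "priority": 100,
            "httpListener": { "id": "[concat(resourceId('Microsoft.Network/applicationGateways','myAppGateway'),'/httpListeners/listener1')]" },
            "backendAddressPool": { "id": "[concat(resourceId('Microsoft.Network/applicationGateways','myAppGateway'),'/backendAddressPools/WebPool')]" },
            "backendHttpSettings": { "id": "[concat(resourceId('Microsoft.Network/applicationGateways','myAppGateway'),'/backendHttpSettingsCollection/WebHttpSetting')]" } } }
        ],
        "webApplicationFirewallConfiguration": { "enabled": true, "firewallMode": "Prevention", "ruleSetType": "OWASP", "ruleSetVersion": "3.2" }
      }
    }
  ]
}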

👉 This template deploys Application Gateway with WAF and a backend pool, ideal for production environments.
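The components listed under Architecture reference each other by name inside the template, so a pre-deployment check can catch a WAF-tier gateway with no attached policy and no inline WAF configuration in Prevention mode, plain-HTTP listeners and backends, and listeners that point at an undeclared frontend port. The script below is an added example, not part of the original article or any Azure tooling; the function names, finding codes and the embedded sample template are constructed for the demonstration.

```python
import json, re
# Constructed sample shaped like an incomplete gateway template (not a real deployment).
SAMPLE = json.loads("""{"resources": [{
  "type": "Microsoft.Network/applicationGateways", "name": "myAppGateway",
  "sku": {"name": "WAF_v2", "tier": "WAF_v2", "capacity": 2},
  "properties": {
    "backendHttpSettingsCollection": [
      {"name": "WebHttpSetting", "properties": {"port": 80, "protocol": "Http"}}],
    "httpListeners": [{"name": "listener1", "properties": {"Protocol": "Http",
      "FrontendPort": {"id": "[concat(variables('gwId'), '/frontendPorts/frontendPort1')]"}}}]
  }}]}""")

def ci(obj, key, default=None):
    """Case-insensitive lookup; ARM property names are not case-sensitive."""
    return next((v for k, v in obj.items() if k.lower() == key.lower()), default)

def audit_gateway(res):
    """Return sorted finding codes for one applicationGateways resource."""
    props, out = ci(res, "properties", {}), set()
    sku = ci(props, "sku") or ci(res, "sku") or {}
    waf = ci(props, "webApplicationFirewallConfiguration", {})
    if not str(ci(sku, "tier", "")).upper().startswith("WAF"):
        out.add("NO_WAF_TIER")
    # An attached firewallPolicy is accepted; its mode lives on the policy resource.
    elif not ci(props, "firewallPolicy") and not (
            ci(waf, "enabled") is True and ci(waf, "firewallMode") == "Prevention"):
        out.add("WAF_NOT_IN_PREVENTION")
    ports = {ci(p, "name") for p in ci(props, "frontendPorts", [])}
    for listener in ci(props, "httpListeners", []):
        lp = ci(listener, "properties", {})
        if str(ci(lp, "protocol", "")).lower() != "https":
            out.add("HTTP_LISTENER")
        ref = re.search(r"/frontendPorts/([\w.-]+)", ci(ci(lp, "frontendPort", {}), "id", ""))
        if not ref or ref.group(1) not in ports:
            out.add("DANGLING_FRONTEND_PORT")
    for setting in ci(props, "backendHttpSettingsCollection", []):
        if str(ci(ci(setting, "properties", {}), "protocol", "")).lower() != "https":
            out.add("HTTP_BACKEND")
    for required in ("gatewayIPConfigurations", "requestRoutingRules"):
        if not ci(props, required):
            out.add("MISSING_" + required.upper())
    return sorted(out)

def audit_template(template):
    return {r["name"]: audit_gateway(r) for r in template.get("resources", [])
            if r.get("type", "").lower() == "microsoft.network/applicationgateways"}

if __name__ == "__main__":
    print(json.dumps(audit_template(SAMPLE), indent=2))
```

Run it in CI against the template file before deployment and fail the build on any finding you do not explicitly accept.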


How to Remember Azure Application Gateway (Interview & Exam Tips)

Use the mnemonic “L.A.W.S.”

  • L – Layer 7 Load Balancing
  • A – Application Routing (URL/Host-based)
  • W – WAF Protection
  • S – SSL Termination & Session Affinity

Think: “L.A.W.S. protects your web applications while routing intelligently.”


Why Learning Application Gateway is Important

  1. Web App Security: Protects against SQL injection, XSS, and OWASP threats.
  2. Traffic Management: Enables intelligent routing based on URL, host headers, or session affinity.
  3. Performance: SSL offloading reduces load on backend VMs.
  4. Certification Advantage: Key topic for AZ-104, AZ-305, and Azure security exams.
  5. Real-World Relevance: Used by enterprises for multi-site hosting, secure APIs, and high-traffic websites.

Real-World Use Cases

  • Multi-Tier Web Apps: Route /api traffic to backend API servers, /images to CDN cache.
  • E-Commerce Websites: WAF protects checkout pages from attacks.
  • Microservices Architecture: Different services served based on URL paths.
  • Hybrid Applications: Internal backend apps protected and routed securely.
  • Global Applications: Multi-region deployments with intelligent routing and WAF.

Best Practices

  • Enable WAF in production for security.
  • Use path-based routing to separate backend services.
  • Combine Application Gateway + Azure Front Door for global distribution.
  • Use autoscaling to handle traffic spikes.
  • Monitor with Azure Monitor and Application Insights.

Conclusion

Azure Application Gateway is a robust Layer 7 load balancer with WAF that ensures your web applications are secure, highly available, and intelligent in routing traffic.

Key takeaways:

  • Layer 7 routing, URL/Host-based traffic distribution
  • WAF for protection against common web attacks
  • SSL termination and session affinity improve performance and user experience
  • Integration with VNet ensures secure communication with backend servers

Mastering Application Gateway prepares you for real-world cloud deployments, Azure certification exams, and enterprise-scale web architectures.