Azure Application Gateway is a web traffic load balancer that operates at Layer 7 (application layer) of the OSI model, enabling you to manage and secure traffic to your web applications. Unlike traditional load balancers that work at Layer 4, Application Gateway can make routing decisions based on HTTP attributes such as URI paths, host headers, and other request characteristics.
Key security features include:
**Web Application Firewall (WAF):** Application Gateway integrates with WAF to protect applications against common web vulnerabilities like SQL injection, cross-site scripting (XSS), and other OWASP Top 10 threats. WAF policies can be configured in detection or prevention mode.
**SSL/TLS Termination:** The gateway handles SSL termination, offloading encryption processing from backend servers. This centralizes certificate management and reduces computational overhead on application servers. End-to-end SSL encryption is also supported for sensitive workloads.
**URL-based Routing:** Traffic can be routed to different backend pools based on URL paths, enabling microservices architectures and multi-tenant applications to share a single gateway endpoint.
**Session Affinity:** Cookie-based session affinity ensures user sessions remain connected to the same backend server, maintaining state for applications that require it.
**Autoscaling:** Application Gateway v2 supports automatic scaling based on traffic patterns, ensuring high availability during peak loads.
**Private Link Integration:** Backend pools can connect to private endpoints, keeping traffic within the Azure backbone network and enhancing security posture.
**Health Probes:** Custom health probes monitor backend server health, automatically removing unhealthy instances from rotation.
**Integration with Azure Security Services:** Application Gateway works seamlessly with Azure DDoS Protection, Azure Monitor, and Microsoft Defender for Cloud for comprehensive security monitoring and threat detection.
For Azure Security Engineers, Application Gateway serves as a critical component in implementing defense-in-depth strategies, providing a secure entry point for web applications while enabling granular traffic control and threat protection.
Azure Application Gateway
Why Azure Application Gateway is Important
Azure Application Gateway is a critical component for securing and optimizing web application traffic in Azure. As a web traffic load balancer operating at Layer 7 (Application Layer), it provides advanced routing capabilities, SSL/TLS termination, and integrated Web Application Firewall (WAF) protection. For the AZ-500 exam, understanding Application Gateway is essential because it represents a key service for protecting web applications from common vulnerabilities and attacks.
What is Azure Application Gateway?
Azure Application Gateway is a managed load balancer service that enables you to manage traffic to your web applications. Unlike basic load balancers that operate at Layer 4, Application Gateway understands HTTP/HTTPS traffic and can make routing decisions based on URL paths, host headers, and other HTTP attributes.
Key Features:
- Web Application Firewall (WAF): Protects against OWASP top 10 vulnerabilities, SQL injection, and cross-site scripting
- SSL/TLS Termination: Offloads encryption processing from backend servers
- URL-based Routing: Routes traffic based on URL paths
- Multi-site Hosting: Host multiple websites on a single gateway
- Session Affinity: Cookie-based session affinity for stateful applications
- Autoscaling: Automatic scaling based on traffic patterns
- Zone Redundancy: Spans multiple Availability Zones for high availability
How Azure Application Gateway Works
Application Gateway sits between clients and your backend servers, processing incoming requests through several components:
1. Frontend IP Configuration: Public or private IP address that receives traffic
2. Listeners: Check for incoming connection requests on specified ports and protocols
3. Rules: Bind listeners to backend pools and determine how traffic is routed
4. Backend Pools: Collection of resources (VMs, VMSS, App Services, IP addresses) that receive traffic
5. HTTP Settings: Define how traffic flows to backend servers (port, protocol, cookie affinity)
6. Health Probes: Monitor backend server health and remove unhealthy instances

WAF Modes:
- Detection Mode: Logs threats but allows traffic through
- Prevention Mode: Blocks detected attacks and logs them

WAF Rule Sets:
- OWASP Core Rule Set (CRS) 3.2, 3.1, 3.0, or 2.2.9
- Microsoft Default Rule Set (DRS) for bot protection
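To turn the component list and WAF modes above into a check you can actually run, here is an added Python audit script (not from the original page or from Microsoft) that walks a gateway definition in the shape returned by `az network application-gateway show` together with its linked WAF policy and reports the exam-relevant weaknesses: non-WAF SKU, missing or Detection-mode policy, plain-HTTP listeners, backend settings without end-to-end TLS, and missing custom probes. The field names follow the ARM resource schema; both sample gateways and the policy are constructed for this example.

```python
# Audit an Application Gateway definition against the checks above. `gw` mirrors
# `az network application-gateway show` JSON; `waf_policy` mirrors
# `az network application-gateway waf-policy show`. Sample data is constructed.

def audit_gateway(gw, waf_policy=None):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    sku = gw.get("sku", {}).get("name", "")
    if not sku.startswith("WAF"):  # only WAF / WAF_v2 SKUs can run a firewall
        findings.append(f"SKU {sku or '<none>'} has no WAF capability; use WAF_v2")
    if not gw.get("firewallPolicy", {}).get("id"):
        findings.append("no WAF policy attached to the gateway")
    elif waf_policy is not None:
        ps = waf_policy.get("policySettings", {})
        if ps.get("state") != "Enabled":
            findings.append("WAF policy state is not Enabled")
        if ps.get("mode") != "Prevention":  # Detection only logs, it does not block
            findings.append(f"WAF mode is {ps.get('mode')}, not Prevention")
        if not waf_policy.get("managedRules", {}).get("managedRuleSets"):
            findings.append("no managed rule set (OWASP CRS or DRS) enabled")
    for lst in gw.get("httpListeners", []):  # plain HTTP exposes client traffic
        if lst.get("protocol") != "Https":
            findings.append(f"listener {lst.get('name')} accepts plain HTTP")
    for bhs in gw.get("backendHttpSettingsCollection", []):
        if bhs.get("protocol") != "Https":  # end-to-end TLS needs HTTPS to backend
            findings.append(f"backend settings {bhs.get('name')} use HTTP (no end-to-end TLS)")
        if not bhs.get("probe"):  # custom probe removes unhealthy instances
            findings.append(f"backend settings {bhs.get('name')} have no custom health probe")
    return findings

# Constructed weak configuration: Standard_v2, HTTP only, no WAF policy.
WEAK_GATEWAY = {
    "sku": {"name": "Standard_v2", "tier": "Standard_v2"},
    "httpListeners": [{"name": "http-lst", "protocol": "Http"}],
    "backendHttpSettingsCollection": [{"name": "bhs-80", "protocol": "Http"}],
}

# Constructed hardened configuration: WAF_v2, HTTPS end to end, Prevention-mode CRS 3.2.
HARDENED_GATEWAY = {
    "sku": {"name": "WAF_v2", "tier": "WAF_v2"},
    "firewallPolicy": {"id": "/subscriptions/<sub-id>/.../prod-waf-policy"},
    "httpListeners": [{"name": "https-lst", "protocol": "Https"}],
    "backendHttpSettingsCollection": [
        {"name": "bhs-443", "protocol": "Https", "probe": {"id": ".../probes/api-probe"}}
    ],
}
PREVENTION_POLICY = {
    "policySettings": {"state": "Enabled", "mode": "Prevention"},
    "managedRules": {"managedRuleSets": [{"ruleSetType": "OWASP", "ruleSetVersion": "3.2"}]},
}
```

Running `audit_gateway(WEAK_GATEWAY)` yields five findings, while the hardened gateway paired with the Prevention-mode policy yields none.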
Exam Tips: Answering Questions on Azure Application Gateway
Key Concepts to Remember:
1. Layer 7 vs Layer 4: Application Gateway operates at Layer 7 (HTTP/HTTPS), while Azure Load Balancer operates at Layer 4 (TCP/UDP). Choose Application Gateway when you need URL-based routing or WAF.
2. WAF SKU Requirement: WAF functionality requires the WAF or WAF_v2 SKU. The Standard SKU does not include WAF capabilities.
3. End-to-End SSL: Application Gateway supports both SSL termination (decrypt at gateway) and end-to-end SSL (re-encrypt traffic to backend).
4. Private Link: Application Gateway v2 supports Private Link for secure access from other virtual networks.
5. Integration with Azure Services: Know that Application Gateway integrates with Azure Key Vault for certificate management, Azure Monitor for logging, and Microsoft Defender for Cloud for security recommendations.
Common Exam Scenarios:
- When asked about protecting web applications from SQL injection or XSS attacks, select Application Gateway with WAF
- For routing traffic based on URL paths (e.g., /images/* to one pool, /api/* to another), choose Application Gateway with URL path-based routing
- When SSL offloading is required to reduce backend server load, select Application Gateway with SSL termination
- For hosting multiple websites with different domain names on one resource, use multi-site listeners
Watch Out For:
- Questions comparing Application Gateway to Azure Front Door: Front Door is global, Application Gateway is regional
- Scenarios requiring Layer 4 load balancing: this requires Azure Load Balancer, not Application Gateway
- WAF policy inheritance and per-site policies for multi-tenant scenarios