Azure Application Gateway is a web traffic load balancer designed specifically for HTTP(S) traffic at the application layer (OSI Layer 7). It enables you to manage and optimize the delivery of web applications by offering advanced features like URL-based routing, SSL termination, session persistence, and a Web Application Firewall (WAF) for security.
Key Features of Azure Application Gateway
- Layer 7 Load Balancing:
- Routes traffic based on HTTP(S) properties, such as URLs, headers, or cookies.
- Example: Route
/apirequests to one backend pool and/apprequests to another.
- URL Path-Based Routing:
- Directs requests to specific backend servers based on the URL path.
- Example: Route requests to
/imagesto a storage service and/datato an API service.
- SSL Offloading:
- Terminates SSL/TLS at the gateway, reducing the processing load on backend servers.
- Optionally re-encrypts traffic when forwarding to backends (end-to-end encryption).
- Web Application Firewall (WAF):
- Protects web applications from common vulnerabilities like SQL injection, cross-site scripting (XSS), and others.
- Based on OWASP (Open Web Application Security Project) core rule set.
- Multi-Site Hosting:
- Hosts multiple applications on the same Application Gateway using different domain names.
- Example: Serve
www.site1.comandwww.site2.comfrom the same gateway.
- Redirection Support:
- Supports HTTP to HTTPS redirection or custom URL redirection.
- Session Affinity:
- Ensures requests from a particular client are always sent to the same backend server during a session.
- Autoscaling:
- Automatically scales based on traffic load to ensure high availability and performance.
- Custom Error Pages:
- Displays custom error messages for 403, 502, or other errors.
When to Use Azure Application Gateway
- HTTP/HTTPS Traffic Load Balancing:
- When your application relies heavily on web traffic and you need application-layer routing.
- Web Application Security:
- Use WAF to protect against vulnerabilities and attacks.
- Hosting Multiple Web Applications:
- Ideal for scenarios where you need to host and route traffic for multiple domains or paths.
- SSL Offloading:
- If you want to reduce the overhead of SSL/TLS encryption on backend servers.
- Dynamic Routing Based on URL/Headers:
- When you need advanced traffic distribution based on request details.
- Autoscaling Web Traffic Handling:
- For unpredictable or growing traffic demands.
How Azure Application Gateway Works
- Frontend:
- The Application Gateway listens for incoming HTTP/HTTPS requests on a public or private IP.
- Routing Rules:
- Configured rules determine how traffic is routed to backend pools based on URL paths, hostnames, or other properties.
- Backend Pools:
- A set of backend servers (e.g., VMs, App Services, AKS) that handle the actual requests.
- Health Probes:
- Monitors the health of backend servers to ensure traffic is sent only to healthy instances.
Comparison: Application Gateway vs. Load Balancer
| Feature | Application Gateway | Load Balancer |
|---|---|---|
| OSI Layer | Layer 7 (Application) | Layer 4 (Transport) |
| Traffic Type | HTTP(S) | Any TCP/UDP |
| Routing | URL-based, header-based, cookie-based | IP-based |
| SSL Offloading | Yes | No |
| Web Application Firewall | Yes | No |
Azure Application Gateway is ideal for managing web applications with sophisticated traffic-routing and security needs. It is often used in conjunction with Azure Front Door for global load balancing or paired with a Load Balancer for hybrid scenarios.