Application Gateway

Azure Application Gateway provides layer 7 load balancing functionality for HTTP applications, including:

  • SSL/TLS termination and secure certificate storage, optionally using a Key Vault.
  • HTTP health probes allow assertions based on both response status and body content.
  • Public and private IP configurations allow use both internally and externally.
  • Host- and path-based routing allow virtual hosting multiple names on the same gateway, and directing traffic to different backend pools based on properties.
  • WAF functionality, in both detection and protection modes, enforces OWASP core rule sets.


Application Gateway resources

  • Gateway IP Configurations define IP addresses used for communication with backend services. We have to dedicate a subnet within the same virtual network as the application servers to the gateway.
  • Request Routing Rules tie together both a listener and some form of response (either a redirect or a backend pool).
    • HTTP Listeners define rules for matching incoming requests and routing them to something that'll respond.
      • Error Pages allow overriding the default IIS error pages with some more palatable branded ones. These error pages are shown in the event the backend pool fails to respond.
      • Frontend IP Configurations can be used to distinguish between public and private IP addresses assigned to the gateway. We only use public IPs.
      • Frontend Ports define the incoming protocol (HTTP/HTTPS) and port (80/443).
      • SSL Certificates enable SSL termination.
    • Redirect Configurations allow redirecting to external sites or to other listeners on the gateway (e.g. HTTP to HTTPS or from to
    • Backend Pools are groups of backend servers.
      • Pool Associations reference individual backend application servers that'll respond to the request.
    • Backend HTTP Settings set response timeouts and allow overriding the Host header and request path.
      • Probes define HTTP requests used as health checks, which can use a mix of HTTP status codes and regular expressions against the response body to verify successful responses.

Error pages

Error pages are only fetched during deployments of the application gateway that change the error page configurations, then they're cached on the application gateway instances. Be sure to change the URL each time the content of the error pages changes. It's wise to include a revision number in the URLs that can be easily incremented when changes are applied.