Azure Application Gateway is a fully managed, regional application delivery controller (ADC) for web traffic: a Layer 7 (application layer) load balancer that can also terminate TLS, route requests by hostname and URL path, and front applications with a web application firewall (WAF).
Because it operates at the HTTP layer, it can make routing decisions on request attributes (Host header, path) rather than only on IP and port, and it distributes traffic across backend pools so applications stay available and can scale.
It also exposes the request stream through Azure Monitor metrics and logs, which makes it a useful inspection and enforcement point in front of web applications.
Here are the details on the Azure Application Gateway.
Key Features
a. Load Balancing
Performs application-level (Layer 7) load balancing, so routing decisions can use HTTP attributes such as the Host header and URL path.
Distributes incoming requests across the instances of a backend pool and skips instances that fail their health probes, providing availability and fault tolerance.
b. SSL Termination
Terminates SSL/TLS at the gateway, so the handshake and certificate processing are offloaded from the backend servers.
Traffic can then be forwarded to the backend as plain HTTP (TLS offload) or re-encrypted as HTTPS before it leaves the gateway (end-to-end TLS).
With end-to-end TLS on the v2 SKUs the gateway validates the backend certificate, so it must chain to a well-known CA or to a trusted root certificate uploaded to the gateway; plain-HTTP offload is only appropriate when the gateway-to-backend path is a trusted network.
c. Web Application Firewall (WAF)
Built-in WAF (WAF_v2 SKU) that inspects requests for common web attacks such as SQL injection and cross-site scripting (XSS) before they reach the backend.
Managed rule sets based on the OWASP Core Rule Set (CRS) provide the predefined protections; rule sets are versioned, so pin the version you run and review changes before upgrading.
Features:
OWASP Core Rule Set (CRS) support, with individual rules that can be disabled or scoped through exclusions to handle false positives.
Custom WAF rules (matching on client IP ranges, geography, headers, query strings or request body) for application-specific requirements.
Detection mode (log only) or Prevention mode (log and block); a common rollout is to baseline false positives in Detection and then switch to Prevention.
d. Autoscaling
Automatically adjusts the number of gateway instances with traffic load, within the minimum and maximum instance counts you configure, for high availability and cost control.
Available on the Standard_v2 and WAF_v2 tiers; the v1 SKUs run a fixed instance count.
e. URL Path-Based Routing
Routes requests to different backend pools based on the URL path, for example /images/* to one pool and /api/* to another.
Example: requests for example.com/api/ can route to one pool, while requests for example.com/images/ route to another.
f. Multi-Site Hosting
Hosts multiple applications on a single Application Gateway instance, with routing based on the Host header.
Each multi-site listener is bound to one or more hostnames (wildcards such as *.domain.com are supported on v2), so one gateway can serve app1.domain.com and app2.domain.com from different backend pools.
g. Redirection
Supports HTTP-to-HTTPS redirection, so an HTTP listener can send clients to the HTTPS listener instead of forwarding cleartext to the backend.
Redirection targets can be another listener, an external URL or a hostname, with options to preserve the original path and query string and to return a permanent (301) or temporary (302) redirect.
h. Session Affinity
Ensures requests from one client are routed to the same backend server for the duration of a session, using a gateway-managed affinity cookie.
Use it only when the application keeps session state on the server; it reduces how evenly the gateway can spread load across the pool.
i. Custom Health Probes
Monitors backend health and routes traffic only to healthy servers.
Supports custom health probes for specific endpoint monitoring.
j. Integration
Works seamlessly with Azure Kubernetes Service (AKS), Azure App Service, and other Azure resources.
k. Rewrite Rules
Modify headers in requests or responses to:
Add/remove custom headers.
Rewrite URL paths.
l. Geo-Based Filtering
The WAF supports geomatch custom rules that allow or block requests based on the client's country of origin; routing to different backend pools by geography is not an Application Gateway feature and is handled by global services such as Azure Front Door or Traffic Manager.
Deployment Models
Standard v2
Improved Performance
Provides better performance than v1 and adds autoscaling, zone redundancy, a static frontend VIP, header and URL rewrites, and much faster deployment and configuration updates.
Enhanced Logging and Analytics
Integrates with Azure Monitor for metrics and diagnostic logs, giving deeper insight into the gateway's operation and performance.
Security Enhancements
Supports end-to-end TLS (Transport Layer Security) and Key Vault-backed listener certificates; the WAF is available on the WAF_v2 tier.
WAF v2
The Standard_v2 feature set plus the Web Application Firewall: managed rule sets, custom rules and WAF policies that can be applied per gateway, per listener or per path rule for application-layer protection.
Standard (v1)
The original generation (Standard and WAF v1 SKUs) offers basic Layer 7 load balancing without autoscaling, zone redundancy or the v2-only features above; it is being retired, so new deployments should use v2 and existing v1 gateways should be migrated.
Pricing Tiers and SKUs
Pay-As-You-Go
There is no upfront cost; you pay an hourly charge for the gateway plus a usage-based component, with higher rates on the WAF tiers.
Billing is Based on
Fixed gateway charge: an hourly charge for the provisioned gateway (per instance on v1, per gateway on v2).
Capacity units (v2): an hourly charge for the capacity actually consumed, measured across compute units, persistent connections and throughput; v1 instead bills per GB of data processed.
WAF: the WAF_v2 and WAF v1 SKUs carry higher fixed and capacity (or data-processing) rates than the corresponding Standard tiers.
Architecture and Key Components
a. Frontend IP Configurations
The entry point for traffic to the Application Gateway.
Supports both Public IP (accessible over the internet) and Private IP (for internal applications within a Virtual Network).
Can have multiple frontend configurations for multi-site or hybrid applications.
b. Listeners
Entities that define how the gateway listens for incoming traffic.
Basic Listener: Supports a single domain.
Multi-Site Listener: Segregates traffic by hostname, so site1.com and site2.com on the same IP and port can reach different backend pools (wildcard hostnames are supported on v2).
Configurable to handle HTTP or HTTPS protocols.
HTTPS listeners require a server certificate, uploaded directly or referenced from Azure Key Vault; the TLS policy (minimum protocol version and cipher suites) can be set for the gateway or per listener.
c. Routing Rules
Define the mapping of listeners to backend targets (a backend pool plus HTTP settings, or a redirect).
Key components
Priority-Based Rules: on v2 each rule carries a numeric priority (lower number wins) that decides which rule applies when more than one could match.
Path-Based Routing: sends requests to specific backend pools based on the URL path; the query string is not part of the match, and unmatched paths go to the rule's default pool.
Rewrite Rules: Modify headers or URLs in requests/responses to meet application requirements.
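The listener-selection and path-matching behaviour described in the URL Path-Based Routing and Multi-Site Hosting sections and in the routing-rule components above, as an added example that is not Microsoft code. It models the documented precedence (an exact-host multi-site listener beats a wildcard listener, which beats a basic listener; rules are tried by priority; within a path-based rule the first matching pattern wins, otherwise the default pool is used). The listener, rule and pool names and the wildcard handling are assumptions for illustration.

```python
"""Model of how Application Gateway picks a backend pool for a request.

Added example, not Microsoft code. Listener/rule/pool names are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Listener:
    name: str
    host: Optional[str] = None  # None => basic listener (accepts any Host header)


@dataclass
class RoutingRule:
    listener: str
    priority: int                  # v2 rule priority: 1..20000, lower number wins
    default_pool: str
    path_rules: list = field(default_factory=list)  # [(pattern, pool), ...] in order


def host_matches(listener_host, request_host):
    """Match the Host header against a listener hostname.

    Port suffixes are stripped and matching is case-insensitive. '*.x' is
    treated as a suffix match, a simplification of the documented wildcard rules.
    """
    if listener_host is None:
        return True
    host = request_host.split(":", 1)[0].lower()
    wanted = listener_host.lower()
    if wanted.startswith("*."):
        return host.endswith(wanted[1:])
    return host == wanted


def path_matches(pattern, raw_path):
    """Path patterns start with '/' and may end with '*' (prefix match).

    The query string is never part of the match."""
    path = raw_path.split("?", 1)[0]
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def select_listener(listeners, request_host):
    """Exact multi-site match > wildcard multi-site match > basic listener."""
    best = {0: None, 1: None, 2: None}
    for listener in listeners:
        if not host_matches(listener.host, request_host):
            continue
        tier = 2 if listener.host is None else (1 if listener.host.startswith("*.") else 0)
        best[tier] = best[tier] or listener
    return best[0] or best[1] or best[2]


def route(listeners, rules, request_host, raw_path):
    """Return the backend pool name, or None when no listener accepts the Host."""
    listener = select_listener(listeners, request_host)
    if listener is None:
        return None  # the gateway rejects the request instead of forwarding it
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.listener != listener.name:
            continue
        for pattern, pool in rule.path_rules:
            if path_matches(pattern, raw_path):
                return pool
        return rule.default_pool
    return None


# Constructed configuration: two multi-site listeners plus a basic catch-all.
LISTENERS = [
    Listener("api-exact", "api.contoso.com"),
    Listener("contoso-wildcard", "*.contoso.com"),
    Listener("catch-all"),  # basic listener: any Host header lands here
]
RULES = [
    RoutingRule("api-exact", 10, "pool-api",
                [("/v1/*", "pool-api-v1"), ("/health", "pool-api")]),
    RoutingRule("contoso-wildcard", 20, "pool-web",
                [("/images/*", "pool-static")]),
    RoutingRule("catch-all", 100, "pool-default"),
]

if __name__ == "__main__":
    for host, path in [("api.contoso.com", "/v1/users?id=1"),
                       ("shop.contoso.com", "/images/logo.png"),
                       ("shop.contoso.com:443", "/checkout"),
                       ("evil.example.net", "/images/logo.png")]:
        print(f"{host:22} {path:20} -> {route(LISTENERS, RULES, host, path)}")
```

The last case is the one worth checking in a real deployment: with a basic listener present, a request carrying an arbitrary Host header is still forwarded (here to pool-default), so either omit the catch-all listener, or make sure the backend behind it validates the Host header itself.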
d. Backend Pools
Groups of application servers or endpoints receiving traffic.
Supported backend targets:
Azure VMs (by network interface) and virtual machine scale sets
Azure Kubernetes Service (AKS), through the Application Gateway Ingress Controller (AGIC)
Azure App Service
IP addresses or FQDNs, including endpoints outside Azure
Dynamic Backend Membership: with AGIC, pool membership is updated automatically from the pod IPs of the Kubernetes services it exposes.
e. HTTP Settings
Configure communication between the Application Gateway and backend pool.
Protocols: HTTP or HTTPS; choosing HTTPS here is what enables end-to-end TLS to the backend.
Ports: Define the port the backend instances listen on.
Cookie-Based Affinity: Sticky sessions using the gateway-managed cookie, for applications that keep session state on the server.
Override Backend Path: Rewrite the base path before the request is forwarded (for example, send requests matched by /api/* to the backend as /).
Request Timeout and Connection Draining: Bound how long a backend request may take, and let in-flight requests finish when an instance is removed from the pool.
f. Custom Health Probes
Checks backend server health to determine traffic eligibility.
Highly customizable:
Protocol (HTTP/HTTPS), host name and path to probe (for example a dedicated /healthz endpoint rather than /).
Probe interval, timeout and unhealthy threshold (defaults of 30 s, 30 s and 3 consecutive failures).
Match conditions: accepted status-code ranges (default 200-399) and an optional substring the response body must contain.
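The probe evaluation described above, as an added example (not Azure's probe implementation). It models the documented knobs: accepted status-code ranges, an optional body substring, the probe timeout, and the unhealthy threshold; the idea that one successful probe puts an instance back into rotation is how the behaviour is modelled here, and the backend names are constructed.

```python
"""Evaluate backend responses against custom health probe match conditions.

Added example, not Azure code. Defaults follow the portal defaults
(timeout 30 s, unhealthy threshold 3, status codes 200-399).
"""
from dataclasses import dataclass

DEFAULT_STATUS_CODES = ("200-399",)


def parse_code_range(spec):
    """'200-399' -> (200, 399); a single code such as '204' -> (204, 204)."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def probe_matches(status, body, match_codes=DEFAULT_STATUS_CODES,
                  body_substring=None, elapsed_s=0.0, timeout_s=30.0):
    """True when a single probe response counts as healthy."""
    if elapsed_s > timeout_s:
        return False  # no answer within the timeout is a failed probe
    ranges = [parse_code_range(spec) for spec in match_codes]
    if not any(lo <= status <= hi for lo, hi in ranges):
        return False
    if body_substring is not None and body_substring not in body:
        return False
    return True


@dataclass
class BackendInstance:
    """Probe history for one backend server.

    The instance leaves rotation after `unhealthy_threshold` consecutive failed
    probes and (as modelled here) returns as soon as one probe succeeds.
    """
    name: str
    unhealthy_threshold: int = 3
    consecutive_failures: int = 0
    healthy: bool = True

    def record(self, probe_ok):
        if probe_ok:
            self.consecutive_failures = 0
            self.healthy = True
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.unhealthy_threshold:
                self.healthy = False
        return self.healthy


def eligible_backends(instances):
    """Names of the backends the gateway would still forward traffic to."""
    return [inst.name for inst in instances if inst.healthy]


if __name__ == "__main__":
    # A 302 redirect to a login or error page passes the default 200-399 range
    # even though the service is not serving; a body match on the probe path
    # catches that.
    print(probe_matches(302, ""))                                    # True
    print(probe_matches(302, "", body_substring='"status":"ok"'))    # False
    web1 = BackendInstance("web1")
    for ok in (False, False, True, False, False, False):
        web1.record(ok)
    print(eligible_backends([web1, BackendInstance("web2")]))        # ['web2']
```

The practical lesson is the 302 case: under the default match conditions a backend that redirects every request (expired session store, auth proxy failing closed) still looks healthy. Probe a dedicated health path and require a body substring or a tighter code set such as ("200",).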
Security and Compliance
End-to-End SSL
Encrypts traffic from the client to the gateway (the listener certificate) and from the gateway to the backend servers (HTTPS in the HTTP settings).
SSL termination and re-encryption: the gateway decrypts, inspects (including WAF evaluation) and re-encrypts, so the backend certificate must be trusted by the gateway.
Listener certificates can be stored in and rotated from Azure Key Vault, referenced through a managed identity instead of being uploaded by hand.
IP Restriction
Filters access based on the client IP address.
Allow-list or block specific IP addresses or ranges, either with a network security group on the gateway subnet (keeping the inbound rules the gateway's own management traffic requires) or, on WAF_v2, with a custom WAF rule that matches the client IP; the WAF rule is the option to use when the gateway sits behind another proxy, since it can evaluate X-Forwarded-For.
Web Application Firewall (WAF)
Protects web applications from common exploits:
SQL Injection
Cross-Site Scripting (XSS)
Protocol violations, scanner and bot signatures, session fixation and the other CRS categories, plus custom rules you define.
Writes a firewall log entry for every matched rule, with the rule ID, action and client IP, for security monitoring.
Compliance
Azure Application Gateway complies with industry standards, such as ISO 27001, SOC 1/2/3, PCI DSS, and others.
Use Cases
Multi-Site Hosting
Host multiple applications on the same gateway to reduce operational costs.
Web Application Security
Protect web applications using WAF against known vulnerabilities.
Microservices Traffic Management
Ideal for managing traffic to microservices or API-based applications.
Secure Hybrid Applications
Use private IP configurations to secure internal-only applications.
Dynamic Workloads
Autoscaling ensures cost efficiency for applications with fluctuating traffic.
Traffic Routing
Routing traffic by hostname or URL path; geography-based routing across regions belongs to Azure Front Door or Traffic Manager, with Application Gateway handling the regional tier.
Integration with Azure Services
Azure Firewall
Can be integrated with Azure Firewall for enhanced security capabilities.
Azure Front Door
Azure Application Gateway is a regional service (public or private frontend) deployed into one virtual network, whereas Azure Front Door is a global edge service for cross-region load balancing, caching and performance optimization.
The two are commonly used in tandem, Front Door at the edge and Application Gateway as the regional tier in front of the backends; when doing so, restrict the gateway so that only Front Door traffic (the AzureFrontDoor.Backend service tag plus a check on the X-Azure-FDID header) reaches it, otherwise the edge WAF can be bypassed by calling the gateway directly.
Azure Monitor
Logs and metrics can be integrated with Azure Monitor, providing visibility into the traffic patterns and performance metrics.
Monitoring and Diagnostics
Integration with Azure Monitor for metrics and diagnostic logs.
Diagnostic logs (access, performance and firewall) for troubleshooting and security investigation, routed to a Log Analytics workspace, a storage account or an event hub.
Application Insights on the backend application complements gateway telemetry with end-to-end request tracing.
Metrics
Provides a comprehensive set of metrics via Azure Monitor:
Request Count
Failed Requests
Current Connections
Healthy/Unhealthy Backend Instances
Logs
Access logs: one record per request, with client IP, host, URI, status code, bytes, timings, the backend instance that served it and (on v2) the TLS version and cipher.
Performance logs: throughput, connection and healthy/unhealthy host counts (v1 only; v2 exposes these as metrics).
Firewall (WAF) logs: one record per matched rule, with the rule ID, action (Detected, Matched, Blocked, Allowed), client IP, URI and a transaction ID that ties the rule hits of one request together; in Detection mode only Detected entries appear.
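A triage of firewall log records, as an added example (not Microsoft tooling) serving both the WAF feature description and the log description above. The records are constructed to follow the ApplicationGatewayFirewallLog shape, with RFC 5737 documentation addresses as client IPs and constructed resource and policy names; the assumption that the CRS anomaly-score rule 949110 is also logged (as Detected) in Detection mode is what lets the code estimate what Prevention mode would have blocked.

```python
"""Triage Application Gateway WAF (firewall) diagnostic log entries.

Added example, not Microsoft code. Sample records are constructed.
"""
import json
from collections import Counter, defaultdict

# CRS "Inbound Anomaly Score Exceeded": the entry that carries the block decision.
ANOMALY_BLOCK_RULE = "949110"


def _record(txid, client_ip, uri, rule_id, action, message):
    """One firewall-log line in the ApplicationGatewayFirewallLog shape (constructed)."""
    return json.dumps({
        "resourceId": "/SUBSCRIPTIONS/EXAMPLE/RESOURCEGROUPS/RG/PROVIDERS/"
                      "MICROSOFT.NETWORK/APPLICATIONGATEWAYS/APPGW-EXAMPLE",
        "operationName": "ApplicationGatewayFirewall",
        "category": "ApplicationGatewayFirewallLog",
        "properties": {
            "instanceId": "appgw_0", "clientIp": client_ip, "requestUri": uri,
            "ruleSetType": "OWASP_CRS", "ruleSetVersion": "3.2",
            "ruleId": rule_id, "message": message, "action": action,
            "site": "Global", "hostname": "www.contoso.com",
            "transactionId": txid, "policyId": "waf-policy-example",
            "policyScope": "Global",
        },
    })


SAMPLE_FIREWALL_LOGS = [
    # Prevention mode: a SQLi probe scores enough to trip the anomaly rule and is blocked.
    _record("tx-0001", "203.0.113.10", "/login?user=admin'%20OR%201=1--", "942100",
            "Matched", "SQL Injection Attack Detected via libinjection"),
    _record("tx-0001", "203.0.113.10", "/login?user=admin'%20OR%201=1--", "949110",
            "Blocked", "Inbound Anomaly Score Exceeded (Total Score: 5)"),
    # Detection mode: the same decision is only logged, not enforced.
    _record("tx-0002", "198.51.100.7", "/search?q=<script>alert(1)</script>", "941100",
            "Detected", "XSS Attack Detected via libinjection"),
    _record("tx-0002", "198.51.100.7", "/search?q=<script>alert(1)</script>", "949110",
            "Detected", "Inbound Anomaly Score Exceeded (Total Score: 5)"),
    # A low-severity rule fires but the score stays under the threshold: request went through.
    _record("tx-0003", "203.0.113.10", "/", "920350",
            "Matched", "Host header is a numeric IP address"),
]


def parse_firewall_logs(lines):
    """Return the `properties` object of each non-empty JSON log line."""
    return [json.loads(line)["properties"] for line in lines if line.strip()]


def group_transactions(entries):
    """Collapse per-rule records into one dict per request (transactionId)."""
    txns = defaultdict(lambda: {"clientIp": None, "requestUri": None,
                                "rules": [], "actions": set()})
    for entry in entries:
        txn = txns[entry["transactionId"]]
        txn["clientIp"] = entry["clientIp"]
        txn["requestUri"] = entry["requestUri"]
        txn["rules"].append(entry["ruleId"])
        txn["actions"].add(entry["action"])
    return dict(txns)


def classify(txn):
    """Verdict for one transaction, from the actions the WAF recorded for it."""
    actions = txn["actions"]
    if "Blocked" in actions:
        return "blocked"
    if "Allowed" in actions:
        return "allowed"            # an explicit allow custom rule let it through
    if actions == {"Detected"}:     # Detection mode: nothing was enforced
        return "would-block" if ANOMALY_BLOCK_RULE in txn["rules"] else "detected"
    return "matched-below-threshold"


def summarize(lines):
    """Counts an on-call engineer wants first: verdicts, noisy clients, noisy rules."""
    txns = group_transactions(parse_firewall_logs(lines))
    return {
        "transactions": len(txns),
        "verdicts": Counter(classify(t) for t in txns.values()),
        "top_clients": Counter(t["clientIp"] for t in txns.values()),
        "top_rules": Counter(r for t in txns.values() for r in t["rules"]),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_FIREWALL_LOGS).items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

Grouping by transactionId is the important step: a single request produces one record per matched rule, so counting raw records overstates attack volume, and a Matched entry without a Blocked entry for the same transaction means the request reached the backend. The would-block bucket is the number to watch while a policy is still in Detection mode.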
Integration
Azure Monitor for custom alerting and insights, for example an alert on a rise in Unhealthy Host Count or in WAF-blocked requests.
Application Insights on the backend application for end-to-end request monitoring.
Limitations
No support for Layer 4 (TCP/UDP) load balancing; use Azure Load Balancer for non-HTTP(S) traffic.
Some advanced features are available only in certain regions or only on the v2 SKUs.
Large deployments become complex to manage by hand; express the configuration as code (ARM, Bicep or Terraform) and review it like any other security control.
Maximum Backend Pools and Instances: Azure enforces limits on the number of listeners, backend pools, backend addresses and rules per gateway and on the instance count; check the current Azure subscription and service limits before designing a large multi-site deployment.
Timeouts and Idle Connections: the backend request timeout is set per HTTP setting, and idle connections are closed after a fixed period, so long-running requests need either a longer timeout or an asynchronous design.
Compatibility: features that depend on HTTP semantics (path-based routing, rewrites, WAF) do not apply to non-HTTP(S) traffic, which must be fronted by Azure Load Balancer or Azure Firewall instead.
Summary
In summary, Azure Application Gateway is a powerful and flexible solution designed for web traffic management, including advanced load balancing, secure SSL termination, traffic routing, and real-time web application firewall protections.
It can be integrated seamlessly into your existing Azure infrastructure, providing performance and security enhancements while ensuring scalability.