NetworkingIntermediate29 min read

What Is Application Gateway in Networking?

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

An Application Gateway acts like a smart traffic manager for web applications. It sits between users and your servers, making sure requests go to the right place. It can also handle security tasks like checking for malicious traffic and encrypting data. This helps keep applications fast, secure, and available.

Common Commands & Configuration

az network application-gateway create --name myAppGateway --resource-group myRG --location eastus --sku Standard_v2 --capacity 2 --vnet-name myVNet --subnet mySubnet --public-ip-address myPublicIP

Creates an Azure Application Gateway in a specified virtual network subnet with a defined SKU and instance count.

Tests understanding of required parameters for deployment, especially subnet requirements and SKU selection for autoscaling vs. fixed capacity.

aws elbv2 create-load-balancer --name my-app-gw --type application --subnets subnet-123 subnet-456 --security-groups sg-789

Creates an AWS Application Load Balancer (ALB) as the AWS equivalent of an Application Gateway, attached to subnets and security groups.

Appears in AWS SAA to assess knowledge of ALB creation, subnet requirements (at least 2), and security group association for layer 7 routing.

az network application-gateway http-listener create --gateway-name myAppGateway --resource-group myRG --name myListener --frontend-port myPort --frontend-ip myFrontendIP --host-name www.example.com --protocol Https --ssl-cert myCert

Creates an HTTP(S) listener on the Application Gateway, specifying host name, frontend IP, port, protocol, and SSL certificate for HTTPS.

Tests understanding of listener configuration for host-based routing and SSL termination, a frequent exam scenario for AZ-104.

aws elbv2 create-listener --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789:loadbalancer/app/my-alb/abcdef --protocol HTTP --port 80 --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-east-1:123456789:targetgroup/my-tg/xyz

Creates a listener on an AWS ALB that forwards traffic by default to a target group.

Tests the ALB listener creation and default action configuration, often in multi-tier architecture questions for AWS SAA.

az network application-gateway probe create --gateway-name myAppGateway --resource-group myRG --name myProbe --protocol http --path /health --host-name-from-http-settings true --interval 30 --timeout 10 --unhealthy-threshold 3

Configures a custom health probe for an Application Gateway to monitor backend health via HTTP path and settings.

Exams (Network+, AZ-104) test probe configuration including path, interval, and unhealthy threshold to ensure high availability understanding.

aws elbv2 create-rule --listener-arn arn:aws:elasticloadbalancing:us-east-1:123456789:listener/app/my-alb/abcdef/xyz --conditions Field=path-pattern,Values=['/api/*'] --priority 10 --actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-east-1:123456789:targetgroup/my-api-tg/uvw

Creates a path-based routing rule on an ALB listener for forwarding /api/* requests to a specific target group.

Tests path-based routing concepts in ALB, common in AWS SAA and Google ACE exams for microservices architectures.

az network application-gateway rewrite-rule set create --gateway-name myAppGateway --resource-group myRG --name myRewriteSet --rewrite-rules '[{"name":"addHeader","actionSet":{"requestHeaderConfigurations":[{"headerName":"X-Custom-Header","headerValue":"test"}]},"conditions":[{"variable":"var_request_uri","pattern":"/oldpath/*"}]}]'

Creates a rewrite rule set on an Application Gateway to modify request headers based on URI conditions.

Appears in AZ-104 to test advanced traffic management features like header rewriting and URL redirect capabilities.

Application Gateway appears directly in 17exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on Cisco CCNA. Practise them →

Must Know for Exams

Application Gateways appear in multiple certification exams, each with a slightly different focus. For the AWS Certified Solutions Architect Associate (AWS-SAA) exam, you need to understand the AWS Application Load Balancer (ALB) as a key service. You will be tested on its features like path-based routing, host-based routing, and integration with AWS WAF and Auto Scaling. Expect scenario questions where you must choose between ALB, Network Load Balancer (NLB), and Classic Load Balancer based on requirements such as Layer 7 vs Layer 4 functionality, static IP needs, or WebSocket support.

For the Microsoft Azure Administrator AZ-104 exam, Azure Application Gateway is a core topic. You should know how to configure it, understand the difference between v1 and v2 SKUs, and be familiar with features like URL path-based routing, multi-site hosting, and SSL termination. You may be asked to design a solution that includes Azure Application Gateway with WAF to protect against web attacks. Similarly, the Google Cloud Associate Engineer (Google-ACE) exam covers the HTTP(S) Load Balancer, which is Google Cloud’s application-layer load balancing solution. You need to understand how it works with backend services, instance groups, and Cloud Armor for security.

For CompTIA Network+ and Security+ exams, the focus is more on the conceptual role of an Application Gateway within a network architecture. You might see questions about the OSI model layers, particularly Layer 7 load balancing, or about how an Application Gateway differs from a firewall or a router. The CCNA exam also covers these concepts in the context of modern network design. Common question types include multiple-choice questions where you identify the correct scenario for using an Application Gateway, or drag-and-drop questions where you match features to the correct type of load balancer. Some exams also include troubleshooting scenarios, such as diagnosing why a health check is failing or why traffic is not being routed to the correct backend pool.

Simple Meaning

Imagine you are the owner of a large office building with many different departments. People come to the building for various services, like paying bills, getting permits, or asking for information. Without any guidance, visitors would wander around, get lost, and create chaos. This is where a friendly and knowledgeable receptionist at the front desk comes in. This receptionist greets everyone, asks what they need, and then directs them to the correct office. If a visitor asks for a specific person, the receptionist calls that person first to make sure they are available. The receptionist also checks if the visitor is on the list of expected guests and can deny entry to anyone who looks suspicious.

An Application Gateway does the same job, but for a web application instead of a physical building. When you type a web address into your browser, your request travels across the internet to the gateway. The gateway looks at the request and decides which server or service inside the network should handle it. For example, if you are shopping on an e-commerce site, the gateway might send product browsing requests to one server and payment processing requests to a different, more secure server. The gateway can also check the request for harmful code or patterns, like someone trying to break in, and block it before it reaches the application servers.

the gateway can perform other useful tasks. It can speed up the application by caching frequently requested content, so it does not have to ask the server every time. It can also handle the heavy work of encrypting and decrypting traffic using SSL/TLS, which takes a load off the web servers. This makes the whole system more efficient and secure. In cloud environments like AWS or Azure, an Application Gateway is a fully managed service, meaning you do not have to set up or maintain the hardware yourself. You simply configure rules and policies through a dashboard or API, and the cloud provider handles the rest. For IT professionals, understanding Application Gateways is essential for designing scalable, secure, and reliable web application architectures, and it is a key topic for many networking and cloud certification exams.

Full Technical Definition

An Application Gateway is a Layer 7 (Application Layer) load balancer and reverse proxy that operates at the OSI model’s highest layer. Unlike a traditional Layer 4 load balancer, which only routes traffic based on IP addresses and TCP/UDP ports, an Application Gateway can inspect the content of HTTP/HTTPS requests, including URLs, headers, cookies, and even the request body. This deep packet inspection capability allows the gateway to make intelligent routing decisions based on application-level data.

At its core, an Application Gateway typically includes several key components. A listener defines the frontend IP address, port, and protocol (HTTP or HTTPS) on which the gateway accepts incoming traffic. Routing rules then determine how to direct that traffic to backend pools, which are groups of servers or containers that actually run the application. Health probes are used to monitor the availability and performance of backend servers; if a server fails a health check, the gateway stops sending traffic to it until it recovers. Session persistence, also known as sticky sessions, can be configured so that all requests from a single client are sent to the same backend server, which is important for applications that store session state locally.

Application Gateways also provide essential security features. SSL/TLS termination offloads the computational overhead of encryption from backend servers, allowing them to focus on application logic. The gateway can also be configured to enforce HTTPS-only communication, redirecting HTTP traffic to HTTPS. Web Application Firewall (WAF) capabilities are often integrated, providing protection against common web vulnerabilities such as SQL injection, cross-site scripting (XSS), and other OWASP Top 10 threats. Many gateways support mutual authentication (mTLS) where both the client and server present certificates.

In terms of protocols, Application Gateways primarily handle HTTP/1.1, HTTP/2, and HTTP/3 (QUIC) for web traffic. They can also manage WebSocket connections for real-time applications. For cloud-specific implementations, AWS Application Load Balancer (ALB) is a managed Application Gateway that supports path-based and host-based routing, integration with AWS WAF, and automatic scaling. Azure Application Gateway provides similar capabilities, including URL-based routing, multi-site hosting, and redirection. In on-premises environments, hardware appliances from vendors like F5, Citrix, or open-source solutions like NGINX and HAProxy can serve as Application Gateways. The configuration typically involves defining frontend IPs, SSL certificates, backend pools, health probes, and routing rules. Understanding these components is crucial for designing resilient and secure application architectures, and is frequently tested in certifications like AWS Certified Solutions Architect, Azure Administrator, and CompTIA Network+.

Real-Life Example

Think of a large hospital. People come to the hospital with many different needs: some need emergency care, some have appointments with specialists, others are visiting patients, and some are picking up test results. Without a good system, the hospital would be total chaos. The hospital's main entrance is like the frontend of an Application Gateway. At the entrance, there is a triage desk staffed by a trained nurse. This nurse is the first point of contact. When a person walks in, the nurse does not just send them to any room. Instead, the nurse asks questions to understand their situation.

If someone is bleeding heavily, the nurse immediately directs them to the emergency room, which is like routing a critical request to a high-priority backend pool. If a person has a scheduled appointment with an orthopedist, the nurse checks the appointment system (like a routing rule) and sends them to the orthopedics wing on the third floor. The nurse also checks identification, which is like authentication, and can deny entry to someone who is not supposed to be there, much like a WAF blocking a malicious request. The nurse also keeps a list of which doctors are available right now, which is like health probes for backend servers.

Now, imagine the hospital also has a phone system. When you call, you might get a voice menu that asks you to press 1 for appointments, 2 for billing, and so on. This is exactly how an Application Gateway uses URL path-based routing. When a user visits a website and requests www.example.com/images/logo.png, the gateway can route that request to a server optimized for static content, while requests to www.example.com/api/checkout go to a different server with more security. The gateway can also rewrite URLs, much like a hospital operator redirecting a call to the right extension. The gateway can cache static files like images and CSS, similar to how the hospital might keep a supply of common forms at the front desk so people do not have to go all the way to the records office every time.

Why This Term Matters

In modern IT infrastructure, applications are rarely hosted on a single server. Instead, they are distributed across multiple servers, containers, or even geographic regions to improve performance, scalability, and reliability. An Application Gateway is a critical component in this distributed architecture because it acts as the single entry point for all external traffic. Without it, each server would have to handle tasks like SSL decryption, rate limiting, and security filtering individually, leading to inefficiency and increased attack surface.

From a practical standpoint, Application Gateways enable several important operational capabilities. They allow you to scale your application horizontally by adding or removing backend servers without interrupting service, because the gateway simply updates its routing table. They also provide centralized logging and monitoring, giving administrators a clear picture of traffic patterns, errors, and security threats. When deploying updates or new versions, you can use the gateway to gradually shift traffic from old servers to new ones (blue-green deployment) or to a small subset of users (canary release), reducing the risk of a full outage.

For IT professionals managing on-premises or cloud networks, understanding Application Gateways is essential for troubleshooting. If users report slow performance or errors, the gateway logs and metrics are often the first place to look. Issues like backend server health, SSL certificate expiration, or misconfigured routing rules commonly cause problems. Security-conscious organizations rely on Application Gateways to enforce policies such as geo-blocking, IP whitelisting, and rate limiting. In short, the Application Gateway is a foundational building block for delivering web applications at scale, and its proper configuration directly impacts user experience, security, and operational efficiency.

How It Appears in Exam Questions

Exam questions about Application Gateways often follow certain patterns. A typical scenario question might describe a company with a web application that experiences high traffic and needs to improve security and performance. The question will list specific requirements, such as routing traffic for /api/ to one set of servers and /images/ to another, blocking SQL injection attacks, and offloading SSL. You then need to select the correct service or configuration. For example, an AWS-SAA question might ask: “A company runs a multi-tier web application on EC2 instances. They need to host multiple domains on a single load balancer and route requests based on the URL path. Which load balancer should they use?” The correct answer is Application Load Balancer.

Another common pattern is configuration-based questions. You might be given a partially completed configuration snippet for an Azure Application Gateway or an AWS ALB and asked to fill in the missing parameter to meet a specific requirement, such as setting the path pattern to /images/* or enabling sticky sessions via cookie-based affinity. Some questions involve troubleshooting, where you are told that users are getting 503 Service Unavailable errors, and you must identify the cause from a list of possibilities like health probe misconfiguration, backend pool being empty, or SSL certificate mismatch.

In CompTIA Security+, you might get a question that asks which network device can perform deep packet inspection up to Layer 7 and help prevent SQL injection attacks. The answer is an Application Gateway with a WAF. For CCNA, you might be asked to compare a router, a firewall, and an Application Gateway in terms of the OSI layers they operate on. Always read the question carefully to identify whether the exam is testing your knowledge of features, use cases, or troubleshooting steps.

Practise Application Gateway Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

A growing e-commerce company called ShopFast runs its online store on several web servers. The company is experiencing slow load times during sales events, and the security team is worried about recent web attacks on similar retailers. The IT team decides to implement an Application Gateway. They configure a new gateway with a public IP address that users will connect to instead of directly accessing the web servers. The gateway is set up with SSL termination using a trusted certificate, so the encrypted traffic from users is decrypted at the gateway and sent as plain HTTP to the backend servers, reducing server workload.

Next, they create two backend pools. Pool A contains the main application servers that handle product browsing and user accounts. Pool B contains separate servers for payment processing and checkout, which have additional security hardening. The routing rules are configured so that any request to shopfast.com/checkout goes to Pool B, while all other requests go to Pool A. Health probes are set up to check the /health endpoint on each server every 30 seconds. If a server in Pool A crashes, the probe fails and the gateway stops sending traffic to that server.

Finally, they enable the Web Application Firewall (WAF) feature, which inspects incoming requests for common attack patterns like SQL injection and cross-site scripting. They also enable sticky sessions based on a cookie, so that if a user adds items to their shopping cart, subsequent requests during the session go to the same server, ensuring the cart contents are consistent. After deployment, the site runs smoothly even during peak traffic, and the security team receives fewer alerts about malicious requests because the WAF blocks them before they reach the servers.

Common Mistakes

Confusing an Application Gateway with a standard firewall.

A standard firewall operates at Layers 3 and 4, filtering traffic based on IP addresses, ports, and protocols. An Application Gateway operates at Layer 7 and can inspect application data, perform routing, and terminate SSL. They serve different purposes and are often used together.

Think of a firewall as a bouncer checking IDs at the door, while an Application Gateway is a concierge who then directs you to the right room once you are inside.

Thinking all load balancers work at Layer 7.

Many load balancers, such as AWS Network Load Balancer or Azure Load Balancer, operate at Layer 4 and only use TCP/UDP information. They cannot inspect HTTP headers or URLs. Application Gateways are specifically Layer 7 load balancers.

Read the exam question carefully: if it mentions routing based on URL path, host header, or cookies, you need a Layer 7 Application Gateway.

Forgetting to configure health probes.

Without health probes, the gateway will send traffic to servers that are down or unhealthy, causing errors for users. This is a common troubleshooting point in exams and real life.

Always ensure health probes are configured with the correct protocol, port, and path that the backend server responds to (e.g., /health or /index.html).

Assuming SSL termination is always required.

While SSL termination is common, some applications require end-to-end encryption for compliance reasons. In that case, the gateway should pass through HTTPS traffic without decrypting it, which is called SSL passthrough.

Know the difference: SSL termination decrypts at the gateway, offloading work from servers. SSL passthrough keeps the traffic encrypted all the way to the backend server.

Misconfiguring session persistence when backend servers are stateless.

If your application is stateless (does not store session data locally), sticky sessions are unnecessary and can reduce load balancing effectiveness. Enabling them by default wastes resources.

Only use sticky sessions when your application relies on local session state. For stateless apps, the gateway can distribute requests evenly across all healthy servers.

Exam Trap — Don't Get Fooled

{"trap":"The exam question describes a scenario that requires routing based on URL path, but also mentions the need for a static IP address. Many learners choose an Application Gateway, forgetting that some Application Gateway tiers or versions might not support static IPs by default.","why_learners_choose_it":"Learners focus on the Layer 7 routing requirement and immediately pick an Application Gateway, without checking if a static IP is needed.

They assume all Application Gateways support static IPs.","how_to_avoid_it":"In AWS, an Application Load Balancer does not have a static IP by default; you would need a Network Load Balancer for that. In Azure, Application Gateway v2 supports static IPs, but v1 does not.

Read the full question: if a static IP is required, verify which specific service or SKU accommodates it. Sometimes the correct answer is a combination of services, like an Application Gateway with a Global Accelerator."

Commonly Confused With

Application GatewayvsLoad Balancer (Layer 4)

A Layer 4 load balancer routes traffic based on IP address and TCP/UDP port without inspecting the content of the request. An Application Gateway (Layer 7) can make routing decisions based on HTTP headers, URLs, and cookies, enabling more intelligent traffic management.

A simple load balancer might send all traffic on port 80 to the same pool of servers, while an Application Gateway can send requests for /images to one pool and /api to another.

Application GatewayvsFirewall

A firewall filters traffic based on predefined security rules, typically at Layers 3 and 4, but next-gen firewalls can go up to Layer 7. However, a firewall's primary purpose is security, not routing or load balancing. An Application Gateway focuses on distributing traffic and offloading tasks, though it often includes a Web Application Firewall (WAF) as an add-on.

A firewall blocks traffic from a known malicious IP address. An Application Gateway would then route allowed traffic to the appropriate backend server.

Application GatewayvsReverse Proxy

A reverse proxy and an Application Gateway are similar and often overlap. Both sit in front of servers and forward client requests. However, an Application Gateway typically includes more advanced load balancing features like health checks, session persistence, and integrated WAF, while a reverse proxy may be simpler and focused on caching, compression, or SSL termination.

NGINX can act as a reverse proxy for a single application, but an Application Gateway like Azure Application Gateway offers built-in auto-scaling and WAF integration.

Application GatewayvsAPI Gateway

An API Gateway is specifically designed for managing APIs. It handles tasks like authentication, rate limiting, versioning, and request transformation, often using RESTful or GraphQL interfaces. An Application Gateway is more general and handles any web traffic, not just API calls.

An API Gateway might require an API key in the request header and then transform the request body. An Application Gateway would simply route that request to the correct backend based on the URL.

Application GatewayvsCDN (Content Delivery Network)

A CDN caches static content at edge locations close to users to reduce latency. An Application Gateway does not typically cache content; it routes traffic to servers based on rules. Some Application Gateways do have caching capabilities, but that is not their primary function.

A CDN stores a copy of your logo image in servers around the world. An Application Gateway sends the first request for that image to the backend server, and then the CDN might serve it from the edge.

Step-by-Step Breakdown

1

Client Request Initiation

A user types a URL into their browser, such as https://www.example.com/products. The browser performs a DNS lookup to resolve the domain name to the public IP address of the Application Gateway. The request is then sent to that IP address on port 443 (HTTPS).

2

Listener Processing

The Application Gateway has one or more listeners configured. A listener defines the frontend IP, port, and protocol (HTTP or HTTPS) that it monitors. For an HTTPS listener, the gateway also holds the SSL certificate. The listener accepts the incoming connection and decrypts the traffic if SSL termination is enabled.

3

Rule Evaluation

The gateway evaluates its routing rules in priority order. Each rule specifies a condition and a target. For example, a rule might state: 'If the URL path starts with /products, route to the products backend pool.' The gateway inspects the request's URL, headers, and sometimes body to find a matching rule.

4

Backend Pool Selection

Once a matching rule is found, the gateway identifies the target backend pool. A backend pool is a logical group of servers, containers, or IP addresses that serve a specific function, such as all web servers handling product pages. If no rule matches, the gateway returns a 404 or 502 error.

5

Health Probe Check

Before forwarding the request, the gateway checks the health of the backend servers in the selected pool. It maintains a list of healthy servers based on periodic health probes (e.g., HTTP GET requests to /health). If all servers in the pool are unhealthy, the gateway returns a 503 Service Unavailable error.

6

Request Forwarding

The gateway selects one server from the healthy pool, often using a round-robin or least-connections algorithm. If session persistence is enabled, it uses a cookie or source IP to consistently route the same client to the same server. The gateway then forwards the request to that server, optionally adding headers like X-Forwarded-For to preserve the client's original IP.

7

Server Response and Potential Caching

The backend server processes the request and sends a response back to the gateway. The gateway may cache the response if caching is configured and the response is cacheable. It then encrypts the response again (if SSL termination was used) and sends it back to the client. The gateway may also perform response rewriting or error handling at this stage.

8

Logging and Monitoring

After the transaction completes, the gateway logs details about the request, such as client IP, URL, response status, response time, and backend server used. These logs are sent to a monitoring service for analysis. The gateway also updates its metrics, which can be used for scaling alerts or troubleshooting.

Practical Mini-Lesson

When working with Application Gateways in the real world, the first step is always planning the routing logic. You need to map out the URLs and hostnames your application uses, and decide how they should be distributed across backend resources. For example, you might have a single application that serves both a public website and an admin dashboard, and you want to keep them separate for security. The public site (e.g., www.example.com) should go to one pool of web servers, while the admin dashboard (e.g., admin.example.com) goes to a pool with stricter network access controls. This is called host-based routing.

Next, you need to decide on SSL/TLS certificate management. For production environments, use certificates from a trusted Certificate Authority (CA). You can also use cloud-managed certificates in services like AWS Certificate Manager (ACM) or Azure Key Vault. If you have multiple domains, you may need multiple certificates or a wildcard certificate. Remember that the gateway must have the private key to decrypt traffic for SSL termination. If you choose SSL passthrough, the gateway does not need the private key, but then it cannot inspect the request content for routing based on URL paths.

Health probe configuration is another area where many mistakes happen. A common best practice is to create a simple health check endpoint on your backend servers that returns a 200 OK status if the server is truly healthy, not just if the TCP port is open. For a web application, this endpoint could check that the application is connected to the database and able to serve basic pages. The probe interval and threshold should be set appropriately; too frequent probes can overload the server, while too infrequent probes can delay failover. A typical setup uses a 30-second interval with a 2-3 failure threshold before marking a server as unhealthy.

Another practical consideration is session persistence. If your application stores session state in memory on the server (e.g., using PHP sessions), you must enable sticky sessions to avoid users being bounced between servers and losing their session. However, this can cause uneven load distribution. A better architecture is to use a shared session store like Redis or a database, which makes the application stateless and removes the need for sticky sessions. In exam scenarios, be prepared to recommend the right architecture based on the application's requirements.

Finally, remember that Application Gateways are not a silver bullet. They can become a single point of failure if not deployed with redundancy. In the cloud, you typically deploy at least two instances in different availability zones. You should also monitor the gateway's performance metrics like request count, latency, and error rates. Tools like CloudWatch, Azure Monitor, or on-premises logging solutions can help. When troubleshooting slow performance, check if the backend servers are under heavy load, if the health probes are failing, or if the SSL certificate is about to expire. In many cases, the issue is not the gateway itself but the backend servers or the application code.

Troubleshooting Clues

Backend health shows unhealthy

Symptom: Application Gateway health probe shows 'Unhealthy' status for all backend pool members.

The health probe is failing, likely due to incorrect probe path, port mismatch, or backend server not responding (timeout). Also check if the backend NSG or firewall is blocking the probe traffic from the gateway's subnet.

Exam clue: Exams (AZ-104, Network+) present scenarios where health probe fails because of NSG rules blocking traffic from the gateway's address prefix (e.g., AzureLoadBalancer).

502 Bad Gateway errors

Symptom: Clients receive HTTP 502 errors when accessing the application through the gateway.

The gateway receives no valid response from the backend. Common causes: backend server timeout, SSL/TLS handshake failure, or backend configuration mismatch (e.g., wrong port or protocol).

Exam clue: Azure and AWS exams test troubleshooting 502 errors by isolating backend connectivity, SSL certificate issues, or oversubscribed backend instances.

SSL termination failure

Symptom: HTTPS connections to the gateway fail with certificate errors or handshake failures.

The SSL certificate configured on the listener might be expired, mismatched with the hostname, or incorrectly uploaded (e.g., missing private key). Also, the gateway SKU may not support certain cipher suites.

Exam clue: AZ-104 and Security+ questions test SSL certificate configuration, including using Azure Key Vault for certificates and ensuring certificate chain validity.

Routing rules not matching traffic

Symptom: Traffic is not being directed to the intended backend pool based on path or hostname.

The listener or rule priority might be misconfigured. Higher priority rules may override, or the hostname/path patterns may have syntax errors (e.g., missing wildcard).

Exam clue: AWS SAA and Google ACE exams often include questions where path patterns like '/api' do not include wildcards or use incorrect format, causing misrouting.

Autoscaling not triggering

Symptom: Application Gateway remains at capacity 1 even under high traffic, causing throttling.

The gateway SKU is Standard_v1 (non-autoscaling) instead of Standard_v2 or WAF_v2. Or the autoscaling configuration has min/max limits set incorrectly.

Exam clue: AZ-104 tests the difference between v1 (fixed capacity) and v2 (autoscaling) SKUs, often in scenarios about scaling requirements.

Web Application Firewall (WAF) blocking legitimate traffic

Symptom: Legitimate user requests get 403 Forbidden responses, especially on POST requests.

WAF rules (e.g., OWASP CRS) may be too restrictive, blocking requests with SQL keywords or XSS patterns. Custom exceptions or rule exclusions may be needed.

Exam clue: Security+ and Azure security exams test understanding of WAF modes (Detection vs. Prevention), rule tuning, and using managed rule sets.

Session persistence (sticky sessions) not working

Symptom: User sessions are lost after navigation, or multiple requests go to different backend servers.

The Application Gateway uses a cookie-based affinity (Application Gateway Affinity cookie). This may fail if the backend removes the cookie, or if multiple gateways are used under a load balancer with different domain names.

Exam clue: AWS SAA tests ALB sticky sessions via target group attributes (stickiness.enabled, type=app_cookie or lb_cookie).

Memory Tip

Remember the four key features of an Application Gateway: Listen, Route, Probe, and Secure (LRPS). Listen for incoming traffic, Route based on URL or host, Probe for server health, and Secure with WAF and SSL termination.

Learn This Topic Fully

This glossary page explains what Application Gateway means. For a complete lesson with labs and practice, see the topic guide.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Quick Knowledge Check

1.Which of the following is a requirement for deploying an Azure Application Gateway in Standard_v2 SKU?

2.A user reports HTTP 502 errors when accessing an application behind an AWS Application Load Balancer. Backend target group targets are healthy. What is the most likely cause?

3.In an Azure Application Gateway, you want to route requests based on the URL path '/api' to backend pool A and '/web' to backend pool B. What must be configured?

4.When troubleshooting a health probe failure on an Application Gateway, which IP address range must be allowed in the backend's network security group?

5.Which of the following features is unique to Application Gateway (Layer 7) compared to a traditional Layer 4 load balancer?

Frequently Asked Questions

What is the difference between an Application Gateway and a standard load balancer?

A standard load balancer typically works at Layer 4 (TCP/UDP) and routes traffic based on IP and port. An Application Gateway works at Layer 7 (HTTP/HTTPS) and can route traffic based on URL, headers, and cookies, and can also perform SSL termination, WAF, and path-based routing.

Do I need an Application Gateway if I only have one server?

Not necessarily. A single server can handle all traffic directly. However, you might still use an Application Gateway for SSL offloading, caching, or security features like WAF. For high availability or scalability, you would need multiple servers and a gateway to distribute traffic.

Does an Application Gateway replace a firewall?

No, they serve different roles. A firewall filters traffic based on security rules and operates at lower layers. An Application Gateway routes and manages traffic at Layer 7. Many Application Gateways include a WAF, which is a layer 7 security tool, but you still need a network firewall for lower-layer protection.

Can an Application Gateway handle WebSocket traffic?

Yes, many Application Gateways support WebSocket connections. In AWS, the ALB supports WebSocket natively. In Azure, the Application Gateway v2 also supports WebSocket traffic. The gateway can route WebSocket upgrades to the appropriate backend pool.

How does SSL termination work on an Application Gateway?

The gateway holds the SSL certificate and private key. When a client sends an HTTPS request, the gateway decrypts it and forwards the request to the backend as plain HTTP. This offloads the encryption work from the backend servers. The gateway then encrypts the response before sending it back to the client.

What is a health probe and why is it important?

A health probe is a periodic check that the gateway performs on backend servers to see if they are available and healthy. It is important because the gateway will only send traffic to healthy servers. If a server fails a probe, the gateway stops sending traffic to it until it recovers, preventing user errors.

Is an Application Gateway the same as a reverse proxy?

They are very similar, and the terms are sometimes used interchangeably. An Application Gateway is typically a more feature-rich reverse proxy that includes load balancing, health checks, session persistence, and WAF. A generic reverse proxy might only focus on forwarding and caching.

Summary

An Application Gateway is a Layer 7 traffic manager that sits between users and web application servers. It makes intelligent routing decisions based on the content of HTTP/HTTPS requests, such as URL path or hostname. Beyond routing, it provides essential capabilities like SSL termination, health monitoring, session persistence, and integrated Web Application Firewall protection. This makes it a cornerstone of modern, scalable, and secure web architectures, whether deployed on-premises or in the cloud.

For IT certification candidates, a solid understanding of Application Gateways is critical across multiple exams. In AWS, you need to know the Application Load Balancer. In Azure, the Application Gateway service. For CompTIA Network+ and Security+, the conceptual knowledge of Layer 7 load balancing and WAF is tested. Common exam scenarios involve choosing the right type of load balancer for a given requirement, configuring routing rules, or troubleshooting health probe failures. Mistakes often arise from confusing Layer 4 and Layer 7 load balancers, neglecting health probes, or misconfiguring SSL termination.

The key takeaway for exams is to remember the four pillars of an Application Gateway: Listen, Route, Probe, and Secure. Focus on the specific features of each cloud provider's implementation, and practice with scenario-based questions. Real-world experience, even in a lab environment, will solidify your understanding of how these components work together to deliver fast, resilient, and secure applications.