What Does Application Gateway Design Mean?
Also known as: Application Gateway Design, Azure Application Gateway, AZ-305, Layer 7 load balancer, web application firewall
On This Page
Quick Definition
An Application Gateway is a special type of traffic director for web apps that works like a smart receptionist for a busy office. It reads the web request (like asking for a specific page or login) and sends it to the right backend server or service. It also can protect your app by checking for attacks and handling encryption so your servers do not have to.
Must Know for Exams
In the Microsoft Azure certification exam AZ-305 (Designing Microsoft Azure Infrastructure Solutions), Application Gateway Design appears in several key areas. The exam focuses on designing infrastructure solutions, including compute, networking, and security. One of the main objectives is to design a network infrastructure that supports application requirements. Candidates are expected to understand when to use an Application Gateway versus other load balancing solutions like Azure Load Balancer, Traffic Manager, or Front Door.
Specifically, the exam tests your ability to choose the right load balancing solution based on the architecture. For example, if a scenario describes a web application that needs URL-based routing, SSL offloading, and a web application firewall, the correct answer is likely the Application Gateway. If the scenario involves non-HTTP traffic such as SQL database connections, a Network Load Balancer would be more appropriate. The exam will present scenario-based questions where you must differentiate these services.
The AZ-305 exam also tests your understanding of high availability and disaster recovery designs. You may need to design an Application Gateway deployment that is zone-redundant and uses multiple instances. You might be asked about subnet sizing requirements for the gateway or how to configure health probes for backend pools. Additionally, questions about SSL/TLS certificate management, including integration with Azure Key Vault, are common.
Another area where Application Gateway appears is in security design. The exam includes objectives related to securing network traffic and protecting applications. You should know the capabilities of the WAF SKU, the rule sets it uses (OWASP), and how to configure WAF policies. You might also see questions comparing the WAF capabilities of Application Gateway versus Azure Front Door or Azure CDN.
The exam may also present integration scenarios. For instance, you might need to design a solution where an Application Gateway sits in front of an Azure App Service, and traffic must be restricted to only come from the gateway. This involves configuring access restrictions on the App Service to allow only the gateway's private IP address. Understanding these design patterns is critical for the exam.
Finally, the exam tests your ability to design for performance and scale. You may be asked about autoscaling settings, threshold configurations, and the maximum number of backend pool members. Knowing the limits and capabilities of the Standard v2 and WAF v2 SKUs will help you answer these questions correctly.
Simple Meaning
Imagine you run a large office building with many different departments. Each department handles specific tasks: one handles sales, one handles support, and one handles billing. When visitors arrive at the front desk, a receptionist asks them what they need. If they say billing, the receptionist gives them a visitor badge and directs them to the billing department on the third floor. If they say support, they go to the second floor. The receptionist also checks that visitors are not carrying anything dangerous and may handle security checks.
Application Gateway Design is like planning how that front desk works, but for a web application. Instead of a physical building, you have a website or a web service. Instead of people arriving, you get web requests from users. The receptionist is the Application Gateway, a piece of cloud software in Microsoft Azure that sits in front of your web servers. The Application Gateway reads each incoming request. It looks at the URL, such as whether the user is going to a shopping cart page, a login page, or a help desk page. Based on that information, the gateway decides which group of servers should handle the request. Those servers might be virtual machines or containers running your application.
The design part means you must decide how to organize these routing rules. You need to decide which URL paths go to which servers. You might decide that requests for images go to a specialized image server, while requests for checkout go to a heavily secured set of servers. You also decide how to handle encryption, how to scale the gateway itself if traffic grows, and how to make sure the gateway is not a single point of failure. You also plan for security features like a web application firewall that blocks common attacks. In short, Application Gateway Design is the blueprint for a smart, secure, and efficient front door for your web application in the cloud.
Full Technical Definition
Application Gateway Design in Microsoft Azure refers to the architectural planning and configuration of an Azure Application Gateway resource to handle HTTP and HTTPS traffic at Layer 7 of the OSI model. Unlike a traditional Layer 4 load balancer that forwards packets based on IP addresses and ports, the Application Gateway makes routing decisions based on the content of the HTTP request, such as the URL path, host header, query string, or even HTTP headers.
The core components involved in the design include listeners, routing rules, backend pools, health probes, and the optional Web Application Firewall (WAF). A listener defines the frontend IP address, port, and protocol (HTTP or HTTPS) for the gateway. The routing rule connects the listener to a backend pool. The rule can be path-based, meaning if the URL path is /api/* the request goes to one pool, and if it is /images/* it goes to another. Alternatively, the rule can be hostname-based, routing traffic based on the site name in the request, such as app1.contoso.com versus app2.contoso.com.
The backend pool is a collection of virtual machines, virtual machine scale sets, Azure App Service instances, or even external endpoints. The gateway also performs health checks on the backend servers using either HTTP or HTTPS probes. If a server becomes unhealthy, the gateway stops sending traffic to it.
In terms of network design, the Application Gateway is deployed into a dedicated subnet within an Azure Virtual Network. It requires a subnet that is at least /27 in size to allow for scaling. The gateway can be configured with a public frontend IP for internet-facing applications, a private frontend IP for internal applications, or both. For high availability, it is recommended to deploy at least two instances, though the gateway automatically scales if you use the autoscaling SKU.
SSL/TLS termination is a common feature. The gateway can handle the decryption of HTTPS traffic, offloading the CPU-intensive task from backend servers. This also allows the gateway to inspect the unencrypted traffic for threats when the WAF is enabled. The WAF uses OWASP core rule sets to block SQL injection, cross-site scripting, and other common web vulnerabilities.
Design decisions also include choosing between the Standard v2 and WAF v2 SKUs. The v2 SKUs offer autoscaling, zone redundancy, and faster deployment. A well-designed gateway considers traffic patterns, security requirements, SSL certificate management, and integration with Azure services like Key Vault for certificate storage. Additionally, you must plan for end-to-end TLS if the traffic from the gateway to the backend must also remain encrypted.
Real-Life Example
Think of a large airport with multiple terminals. Each terminal handles different airlines or destinations. When you arrive at the airport, you first check the big screens to find which terminal your flight departs from. That screen is like the listener—it tells you where to go based on your destination. You then walk to Terminal A, B, or C. Each terminal has its own security checkpoint, baggage handlers, and gates. These are like the backend pools.
Now, consider a busy international airport. There are many types of travelers: domestic passengers, international passengers, crew members, and VIPs. The airport has a main entrance where all travelers arrive. A smart entrance system could scan your boarding pass and tell you which security line to join. If you are a VIP, you are directed to a fast-track lane. If you are crew, you go to a separate staff entrance. This routing decision is exactly what an Application Gateway does with web traffic.
The Application Gateway acts as the main airport entrance. When a user types a URL into their browser, the gateway reads the request like a boarding pass. If the URL ends with /checkout, the gateway routes it to the payment processing backend pool. If the request is for /images, it goes to the image server pool. If the request includes a special header indicating a mobile app, it could route to a dedicated API pool.
Also, the airport has security screening. The Application Gateway can include a Web Application Firewall that inspects each request for malicious content, much like security officers checking luggage for prohibited items. If a request contains a SQL injection attempt, the WAF blocks it before it ever reaches the backend server, just as security would confiscate a prohibited item before a passenger boards the plane.
Finally, the airport must handle peak times. During holidays, thousands of travelers arrive. The gateway can autoscale, adding more capacity to handle the load, just like the airport opening more security lanes. The design of the airport determines how efficiently passengers move through. Similarly, Application Gateway Design determines how efficiently and securely web traffic flows to your application.
Why This Term Matters
Application Gateway Design matters because it directly affects the performance, security, and reliability of web applications hosted in Azure. As applications grow and face more traffic, a simple web server can no longer handle all requests. Without a proper gateway design, you risk overloading a single server, exposing your application to attacks, and providing a poor user experience.
From a performance perspective, the gateway distributes traffic across multiple backend servers. This prevents any single server from becoming a bottleneck. It also allows you to scale out your application by adding more servers behind the gateway without changing the user-facing URL. The gateway can also perform TLS offloading, which reduces the computational load on your application servers, making them faster.
From a security standpoint, the Web Application Firewall (WAF) integrated into the Application Gateway is a critical line of defense. It blocks common exploits like SQL injection and cross-site scripting before they reach your application. Without a WAF, your application code must handle these threats, which is more complex and error-prone. The gateway also supports SSL termination, ensuring that encrypted traffic is decrypted only at the gateway, not at each backend server. This simplifies certificate management.
In terms of reliability, the Application Gateway performs health checks on backend servers. If a server fails, traffic is automatically redirected to the remaining healthy servers. This ensures high availability. The gateway itself can be deployed in a zone-redundant configuration, meaning it can survive an entire Azure datacenter failure. Without this design, a single server failure or datacenter outage could take down your entire application.
For IT professionals and architects, understanding Application Gateway Design is essential for passing the Azure Solutions Architect exam (AZ-305) and for real-world cloud implementations. Many organizations migrate from on-premises load balancers to cloud-native solutions. A well-designed Application Gateway reduces costs, simplifies operations, and provides a secure, scalable entry point for modern web applications.
How It Appears in Exam Questions
In certification exams, Application Gateway Design appears in multiple question formats. The most common type is the scenario-based multiple-choice question. For example, the exam might describe a company that runs an e-commerce application. The application has separate sections for product catalog, shopping cart, and payment processing. The company wants to route traffic to different server pools based on the URL path. It also needs TLS termination and protection against web attacks. The question then asks which Azure service should be used. The correct answer is Azure Application Gateway, and the distractors might be Azure Load Balancer, Traffic Manager, or Azure Front Door.
Another type of question is the design comparison question. You might be given a table of scenarios and asked to match each scenario to the correct load balancing service. For instance, one row says URL-based routing, another says global DNS load balancing, and another says non-HTTP traffic. You need to select Application Gateway for the first, Traffic Manager for the second, and Load Balancer for the third.
Configuration questions also appear. These might ask about the minimum subnet size required for deploying an Application Gateway. The correct answer is a /27 subnet. Or a question might ask what happens when a backend server fails a health probe. The answer is that the gateway stops routing traffic to that server until it becomes healthy again.
Troubleshooting questions are common as well. For example, a scenario describes a web application that works fine for users, but after deploying an Application Gateway, all users get a 502 Bad Gateway error. The question asks what is likely misconfigured. Possible answers include incorrect backend pool configuration, a failing health probe, or a timeout setting that is too low.
Architecture design questions require you to design a full solution. For example, you might need to design a three-tier application with a web tier, an API tier, and a database tier. The question asks where the Application Gateway fits. The correct answer is that it sits in front of the web tier, routing traffic to the appropriate backend pools. You may also need to specify whether the gateway should have a public or private frontend IP.
Finally, there are security-focused questions. For instance, a scenario describes that the application is vulnerable to SQL injection attacks. You are asked which feature of the Application Gateway can mitigate this. The answer is the Web Application Firewall (WAF). Or a question might ask how to restrict access to an App Service so that only traffic from a specific Application Gateway is allowed. The answer is to configure IP restrictions on the App Service to allow only the gateway's frontend IP or the subnet where the gateway is deployed.
Practise Application Gateway Design Questions
Test your understanding with exam-style practice questions.
Example Scenario
Scenario: A company called TechShop runs an online retail store. The website has three main sections: product browsing, user account management, and checkout. The product browsing section uses static files and images, the account management section uses a separate microservice, and the checkout section uses a payment processing service. The company expects high traffic during a holiday sale and wants to ensure that each section can scale independently. They also need to secure the checkout section with a firewall to block fraudulent requests.
How Application Gateway Design applies: The company deploys an Azure Application Gateway with three backend pools. One backend pool contains the servers that serve product images and static files. A second backend pool contains the microservice that handles user accounts. A third backend pool contains the payment processing service. The company configures path-based routing rules. When a user requests a URL like www.techshop.com/images/*, the gateway routes it to the static content pool. When the request is for www.techshop.com/account/*, it goes to the account microservice pool. When the request is for www.techshop.com/checkout/*, it goes to the payment processing pool. The gateway is configured with a Web Application Firewall that inspects all requests to the checkout path and blocks any SQL injection attempts. All HTTPS traffic is terminated at the gateway, so the backend servers only handle HTTP traffic, reducing their workload. During the holiday sale, the gateway autoscales to handle the increased traffic, and if any backend server fails, the health probe detects it and routes traffic to healthy servers only. This design keeps the website fast, secure, and available even during peak load.
Common Mistakes
Confusing Application Gateway with Azure Load Balancer.
Azure Load Balancer operates at Layer 4, routing traffic based on IP address and port without looking at the HTTP request content. It cannot perform URL-based routing, SSL offloading, or web application firewall functions.
Remember that Application Gateway is a Layer 7 load balancer for HTTP/HTTPS traffic. If your application needs to route based on URL path, hostname, or HTTP headers, choose Application Gateway. For pure TCP/UDP traffic, use Load Balancer.
Forgetting to place the Application Gateway in a dedicated subnet with sufficient IP address space.
The Application Gateway requires a dedicated subnet of at least /27 size. If you place it in a shared subnet or a subnet with fewer than 30 IPs, the deployment may fail or the gateway may not be able to scale.
Always create a dedicated subnet for the Application Gateway. Use a /27 subnet size as a minimum to allow for scaling and multiple instances.
Not configuring health probes for backend pools.
Without health probes, the Application Gateway does not know if a backend server is healthy. It will continue sending traffic to failed servers, causing errors for users.
Configure at least one health probe per backend pool. Use a custom path like /health and set appropriate interval and timeout values so the gateway can detect failures quickly.
Assuming the Application Gateway can handle non-HTTP traffic like databases or email.
The Application Gateway only works with HTTP and HTTPS. It cannot load balance database connections (e.g., SQL Server on port 1433) or SMTP traffic. Using it for such purposes will cause failure.
For non-HTTP traffic, use Azure Load Balancer. Keep Application Gateway exclusively for web application traffic.
Ignoring the need for end-to-end TLS when sensitive data is involved.
By default, traffic from the Application Gateway to backend servers is HTTP (unencrypted). If sensitive data must remain encrypted throughout the entire path, you need to enable HTTPS on the backend as well.
If end-to-end encryption is required, configure the backend pool to use HTTPS and upload the appropriate certificate to the gateway. The gateway will then re-encrypt traffic to the backend.
Exam Trap — Don't Get Fooled
An exam question asks: Your company needs to load balance traffic for a web application. The application has multiple backend servers, and you need to route traffic to the appropriate server based on the URL path. You also need high availability and the ability to handle millions of requests per second.
Which Azure service should you use? Options: Azure Load Balancer, Azure Application Gateway, Azure Traffic Manager, or Azure Front Door. Remember that Azure Application Gateway (especially the v2 SKU with autoscaling) can handle very high throughput, often millions of requests per second for standard workloads.
The key differentiator here is URL path routing. Azure Load Balancer does not support that. Azure Traffic Manager does DNS-level routing, not path-based. Azure Front Door is for global routing with path support, but it is designed for multi-region scenarios, not just a single region.
Since the question does not mention multiple regions, Application Gateway is the best fit. Focus on the routing requirement first, then consider scale.
Commonly Confused With
Azure Load Balancer works at Layer 4 and balances traffic based on IP address and port. It cannot read HTTP request paths or hostnames. Application Gateway works at Layer 7 and can route based on URL paths, host headers, and other HTTP attributes. Use Load Balancer for non-web traffic like SQL or RDP, and Application Gateway for HTTP/HTTPS applications.
If you have two web servers and want all traffic for /api to go to server A and /images to go to server B, you need Application Gateway. If you just want to distribute all traffic evenly between two SQL servers, use Load Balancer.
Azure Traffic Manager operates at the DNS level. It routes traffic based on the domain name, not the URL path. It directs users to the best endpoint based on geography, latency, or priority. Application Gateway operates within a single region and routes traffic based on the URL path. Traffic Manager is for global load balancing, while Application Gateway is for local load balancing and traffic routing.
If you have web apps in the US and Europe, and you want users from Europe to go to the European server, use Traffic Manager. If you want traffic for /checkout to go to a specific backend pool within your European datacenter, use Application Gateway.
Azure Front Door is a global Layer 7 service that combines capabilities of Application Gateway and Traffic Manager. It provides global routing, path-based routing, SSL offloading, and WAF across multiple regions. Application Gateway is a regional service. Front Door is recommended for global applications with users around the world, while Application Gateway is for single-region or local deployments.
If your application is deployed in three Azure regions and you need users in any region to get a fast experience with path-based routing and security, use Front Door. If your application is only in one region and you need path-based routing and WAF, use Application Gateway.
Step-by-Step Breakdown
Define the application requirements
Start by understanding what your web application needs. Identify the types of HTTP requests it receives, such as different URL paths like /api, /images, or /login. Determine if you need SSL termination, a web application firewall, or session affinity. Also estimate the expected traffic volume. This step defines the design goals.
Choose the appropriate SKU and tier
Select between Standard v2 and WAF v2 SKUs. If you need the Web Application Firewall, choose WAF v2. Both support autoscaling and zone redundancy. Also decide whether you need a public, private, or both frontend IP addresses based on whether the application is internet-facing or internal.
Design the subnet and networking
The Application Gateway requires a dedicated subnet within an Azure Virtual Network. The subnet must be at least /27 in size to allow for scaling and multiple instances. Plan for network security groups (NSGs) to control inbound and outbound traffic. For public-facing gateways, ensure the subnet is not too restrictive.
Configure listeners and frontend IPs
Create one or more listeners that specify the frontend IP, port, and protocol (HTTP or HTTPS). For HTTPS, you must upload a valid SSL certificate. Listeners wait for incoming requests on that address and port. You can have multiple listeners for different hostnames or ports.
Define backend pools and health probes
Create backend pools that contain your application servers, such as virtual machines, scale sets, or App Services. For each pool, configure a health probe that checks the status of the servers using an HTTP/HTTPS request to a specific path like /health. Set the interval and timeout to detect failures quickly.
Create routing rules
Create routing rules that link listeners to backend pools. You can use basic routing (all traffic goes to one pool) or path-based routing. For path-based routing, define path patterns like /api/* or /images/* and map each to the correct backend pool. You can also use hostname-based routing for multi-site applications.
Configure security and optional features
Enable the Web Application Firewall if you chose the WAF SKU. Configure WAF policies with OWASP rule sets to block SQL injection, XSS, and other attacks. Optionally enable session affinity if your application requires sticky sessions. Also configure TLS settings, including supported versions and cipher suites.
Deploy and test the gateway
Deploy the Application Gateway to the subnet. After deployment, test the routing by sending requests to the frontend URL. Verify that requests for /api go to the correct backend pool and that health probes mark unhealthy servers. Monitor the gateway's logs and metrics to ensure it handles traffic as designed.
Practical Mini-Lesson
Let us walk through designing an Application Gateway for a real-world scenario. Suppose you work for a media company with a web application that serves videos, user profiles, and an administrative dashboard. Each of these functions runs on separate sets of virtual machines in Azure. Your goal is to route traffic efficiently and securely.
First, you need to decide on the SKU. Since the application is public-facing and you want to protect against web attacks, choose the WAF v2 SKU. This gives you both the path-based routing and the web application firewall. Next, plan the subnet. You create a virtual network with a dedicated subnet for the gateway. You allocate a /27 subnet, which gives you 32 IP addresses, enough for scaling to many instances.
Now, create the frontend configuration. You need a public IP address that users will use to access the site. You allocate a standard SKU public IP and associate it with the gateway. For SSL, you have a wildcard certificate for *.media.com. You upload this certificate to the gateway for SSL termination. This means the gateway handles decryption, and your backend servers receive plain HTTP traffic, which saves them CPU cycles.
Next, create three backend pools. The video pool contains the VMs that stream video. The user pool contains VMs that handle user account data. The admin pool contains VMs for the dashboard. For each pool, you create a health probe. The probe for the video pool hits /health.txt on each VM. If the file is missing or the server is down, the probe fails and the gateway stops sending traffic to that VM.
Now, create the listeners. You have one listener on port 443 (HTTPS) with the wildcard certificate. Then create the routing rules. You add a path-based rule. The first path pattern is /videos/*, which routes to the video backend pool. The second pattern is /user/*, which routes to the user pool. The third pattern is /admin/*, which routes to the admin pool. You also add a default rule that sends all other traffic to a static error page or a main pool.
Finally, configure the WAF. You enable the OWASP 3.2 rule set and set the mode to prevention. This blocks malicious requests automatically. You also add custom rules to block IP addresses from certain countries if needed.
After deployment, you test by typing https://www.media.com/videos/movie1. The gateway sees the path /videos/ and routes the request to the video pool. The health probe ensures only healthy VMs receive traffic. If a VM in the video pool crashes, the probe fails, and the gateway sends new video requests to the other VMs. This design provides a resilient, secure, and scalable web architecture. Professionals should also monitor Azure Monitor logs to see WAF alerts and gateway performance metrics. Common issues include misconfigured health probes that mark healthy servers as unhealthy, or incorrect path patterns that cause 404 errors. Always test routing with multiple paths before going live.
Memory Tip
Think of Application Gateway as a Traffic Cop with a Security Badge. The Traffic Cop directs cars (web requests) to the correct lane (backend pool) based on their destination sign (URL path). The Security Badge means the cop also checks for weapons (WAF). Remember: Layer 7, URL routing, WAF, SSL offload. For exam: if the question says URL path or hostname routing, think Application Gateway first.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
AZ-305AZ-305 →Related Glossary Terms
An A record is a DNS record that maps a domain name to the IPv4 address of the server hosting that domain.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
5G is the fifth generation of cellular network technology, designed to deliver faster speeds, lower latency, and support for many more connected devices than previous generations.
Frequently Asked Questions
What is the difference between Application Gateway and Azure Front Door?
Application Gateway is a regional Layer 7 load balancer, while Azure Front Door is a global Layer 7 load balancer that works across multiple regions. Use Application Gateway when your application is in a single region. Use Front Door when you need global routing and acceleration.
Can I use Application Gateway with Azure App Service?
Yes, you can use Application Gateway as a frontend for an Azure App Service. You configure the App Service as a backend pool member, and you can restrict incoming traffic to only the Application Gateway's subnet for security.
Does Application Gateway support WebSocket traffic?
Yes, Azure Application Gateway v2 supports WebSocket traffic natively. It can pass WebSocket connections through to the backend servers without additional configuration.
What happens if a backend server fails a health probe?
If a backend server fails a health probe, the Application Gateway removes that server from rotation and stops sending new traffic to it. The gateway periodically retries the probe, and if the server becomes healthy again, traffic resumes.
How does SSL termination work on Application Gateway?
SSL termination means the Application Gateway decrypts incoming HTTPS traffic using a certificate you upload. The traffic to the backend servers is then sent as plain HTTP. This offloads the encryption workload from your backend servers.
Can I have multiple sites on one Application Gateway?
Yes, using hostname-based routing, you can host multiple websites on a single Application Gateway. Each listener is associated with a different hostname, and traffic is routed to the appropriate backend pool based on the host header in the request.
What is the minimum subnet size for an Application Gateway?
The minimum subnet size for an Application Gateway is /27. This provides at least 30 usable IP addresses, which allows the gateway to scale to multiple instances. Smaller subnets will cause deployment errors.
Summary
Application Gateway Design is a core concept in Microsoft Azure networking that involves planning and configuring a Layer 7 load balancer for HTTP and HTTPS traffic. Unlike standard load balancers, it routes traffic based on URL paths, hostnames, or other HTTP attributes, making it ideal for complex web applications with multiple services. It also provides SSL termination to offload encryption from backend servers, and a Web Application Firewall to block common web attacks.
For IT professionals and certification candidates, understanding when to use Application Gateway versus other Azure services like Load Balancer, Traffic Manager, or Front Door is critical. Key design considerations include choosing the right SKU, using a dedicated subnet of at least /27, configuring health probes, and setting up path-based routing rules. Common mistakes include confusing the gateway with Layer 4 load balancers and neglecting health probe configuration.
On the AZ-305 exam, you will encounter scenario-based questions that test your ability to design and troubleshoot Application Gateway deployments. Remember that this service is your smart front door that reads the request, checks security, and sends traffic to the right server, all while ensuring high availability and scalability. Mastering Application Gateway Design will serve you well both in exams and in real-world cloud architecture.