This chapter covers Azure Application Gateway and its integrated Web Application Firewall (WAF), two critical services for securing and routing HTTP/S traffic to web applications. For AZ-900, this falls under Objective 2.3: 'Describe Azure architecture services,' specifically the section on load balancing and application delivery. This objective area typically accounts for about 15-20% of the exam, and understanding Application Gateway vs. other load balancers is a common point of confusion. By the end of this chapter, you'll know exactly how Application Gateway works, when to use it, and how it differs from Azure Load Balancer and Azure Front Door.
Jump to a section
Imagine you're a concert venue owner. Fans enter through a main gate (the internet) and head to different stages (your backend servers). Without any control, a mob could rush in, overwhelm a stage, or sneak in banned items. You need a VIP security checkpoint (Application Gateway) that sits between the main gate and the stages. This checkpoint not only directs each fan to the correct stage based on the ticket type (URL path routing), but also inspects every bag for weapons (WAF rules blocking SQL injection or cross-site scripting). It can also handle SSL decryption so the stages don't have to slow down for that. The checkpoint is smart: if a stage is overcrowded, it can hold some fans in a waiting room (session affinity) or send them to a different stage (load balancing). If a fan tries to enter with a fake ticket, the checkpoint rejects them immediately (TLS termination). The checkpoint also has a rate limiter: if 1,000 fans try to rush in from one IP, it slows them down to prevent a stampede (DDoS protection via WAF). This is exactly how Azure Application Gateway works: it's a layer 7 load balancer with a built-in Web Application Firewall that inspects, routes, and protects traffic to your web apps.
What is Azure Application Gateway and What Business Problem Does It Solve?
Azure Application Gateway is a fully managed layer 7 (application layer) load balancer that routes HTTP/S traffic to backend web servers. Unlike a layer 4 load balancer (like Azure Load Balancer) that only sees IP addresses and ports, Application Gateway understands the content of HTTP requests — URLs, headers, cookies, and even the body. This allows intelligent routing based on the request path, hostname, or query string.
Business problem: Modern web applications often consist of multiple microservices or pages served from different backend pools. For example, /images might be served from a VM running an image server, /api from a containerized API, and /checkout from a high-availability cluster. Without a layer 7 load balancer, you'd need to expose each backend separately or use a reverse proxy that you manage yourself. Application Gateway centralizes this routing and offloads SSL/TLS termination, cookie-based session affinity, and web application firewall (WAF) protection — all as a managed service.
How It Works — Step-by-Step Mechanism
Listener: Application Gateway listens on a frontend IP address and port (e.g., 80 or 443) for incoming HTTP/S requests. You can have multiple listeners for different hostnames or ports.
Routing Rules: Each listener has a routing rule that matches the request's path or hostname. For example, a rule might say: "If path starts with /api, forward to BackendPool-A; if path starts with /images, forward to BackendPool-B."
Backend Pool: A set of backend servers (VMs, VMSS, App Service, or even on-premises servers via VPN) that receive the forwarded traffic. You can configure health probes to check if each backend is healthy.
HTTP Settings: Define how traffic is sent to backends: protocol (HTTP or HTTPS), port, cookie-based affinity (sticky sessions), request timeout, and whether to override hostname.
WAF (if enabled): Before forwarding, the request passes through the Web Application Firewall, which inspects headers, cookies, and body against OWASP Core Rule Sets (CRS) to block attacks like SQL injection, cross-site scripting (XSS), and HTTP request smuggling.
SSL Termination: Application Gateway can handle decryption of HTTPS traffic, so backend servers don't have to do the heavy cryptographic work. You upload a TLS/SSL certificate to the gateway.
Response: The gateway forwards the request to a healthy backend, and the response flows back through the gateway to the client.
Key Components, Tiers, and Pricing
Components: - Frontend IP: Public or private (internal) IP address. - Listeners: Rules that match incoming traffic by protocol, port, hostname, and IP address. - Routing Rules: Bind listeners to backend pools and HTTP settings. - Backend Pools: Targets (VMs, VMSS, App Service, etc.) with optional health probes. - HTTP Settings: Protocol, port, cookie affinity, timeout, connection draining. - WAF Policy: Managed rule sets, custom rules, bot protection, and policy mode (Detection or Prevention). - SSL Certificates: For TLS termination or end-to-end TLS.
Tiers: - Standard v2: Autoscaling, zone-redundant, supports static IP, SSL offload, URL-based routing, and cookie affinity. No WAF. - WAF v2: Includes all Standard v2 features plus a fully integrated WAF with OWASP CRS 3.x. It has two modes: Detection (log only) and Prevention (block and log). - Basic (v1): Older tier, limited to manual scaling, no autoscaling, no zone redundancy. Not recommended for new deployments.
Pricing: Pay-as-you-go based on gateway capacity units (compute + throughput + number of rules) and data processed. WAF v2 adds a fixed monthly fee plus per-rule costs for custom rules. Autoscaling means you only pay for what you use, but there's a minimum hourly cost.
How It Compares to On-Premises Equivalent
On-premises, you might use an F5 BIG-IP, NGINX Plus, or HAProxy for layer 7 routing and WAF. These require hardware procurement, software licensing, manual configuration, and ongoing maintenance (patching, scaling). Azure Application Gateway is fully managed: Microsoft handles patching, scaling, and high availability. The trade-off is less customization — you can't install custom modules or tweak kernel parameters. But for most cloud-native apps, the managed service is faster to deploy and more cost-effective.
Azure Portal and CLI Touchpoints
Portal: - Navigate to 'Create a resource' > 'Networking' > 'Application Gateway'. - Fill in basics: subscription, resource group, name, region, tier (Standard v2 or WAF v2), autoscaling min/max instances, and virtual network. - Configure frontend IP: public, private, or both. - Add backend pool: targets can be VMs, VMSS, IP addresses, or App Services. - Create routing rule: define listener (port, hostname), backend pool, HTTP settings, and optionally WAF policy. - Review and create.
CLI Example (creating a simple WAF v2 gateway):
az network application-gateway create \
--name myAppGateway \
--resource-group myResourceGroup \
--location eastus \
--capacity 2 \
--sku WAF_v2 \
--http-settings-cookie-based-affinity Enabled \
--public-ip-address myPublicIP \
--vnet-name myVNet \
--subnet mySubnet \
--servers 10.0.1.4 10.0.1.5 \
--waf-policy myWAFPolicyPowerShell:
New-AzApplicationGateway -Name "myAppGateway" `
-ResourceGroupName "myResourceGroup" `
-Location "East US" `
-Sku @{Name="WAF_v2";Tier="WAF_v2";Capacity=2} `
-GatewayIPConfigurations $gipconfig `
-FrontendIPConfigurations $fipconfig `
-FrontendPorts $frontendPort `
-BackendAddressPools $pool `
-BackendHttpSettingsCollection $poolSetting `
-HttpListeners $listener `
-RequestRoutingRules $rule `
-WebApplicationFirewallConfiguration $wafConfigConcrete Business Scenarios
E-commerce site with separate admin and public APIs: Route /api/public to a scalable App Service, /api/admin to a VMSS with higher security, and /images to Azure CDN via URL rewrite.
Multi-tenant SaaS: Use hostname-based routing to direct customer1.example.com to one backend pool and customer2.example.com to another, with WAF enforcing tenant-specific rules.
Microservices migration: Gradually move traffic from monolithic VMs to containerized services by creating path-based rules, allowing incremental rollout with zero downtime.
Plan the Gateway Architecture
First, decide the tier (Standard v2 or WAF v2) based on whether you need built-in web application firewall. Choose the region close to your users and ensure you have a dedicated subnet for the gateway (minimum size /27 or /28 for v2). Plan the frontend IPs: public for internet-facing apps, private for internal apps. Decide on listeners: you need at least one listener per port/hostname combination. For example, a public listener on port 443 for HTTPS traffic. Also plan backend pools: list all target servers or services, and decide on health probe settings (path, interval, timeout). This upfront planning avoids reconfiguration later.
Create Virtual Network and Subnet
Application Gateway requires its own subnet within a virtual network. In the Azure portal, create a VNet (or use existing) and add a subnet named 'appgw-subnet' with address range at least /27 (e.g., 10.0.1.0/27). This subnet can only contain the gateway — no other resources. The gateway will use this subnet to communicate with backends and to scale out. For v2 gateways, the subnet must be at least /27 to allow for autoscaling and multiple instances. Important: the subnet cannot be delegated to any other service.
Configure Frontend IP and Listener
In the Azure portal, under the gateway resource, go to 'Listeners' and add a new listener. Specify the frontend IP (public or private), protocol (HTTP or HTTPS), and port. For HTTPS, you must upload a TLS/SSL certificate (PFX or PEM) for termination. You can also set hostnames for multi-site routing. For example, create a listener for 'api.contoso.com' on port 443. The listener will wait for incoming connections. Behind the scenes, Azure assigns a frontend IP from your public IP resource or private subnet.
Define Backend Pools and Health Probes
Create backend pools that group your target servers. You can add VMs, VMSS, App Services, or IP addresses. For each pool, configure a health probe: specify the path (e.g., /health), protocol, interval (default 30 seconds), timeout, and unhealthy threshold (default 3 failures). Azure periodically sends HTTP requests to each backend; if a backend fails the probe, it is removed from rotation. This ensures traffic only goes to healthy instances. For example, a pool of two VMs running a web app with a health endpoint at /status.
Create Routing Rules and HTTP Settings
A routing rule binds a listener to a backend pool with specific HTTP settings. HTTP settings define the protocol to use when forwarding (HTTP or HTTPS), port (usually 80 or 443), cookie-based affinity (on/off), request timeout (default 20 seconds), and whether to override the hostname. For path-based routing, you create multiple rules under one listener — for example, rule1: path '/api/*' -> poolA, rule2: path '/images/*' -> poolB. The gateway evaluates rules in order of precedence (most specific first). Basic routing (all traffic to one pool) is simpler but less flexible.
Enable and Configure WAF Policy
If using WAF v2, create a WAF policy and associate it with the gateway or specific listeners. The policy includes managed rule sets (e.g., OWASP 3.2) and custom rules. Set mode to 'Prevention' to block attacks or 'Detection' to log only. You can also enable bot protection to block malicious bots. Custom rules allow you to whitelist or blacklist IP ranges, filter by request body size, or match on headers. For example, block requests from IPs outside your country. The policy is evaluated per request before forwarding to the backend.
Test and Monitor the Deployment
Once created, test the gateway by sending HTTP requests to its frontend IP or DNS name. Verify that routing works: e.g., /api goes to the correct backend, /images to another. Check health probe logs to ensure backends are healthy. Monitor metrics like 'Healthy Host Count' and 'Unhealthy Host Count' in Azure Monitor. For WAF, review the 'WAF Blocked Requests' metric. Enable diagnostic logs to capture detailed request and response data. Troubleshoot common issues: backend not responding (check NSG rules allowing traffic from gateway subnet), SSL certificate errors, or routing rule misconfiguration.
Scenario 1: E-commerce Platform with Microservices
A large online retailer deploys its application as microservices: a user service, product catalog, order service, and payment service, each running in separate Azure VM Scale Sets. They need a single public endpoint that routes /users to the user service, /products to the catalog, /orders to the order service, and /payments to the payment service. They also need to protect against SQL injection and cross-site scripting attacks. The team deploys a WAF v2 Application Gateway with four backend pools. They configure path-based routing rules and enable the OWASP 3.2 rule set in Prevention mode. Cost is based on gateway capacity units; with autoscaling, they pay for the traffic they handle. During a flash sale, traffic spikes; the gateway automatically scales out to handle 10,000 requests per second. Without the gateway, they would have needed to manage a custom reverse proxy and WAF, increasing operational overhead. If incorrectly configured (e.g., wrong path patterns), users might see 404 errors or traffic could be sent to the wrong service, causing checkout failures.
Scenario 2: Internal HR Application with SSL Offload
A multinational company runs an internal HR portal on a set of VMs in Azure. The app uses HTTPS with a certificate from an internal CA. The app team wants to offload SSL decryption to the gateway so backend VMs don't waste CPU on encryption. They deploy a Standard v2 Application Gateway with a private frontend IP. They upload the internal certificate to the gateway and configure HTTPS listener. Backend HTTP settings use HTTP on port 80, since SSL is terminated at the gateway. The gateway also enables cookie-based session affinity so users stay on the same backend during their session. If the team mistakenly uses the wrong certificate or forgets to update it before expiry, users will see certificate errors. The gateway's health probe checks the /health endpoint every 30 seconds; if a backend VM is down, traffic is redirected to healthy ones, ensuring high availability.
Scenario 3: Multi-Tenant SaaS with Hostname Routing
A SaaS provider hosts different customers on separate backend pools for isolation. Each customer has a unique hostname (e.g., acme.contoso.com, beta.contoso.com). They deploy a WAF v2 gateway with multiple listeners, each listening on port 443 with a different hostname. Each listener routes to a dedicated backend pool. The WAF policy is customized per customer: for a financial services customer, they add custom rules to block non-US IPs. The gateway also provides TLS termination, so each customer can bring their own certificate. If a hostname is misconfigured, traffic might go to the wrong tenant, causing data leakage. The solution scales automatically as new customers are added — just create a new listener and backend pool.
Objective: AZ-900 Objective 2.3 — 'Describe Azure architecture services.' Within this, Application Gateway and WAF are tested as part of 'load balancing and application delivery services.' Expect 1-3 questions on this topic.
What the exam tests exactly: - The ability to differentiate between Azure Load Balancer (layer 4), Application Gateway (layer 7), and Azure Front Door (global layer 7 with CDN). - Understanding that Application Gateway supports URL path-based routing, hostname-based routing, SSL offload, and cookie-based session affinity. - Knowing that WAF is included in the WAF v2 tier and protects against OWASP Top 10 attacks (SQL injection, XSS). - Recognizing that Application Gateway operates at layer 7 (OSI model), while Azure Load Balancer operates at layer 4.
Common Wrong Answers and Why Candidates Choose Them: 1. 'Application Gateway is used for any TCP/UDP traffic.' — Wrong. That's Azure Load Balancer. Candidates confuse layer 4 vs. layer 7. Remember: App Gateway is HTTP/HTTPS only. 2. 'WAF is a separate service that you attach to any load balancer.' — Wrong. WAF is integrated only with Application Gateway and Azure Front Door. Candidates think it's like a separate appliance. 3. 'Application Gateway does not support SSL termination.' — Wrong. SSL termination is a key feature. Candidates might think it only passes through traffic. 4. 'You can use Application Gateway to load balance non-HTTP traffic like FTP.' — Wrong. It only handles HTTP/S. For FTP, use Azure Load Balancer.
Specific Terms and Values That Appear Verbatim: - 'Layer 7 load balancer' - 'URL path-based routing' - 'Hostname-based routing' - 'SSL/TLS termination' (or 'SSL offload') - 'Cookie-based session affinity' - 'WAF (Web Application Firewall)' - 'OWASP Core Rule Set' - 'Standard_v2' and 'WAF_v2' as SKU names
Edge Cases and Tricky Distinctions: - Application Gateway vs. Azure Front Door: Front Door is global (multiple regions), supports CDN, and has WAF. Application Gateway is regional (single region). The exam may ask which to use for a single-region app vs. global app. - Application Gateway vs. Traffic Manager: Traffic Manager is DNS-based (layer 7 DNS), not a proxy. It redirects clients to endpoints but doesn't inspect traffic. Application Gateway is a reverse proxy. - WAF mode: Detection vs. Prevention. Detection logs but doesn't block; Prevention blocks. The exam may ask which mode is used for testing. - Gateway SKU: v2 supports autoscaling and zone redundancy; v1 does not. New deployments should use v2.
Memory Trick: 'App Gateway is the smart bouncer at the HTTP party.' It reads the URL (path), checks ID (session cookie), and frisks for weapons (WAF). If it's not HTTP/S, it's not App Gateway — it's Load Balancer.
Decision Tree for Eliminating Wrong Answers: 1. Does the scenario mention HTTP/HTTPS traffic? If no → eliminate Application Gateway. 2. Does it require URL path or hostname routing? If yes → Application Gateway (or Front Door). 3. Does it require global multi-region routing? If yes → Front Door. If single region → Application Gateway. 4. Does it need WAF? If yes → WAF v2 tier or Front Door with WAF. 5. Does it need SSL offload? Application Gateway supports it.
Azure Application Gateway is a managed layer 7 load balancer for HTTP/S traffic only.
It supports URL path-based routing, hostname-based routing, SSL termination, and cookie-based session affinity.
The WAF (Web Application Firewall) is only available in the WAF_v2 SKU and protects against OWASP Top 10 attacks.
Application Gateway v2 is the current generation; it supports autoscaling and zone redundancy.
Azure Load Balancer operates at layer 4 and is for any TCP/UDP traffic, not HTTP/S routing.
Azure Front Door is a global (multi-region) layer 7 load balancer with CDN capabilities; use it for global applications.
Application Gateway requires a dedicated subnet (minimum /27 for v2) within a virtual network.
Health probes are required to monitor backend health; unhealthy backends are automatically removed from rotation.
WAF has two modes: Detection (log only) and Prevention (block and log).
On the AZ-900 exam, know the difference between Application Gateway, Load Balancer, and Front Door based on layer and scope.
These come up on the exam all the time. Here's how to tell them apart.
Azure Application Gateway
Layer 7 (Application layer) – understands HTTP/S content
Supports URL path and hostname routing
Includes WAF (Web Application Firewall) in WAF v2 tier
SSL termination (offload) supported
Cookie-based session affinity
Azure Load Balancer
Layer 4 (Transport layer) – only sees IP, port, protocol
No URL or hostname awareness – routes all traffic in a pool equally
No built-in WAF
No SSL termination – passes through encrypted traffic
Only source IP affinity (5-tuple hash) – no cookie-based affinity
Mistake
Application Gateway can load balance any type of network traffic, including UDP and FTP.
Correct
Application Gateway is a layer 7 load balancer that only handles HTTP, HTTPS, and HTTP/2 traffic. For TCP/UDP traffic, use Azure Load Balancer.
Mistake
WAF is a separate Azure service that you can attach to any resource, like a VM or App Service.
Correct
WAF is integrated only with Azure Application Gateway and Azure Front Door. You cannot attach it independently to other services. It's part of the gateway's configuration.
Mistake
Application Gateway does not support SSL termination; you must handle SSL on the backend servers.
Correct
SSL termination (or SSL offload) is a core feature. Application Gateway can decrypt HTTPS traffic so backend servers can use HTTP, reducing their CPU load.
Mistake
You can only use public IP addresses with Application Gateway; private IPs are not supported.
Correct
Application Gateway supports both public and private frontend IPs. Private IPs are used for internal-only applications.
Mistake
Application Gateway v1 and v2 are identical except for pricing.
Correct
v2 supports autoscaling, zone redundancy, and static IP addresses; v1 does not. v2 is the recommended SKU for new deployments.
Azure Load Balancer operates at layer 4 (transport) and routes any TCP/UDP traffic based on IP and port. It does not inspect HTTP headers or URLs. Azure Application Gateway operates at layer 7 (application) and only handles HTTP/HTTPS traffic. It can route based on URL path, hostname, and supports SSL termination, cookie affinity, and WAF. Use Load Balancer for non-HTTP traffic (e.g., database connections) and Application Gateway for web applications.
Yes. Application Gateway supports both public and private frontend IP addresses. For internal applications, you can assign a private IP from your virtual network and restrict access to that IP. The gateway will still provide load balancing, SSL offload, and WAF for internal traffic.
Standard_v2 provides all layer 7 load balancing features (URL routing, SSL offload, cookie affinity, autoscaling) but does NOT include the Web Application Firewall. WAF_v2 includes everything in Standard_v2 plus an integrated WAF with OWASP rule sets and custom rules. If you need to protect against web attacks, choose WAF_v2. For simple routing without WAF, Standard_v2 is sufficient and cheaper.
Yes. Application Gateway natively supports WebSocket traffic for both HTTP and HTTPS. It can route WebSocket connections to backend servers just like regular HTTP traffic. No additional configuration is needed beyond enabling WebSocket on the backend.
Application Gateway can terminate SSL connections by decrypting traffic using a certificate you upload (PFX or PEM). You can also configure end-to-end SSL encryption, where the gateway re-encrypts traffic to the backend. For SSL termination, the backend receives HTTP traffic; for end-to-end SSL, the backend must have its own certificate.
The default health probe sends an HTTP GET request to the root path ('/') on the backend port every 30 seconds. If three consecutive probes fail (unhealthy threshold), the backend is marked unhealthy. You can customize the path, interval, timeout, and threshold. It's best practice to create a dedicated health endpoint (e.g., /health) that returns 200 OK.
Yes. You can add an App Service as a backend target in a backend pool. However, App Service has its own frontend and scaling; using Application Gateway in front adds features like WAF, URL routing, and SSL offload. Note that you must configure the App Service to accept traffic only from the gateway's IP or use private endpoints.
You've just covered Azure Application Gateway and WAF — now see how well it sticks with free AZ-900 practice questions. Full explanations included, no account needed.
Done with this chapter?