Traffic distribution in Azure comes in several flavors, each built for a different layer of the network stack. Azure Load Balancer operates at Layer 4, distributing TCP and UDP flows by IP address, port, and protocol without inspecting the content of the connection. Application Gateway operates at Layer 7: it understands HTTP and HTTPS well enough to route on URL path and host header, keep a client on one backend through cookie-based session affinity, terminate TLS, and apply a web application firewall. Azure Front Door and Traffic Manager extend these capabilities globally. The AZ-104 exam focuses on when to use each, their SKU differences, and how health probes keep traffic away from unhealthy backends.
Azure Load Balancer distributes inbound TCP and UDP traffic across backend pool members using a hash of the source IP, source port, destination IP, destination port, and protocol. Because every packet of one flow shares these five values, a flow always lands on the same backend (per-flow affinity); a new connection from the same client uses a different ephemeral source port and may land on a different backend. If a client must keep reaching the same backend across connections, configure session persistence (Client IP, or Client IP and protocol), which hashes only the 2-tuple or 3-tuple. Load Balancer does not inspect application content, cannot route based on URLs, and does not terminate TLS.
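The difference between five-tuple flow affinity and client-IP session persistence is easiest to see by simulation. The following Python is an added example, not code from the original page or from Microsoft: the backend names and client addresses are constructed, and SHA-256 stands in for Azure's unpublished hash. What the example shows is which fields feed the hash, and therefore why a client's second connection can land on a different VM under the default mode but not under Client IP persistence.

```python
import hashlib
from collections import Counter

# Constructed backend pool for the simulation; these are not real Azure resources.
BACKENDS = ["vm-0", "vm-1", "vm-2"]


def pick_backend(fields, backends=BACKENDS):
    """Map a tuple of flow fields to one backend.

    Azure's internal hash function is not published; SHA-256 over the joined
    fields stands in for it here (an assumption of this example). What matters
    for the illustration is WHICH fields feed the hash, not the hash itself.
    """
    key = "|".join(str(f) for f in fields).encode()
    digest = hashlib.sha256(key).digest()
    return backends[int.from_bytes(digest[:4], "big") % len(backends)]


def select(flow, mode):
    """Choose a backend for one flow under a given distribution mode.

    flow = (src_ip, src_port, dst_ip, dst_port, protocol)
    mode = "five_tuple"          -> default Azure LB hash (per-flow affinity)
           "source_ip"           -> session persistence: Client IP (2-tuple)
           "source_ip_protocol"  -> session persistence: Client IP and protocol (3-tuple)
    """
    src_ip, src_port, dst_ip, dst_port, proto = flow
    if mode == "five_tuple":
        fields = (src_ip, src_port, dst_ip, dst_port, proto)
    elif mode == "source_ip":
        fields = (src_ip, dst_ip)
    elif mode == "source_ip_protocol":
        fields = (src_ip, dst_ip, proto)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return pick_backend(fields)


def client_connections(src_ip, count):
    """Constructed traffic: one client opening `count` TCP connections to the
    frontend 10.0.1.4:443, each from a fresh ephemeral source port."""
    return [(src_ip, 49152 + i, "10.0.1.4", 443, "tcp") for i in range(count)]


def backends_hit(flows, mode):
    """Return a Counter of how many flows landed on each backend."""
    return Counter(select(flow, mode) for flow in flows)


def sticks_to_one_backend(flows, mode):
    """True if every flow in the list went to the same backend."""
    return len(backends_hit(flows, mode)) == 1


if __name__ == "__main__":
    flows = client_connections("203.0.113.7", 20)
    for mode in ("five_tuple", "source_ip", "source_ip_protocol"):
        print(f"{mode:>18}: {dict(backends_hit(flows, mode))}")
```

Run it and the `five_tuple` line spreads the twenty connections across all three VMs while the two persistence modes pin them to one. Client IP persistence does not mean an idle pool, though: many distinct clients still hash across the whole pool, which is why it is a sensible default for stateful backends that cannot share session state.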
Azure Load Balancer comes in two SKUs. The Basic SKU is free, supports backend pools of up to 300 instances drawn from a single availability set or scale set, does not support Availability Zones, is open to inbound traffic by default, and carries no SLA. The Standard SKU supports backend pools of up to 1000 instances from any VMs in the VNet, is zone-redundant by default, supports outbound rules for SNAT, supports HTTPS health probes, is secure by default (inbound traffic is dropped until a network security group explicitly allows it), and provides a 99.99% SLA. Standard SKU is required for zone-redundant deployments and is the recommended choice for any production workload; Basic Load Balancer is being retired (Microsoft's announced date is 30 September 2025), so new deployments should use Standard.
Load Balancer supports public (internet-facing) and internal (private) configurations. A public load balancer has a public frontend IP and distributes internet traffic to the backend pool. An internal load balancer has a private frontend IP within a VNet and distributes traffic between internal services. Health probes monitor backend instances and remove unhealthy instances from rotation; Basic supports TCP and HTTP probes, and Standard adds HTTPS. Probes arrive from the AzureLoadBalancer service tag (168.63.129.16), so keep the default NSG rule AllowAzureLoadBalancerInBound ahead of any deny rule, and on Standard remember that client traffic to the load-balanced port also needs an explicit NSG allow rule.
Application Gateway is a Layer 7 load balancer that understands HTTP and HTTPS. It can route traffic based on URL path (/images/* to one backend pool, /api/* to another), route based on host headers (shop.example.com to one pool, api.example.com to another), terminate TLS at the gateway (offloading decryption from backend servers), and apply a Web Application Firewall (WAF) built on the OWASP Core Rule Set to block the OWASP Top 10 classes of attack. Two caveats: TLS termination means traffic from the gateway to the backend travels in clear text unless you configure end-to-end TLS, where the gateway re-encrypts to the backend pool; and a WAF policy in Detection mode only logs matches, so switch it to Prevention mode once the rules are tuned. Application Gateway is deployed within a VNet in its own dedicated subnet; the v2 SKUs (Standard_v2 and WAF_v2) add autoscaling and zone redundancy.
Azure Front Door is a global load balancing and content delivery service that operates at the edge, closer to users. It combines load balancing, TLS offloading, WAF, and caching across globally distributed points of presence. Front Door routes users to the fastest backend based on measured latency and can fail over to a secondary region if the primary becomes unhealthy. Because Front Door sits outside your VNets, its origins stay reachable from the internet unless you lock them down: restrict the origin to the AzureFrontDoor.Backend service tag and have the application verify the X-Azure-FDID header against your profile's Front Door ID, or use Private Link origins on the Premium tier. Use Front Door when you have backends in multiple Azure regions and want to serve users from the closest available point.
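An origin that accepts any request from the internet defeats the WAF in front of it, so the origin should check that each request really came through your Front Door profile. The following WSGI application is an added example, not code from the page or from Microsoft: it verifies the X-Azure-FDID request header that Front Door adds to forwarded requests. The expected ID is a constructed placeholder (in practice read your profile's frontDoorId from configuration), and the `invoke` helper exists only to exercise the app in-process.

```python
import hmac
from wsgiref.simple_server import make_server

# Placeholder Front Door profile ID for the example. In a real deployment this
# is your profile's frontDoorId property, loaded from configuration.
EXPECTED_FDID = "00000000-0000-0000-0000-000000000000"  # constructed placeholder


def came_via_our_front_door(environ, expected_fdid=EXPECTED_FDID):
    """Check the X-Azure-FDID header Front Door adds to every forwarded request.

    WSGI exposes request headers as HTTP_<NAME>; a missing header yields ''.
    hmac.compare_digest keeps the comparison constant-time.
    """
    fdid = environ.get("HTTP_X_AZURE_FDID", "")
    return hmac.compare_digest(fdid.encode(), expected_fdid.encode())


def app(environ, start_response):
    """Origin application: refuse anything that did not arrive through our profile."""
    if not came_via_our_front_door(environ):
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"origin accepts traffic only via Azure Front Door\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello from the origin\n"]


def invoke(headers):
    """Call the app in-process with constructed headers; returns (status, body)."""
    environ = {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": "/",
        "SERVER_NAME": "origin",
        "SERVER_PORT": "80",
    }
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    # Local demo server only; run behind a production WSGI server in practice.
    with make_server("127.0.0.1", 8080, app) as httpd:
        print("origin listening on http://127.0.0.1:8080")
        httpd.serve_forever()
```

The header check is only half of the lock-down. Anyone who can reach the origin directly can set X-Azure-FDID themselves, so the origin must first be reachable only from Front Door's address ranges (the AzureFrontDoor.Backend service tag in an NSG or App Service access restriction, or a Private Link origin on Premium). Those ranges are shared by every customer's Front Door profile, and the header is what distinguishes your profile from someone else's profile pointed at your origin.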
Traffic Manager is a DNS-based load balancing service. It does not proxy traffic: it answers DNS queries with a record that directs the client to the appropriate endpoint, and it monitors endpoint health with its own HTTP, HTTPS, or TCP checks. Traffic Manager supports the routing methods Priority (failover), Weighted (traffic splitting), Performance (lowest-latency endpoint), Geographic (by the client's region), Multivalue (several healthy endpoints in one answer), and Subnet (by client IP range). Because it is DNS-based, Traffic Manager cannot inspect or modify traffic, and it cannot guarantee connection affinity the way Load Balancer can.
Azure Load Balancer: Layer 4, TCP/UDP, hash-based distribution, no content inspection. Internal or public. Standard SKU for production.
Application Gateway: Layer 7, HTTP/HTTPS, URL-path routing, host-based routing, TLS termination, WAF. Regional.
Front Door: global Layer 7, multi-region, edge caching, WAF, failover across regions. For worldwide traffic.
Traffic Manager: DNS-based, global, no traffic proxy, routing methods: Priority, Weighted, Performance, Geographic, Multivalue, Subnet.
WAF SKU: Application Gateway WAF tier and Azure Front Door (custom rules on Standard, managed rule sets on Premium) both include WAF. Load Balancer has no WAF.
Standard LB vs Basic LB: Standard for production: SLA, zone redundancy, larger backend pools, HTTPS probes, secure by default (an NSG must admit traffic).
Internal load balancer: private frontend IP, routes traffic within VNet. No internet exposure.
| Service | Layer | Scope | Key capability | Best for |
|---|---|---|---|---|
| Azure Load Balancer | 4 (TCP/UDP) | Regional | High throughput, low latency, zone-redundant | Internal and public Layer 4 load balancing |
| Application Gateway | 7 (HTTP/HTTPS) | Regional | URL routing, TLS termination, WAF | Web app routing, WAF, TLS offload |
| Azure Front Door | 7 (HTTP/HTTPS) | Global (edge) | Global routing, CDN caching, WAF | Multi-region web apps, global users |
| Traffic Manager | DNS | Global | DNS-based routing, failover, geography | Global endpoint routing, DR failover |
A common misconception is that Application Gateway and Azure Load Balancer can be used interchangeably for web applications.
Azure Load Balancer operates at Layer 4 and has no knowledge of HTTP. It cannot route based on URLs, host headers, or cookies, cannot terminate TLS, and cannot apply a WAF. Application Gateway understands HTTP and provides all of these capabilities. For web applications that need URL-based routing or WAF protection, Application Gateway is required. For high-throughput TCP/UDP applications or internal service-to-service load balancing, Azure Load Balancer is appropriate.
A common misconception is that Traffic Manager provides true load balancing with session affinity.
Traffic Manager works at the DNS layer. It returns a DNS response pointing the client to an endpoint, but it does not proxy or inspect any traffic after that. Because clients and recursive resolvers cache its answers until the DNS TTL expires, failover is not instantaneous: a client holding a cached answer keeps connecting to the failed endpoint until its copy expires, on top of the time Traffic Manager's own probes need to notice the failure. It cannot provide session affinity at the connection level because it only controls the initial DNS resolution. For true connection-level load balancing with affinity, use Azure Load Balancer or Application Gateway.
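How much the TTL matters is worth seeing in numbers. The following Python is an added example, not code from the page or from Microsoft: it simulates a Priority-routed profile with two constructed endpoints and a resolver that honours the TTL, then measures how long a client keeps connecting to a failed primary. The simulation assumes Traffic Manager notices the failure immediately; the real service only learns of it through its endpoint monitoring probes, so actual failover takes at least as long as shown here.

```python
from dataclasses import dataclass, field

PRIMARY = "app-eastus.example.net"      # constructed endpoint names
SECONDARY = "app-westeu.example.net"
PROFILE = "app.trafficmanager.net"      # constructed profile name


@dataclass
class TrafficManagerSim:
    """Priority routing: answer with the highest-priority endpoint currently healthy.

    Health is set directly by the simulation; the real service learns it from
    probes, which adds detection delay not modelled here.
    """
    ttl: int
    endpoints: list = field(default_factory=lambda: [(1, PRIMARY), (2, SECONDARY)])
    healthy: set = field(default_factory=lambda: {PRIMARY, SECONDARY})

    def resolve(self):
        for _priority, host in sorted(self.endpoints):
            if host in self.healthy:
                return host, self.ttl
        return None, self.ttl


@dataclass
class CachingResolver:
    """A resolver (or client stub) that honours the TTL of the answers it caches."""
    authority: TrafficManagerSim
    cache: dict = field(default_factory=dict)  # name -> (answer, expires_at)

    def lookup(self, name, now):
        cached = self.cache.get(name)
        if cached is not None and now < cached[1]:
            return cached[0]                      # still fresh: no query is sent
        answer, ttl = self.authority.resolve()
        self.cache[name] = (answer, now + ttl)
        return answer


def simulate(ttl, failure_at, horizon, step=10):
    """Return [(t, endpoint the client connects to)] for t in 0..horizon seconds.

    The primary is marked unhealthy at `failure_at` seconds.
    """
    tm = TrafficManagerSim(ttl=ttl)
    client = CachingResolver(tm)
    timeline = []
    for now in range(0, horizon, step):
        if now >= failure_at:
            tm.healthy.discard(PRIMARY)
        timeline.append((now, client.lookup(PROFILE, now)))
    return timeline


def seconds_until_failover(timeline, failure_at):
    """How long after the failure the client first reaches the secondary."""
    for now, host in timeline:
        if now >= failure_at and host == SECONDARY:
            return now - failure_at
    return None


if __name__ == "__main__":
    for ttl in (300, 60, 10):
        tl = simulate(ttl=ttl, failure_at=30, horizon=400)
        print(f"TTL {ttl:>3}s: client stays on the failed primary for "
              f"{seconds_until_failover(tl, 30)}s")
```

With the default 60-second TTL the client that resolved at t=0 keeps connecting to the dead primary until t=60, half a minute after it failed; with a 300-second TTL it waits four and a half minutes. Lowering the TTL shortens the window at the cost of more DNS queries, and it still cannot move a connection that is already open, which is the affinity limitation the paragraph above describes.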
A common misconception is that Azure Front Door and Application Gateway are the same product at different scales.
Application Gateway is a regional, VNet-integrated Layer 7 load balancer for routing traffic within a region to backends in that region. Front Door is a global, edge-based service that sits outside your VNets, uses Microsoft's global network edge locations, provides caching, and routes users to the best regional backend. They can be used together: Front Door at the global edge routing to regional Application Gateways that then distribute to backend pools.