Azure Application Gateway and WAF: Web Application Security

What is Azure Application Gateway?

Azure Application Gateway is a Layer 7 load balancer that provides application-level routing, SSL termination, and Web Application Firewall (WAF) capabilities. It serves as the primary entry point for web traffic flowing into your Azure environment, inspecting every HTTP/HTTPS request before it reaches your applications.

Unlike traditional network load balancers that operate at Layer 4, Application Gateway understands HTTP semantics and can make intelligent routing decisions based on URL paths, host headers, and other request attributes. This makes it ideal for modern microservices architectures where different services handle different URL paths.

Key Features and Capabilities

URL-Based Routing

Application Gateway can route traffic to different backend pools based on URL patterns. For example, /images/* requests can go to an optimized image storage backend while /api/* requests route to your API servers. This eliminates the need for separate load balancers per service.

SSL/TLS Termination

Offloading SSL processing to the gateway reduces the computational burden on backend servers by up to 80%. It supports end-to-end SSL, SSL offload, and custom SSL policies. You can manage certificates centrally using Azure Key Vault integration, automatically rotating certificates before expiry.

Autoscaling

The v2 SKU supports automatic scaling based on traffic patterns, scaling from 0 to 125 instances. During peak hours, the gateway automatically adds capacity. During quiet periods, it scales back down, optimizing costs. This elastic behavior means you never over-provision or under-provision.

Web Application Firewall (WAF)

WAF provides centralized protection against common exploits and vulnerabilities. Built on the OWASP ModSecurity Core Rule Set (CRS 3.2), it defends against SQL injection, cross-site scripting (XSS), command injection, HTTP request smuggling, and other OWASP Top 10 threats.

WAF Policies and Custom Rules

WAF policies allow granular control over security rules. You can create custom rules that match specific IP ranges, geolocation, request headers, or body content. Priority-based rule evaluation ensures that your business-specific rules execute before generic OWASP rules.

Rate limiting rules prevent abuse by throttling requests from specific sources. For example, you can limit API endpoints to 100 requests per minute per IP address, effectively mitigating DDoS attacks at the application layer.

Detection vs Prevention Mode

In detection mode, WAF logs all threat detections without blocking requests — ideal for initial deployment and tuning. Once you’re confident in the rule configuration, switch to prevention mode where malicious requests are actively blocked. Most organizations spend 2-4 weeks in detection mode before transitioning.
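To make the evaluation order concrete, here is a simplified model of a WAF policy, added as an illustration (it is not Application Gateway's code and not the real rule set): custom rules run first in ascending priority order, an Allow or Block decision ends evaluation while a Log action only records and continues, a rate-limit rule counts hits per client IP in a sliding window, and managed rules add CRS-style severity scores that block once the anomaly threshold is reached. The mode decides whether a Block is enforced or merely logged as "Detected". The rule names, IP ranges, request sequence and the two managed-rule patterns are constructed for the example.

```python
"""Simplified model of WAF policy evaluation (an illustration, not Application
Gateway's code); rules, thresholds and managed-rule stand-ins are constructed."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from urllib.parse import unquote


@dataclass
class Request:
    client_ip: str
    uri: str
    body: str = ""


@dataclass
class CustomRule:
    name: str
    priority: int          # lower value is evaluated first
    action: str            # "Allow", "Block" or "Log"
    ip_ranges: tuple = ()  # CIDR scoping, e.g. ("10.10.0.0/16",)
    rate_limit: int = 0    # > 0: matches once a client exceeds this many hits per window
    window_s: int = 60


# Constructed stand-ins for managed signatures, scored like CRS "Critical" (5).
MANAGED_RULES = (
    ("sqli-demo", re.compile(r"(?i)(union\s+select|'\s*or\s+1\s*=\s*1)"), 5),
    ("xss-demo", re.compile(r"(?i)<script[\s>]"), 5),
)


class WafPolicy:
    def __init__(self, mode, custom_rules, anomaly_threshold=5):
        assert mode in ("Detection", "Prevention")
        self.mode = mode
        self.custom_rules = sorted(custom_rules, key=lambda r: r.priority)
        self.anomaly_threshold = anomaly_threshold  # CRS anomaly-scoring default
        self._hits = defaultdict(deque)             # (rule, client ip) -> timestamps
        self.log = []                               # what the firewall log would record

    def _matches(self, rule, req, now):
        if rule.ip_ranges and not any(ip_address(req.client_ip) in ip_network(n)
                                      for n in rule.ip_ranges):
            return False
        if rule.rate_limit:
            window = self._hits[(rule.name, req.client_ip)]
            while window and now - window[0] >= rule.window_s:
                window.popleft()                    # sliding window per client IP
            window.append(now)
            return len(window) > rule.rate_limit
        return True

    def _record(self, req, action, reason):
        self.log.append({"clientIp": req.client_ip, "requestUri": req.uri,
                         "ruleMatched": reason, "action": action, "mode": self.mode})

    def _decide(self, req, action, reason):
        enforced = action == "Block" and self.mode == "Prevention"
        # Detection mode records a would-be block as "Detected" without enforcing it
        logged = "Blocked" if enforced else ("Detected" if action == "Block" else "Allowed")
        self._record(req, logged, reason)
        return "Blocked" if enforced else "Allowed"

    def evaluate(self, req, now):
        """Return "Allowed" or "Blocked" for one request at time `now` (seconds)."""
        # 1. Custom rules by priority. Allow and Block end evaluation, so an Allow
        #    rule also bypasses the managed rules: keep its conditions narrow.
        for rule in self.custom_rules:
            if not self._matches(rule, req, now):
                continue
            if rule.action == "Log":
                self._record(req, "Log", f"custom:{rule.name}")
                continue                            # Log records and keeps evaluating
            return self._decide(req, rule.action, f"custom:{rule.name}")
        # 2. Managed rules over the decoded request: severities add up and the
        #    request is blocked once the anomaly score reaches the threshold.
        decoded = unquote(req.uri) + "\n" + unquote(req.body)
        hits = [(name, sev) for name, pattern, sev in MANAGED_RULES if pattern.search(decoded)]
        if sum(sev for _, sev in hits) >= self.anomaly_threshold:
            return self._decide(req, "Block", "managed:" + ",".join(n for n, _ in hits))
        return self._decide(req, "Allow", "managed:no-match")


def demo(mode):
    """Run a fixed request sequence through a policy in the given mode."""
    policy = WafPolicy(mode, [
        CustomRule("allow-internal-scanner", 10, "Allow", ip_ranges=("10.10.0.0/16",)),
        CustomRule("api-rate-limit", 20, "Block", rate_limit=3, window_s=60),
    ])
    t0 = 1_700_000_000
    verdicts = [policy.evaluate(Request("10.10.4.2", "/admin", body="' or 1=1"), t0)]
    for i in range(4):                              # the 4th request exceeds 3 per window
        verdicts.append(policy.evaluate(Request("203.0.113.7", "/api/orders"), t0 + i))
    verdicts.append(policy.evaluate(Request("198.51.100.5", "/search?q=%27%20or%201%3D1"), t0 + 10))
    return verdicts, policy.log


if __name__ == "__main__":
    for m in ("Detection", "Prevention"):
        print(m, demo(m)[0])
```

Running `demo("Prevention")` returns four allowed verdicts followed by two blocks (the fourth `/api/orders` call trips the rate limit, the encoded `' or 1=1` query trips the managed stand-in), while `demo("Detection")` allows all six and writes the same two entries as "Detected". The first request shows the caveat that matters in practice: a broad Allow rule at a low priority number short-circuits every later check, including the managed rules, so allow-list rules should be scoped to the narrowest source range and path that the use case needs.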

Architecture Patterns

Multi-Region with Traffic Manager

For global applications, deploy Application Gateway in multiple regions behind Azure Traffic Manager. Each region has its own Application Gateway with WAF, providing both regional load balancing and global traffic distribution. Failover between regions takes approximately 30 seconds.

AKS Ingress Controller (AGIC)

Application Gateway Ingress Controller integrates natively with Azure Kubernetes Service. The controller watches Kubernetes ingress resources and automatically configures the Application Gateway, making it the entry point for AKS workloads. This avoids running an in-cluster ingress controller and provides WAF protection for all Kubernetes services.

Performance Optimization

Connection draining ensures graceful removal of backend instances during deployments. HTTP/2 support reduces latency through multiplexing. Cookie-based session affinity maintains user sessions on the same backend server. Health probes monitor backend health every 30 seconds by default, with customizable paths and intervals for each backend pool.

Cost Considerations

Application Gateway v2 pricing includes a fixed hourly cost plus capacity unit charges. A small deployment serving 2,000 concurrent connections with WAF enabled typically costs between $350-450 per month. Enabling autoscaling with a minimum instance count of 2 ensures high availability while controlling costs.

Best Practices

  • Always use the v2 SKU for autoscaling and zone redundancy support
  • Enable diagnostic logging and send logs to Log Analytics for WAF threat analysis
  • Use managed rules as a baseline and add custom exclusions for false positives
  • Integrate with Azure Key Vault for automatic certificate management
  • Deploy across availability zones for 99.99% SLA
  • Configure custom health probes with application-specific health check endpoints

Frequently Asked Questions

What is the difference between Application Gateway and Azure Front Door?

Application Gateway is a regional service for load balancing within a single Azure region. Azure Front Door is a global service that provides edge-level routing across multiple regions. For multi-region deployments, Front Door + Application Gateway together provide the most comprehensive solution.

Can WAF protect against zero-day attacks?

WAF with managed rule sets receives regular updates from Microsoft’s threat intelligence team. Bot protection rules and anomaly scoring detect unusual patterns that may indicate zero-day exploits. Custom rules can be deployed within minutes to address emerging threats.

Key Features and Capabilities

The following are the core capabilities that make this technology essential for modern cloud infrastructure:

  • Layer 7 Load Balancing: URL path-based and host-based routing that distributes traffic across backend pools, with cookie-based session affinity and connection draining.
  • Web Application Firewall: OWASP CRS 3.2 rule set blocking SQL injection, XSS, and command injection, with per-rule customization and exclusion lists.
  • SSL/TLS Termination: centralized certificate management with Key Vault integration, end-to-end TLS re-encryption, and support for TLS 1.3 cipher suites.
  • Autoscaling: the v2 SKU automatically scales from 0 to 125 instances based on traffic patterns, eliminating capacity planning and reducing costs during low traffic.
  • Private Link Integration: backend connectivity through Private Endpoints, enabling Application Gateway to reach services in other VNets or even on-premises through ExpressRoute.

Real-World Use Cases

Organizations across industries are leveraging this technology in production environments:

  • Multi-Tenant SaaS: host-based routing directs tenant1.app.com and tenant2.app.com to isolated backend pools while sharing a single gateway instance.
  • API Gateway Complement: Application Gateway handles TLS termination and WAF protection in front of Azure API Management, adding network-level security to API-level policies.
  • Blue-Green Deployment: backend pool weights enable gradual traffic shifting from blue to green environments with instant rollback capability.
  • Compliance Gateway: WAF blocks common OWASP Top 10 attacks while custom rules enforce geographic restrictions and request body size limits for regulated workloads.
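The URL-based routing described under Key Features and the multi-tenant and blue-green use cases above all come down to the same Layer 7 decision: pick a site by host header, pick a backend pool by path, and optionally split that pool by weight. The model below is an added illustration, not Application Gateway's implementation. Exact-over-wildcard host precedence, longest-prefix path matching and a hash-based weighted choice keyed on an affinity cookie are modelling choices made here; the hostnames, pool names and weights are constructed. Confirm the documented evaluation order of listeners and path rules before relying on any of these assumptions in a real URL path map.

```python
"""Model of Layer 7 routing decisions (added illustration, not Application
Gateway's implementation); hosts, pools and weights are constructed."""
import hashlib
from fnmatch import fnmatch


class WeightedPool:
    """Backend pools with integer weights, e.g. blue/green traffic shifting."""

    def __init__(self, **weights):
        self.weights = weights

    def pick(self, key):
        # Hash a stable per-client key (e.g. the affinity cookie) so a client
        # stays on one side until the weights change; no per-request randomness.
        total = sum(self.weights.values())
        slot = int(hashlib.sha256(key.encode()).hexdigest(), 16) % total
        for name, weight in self.weights.items():
            if slot < weight:
                return name
            slot -= weight
        raise AssertionError("unreachable: slot is always below the total weight")


class Router:
    def __init__(self, sites, default_pool):
        # host pattern -> [(path prefix, pool name or WeightedPool), ...]
        self.sites = sites
        self.default_pool = default_pool    # basic listener: no host matched

    def _rules_for(self, host):
        if host in self.sites:                        # exact multi-site listener wins
            return self.sites[host]
        for pattern, rules in self.sites.items():     # then a wildcard listener
            if "*" in pattern and fnmatch(host, pattern):
                return rules
        return None

    def route(self, host, path, affinity_key=""):
        rules = self._rules_for(host.lower())
        if rules is None:
            return self.default_pool
        best = None
        for prefix, pool in rules:          # most specific (longest) prefix wins
            stem = prefix[:-1] if prefix.endswith("*") else prefix
            if path.startswith(stem) and (best is None or len(stem) > len(best[0])):
                best = (stem, pool)
        if best is None:
            return self.default_pool
        pool = best[1]
        return pool.pick(affinity_key or path) if isinstance(pool, WeightedPool) else pool


def traffic_share(pool, sessions):
    """Count where `sessions` synthetic session ids land for the given weights."""
    counts = {name: 0 for name in pool.weights}
    for i in range(sessions):
        counts[pool.pick(f"session-{i}")] += 1
    return counts


# Constructed routing table for the multi-tenant and blue/green cases.
WWW_POOL = WeightedPool(blue=90, green=10)
SITES = {
    "tenant1.app.com": [("/*", "tenant1-pool"), ("/api/*", "tenant1-api")],
    "tenant2.app.com": [("/*", "tenant2-pool")],
    "*.app.com": [("/*", "tenant-onboarding")],
    "www.app.com": [("/*", WWW_POOL), ("/images/*", "image-storage")],
}
ROUTER = Router(SITES, default_pool="shared-pool")

if __name__ == "__main__":
    for host, path in [("tenant1.app.com", "/api/orders"), ("tenant1.app.com", "/login"),
                       ("new.app.com", "/"), ("www.app.com", "/images/logo.png"),
                       ("unknown.example", "/")]:
        print(f"{host}{path} -> {ROUTER.route(host, path)}")
    print("blue/green share:", traffic_share(WWW_POOL, 2000))
    WWW_POOL.weights["green"] = 50      # shift traffic; rollback is the reverse edit
    print("after shift:", traffic_share(WWW_POOL, 2000))
```

Two points the model makes visible: a request for an unknown host falls through to the default pool rather than to any tenant, which is what keeps tenants isolated, and a weighted split keyed on a session cookie keeps each user on one side of a blue/green rollout, so rollback (setting the green weight back to 0) moves sessions without mixing them mid-flow.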

Best Practices and Recommendations

Based on enterprise deployments and production experience, these recommendations will help you maximize value:

  • Use the WAF_v2 SKU with autoscaling in production — the v1 SKU lacks critical features and is on a deprecation path
  • Start WAF in Detection mode for 2 weeks to build rule exclusions before switching to Prevention mode
  • Integrate health probes with application-level checks (a /health endpoint returning HTTP 200) rather than TCP-only checks
  • Enable access logs and WAF logs to Log Analytics — correlate blocked requests with legitimate traffic for false positive tuning
  • Use Key Vault references for SSL certificates with managed identity — avoid manual certificate deployment and renewal
  • Configure a connection draining timeout (30-60 seconds) to prevent request failures during backend deployments

Frequently Asked Questions

What is the difference between Application Gateway and Azure Front Door?

Application Gateway is regional, deployed in your VNet for private backend connectivity. Front Door is global edge with anycast routing, built-in CDN, and DDoS protection. Use Application Gateway for regional apps with VNet requirements, Front Door for global multi-region applications.

How much does WAF cost?

WAF_v2 starts at ~$0.36/hour (~$260/month) base plus ~$0.008/capacity unit. A typical deployment processing 100 requests/second costs approximately $350-$500/month. The cost is significantly lower than third-party WAF appliances requiring dedicated VM infrastructure.

Can WAF protect against zero-day attacks?

WAF with Bot Protection and DRS 2.1 rule set includes behavioral-based detection that catches many zero-day patterns. For advanced protection, enable Microsoft Threat Intelligence feed and integrate with Microsoft Sentinel for custom detection rules.
