Azure Application Gateway: Architecture, Routing, and Security
In cloud architecture, routing and securing web traffic efficiently is a foundational requirement for high-performance applications. While traditional Layer 4 load balancers route traffic purely on IP addresses and TCP/UDP ports, modern web architectures demand application-aware intelligence.
Azure Application Gateway is an Application Delivery Controller (ADC) as a service that operates at OSI Layer 7 (the Application Layer).
What is Azure Application Gateway?
Azure Application Gateway acts as a single, secure entry point for your web applications:
Client Request > [ Frontend IP ] > [ Listener ] > [ Routing Rules ] > [ HTTP Settings ] > Backend Pool
It dynamically balances traffic using a round-robin mechanism across backend target pools, which can be composed of Azure Virtual Machines (VMs), Virtual Machine Scale Sets (VMSS), Azure App Services, or external on-premises workloads over hybrid connections.
How Request Processing Works
The core mechanism relies on a sequential four-step processing pipeline:
- Client Connection: A client initiates a session by sending an HTTP or HTTPS request to a public or private IP address (or custom DNS name) bound to the gateway's Frontend IP infrastructure.
- Listener Evaluation: A matching Listener detects the incoming traffic based on its port, protocol (HTTP, HTTPS, HTTP/2, WebSocket), and optional hostnames. If HTTPS is mandated, SSL/TLS decryption (SSL offloading) occurs at this juncture.
- Rule Matching: The listener evaluates the traffic against attached Routing Rules, decoding the URL payload and interpreting base paths or multi-site host headers.
- Backend Selection: Traffic is routed through an HTTP Setting group (defining configurations like cookie affinity, custom timeouts, and custom health probes) before hitting a healthy member inside the designated Backend Pool.
⚠️ Critical Architectural Rules
- Subnet Dedication: Azure Application Gateway must always be deployed into a dedicated subnet containing exclusively Application Gateway resources. Standard Azure VMs or Azure Bastion hosts cannot share this subnet, ensuring predictable scaling and preventing internal IP conflicts.
- Resource Coexistence & NSGs: Network Security Groups (NSGs) applied to the gateway subnet must be engineered to allow inbound infrastructure communications via the GatewayManager service tag (ports 65200-65535 for v2 SKUs) for backend monitoring and platform orchestration health.
Core Routing Features
Azure Application Gateway provides advanced layer-7 routing mechanisms that minimize infrastructure overhead:
1. Host Multiple Sites (Multi-Site Hosting)
Instead of provisioning separate deployment architectures for individual domains, you can map multiple canonical records (CNAMEs) to the unique IP address of a single Application Gateway. For example, [http://contoso.com](http://contoso.com) and [http://fabrikam.com](http://fabrikam.com) hit the same public frontend IP but pass through distinct listeners and separate routing rules to isolated backend server pools.
2. URL / Path-Based Routing
Path-based routing reads the precise URI path element of an active request to segment traffic across specialized backend pools:
- A path matching /video/* routes systematically to a video-optimized backend server pool equipped to deal with data streams.
- A path matching /images/* maps directly to storage-optimized or image-rendering backend targets.
- Any pattern not matching predefined structural rules falls back onto the default backend pool configuration.
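The pipeline above (frontend, listener, routing rule, backend pool) together with multi-site listeners and path-based rules can be modelled as a small routing function. This is an added example, not Microsoft's implementation; the precedence of hostname listeners over a basic listener and the "longest pattern wins" choice are this model's assumptions, and the listener and pool names are constructed.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

@dataclass
class Listener:
    name: str
    port: int
    protocol: str          # "HTTP" or "HTTPS"
    hostnames: tuple = ()  # empty = basic listener, accepts any Host header

@dataclass
class PathRule:
    listener: str          # listener this rule is attached to
    default_pool: str      # fallback when no path pattern matches
    paths: dict = field(default_factory=dict)  # "/video/*" -> pool name

def match_listener(listeners, port, protocol, host):
    # Multi-site listeners (explicit hostnames) take precedence over a basic
    # listener on the same port/protocol; that precedence is this model's assumption.
    basic = None
    for lst in listeners:
        if lst.port != port or lst.protocol != protocol:
            continue
        if lst.hostnames:
            if host in lst.hostnames:
                return lst
        else:
            basic = lst
    return basic

def select_pool(rules, listener, path):
    rule = next(r for r in rules if r.listener == listener.name)
    # Longest matching pattern wins; anything unmatched goes to the default pool.
    hits = [(len(p), pool) for p, pool in rule.paths.items() if fnmatchcase(path, p)]
    return max(hits)[1] if hits else rule.default_pool

def route(listeners, rules, port, protocol, host, path):
    listener = match_listener(listeners, port, protocol, host)
    if listener is None:
        return None  # no listener on that port/protocol/host: request is not accepted
    return select_pool(rules, listener, path)

# Constructed sample: two sites on one frontend IP, one with path-based rules.
LISTENERS = [Listener("contoso-https", 443, "HTTPS", ("contoso.com",)),
             Listener("fabrikam-https", 443, "HTTPS", ("fabrikam.com",))]
RULES = [PathRule("contoso-https", "contoso-web",
                  {"/video/*": "video-pool", "/images/*": "image-pool"}),
         PathRule("fabrikam-https", "fabrikam-web")]
```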
3. Redirection & Rewriting
- Native Redirection: Application Gateway provides native support for redirecting traffic at the application layer, removing redirection overhead from backend VMs. This can switch traffic dynamically from one listener path to another, or automatically redirect insecure HTTP to a secure HTTPS listener.
- Rewriting Sets: This mechanism manipulates HTTP request and response frames mid-flight. Administrators can rewrite incoming or outgoing HTTP headers, alter query strings, or completely rewrite the visible URL path before proxying the packet, hiding complex legacy back-end structures from external web consumers.
4. Internal Load Balancer (ILB) Mode
While often public-facing, the gateway can be isolated strictly inside an internal virtual network architecture.
Enterprise Security and WAF
Security is baked directly into the Application Gateway architecture, serving as a protective shield for backend applications.
Web Application Firewall (WAF)
The integrated WAF module provides proactive, centralized security scanning for applications before payloads reach listeners:
- Detection Mode: Monitors and logs threats without blocking.
- Prevention Mode: Actively blocks malicious requests from hitting your backend.
Application Gateway Security
SSL Termination
SSL/TLS Termination (or SSL Offloading) unburdens backend host instances from processing resource-intensive cryptographic decryption.
End-to-End SSL Encryption
For strict enterprise regulatory environments where unencrypted data traversal across internal Azure VNets is entirely prohibited, End-to-End SSL Encryption can be implemented.
SSL Strategy Options
| Strategy | Description | Best For |
| --- | --- | --- |
| SSL Termination | Decrypts traffic at the gateway's listener using uploaded PFX certificates and forwards plain, unencrypted HTTP to backend resources | Reducing cryptographic decryption load on backend processors |
| End-to-End SSL Encryption | Client-to-Gateway traffic terminates securely at the listener level, runs through WAF rule validations, and is re-encrypted by the gateway using public keys matching valid backend certs before being sent downstream | Strict enterprise regulatory environments where unencrypted data traversal across internal Azure VNets is entirely prohibited |
Mutual Authentication & SSL Policies
- Mutual Authentication (mTLS): Validates identity bidirectionally. The gateway requires a valid certificate chain from the client side before allowing any traffic to navigate past frontend filters.
- SSL Policies: Enables compliance tracking by allowing administrators to disable deprecated protocol versions and cipher suites (such as TLS 1.0 or 1.1) and mandate strict TLS 1.2 or TLS 1.3 protocol profiles.
Azure Kubernetes Service (AKS) Integration
The Application Gateway Ingress Controller (AGIC) allows developers to leverage Azure's native Layer 7 load balancer as the ingress for Kubernetes clusters, translating Kubernetes Ingress resources directly into Application Gateway configurations:
- Greenfield Deployment (Ingress Controller Add-on): Applies to brand-new cloud application patterns. When enabling the AGIC add-on during the provisioning of a completely new AKS cluster, the platform automatically provisions a brand-new Azure Application Gateway alongside it, mapping Kubernetes Ingress specifications directly into corresponding Layer 7 cloud routing components.
- Brownfield Deployment (Ingress Controller Add-on): Applies when an operational, pre-existing Azure Application Gateway deployment must be linked to a separate, running AKS cluster environment. The AGIC pod hooks directly into the control planes of both components, synchronizing cluster container endpoints with the existing gateway backend targets seamlessly.
Monitoring, Operations, and Advanced Configuration
High Availability and Scaling
Modern enterprise deployments rely completely on Standard v2 and WAF v2 SKUs, which introduce performance enhancements, faster provisioning times, native autoscaling, and true zone-redundant capabilities over legacy v1 SKUs:
- Auto Scaling: Monitors metric telemetry trends, automatically adjusting instance counts up or down to handle unpredictable seasonal traffic loads without administrative interruption.
- Zone Redundancy: Instances can be physically distributed across multiple Availability Zones within an Azure region, ensuring that if a primary zone experiences infrastructure failure, the gateway continues functioning without data path degradation.
Backend Health & Health Probe
The load balancing tier continuously tracks member availability through Health Probes:
- Default Probes: Automatically created if no custom probe is bound. They send a periodic request to the target server every 30 seconds, looking for responsive HTTP status return codes between 200 and 399.
- Custom Probes: Enable deep configurations allowing custom paths (e.g., /healthz), adjustable check frequencies, and explicit failure count thresholds. If a backend fails consecutive checks, it is temporarily marked unhealthy, and traffic skips that instance entirely.
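The probe behaviour described above (30-second default interval, 200-399 as healthy, removal after consecutive failures, traffic skipping unhealthy members) as a runnable model. This is an added example, not Microsoft's implementation; the unhealthy threshold of 3 consecutive failures and the single-pass recovery are assumptions of the model, and the member addresses are constructed.

```python
from dataclasses import dataclass

@dataclass
class Probe:
    path: str = "/"
    interval_s: int = 30          # page: default probe runs every 30 seconds
    healthy_min: int = 200        # page: 200-399 counts as a healthy response
    healthy_max: int = 399
    unhealthy_threshold: int = 3  # assumption: consecutive failures before removal

@dataclass
class BackendMember:
    address: str
    healthy: bool = True
    failures: int = 0             # consecutive failed probes

def is_healthy_response(probe, status):
    # None models a timeout or connection failure, which always counts as a miss.
    return status is not None and probe.healthy_min <= status <= probe.healthy_max

def record_probe(probe, member, status):
    # One passing probe clears the failure streak and restores the member (assumption).
    if is_healthy_response(probe, status):
        member.failures = 0
        member.healthy = True
    else:
        member.failures += 1
        if member.failures >= probe.unhealthy_threshold:
            member.healthy = False
    return member.healthy

def run_probe_cycle(probe, pool, responses):
    # responses: address -> status code the member returned for probe.path
    # this interval; a missing entry means the probe timed out.
    for member in pool:
        record_probe(probe, member, responses.get(member.address))
    return [m.address for m in pool if m.healthy]

def next_healthy(pool, start):
    # Round-robin pick that skips members currently marked unhealthy.
    for i in range(len(pool)):
        member = pool[(start + i) % len(pool)]
        if member.healthy:
            return member.address
    return None
```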
Advanced Operations
High Traffic Support & Pricing:
High traffic workloads run efficiently on the autoscaling architecture without manual intervention. Billing configurations match usage consumption models based on Capacity Units (CUs), calculating performance parameters across computing dimensions, concurrent connections, and bandwidth usage alongside a base fixed hourly cost.
Advanced Traffic Management
- Cookie Affinity: Uses gateway-managed cookies to bind a client's web browser session directly to the exact same backend instance, maintaining session stickiness for applications that store state locally on individual web nodes.
- Connection Draining: Enables zero-downtime maintenance patches. When a backend host is removed or updated, connection draining stops new traffic from hitting that node while keeping existing active request sessions alive until tasks complete naturally.
- WebSockets & Custom Error Pages: Provides native full-duplex communication pipelines for persistent, low-latency client-server channels (like live chat feeds or financial tickers). It also allows replacing generic HTTP error codes (such as 403 or 502 bad gateway messages) with specialized corporate-branded HTML error templates.
Monitoring and Observability
For logging, Diagnostic Settings orchestrate where platform security logs and metric indicators are pushed, concurrently streaming to a secure Storage Account for compliance, Event Hubs for real-time SIEM ingestion, or Log Analytics workspaces. In Log Analytics, the AGWAccessLog and AGWFirewallLog schemas can be queried to quickly identify specific IP sources triggering firewall block rules or to trace slow-performing web paths.
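The two triage questions above (which client IPs trigger WAF block rules, which paths are slow) as Python run over constructed log records. This is an added example, not Microsoft code; the record fields (ClientIp, Action, RuleId, RequestUri, HttpStatus, TimeTaken in seconds) are assumed to mirror the resource-specific AGWFirewallLog and AGWAccessLog columns and should be checked against the workspace schema, and all addresses, paths and rule ids are constructed sample data.

```python
import json
from collections import defaultdict

# Constructed sample records (JSON lines), not real telemetry.
FIREWALL_LOG = "\n".join(json.dumps(r) for r in [
    {"ClientIp": "203.0.113.10", "Action": "Blocked", "RuleId": "942100", "RequestUri": "/login"},
    {"ClientIp": "203.0.113.10", "Action": "Blocked", "RuleId": "942100", "RequestUri": "/login"},
    {"ClientIp": "198.51.100.7", "Action": "Matched", "RuleId": "920350", "RequestUri": "/"},
    {"ClientIp": "203.0.113.10", "Action": "Blocked", "RuleId": "941100", "RequestUri": "/search"},
])
ACCESS_LOG = "\n".join(json.dumps(r) for r in [
    {"ClientIp": "192.0.2.5", "RequestUri": "/reports/export", "HttpStatus": 200, "TimeTaken": 2.4},
    {"ClientIp": "192.0.2.6", "RequestUri": "/reports/export?id=7", "HttpStatus": 200, "TimeTaken": 1.8},
    {"ClientIp": "192.0.2.7", "RequestUri": "/images/logo.png", "HttpStatus": 200, "TimeTaken": 0.02},
    {"ClientIp": "192.0.2.8", "RequestUri": "/api/orders", "HttpStatus": 502, "TimeTaken": 0.3},
])

def parse_jsonl(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def blocked_sources(firewall_lines):
    """Client IPs that triggered WAF block rules, with the rule ids they hit."""
    hits = defaultdict(lambda: {"count": 0, "rules": set()})
    for rec in parse_jsonl(firewall_lines):
        if rec.get("Action") == "Blocked":  # "Blocked" action value is an assumption
            hits[rec["ClientIp"]]["count"] += 1
            hits[rec["ClientIp"]]["rules"].add(rec["RuleId"])
    return dict(hits)

def slow_paths(access_lines, threshold_s):
    """Request paths (query string stripped) whose mean TimeTaken exceeds threshold_s."""
    totals = defaultdict(lambda: [0.0, 0])
    for rec in parse_jsonl(access_lines):
        path = rec["RequestUri"].split("?")[0]
        totals[path][0] += float(rec["TimeTaken"])
        totals[path][1] += 1
    means = {p: t / n for p, (t, n) in totals.items()}
    return sorted(((p, round(m, 3)) for p, m in means.items() if m > threshold_s),
                  key=lambda pm: -pm[1])

def backend_error_rate(access_lines):
    """Share of requests answered with a 5xx, e.g. 502 when no healthy backend remained."""
    recs = parse_jsonl(access_lines)
    return sum(1 for r in recs if 500 <= int(r["HttpStatus"]) <= 599) / len(recs)
```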
Component Configuration Blueprint
When configuring an Azure Application Gateway via the Azure Portal, CLI, or Terraform, the architecture is broken into these structural blocks:
[Infrastructure & Frontend IP] > [Listeners & Routing Rules] > [HTTP Settings & Backend Pools]
- Infrastructure & Frontend IP: Maps out virtual appliance instances running within isolated subnets, assigning either a static Public IP address for internet consumers or a private internal Virtual Network address for internal topologies.
- Listeners & Routing Rules: Listeners serve as logical entry components evaluating traffic boundaries by monitoring matching protocol, port, and certificate settings. Routing Rules act as the primary structural link tying a specific Listener directly to a target Backend Pool based on the parsed traffic structure.
- HTTP Settings & Backend Pools: HTTP Settings dictate the configuration of the proxied connection down to the target instances (defining port overrides, custom probe bindings, timeout policies, and protocol rules). Backend Pools house the actual target endpoints, referenced via NIC configurations, private IP definitions, FQDN targets, or dynamic structures like Virtual Machine Scale Sets.
