Azure Application Gateway – Implementation and Troubleshooting


This article outlines the implementation of Azure Application Gateway step by step and provides details for a simple use case.

I'll also provide an option for a custom architecture diagram if needed.

Implementation Plan for Azure Application Gateway

Scenario: A Web Application with HTTPS and WAF

We will set up an Azure Application Gateway to:

  1. Load balance traffic to backend servers.

  2. Enable HTTPS for secure communication.

  3. Protect the application with Web Application Firewall (WAF).

  4. Redirect HTTP traffic to HTTPS.

Step 1: Prerequisites

1. Azure Resources

  • Create a Virtual Network (VNet) with two subnets:

    • Application Gateway Subnet (required, e.g., subnet-appgw).

    • Backend Subnet for your application servers (e.g., subnet-backend).

2. Certificates

  • Obtain an SSL certificate (PFX format) for your custom domain.

  • Store it securely, preferably in Azure Key Vault.

3. Backend Instances

  • Prepare your backend servers, e.g., Azure VMs, App Service, or AKS.

  • Ensure they have applications running and are accessible via HTTP/HTTPS.

Step 2: Deploy the Application Gateway

a. Basic Configuration

1. Navigate to

Azure Portal > Create a Resource > Application Gateway.

2. Enter the details

  • Resource Group: Select or create a new resource group.

  • Region: Select the same region as your backend servers.

  • Tier: Choose WAF_v2 for autoscaling and WAF functionality.

b. Networking

1. Virtual Network

Select the VNet with your Application Gateway Subnet.

2. Frontend IP

  • Choose Public IP (create one) if it's internet-facing.

  • Choose Private IP for internal-only access.

c. Backend Configuration

1. Add your backend servers to the Backend Pool

  • Example: Add VMs using IP addresses or use Azure services like App Service or AKS.

2. Create an HTTP Setting

  • Set the port (e.g., 80 for HTTP or 443 for HTTPS).

  • Enable cookie-based affinity if session persistence is required.

d. Listeners and Routing

1. HTTPS Listener

  • Add a listener with the uploaded SSL certificate.

  • Use the Custom Domain Name for the listener.

2. Configure Routing Rules

  • Map the listener to the backend pool.

  • Enable Path-Based Routing (if required) to direct traffic based on URL paths.

e. Enable Web Application Firewall

  1. Go to Firewall Settings.

  2. Choose Prevention Mode to block malicious requests.

  3. Configure WAF rules or use the default OWASP CRS.

Step 3: Advanced Features

a. HTTP-to-HTTPS Redirection

  1. Create a separate listener for HTTP (port 80).

  2. Add a redirection rule to route HTTP traffic to HTTPS.

b. Custom Health Probes

  1. Add a custom health probe to monitor backend server health.

    • Example: Probe /health endpoint.

    • Configure expected status codes (e.g., 200-399).

c. Autoscaling

  1. Autoscaling is enabled by default in Standard_v2 and WAF_v2 tiers.

  2. Configure scaling parameters in the Configuration tab.

Step 4: Testing and Monitoring

a. Test the Gateway

  1. Access your application using the gateway’s public/private IP or domain name.

  2. Validate:

    • HTTPS traffic is working.

    • HTTP redirects to HTTPS.

    • Traffic is routed to the correct backend servers.

b. Monitor Traffic

  1. Use Azure Monitor for insights:

    • Metrics: View request count, latency, and failed requests.

    • Logs: Analyze WAF logs for blocked requests and threats.

  2. Enable alerts for performance or security issues.
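The WAF log analysis from step 4b, sketched as an added example (not code from the original article): it groups firewall log records by transaction and lists requests that were only detected rather than blocked, which indicates the WAF is not running in Prevention Mode. It assumes the firewall log has been exported as one JSON record per line and uses the ApplicationGatewayFirewallLog field names; the sample records and the function names are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample records shaped like ApplicationGatewayFirewallLog entries
# (one JSON record per line); every value below is made up for illustration.
SAMPLE_LOG = """\
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"203.0.113.7","requestUri":"/login?id=1%27%20OR%201=1","ruleId":"942100","action":"Matched","transactionId":"tx-a"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"203.0.113.7","requestUri":"/login?id=1%27%20OR%201=1","ruleId":"949110","action":"Blocked","transactionId":"tx-a"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"198.51.100.9","requestUri":"/search?q=%3Cscript%3E","ruleId":"941100","action":"Matched","transactionId":"tx-b"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"198.51.100.9","requestUri":"/search?q=%3Cscript%3E","ruleId":"949110","action":"Detected","transactionId":"tx-b"}}
{"category":"ApplicationGatewayAccessLog","properties":{"clientIP":"192.0.2.44","requestUri":"/","httpStatus":200}}
"""

def summarize(lines):
    """Group firewall records by transactionId and record the final verdict."""
    txs = defaultdict(lambda: {"client": None, "uri": None, "rules": [], "verdict": "Matched"})
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank, truncated or non-JSON lines
        if not isinstance(rec, dict) or rec.get("category") != "ApplicationGatewayFirewallLog":
            continue  # access and performance logs are out of scope here
        p = rec.get("properties", {})
        tx = txs[p.get("transactionId", "unknown")]
        tx["client"], tx["uri"] = p.get("clientIp"), p.get("requestUri")
        if p.get("action") == "Matched":
            tx["rules"].append(p.get("ruleId"))  # rule that contributed to the verdict
        elif p.get("action") in ("Blocked", "Detected"):
            tx["verdict"] = p["action"]
    return dict(txs)

def not_enforced(txs):
    """Transactions the WAF flagged but let through (WAF in Detection mode)."""
    return sorted(t for t, v in txs.items() if v["verdict"] == "Detected")

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG.splitlines())
    for tx_id, info in result.items():
        print(tx_id, info["verdict"], info["client"], info["uri"], info["rules"])
    print("flagged but not blocked:", not_enforced(result))
```

Any transaction returned by `not_enforced` is worth an alert, since the request matched the rule set but still reached the backend.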

 

Rajnish, MCT
