Last updated: May 2026
Azure Networking Intermediate AZ-104 ⏱ 13 min read

Azure Application Gateway

Azure Application Gateway is a Layer 7 (HTTP/HTTPS) load balancer and application delivery controller. Unlike the basic Load Balancer, Application Gateway understands HTTP — it can route based on URL paths, hostnames, and HTTP headers. It also provides SSL termination, cookie-based session affinity, and an integrated Web Application Firewall (WAF) to protect against common web vulnerabilities.

What you'll learn

  • What Application Gateway does and when to use it
  • SKUs — Standard v2 and WAF v2
  • Key components — listeners, routing rules, backend pools, HTTP settings
  • URL path-based routing
  • Multi-site hosting
  • SSL termination and end-to-end SSL
  • Web Application Firewall (WAF)
  • Autoscaling
  • App Gateway vs Load Balancer

What is Application Gateway?

Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. It is an Application Delivery Controller (ADC) as a service — handling SSL offloading, URL routing, health monitoring, and security in one place.

| Feature | Capability |
| --- | --- |
| Layer 7 routing | Route based on URL paths, hostnames, HTTP headers |
| SSL termination | Decrypt HTTPS at the gateway, send HTTP to backends |
| End-to-end SSL | Decrypt, inspect, re-encrypt to backends |
| WAF | Protect against OWASP Top 10 vulnerabilities |
| Session affinity | Cookie-based — same user always hits same backend |
| Health probes | HTTP/HTTPS probes to backend pool members |
| Autoscaling | Scale in/out based on traffic load (v2 SKU) |
| Zone redundancy | Deploy across Availability Zones (v2 SKU) |

SKUs

| SKU | Features | Best For |
| --- | --- | --- |
| Standard v2 | All App Gateway features, autoscaling, zone redundancy | Production web applications |
| WAF v2 | Standard v2 + Web Application Firewall | Web apps needing security protection |

💡 Always use v2 SKUs: v1 SKUs are legacy and being retired. Standard v2 and WAF v2 support autoscaling and zone redundancy. For any internet-facing web application, WAF v2 is strongly recommended.

Key Components

Frontend IP

The public or private IP that clients connect to. Application Gateway must be deployed in its own subnet (no other resources in that subnet).

Listeners

A listener accepts incoming connection requests. It defines: protocol (HTTP/HTTPS), port, frontend IP, and optionally hostname. You create one listener per website/port combination.

Routing Rules

Maps a listener to a backend pool and HTTP settings. Two types:

  • Basic — All traffic from the listener goes to one backend pool
  • Path-based — Different URL paths go to different backend pools

Backend Pools

Groups of backend servers — VMs, VM Scale Sets, App Services, or IP/FQDN addresses. Multiple backend pools can exist for different purposes.

HTTP Settings

Defines how Application Gateway connects to backend servers: protocol, port, cookie-based affinity, connection timeout, and health probe.

URL Path-Based Routing

One of Application Gateway's most powerful features — route different URL paths to different backend pools:

Example URL path-based routing
www.contoso.com/api/*     → API backend pool (API servers)
www.contoso.com/images/*  → Images backend pool (image servers)
www.contoso.com/*         → Default backend pool (web servers)

This is extremely useful for microservices architectures where different services handle different URL paths — all behind a single frontend IP.

Multi-Site Hosting

Application Gateway can host multiple websites on the same gateway using hostname-based routing:

Example Multi-site hosting
www.contoso.com    → Contoso backend pool
www.fabrikam.com   → Fabrikam backend pool

Both domains point to the same Application Gateway IP. The gateway inspects the HTTP Host header to route to the correct backend.
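Added example, not from the original page: the Azure CLI commands that build the listener → rule → backend pool chain for the path-based routing and the hostname-based (multi-site) listener described in the two sections above. Resource names, locations and backend IPs are constructed placeholders, and the script only prints the commands unless DRY_RUN=0.

```shell
# Added example, not from the page: Azure CLI commands that build the listener ->
# rule -> backend pool chain for path-based routing behind a multi-site listener.
# Resource names and backend IPs are placeholders; DRY_RUN=1 only prints commands.
RG=${RG:-rg-appgw-demo}; AG=${AG:-agw-contoso}; DRY_RUN=${DRY_RUN:-1}
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# 1. Gateway in its own subnet, WAF_v2 SKU, zone redundant, autoscaling 0-10 instances.
#    'create' also makes the default objects reused below (appGatewayBackendPool,
#    appGatewayBackendHttpSettings, appGatewayFrontendPort, appGatewayHttpListener).
create_gateway() {
  run az network application-gateway create --name "$AG" --resource-group "$RG" \
    --location westeurope --sku WAF_v2 --zones 1 2 3 --min-capacity 0 --max-capacity 10 \
    --vnet-name vnet-demo --subnet snet-appgw --public-ip-address pip-appgw \
    --priority 100 --http-settings-cookie-based-affinity Enabled --servers 10.0.1.4 10.0.1.5
}

# 2. Extra backend pools for the API and image servers (constructed IPs).
create_pools() {
  run az network application-gateway address-pool create --resource-group "$RG" \
    --gateway-name "$AG" --name apiPool --servers 10.0.2.4 10.0.2.5
  run az network application-gateway address-pool create --resource-group "$RG" \
    --gateway-name "$AG" --name imagesPool --servers 10.0.3.4
}

# 3. Path map: /api/* -> apiPool, /images/* -> imagesPool, anything else -> default pool.
create_path_map() {
  run az network application-gateway url-path-map create --resource-group "$RG" \
    --gateway-name "$AG" --name contosoPathMap --rule-name apiRule --paths '/api/*' \
    --address-pool apiPool --http-settings appGatewayBackendHttpSettings \
    --default-address-pool appGatewayBackendPool --default-http-settings appGatewayBackendHttpSettings
  run az network application-gateway url-path-map rule create --resource-group "$RG" \
    --gateway-name "$AG" --path-map-name contosoPathMap --name imagesRule \
    --paths '/images/*' --address-pool imagesPool --http-settings appGatewayBackendHttpSettings
}

# 4. Multi-site listener for www.contoso.com on the existing port (matched on the Host
#    header). A listener can belong to only one rule, so the path-based rule gets this
#    listener while the Basic rule1 from step 1 keeps the catch-all listener.
create_path_rule() {
  run az network application-gateway http-listener create --resource-group "$RG" \
    --gateway-name "$AG" --name contosoListener --frontend-port appGatewayFrontendPort \
    --host-name www.contoso.com
  run az network application-gateway rule create --resource-group "$RG" \
    --gateway-name "$AG" --name contosoPathRule --rule-type PathBasedRouting --priority 110 \
    --http-listener contosoListener --url-path-map contosoPathMap
}

create_gateway; create_pools; create_path_map; create_path_rule
```

Requests for www.fabrikam.com would get their own listener (same port, different --host-name) and rule in the same way.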

SSL Termination

Application Gateway can handle SSL/TLS so your backend servers don't have to:

SSL Termination (Offloading)

Client → HTTPS → App Gateway (decrypt) → HTTP → Backend
Backend servers receive unencrypted HTTP — simpler, lower CPU load on backends.

End-to-End SSL

Client → HTTPS → App Gateway (decrypt, inspect) → HTTPS → Backend
Re-encrypts traffic to backends. Required for compliance scenarios where data must be encrypted in transit throughout.

Web Application Firewall (WAF)

The WAF v2 SKU includes a Web Application Firewall that protects against the common web vulnerability classes covered by the OWASP (Open Web Application Security Project) Core Rule Set:

  • SQL Injection
  • Cross-Site Scripting (XSS)
  • Command Injection
  • HTTP Request Smuggling
  • HTTP Response Splitting
  • Remote File Inclusion

WAF Modes

| Mode | Behaviour | Use When |
| --- | --- | --- |
| Detection | Logs violations but allows all traffic through | Initial deployment — tune rules without blocking legitimate traffic |
| Prevention | Blocks traffic that matches WAF rules | Production — after tuning to eliminate false positives |

💡 Always Start with Detection Mode: when you first enable WAF, use Detection mode. Review the logs for false positives (legitimate traffic that would be blocked). Add exclusions as needed, then switch to Prevention mode.
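Added example, not from the original page: the Detection → review → exclude → Prevention rollout above as Azure CLI steps. The policy, gateway and workspace names are constructed placeholders, the Log Analytics query assumes the gateway's firewall log is sent to the AzureDiagnostics table, and the script only prints the commands unless DRY_RUN=0.

```shell
# Added example, not from the page: WAF policy rollout in Detection mode first,
# then Prevention after reviewing the log and adding an exclusion.
# Resource names are placeholders; DRY_RUN=1 only prints the commands.
RG=${RG:-rg-appgw-demo}; AG=${AG:-agw-contoso}; POLICY=${POLICY:-wafpol-contoso}
WORKSPACE=${WORKSPACE:-'<log-analytics-workspace-id>'}; DRY_RUN=${DRY_RUN:-1}
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# 1. Policy with the OWASP Core Rule Set, enabled in Detection mode (log only),
#    then attached to the WAF_v2 gateway. Nothing is blocked at this point.
enable_waf_detection() {
  run az network application-gateway waf-policy create --name "$POLICY" \
    --resource-group "$RG" --type OWASP --version 3.2
  run az network application-gateway waf-policy policy-setting update \
    --policy-name "$POLICY" --resource-group "$RG" --state Enabled --mode Detection
  run az network application-gateway update --name "$AG" --resource-group "$RG" \
    --waf-policy "$POLICY"
}

# 2. Review what Detection mode logged over the last day: which rule IDs fired on
#    which request URIs. Rules that fire on known-good traffic are the false positives.
review_waf_log() {
  run az monitor log-analytics query --workspace "$WORKSPACE" --timespan P1D \
    --analytics-query 'AzureDiagnostics | where Category == "ApplicationGatewayFirewallLog" | summarize hits=count() by ruleId_s, requestUri_s | order by hits desc'
}

# 3. Exclude the field behind a false positive (constructed case: a cookie whose random
#    value matched an injection rule), then switch the same policy to Prevention.
enable_waf_prevention() {
  run az network application-gateway waf-policy managed-rule exclusion add \
    --policy-name "$POLICY" --resource-group "$RG" --match-variable RequestCookieNames \
    --selector-match-operator Equals --selector session_token
  run az network application-gateway waf-policy policy-setting update \
    --policy-name "$POLICY" --resource-group "$RG" --mode Prevention
}

enable_waf_detection; review_waf_log; enable_waf_prevention
```

An exclusion only removes that one field from inspection by the managed rules, so keep it as narrow as the false positive requires rather than disabling the rule outright.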

Autoscaling

Application Gateway v2 supports autoscaling — it automatically adds or removes capacity based on traffic load. You set a minimum and maximum instance count. Azure handles the rest — no manual scaling needed during traffic spikes.

  • Minimum instances: 0 (for dev/test — scales to zero when idle)
  • Maximum instances: up to 125
  • Scales in ~1–2 minutes

App Gateway vs Load Balancer

| Feature | App Gateway | Load Balancer |
| --- | --- | --- |
| OSI Layer | Layer 7 | Layer 4 |
| Protocols | HTTP, HTTPS only | Any TCP, UDP |
| URL routing | ✅ Yes | ❌ No |
| SSL termination | ✅ Yes | ❌ No |
| WAF | ✅ Yes (WAF SKU) | ❌ No |
| Scope | Regional | Regional |
| Internal use | Yes | Yes |
| Cost | Higher | Lower |

💡 AZ-104 Exam Tip: know that App Gateway is Layer 7 (HTTP/HTTPS only), supports URL path-based routing, multi-site hosting, SSL termination, cookie-based session affinity, and WAF. The WAF has Detection and Prevention modes. The v2 SKU supports autoscaling and zone redundancy.
📝 Practice Questions
AZ-104 style questions.
Q1. A company wants to route requests to /api/* to API servers and /static/* to CDN servers using a single Azure service. What should they use?
  A. Azure Load Balancer
  B. Azure Application Gateway
  C. Network Security Groups
  D. Azure Traffic Manager

Q2. What is SSL termination on Application Gateway?
  A. Blocking all SSL/HTTPS traffic
  B. Decrypting HTTPS at the gateway and forwarding HTTP to backends — offloading SSL from backend servers
  C. Re-encrypting traffic between App Gateway and backend servers
  D. Generating SSL certificates for client devices

Q3. When should you use WAF Detection mode vs Prevention mode?
  A. Detection mode for production; Prevention mode for testing
  B. Detection mode initially to tune rules and eliminate false positives; then Prevention mode for production
  C. Detection mode for HTTP; Prevention mode for HTTPS
  D. Detection mode for internal traffic; Prevention mode for internet-facing traffic

Q4. Application Gateway v2 supports autoscaling. What does this mean?
  A. Backend VMs are automatically added or removed based on traffic
  B. The gateway automatically scales its own capacity based on traffic load
  C. Traffic is automatically distributed across multiple Azure regions
  D. SSL certificates are automatically renewed

Q5. What protocols does Azure Application Gateway support for load balancing?
  A. TCP, UDP, HTTP, and HTTPS
  B. HTTP and HTTPS only
  C. HTTP only — no HTTPS support
  D. HTTP, HTTPS, WebSocket, and FTP
Disclaimer: RedKite Cloud is an independent educational resource and is not affiliated with Microsoft Corporation.