3.2 Azure Application Gateway
📘Microsoft Azure Networking Solutions (AZ-700)
Azure Application Gateway is a layer 7 (HTTP/HTTPS) load balancer. It’s designed to manage and route web traffic to your applications in Azure efficiently. When preparing for the exam, you need to know how to map business or technical requirements to the right Application Gateway features.
Let’s go through the main features and how you match them to specific requirements.
1. Requirement: Secure your web applications
Scenario: You have web apps that must be protected from common attacks like SQL injection or cross-site scripting (XSS).
Feature to use: Web Application Firewall (WAF)
- What it does: WAF inspects incoming HTTP/HTTPS requests and blocks malicious traffic.
- Modes:
  - Detection mode: Logs malicious requests but doesn’t block them.
  - Prevention mode: Actively blocks malicious requests.
- Exam tip: If the requirement mentions protection against OWASP Top 10 vulnerabilities, map it to WAF.
IT Example: You host an e-commerce website in Azure. You want to prevent attackers from injecting malicious SQL commands via your login forms. Enable Application Gateway WAF in prevention mode.
2. Requirement: Route traffic based on URL paths
Scenario: Your company hosts multiple applications on the same domain but wants users to go to different apps depending on the URL.
Feature to use: Path-based routing
- What it does: Sends requests to different backend pools based on URL paths.
- Example:
  - /app1/* → Backend pool for App1
  - /app2/* → Backend pool for App2
IT Example: A company hosts intranet.company.com/app1 for HR and intranet.company.com/app2 for IT. Use path-based routing so requests go to the correct servers.
Exam tip: If the requirement mentions “different URLs to different backends”, pick path-based routing.
3. Requirement: Distribute traffic for high availability
Scenario: Your app must remain available even if one server fails or traffic spikes.
Feature to use: Load balancing
- What it does: Balances traffic among multiple backend servers to ensure high availability.
- Options:
  - Round-robin distribution – Default, distributes evenly.
  - Session affinity – Routes requests from the same client to the same server using cookies.
IT Example: Your web application runs on 3 Azure VMs. Using Application Gateway load balancing, users are automatically routed to healthy VMs if one goes down.
Exam tip: Requirements mentioning “scale”, “high availability”, or “distribute requests” map to load balancing features.
4. Requirement: Secure traffic using SSL/TLS
Scenario: Your organization wants to encrypt web traffic and optionally inspect it before sending it to backend servers.
Feature to use: SSL termination and end-to-end SSL
- SSL Termination: Application Gateway decrypts traffic at the gateway, then sends it unencrypted to the backend.
- End-to-End SSL: Keeps traffic encrypted all the way to the backend.
- SSL Offload: Reduces CPU load on backend servers by handling encryption at the gateway.
IT Example: You host a finance application. Users connect over HTTPS. You enable SSL termination at Application Gateway to reduce load on backend VMs while still using HTTPS externally.
Exam tip: If the requirement mentions “offload SSL” or “decrypt traffic at gateway”, map it to SSL termination.
5. Requirement: Redirect traffic or rewrite URLs
Scenario: You want to redirect HTTP traffic to HTTPS, or modify request URLs before they reach the backend.
Feature to use: URL redirect and rewrite
- Redirect: Automatically send requests to a different URL (common for HTTP → HTTPS).
- Rewrite: Change the URL path or headers before the request reaches the backend.
IT Example: Users enter http://app.company.com. You configure HTTP → HTTPS redirect so all traffic is secure. Or, rewrite /oldpath/* to /newpath/* to avoid broken links.
Exam tip: Requirements mentioning “redirect HTTP to HTTPS” or “change URL paths” point to redirect/rewrite rules.
6. Requirement: Control access to backend applications
Scenario: Only specific users or IP ranges should access certain apps.
Feature to use: Custom WAF rules, IP restrictions, or backend pool access controls
- IP restrictions: Allow or block traffic from certain IPs.
- WAF custom rules: Define conditions to block or allow traffic based on headers, cookies, or query strings.
IT Example: An internal HR app should only be accessible from the corporate office IP range. Configure Application Gateway IP restriction rules.
7. Requirement: Support autoscaling based on traffic
Scenario: Your traffic fluctuates during the day or during events.
Feature to use: Autoscaling
- What it does: Automatically adds or removes Application Gateway instances based on traffic load.
- Exam tip: Look for requirements mentioning “handle peak traffic automatically” → enable autoscaling.
8. Requirement: Integrate with Azure services
Scenario: You need advanced features like WAF logs in Azure Monitor or traffic analytics.
Feature to use: Diagnostics and integration with Azure Monitor
- What it does: Sends metrics and logs to Azure Monitor, Log Analytics, or Event Hub.
- IT Example: You want to track all malicious requests blocked by WAF in a centralized logging system. Enable diagnostic logging.
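The WAF modes in section 1 and the diagnostic logging in section 8 meet in practice when a gateway runs in Detection mode and its firewall log is reviewed before switching to Prevention. The following Python sketch is an added example, not part of the original guide; the record shape (category ApplicationGatewayFirewallLog with properties.action, ruleId, clientIp, requestUri) is an assumption about the exported log format, and every log line is constructed sample data.

```python
import json
from collections import Counter, defaultdict

# Constructed sample export (not real traffic), one JSON record per line.
# Assumed shape: WAF records carry category "ApplicationGatewayFirewallLog"
# and the fields read below under "properties". Rule IDs are sample values.
SAMPLE_LOG = """
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"203.0.113.10","requestUri":"/login","ruleId":"942100","action":"Detected"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"203.0.113.10","requestUri":"/login","ruleId":"942100","action":"Detected"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"198.51.100.7","requestUri":"/search","ruleId":"941100","action":"Detected"}}
{"category":"ApplicationGatewayAccessLog","properties":{"clientIP":"198.51.100.7","requestUri":"/","httpStatus":200}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"192.0.2.44","requestUri":"/api/export","ruleId":"920350","action":"Blocked"}}
not-json debris line
"""

def firewall_events(text):
    """Yield the properties of each WAF firewall record, skipping other lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate truncated or non-JSON lines in an export
        if isinstance(rec, dict) and rec.get("category") == "ApplicationGatewayFirewallLog":
            yield rec.get("properties", {})

def summarize(text):
    """Count actions; per rule, collect requests that were only detected."""
    actions = Counter()
    detected = defaultdict(lambda: {"hits": 0, "clients": set(), "uris": set()})
    for p in firewall_events(text):
        action = p.get("action", "Unknown")
        actions[action] += 1
        if action == "Detected":  # logged in Detection mode, not blocked
            entry = detected[p.get("ruleId", "?")]
            entry["hits"] += 1
            entry["clients"].add(p.get("clientIp"))
            entry["uris"].add(p.get("requestUri"))
    return actions, dict(detected)

if __name__ == "__main__":
    actions, detected = summarize(SAMPLE_LOG)
    print("actions:", dict(actions))
    for rule, e in sorted(detected.items(), key=lambda kv: -kv[1]["hits"]):
        print(rule, e["hits"], sorted(e["clients"]), sorted(e["uris"]))
```

Rules with many "Detected" hits from known-good clients are the ones to review before moving the policy to Prevention mode.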
Quick Exam Mapping Table
| Requirement | Application Gateway Feature |
|---|---|
| Protect app from attacks | Web Application Firewall (WAF) |
| Route traffic by URL | Path-based routing |
| High availability & load distribution | Load balancing / session affinity |
| Encrypt traffic | SSL termination / end-to-end SSL |
| Redirect HTTP to HTTPS / rewrite URLs | URL redirect & rewrite |
| Restrict access by IP | IP restrictions / WAF custom rules |
| Handle traffic spikes | Autoscaling |
| Monitor & log traffic | Diagnostic logs / Azure Monitor integration |
Tips for the Exam
- Keywords in requirement → feature mapping
  Look for words like “secure” → WAF, “route by URL” → path-based routing, “scale automatically” → autoscaling.
- Remember SSL options
  SSL termination vs end-to-end SSL is a common exam topic.
- Understand WAF modes
  Detection vs prevention is frequently tested.
- Think in Azure terms
  All features integrate with backend pools, listeners, and routing rules.
✅ Summary:
To map requirements to Application Gateway features for AZ-700, carefully read the requirement, identify the keyword, and select the feature that meets it—WAF for security, path-based routing for URL-based traffic, SSL termination for encryption, autoscaling for traffic spikes, and so on. Understanding the IT context of each feature helps you answer scenario-based exam questions effectively.
