Azure Application Gateway: Application-Layer Load Balancing for Modern Cloud Workloads
By Pooja | 15th July 2025

Introduction
In today’s world of dynamic, web-based applications, organizations must deliver secure, fast, and scalable web services to their users—globally and reliably. Traditional load balancers lack application-level intelligence and can’t manage increasingly complex web traffic.
To meet these modern demands, Azure Application Gateway offers Layer 7 (application layer) load balancing with powerful routing and security capabilities such as SSL termination, cookie-based affinity, and an integrated Web Application Firewall (WAF).
This article provides an in-depth look into Azure Application Gateway, from its core functionality to real-world applications and best practices.
What is Azure Application Gateway?
Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. Unlike traditional load balancers that operate at the transport layer (Layer 4), Application Gateway operates at the application layer (Layer 7) and understands HTTP/HTTPS protocols, enabling intelligent request routing.
Application Gateway can:
- Route traffic based on URL paths and host headers
- Perform SSL termination
- Implement session persistence using cookies
- Protect applications with Web Application Firewall (WAF)
It supports autoscaling, zone redundancy, and integrates with other Azure services, making it a vital component in cloud-native web architectures.
Why Use Application Gateway?
Organizations use Azure Application Gateway for the following reasons:
- Layer 7 Routing: Route traffic based on request content
- Security: Protect apps using built-in WAF against OWASP vulnerabilities
- SSL Offloading: Free up backend servers from encryption overhead
- Centralized Access Control: Control access across multiple backend pools
- URL Rewrite & Redirect: Flexibility to control request paths
- Autoscaling: Automatically scale to meet traffic demand
- High Availability: Built-in redundancy and zone-aware architecture
It is ideal for web apps, APIs, microservices, and secure public-facing services.
Key Features
| Feature | Description |
| --- | --- |
| Layer 7 Load Balancing | Content-based routing using URL paths and host headers |
| Web Application Firewall | Built-in WAF to protect against common exploits (OWASP Top 10) |
| SSL Termination | Decrypt SSL traffic at the gateway and forward as HTTP |
| Cookie-Based Affinity | Session persistence using cookies |
| Autoscaling | Automatically adjusts capacity based on traffic |
| Multi-site Hosting | Route traffic to multiple web apps using a single gateway |
| End-to-End SSL | Supports SSL pass-through to backend servers |
| URL Rewrite & Redirection | Flexible URL management for SEO and routing logic |
| Custom Probes | Define custom health check logic |
Application Gateway vs Azure Load Balancer
| Feature | Application Gateway | Azure Load Balancer |
| --- | --- | --- |
| OSI Layer | Layer 7 (Application) | Layer 4 (Transport) |
| Protocols | HTTP, HTTPS | TCP, UDP |
| SSL Termination | Yes | No |
| Path-based Routing | Yes | No |
| WAF Support | Yes | No |
| Session Affinity | Yes (Cookie-based) | Yes (Source IP-based) |
| Ideal Use Case | Web apps, APIs, secure HTTP services | General network traffic |
Application Gateway Architecture
Application Gateway consists of several key components:
- Frontend IP: Public or private IP through which clients connect
- Listeners: Listen for incoming connections on specified ports
- Rules: Route traffic based on conditions (path, host, etc.)
- Backend Pool: Collection of targets (VMs, scale sets, App Services)
- Probes: Monitor backend health
You can deploy Application Gateway in single or multiple Availability Zones, with options for public or private endpoints.
Types of Azure Application Gateway
- Standard SKU
  - Core Layer 7 load balancing features
  - Basic routing, SSL termination
- Standard V2 SKU
  - Autoscaling
  - Zone redundancy
  - Faster provisioning
  - URL rewrite and redirect
  - Custom error pages
- WAF SKU
  - Same as Standard V2 plus:
    - Web Application Firewall
    - DDoS protection integration
    - OWASP rule sets
Understanding WAF (Web Application Firewall)
Azure WAF protects applications from common web vulnerabilities, such as:
- SQL injection
- Cross-site scripting (XSS)
- Cookie poisoning
- HTTP protocol violations
It supports custom rules, IP restriction, and bot protection. WAF logs can be sent to Azure Monitor, Log Analytics, and Event Hub.
Modes:
- Detection: Monitors and logs threats
- Prevention: Blocks malicious requests in real time
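Before moving a gateway from Detection to Prevention, the firewall log shows which rules would start blocking and for whom. The following is an added example, not part of the original article: it assumes the firewall log has been exported as one JSON record per line and reads only the `category`, `properties.ruleId`, `properties.requestUri` and `properties.clientIp` fields; the sample records are constructed.

```python
import json
from collections import defaultdict

# Constructed sample: one JSON record per line, using the category and
# properties fields of Application Gateway firewall logs. Values are invented.
SAMPLE_LOG = """\
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"203.0.113.7","requestUri":"/search?q=a","ruleId":"942100","action":"Matched"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"203.0.113.8","requestUri":"/search?q=b","ruleId":"942100","action":"Matched"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"198.51.100.9","requestUri":"/search","ruleId":"942100","action":"Matched"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"192.0.2.50","requestUri":"/login","ruleId":"941100","action":"Matched"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"192.0.2.50","requestUri":"/login","ruleId":"941100","action":"Matched"}}
{"category":"ApplicationGatewayAccessLog","properties":{"requestUri":"/login"}}
{"category":"ApplicationGatewayFirew
"""


def summarize_waf_hits(lines):
    """Return (ruleId, path, hits, distinct_clients) rows, widest impact first."""
    stats = defaultdict(lambda: {"hits": 0, "clients": set()})
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line
        if not isinstance(rec, dict):
            continue
        if rec.get("category") != "ApplicationGatewayFirewallLog":
            continue  # access and performance logs can share the same sink
        props = rec.get("properties") or {}
        # Drop the query string so hits on one endpoint group together.
        path = (props.get("requestUri") or "").split("?", 1)[0]
        entry = stats[(props.get("ruleId", "?"), path)]
        entry["hits"] += 1
        entry["clients"].add(props.get("clientIp"))
    rows = [(rule, path, s["hits"], len(s["clients"]))
            for (rule, path), s in stats.items()]
    # A rule firing for many distinct clients on one path is the first thing
    # to review (possible false positive) before Prevention starts blocking it.
    return sorted(rows, key=lambda r: (-r[3], -r[2], r[0]))


if __name__ == "__main__":
    for rule, path, hits, clients in summarize_waf_hits(SAMPLE_LOG.splitlines()):
        print(f"rule {rule} on {path}: {hits} hits from {clients} client(s)")
```

A rule that fires for one client many times on a sensitive path points the other way: it is more likely probing than a false positive, and is a reason to enable Prevention rather than to add an exclusion.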
Components of Application Gateway
Frontend IP Configuration
- Public or Private IP for incoming traffic
Listener
- Binds frontend IP and port to process incoming requests
Rules
- Define routing behavior (basic or path-based)
Backend Pool
- Targets (e.g., VMs, App Services, scale sets) that serve requests
Health Probes
- Ensure backend availability before routing traffic
URL-Based Routing and Path-Based Routing
Azure Application Gateway enables routing based on:
- URL Path: /images/* → Image server
- Host Header: api.example.com → API pool
- Rewrite Rules: Change path/query string before forwarding
This supports:
- Multi-site hosting on a single gateway
- Microservices routing (e.g., /api, /web)
- Blue/Green deployments
SSL Termination and End-to-End SSL
SSL Termination
- Decrypt SSL traffic at the gateway
- Forward plain HTTP to backend
- Reduces CPU load on backend servers
End-to-End SSL
- TLS passthrough to backend (no decryption)
- Needed for compliance or specific security scenarios
Re-encryption
- SSL termination at gateway → decrypt → inspect → re-encrypt to backend
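With SSL termination the gateway-to-backend hop carries plain HTTP, so it is worth checking which routing rules actually leave that hop unencrypted. The following audit is an added example, not part of the original article: it assumes a gateway definition exported as JSON (the shape of `az network application-gateway show` output), covers basic routing rules only, and runs on a constructed sample whose names and IDs are made up.

```python
import json

# Constructed sample, trimmed to the fields read below, shaped like the JSON
# from `az network application-gateway show`. All names and IDs are made up.
SAMPLE = json.loads("""{
 "httpListeners": [{"name": "l-https", "protocol": "Https"},
                   {"name": "l-http", "protocol": "Http"}],
 "backendHttpSettingsCollection": [{"name": "bs-plain", "protocol": "Http"},
                                   {"name": "bs-tls", "protocol": "Https"}],
 "requestRoutingRules": [
  {"name": "shop", "httpListener": {"id": "/gw/httpListeners/l-https"},
   "backendHttpSettings": {"id": "/gw/backendHttpSettingsCollection/bs-plain"}},
  {"name": "api", "httpListener": {"id": "/gw/httpListeners/l-https"},
   "backendHttpSettings": {"id": "/gw/backendHttpSettingsCollection/bs-tls"}},
  {"name": "legacy", "httpListener": {"id": "/gw/httpListeners/l-http"},
   "backendHttpSettings": {"id": "/gw/backendHttpSettingsCollection/bs-tls"},
   "redirectConfiguration": null},
  {"name": "to-https", "httpListener": {"id": "/gw/httpListeners/l-http"},
   "redirectConfiguration": {"id": "/gw/redirectConfigurations/http-to-https"}}]}""")


def _ref(rule, key):
    """Name of the sub-resource a rule points at (last segment of its ID)."""
    return ((rule.get(key) or {}).get("id") or "").rsplit("/", 1)[-1]


def audit_tls_hops(gw):
    """Return (rule name, finding) pairs for basic request routing rules."""
    listeners = {l["name"]: (l.get("protocol") or "").lower()
                 for l in gw.get("httpListeners") or []}
    settings = {s["name"]: (s.get("protocol") or "").lower()
                for s in gw.get("backendHttpSettingsCollection") or []}
    findings = []
    for rule in gw.get("requestRoutingRules") or []:
        front = listeners.get(_ref(rule, "httpListener"))
        back = settings.get(_ref(rule, "backendHttpSettings"))
        # Unset references are exported as null, so test truthiness, not presence.
        # The redirect target itself is not inspected here.
        if front == "http" and not rule.get("redirectConfiguration"):
            findings.append((rule["name"], "plaintext listener without redirect"))
        if front == "https" and back == "http":
            findings.append((rule["name"], "TLS ends at gateway, plaintext to backend"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_tls_hops(SAMPLE):
        print(f"{name}: {finding}")
```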
Integration with Azure Services
Azure Application Gateway integrates with:
- App Services: Host web apps behind gateway
- VMs / VM Scale Sets: Route traffic to virtual machines
- Azure Key Vault: Store SSL certificates securely
- Azure Monitor: Observe metrics and logs
- Azure Front Door: Combine with global acceleration
Use Cases
- Web Hosting with Path Routing: Route /blog to blog server, /api to microservice, and / to main site.
- E-commerce Site with WAF: Protect checkout and login pages using custom WAF rules.
- Multi-Tenant Web Applications: Serve multiple domains (site1.com, site2.com) from a single gateway.
- Hybrid and Secure Backends: Access private networks securely using private Application Gateway.
Monitoring and Logging
Azure provides powerful observability features:
- Metrics: Request count, response time, backend errors
- Access Logs: Info about incoming requests
- Performance Logs: Backend health and timings
- Firewall Logs: WAF-triggered rules and blocks
Logs can be viewed in:
- Azure Monitor
- Log Analytics
- Event Hub
- Storage Account
Pricing Overview
Azure Application Gateway is billed based on:
- Instance Hours (VMs running the gateway)
- Data Processing (GB)
- WAF Policy (if enabled)
- SKU (Standard vs WAF V2)
Costs vary with scale, region, and configuration. Use the Azure Pricing Calculator for estimates.
Best Practices
- Use Standard V2 + WAF for production workloads
- Offload SSL at the gateway to reduce backend CPU usage
- Enable autoscaling for unpredictable web traffic
- Use custom health probes for fine-grained monitoring
- Combine with Front Door for global distribution and acceleration
- Use private IP for internal apps or microservices
- Monitor with Log Analytics and Alerts
Conclusion
Azure Application Gateway is a feature-rich, secure, and scalable Layer 7 load balancer that meets the needs of modern web applications. Its ability to route traffic based on URLs, handle SSL termination, support session persistence, and protect against web attacks via WAF makes it a robust solution for any enterprise.
Whether you’re hosting a basic website, running multi-tenant SaaS platforms, or deploying API-based microservices, Azure Application Gateway ensures your applications remain available, secure, and performant.
When combined with Azure Front Door, Azure Load Balancer, and other services, it becomes a powerful part of a multi-layered, cloud-native networking and security architecture.