Guide Metadata
Service Name: azure application gateway Generation Approach: sequential_workflow Phases Completed: 5 Generation Complete: True Timestamp: 2025-09-01T14:38:47.853686 Config File: config/semantic_kernel_config.yaml
Azure Application Gateway - Azure Service Guide
What is Azure Application Gateway?
Azure Application Gateway is a fully managed Application Delivery Controller (ADC) and Layer 7 load balancer (HTTP/HTTPS) within Azure.
It routes and secures web traffic to backend applications, supporting URL-based routing, SSL offload, end-to-end encryption, and an integrated Web Application Firewall (WAF) for application layer protection.
Unlike Azure Load Balancer (Layer 4, network-level), Application Gateway makes routing decisions based on HTTP request properties such as URL paths, host headers, and query strings.
Simple Words Explanation:
Think of Azure Application Gateway as a traffic director for websites and apps that not only decides where to send traffic, but can securely inspect it, block attacks, and optimize delivery — all while understanding the contents of the web request.
Key Use Cases
- Secure web application delivery — HTTPS termination, TLS policies, and WAF protection.
- Multi-site and multi-domain hosting — Route traffic for many domains from one gateway.
- Microservices routing — Send
/apito one backend,/imagesto another. - Hybrid application publishing — Securely expose on-premises apps via Azure.
- Internal secure portals — Private IP gateways for intranet or cross-VNET access.
Service Categories/Types
- Standard — Basic Layer 7 load balancing with manual scaling.
- WAF — Standard features + OWASP-based Web Application Firewall.
- Standard_v2 — Autoscaling, faster provisioning, zone redundancy.
- WAF_v2 — Standard_v2 + WAF with enhanced detection/prevention.
🎯 Core Concepts
Essential Terms & Definitions
| Term | Definition | Example |
|---|---|---|
| Listener | Logical endpoint for receiving traffic at a specific IP, port, protocol | HTTPS listener on appgateway.contoso.com:443 |
| Backend Pool | Group of backend servers or endpoints serving requests | App Service + VM backend for /app1 |
| HTTP Setting | Configuration for backend communication (protocol, timeouts, cookies) | HTTP setting with 60s timeout, cookie affinity enabled |
| Path-based Routing | Rule that routes based on request URL path segments | /images/* → image servers |
| WAF | Web Application Firewall scanning for malicious HTTP requests | Blocks SQL injection attempts |
Key Features
- URL path and host-based routing — Fine-grained backend selection.
- Multi-site hosting — 100+ domains on one gateway.
- SSL termination & end-to-end SSL — Offload TLS or encrypt all the way.
- Integrated WAF — OWASP CRS with prevention or detection mode.
- Header and URL rewrite — Modify requests/responses on the fly.
- Autoscaling & zone redundancy — In v2 SKUs.
- mTLS — Client certificate authentication.
- Session affinity — Stick client to a backend instance.
Technical Deep Dive
Azure Application Gateway operates at OSI Layer 7 using a reverse proxy model.
Traffic first terminates at the gateway listener, where TLS can be decrypted. Rules are applied for routing decisions based on:
- Host headers (e.g.,
api.contoso.comvsshop.contoso.com) - Path segments (
/api/*vs/static/*) - HTTP parameters
Backends can be Azure resources (VMs, App Service, AKS) or on-premises servers reachable via hybrid connectivity.
Security model includes:
- Per-listener TLS settings with controlled cipher suites.
- WAF with preconfigured and custom rules.
- Integration with Azure Key Vault for cert lifecycle.
Observability is native through Azure Monitor logs, metrics, and WAF reports.
🔄 Azure Service Comparisons
Core Comparison Table
| Feature / Capability | Azure Application Gateway | Azure Front Door | Azure Load Balancer |
|---|---|---|---|
| OSI Layer | Layer 7 (HTTP/S) | Layer 7 (HTTP/S) | Layer 4 (TCP/UDP) |
| Scope | Regional | Global (edge POPs) | Regional |
| Primary Use | Secure, regional app delivery | Global distribution + caching | Network-level load balancing |
| Protocols | HTTP, HTTPS | HTTP, HTTPS, WebSockets | TCP, UDP |
| Routing | Path, host headers, rewrite | Path, host headers, geo | Port, IP hash |
| SSL Termination | Yes | Yes | No |
| WAF | Regional | Global | No |
| Autoscaling | Yes (v2) | Yes | Yes (Std SKU) |
| Private Endpoints | Yes | No | Yes |
Decision Matrix
| Requirement | Application Gateway | Azure Front Door | Azure Load Balancer |
|---|---|---|---|
| Global presence | With Traffic Manager | ✅ Built-in | With Traffic Manager |
| L7 routing | ✅ | ✅ | ❌ |
| L4 routing | ❌ | ❌ | ✅ |
| Private access | ✅ | ❌ | ✅ |
| WAF needed | ✅ | ✅ | ❌ |
🌐 Networking Considerations
- Deploy in Virtual Network for private/internal access.
- v2 SKU supports zone redundancy for high availability.
- Secure backend comms with end-to-end SSL.
- Use NSGs and Azure Firewall to control gateway and backend traffic.
- For multi-region: combine with Traffic Manager or Front Door.
- Supports IPv4 and IPv6 frontend IPs.
💰 Pricing & Cost Considerations
Azure charges for:
- Instances or capacity units — v1 = per instance; v2 = per capacity unit.
- Data processed — per GB of inbound & outbound.
- WAF costs — Extra per GB inspected.
Example (2024 rates):
- Standard_v2: ~$0.25–$0.27/CU/hour + ~$0.008/GB.
- WAF_v2: ~$0.35/CU/hour + ~$0.014/GB.
Optimization Tips:
- Match CU count to baseline usage; autoscale upper bound for peaks.
- Avoid over-inspecting internal trusted traffic to save WAF costs.
- Consolidate domains into multi-site hosting to reduce instance count.
🔒 Security & Compliance
- TLS 1.2 / 1.3 support with policy enforcement.
- OWASP CRS for WAF.
- mTLS for client authentication.
- Logging with retention via Monitor / Log Analytics.
- Compliant with ISO, SOC, PCI-DSS, HIPAA, GDPR.
- Integrates with Azure DDoS Protection for enhanced defense.
📊 Performance & Scalability
- Autoscale up to 125 instances (v2).
- Client-side HTTP/2 supported; backend limited to HTTP/1.1.
- Latency introduced by WAF inspection — plan capacity for performance-critical apps.
- Connection draining prevents disruptions during backend maintenance.
- WebSockets over HTTP/S supported.
📝 Interview Preparation Checklist
Quick Recap with Key Answers
- Layer: OSI Layer 7 — HTTP-aware.
- SKUs: Standard, WAF, Standard_v2, WAF_v2.
- Scaling: Manual in v1, autoscale in v2.
- WAF Mode: Detection & prevention.
- Use Case Fit: Secure, scalable, application-aware routing.
Architecture Scenarios Practice
- Global + Regional WAF
- Front Door → Application Gateway → Backends
- Pros: Multi-layer security.
- Trade-off: Cost, complexity.
- Intranet Portal
- Private Application Gateway → VM backends
- Pros: Isolation, compliance.
- Trade-off: No public access without VPN/ER.
- Microservices App
- AG with path-based rules → distinct microservice pools.
Must-Know Topics Checklist
- [ ] Difference between L4 and L7 load balancers
- [ ] Path & host-based routing configuration
- [ ] WAF rule customization
- [ ] SSL termination vs end-to-end SSL
- [ ] v1 vs v2 SKU differences
- [ ] Integration with AKS (AGIC)
- [ ] Logging and monitoring setup
Hands-On Practice Tasks
- [ ] Deploy WAF_v2 with multi-site hosting
- [ ] Configure mTLS client auth
- [ ] Create path-based routing rules
- [ ] Integrate with Key Vault for certificate rotation
- [ ] Connect AG to private endpoints securely
- [ ] Analyze WAF logs in Log Analytics
❓ Common Interview Questions
Alright — based on your research and structured service documentation for Azure Application Gateway, here is the fully formatted, exhaustive interview preparation question set exactly following your required template.
No answers are included — only interview-ready questions.
Azure Application Gateway – Comprehensive Interview Questions
❓ Common Interview Questions
Fundamental Questions
- What is Azure Application Gateway and what problem does it solve?
- How does Azure Application Gateway differ from Azure Load Balancer and Azure Front Door?
- What are the main components of Azure Application Gateway?
- What are the different SKUs available for Application Gateway and their key differences?
- When should you use Azure Application Gateway?
- When should you NOT use Azure Application Gateway?
- What are the main advantages of using Azure Application Gateway?
- What are the potential limitations or drawbacks of Application Gateway?
- How does Application Gateway align with Layer 7 load balancing principles?
- How does Application Gateway support cloud-native architectures?
- What are the typical use cases for Application Gateway?
- Which industries benefit most from Application Gateway?
- How does Application Gateway pricing work, and what are the cost components?
- How do Standard vs. Standard_v2 SKUs differ in scaling and performance?
- How does Azure Application Gateway handle HTTPS traffic compared to HTTP traffic?
- What are the common misconceptions about Azure Application Gateway?
- How does Application Gateway fit into hybrid cloud or multi-cloud architectures?
- What role does Web Application Firewall (WAF) play in Application Gateway?
- How has Azure Application Gateway evolved over time, particularly with v2 SKUs?
Technical Questions
- How does Azure Application Gateway perform application-level routing?
- What types of routing rules are supported (path-based, host-based, multi-site hosting)?
- How does Application Gateway support URL rewriting?
- What is the method for configuring HTTP-to-HTTPS redirection in Application Gateway?
- How does Application Gateway autoscaling work in v2 SKUs?
- What security features are included with Application Gateway?
- How do you enable and configure WAF in Application Gateway?
- How does the Web Application Firewall detect and prevent threats?
- What OWASP Core Rule Set versions are supported by WAF?
- What are the steps to implement custom WAF rules, and in what scenarios?
- How does Application Gateway handle SSL/TLS termination?
- How do you configure mutual TLS authentication (mTLS) in Application Gateway?
- What is TLS policy management in Application Gateway and why is it important?
- What are the best practices for securing Application Gateway in a public-facing deployment?
- How does Application Gateway integrate with Azure Key Vault for certificate management?
- How do you configure Application Gateway for end-to-end SSL encryption?
- What logging capabilities does Application Gateway provide?
- How is performance monitored in Application Gateway?
- What diagnostic logs are available (access logs, performance logs, firewall logs)?
- How do you integrate Application Gateway metrics with Azure Monitor and Log Analytics?
- How is Application Gateway deployed with Availability Zone redundancy?
- What are the high availability and disaster recovery options?
- How does Application Gateway handle session affinity (sticky sessions)?
- What is connection draining and how is it configured in Application Gateway?
- What limitations exist in HTTP/2 support for Application Gateway?
- How does Application Gateway handle WebSocket traffic?
- What’s the process to configure multi-site hosting on Application Gateway?
- How do you integrate Application Gateway as an AKS ingress controller?
- What are the performance impacts of enabling WAF?
- How do you mitigate WAF latency in high-performance scenarios?
- How do you estimate capacity units (CU) for Application Gateway?
- How do you troubleshoot unhealthy backend servers in Application Gateway?
- What is the impact of rewrite rules on application gateway performance?
- How does Application Gateway integrate with Azure Traffic Manager?
- How does Application Gateway interact with Azure Front Door in layered architectures?
- What limitations should teams consider for gRPC traffic in Application Gateway?
- How do you securely publish internal applications using Application Gateway?
- What are the SLA guarantees for Application Gateway?
- What’s the recommended process for upgrading Application Gateway from v1 to v2 SKU?
- How does Application Gateway interact with Virtual Network (VNet) and subnets?
- What firewall and NSG rules are typically applied when deploying Application Gateway?
- How do you optimize costs in high-throughput workloads for Application Gateway?
Scenario-Based Questions
- How would you design a global, multi-region e-commerce platform using Application Gateway with minimal downtime?
- Your backend servers experience intermittent latency spikes — how would you diagnose whether the bottleneck is within Application Gateway or the backends?
- A customer needs to host 50 domains with different SSL certificates on a single gateway. How would you design this?
- How would you implement blue-green deployments with Application Gateway in front of an AKS cluster?
- You’re migrating an on-prem monolithic web application to Azure — how would you use Application Gateway for a phased migration?
- How would you configure Application Gateway for internal applications that must meet HIPAA compliance?
- A financial services client requires mTLS authentication for all client requests — how would you design this using Application Gateway and Key Vault?
- You need to handle autoscaling up to 100,000 concurrent web connections during a marketing event. What’s your planning and testing approach?
- How would you set up Application Gateway to route
/api/*traffic to one backend and/images/*to another backend service? - Your application experiences higher latency when WAF is enabled. How would you troubleshoot and improve performance without sacrificing security?
- You are implementing a multi-tenant SaaS platform — how would you use Application Gateway for path-based isolation while keeping costs optimized?
- The business wants a zero-downtime disaster recovery strategy across two Azure regions using Application Gateway — what’s your design?
- How would you architect an AKS environment with Application Gateway ingress that can handle burst traffic loads?
- Application Gateway backend pool members are failing health probes — how do you troubleshoot and resolve this?
- How would you integrate Azure Application Gateway with Azure Front Door for a globally distributed application architecture?
- You need to enforce PCI-DSS encryption standards — how would you configure TLS policies in Application Gateway?
- How would you use Application Gateway firewall logs for incident response and forensic investigation?
- You have an existing Azure Load Balancer — how and when would you migrate to Application Gateway without user disruption?
- How would you perform canary releases using Application Gateway’s routing rules?
- In a hybrid cloud setup, how would you expose an on-prem application via Application Gateway secured with Azure VPN or ExpressRoute?
📝 Interview Preparation Checklist
Quick Recap with Key Questions
Core Service Knowledge
- What is Azure Application Gateway?
- What are the primary use cases?
- What are the key differentiators compared to Azure Load Balancer and Azure Front Door?
- What are the advantages and limitations?
- What is the pricing model?
Technical Essentials
- What are the main components?
- How do routing rules work?
- How does scaling work in Standard vs. v2 SKUs?
- What built-in security capabilities exist?
- What compliance standards are supported?
Integration & Architecture
- What are the most common integrations with Application Gateway?
- What are the typical architecture patterns (single region, multi-region, AKS ingress)?
- When should you use Application Gateway?
- When should you NOT use it?
- What HA/DR strategies are possible with Application Gateway?
Architecture Scenarios Practice
Scenario 1: Multi-Site Hosting Architecture
- What business problem are you solving?
- How would you architect the solution with Application Gateway?
- How would you handle SSL certificate management?
- What trade-offs would you consider?
Scenario 2: AKS Ingress with WAF
- How would you design Application Gateway as an ingress controller for AKS?
- How would you secure ingress endpoints?
- How would you scale for peak loads?
Scenario 3: Cross-Region Failover
- What challenge exists at global scale?
- How would you combine Application Gateway with Traffic Manager or Azure Front Door for global failover?
- What operational practices would you apply?
Scenario 4: Secure Internal Applications
- How would you configure Application Gateway for internal-only access?
- How would Private Link or internal VNet integration play a role?
Scenario 5: PCI-DSS Compliant Payment Platform
- How would you configure TLS policies?
- How would you ensure no insecure cipher suites are used?
Scenario 6: Marketing Event High Traffic
- How would you size or plan autoscaling for 10x expected load?
- How would you test before the event?
Scenario 7: WAF Tuning
- How would you minimize false positives?
- How would you test changes in detection vs. prevention mode?
Scenario 8: Latency Troubleshooting
- What metrics and logs would you analyze?
- How would you isolate WAF vs. backend latency sources?
Scenario 9: Disaster Recovery
- How would you design failover to a secondary region?
- How would DNS or global routing be updated?
Scenario 10: Application Migration
- How would you phase traffic to new application versions?
- How would you ensure rollback paths?
Must-Know Topics Checklist
- [ ] Core concepts and definition of Azure Application Gateway
- [ ] SKUs and their differences
- [ ] Routing rules (path & host-based)
- [ ] WAF modes and OWASP capabilities
- [ ] Pricing model and cost components
- [ ] SSL/TLS termination, end-to-end SSL, mTLS
- [ ] Scaling strategies and limits
- [ ] Logging and monitoring integrations
- [ ] High availability and disaster recovery
- [ ] Integration patterns (AKS, Front Door, Traffic Manager)
- [ ] Cost optimization strategies
- [ ] Migration approaches from other load balancers
If you'd like, I can now extend this into a side-by-side comparison matrix of Azure Application Gateway vs Azure Front Door vs Azure Load Balancer, which is often asked in advanced interviews to test architectural judgement.
Do you want me to prepare that next?