September 23, 2020 2 min read

Azure Application Gateway: Layer 7 Load Balancing

Azure Application Gateway Load Balancing Networking

Application Gateway is Azure’s web traffic load balancer operating at Layer 7 (HTTP/HTTPS).

Key Features

URL-based routing: Route /api/* to backend A, /images/* to backend B
SSL termination: Offload SSL at the gateway
Session affinity: Cookie-based sticky sessions
WAF: Web Application Firewall protection
Autoscaling: Handle traffic spikes

Basic Configuration

resource "azurerm_application_gateway" "main" {
  name                = "myappgateway"
  resource_group_name = azurerm_resource_group.main.name
  location            = azurerm_resource_group.main.location

  sku {
    name     = "WAF_v2"
    tier     = "WAF_v2"
  }

  autoscale_configuration {
    min_capacity = 2
    max_capacity = 10
  }

  gateway_ip_configuration {
    name      = "gateway-ip"
    subnet_id = azurerm_subnet.appgw.id
  }

  frontend_port {
    name = "https-port"
    port = 443
  }

  frontend_ip_configuration {
    name                 = "frontend-ip"
    public_ip_address_id = azurerm_public_ip.appgw.id
  }

  backend_address_pool {
    name = "api-backend"
  }

  backend_http_settings {
    name                  = "api-settings"
    cookie_based_affinity = "Disabled"
    port                  = 80
    protocol              = "Http"
    request_timeout       = 60
    probe_name            = "api-probe"
  }

  http_listener {
    name                           = "https-listener"
    frontend_ip_configuration_name = "frontend-ip"
    frontend_port_name             = "https-port"
    protocol                       = "Https"
    ssl_certificate_name           = "wildcard-cert"
  }

  request_routing_rule {
    name                       = "api-rule"
    rule_type                  = "PathBasedRouting"
    http_listener_name         = "https-listener"
    url_path_map_name          = "url-map"
  }

  url_path_map {
    name                               = "url-map"
    default_backend_address_pool_name  = "api-backend"
    default_backend_http_settings_name = "api-settings"

    path_rule {
      name                       = "api-path"
      paths                      = ["/api/*"]
      backend_address_pool_name  = "api-backend"
      backend_http_settings_name = "api-settings"
    }
  }

  probe {
    name                = "api-probe"
    protocol            = "Http"
    path                = "/health"
    host                = "127.0.0.1"
    interval            = 30
    timeout             = 30
    unhealthy_threshold = 3
  }
}

vs. Azure Load Balancer

Feature	App Gateway	Load Balancer
Layer	7 (HTTP)	4 (TCP/UDP)
SSL Termination	Yes	No
URL Routing	Yes	No
WAF	Yes	No
WebSockets	Yes	Yes

Use Application Gateway for web traffic, Load Balancer for everything else.