Azure Cloud - Application Gateway

Azure Application Gateway

Azure Application Gateway is a Layer 7 (application layer) HTTP/HTTPS load balancer and reverse proxy that provides advanced traffic management capabilities.

Functions

| Function | Description |
|---|---|
| Layer 7 Load Balancing | Routes traffic based on HTTP(S) headers, URLs, cookies, etc. |
| URL Path-Based Routing | Routes requests to different backend pools based on the URL path (e.g., /api/, /images/) |
| Host-Based Routing (Multi-site Hosting) | Routes based on the requested host name (e.g., api.contoso.com, web.contoso.com) |
| Listener-level Certificate Binding | Uses a different TLS certificate per listener, so one gateway can serve multiple sites |
| TLS/SSL Termination | Decrypts TLS traffic at the gateway, offloading that CPU work from the backends |
| Web Application Firewall (WAF) | Protects against OWASP Top 10 vulnerabilities (e.g., SQLi, XSS) |
| Cookie-Based Affinity (Session Stickiness) | Keeps a client on the same backend server using a gateway-managed cookie |
| Custom Probes | Health checks with flexible configuration (e.g., path, expected status code, interval) |

Application Gateway SKUs

| SKU | Key Differences |
|---|---|
| Standard v2 | Modern, scalable SKU with autoscaling and zone redundancy |
| WAF v2 | Same as Standard v2 but includes the Web Application Firewall |
| Standard (classic) | Legacy v1 SKU; lacks advanced v2 features such as autoscaling and rewriting |
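The WAF row in the SKU table only says the firewall is "included"; what actually protects the backends is the WAF policy attached to a WAF v2 gateway. The following Bicep is an added example (not code from the original page or from Microsoft) of such a policy. The policy name, the API version, the rate-limit threshold and the `/api/` prefix are assumptions chosen for this example.

```bicep
// Added example, not from the original page: a WAF policy for a WAF_v2 Application Gateway.
// The policy name, threshold and path prefix below are placeholders for this example.
param location string = resourceGroup().location
param policyName string = 'agw-waf-policy'

@allowed([ 'Detection', 'Prevention' ])
param mode string = 'Prevention'   // 'Detection' only logs matching requests; it never blocks them

resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2023-09-01' = {
  name: policyName
  location: location
  properties: {
    policySettings: {
      state: 'Enabled'
      mode: mode
      requestBodyCheck: true          // inspect POST bodies, not only the URL and headers
      maxRequestBodySizeInKb: 128
      fileUploadLimitInMb: 100
    }
    managedRules: {
      managedRuleSets: [
        {
          // OWASP Core Rule Set: the SQLi / XSS protection the Functions table refers to
          ruleSetType: 'OWASP'
          ruleSetVersion: '3.2'
        }
        {
          ruleSetType: 'Microsoft_BotManagerRuleSet'
          ruleSetVersion: '1.0'
        }
      ]
    }
    customRules: [
      {
        // Per-client rate limit on the API path, evaluated before the managed rules
        name: 'RateLimitApiPerClient'
        priority: 10
        ruleType: 'RateLimitRule'
        rateLimitDuration: 'OneMin'
        rateLimitThreshold: 300       // placeholder; tune from observed traffic
        groupByUserSession: [ { groupByVariables: [ { variableName: 'ClientAddr' } ] } ]
        matchConditions: [
          {
            matchVariables: [ { variableName: 'RequestUri' } ]
            operator: 'BeginsWith'
            matchValues: [ '/api/' ]
          }
        ]
        action: 'Block'
      }
    ]
  }
}

// Reference this id from the gateway's firewallPolicy property
output wafPolicyId string = wafPolicy.id
```

Deploy with `az deployment group create -g <rg> -f waf-policy.bicep` and pass the `wafPolicyId` output to the gateway. Roll a new policy out in `Detection` mode first and review the `ApplicationGatewayFirewallLog` entries for false positives, then switch the parameter to `Prevention`; a policy left in Detection mode logs attacks but lets them through.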

Overall Diagram

graph TD
    subgraph AGW["Azure Application Gateway"]
        C1["🔓 SSL Termination"]
        C2["🛡️ WAF Inspection<br>(SQLi, XSS, DDoS)"]
        C3["↔️ Host-Based Routing<br>(e.g., api.contoso.com)"]
        C4["↔️ URL Path-Based Routing<br>(e.g., /images → VMSS, /api → AKS)"]
    end
    user[Internet User] -->|HTTPS Request| AGW
    AGW --> backendPool

    backendPool --> D1[Virtual Machines]
    backendPool --> D2[VM Scale Sets]
    backendPool --> D3[Azure Kubernetes Service]
    backendPool --> D4[Azure App Service]

Hosting multiple domains (multi-site hosting)

graph TD
  subgraph DNS
    www["portal.contoso.com (CNAME)"]
    api["api.contoso.com (CNAME)"]
    kibana["kibana.contoso.com (CNAME)"]
    gateway["myappgw.eastus.cloudapp.azure.com<br>(Gateway canonical name)"]
  end

  www --> gateway
  api --> gateway
  kibana --> gateway
  gateway --> |A record| agw

  subgraph Application Gateway
    agw["Azure Application Gateway"]

    listener1["Listener<br>- Host: portal.contoso.com<br>- Port: 443<br>- Protocol: HTTPS<br>- SSL Certificate"]
    listener2["Listener<br>- Host: api.contoso.com<br>..."]
    listener3["Listener<br>- Host: kibana.contoso.com<br>..."]

    agw --> |"Host-based routing<br>(portal.contoso.com)"| listener1
    agw --> |"Host-based routing<br>(api.contoso.com)"| listener2
    agw --> |"Host-based routing<br>(kibana.contoso.com)"| listener3

    listener1 --> rule1["Rule<br>- Backend target<br>- Backend settings<br>- Path-based routing"]
    listener2 --> rule2["Rule"]
    listener3 --> rule3["Rule"]

    rule1 --> backendPool1["Backend Pool<br>(IP, FQDN, VM, VMSS)"]
    rule2 --> backendPool2["Backend Pool<br>(IP, FQDN, VM, VMSS)"]
    rule3 --> backendPool3["Backend Pool<br>(IP, FQDN, VM, VMSS)"]
  end

  lb["Load Balancer"]

  subgraph Virtual Machines
    vm["Kibana Server"]
  end

  backendPool1 -->|"IP address"| lb
  backendPool2 -->|"IP address"| lb
  backendPool3 -->|"VM"| vm

  lb --> ingressController

  subgraph AKS[Azure Kubernetes Service]
    ingressController["Ingress Controller<br>(Nginx, AGIC, etc.)"]
    ingress1["Ingress<br>portal.contoso.com"]
    ingress2["Ingress<br>api.contoso.com"]

    ingressController --> ingress1
    ingressController --> ingress2
    ingress1 --> frontend["Frontend Web App"]
    ingress2 --> apiBackend["API Service"]
  end
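The diagram above shows three CNAMEs resolving to one gateway, one HTTPS listener per host name, and rules sending portal/api traffic to the AKS load balancer and kibana traffic to a VM. The Bicep below is an added example of that layout (not code from the original page or from Microsoft), also covering the TLS termination, path-based routing, custom probe and cookie affinity rows of the Functions table. The gateway name, subnet and public IP ids, backend IPs, `/healthz` probe path, `/images/*` path rule, the WAF policy id and the API version are all assumptions chosen for this example.

```bicep
// Added example, not from the original page: a WAF_v2 Application Gateway that hosts
// portal/api/kibana on one public IP. All names, IPs and paths are placeholders.
param location string = resourceGroup().location
param gwName string = 'myappgw'
param subnetId string             // dedicated Application Gateway subnet
param publicIpId string           // Standard public IP; its DNS label is the gateway canonical name
param wafPolicyId string          // existing ApplicationGatewayWebApplicationFirewallPolicies resource id
param aksLbIp string = '10.0.2.4' // internal load balancer in front of the AKS ingress controller
param imagesIp string = '10.0.4.4'// VMSS-backed static content served under /images/*
param kibanaIp string = '10.0.3.4'// Kibana VM
@secure()
param pfxBase64 string            // certificate covering the three host names (or a wildcard)
@secure()
param pfxPassword string

// Sub-resources are referenced from inside the same resource, so their ids are built with resourceId()
var t = 'Microsoft.Network/applicationGateways'
var feId = resourceId('${t}/frontendIPConfigurations', gwName, 'public')
var portId = resourceId('${t}/frontendPorts', gwName, 'https')
var certId = resourceId('${t}/sslCertificates', gwName, 'contoso')
var aksPoolId = resourceId('${t}/backendAddressPools', gwName, 'aksPool')
var imagesPoolId = resourceId('${t}/backendAddressPools', gwName, 'imagesPool')
var kibanaPoolId = resourceId('${t}/backendAddressPools', gwName, 'kibanaPool')
var aksHttpId = resourceId('${t}/backendHttpSettingsCollection', gwName, 'aksHttp')
var kibanaHttpId = resourceId('${t}/backendHttpSettingsCollection', gwName, 'kibanaHttp')
var probeId = resourceId('${t}/probes', gwName, 'aksProbe')
var pathMapId = resourceId('${t}/urlPathMaps', gwName, 'portalPaths')

resource agw 'Microsoft.Network/applicationGateways@2023-09-01' = {
  name: gwName
  location: location
  properties: {
    sku: { name: 'WAF_v2', tier: 'WAF_v2' }
    autoscaleConfiguration: { minCapacity: 1, maxCapacity: 4 }
    firewallPolicy: { id: wafPolicyId }   // WAF inspection runs before any routing decision
    sslPolicy: { policyType: 'Predefined', policyName: 'AppGwSslPolicy20220101S' }   // TLS 1.2+ only
    gatewayIPConfigurations: [ { name: 'gwip', properties: { subnet: { id: subnetId } } } ]
    frontendIPConfigurations: [ { name: 'public', properties: { publicIPAddress: { id: publicIpId } } } ]
    frontendPorts: [ { name: 'https', properties: { port: 443 } } ]
    sslCertificates: [ { name: 'contoso', properties: { data: pfxBase64, password: pfxPassword } } ]
    backendAddressPools: [
      { name: 'aksPool', properties: { backendAddresses: [ { ipAddress: aksLbIp } ] } }
      { name: 'imagesPool', properties: { backendAddresses: [ { ipAddress: imagesIp } ] } }
      { name: 'kibanaPool', properties: { backendAddresses: [ { ipAddress: kibanaIp } ] } }
    ]
    probes: [
      {
        name: 'aksProbe'
        properties: {
          protocol: 'Http'
          path: '/healthz'
          host: 'portal.contoso.com'   // the ingress controller routes on Host, so the probe must send one
          interval: 30
          timeout: 30
          unhealthyThreshold: 3
          pickHostNameFromBackendHttpSettings: false
          match: { statusCodes: [ '200-399' ] }
        }
      }
    ]
    backendHttpSettingsCollection: [
      // No hostName override here: the client's original Host header is forwarded, which the ingress relies on
      { name: 'aksHttp', properties: { port: 80, protocol: 'Http', cookieBasedAffinity: 'Disabled', requestTimeout: 30, probe: { id: probeId } } }
      // Gateway-managed affinity cookie keeps a Kibana session on the same backend
      { name: 'kibanaHttp', properties: { port: 5601, protocol: 'Http', cookieBasedAffinity: 'Enabled', requestTimeout: 60 } }
    ]
    // One multi-site listener per host name; the gateway selects it from SNI / Host and terminates TLS here
    httpListeners: [
      { name: 'portal', properties: { frontendIPConfiguration: { id: feId }, frontendPort: { id: portId }, protocol: 'Https', sslCertificate: { id: certId }, hostName: 'portal.contoso.com', requireServerNameIndication: true } }
      { name: 'api', properties: { frontendIPConfiguration: { id: feId }, frontendPort: { id: portId }, protocol: 'Https', sslCertificate: { id: certId }, hostName: 'api.contoso.com', requireServerNameIndication: true } }
      { name: 'kibana', properties: { frontendIPConfiguration: { id: feId }, frontendPort: { id: portId }, protocol: 'Https', sslCertificate: { id: certId }, hostName: 'kibana.contoso.com', requireServerNameIndication: true } }
    ]
    // Path-based routing for the portal host: /images/* to the VMSS pool, everything else to AKS
    urlPathMaps: [
      {
        name: 'portalPaths'
        properties: {
          defaultBackendAddressPool: { id: aksPoolId }
          defaultBackendHttpSettings: { id: aksHttpId }
          pathRules: [
            { name: 'images', properties: { paths: [ '/images/*' ], backendAddressPool: { id: imagesPoolId }, backendHttpSettings: { id: aksHttpId } } }
          ]
        }
      }
    ]
    requestRoutingRules: [
      { name: 'portalRule', properties: { ruleType: 'PathBasedRouting', priority: 100, httpListener: { id: resourceId('${t}/httpListeners', gwName, 'portal') }, urlPathMap: { id: pathMapId } } }
      { name: 'apiRule', properties: { ruleType: 'Basic', priority: 200, httpListener: { id: resourceId('${t}/httpListeners', gwName, 'api') }, backendAddressPool: { id: aksPoolId }, backendHttpSettings: { id: aksHttpId } } }
      { name: 'kibanaRule', properties: { ruleType: 'Basic', priority: 300, httpListener: { id: resourceId('${t}/httpListeners', gwName, 'kibana') }, backendAddressPool: { id: kibanaPoolId }, backendHttpSettings: { id: kibanaHttpId } } }
    ]
  }
}
```

Two points worth checking after deployment. First, the three DNS names in the diagram must be CNAMEs to the public IP's DNS label rather than A records to the address, because a v2 gateway's IP can change if the gateway is stopped and started. Second, in this layout the only path from the internet to Kibana and to the AKS ingress is through the gateway, so the backend subnets' NSGs should admit traffic from the gateway subnet only; otherwise the WAF and TLS policy configured above can be bypassed by connecting to the backends directly. The shared `aksHttp` settings and probe are reused for the images pool to keep the example short; a real deployment gives each pool its own probe.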