
Application Gateway (Layer 7) in Azure - Commands & Configuration

Introduction
When you want to control and secure web traffic to your apps, an Application Gateway helps by managing traffic at the web level. It directs user requests to the right place and protects your apps from bad traffic.
When you want to balance web traffic across multiple servers to keep your app fast and available
When you need to block harmful web requests before they reach your app
When you want to route users to different parts of your app based on the web address they use
When you want to add SSL encryption to secure user data between them and your app
When you want to monitor and log web traffic to understand user behavior and troubleshoot issues
Config File - application-gateway.json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Network/applicationGateways",
      "apiVersion": "2023-02-01",
      "name": "myAppGateway",
      "location": "eastus",
      "properties": {
        "sku": {
          "name": "Standard_v2",
          "tier": "Standard_v2",
          "capacity": 2
        },
        "gatewayIPConfigurations": [
          {
            "name": "appGatewayIpConfig",
            "properties": {
              "subnet": {
                "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet"
              }
            }
          }
        ],
        "frontendIPConfigurations": [
          {
            "name": "appGatewayFrontendIP",
            "properties": {
              "publicIPAddress": {
                "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Network/publicIPAddresses/myPublicIP"
              }
            }
          }
        ],
        "frontendPorts": [
          {
            "name": "appGatewayFrontendPort",
            "properties": {
              "port": 80
            }
          }
        ],
        "backendAddressPools": [
          {
            "name": "appGatewayBackendPool",
            "properties": {
              "backendAddresses": [
                { "ipAddress": "10.0.1.4" },
                { "ipAddress": "10.0.1.5" }
              ]
            }
          }
        ],
        "backendHttpSettingsCollection": [
          {
            "name": "appGatewayBackendHttpSettings",
            "properties": {
              "port": 80,
              "protocol": "Http",
              "cookieBasedAffinity": "Disabled"
            }
          }
        ],
        "httpListeners": [
          {
            "name": "appGatewayHttpListener",
            "properties": {
              "frontendIPConfiguration": {
                "id": "[concat(resourceId('Microsoft.Network/applicationGateways', 'myAppGateway'), '/frontendIPConfigurations/appGatewayFrontendIP')]"
              },
              "frontendPort": {
                "id": "[concat(resourceId('Microsoft.Network/applicationGateways', 'myAppGateway'), '/frontendPorts/appGatewayFrontendPort')]"
              },
              "protocol": "Http"
            }
          }
        ],
        "requestRoutingRules": [
          {
            "name": "rule1",
            "properties": {
              "ruleType": "Basic",
              "priority": 100,
              "httpListener": {
                "id": "[concat(resourceId('Microsoft.Network/applicationGateways', 'myAppGateway'), '/httpListeners/appGatewayHttpListener')]"
              },
              "backendAddressPool": {
                "id": "[concat(resourceId('Microsoft.Network/applicationGateways', 'myAppGateway'), '/backendAddressPools/appGatewayBackendPool')]"
              },
              "backendHttpSettings": {
                "id": "[concat(resourceId('Microsoft.Network/applicationGateways', 'myAppGateway'), '/backendHttpSettingsCollection/appGatewayBackendHttpSettings')]"
              }
            }
          }
        ]
      }
    }
  ]
}

This JSON file is an Azure Resource Manager template that creates an Application Gateway named myAppGateway in the eastus region.

The sku defines the size and features of the gateway.

The gatewayIPConfigurations link the gateway to a subnet in a virtual network.

The frontendIPConfigurations set up a public IP address where users connect.

The frontendPorts define which port listens for web traffic (port 80 for HTTP).

The backendAddressPools list the IP addresses of servers that will receive the traffic.

The backendHttpSettingsCollection defines how to connect to backend servers.

The httpListeners listen for incoming requests on the frontend IP and port.

The requestRoutingRules connect listeners to backend pools, directing traffic properly.
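The template above listens on plain HTTP, forwards to the backends over HTTP and uses the Standard_v2 tier, so as written it does not yet provide the SSL encryption or request blocking listed in the introduction. The audit below is an added example, not part of the original page or of any Azure tooling; the function names and finding labels are hypothetical, and the sample input is constructed from the fields of this page's template.

```python
def ref_name(ref):
    """Last path segment of a sub-resource id; works for full ids and [concat(...)] expressions."""
    return ref["id"].rstrip("')]").rsplit("/", 1)[-1]

def audit_gateway(resource):
    """Return (finding, name) pairs for one Microsoft.Network/applicationGateways resource."""
    props, findings = resource["properties"], []
    if not props["sku"]["tier"].startswith("WAF"):
        findings.append(("no-waf", props["sku"]["tier"]))  # Standard tiers have no web application firewall
    rules = {ref_name(r["properties"]["httpListener"]): r["properties"]
             for r in props.get("requestRoutingRules", [])}
    for listener in props.get("httpListeners", []):
        name, lp = listener["name"], listener["properties"]
        rule = rules.get(name)
        if rule is None:
            findings.append(("listener-without-rule", name))
        if lp["protocol"].lower() == "http":
            # A plaintext listener is acceptable only when its rule just redirects (e.g. to HTTPS).
            if rule is None or "redirectConfiguration" not in rule:
                findings.append(("plaintext-listener", name))
        elif "sslCertificate" not in lp:
            findings.append(("https-without-certificate", name))
    for settings in props.get("backendHttpSettingsCollection", []):
        if settings["properties"]["protocol"].lower() == "http":
            findings.append(("plaintext-backend", settings["name"]))
    return findings

GW = "[concat(resourceId('Microsoft.Network/applicationGateways', 'myAppGateway'), "

# Constructed sample: only the audited fields, copied from the template on this page.
PAGE_GATEWAY = {"properties": {
    "sku": {"name": "Standard_v2", "tier": "Standard_v2", "capacity": 2},
    "httpListeners": [{"name": "appGatewayHttpListener", "properties": {"protocol": "Http"}}],
    "backendHttpSettingsCollection": [
        {"name": "appGatewayBackendHttpSettings", "properties": {"port": 80, "protocol": "Http"}}],
    "requestRoutingRules": [{"name": "rule1", "properties": {
        "httpListener": {"id": GW + "'/httpListeners/appGatewayHttpListener')]"}}}],
}}

if __name__ == "__main__":
    for finding, name in audit_gateway(PAGE_GATEWAY):
        print(f"{finding}: {name}")
```

To audit a real file, pass each entry of the template's resources array whose type is Microsoft.Network/applicationGateways to audit_gateway.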

Commands
This command creates an Azure Application Gateway named myAppGateway in the myResourceGroup resource group. It sets the size to Standard_v2 with 2 instances, connects it to the myVnet virtual network and mySubnet subnet, and assigns the public IP myPublicIP for users to access.
Terminal
az network application-gateway create --name myAppGateway --resource-group myResourceGroup --location eastus --sku Standard_v2 --capacity 2 --vnet-name myVnet --subnet mySubnet --public-ip-address myPublicIP
Expected Output
{ "frontendIpConfigurations": [ { "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Network/applicationGateways/myAppGateway/frontendIPConfigurations/appGatewayFrontendIP", "properties": { "privateIpAddress": null, "publicIpAddress": { "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Network/publicIPAddresses/myPublicIP" } }, "name": "appGatewayFrontendIP" } ], "gatewayIPConfigurations": [ { "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Network/applicationGateways/myAppGateway/gatewayIPConfigurations/appGatewayIpConfig", "properties": { "subnet": { "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet" } }, "name": "appGatewayIpConfig" } ], "location": "eastus", "name": "myAppGateway", "sku": { "capacity": 2, "name": "Standard_v2", "tier": "Standard_v2" }, "resourceGroup": "myResourceGroup", "type": "Microsoft.Network/applicationGateways" }
--sku - Defines the size and features of the Application Gateway
--capacity - Sets the number of instances for load balancing
--public-ip-address - Assigns the public IP for user access
This command updates the backend HTTP settings of the Application Gateway so that it connects to backend servers on port 80 using the HTTP protocol, and disables cookie-based affinity for simple load balancing.
Terminal
az network application-gateway http-settings update --gateway-name myAppGateway --resource-group myResourceGroup --name appGatewayBackendHttpSettings --port 80 --protocol Http --cookie-based-affinity Disabled
Expected Output
{ "name": "appGatewayBackendHttpSettings", "properties": { "port": 80, "protocol": "Http", "cookieBasedAffinity": "Disabled" } }
--port - Specifies the port to connect to backend servers
--protocol - Sets the protocol used to communicate with backend servers
This command creates a routing rule named rule1 that connects the HTTP listener to the backend address pool using the specified backend HTTP settings. It directs incoming web traffic to the backend servers.
Terminal
az network application-gateway rule create --gateway-name myAppGateway --resource-group myResourceGroup --name rule1 --http-listener appGatewayHttpListener --rule-type Basic --address-pool appGatewayBackendPool --http-settings appGatewayBackendHttpSettings
Expected Output
{ "name": "rule1", "properties": { "ruleType": "Basic", "httpListener": { "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Network/applicationGateways/myAppGateway/httpListeners/appGatewayHttpListener" }, "backendAddressPool": { "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Network/applicationGateways/myAppGateway/backendAddressPools/appGatewayBackendPool" }, "backendHttpSettings": { "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Network/applicationGateways/myAppGateway/backendHttpSettingsCollection/appGatewayBackendHttpSettings" } } }
--rule-type - Defines the type of routing rule (Basic or Path-based)
This command shows the current configuration and status of the Application Gateway to verify it was created and configured correctly.
Terminal
az network application-gateway show --name myAppGateway --resource-group myResourceGroup
Expected Output
{ "name": "myAppGateway", "location": "eastus", "sku": { "name": "Standard_v2", "tier": "Standard_v2", "capacity": 2 }, "provisioningState": "Succeeded", "operationalState": "Running" }
Key Concept

If you remember nothing else from this pattern, remember: Application Gateway manages and routes web traffic securely and efficiently at the web (Layer 7) level.

Common Mistakes
Not assigning a public IP address to the Application Gateway frontend configuration
Without a public IP, users cannot reach the Application Gateway from the internet.
Always create or assign a public IP address and link it to the frontend IP configuration.

Using mismatched ports between frontend listener and backend HTTP settings
Traffic will fail to route correctly if ports do not match between listener and backend settings.
Ensure frontend listener port and backend HTTP settings port are consistent.

Forgetting to create routing rules connecting listeners to backend pools
Without routing rules, the Application Gateway does not know where to send incoming requests.
Always create routing rules that link HTTP listeners to backend address pools and HTTP settings.

Summary
Create the Application Gateway with proper SKU, subnet, and public IP to accept web traffic.
Configure backend HTTP settings to define how the gateway connects to backend servers.
Create routing rules to connect frontend listeners to backend pools for traffic routing.
Verify the Application Gateway status and configuration to ensure it is running correctly.