Skip to content

App Gateway (L7 LB + WAF)


Azure Load Balancer could load balance any TCP/UDP traffic to the backend servers; however, Azure Application Gateway is designed to distribute the incoming web requests to a web application (using HTTP). Unlike Azure Load Balancer, which operates at layer 4, or the Transport layer, Application Gateway uses layer 7, or the Application layer, routing to route the traffic to the backend web applications.

OSI Layer AWS Azure
L4 Network LB Azure LB
L7 Application LB App Gateway

Since Application Gateway is operating at layer 7, the IP addresses of the backend servers are not considered; rather, hostnames and paths are used for routing.

Unlike typical load balancers that function at Layer 4 and route traffic based on the source IP address and port, Azure Application Gateway makes routing choices based on additional parameters of an HTTP request, such as URI path or host headers. It is a very helpful and valuable tool for web traffic managers, and it operates similarly to the AWS Application Gateway.

Using sticky sessions

If you would like to implement session stickiness, Application Gateway supports that as well. Using session stickiness, you can override the default round-robin fashion, and client requests in the same session will be routed to the same backend server.


  • Supported protocols: It supports HTTP, HTTPS, HTTP/2, and WebSocket.
  • WAF support: Web Application Firewall can be incorporated with Application Gateway to protect web applications.
  • Encryption: It supports end-to-end request encryption.
  • Autoscaling: You can dynamically scale Application Gateway to handle traffic spikes.
  • Redirection: Traffic can be redirected to another site or from HTTP to HTTPS.
  • Rewrite HTTP headers: It allows passing additional information with the request or response.


  • Frontend IP
  • HTTP/HTTPs Listner
  • Routing Rules
    • HTTP Settings
  • Backend Pool
    • Health Probes

Frontend IP

The IP address connected to an application gateway is known as the “frontend IP address.” You can set up an application gateway to have a private IP address, a public IP address, or both. An application gateway supports one private or one public IP address.


There can be multiple listeners linked to an application gateway, and they can be utilized for the same protocol. When a listener detects incoming client requests, the application gateway directs them to members of the backend pool specified in the rule.

They are used for port, protocol and certificate configurations

Routing rules

When a listener receives a request, the request routing rule either passes it to the backend or redirects it to another location. If the request is sent to the backend, the request routing rule specifies which backend server pool it should be routed to. The request routing rule also specifies whether the headers of the request are to be modified. One listener can be assigned to one rule.

Backend Pool

A backend pool directs requests to backend servers, who serve the requests. Backend pools can contain

  1. VMSS
  2. VM
  3. App Service

Health Probes

Application gateway checks the health of all resources in its backend pool and eliminates unhealthy ones automatically. When sick instances become available, it monitors them and adds them back to the healthy backend pool, as well as responding to health probes.

Routing methods

Path/URL based

As shown in the below image, for path-based routing, the Application Gateway inspects the URL paths and then routes the traffic to the different backend pools. For example, you can direct the requests with the path /images/* to the backend pool containing the image documents. Similarly, all URLs containing the path /videos/* can be routed to the backend servers optimized for video streaming.

Re-write HTTP headers + URL

Application Gateway allows you to rewrite selected content of requests and responses. With this feature, you can translate URLs, query string parameters as well as modify request and response headers. It also allows you to add conditions to ensure that the URL or the specified headers are rewritten only when certain conditions are met.

Multi-site hosting

Multiple site hosting enables you to configure more than one web application on the same port of application gateways using public-facing listeners. It allows you to configure a more efficient topology for your deployments by adding up to 100+ websites to one application gateway. Each website can be directed to its own backend pool. For example, three domains,,, and, point to the IP address of the application gateway. You'd create three multi-site listeners and configure each listener for the respective port and protocol setting.

Was this page helpful?