Welcome to this lesson on designing Azure Application Gateway. Azure Application Gateway is a Layer 7 (application-layer) load balancer from Microsoft that delivers intelligent HTTP/HTTPS routing, SSL termination (offloading), web application firewall (WAF) protection, and advanced routing capabilities such as path-based and host-based routing. It is commonly used to secure and scale web applications in Azure, terminate TLS at the edge, and apply WAF rules to protect applications from common web vulnerabilities.

In this lesson you’ll learn to:
  • Understand core Application Gateway concepts: SSL offloading, cookie-based affinity, connection draining, and integration with Azure WAF.
  • Examine how Application Gateway processes requests through listeners, routing rules, HTTP settings, and backend pools — and how these components work together to direct traffic.
  • Choose the right SKU and tier for your scenario by comparing Standard, Standard_v2, WAF, and WAF_v2 SKUs with respect to features, autoscaling, performance, and security.
  • Plan real-world deployments including high availability, autoscaling, network integration (VNet, subnets, and user-defined routes), and common security patterns.
This lesson focuses on conceptual design and decision-making for Application Gateway. It does not include step-by-step deployment commands or ARM/Bicep templates, but it will help you design the right architecture before you implement it.

Key concepts at a glance

  • Layer 7 load balancing — routes based on URL path, hostname, headers, and more.
  • SSL termination (TLS offloading) — decrypts traffic at the gateway and forwards to backend in plain HTTP or re-encrypted HTTPS.
  • Web Application Firewall (WAF) — protects against common threats like SQL injection and XSS (available in WAF SKUs).
  • Listeners, rules, HTTP settings, and backend pools — the primary building blocks used to define how requests are handled and where they are forwarded.
  • Affinity and draining — cookie-based session affinity preserves client sessions; connection draining ensures graceful backend updates.
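
The building blocks above can be modelled in a few lines to see how a request is resolved and which routes leave the gateway unencrypted. This is an added example, not part of the original lesson or Microsoft's code; the class names, host names, addresses, and the simplified prefix matching with first-match ordering are assumptions of this model.

```python
from dataclasses import dataclass, field

@dataclass
class HttpSettings:               # how the gateway connects to the backend
    protocol: str                 # "Http" = TLS ends at gateway, "Https" = re-encrypted
    port: int
    cookie_affinity: bool = False

@dataclass
class PathRule:
    prefix: str                   # simplified prefix match, e.g. "/images/"
    pool: list
    settings: HttpSettings

@dataclass
class Listener:
    host: str
    default_pool: list
    default_settings: HttpSettings
    path_rules: list = field(default_factory=list)  # first match wins (model assumption)

def route(listeners, host, path):
    """Return (pool, settings) for a request, or None when no listener matches."""
    for lst in listeners:
        if lst.host.lower() != host.lower():
            continue
        for rule in lst.path_rules:
            if path.startswith(rule.prefix):
                return rule.pool, rule.settings
        return lst.default_pool, lst.default_settings
    return None

def plaintext_hops(listeners):
    """Routes whose gateway-to-backend hop is unencrypted HTTP."""
    hops = []
    for lst in listeners:
        for rule in lst.path_rules:
            if rule.settings.protocol == "Http":
                hops.append((lst.host, rule.prefix))
        if lst.default_settings.protocol == "Http":
            hops.append((lst.host, "/"))
    return hops

# Constructed sample design (host names and addresses are illustrative).
REENCRYPT = HttpSettings("Https", 443, cookie_affinity=True)
OFFLOAD = HttpSettings("Http", 80)
LISTENERS = [
    Listener("shop.example.com", ["10.0.1.4", "10.0.1.5"], REENCRYPT,
             [PathRule("/images/", ["10.0.2.4"], OFFLOAD)]),
    Listener("api.example.com", ["10.0.3.4"], REENCRYPT),
]
```

Running plaintext_hops over a planned design is a quick way to review every route where TLS offloading leaves traffic in the clear inside the VNet before deciding whether that is acceptable.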

SKU and tier comparison

Choosing the correct SKU affects features, autoscaling behavior, performance, and security. Use the table below to quickly compare the available SKUs.

| SKU | Key features | Autoscaling | Typical use case |
|---|---|---|---|
| Standard | Basic Layer 7 capabilities, path/host-based routing, SSL offload | No | Small to medium workloads that need basic L7 routing |
| Standard_v2 | Higher performance, zone redundancy, simplified configuration, faster provisioning | Yes (autoscaling) | Production workloads needing autoscaling and higher throughput |
| WAF | Standard features + Web Application Firewall (WAF) v1 | No | Workloads that require WAF protection but not autoscaling |
| WAF_v2 | WAF v2, autoscaling, zone redundancy, performance improvements | Yes (autoscaling) | Production web apps requiring autoscaling and advanced WAF features |

For in-depth technical details and the latest limits/pricing, refer to:

What you’ll get from this lesson

By the end of this lesson you should be able to:
  • Describe the role of listeners, rules, HTTP settings, and backend pools and map them to real routing needs.
  • Decide whether to terminate TLS at the gateway or re-encrypt to backend nodes.
  • Select the appropriate SKU and size based on expected throughput, scalability needs, and required security controls.
  • Identify network and HA considerations for deploying Application Gateway within a VNet (subnet planning, UDRs, NSGs) and integrating with other Azure services.
Next, we’ll break down how Application Gateway processes a request step-by-step and walk through design patterns for common scenarios.