Application Gateway
Service 26

Networking · L7

Application Gateway is a Layer 7 load balancer for web traffic inside a region. It routes by URL path and host header, terminates TLS, and runs an optional Web Application Firewall — the regional ingress that sits in front of web applications in a VNet. Where Load Balancer moves packets, Application Gateway understands HTTP.

It is regional, not global. For a single-region web app it is the right ingress; for a multi-region application or edge caching you put Front Door in front, and Application Gateway may still serve as the regional origin. Choosing between them is a question of regional versus global, not better versus worse.

Routing

Request routing rules direct traffic by URL path (path-based routing — /api to one pool, /images to another) and by host header (multi-site hosting — several domains behind one gateway). This is what lets a single gateway front a microservice backend or several sites, routing each request to the right backend pool.

TLS Termination

Application Gateway terminates TLS at the edge, offloading decryption from the backends and centralizing certificate management — and it can re-encrypt to the backend for end-to-end TLS where compliance requires the traffic encrypted all the way. Integration with Key Vault lets the gateway pull and auto-rotate certificates rather than holding them inline.

Web Application Firewall

The WAF SKU adds managed protection against the OWASP Top 10 and bots, inspecting requests before they reach the backend. It runs in detection mode (log only) or prevention mode (block), and the managed rule sets update as new threats emerge. The WAF is the main reason to choose Application Gateway over a plain Layer 4 balancer for a public web app.
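A WAF policy illustrating the detection-versus-prevention switch described above, as an added Bicep example that is not part of the original page; the policy name, the rule set versions used, and the wafMode parameter are assumptions:

```bicep
// Added example (not from the page): a WAF policy for an Application Gateway v2.
// Assumed: the policy name 'appgw-waf-policy' and the 'wafMode' parameter.
// Deploy first with 'Detection', review the WAF logs and tune exclusions, then
// redeploy with 'Prevention' so matching requests are blocked rather than only logged.
@allowed([
  'Detection'
  'Prevention'
])
param wafMode string = 'Detection'
param location string = resourceGroup().location

resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2023-05-01' = {
  name: 'appgw-waf-policy'
  location: location
  properties: {
    policySettings: {
      state: 'Enabled'
      mode: wafMode          // 'Detection' = log only; 'Prevention' = block
      requestBodyCheck: true // inspect POST bodies, not just headers and URL
    }
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'OWASP'                       // managed OWASP Core Rule Set
          ruleSetVersion: '3.2'                      // assumed version
        }
        {
          ruleSetType: 'Microsoft_BotManagerRuleSet' // managed bot protection
          ruleSetVersion: '1.0'                      // assumed version
        }
      ]
    }
  }
}

// The gateway resource attaches this policy via properties.firewallPolicy.id.
output wafPolicyId string = wafPolicy.id
output effectiveMode string = wafMode
```

Redeploying with `wafMode: 'Prevention'` is the step that turns logging into blocking; a policy left at the default above never blocks anything.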

Autoscaling and Health

The v2 SKU autoscales instance capacity with traffic and is zone-redundant; the older fixed-capacity v1 SKU was retired on 28 April 2026. Backend health probes remove unhealthy targets from rotation, as with Load Balancer. Use v2 for every deployment to get autoscaling, zone redundancy, and the current feature set.

Application Gateway vs Front Door

Application Gateway — Regional Layer 7 ingress inside a VNet, with WAF and path/host routing. Choose it for a single-region web app or as a regional origin.

Front Door — Global Layer 7 entry at the edge, with anycast routing, caching, and edge WAF. Choose it for multi-region apps and content delivery.

Common Mistakes

  • Using Application Gateway for global, multi-region traffic where Front Door's edge anycast and caching belong in front.
  • Still running the retired v1 SKU (retired April 2026) instead of migrating to the autoscaling, zone-redundant v2.
  • Running the WAF in detection mode indefinitely and assuming it is blocking — detection only logs; prevention blocks.
  • Holding TLS certificates inline and rotating them by hand instead of integrating with Key Vault.
  • Skipping end-to-end TLS where compliance requires encryption to the backend, terminating at the gateway and sending plaintext onward.
  • Misconfiguring backend health probes so healthy targets are dropped or unhealthy ones keep receiving traffic.

Best Practices

  • Use the v2 SKU for autoscaling, zone redundancy, and the current feature set.
  • Put Front Door in front for global apps; use Application Gateway as the regional ingress or origin.
  • Enable the WAF in prevention mode for public web apps, after tuning rules in detection mode.
  • Integrate certificates with Key Vault for centralized storage and automatic rotation.
  • Use end-to-end TLS (re-encryption to the backend) where the data path must stay encrypted.
  • Configure backend health probes against a real health endpoint.

Comparable services

  • AWS Application Load Balancer
  • GCP Application Load Balancer

Knowledge Check

What distinguishes Application Gateway from Azure Load Balancer?

  • It works at Layer 7 — URL/host routing, TLS termination, and an optional WAF
  • It is deployed globally with anycast rather than scoped to a single Azure region
  • It only handles raw UDP datagram traffic and never HTTP
  • It cannot terminate TLS and only forwards encrypted bytes

A WAF is configured in detection mode. What is it doing?

  • Logging matching requests only — it must be in prevention mode to block them
  • Actively blocking and logging every matching request from the OWASP Top 10 attack set
  • Encrypting traffic on the hop to the backend pool
  • Autoscaling the gateway instance count under load

When should Front Door sit in front of Application Gateway?

  • For global, multi-region apps needing edge anycast routing and caching, with App Gateway as the regional origin
  • For any single-region web app that already serves all of its users from just one regional deployment in one place
  • Whenever the backend pool uses end-to-end TLS encryption
  • Only when the gateway's WAF policy is disabled
