Azure Application Gateway

Paco Sepulveda
June 30, 2020

On a previous post, we talked about Azure Load Balancer: as a tool to distribute requests between multiple virtual machines or Azure services.


Azure Load Balancer can distribute the load using both origin/destination IP addresses and ports. On the other hand, Azure Application Gateway is able to distribute the load based on the 7 layers of the OSI model. With this, we will be able as an example,  distribute the load depending on the requests target URL.

We can see a diagram of this functionality below:



Behind our Application Gateway, we have two web servers that deliver different pages. The first one for the domain “Adatum”, and the second one for the “Contoso” domain. The Application Gateway has a single public IP address on which it will receive the clients requests. The request will be either sent to Adatum server or Contoso server depending on the defined rules.


Azure Application Gateway also includes features such as: SSL termination or WAF (Web Application Firewall), which we will talk about on different posts.


This time we will implement a structure like the one shown on the previous diagram, on which we will have 2 web servers (Ubuntu Virtual Machines instances with Apache installed), that will be part of the Application Gateway backend. We will create the required rules so when a petition is made to, it will be sent to Server 1, and when a petition is made to, the petition will be sent to Server 2 instead.

We already have a resource group named RG-AppGW and two ubuntu Virtual Machines.

On these VMs (Virtual Machines) we have already installed Apache, and customized the index.html file.


On the same Virtual network on which we are deploying the infrastructure, we will create a subnet that will be used by the Application Gateway, a 28 bits range is enough for this.

Then, we can proceed to create the Application Gateway. When doing it we will find 4 different options: Standard, Standard V2, WAF and WAF V2.

The V2 SKU items have features like autoscaling, redundancy between multiple availability zones, performance improvements among others that we can check on the following link:

Also, the billing mode with the v2 items has been changed; now, it does not depend on the amount of instances or its size, but on its usage.

On the region that we will use to do our deployments the prices are:



Where each Capacity Unit is equivalent to 50 connections per second with a 2048 bits RSA TLS certificate, or 2500 persistent connections with a 2.22 Mbps bandwidth each.



 We will create the Application Gateway with the following settings:

Select Public as Fronted IP address type.

After that, we add Server 1 as our first backend target.

Then Server 2 as the second target:

We will end up with this:

And we add the necessary rules for traffic distribution:

We add a rule for

We set the listener type as: “Multiple sites” because we will host both and behind the Gateway.


Then we define a HTTP Setting for this rule:

Along with a backend target, which is Server 1 on this case:

We do the same for Server 2:


With this done, we will be able to deploy the Application Gateway, what will take a couple of minutes.

In order to check that the rules are functioning correctly, and as we do not own neither the nor the domains to redirect them to our Application Gateway, we can modify our hosts file. If we have a Windows computer, we need to edit the file under %systemroot%\System32\drivers\etc, then we add the next lines replacing the IP with the one from our Application Gateway.


This way, we can be sure that the traffic will be redirected to the correct backend server depending on the request URL:

We can also monitor the Application load balancer activity.



Translated by Josué Padilla.

Paco Sepulveda

In February I will be working as a freelance consultant and trainer for 19 years.

I am currently responsible for networks and security in a company that offers telemedicine services for hospitals in the Community of Madrid and for the Army and Navy. For this company I have implemented all the cloud infrastructure.

I work in the morning teaching the Azure MCSE in Tajamar and I also occasionally give tailor-made training for companies in systems, network and security architecture.

I have the following certifications:

- LPIC-1 and LPIC-2

- ITIL v3 Foundation


- Microsoft: MCT, MCSE Cloud Platform and Infrastructure, MCSA Windows Server 2012 and 2016, MCSE Private Cloud.

The first Microsoft certification was obtained in 2009 with the MCSE Windows Server 2003 and then the MCITP Windows Server 2008.

Keep Reading


Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form