Azure Network: Azure Load Balancer & Azure Application Gateway

Azure Load Balancer is a key networking service that enables you to automatically distribute incoming and outgoing network traffic across a group of healthy backend resources, such as virtual machines (VMs). It operates at the Transport Layer (Layer 4) and supports high-throughput, low-latency scenarios for both TCP and UDP applications.

• High Availability: Provides fault tolerance by distributing traffic across multiple instances in one or more availability zones, ensuring continuous app performance.
• Types (SKUs): Offers two main SKUs:
  • Basic: For small-scale or test workloads without advanced features such as zone redundancy.
  • Standard: Recommended for production workloads with improved performance, extensive diagnostics, and higher reliability.
• Core Components:
  • Frontend IP Configuration: The public or private IP address load balancer uses to receive traffic.
  • Backend Pool: A set of VMs or endpoints that process the incoming traffic.
  • Health Probes: Check the health of each resource in the backend pool and ensure only healthy instances receive traffic.
  • Load Balancing Rules: Define how traffic is distributed from frontends to backend pools based on protocol and port.
  • Inbound/Outbound Rules: Manage inbound NAT for individual VMs and define outbound connectivity for backend resources.
• Protocols Supported: Handles TCP and UDP traffic, making it suitable for both web and non-web workloads.
• Scalability: Designed to support millions of concurrent flows and scale seamlessly as demand grows.
• Use Cases:
  • Distributing load for web servers, database servers, or VPN gateways
  • Providing outbound internet connectivity for VMs in private subnets
  • Ensuring resilience during planned or unplanned maintenance events

Below are some of the most important features that set Azure Load Balancer and Azure Application Gateway apart for managing traffic and ensuring application reliability in Azure environments:

Azure Load Balancer

• High Availability & Reliability: Ensures continuous app performance by routing traffic only to healthy backend instances, even across availability zones.
• Scalability: Can handle millions of active TCP and UDP connections for large-scale applications and automatically scales alongside demand.
• Low Latency & High Throughput: Pass-through design enables minimal latency and high-speed data transfers.
• Health Probes: Continuously checks the health of backend servers and removes unhealthy resources from traffic rotation[1][5].
• Flexible Configuration: Supports multiple ports, multiple IP addresses, inbound/outbound connectivity, and port forwarding.
• Session Persistence: Optionally directs repeated client requests in a session to the same backend resource when needed[2].
• IPv6 & Hybrid Connectivity: Supports IPv6 traffic and integration with on-premises networks through VPN or ExpressRoute connections[5].
• Integration with Azure Services: Works seamlessly with VM Scale Sets, automating horizontal scaling for backend resources[5].

Azure Application Gateway

• Layer 7 (Application Layer) Routing: Makes routing decisions based on URLs, host headers, and HTTP parameters to provide advanced, application-aware traffic management[10][6].
• SSL/TLS Termination: Offloads SSL decryption at the gateway, improving backend server performance and simplifying certificate management[6].
• Web Application Firewall (WAF): Offers built-in protection against common web attacks and aligns with OWASP Top 10 security risks[6][10].
• Autoscaling & Zone Redundancy: Automatically scales as traffic changes and can be distributed across multiple availability zones for higher resilience[15][12].
• Multi-site Hosting & Path-Based Routing: Supports hosting multiple websites with rules for URL path-based traffic distribution[14].
• Session Affinity: Ensures that user sessions persist on the same backend server to maintain context and improve experience[8].
• Redirection and URL Rewrite Rules: Enable HTTP to HTTPS redirection and advanced URL rewriting for user-friendly navigation and security.
• Metrics & Monitoring: Deep integration with Azure Monitor and Log Analytics for actionable insights and optimization[6].

Azure networking offers different Types and SKUs for both the Load Balancer and Application Gateway, allowing you to choose features and scalability that fit your needs.

Azure Load Balancer SKUs

• Basic SKU:
  • Designed for small-scale, dev/test scenarios.
  • Supports basic Layer 4 load balancing for TCP/UDP.
  • Single availability zone (no zone redundancy).
  • No built-in diagnostics or advanced networking features.
  • Limited SLA guarantee.
• Standard SKU:
  • Recommended for production workloads.
  • Supports both regional and cross-zone load balancing.
  • Offers higher scale, improved security, and more backend instances.
  • Includes advanced diagnostics and health monitoring.
  • Provides a higher SLA with zone redundancy options.
  • Mandatory for integration with VM scale sets, public IP prefixes, and outbound rules.

Azure Application Gateway SKUs (Tiers)

• Standard Application Gateway:
  • Provides basic Layer 7 load balancing for web traffic (HTTP/HTTPS).
  • Supports SSL offload, URL-based routing, and session affinity.
• WAF (Web Application Firewall) Application Gateway:
  • Includes all Standard features plus integrated web application firewall for OWASP Top 10 protection.
  • Supports both Detection and Prevention WAF modes.
• v2 SKUs (Standard_v2 & WAF_v2):
  • Next-generation platform with autoscaling, zone redundancy, faster deployment, and enhanced performance.
  • Supports end-to-end SSL, header rewrite, and trusted client certificates.
  • Enables deeper diagnostics and cost-efficient scaling based on real-time demand.
  • Recommended for enterprise and mission-critical scenarios.

Choosing the Right SKU:
When deciding between SKUs, consider the required scale, feature set, security needs, and SLA for your production environment.

Understanding when to use Azure Load Balancer and Azure Application Gateway helps you design scalable, secure, and resilient cloud applications. Here are the most common use cases for each:

Azure Load Balancer Use Cases

• Distributing Network Traffic Across VMs: Spreads incoming client or application traffic evenly across multiple virtual machines to ensure consistent performance and avoid overloading a single resource.
• Providing Outbound Internet Connectivity: Allows VMs in a private subnet to reach the internet via NAT (Network Address Translation) without exposing individual IP addresses.
• Enabling High Availability: Maintains application uptime by directing traffic only to healthy instances, helping to prevent downtime during updates or failures.
• Multi-Tier Application Design: Efficiently routes traffic between frontend, application, and database tiers in complex architectures.
• Supporting Both Internal and Public Load Balancing: Can be used for both internet-facing applications and internal business apps within a secure network.
• Serving Non-HTTP(S) Workloads: Handles protocols such as SMTP, RDP, or custom TCP/UDP applications.

Azure Application Gateway Use Cases

• Advanced Web Traffic Management: Distributes HTTP/HTTPS traffic based on URL path, host header, or other HTTP(S) properties for optimal routing to web apps and APIs.
• Securing Web Applications with WAF: Protects against threats like SQL injection and XSS by enabling a web application firewall (WAF) in front of your applications.
• SSL Termination and Centralized Certificate Management: Offloads SSL/TLS operations from backend servers, simplifying encryption and boosting backend performance.
• Hosting Multiple Websites: Allows multiple domains/subdomains to share a single gateway, each with custom routing logic and security policies.
• Session Affinity for State-Dependent Apps: Ensures user sessions stay connected to the same backend server (useful for shopping carts, portals, etc.).
• Path-Based Routing for Microservices: Directs requests to specific backend pools based on URL paths—ideal for container-based or microservice applications.
• HTTP to HTTPS Redirection: Forces secure connections, helping you comply with security policies or regulatory requirements.

Summary: Decide which service is best for your scenario—Azure Load Balancer excels at fast, protocol-level traffic distribution, while Azure Application Gateway is ideal for intelligent, application-aware routing, security, and advanced web workloads.

Azure Application Gateway is a web traffic load balancer that operates at the Application Layer (OSI Layer 7). It is designed to manage HTTP(S) traffic with intelligent routing, deep packet inspection, and integrated security features. Unlike traditional load balancers, it can make routing decisions using details from HTTP requests, such as URL paths and host headers, providing sophisticated control for modern web applications[2][6].

• Core Components:
  • Frontend IP Configuration: The point of entry for client requests. Can be set as a public or private IP address based on whether you need internet-facing or internal application access[4][14].
  • Listeners: Entities that monitor for incoming traffic on specified ports and protocols. They bind with SSL certificates for secure communication and determine how client requests are received[4][6].
  • Routing Rules: Direct how incoming requests are forwarded to backend pools based on HTTP properties like path or host header. They link listeners to backend resources and define the logic for distributing traffic[1][6][14].
  • Backend Pools: Groups of servers (Azure VMs, App Service, VM scale sets, or external resources) that process the application traffic[1][6].
  • HTTP Settings: Define how requests are sent to backend pool members, including protocol (HTTP/HTTPS), port, cookie-based affinity, and custom probe settings[1][14].
  • Health Probes: Regularly check the health of backend instances and help route traffic only to healthy targets to boost reliability[1][4].
• How It Works:
  • The gateway receives a client request at its frontend IP.
  • A listener processes the request and applies associated SSL certificates if using HTTPS.
  • Routing rules determine which backend pool should receive the request, possibly using URL path or host header values.
  • HTTP settings define how the request is relayed to backend servers.
  • Health probes monitor the backend servers; only healthy servers receive traffic[1][6].
• Deployment Scenarios:
  • Web traffic routing with advanced Layer 7 policies
  • Centralized SSL termination and certificate management
  • Protecting applications with integrated Web Application Firewall (WAF)
  • Multi-site hosting and path-based routing for microservices and APIs[2][10]

Azure Application Gateway supports both v1 and v2 SKUs, with v2 offering advanced features like autoscaling, zone redundancy, and improved performance for enterprise-grade deployments.

Both Azure Load Balancer and Azure Application Gateway have foundational building blocks that define how they function and provide advanced traffic management in Azure environments.

Azure Load Balancer Core Components

• Frontend IP Configuration: The entry point for network traffic. Can be configured with a public or private IP address, determining whether the load balancer is internet-facing or internal[1][2][9].
• Backend Pool: A group of Azure resources (such as VMs or VM scale sets) that receive traffic from the load balancer. Backend pools can dynamically scale as resources are added or removed[1][2][9].
• Health Probes: Actively check the status and health of backend instances by probing application endpoints. Only healthy resources receive new traffic, maintaining high availability[1][2][5].
• Load Balancing Rules: Define how traffic is distributed from the frontend IP to the backend pool based on protocol and port. Also enable flexible configurations such as high-availability ports[1][2][13].
• Inbound NAT Rules: Allow you to configure Network Address Translation so specific ports on the frontend IP are mapped to ports on individual backend machines for targeted access scenarios[1][2].

Azure Application Gateway Core Components

• Frontend IP Addresses: The virtual IP address used as the gateway’s network entry point. Can be public or private, supporting both web-facing and internal applications[6][12][15].
• Listeners: Logical entities that monitor for incoming connection requests on a specific IP, port, and protocol. Must be configured to accept client requests and can be linked with SSL certificates for HTTPS[6][12][15].
• Request Routing Rules: Control how client requests received by listeners are forwarded to backend pools. Rules can use HTTP attributes like URL path and host headers for advanced traffic management[12][15].
• HTTP Settings: Define communication details to backend pool members (protocol, port, affinity, custom probes). Customize how requests are relayed from the gateway to backend servers[8][15].
• Backend Pools: Collections of backend resources—VMs, VM scale sets, App Services, or external endpoints—that process application traffic[6][8][15].
• Health Probes: Regular tests sent to backend servers to ensure only healthy endpoints receive client requests, improving application resilience[6][8][15].

To help you get started, here’s a walkthrough for deploying and configuring both Azure Load Balancer and Azure Application Gateway.
Follow these step-by-step instructions to build robust traffic management for your cloud-based workloads.

Azure Load Balancer: Step-by-Step

1. Log in to Azure Portal:
   Access portal.azure.com and sign in with your Azure credentials[5].
2. Create a Load Balancer Resource:
   
   • Use the search bar to find “Load Balancers” and click Create.
   • On the Basics tab, select your Subscription, Resource Group, Name your balancer, select Region, and choose SKU (Standard recommended for most scenarios).
   • Decide on Load Balancer Type: Public for internet-facing, Internal for internal apps.
3. Configure Frontend IP:
   Add a frontend IP configuration (Public IP for public, Private IP for internal). Name it and choose an address assignment method.
4. Set Up Backend Pool:
   
   • Create a backend pool with the virtual machines or VM scale sets that will handle the traffic.
   • Add the intended backend resources.
5. Add Health Probes:
   Define how the load balancer checks the health of the backend (protocol, port, probe interval).
6. Create Load Balancing Rules:
   Define rules that map frontend IP/protocol/port to backend pool and configure with the health probe.
7. Review and Create:
   Verify all configurations, then click Create to deploy your load balancer.
8. Test the Configuration:
   Use the load balancer’s public IP to verify traffic reaches backend VMs. Try stopping a VM to confirm health probe/routing works as expected[1][5].

Azure Application Gateway: Step-by-Step

1. Prepare Prerequisites:
   Ensure you have a resource group, at least one virtual network with subnets (one for gateway, one for backends), and backend servers ready[6][10].
2. Create an Application Gateway:
   
   • In the portal, choose Create a resource > Networking > Application Gateway.
   • Fill out the Basics tab: Resource group, gateway name, region, and tier/SKU (Standard_v2 recommended).
   • Configure the Frontend IP (public or private as per requirements).
3. Configure Backend Pool:
   Create a backend pool and add target resources—VMs, app services, or IP/FQDN endpoints.
4. Set up Listeners and Routing Rules:
   
   • Listeners: Define how incoming requests are accepted (HTTP/HTTPS, port, certificate if required).
   • Routing Rules: Connect frontend listeners to backend pools, specify HTTP settings and path-based routing as needed.
5. Configure Health Probes (Optional):
   Add custom health probes to monitor backend health.
6. Review + Create:
   Validate your selections and click Create. The provisioning process can take a few minutes.
7. Test the Gateway:
   Use the public IP (or assigned DNS name) to access your app through the gateway and verify routing, SSL offload, and WAF as configured[10][6].

Consider using additional Azure features such as tagging, autoscaling (for Application Gateway v2), and diagnostic logging for advanced management.

Choosing between Azure Load Balancer and Azure Application Gateway depends on your workload’s protocol, required features, and level of application awareness. Here are key guidelines to help you make the best selection:

When to Use Azure Load Balancer

• Non-HTTP(S) Workloads: Select the Load Balancer for traffic types other than HTTP or HTTPS (e.g., RDP, SMTP, database, or any custom TCP/UDP-based service).
• Simple Layer 4 Load Balancing: Best for distributing traffic purely based on IP address and port, without needing to inspect application data.
• High Performance at Scale: Handles massive volumes of connections with ultra-low latency (suitable for gaming, video streaming, VoIP, or other real-time services).
• Internal and Outbound Scenarios: Useful for providing internal load balancing within private networks and enabling outbound internet connectivity for VMs using SNAT.
• Basic Health Monitoring: When you need simple health checks on your backend servers based on TCP/HTTP probes.

When to Use Azure Application Gateway

• Advanced Web Application Routing: Choose Application Gateway for application-aware routing decisions based on HTTP attributes (URL path, headers, host, cookies) for modern web apps and APIs.
• SSL/TLS Offloading and Centralized Management: Offload SSL decryption and certificate management from backend servers to simplify security and improve performance.
• Web Application Firewall (WAF) Protection: Required when your web apps need built-in defenses against common exploits, such as SQL injection or XSS.
• Session Affinity (Sticky Sessions): Needed when user sessions should persist with the same backend server—for scenarios like shopping carts, portals, or custom portals.
• Multi-Site Hosting & Path-Based Routing: When you want to host multiple domains or split traffic to microservices/APIs using different URL paths or host headers.
• HTTPS Redirection and URL Rewrite: For implementing HTTP to HTTPS redirection, or advanced rewrite rules for user-friendly URLs and enhanced security.

Tip:
You can combine both services for layered solutions. For example, use Azure Load Balancer to distribute TCP traffic to multiple Application Gateways, which then apply application-aware routing and web security for HTTP/S workloads.

Summary Table: