Chapter 8 of 12

Book 01 — Azure Networking Deep Dive

Application Delivery: Load Balancer and Application Gateway

Azure provides two complementary load balancing services for inbound workloads. Azure Load Balancer operates at Layer 4 (TCP/UDP) and provides high throughput, zone redundancy, and outbound SNAT. Application Gateway operates at Layer 7 (HTTP/HTTPS) and adds SSL termination, WAF, URL routing, and cookie-based affinity. Choosing the right service — or combining both — depends on what the application requires.

Azure Load Balancer (Layer 4)

Important

Azure Load Balancer Basic SKU was retired on September 30, 2025. All new deployments must use Standard SKU. Any existing Basic LBs must be migrated. Standard SKU provides zone redundancy, NSG flow logs, and 99.99% SLA — none of which Basic offered.

Standard LB Components

ComponentDescription
Frontend IPPublic (Standard PIP) or Internal (VNet private IP); zone-redundant spans all AZs
Backend poolNICs or VMSS instances; Standard LB supports cross-zone backend pools
Health probeHTTP(S) or TCP check; unhealthy VMs removed from rotation
Load balancing ruleMaps frontend IP:port to backend pool:port; session persistence options
Outbound ruleExplicit SNAT for internet access from backend VMs without public IPs
HA ports ruleProtocol=All, port=0; for NVA ILB only (routes all TCP/UDP to NVA)
Standard Load Balancer with zone-redundant frontend public IP. Backend pool VMs span availability zones 1, 2, and 3. Health probe checks HTTP /health. Outbound rule provides SNAT. Load balancing rule maps port 80 frontend to port 80 backend.
Figure 8.1 — Standard Load Balancer: zone-redundant frontend, cross-zone backend pool, health probes and outbound SNAT
bash
# Standard LB with zone-redundant frontend
az network lb create --name lb-web --resource-group rg-app \
  --sku Standard --frontend-ip-name fe-web \
  --public-ip-address pip-lb-web

az network lb probe create \
  --lb-name lb-web --resource-group rg-app \
  --name probe-http \
  --protocol Http --port 80 --path /health

az network lb rule create \
  --lb-name lb-web --resource-group rg-app \
  --name rule-http \
  --protocol Tcp --frontend-port 80 --backend-port 80 \
  --frontend-ip-name fe-web \
  --backend-pool-name be-web \
  --probe-name probe-http

az network lb outbound-rule create \
  --lb-name lb-web --resource-group rg-app \
  --name outbound-web \
  --frontend-ip-configs fe-web \
  --backend-pool-name be-web \
  --protocol All

Application Gateway (Layer 7)

WAF v2 SKU

Application Gateway v2 is the current SKU. It autoscales from 0 to 125 instances based on traffic load, supports zone redundancy, and includes Key Vault integration for TLS certificates. The WAF_v2 SKU adds OWASP CRS 3.2 and Microsoft Default Rule Set protection.

Application Gateway requires a dedicated subnet. Minimum /26 recommended. The subnet must allow inbound TCP 65200–65535 from the GatewayManager service tag (Azure's internal health probes for the gateway infrastructure).

URL Path-Based Routing

URL path maps route requests matching specific path prefixes to different backend pools. This enables a single App Gateway frontend to serve multiple microservices:

Application Gateway WAF v2 URL routing. WAF inspects all traffic with OWASP CRS 3.2. URL path map routes /api/* to API backend pool (Node.js VMs), /images/* to Azure Blob Storage, and /* default to Web frontend VMSS.
Figure 8.2 — App Gateway WAF v2: URL path routing sends /api/*, /images/*, default to different backend pools

SSL Options

ModeClient → AppGWAppGW → BackendUse Case
SSL TerminationHTTPSHTTPCentralised cert management at AppGW
SSL PassthroughHTTPS (TCP)HTTPS (unmodified)AppGW cannot inspect; backend handles cert
End-to-End SSLHTTPSHTTPS (re-encrypt)Compliance requiring TLS throughout

WAF v2 Configuration

bash
# WAF Policy in Prevention mode with CRS 3.2
az network application-gateway waf-policy create \
  --name wafpol-web --resource-group rg-app \
  --location eastus2

az network application-gateway waf-policy policy-setting update \
  --policy-name wafpol-web --resource-group rg-app \
  --mode Prevention \
  --state Enabled \
  --request-body-check true

# Attach WAF policy to App Gateway
az network application-gateway update \
  --name appgw-web --resource-group rg-app \
  --waf-policy wafpol-web

LB vs App Gateway Decision

Use Azure Load Balancer whenUse Application Gateway when
Protocol is non-HTTP (TCP/UDP, SQL, SMTP)Protocol is HTTP/HTTPS/WebSocket
Throughput requirements are very highWAF inspection is required
Fronting an NVA (HA ports rule)URL path or host-based routing needed
Simple port forwarding neededSSL termination or end-to-end SSL needed

Lab: Standard LB and App Gateway

1

Standard LB with Zone-Redundant Frontend (CE-19)

bash
# CE-19: Standard LB with zone-redundant PIP and health probe
RG="rg-lab-ch08"; LOC="eastus2"
az group create --name "$RG" --location "$LOC"
az network public-ip create --name pip-lb \
  --resource-group "$RG" --sku Standard --zone 1 2 3
az network lb create --name lb-lab \
  --resource-group "$RG" --sku Standard \
  --frontend-ip-name fe-lab --public-ip-address pip-lb
az network lb probe create \
  --lb-name lb-lab --resource-group "$RG" \
  --name probe-tcp --protocol Tcp --port 80
az network lb rule create \
  --lb-name lb-lab --resource-group "$RG" \
  --name rule-http \
  --protocol Tcp --frontend-port 80 --backend-port 80 \
  --frontend-ip-name fe-lab \
  --backend-pool-name be-lab \
  --probe-name probe-tcp
2

App Gateway WAF v2 Deploy (CE-20)

bash
# CE-20: App Gateway WAF_v2
az network vnet create --name vnet-appgw \
  --resource-group "$RG" --address-prefixes 10.0.0.0/22 \
  --subnet-name snet-appgw --subnet-prefixes 10.0.0.0/26 \
  --location "$LOC"
az network public-ip create --name pip-appgw \
  --resource-group "$RG" --sku Standard --zone 1 2 3
az network application-gateway create \
  --name appgw-lab --resource-group "$RG" \
  --sku WAF_v2 --capacity 1 \
  --vnet-name vnet-appgw --subnet snet-appgw \
  --public-ip-address pip-appgw \
  --http-settings-port 80 --http-settings-protocol Http \
  --location "$LOC"

az group delete --name "$RG" --yes --no-wait

Summary

ConceptKey Fact
Basic LBRetired Sept 30, 2025 — use Standard for all new deployments
Zone-redundant frontendStandard PIP zones 1+2+3; survives single AZ failure
HA ports ruleProtocol=All, port=0; NVA ILB only
App Gateway subnetDedicated; min /26; allow 65200–65535 from GatewayManager
WAF v2 modesDetection (log only) vs Prevention (log + block)
URL path routingRoute /api/* etc to different backend pools via URL path map
SSL terminationAppGW decrypts; backend receives HTTP — centralised cert mgmt

Chapter 9 covers Azure Front Door and CDN — global anycast load balancing with WAF at the edge, Private Link origins, and rules engine for URL rewriting.


Chapter: 8 of 12  |  Status: v0.1 Draft  |