Book 01 — Azure Networking Deep Dive
Application Delivery: Load Balancer and Application Gateway
Azure provides two complementary load balancing services for inbound workloads. Azure Load Balancer operates at Layer 4 (TCP/UDP) and provides high throughput, zone redundancy, and outbound SNAT. Application Gateway operates at Layer 7 (HTTP/HTTPS) and adds SSL termination, WAF, URL routing, and cookie-based affinity. Choosing the right service — or combining both — depends on what the application requires.
Azure Load Balancer (Layer 4)
Important
Azure Load Balancer Basic SKU was retired on September 30, 2025. All new deployments must use Standard SKU. Any existing Basic LBs must be migrated. Standard SKU provides zone redundancy, NSG flow logs, and 99.99% SLA — none of which Basic offered.
Standard LB Components
| Component | Description |
|---|---|
| Frontend IP | Public (Standard PIP) or Internal (VNet private IP); zone-redundant spans all AZs |
| Backend pool | NICs or VMSS instances; Standard LB supports cross-zone backend pools |
| Health probe | HTTP(S) or TCP check; unhealthy VMs removed from rotation |
| Load balancing rule | Maps frontend IP:port to backend pool:port; session persistence options |
| Outbound rule | Explicit SNAT for internet access from backend VMs without public IPs |
| HA ports rule | Protocol=All, port=0; for NVA ILB only (routes all TCP/UDP to NVA) |
# Standard LB with zone-redundant frontend
az network lb create --name lb-web --resource-group rg-app \
--sku Standard --frontend-ip-name fe-web \
--public-ip-address pip-lb-web
az network lb probe create \
--lb-name lb-web --resource-group rg-app \
--name probe-http \
--protocol Http --port 80 --path /health
az network lb rule create \
--lb-name lb-web --resource-group rg-app \
--name rule-http \
--protocol Tcp --frontend-port 80 --backend-port 80 \
--frontend-ip-name fe-web \
--backend-pool-name be-web \
--probe-name probe-http
az network lb outbound-rule create \
--lb-name lb-web --resource-group rg-app \
--name outbound-web \
--frontend-ip-configs fe-web \
--backend-pool-name be-web \
--protocol All
Application Gateway (Layer 7)
WAF v2 SKU
Application Gateway v2 is the current SKU. It autoscales from 0 to 125 instances based on traffic load, supports zone redundancy, and includes Key Vault integration for TLS certificates. The WAF_v2 SKU adds OWASP CRS 3.2 and Microsoft Default Rule Set protection.
Application Gateway requires a dedicated subnet. Minimum /26 recommended. The subnet must allow inbound TCP 65200–65535 from the GatewayManager service tag (Azure's internal health probes for the gateway infrastructure).
URL Path-Based Routing
URL path maps route requests matching specific path prefixes to different backend pools. This enables a single App Gateway frontend to serve multiple microservices:
SSL Options
| Mode | Client → AppGW | AppGW → Backend | Use Case |
|---|---|---|---|
| SSL Termination | HTTPS | HTTP | Centralised cert management at AppGW |
| SSL Passthrough | HTTPS (TCP) | HTTPS (unmodified) | AppGW cannot inspect; backend handles cert |
| End-to-End SSL | HTTPS | HTTPS (re-encrypt) | Compliance requiring TLS throughout |
WAF v2 Configuration
# WAF Policy in Prevention mode with CRS 3.2
az network application-gateway waf-policy create \
--name wafpol-web --resource-group rg-app \
--location eastus2
az network application-gateway waf-policy policy-setting update \
--policy-name wafpol-web --resource-group rg-app \
--mode Prevention \
--state Enabled \
--request-body-check true
# Attach WAF policy to App Gateway
az network application-gateway update \
--name appgw-web --resource-group rg-app \
--waf-policy wafpol-web
LB vs App Gateway Decision
| Use Azure Load Balancer when | Use Application Gateway when |
|---|---|
| Protocol is non-HTTP (TCP/UDP, SQL, SMTP) | Protocol is HTTP/HTTPS/WebSocket |
| Throughput requirements are very high | WAF inspection is required |
| Fronting an NVA (HA ports rule) | URL path or host-based routing needed |
| Simple port forwarding needed | SSL termination or end-to-end SSL needed |
Lab: Standard LB and App Gateway
Standard LB with Zone-Redundant Frontend (CE-19)
# CE-19: Standard LB with zone-redundant PIP and health probe
RG="rg-lab-ch08"; LOC="eastus2"
az group create --name "$RG" --location "$LOC"
az network public-ip create --name pip-lb \
--resource-group "$RG" --sku Standard --zone 1 2 3
az network lb create --name lb-lab \
--resource-group "$RG" --sku Standard \
--frontend-ip-name fe-lab --public-ip-address pip-lb
az network lb probe create \
--lb-name lb-lab --resource-group "$RG" \
--name probe-tcp --protocol Tcp --port 80
az network lb rule create \
--lb-name lb-lab --resource-group "$RG" \
--name rule-http \
--protocol Tcp --frontend-port 80 --backend-port 80 \
--frontend-ip-name fe-lab \
--backend-pool-name be-lab \
--probe-name probe-tcp
App Gateway WAF v2 Deploy (CE-20)
# CE-20: App Gateway WAF_v2
az network vnet create --name vnet-appgw \
--resource-group "$RG" --address-prefixes 10.0.0.0/22 \
--subnet-name snet-appgw --subnet-prefixes 10.0.0.0/26 \
--location "$LOC"
az network public-ip create --name pip-appgw \
--resource-group "$RG" --sku Standard --zone 1 2 3
az network application-gateway create \
--name appgw-lab --resource-group "$RG" \
--sku WAF_v2 --capacity 1 \
--vnet-name vnet-appgw --subnet snet-appgw \
--public-ip-address pip-appgw \
--http-settings-port 80 --http-settings-protocol Http \
--location "$LOC"
az group delete --name "$RG" --yes --no-wait
Summary
| Concept | Key Fact |
|---|---|
| Basic LB | Retired Sept 30, 2025 — use Standard for all new deployments |
| Zone-redundant frontend | Standard PIP zones 1+2+3; survives single AZ failure |
| HA ports rule | Protocol=All, port=0; NVA ILB only |
| App Gateway subnet | Dedicated; min /26; allow 65200–65535 from GatewayManager |
| WAF v2 modes | Detection (log only) vs Prevention (log + block) |
| URL path routing | Route /api/* etc to different backend pools via URL path map |
| SSL termination | AppGW decrypts; backend receives HTTP — centralised cert mgmt |
Chapter 9 covers Azure Front Door and CDN — global anycast load balancing with WAF at the edge, Private Link origins, and rules engine for URL rewriting.
Chapter: 8 of 12 | Status: v0.1 Draft |