Tutorial / Cram Notes

Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. Traditional load balancers operate at the transport layer (OSI layer 4 – TCP and UDP) and route traffic from a source IP address and port to a destination IP address and port. Application Gateway works at the application layer (OSI layer 7, HTTP/HTTPS) and can additionally route on attributes of the request itself, such as the URI path or host header. For any Azure Security Engineer preparing for the AZ-500 Microsoft Azure Security Technologies exam, understanding how to create and configure an Azure Application Gateway is essential.

To create and configure an Azure Application Gateway, one must complete the following steps:

1. Creation of Application Gateway:

  • Navigate to the Azure portal.
  • Search for and select “Application Gateways” in the search bar.
  • Click on “Add” to create a new Application Gateway.

2. Basic Configuration:

  • Provide a name for your Application Gateway instance.
  • Select a desired subscription and resource group where you want to deploy Application Gateway.
  • Choose the desired region that is closest to your users to minimize latency.

3. Virtual Network:

  • You need to select or create a virtual network (VNet) for the Application Gateway.
  • Application Gateway must have a dedicated subnet.

4. Size and Scale:

  • Choose a size for the Application Gateway (small, medium, large) or use the Autoscale option for auto-scaling the deployment based on the load.
  • Define the number of instances, if not using Autoscale.

5. Configuration:

  • Listeners: These are required to handle incoming traffic. Set up listeners for the protocols you require (HTTP, HTTPS).
  • Rules: Configure the routing rules that determine which backend pool (or redirect) incoming traffic on a listener is sent to.
  • HTTP settings: Adjust the settings that control the behaviour of the gateway in terms of connection draining, cookie-based affinity, and timeout settings.
  • Backend pools: Define the backend pools which consist of IP addresses or FQDNs of the web servers that your Application Gateway needs to route the traffic to.

6. SSL termination (if using HTTPS):

  • If you are using SSL for your applications, you need to set up SSL termination on the Application Gateway to offload SSL encryption/decryption from your web servers, which can be CPU-intensive. This involves uploading a certificate and binding it to an HTTPS listener.

7. Web Application Firewall (WAF) Configuration:

  • If you need to protect your web applications more thoroughly, Application Gateway supports WAF, which provides centralized, inbound protection for your web applications against common exploits and vulnerabilities.
  • There are two WAF modes: Detection mode and Prevention mode. Detection mode logs all threat alerts without blocking them, while Prevention mode blocks intrusions and attacks.
  • Configure WAF policies with custom rules if necessary.

8. Monitoring:

  • Enable logging and monitoring of the Application Gateway using Azure Monitor, Log Analytics, or Network Watcher for better visibility into its operation and performance.

9. Pricing:

  • Review the pricing tier options and associated features. There might be additional charges for enabled features such as WAF.

10. Review and Create:

  • Review all settings and create the Application Gateway. Azure will validate your configurations before the creation process starts.
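The settings in steps 5 to 7 are where the security posture of the gateway is decided, and they are worth checking programmatically rather than by eye once the gateway exists. The following Python is an added example, not Azure tooling or code from this page: it audits a gateway definition for WAF in Prevention mode, an HTTPS listener whose certificate comes from Key Vault, a TLS policy that rejects TLS 1.0/1.1, plain-HTTP listeners redirected to HTTPS, and autoscaling with at least two instances. The input is a simplified, flattened form of the Microsoft.Network/applicationGateways resource JSON in which sub-resources are referenced by name rather than by resource id (an assumption of this example), and both sample gateways are constructed.

```python
"""Audit an Application Gateway definition for security-relevant settings.

Added example, not Azure tooling. Input shape: a simplified, flattened form of
the Microsoft.Network/applicationGateways resource JSON where sub-resources are
referenced by name (assumption). Both sample gateways below are constructed."""
import copy

# Predefined TLS policies whose minimum protocol is TLS 1.2 (assumed list; the
# older 2015/2017 predefined policies still admit TLS 1.0 or 1.1).
MODERN_PREDEFINED_POLICIES = {"AppGwSslPolicy20220101", "AppGwSslPolicy20220101S"}

# Constructed: the WAF_v2 gateway the scenario in the text describes.
SECURE_GATEWAY = {
    "name": "appgw-example",
    "sku": {"name": "WAF_v2", "tier": "WAF_v2"},
    "autoscaleConfiguration": {"minCapacity": 2, "maxCapacity": 10},
    "sslPolicy": {"policyType": "Predefined", "policyName": "AppGwSslPolicy20220101"},
    "sslCertificates": [
        {"name": "site-cert",
         "keyVaultSecretId": "https://kv-example.vault.azure.net/secrets/site-cert"}],
    "httpListeners": [
        {"name": "http-listener", "protocol": "Http"},
        {"name": "https-listener", "protocol": "Https", "sslCertificate": "site-cert"}],
    "redirectConfigurations": [
        {"name": "to-https", "redirectType": "Permanent", "targetListener": "https-listener"}],
    "requestRoutingRules": [
        {"name": "redirect-rule", "ruleType": "Basic", "httpListener": "http-listener",
         "redirectConfiguration": "to-https"},
        {"name": "path-rule", "ruleType": "PathBasedRouting",
         "httpListener": "https-listener", "urlPathMap": "app-paths"}],
    "webApplicationFirewallConfiguration": {
        "enabled": True, "firewallMode": "Prevention",
        "ruleSetType": "OWASP", "ruleSetVersion": "3.2"},
}

# Constructed: the same gateway with the weak choices a first attempt often keeps.
WEAK_GATEWAY = copy.deepcopy(SECURE_GATEWAY)
WEAK_GATEWAY["webApplicationFirewallConfiguration"]["firewallMode"] = "Detection"
del WEAK_GATEWAY["sslPolicy"]                      # platform default policy applies
WEAK_GATEWAY["requestRoutingRules"][0] = {         # HTTP served directly, no redirect
    "name": "http-rule", "ruleType": "Basic", "httpListener": "http-listener",
    "backendAddressPool": "web-pool", "backendHttpSettings": "http-settings"}
WEAK_GATEWAY["autoscaleConfiguration"] = {"minCapacity": 0, "maxCapacity": 10}


def _by_name(items, name):
    return next((i for i in items if i.get("name") == name), None)


def check_waf_prevention(gw):
    waf = gw.get("webApplicationFirewallConfiguration", {})
    return (gw["sku"]["tier"].startswith("WAF") and waf.get("enabled") is True
            and waf.get("firewallMode") == "Prevention")


def check_https_listener_uses_key_vault(gw):
    for listener in gw.get("httpListeners", []):
        if listener.get("protocol") != "Https":
            continue
        cert = _by_name(gw.get("sslCertificates", []), listener.get("sslCertificate"))
        if cert and cert.get("keyVaultSecretId"):
            return True
    return False


def check_tls_policy(gw):
    policy = gw.get("sslPolicy")
    if not policy:                                 # no explicit policy configured
        return False
    if policy.get("policyType") == "Predefined":
        return policy.get("policyName") in MODERN_PREDEFINED_POLICIES
    return policy.get("minProtocolVersion") in {"TLSv1_2", "TLSv1_3"}


def check_http_redirects_to_https(gw):
    """Every rule attached to a plain-HTTP listener must redirect to an HTTPS one."""
    listeners = gw.get("httpListeners", [])
    for rule in gw.get("requestRoutingRules", []):
        listener = _by_name(listeners, rule.get("httpListener"))
        if not listener or listener.get("protocol") != "Http":
            continue
        redirect = _by_name(gw.get("redirectConfigurations", []),
                            rule.get("redirectConfiguration"))
        target = _by_name(listeners, redirect.get("targetListener")) if redirect else None
        if not target or target.get("protocol") != "Https":
            return False
    return True


def check_autoscale(gw):
    scale = gw.get("autoscaleConfiguration")
    return bool(scale) and scale.get("minCapacity", 0) >= 2


def audit(gw):
    """Run every check and return {check_name: passed}."""
    checks = [check_waf_prevention, check_https_listener_uses_key_vault,
              check_tls_policy, check_http_redirects_to_https, check_autoscale]
    return {c.__name__: c(gw) for c in checks}


if __name__ == "__main__":
    for label, gw in (("secure", SECURE_GATEWAY), ("weak", WEAK_GATEWAY)):
        print(label, audit(gw))
```

Running the module prints one result line per gateway; in a pipeline the same `audit` function would be pointed at the JSON exported from a real gateway. Note that a WAF_v2 gateway attached to a separate WAF policy resource carries its mode inside that policy, so in that case the WAF check would have to read the policy rather than the gateway.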

Example Scenario:

Let’s assume that you want to configure an Azure Application Gateway for a web application that must support both HTTP and HTTPS traffic, includes URL-based routing, and requires high availability with autoscaling.

In this scenario, you’d set up two listeners (one for HTTP and one for HTTPS), assign a WAF policy for security, enable autoscaling for high availability, and configure URL-based routing rules to ensure proper traffic distribution to different backend pools depending on the URL path requested.
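To make the URL-based routing part of this scenario concrete, the following Python resolves which backend pool a request path reaches under a path-based routing rule. It is an added example, not Azure code: the path map is a simplified, constructed version of the urlPathMaps sub-resource, and the match semantics it implements (case-insensitive prefix match, `*` allowed only as the trailing character, first listed rule wins, default pool otherwise) are this example's reading of the documented behaviour and should be checked against the current documentation.

```python
"""Resolve the backend pool for a request path under a PathBasedRouting rule.

Added example, not Azure code. The match semantics below (case-insensitive
prefix match, '*' only as the trailing character, first listed rule wins,
default pool otherwise) are assumptions of this example."""

# Constructed path map for the scenario: images and video each get their own
# pool, a health endpoint goes to a probe pool, everything else to web-pool.
APP_PATH_MAP = {
    "name": "app-paths",
    "defaultBackendAddressPool": "web-pool",
    "pathRules": [
        {"name": "images", "paths": ["/images/*"], "backendAddressPool": "images-pool"},
        {"name": "video", "paths": ["/video*"], "backendAddressPool": "video-pool"},
        {"name": "health", "paths": ["/health"], "backendAddressPool": "probe-pool"},
    ],
}


def validate_pattern(pattern):
    """Reject patterns the gateway would not accept (assumed rules)."""
    if not pattern.startswith("/"):
        raise ValueError(f"pattern must start with '/': {pattern!r}")
    if "*" in pattern[:-1]:
        raise ValueError(f"'*' is only allowed at the end: {pattern!r}")
    return pattern


def path_matches(pattern, path):
    pattern, path = validate_pattern(pattern).lower(), path.lower()
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])   # trailing wildcard: prefix match
    return path == pattern                     # no wildcard: exact match only


def resolve_backend(path_map, request_path):
    """Return the pool name for request_path; only the path part is matched."""
    path = request_path.split("?", 1)[0]       # query string never takes part
    for rule in path_map["pathRules"]:
        if any(path_matches(p, path) for p in rule["paths"]):
            return rule["backendAddressPool"]
    return path_map["defaultBackendAddressPool"]


if __name__ == "__main__":
    for p in ("/images/logo.png", "/videos/intro.mp4", "/health", "/health/deep",
              "/images", "/checkout?item=1"):
        print(f"{p:22} -> {resolve_backend(APP_PATH_MAP, p)}")
```

The two cases worth noticing are `/images` (no trailing slash), which falls through to the default pool because the pattern `/images/*` requires the slash, and `/health/deep`, which does not match the exact-path rule `/health`. Both are easy to get wrong when writing path rules by hand, and both end up at whatever the default pool serves.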

The following table summarizes the key components and their purposes within the Application Gateway configuration:

Component        Description
---------------  ------------------------------------------------------------------
Listener         Listens for incoming traffic and manages protocol type (HTTP/HTTPS).
Rule             Defines how incoming traffic on a listener is routed to backend pools.
HTTP Settings    Manages connection draining, session affinity, and timeouts.
Backend Pool     Collection of servers to receive the routed traffic.
SSL Termination  Offloads SSL processing from web servers.
WAF              Provides protection against web vulnerabilities.
Monitoring       Tools to observe and log Application Gateway performance.

Summary:

Understanding and properly configuring Azure Application Gateway is central to managing web traffic and ensuring security in a cloud environment. An Azure Security Engineer should understand the implications of each setting and component of Application Gateway, be skilled at configuring it to meet the specific requirements of an application, and enable security features like WAF to protect against threats. This expertise is pivotal in passing the AZ-500 Microsoft Azure Security Technologies exam and effectively securing Azure web applications.

Practice Test with Explanation

True or False: Azure Application Gateway can provide URL-based routing.

  • 1) True
  • 2) False

Answer: True

Explanation: Azure Application Gateway supports URL-based routing, which routes requests to different backend pools depending on the URL path requested.

Which feature of Azure Application Gateway provides end-to-end SSL encryption?

  • 1) SSL termination
  • 2) Web Application Firewall (WAF)
  • 3) SSL offloading
  • 4) End-to-End SSL

Answer: End-to-End SSL

Explanation: Azure Application Gateway supports End-to-End SSL, also known as SSL bridging, to provide end-to-end encryption of data.

True or False: Azure Application Gateway’s Web Application Firewall (WAF) can only operate in Prevention mode.

  • 1) True
  • 2) False

Answer: False

Explanation: The WAF in Azure Application Gateway can function in both Detection mode and Prevention mode, providing flexibility in your security approach.

Which Azure Application Gateway tier supports autoscaling?

  • 1) Standard
  • 2) Standard_v2
  • 3) WAF
  • 4) WAF_v2

Answer: Standard_v2 and WAF_v2

Explanation: Both Standard_v2 and WAF_v2 Application Gateway tiers support autoscaling to meet varying loads.

True or False: Azure Application Gateway can be integrated with Azure Traffic Manager.

  • 1) True
  • 2) False

Answer: True

Explanation: Azure Application Gateway can be used in conjunction with Azure Traffic Manager for more advanced traffic distribution scenarios.

When configuring Azure Application Gateway, what type of IP address can be assigned?

  • 1) Only Public IP addresses
  • 2) Only Private IP addresses
  • 3) Either Public or Private IP addresses
  • 4) Neither, as it uses a virtual address

Answer: Either Public or Private IP addresses

Explanation: Azure Application Gateway can be configured with either a Public IP or a Private IP address based on the requirements.

Which of the following is NOT a key feature of Azure Application Gateway?

  • 1) Custom Health Probes
  • 2) Azure Active Directory authentication
  • 3) Integrated VPN capabilities
  • 4) Session Affinity based on cookies

Answer: Integrated VPN capabilities

Explanation: Integrated VPN capabilities are not a feature of Azure Application Gateway. This service is for routing and load balancing, not VPN functionalities.

True or False: Azure Application Gateway’s Web Application Firewall (WAF) comes pre-configured with rules that meet the OWASP’s top 10 security vulnerabilities by default.

  • 1) True
  • 2) False

Answer: True

Explanation: The WAF in Azure Application Gateway comes with a pre-configured set of rules that protect against the vulnerabilities outlined in the OWASP Top 10.

What is the purpose of a listener in Azure Application Gateway?

  • 1) To scale the instances based on load
  • 2) To listen and process incoming traffic based on rules
  • 3) To redirect traffic to another region
  • 4) To authenticate users against an Azure Active Directory

Answer: To listen and process incoming traffic based on rules

Explanation: A listener is a crucial component that processes incoming traffic according to specified rules including host, IP, and path-based rules.

Which feature allows Azure Application Gateway to securely store SSL certificates for HTTPS traffic?

  • 1) Azure Key Vault
  • 2) Azure Blob Storage
  • 3) Azure File Storage
  • 4) Azure Table Storage

Answer: Azure Key Vault

Explanation: Azure Application Gateway integrates with Azure Key Vault to securely store, manage, and use SSL/TLS certificates for encrypting HTTPS traffic.

22 Comments
Afşar Kunt
1 year ago

Great article on configuring Azure Application Gateway! Really helped me understand the basics.

Michaela Bonnet
1 year ago

I have a question regarding the WAF policies. How do you enable custom rules for specific route paths?

Margie Hunter
1 year ago

Can someone explain the difference between Basic and Standard SKUs for Application Gateway in terms of security?

Ely Monteiro
1 year ago

Thanks for this comprehensive guide!

Kadir Bakırcıoğlu

I followed the steps but can’t get the gateway to work with my HTTPS endpoint. Any suggestions?

Jesse Allen
1 year ago

Awesome post, really helped me nail down the basics.

Adam Jørgensen
1 year ago

A bit more depth on integrating Azure AD for authentication would have been helpful.

Perica Raspopović
1 year ago

Does the Application Gateway support end-to-end SSL?
