Microsoft Azure — Application Gateway & WAF
Application Gateway, HTTP(S) load balancing, URL routing, SSL termination, and Web Application Firewall..
20+ years shipping production infrastructure and CI/CD at scale. Everything here is grounded in real deployments.
- ✓Azure subscription, Terraform installed (v1.5+), Azure CLI (v2.50+), basic knowledge of Azure networking and HCL syntax, familiarity with HTTP/HTTPS protocols
Application Gateway & WAF is like having a specialized tool that handles application gateway in the Microsoft cloud — you manage the configuration, Azure handles the infrastructure.
Azure is Microsoft's cloud computing platform offering over 200 services. This article covers application gateway & waf with production-ready configurations, best practices, and hands-on examples.
Why Azure Application Gateway and WAF Matter in Production
In production, you need a reverse proxy that can handle HTTP/S traffic at scale while protecting your backends from common exploits. Azure Application Gateway is a layer-7 load balancer that offers SSL termination, URL-based routing, and session affinity. When paired with the Web Application Firewall (WAF), it blocks SQL injection, XSS, and other OWASP Top-10 attacks before they reach your application. Many teams start with a basic load balancer and later realize they need WAF after an incident. Don't be that team. Deploy Application Gateway with WAF from day one. The cost difference is minimal compared to the cost of a breach. In production, you'll also need to plan for scaling, health probes, and logging. This article walks through a real-world setup with Terraform, covering everything from basic routing to advanced WAF tuning.
Designing a Multi-Site Routing Architecture
In production, you rarely have a single backend. You might have multiple microservices, each exposed under different hostnames or paths. Application Gateway supports multi-site listeners, allowing you to route traffic based on the Host header or URL path. For example, api.example.com goes to one backend pool, while app.example.com goes to another. This is critical for zero-downtime deployments and canary releases. When designing routing, keep it simple: use path-based routing for internal services and host-based routing for external facing ones. Avoid complex rewrite rules unless absolutely necessary—they add latency and debugging complexity. Always use HTTPS listeners with SSL termination at the gateway. This offloads CPU work from your backends and centralizes certificate management. In production, you'll also want to set up a custom domain with Azure Key Vault for certificate storage.
Configuring Health Probes for Reliable Backend Detection
Health probes are the backbone of reliable traffic routing. Application Gateway uses probes to determine if a backend is healthy. If a probe fails, the gateway stops sending traffic to that backend. In production, you must configure custom probes that match your application's health endpoint. The default probe only checks if the TCP port is open, which is useless for most apps. A proper health endpoint should return 200 OK within a short timeout and include a lightweight check (e.g., database connectivity). Set the probe interval to 30 seconds and the unhealthy threshold to 3 failures. This gives your app time to recover from transient issues without being removed prematurely. Also, configure the backend HTTP settings to use the same probe. In production, we've seen probes that are too aggressive cause cascading failures during deployments.
Enabling WAF with OWASP Rules and Custom Rules
WAF is your first line of defense against web attacks. Azure WAF comes with a managed rule set based on OWASP 3.2 (or 3.1). In production, you should enable the OWASP rules and then tune them to reduce false positives. Start in Detection mode to log violations without blocking traffic. After a week, review the logs and disable rules that cause false positives. Then switch to Prevention mode. You can also add custom rules for application-specific threats, like blocking requests from certain IP ranges or enforcing a maximum request body size. Be careful with custom rules—they can easily block legitimate traffic if not tested. In production, we recommend using managed rules as a baseline and only adding custom rules for known attack patterns. Also, enable WAF logs to Azure Monitor or a SIEM for analysis.
SSL Termination and Certificate Management with Key Vault
SSL termination at the gateway offloads encryption from backends and centralizes certificate management. In production, store certificates in Azure Key Vault and reference them in the Application Gateway configuration. This allows automatic renewal and rotation without downtime. Never store certificates in the gateway configuration directly—they expire and cause outages. Use managed identities to grant the gateway access to Key Vault. When setting up SSL, use TLS 1.2 or higher and disable older protocols. Also, consider using Azure Front Door for global SSL termination if you have multiple regions. In production, we've seen outages caused by expired certificates that were not monitored. Set up alerts for certificate expiration at least 30 days before expiry.
Scaling and Performance Tuning for High Traffic
Application Gateway v2 supports autoscaling, but you must configure minimum and maximum instance counts. In production, set a minimum of 2 instances for high availability and a maximum based on your expected peak traffic. The gateway scales based on CPU and throughput metrics. However, scaling is not instantaneous—it can take 5-10 minutes. To handle traffic spikes, pre-warm the gateway by setting a higher minimum during known high-traffic periods. Also, tune the request timeout and connection draining settings. Connection draining ensures in-flight requests complete before a backend is removed. Set the drain timeout to 30 seconds. In production, we've seen gateways overwhelmed by too many concurrent connections. Use keep-alive connections and reduce the timeout to free up resources.
Logging, Monitoring, and Alerting for Production
You can't fix what you can't see. In production, enable all diagnostic logs: Access Logs, Performance Logs, Firewall Logs, and Health Probe Logs. Send them to Log Analytics for querying. Create dashboards for key metrics like throughput, latency, and failure rates. Set up alerts for backend health degradation, high CPU, and WAF blocked requests. Use Azure Monitor alerts with action groups to notify the on-call team. Also, enable network watcher for connection troubleshoot. In production, we've seen teams miss slow degradation because they only monitored at the VM level. Monitor the gateway itself. A common mistake is not logging WAF false positives—you need those logs to tune rules. Set up a weekly review of WAF logs to adjust rules.
Zero-Downtime Deployments with Application Gateway
Updating backends without downtime requires careful orchestration. Application Gateway supports rolling updates via backend pools. When deploying a new version, add the new instances to a separate backend pool, update the routing rule to point to the new pool, and then remove the old pool. Use the gateway's connection draining to allow in-flight requests to complete. For blue-green deployments, you can have two listeners pointing to different pools and switch traffic by updating the DNS or using a weighted rule. In production, automate this with Terraform or Azure DevOps. Avoid making changes directly in the portal—they are error-prone. Also, test the new backend pool with a small percentage of traffic before full cutover. We've seen deployments fail because the new backend didn't pass health checks.
Cost Optimization and Right-Sizing
Application Gateway WAF_v2 is not cheap. In production, you need to balance cost with performance. Start with the minimum capacity that meets your baseline traffic and let autoscaling handle spikes. Use reserved instances if you have predictable traffic. Also, consider using Azure Front Door for global traffic and Application Gateway for regional routing—this can reduce the number of gateways needed. Monitor your gateway's throughput and CPU metrics to right-size. If you see consistently low utilization, reduce the minimum capacity. Conversely, if you see throttling, increase the maximum. In production, we've seen teams over-provision out of fear, wasting thousands per month. Use Azure Cost Management to track spending. Also, consider using the Basic tier for non-production environments, but never for production.
Disaster Recovery and Multi-Region Failover
For critical applications, you need a disaster recovery plan. Application Gateway is regional, so if a region goes down, your gateway goes with it. To achieve multi-region failover, use Azure Front Door or Traffic Manager in front of Application Gateways in different regions. Front Door provides global load balancing with automatic failover. Configure health probes on each gateway and set up a failover priority. In production, test your failover regularly. We've seen teams configure DR but never test it, only to find out during an actual outage that the secondary gateway was misconfigured. Also, ensure your backends are replicated across regions. Use Azure SQL geo-replication or Cosmos DB multi-region writes. For stateless apps, this is straightforward. For stateful apps, plan for session persistence.
Security Hardening Beyond WAF
WAF is not a silver bullet. In production, you need defense in depth. Start by restricting access to the gateway's frontend IP using NSGs or Azure Firewall. Only allow traffic from known sources (e.g., Cloudflare IPs if you use a CDN). Enable DDoS Protection Standard on the virtual network. Use private IPs for backend communication—never expose backends to the internet. Also, enforce HTTPS only by redirecting HTTP to HTTPS at the gateway level. Set up a custom error page for 403 and 502 errors to avoid leaking information. In production, we've seen attacks that bypass WAF by targeting the backend directly. Always place backends in a private subnet with no public IP. Use service endpoints or Private Link for Azure services.
Troubleshooting Common Production Issues
Even with perfect configuration, things go wrong. Common issues include: 502 Bad Gateway (backend unhealthy or timeout), 403 Forbidden (WAF blocking), and 504 Gateway Timeout (backend too slow). Start troubleshooting by checking the backend health probe status in the portal. If probes are failing, check the backend's health endpoint and network connectivity. For WAF blocks, review the firewall logs to see which rule triggered. For timeouts, increase the request timeout or optimize the backend. Also, check the gateway's performance metrics for CPU or throughput bottlenecks. In production, we've seen a misconfigured NSG block traffic between the gateway and backend. Use Network Watcher's IP flow verify to test connectivity. Always have a rollback plan for configuration changes.
| File | Command / Code | Purpose |
|---|---|---|
| main.tf | resource "azurerm_application_gateway" "example" { | Why Azure Application Gateway and WAF Matter in Production |
| routing.tf | resource "azurerm_application_gateway" "example" { | Designing a Multi-Site Routing Architecture |
| probes.tf | resource "azurerm_application_gateway" "example" { | Configuring Health Probes for Reliable Backend Detection |
| waf.tf | resource "azurerm_application_gateway" "example" { | Enabling WAF with OWASP Rules and Custom Rules |
| ssl.tf | resource "azurerm_key_vault_certificate" "example" { | SSL Termination and Certificate Management with Key Vault |
| scaling.tf | resource "azurerm_application_gateway" "example" { | Scaling and Performance Tuning for High Traffic |
| monitoring.tf | resource "azurerm_monitor_diagnostic_setting" "example" { | Logging, Monitoring, and Alerting for Production |
| deployment.tf | resource "azurerm_application_gateway" "example" { | Zero-Downtime Deployments with Application Gateway |
| cost.tf | resource "azurerm_application_gateway" "example" { | Cost Optimization and Right-Sizing |
| dr.tf | resource "azurerm_frontdoor" "example" { | Disaster Recovery and Multi-Region Failover |
| security.tf | resource "azurerm_network_security_group" "example" { | Security Hardening Beyond WAF |
| troubleshoot.ps1 | Get-AzApplicationGatewayBackendHealth -ApplicationGateway $appgw | Troubleshooting Common Production Issues |
Key takeaways
Common mistakes to avoid
3 patternsNot planning application gateway properly before deployment
Ignoring Azure best practices for application gateway
Overlooking cost implications of application gateway
Interview Questions on This Topic
Explain Application Gateway & WAF and its use cases.
Frequently Asked Questions
20+ years shipping production infrastructure and CI/CD at scale. Everything here is grounded in real deployments.
That's Azure. Mark it forged?
6 min read · try the examples if you haven't