AZ-700 Study Guide

Domain 3: Application Delivery Services (~13 min read)

Application Gateway: Layer 7

Configure Azure Application Gateway for HTTP-aware load balancing: listeners, routing rules, path-based routing, TLS termination, and autoscaling.

Application Gateway is Azure's regional HTTP/HTTPS load balancer. Unlike Azure Load Balancer (Layer 4), Application Gateway understands HTTP: it can route based on URLs, host headers, and cookies.

Application Gateway Components and Routing

Simple explanation

Application Gateway is a smart bouncer at a nightclub: it reads your ticket (URL) and sends you to the right room. Unlike Load Balancer (routes by IP/port), Application Gateway understands HTTP. It can route /api/* to one backend and /images/* to another, handles TLS certificates, and includes WAF.

Azure Application Gateway is a regional Layer 7 application delivery controller. It terminates TLS, inspects HTTP/HTTPS traffic, and routes based on URL paths, hostnames, and headers. Capabilities: path-based routing, multi-site hosting, TLS termination and end-to-end TLS, cookie affinity, URL rewrite/redirect, and WAF integration.

Component Flow

Traffic flows through Application Gateway in this order:

Client
  ↓
Frontend IP (public or private)
  ↓
Listener (port + protocol + hostname)
  ↓
Routing Rule (basic or path-based)
  ↓
HTTP Settings (backend port, protocol, affinity, timeout)
  ↓
Backend Pool (VMs, VMSS, App Service, IPs)
  ↓
Health Probe (checks backend health)

Component details:

Component | Purpose | Options
--- | --- | ---
Frontend IP | IP that clients connect to | Public IP, private IP, or both
Listener | Listens on a port/protocol for incoming requests | Basic: single site on a port. Multi-site: multiple hostnames on the same port (Host header routing).
Routing rule | Maps listener to backend | Basic: all traffic to one backend pool. Path-based: different URL paths to different pools (e.g., /images/* to pool A, /api/* to pool B).
HTTP settings | Defines how AG talks to the backend | Backend port, protocol (HTTP/HTTPS), cookie affinity, connection draining, request timeout, hostname override
Backend pool | Target servers | VMs, VMSS, App Services, IP addresses, FQDNs
Health probe | Checks backend health | Custom path, interval, unhealthy threshold, match conditions

Multi-Site Listeners

A single Application Gateway can host multiple websites using multi-site listeners:

Listener | Hostname | Backend Pool
--- | --- | ---
Listener 1 | app.pinnacle.com | Pool-App
Listener 2 | api.pinnacle.com | Pool-API
Listener 3 | portal.pinnacle.com | Pool-Portal

All three share the same frontend IP and port (443). The listener matches the Host header to route to the correct backend.

Path-Based Routing

Path-based routing sends different URL paths to different backend pools:

Path Rule | URL Pattern | Backend Pool
--- | --- | ---
Rule 1 | /images/* | Pool-Static (storage-optimised VMs)
Rule 2 | /api/* | Pool-API (compute-optimised VMs)
Default | /* (everything else) | Pool-Web (general web servers)

Ravi's scenario: Pinnacle Financial's web application serves static images, an API, and web pages. Path-based routing lets Ravi optimise each backend pool independently: more CPU for the API, more storage for images.

Scaling

Mode | How It Works | Best For
--- | --- | ---
Manual | You set a fixed instance count (1-125) | Predictable traffic, cost control
Autoscale | Set minimum and maximum instance count; AG scales based on traffic | Variable traffic, spiky workloads

Autoscale is recommended for production. You set min=2 (for HA) and max=125. Application Gateway scales within these bounds based on concurrent connections, throughput, and compute utilisation.

TLS Configuration

TLS termination (TLS offload):

  • Client connects to AG over HTTPS (port 443)
  • AG decrypts the traffic (using your certificate)
  • AG forwards to backend over HTTP (port 80)
  • Reduces backend CPU load; AG handles certificate management

End-to-end TLS:

  • Client connects to AG over HTTPS
  • AG decrypts, inspects (for routing and WAF), then re-encrypts
  • AG connects to backend over HTTPS
  • Backend must have its own certificate
  • Required when compliance mandates encryption in transit at every hop

Certificate management:

  • Upload PFX certificates to Application Gateway directly
  • Or reference certificates stored in Azure Key Vault (recommended: centralised, auto-renewal)
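
Added example, not code from the page or from Microsoft: the Azure CLI steps for a Key Vault-backed HTTPS listener and end-to-end TLS to the backend on an existing v2 gateway. The resource names (rg-pinnacle, agw-pinnacle, port-443, kv-pinnacle, the secret name, ./internal-ca.cer and the /healthz probe path) are assumptions, as is a user-assigned identity already attached to the gateway with read access to the Key Vault secret.

```azurecli
# Added example, not code from the page or from Microsoft. Assumed names:
# resource group rg-pinnacle, gateway agw-pinnacle (v2 SKU), frontend port
# port-443, Key Vault kv-pinnacle with the certificate stored as secret
# app-pinnacle-com, and an internal CA bundle ./internal-ca.cer.
RG=rg-pinnacle
AGW=agw-pinnacle

# Listener certificate referenced from Key Vault instead of uploading a PFX.
# The gateway needs a user-assigned identity with read access to the secret
# (assumed to be attached already); renewals in the vault then flow through.
az network application-gateway ssl-cert create -g $RG --gateway-name $AGW \
  --name cert-app \
  --key-vault-secret-id "https://kv-pinnacle.vault.azure.net/secrets/app-pinnacle-com"

# HTTPS multi-site listener: several hostnames can share port 443, with the
# Host header selecting the listener.
az network application-gateway http-listener create -g $RG --gateway-name $AGW \
  --name lst-app --frontend-port port-443 --ssl-cert cert-app \
  --host-name app.pinnacle.com

# End-to-end TLS, backend side: trust the CA that issued the backend
# certificates (not needed when they come from a well-known public CA).
az network application-gateway root-cert create -g $RG --gateway-name $AGW \
  --name root-internal-ca --cert-file ./internal-ca.cer

# HTTPS health probe that takes its hostname from the HTTP settings below.
az network application-gateway probe create -g $RG --gateway-name $AGW \
  --name probe-https --protocol Https --path /healthz \
  --host-name-from-http-settings true --interval 30 --threshold 3

# HTTP settings that re-encrypt to the backend on 443. Sending the pool
# member's own FQDN as Host lets its certificate validate; when pool members
# are IP addresses, use --host-name <fqdn> (hostname override) instead.
az network application-gateway http-settings create -g $RG --gateway-name $AGW \
  --name hs-web-https --port 443 --protocol Https \
  --host-name-from-backend-pool true --root-certs root-internal-ca \
  --probe probe-https --timeout 30
```

Point the routing rule's HTTP settings at hs-web-https (instead of the port-80 TLS-offload settings) to switch that path to end-to-end TLS.
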

Rewrite Rules

Rewrite rule sets modify HTTP headers and URL paths on requests and responses:

Common uses:

  • Remove server headers (security: don't expose backend server type)
  • Add security headers (HSTS, X-Content-Type-Options)
  • Redirect HTTP to HTTPS
  • Modify request URLs before forwarding to backend
  • Add/remove/modify cookies

Configuration:

  • Create a rewrite rule set
  • Add conditions (match on headers, URL, query string)
  • Add actions (set, delete, or append headers; rewrite URL)
  • Associate with routing rules

Rewrite rules are processed in order. You can have multiple rule sets associated with different routing rules.
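
Added example, not code from the page or from Microsoft, covering the path-based routing and rewrite rule sections above: Azure CLI steps that build the Pinnacle path map and a response-header rewrite set on an existing v2 gateway. Assumed to exist already: resource group rg-pinnacle, gateway agw-pinnacle, listener lst-app (for app.pinnacle.com), HTTP settings hs-web, and pools Pool-Static, Pool-API and Pool-Web.

```azurecli
# Added example, not code from the page or from Microsoft. Assumed to exist on
# gateway agw-pinnacle in resource group rg-pinnacle: listener lst-app (for
# app.pinnacle.com), HTTP settings hs-web, and backend pools Pool-Static,
# Pool-API and Pool-Web.
RG=rg-pinnacle
AGW=agw-pinnacle

# URL path map with the first path rule (/images/* -> Pool-Static). Requests
# matching no path rule fall through to the default pool (Pool-Web).
az network application-gateway url-path-map create -g $RG --gateway-name $AGW \
  --name upm-app --rule-name pr-images --paths "/images/*" \
  --address-pool Pool-Static --http-settings hs-web \
  --default-address-pool Pool-Web --default-http-settings hs-web

# Second path rule on the same map: /api/* -> Pool-API.
az network application-gateway url-path-map rule create -g $RG --gateway-name $AGW \
  --path-map-name upm-app --name pr-api --paths "/api/*" \
  --address-pool Pool-API --http-settings hs-web

# Rewrite rule set: an empty value deletes the backend's Server header; the
# other two entries add security headers to every response. --sequence sets
# the processing order when a set holds several rules.
az network application-gateway rewrite-rule set create -g $RG --gateway-name $AGW \
  --name rws-security
az network application-gateway rewrite-rule create -g $RG --gateway-name $AGW \
  --rule-set-name rws-security --name rr-headers --sequence 100 \
  --response-headers "Server=" \
    "Strict-Transport-Security=max-age=31536000; includeSubDomains" \
    "X-Content-Type-Options=nosniff"

# Path-based routing rule tying listener, path map and rewrite set together.
# v2 gateways require a priority; lower numbers are evaluated first.
az network application-gateway rule create -g $RG --gateway-name $AGW \
  --name rule-app --rule-type PathBasedRouting --priority 100 \
  --http-listener lst-app --url-path-map upm-app --rewrite-rule-set rws-security
```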

When to Use Application Gateway vs Load Balancer

Application Gateway vs Azure Load Balancer
Feature | Application Gateway | Azure Load Balancer
--- | --- | ---
OSI layer | Layer 7 (HTTP/HTTPS) | Layer 4 (TCP/UDP)
URL path routing | Yes: route /api/* and /images/* to different backends | No: routes by IP and port only
Host header routing | Yes: multi-site listeners for multiple domains | No
TLS termination | Yes: offloads TLS and supports end-to-end TLS | No: passes through encrypted traffic
WAF integration | Yes: built-in WAF v2 SKU available | No
Cookie affinity | Yes: cookie-based session affinity | Source IP affinity only (tuple hash)
Non-HTTP traffic | No: HTTP and HTTPS only | Yes: any TCP or UDP protocol
Scope | Regional only | Regional (cross-region available with global tier)

Rule of thumb: if your application uses HTTP/HTTPS and needs URL routing, TLS termination, or WAF, use Application Gateway. For non-HTTP protocols (databases, custom TCP services), use Load Balancer.

Key Takeaways

  • Application Gateway is a Layer 7 (HTTP/HTTPS) regional load balancer
  • Multi-site listeners route based on Host header; path-based rules route by URL
  • TLS termination offloads encryption; end-to-end TLS re-encrypts to backend
  • Autoscale (min 2, max 125) is recommended for production
  • Use AG for HTTP workloads; LB for non-HTTP or pure Layer 4

Test Your Knowledge

Question

What is path-based routing in Application Gateway?

Answer

Routing rules that send different URL paths to different backend pools. For example, /api/* goes to API servers and /images/* goes to storage-optimised servers. A default rule catches everything else.

Question

What is the difference between TLS termination and end-to-end TLS?

Answer

TLS termination: AG decrypts HTTPS and forwards HTTP to backend (no encryption to backend). End-to-end TLS: AG decrypts, inspects, re-encrypts, and forwards HTTPS to backend (encrypted at every hop).

Question

How do multi-site listeners work?

Answer

Multiple listeners share the same frontend IP and port (typically 443). Each listener matches a specific hostname from the Host header and routes to a different backend pool. This hosts multiple websites on one Application Gateway.

Question

What is the recommended scaling mode for production Application Gateway?

Answer

Autoscale with minimum 2 instances (for HA) and maximum up to 125. AG scales based on concurrent connections, throughput, and CPU utilisation.


Knowledge Check

Ravi's web application has three components: /api/*, /static/*, and general pages. Each needs different backend servers. Which Application Gateway feature should he use?

Knowledge Check

Aisha's compliance team requires encryption at every hop, including between Application Gateway and backend servers. What TLS mode should she configure?


Next up: Azure Front Door: Global Delivery. Global HTTP load balancing with CDN, WAF, and Private Link origins.


© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.