Azure Application Gateway, a versatile yet sometimes misunderstood solution, can be likened to a Swiss army knife for efficiently managing inbound traffic and fortifying web endpoints with an added layer of security. In this blog post, we'll provide a detailed comparison of its tiers and features.
The Swiss army knife
Application Gateway is an interesting product. It is often misunderstood, and most cloud solution architects seem to refer to it as the Swiss army knife; it is essentially marketed as a jack-of-all-trades service.
There are numerous scenarios where this holds true and Application Gateway can indeed prove highly beneficial, but there are also certain considerations to be aware of. Specifically, it's important to be cautious when dealing with HTTP/2-related workloads.
So let us dive deeper into this.
When it comes to HTTP/2 support, you need to be very careful and look very closely at the documentation.
HTTP/2 support
As of August 2023: "The document mentions that HTTP/2 is supported natively for front-end connections without requiring user action. However, it's important to note that this native support is specific to the front-end and is not explicitly detailed in the 'WebSocket and HTTP/2 Traffic' section of the documentation:
It's worth highlighting that enabling HTTP/2 support for back-end servers does require user action, and you can find instructions on how to do so in the following section:
In summary, while HTTP/2 protocol support is readily available for client connections to application gateway listeners, communication with back-end server pools is performed using HTTP/1.1 by default. To enable HTTP/2 support for back-end connections, specific user configurations are necessary."
SignalR support
SignalR is supported via Azure SignalR Service with Azure Application Gateway.
Well, we have spent a significant amount of time with Microsoft Azure FastTrack, Microsoft Support and the Product Units and can confirm that, to the best of our knowledge:
A self-hosted SignalR service, which could be hosted in AKS, Service Fabric, VM, App Services, or just somewhere else, might or might not be supported under certain conditions by Application Gateway.
Websocket Communication support
WebSockets are available and implemented as specified in RFC 6455. See the reference documentation for more details.
gRPC support
Plainly and simply not available as of 30 August 2023. However, it is on the backlog of Application Gateway as well as the Application Gateway Ingress Controller for Kubernetes. See GitHub for more information.
UDP support
Everything UDP and MQTT and ... is not supported as of the publishing date of this writing.
We would also like to mention that there are many limitations in Application Gateway's reverse proxy capabilities compared to other solutions like Traefik and NGINX.
So, to summarize our experience with Application Gateway: rewrite rules can do magic, but magic can only do so much. In other words, everything HTTP/HTTPS and WebSocket (RFC 6455) is supported; anything else is worth a proof of concept.
Feature Table
Feature | Standard v1 | WAF v1 | Standard v2 | WAF v2 |
---|---|---|---|---|
Autoscaling | ✓ | ✓ | ||
Zone redundancy | ✓ | ✓ | ||
Static VIP | ✓ | ✓ | ||
Azure Kubernetes Service (AKS) Ingress controller - Overview | ✓ | ✓ | ||
Azure Key Vault integration | ✓ | ✓ | ||
Rewrite HTTP(S) headers | ✓ | ✓ | ||
Enhanced Network Control (Route Table, NSG, Private IP Frontend only) | ✓ | ✓ | ||
URL-based routing | ✓ | ✓ | ✓ | ✓ |
Multiple-site hosting | ✓ | ✓ | ✓ | ✓ |
Mutual Authentication (mTLS) | ✓ | ✓ | ||
Private Link support | ✓ | ✓ | ||
Traffic redirection | ✓ | ✓ | ✓ | ✓ |
Web Application Firewall (WAF) | ✓ | ✓ | ✓ | ✓ |
WAF Ruleset | OWASP core rule sets - 3.0, 2.2.9 | OWASP core rule sets - 3.0, 2.2.9 | OWASP core rule sets - 3.0, 2.2.9 | OWASP core rule sets - 3.1, 3.0, 2.2.9 |
WAF custom rules | ✓ | ✓ | ||
WAF policy associations | ✓ | ✓ | ||
Transport Layer Security (TLS)/Secure Sockets Layer (SSL) termination | ✓ | ✓ | ||
End-to-end TLS encryption | ✓ | ✓ | ✓ | ✓ |
Session affinity | ✓ | ✓ | ✓ | ✓ |
Custom error pages | ✓ | ✓ | ✓ | ✓ |
WebSocket support | ✓ | ✓ | ✓ | ✓ |
HTTP/2 support | ✓ | ✓ | ✓ | ✓ |
Connection draining | ✓ | ✓ | ✓ | ✓ |
Proxy NTLM authentication | ✓ | ✓ | ||
Performance enhancements | up to 5X better TLS offload performance as compared to the Standard/WAF SKU | up to 5X better TLS offload performance as compared to the Standard/WAF SKU | ||
Faster deployment and update time | faster deployment and update time as compared to Standard/WAF SKU. This also includes WAF configuration changes | faster deployment and update time as compared to Standard/WAF SKU. This also includes WAF configuration changes | ||
Max frontend public IPs | 1 | 1 | 1 | 1 |
Max frontend private IPs | 1 | 1 | 1 | 1 |
Frontend IP configurations | 2 | 2 | 2 | 2 |
Public IP Assignment | dynamic | dynamic | static | static |
Private IP Assignment | static, dynamic | static, dynamic | static | static |
Conclusion
In conclusion, Azure Application Gateway, often compared to a versatile Swiss army knife, offers efficient ingress management and heightened web endpoint security. However, it's essential to be mindful of its capabilities and limitations.
Our extensive experience and interactions with clients have underscored essential factors to consider, such as disparities in documentation, partial or non-supported communication technologies and frameworks. Some of these necessitate custom configurations, while others are simply not supported.
It's worth noting that while Application Gateway proves to be an excellent fit for most clients, addressing their specific needs, it may not align with every client's unique technical requirements.
It's important to remember that Application Gateway's rewrite rules often perform admirably, even in complex and edge cases. However, they do have certain limitations when compared to alternatives like Traefik and NGINX. On the flip side, Application Gateway's user-friendly interface and seamless portal integration make it an accessible choice for adoption.
Additionally, note that the V1 SKU of Application Gateway is deprecated, emphasizing the importance of transitioning to the V2 SKU.
As you evaluate Azure Application Gateway, remember it's a valuable addition, but assess your specific needs beforehand and keep in mind you can explore alternative solutions in the Azure marketplace, such as F5 Nginx, and various WAF providers.
Ensure your applications operate seamlessly and securely in your Azure journey.
Thank you for reading, and we hope this comprehensive comparison aids your Azure endeavors. We are curious about your Application Gateway story and experience – please let us know in the comments below.
More information & resources
Limits, Quotas and constraints
Pricing
- Application Gateway Pricing Details
- Understanding Pricing for Azure Application Gateway and Web Application Firewall
- Pricing Calculator | Microsoft Azure
Private frontend IP
How to activate Preview features in Azure
Application Gateway & Kubernetes Ingress
- Application Gateway Ingress Controller
What is Application Gateway Ingress Controller - The successor of Application Gateway Ingress Controller is Application Gateway for Containers
What is Application Gateway for Containers? (preview)
Private Application Gateway deployment is in preview