ITOps Talk Blog
Deploy and configure an Azure Application Gateway for load balancing and website protection.

OrinThomas
Microsoft
Dec 11, 2025

Azure Application Gateway provides layer 7 load balancing with integrated Web Application Firewall (WAF) capabilities, enabling traffic distribution across backend servers while protecting against common web exploits like SQL injection and DDoS attacks. This guide walks through deploying an Application Gateway to front-end two Windows Server IIS instances in an availability set.

Network Infrastructure Configuration

The first step you need to take is to prepare your Azure network infrastructure for Azure Application Gateway deployment. You can do this by performing the following steps:

Create Application Gateway Subnet

  1. Navigate to Virtual Networks and select your IIS VNet
  2. Select Subnets > Add Subnet
  3. Configure the subnet:
    • Name: app-GW-subnet
    • Starting address: 10.0.1.0 (or next available subnet range)
    • Leave other settings at defaults (no private endpoint policies or subnet delegation required)

Configure NSG Rules for Backend Traffic

  1. Select the first IIS VM's Network Security Group
  2. Create an inbound rule:
    • Source: Application Gateway subnet (10.0.1.0/24)
    • Service: HTTP
    • Provide priority and descriptive name
  3. Repeat for the second IIS VM's NSG to allow traffic from the Application Gateway subnet on port 80
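
To confirm that the NSG rules created above admit port 80 only from the Application Gateway subnet, the following added example (not part of the original post) audits a rule list exported as JSON. The function names are hypothetical, the sample rules are constructed, and the field names assume the output shape of `az network nsg rule list -o json`.

```python
import ipaddress

# app-GW-subnet range used in this guide
GATEWAY_SUBNET = ipaddress.ip_network("10.0.1.0/24")

# Constructed sample; field names assume `az network nsg rule list -o json` output.
SAMPLE_RULES = [
    {"name": "Allow-AppGW-HTTP", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "10.0.1.0/24", "destinationPortRange": "80"},
    {"name": "Allow-HTTP-Any", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "*", "destinationPortRange": "80"},
    {"name": "Allow-RDP-Admin", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "203.0.113.10", "destinationPortRange": "3389"},
]

def _values(rule, single, plural):
    """Merge the singular and plural forms of an NSG rule field into one list."""
    items = list(rule.get(plural) or [])
    if rule.get(single):
        items.append(rule[single])
    return items

def covers_port(rule, port):
    """True if any destination port entry ("80", "70-90", "*") includes port."""
    for entry in _values(rule, "destinationPortRange", "destinationPortRanges"):
        if entry == "*":
            return True
        low, _, high = entry.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False

def audit_http_rules(rules, gateway=GATEWAY_SUBNET, port=80):
    """Return (gateway_allowed, too_broad): whether an inbound allow rule admits the
    whole gateway subnet on port, and which allow rules admit sources outside it.
    Deny rules and priority ordering are not evaluated."""
    gateway_allowed, too_broad = False, []
    for rule in rules:
        if (rule["direction"], rule["access"]) != ("Inbound", "Allow") or not covers_port(rule, port):
            continue
        for src in _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes"):
            try:
                net = ipaddress.ip_network(src, strict=False)
            except ValueError:          # "*" or a service tag such as Internet
                gateway_allowed |= src == "*"
                too_broad.append(rule["name"])
                continue
            if net.version != gateway.version:
                too_broad.append(rule["name"])
                continue
            gateway_allowed |= gateway.subnet_of(net)
            if not net.subnet_of(gateway):
                too_broad.append(rule["name"])
    return gateway_allowed, too_broad
```

Running `audit_http_rules(SAMPLE_RULES)` reports that the gateway subnet is admitted and names `Allow-HTTP-Any` as a rule that also exposes port 80 to sources outside the gateway subnet.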

Application Gateway Deployment

Once the Azure network infrastructure is prepared, you can then deploy the application gateway and configure network traffic protection policies.

Basic Configuration

  1. Search for Application Gateways in the Azure Portal
  2. Click Create > Application Gateway
  3. Configure basic settings:
    • Resource Group: Same as IIS VMs
    • Name: (e.g., ZAVA-app-GW2)
    • Region: Same as IIS VMs
    • Tier: Standard V2
    • IP Address Type: IPv4 only
  4. Select Configure Virtual Network and choose the IIS VNet
  5. Select the Application Gateway subnet created earlier
  6. Create a new public IPv4 address for the gateway frontend.

Backend Pool Configuration

  1. On the Backends page, select Add a backend pool
  2. Provide a pool name
  3. Add both IIS VM private IP addresses to the pool.

Routing Rule Configuration

  1. On the Configuration page, select Add a routing rule
  2. Configure the listener:
    • Provide a rule name
    • Create a listener with a descriptive name
    • Protocol: HTTP
    • Port: 80
    • Listener type: Basic
  3. Configure backend targets:
    • Target type: Backend pool
    • Backend pool: Select the pool created in the previous step
    • Create new backend settings with port 80
    • Configure optional settings (cookie affinity, connection draining) as needed
  4. Specify a priority for the routing rule
  5. Complete the wizard to deploy the gateway

Verification and Testing

  1. Navigate to Application Gateways and select your deployed gateway
  2. Copy the Public IP Address from the overview page
  3. Access the public IP in a browser and refresh multiple times to observe load balancing between IIS-1 and IIS-2
  4. Navigate to Backend Pools to view backend health status for troubleshooting.

Web Application Firewall Protection

  1. In your Application Gateway, navigate to Web Application Firewall
  2. Select Create a web application firewall policy
  3. Provide a policy name
  4. Enable Bot Protection for enhanced security
  5. Save the policy
  6. Review the policy's Managed Rules to confirm OWASP Core Rule Set and bot protection rules are active.

The Application Gateway now distributes traffic across your IIS availability set while providing enterprise-grade security protection through integrated WAF capabilities.

Find out more at: https://learn.microsoft.com/en-us/azure/application-gateway/overview

Published Dec 11, 2025
Version 1.0