What is the difference between Azure Application Gateway, Load Balancer, Front Door and Firewall?
Published May 16 2019 12:33 AM
Hello folks,

Last week at a conference in Toronto, an attendee came to the Microsoft booth and asked something that has been asked many times in the past.  So, I decided to cover it here for everyone’s benefit.

What are the differences between Azure Firewall, Azure Application Gateway, Azure Load Balancer, NSG, Azure Traffic Manager, and Azure Front Door?

Here's a high-level consolidation of what they each do.

Azure Application Gateway

The Azure Application Gateway (AAG) is a web traffic manager for your web applications (one or multiple). With AAG, on top of load balancing your workloads, you can make routing decisions based on the URI path or on host headers. For example, you can route traffic based on the incoming URL: if /images is in the inbound URL, you can route that traffic to a specific set of servers (a pool) configured for images; if /video is in the URL, that traffic is routed to another pool.
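To make the routing decision concrete, here is an added example (not code from the original post, and not Microsoft's implementation) that models the two decisions described above: a listener is chosen from the Host header, then a URL path map picks the backend pool, with the listener's default pool as the fallback. The hostnames, path patterns and pool names are constructed, and the "first listed pattern wins" ordering is this model's own assumption.

```python
"""Added example, not code from the original post: a small model of the
URL path-based and host-header routing that Azure Application Gateway
performs in front of backend pools. Hostnames, paths and pool names are
constructed for illustration."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Listener:
    """A multi-site listener matches a Host header; "*" is the catch-all."""
    host: str
    default_pool: str
    # URL path map as (pattern, pool) pairs. A pattern ending in "/*"
    # matches that prefix and everything below it; others must match exactly.
    path_map: List[Tuple[str, str]] = field(default_factory=list)


def path_matches(pattern: str, path: str) -> bool:
    """Apply one path-rule pattern to a request path."""
    if pattern.endswith("/*"):
        prefix = pattern[:-1]                       # "/images/*" -> "/images/"
        return path == prefix[:-1] or path.startswith(prefix)
    return path == pattern


def select_listener(listeners: List[Listener], host_header: str) -> Optional[Listener]:
    """An exact hostname beats the "*" listener; a ":port" suffix is ignored."""
    host = host_header.split(":")[0].lower()
    for listener in listeners:
        if listener.host.lower() == host:
            return listener
    for listener in listeners:
        if listener.host == "*":
            return listener
    return None


def route(listeners: List[Listener], host_header: str, path: str) -> Optional[str]:
    """Return the backend pool a request is forwarded to, or None when no
    listener accepts the Host header. Path rules are tried in the order
    listed and the first match wins (this model's assumption, so list the
    most specific paths first); otherwise the listener's default pool is used."""
    listener = select_listener(listeners, host_header)
    if listener is None:
        return None
    for pattern, pool in listener.path_map:
        if path_matches(pattern, path):
            return pool
    return listener.default_pool


# Constructed configuration: one site with path rules plus a catch-all listener.
LISTENERS = [
    Listener("www.contoso.com", "webPool",
             [("/images/*", "imagesPool"), ("/video/*", "videoPool")]),
    Listener("*", "defaultPool"),
]

if __name__ == "__main__":
    for host, path in [("www.contoso.com", "/images/logo.png"),
                       ("www.contoso.com", "/video/intro.mp4"),
                       ("www.contoso.com", "/"),
                       ("api.contoso.com", "/images/logo.png")]:
        print(f"{host}{path} -> {route(LISTENERS, host, path)}")
```

Note that the gateway only ever sees the Host header and the path here; the backend pool that answers is decided before any application code runs, which is why a misordered or over-broad path rule silently sends traffic to the wrong pool.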

[Image: AAG.png]

AAG includes a Web Application Firewall (WAF) that protects your workload from common exploits such as SQL injection and cross-site scripting attacks, to name a few. This protection uses rules from the OWASP (Open Web Application Security Project) Core Rule Set, version 3.0 or 2.2.9. However, it is not an L3-L7 stateful firewall.

The Azure Application Gateway can be used to do TLS/SSL termination. TLS/SSL termination allows unencrypted traffic between the AAG and the backend servers, saving the backends the processing load needed to encrypt and decrypt that traffic. However, we strongly recommend against sending unencrypted communications to the servers, since in most situations it is not acceptable: security requirements, compliance requirements, or the application itself may require a secure connection. For these situations, the Azure Application Gateway also supports end-to-end TLS/SSL encryption.

**This paragraph was corrected by (@heinrichg) Heinrich Gantenbein - Cybersecurity Architect - Microsoft Enterprise Services**

These are just a few of the capabilities of AAG.
Azure Front Door

Azure Front Door gives you the ability to define, manage, and monitor the global routing for your web traffic (across regions). It optimizes your web traffic globally for performance (lowest latency) and for high availability by enabling instant fail-over for all your Internet-facing applications hosted inside or outside of Azure. It does so by using several traffic-routing methods (latency, priority, weighted, and session affinity). Just like the Azure Application Gateway, Front Door can route traffic based on the URL path of the request, and it also allows for more complex route-matching scenarios.

[Image: front-door.png]

Azure Traffic Manager

Azure Traffic Manager enables you to control how traffic is distributed across your application endpoints. An endpoint can be any Internet-facing endpoint, hosted in Azure or outside Azure. It provides two key benefits:

  1. Distribution of traffic according to one of several traffic-routing methods (priority, weighted, performance, geographic, multivalued and subnet).
  2. Continuous monitoring of endpoint health and automatic failover when endpoints fail.

When an end user attempts to connect to a service endpoint, their client (PC, phone, etc.) must first resolve the DNS name of that endpoint to an IP address. The client then connects to that IP address to access the service. Traffic Manager works at the DNS level: it uses DNS to direct end users to particular service endpoints, based on the chosen traffic-routing method and the current endpoint health. Clients then connect to the selected endpoint directly. Traffic Manager is not a proxy and does not see the traffic passing between the client and the service.
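The DNS-level behaviour is easy to misread, so here is an added example (not code from the original post, and not Microsoft's implementation) that models a Traffic Manager profile answering a query: it picks an endpoint by priority, weight or measured latency from the ones that passed their health probe, hands back a CNAME target and TTL, and then drops out of the picture. The endpoints, latencies, probe results and TTL are constructed; the geographic, multivalue and subnet methods are not modelled, and answering nothing when every endpoint is unhealthy is this model's simplification.

```python
"""Added example, not code from the original post: a model of how a
Traffic Manager profile answers a DNS query. It only returns the endpoint
the client should connect to; the client then connects directly, and
nothing in this model sits in the data path. Endpoints, probe results,
latencies and the TTL are constructed for illustration."""
import random
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Endpoint:
    name: str
    target: str                    # FQDN the DNS answer points at
    priority: int = 1              # lower number is preferred (priority method)
    weight: int = 1                # relative share of answers (weighted method)
    latency_ms: Dict[str, int] = field(default_factory=dict)  # per client region
    healthy: bool = True           # latest endpoint health-probe result


TTL_SECONDS = 60   # constructed; clients cache the answer for this long


def resolve(method: str, endpoints: List[Endpoint], client_region: str = "",
            rng=random) -> Optional[str]:
    """Pick the target FQDN for one DNS query.

    Only endpoints that passed their health probe are eligible; if none
    did, this model answers nothing (a simplification). Methods modelled:
    priority, weighted and performance; geographic, multivalue and subnet
    are not."""
    healthy = [e for e in endpoints if e.healthy]
    if not healthy:
        return None
    if method == "priority":
        return min(healthy, key=lambda e: e.priority).target
    if method == "weighted":
        return rng.choices(healthy, weights=[e.weight for e in healthy])[0].target
    if method == "performance":
        # A region with no latency data sorts last so measured ones win.
        return min(healthy, key=lambda e: e.latency_ms.get(client_region, 10 ** 9)).target
    raise ValueError(f"unsupported routing method: {method}")


def answer(method: str, endpoints: List[Endpoint],
           client_region: str = "") -> Optional[Tuple[str, int]]:
    """DNS-style answer (CNAME target, TTL), or None when nothing is healthy."""
    target = resolve(method, endpoints, client_region)
    return None if target is None else (target, TTL_SECONDS)


# Constructed endpoints in two regions.
ENDPOINTS = [
    Endpoint("east-us", "app-eus.example.net", priority=1, weight=3,
             latency_ms={"na": 20, "eu": 90}),
    Endpoint("west-europe", "app-weu.example.net", priority=2, weight=1,
             latency_ms={"na": 95, "eu": 15}),
]


def failover_demo() -> Tuple[Optional[str], Optional[str]]:
    """Answer before and after the primary fails its health probe."""
    before = resolve("priority", ENDPOINTS)
    ENDPOINTS[0].healthy = False
    after = resolve("priority", ENDPOINTS)
    ENDPOINTS[0].healthy = True          # restore for later calls
    return before, after


def weighted_share(queries: int, seed: int) -> int:
    """How many of `queries` weighted answers (seeded for repeatability)
    point at the first endpoint; expect roughly 3/4 with weights 3:1."""
    rng = random.Random(seed)
    return sum(resolve("weighted", ENDPOINTS, rng=rng) == ENDPOINTS[0].target
               for _ in range(queries))
```

The TTL is the part to keep in mind operationally: a client that cached the old answer keeps connecting to the failed endpoint until the record expires, which is why DNS-based failover is never instantaneous even though the profile itself switches as soon as the probe fails.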

[Image: traffic-manager.jpg]

Azure Load Balancer

The Azure Load Balancer distributes inbound traffic to backend pool instances according to rules and health probes. It can also provide outbound connections for virtual machines (VMs) inside your virtual network by translating their private IP addresses to public IP addresses. The Load Balancer is a TCP/UDP load balancing and port forwarding engine only. It does not terminate, respond to, or otherwise interact with the traffic. It simply routes traffic, based on source IP address and port, to a destination IP address and port.

[Image: load-balancer-distribution.png]
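As an added example (not code from the original post, and not Microsoft's implementation), the following models the flow distribution just described: a new flow is assigned to a backend by hashing the fields of its 5-tuple (or the 2- or 3-tuple subset used by the source-IP affinity modes Azure Load Balancer offers), and instances that failed their health probe receive no new flows. The backend addresses, probe results and flows are constructed, SHA-256 stands in for the unpublished hash, and re-hashing existing flows when the healthy set changes is a simplification of the real service.

```python
"""Added example, not code from the original post: a model of the
hash-based distribution Azure Load Balancer applies to new flows. The
backend addresses, probe results and flows are constructed; the hash
function and the way flows re-map when the healthy set changes are
simplifications of the real service."""
import hashlib
from typing import Dict, List, Optional, Tuple

# Flow = (src_ip, src_port, dst_ip, dst_port, protocol)
Flow = Tuple[str, int, str, int, str]

# Distribution modes Azure Load Balancer offers; "5-tuple" is the default.
MODES = {
    "5-tuple": lambda f: f,                              # all five fields
    "source-ip": lambda f: (f[0], f[2]),                 # client IP affinity (2-tuple)
    "source-ip-protocol": lambda f: (f[0], f[2], f[4]),  # client IP + protocol (3-tuple)
}


def flow_hash(flow: Flow, mode: str = "5-tuple") -> int:
    """Stable hash of the fields the chosen mode looks at (SHA-256 here;
    the real hash is not published)."""
    key = "|".join(str(part) for part in MODES[mode](flow)).encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big")


def choose_backend(flow: Flow, backends: List[str], probes: Dict[str, bool],
                   mode: str = "5-tuple") -> Optional[str]:
    """Pick a backend for a new flow. Instances failing their health probe
    receive no new flows; nothing beyond the packet headers is consulted."""
    healthy = [b for b in backends if probes.get(b, False)]
    if not healthy:
        return None
    return healthy[flow_hash(flow, mode) % len(healthy)]


def spread(flows: List[Flow], backends: List[str], probes: Dict[str, bool],
           mode: str = "5-tuple") -> Dict[str, int]:
    """Count how many flows land on each backend (a quick sanity check)."""
    counts = {b: 0 for b in backends}
    for f in flows:
        chosen = choose_backend(f, backends, probes, mode)
        if chosen is not None:
            counts[chosen] += 1
    return counts


BACKENDS = ["10.0.1.4", "10.0.1.5", "10.0.1.6"]                     # constructed pool
PROBES = {"10.0.1.4": True, "10.0.1.5": True, "10.0.1.6": False}    # .6 failed its probe

if __name__ == "__main__":
    flows = [("203.0.113.10", p, "20.0.0.1", 443, "tcp") for p in range(50000, 50100)]
    print("5-tuple:", spread(flows, BACKENDS, PROBES))
    print("source-ip:", spread(flows, BACKENDS, PROBES, "source-ip"))
```

Running it shows the practical difference between the modes: with the default 5-tuple hash, one client's hundred connections spread across both healthy backends, while source-IP affinity pins all of them to one instance, which is what you want for stateful backends and what you do not want when a single NAT'd office would otherwise land on one VM.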

It can also be deployed both as a Public Load Balancer or an Internal Load Balancer to manage internal traffic.

[Image: load-balancer-2.png]

Azure Firewall

Azure Firewall is a cloud-based network security service that protects your Azure Virtual Network. It allows you to create, enforce, and log application and network connectivity policies across subscriptions and virtual networks.

Just like any firewall currently found in your own datacenter, it can be used to limit outbound traffic to a specified list of fully qualified domain names (FQDNs), including wildcards. You can set rules to allow or deny network access by source and destination IP address, port, and protocol, and since Azure Firewall is fully stateful (L3-L7), it can distinguish legitimate packets for different types of connections.
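To show how the two rule kinds described above combine, here is an added example (not code from the original post, and not Microsoft's implementation) that evaluates a small policy against one connection. It follows the documented processing logic (network rule collections before application rule collections, collections by ascending priority, deny before allow at equal priority, first match terminates, unmatched traffic denied) and matches application rules on the FQDN the client asked for. The collection names, address ranges and FQDNs are constructed, and treating `*.` as matching subdomains only is this model's assumption.

```python
"""Added example, not code from the original post: a model of how Azure
Firewall evaluates network rules (5-tuple) and application rules (FQDN
targets, wildcards allowed) against one connection. Names, address ranges
and FQDNs are constructed. The processing order follows the documented
logic: network rule collections before application rule collections,
collections by ascending priority, deny before allow at equal priority,
first match terminates, and unmatched traffic is denied. Treating "*."
as matching subdomains only is this model's assumption."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Rule:
    name: str
    sources: List[str]                                     # CIDRs
    protocols: List[str]      # network: "tcp"/"udp"; application: "https:443"/"http:80"
    ports: List[int] = field(default_factory=list)         # network rules only
    destinations: List[str] = field(default_factory=list)  # network rules: CIDRs
    fqdns: List[str] = field(default_factory=list)         # application rules


@dataclass
class Collection:
    name: str
    kind: str          # "network" or "application"
    priority: int
    action: str        # "allow" or "deny"
    rules: List[Rule]


def in_any(ip: str, cidrs: List[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def fqdn_matches(pattern: str, host: str) -> bool:
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])     # "*.contoso.com" -> any subdomain
    return host == pattern


def rule_matches(rule: Rule, kind: str, src: str, proto: str,
                 dst_ip: str, dst_port: int, host) -> bool:
    if not in_any(src, rule.sources):
        return False
    if kind == "network":
        return proto in rule.protocols and dst_port in rule.ports and in_any(dst_ip, rule.destinations)
    # Application rules match on the HTTP Host / TLS SNI name and the port from
    # the "scheme:port" protocol entry; the scheme itself is not checked here.
    if host is None or dst_port not in {int(p.split(":")[1]) for p in rule.protocols}:
        return False
    return any(fqdn_matches(p, host) for p in rule.fqdns)


def evaluate(collections: List[Collection], src: str, proto: str, dst_ip: str,
             dst_port: int, host: str = None) -> Tuple[str, str]:
    """Return (action, "collection/rule") for the first match, or ("deny", "default")."""
    ordered = sorted(collections,
                     key=lambda c: (c.kind != "network", c.priority, c.action != "deny"))
    for coll in ordered:
        for rule in coll.rules:
            if rule_matches(rule, coll.kind, src, proto, dst_ip, dst_port, host):
                return coll.action, f"{coll.name}/{rule.name}"
    return "deny", "default"


# Constructed policy for a 10.0.0.0/16 virtual network.
COLLECTIONS = [
    Collection("app-allow-updates", "application", 200, "allow", [
        Rule("windows-update", ["10.0.0.0/16"], ["https:443", "http:80"],
             fqdns=["*.windowsupdate.com"])]),
    Collection("net-deny-smb", "network", 100, "deny", [
        Rule("block-smb", ["10.0.0.0/16"], ["tcp"], ports=[445], destinations=["0.0.0.0/0"])]),
    Collection("net-allow-dns", "network", 150, "allow", [
        Rule("dns", ["10.0.0.0/16"], ["udp"], ports=[53], destinations=["10.0.0.4/32"])]),
]
```

The point the model makes is the default: a VM in the 10.0.0.0/16 range reaching a host under windowsupdate.com over HTTPS is allowed by the application rule, the apex domain is not (the wildcard does not cover it), and anything no rule mentions falls through to the implicit deny, which is the behaviour you want to verify in your own policy before relying on it.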

[Image: Azure-firewall.png]

Network Security Groups

Network Security Groups, or NSGs, allow you to filter traffic to and from your resources in an Azure virtual network. NSG security rules are evaluated by priority using the 5-tuple information (source, source port, destination, destination port, and protocol) to allow or deny the traffic. NSGs can be assigned to subnets or network interfaces in the Resource Manager deployment model. NSGs are not a firewall: they have no visibility into the payload, just the addresses, ports, and protocols.
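As an added example (not code from the original post, and not Microsoft's implementation), the evaluator below applies a set of inbound NSG rules to a packet's 5-tuple in ascending priority order and stops at the first match, which is all the information an NSG has. The custom rules and addresses are constructed; the three default inbound rules (65000 AllowVnetInBound, 65001 AllowAzureLoadBalancerInBound, 65500 DenyAllInBound) and the health-probe source address 168.63.129.16 are real Azure values, while the ranges standing in for the VirtualNetwork and Internet service tags are this model's simplification.

```python
"""Added example, not code from the original post: an evaluator that
applies NSG inbound rules to the 5-tuple of a packet in priority order,
exactly the information an NSG sees (no payload). Custom rules and the
addresses are constructed. The three default inbound rules and the Azure
health-probe source 168.63.129.16 are real Azure values; the ranges behind
the VirtualNetwork and Internet tags are this model's simplification."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Service tags: VirtualNetwork is the constructed VNet range; AzureLoadBalancer
# is the platform probe source; "Internet" is modelled as anything outside the VNet.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
}


@dataclass(frozen=True)
class SecurityRule:
    priority: int        # 100-4096 for custom rules; lower numbers are evaluated first
    name: str
    access: str          # "Allow" or "Deny"
    protocol: str        # "Tcp", "Udp", "Icmp" or "*"
    source: str          # CIDR, single IP, service tag or "*"
    source_port: str     # port, "lo-hi" range or "*"
    destination: str
    destination_port: str


def port_in(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def addr_in(spec: str, ip: str) -> bool:
    if spec == "*":
        return True
    if spec == "Internet":
        return not addr_in("VirtualNetwork", ip)
    addr = ipaddress.ip_address(ip)
    cidrs = SERVICE_TAGS.get(spec, [spec])
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def evaluate(rules: List[SecurityRule], src_ip: str, src_port: int,
             dst_ip: str, dst_port: int, protocol: str) -> Tuple[str, str]:
    """Return (access, rule name) of the first rule, by ascending priority,
    whose 5-tuple conditions all match; evaluation stops at that rule."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.protocol != "*" and r.protocol.lower() != protocol.lower():
            continue
        if (addr_in(r.source, src_ip) and port_in(r.source_port, src_port)
                and addr_in(r.destination, dst_ip) and port_in(r.destination_port, dst_port)):
            return r.access, r.name
    return "Deny", "(no rule matched)"   # unreachable while DenyAllInBound is present


DEFAULT_INBOUND = [
    SecurityRule(65000, "AllowVnetInBound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    SecurityRule(65001, "AllowAzureLoadBalancerInBound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    SecurityRule(65500, "DenyAllInBound", "Deny", "*", "*", "*", "*", "*"),
]

# Constructed custom rules: the deny at 100 wins over the broader allow at 110.
CUSTOM_INBOUND = [
    SecurityRule(100, "DenySSHFromInternet", "Deny", "Tcp", "Internet", "*", "*", "22"),
    SecurityRule(110, "AllowSSH", "Allow", "Tcp", "*", "*", "*", "22"),
    SecurityRule(200, "AllowHTTPSFromInternet", "Allow", "Tcp", "Internet", "*", "*", "443"),
]
RULES = CUSTOM_INBOUND + DEFAULT_INBOUND
```

Two things worth checking in any real NSG are visible here: SSH from the Internet is denied only because the deny carries the lower priority number than the allow at 110, and the platform's health-probe source is admitted by a default rule you did not write, so an ordering mistake or a custom rule placed above 65001 changes what gets through.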

[Image: NSG2.png]

I really hope this makes sense to you. There is some overlap across all these services; however, each is well suited to its own specific scenarios.

Cheers!

Pierre

18 Comments
Microsoft

Nice article, Pierre!  What about NSGs, though?

Microsoft

Hey @Karen McGregor. I added the NSG section. Hope it makes sense.

Copper Contributor

Great article. May I suggest to:

  • Say TLS instead of SSL
  • And recommend against TLS offloading. Many security professionals consider it an anti-pattern, especially with the minimal overhead of TLS processing on established communications.

Microsoft

@heinrichg Thanks for the suggestion about TLS vs. SSL, I will keep it in mind. As for whether someone should or should not use TLS offloading, that is up to them and their security teams. We just make sure that we support it both ways so we can cover all the scenarios.

Thanks

Copper Contributor

Hi @Pierre Roman, can Application Gateway go across regions like Azure Front Door? My understanding is no. Please comment.

Copper Contributor

Thank you for the post. I have a SaaS web app deployed on Azure Web App. The users are from China and Australia. I want regional load balancing, so that Chinese users use the web app in the China Azure region and Australian users use the AU Azure region. In addition, I want to prevent attacks, so I want to add access rate limiting per IP. Can you please advise what service I should use?

Copper Contributor

Good to have this on one page. And then, it would be great to look at this from a use-case perspective, as opposed to product/feature. What are the common problems we're trying to solve for web apps, API endpoints etc., and which solution helps?

Copper Contributor

Very nicely articulated! Thanks

Copper Contributor

Hi Pierre, thanks for the article. I'd like to give you some feedback. What I see here is not an article that relates each one's functionality to the others; it's more something that puts together the definitions. My expectation was that I would come here and read how they differ from each other and some other info on when to use each. Thanks

Copper Contributor

@Pierre Roman, can Application Gateway handle sticky sessions? I've configured a basic Load Balancer that needs to do SSL termination (HTTPS from the browser to the load balancer, and then a rule that sends traffic to the back-end pool on port 80). It looks like this is only possible with Application Gateway, but I'm wondering if it can do sticky sessions. Thanks

Copper Contributor

@Pierre Roman, thank you for putting this information together. I think if you add to each product (or in another post) the main scenarios/best practices for each one of them, it will centralize all the info together and clear up the question of when we should use each product, or products together (not only what the differences are).

Microsoft

It would be great if you can create some decision tree graph users can walk through to reach a decision of when to choose which service.

Microsoft

Check out this latest guidance we published on when to pick which load balancing service, or which combination of load balancing services, on Azure: https://docs.microsoft.com/en-us/azure/architecture/guide/technology-choices/load-balancing-overview. Hope this helps, and your feedback is truly appreciated.

Microsoft

@sharad_chai Thanks!! That's great. I will definitely tell people about this.

Copper Contributor

Team ..

As a few of the above-discussed products offer both some security features and load balancing/routing, can we just end up using a single product which serves the purpose of both firewall and load balancing?

Copper Contributor

Very nice article; it succinctly cleared up a lot of the concepts very precisely. Though I am still not 100% clear about the difference between Azure Traffic Manager and Azure Front Door?

Microsoft

@avixorld They are both a way to manage traffic. However, if you are looking for DNS-based global routing and you do not have requirements for Transport Layer Security (TLS) protocol termination ("SSL offload") or per-HTTP/HTTPS-request, application-layer processing, use Traffic Manager. If you do need these capabilities, use Front Door.

Microsoft

@avixorld, @Pierre Roman - Front Door can do super fast failover, unlike Traffic Manager. Traffic Manager is a DNS-based load balancer and can take minutes to hours for 100% failover (global). Front Door is in the data path and is also Anycast based, so you can see 100% failover happen globally in under a minute, predictably.

Last update: May 30 2019 01:11 PM