Azure Application Gateway

Question 1

What is Azure Application Gateway?

Answer 1

It is a layer seven load balancer, as in a load balancer for balancing HTTP, HTTPS, WebSocket, and HTTP/2 traffic.

Question 2

Explain Azure Application Gateway in the context of its deployment architecture?

Answer 2

1. It is deployed only in a region\n2. It can be deployed across a region or a single zone.

Question 3

What is its SLA availability?

Answer 3

99.99% for two or more VMs in two or more availability zones

Question 4

What is the approach to DR?

Answer 4

It’s a regional service, so there is no MS-provided DR.

Question 5

Can you have a private internal IP on a VNET?

Answer 5

Yes, 100%, this is supported.

Question 6

Can you terminate SSL and TLS with the Azure App Gateway?

Answer 6

Yes, both TLS and SSL termination are supported.

Question 7

Scenario: I have an on-prem application that is a web server on 443

Answer 7

presenting a web interface for users; I am adding a second instance of the web server in Azure for high availability. I also currently have an express router between on-prem and Azure.

Question 8

Question: How can I load-balance between them using a layer seven load balancer?

Answer 8

Use the Azure Application Gateway; this enables load-balancing between on-prem and Azure web apps. As described, an express route is required to enable traffic from the load balancer to reach the on-prem web app instance.

Question 9

Can I use the Azure App Gateway to send traffic to a public endpoint?

Answer 9

Yes

Question 10

Can I use the Azure App Gateway to send traffic to a private endpoint on-prem?

Answer 10

Yes, provided you have a VPN or ExpressRoute to enable the backend traffic to reach the on-prem private endpoint.

Question 11

Can I use the Azure App Gateway to send traffic to a private endpoint on-prem without a VPN or express route?

Answer 11

You could expose the on-prem endpoint using the Azure Relay so that the Azure App Gateway can send the traffic using the Azure Relay.

Question 12

Can I use the Azure App Gateway as a cross-regional load balancer?

Answer 12

No, it’s a regional load balancer.

Question 13

Is the App Gateway deployed automatically as a zone-redundant load balancer?

Answer 13

No, you get to deploy the load balancer at either a Single-Zone or Zone-Redundant configuration.

Question 14

Do you need to set the scale using the load balancer at deployment time?

Answer 14

No, the Azure App Gateway will automatically scale as required.

Question 15

I require a virtual IP to always be static for layer seven load balancing. What option do I have

Answer 15

and can you explain it?

Question 16

Does the Application Gateway support session affinity?

Answer 16

Yes, you can use cookie-based session affinity.

Question 17

How does cookie-based session affinity work?

Answer 17

Azure Application Gateway adds several headers to forwarded requests: x-forwarded-for, x-forwarded-port, x-forwarded-proto, x-original-host, x-original-url, and x-appgw-trace-id. You can configure header and URL modifications using Rewrite HTTP headers, URL, or path-override settings.

Question 18

Does the Application Gateway support WebSockets?

Answer 18

Application Gateway provides native support for the WebSocket and HTTP/2 protocols. There’s no user-configurable setting to enable or disable WebSocket support selectively.

Question 19

I require the ability for connection draining with a layer seven load balancer; what options do I have?

Answer 19

The Azure Application Gateway supports connection draining.

Question 20

What is connection draining?

Answer 20

Connection draining helps you achieve graceful removal of backend pool members during planned service updates or problems with backend health. This setting is enabled via the Backend Setting and is applied to all backend pool members during rule creation. Once enabled, the application gateway ensures all deregistering instances of a backend pool don’t receive any new requests while allowing existing requests to be completed within a configured time limit.

Question 21

Does the Azure Application Gateway support custom error pages?

Answer 21

Application Gateway allows you to create custom error pages instead of displaying default error pages. You can use your branding and layout using a custom error page.

Question 22

Can I use the Azure App Gateway to send traffic to another internet-based endpoint?

Answer 22

Yes, 100%; you can configure an IP on the internet as a backend endpoint.

Question 23

I have a virtual machine in a VNET and want to access the Azure Application Gateway API securely without going over the Internet. How can I achieve this?

Answer 23

Use a private link with Azure App Gateway.

Question 24

I require an Azure Kubernetes Service (AKS) Ingress controller; what is the best service?

Answer 24

Azure Application Gateway with its Ingress controller is a suitable option.

Question 25

I require a layer seven service that can rewrite headers; what are my options?

Answer 25

Azure Application Gateway has the capability to rewrite HTTP headers.

Question 26

I require automated management of my Azure Application Gateway certificates for terminating HTTPS; how can I achieve this?

Answer 26

Azure Application Gateway supports Azure Key Vault integration for certificate management.

Question 27

Can you associate an NSG with the Azure App Gateway subnet?

Answer 27

You can associate NSGs with the Application Gateway subnet to apply security rules.

Question 28

Does Azure Application Gateway support private IP frontend?

Answer 28

1. Azure Application Gateway allows for a private frontend configuration, meaning it only has a private IP address and doesn’t expose a public IP.\n2. This configuration is ideal for internal applications that do not require internet access and must remain within a private network (for example, internal-facing web apps).\n3. When combined with other network controls, such as NSGs and UDRs, the Private IP Frontend can be fully secured and isolated from external traffic.

Question 29

Can you associate an NSG with the Azure App Gateway interface?

Answer 29

NSGs provide network interface or subnet security, allowing you to define rules to control inbound and outbound traffic.

Question 30

In the context of Azure App Gateway

Answer 30

what is URL-based routing?

Question 31

In the context of Azure App Gateway

Answer 31

what is multiple-site hosting?

Question 32

What type of authentication does Azure Application Gateway support through its reverse proxy?

Answer 32

NTLM authentication.

Question 33

Does Azure Application Gateway support NTLM authentication for backend servers?

Answer 33

Yes, it supports NTLM authentication for backend servers.

Question 34

What is the limitation of NTLM authentication with Azure Application Gateway?

Answer 34

NTLM authentication cannot be used for end-to-end SSL.

Question 35

When should you use Azure Application Gateway with NTLM authentication?

Answer 35

Use when the backend server requires NTLM for client authentication.

Question 36

What is the purpose of connection draining in Azure Application Gateway?

Answer 36

To allow in-progress requests to complete before removing a backend server.

Question 37

When is connection draining useful in Azure Application Gateway?

Answer 37

During backend server maintenance or scaling to avoid disrupting client requests.

Question 38

How does connection draining affect backend instances in Azure Application Gateway?

Answer 38

It prevents new connections while allowing existing connections to finish processing.

Question 39

You need to configure a web application on Azure App Gateway to support efficient

Answer 39

multiplexed communication with clients using modern browsers. Which protocol feature should you enable to achieve this?

Question 40

A client reports that a web application behind Azure App Gateway is experiencing slow page loads due to connection limitations. What feature could help improve load times by allowing multiple requests over a single connection?

Answer 40

Enable HTTP/2 support.

Question 41

You want to use Azure App Gateway to support a backend service that requires both HTTP/1.1 and HTTP/2 for compatibility purposes. Can you enable both protocols simultaneously on Azure App Gateway?

Answer 41

Yes, both HTTP/1.1 and HTTP/2 can be enabled simultaneously.

Question 42

Describe the Azure App Gateway architecture when deployed.

Answer 42

1. It is a regional-based service\n2. You select a single-zone or multi-zone deployment\n3. Scales automatically

Question 43

Does Azure Application Gateway support WAF (Web Application Firewall) integration?

Answer 43

Yes, Azure Application Gateway has a WAF SKU that provides built-in WAF capabilities to protect against common vulnerabilities.

Question 44

How can you configure Azure Application Gateway to handle traffic for multiple backend pools depending on different domains?

Answer 44

Use multiple-site hosting to route requests based on the requested hostname to specific backend pools.

Question 45

What are the two tiers available for Azure Application Gateway?

Answer 45

Standard and WAF.

Question 46

What is the difference between the Standard and WAF tiers of Azure Application Gateway?

Answer 46

The WAF tier includes all the features of the Standard tier along with Web Application Firewall capabilities.

Question 47

How does autoscaling work in Azure Application Gateway?

Answer 47

Azure Application Gateway automatically scales based on traffic load to meet performance requirements.

Question 48

Can Azure Application Gateway be used with Azure Traffic Manager?

Answer 48

Yes

Question 49

What is the maximum number of backend pools supported by Azure Application Gateway?

Answer 49

Azure Application Gateway supports up to 100 backend pools.

Question 50

How does Azure Application Gateway handle health probes?

Answer 50

Azure Application Gateway uses health probes to monitor the health of backend servers and remove unhealthy instances from the backend pool.

Question 51

What are the available protocols for Azure Application Gateway listeners?

Answer 51

HTTP and HTTPS.

Question 52

How can you enable end-to-end SSL in Azure Application Gateway?

Answer 52

Configure SSL certificates for both the frontend listener and backend server settings.

Question 53

What is the benefit of using rewrite rules in Azure Application Gateway?

Answer 53

Rewrite rules allow for modifications of request and response headers

Question 54

Can Azure Application Gateway support redirection?

Answer 54

Yes

Question 55

How does Azure Application Gateway integrate with Azure Key Vault?

Answer 55

Azure Application Gateway can use Azure Key Vault to manage SSL certificates for secure communication.

Question 56

What are SSL profiles in Azure Application Gateway?

Answer 56

SSL profiles allow you to configure SSL policy settings

Question 57

What is a custom probe in Azure Application Gateway?

Answer 57

A custom probe allows you to specify the URL path

Question 58

How can Azure Application Gateway enhance the security of backend services?

Answer 58

Azure Application Gateway provides TLS termination

Question 59

How does Azure Application Gateway handle backend instance failures?

Answer 59

Unhealthy instances are removed from the backend pool based on health probe results

Question 60

What is an Azure Application Gateway listener?

Answer 60

A listener is an entity that checks for incoming client requests on a specific IP and port combination.

Question 61

What is URL Path-based Routing in Azure Application Gateway?

Answer 61

URL Path-based Routing allows routing of requests to different backend pools based on the URL structure of incoming requests.

Question 62

What is Azure Application Gateway’s role in DDoS protection?

Answer 62

Azure Application Gateway can be combined with Azure DDoS Protection for enhanced mitigation of distributed denial-of-service attacks.

Question 63

Is it possible to have TLS traffic passed to the backend?

Answer 63

No, it has to be terminated at the front end first, and it tends to have TLS to the back end from the front end.

Question 64

What is End-to-End TLS Encryption in Azure Application Gateway?

Answer 64

This is where traffic is first terminated at front end and then unencrypted