Table of Contents
- π― What Youβll Learn
- STEP 1 : π₯οΈ Creating Two Ubuntu Web Servers
- STEP 2:π¦ Implement URL Routing Using Application Gateway
- π‘οΈ Web Application Firewall (WAF)
π― What Youβll Learn
In this blog, we dive deeper into Azure Application Gateway and explore how it can be used as a smart and secure entry point for multiple web applications. By the end of this guide, you will understand how to design real-world traffic routing and protect your applications from common web attacks.
Hereβs what we will be doing:
- Understand what Azure Application Gateway is and why it works at Layer 7 (Application Layer)
- Deploy two Ubuntu virtual machines running Nginx as independent web servers
- One serving video content
- One serving image content
- Configure Network Security Groups (NSG) to allow:
- SSH access for administration
- HTTP access for users
- Create an Application Gateway as the single public entry point
- Implement URL-based routing so that:
/videosβ goes to the video server/imagesβ goes to the image server
- Keep backend servers private and protected, exposing only the gateway to the internet
- Enable Web Application Firewall (WAF) to defend against:
- SQL Injection
- Cross-Site Scripting (XSS)
- Protocol violations and other malicious requests
- Learn the difference between:
- Detection mode β monitor attacks
- Prevention mode β actively block threats
By the end of this blog, you will have a clear, hands-on understanding of how Application Gateway can:
β Route traffic intelligently
β Secure multiple apps with one public IP
β Protect web applications using enterprise-grade WAF
Letβs get started π
STEP 1 : π₯οΈ Creating Two Ubuntu Web Servers
To demonstrate URL-based routing with Application Gateway, we first need two separate web servers. Each server will handle a different type of content, and later the gateway will decide where to send traffic based on the request URL.
π― Goal of This Setup
- Create 2 Ubuntu Virtual Machines in the same subnet
- One VM will serve video pages
- The other VM will serve image pages
- Application Gateway will later route:
/videosβ Video VM/imagesβ Image VM
π‘ We do NOT attach NSG directly to each VM.
Instead, we attach a single NSG to the subnet for centralized control.
π Network & NSG Configuration
While creating the VMs:
- You can assign Public IPs to make SSH access easy for testing
- Skip NSG at VM level (we manage it at subnet level)
Modify NSG Rules
We need two inbound rules:
1οΈβ£ Allow SSH to the VMs
- Destination: Private IPs of the VMs
- Service: SSH (port 22)
- Purpose: Admin access to configure the servers
2οΈβ£ Allow HTTP Traffic
Since these VMs will act as web servers:
- Source: Internet (Service Tag)
- Destination Port: 80 (HTTP)
- Destination: Private IPs of the VMs
This allows users to browse the pages hosted on the servers.
π§° Install Nginx on Both VMs
Now we turn both Ubuntu machines into web servers.
SSH into each VM and run:
sudo apt update
sudo apt install nginx
After installation, Nginx starts serving files from:
/var/www/html
π¬ Configure First VM β Video Web Server
On VM 1, we create content for videos:
cd /var/www/html
sudo chmod 777 /var/www/html
mkdir videos
cd videos
echo "Videos for you" > Default.html
Now this server responds to:
π http://<VM1-Public-IP>/videos/Default.html
and shows:
Videos for you
πΌοΈ Configure Second VM β Image Web Server
On VM 2, repeat the same steps but for images:
cd /var/www/html
sudo chmod 777 /var/www/html
mkdir images
cd images
echo "Images for you" > Default.html
This server is available at:
π http://<VM2-Public-IP>/images/Default.html
and displays:
Images for you
β What We Have Achieved So Far
At this stage:
β Two independent Ubuntu web servers are running
β Both are in the same subnet
β NSG allows SSH and HTTP access
β Each server serves different content
β We can browse them directly using their IPs
But users currently need to remember two different IP addresses β
In the next step, we will:
Use Application Gateway to provide a single entry point and route traffic automatically based on URL π¦
STEP 2:π¦ Implement URL Routing Using Application Gateway
Now that we have two web servers readyβone for videos and one for imagesβitβs time to place Application Gateway in front of them.
The goal is simple:
Users will access a single public IP, and the gateway will decide which VM should handle the request based on the URL.
𧱠Prerequisite β Empty Subnet for Application Gateway
Application Gateway must be deployed in its own dedicated subnet.
It cannot share a subnet with VMs or other resources.
So first ensure:
β A separate subnet exists (e.g., appgw-subnet01)
β No VMs or other services are inside this subnet
π Create Frontend IP
While creating the Application Gateway:
- Add a new Public IP address
- This IP becomes the single entry point for all users
π‘ After this setup, users will no longer connect directly to the web serversβonly to this frontend IP.
𧩠Create Backend Pools
We need two backend pools, one for each server:
- π¬ videoserver β points to Video VM
- πΌοΈ imageserver β points to Image VM
Each pool contains the private IP of the corresponding Ubuntu VM.
π§ Configure Listener
The Listener decides when routing rules should be applied.
We create a listener with:
- Protocol: HTTP
- Port: 80
- Frontend IP: Application Gateway public IP
π Listener = βWait for requests on this IP and port before applying any routing logic.β
π― Configure Backend Targets
Next we connect the listener to a backend pool:
- Select a backend pool (e.g., videoserver)
- Create Backend Settings
- Just provide a name like
settings01
- Just provide a name like
Backend settings define how the gateway communicates with the servers.
π Add Path-Based Routing Rules
This is the heart of the demo π₯.
We click:
π Add multiple targets to create a path-based rule
Then create two paths:
Rule 1 β Videos
- Path:
/videos/* - Target: videoserver
- Backend settings: settings01
Rule 2 β Images
- Path:
/images/* - Target: imageserver
- Backend settings: settings01
π§ Now the gateway can read the URL and decide where to send the request.
π§ͺ Test the Setup
Access the Application Gateway public IP:
π http://<appgw-ip>/videos/Default.html
β‘ Shows βVideos for youβ
π http://<appgw-ip>/images/Default.html
β‘ Shows βImages for youβ
π URL-based routing is working!
π Final Architecture Result
β Only Application Gateway needs a public IP
β Web servers can stay private
β Users access one endpoint
β Traffic is routed intelligently by URL
| URL | Destination |
|---|---|
| /videos | Video VM |
| /images | Image VM |
π‘ What We Achieved
- Implemented Layer 7 routing
- Reduced public exposure
- Centralized traffic control
- Prepared foundation for WAF security
In the next section, we will:
Enable Web Application Firewall (WAF) to protect these applications from real attacks π‘οΈ.
π‘οΈ Web Application Firewall (WAF)
So far, we have used Application Gateway for routing traffic intelligently.
Now we add the most important layer β Web Application Firewall (WAF).
π‘ WAF is enabled and managed directly from the Application Gateway resource, not from the backend VMs or App Service.
WAF protects web applications from common and dangerous attacks such as:
- π SQL Injection
- 𧨠Cross-Site Scripting (XSS)
- π« Protocol violations
- π€ Malicious bots and scanners
Instead of exposing our web servers directly to the internet, WAF acts like a smart shield in front of them.
π Creating a WAF Policy
To enable WAF on the Application Gateway:
- Open the Application Gateway resource
- Go to the Web Application Firewall blade
- Click Create new to create a WAF policy
This policy will be attached to the gateway and will inspect all incoming requests.
π Detection Mode vs Prevention Mode
After the policy is created, its default mode is:
π Detection Mode
- WAF only logs suspicious requests
- Traffic is still allowed to reach the application
- Useful for testing without blocking real users
You can switch to:
π Prevention Mode
- Malicious requests are actively blocked
- Real protection for production environments
π‘ Best Practice
Start with Detection, monitor logs, then move to Prevention.
π¦ Managed Rules
Inside the WAF policy:
- Go to Policy settings β Managed rules
Here you will see a large set of built-in rules provided by Microsoft (based on OWASP standards).
These rules automatically detect:
- SQL injection patterns
- XSS payloads
- Illegal HTTP methods
- Malformed requests
β No need to write complex security logic β WAF handles it for you.
β Adding Custom Rules
Apart from managed rules, we can create our own logic.
From the Custom rules blade:
- Click + Add custom rule
- Define conditions such as:
- Block specific IP addresses
- Allow only certain countries
- Rate-limit requests
- Deny traffic matching patterns
Example:
Block traffic if request comes from a specific IP range β Deny traffic
This gives full control over application security.
π§ What We Achieved
By enabling WAF:
β Application Gateway inspects every request
β Common attacks are detected and blocked
β Security is centralized
β Backend VMs stay protected
π Final Architecture
User β Internet
β‘ Application Gateway + WAF
β‘ URL Routing
β‘ Video / Image Web Servers
Our web apps are now not just reachable β they are secure and enterprise-ready π.
Leave a Reply