AZ-500 Microsoft Azure Security Technologies Exam
Are you a guardian of your domain? Learn how to leverage your aptitude in security to protect Microsoft Azure technologies, with a goal of earning the Microsoft Certified: Azure Security Engineer Associate certification!
Practice Test
Expert
Plan and implement an Azure Application Gateway
Configure Listeners, Routing and WAF Policies
Azure Application Gateway is a layer-7 (HTTP/HTTPS) load balancer that directs web traffic to backend pools. Listeners accept incoming requests on a frontend IP configuration, port, and protocol: a basic listener takes every request on its port, while a multi-site listener matches on the requested host name (via SNI for HTTPS), so several domains can share one gateway. An HTTP listener handles unencrypted traffic; an HTTPS listener needs a server certificate with its private key, either uploaded as a PFX or referenced from Azure Key Vault, and should be paired with a TLS policy that sets the minimum protocol version and cipher suites the front end will negotiate.
Routing rules define how requests move from a listener to a target (a backend pool plus backend HTTP settings, or a redirect). You can implement:
- Basic routing to link one listener with a single backend pool.
- Path-based routing, where a URL path map inspects the request path (for example /api/*) and sends it to a different pool; paths that match no rule go to the map's default pool and settings.
- Multi-site hosting, where host-name-based listeners serve multiple domains behind the same gateway.
Host names select the listener and URL-path maps select the pool, so the two combine: one listener per site, one path map per site. On the v2 SKU every rule carries a priority; when listeners overlap (a wildcard host next to a specific one), the rule with the lowest priority value wins. A common pattern is a basic rule on the port-80 listener whose target is a permanent redirect to the HTTPS listener, so nothing is ever served in clear text.
SSL/TLS offloading at the gateway terminates the client's TLS session on the front end, which removes the handshake cost from the backends and lets the WAF inspect plaintext. You can still have end-to-end TLS by re-encrypting to the backends with HTTPS backend settings. To manage the listener certificate, integrate with Azure Key Vault by:
- Creating a user-assigned managed identity and attaching it to the gateway.
- Granting that identity permission to read secrets in the vault (the built-in Key Vault Secrets User role under RBAC, or the get permission on secrets under access policies). The gateway retrieves the certificate through its secret identifier, not the certificate endpoint, which is why secret rather than certificate permissions are needed.
- Pointing your HTTPS listener at the versionless secret URI of the certificate, so that a renewed version is picked up automatically. If the vault's firewall is enabled, make sure the gateway can still reach it, for example through a private endpoint in the gateway's virtual network.
For end-to-end TLS the gateway must also trust the backend's certificate. On the v2 SKU upload the issuing root CA as a trusted root certificate and set a backend host name that matches a subject alternative name on the backend certificate; on the v1 SKU upload the backend's public certificate as an authentication certificate. A self-signed backend certificate is its own root, so that is the certificate you upload.
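The three Key Vault steps above, together with the listener, redirect, path map and end-to-end TLS settings from the preceding paragraphs, as one deployable Bicep template. This is an added example, not code from the page or from Microsoft; the resource group, subnet, public IP, vault, certificate name, backend addresses and host names are all assumptions, and the CA data parameter holds the base64 of the private root that signed the backend certificates.

```bicep
// Added example (not from the page): App Gateway v2 with a Key Vault listener certificate,
// HTTP->HTTPS redirect, path-based routing and end-to-end TLS. All names/addresses are assumptions.
param location string = resourceGroup().location
param appGwName string = 'agw-web'
param subnetId string               // dedicated gateway subnet (assumed to exist)
param publicIpId string             // Standard-SKU public IP (assumed to exist)
param keyVaultName string           // vault holding the listener certificate (assumed to exist)
param certName string = 'www-contoso-com'
param backendRootCertBase64 string  // base64 .cer of the private CA that issued the backend certs

var kvSecretsUserRoleId = '4633458b-17de-408a-b874-0445c86b69e6' // built-in "Key Vault Secrets User"
var agwId = resourceId('Microsoft.Network/applicationGateways', appGwName)

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' existing = { name: keyVaultName }

// Step 1: the identity the gateway presents to Key Vault.
resource agwIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: '${appGwName}-id'
  location: location
}

// Step 2: read access on secrets only (the gateway fetches the certificate as a secret).
resource kvAccess 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, agwIdentity.id, kvSecretsUserRoleId)
  scope: kv
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', kvSecretsUserRoleId)
    principalId: agwIdentity.properties.principalId
    principalType: 'ServicePrincipal'
  }
}

resource agw 'Microsoft.Network/applicationGateways@2023-09-01' = {
  name: appGwName
  location: location
  identity: { type: 'UserAssigned', userAssignedIdentities: { '${agwIdentity.id}': {} } }
  dependsOn: [ kvAccess ] // the role must exist before the gateway first pulls the certificate
  properties: {
    sku: { name: 'Standard_v2', tier: 'Standard_v2' }
    autoscaleConfiguration: { minCapacity: 1, maxCapacity: 3 }
    sslPolicy: { policyType: 'Predefined', policyName: 'AppGwSslPolicy20220101S' } // TLS 1.2+, strong ciphers
    gatewayIPConfigurations: [ { name: 'gwip', properties: { subnet: { id: subnetId } } } ]
    frontendIPConfigurations: [ { name: 'fe-pub', properties: { publicIPAddress: { id: publicIpId } } } ]
    frontendPorts: [ { name: 'p80', properties: { port: 80 } }, { name: 'p443', properties: { port: 443 } } ]
    // Step 3: versionless secret URI, so a renewed certificate in Key Vault rolls in automatically.
    sslCertificates: [ { name: 'www-cert', properties: { keyVaultSecretId: 'https://${keyVaultName}${environment().suffixes.keyvaultDns}/secrets/${certName}' } } ]
    // Backends present certificates from a private CA; the gateway validates them against this root.
    trustedRootCertificates: [ { name: 'backend-root', properties: { data: backendRootCertBase64 } } ]
    backendAddressPools: [
      { name: 'web-pool', properties: { backendAddresses: [ { ipAddress: '10.0.2.4' } ] } }
      { name: 'api-pool', properties: { backendAddresses: [ { ipAddress: '10.0.2.5' } ] } }
    ]
    probes: [
      { name: 'https-probe', properties: { protocol: 'Https', path: '/healthz', interval: 30, timeout: 30, unhealthyThreshold: 3, pickHostNameFromBackendHttpSettings: true, match: { statusCodes: [ '200-399' ] } } }
    ]
    backendHttpSettingsCollection: [
      {
        name: 'https-e2e'
        properties: {
          port: 443
          protocol: 'Https'
          hostName: 'app.internal.contoso.com' // must match a SAN on the backend certificate
          trustedRootCertificates: [ { id: '${agwId}/trustedRootCertificates/backend-root' } ]
          probe: { id: '${agwId}/probes/https-probe' }
        }
      }
    ]
    httpListeners: [
      { name: 'http-www', properties: { frontendIPConfiguration: { id: '${agwId}/frontendIPConfigurations/fe-pub' }, frontendPort: { id: '${agwId}/frontendPorts/p80' }, protocol: 'Http', hostName: 'www.contoso.com' } }
      {
        name: 'https-www'
        properties: {
          frontendIPConfiguration: { id: '${agwId}/frontendIPConfigurations/fe-pub' }
          frontendPort: { id: '${agwId}/frontendPorts/p443' }
          protocol: 'Https'
          hostName: 'www.contoso.com'
          requireServerNameIndication: true // multi-site listener: selected by SNI host name
          sslCertificate: { id: '${agwId}/sslCertificates/www-cert' }
        }
      }
    ]
    redirectConfigurations: [
      { name: 'to-https', properties: { redirectType: 'Permanent', targetListener: { id: '${agwId}/httpListeners/https-www' }, includePath: true, includeQueryString: true } }
    ]
    urlPathMaps: [
      {
        name: 'www-paths'
        properties: {
          defaultBackendAddressPool: { id: '${agwId}/backendAddressPools/web-pool' }
          defaultBackendHttpSettings: { id: '${agwId}/backendHttpSettingsCollection/https-e2e' }
          pathRules: [ { name: 'api', properties: { paths: [ '/api/*' ], backendAddressPool: { id: '${agwId}/backendAddressPools/api-pool' }, backendHttpSettings: { id: '${agwId}/backendHttpSettingsCollection/https-e2e' } } } ]
        }
      }
    ]
    requestRoutingRules: [
      { name: 'http-redirect', properties: { ruleType: 'Basic', priority: 10, httpListener: { id: '${agwId}/httpListeners/http-www' }, redirectConfiguration: { id: '${agwId}/redirectConfigurations/to-https' } } }
      { name: 'https-paths', properties: { ruleType: 'PathBasedRouting', priority: 20, httpListener: { id: '${agwId}/httpListeners/https-www' }, urlPathMap: { id: '${agwId}/urlPathMaps/www-paths' } } }
    ]
  }
}
```

Two details worth noticing: the role assignment is on secrets, not certificates, because the gateway reads the PFX through the secret endpoint; and the backend settings carry a host name so that the probe and the TLS validation both check the name the backend certificate was issued for. Deploy with `az deployment group create --template-file` and the parameter values for your environment.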
Web Application Firewall (WAF) on Application Gateway (the WAF_v2 SKU) defends against OWASP Top 10 threat classes such as SQL injection and cross-site scripting with managed rules: an OWASP Core Rule Set version (CRS 3.2 is current; CRS 2.2.9 is retired) or the Microsoft Default Rule Set (DRS 2.1). CRS 3.x and DRS use anomaly scoring, so a request is blocked when the summed scores of matched rules cross a threshold rather than on any single match. In a WAF policy you can:
- Run in Detection mode (log only) while tuning, then switch to Prevention mode (block).
- Enable or disable specific rules or rule groups, and add exclusions for known-good headers, cookies, or parameters instead of turning off whole groups.
- Turn on the bot manager rule set and write custom match or rate-limit rules, which are evaluated before the managed rules.
- Associate one policy at gateway, listener, or path-rule scope, so a central team keeps the rule set consistent while a site can still carry its own overrides.
Custom rule tuning driven by the firewall log reduces false positives while keeping applications safe.
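A WAF policy that exercises each of the options above, as an added example rather than code from the page or from Microsoft: Prevention mode, CRS 3.2 with one rule disabled, a cookie exclusion, the bot manager rule set, and two custom rules (a source-IP restriction on an admin path and a per-client rate limit). The policy name, the admin CIDR and the cookie name are assumptions; note that the schema's match-condition property really is spelled `negationConditon`.

```bicep
// Added example (not from the page): WAF policy in Prevention mode with CRS 3.2, one noisy rule
// disabled, a cookie exclusion, bot protection and two custom rules. Names and CIDRs are assumptions.
param location string = resourceGroup().location
param policyName string = 'waf-web'
param adminSourceCidrs array = [ '203.0.113.0/24' ] // corporate egress range allowed to reach /admin (assumed)

resource waf 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2023-09-01' = {
  name: policyName
  location: location
  properties: {
    policySettings: {
      state: 'Enabled'
      mode: 'Prevention'          // use 'Detection' while tuning, then switch
      requestBodyCheck: true
      maxRequestBodySizeInKb: 128
      fileUploadLimitInMb: 100
    }
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'OWASP'
          ruleSetVersion: '3.2'
          ruleGroupOverrides: [
            {
              ruleGroupName: 'REQUEST-942-APPLICATION-ATTACK-SQLI'
              // 942430 (restricted SQL character count) is a frequent false positive on free-text fields
              rules: [ { ruleId: '942430', state: 'Disabled' } ]
            }
          ]
        }
        { ruleSetType: 'Microsoft_BotManagerRuleSet', ruleSetVersion: '1.0' }
      ]
      // Exclude one opaque session cookie from inspection instead of disabling whole rule groups
      exclusions: [
        { matchVariable: 'RequestCookieNames', selectorMatchOperator: 'Equals', selector: 'session_token' }
      ]
    }
    // Custom rules run before the managed rules, lowest priority value first
    customRules: [
      {
        name: 'BlockAdminFromOutsideCorp'
        priority: 10
        ruleType: 'MatchRule'
        action: 'Block'
        matchConditions: [ // conditions in one rule are ANDed
          { matchVariables: [ { variableName: 'RequestUri' } ], operator: 'BeginsWith', negationConditon: false, matchValues: [ '/admin' ] }
          { matchVariables: [ { variableName: 'RemoteAddr' } ], operator: 'IPMatch', negationConditon: true, matchValues: adminSourceCidrs }
        ]
      }
      {
        name: 'RateLimitPerClient'
        priority: 20
        ruleType: 'RateLimitRule'
        rateLimitDuration: 'OneMin'
        rateLimitThreshold: 300
        groupByUserSession: [ { groupByVariables: [ { variableName: 'ClientAddr' } ] } ]
        action: 'Block'
        matchConditions: [
          { matchVariables: [ { variableName: 'RequestUri' } ], operator: 'BeginsWith', negationConditon: false, matchValues: [ '/' ] }
        ]
      }
    ]
  }
}

output wafPolicyId string = waf.id
```

To attach the policy, set `firewallPolicy: { id: <policy id> }` on a gateway whose SKU is `WAF_v2` (gateway-wide), or set the same property on an individual `httpListeners` entry or `pathRules` entry to scope it to one site or path.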
To keep up with security events, enable a diagnostic setting on the gateway so that its resource logs reach a Log Analytics workspace (or a storage account or event hub). The categories are:
- Access log: one record per request with client IP, host, URI, method, backend status, latency, and the negotiated TLS protocol and cipher; on v2 an error_info field explains failed requests.
- Firewall log: one record per rule match with the rule ID, the action taken (for example Matched or Blocked), and the matched data, which is what you tune exclusions and overrides from.
- Performance log (v1 SKU only): throughput, failed requests, and healthy and unhealthy host counts; on v2 the healthy and unhealthy host count metrics carry the probe results instead.
With the logs in Azure Monitor or Log Analytics you can write KQL queries and scheduled alert rules for unusual patterns, such as one client tripping blocks repeatedly or a surge in 5xx responses from a pool, and react quickly to incidents.
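The diagnostic setting and one alert rule from the paragraph above, as an added example (not code from the page or from Microsoft). It assumes an existing gateway, Log Analytics workspace and action group, whose IDs are passed in; the query runs over the default AzureDiagnostics table, and the threshold of 50 blocks per client per five minutes is an arbitrary starting point.

```bicep
// Added example (not from the page): ship access and firewall logs to Log Analytics and alert when
// one client is blocked by the WAF repeatedly. Gateway, workspace and action group are assumed to exist.
param appGwName string
param workspaceId string      // Log Analytics workspace resource ID
param actionGroupId string    // action group that notifies the on-call engineer
param blockedThreshold int = 50

resource agw 'Microsoft.Network/applicationGateways@2023-09-01' existing = { name: appGwName }

resource diag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'to-log-analytics'
  scope: agw
  properties: {
    workspaceId: workspaceId
    logs: [
      { category: 'ApplicationGatewayAccessLog', enabled: true }
      { category: 'ApplicationGatewayFirewallLog', enabled: true }
      // ApplicationGatewayPerformanceLog exists on v1 only; v2 exposes the same data as metrics
    ]
    metrics: [ { category: 'AllMetrics', enabled: true } ] // includes healthy/unhealthy host counts
  }
}

// Fires when any single client IP accumulates more than blockedThreshold WAF blocks in 5 minutes.
resource wafBurst 'Microsoft.Insights/scheduledQueryRules@2022-06-15' = {
  name: '${appGwName}-waf-blocked-burst'
  location: resourceGroup().location
  properties: {
    displayName: 'WAF: single client blocked repeatedly'
    severity: 2
    enabled: true
    scopes: [ workspaceId ]
    evaluationFrequency: 'PT5M'
    windowSize: 'PT5M'
    criteria: {
      allOf: [
        {
          query: '''
AzureDiagnostics
| where ResourceType == "APPLICATIONGATEWAYS" and Category == "ApplicationGatewayFirewallLog"
| where action_s == "Blocked"
| summarize Blocked = count() by clientIp_s, ruleId_s
| where Blocked > ${blockedThreshold}
'''
          timeAggregation: 'Count'
          operator: 'GreaterThan'
          threshold: 0           // alert as soon as the query returns at least one row
          failingPeriods: { numberOfEvaluationPeriods: 1, minFailingPeriodsToAlert: 1 }
        }
      ]
    }
    actions: { actionGroups: [ actionGroupId ] }
  }
}
```

The same query, run ad hoc in the workspace, is also the starting point for tuning: group by `ruleId_s` and `requestUri_s` instead of client IP and you see which managed rules are firing on legitimate traffic and deserve an exclusion rather than a blanket disable.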
Conclusion
In this section, we covered how listeners accept and secure incoming traffic and how routing rules send requests to the correct backend pools. We also explored SSL/TLS offloading and full end-to-end encryption using certificates stored in Azure Key Vault, emphasizing the role of managed identities.
Finally, we reviewed the Web Application Firewall for protecting against OWASP threats and the importance of continuous monitoring through diagnostic logging and alerts. Together, these features ensure your Azure Application Gateway is both secure and efficient in handling web traffic.