In this blog post series, I walk through different networking application delivery services with features and limitations on each service. To read about the Azure load balancer, please visit the first part of the blog post. In the second part of the networking series, let’s discuss the Azure application gateway, front door, and traffic manager.
- Azure Application Gateway
Features:
- This is a web-based traffic load balancer. This service operates at layer 7 of the OSI model and can perform URL-based routing.
- Azure Application Gateway supports:
- SSL termination
- Host multiple sites & route by URL
- HTTP load balancing
- Cookie-based session affinity
- End-to-end TLS
- SSL termination
- Azure provides public, private, or both options for Application Gateway and supports auto-scaling.
- A Virtual Network with a dedicated subnet is required.
- Integrates with Web Application Firewall (WAF).
- Supports two types of listeners: Basic and multi-site.
- Supports two types of Routing rules: Basic and path-based.
- It supports HTTP to HTTPs re-direction.
- Private IP configuration-only mode is currently in public preview at the time of writing.
- Using Azure PowerShell or the Azure CLI to stop and start Azure Application Gateway. When you stop and start Application Gateway, billing also stops and starts.
- Azure Application Gateway has two Sku (v1 and v2). Microsoft announced the deprecation of Application Gateway V1 SKU (Standard and WAF) on April 28, 2026.
- Application Gateway V2 SKU offers additional features such as autoscaling, availability, zone redundancy, higher performance, faster operations, and improved throughput compared to V1.
Limitations:
- An application gateway is bound to a single regional service and does not support cross-region availability.
2. Azure Traffic Manager
Features:
- This is a DNS-based traffic load balancer. It ensures network traffic is distributed optimally to services across global Azure regions while providing high availability and responsiveness.
- Traffic Manager uses DNS to direct client requests to the most appropriate service endpoint based on a traffic-routing method and the health of the endpoints.
- Traffic Manager provides a range of traffic-routing methods such as priority, weighted, performance, geographic, multi-value, or subnet to distribute traffic.
- Traffic Manager is resilient to failure, including losing an entire Azure region.
- An endpoint is any Internet-facing service hosted inside or outside of Azure.
- Traffic Manager improves application availability and performance.
- Traffic Manager supports external, non-Azure endpoints enabling it to be used with hybrid clouds and on-premises deployments.
Limitations:
- It does not support TLS protocol termination and Path-based routing (application layer).
3. Azure Front Door
Features:
- Its global routing feature for web traffic offers enhanced performance with instant failover and high availability.
- Azure Front Door is Microsoft’s modern cloud Content Delivery Network (CDN) that provides fast, reliable, and secure access between your users and your applications’ static and dynamic web content across the globe.
- Azure Front Door delivers the content using Microsoft’s global edge network with hundreds of global and local points of presence (PoPs) distributed worldwide close to enterprise and consumer end users.
- AFD supports application gateway features (SSL offload, session cookies, path-based, and multiple-site hosting).
- AFD can transform Global/Enterprise customers with high-visibility applications to reach global audiences.
- Integrates with Web Application Firewall (WAF) for Application layer security.
- Detection: This mode does not take any actions based on rules; it simply monitors and logs the request.
- Prevention: This mode takes specific action based on the rules defined, and if a match is found, no other rules are evaluated.
- Custom domain and certificate management
- Global Failover for cross-region availability.
- Azure Front Door provides two SKUs- Standard and Premium tiers were released in March 2022 as the next-generation content delivery network service. The newer tiers combine the capabilities of Azure Front Door (classic), Microsoft CDN (classic), and Web Application Firewall (WAF).
- With features such as Private Link integration, enhanced rules engine, and advanced diagnostics, customers can secure and accelerate their web applications to bring a better experience to their customers.
Limitations:
- The backend pools or Azure resources must have a public IP address or a publicly resolvable DNS hostname.
Summary of limitations for the different networking services:
| Azure Service | OSI layer | Regions | Limitations |
| Azure Application gateway | Layer 7 | Regional Bounded | No cross-region support. |
| Azure Front Door | Layer 7 or HTTP/ HTTPs layer | Global | Needs public IP address as the backend. |
| Azure Traffic Manager | DNS based | Global | Internet-facing endpoints and Path-based routing. |
| Azure Load balancer | Layer 4 | Regional bounded and Global | SSL offload & Cookie session affinity. |
Microsoft Azure provides various options for load-balancing applications. Every customer will have different requirements based on their needs. There is no hard rule to select the services other than the requirements matching. The below load balancing decision tree will be the best starting point.
I hope you enjoyed learning about networking services that scale and protect applications.
Santhosh has over 15 years of experience in the IT organization. Working as a Cloud Infrastructure Architect and has a wide range of expertise in Microsoft technologies, with a specialization in public & private cloud services for enterprise customers. My varied background includes work in cloud computing, virtualization, storage, networks, automation and DevOps.