Create, start, or delete an application gateway by using Azure Resource Manager

Azure Application Gateway is a layer-7 load balancer. It provides failover and performance-routing HTTP requests between different servers, whether they are on the cloud or on-premises. Application Gateway provides many application delivery controller (ADC) features including HTTP load balancing, cookie-based session affinity, Secure Sockets Layer (SSL) offload, custom health probes, support for multi-site, and many others. To find a complete list of supported features, visit Application Gateway overview.

This article walks you through the steps to create, configure, start, and delete an application gateway.


Before you work with Azure resources, it is important to understand that Azure currently has two deployment models: Resource Manager and classic. Make sure that you understand deployment models and tools before working with any Azure resource. You can view the documentation for different tools by clicking the tabs at the top of this article. This document covers creating an application gateway by using Azure Resource Manager. To use the classic version, go to Create an application gateway classic deployment by using PowerShell.

Before you begin

  1. Install the latest version of the Azure PowerShell cmdlets by using the Web Platform Installer. You can download and install the latest version from the Windows PowerShell section of the Downloads page.
  2. If you have an existing virtual network, either select an existing empty subnet or create a subnet in your existing virtual network solely for use by the application gateway. You cannot deploy the application gateway to a different virtual network than the resources you intend to deploy behind the application gateway.
  3. The servers that you configure to use the application gateway must exist or have their endpoints created either in the virtual network or with a public IP/VIP assigned.

What is required to create an application gateway?

  • Backend server pool: The list of IP addresses, FQDNs, or NICs of the backend servers. If IP addresses are used, they should either belong to the virtual network subnet or should be a public IP/VIP.
  • Backend server pool settings: Every pool has settings like port, protocol, and cookie-based affinity. These settings are tied to a pool and are applied to all servers within the pool.
  • frontend port: This port is the public port that is opened on the application gateway. Traffic hits this port, and then gets redirected to one of the backend servers.
  • Listener: The listener has a frontend port, a protocol (Http or Https, these values are case-sensitive), and the SSL certificate name (if configuring SSL offload).
  • Rule: The rule binds the listener, the backend server pool and defines which backend server pool the traffic should be directed to when it hits a particular listener.

Create a resource group for Resource Manager

Make sure that you are using the latest version of Azure PowerShell. More info is available at Using Windows PowerShell with Resource Manager.

  1. Log in to Azure and enter your credentials.

  2. Check the subscriptions for the account.

  3. Choose which of your Azure subscriptions to use.

    Select-AzureRmSubscription -Subscriptionid "GUID of subscription"
  4. Create a resource group (skip this step if you're using an existing resource group).

    New-AzureRmResourceGroup -Name ContosoRG -Location "West US"

Azure Resource Manager requires that all resource groups specify a location. This location is used as the default location for resources in that resource group. Make sure that all commands to create an application gateway uses the same resource group.

In the example above, we created a resource group called ContosoRG and location East US.


If you need to configure a custom probe for your application gateway, visit: Create an application gateway with custom probes by using PowerShell. Check out custom probes and health monitoring for more information.

Create the application gateway configuration objects

All configuration items must be set up before creating the application gateway. The following steps create the configuration items that are needed for an application gateway resource.

# Create a subnet and assign the address space of
$subnet = New-AzureRmVirtualNetworkSubnetConfig -Name subnet01 -AddressPrefix

# Create a virtual network with the address space of and add the subnet
$vnet = New-AzureRmVirtualNetwork -Name ContosoVNET -ResourceGroupName ContosoRG -Location "East US" -AddressPrefix -Subnet $subnet

# Retrieve the newly created subnet

# Create a public IP address that is used to connect to the application gateway. Application Gateway does not support custom DNS names on public IP addresses.  If a custom name is required for the public endpoint, a CNAME record should be created to point to the automatically generated DNS name for the public IP address.
$publicip = New-AzureRmPublicIpAddress -ResourceGroupName ContosoRG -name publicIP01 -location "East US" -AllocationMethod Dynamic

# Create a gateway IP configuration. The gateway picks up an IP addressfrom the configured subnet and routes network traffic to the IP addresses in the backend IP pool. Keep in mind that each instance takes one IP address.
$gipconfig = New-AzureRmApplicationGatewayIPConfiguration -Name gatewayIP01 -Subnet $subnet

# Configure a backend pool with the addresses of your web servers. These backend pool members are all validated to be healthy by probes, whether they are basic probes or custom probes.  Traffic is then routed to them when requests come into the application gateway. Backend pools can be used by multiple rules within the application gateway, which means one backend pool could be used for multiple web applications that reside on the same host.
$pool = New-AzureRmApplicationGatewayBackendAddressPool -Name pool01 -BackendIPAddresses,,

# Configure backend http settings to determine the protocol and port that is used when sending traffic to the backend servers. Cookie-based sessions are also determined by the backend HTTP settings.  If enabled, cookie-based session affinity sends traffic to the same backend as previous requests for each packet.
$poolSetting = New-AzureRmApplicationGatewayBackendHttpSettings -Name "besetting01" -Port 80 -Protocol Http -CookieBasedAffinity Disabled -RequestTimeout 120

# Configure a frontend port that is used to connect to the application gateway through the public IP address
$fp = New-AzureRmApplicationGatewayFrontendPort -Name frontendport01  -Port 80

# Configure the frontend IP configuration with the public IP address created earlier.
$fipconfig = New-AzureRmApplicationGatewayFrontendIPConfig -Name fipconfig01 -PublicIPAddress $publicip

# Configure the listener.  The listener is a combination of the front end IP configuration, protocol, and port and is used to receive incoming network traffic. 
$listener = New-AzureRmApplicationGatewayHttpListener -Name listener01 -Protocol Http -FrontendIPConfiguration $fipconfig -FrontendPort $fp

# Configure a basic rule that is used to route traffic to the backend servers. The backend pool settings, listener, and backend pool created in the previous steps make up the rule. Based on the criteria defined traffic is routed to the appropriate backend.
$rule = New-AzureRmApplicationGatewayRequestRoutingRule -Name rule01 -RuleType Basic -BackendHttpSettings $poolSetting -HttpListener $listener -BackendAddressPool $pool

# Configure the SKU for the application gateway, this determines the size and whether or not WAF is used.
$sku = New-AzureRmApplicationGatewaySku -Name Standard_Small -Tier Standard -Capacity 2

# Create the application gateway
$appgw = New-AzureRmApplicationGateway -Name ContosoAppGateway -ResourceGroupName ContosoRG -Location "East US" -BackendAddressPools $pool -BackendHttpSettingsCollection $poolSetting -FrontendIpConfigurations $fipconfig  -GatewayIpConfigurations $gipconfig -FrontendPorts $fp -HttpListeners $listener -RequestRoutingRules $rule -Sku $sku

When complete, retrieve DNS and VIP details of the application gateway from the public IP resource attached to the application gateway.

Get-AzureRmPublicIpAddress -Name publicIP01 -ResourceGroupName ContosoRG

Delete the application gateway

The following example deletes the application gateway.

# Retrieve the application gateway
$gw = Get-AzureRmApplicationGateway -Name ContosoAppGateway -ResourceGroupName ContosoRG

# Stops the application gateway
Stop-AzureRmApplicationGateway -ApplicationGateway $gw

# Once the application gateway is in a stopped state, use the `Remove-AzureRmApplicationGateway` cmdlet to remove the service.
Remove-AzureRmApplicationGateway -Name ContosoAppGateway -ResourceGroupName ContosoRG -Force


The -force switch can be used to suppress the remove confirmation message.

To verify that the service has been removed, you can use the Get-AzureRmApplicationGateway cmdlet. This step is not required.

Get-AzureRmApplicationGateway -Name ContosoAppGateway -ResourceGroupName ContosoRG

Get application gateway DNS name

Once the gateway is created, the next step is to configure the front end for communication. When using a public IP, application gateway requires a dynamically assigned DNS name, which is not friendly. To ensure end users can hit the application gateway, a CNAME record can be used to point to the public endpoint of the application gateway. To do this, retrieve details of the application gateway and its associated IP/DNS name using the PublicIPAddress element attached to the application gateway. This can be done with Azure DNS or other DNS providers, by creating a CNAME record that points to the public IP address. The use of A-records is not recommended since the VIP may change on restart of application gateway.


An IP address is assigned to the application gateway when the service starts.

Get-AzureRmPublicIpAddress -ResourceGroupName ContosoRG -Name publicIP01
Name                     : publicIP01
ResourceGroupName        : ContosoRG
Location                 : westus
Id                       : /subscriptions/<subscription_id>/resourceGroups/ContosoRG/providers/Microsoft.Network/publicIPAddresses/publicIP01
Etag                     : W/"00000d5b-54ed-4907-bae8-99bd5766d0e5"
ResourceGuid             : 00000000-0000-0000-0000-000000000000
ProvisioningState        : Succeeded
Tags                     : 
PublicIpAllocationMethod : Dynamic
IpAddress                :
PublicIpAddressVersion   : IPv4
IdleTimeoutInMinutes     : 4
IpConfiguration          : {
                                "Id": "/subscriptions/<subscription_id>/resourceGroups/ContosoRG/providers/Microsoft.Network/applicationGateways/ContosoAppGateway/frontendIP
DnsSettings              : {
                                "Fqdn": ""

Delete all resources

To delete all resources created in this article, complete the following step:

Remove-AzureRmResourceGroup -Name ContosoRG

Next steps

If you want to configure SSL offload, visit: Configure an application gateway for SSL offload.

If you want to configure an application gateway to use with an internal load balancer, visit: Create an application gateway with an internal load balancer (ILB).

If you want more information about load balancing options in general, visit: