Create an application gateway with an internal load balancer (ILB)
Azure Application Gateway can be configured with an Internet-facing VIP or with an internal endpoint that is not exposed to the Internet, also known as an internal load balancer (ILB) endpoint. Configuring the gateway with an ILB is useful for internal line-of-business applications that are not exposed to the Internet. It's also useful for services and tiers within a multi-tier application that sit in a security boundary that is not exposed to the Internet but still require round-robin load distribution, session stickiness, or Transport Layer Security (TLS), previously known as Secure Sockets Layer (SSL), termination.
This article walks you through the steps to configure an application gateway with an ILB.
Before you begin
This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.
- Install the latest version of the Azure PowerShell module by following the install instructions.
- You create a virtual network and a subnet for Application Gateway. Make sure that no virtual machines or cloud deployments are using the subnet. Application Gateway must be by itself in a virtual network subnet.
- The servers that you configure to use the application gateway must exist or have their endpoints created either in the virtual network or with a public IP/VIP assigned.
What is required to create an application gateway?
- Back-end server pool: The list of IP addresses of the back-end servers. Each IP address should either belong to the virtual network, in a subnet other than the one used by the application gateway, or be a public IP/VIP.
- Back-end server pool settings: Every pool has settings like port, protocol, and cookie-based affinity. These settings are tied to a pool and are applied to all servers within the pool.
- Front-end port: This port is the public port that is opened on the application gateway. Traffic hits this port, and then gets redirected to one of the back-end servers.
- Listener: The listener has a front-end port, a protocol (Http or Https, these are case-sensitive), and the SSL certificate name (if configuring SSL offload).
- Rule: The rule binds the listener and the back-end server pool and defines which back-end server pool the traffic should be directed to when it hits a particular listener. Currently, only the basic rule is supported. The basic rule is round-robin load distribution.
Create an application gateway
The difference between using Azure Classic and Azure Resource Manager is the order in which you create the application gateway and the items that need to be configured. With Resource Manager, all items that make up an application gateway are configured individually and then put together to create the application gateway resource.
Here are the steps that are needed to create an application gateway:
- Create a resource group for Resource Manager
- Create a virtual network and a subnet for the application gateway
- Create an application gateway configuration object
- Create an application gateway resource
Create a resource group for Resource Manager
Make sure that you switch PowerShell mode to use the Azure Resource Manager cmdlets. More info is available at Using Windows PowerShell with Resource Manager.
Check the subscriptions for the account.
You are prompted to authenticate with your credentials.
Choose which of your Azure subscriptions to use.
Select-AzSubscription -Subscriptionid "GUID of subscription"
Create a new resource group (skip this step if you're using an existing resource group).
New-AzResourceGroup -Name appgw-rg -location "West US"
Azure Resource Manager requires that all resource groups specify a location. This location is used as the default location for resources in that resource group. Make sure that all commands to create an application gateway use the same resource group.
In the preceding example, we created a resource group called "appgw-rg" and location "West US".
Create a virtual network and a subnet for the application gateway
The following example shows how to create a virtual network by using Resource Manager:
$subnetconfig = New-AzVirtualNetworkSubnetConfig -Name subnet01 -AddressPrefix 10.0.0.0/24
This step assigns the address range 10.0.0.0/24 to a subnet variable to be used to create a virtual network.
$vnet = New-AzVirtualNetwork -Name appgwvnet -ResourceGroupName appgw-rg -Location "West US" -AddressPrefix 10.0.0.0/16 -Subnet $subnetconfig
This step creates a virtual network named "appgwvnet" in resource group "appgw-rg" for the West US region using the prefix 10.0.0.0/16 with subnet 10.0.0.0/24.
$subnet = $vnet.subnets
This step assigns the subnet object to variable $subnet for the next steps.
Create an application gateway configuration object
$gipconfig = New-AzApplicationGatewayIPConfiguration -Name gatewayIP01 -Subnet $subnet
This step creates an application gateway IP configuration named "gatewayIP01". When Application Gateway starts, it picks up an IP address from the configured subnet and routes network traffic to the IP addresses in the back-end IP pool. Keep in mind that each instance takes one IP address.
$pool = New-AzApplicationGatewayBackendAddressPool -Name pool01 -BackendIPAddresses 10.1.1.8,10.1.1.9,10.1.1.10
This step configures the back-end IP address pool named "pool01" with IP addresses "10.1.1.8, 10.1.1.9, 10.1.1.10". Those are the IP addresses that receive the network traffic that comes from the front-end IP endpoint. Replace the preceding IP addresses with your own application IP address endpoints.
$poolSetting = New-AzApplicationGatewayBackendHttpSettings -Name poolsetting01 -Port 80 -Protocol Http -CookieBasedAffinity Disabled
This step configures application gateway setting "poolsetting01" for the load balanced network traffic in the back-end pool.
$fp = New-AzApplicationGatewayFrontendPort -Name frontendport01 -Port 80
This step configures the front-end IP port named "frontendport01" for the ILB.
$fipconfig = New-AzApplicationGatewayFrontendIPConfig -Name fipconfig01 -Subnet $subnet
This step creates the front-end IP configuration called "fipconfig01" and associates it with a private IP from the current virtual network subnet.
$listener = New-AzApplicationGatewayHttpListener -Name listener01 -Protocol Http -FrontendIPConfiguration $fipconfig -FrontendPort $fp
This step creates the listener called "listener01" and associates the front-end port to the front-end IP configuration.
$rule = New-AzApplicationGatewayRequestRoutingRule -Name rule01 -RuleType Basic -BackendHttpSettings $poolSetting -HttpListener $listener -BackendAddressPool $pool
This step creates the load balancer routing rule called "rule01" that configures the load balancer behavior.
$sku = New-AzApplicationGatewaySku -Name Standard_Small -Tier Standard -Capacity 2
This step configures the instance size of the application gateway.
The default value for Capacity is 2. For Sku Name, you can choose between Standard_Small, Standard_Medium, and Standard_Large.
Create an application gateway by using New-AzApplicationGateway
$appgw = New-AzApplicationGateway -Name appgwtest -ResourceGroupName appgw-rg -Location "West US" -BackendAddressPools $pool -BackendHttpSettingsCollection $poolSetting -FrontendIpConfigurations $fipconfig -GatewayIpConfigurations $gipconfig -FrontendPorts $fp -HttpListeners $listener -RequestRoutingRules $rule -Sku $sku
This step creates an application gateway with all configuration items from the preceding steps. In the example, the application gateway is called "appgwtest".
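The prerequisites above require that the gateway is reachable only on a private address, that it sits alone in its subnet, and that back-end members are either in the virtual network or public VIPs. The following script checks those properties on a deployed gateway. It is an added example, not code from the original article or the Az module; it assumes an authenticated Az session, the names used above (appgwtest, appgw-rg), and that a subnet's IpConfigurations property lists every IP configuration placed in that subnet (an assumption about the Az.Network object model). With the sample pool addresses from the article (10.1.1.x, outside 10.0.0.0/16) the third check reports those members for review.

```powershell
# Added example, not from the original article. Post-deployment checks that the
# gateway is internal-only and that its subnet and back-end pool match the
# prerequisites stated above. Assumes an authenticated Az session and the names
# used in the article (appgwtest, appgw-rg).

function ConvertTo-IPv4Int {
    # Dotted-quad IPv4 string to a 32-bit value held in a long.
    param([Parameter(Mandatory)] [string] $Address)
    [long] $value = 0
    foreach ($octet in [System.Net.IPAddress]::Parse($Address).GetAddressBytes()) {
        $value = $value * 256 + $octet
    }
    return $value
}

function Test-IPv4InCidr {
    # True when $Address lies inside $Cidr (for example 10.0.0.5 in 10.0.0.0/16).
    param([Parameter(Mandatory)] [string] $Address,
          [Parameter(Mandatory)] [string] $Cidr)
    $parsed = [System.Net.IPAddress]::Parse($Address)
    if ($parsed.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $network, $prefix = $Cidr -split '/'
    # Size of the host part; two addresses match when their network parts agree.
    [long] $hostSpan = [math]::Pow(2, 32 - [int]$prefix)
    $ip   = ConvertTo-IPv4Int $Address
    $base = ConvertTo-IPv4Int $network
    return ([math]::Floor($ip / $hostSpan) -eq [math]::Floor($base / $hostSpan))
}

function Test-InternalAppGateway {
    param([Parameter(Mandatory)] [string] $Name,
          [Parameter(Mandatory)] [string] $ResourceGroupName)

    $gw = Get-AzApplicationGateway -Name $Name -ResourceGroupName $ResourceGroupName
    $findings = @()

    # 1. ILB means every front-end IP configuration is private: no public IP reference.
    foreach ($fip in $gw.FrontendIPConfigurations) {
        if ($fip.PublicIPAddress) {
            $findings += "Front-end '$($fip.Name)' is bound to public IP $($fip.PublicIPAddress.Id)"
        }
        if (-not $fip.PrivateIPAddress) {
            $findings += "Front-end '$($fip.Name)' has no private IP address"
        }
    }

    # 2. The gateway subnet must hold nothing but the gateway. Parse the resource
    #    group, VNet and subnet names from the gateway IP configuration's subnet ID.
    $subnetId = $gw.GatewayIPConfigurations[0].Subnet.Id
    if ($subnetId -match '/resourceGroups/([^/]+)/providers/Microsoft.Network/virtualNetworks/([^/]+)/subnets/([^/]+)$') {
        $vnetRg, $vnetName, $subnetName = $Matches[1], $Matches[2], $Matches[3]
        $vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $vnetRg
        $subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet
        # Assumption: IpConfigurations lists every IP configuration placed in the
        # subnet; anything not owned by an application gateway is a foreign tenant.
        $foreign = @($subnet.IpConfigurations | Where-Object { $_.Id -notmatch '/applicationGateways/' })
        foreach ($cfg in $foreign) {
            $findings += "Subnet '$($subnet.Name)' is shared with $($cfg.Id)"
        }

        # 3. Back-end addresses outside the VNet address space need another path
        #    (peering, VPN) or must be public VIPs; report them for review.
        $prefixes = $vnet.AddressSpace.AddressPrefixes
        foreach ($pool in $gw.BackendAddressPools) {
            foreach ($addr in $pool.BackendAddresses) {
                if (-not $addr.IpAddress) { continue }   # FQDN members are skipped
                $inside = $false
                foreach ($p in $prefixes) {
                    if (Test-IPv4InCidr -Address $addr.IpAddress -Cidr $p) { $inside = $true }
                }
                if (-not $inside) {
                    $findings += "Pool '$($pool.Name)' member $($addr.IpAddress) is outside VNet space $($prefixes -join ', ')"
                }
            }
        }
    }

    [pscustomobject]@{
        Gateway  = $gw.Name
        Internal = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Usage with the names from the article:
Test-InternalAppGateway -Name appgwtest -ResourceGroupName appgw-rg
```

The first check is the one that matters for an ILB deployment: a front-end IP configuration that references a PublicIPAddress would expose the listener to the Internet regardless of how the rest of the gateway is configured. The subnet check guards the "Application Gateway must be by itself in a subnet" prerequisite, which is enforced at deployment time but can be violated later by placing a NIC in the subnet.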
Delete an application gateway
To delete an application gateway, you need to do the following steps in order:
- Use the Stop-AzApplicationGateway cmdlet to stop the gateway.
- Use the Remove-AzApplicationGateway cmdlet to remove the gateway.
- Verify that the gateway has been removed by using the Get-AzApplicationGateway cmdlet.
Get the application gateway object and associate it to a variable "$getgw".
$getgw = Get-AzApplicationGateway -Name appgwtest -ResourceGroupName appgw-rg
Use Stop-AzApplicationGateway to stop the application gateway. This sample shows the Stop-AzApplicationGateway cmdlet on the first line, followed by the output.
Stop-AzApplicationGateway -ApplicationGateway $getgw
VERBOSE: 9:49:34 PM - Begin Operation: Stop-AzureApplicationGateway
VERBOSE: 10:10:06 PM - Completed Operation: Stop-AzureApplicationGateway

Name        HTTP Status Code  Operation ID                          Error
----        ----------------  ------------                          ----
Successful  OK                ce6c6c95-77b4-2118-9d65-e29defadffb8
Once the application gateway is in a stopped state, use the Remove-AzApplicationGateway cmdlet to remove the service.
Remove-AzApplicationGateway -Name appgwtest -ResourceGroupName appgw-rg -Force
VERBOSE: 10:49:34 PM - Begin Operation: Remove-AzureApplicationGateway
VERBOSE: 10:50:36 PM - Completed Operation: Remove-AzureApplicationGateway

Name        HTTP Status Code  Operation ID                          Error
----        ----------------  ------------                          ----
Successful  OK                055f3a96-8681-2094-a304-8d9a11ad8301
The -Force switch can be used to suppress the remove confirmation message.
To verify that the service has been removed, you can use the Get-AzApplicationGateway cmdlet. This step is not required.
Get-AzApplicationGateway -Name appgwtest -ResourceGroupName appgw-rg
VERBOSE: 10:52:46 PM - Begin Operation: Get-AzureApplicationGateway
Get-AzureApplicationGateway : ResourceNotFound: The gateway does not exist.
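The stop, remove, verify sequence above can be wrapped in a function that is safe to run repeatedly and that only reports success once Get-AzApplicationGateway no longer finds the gateway. This is an added example, not code from the original article; it uses the article's names (appgwtest, appgw-rg) and assumes an authenticated Az session.

```powershell
# Added example, not from the original article: tear the gateway down in the
# order the article gives (stop, remove, verify) and return $true only once
# Get-AzApplicationGateway no longer finds it. Names are the article's; an
# authenticated Az session is assumed.
function Remove-InternalAppGateway {
    param([Parameter(Mandatory)] [string] $Name,
          [Parameter(Mandatory)] [string] $ResourceGroupName)

    # Already gone: nothing to stop or remove. -ErrorAction SilentlyContinue turns
    # the ResourceNotFound error shown in the article into a $null result.
    $gw = Get-AzApplicationGateway -Name $Name -ResourceGroupName $ResourceGroupName -ErrorAction SilentlyContinue
    if (-not $gw) { return $true }

    # Only a running gateway needs Stop-AzApplicationGateway first.
    if ($gw.OperationalState -eq 'Running') {
        Stop-AzApplicationGateway -ApplicationGateway $gw | Out-Null
    }

    # -Force suppresses the confirmation prompt, as the article notes.
    Remove-AzApplicationGateway -Name $Name -ResourceGroupName $ResourceGroupName -Force

    # Verify removal rather than trusting the cmdlet's return.
    $remaining = Get-AzApplicationGateway -Name $Name -ResourceGroupName $ResourceGroupName -ErrorAction SilentlyContinue
    return ($null -eq $remaining)
}

# Usage with the names from the article:
Remove-InternalAppGateway -Name appgwtest -ResourceGroupName appgw-rg
```

Checking OperationalState before calling Stop-AzApplicationGateway avoids an error on a gateway that was already stopped, and the final Get call is what makes the return value trustworthy in a cleanup script.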
If you want to configure SSL offload, see Configure an application gateway for SSL offload.
If you want more information about load balancing options in general, see: