Configure an application gateway for SSL offload by using the classic deployment model

Azure Application Gateway can be configured to terminate the Secure Sockets Layer (SSL) session at the gateway to avoid costly SSL decryption tasks to happen at the web farm. SSL offload also simplifies the front-end server setup and management of the web application.

Before you begin

  1. Install the latest version of the Azure PowerShell cmdlets by using the Web Platform Installer. You can download and install the latest version from the Windows PowerShell section of the Downloads page.
  2. Verify that you have a working virtual network with a valid subnet. Make sure that no virtual machines or cloud deployments are using the subnet. The application gateway must be by itself in a virtual network subnet.
  3. The servers that you configure to use the application gateway must exist or have their endpoints that are created either in the virtual network or with a public IP address or virtual IP address (VIP) assigned.

To configure SSL offload on an application gateway, complete the following steps in the order listed:

  1. Create an application gateway
  2. Upload SSL certificates
  3. Configure the gateway
  4. Set the gateway configuration
  5. Start the gateway
  6. Verify the gateway status

Create an application gateway

To create the gateway, enter the New-AzureApplicationGateway cmdlet, replacing the values with your own. Billing for the gateway does not start at this point. Billing begins in a later step, when the gateway is successfully started.

New-AzureApplicationGateway -Name AppGwTest -VnetName testvnet1 -Subnets @("Subnet-1")

To validate that the gateway was created, you can enter the Get-AzureApplicationGateway cmdlet.

In the sample, Description, InstanceCount, and GatewaySize are optional parameters. The default value for InstanceCount is 2, with a maximum value of 10. The default value for GatewaySize is Medium. Small and Large are other available values. VirtualIPs and DnsName are shown as blank, because the gateway has not started yet. These values are created after the gateway is in the running state.

Get-AzureApplicationGateway AppGwTest

Upload SSL certificates

Enter Add-AzureApplicationGatewaySslCertificate to upload the server certificate in PFX format to the application gateway. The certificate name is a user-chosen name and must be unique within the application gateway. This certificate is referred to by this name in all certificate management operations on the application gateway.

The following sample shows the cmdlet. Replace the values in the sample with your own.

Add-AzureApplicationGatewaySslCertificate  -Name AppGwTest -CertificateName GWCert -Password <password> -CertificateFile <full path to pfx file>

Next, validate the certificate upload. Enter the Get-AzureApplicationGatewayCertificate cmdlet.

The following sample shows the cmdlet on the first line, followed by the output:

Get-AzureApplicationGatewaySslCertificate AppGwTest
VERBOSE: 5:07:54 PM - Begin Operation: Get-AzureApplicationGatewaySslCertificate
VERBOSE: 5:07:55 PM - Completed Operation: Get-AzureApplicationGatewaySslCertificate
Name           : SslCert
SubjectName    :
Thumbprint     : AF5ADD77E160A01A6......EE48D1A
ThumbprintAlgo : sha1RSA
State..........: Provisioned


The certificate password must be between 4 to 12 characters made up of letters or numbers. Special characters are not accepted.

Configure the gateway

An application gateway configuration consists of multiple values. The values can be tied together to construct the configuration.

The values are:

  • Back-end server pool: The list of IP addresses of the back-end servers. The IP addresses listed should belong to the virtual network subnet or should be a public IP or VIP address.
  • Back-end server pool settings: Every pool has settings like port, protocol, and cookie-based affinity. These settings are tied to a pool and are applied to all servers within the pool.
  • Front-end port: This port is the public port that is opened on the application gateway. Traffic hits this port, and then gets redirected to one of the back-end servers.
  • Listener: The listener has a front-end port, a protocol (Http or Https; these values are case-sensitive), and the SSL certificate name (if configuring an SSL offload).
  • Rule: The rule binds the listener and the back-end server pool and defines which back-end server pool to direct the traffic to when it hits a particular listener. Currently, only the basic rule is supported. The basic rule is round-robin load distribution.

Additional configuration notes

For SSL certificates configuration, the protocol in HttpListener should change to Https (case sensitive). Add the SslCert element to HttpListener with the value set to the same name used in the Upload SSL certificates section. The front-end port should be updated to 443.

To enable cookie-based affinity: You can configure an application gateway to ensure that a request from a client session is always directed to the same VM in the web farm. To accomplish this, insert a session cookie that allows the gateway to direct traffic appropriately. To enable cookie-based affinity, set CookieBasedAffinity to Enabled in the BackendHttpSettings element.

You can construct your configuration either by creating a configuration object or by using a configuration XML file. To construct your configuration by using a configuration XML file, enter the following sample:

<?xml version="1.0" encoding="utf-8"?>
<ApplicationGatewayConfiguration xmlns:i="" xmlns="">
    <FrontendIPConfigurations />

Set the gateway configuration

Next, set the application gateway. You can enter the Set-AzureApplicationGatewayConfig cmdlet with either a configuration object or a configuration XML file.

Set-AzureApplicationGatewayConfig -Name AppGwTest -ConfigFile D:\config.xml

Start the gateway

After the gateway has been configured, enter the Start-AzureApplicationGateway cmdlet to start the gateway. Billing for an application gateway begins after the gateway has been successfully started.


The Start-AzureApplicationGateway cmdlet can take 15-20 minutes to finish.

Start-AzureApplicationGateway AppGwTest

Verify the gateway status

Enter the Get-AzureApplicationGateway cmdlet to check the status of the gateway. If Start-AzureApplicationGateway succeeded in the previous step, the State should be Running, and the VirtualIPs and DnsName should have valid entries.

This sample shows an application gateway that is up, running, and ready to take traffic:

Get-AzureApplicationGateway AppGwTest
Name          : AppGwTest2
Description   :
VnetName      : testvnet1
Subnets       : {Subnet-1}
InstanceCount : 2
GatewaySize   : Medium
State         : Running
VirtualIPs    : {}
DnsName       :

Next steps

For more information about load-balancing options in general, see: