Plan for application delivery

This section explores key recommendations to deliver internal-facing and external-facing applications in a secure, highly scalable, and highly available way.

Design considerations:

  • Azure Load Balancer (internal and public) provides high availability for application delivery at a regional level.

  • Azure Application Gateway allows the secure delivery of HTTP/S applications at a regional level.

  • Azure Front Door allows the secure delivery of highly available HTTP/S applications across Azure regions.

  • Azure Traffic Manager allows the delivery of global applications.

Design recommendations:

  • Perform application delivery within landing zones for both internal-facing and external-facing applications.

  • For secure delivery of HTTP/S applications, use Application Gateway v2 and ensure that WAF protection and policies are enabled.

  • Use a partner NVA if you can't use Application Gateway v2 for the security of HTTP/S applications.

  • Deploy Azure Application Gateway v2 or partner NVAs used for inbound HTTP/S connections within the landing-zone virtual network and with the applications that they're securing.

  • Use a DDoS standard protection plan for all public IP addresses in a landing zone.

  • Use Azure Front Door with WAF policies to deliver and help protect global HTTP/S applications that span Azure regions.

  • When you're using Front Door and Application Gateway to help protect HTTP/S applications, use WAF policies in Front Door. Lock down Application Gateway to receive traffic only from Front Door.

  • Use Traffic Manager to deliver global applications that span protocols other than HTTP/S.