For lift & shift of legacy systems, application gateway is very useful as we have different kinds of backends (VMs, service fabric, other PaaS services, etc.). The only missing capability is authentication, so we have to implement and configure authentication in various services, which is a big overhead. Otherwise, we have to give up application gateway but set up Nginx VMs instead.
I have also looked at Azure API Gateway, but it seems to be too specialized for public APIs but our services also service static contents and ever-changing private APIs without swagger definition.236 votes
Thank you for all the votes. We need more feedback on your scenarios. If you would like to get in touch with us for a discussion, please fill this form: https://aka.ms/ApplicationGatewayCohort
Expose Azure blob storage via Application Gateway.
I would like to remove public access for Azure Blob and only make it accessible via virtual network. The Azure Application Gateway will be public facing which does the SSL termination and forwards the request to blob.
This would allow scanning for malicious content via virtual appliances before content is stored in blob.158 votes
We are still under consideration for this feature. In the meanwhile, could you use Azure CDN to accomplish this?
Provide a way to monitor Application Gateway CPU/Memory in order to track load. It's hard to know only based on current access/http errors when the WAF is under heavy preasure and we need to scale it up.150 votes
There is no plan currently to offer these system level metrics for Application Gateway Standard (V1). However, we are planning to offer more observability with our new Autoscaling version (V2) of Application Gateway/WAF. We already offer Capacity Units as a metric which gives you a sense of the traffic load on your Application Gateway. More are planned for V2. Please send in your specific feedback via https://aka.ms/ApplicationGatewayCohort
Application Gateway WAF does not support gzipped content in the request body.76 votes
Thanks for reaching out, can you please share your use case scenario?
When we deploy SSL listener with default settings, ssl configuration in not very secure (although acceptable for some services). Popular checker https://www.ssllabs.com gives just B-rate for this. You can check recommendations for example looking at report for our sample AGW deployed with default settings https://www.ssllabs.com/ssltest/analyze.html?d=tb-ag-dev.textback.io9 votes
Default setting are for backward compatibility. Please use pre-configured SSL policy with the newer policies like AppGwSslPolicy20170401 or AppGwSslPolicy20170401S.
We see 400 errors in Log Analytics. We don't see these connections on the web servers. We think the App gateway is dropping traffic. Support doesnt seem to know why this happens. We don't have enough good information to track these issues. requestQuery_s is blank, MS support cannot tell me what this is, let alone what it means if it is blank.
We need more information.7 votes
requestQuery_s contains the queryString. It might be that these requests did not have querystring in http request. Could you look at requestUri_s field to confirm?
Occasionally we need to take one of the member in the pool for troubleshooting/debugging. This require to bring down the gateway at least 15-30 minutes. If possible to quickly enable/disable the member vm without long downtime.6 votes
Adding/removing backend pool member would not affect live traffic – even while updates are ongoing. Updates on the gateway today are slow and we are working on enhancing this experience. We have a private preview program ongoing currently, for quicker updates and you can sign up for it by emailing me.
Currently, Application Gateway is the only service on Azure that supports offloading certificates for SSL, but Application Gateway can take a long time to provision and update with changes, and is unable to handle the high stress levels imposed by some apps. Application Gateway should be quick to provision and update after configuration changes, and it should be able to handle large numbers of requests per minute (e.g., 6,000 per minute).1 vote
We recently introduced changes which make any updates to Gateway complete in less than a minute. We are also working on reducing provisioning time. Regarding SSL offload performance – you should be able to increase the number of instances to scale out and handle increased load. 6000 new SSL connections per minute is not a lot and should be able to be served by a single Large instance. Please open a support ticket if you are seeing issues with performance at this scale.
- Don't see your idea?