Azure Proactive Resiliency Library v2

applicationGateways

Summary

| Recommendation | Impact | Category | Automation Available | In Azure Advisor |
|---|---|---|---|---|
| Ensure Autoscale feature has been enabled | Medium | Scalability | Yes | Yes |
| Migrate to Application Gateway v2 | High | Scalability | Yes | No |
| Monitor and Log the configurations and traffic | High | Monitoring and Alerting | No | No |
| Use Health Probes to detect backend availability | High | Monitoring and Alerting | Yes | No |
| Deploy Application Gateway in a zone-redundant configuration | High | High Availability | Yes | Yes |
| Plan for backend maintenance by using connection draining | Medium | High Availability | Yes | No |
| Ensure Application Gateway Subnet is using a /24 subnet mask | High | Other Best Practices | Yes | No |

Details


Ensure Autoscale feature has been enabled

Impact:  Medium Category:  Scalability

APRL GUID:  823b0cff-05c0-2e4e-a1e7-9965e1cfa16f

Description:

Application Gateway v2 is always deployed with multiple instances, so the gateway itself is highly available by default. Enabling autoscale makes the instance count follow traffic without manual intervention. The query below also flags gateways whose minimum instance count is 1 or lower, since that leaves no reserved capacity ahead of a load spike.

Potential Benefits:

Enhances uptime and enables autoscaling
Learn More:
Application Gateway Autoscaling Zone-Redundant

ARG Query:


// Azure Resource Graph Query
// Return all Application Gateways that do not have autoscale enabled or whose minimum capacity is 1 or lower
resources
| where type =~ "microsoft.network/applicationGateways"
| where isnull(properties.autoscaleConfiguration) or properties.autoscaleConfiguration.minCapacity <= 1
| project recommendationId = "823b0cff-05c0-2e4e-a1e7-9965e1cfa16f", name, id, tags, param1 = "autoScaleConfiguration: isNull or MinCapacity <= 1"
| order by id asc




Migrate to Application Gateway v2

Impact:  High Category:  Scalability

APRL GUID:  7893f0b3-8622-1d47-beed-4b50a19f7895

Description:

Use Application Gateway v2 (Standard_v2 or WAF_v2 SKU) for built-in features such as autoscaling, static VIPs and Azure Key Vault integration for TLS certificates, which give better traffic management and performance, unless v1 is specifically required.

Potential Benefits:

Better performance, autoscaling, more features
Learn More:
Application Gateway Overview V2

ARG Query:


// Azure Resource Graph Query
// List all Application Gateways that use the deprecated v1 SKU (tier Standard or WAF)
resources
| where type =~ 'microsoft.network/applicationgateways'
| extend tier = tostring(properties.sku.tier)
| where tier in ('Standard', 'WAF')
| project recommendationId = "7893f0b3-8622-1d47-beed-4b50a19f7895", name, id, tags, param1 = strcat("sku.tier: ", tier)



Monitor and Log the configurations and traffic

Impact:  High Category:  Monitoring and Alerting

APRL GUID:  5d035919-898d-a047-8d5d-454e199692e5

Description:

Send the gateway's diagnostic logs (access, performance and WAF firewall logs) and metrics to a Log Analytics workspace, a storage account or another monitoring destination, so that traffic can be audited and configuration or backend problems become visible.

Potential Benefits:

Enhanced traffic insight and audit
Learn More:
Application Gateway Metrics

ARG Query:


// cannot-be-validated-with-arg



Use Health Probes to detect backend availability

Impact:  High Category:  Monitoring and Alerting

APRL GUID:  847a8d88-21c4-bc48-a94e-562206edd767

Description:

Custom health probes let you define the path, host, interval, timeout, unhealthy threshold and accepted status codes used to decide whether a backend member receives traffic. Unhealthy members are taken out of rotation and backend outages become visible in monitoring instead of surfacing as failed client requests.

Potential Benefits:

Ensures backend uptime monitoring.
Learn More:
Application Gateway Probe Overview

ARG Query:


// Azure Resource Graph Query
// List Application Gateways that have no custom health probe monitoring backend availability
resources
| where type =~ "microsoft.network/applicationGateways"
// array_length(null) is null, so an absent probes property must be tested explicitly
| where isnull(properties.probes) or array_length(properties.probes) == 0
| project recommendationId="847a8d88-21c4-bc48-a94e-562206edd767", name, id, tags, param1="customHealthProbeUsed: false"



Deploy Application Gateway in a zone-redundant configuration

Impact:  High Category:  High Availability

APRL GUID:  c9c00f2a-3888-714b-a72b-b4c9e8fcffb2

Description:

Deploying Application Gateway in a zone-redundant configuration (instances spread across at least two availability zones) keeps the service reachable if one zone goes down, because the instances in the remaining zones continue to serve traffic.

Potential Benefits:

Enhanced uptime and customer access
Learn More:
Well-Architected Framework Application Gateway Reliability

ARG Query:


// Azure Resource Graph Query
// List Application Gateways in regions that offer availability zones but are not configured to use at least 2 of them
resources
| where type =~ "microsoft.network/applicationGateways"
| where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3")
| where isnull(zones) or array_length(zones) < 2
| extend zoneValue = iff((isnull(zones)), "null", zones)
| project recommendationId = "c9c00f2a-3888-714b-a72b-b4c9e8fcffb2", name, id, tags, param1="Zones: No Zone or Zonal", param2=strcat("Zones value: ", zoneValue )



Plan for backend maintenance by using connection draining

Impact:  Medium Category:  High Availability

APRL GUID:  10f02bc6-e2e7-004d-a2c2-f9bf9f16b915

Description:

Connection draining lets backend pool members be removed gracefully during maintenance, scale-in or health-probe failures: in-flight requests on a deregistering member are allowed to complete within the configured drain timeout instead of being cut off. It is enabled on a backend setting and applies to every backend pool member that a rule using that setting targets.

Potential Benefits:

Smooth updates, no dropped users
Learn More:
Application Gateway Connection Draining

ARG Query:


// Azure Resource Graph Query
// List backend settings whose connection draining is disabled or not configured at all
resources
| where type =~ "microsoft.network/applicationGateways"
| mv-expand backendHttpSettings = properties.backendHttpSettingsCollection
| extend connectionDrainingEnabled = tobool(backendHttpSettings.properties.connectionDraining.enabled)
// a missing connectionDraining block yields null, and "null != true" evaluates to null, which `where` silently drops
| where isnull(connectionDrainingEnabled) or connectionDrainingEnabled != true
| extend backendSettingsName = tostring(backendHttpSettings.name)
| project recommendationId = "10f02bc6-e2e7-004d-a2c2-f9bf9f16b915", name, id, tags, param1 = "connectionDraining: Disabled", param2 = strcat("backendSettingsName: ", backendSettingsName)
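The autoscale, v1 SKU, health probe, zone and connection draining queries above can also be replayed offline against the JSON that `az graph query` returns, which is handy in a pipeline and makes the null handling explicit (in KQL a comparison against a missing property yields null and the row is dropped, so "absent" and "disabled" have to be tested separately). The following Python is an added example, not APRL project code: the recommendation GUIDs and the region list are copied from this page, the input shape is the assumed `az graph query` output, and the sample gateway document is constructed.

```python
"""Replay the APRL Application Gateway ARG checks offline.

Added example, not APRL project code. Input is one element of the JSON array
that `az graph query -q "resources | where type =~ 'microsoft.network/applicationgateways'" -o json`
returns (assumed shape: top-level id/name/location/zones plus a properties map).
"""
from __future__ import annotations

# Recommendation GUIDs copied from this page.
AUTOSCALE = "823b0cff-05c0-2e4e-a1e7-9965e1cfa16f"
MIGRATE_V2 = "7893f0b3-8622-1d47-beed-4b50a19f7895"
HEALTH_PROBES = "847a8d88-21c4-bc48-a94e-562206edd767"
ZONE_REDUNDANT = "c9c00f2a-3888-714b-a72b-b4c9e8fcffb2"
CONNECTION_DRAINING = "10f02bc6-e2e7-004d-a2c2-f9bf9f16b915"

# Regions with availability zones, as listed in the zone-redundancy query on this page.
ZONE_REGIONS = frozenset("""
australiaeast brazilsouth canadacentral centralindia centralus eastasia eastus
eastus2 francecentral germanywestcentral israelcentral italynorth japaneast
japanwest koreacentral mexicocentral newzealandnorth northeurope norwayeast
polandcentral qatarcentral southafricanorth southcentralus southeastasia
spaincentral swedencentral switzerlandnorth uaenorth uksouth westeurope
westus2 westus3 usgovvirginia chinanorth3
""".split())


def evaluate_gateway(gw: dict) -> list[tuple[str, str]]:
    """Return (recommendationId, detail) for every rule the gateway fails.

    Absent properties count as failures, which is what the KQL intends but
    only gets when the null case is tested explicitly.
    """
    props = gw.get("properties") or {}
    findings: list[tuple[str, str]] = []

    tier = (props.get("sku") or {}).get("tier")
    if tier in ("Standard", "WAF"):
        findings.append((MIGRATE_V2, f"sku.tier: {tier}"))

    autoscale = props.get("autoscaleConfiguration")
    if not autoscale or autoscale.get("minCapacity", 0) <= 1:
        findings.append((AUTOSCALE, "autoScaleConfiguration: isNull or MinCapacity <= 1"))

    # An absent probes property and an empty array both mean no custom probe.
    if not props.get("probes"):
        findings.append((HEALTH_PROBES, "customHealthProbeUsed: false"))

    zones = gw.get("zones") or []
    if (gw.get("location") or "").lower() in ZONE_REGIONS and len(zones) < 2:
        findings.append((ZONE_REDUNDANT, f"Zones value: {zones or 'null'}"))

    for setting in props.get("backendHttpSettingsCollection") or []:
        draining = (setting.get("properties") or {}).get("connectionDraining") or {}
        if draining.get("enabled") is not True:
            findings.append((CONNECTION_DRAINING, f"backendSettingsName: {setting.get('name')}"))

    return findings


# Constructed sample gateway (not a real resource): v2 SKU, autoscale floor of 1,
# no probes, pinned to a single zone, one backend setting without draining.
SAMPLE_GATEWAY = {
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
          "/providers/Microsoft.Network/applicationGateways/agw-demo",
    "name": "agw-demo",
    "location": "eastus",
    "zones": ["1"],
    "properties": {
        "sku": {"name": "Standard_v2", "tier": "Standard_v2"},
        "autoscaleConfiguration": {"minCapacity": 1, "maxCapacity": 10},
        "probes": [],
        "backendHttpSettingsCollection": [
            {"name": "drained", "properties": {"connectionDraining": {"enabled": True, "drainTimeoutInSec": 60}}},
            {"name": "legacy", "properties": {"port": 80}},
        ],
    },
}

if __name__ == "__main__":
    for rec_id, detail in evaluate_gateway(SAMPLE_GATEWAY):
        print(rec_id, detail)
```

Running it on the constructed gateway reports four findings (autoscale floor, no probes, single zone, and the `legacy` backend setting); the v2 SKU check passes and the `drained` setting is not reported.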



Ensure Application Gateway Subnet is using a /24 subnet mask

Impact:  High Category:  Other Best Practices

APRL GUID:  8364fd0a-7c0e-e240-9d95-4bf965aec243

Description:

Application Gateway v2 (Standard_v2 or WAF_v2 SKU) can scale to 125 instances, and each instance consumes a private IP address in the gateway subnet. A /24 subnet isn't mandatory for deployment, but it is recommended so there is room for autoscaling to the maximum instance count and for the extra instances created during maintenance upgrades.

Potential Benefits:

Allows autoscaling and maintenance
Learn More:
Azure Application Gateway infrastructure configuration | Microsoft Learn

ARG Query:


// Azure Resource Graph Query
// Resolve each Application Gateway's subnet in its virtual network and flag any whose address prefix is not a /24

resources
| where type =~ 'microsoft.network/applicationgateways'
| extend subnetid = tolower(tostring(properties.gatewayIPConfigurations[0].properties.subnet.id))
| join kind=leftouter (
    resources
    | where type =~ 'microsoft.network/virtualnetworks'
    | mv-expand subnet = properties.subnets
    | extend subnetid = tolower(tostring(subnet.id))
    // a subnet declares either a single addressPrefix or an addressPrefixes array; read both
    | extend addressprefix = coalesce(tostring(subnet.properties.addressPrefix), tostring(subnet.properties.addressPrefixes[0]))
    | project subnetid, addressprefix
  ) on subnetid
| where addressprefix !endswith '/24'
| project recommendationId = "8364fd0a-7c0e-e240-9d95-4bf965aec243", name, id, tags, param1 = strcat('AppGW subnet prefix: ', addressprefix)
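The query only tests whether the prefix literally ends in `/24`; the sizing argument behind the recommendation is easy to check arithmetically. The Python below is an added example, not APRL project code. Its assumptions are: Azure reserves five addresses in every subnet (the network address, three for platform services and the broadcast address); each v2 instance uses one private IP and a private frontend IP uses one more; the reservation is applied per prefix when a subnet declares several; and the 125-instance ceiling is the one stated on this page. The subnet documents are constructed.

```python
"""Capacity check for an Application Gateway v2 subnet.

Added example, not APRL project code. See the assumptions in the lead-in;
they are repeated on the constants and functions below.
"""
import ipaddress

AZURE_RESERVED_PER_SUBNET = 5   # assumption: first four addresses plus broadcast
MAX_V2_INSTANCES = 125          # maximum instance count stated on this page


def subnet_prefixes(subnet: dict) -> list[str]:
    """Return the prefixes of an ARG/ARM subnet document, singular or plural form."""
    props = subnet.get("properties") or {}
    if props.get("addressPrefix"):
        return [props["addressPrefix"]]
    return list(props.get("addressPrefixes") or [])


def usable_addresses(prefix: str) -> int:
    """Addresses left for gateway instances after Azure's per-subnet reservation."""
    net = ipaddress.ip_network(prefix, strict=False)
    return max(net.num_addresses - AZURE_RESERVED_PER_SUBNET, 0)


def required_addresses(instances: int = MAX_V2_INSTANCES,
                       private_frontend: bool = False,
                       gateways: int = 1) -> int:
    """Addresses that `gateways` gateways sharing the subnet need at full scale.

    Assumption: one IP per instance, plus one per gateway for a private frontend.
    """
    return gateways * (instances + (1 if private_frontend else 0))


def check_subnet(subnet: dict,
                 instances: int = MAX_V2_INSTANCES,
                 private_frontend: bool = False,
                 gateways: int = 1) -> dict:
    """Compare the subnet's usable size with what the gateway(s) need."""
    prefixes = subnet_prefixes(subnet)
    # Assumption: the reservation applies per prefix when several are declared.
    usable = sum(usable_addresses(p) for p in prefixes)
    needed = required_addresses(instances, private_frontend, gateways)
    return {
        "prefixes": prefixes,
        "usable": usable,
        "needed": needed,
        "fits": usable >= needed,
        "is_slash24": any(p.endswith("/24") for p in prefixes),
    }


# Constructed subnet documents (not real resources).
SUBNET_25 = {"name": "snet-agw", "properties": {"addressPrefix": "10.10.1.0/25"}}
SUBNET_24 = {"name": "snet-agw", "properties": {"addressPrefixes": ["10.10.2.0/24"]}}

if __name__ == "__main__":
    for s in (SUBNET_25, SUBNET_24):
        print(check_subnet(s, private_frontend=True))
```

Under these assumptions a /25 leaves 123 usable addresses, which is short of 125 instances plus a private frontend IP, while a /24 leaves 251; that is the arithmetic behind treating /24 as the smallest prefix that supports full autoscale. Pass a smaller `instances` value (the gateway's configured `maxCapacity`) to see whether a smaller subnet that is already deployed is actually at risk.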