Azure Proactive Resiliency Library v2

applicationGateways

Summary

| Recommendation | Impact | Category | Automation Available | PG Verified |
|---|---|---|---|---|
| Ensure Autoscale feature has been enabled | Medium | Scalability | Yes | Verified |
| Secure all incoming connections with SSL | High | Security | Yes | Verified |
| Enable Web Application Firewall policies | Low | Security | Yes | Verified |
| Migrate to Application Gateway v2 | High | Scalability | Yes | Verified |
| Monitor and Log the configurations and traffic | High | Monitoring and Alerting | No | Verified |
| Use Health Probes to detect backend availability | High | Monitoring and Alerting | Yes | Verified |
| Deploy Application Gateway in a zone-redundant configuration | High | High Availability | Yes | Verified |
| Plan for backend maintenance by using connection draining | Medium | High Availability | Yes | Verified |
| Ensure Application Gateway Subnet is using a /24 subnet mask | High | Other Best Practices | Yes | Verified |

Details


Ensure Autoscale feature has been enabled

Impact:  Medium Category:  Scalability PG Verified:  Verified

APRL GUID:  823b0cff-05c0-2e4e-a1e7-9965e1cfa16f

Description:

Azure Application Gateways v2 are always deployed in a highly available fashion with multiple instances by default. Enabling autoscale ensures the service is not reliant on manual intervention for scaling.

Potential Benefits:

Enhances uptime and enables autoscaling
Learn More:
Application Gateway Autoscaling Zone-Redundant

ARG Query:

// Azure Resource Graph Query
// This query will return all Application Gateways that do not have autoscale enabled or have a min capacity of 1
resources
| where type =~ "microsoft.network/applicationGateways"
| where isnull(properties.autoscaleConfiguration) or properties.autoscaleConfiguration.minCapacity <= 1
| project recommendationId = "823b0cff-05c0-2e4e-a1e7-9965e1cfa16f", name, id, tags, param1 = "autoScaleConfiguration: isNull or MinCapacity <= 1"
| order by id asc




Secure all incoming connections with SSL

Impact:  High Category:  Security PG Verified:  Verified

APRL GUID:  233a7008-71e9-e745-923e-1a1c7a0b92f3

Description:

Secure all incoming connections with HTTPS for production services, using either end-to-end SSL/TLS or SSL/TLS termination at the Application Gateway, to protect against attacks and keep data private and encrypted between browsers and the web server.

Potential Benefits:

Enhanced security and privacy
Learn More:
Application Gateway Security
Application Gateway SSL Overview
Application Gateway SSL Policy Overview
Application Gateway KeyVault Certs
Application Gateway SSL Cert Management

ARG Query:

// Azure Resource Graph Query
// Return every HTTP listener that has no SSL certificate attached, together with the frontend port it listens on
resources
| where type =~ "microsoft.network/applicationGateways"
| mv-expand frontendPorts = properties.frontendPorts
| mv-expand httpListeners = properties.httpListeners
// pair each listener with its own frontend port; without this the two mv-expands form a cross product
| where tostring(frontendPorts.id) =~ tostring(httpListeners.properties.frontendPort.id)
| where isnull(httpListeners.properties.sslCertificate)
| project recommendationId="233a7008-71e9-e745-923e-1a1c7a0b92f3", name, id, tags, param1=strcat("frontendPort: ", frontendPorts.properties.port), param2="tls: false"



Enable Web Application Firewall policies

Impact:  Low Category:  Security PG Verified:  Verified

APRL GUID:  8d9223c4-730d-ca47-af88-a9a024c37270

Description:

Use Application Gateway with Web Application Firewall (WAF) in the application's virtual network to safeguard inbound HTTP/S traffic from the internet. WAF offers centralized protection against common exploits through rules based on the OWASP Core Rule Set.

Potential Benefits:

Enhanced security for HTTP/S traffic
Learn More:
Well-Architected Framework Application Gateway Overview
Application Gateway - Web Application Firewall

ARG Query:

// Azure Resource Graph Query
// This query will return all Application Gateways that do not have WAF enabled:
// no WAF policy is attached and the legacy webApplicationFirewallConfiguration is absent or disabled
resources
| where type =~ "microsoft.network/applicationGateways"
| where isnull(properties.firewallPolicy)
| where isnull(properties.webApplicationFirewallConfiguration) or properties.webApplicationFirewallConfiguration.enabled != true
| project recommendationId = "8d9223c4-730d-ca47-af88-a9a024c37270", name, id, tags, param1 = "firewallPolicy: isNull", param2 = "webApplicationFirewallConfiguration: isNull or disabled"
| order by id asc




Migrate to Application Gateway v2

Impact:  High Category:  Scalability PG Verified:  Verified

APRL GUID:  7893f0b3-8622-1d47-beed-4b50a19f7895

Description:

Use Application Gateway v2 for built-in features such as autoscaling, static VIPs and Azure Key Vault integration, which improve traffic management and performance, unless v1 is necessary.

Potential Benefits:

Better performance, autoscaling, more features
Learn More:
Application Gateway Overview V2
Application Gateway Feature Comparison Between V1 and V2
Application Gateway V1 Retirement

ARG Query:

// Azure Resource Graph Query
// Get all Application Gateways, which are using the deprecated V1 SKU
resources
| where type =~ 'microsoft.network/applicationgateways'
| extend tier = properties.sku.tier
| where tier == 'Standard' or tier == 'WAF'
| project recommendationId = "7893f0b3-8622-1d47-beed-4b50a19f7895", name, id, tags



Monitor and Log the configurations and traffic

Impact:  High Category:  Monitoring and Alerting PG Verified:  Verified

APRL GUID:  5d035919-898d-a047-8d5d-454e199692e5

Description:

Enable logging to storage accounts, Log Analytics and monitoring services for auditing and insight. If NSGs are in use, enable and store NSG flow logs to get in-depth analysis of the traffic into Azure.

Potential Benefits:

Enhanced traffic insight and audit
Learn More:
Application Gateway Metrics
Application Gateway Diagnostics

ARG Query:

// cannot-be-validated-with-arg



Use Health Probes to detect backend availability

Impact:  High Category:  Monitoring and Alerting PG Verified:  Verified

APRL GUID:  847a8d88-21c4-bc48-a94e-562206edd767

Description:

Custom health probes give a clearer picture of backend availability and make it easier to monitor backend services for any impact.

Potential Benefits:

Ensures backend uptime monitoring.
Learn More:
Application Gateway Probe Overview
Well-Architected Framework Application Gateway Overview

ARG Query:

// Azure Resource Graph Query
// Application Gateways are not using health probes to monitor the availability of the backend systems
resources
| where type =~ "microsoft.network/applicationGateways"
// an absent probes array is null, and array_length(null) == 0 is not true, so test both cases
| where isnull(properties.probes) or array_length(properties.probes) == 0
| project recommendationId="847a8d88-21c4-bc48-a94e-562206edd767", name, id, tags, param1="customHealthProbeUsed: false"



Deploy Application Gateway in a zone-redundant configuration

Impact:  High Category:  High Availability PG Verified:  Verified

APRL GUID:  c9c00f2a-3888-714b-a72b-b4c9e8fcffb2

Description:

Deploying Application Gateway in a zone-aware configuration ensures continued customer access to services even if a specific zone goes down, as services in other zones remain available.

Potential Benefits:

Enhanced uptime and customer access
Learn More:
Well-Architected Framework Application Gateway Reliability
Application Gateway V2 Overview

ARG Query:

// Azure Resource Graph Query
// list Application Gateways that are not configured to use at least 2 Availability Zones
resources
| where type =~ "microsoft.network/applicationGateways"
| where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3")
| where isnull(zones) or array_length(zones) < 2
| extend zoneValue = iff(isnull(zones), "null", tostring(zones))
| project recommendationId = "c9c00f2a-3888-714b-a72b-b4c9e8fcffb2", name, id, tags, param1="Zones: No Zone or Zonal", param2=strcat("Zones value: ", zoneValue )



Plan for backend maintenance by using connection draining

Impact:  Medium Category:  High Availability PG Verified:  Verified

APRL GUID:  10f02bc6-e2e7-004d-a2c2-f9bf9f16b915

Description:

Connection draining for backend maintenance ensures that backend pool members are removed gracefully during updates or health issues. It is enabled in the Backend Settings and, once a routing rule is created with those settings, applies to all members of the associated backend pool.

Potential Benefits:

Smooth updates, no dropped users
Learn More:
Application Gateway Connection Draining
Application Gateway Connection Draining HTTP Settings

ARG Query:

// Azure Resource Graph Query
// This query will check if connection draining is enabled
resources
| where type =~ "microsoft.network/applicationGateways"
| mv-expand backendHttpSettings = properties.backendHttpSettingsCollection
| extend connectionDrainingEnabled = tobool(backendHttpSettings.properties.connectionDraining.enabled)
// a missing connectionDraining block yields null, and "null != true" is not true, so test for null explicitly
| where isnull(connectionDrainingEnabled) or connectionDrainingEnabled != true
| extend backendSettingsName = backendHttpSettings.name
| project recommendationId = "10f02bc6-e2e7-004d-a2c2-f9bf9f16b915", name, id, tags, param1 = "connectionDraining: Disabled", param2 = strcat("backendSettingsName: ", backendSettingsName)



Ensure Application Gateway Subnet is using a /24 subnet mask

Impact:  High Category:  Other Best Practices PG Verified:  Verified

APRL GUID:  8364fd0a-7c0e-e240-9d95-4bf965aec243

Description:

Application Gateway v2 (Standard_v2 or WAF_v2 SKU) can support up to 125 instances. A /24 subnet isn't mandatory for deployment but is advised to provide enough space for autoscaling and maintenance upgrades.

Potential Benefits:

Allows autoscaling and maintenance
Learn More:
Azure Application Gateway infrastructure configuration | Microsoft Learn

ARG Query:

// Azure Resource Graph Query
// This query will validate that the subnet used by an appGW has a /24 address prefix
resources
| where type =~ 'microsoft.network/applicationGateways'
// lower-case the subnet id: ARM resource ids are case-insensitive, but the join key is not
| extend subnetid = tolower(tostring(properties.gatewayIPConfigurations[0].properties.subnet.id))
| join kind=leftouter (resources
    | where type =~ 'microsoft.network/virtualnetworks'
    | mv-expand properties.subnets
    | extend subnetid = tolower(tostring(properties_subnets.id))
    // a subnet carries either a single addressPrefix or an addressPrefixes array
    | extend addressprefix = tostring(coalesce(properties_subnets.properties.addressPrefix, properties_subnets.properties.addressPrefixes[0]))
    | project subnetid, addressprefix) on subnetid
| where addressprefix !endswith '/24'
| project recommendationId = "8364fd0a-7c0e-e240-9d95-4bf965aec243", name, id, tags, param1 = strcat('AppGW subnet prefix: ', addressprefix)
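As an added example that is not part of APRL, the following Python re-implements the detection logic of the Azure Resource Graph queries on this page (autoscale, TLS on listeners, WAF, v1 SKU, health probes, zone redundancy, connection draining and the /24 subnet) so that it can be run offline against an exported ARM resource document, such as the output of `az network application-gateway show`. The gateway resource and the subnet table it evaluates are constructed samples; the `SUBNETS` dictionary stands in for the virtualNetworks join, and all function names are this example's own. It also handles the edge cases the queries have to get right: an absent `probes` array, backend settings with no `connectionDraining` block at all, listener-to-port matching by id rather than a cross product, and case-insensitive subnet id matching.

```python
"""Offline evaluation of the applicationGateways checks on this page.

Added example, not APRL code: re-implements the Azure Resource Graph checks above
against an ARM-shaped resource document (for example `az network application-gateway
show` output). Every id and value below is constructed for illustration.
"""
from __future__ import annotations

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed
GW = f"{SUB}/resourceGroups/RG-Net/providers/Microsoft.Network/applicationGateways/appgw-sample"
SNET = f"{SUB}/resourceGroups/RG-Net/providers/Microsoft.Network/virtualNetworks/vnet-hub/subnets/snet-appgw"

SAMPLE_GATEWAY: dict = {  # constructed, not a real gateway
    "zones": ["1"],  # zonal, not zone-redundant
    "properties": {
        "sku": {"name": "Standard_v2", "tier": "Standard_v2"},
        "autoscaleConfiguration": {"minCapacity": 1, "maxCapacity": 10},
        "gatewayIPConfigurations": [{"name": "ipcfg", "properties": {"subnet": {"id": SNET}}}],
        "frontendPorts": [
            {"name": "port_80", "id": f"{GW}/frontendPorts/port_80", "properties": {"port": 80}},
            {"name": "port_443", "id": f"{GW}/frontendPorts/port_443", "properties": {"port": 443}},
        ],
        "httpListeners": [
            {"name": "http-listener", "properties": {"protocol": "Http",
             "frontendPort": {"id": f"{GW}/frontendPorts/port_80"}}},
            {"name": "https-listener", "properties": {"protocol": "Https",
             "frontendPort": {"id": f"{GW}/frontendPorts/port_443"},
             "sslCertificate": {"id": f"{GW}/sslCertificates/cert"}}},
        ],
        "backendHttpSettingsCollection": [
            {"name": "settings-drained", "properties": {"connectionDraining": {"enabled": True, "drainTimeoutInSec": 60}}},
            {"name": "settings-default", "properties": {}},  # no connectionDraining block at all
        ],
        # "probes" deliberately absent: the null case the ARG query must handle
    },
}
# Subnet id -> addressPrefix, standing in for the virtualNetworks side of the join.
# Stored lower-case while the gateway references it mixed-case: ARM ids are case-insensitive.
SUBNETS = {SNET.lower(): "10.0.1.0/26"}


def _props(gw: dict) -> dict:
    return gw.get("properties") or {}

def autoscale_missing(gw: dict) -> bool:
    """isnull(autoscaleConfiguration) or minCapacity <= 1."""
    cfg = _props(gw).get("autoscaleConfiguration")
    return cfg is None or (cfg.get("minCapacity") or 0) <= 1

def listeners_without_tls(gw: dict) -> list[str]:
    """'listener:port' for listeners with no sslCertificate; the port is looked up by the
    listener's own frontendPort id instead of cross-joining the two arrays."""
    p = _props(gw)
    ports = {fp["id"].lower(): fp["properties"]["port"] for fp in p.get("frontendPorts") or []}
    found = []
    for lst in p.get("httpListeners") or []:
        lp = lst.get("properties") or {}
        if lp.get("sslCertificate") is None:
            port_id = ((lp.get("frontendPort") or {}).get("id") or "").lower()
            found.append(f"{lst['name']}:{ports.get(port_id, 'unknown')}")
    return found

def waf_missing(gw: dict) -> bool:
    """No WAF policy attached and legacy WAF configuration absent or disabled."""
    p = _props(gw)
    legacy = p.get("webApplicationFirewallConfiguration") or {}
    return p.get("firewallPolicy") is None and legacy.get("enabled") is not True

def is_v1_sku(gw: dict) -> bool:
    return (_props(gw).get("sku") or {}).get("tier") in ("Standard", "WAF")

def probes_missing(gw: dict) -> bool:
    return not _props(gw).get("probes")  # an absent array counts the same as an empty one

def not_zone_redundant(gw: dict) -> bool:
    return len(gw.get("zones") or []) < 2

def settings_without_draining(gw: dict) -> list[str]:
    """Backend settings whose connectionDraining is absent or not enabled."""
    return [s["name"] for s in _props(gw).get("backendHttpSettingsCollection") or []
            if ((s.get("properties") or {}).get("connectionDraining") or {}).get("enabled") is not True]

def subnet_prefix(gw: dict, subnets: dict) -> str | None:
    """Prefix of the gateway subnet; ids are compared case-insensitively, like the tolower() join."""
    ipcfgs = _props(gw).get("gatewayIPConfigurations") or []
    if not ipcfgs:
        return None
    table = {k.lower(): v for k, v in subnets.items()}
    return table.get(ipcfgs[0]["properties"]["subnet"]["id"].lower())

def subnet_not_slash24(gw: dict, subnets: dict) -> bool:
    prefix = subnet_prefix(gw, subnets)
    return prefix is None or not prefix.endswith("/24")

def evaluate(gw: dict, subnets: dict) -> dict:
    """Run every check; a truthy value is a finding for that recommendation."""
    return {
        "autoscale": autoscale_missing(gw), "tls": listeners_without_tls(gw),
        "waf": waf_missing(gw), "v1_sku": is_v1_sku(gw),
        "health_probes": probes_missing(gw), "zone_redundancy": not_zone_redundant(gw),
        "connection_draining": settings_without_draining(gw),
        "subnet_24": subnet_not_slash24(gw, subnets),
    }

if __name__ == "__main__":
    print(evaluate(SAMPLE_GATEWAY, SUBNETS))
```

Run against the constructed sample, every check except `v1_sku` reports a finding: the http listener on port 80 has no certificate, no WAF policy is attached, `probes` is absent, the gateway sits in a single zone, `settings-default` has no draining block, and the subnet is a /26. Swapping in a real `show` export and a subnet map built from `az network vnet subnet list` gives the same per-recommendation view without a Resource Graph round trip.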