Use two or more Application Gateway instances

Reliability · Application Gateway · Rule · 2020_06 · Important

Application Gateways should use a minimum of two instances.

Description

Application Gateway should use two or more instances to be covered by the Service Level Agreement (SLA).

Running two or more instances allows the Application Gateway to meet high availability requirements and reduce downtime.

When autoscaling is enabled, Application Gateway v2 SKUs:

  • Always include two instances internally within the service, even when minimum capacity is set to 0.
  • Use these internal instances to provide high availability, handle initial traffic load, and scale out the Application Gateway.
  • Can be set to a minimum capacity greater than 2 if you expect sudden traffic spikes or unpredictable traffic patterns.

When manually deploying Application Gateway v2 via the Azure Portal, autoscale is enabled by default.

If manually scaling Application Gateway, specify at least two instances for high availability and to support network traffic based on expected load.

With zero reserved instances, the variable costs are calculated based on actual usage.

Recommendation

Consider using Application Gateway v2 with autoscale enabled, which includes two instances by default. Alternatively, if using manual scaling, specify two or more instances.

Examples

Configure with Bicep

To configure Application Gateways that pass this rule:

  • With v2 and autoscaling enabled:
    • Set the autoscaleConfiguration.minCapacity property to 0 or more.
  • With manual scaling:
    • Set the sku.capacity property to 2 or more.

For example, with v2 and autoscaling enabled:

Azure Bicep snippet
resource appgw 'Microsoft.Network/applicationGateways@2024-07-01' = {
  name: name
  location: location
  zones: [
    '1'
    '2'
    '3'
  ]
  properties: {
    sku: {
      name: 'WAF_v2'
      tier: 'WAF_v2'
    }
    sslPolicy: {
      policyType: 'Custom'
      minProtocolVersion: 'TLSv1_2'
      cipherSuites: [
        'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'
        'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256'
        'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'
        'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
      ]
    }
    autoscaleConfiguration: {
      minCapacity: 0
      maxCapacity: 4
    }
    firewallPolicy: {
      id: waf.id
    }
  }
}

For example, with manual scaling:

Azure Bicep snippet
resource appgw_manual 'Microsoft.Network/applicationGateways@2024-07-01' = {
  name: name
  location: location
  zones: [
    '1'
    '2'
    '3'
  ]
  properties: {
    sku: {
      name: 'WAF_v2'
      tier: 'WAF_v2'
      capacity: 2
    }
    sslPolicy: {
      policyType: 'Custom'
      minProtocolVersion: 'TLSv1_2'
      cipherSuites: [
        'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'
        'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256'
        'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'
        'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
      ]
    }
    firewallPolicy: {
      id: waf.id
    }
  }
}

Configure with Azure Verified Modules

A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:

br/public:avm/res/network/application-gateway:<version>

To use the latest version:

br/public:avm/res/network/application-gateway:0.6.0

Configure with Azure template

To configure Application Gateways that pass this rule:

  • With v2 and autoscaling enabled:
    • Set the autoscaleConfiguration.minCapacity property to 0 or more.
  • With manual scaling:
    • Set the sku.capacity property to 2 or more.

For example, with v2 and autoscaling enabled:

Azure Template snippet
{
  "type": "Microsoft.Network/applicationGateways",
  "apiVersion": "2024-07-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "zones": [
    "1",
    "2",
    "3"
  ],
  "properties": {
    "sku": {
      "name": "WAF_v2",
      "tier": "WAF_v2"
    },
    "sslPolicy": {
      "policyType": "Custom",
      "minProtocolVersion": "TLSv1_2",
      "cipherSuites": [
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
      ]
    },
    "autoscaleConfiguration": {
      "minCapacity": 0,
      "maxCapacity": 4
    },
    "firewallPolicy": {
      "id": "[resourceId('Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies', 'agwwaf')]"
    }
  },
  "dependsOn": [
    "[resourceId('Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies', 'agwwaf')]"
  ]
}

For example, with manual scaling:

Azure Template snippet
{
  "type": "Microsoft.Network/applicationGateways",
  "apiVersion": "2024-07-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "zones": [
    "1",
    "2",
    "3"
  ],
  "properties": {
    "sku": {
      "name": "WAF_v2",
      "tier": "WAF_v2",
      "capacity": 2
    },
    "sslPolicy": {
      "policyType": "Custom",
      "minProtocolVersion": "TLSv1_2",
      "cipherSuites": [
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
      ]
    },
    "firewallPolicy": {
      "id": "[resourceId('Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies', 'agwwaf')]"
    }
  },
  "dependsOn": [
    "[resourceId('Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies', 'agwwaf')]"
  ]
}
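
The two pass conditions above can be checked against an Azure template before deployment. The following is an added example, not part of this page's original content or of the rule's own implementation: the function names, the `unresolved` status for template expressions, and the sample template are assumptions made for illustration.

```python
import json

APPGW_TYPE = "microsoft.network/applicationgateways"

def check_gateway(resource):
    """Classify one gateway resource as 'pass', 'fail' or 'unresolved'."""
    props = resource.get("properties", {})
    sku = props.get("sku", {})
    autoscale = props.get("autoscaleConfiguration")
    if autoscale is not None:
        # Autoscale path: v2 SKU required, minCapacity of 0 or more passes.
        if not str(sku.get("tier", "")).lower().endswith("_v2"):
            return "fail"
        raw, minimum = autoscale.get("minCapacity"), 0
    else:
        # Manual scaling path: sku.capacity must be 2 or more.
        raw, minimum = sku.get("capacity"), 2
    if isinstance(raw, str) and raw.startswith("["):
        # Template expression such as "[parameters('capacity')]": the value
        # is only known at deployment, so flag it for review.
        return "unresolved"
    if isinstance(raw, bool) or not isinstance(raw, int):
        return "fail"
    return "pass" if raw >= minimum else "fail"

def scan_template(template_text):
    """Map each Application Gateway name in an ARM template to its status."""
    resources = json.loads(template_text).get("resources", [])
    return {
        r.get("name"): check_gateway(r)
        for r in resources
        if str(r.get("type", "")).lower() == APPGW_TYPE
    }

# Constructed sample template (names and values are illustrative).
SAMPLE = json.dumps({"resources": [
    {"type": "Microsoft.Network/applicationGateways", "name": "agw-auto",
     "properties": {"sku": {"name": "WAF_v2", "tier": "WAF_v2"},
                    "autoscaleConfiguration": {"minCapacity": 0, "maxCapacity": 4}}},
    {"type": "Microsoft.Network/applicationGateways", "name": "agw-single",
     "properties": {"sku": {"name": "WAF_v2", "tier": "WAF_v2", "capacity": 1}}},
    {"type": "Microsoft.Network/applicationGateways", "name": "agw-param",
     "properties": {"sku": {"name": "WAF_v2", "tier": "WAF_v2",
                            "capacity": "[parameters('capacity')]"}}},
    {"type": "Microsoft.Network/virtualNetworks", "name": "vnet", "properties": {}},
]})

if __name__ == "__main__":
    for name, status in scan_template(SAMPLE).items():
        print(f"{name}: {status}")
```

A gateway reported as `unresolved` takes its capacity from a parameter, so the parameter file or deployment inputs need the same check.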
