Optimize Network Security: Master Application Gateway TCP/TLS
Mar 14, 2024 12:56 AM


by HubSite 365 about John Savill's [MVP]

Principal Cloud Solutions Architect


Explore Azure Application Gateway's new TCP/TLS proxy features for Layer 4 load balancing, with John Savill's insights

Key insights


  • Azure Application Gateway now supports Layer 4 (TCP) and TLS proxying, in public preview at the time of the video, in addition to its existing Layer 7 handling of HTTP/S, WebSockets and HTTP/2.
  • Comparison: Azure Load Balancer is a pass-through (the client's connection reaches the backend unchanged), whereas Application Gateway is a terminating proxy: it ends the client's connection at the gateway and opens a separate connection of its own to the backend server.
  • Enhancements include serving HTTP and non-HTTP workloads from a single endpoint, using a custom domain, and backend servers located in Azure or in remote (on-premises) locations.
  • Limitations: WAF does not inspect traffic on TCP/TLS listeners for exploits or vulnerabilities, the backend draining timeout is fixed at 30 seconds, and the client's source IP is not preserved on the connection to the backend.
  • Next steps: configure the TCP/TLS proxy on the Application Gateway; the linked Microsoft Learn page also notes that GitHub Issues is being replaced as its content-feedback channel.

Exploring Azure Application Gateway's New TCP/TLS Capabilities

The addition of TCP and TLS proxying to Azure Application Gateway broadens the service beyond HTTP and HTTPS: the same gateway can now front TCP and TLS workloads, so one gateway can serve a wider set of applications without a second load balancer in front of the non-HTTP ones.


Using one endpoint for both HTTP and non-HTTP workloads simplifies the network layout and reduces the number of public entry points to manage. A custom domain lets clients connect to a name the organisation controls (and certificates are issued for) rather than an Azure-generated one. Support for backends in Azure and on-premises makes hybrid deployments possible without changing the frontend.

The limitations matter for security design: traffic on TLS and TCP listeners is not inspected by WAF, and the backend sees the gateway's address rather than the client's IP. If a workload depends on WAF inspection or on the client address reaching the backend, that has to be weighed against the convenience of a single gateway. As Azure continues to develop the feature, some of these constraints may be lifted.



Read the full article Application Gateway TCP and TLS Flows!



Application Gateway TCP and TLS Flows! When you need non-HTTP TLS features for your load balancing flows like TLS offload, you can now use App Gateway!

The video introduces the load-balancing options, explains what terminating TCP and TLS means, and then walks through the architecture, frontend IP, listener, backend settings and routing rules before summarising the feature. It notes that WAF does not inspect TCP and TLS traffic.

Azure Application Gateway now supports Layer 4 (TCP) and TLS (Transport Layer Security) proxying. The feature, in public preview at the time of the video, adds Layer 4 operation alongside the gateway's existing Layer 7 capabilities.

In the TCP/TLS proxy flow the client opens a connection to the Application Gateway, which terminates it and opens its own connection to a backend server. The video contrasts this with Azure Load Balancer, which passes the client's connection through to the backend unchanged, and discusses which is the better fit for a given flow.
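To make the difference between a pass-through and a terminating load balancer concrete, here is an added example (not from the video, and not Azure code) of a minimal terminating TCP proxy written with Python's standard library. A toy backend and the proxy listen on loopback, and a client sends a payload through the proxy. The backend records the peer address it sees, which is the proxy's outbound socket rather than the client's: this is the "client IP not preserved" limitation in miniature. The mapping to Application Gateway terms in the comments is an analogy only.

```python
import socket
import threading


def _relay(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes from src to dst until src reaches EOF, then half-close dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def serve_backend(listener: socket.socket, seen: dict) -> None:
    """Toy backend pool member: records the peer address it sees, then
    echoes the request upper-cased and closes."""
    conn, peer = listener.accept()
    with conn:
        seen["peer"] = peer  # with a terminating proxy this is the proxy, not the client
        data = b""
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                break
            data += chunk
        conn.sendall(data.upper())


def serve_terminating_proxy(listener: socket.socket, backend_addr, record: dict) -> None:
    """Terminating proxy (the Application Gateway role in this analogy):
    the client's TCP connection ends here, and a second, independent
    connection is opened to the backend from the proxy's own address."""
    client, client_peer = listener.accept()          # "listener" + "frontend IP"
    record["client_peer"] = client_peer
    with client:
        upstream = socket.create_connection(backend_addr)  # "backend settings" + pool
        with upstream:
            record["proxy_source"] = upstream.getsockname()
            t = threading.Thread(target=_relay, args=(client, upstream))
            t.start()
            _relay(upstream, client)  # backend -> client direction
            t.join()


def demo(payload: bytes = b"hello through the gateway") -> dict:
    """Run backend, proxy and client on loopback and report what each side saw."""
    backend_l = socket.socket()
    backend_l.bind(("127.0.0.1", 0))
    backend_l.listen(1)
    proxy_l = socket.socket()
    proxy_l.bind(("127.0.0.1", 0))
    proxy_l.listen(1)

    seen, record = {}, {}
    tb = threading.Thread(target=serve_backend, args=(backend_l, seen))
    tp = threading.Thread(target=serve_terminating_proxy,
                          args=(proxy_l, backend_l.getsockname(), record))
    tb.start()
    tp.start()

    with socket.create_connection(proxy_l.getsockname()) as c:
        record["client_source"] = c.getsockname()
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)   # client done sending; wait for the reply
        reply = b""
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            reply += chunk

    tb.join()
    tp.join()
    backend_l.close()
    proxy_l.close()
    return {
        "reply": reply,
        "client_source": record["client_source"],  # what the proxy saw
        "proxy_source": record["proxy_source"],    # the proxy's outbound socket
        "backend_saw": seen["peer"],               # what the backend saw
    }


if __name__ == "__main__":
    result = demo()
    print("client connected from  :", result["client_source"])
    print("proxy connected from   :", result["proxy_source"])
    print("backend saw peer       :", result["backend_saw"])
```

`backend_saw` equals `proxy_source` and differs from `client_source`: the backend has no TCP-level view of the client, which is why any backend allow-listing or logging keyed on source address must be done at the gateway for TCP/TLS listeners. A pass-through load balancer would instead deliver the client's own source address to the backend.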

Key features include serving HTTP and non-HTTP workloads from a single endpoint, using a custom domain, and backend servers in any location. The feature is also supported on a private-only gateway, so both HTTP and non-HTTP clients can reach backends without the gateway exposing a public endpoint.

The limitations are that a WAF v2 SKU gateway does not inspect TLS or TCP listener traffic (WAF rules apply only to HTTP(S) listeners), the client IP is not preserved toward the backend, and the draining timeout for backend servers is a fixed value.
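The configuration elements the video walks through (listener, backend settings, routing rule) and the limitations just listed can be checked together from a gateway's resource definition. The following Python is an added example, not part of the article or of Microsoft's tooling: it walks the TCP/TLS routing rules of a constructed Application Gateway JSON document and flags, per rule, that WAF inspection and client-IP preservation do not apply, whether a WAF SKU is being paid for on a rule it cannot inspect, and whether a TLS listener offloads to a plaintext TCP backend. The sample document and the property names (`listeners`, `backendSettingsCollection`, `routingRules`, `sku.tier`) follow the ARM schema as assumed here; confirm them against `az network application-gateway show` output before relying on the script.

```python
import json

# Constructed sample of an Application Gateway resource (not a real export).
# Assumed ARM property names: listeners / backendSettingsCollection / routingRules
# are the TCP/TLS counterparts of httpListeners / backendHttpSettingsCollection /
# requestRoutingRules. Resource ids are shortened to their last path segments.
SAMPLE_GATEWAY = json.loads("""
{
  "name": "appgw-demo",
  "properties": {
    "sku": {"name": "WAF_v2", "tier": "WAF_v2"},
    "httpListeners": [
      {"name": "web-https", "properties": {"protocol": "Https"}}
    ],
    "listeners": [
      {"name": "mq-tls", "properties": {"protocol": "Tls",
         "frontendPort": {"id": "/frontendPorts/port-5671"},
         "sslCertificate": {"id": "/sslCertificates/wildcard-example"}}},
      {"name": "db-tcp", "properties": {"protocol": "Tcp",
         "frontendPort": {"id": "/frontendPorts/port-1433"}}}
    ],
    "backendSettingsCollection": [
      {"name": "mq-plain", "properties": {"protocol": "Tcp", "port": 5672, "timeout": 20}},
      {"name": "db-plain", "properties": {"protocol": "Tcp", "port": 1433, "timeout": 20}}
    ],
    "routingRules": [
      {"name": "rule-mq", "properties": {"ruleType": "Basic", "priority": 100,
         "listener": {"id": "/listeners/mq-tls"},
         "backendSettings": {"id": "/backendSettingsCollection/mq-plain"},
         "backendAddressPool": {"id": "/backendAddressPools/mq-pool"}}},
      {"name": "rule-db", "properties": {"ruleType": "Basic", "priority": 110,
         "listener": {"id": "/listeners/db-tcp"},
         "backendSettings": {"id": "/backendSettingsCollection/db-plain"},
         "backendAddressPool": {"id": "/backendAddressPools/db-pool"}}}
    ]
  }
}
""")


def _name_from_id(resource_id: str) -> str:
    """Last path segment of an ARM resource id, e.g. '/listeners/mq-tls' -> 'mq-tls'."""
    return resource_id.rstrip("/").rsplit("/", 1)[-1]


def audit_l4_rules(gateway: dict) -> list:
    """Return one finding row per TCP/TLS routing rule on the gateway."""
    props = gateway["properties"]
    listeners = {l["name"]: l["properties"] for l in props.get("listeners", [])}
    settings = {s["name"]: s["properties"]
                for s in props.get("backendSettingsCollection", [])}
    is_waf_sku = props.get("sku", {}).get("tier", "").upper().startswith("WAF")

    rows = []
    for rule in props.get("routingRules", []):
        rp = rule["properties"]
        lname = _name_from_id(rp["listener"]["id"])
        sname = _name_from_id(rp["backendSettings"]["id"])
        lproto = listeners[lname]["protocol"]
        sproto = settings[sname]["protocol"]
        rows.append({
            "rule": rule["name"],
            "listener": lname,
            "listener_protocol": lproto,
            "backend_settings": sname,
            "backend_protocol": sproto,
            "backend_port": settings[sname]["port"],
            # Hard limits of the TCP/TLS proxy as described in the article:
            "waf_inspected": False,
            "client_ip_preserved": False,
            # A WAF SKU gives no coverage on this rule; note it so nobody assumes otherwise.
            "waf_sku_but_uninspected": is_waf_sku,
            # TLS terminated at the gateway and forwarded in the clear to the pool.
            "tls_offloaded_to_plaintext": lproto == "Tls" and sproto == "Tcp",
            # No TLS anywhere on the path through the gateway.
            "plaintext_end_to_end": lproto == "Tcp" and sproto == "Tcp",
        })
    return rows


if __name__ == "__main__":
    for row in audit_l4_rules(SAMPLE_GATEWAY):
        print(json.dumps(row))
```

The two always-false fields are deliberate: the script exists to surface, next to each rule's name, the properties that a reviewer accustomed to the gateway's HTTP(S) listeners might assume still hold. A real export would be fed in with `az network application-gateway show -g RG -n NAME -o json`.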

For the steps to configure the Application Gateway TCP/TLS proxy, the FAQ, and the upcoming change to the documentation feedback system, the article points readers to the Microsoft Learn documentation.

Understanding Azure Application Gateway's Networking Capabilities

Azure Application Gateway now offers both Layer 4 (TCP and TLS) and Layer 7 (HTTP, HTTPS, WebSockets and HTTP/2) support. That combination covers scenarios from plain web traffic to non-HTTP protocols carried over TLS, with the gateway terminating the client connection and originating its own connection to the backend. Custom domains and backends located anywhere (Azure or on-premises) give flexibility in how a deployment is laid out. The limitations remain: TLS and TCP listener traffic is not inspected by WAF, the client IP is not preserved, and the draining timeout is fixed. Within those constraints, TCP/TLS support extends Application Gateway from a web-only front end to a general terminating load balancer.



People also ask

What protocol does Application Gateway support?

Azure Application Gateway supports HTTP, HTTPS, HTTP/2 and WebSocket at Layer 7, and, with the feature described above (in public preview), TCP and TLS listeners at Layer 4.

How does Application Gateway work?

When a Web Application Firewall (WAF) is enabled on an Application Gateway, the gateway evaluates each incoming HTTP(S) request's headers and body (when present) against the WAF rules to decide whether the request is legitimate or a threat. Requests that pass are forwarded to the configured backend. WAF inspection applies only to HTTP(S) listeners, not to TCP or TLS listeners.

Which two are characteristics of an Azure Application Gateway?

Azure Application Gateway's features include SSL/TLS termination, autoscaling to match demand, zone redundancy for high availability across the availability zones of a region, a static VIP for a predictable entry point, a Web Application Firewall, an Ingress Controller for AKS integration, URL-based routing, and multi-site hosting.

Which OSI layer does Application Gateway route at?

The operability of Azure's Application Gateway extends to the application layer, which corresponds to Layer 7 in the OSI model. This strategic positioning allows Application Gateways to regulate access not merely based on port numbers but also on comprehensive application-specific parameters like permissible HTTP verbs, offering refined control over network traffic.



Tags: Application Gateway, TCP Flows, TLS Flows, Network Security, Web Traffic Management, Load Balancing, Secure Applications, Application Delivery Control