top of page


  • Writer's pictureRoman Guoussev-Donskoi

Azure Application Gateway - Sharing is Good

Below is my personal opinion and is not endorsed in any way by my former, current or any potential future employers :)

Why share Application Gateway?

One reason is cost. As of March 1st, 2019 the lowest monthly price for Application Gateway with Web Application Firewall is ~$110.38 as per This is before taking into the account the traffic cost. If your applications do not generate much traffic there is a good reason to consider them sharing the same Application Gateway

Application Gateway constraints

Azure Application Gateway uses one private and one public IP address on which it listens for traffic. Therefore if several applications share Application Gateway you need ensure your applications can be accessed via the same Application Gateway front-end port.

Multiple Applications sharing one Application Gateway

Following are the options to allow multiple applications to be deployed and share the same port on Azure Application Gateway.

  • Multi-site hosting

  • Path-based routing rules

Multi-site Hosting

Application Gateway configured with multi-site hosting determines the back-end pool that will serve the request received by Application Gateway based on the value of Host header in http request.

To enable multi-site hosting configure multi-site listeners (rather than basic listeners) on application gateway. Essentially specify host that every listener will serve. PowerShell snippet is below.

Add-AzureRmApplicationGatewayHttpListener -ApplicationGateway $AppGW -Name $appGwHttpsListenerName -Protocol Https -FrontendIPConfiguration $AGFEIPConfig ` -FrontendPort $AGFEPort -SslCertificate $AGFECert -HostName $appFQDN

The full example of adding back-end endpoint (Azure App Service or IaaS) with multi-site listener to Application Gateway is available here.

The screenshot of what to expect in Azure portal is shown below.

Limit: Up to 100 websites to one application gateway

Authentication certificates and back-end default SSL binding.

Following is rather important and can be a pain to debug so think it is good to note here.

The default probe gets the public key from the default SSL binding on the back-end's IP address and compares the public key value it receives to the public key value you provide here.

If you are using host headers and Server Name Indication (SNI) on the back end, the retrieved public key might not be the intended site to which traffic flows. If you're in doubt, visit on the back-end servers to confirm which certificate is used for the default SSL binding. Use the public key from that request in this section. If you are using host-headers and SNI on HTTPS bindings and you do not receive a response and certificate from a manual browser request to on the back-end servers, you must set up a default SSL binding on the them. If you do not do so, probes fail and the back end is not whitelisted.

Path-based routing rules

URL Path Based Routing allows you to route traffic to Azure Application Gateway back-end server pools based on URL Paths of the request.

To enable path-based routing configure path-based routing rules in Application Gateway.

The full example of adding back-end endpoints (Azure App Service or IaaS) with path-based routing rule is available here.

Note: this one works for me but is still very much work-in-progress.. so please use at your own risk.

The screenshot of what to expect in Azure portal is shown below.

Note: For Azure applications that are to serve as back-end endpoints for Application Gateway with path-based routing make sure you configure virtual path like below

Now we can test our Application Gateway

1,048 views0 comments

Recent Posts

See All

Query SQL using OpenAI and Langchain

LLMs (such as OpenAI) are good for reasoning but they lack capability interface with outside world. This is where Langchain agents step in: agents provide LLMs with tools to perform actions (for examp


Home: Blog2


Home: GetSubscribers_Widget


Your details were sent successfully!

Home: Contact
bottom of page