Technical Lab: Map requirements to features and capabilities of Azure Application Gateway

Questions

Question 1 — Multiple Choice

An architecture team needs to expose three distinct web applications using a single Azure Application Gateway resource. Each application has its own hostname (app1.contoso.com, app2.contoso.com, app3.contoso.com) and should be routed to a different backend pool.

Which combination of Application Gateway features enables this hostname-based routing?

A) One multi-site listener for each hostname, combined with path-based routing rules pointing to the three backend pools.

B) One basic listener shared between the three hostnames, with priority-based routing rules.

C) One multi-site listener for each hostname, each associated with an independent routing rule pointing to its respective backend pool.

D) Three distinct frontend IP configurations, one per hostname, with basic listeners associated with each one.


Question 2 — Technical Scenario

A developer reports that requests to https://loja.contoso.com/api/pagamentos are being routed to the incorrect backend pool. The Application Gateway is configured as follows:

Listener: loja-https (port 443, hostname: loja.contoso.com)

Rule: loja-rule (type: path-based)
Path: /api/pedidos → pool-pedidos
Path: /api/clientes → pool-clientes
Default backend: pool-estatico

To which backend pool are requests to /api/pagamentos being sent and why?

A) The request is rejected with HTTP 404, as there is no corresponding path configured.

B) The request is forwarded to pool-estatico, as no configured path matches /api/pagamentos and the default backend is triggered.

C) The request is forwarded to pool-pedidos, as Application Gateway applies partial prefix matching between /api/pagamentos and /api/pedidos.

D) The request is blocked by the Application Gateway WAF due to absence of explicit rule.


Question 3 — True or False

Azure Application Gateway with WAF enabled in Detection mode automatically blocks requests identified as malicious, logging the event in diagnostic logs.


Question 4 — Technical Scenario

A company needs to ensure that users from the same session are always forwarded to the same backend instance, as the application stores state locally in memory. The Application Gateway is already deployed with default configurations.

Which adjustment resolves this requirement without changing the application architecture?

A) Enable Connection Draining in the backend pool, configuring a sufficient timeout to preserve active sessions.

B) Enable cookie-based session affinity in the backend pool HTTP settings.

C) Configure a custom health probe with reduced interval to detect failures before the session is interrupted.

D) Change the load balancing algorithm to Least Connections in the backend pool HTTP settings.


Question 5 — Multiple Choice

When comparing the Standard_v2 and WAF_v2 SKUs of Azure Application Gateway, which statement accurately describes a functional difference relevant to the solution design process?

A) Only the WAF_v2 SKU supports autoscaling and availability zones; the Standard_v2 operates with fixed capacity.

B) The Standard_v2 SKU does not support URL path-based routing; this functionality is restricted to WAF_v2.

C) The WAF_v2 SKU includes all Standard_v2 capabilities and adds HTTP/HTTPS traffic inspection against known threats through OWASP rules.

D) The WAF_v2 SKU completely replaces the use of Network Security Groups in the Application Gateway subnet, making them unnecessary.


Answer Key and Explanations

Answer Key — Question 1

Answer: C

Hostname-based routing in Application Gateway is enabled by multi-site listeners, which allow distinguishing requests based on the Host field in the HTTP header. Each hostname requires its own multi-site listener. Associating each listener with an independent routing rule directs traffic to the correct backend pool.

Alternative A represents a common misconception: path-based rules resolve routing by URL path, not by hostname. Combining them with multi-site listeners is not incorrect per se, but it's not the mechanism that differentiates hostnames in this scenario. Alternative D confuses frontend IP configuration (which defines the public or private IP of the gateway) with the ability to distinguish hostnames, which is not its function. Alternative B is technically unfeasible: a basic listener does not inspect the Host field and cannot differentiate multiple hostnames.


Answer Key — Question 2

Answer: B

Application Gateway applies exact prefix matching on configured paths. Since /api/pagamentos does not match any registered path in the rule (/api/pedidos or /api/clientes), the gateway triggers the default backend, which in this case is pool-estatico.

Alternative C represents a critical misconception: Application Gateway does not perform partial or phonetic matching between paths. /api/pagamentos and /api/pedidos share the /api/ prefix, but this does not constitute a valid rule match. Alternative A is wrong because the absence of a corresponding path does not result in HTTP 404 from the gateway; the default backend exists precisely to absorb this traffic. Alternative D confuses default routing behavior with WAF action, which operates on request content, not on the absence of a path rule.


Answer Key — Question 3

Answer: False

In Detection mode, the Application Gateway WAF logs suspicious requests in diagnostic logs but does not block them. Actual blocking only occurs in Prevention mode. This distinction is fundamental in WAF onboarding scenarios, where Detection mode is used to calibrate rules without impacting legitimate traffic. Assuming that Detection mode offers active protection is an operational error with direct security consequences.


Answer Key — Question 4

Answer: B

Cookie-based session affinity instructs Application Gateway to insert a cookie in the first response to the client. In subsequent requests, the gateway reads this cookie and forwards the request to the same backend instance that originally served it, preserving the application's in-memory state.

Alternative A describes Connection Draining, whose purpose is to allow active connections to complete before removing an instance from the pool, not to maintain session affinity. Alternative C describes a health probe, which monitors availability but does not influence which instance a request is sent to. Alternative D is incorrect because Azure Application Gateway does not expose the Least Connections algorithm as a directly configurable option in HTTP settings; the default balancing mechanism is round-robin, and session affinity is the correct mechanism for the described requirement.


Answer Key — Question 5

Answer: C

The WAF_v2 SKU is a functional superset of Standard_v2: all routing, autoscaling, availability zones, and TLS termination capabilities are present in both. The central difference is that WAF_v2 adds the Web Application Firewall, which inspects HTTP/HTTPS traffic based on managed rule sets (such as OWASP CRS) to detect and block known threats like SQL injection and XSS.

Alternative A is factually incorrect: autoscaling and availability zone support are available in both v2 SKUs. Alternative B is false: path-based routing is available in Standard_v2 without any restrictions. Alternative D represents a dangerous misconception in network design: Network Security Groups in the Application Gateway subnet continue to be recommended and necessary for controlling management plane traffic and traffic between resources; the WAF does not replace this layer.
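The points from the Question 3 and Question 5 explanations can be turned into an inventory check: a gateway only blocks when it runs a WAF SKU and its policy is enabled in Prevention mode. The following is an added example, not part of the original lab or Microsoft's tooling; the gateway names, policy names, and resource IDs are constructed, and it assumes one gateway-level policy per gateway, with field names as they appear in Azure CLI JSON output.

```python
"""Classify the effective WAF posture of each Application Gateway (added example)."""

# Constructed prefix for sample resource IDs; not taken from any real subscription.
_PREFIX = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-web"
           "/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/")

# Constructed sample inventory, shaped like the JSON the Azure CLI returns for
# gateways and WAF policies. Only the fields read below are included.
GATEWAYS = [
    {"name": "agw-app1", "sku": {"tier": "Standard_v2"}, "firewallPolicy": None},
    {"name": "agw-loja", "sku": {"tier": "WAF_v2"},
     "firewallPolicy": {"id": _PREFIX + "waf-onboarding"}},
    {"name": "agw-api", "sku": {"tier": "WAF_v2"},
     "firewallPolicy": {"id": _PREFIX.upper() + "WAF-PROD"}},
    {"name": "agw-old", "sku": {"tier": "WAF_v2"}, "firewallPolicy": None},
]
POLICIES = [
    {"id": _PREFIX + "waf-onboarding",
     "policySettings": {"state": "Enabled", "mode": "Detection"}},
    {"id": _PREFIX + "waf-prod",
     "policySettings": {"state": "Enabled", "mode": "Prevention"}},
]


def waf_posture(gateway, policies):
    """Return 'no-waf', 'no-policy', 'disabled', 'log-only' or 'blocking'."""
    tier = gateway.get("sku", {}).get("tier", "")
    if not tier.startswith("WAF"):
        return "no-waf"        # Standard SKU: routing only, no traffic inspection
    ref = (gateway.get("firewallPolicy") or {}).get("id", "")
    # Azure resource IDs are case-insensitive, so compare them lower-cased.
    by_id = {p["id"].lower(): p for p in policies}
    policy = by_id.get(ref.lower())
    if policy is None:
        return "no-policy"     # WAF SKU, but no policy in the inventory: review by hand
    settings = policy.get("policySettings", {})
    if settings.get("state") != "Enabled":
        return "disabled"
    # Detection only logs rule matches; Prevention is the mode that blocks.
    return "blocking" if settings.get("mode") == "Prevention" else "log-only"


def audit(gateways, policies):
    """Map gateway name to posture for every gateway in the inventory."""
    return {g["name"]: waf_posture(g, policies) for g in gateways}


if __name__ == "__main__":
    for name, posture in audit(GATEWAYS, POLICIES).items():
        print(f"{name:10} {posture}{'' if posture == 'blocking' else '  <-- not blocking'}")
```

Any result other than `blocking` means malicious requests still reach the backend, even though a `log-only` gateway will show WAF entries in its diagnostic logs.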