
Technical Lab: Identify appropriate use cases for Azure Application Gateway

Questions

Question 1 — Multiple Choice

An architecture team needs to expose three internal web applications to external traffic. Each application runs on a different set of VMs and must be accessed through distinct paths: /app1, /app2, and /app3, all under the same public IP address. Additionally, the security team requires inspection of malicious HTTP traffic before requests reach the backends.

Which combination of Azure Application Gateway functionalities directly addresses these two requirements?

A. Host-based routing with multiple listeners and Network Security Groups (NSGs) on backend subnets

B. URL path-based routing with multiple backend pools and Web Application Firewall (WAF)

C. URL path-based routing with multiple backend pools and Azure Firewall integrated with Application Gateway

D. Multiple listeners with URL redirection and Microsoft Defender for Cloud enabled on the subscription


Question 2 — Technical Scenario

A developer reports that after configuring Azure Application Gateway, HTTPS requests from clients arrive correctly at the gateway, but the backend servers receive only plain HTTP traffic. The team says this is intentional, to simplify certificate management on the backends.

Client --> HTTPS (TLS 1.2) --> Application Gateway --> HTTP --> Backend Pool (VMs)

What is the correct name of the mechanism configured in this scenario and what is the direct risk associated with it?

A. TLS Passthrough — the gateway cannot inspect request content, making WAF ineffective

B. SSL Offloading — traffic between the gateway and backends travels unencrypted, exposing internal data if the network is not trusted

C. End-to-End TLS — the absence of a certificate on the backend causes the gateway to automatically refuse connections

D. Backend SSL Termination — backends require a self-signed certificate installed on the gateway to function


Question 3 — True or False

Azure Application Gateway can be used as a direct replacement for Azure Load Balancer in any scenario, as it operates on layers 4 and 7 of the OSI model simultaneously, offering all Load Balancer balancing capabilities plus application features.


Question 4 — Technical Scenario

An e-commerce company has a site that serves both the main store (loja.contoso.com) and the partner portal (parceiros.contoso.com). Both domains must respond on the same public IP address and be routed to completely distinct backend pools.

The architect proposes the following configuration in Application Gateway:

Listener 1: loja.contoso.com       --> Backend Pool A (store frontend)
Listener 2: parceiros.contoso.com --> Backend Pool B (partner portal)

Which Application Gateway functionality is being applied in this configuration?

A. URL path-based routing, using path-based routing rules to separate domains

B. Custom HTTP header-based routing, inspecting the X-Forwarded-Host header

C. Multi-site routing, using listeners with hostname to direct traffic by domain name

D. URL redirection, converting requests from one domain to another before forwarding to backend


Question 5 — Multiple Choice

An organization needs to ensure that its public web application is protected against attacks such as SQL injection and cross-site scripting (XSS). The solution should be managed with minimal rule maintenance by the internal team.

What is the most suitable approach using Azure Application Gateway?

A. Enable WAF on Application Gateway in Prevention mode with a managed ruleset (OWASP or DRS), leaving rule updates under Microsoft's responsibility

B. Enable WAF on Application Gateway in Detection mode and create custom rules for SQL injection and XSS manually

C. Configure NSGs on the Application Gateway subnet with denial rules for known attack patterns

D. Integrate Application Gateway with Microsoft Sentinel for automatic attack detection and real-time blocking via playbooks


Answer Key and Explanations

Answer Key — Question 1

Answer: B

URL path-based routing lets a single listener distribute requests to different backend pools based on the request's URL path (for example /app1/*, /app2/*, /app3/*), with a default pool for requests that match no path rule. Combined with WAF, which inspects HTTP/HTTPS requests for known attack patterns before they are forwarded to a backend, both requirements are addressed natively by Application Gateway.

  • Alternative A uses NSGs for application-layer inspection, which they cannot do: NSGs filter on source/destination IP addresses, ports and protocols (layers 3 and 4) and never look at HTTP content. Host-based routing also separates traffic by domain name, not by path.
  • Alternative C confuses responsibilities: Azure Firewall is a separate network firewall service, and placing it beside Application Gateway does not replace the gateway's built-in WAF for web application protection.
  • Alternative D uses URL redirection, which sends the client to a different URL rather than distributing requests across backend pools by path; Defender for Cloud provides posture management and alerts, not inline inspection of HTTP requests.

Answer Key — Question 2

Answer: B

The scenario describes SSL offloading (also called SSL or TLS termination): Application Gateway terminates the TLS session with the client, using the certificate on its HTTPS listener, and forwards the request to the backend pool over plain HTTP (a backend setting with protocol HTTP, typically on port 80). The direct risk is that the gateway-to-backend hop is unencrypted. If the backend subnet is not fully trusted or isolated, anyone able to observe that segment sees requests and responses in clear, including credentials, session cookies and other sensitive data.

  • Alternative A describes TLS passthrough, the opposite situation, in which the gateway forwards the encrypted stream without decrypting it. It is true that a WAF cannot inspect what it cannot decrypt, but that is not what the diagram shows, and the HTTP/HTTPS listeners of Application Gateway have no passthrough mode at all: an HTTPS listener always terminates TLS with the gateway's certificate.
  • Alternative C describes end-to-end TLS, in which the gateway re-encrypts and opens a new TLS session to the backend (a backend setting with protocol HTTPS, with a backend certificate the gateway trusts). That keeps the gateway-to-backend hop encrypted and does not match the described behavior.
  • Alternative D invents a term that does not correspond to any Application Gateway feature.
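A quick way to find the offloading pattern in a real gateway is to correlate each routing rule's listener protocol with its backend setting protocol. The script below is an added example written for this page, not Microsoft tooling: it reads a constructed JSON document shaped like the output of `az network application-gateway show` (trimmed to the fields the check needs, with resource IDs abbreviated) and labels every basic rule as SSL offload, end-to-end TLS, or plaintext. Path-based rules keep their backend settings inside urlPathMaps and are deliberately skipped.

```python
import json

# Constructed sample, shaped like `az network application-gateway show` output but trimmed
# to the fields this check needs; resource IDs are abbreviated with "..." (hypothetical names).
SAMPLE_GATEWAY = json.loads("""
{
  "name": "agw-web",
  "httpListeners": [
    {"name": "lst-web",   "protocol": "Https"},
    {"name": "lst-admin", "protocol": "Https"},
    {"name": "lst-plain", "protocol": "Http"}
  ],
  "backendHttpSettingsCollection": [
    {"name": "bhs-http",  "protocol": "Http",  "port": 80},
    {"name": "bhs-https", "protocol": "Https", "port": 443, "hostName": "admin.internal.contoso.com"}
  ],
  "requestRoutingRules": [
    {"name": "rule-web",   "httpListener": {"id": "/subscriptions/.../httpListeners/lst-web"},
     "backendHttpSettings": {"id": "/subscriptions/.../backendHttpSettingsCollection/bhs-http"}},
    {"name": "rule-admin", "httpListener": {"id": "/subscriptions/.../httpListeners/lst-admin"},
     "backendHttpSettings": {"id": "/subscriptions/.../backendHttpSettingsCollection/bhs-https"}},
    {"name": "rule-plain", "httpListener": {"id": "/subscriptions/.../httpListeners/lst-plain"},
     "backendHttpSettings": {"id": "/subscriptions/.../backendHttpSettingsCollection/bhs-http"}}
  ]
}
""")


def _name_from_id(resource_id: str) -> str:
    """Last path segment of an ARM resource ID is the sub-resource name."""
    return resource_id.rstrip("/").rsplit("/", 1)[-1]


def classify_rules(gateway: dict) -> list:
    """Label every basic routing rule by what happens to TLS on each hop.

    Path-based rules reference their backend settings through urlPathMaps and are skipped.
    """
    listeners = {l["name"]: l for l in gateway.get("httpListeners", [])}
    settings = {s["name"]: s for s in gateway.get("backendHttpSettingsCollection", [])}
    rows = []
    for rule in gateway.get("requestRoutingRules", []):
        if "backendHttpSettings" not in rule:
            continue
        listener = listeners[_name_from_id(rule["httpListener"]["id"])]
        bhs = settings[_name_from_id(rule["backendHttpSettings"]["id"])]
        front, back = listener["protocol"], bhs["protocol"]
        if front == "Https" and back == "Http":
            label = "ssl-offload"       # TLS ends at the gateway; backend hop is cleartext
        elif front == "Https" and back == "Https":
            label = "end-to-end-tls"    # gateway re-encrypts towards the backend
        elif front == "Http" and back == "Https":
            label = "backend-only-tls"  # cleartext from the client, TLS only inside the VNet
        else:
            label = "plaintext"         # cleartext on both hops
        rows.append({"rule": rule["name"], "listener": listener["name"],
                     "backend_settings": bhs["name"], "hops": f"{front}->{back}", "label": label})
    return rows


def offloading_findings(gateway: dict) -> list:
    """Names of rules where the client hop is HTTPS but the backend hop is plain HTTP."""
    return [r["rule"] for r in classify_rules(gateway) if r["label"] == "ssl-offload"]


if __name__ == "__main__":
    for row in classify_rules(SAMPLE_GATEWAY):
        print(f'{row["rule"]:<12} {row["hops"]:<14} {row["label"]}')
    print("rules to review:", offloading_findings(SAMPLE_GATEWAY))
```

Feed the real JSON from `az network application-gateway show -g <rg> -n <name>` to `classify_rules` to get the same table for a live gateway; each `ssl-offload` row is a rule whose backend subnet must be trusted, or which should be moved to an HTTPS backend setting.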

Answer Key — Question 3

Answer: False

Application Gateway operates at layer 7 only: it is a reverse proxy for HTTP, HTTPS, HTTP/2 and WebSocket traffic. It does not have the layer 4 capabilities of Azure Load Balancer, which forwards arbitrary TCP/UDP flows based on IP addresses and ports without understanding the application protocol. Scenarios that balance non-HTTP protocols (e.g. SMTP, FTP, database connections or other generic TCP traffic) cannot be addressed by Application Gateway. The two services are complementary and designed for distinct use cases; neither is a drop-in substitute for the other.

Answer Key — Question 4

Answer: C

The functionality used is multi-site routing (multi-site hosting). Each listener is configured with a specific hostname, and Application Gateway uses the hostname of the request to decide which listener, and therefore which routing rule and backend pool, applies. For HTTP the hostname comes from the Host header; for HTTPS listeners it is matched during the TLS handshake through the Server Name Indication (SNI) extension, which is also how the gateway chooses which certificate to present. Several hostname-specific listeners can share one public IP and port this way.

  • Alternative A confuses the two routing types: path-based routing differentiates by URL path (/path), not by domain name.
  • Alternative B describes inspection of custom headers, which is not the mechanism Application Gateway uses for hostname routing; X-Forwarded-Host is a header the gateway adds for the backend's benefit, not one it routes on.
  • Alternative D describes redirection, which sends the client to another URL rather than distributing traffic to distinct backends.
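The two routing decisions explained in Questions 1 and 4, as an added illustrative model written for this page (not Application Gateway's own code): a hostname-specific listener is selected first, then the rule attached to that listener either maps the URL path to a pool or falls back to its default pool. Listener, rule and pool names are hypothetical, the path syntax is reduced to exact paths and `/prefix/*`, and the model checks hostname listeners before the basic catch-all listener; verify the rule priorities of your SKU when several listeners could match the same request.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Listener:
    name: str
    host_names: tuple = ()      # empty => basic listener, accepts any Host header


@dataclass(frozen=True)
class PathRule:
    patterns: tuple             # reduced syntax used by this model: "/exact" or "/prefix/*"
    backend_pool: str


@dataclass(frozen=True)
class RoutingRule:
    listener: str
    default_pool: str           # used when no path pattern matches, or for basic rules
    path_rules: tuple = ()      # non-empty => path-based rule (URL path map)


def path_matches(pattern: str, path: str) -> bool:
    """'/app1/*' matches '/app1/' and everything beneath it; '/health' matches only itself."""
    if pattern.endswith("/*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def select_listener(listeners, host: str) -> Optional[Listener]:
    """Hostname (multi-site) listeners are tried first; the basic listener is the fallback."""
    host = host.split(":", 1)[0].lower()        # drop any port suffix in the Host header
    for listener in listeners:
        if host in tuple(h.lower() for h in listener.host_names):
            return listener
    for listener in listeners:
        if not listener.host_names:
            return listener
    return None


def route(listeners, rules, host: str, path: str) -> Optional[str]:
    """Return the backend pool that would receive the request, or None if nothing matches."""
    listener = select_listener(listeners, host)
    if listener is None:
        return None
    rule = next((r for r in rules if r.listener == listener.name), None)
    if rule is None:
        return None
    for path_rule in rule.path_rules:           # first matching path rule wins in this model
        if any(path_matches(p, path) for p in path_rule.patterns):
            return path_rule.backend_pool
    return rule.default_pool


# Constructed configuration covering both scenarios on one public IP (hypothetical names):
# Question 4 -> two hostname listeners; Question 1 -> a basic listener with a URL path map.
LISTENERS = (
    Listener("lst-loja", ("loja.contoso.com",)),
    Listener("lst-parceiros", ("parceiros.contoso.com",)),
    Listener("lst-apps"),                       # basic listener: anything else arriving on this IP
)
RULES = (
    RoutingRule("lst-loja", default_pool="pool-store"),
    RoutingRule("lst-parceiros", default_pool="pool-partners"),
    RoutingRule(
        "lst-apps",
        default_pool="pool-default",
        path_rules=(
            PathRule(("/app1/*",), "pool-app1"),
            PathRule(("/app2/*",), "pool-app2"),
            PathRule(("/app3/*",), "pool-app3"),
        ),
    ),
)


if __name__ == "__main__":
    for host, path in (("loja.contoso.com", "/carrinho"),
                       ("parceiros.contoso.com", "/app1/x"),    # hostname decides, not the path
                       ("203.0.113.10", "/app2/orders"),
                       ("203.0.113.10", "/")):
        print(f"{host}{path:<16} -> {route(LISTENERS, RULES, host, path)}")
```

Note the second sample: a request for parceiros.contoso.com with path /app1/x still lands in the partner pool, because listener selection by hostname happens before any path rule is consulted. WAF evaluation, when enabled, also runs on the selected listener before the request reaches the backend.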

Answer Key — Question 5

Answer: A

Enabling WAF in Prevention mode with a managed rule set (the OWASP Core Rule Set or the Microsoft Default Rule Set, DRS) combines active blocking of SQL injection and XSS with minimal internal maintenance. Microsoft maintains the managed rule sets and publishes new versions, so the team only has to choose a rule set version and handle the occasional false positive with exclusions, rather than author and tune signatures itself. A common practice is to run a new policy in Detection mode first, review the WAF logs for false positives, and then switch to Prevention.

  • Alternative B uses Detection mode, which only logs matches without blocking them, and hand-written custom rules for SQL injection and XSS are both weaker than the managed signatures and an ongoing maintenance burden.
  • Alternative C uses NSGs, which filter on IP addresses, ports and protocols and cannot identify attack patterns in HTTP payloads.
  • Alternative D mixes responsibilities: Microsoft Sentinel is a SIEM/SOAR tool. Playbooks can automate responses after an alert, but they do not perform inline, real-time inspection of HTTP requests the way WAF does natively.
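How Prevention and Detection mode differ under the anomaly scoring used by the managed rule sets (CRS 3.x and DRS 2.1), as an added, simplified model written for this page rather than the WAF engine itself: every matched rule adds its severity score, and only in Prevention mode is the request blocked once the total reaches the inbound threshold of 5. The three rule IDs are real CRS identifiers, but the regexes, the sample requests and the `evaluate()` function are constructed for illustration and are far cruder than the managed rules.

```python
import re
from dataclasses import dataclass

# Anomaly-scoring constants of the CRS 3.x / DRS 2.1 managed rule sets: each matched rule
# adds its severity score; the request is blocked (Prevention mode only) at the threshold.
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
INBOUND_THRESHOLD = 5


@dataclass(frozen=True)
class Rule:
    rule_id: str
    severity: str
    target: str            # which part of the request the rule inspects: "host" or "args"
    pattern: re.Pattern
    message: str


# Constructed stand-ins for three real CRS rule IDs. The regexes are deliberately crude;
# the managed rules use libinjection and many transformations before matching.
RULES = (
    Rule("942100", "CRITICAL", "args", re.compile(r"'\s*(or|and)\s*'", re.I),
         "SQL Injection Attack Detected via libinjection"),
    Rule("941100", "CRITICAL", "args", re.compile(r"<\s*script\b", re.I),
         "XSS Attack Detected via libinjection"),
    Rule("920350", "WARNING", "host", re.compile(r"^\d{1,3}(\.\d{1,3}){3}$"),
         "Host header is a numeric IP address"),
)


def evaluate(request: dict, mode: str) -> dict:
    """Evaluate one request against RULES and apply the policy mode.

    request: {"host": str, "args": {name: value}}; mode: "Detection" or "Prevention".
    Returns matched rule IDs, the anomaly score, the resulting action and the client status.
    """
    if mode not in ("Detection", "Prevention"):
        raise ValueError(f"unknown WAF mode: {mode}")
    matched, score = [], 0
    for rule in RULES:
        values = [request["host"]] if rule.target == "host" else list(request["args"].values())
        if any(rule.pattern.search(v) for v in values):
            matched.append(rule.rule_id)
            score += SEVERITY_SCORE[rule.severity]
    exceeded = score >= INBOUND_THRESHOLD
    if mode == "Prevention" and exceeded:
        # The WAF log shows the individual matches plus a final "Blocked" entry for rule 949110
        # (inbound anomaly score exceeded); the client receives HTTP 403.
        return {"matched": matched + ["949110"], "score": score, "action": "Blocked", "status": 403}
    if mode == "Detection" and matched:
        # Detection mode logs the matches as "Detected" but forwards the request unchanged.
        return {"matched": matched, "score": score, "action": "Detected", "status": None}
    # Nothing matched, or Prevention mode with a score below the threshold (matches are logged).
    return {"matched": matched, "score": score, "action": "Allowed", "status": None}


# Constructed sample requests (hypothetical hostnames and parameters).
REQUESTS = {
    "benign":  {"host": "www.contoso.com", "args": {"q": "running shoes"}},
    "sqli":    {"host": "www.contoso.com", "args": {"id": "1' OR '1'='1"}},
    "xss":     {"host": "www.contoso.com", "args": {"name": "<script>alert(1)</script>"}},
    "ip-host": {"host": "203.0.113.10",    "args": {"q": "shoes"}},   # a single WARNING: 3 < 5
}

if __name__ == "__main__":
    for name, req in REQUESTS.items():
        for mode in ("Detection", "Prevention"):
            r = evaluate(req, mode)
            print(f'{name:<8} {mode:<10} score={r["score"]} {r["action"]:<8} rules={r["matched"]}')
```

The `ip-host` sample is the instructive one: the numeric-host rule fires in both modes, but its score of 3 stays under the threshold, so even Prevention mode forwards the request. That is why a rule that "matches" in the log is not necessarily the rule that blocked a request, and why false-positive tuning is done by reviewing the anomaly score contributors rather than single matches.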