Source: teckadmin.files.wordpress.com (posted 24-Jul-2020)

Create an application gateway

On the Azure portal menu or from the Home page, select Create a resource. The New window appears.

Select Networking and then select Application Gateway in the Featured list.

On the Basics tab, provide the requested details (name, region, tier, virtual network and the gateway subnet).

Note: Application Gateway requires a dedicated subnet; the gateway instances are the only resources that can be deployed in it. Put the backend VMs and any other resources in a separate subnet of the same virtual network.

Frontends tab

On the Frontends tab, verify Frontend IP address type is set to Public.

Note : For the Application Gateway v2 SKU, there must be a Public frontend IP configuration. You can still have both a Public and a Private frontend IP configuration, but Private only frontend IP configuration (Only ILB mode) is currently not enabled for the v2 SKU.

Backends tab

The backend pool is used to route requests to the backend servers that serve the request. Backend pools can be composed of NICs, virtual machine scale sets, public IPs, internal IPs, fully qualified domain names (FQDN), and multi-tenant back-ends like Azure App Service. In this example, you'll create an empty backend pool with your application gateway and then add backend targets to the backend pool.

Configuration tab

The Configuration tab has three sections: Frontends, Backends and Routing rules. A routing rule joins a listener on a frontend to a backend pool through an HTTP setting.

For the HTTP setting, select Create new. The HTTP setting determines how the gateway talks to the backend pool (port, protocol, cookie affinity, timeouts) and so governs the behavior of the routing rule. In the Add an HTTP setting window that opens, enter a name for the HTTP setting and 80 for the Backend port. Accept the default values for the other settings, then select Add to return to the Add a routing rule window. Note that port 80 with protocol HTTP means the hop from the gateway to the backend is unencrypted; for end-to-end TLS use port 443 and protocol HTTPS here.
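The same gateway built from Azure PowerShell (Az.Network), as an added example rather than part of the original document: it creates the dedicated gateway subnet and a separate backend subnet, a static Standard public IP for the v2 frontend, an empty backend pool, the port-80 HTTP setting and the basic routing rule, matching the portal steps above. The resource names, address ranges and region are assumptions; the resource group name myagroapp is the one this document uses later.

```powershell
# Added example (not from the original page): scripted equivalent of the portal
# walkthrough, using Azure PowerShell (Az.Network). Names, region and address
# ranges are assumptions chosen for this example.
$rg       = 'myagroapp'      # resource group name used later on this page
$location = 'NorthEurope'

# Two subnets: one dedicated to the gateway, one for the backend VMs.
# Only Application Gateway instances may be deployed in the gateway subnet.
$agSubnet = New-AzVirtualNetworkSubnetConfig -Name 'myAGSubnet'      -AddressPrefix '10.0.0.0/24'
$beSubnet = New-AzVirtualNetworkSubnetConfig -Name 'myBackendSubnet' -AddressPrefix '10.0.1.0/24'
New-AzVirtualNetwork -ResourceGroupName $rg -Location $location -Name 'myVNet' `
  -AddressPrefix '10.0.0.0/16' -Subnet $agSubnet, $beSubnet | Out-Null

# The v2 SKU needs a Standard-SKU, statically allocated public IP for its frontend.
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Location $location -Name 'myAGPublicIP' `
         -AllocationMethod Static -Sku Standard

# Re-read the subnet so its resource ID is populated before handing it to the gateway.
$vnet     = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'myVNet'
$agSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'myAGSubnet' -VirtualNetwork $vnet

# Frontend: which subnet the gateway lives in, the public frontend IP, and port 80.
$gipConfig  = New-AzApplicationGatewayIPConfiguration -Name 'myAGIPConfig' -Subnet $agSubnet
$feIpConfig = New-AzApplicationGatewayFrontendIPConfig -Name 'myAGFrontendIP' -PublicIPAddress $pip
$fePort     = New-AzApplicationGatewayFrontendPort -Name 'myFrontendPort' -Port 80

# Backend: an empty pool (targets are added afterwards) and the HTTP setting that
# governs the gateway-to-backend hop. Port 80/Http here means that hop is plaintext;
# use -Port 443 -Protocol Https for end-to-end TLS.
$pool     = New-AzApplicationGatewayBackendAddressPool -Name 'myBackendPool'
$poolSett = New-AzApplicationGatewayBackendHttpSetting -Name 'myHTTPSetting' -Port 80 `
              -Protocol Http -CookieBasedAffinity Disabled -RequestTimeout 30

# Routing rule: HTTP listener on the public frontend -> pool, via the HTTP setting.
# -Priority is required for rules on v2 gateways with current Az.Network versions.
$listener = New-AzApplicationGatewayHttpListener -Name 'myListener' -Protocol Http `
              -FrontendIPConfiguration $feIpConfig -FrontendPort $fePort
$rule = New-AzApplicationGatewayRequestRoutingRule -Name 'myRoutingRule' -RuleType Basic `
          -Priority 100 -HttpListener $listener -BackendAddressPool $pool -BackendHttpSettings $poolSett

$sku = New-AzApplicationGatewaySku -Name Standard_v2 -Tier Standard_v2 -Capacity 2

# Creating the gateway takes several minutes.
New-AzApplicationGateway -Name 'myAppGateway' -ResourceGroupName $rg -Location $location `
  -BackendAddressPools $pool -BackendHttpSettingsCollection $poolSett `
  -FrontendIpConfigurations $feIpConfig -GatewayIpConfigurations $gipConfig `
  -FrontendPorts $fePort -HttpListeners $listener -RequestRoutingRules $rule -Sku $sku
```

Running this from a session that has already done Connect-AzAccount produces the same object as the portal wizard; the backend VMs created in the next step go into myBackendSubnet, never into myAGSubnet.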

Create a VM (web1) and install IIS on it with Azure PowerShell, using the Custom Script Extension

# Custom Script Extension on VM web1: installs the IIS role and writes the computer
# name into the default page, so you can tell which backend answered a request.
Set-AzVMExtension `
  -ResourceGroupName myagroapp `
  -ExtensionName IIS `
  -VMName web1 `
  -Publisher Microsoft.Compute `
  -ExtensionType CustomScriptExtension `
  -TypeHandlerVersion 1.4 `
  -SettingString '{"commandToExecute":"powershell Add-WindowsFeature Web-Server; powershell Add-Content -Path \"C:\\inetpub\\wwwroot\\Default.htm\" -Value $($env:computername)"}' `
  -Location NorthEurope

Add the servers (the VMs' network interfaces) to the backend pool.

Access the site using the application gateway's public IP address; the page shows the computer name of the backend that served the request.

SSL termination

Create a self-signed certificate

# Self-signed test certificate for www.contoso.com, placed in the local machine store
New-SelfSignedCertificate `
  -CertStoreLocation cert:\localmachine\my `
  -DnsName www.contoso.com

Configuration tab

On the Configuration tab, you'll connect the frontend and backend pool you created using a routing rule.

Select Add a rule in the Routing rules column.

In the Add a routing rule window that opens, enter myRoutingRule for the Rule name.

A routing rule requires a listener. On the Listener tab within the Add a routing rule window, enter the following values for the listener:

Listener name: Enter myListener for the name of the listener.

Frontend IP: Select Public to choose the public IP you created for the frontend.

Protocol: Select HTTPS.

Port: Verify 443 is entered for the port.

Under HTTPS Certificate:

PFX certificate file - Browse to and select the c:\appgwcert.pfx file that you created earlier.

Certificate name - Type mycert1 for the name of the certificate.

Password - Type the password you set when exporting the PFX (the Azure tutorial uses Azure123456 as its sample value; do not reuse it outside a lab).

Accept the default values for the other settings on the Listener tab, then select the Backend targets tab to configure the rest of the routing rule.
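The whole SSL-termination procedure (the self-signed certificate, its export to c:\appgwcert.pfx, and the HTTPS listener and rule configured above) as Azure PowerShell, added here as an example and not taken from the original document. It assumes the gateway myAppGateway in resource group myagroapp already has a public frontend, the backend pool myBackendPool and the HTTP setting myHTTPSetting; the listener and certificate names are the ones this document uses, the port and rule names are assumptions.

```powershell
# Added example (not from the original page). Assumes 'myAppGateway' in 'myagroapp'
# already has a public frontend IP config, the backend pool 'myBackendPool' and
# the HTTP setting 'myHTTPSetting' from the earlier steps.
$rg      = 'myagroapp'
$pfxPath = 'c:\appgwcert.pfx'

# 1. Self-signed certificate for the lab (use a CA-issued certificate in production),
#    exported with its private key. The password is read interactively rather than
#    hard-coded in the script.
$cert = New-SelfSignedCertificate -CertStoreLocation 'cert:\localmachine\my' -DnsName 'www.contoso.com'
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# 2. Upload the certificate, open port 443 and add the HTTPS listener on the public frontend.
$appgw = Get-AzApplicationGateway -Name 'myAppGateway' -ResourceGroupName $rg
$appgw = Add-AzApplicationGatewaySslCertificate -ApplicationGateway $appgw -Name 'mycert1' `
           -CertificateFile $pfxPath -Password $pfxPassword
$appgw = Add-AzApplicationGatewayFrontendPort -ApplicationGateway $appgw -Name 'httpsPort' -Port 443

$feIp    = Get-AzApplicationGatewayFrontendIPConfig -ApplicationGateway $appgw |
             Where-Object { $_.PublicIPAddress } | Select-Object -First 1
$fePort  = Get-AzApplicationGatewayFrontendPort -ApplicationGateway $appgw -Name 'httpsPort'
$sslCert = Get-AzApplicationGatewaySslCertificate -ApplicationGateway $appgw -Name 'mycert1'
$appgw = Add-AzApplicationGatewayHttpListener -ApplicationGateway $appgw -Name 'myListener' `
           -Protocol Https -FrontendIPConfiguration $feIp -FrontendPort $fePort -SslCertificate $sslCert

# 3. Routing rule: TLS terminates at the gateway; the backend hop uses the HTTP setting
#    (port 80 -> plaintext inside the VNet; switch the setting to Https for end-to-end TLS).
$listener = Get-AzApplicationGatewayHttpListener -ApplicationGateway $appgw -Name 'myListener'
$pool     = Get-AzApplicationGatewayBackendAddressPool -ApplicationGateway $appgw -Name 'myBackendPool'
$setting  = Get-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $appgw -Name 'myHTTPSetting'
$appgw = Add-AzApplicationGatewayRequestRoutingRule -ApplicationGateway $appgw -Name 'httpsRule' `
           -RuleType Basic -Priority 110 -HttpListener $listener `
           -BackendAddressPool $pool -BackendHttpSettings $setting

# 4. Pin a predefined TLS policy: the legacy default policy still negotiates TLS 1.0/1.1,
#    AppGwSslPolicy20170401S allows TLS 1.2 only with a restricted cipher list.
$appgw = Set-AzApplicationGatewaySslPolicy -ApplicationGateway $appgw `
           -PolicyType Predefined -PolicyName 'AppGwSslPolicy20170401S'

Set-AzApplicationGateway -ApplicationGateway $appgw
```

The Add-* cmdlets only modify the in-memory object; nothing changes on the gateway until Set-AzApplicationGateway at the end.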

Multisite

You then configure listeners and rules based on domains that you own to make sure web traffic arrives at the appropriate servers in the pools. This tutorial assumes that you own multiple domains and uses examples of www.contoso.com and www.fabrikam.com.

Create a www A record in each of your domains pointing at the public IP address the application gateway was created with, for example:

x.x.x.x www.growfarm.com
x.x.x.x www.greenfarm.com

Route based URL

You then create URL path-based routing rules that send requests for different paths (for example /images/* and /video/*) to the appropriate backend pools.

Backends tab

On the Backends tab, select +Add a backend pool.

In the Add a backend pool window that opens, enter the following values to create an empty backend pool:

Name: Enter myBackendPool for the name of the backend pool.

Under Backend Targets, Target type, select Virtual machine from the drop-down list.

Under Target select the network interface for myVM1.

Select Add.

Repeat to add an Images backend pool with myVM2 as the target, and a Video backend pool with myVM3 as the target.

Redirect web traffic

You then create URL path-based routing rules that send each path to the appropriate backend pool, and redirect configurations where traffic should instead be sent to another listener (for example from HTTP to HTTPS) or to an external URL.
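The three routing scenarios above (multisite listeners per host name, URL path-based routing into the Images and Video pools, and a redirect) in one Azure PowerShell script. This is an added example, not part of the original document. It assumes the gateway myAppGateway in myagroapp has a public frontend, a port-80 frontend port object named myFrontendPort, the HTTPS listener myListener on 443 from the SSL termination section, the HTTP setting myHTTPSetting and the pools myBackendPool, Images and Video; the host names are the ones this document uses, the listener, path-map and rule names are assumptions.

```powershell
# Added example, not from the original page. Assumes 'myAppGateway' in 'myagroapp'
# already has: a public frontend IP, a frontend port object for 80 named
# 'myFrontendPort', the HTTPS listener 'myListener' on 443, the HTTP setting
# 'myHTTPSetting', and the pools 'myBackendPool', 'Images' and 'Video'.
# Get-AzApplicationGatewayFrontendPort -ApplicationGateway $appgw lists the real port names.
$rg    = 'myagroapp'
$appgw = Get-AzApplicationGateway -Name 'myAppGateway' -ResourceGroupName $rg

$feIp    = Get-AzApplicationGatewayFrontendIPConfig -ApplicationGateway $appgw |
             Where-Object { $_.PublicIPAddress } | Select-Object -First 1
$port80  = Get-AzApplicationGatewayFrontendPort -ApplicationGateway $appgw -Name 'myFrontendPort'
$setting = Get-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $appgw -Name 'myHTTPSetting'
$default = Get-AzApplicationGatewayBackendAddressPool -ApplicationGateway $appgw -Name 'myBackendPool'
$images  = Get-AzApplicationGatewayBackendAddressPool -ApplicationGateway $appgw -Name 'Images'
$video   = Get-AzApplicationGatewayBackendAddressPool -ApplicationGateway $appgw -Name 'Video'

# --- Multisite: one listener per host name on port 80. The gateway matches the Host
#     header against these first; a basic listener on the same port, if present,
#     becomes the catch-all for hosts that match none of them.
foreach ($site in 'www.growfarm.com', 'www.greenfarm.com') {
    $name  = 'listener-' + ($site -replace '\.', '-')
    $appgw = Add-AzApplicationGatewayHttpListener -ApplicationGateway $appgw -Name $name `
               -Protocol Http -FrontendIPConfiguration $feIp -FrontendPort $port80 -HostName $site
}
$growfarm  = Get-AzApplicationGatewayHttpListener -ApplicationGateway $appgw -Name 'listener-www-growfarm-com'
$greenfarm = Get-AzApplicationGatewayHttpListener -ApplicationGateway $appgw -Name 'listener-www-greenfarm-com'

# --- URL path-based routing on the growfarm listener:
#     /images/* -> Images, /video/* -> Video, anything else -> myBackendPool.
$imagesRule = New-AzApplicationGatewayPathRuleConfig -Name 'images' -Paths '/images/*' `
                -BackendAddressPool $images -BackendHttpSettings $setting
$videoRule  = New-AzApplicationGatewayPathRuleConfig -Name 'video' -Paths '/video/*' `
                -BackendAddressPool $video -BackendHttpSettings $setting
$appgw = Add-AzApplicationGatewayUrlPathMapConfig -ApplicationGateway $appgw -Name 'urlPathMap' `
           -PathRules $imagesRule, $videoRule `
           -DefaultBackendAddressPool $default -DefaultBackendHttpSettings $setting
$pathMap = Get-AzApplicationGatewayUrlPathMapConfig -ApplicationGateway $appgw -Name 'urlPathMap'
$appgw = Add-AzApplicationGatewayRequestRoutingRule -ApplicationGateway $appgw -Name 'growfarmPaths' `
           -RuleType PathBasedRouting -Priority 200 -HttpListener $growfarm -UrlPathMap $pathMap

# --- Redirect: greenfarm's plaintext requests get a 301 to the HTTPS listener, keeping
#     path and query string, instead of being proxied to any pool.
$https = Get-AzApplicationGatewayHttpListener -ApplicationGateway $appgw -Name 'myListener'
$appgw = Add-AzApplicationGatewayRedirectConfiguration -ApplicationGateway $appgw -Name 'toHttps' `
           -RedirectType Permanent -TargetListener $https -IncludePath $true -IncludeQueryString $true
$redirect = Get-AzApplicationGatewayRedirectConfiguration -ApplicationGateway $appgw -Name 'toHttps'
$appgw = Add-AzApplicationGatewayRequestRoutingRule -ApplicationGateway $appgw -Name 'greenfarmToHttps' `
           -RuleType Basic -Priority 210 -HttpListener $greenfarm -RedirectConfiguration $redirect

Set-AzApplicationGateway -ApplicationGateway $appgw
```

A redirect rule carries no backend pool at all: the rule references a redirect configuration instead, which is why "redirect to a backend pool" is not something the gateway can express; the target is always a listener or a URL.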

Application Gateway Ingress Controller

The Application Gateway Ingress Controller (AGIC) is a Kubernetes application, which makes it possible for Azure Kubernetes Service (AKS) customers to leverage Azure's native Application Gateway L7 load-balancer to expose cloud software to the Internet. AGIC monitors the Kubernetes cluster it is hosted on and continuously updates an Application Gateway, so that selected services are exposed to the Internet.

The Ingress Controller runs in its own pod on the customer’s AKS. AGIC monitors a subset of Kubernetes Resources for changes. The state of the AKS cluster is translated to Application Gateway specific configuration and applied to the Azure Resource Manager (ARM).

Benefits of Application Gateway Ingress Controller

AGIC allows your deployment to control multiple AKS clusters with a single Application Gateway Ingress Controller. AGIC also helps eliminate the need to have another load balancer/public IP in front of AKS cluster and avoids multiple hops in your datapath before requests reach the AKS cluster. Application Gateway talks to pods using their private IP directly and does not require NodePort or KubeProxy services. This also brings better performance to your deployments.

Ingress Controller is supported exclusively by Standard_v2 and WAF_v2 SKUs, which also brings you autoscaling benefits. Application Gateway can react in response to an increase or decrease in traffic load and scale accordingly, without consuming any resources from your AKS cluster.

Using Application Gateway in addition to AGIC also helps protect your AKS cluster by providing TLS policy and Web Application Firewall (WAF) functionality.

AGIC is configured via the Kubernetes Ingress resource, along with Service and Deployments/Pods. It provides a number of features, leveraging Azure’s native Application Gateway L7 load balancer. To name a few:

URL routing

Cookie-based affinity

TLS termination

End-to-end TLS

Support for public, private, and hybrid web sites

Integrated web application firewall

AGIC is able to handle multiple namespaces and has ProhibitedTargets, which means AGIC can configure the Application Gateway specifically for AKS clusters without affecting other existing backends.
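What "configured via the Kubernetes Ingress resource" looks like in practice: an Ingress that AGIC turns into a multisite listener, a URL path map, TLS termination and an HTTP-to-HTTPS redirect on the gateway, applied with kubectl from a PowerShell session. This is an added example, not from the original document or the AGIC project; the host name, namespace, service names, secret name and file name are assumptions.

```powershell
# Added example (not from the original page or the AGIC project). Assumes an AKS
# cluster with AGIC installed, Services 'web' and 'images' on port 80 in the
# default namespace, and a kubernetes.io/tls secret 'growfarm-tls', e.g. created with
#   kubectl create secret tls growfarm-tls --cert=growfarm.crt --key=growfarm.key
# (file names assumed).
$ingress = @'
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-ingress
  namespace: default
  annotations:
    # hand this Ingress to AGIC rather than to another ingress controller
    kubernetes.io/ingress.class: azure/application-gateway
    # plaintext requests get a 301 to the HTTPS listener AGIC creates for the tls block
    appgw.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  tls:
  - hosts:
    - www.growfarm.com
    secretName: growfarm-tls     # AGIC uploads this certificate to the gateway
  rules:
  - host: www.growfarm.com        # becomes a multisite listener on the gateway
    http:
      paths:
      - path: /images              # becomes a path rule in the URL path map
        pathType: Prefix
        backend:
          service:
            name: images
            port:
              number: 80
      - path: /                    # default backend for everything else
        pathType: Prefix
        backend:
          service:
            name: web
            port:
              number: 80
'@

Set-Content -Path 'web-ingress.yaml' -Value $ingress -Encoding utf8
kubectl apply -f web-ingress.yaml

# AGIC reports the gateway's public IP in the Ingress status once it has reconciled.
kubectl get ingress web-ingress
kubectl describe ingress web-ingress
```

Because the gateway addresses pod IPs directly, the backend pool AGIC writes contains the pods of the selected Services, not the node IPs; scaling the Deployment updates the pool without any NodePort. For end-to-end TLS to the pods, add the appgw.ingress.kubernetes.io/backend-protocol annotation set to "https" and serve a certificate the gateway trusts from the pod.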

Install an Application Gateway Ingress Controller (AGIC) Using a New Application Gateway

https://docs.microsoft.com/en-us/azure/application-gateway/ingress-controller-install-new

Install an Application Gateway Ingress Controller (AGIC) using an existing Application Gateway

https://docs.microsoft.com/en-us/azure/application-gateway/ingress-controller-install-existing

Monitoring and logging

For Application Gateway, three log categories are available. Each is generated only after you enable it in the gateway's diagnostic settings, and the data goes to the destination you choose there (a storage account, an event hub or a Log Analytics workspace).

Access log - one entry per request: client IP and port, method, URI, status code, bytes received and sent, time taken and, on the v2 SKU, the negotiated TLS protocol and cipher. This is the log to query when investigating suspicious or failing requests.

Performance log - per-instance throughput, requests served, failed requests and healthy and unhealthy backend host counts. It is available for the v1 SKU; on v2, use the metrics below for the same data.

Firewall log - requests inspected by the web application firewall, with the matched rule and the action taken. This log requires a WAF SKU with a WAF policy configured on the application gateway.

To start collecting data, select Turn on diagnostics and choose the categories and the destination.

Metrics supported by Application Gateway V2 SKU

Timing metrics - Application Gateway provides several built‑in timing metrics related to the request and response, which are all measured in milliseconds.

Backend connect time - Time spent establishing a connection with the backend application.

Backend first byte response time - Time interval between start of establishing a connection to backend server and receiving the first byte of the response header.

Backend last byte response time - Time interval between start of establishing a connection to backend server and receiving the last byte of the response body.

Application gateway total time - Average time that it takes for a request to be received, processed and its response to be sent.

Client RTT - Average round trip time between clients and Application Gateway.
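The monitoring section as Azure PowerShell, added here as an example and not taken from the original document: it enables the three log categories plus platform metrics into a Log Analytics workspace, then pulls the v2 timing metrics listed above for the last hour and flags minutes where the gap between total time and backend last-byte time (the part spent in the gateway itself, for instance on TLS handshakes) is large. The gateway name myAppGateway, the resource group myagroapp, the workspace name and the 100 ms threshold are assumptions; the metric names are the documented v2 metric identifiers for the timings above.

```powershell
# Added example (not from the original page). Assumes 'myAppGateway' in 'myagroapp'
# and a Log Analytics workspace 'myWorkspace' in the same resource group.
$rg    = 'myagroapp'
$appgw = Get-AzApplicationGateway -Name 'myAppGateway' -ResourceGroupName $rg
$ws    = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name 'myWorkspace'

# 1. Enable the three log categories (the firewall log only fills on a WAF SKU) and
#    all platform metrics, shipped to Log Analytics. On Az.Monitor before 3.0 the
#    equivalent is Set-AzDiagnosticSetting -Category ... -WorkspaceId ...
$logs = foreach ($cat in 'ApplicationGatewayAccessLog',
                        'ApplicationGatewayPerformanceLog',
                        'ApplicationGatewayFirewallLog') {
    New-AzDiagnosticSettingLogSettingsObject -Enabled $true -Category $cat
}
$metrics = New-AzDiagnosticSettingMetricSettingsObject -Enabled $true -Category 'AllMetrics'
New-AzDiagnosticSetting -Name 'appgw-diag' -ResourceId $appgw.Id -WorkspaceId $ws.ResourceId `
  -Log $logs -Metric $metrics | Out-Null

# 2. Timing metrics (milliseconds) for the last hour at one-minute grain.
$end   = Get-Date
$start = $end.AddHours(-1)
$names = 'BackendConnectTime', 'BackendFirstByteResponseTime', 'BackendLastByteResponseTime',
         'ApplicationGatewayTotalTime', 'ClientRtt'
$series = @{}
foreach ($n in $names) {
    $m = Get-AzMetric -ResourceId $appgw.Id -MetricName $n -TimeGrain 00:01:00 `
           -StartTime $start -EndTime $end -AggregationType Average -WarningAction SilentlyContinue
    $series[$n] = @{}
    foreach ($pt in $m.Data) {
        if ($null -ne $pt.Average) { $series[$n][$pt.TimeStamp] = $pt.Average }
    }
}

# 3. Total time minus backend last-byte time approximates time spent in the gateway.
#    A sustained gap points at the gateway (TLS handshakes, capacity), a large
#    backend last-byte time points at the application. Threshold is an assumption.
$thresholdMs = 100
foreach ($ts in ($series['ApplicationGatewayTotalTime'].Keys | Sort-Object)) {
    $total   = $series['ApplicationGatewayTotalTime'][$ts]
    $backend = $series['BackendLastByteResponseTime'][$ts]
    if ($null -ne $backend -and ($total - $backend) -gt $thresholdMs) {
        '{0:u}  total={1:N0}ms  backend={2:N0}ms  gateway={3:N0}ms' -f $ts, $total, $backend, ($total - $backend)
    }
}
```

Client RTT is measured between the client and the gateway and is independent of the backend, so a rising Client RTT with flat backend times indicates a network or client-side problem rather than anything behind the gateway.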