Application Gateways are Layer 7 load balancers built for regional solutions. When you create an Azure Application Gateway it will complete it’s load balancing from a specific region unlike Azure Front Door, so it is imperative that this is understood. All applications gateways also need a public IP address. You don’t need to expose the public IP address over the internet, you could theoretically lock it down entirely with an NSG and just use a private IP as the front end but for this lab we will keep it generic. For this lab I will be using an application gateway and an arm template consisting of 2VM’s. The 2 VM’s will be placed on the backend subnet of the vnet.

The ARM template is below but you can also find it here on my GitHub repo.
Parameters.json:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"virtualMachines_BackEndVM1_name": {
"value": null
},
"virtualMachines_BackEndVM2_name": {
"value": null
},
"virtualNetworks_BackEndVnet_name": {
"value": null
},
"networkInterfaces_backendvm112_name": {
"value": null
},
"networkInterfaces_backendvm2454_name": {
"value": null
},
"publicIPAddresses_BackEndVM1_ip_name": {
"value": null
},
"publicIPAddresses_BackEndVM2_ip_name": {
"value": null
},
"networkSecurityGroups_BackEndVM1_nsg_name": {
"value": null
},
"networkSecurityGroups_BackEndVM2_nsg_name": {
"value": null
},
"networkSecurityGroups_BackEndPoolVM1_nsg_name": {
"value": null
}
}
}
Template.json:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"virtualMachines_BackEndVM1_name": {
"defaultValue": "BackEndVM1",
"type": "String"
},
"virtualMachines_BackEndVM2_name": {
"defaultValue": "BackEndVM2",
"type": "String"
},
"virtualNetworks_BackEndVnet_name": {
"defaultValue": "BackEndVnet",
"type": "String"
},
"networkInterfaces_backendvm112_name": {
"defaultValue": "backendvm112",
"type": "String"
},
"networkInterfaces_backendvm2454_name": {
"defaultValue": "backendvm2454",
"type": "String"
},
"publicIPAddresses_BackEndVM1_ip_name": {
"defaultValue": "BackEndVM1-ip",
"type": "String"
},
"publicIPAddresses_BackEndVM2_ip_name": {
"defaultValue": "BackEndVM2-ip",
"type": "String"
},
"networkSecurityGroups_BackEndVM1_nsg_name": {
"defaultValue": "BackEndVM1-nsg",
"type": "String"
},
"networkSecurityGroups_BackEndVM2_nsg_name": {
"defaultValue": "BackEndVM2-nsg",
"type": "String"
},
"networkSecurityGroups_BackEndPoolVM1_nsg_name": {
"defaultValue": "BackEndPoolVM1-nsg",
"type": "String"
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Network/networkSecurityGroups",
"apiVersion": "2024-01-01",
"name": "[parameters('networkSecurityGroups_BackEndPoolVM1_nsg_name')]",
"location": "eastus",
"properties": {
"securityRules": [
{
"name": "RDP",
"id": "[resourceId('Microsoft.Network/networkSecurityGroups/securityRules', parameters('networkSecurityGroups_BackEndPoolVM1_nsg_name'), 'RDP')]",
"type": "Microsoft.Network/networkSecurityGroups/securityRules",
"properties": {
"protocol": "TCP",
"sourcePortRange": "*",
"destinationPortRange": "3389",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 300,
"direction": "Inbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": []
}
},
{
"name": "HTTP",
"id": "[resourceId('Microsoft.Network/networkSecurityGroups/securityRules', parameters('networkSecurityGroups_BackEndPoolVM1_nsg_name'), 'HTTP')]",
"type": "Microsoft.Network/networkSecurityGroups/securityRules",
"properties": {
"protocol": "TCP",
"sourcePortRange": "*",
"destinationPortRange": "80",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 320,
"direction": "Inbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": []
}
},
{
"name": "HTTPS",
"id": "[resourceId('Microsoft.Network/networkSecurityGroups/securityRules', parameters('networkSecurityGroups_BackEndPoolVM1_nsg_name'), 'HTTPS')]",
"type": "Microsoft.Network/networkSecurityGroups/securityRules",
"properties": {
"protocol": "TCP",
"sourcePortRange": "*",
"destinationPortRange": "443",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 340,
"direction": "Inbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": []
}
}
]
}
},
{
"type": "Microsoft.Network/networkSecurityGroups",
"apiVersion": "2024-01-01",
"name": "[parameters('networkSecurityGroups_BackEndVM1_nsg_name')]",
"location": "eastus",
"properties": {
"securityRules": [
{
"name": "RDP",
"id": "[resourceId('Microsoft.Network/networkSecurityGroups/securityRules', parameters('networkSecurityGroups_BackEndVM1_nsg_name'), 'RDP')]",
"type": "Microsoft.Network/networkSecurityGroups/securityRules",
"properties": {
"protocol": "TCP",
"sourcePortRange": "*",
"destinationPortRange": "3389",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 300,
"direction": "Inbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": []
}
},
{
"name": "HTTPS",
"id": "[resourceId('Microsoft.Network/networkSecurityGroups/securityRules', parameters('networkSecurityGroups_BackEndVM1_nsg_name'), 'HTTPS')]",
"type": "Microsoft.Network/networkSecurityGroups/securityRules",
"properties": {
"protocol": "TCP",
"sourcePortRange": "*",
"destinationPortRange": "443",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 320,
"direction": "Inbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": []
}
},
{
"name": "HTTP",
"id": "[resourceId('Microsoft.Network/networkSecurityGroups/securityRules', parameters('networkSecurityGroups_BackEndVM1_nsg_name'), 'HTTP')]",
"type": "Microsoft.Network/networkSecurityGroups/securityRules",
"properties": {
"protocol": "TCP",
"sourcePortRange": "*",
"destinationPortRange": "80",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 340,
"direction": "Inbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": []
}
}
]
}
},
{
"type": "Microsoft.Network/networkSecurityGroups",
"apiVersion": "2024-01-01",
"name": "[parameters('networkSecurityGroups_BackEndVM2_nsg_name')]",
"location": "eastus",
"properties": {
"securityRules": [
{
"name": "RDP",
"id": "[resourceId('Microsoft.Network/networkSecurityGroups/securityRules', parameters('networkSecurityGroups_BackEndVM2_nsg_name'), 'RDP')]",
"type": "Microsoft.Network/networkSecurityGroups/securityRules",
"properties": {
"protocol": "TCP",
"sourcePortRange": "*",
"destinationPortRange": "3389",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 300,
"direction": "Inbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": []
}
},
{
"name": "HTTP",
"id": "[resourceId('Microsoft.Network/networkSecurityGroups/securityRules', parameters('networkSecurityGroups_BackEndVM2_nsg_name'), 'HTTP')]",
"type": "Microsoft.Network/networkSecurityGroups/securityRules",
"properties": {
"protocol": "TCP",
"sourcePortRange": "*",
"destinationPortRange": "80",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 320,
"direction": "Inbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": []
}
},
{
"name": "HTTPS",
"id": "[resourceId('Microsoft.Network/networkSecurityGroups/securityRules', parameters('networkSecurityGroups_BackEndVM2_nsg_name'), 'HTTPS')]",
"type": "Microsoft.Network/networkSecurityGroups/securityRules",
"properties": {
"protocol": "TCP",
"sourcePortRange": "*",
"destinationPortRange": "443",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 340,
"direction": "Inbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": []
}
}
]
}
},
{
"type": "Microsoft.Network/publicIPAddresses",
"apiVersion": "2024-01-01",
"name": "[parameters('publicIPAddresses_BackEndVM1_ip_name')]",
"location": "eastus",
"sku": {
"name": "Standard",
"tier": "Regional"
},
"properties": {
"ipAddress": "40.88.32.224",
"publicIPAddressVersion": "IPv4",
"publicIPAllocationMethod": "Static",
"idleTimeoutInMinutes": 4,
"ipTags": []
}
},
{
"type": "Microsoft.Network/publicIPAddresses",
"apiVersion": "2024-01-01",
"name": "[parameters('publicIPAddresses_BackEndVM2_ip_name')]",
"location": "eastus",
"sku": {
"name": "Standard",
"tier": "Regional"
},
"properties": {
"ipAddress": "40.88.33.159",
"publicIPAddressVersion": "IPv4",
"publicIPAllocationMethod": "Static",
"idleTimeoutInMinutes": 4,
"ipTags": []
}
},
{
"type": "Microsoft.Network/virtualNetworks",
"apiVersion": "2024-01-01",
"name": "[parameters('virtualNetworks_BackEndVnet_name')]",
"location": "eastus",
"properties": {
"addressSpace": {
"addressPrefixes": [
"10.0.0.0/16"
]
},
"subnets": [
{
"name": "AGSubnet",
"id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworks_BackEndVnet_name'), 'AGSubnet')]",
"properties": {
"addressPrefix": "10.0.0.0/24",
"delegations": [],
"privateEndpointNetworkPolicies": "Disabled",
"privateLinkServiceNetworkPolicies": "Enabled"
},
"type": "Microsoft.Network/virtualNetworks/subnets"
},
{
"name": "BackEndSubnet",
"id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworks_BackEndVnet_name'), 'BackEndSubnet')]",
"properties": {
"addressPrefix": "10.0.1.0/24",
"delegations": [],
"privateEndpointNetworkPolicies": "Disabled",
"privateLinkServiceNetworkPolicies": "Enabled"
},
"type": "Microsoft.Network/virtualNetworks/subnets"
}
],
"virtualNetworkPeerings": [],
"enableDdosProtection": false
}
},
{
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2024-03-01",
"name": "[parameters('virtualMachines_BackEndVM1_name')]",
"location": "eastus",
"dependsOn": [
"[resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaces_backendvm112_name'))]"
],
"properties": {
"hardwareProfile": {
"vmSize": "Standard_B1s"
},
"additionalCapabilities": {
"hibernationEnabled": false
},
"storageProfile": {
"imageReference": {
"publisher": "MicrosoftWindowsDesktop",
"offer": "Windows-10",
"sku": "win10-22h2-pro-g2",
"version": "latest"
},
"osDisk": {
"osType": "Windows",
"name": "[concat(parameters('virtualMachines_BackEndVM1_name'), '_OsDisk_1_b7708eb35cde4e03a418a3ac23fbf445')]",
"createOption": "FromImage",
"caching": "ReadWrite",
"managedDisk": {
"storageAccountType": "Standard_LRS",
"id": "[resourceId('Microsoft.Compute/disks', concat(parameters('virtualMachines_BackEndVM1_name'), '_OsDisk_1_b7708eb35cde4e03a418a3ac23fbf445'))]"
},
"deleteOption": "Delete",
"diskSizeGB": 127
},
"dataDisks": [],
"diskControllerType": "SCSI"
},
"osProfile": {
"computerName": "[parameters('virtualMachines_BackEndVM1_name')]",
"adminUsername": "CameronMoulder",
"windowsConfiguration": {
"provisionVMAgent": true,
"enableAutomaticUpdates": true,
"patchSettings": {
"patchMode": "AutomaticByOS",
"assessmentMode": "ImageDefault",
"enableHotpatching": false
},
"enableVMAgentPlatformUpdates": true
},
"secrets": [],
"allowExtensionOperations": true,
"requireGuestProvisionSignal": true
},
"securityProfile": {
"uefiSettings": {
"secureBootEnabled": true,
"vTpmEnabled": true
},
"securityType": "TrustedLaunch"
},
"networkProfile": {
"networkInterfaces": [
{
"id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaces_backendvm112_name'))]",
"properties": {
"deleteOption": "Delete"
}
}
]
},
"diagnosticsProfile": {
"bootDiagnostics": {
"enabled": true
}
},
"licenseType": "Windows_Client"
}
},
{
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2024-03-01",
"name": "[parameters('virtualMachines_BackEndVM2_name')]",
"location": "eastus",
"dependsOn": [
"[resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaces_backendvm2454_name'))]"
],
"properties": {
"hardwareProfile": {
"vmSize": "Standard_B1s"
},
"additionalCapabilities": {
"hibernationEnabled": false
},
"storageProfile": {
"imageReference": {
"publisher": "MicrosoftWindowsDesktop",
"offer": "Windows-10",
"sku": "win10-22h2-pro-g2",
"version": "latest"
},
"osDisk": {
"osType": "Windows",
"name": "[concat(parameters('virtualMachines_BackEndVM2_name'), '_OsDisk_1_803d2acd74ba4d638fcac18e808b6e62')]",
"createOption": "FromImage",
"caching": "ReadWrite",
"managedDisk": {
"storageAccountType": "Standard_LRS",
"id": "[resourceId('Microsoft.Compute/disks', concat(parameters('virtualMachines_BackEndVM2_name'), '_OsDisk_1_803d2acd74ba4d638fcac18e808b6e62'))]"
},
"deleteOption": "Delete",
"diskSizeGB": 127
},
"dataDisks": [],
"diskControllerType": "SCSI"
},
"osProfile": {
"computerName": "[parameters('virtualMachines_BackEndVM2_name')]",
"adminUsername": "CameronMoulder",
"windowsConfiguration": {
"provisionVMAgent": true,
"enableAutomaticUpdates": true,
"patchSettings": {
"patchMode": "AutomaticByOS",
"assessmentMode": "ImageDefault",
"enableHotpatching": false
},
"enableVMAgentPlatformUpdates": true
},
"secrets": [],
"allowExtensionOperations": true,
"requireGuestProvisionSignal": true
},
"securityProfile": {
"uefiSettings": {
"secureBootEnabled": true,
"vTpmEnabled": true
},
"securityType": "TrustedLaunch"
},
"networkProfile": {
"networkInterfaces": [
{
"id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaces_backendvm2454_name'))]",
"properties": {
"deleteOption": "Delete"
}
}
]
},
"diagnosticsProfile": {
"bootDiagnostics": {
"enabled": true
}
},
"licenseType": "Windows_Client"
}
},
{
"type": "Microsoft.Network/networkSecurityGroups/securityRules",
"apiVersion": "2024-01-01",
"name": "[concat(parameters('networkSecurityGroups_BackEndPoolVM1_nsg_name'), '/HTTP')]",
"dependsOn": [
"[resourceId('Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroups_BackEndPoolVM1_nsg_name'))]"
],
"properties": {
"protocol": "TCP",
"sourcePortRange": "*",
"destinationPortRange": "80",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 320,
"direction": "Inbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": []
}
},
{
"type": "Microsoft.Network/networkSecurityGroups/securityRules",
"apiVersion": "2024-01-01",
"name": "[concat(parameters('networkSecurityGroups_BackEndVM1_nsg_name'), '/HTTP')]",
"dependsOn": [
"[resourceId('Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroups_BackEndVM1_nsg_name'))]"
],
"properties": {
"protocol": "TCP",
"sourcePortRange": "*",
"destinationPortRange": "80",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 340,
"direction": "Inbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": []
}
},
{
"type": "Microsoft.Network/networkSecurityGroups/securityRules",
"apiVersion": "2024-01-01",
"name": "[concat(parameters('networkSecurityGroups_BackEndVM2_nsg_name'), '/HTTP')]",
"dependsOn": [
"[resourceId('Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroups_BackEndVM2_nsg_name'))]"
],
"properties": {
"protocol": "TCP",
"sourcePortRange": "*",
"destinationPortRange": "80",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 320,
"direction": "Inbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": []
}
},
{
"type": "Microsoft.Network/networkSecurityGroups/securityRules",
"apiVersion": "2024-01-01",
"name": "[concat(parameters('networkSecurityGroups_BackEndPoolVM1_nsg_name'), '/HTTPS')]",
"dependsOn": [
"[resourceId('Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroups_BackEndPoolVM1_nsg_name'))]"
],
"properties": {
"protocol": "TCP",
"sourcePortRange": "*",
"destinationPortRange": "443",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 340,
"direction": "Inbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": []
}
},
{
"type": "Microsoft.Network/networkSecurityGroups/securityRules",
"apiVersion": "2024-01-01",
"name": "[concat(parameters('networkSecurityGroups_BackEndVM1_nsg_name'), '/HTTPS')]",
"dependsOn": [
"[resourceId('Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroups_BackEndVM1_nsg_name'))]"
],
"properties": {
"protocol": "TCP",
"sourcePortRange": "*",
"destinationPortRange": "443",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 320,
"direction": "Inbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": []
}
},
{
"type": "Microsoft.Network/networkSecurityGroups/securityRules",
"apiVersion": "2024-01-01",
"name": "[concat(parameters('networkSecurityGroups_BackEndVM2_nsg_name'), '/HTTPS')]",
"dependsOn": [
"[resourceId('Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroups_BackEndVM2_nsg_name'))]"
],
"properties": {
"protocol": "TCP",
"sourcePortRange": "*",
"destinationPortRange": "443",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 340,
"direction": "Inbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": []
}
},
{
"type": "Microsoft.Network/networkSecurityGroups/securityRules",
"apiVersion": "2024-01-01",
"name": "[concat(parameters('networkSecurityGroups_BackEndPoolVM1_nsg_name'), '/RDP')]",
"dependsOn": [
"[resourceId('Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroups_BackEndPoolVM1_nsg_name'))]"
],
"properties": {
"protocol": "TCP",
"sourcePortRange": "*",
"destinationPortRange": "3389",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 300,
"direction": "Inbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": []
}
},
{
"type": "Microsoft.Network/networkSecurityGroups/securityRules",
"apiVersion": "2024-01-01",
"name": "[concat(parameters('networkSecurityGroups_BackEndVM1_nsg_name'), '/RDP')]",
"dependsOn": [
"[resourceId('Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroups_BackEndVM1_nsg_name'))]"
],
"properties": {
"protocol": "TCP",
"sourcePortRange": "*",
"destinationPortRange": "3389",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 300,
"direction": "Inbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": []
}
},
{
"type": "Microsoft.Network/networkSecurityGroups/securityRules",
"apiVersion": "2024-01-01",
"name": "[concat(parameters('networkSecurityGroups_BackEndVM2_nsg_name'), '/RDP')]",
"dependsOn": [
"[resourceId('Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroups_BackEndVM2_nsg_name'))]"
],
"properties": {
"protocol": "TCP",
"sourcePortRange": "*",
"destinationPortRange": "3389",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 300,
"direction": "Inbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": []
}
},
{
"type": "Microsoft.Network/virtualNetworks/subnets",
"apiVersion": "2024-01-01",
"name": "[concat(parameters('virtualNetworks_BackEndVnet_name'), '/AGSubnet')]",
"dependsOn": [
"[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworks_BackEndVnet_name'))]"
],
"properties": {
"addressPrefix": "10.0.0.0/24",
"delegations": [],
"privateEndpointNetworkPolicies": "Disabled",
"privateLinkServiceNetworkPolicies": "Enabled"
}
},
{
"type": "Microsoft.Network/virtualNetworks/subnets",
"apiVersion": "2024-01-01",
"name": "[concat(parameters('virtualNetworks_BackEndVnet_name'), '/BackEndSubnet')]",
"dependsOn": [
"[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworks_BackEndVnet_name'))]"
],
"properties": {
"addressPrefix": "10.0.1.0/24",
"delegations": [],
"privateEndpointNetworkPolicies": "Disabled",
"privateLinkServiceNetworkPolicies": "Enabled"
}
},
{
"type": "Microsoft.Network/networkInterfaces",
"apiVersion": "2024-01-01",
"name": "[parameters('networkInterfaces_backendvm112_name')]",
"location": "eastus",
"dependsOn": [
"[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIPAddresses_BackEndVM1_ip_name'))]",
"[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworks_BackEndVnet_name'), 'BackEndSubnet')]",
"[resourceId('Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroups_BackEndVM1_nsg_name'))]"
],
"kind": "Regular",
"properties": {
"ipConfigurations": [
{
"name": "ipconfig1",
"id": "[concat(resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaces_backendvm112_name')), '/ipConfigurations/ipconfig1')]",
"type": "Microsoft.Network/networkInterfaces/ipConfigurations",
"properties": {
"privateIPAddress": "10.0.1.4",
"privateIPAllocationMethod": "Dynamic",
"publicIPAddress": {
"id": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIPAddresses_BackEndVM1_ip_name'))]",
"properties": {
"deleteOption": "Delete"
}
},
"subnet": {
"id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworks_BackEndVnet_name'), 'BackEndSubnet')]"
},
"primary": true,
"privateIPAddressVersion": "IPv4"
}
}
],
"dnsSettings": {
"dnsServers": []
},
"enableAcceleratedNetworking": false,
"enableIPForwarding": false,
"disableTcpStateTracking": false,
"networkSecurityGroup": {
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroups_BackEndVM1_nsg_name'))]"
},
"nicType": "Standard",
"auxiliaryMode": "None",
"auxiliarySku": "None"
}
},
{
"type": "Microsoft.Network/networkInterfaces",
"apiVersion": "2024-01-01",
"name": "[parameters('networkInterfaces_backendvm2454_name')]",
"location": "eastus",
"dependsOn": [
"[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIPAddresses_BackEndVM2_ip_name'))]",
"[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworks_BackEndVnet_name'), 'BackEndSubnet')]",
"[resourceId('Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroups_BackEndVM2_nsg_name'))]"
],
"kind": "Regular",
"properties": {
"ipConfigurations": [
{
"name": "ipconfig1",
"id": "[concat(resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaces_backendvm2454_name')), '/ipConfigurations/ipconfig1')]",
"type": "Microsoft.Network/networkInterfaces/ipConfigurations",
"properties": {
"privateIPAddress": "10.0.1.5",
"privateIPAllocationMethod": "Dynamic",
"publicIPAddress": {
"id": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIPAddresses_BackEndVM2_ip_name'))]",
"properties": {
"deleteOption": "Delete"
}
},
"subnet": {
"id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworks_BackEndVnet_name'), 'BackEndSubnet')]"
},
"primary": true,
"privateIPAddressVersion": "IPv4"
}
}
],
"dnsSettings": {
"dnsServers": []
},
"enableAcceleratedNetworking": false,
"enableIPForwarding": false,
"disableTcpStateTracking": false,
"networkSecurityGroup": {
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroups_BackEndVM2_nsg_name'))]"
},
"nicType": "Standard",
"auxiliaryMode": "None",
"auxiliarySku": "None"
}
}
]
}
Once everything is deployed I will begin creating the application gateway. You could create an application gateway without any backend targets but for this lab I will use my 2 VM’s.

I have created a resource group specifically for this called AG Resource, gave it a name and put it in the same area as my VM’s, East US. We needed to pick at least one availability zone so I went with Zone 1. Added it to my Backend vnet and onto the application gateway subnet. We then need to configure the front end where the requests will be coming into. I named my public ip AGpip

Next setup the backend pool to use the NIC of each VM

Now that we have configured our front end we need to tell the application gateway what to do with the requests once received. We need a routing rule. Firs we setup the listener.

Next configure the backend targets for the routing rule

Now we have something like this:

Now go make a cup of coffee or tea because the deployment for this could take 5-10 mins.
Now once we go to our public IP we get these screens:

and since App Gateway will round robin to the next available node:

We can check the backend health and see that all is OK:

You could put an app gateway infront of VM’s, VM Scale Sets or even more public IP’s. I’ll likely cover those in the near future.
I’d love to talk about ideas around App Gateway, leave a comment below!