Load balancing & Bastion

Load Balancer, App Gateway/WAF, Bastion, DNS.

Intermediate30 min · lesson 11 of 15

Distributing traffic and exposing applications reliably relies on Azure’s load-balancing and connectivity services. Choosing the right one — Load Balancer, Application Gateway, or others — depends on the layer and features you need.

Load Balancer vs Application Gateway

Azure offers load balancers at different layers. The Azure Load Balancer operates at Layer 4 (TCP/UDP), distributing traffic across backend instances with high performance and low latency — ideal for non-HTTP traffic or when you just need fast connection distribution. The Application Gateway operates at Layer 7 (HTTP/HTTPS), so it can route based on URL paths and hostnames, terminate TLS, and include a Web Application Firewall (WAF) to block common web attacks — the right choice for web applications needing content-based routing and web protection. For global HTTP applications, Azure Front Door adds CDN, global load balancing, and WAF at the edge, while Traffic Manager does DNS-based global routing. Match the service to the traffic type and the routing/security features required.

choose the load-balancing service
# NEED SERVICE
# L4 TCP/UDP distribution, high perf → Azure Load Balancer
# L7 HTTP routing + TLS + WAF → Application Gateway
# global HTTP + CDN + WAF at the edge → Azure Front Door
# DNS-based global routing → Traffic Manager
#
# App Gateway routes by path to different backend pools:
# /api/* → api-backend-pool
# /images/* → static-backend-pool
# /* → web-backend-pool (+ WAF filtering common exploits)

Secure access and DNS

Two more services round out an administrator’s networking toolkit. Azure Bastion provides secure RDP/SSH to VMs directly through the portal over TLS, with no public IP on the VMs and no open management ports — the recommended way to administer VMs securely. Azure DNS hosts your DNS domains and zones in Azure, managing name resolution for your applications, and integrates with private DNS zones for resolving Private Endpoints. Together with load balancing, these let you expose applications to users (via the right load balancer with TLS and WAF), resolve names (Azure DNS), and administer the infrastructure securely (Bastion) — all while keeping the underlying VMs private. The administrator’s job is composing these into a design that is available, performant, and secure.

Exposing and accessing applications
1DNS (Azure DNS)
resolve app names
2L7 (App Gateway/Front Door)
HTTP routing + TLS + WAF
3L4 (Load Balancer)
TCP/UDP distribution
4Bastion for admin
secure RDP/SSH, no public IPs
Route web traffic through L7 with WAF, distribute TCP/UDP at L4, resolve with Azure DNS, and administer VMs securely via Bastion.
A Layer 4 load balancer cannot do web routing or WAF
The Azure Load Balancer distributes TCP/UDP but cannot route by URL path, terminate TLS, or filter web attacks — using it alone for a web app leaves you without content-based routing and web protection. For HTTP applications use Application Gateway (or Front Door) so you get L7 routing, TLS termination, and a Web Application Firewall.