Azure Load Balancer and Application Gateway Explained for AZ-104

Traffic distribution in Azure comes in several flavors, each built for a different layer of the network stack. Azure Load Balancer operates at Layer 4, routing TCP and UDP traffic based on port and protocol without inspecting the content of the connection. Application Gateway operates at Layer 7, understanding HTTP and HTTPS well enough to route based on URL paths, host headers, and cookie values, and to terminate TLS and apply a web application firewall. Azure Front Door (Layer 7, at the global edge) and Traffic Manager (DNS-based) distribute traffic across regions rather than within one. The AZ-104 exam focuses on when to use each, their SKU differences, and how health probes ensure traffic only reaches healthy backends.

Azure Load Balancer

Azure Load Balancer distributes inbound TCP and UDP traffic across backend pool members using a hash over the source IP, source port, destination IP, destination port, and protocol. Because every packet in a given TCP or UDP flow carries the same five-tuple, the whole flow lands on the same backend; a new connection from the same client uses a new source port, however, and may be hashed to a different backend. If a client must keep reaching the same instance across connections, switch the rule's distribution mode to source IP affinity (2-tuple) or source IP and protocol (3-tuple). Load Balancer does not inspect application content, cannot route based on URLs, and does not terminate TLS; backends see the original client source IP.

Azure Load Balancer comes in two SKUs. The Basic SKU is free, supports backend pools of up to 300 instances, is not zone-aware, supports only TCP and HTTP health probes, is open to inbound internet traffic by default, and carries no SLA at all (Microsoft has announced its retirement on 30 September 2025, so new deployments should not use it). The Standard SKU supports far larger backend pools (1000 instances in most exam material; current documentation lists 5,000), is zone-redundant by default, supports outbound rules for SNAT, supports HTTPS health probes, and provides a 99.99% SLA. Standard is also secure by default: nothing reaches the backend until a network security group on the backend subnet or NIC explicitly allows it. Standard SKU is required for zone-redundant deployments and is the correct choice for any production workload.

Load Balancer supports public (internet-facing) and internal (private) configurations. A public load balancer has a public frontend IP and distributes internet traffic to the backend pool. An internal load balancer has a private frontend IP within a VNet and distributes traffic between internal services. Health probes monitor backend instances and remove unhealthy instances from rotation. Basic SKU supports TCP and HTTP probes; Standard SKU adds HTTPS. Probes originate from 168.63.129.16, which the default AllowAzureLoadBalancerInBound NSG rule already permits; a custom rule that blocks this address takes every backend out of rotation.
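The Standard SKU configuration described above, as an added Bicep example that is not part of the original page: a public load balancer on TCP/443 with a zone-redundant frontend, an HTTPS health probe, and the NSG rule that a secure-by-default Standard load balancer needs before any client traffic reaches the backends. The resource names, the probe path and the port are assumptions.

```bicep
// Added example (not from the page): Standard SKU public Load Balancer on TCP/443
// with a zone-redundant frontend, an HTTPS health probe, and the NSG rule that a
// secure-by-default Standard LB needs. Names, the probe path and the port are assumed.
param location string = resourceGroup().location
param lbName string = 'lb-web-prod'
param nsgName string = 'nsg-web-prod'

// Standard SKU public IP: static, zone-redundant across zones 1-3
resource pip 'Microsoft.Network/publicIPAddresses@2023-09-01' = {
  name: 'pip-${lbName}'
  location: location
  sku: { name: 'Standard' }
  zones: [ '1', '2', '3' ]
  properties: { publicIPAllocationMethod: 'Static' }
}

resource lb 'Microsoft.Network/loadBalancers@2023-09-01' = {
  name: lbName
  location: location
  sku: { name: 'Standard' }
  properties: {
    frontendIPConfigurations: [
      { name: 'feIp', properties: { publicIPAddress: { id: pip.id } } }
    ]
    backendAddressPools: [ { name: 'bePool' } ]
    probes: [
      {
        name: 'probeHttps'
        properties: {
          protocol: 'Https'          // Standard SKU only; Basic offers TCP and HTTP
          port: 443
          requestPath: '/healthz'    // assumed endpoint; must answer HTTP 200
          intervalInSeconds: 5
          numberOfProbes: 2          // consecutive failures before the instance is pulled
        }
      }
    ]
    loadBalancingRules: [
      {
        name: 'rule443'
        properties: {
          frontendIPConfiguration: { id: resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', lbName, 'feIp') }
          backendAddressPool: { id: resourceId('Microsoft.Network/loadBalancers/backendAddressPools', lbName, 'bePool') }
          probe: { id: resourceId('Microsoft.Network/loadBalancers/probes', lbName, 'probeHttps') }
          protocol: 'Tcp'              // Layer 4: the LB never looks inside the TLS stream
          frontendPort: 443
          backendPort: 443
          loadDistribution: 'Default'  // 5-tuple hash; 'SourceIP' for cross-connection affinity
          idleTimeoutInMinutes: 4
          disableOutboundSnat: true    // pair with an explicit outbound rule or a NAT Gateway
        }
      }
    ]
  }
}

// Standard LB is closed by default. Associate this NSG with the backend subnet or
// NICs; without an allow rule the packets are dropped at the NIC and clients time out.
// Probes come from 168.63.129.16 and are already permitted by the default
// AllowAzureLoadBalancerInBound rule, so they need no extra rule.
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-09-01' = {
  name: nsgName
  location: location
  properties: {
    securityRules: [
      {
        name: 'AllowHttpsFromInternet'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: 'Internet'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '443'
        }
      }
    ]
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file lb.bicep`, then associate the NSG with the backend subnet and add the VM NICs to `bePool`. Changing `loadDistribution` to `'SourceIP'` is the fix when an application that is not stateless keeps losing sessions, and setting `mode: 'Basic'` would silently drop the zone redundancy, the HTTPS probe and the SLA together.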

Application Gateway, Front Door, and Traffic Manager

Application Gateway is a Layer 7 load balancer that understands HTTP and HTTPS. It can route traffic based on URL path (/images/* to one backend pool, /api/* to another), route based on host headers (shop.example.com to one pool, api.example.com to another), terminate TLS at the gateway (offloading decryption from backend servers, optionally re-encrypting to the backend), and, on the WAF_v2 tier, apply a Web Application Firewall (WAF) built on the OWASP Core Rule Set that runs in Detection mode (log only) or Prevention mode (block). Application Gateway is deployed within a VNet in its own dedicated subnet; that subnet can hold nothing but Application Gateways and should be sized for scale-out (a /24 is the usual recommendation).
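The path-based routing, TLS termination and WAF described above, as an added Bicep example that is not part of the original page: a WAF_v2 gateway in its dedicated subnet, terminating TLS with a Key Vault certificate, sending /api/* to one pool and everything else to another, behind a WAF policy in Prevention mode with a custom rule in front of the managed rule set. The resource names, the hostname, the backend port, and the four IDs passed as parameters are assumptions.

```bicep
// Added example (not from the page): WAF_v2 Application Gateway with TLS termination,
// URL-path routing and an attached WAF policy. All names and parameter values are assumed.
param location string = resourceGroup().location
param agwName string = 'agw-web-prod'
param agwSubnetId string        // dedicated subnet: only Application Gateways may live in it
param pipId string              // Standard SKU public IP
param identityId string         // user-assigned identity granted secret read on the Key Vault
param certSecretId string       // Key Vault secret ID of the PFX certificate

resource waf 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2023-09-01' = {
  name: 'waf-${agwName}'
  location: location
  properties: {
    // Prevention blocks matching requests; Detection only logs them. Run Detection first,
    // review the logs for false positives, then switch.
    policySettings: { state: 'Enabled', mode: 'Prevention', requestBodyCheck: true }
    managedRules: { managedRuleSets: [ { ruleSetType: 'OWASP', ruleSetVersion: '3.2' } ] }
    customRules: [
      {
        name: 'BlockAdminPath'       // custom rules are evaluated before the managed rule set
        priority: 10
        ruleType: 'MatchRule'
        action: 'Block'
        matchConditions: [
          {
            matchVariables: [ { variableName: 'RequestUri' } ]
            operator: 'BeginsWith'
            matchValues: [ '/admin' ]
            transforms: [ 'Lowercase' ]
          }
        ]
      }
    ]
  }
}

// The gateway references its own sub-resources by ID, so build the IDs up front
var feIp = resourceId('Microsoft.Network/applicationGateways/frontendIPConfigurations', agwName, 'feIp')
var fePort = resourceId('Microsoft.Network/applicationGateways/frontendPorts', agwName, 'port443')
var cert = resourceId('Microsoft.Network/applicationGateways/sslCertificates', agwName, 'webCert')
var poolWeb = resourceId('Microsoft.Network/applicationGateways/backendAddressPools', agwName, 'poolWeb')
var poolApi = resourceId('Microsoft.Network/applicationGateways/backendAddressPools', agwName, 'poolApi')
var beSettings = resourceId('Microsoft.Network/applicationGateways/backendHttpSettingsCollection', agwName, 'beHttp')
var listener = resourceId('Microsoft.Network/applicationGateways/httpListeners', agwName, 'listener443')
var pathMap = resourceId('Microsoft.Network/applicationGateways/urlPathMaps', agwName, 'pathMap')

resource agw 'Microsoft.Network/applicationGateways@2023-09-01' = {
  name: agwName
  location: location
  identity: { type: 'UserAssigned', userAssignedIdentities: { '${identityId}': {} } }
  properties: {
    sku: { name: 'WAF_v2', tier: 'WAF_v2' }          // WAF requires the WAF_v2 tier
    autoscaleConfiguration: { minCapacity: 1, maxCapacity: 3 }
    firewallPolicy: { id: waf.id }
    gatewayIPConfigurations: [ { name: 'gwIp', properties: { subnet: { id: agwSubnetId } } } ]
    frontendIPConfigurations: [ { name: 'feIp', properties: { publicIPAddress: { id: pipId } } } ]
    frontendPorts: [ { name: 'port443', properties: { port: 443 } } ]
    sslCertificates: [ { name: 'webCert', properties: { keyVaultSecretId: certSecretId } } ]
    backendAddressPools: [ { name: 'poolWeb' }, { name: 'poolApi' } ]
    backendHttpSettingsCollection: [
      {
        // TLS ends at the gateway; backends are reached over HTTP inside the VNet
        name: 'beHttp'
        properties: { port: 80, protocol: 'Http', cookieBasedAffinity: 'Enabled', requestTimeout: 30 }
      }
    ]
    httpListeners: [
      {
        name: 'listener443'
        properties: {
          frontendIPConfiguration: { id: feIp }
          frontendPort: { id: fePort }
          protocol: 'Https'
          sslCertificate: { id: cert }
          hostName: 'shop.example.com'   // multi-site hosting: one listener per host header
        }
      }
    ]
    urlPathMaps: [
      {
        name: 'pathMap'
        properties: {
          defaultBackendAddressPool: { id: poolWeb }
          defaultBackendHttpSettings: { id: beSettings }
          pathRules: [
            { name: 'api', properties: { paths: [ '/api/*' ], backendAddressPool: { id: poolApi }, backendHttpSettings: { id: beSettings } } }
          ]
        }
      }
    ]
    requestRoutingRules: [
      { name: 'rulePath', properties: { ruleType: 'PathBasedRouting', priority: 100, httpListener: { id: listener }, urlPathMap: { id: pathMap } } }
    ]
  }
}
```

A second host (api.example.com) is added as another listener with its own routing rule against the same frontend port; that is the multi-site hosting the exam asks about. Switching `protocol` in `beHttp` to `'Https'` on port 443 gives end-to-end TLS instead of offload, at the cost of a trusted root certificate on the gateway for the backend's certificate.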

Azure Front Door is a global load balancing and content delivery service that operates at the edge, closer to users. It combines load balancing, TLS termination, WAF, and caching across globally distributed points of presence. Front Door routes users to the fastest backend based on measured latency and can fail over to a secondary region if the primary becomes unhealthy. Because Front Door sits outside your VNets, an origin that is reachable from the internet can be hit directly, bypassing the WAF; lock origins down to the AzureFrontDoor.Backend service tag and validate the X-Azure-FDID header, or use Private Link origins on the Premium tier. Use Front Door when you have backends in multiple Azure regions and want to serve users from the closest available point.

Traffic Manager is a DNS-based load balancing service. It does not proxy traffic: it returns DNS responses that direct clients to the appropriate endpoint. Traffic Manager supports routing methods including Priority (failover), Weighted (traffic splitting), Performance (lowest latency endpoint), Geographic (region-based), Multivalue, and Subnet (by client source IP range). Endpoint monitoring (HTTP, HTTPS, or TCP probes) decides which endpoints are healthy enough to be returned. Because it is DNS-based, Traffic Manager cannot inspect or modify traffic, cannot guarantee connection affinity the way Load Balancer can, and cannot move a client off a failed endpoint until that client's cached DNS answer expires.
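The Priority (failover) routing described above, as an added Bicep example that is not part of the original page: a profile in front of two regional endpoints, with the TTL and probe settings that bound how long failover takes. The endpoint hostnames, the DNS label, and the probe path are assumptions.

```bicep
// Added example (not from the page): Priority routing Traffic Manager profile.
// Hostnames, the DNS label and the probe path are assumed.
param profileName string = 'tm-web-prod'
param dnsLabel string = 'web-prod-example'   // becomes web-prod-example.trafficmanager.net

resource tm 'Microsoft.Network/trafficmanagerprofiles@2022-04-01' = {
  name: profileName
  location: 'global'                           // DNS-based, so there is no regional placement
  properties: {
    profileStatus: 'Enabled'
    trafficRoutingMethod: 'Priority'           // everything goes to priority 1 while it is healthy
    dnsConfig: {
      relativeName: dnsLabel
      ttl: 30                                  // clients may keep a stale answer this long
    }
    monitorConfig: {
      protocol: 'HTTPS'
      port: 443
      path: '/healthz'                         // assumed; must return 200 on a healthy endpoint
      intervalInSeconds: 10                    // fast interval (default is 30)
      timeoutInSeconds: 5                      // must be 5-9 s when the interval is 10 s
      toleratedNumberOfFailures: 3             // endpoint is Degraded after the 4th missed probe
      expectedStatusCodeRanges: [ { min: 200, max: 299 } ]
    }
    // Rough worst case before clients stop receiving the failed endpoint:
    // interval x (tolerated + 1) + timeout + ttl = 10 x 4 + 5 + 30 = 75 s,
    // plus whatever a resolver caches beyond the TTL. The default 30 s interval
    // and 300 s TTL would push this to several minutes.
    endpoints: [
      {
        name: 'primary-eastus'
        type: 'Microsoft.Network/TrafficManagerProfiles/ExternalEndpoints'
        properties: { target: 'app-eastus.example.com', endpointStatus: 'Enabled', priority: 1 }
      }
      {
        name: 'secondary-westeurope'
        type: 'Microsoft.Network/TrafficManagerProfiles/ExternalEndpoints'
        properties: { target: 'app-westeurope.example.com', endpointStatus: 'Enabled', priority: 2 }
      }
    ]
  }
}
```

The endpoints are external so the example stands alone; Azure endpoints use `type: 'Microsoft.Network/TrafficManagerProfiles/AzureEndpoints'` with `targetResourceId` instead of `target`. The probe hits the endpoint's own hostname, so each regional endpoint still needs its own Load Balancer or Application Gateway behind it; Traffic Manager only chooses which name the client is told.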

How to choose the correct answer

Azure Load Balancer: Layer 4, TCP/UDP, hash-based distribution, no content inspection. Internal or public. Standard SKU for production.

Application Gateway: Layer 7, HTTP/HTTPS, URL-path routing, host-based routing, TLS termination, WAF. Regional.

Front Door: global Layer 7, multi-region, edge caching, WAF, failover across regions. For worldwide traffic.

Traffic Manager: DNS-based, global, no traffic proxy, routing methods: Priority, Weighted, Performance, Geographic.

WAF SKU: Application Gateway WAF_v2 tier and Azure Front Door (Standard for custom rules, Premium for Microsoft-managed rule sets and bot protection) include WAF. Load Balancer and Traffic Manager have no WAF.

Standard LB vs Basic LB: Standard for production, zone-redundancy, larger backend pools, HTTPS probes.

Internal load balancer: private frontend IP, routes traffic within VNet. No internet exposure.

Azure load balancing services comparison

Service             | Layer          | Scope         | Key capability                               | Best for
Azure Load Balancer | 4 (TCP/UDP)    | Regional      | High throughput, low latency, zone-redundant | Internal and public Layer 4 load balancing
Application Gateway | 7 (HTTP/HTTPS) | Regional      | URL routing, TLS termination, WAF            | Web app routing, WAF, TLS offload
Azure Front Door    | 7 (HTTP/HTTPS) | Global (edge) | Global routing, CDN caching, WAF             | Multi-region web apps, global users
Traffic Manager     | DNS            | Global        | DNS-based routing, failover, geography       | Global endpoint routing, DR failover

Key exam facts — AZ-104

  • Azure Load Balancer Standard SKU: zone-redundant, 1000 backend instances, HTTPS probes, closed by default until an NSG allows traffic, required for AZ support.
  • Application Gateway: requires dedicated subnet, supports multi-site hosting, cookie-based session affinity.
  • Application Gateway WAF: OWASP Core Rule Set, detection or prevention mode.
  • Front Door: anycast routing, split TCP, global WAF, built-in caching. Not a regional service.
  • Traffic Manager: DNS TTL affects failover speed. Health checks determine endpoint availability.
  • Internal Load Balancer: private IP frontend, used for multi-tier apps (web tier balances to app tier).
  • Load Balancer health probes: mark unhealthy backends as down after consecutive failures, removed from rotation.

Common exam traps

Application Gateway and Azure Load Balancer can be used interchangeably for web applications.

Azure Load Balancer operates at Layer 4 and has no knowledge of HTTP. It cannot route based on URLs, host headers, or cookies, cannot terminate TLS, and cannot apply a WAF. Application Gateway understands HTTP and provides all of these capabilities. For web applications that need URL-based routing or WAF protection, Application Gateway is required. For high-throughput TCP/UDP applications or internal service-to-service load balancing, Azure Load Balancer is appropriate.

Traffic Manager provides true load balancing with session affinity.

Traffic Manager works at the DNS layer. It returns a DNS response pointing the client to an endpoint, but it does not proxy or inspect any traffic after that. Because it relies on DNS TTL for propagation, failover is not instantaneous. It cannot provide session affinity at the connection level because it only controls the initial DNS resolution. For true connection-level load balancing with affinity, use Azure Load Balancer or Application Gateway.

Azure Front Door and Application Gateway are the same product at different scales.

Application Gateway is a regional, VNet-integrated Layer 7 load balancer for routing traffic within a region to backends in that region. Front Door is a global, edge-based service that sits outside your VNets, uses Microsoft's global network edge locations, provides caching, and routes users to the best regional backend. They can be used together: Front Door at the global edge routing to regional Application Gateways that then distribute to backend pools.
