Load Balancers
Azure Load Balancer and Azure Application Gateway are both load balancing services, but they serve different purposes and offer distinct functionalities. Here's an overview of the main differences:
Azure Load Balancer
Azure Load Balancer is a network-level load balancer (Layer 4 of the OSI model). It distributes incoming traffic among multiple virtual machine (VM) instances to ensure high availability and scalability.
- Load balancing distributes traffic based on IP and ports.
- Uses balancing rules to distribute traffic across instances.
- Configures backend pools where instances are added.
- Includes basic monitoring with health probes.
- Supports public and private (internal) frontends.
It's a general-purpose service, widely used wherever network traffic simply needs to be distributed across instances.
Azure Application Gateway
Azure Application Gateway is an application-level load balancer (Layer 7 of the OSI model). It's designed for web applications and provides advanced features for traffic management and security.
- Operates at the application layer, enabling balancing based on URLs, HTTP headers, and other application layer data.
- Includes an integrated web application firewall (WAF) to protect against common web attacks.
- Allows traffic routing based on specific URLs.
- Terminates SSL/TLS connections and can forward traffic to the backends unencrypted (plaintext HTTP), or re-encrypt it for end-to-end TLS.
- Allows creation of complex rules for traffic routing.
| Feature | Azure Load Balancer | Azure Application Gateway |
|---|---|---|
| Operating Layer | Layer 4 (TCP/UDP) | Layer 7 (HTTP/HTTPS) |
| Protocol Support | Any TCP/UDP | HTTP/HTTPS (Layer 7) |
| Routing Method | IP address, port | URL path, host headers, cookies |
| Health Probes | Basic TCP/HTTP checks | Advanced HTTP/HTTPS health checks |
| SSL Offloading | No | Yes, with an end-to-end encryption option |
| Web Application Firewall | No | Yes, with OWASP rulesets |
| Autoscaling | Manual | Automatic based on load |
| Zone Redundancy | Available | Available (v2 SKU) |
| Scenarios | General TCP/UDP load balancing | Layer 7 for web apps and APIs |
| Use Cases | Internal and external traffic distribution, outbound NAT for VMs | Multi-site hosting, secure web apps, URL-based routing |
| Other Features | High throughput, HA ports, diagnostics logs | Visual end-to-end monitoring, TLS policy management, customizations |
| Cost | Lower | Higher with advanced capabilities |
Let's take as an example an AKS that needs a load balancer: which should we use?
If we use Azure Load Balancer, we'll need to deploy nginx (as an ingress controller) inside the cluster; it consumes some cluster resources, but it's what actually filters the requests. In case of a DDoS attack, it's very helpful to also sit behind a service that can help absorb the attack, such as Cloudflare.
If we use Application Gateway, the routing rules are applied directly on the gateway, so no nginx deployment is needed in the cluster and all request filtering moves to Application Gateway. It also offers WAF capabilities to help mitigate a possible attack. Obviously, you'll pay more for this. Nothing prevents you from still sitting behind Cloudflare to have two layers of protection.
It all depends on the cluster's purpose.
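As an added example (not part of the original page), here are the two AKS setups the paragraph contrasts, side by side: an Ingress served by the nginx ingress controller that AKS exposes through an Azure Load Balancer, and the same Ingress served by the Application Gateway Ingress Controller (AGIC) with a WAF policy attached. The service name, hostname, TLS secret and the WAF policy resource ID are constructed placeholders.

```yaml
# Option 1: nginx ingress controller exposed through Azure Load Balancer (Layer 4).
# This Service of type LoadBalancer is what makes AKS create the Azure LB; the LB
# only forwards TCP 443, so TLS, path routing and rate limiting run in nginx pods.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  type: LoadBalancer
  selector: {app.kubernetes.io/name: ingress-nginx}
  ports: [{name: https, port: 443, targetPort: 443}]
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: shop-nginx
  annotations:
    nginx.ingress.kubernetes.io/limit-rps: "20"  # per-client request limit enforced in nginx
spec:
  ingressClassName: nginx
  tls: [{hosts: [shop.example.com], secretName: shop-tls}]
  rules:
    - host: shop.example.com
      http: {paths: [{path: /, pathType: Prefix, backend: {service: {name: shop, port: {number: 8080}}}}]}
---
# Option 2: Application Gateway Ingress Controller (Layer 7). The same routes are
# programmed into the gateway, so TLS termination and the WAF run outside the cluster
# and no ingress pods are needed in AKS.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: shop-appgw
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
    appgw.ingress.kubernetes.io/ssl-redirect: "true"   # HTTP -> HTTPS redirect at the gateway
    # WAF policy resource ID is a placeholder; the policy itself is created in Azure
    # (Prevention mode, OWASP rule set) and attached here to this host/path.
    appgw.ingress.kubernetes.io/waf-policy-for-path: "/subscriptions/<SUB_ID>/resourceGroups/<RG>/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/<POLICY>"
spec:
  tls: [{hosts: [shop.example.com], secretName: shop-tls}]
  rules:
    - host: shop.example.com
      http: {paths: [{path: /, pathType: Prefix, backend: {service: {name: shop, port: {number: 8080}}}}]}
```

Option 2 assumes the AGIC add-on is enabled on the cluster and the gateway uses the WAF_v2 SKU; with option 1 the Azure LB never sees the HTTP layer, which is why any WAF or rate limiting has to live in nginx or in front of the LB.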