Azure Application Gateway in the Hub or in the Spokes? That’s the dilemma!

Luca Passaretta
4 min read · Jul 4, 2023

The Cloud Adoption Framework recommends deploying L7 load balancers (such as the Azure Application Gateway) in the spokes instead of in the hub, thus treating them as application infrastructure resources. This has generated a lot of discussion among cloud architects about which choice is correct. But what is the right solution?

Don’t deploy Layer 7 inbound NVAs, such as Azure Application Gateway, as a shared service in the central-hub virtual network. Instead, deploy them together with the application in their respective landing zones. (cit. Microsoft Cloud Adoption Framework Best Practices)

Let’s start with the traditional approach, where the Application Gateway is deployed as a shared service in the HUB.

Scenario Application Gateway in HUB

Application Gateway as shared service in HUB

What are the needs that lead to deploying the Application Gateway in the HUB?

  • Centralized Inbound Traffic: If you need to centralize incoming traffic within the HUB to manage and monitor it from a single point, allowing you to enforce security policies, manage traffic routing and provide advanced features such as the Web Application Firewall (WAF).
  • Centralized Security Requirements: If you need to apply centralized…
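
To see which side of this dilemma an existing environment sits on, the following added example (not from the original article) classifies each gateway as hub- or spoke-placed and notes whether it runs a WAF SKU. It assumes input shaped like the JSON from `az network application-gateway list`; the hub VNet ID, gateway names and subscription ID are constructed placeholders.

```python
"""Classify Application Gateways as hub- or spoke-placed (added example)."""

def vnet_of(subnet_id: str) -> str:
    """Parent VNet resource ID of a subnet ID, lower-cased (ARM IDs are case-insensitive)."""
    head, sep, _ = subnet_id.lower().partition("/subnets/")
    if not sep or "/virtualnetworks/" not in head:
        raise ValueError(f"not a subnet resource ID: {subnet_id!r}")
    return head

def classify(gateways, hub_vnet_ids):
    """Return one row per gateway: name, placement (hub/spoke/unknown), WAF SKU flag."""
    hubs = {h.lower().rstrip("/") for h in hub_vnet_ids}
    rows = []
    for gw in gateways:
        vnets = {vnet_of(c["subnet"]["id"])
                 for c in gw.get("gatewayIPConfigurations") or []}
        if not vnets:
            placement = "unknown"      # no subnet recorded; needs manual review
        else:
            placement = "hub" if vnets & hubs else "spoke"
        tier = (gw.get("sku") or {}).get("tier", "")
        rows.append({"name": gw["name"], "placement": placement,
                     "waf_sku": tier.upper().startswith("WAF")})
    return rows

# --- constructed sample data; every ID and name below is a placeholder ---
def _subnet(rg, vnet):
    return {"subnet": {"id": f"/subscriptions/00000000-0000-0000-0000-000000000000"
                             f"/resourceGroups/{rg}/providers/Microsoft.Network"
                             f"/virtualNetworks/{vnet}/subnets/snet-agw"}}

HUB_VNET = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-hub"
            "/providers/Microsoft.Network/virtualNetworks/vnet-hub")
SAMPLE = [
    {"name": "agw-shared", "sku": {"tier": "WAF_v2"},
     "gatewayIPConfigurations": [_subnet("RG-Hub", "VNET-HUB")]},   # case differs on purpose
    {"name": "agw-app1", "sku": {"tier": "Standard_v2"},
     "gatewayIPConfigurations": [_subnet("rg-app1", "vnet-spoke1")]},
    {"name": "agw-orphan", "sku": {"tier": "WAF_v2"}, "gatewayIPConfigurations": []},
]

if __name__ == "__main__":
    for row in classify(SAMPLE, [HUB_VNET]):
        print(row)
```

A spoke-placed gateway on a non-WAF SKU is the row worth a second look, since it has neither the hub's shared inspection point nor its own WAF.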
