Managing 200 Websites with Application Gateway and WAF Protection

Question

Hello,

I have a single server that is currently hosting over 200 websites. Is it possible to manage all these websites using an application gateway and protect them with a WAF?

Answer 1

Hello
Thanks for your question.

You have to consider that the application Gateway is Limited to 100 active listeners that are routing traffic. Active listeners = total number of listeners - listeners not active.

If a default configuration inside a routing rule is set to route traffic (for example, it has a listener, a backend pool, and HTTP settings) then that also counts as a listener. This is documented under the service limits here:

https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits#application-gateway-limits

To set it up once you are in the correct service limit you can review the AGW and WAF docs here:

https://learn.microsoft.com/en-us/azure/application-gateway/multiple-site-overview
https://learn.microsoft.com/en-us/entra/identity/app-proxy/application-proxy-application-gateway-waf?source=recommendations

Please let me know if you have further questions**

You can mark it 'Accept Answer' if this helped.

Answer 2

Hello @Nitin Arora ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand that you would like to if it is possible to manage 200 websites using an Application gateway and protect them with a WAF.

Application Gateway allows host-based routing using multi-site HTTP(S) listener. Multi-site hosting enables you to configure more than one web application on the same port of application gateways using public-facing listeners. It allows you to configure a more efficient topology for your deployments by adding up to 100+ websites to one application gateway. You can use wildcard characters like asterisk (*) and question mark (?) in the host name, and up to 5 host names per multi-site HTTP(S) listener.

Refer: https://learn.microsoft.com/en-us/azure/application-gateway/multiple-site-overview

The thing that you need to consider when using HTTPS is that - "if multiple host names are mentioned in the same listener, you must upload a SAN certificate (Subject Alternative Names) with the CNs matching the host names mentioned".

As per Application gateway limits,

And each active multi-site listener can have 5 hostnames, so you can have a total of 500 sites.

NOTE: The number of resources listed in the table applies to standard Application Gateway SKUs and WAF-enabled SKUs running CRS 3.2 or higher. For WAF-enabled SKUs running CRS 3.1 or lower, the supported number is 40.

Refer: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits#application-gateway-limits

https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-faq#what-is-considered-an-active-listener-versus-an-inactive-listener

For example, a listener can contain contoso.com, fabrikam.com which accepts requests for both the host names.

When creating a listener, you should select the below options:

• Listener type: Multi-site
• Host type: Multiple/Wild card
• Hostnames: Add the hostnames of your sites

If using HTTPS protocol, make sure that you are using SAN certificate (Subject Alternative Names) with the CNs matching the host names configured in each listener.

Refer: https://learn.microsoft.com/en-us/azure/application-gateway/create-multiple-sites-portal

Kindly let us know if the above helps or you need further assistance on this issue.

---

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.