load balancing / cookie affinity

Question

load balancing / cookie affinity

stephane clavel 66

Hello

I'm asked to find an Azure load balancing solution that would fit the following requirements:

app runs on VMs
2 instances of the app run on each VM, listening to a different TCP port (say 9000 and 9001)
cookie based affinity is required

My take:

Azure LB could meet the requirement for 2 instances on single VM
Azure App GW could meet requirement for cookie affinity
but I fail to find a solution that meets all requirements Can you please help me ? Thanks

stephane clavel 66 Reputation points

2026-05-13T15:00:05.3+00:00
based on AI answer, I may add that it is required that both app instances on each VM is used.

If I set 2 rules such as :

one pointing to backend pool with backend settings on port 9000

one pointing to backend pool with backend settings on port 9001

only instances listening on port 9000 would receive traffic, as long as they are healthy

2 answers

Your answer

stephane clavel 66 Reputation points

2026-05-13T15:00:05.3+00:00

based on AI answer, I may add that it is required that both app instances on each VM is used.

If I set 2 rules such as :

one pointing to backend pool with backend settings on port 9000

one pointing to backend pool with backend settings on port 9001

only instances listening on port 9000 would receive traffic, as long as they are healthy

Answer 1

Ravi Varma Mudduluru 11,955 Microsoft External Staff Moderator

Hello @ stephane clavel,

Thank you for reaching out to Microsoft Q&A.
You’re right that no single Azure “L4” load-balancer can do cookie-based affinity (that’s an L7 feature), so you have two main Azure options depending on whether your app is HTTP/HTTPS or truly raw TCP:

If your app speaks HTTP/HTTPS on ports 9000 and 9001

• Use Azure Application Gateway (v2)

Create two HTTP listeners (one on port 9000, one on 9001)
Point both listeners to the same backend pool (your VMs)
In each HTTP setting, set the backend port (9000 or 9001) and enable cookie-based affinity
App Gateway will insert its affinity cookie (ApplicationGatewayAffinity) on the first response and stick subsequent requests to the same VM+port • Pros: full L7 termination, cookie-based “sticky sessions,” SSL offload, WAF, path-based routing, etc. • Docs: – https://docs.microsoft.com/azure/application-gateway/configuration-overview#cookie-based-affinity

If you need a global front-end or additional edge acceleration, still HTTP/HTTPS:

Use Azure Front Door Standard/Premium

Define an Origin Group with your VMs on ports 9000/9001

Enable “Cookies-based session affinity” at the Origin Group level -Front Door will add ASLBSA and ASLBSACORS cookies to keep traffic on the same origin+port.

Reference list

Application Gateway cookie-based session affinity https://docs.microsoft.com/azure/application-gateway/configuration-overview#cookie-based-affinity
Troubleshoot Application Gateway session affinity https://docs.microsoft.com/troubleshoot/azure/application-gateway/how-to-troubleshoot-application-gateway-session-affinity-issues
Front Door session affinity (Standard/Premium) https://docs.microsoft.com/azure/frontdoor/routing-methods#affinity
Configure cookie-based affinity in Front Door origins https://docs.microsoft.com/azure/frontdoor/how-to-configure-origin#create-a-new-origin-groupfigure-origin#create-a-new-origin-group

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

stephane clavel 66 Reputation points

2026-05-14T05:18:37.81+00:00

Hi @Ravi Varma Mudduluru

Thanks a lot for your answer.

I see I missed to provide clear requirements sorry.

As described, there would be 2 instances of the same app on multiple VMs.

When a user would connect to the app, he/she would be load balanced between any app instance on any VM. We also need cookie based persistence.

Written differently, app user would connect to https://myapp.contoso.com and would get connected to any app instance, whether the ones that listen on port 9000 or the ones that listen on port 9001. Say there are 2 VMs, VM1 and VM2. We're looking for a solution to load balance to 4 backend endpoints: VM1 port 9000, VM1 port 9001, VM2 port 9000, VM2 port 9001.

This is what we're tasked to deliver.

I hope it makes sense.

Thanks
Vallepu Venkateswarlu 9,830 Reputation points Microsoft External Staff Moderator

2026-05-14T18:24:15.8066667+00:00
Hi @ stephane clavel,

Thanks for the Detailed information.

It is not possible to configure your App gateway listener/httpSetting in a way that a server in backend pool can listen on more than 1 port publicly on the same FQDN/hostname.

A basic routing rule only allows one backend HTTP setting. It is not possible to configure an App Gateway listener/HTTP setting so that a single backend pool can route to more than one port on the same FQDN/hostname under a basic rule.

Please refer : https://learn.microsoft.com/en-us/azure/application-gateway/configuration-request-routing-rules#associated-back-end-http-setting

This means you cannot have a single rule that randomly distributes across all 4 endpoints (VM1:9000, VM1:9001, VM2:9000, VM2:9001) in one shot directly.

Please refer : https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-faq#can-one-backend-pool-serve-many-applications-on-different-ports

https://learn.microsoft.com/en-us/azure/application-gateway/multiple-site-overview

The workaround architecture is

The recommended pattern — App Gateway → VM → local reverse proxy (NGINX/HAProxy) → port 9000/9001 — is the correct and widely accepted solution. It preserves:

A single frontend URL

Cookie-based affinity (App Gateway pins the user to the VM)

Local distribution across both instances on that VM

Please "upvote" if the information helped you. This will help us and others in the community as well.
stephane clavel 66 Reputation points

2026-05-18T08:36:21.56+00:00

Thanks a lot @Vallepu Venkateswarlu

what about the following solution : have multiple IP addresses on each VM and have each app instance listen on one of the IP addresses? would that work? what would be the pros & cons compared to having NGINX/HAproxy on each VM please?
Vallepu Venkateswarlu 9,830 Reputation points Microsoft External Staff Moderator

2026-05-18T23:02:05.7366667+00:00
Hi @ stephane clavel,

Yes ,that approach can work.

You can assign multiple private IPs to each VM NIC and bind each app instance to a different IP address. Application Gateway would then treat each IP pair as a separate backend endpoint.

Example:

VM1: 10.0.0.4:9000 10.0.0.5:9001 VM2: 10.0.0.6:9000 10.0.0.7:9001

This avoids the App Gateway limitation around multiple backend ports under a single backend HTTP setting.

References:

Multiple IP addresses for Azure VMs

Application Gateway backend pools

Please "upvote" if the information helped you. This will help us and others in the community as well.

Answer 2

Azure Load Balancer alone cannot meet the cookie-based affinity requirement because it is a Layer 4 (TCP/UDP) load balancer and does not support cookie-based session affinity. Cookie affinity requires a Layer 7 (HTTP/HTTPS) load balancer that can inspect and set cookies.

To satisfy all requirements (VM-based app, multiple instances per VM on different ports, and cookie-based affinity), use Azure Application Gateway in front of the VMs and configure:

Application Gateway as a Layer 7 load balancer with cookie-based session affinity enabled in the HTTP settings.
Backend pool containing the VMs.
HTTP settings that:
- Enable Cookie based affinity.
- Forward traffic to the appropriate backend ports (9000 and/or 9001). This can be done with:
  - Separate HTTP settings per port (one for 9000, one for 9001) and corresponding routing rules, or
  - Path-/host-based routing if the application can distinguish instances that way.

Application Gateway supports:

Layer 7 routing and cookie-based session affinity.
Round-robin distribution across backend instances.
Hosting multiple “sites” or routes behind a single gateway, which can be mapped to different ports on the same VM.

If the application absolutely requires TCP-level access without HTTP/TLS termination, Azure Load Balancer can be used, but then cookie-based affinity is not possible. In that case, either remove the cookie requirement or use a different affinity mechanism (for example, X-Forwarded-For–based stickiness behind a Layer 7 proxy as described for Entra Application Proxy scenarios).

In summary, the Azure-native way to meet all listed requirements is to front the VM-based application with Azure Application Gateway, configure backend HTTP settings per port, and enable cookie-based session affinity.

References:

Share via

load balancing / cookie affinity

2 answers

Your answer