@John McCulloch Thank you for reaching out.
Based on your question above
For example -
Users accessing domain.com over port 80 get directed to the public IP of an application gateway. Users accessing domain.com over port 21 get directed to the public IP of an Azure firewall. I have looked at different options with traffic manager and application gateway configurations but can't figure out the best way to achieve this. Or if this is even possible.
I do not think it will be possible to implement the scenario described above because DNS translates domain names to IP addresses only and there is no port mapping possible. So, in your example above, domain.com:80 and domain.com:21 will translate to the same IP address.
For such a scenario you will have to add a different domain for the web / FTP server. For example, ftp.domain.com
Hope this helps! Please let me know if you have any additional questions or need any information. Thank you!
---
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
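The point made in the answer above, as an added example that is not part of the original answer: it encodes a DNS A-record query in the RFC 1035 wire format and parses it back, showing that the question carries only a name, a type and a class, so the destination port never reaches the resolver. The zone contents, the IP addresses (RFC 5737 documentation range) and the function names are constructed for illustration.

```python
import struct

# Constructed zone data: documentation-range IPs standing in for the
# application gateway and the Azure firewall public IPs.
ZONE = {
    "domain.com": "203.0.113.10",      # application gateway (assumed)
    "ftp.domain.com": "203.0.113.20",  # Azure firewall (assumed)
}

def build_query(name, qtype=1, txid=0x1234):
    """Encode a DNS query for `name` (qtype 1 = A record)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag, 1 question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def parse_question(msg):
    """Return every field present in the question section of a query."""
    pos, labels = 12, []  # the header is always 12 bytes
    while msg[pos]:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return {"qname": ".".join(labels), "qtype": qtype, "qclass": qclass,
            "trailing": len(msg) - (pos + 5)}  # bytes left over: none

def connect_target(host, port):
    """Resolve `host` the way a client does before opening a socket.

    The port is only used afterwards, for the TCP connection itself;
    it is not part of the bytes sent to the DNS server.
    """
    question = parse_question(build_query(host))
    return ZONE[question["qname"]], port

if __name__ == "__main__":
    print(parse_question(build_query("domain.com")))
    for host, port in [("domain.com", 80), ("domain.com", 21), ("ftp.domain.com", 21)]:
        print(f"{host}:{port} ->", connect_target(host, port))
```
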