2.8 Azure Load Balancing and Content Delivery
Key Takeaways
- Azure Load Balancer is a Layer 4 (TCP/UDP) regional distributor that does not inspect application content.
- Azure Application Gateway is a Layer 7 (HTTP/HTTPS) regional service with URL path routing, SSL termination, and a Web Application Firewall (WAF).
- Azure Front Door is a global Layer 7 load balancer plus CDN with WAF for internet-facing web apps.
- Azure Traffic Manager is DNS-based global routing that returns an endpoint and does NOT proxy traffic.
- Azure CDN caches static content at edge points of presence to cut latency for distant users.
Quick Answer: Load Balancer = Layer 4 (TCP/UDP), regional. Application Gateway = Layer 7 (HTTP), regional, with Web Application Firewall. Front Door = global Layer 7 + CDN + WAF. Traffic Manager = DNS-based global routing (no proxying). CDN = edge caching of static content.
Two Axes: Layer and Scope
Azure's four load-balancing services are easiest to memorize on two axes the exam relies on:
| Service | OSI layer | Scope | Proxies traffic? |
|---|---|---|---|
| Load Balancer | Layer 4 (TCP/UDP) | Regional | Yes |
| Application Gateway | Layer 7 (HTTP/HTTPS) | Regional | Yes |
| Front Door | Layer 7 (HTTP/HTTPS) | Global | Yes |
| Traffic Manager | DNS (Layer 7 control plane) | Global | No |
Layer 4 means the service routes by IP address and TCP/UDP port without understanding the payload. Layer 7 means it understands HTTP — it can read URLs, hostnames, headers, and cookies, enabling features such as path-based routing and SSL termination.
The other axis is regional vs. global: Load Balancer and Application Gateway distribute traffic within one region; Front Door and Traffic Manager distribute across regions worldwide.
A quick mental check the exam rewards: if a service can read a URL path or hostname, it is Layer 7 (Application Gateway, Front Door); if it only sees an IP and port, it is Layer 4 (Load Balancer). If a service spans multiple regions, it is global (Front Door, Traffic Manager); otherwise it is regional. Combining the two axes uniquely identifies every service in the table above.
The Four Services in Detail
Azure Load Balancer (Layer 4, regional)
Distributes inbound TCP/UDP flows across a backend pool of VMs in a region using a 5-tuple hash (source IP, source port, destination IP, destination port, protocol). It is not HTTP-aware, delivers very high throughput at low latency, and works for any TCP/UDP workload: databases, custom TCP services, or VM scale sets. It comes in Public (internet-facing) and Internal (private front-end) variants.
Azure Application Gateway (Layer 7, regional)
A web traffic load balancer that understands HTTP. Distinguishing features tested on AZ-900:
- URL path-based routing — send `/images/*` to one pool and `/api/*` to another.
- SSL/TLS termination (offload) — decrypt at the gateway to spare backend VMs.
- Web Application Firewall (WAF) — blocks OWASP Top 10 attacks such as SQL injection and cross-site scripting.
- Cookie-based session affinity.
When a question pairs "Layer 7" with a "built-in Web Application Firewall" within a single region, the answer is Application Gateway.
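The Layer 4 vs. Layer 7 distinction above is easiest to see in code. The following is an added illustration, not Azure code: `l4_select` picks a backend purely from the 5-tuple hash the way Load Balancer does, while `l7_route` applies Application Gateway-style longest-prefix URL path rules. Pool names, addresses and rules are constructed placeholders.

```python
import hashlib
from typing import Dict, List

# Constructed backend pool and path rules (placeholder addresses, not real Azure resources).
VM_POOL = ["10.0.1.4", "10.0.1.5", "10.0.1.6"]
PATH_RULES = {"/images/": "images-pool", "/api/": "api-pool"}
DEFAULT_POOL = "web-pool"


def l4_select(backends: List[str], src_ip: str, src_port: int,
              dst_ip: str, dst_port: int, proto: str) -> str:
    """Layer 4 choice: hash only the 5-tuple. The HTTP payload is never an input,
    so every request on the same flow lands on the same VM regardless of URL."""
    key = f"{src_ip}:{src_port}->{dst_ip}:{dst_port}/{proto}".encode()
    digest = hashlib.sha256(key).digest()
    return backends[int.from_bytes(digest[:4], "big") % len(backends)]


def l7_route(path: str, rules: Dict[str, str] = PATH_RULES) -> str:
    """Layer 7 choice: the longest matching URL path prefix wins; otherwise the default pool."""
    best = ""
    for prefix in rules:
        if path.startswith(prefix) and len(prefix) > len(best):
            best = prefix
    return rules[best] if best else DEFAULT_POOL


def l4_spread(n_flows: int) -> Dict[str, int]:
    """Count how the 5-tuple hash spreads n client flows (varying source port) over the pool."""
    counts = {vm: 0 for vm in VM_POOL}
    for port in range(49152, 49152 + n_flows):
        counts[l4_select(VM_POOL, "203.0.113.9", port, "10.0.0.10", 443, "tcp")] += 1
    return counts


def same_flow_two_urls() -> tuple:
    """One TCP flow carries two HTTP requests: L4 sees one flow, L7 sees two distinct paths."""
    flow = ("203.0.113.9", 51000, "10.0.0.10", 443, "tcp")
    paths = ("/images/logo.png", "/api/v1/orders")
    l4_targets = {l4_select(VM_POOL, *flow) for _ in paths}   # the URL is not an input at all
    l7_targets = {l7_route(p) for p in paths}
    return len(l4_targets), len(l7_targets)                   # (1, 2)
```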
Azure Front Door (global Layer 7 + CDN + WAF)
Microsoft's global entry point for internet-facing web apps. It combines Layer 7 load balancing, CDN caching, SSL offload, and a WAF at the network edge, routing users to the closest healthy backend across regions. Choose it when the requirement is "global, fast, secure web application with failover."
Azure Traffic Manager (DNS-based, global)
Works at the DNS layer: a client's DNS query returns the IP of the best endpoint based on a routing method — Priority (failover), Weighted (split by percentage), Performance (lowest latency), or Geographic (by user location). Crucially, Traffic Manager does not see or proxy the actual traffic — once DNS resolves, the client connects straight to the endpoint. That "does not proxy" property is its signature exam fact.
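To make the "returns an endpoint, does not proxy" point concrete, here is an added model of the four routing methods (not Azure's implementation): `resolve` returns only the IP a DNS answer would carry and never forwards traffic. Endpoints, addresses and latency figures are constructed; for the Weighted method the caller supplies the random slot so results are reproducible.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Endpoint:
    name: str
    ip: str
    healthy: bool = True
    priority: int = 1                                           # Priority method: lower wins
    weight: int = 1                                             # Weighted method
    latency_ms: Dict[str, int] = field(default_factory=dict)    # Performance: per client region
    regions: List[str] = field(default_factory=list)            # Geographic: regions served


def resolve(endpoints: List[Endpoint], method: str, client_region: str = "",
            slot: int = 0) -> Optional[str]:
    """Return the IP the DNS answer would contain, or None if no healthy endpoint fits.
    The client then connects to that IP itself; nothing here forwards a single byte."""
    live = [e for e in endpoints if e.healthy]          # unhealthy endpoints leave the answer
    if not live:
        return None
    if method == "priority":                            # failover: best-priority healthy endpoint
        return min(live, key=lambda e: e.priority).ip
    if method == "weighted":
        # A real resolver draws a random slot in [0, total weight); the caller passes it
        # here so the example is deterministic (constructed simplification).
        total = sum(e.weight for e in live)
        cursor, pick = slot % total, live[0]
        for e in live:
            if cursor < e.weight:
                pick = e
                break
            cursor -= e.weight
        return pick.ip
    if method == "performance":                         # lowest measured latency for the client
        measured = [e for e in live if client_region in e.latency_ms]
        return min(measured, key=lambda e: e.latency_ms[client_region]).ip if measured else None
    if method == "geographic":                          # explicit region first, then "World"
        for e in live:
            if client_region in e.regions:
                return e.ip
        fallback = [e for e in live if "World" in e.regions]
        return fallback[0].ip if fallback else None
    raise ValueError(f"unknown routing method: {method}")


# Constructed profile with placeholder addresses (not real Azure resources).
EAST = Endpoint("eastus", "203.0.113.10", priority=1, weight=3,
                latency_ms={"NA": 20, "EU": 95}, regions=["NA"])
WEST = Endpoint("westeurope", "203.0.113.20", priority=2, weight=1,
                latency_ms={"NA": 90, "EU": 15}, regions=["EU", "World"])
PROFILE = [EAST, WEST]
```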
Azure CDN (Content Delivery Network)
The Azure Content Delivery Network (CDN) caches static content — images, video, CSS, JavaScript, downloads — at a global network of edge points of presence (PoPs). When a user requests a cached file, it is served from the nearest PoP instead of the origin, which:
- Reduces latency for geographically distant users,
- Offloads the origin server, and
- Smooths traffic spikes (e.g., a viral download).
The primary, exam-correct benefit of CDN is lower latency by serving cached content close to users — not security, not compute, not storage durability. Cached objects honor a time-to-live (TTL) so they refresh from the origin periodically; until the TTL expires the edge serves the stored copy.
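The TTL behaviour and origin offload described above, as an added simulation that is not Azure CDN code: an edge PoP serves cached static objects until their TTL expires, refreshes them from the origin afterwards, and passes dynamic paths straight through. The static-suffix list, object contents and request timeline are constructed assumptions.

```python
import time
from typing import Callable, Dict, List, Tuple

STATIC_SUFFIXES = (".png", ".jpg", ".mp4", ".css", ".js", ".zip")   # assumed cacheable types

class OriginServer:
    """Constructed origin that counts every request reaching it."""
    def __init__(self, objects: Dict[str, bytes]) -> None:
        self.objects, self.hits = objects, 0
    def fetch(self, path: str) -> bytes:
        self.hits += 1
        return self.objects[path]

class EdgePoP:
    """One point of presence: serves cached static objects until their TTL expires."""
    def __init__(self, origin: OriginServer, ttl_s: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.origin, self.ttl_s, self.clock = origin, ttl_s, clock
        self.cache: Dict[str, Tuple[bytes, float]] = {}   # path -> (body, expiry time)
    def get(self, path: str) -> Tuple[bytes, str]:
        if not path.endswith(STATIC_SUFFIXES):            # dynamic content is never cached
            return self.origin.fetch(path), "BYPASS"
        now = self.clock()
        entry = self.cache.get(path)
        if entry and now < entry[1]:
            return entry[0], "HIT"                        # served at the edge, origin untouched
        body = self.origin.fetch(path)                    # first request or TTL elapsed
        self.cache[path] = (body, now + self.ttl_s)
        return body, "MISS" if entry is None else "EXPIRED"

class ManualClock:
    """Deterministic clock so TTL expiry can be stepped explicitly."""
    def __init__(self) -> None:
        self.now = 0.0
    def __call__(self) -> float:
        return self.now

def simulate(ttl_s: float = 60.0) -> Tuple[List[str], int]:
    """Replay a constructed request timeline; return per-request cache status and origin hits."""
    clock = ManualClock()
    origin = OriginServer({"/img/logo.png": b"PNG...", "/api/cart": b'{"items": 1}'})
    pop = EdgePoP(origin, ttl_s, clock)
    statuses = []
    for t, path in [(0, "/img/logo.png"), (1, "/img/logo.png"), (2, "/api/cart"),
                    (3, "/api/cart"), (ttl_s + 1, "/img/logo.png"), (ttl_s + 2, "/img/logo.png")]:
        clock.now = t
        statuses.append(pop.get(path)[1])
    return statuses, origin.hits
```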
Selection Decision Tree
Match the scenario keywords:
- Static files, faster delivery worldwide → Azure CDN.
- Global web app, edge security + caching + failover → Azure Front Door.
- Route users to different regions by DNS, no proxying → Traffic Manager.
- HTTP routing by URL path + WAF, single region → Application Gateway.
- Plain TCP/UDP across VMs in one region → Load Balancer.
Note that these services are often combined: Traffic Manager can route users to the regional endpoint hosting an Application Gateway, which in turn balances across VMs behind an internal Load Balancer — a layered design AZ-900 may describe to test whether you can separate each service's role.
Common Traps to Memorize
- Layer 4 vs. Layer 7: Load Balancer is Layer 4 and cannot do URL routing; Application Gateway is Layer 7 and can.
- WAF lives on Application Gateway and Front Door, not on Load Balancer or Traffic Manager.
- Traffic Manager is DNS-based and does NOT proxy traffic — a wrong answer often claims it proxies like a load balancer.
- Regional vs. global: Load Balancer/Application Gateway = one region; Front Door/Traffic Manager = global.
- CDN is for static content caching, not dynamic application logic or compute.
- Front Door = global; do not confuse it with the regional Application Gateway even though both are Layer 7 with WAF.
Which Azure load balancing service operates at Layer 7, runs within a single region, and includes a built-in Web Application Firewall (WAF)?
Which global service distributes traffic using DNS and does NOT proxy the actual traffic?
A company wants to speed up delivery of static images and video files to users around the world. Which Azure service is the best fit?
Which service is the correct choice for a global, internet-facing web application that needs edge caching, SSL offload, a Web Application Firewall, and cross-region failover?