Create an application gateway with URL path-based redirection using Azure PowerShell

2025-07-16

You can use Azure PowerShell to configure URL-based routing rules when you create an application gateway. In this tutorial, you create backend pools using virtual machine scale sets. You then create URL routing rules that redirect web traffic to the appropriate backend pool based on the request URL path. You can use Azure PowerShell to configure advanced URL-based routing rules when you create an application gateway.

This tutorial covers production-ready configurations including security best practices, performance optimization, and monitoring setup.

In this tutorial, you learn how to:

Set up the network infrastructure
Create an application gateway with path-based routing
Add listeners and routing rules for URL redirection
Create virtual machine scale sets for backend pools
Test the application gateway routing and redirection functionality

The following example shows site traffic coming from both ports 8080 and 8081 and being directed to the same backend pools:

Prerequisites

If you prefer, you can complete this procedure using Azure CLI.

Before you begin this tutorial, ensure you have:

An active Azure subscription. Create a free account if you don't have one.
Azure PowerShell module version 5.4.1 or later installed locally, or access to Azure Cloud Shell
Contributor or Owner permissions on the target Azure subscription
A basic understanding of Application Gateway concepts and PowerShell scripting

Note

We recommend that you use the Azure Az PowerShell module to interact with Azure. To get started, see Install Azure PowerShell. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.

Azure Cloud Shell

Azure hosts Azure Cloud Shell, an interactive shell environment that you can use through your browser. You can use either Bash or PowerShell with Cloud Shell to work with Azure services. You can use the Cloud Shell preinstalled commands to run the code in this article, without having to install anything on your local environment.

To start Azure Cloud Shell:

Option	Example/Link
Select Try It in the upper-right corner of a code or command block. Selecting Try It doesn't automatically copy the code or command to Cloud Shell.
Go to https://shell.azure.com, or select the Launch Cloud Shell button to open Cloud Shell in your browser.
Select the Cloud Shell button on the menu bar at the upper right in the Azure portal.

To use Azure Cloud Shell:

Start Cloud Shell.
Select the Copy button on a code block (or command block) to copy the code or command.
Paste the code or command into the Cloud Shell session by selecting Ctrl+Shift+V on Windows and Linux, or by selecting Cmd+Shift+V on macOS.
Select Enter to run the code or command.

If you choose to install and use PowerShell locally, this tutorial requires the Azure PowerShell module version 5.4.1 or later. To find the version, run Get-Module -ListAvailable Az. If you need to upgrade, see Install Azure PowerShell module. If you're running PowerShell locally, you also need to run Connect-AzAccount to create a connection with Azure.

Create a resource group

A resource group is a logical container into which Azure resources are deployed and managed. Create an Azure resource group using New-AzResourceGroup.

# Define variables for consistent naming and easier management
$resourceGroupName = "myResourceGroupAG"
$location = "eastus"

# Create the resource group
New-AzResourceGroup -Name $resourceGroupName -Location $location

# Verify the resource group creation
Write-Output "Resource group '$resourceGroupName' created successfully in '$location'"

Create network resources

Create the subnet configurations for myBackendSubnet and myAGSubnet using New-AzVirtualNetworkSubnetConfig. Create the virtual network named myVNet using New-AzVirtualNetwork with the subnet configurations. Finally, create the public IP address named myAGPublicIPAddress using New-AzPublicIpAddress. These resources provide network connectivity to the application gateway and its associated resources.

Important

The application gateway subnet (myAGSubnet) can contain only application gateways. No other resources are allowed in this subnet. Create the subnet configurations for myBackendSubnet and myAGSubnet using New-AzVirtualNetworkSubnetConfig. The Application Gateway requires a dedicated subnet with minimum /24 CIDR for proper operation and future scaling. Create the virtual network named myVNet using New-AzVirtualNetwork with the subnet configurations. Finally, create the public IP address with Standard SKU and static allocation for improved security and performance using New-AzPublicIpAddress.

# Create backend subnet configuration with appropriate CIDR for scale sets
$backendSubnetConfig = New-AzVirtualNetworkSubnetConfig `
  -Name myBackendSubnet `
  -AddressPrefix 10.0.1.0/24

# Create Application Gateway subnet - dedicated subnet required
$agSubnetConfig = New-AzVirtualNetworkSubnetConfig `
  -Name myAGSubnet `
  -AddressPrefix 10.0.2.0/24

New-AzVirtualNetwork `
  -ResourceGroupName myResourceGroupAG `
  -Location eastus `
  -Name myVNet `
  -AddressPrefix 10.0.0.0/16 `
  -Subnet $backendSubnetConfig, $agSubnetConfig

New-AzPublicIpAddress `
  -ResourceGroupName myResourceGroupAG `
  -Location eastus `
  -Name myAGPublicIPAddress `
  -AllocationMethod Dynamic

Create an application gateway

In this section, you create resources that support the application gateway, and then finally create it. The resources that you create include:

IP configurations and frontend port - Associates the subnet that you previously created to the application gateway and assigns a port to use to access it.
Default pool - All application gateways must have at least one backend pool of servers.
Default listener and rule - The default listener listens for traffic on the port that was assigned and the default rule sends traffic to the default pool.

Create the IP configurations and frontend port

Associate myAGSubnet that you previously created to the application gateway using New-AzApplicationGatewayIPConfiguration. Assign myAGPublicIPAddress to the application gateway using New-AzApplicationGatewayFrontendIPConfig. Then create the HTTP port using New-AzApplicationGatewayFrontendPort.

# Get the virtual network and subnet references
$vnet = Get-AzVirtualNetwork `
  -ResourceGroupName myResourceGroupAG `
  -Name myVNet

$subnet=$vnet.Subnets[0]

# Get the public IP address
$pip = Get-AzPublicIpAddress `
  -ResourceGroupName myResourceGroupAG `
  -Name myAGPublicIPAddress

# Create IP configuration for the Application Gateway
$gipconfig = New-AzApplicationGatewayIPConfiguration `
  -Name myAGIPConfig `
  -Subnet $subnet

# Create frontend IP configuration
$fipconfig = New-AzApplicationGatewayFrontendIPConfig `
  -Name myAGFrontendIPConfig `
  -PublicIPAddress $pip

# Create frontend port for HTTP traffic
$frontendport = New-AzApplicationGatewayFrontendPort `
  -Name myFrontendPort `
  -Port 80

Write-Output "Application Gateway IP configurations created successfully"

Create the default pool and settings

Create the default backend pool named appGatewayBackendPool for the application gateway using New-AzApplicationGatewayBackendAddressPool. Configure the settings for the backend pool using New-AzApplicationGatewayBackendHttpSettings.

# Create default backend pool
$defaultPool = New-AzApplicationGatewayBackendAddressPool `
  -Name appGatewayBackendPool

# Create backend HTTP settings with optimized configuration
$poolSettings = New-AzApplicationGatewayBackendHttpSettings `
  -Name myPoolSettings `
  -Port 80 `
  -Protocol Http `
  -CookieBasedAffinity Enabled `
  -RequestTimeout 120

Create the default listener and rule

A listener is required to enable the application gateway to route traffic appropriately to backend pools. In this tutorial, you create multiple listeners for different routing scenarios. The first basic listener expects traffic at the root URL. The other listeners expect traffic at specific URL paths, such as http://203.0.113.1:8080/images/ or http://203.0.113.1:8081/video/.

Create a listener named defaultListener using New-AzApplicationGatewayHttpListener with the frontend configuration and frontend port that you previously created. A rule is required for the listener to know which backend pool to use for incoming traffic. Create a basic rule named rule1 using New-AzApplicationGatewayRequestRoutingRule.

# Create default HTTP listener
$defaultlistener = New-AzApplicationGatewayHttpListener `
  -Name defaultListener `
  -Protocol Http `
  -FrontendIPConfiguration $fipconfig `
  -FrontendPort $frontendport

# Create basic routing rule that directs traffic to default pool
$frontendRule = New-AzApplicationGatewayRequestRoutingRule `
  -Name rule1 `
  -RuleType Basic `
  -HttpListener $defaultlistener `
  -BackendAddressPool $defaultPool `
  -BackendHttpSettings $poolSettings `
  -Priority 100

Write-Output "Default listener and routing rule created successfully"

Create the application gateway

Now that you created the necessary supporting resources, specify parameters for the application gateway named myAppGateway using New-AzApplicationGatewaySku, and then create it using New-AzApplicationGateway.

# Create SKU configuration for Application Gateway v2
$sku = New-AzApplicationGatewaySku `
  -Name Standard_Medium `
  -Tier Standard `
  -Capacity 2

New-AzApplicationGateway `
  -Name myAppGateway `
  -ResourceGroupName myResourceGroupAG `
  -Location eastus `
  -BackendAddressPools $defaultPool `
  -BackendHttpSettingsCollection $poolSettings `
  -FrontendIpConfigurations $fipconfig `
  -GatewayIpConfigurations $gipconfig `
  -FrontendPorts $frontendport `
  -HttpListeners $defaultlistener `
  -RequestRoutingRules $frontendRule `
  -Sku $sku

Add backend pools and ports

You can add backend pools to your application gateway using Add-AzApplicationGatewayBackendAddressPool. In this example, imagesBackendPool and videoBackendPool are created for routing specific content types. You add frontend ports for the pools using Add-AzApplicationGatewayFrontendPort. Submit the changes to the application gateway using Set-AzApplicationGateway.

# Get the current Application Gateway configuration
$appgw = Get-AzApplicationGateway `
  -ResourceGroupName myResourceGroupAG `
  -Name myAppGateway

# Add specialized backend pools for different content types
Add-AzApplicationGatewayBackendAddressPool `
  -ApplicationGateway $appgw `
  -Name imagesBackendPool

Add-AzApplicationGatewayBackendAddressPool `
  -ApplicationGateway $appgw `
  -Name videoBackendPool

# Add frontend ports for specialized listeners
Add-AzApplicationGatewayFrontendPort `
  -ApplicationGateway $appgw `
  -Name bport `
  -Port 8080

Add-AzApplicationGatewayFrontendPort `
  -ApplicationGateway $appgw `
  -Name rport `
  -Port 8081

# Apply the configuration changes
Set-AzApplicationGateway -ApplicationGateway $appgw

Add listeners and rules

Add listeners

Add the listeners named backendListener and redirectedListener that are needed to route traffic using Add-AzApplicationGatewayHttpListener.

# Get the current Application Gateway configuration
$appgw = Get-AzApplicationGateway `
  -ResourceGroupName myResourceGroupAG `
  -Name myAppGateway

# Get frontend port references
$backendPort = Get-AzApplicationGatewayFrontendPort `
  -ApplicationGateway $appgw `
  -Name bport

$redirectPort = Get-AzApplicationGatewayFrontendPort `
  -ApplicationGateway $appgw `
  -Name rport

# Get frontend IP configuration
$fipconfig = Get-AzApplicationGatewayFrontendIPConfig `
  -ApplicationGateway $appgw

# Add listeners for different ports
Add-AzApplicationGatewayHttpListener `
  -ApplicationGateway $appgw `
  -Name backendListener `
  -Protocol Http `
  -FrontendIPConfiguration $fipconfig `
  -FrontendPort $backendPort

Add-AzApplicationGatewayHttpListener `
  -ApplicationGateway $appgw `
  -Name redirectedListener `
  -Protocol Http `
  -FrontendIPConfiguration $fipconfig `
  -FrontendPort $redirectPort

# Apply the configuration changes
Set-AzApplicationGateway -ApplicationGateway $appgw

Add the default URL path map

URL path maps ensure that specific URLs are routed to specific backend pools. You can create URL path maps named imagePathRule and videoPathRule using New-AzApplicationGatewayPathRuleConfig and Add-AzApplicationGatewayUrlPathMapConfig.

# Get the current Application Gateway configuration
$appgw = Get-AzApplicationGateway `
  -ResourceGroupName myResourceGroupAG `
  -Name myAppGateway

# Get backend HTTP settings
$poolSettings = Get-AzApplicationGatewayBackendHttpSettings `
  -ApplicationGateway $appgw `
  -Name myPoolSettings

# Get backend address pools
$imagePool = Get-AzApplicationGatewayBackendAddressPool `
  -ApplicationGateway $appgw `
  -Name imagesBackendPool

$videoPool = Get-AzApplicationGatewayBackendAddressPool `
  -ApplicationGateway $appgw `
  -Name videoBackendPool

$defaultPool = Get-AzApplicationGatewayBackendAddressPool `
  -ApplicationGateway $appgw `
  -Name appGatewayBackendPool

# Create path rules for different content types
$imagePathRule = New-AzApplicationGatewayPathRuleConfig `
  -Name imagePathRule `
  -Paths "/images/*" `
  -BackendAddressPool $imagePool `
  -BackendHttpSettings $poolSettings

$videoPathRule = New-AzApplicationGatewayPathRuleConfig `
  -Name videoPathRule `
  -Paths "/video/*" `
  -BackendAddressPool $videoPool `
  -BackendHttpSettings $poolSettings

# Add URL path map configuration
Add-AzApplicationGatewayUrlPathMapConfig `
  -ApplicationGateway $appgw `
  -Name urlpathmap `
  -PathRules $imagePathRule, $videoPathRule `
  -DefaultBackendAddressPool $defaultPool `
  -DefaultBackendHttpSettings $poolSettings

# Apply the configuration changes
Set-AzApplicationGateway -ApplicationGateway $appgw

Add redirection configuration

You can configure redirection for the listener using Add-AzApplicationGatewayRedirectConfiguration.

# Get the current Application Gateway configuration
$appgw = Get-AzApplicationGateway `
  -ResourceGroupName $resourceGroupName `
  -Name myAppGateway

# Get the target listener for redirection
$backendListener = Get-AzApplicationGatewayHttpListener `
  -ApplicationGateway $appgw `
  -Name backendListener

# Add redirection configuration with query string and path preservation
$redirectConfig = Add-AzApplicationGatewayRedirectConfiguration `
  -ApplicationGateway $appgw `
  -Name redirectConfig `
  -RedirectType Found `
  -TargetListener $backendListener `
  -IncludePath $true `
  -IncludeQueryString $true

# Apply the configuration changes
Set-AzApplicationGateway -ApplicationGateway $appgw

Write-Output "Redirection configuration added successfully"
Write-Output "Redirect type: HTTP 302 Found"
Write-Output "Target: backendListener (Port 8080)"
Write-Output "Preserves: Path and Query String"

Add the redirection URL path map

Create a separate URL path map for redirection scenarios. This map will handle traffic on port 8081 and redirect specific paths to the appropriate listener on port 8080.

# Get the current Application Gateway configuration
$appgw = Get-AzApplicationGateway `
  -ResourceGroupName $resourceGroupName `
  -Name myAppGateway

# Get references to existing configurations
$poolSettings = Get-AzApplicationGatewayBackendHttpSettings `
  -ApplicationGateway $appgw `
  -Name myPoolSettings

$defaultPool = Get-AzApplicationGatewayBackendAddressPool `
  -ApplicationGateway $appgw `
  -Name appGatewayBackendPool

$redirectConfig = Get-AzApplicationGatewayRedirectConfiguration `
  -ApplicationGateway $appgw `
  -Name redirectConfig

# Create path rule for redirection - images traffic will be redirected
$redirectPathRule = New-AzApplicationGatewayPathRuleConfig `
  -Name redirectPathRule `
  -Paths "/images/*" `
  -RedirectConfiguration $redirectConfig

# Add redirection path map configuration
Add-AzApplicationGatewayUrlPathMapConfig `
  -ApplicationGateway $appgw `
  -Name redirectpathmap `
  -PathRules $redirectPathRule `
  -DefaultBackendAddressPool $defaultPool `
  -DefaultBackendHttpSettings $poolSettings

# Apply the configuration changes
Set-AzApplicationGateway -ApplicationGateway $appgw

Write-Output "Redirection URL path map added successfully"
Write-Output "Redirection rule: /images/* on port 8081 -> port 8080"

Add routing rules

The routing rules associate the URL maps with the listeners that you created. You can add the rules named defaultRule and redirectedRule using Add-AzApplicationGatewayRequestRoutingRule.

$appgw = Get-AzApplicationGateway `
  -ResourceGroupName myResourceGroupAG `
  -Name myAppGateway

$backendlistener = Get-AzApplicationGatewayHttpListener `
  -ApplicationGateway $appgw `
  -Name backendListener

$redirectlistener = Get-AzApplicationGatewayHttpListener `
  -ApplicationGateway $appgw `
  -Name redirectedListener

$urlPathMap = Get-AzApplicationGatewayUrlPathMapConfig `
  -ApplicationGateway $appgw `
  -Name urlpathmap

$redirectPathMap = Get-AzApplicationGatewayUrlPathMapConfig `
  -ApplicationGateway $appgw `
  -Name redirectpathmap

Add-AzApplicationGatewayRequestRoutingRule `
  -ApplicationGateway $appgw `
  -Name defaultRule `
  -RuleType PathBasedRouting `
  -HttpListener $backendlistener `
  -UrlPathMap $urlPathMap

Add-AzApplicationGatewayRequestRoutingRule `
  -ApplicationGateway $appgw `
  -Name redirectedRule `
  -RuleType PathBasedRouting `
  -HttpListener $redirectlistener `
  -UrlPathMap $redirectPathMap

Set-AzApplicationGateway -ApplicationGateway $appgw

Create virtual machine scale sets

In this example, you create three virtual machine scale sets that support the three backend pools that you created. The scale sets are named myvmss1, myvmss2, and myvmss3. Each scale set contains two virtual machine instances on which you install IIS. You assign the scale set to the backend pool when you configure the IP settings.

Important

Replace <username> and <password> with your own values before running the script. Use a strong password that meets Azure's security requirements. Security Note: Replace <username> and <password> with secure credentials. Consider using Azure Key Vault for credential management in production scenarios.

# Get network and Application Gateway references
$vnet = Get-AzVirtualNetwork `
  -ResourceGroupName myResourceGroupAG `
  -Name myVNet

$appgw = Get-AzApplicationGateway `
  -ResourceGroupName myResourceGroupAG `
  -Name myAppGateway

# Get backend pool references
$backendPool = Get-AzApplicationGatewayBackendAddressPool `
  -Name appGatewayBackendPool `
  -ApplicationGateway $appgw

$imagesPool = Get-AzApplicationGatewayBackendAddressPool `
  -Name imagesBackendPool `
  -ApplicationGateway $appgw

$videoPool = Get-AzApplicationGatewayBackendAddressPool `
  -Name videoBackendPool `
  -ApplicationGateway $appgw

# Create three scale sets with improved configuration
for ($i=1; $i -le 3; $i++)
{
  if ($i -eq 1)
  {
     $poolId = $backendPool.Id
  }
  if ($i -eq 2) 
  {
    $poolId = $imagesPool.Id
  }
  if ($i -eq 3)
  {
    $poolId = $videoPool.Id
  }

  $ipConfig = New-AzVmssIpConfig `
    -Name myVmssIPConfig$i `
    -SubnetId $vnet.Subnets[1].Id `
    -ApplicationGatewayBackendAddressPoolsId $poolId

  # Create scale set configuration with modern VM size and settings
  $vmssConfig = New-AzVmssConfig `
    -Location eastus `
    -SkuCapacity 2 `
    -SkuName Standard_DS2 `
    -UpgradePolicyMode Automatic

  # Configure storage profile with Windows Server 2022
  Set-AzVmssStorageProfile $vmssConfig `
    -ImageReferencePublisher MicrosoftWindowsServer `
    -ImageReferenceOffer WindowsServer `
    -ImageReferenceSku 2016-Datacenter `
    -ImageReferenceVersion latest `
    -OsDiskCreateOption FromImage

  Set-AzVmssOsProfile $vmssConfig `
    -AdminUsername <username> `
    -AdminPassword "<password>" `
    -ComputerNamePrefix myvmss$i

  # Add network interface configuration
  Add-AzVmssNetworkInterfaceConfiguration `
    -VirtualMachineScaleSet $vmssConfig `
    -Name myVmssNetConfig$i `
    -Primary $true `
    -IPConfiguration $ipConfig

  New-AzVmss `
    -ResourceGroupName myResourceGroupAG `
    -Name myvmss$i `
    -VirtualMachineScaleSet $vmssConfig

  Write-Output "Virtual Machine Scale Set myvmss$i created successfully"
}

Write-Output "All Virtual Machine Scale Sets created successfully"

Install IIS

The following script installs IIS on the virtual machines in each scale set and configures them to display different content based on which backend pool they serve.

$publicSettings = @{ "fileUris" = (,"https://raw.githubusercontent.com/Azure/azure-docs-powershell-samples/master/application-gateway/iis/appgatewayurl.ps1"); 
  "commandToExecute" = "powershell -ExecutionPolicy Unrestricted -File appgatewayurl.ps1" }

# Install IIS on all scale sets
for ($i=1; $i -le 3; $i++)
{
  $vmss = Get-AzVmss -ResourceGroupName myResourceGroupAG -VMScaleSetName myvmss$i

  Add-AzVmssExtension -VirtualMachineScaleSet $vmss `
    -Name "customScript" `
    -Publisher "Microsoft.Compute" `
    -Type "CustomScriptExtension" `
    -TypeHandlerVersion 1.8 `
    -Setting $publicSettings

  Update-AzVmss `
    -ResourceGroupName myResourceGroupAG `
    -Name myvmss$i `
    -VirtualMachineScaleSet $vmss
}

Test the application gateway

Although IIS isn't required to create the application gateway, you installed it in this tutorial to verify if Azure successfully created the application gateway. Use IIS to test the application gateway:

Run Get-AzPublicIPAddress to get the public IP address of the application gateway:

Get-AzPublicIPAddress -ResourceGroupName myResourceGroupAG -Name myAGPublicIPAddress

Copy the public IP address, and then paste it into the address bar of your browser. For example:
- http://203.0.113.1 (base URL)
- http://203.0.113.1:8080/images/test.htm (images path)
- http://203.0.113.1:8080/video/test.htm (video path)
- http://203.0.113.1:8081/images/test.htm (redirection test)

Change the URL to http://<ip-address>:8080/images/test.htm, substituting your IP address for <ip-address>, and you should see something like the following example:

Change the URL to http://<ip-address>:8080/video/test.htm, substituting your IP address for <ip-address>, and you should see something like the following example:

Now, change the URL to http://<ip-address>:8081/images/test.htm, substituting your IP address for <ip-address>, and you should see traffic redirected back to the images backend pool at http://<ip-address>:8080/images.

Performance monitoring

Monitor key Application Gateway metrics for optimal performance:

Request Count: Total number of requests processed
Response Time: Average response time for requests
Unhealthy Host Count: Number of unhealthy backend servers
Throughput: Data transfer rate through the Application Gateway

Clean up resources

When no longer needed, remove the resource group, application gateway, and all related resources using Remove-AzResourceGroup.

Remove-AzResourceGroup -Name myResourceGroupAG

Next steps

Now that you learned URL path-based redirection with Application Gateway, explore these advanced scenarios:

Learn more about Application Gateway features and capabilities

Configure SSL termination with Application Gateway

Implement Web Application Firewall (WAF) policies

Set up Application Gateway with Azure Container Instances