Application gateway
An application gateway is a network security service (often a type of reverse proxy) that sits between clients and back-end applications to manage and secure incoming traffic. Sometimes called an application proxy or application-level gateway, it operates at the application layer (Layer 7) and can inspect, filter, and route requests based on defined rules.
Application gateways are commonly used to publish internal web applications to external users in a secure way. For example, an organization might use an app gateway to allow employees to access an intranet site from home: the gateway will accept the user’s connection, require them to authenticate, and only then forward the request to the internal site.
These gateways often include features like load balancing, SSL/TLS termination, and web application firewall (WAF) capabilities (protecting against SQL injection, XSS, etc.). They can also add identity context to traffic – for instance, validating an OAuth token or injecting an authenticated user’s ID into request headers before passing the request to the application.
In cloud environments, examples include Azure Application Gateway, AWS API Gateway, or identity-aware proxies. In summary, an application gateway acts as a dedicated entry point for application traffic, enforcing security policies and orchestrating how users reach the app.
How does it affect identity security?
Application gateways play a crucial role in identity security by ensuring that only authenticated and authorized traffic reaches applications. Since the gateway stands in front of applications, it can require users to prove their identity (via login, SSO tokens, API keys, etc.) and can apply access controls based on user roles or attributes. This means you can centralize authentication at the gateway rather than relying on each individual app to handle it, which is especially useful for legacy apps that don’t natively support modern auth methods.
A well-configured app gateway helps prevent unauthorized access – for example, it can block requests that lack a valid session or JWT, thereby integrating tightly with IAM systems. Additionally, gateways protect applications from various attacks (like injection attacks or DDoS), which indirectly protects the integrity of user identities and sessions. From an identity perspective, the gateway can also perform single sign-on and propagate the user’s identity to back-end services, ensuring consistent enforcement of who is acting in the system.
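The two behaviours described above (validating a token at the edge and injecting the authenticated user's identity into a header before forwarding) can be shown in a few dozen lines. The following is an added example, not code from any gateway product: it assumes an HS256 JWT signed with a shared secret, a back-end that trusts a header named X-Authenticated-User, and a request represented as a plain dict. The secret, header name and request shape are all assumptions for illustration; a production gateway would more commonly verify tokens against the identity provider's published keys rather than a shared secret.

```python
# Added example: a minimal identity-enforcing gateway in plain Python.
# It validates an HS256 JWT, rejects requests without a valid token, and injects
# the authenticated user's identity into a header before forwarding. Header name,
# secret and request shape are assumptions, not any product's API.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

HEADER_IDENTITY = "X-Authenticated-User"  # assumed header the back-end trusts
SAMPLE_SECRET = b"demo-shared-secret"      # constructed; real deployments use a managed key


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, secret: bytes) -> str:
    """Mint an HS256 token so the example has something to validate."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_jwt(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature, algorithm and expiry all check out, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: the token must not get to choose (rejects 'none' and alg swaps).
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # malformed base64, bad JSON or wrong segment count
        return None
    now = time.time() if now is None else now
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), (int, float)):
        return None
    if claims["exp"] <= now:
        return None
    return claims


def gateway(request: dict, secret: bytes, now: Optional[float] = None) -> Tuple[int, Optional[dict]]:
    """Enforce authentication at the edge.

    request = {"path": str, "headers": {name: value}}. Returns (status, forwarded):
    forwarded is what the back-end receives, or None when the request is blocked.
    """
    headers = request.get("headers", {})
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    if not auth.startswith("Bearer "):
        return 401, None
    claims = verify_jwt(auth[len("Bearer "):], secret, now)
    if claims is None or not isinstance(claims.get("sub"), str):
        return 401, None
    # Strip any client-supplied copy of the identity header: if the client could set it,
    # the back-end could never trust it. The gateway is the only writer of this header.
    forwarded_headers = {k: v for k, v in headers.items() if k.lower() != HEADER_IDENTITY.lower()}
    forwarded_headers[HEADER_IDENTITY] = claims["sub"]
    return 200, {"path": request.get("path", "/"), "headers": forwarded_headers}


if __name__ == "__main__":
    token = make_jwt({"sub": "alice", "exp": time.time() + 300}, SAMPLE_SECRET)
    req = {"path": "/intranet", "headers": {"Authorization": "Bearer " + token,
                                            "X-Authenticated-User": "admin"}}  # spoof attempt
    print(gateway(req, SAMPLE_SECRET))          # 200, identity header now "alice"
    print(gateway({"path": "/intranet", "headers": {}}, SAMPLE_SECRET))  # 401, None
```

Two details carry the security weight: the algorithm is pinned rather than read from the token, and the gateway overwrites the identity header rather than merging it, so a client that sends its own X-Authenticated-User value gains nothing.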
On the flip side, if an application gateway is misconfigured or vulnerable, it can become an attack vector. A compromised gateway could bypass the very security it’s supposed to provide, allowing attackers to impersonate users or sneak into internal services. Therefore, securing the gateway itself (with patches, proper config, and IAM integration) is a high priority.
Overall, application gateways are a linchpin in a Zero Trust model – they broker every request, verify identity, and only then grant access, significantly strengthening identity security for applications.
Case study
A prominent example of how an application gateway flaw can lead to a breach is the Capital One incident of 2019. In that breach, a malicious actor exploited a misconfiguration in Capital One’s web application firewall – a component acting as an application gateway – to obtain access to sensitive data stored in Amazon S3 buckets.
The attacker discovered a Server-Side Request Forgery (SSRF) vulnerability in the AWS-hosted application firewall (WAF), which allowed them to trick the gateway into executing requests on their behalf. Through this loophole, the attacker accessed the AWS instance’s identity credentials (an IAM role) and then used those credentials to retrieve ~100 million customer records from storage.
Essentially, the application gateway should have blocked such requests, or at least the role it ran under should not have had permissions to sensitive data; a misconfiguration meant it became an unexpected identity pivot point for the attacker. Capital One’s case highlights that while application gateways and WAFs are meant to protect, they must be correctly configured with least privilege.
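The defensive lesson of the case study is that a gateway which fetches resources on a user's behalf must decide for itself where it is allowed to connect. The following is an added example, not Capital One's or any vendor's code: it shows an egress policy that only proxies to allowlisted back-end hosts whose resolved addresses match a pinned set, and refuses link-local and loopback destinations outright (the link-local range is where cloud instance metadata services typically live). The host names, addresses and the stand-in resolver are constructed so the example runs offline.

```python
# Added example: egress policy for a gateway that proxies requests on a user's behalf.
# A lax gateway forwards any URL it is handed; the hardened check below forwards only
# to allowlisted hosts with pinned addresses and never to link-local/loopback ranges.
# All hosts, addresses and the resolver table are constructed for illustration.
import ipaddress
from typing import Callable, Dict, Iterable, Set, Tuple
from urllib.parse import urlsplit

# Constructed allowlist: back-end host -> addresses the gateway expects it to resolve to.
ALLOWED_BACKENDS: Dict[str, Set[str]] = {
    "intranet.internal.example": {"10.0.5.20"},
}

# Constructed stand-in for DNS so the example needs no network.
FAKE_DNS: Dict[str, list] = {
    "intranet.internal.example": ["10.0.5.20"],
    "other.internal.example": ["10.0.9.9"],
}


def fake_resolver(host: str) -> list:
    return FAKE_DNS.get(host, [])


def check_destination(url: str, resolver: Callable[[str], Iterable[str]],
                      allowed: Dict[str, Set[str]] = ALLOWED_BACKENDS) -> Tuple[bool, str]:
    """Return (ok, reason); ok is True only when every check passes."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "unsupported scheme"
    host = parts.hostname  # strips userinfo and port, so "allowed@evil" forms resolve to "evil"
    if not host:
        return False, "no host"
    # Raw IP literals are refused: only named, allowlisted back-ends are proxied.
    try:
        ipaddress.ip_address(host)
        return False, "IP literal not allowed"
    except ValueError:
        pass
    if host not in allowed:
        return False, "host not on allowlist"
    addrs = list(resolver(host))
    if not addrs:
        return False, "unresolvable host"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # Link-local and loopback are never legitimate back-ends for a public gateway.
        if ip.is_link_local or ip.is_loopback or ip.is_unspecified:
            return False, f"forbidden address {addr}"
        # Pinning defeats DNS answers that later point an allowlisted name elsewhere.
        if addr not in allowed[host]:
            return False, f"{host} resolved to unpinned address {addr}"
    return True, "ok"


def proxy_fetch(url: str, resolver: Callable[[str], Iterable[str]],
                fetch: Callable[[str], str]) -> Tuple[str, str]:
    """Gateway behaviour: fetch only after the destination passes policy."""
    ok, reason = check_destination(url, resolver)
    if not ok:
        return "blocked", reason
    return "fetched", fetch(url)


if __name__ == "__main__":
    backend = lambda u: f"<html>content of {u}</html>"  # constructed stand-in for the real fetch
    print(proxy_fetch("http://intranet.internal.example/page", fake_resolver, backend))
    print(proxy_fetch("http://other.internal.example/page", fake_resolver, backend))
    print(proxy_fetch("http://127.0.0.1/", fake_resolver, backend))
```

This check is one layer; the second lesson of the case study still applies, and the role attached to the gateway host should carry only the permissions the gateway itself needs, so that a request which does slip through yields little.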