Ryan sits down with Corey Quinn, Chief Cloud Economist at Duckbill, at AWS re:Invent to get Corey’s patented snarky take on all the happenings from the conference.

Hello Folks!

In a Zero Trust world, identity becomes the control plane and tokens become the gatekeepers.

Recently, in an E2E conversation with my colleague Vyshnavi Namani, we dug into a topic every ITPro supporting modern apps should understand: JSON Web Token (JWT) validation, specifically using Azure Application Gateway.

 

In this post we’ll distill that conversation into a technical guide for infrastructure pros who want to secure APIs and backend workloads without rewriting applications.

Why IT Pros Should Care About JWT Validation

JSON Web Token (JWT) is an open standard token format (RFC 7519) used to represent claims or identity information between two parties.

JWTs are issued by an identity provider (Microsoft Entra ID) and attached to API requests in an HTTP Authorization: Bearer <token> header. They are tamper-evident and include a digital signature, so they can be validated cryptographically.

JWT validation in Azure Application Gateway means the gateway will check every incoming HTTPS request for a valid JWT before it forwards the traffic to your backend service.

Think of it like a bouncer or security guard at the club entrance: if the client doesn’t present a valid “ID” (token), they don’t get in. This first-hop authentication happens at the gateway itself. No extra custom auth code is needed in your APIs. The gateway uses Microsoft Entra ID (Azure AD) as the authority to verify the token’s signature and claims (issuer/tenant, audience, expiry, etc.).

By performing token checks at the edge, Application Gateway ensures that only authenticated requests reach your application. If the JWT is missing or invalid, the gateway could deny the request depending on your configuration (e.g.  returns HTTP 401 Unauthorized) without disturbing your backend. If the JWT is valid, the gateway can even inject an identity header (x-msft-entra-identity) with the user’s tenant and object ID before passing the call along⁹. This offloads authentication from your app and provides a consistent security gate in front of all your APIs.

Key benefits of JWT validation at the gateway:

• Stronger security at the edge: The gateway checks each token’s signature and key claims, blocking bad tokens before they reach your app.
• No backend work needed: Since the gateway handles JWT validation, your services don’t need token‑parsing code. Therefore, there is less maintenance and lower CPU use.
• Stateless and scalable: Every request brings its own token, so there’s no session management. Any gateway instance can validate tokens independently, and Azure handles key rotation for you.
• Simplified compliance: Centralized JWT policies make it easier to prove only authorized traffic gets through, without each app team building their own checks.
• Defense in depth: Combine JWT validation with WAF rules to block malicious payloads and unauthorized access.

In short, JWT validation gives your Application Gateway the smarts to know who’s knocking at the door, and to only let the right people in.

How JWT Validation Works

At its core, JWT validation uses a trusted authority (for now it uses Microsoft Entra ID) to issue a token. That token is presented to the Application Gateway, which then validates:

• The token is legitimate
• The token was issued by the expected tenant
• The audience matches the resource you intend to protect

If all checks pass, the gateway returns a 200 OK and the request continues to your backend. If anything fails, the gateway returns 403 Forbidden, and your backend never sees the call.  You can check code and errors here:

• JSON Web Token (JWT) validation in Azure Application Gateway (Preview)

Setting Up JWT Validation in Azure Application Gateway

The steps to configure JWT validation in Azure Application Gateway are documented here:

• JSON Web Token (JWT) validation in Azure Application Gateway (Preview)

Use Cases That Matter to IT Pros

• Zero Trust
• Multi-Tenant Workloads
• Geolocation-Based Access
• AI Workloads

Next Steps

1. Identify APIs or workloads exposed through your gateways.
2. Audit whether they already enforce token validation.
3. Test JWT validation in a dev environment.
4. Integrate the policy into your Zero Trust architecture.
5. Collaborate with your dev teams on standardizing audiences.

Resources

• Azure Application Gateway JWT Validation
  • https://learn.microsoft.com/azure/application-gateway/json-web-token-overview 
• Microsoft Entra ID App Registrations
  • https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app 
• Azure Application Gateway Documentation
  • https://learn.microsoft.com/azure/application-gateway/overview
• Azure Zero Trust Guidance
  • https://learn.microsoft.com/security/zero-trust/zero-trust-overview
• Azure API Management and API Security Best Practices
  • https://learn.microsoft.com/azure/api-management/api-management-key-concepts
• Microsoft Identity Platform (Tokens, JWT, OAuth2
  • https://learn.microsoft.com/azure/active-directory/develop/security-tokens
• Using Curl with JWT Validation Scenarios
  • https://learn.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#request-an-access-token

Final Thoughts

JWT validation in Azure Application Gateway is a powerful addition to your skills for securing cloud applications.

It brings identity awareness right into your networking layer, which is a huge win for security and simplicity. If you manage infrastructure and worry about unauthorized access to your APIs, give it a try. It can drastically reduce the “attack surface” by catching invalid requests early.

As always, I’d love to hear about your experiences. Have you implemented JWT validation on App Gateway, or do you plan to? Let me know how it goes! Feel free to drop a comment or question.

Cheers!

Pierre Roman

---

This week, we discuss Oracle’s AI vibes, Chainguard’s EmeritOSS, and GitHub’s pricing U-turn. Plus, a robust robot vacuum debate.

Watch the YouTube Live Recording of Episode 551

Runner-up Titles

• It has CarPlay
• iPad Range Anxiety
• an Australian documentary
• Oracle got popped
• Intentions
• I don’t feel bad for them
• Open Source old folks home
• Spreadsheets love it
• Robots are going to take care of us
• The Median User
• Nobody feels bad for the whales
• I have a dog
• I have a Korean microwave
• We’re the Neal Stephenson of podcasts

Rundown

• Ford pulls the plug on the all-electric F-150 Lightning pickup truck
• AI Investment
  • Oracle plummets 11% on weak revenue, pushing down AI stocks like Nvidia and CoreWeave
  • Oracle Shares Drop the Most Since 2001 on Mounting AI Spending
  • OpenAI in Talks to Raise At Least $10 Billion From Amazon and Use Its AI Chips
  • S&P 500 falls after nearing record as Oracle disappointment drags down AI stocks
  • Inside The $1T AI Economy
• Introducing Chainguard EmeritOSS: Sustainable stewardship for mature open source
• Runners
  • Announcing powerful upgrades & a new pricing model for self-hosted runners
  • GitHub to charge for self-hosted runners from March 2026
  • GitHub postpones changes to self-hosted runners pricing plans
  • Why GitHub Why?
• Coursera to buy Udemy, creating $2.5 billion firm to target AI training
• Roomba Maker iRobot Files for Bankruptcy, With Chinese Supplier Taking Control

Relevant to your Interests

• Harness raises a $240M Series E at a $5.5B valuation
• A great platform as a product paper, and a fun platform philosophy thereof
• Google Launches Managed Remote MCP Servers for Its Cloud Services
• Fake Leonardo DiCaprio Movie Torrent Drops Agent Tesla Through Layered PowerShell Chain
• Useful patterns for building HTML tools
• Waymo Seeking Over $15 Billion Near $100 Billion Valuation
• Write your CV or resume as YAML, then run RenderCV, and get a PDF with perfect typography. No template wrestling. No broken layouts. Consistent spacing, every time
• Roomba Maker iRobot Files for Bankruptcy, With Chinese Supplier Taking Control

Nonsense

• The Full Text of Marco Rubio’s Directive on State Department Typography, Re-Establishing Times New Roman

Listener Feedback

• Sent stickers to Jelle in Belgium

Conferences

• cfgmgmtcamp 2026, February 2nd to 4th, Ghent, BE.
  • Coté speaking and doing live SDI with John Willis.
• DevOpsDayLA at SCALE23x, March 6th, Pasadena, CA
  • Use code: DEVOP for 50% off.
• Devnexus 2026, March 4th to 6th, Atlanta, GA.
• Whole bunch of VMUGs, mostly in the US. The CFPs are open, go speak at them! Coté speaking in Amsterdam.
  • Amsterdam (March 17-19, 2026), Minneapolis (April 7-9, 2026), Toronto (May 12-14, 2026), Dallas (June 9-11, 2026), Orlando (October 20-22, 2026)

SDT News & Community

• Join our Slack community
• Email the show: questions@softwaredefinedtalk.com
• Free stickers: Email your address to stickers@softwaredefinedtalk.com
• Follow us on social media: Twitter, Threads, Mastodon, LinkedIn, BlueSky
• Watch us on: Twitch, YouTube, Instagram, TikTok
• Book offer: Use code SDT for $20 off "Digital WTF" by Coté
• Sponsor the show: ads@softwaredefinedtalk.com

Recommendations

• Brandon: Humble Audiobook Bundle: Shadows, Stars & Screams: Epic Audiobooks
• Matt: Termination Shock - Neal Stephenson

Photo Credits

• Header

Download audio: https://aphid.fireside.fm/d/1437767933/9b74150b-3553-49dc-8332-f89bbbba9f92/685f4198-419a-4f95-9fee-e5f70d614dff.mp3

---

---