Does Azure App Gateway WAF V2 uses same static public IP for outbound calls?

Raghava Sai Akula 386 Reputation points
2024-07-16T14:53:48.47+00:00

To call our client APIs, I provided my client with my Azure WAF V2 Application Gateway public IP (2*..*.*9 (MY-AppGateway-pip)) to safelist our IP, and they successfully safelisted it.

However, I am still unable to hit their APIs. Upon further investigation, they informed me that my requests were coming from a different IP address than the provided Azure App Gateway public IP.

Could anyone shed some light on this issue?

Azure Application Gateway
Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
1,098 questions
Azure NAT Gateway
Azure NAT Gateway
NAT Gateway is a fully managed service that securely routes internet traffic from a private virtual network with enterprise-grade performance and low latency.
42 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Ahmed A Hammam 0 Reputation points
    2024-07-16T15:07:29.7666667+00:00

    Hello Raghava Sai Akula

    from my experiance the AppGW PIP uses only for the inbound traffics, if you want to whaitlisted your outpound Public IP check your NAT GW public IP or the other outbound Connectivity" Virual hub, experss route".

    -Ahmed Hammam

    Azure Arch certified

    0 comments No comments

  2. ChaitanyaNaykodi-MSFT 26,936 Reputation points Microsoft Employee
    2024-07-16T18:10:14.54+00:00

    @Raghava Sai Akula

    I understand you wish to know which IP address is used by Azure Application Gateway when it is reaching out to the Client API.

    The behavior here will actually depend on how the API call is implemented by the backend server.

    If the Client API endpoint is added as a Backend Pool member of your Application Gateway then the IP used by the Application Gateway will be as documented here

    Based on the API Endpoint Backend:

    • Is a public endpoint, the application gateway uses its frontend public IP to reach the server. If there isn't a frontend public IP address, one is assigned for the outbound external connectivity.
    • Contains an internally resolvable FQDN or a private IP address, the application gateway routes the request to the backend server by using its instance private IP addresses.
    • Contains an external endpoint or an externally resolvable FQDN, the application gateway routes the request to the backend server by using its frontend public IP address. If the subnet contains service endpoints, the application gateway will route the request to the service via its private IP address. DNS resolution is based on a private DNS zone or custom DNS server, if configured, or it uses the default Azure-provided DNS. If there isn't a frontend public IP address, one is assigned for the outbound external connectivity.

    If the Client API endpoint is not added as the backend pool member of your Application Gateway. In this scenario if the Client API Endpoint is accessed over the internet then the request would be sent using the backend pools Public IP address.As mentioned by Ahmed above the Application Gateway's Public IP is only used for inbound traffic. If there is a requirement to send a outbound connection from the backend pool member then it recommended to use Azure Firewall for such communication as described here.

    Hope this helps! Please let me know if you have any additional questions. Thank you!


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.