Azure firewall behind AGW

Question

Azure firewall behind AGW

Brajesh Kumar 20

Hi All,

we want to configure azure firewall behind application gateway to translate further to project specific spoke Internal AGW.

Internet client -> HUB Public application gateway -> HUB Azure firewall -> Spoke Internal Application gateway.

Can we configure Azure firewall Private IP as backend pool of Public AGW ?
How to configure health probe for this if not healthy cant forward traffic?
Do we have to force traffic on HUB Public AGW subnet using route to Azure firewall Private IP ?
Do we need to create custom route on Spoke internal AGW for return traffic (only from ingress traffic)?

Harish Peddapally 1,590 Reputation points Microsoft External Staff Moderator

2025-10-28T09:14:17.26+00:00
Hi Brajesh Kumar,

Welcome to Microsoft Q&A and thank you for posting your query here!

If you want to place Azure Firewall behind your Application Gateway, so that all inbound traffic first hits the Application Gateway, then passes through the Firewall, and finally reaches the spoke’s internal Application Gateway, here’s how you can achieve it:

1. Can you use Azure Firewall’s Private IP as the AGW Backend Pool?

Yes, you can, but with an important consideration.

Azure Firewall is a stateful device and is not designed to respond directly to HTTP/S health probes or host-based requests like a typical backend server. So, while you can technically add the Firewall’s private IP to the Application Gateway backend pool, it will not respond to Layer 7 health probes. This setup works best if the firewall is performing DNAT to forward traffic to downstream internal resources (like your internal AGW).

Recommendation: Use Azure Firewall DNAT rules to forward inbound traffic from the public AGW to the internal AGW’s private IP. The public AGW will send traffic to the Firewall’s private IP (backend pool entry), and the Firewall will then forward it based on DNAT configuration.

2. Health Probe for the Firewall Backend:

Since Azure Firewall won’t respond to standard health probes, your Application Gateway probe will show the backend as “unhealthy” if you probe the firewall directly.

Options:

Use a custom probe that points to a known reachable endpoint behind the firewall (e.g., a health endpoint on the internal AGW).

Or configure the AGW to ignore probe results (not ideal but sometimes necessary in inspection-only designs).
Refer: Create a custom probe.

3. Routing All Outbound Traffic through the Firewall:

Yes, you’ll need a User-Defined Route (UDR) on the Application Gateway subnet in the HUB to send all outbound traffic (0.0.0.0/0 or specific destination prefixes) to the Azure Firewall’s private IP as the next hop. This ensures that all egress traffic from AGW passes through the firewall for inspection.

4. Custom Route on Spoke/Internal AGW Subnet:

Yes, for return traffic, create a custom route on the internal AGW’s subnet so that response packets are also sent back out via the firewall’s private IP. This keeps both request and reply streams passing through your security controls, an important best practice for visibility and security posture

Reference guides for your setup:

Example design and best practices: Microsoft Docs Scenario

Custom probe steps: Configure probes

Secure routing with UDRs: Routing via firewall

Zero trust routing example: AGW before Firewall reference

You can place Azure Firewall behind Application Gateway using its private IP as a backend, but make sure to:

Configure DNAT rules on the firewall,

Set up a custom probe or point probes to a reachable target, and

Apply UDRs on both HUB and spoke subnets for symmetric routing.

This design ensures your inbound flows are securely inspected and properly routed through the firewall.

I hope this helps! If you need any further assistance, feel free to reach out to us.

Thanks,

Harish.
Brajesh Kumar 20 Reputation points

2025-10-28T09:33:04.5233333+00:00

Thank you Harish.

we want use multi site listener to forward traffic to multiple project internal AGW.

Client 1-> xyz.com > Public AGW -> AzFW -> DNAT on source port 8888 translate to Internal AGW1.

Client 2-> abc.com > Public AGW -> AzFW -> DNAT on source port 8889 translate to Internal AGW2.
Harish Peddapally 1,590 Reputation points Microsoft External Staff Moderator

2025-10-29T06:40:13.3533333+00:00
Hi Brajesh Kumar,

Good day, i hope you are doing grea!

Thanks for the details.

Your approach to use multi-site listeners on the Public Application Gateway (AGW) to route traffic for different domains (e.g., xyz.com, abc.com) through the Azure Firewall to separate internal Application Gateways is a solid and flexible design. Here’s how you can configure it correctly:

1. Multi-Site Listener Setup:

On the Public Application Gateway, create multi-site listeners for each domain — for example, one for xyz.com and another for abc.com.

Each listener should have its own HTTP setting that sends traffic to the Azure Firewall’s private IP, but on a unique destination port (e.g., 8888 for xyz.com, 8889 for abc.com).

This differentiation by destination port allows the Azure Firewall to apply specific DNAT rules for each internal AGW.

2. Azure Firewall DNAT Configuration:

In Azure Firewall, configure DNAT rules that translate based on the destination port, not the source port (since AGW uses random ephemeral source ports).

Example:

xyz.com → AzFW Private IP:8888 if dest port = 8888 → Internal AGW1:443

abc.com → AzFW Private IP:8889 if dest port = 8889 → Internal AGW2:443

So the flow looks like this:

Client → Public AGW (xyz.com listener) → Backend to AzFW Private IP:8888 → AzFW DNAT (dest port 8888 → Internal AGW1:443) Client → Public AGW (abc.com listener) → Backend to AzFW Private IP:8889 → AzFW DNAT (dest port 8889 → Internal AGW2:443)

This ensures that traffic for each domain is properly routed through the firewall to its respective internal Application Gateway.

3. Health Probes:

Because the Azure Firewall won’t respond to HTTP probes directly:

Configure custom health probes on the AGW that point to reachable endpoints behind the firewall (for example, /health on each internal AGW).

If end-to-end health probing is not possible, you can temporarily disable probe enforcement, though this is not recommended for production.

4. Routing and UDRs:

On the Public AGW subnet, create a User-Defined Route (UDR) with the next hop as the Azure Firewall’s private IP.

On each Internal AGW subnet, add a UDR to route return traffic back through the Azure Firewall. This ensures symmetric routing, which is essential for stateful inspection and proper session handling.

for more info: https://learn.microsoft.com/en-us/azure/application-gateway/multiple-site-overview
https://learn.microsoft.com/en-us/azure/architecture/example-scenario/gateway/firewall-application-gateway

Please do let me know if you have any questions on this!

Thanks,

Harish.
Brajesh Kumar 20 Reputation points

2025-10-29T10:31:26.5833333+00:00

Thank you very much.

Understood that we have to seperate traffic for separate destination on destination port level of DNAT rule.
Harish Peddapally 1,590 Reputation points Microsoft External Staff Moderator

2025-10-30T04:23:14.15+00:00

Hi Brajesh Kumar,

Good day, i hope you are doing grea!

You’re absolutely right. The separation of traffic based on the destination port in the Azure Firewall DNAT rules is the correct approach for your multi‑site listener setup.

This way, each domain (xyz.com, abc.com, etc.) received on the Public Application Gateway is forwarded to a unique port on the firewall, which then translates it to the corresponding internal Application Gateway.

Just make sure that:

Each domain listener on the Public AGW uses a distinct HTTP setting with the correct destination port.

The DNAT rules in Azure Firewall map those ports accurately to the internal AGW private IP and port 443 (or whichever your internal AGW listens on).

Symmetric routing through the firewall is maintained in both directions with proper UDRs.

Glad to see your design taking shape, this setup will provide clean separation and secure inspection for all inbound traffic paths.

Thanks,

Harish

1 answer

Your answer

Brajesh Kumar 20 Reputation points

2025-10-28T09:33:04.5233333+00:00

Thank you Harish.

we want use multi site listener to forward traffic to multiple project internal AGW.

Client 1-> xyz.com > Public AGW -> AzFW -> DNAT on source port 8888 translate to Internal AGW1.

Client 2-> abc.com > Public AGW -> AzFW -> DNAT on source port 8889 translate to Internal AGW2.
Brajesh Kumar 20 Reputation points

2025-10-29T10:31:26.5833333+00:00

Thank you very much.

Understood that we have to seperate traffic for separate destination on destination port level of DNAT rule.
Harish Peddapally 1,590 Reputation points Microsoft External Staff Moderator

2025-10-30T04:23:14.15+00:00

Hi Brajesh Kumar,

Good day, i hope you are doing grea!

You’re absolutely right. The separation of traffic based on the destination port in the Azure Firewall DNAT rules is the correct approach for your multi‑site listener setup.

This way, each domain (xyz.com, abc.com, etc.) received on the Public Application Gateway is forwarded to a unique port on the firewall, which then translates it to the corresponding internal Application Gateway.

Just make sure that:

Each domain listener on the Public AGW uses a distinct HTTP setting with the correct destination port.

The DNAT rules in Azure Firewall map those ports accurately to the internal AGW private IP and port 443 (or whichever your internal AGW listens on).

Symmetric routing through the firewall is maintained in both directions with proper UDRs.

Glad to see your design taking shape, this setup will provide clean separation and secure inspection for all inbound traffic paths.

Thanks,

Harish

Answer 1

Hi Brajesh Kumar,

Good day, i hope you are doing great!

Welcome to Microsoft Q&A and thank you for posting your query here!

Thank you for your detailed query and discussion here. Below is a consolidated answer on how to configure Azure Firewall behind a public Application Gateway (AGW) forwarding traffic to multiple spoke internal AGWs, addressing your key questions:

1. Can Azure Firewall Private IP be a Backend Pool for Public AGW?

Yes, you can configure the Azure Firewall's private IP as a backend pool target in the public AGW. However, keep in mind Azure Firewall is a stateful network device and does not respond to HTTP/S health probes directly like a backend server. Therefore, while the AGW can send traffic to the Firewall’s private IP, the Firewall itself won't respond to Layer 7 health probes.

Recommendation: Instead of probing the firewall, configure custom health probes on the public AGW that target reachable endpoints behind the firewall, such as health endpoints on internal AGWs, to verify backend health.

2. How to Configure Health Probes?

Use custom probes on the public AGW that point to a known healthy path on each internal AGW behind the firewall.

Alternatively, you can configure the AGW to ignore probe status for the firewall backend, but this is not recommended for production environments.

This approach ensures the health probe reflects actual backend service status rather than the firewall's health.

3. Do You Need to Force Traffic on the HUB Public AGW Subnet Using Routes to Azure Firewall?

Yes. You need to create a User-Defined Route (UDR) on the public AGW subnet in the HUB VNet that directs all outbound traffic (0.0.0.0/0) or specific destination prefixes toward the Azure Firewall’s private IP as the next hop. This forces all egress traffic through the firewall for inspection.

4. Routing Return Traffic from Spoke Internal AGWs:

To maintain symmetric routing and ensure return traffic passes back through the firewall:

Create appropriate custom routes (UDRs) on the internal AGW subnets in the spoke VNets.

These routes should direct return traffic destined for ingress sources back via the Azure Firewall’s private IP.

This is critical to keep both requests and responses flowing through your security inspection point.

5. Multi-Site Listener and DNAT Use Case:

For your design where you have multiple client domains (e.g., xyz.com, abc.com) forwarding traffic via the public AGW and firewall to separate internal AGWs:
Configure multi-site listeners on the public AGW for each domain.
Each listener uses a dedicated HTTP setting with a unique destination port on the firewall backend pool, for example:
xyz.com → destination port 8888
abc.com → destination port 8889

On the Azure Firewall, configure DNAT rules that translate traffic based on the destination port (not source port), forwarding to the respective internal AGW private IP and port (typically 443).

Traffic flow example:

Client → Public AGW (xyz.com listener) → Azure Firewall Private IP:8888 → DNAT to Internal AGW1:443

Client → Public AGW (abc.com listener) → Azure Firewall Private IP:8889 → DNAT to Internal AGW2:443

Summary:

Use Azure Firewall private IP in the public AGW backend pool.
Use custom health probes targeting internal AGWs behind the firewall.
Enforce routing via Azure Firewall by setting UDRs on both public AGW subnet and internal AGG spoke subnets.
Use multi-site listeners with unique ports and DNAT rules for different domains/internal AGWs.
Maintain symmetric traffic routing through the firewall using appropriate custom routes.
This design ensures secure, inspected, and properly routed inbound traffic paths from internet clients through your HUB public AGW, Azure Firewall, and finally to spoke internal AGWs.

For detailed guidance, you can also refer to Microsoft's official documentation:

Multi-site listeners: https://learn.microsoft.com/en-us/azure/application-gateway/multiple-site-overview

Firewall & Application Gateway example: https://learn.microsoft.com/en-us/azure/architecture/example-scenario/gateway/firewall-application-gateway

If you have any further questions or need clarification, feel free to ask.

If the provided information answers your query, do click "Upvote" and "Accept Answer", it will help others who might be facing similar challenges.

Thanks,

Harish.

Share via

Azure firewall behind AGW

1 answer

Your answer