Azure Application Gateway v2 now supports Private Application Gateway, a major networking enhancement that allows customers to deploy Application Gateway with private IP-only connectivity and full network isolation. This capability significantly improves security posture, routing flexibility, and compliance readiness for enterprise workloads. This blog explains what Private Application Gateway is, why it matters, how to enable it, and real-world scenarios where it delivers immediate value.
What Is Private Application Gateway?
Historically, Application Gateway v2 required a public IP address to communicate with the Azure control plane (GatewayManager). This requirement imposed several constraints:
- Mandatory public IP exposure
- Restricted Network Security Group (NSG) rules
- Limited route table flexibility
- No support for forced tunneling
Private Application Gateway removes these limitations by introducing Application Gateway Network Isolation, enabling:
- Private IP-only frontend
- No public IP requirement
- Full NSG and route table control
- Forced tunneling support
- Controlled outbound connectivity
All management and data traffic remains on the Azure backbone network.
Key Capabilities (Now Generally Available)
| Capability | Description |
|---|---|
| Private IP-only frontend | Application Gateway can be deployed without any public IP |
| Network Isolation | Removes dependency on GatewayManager service tag |
| Custom NSG rules | Full control of inbound and outbound rules |
| Deny All outbound support | Prevent unintended internet egress |
| Route table flexibility | Support for 0.0.0.0/0 to virtual appliances |
| Forced tunneling | Works with on-premises or hub firewalls |
Architecture Overview
Private Application Gateway architecture (diagram):
- No public IP
- No internet dependency
- Fully private traffic flow
How to Enable Application Gateway Network Isolation
(Required for Private Application Gateway)
The Network Isolation feature must be enabled at deployment time.
Option 1: Azure Portal (Recommended)
- Go to Create Application Gateway
- Select SKU: Standard_v2 or WAF_v2
- During Advanced configuration:
  - Enable Network isolation
  - Configure:
    - Private frontend IP only
    - No public IP
- Deploy the gateway
Once enabled, the gateway no longer requires inbound GatewayManager access or unrestricted outbound internet access.
Option 2: Azure CLI / PowerShell / ARM
When deploying via automation:
- Enable the private deployment / network isolation capability during creation
- Apply:
  - Custom NSG rules
  - Custom route tables
  - Private DNS resolution
Existing gateways cannot be retrofitted: network isolation must be enabled at creation time.
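The template-visible part of such an automated deployment, as an added example that is not from the original post or from Microsoft's documentation: a minimal Bicep file for an Application Gateway v2 whose only frontend is a static private IP, with no public IP resource referenced anywhere. It assumes the network isolation capability is available to the subscription (see the reference link below), and the resource names, subnet ID, private IP and backend FQDN are placeholders.

```bicep
// Added example (not the post's or Microsoft's code): Application Gateway v2 with
// a private-IP-only frontend. Names, subnet ID, IP and FQDN are placeholder assumptions.
param location string = resourceGroup().location
param gatewayName string = 'agw-private-example'
param subnetId string                          // resource ID of the dedicated Application Gateway subnet
param privateFrontendIp string = '10.10.1.10'  // must lie inside that subnet
param backendFqdn string = 'app.internal.example.com'

// Standard_v2 shown; WAF_v2 works the same way but additionally needs a firewallPolicy reference.
resource appGw 'Microsoft.Network/applicationGateways@2023-09-01' = {
  name: gatewayName
  location: location
  properties: {
    sku: { name: 'Standard_v2', tier: 'Standard_v2' }
    autoscaleConfiguration: { minCapacity: 0, maxCapacity: 2 }
    gatewayIPConfigurations: [
      {
        name: 'gwipcfg'
        properties: { subnet: { id: subnetId } }
      }
    ]
    // The only frontend is a static private IP in the gateway subnet. There is
    // deliberately no publicIPAddress property anywhere in this template.
    frontendIPConfigurations: [
      {
        name: 'privateFrontend'
        properties: {
          privateIPAllocationMethod: 'Static'
          privateIPAddress: privateFrontendIp
          subnet: { id: subnetId }
        }
      }
    ]
    // Port 80 keeps the example short; a production listener terminates TLS with a
    // certificate from Key Vault, which is why the NSG model also allows Key Vault egress.
    frontendPorts: [ { name: 'port80', properties: { port: 80 } } ]
    backendAddressPools: [
      {
        name: 'appPool'
        properties: { backendAddresses: [ { fqdn: backendFqdn } ] }
      }
    ]
    backendHttpSettingsCollection: [
      {
        name: 'httpSettings'
        properties: {
          port: 80
          protocol: 'Http'
          cookieBasedAffinity: 'Disabled'
          requestTimeout: 30
        }
      }
    ]
    httpListeners: [
      {
        name: 'privateListener'
        properties: {
          frontendIPConfiguration: {
            id: resourceId('Microsoft.Network/applicationGateways/frontendIPConfigurations', gatewayName, 'privateFrontend')
          }
          frontendPort: {
            id: resourceId('Microsoft.Network/applicationGateways/frontendPorts', gatewayName, 'port80')
          }
          protocol: 'Http'
        }
      }
    ]
    requestRoutingRules: [
      {
        name: 'routeToApp'
        properties: {
          ruleType: 'Basic'
          priority: 100
          httpListener: {
            id: resourceId('Microsoft.Network/applicationGateways/httpListeners', gatewayName, 'privateListener')
          }
          backendAddressPool: {
            id: resourceId('Microsoft.Network/applicationGateways/backendAddressPools', gatewayName, 'appPool')
          }
          backendHttpSettings: {
            id: resourceId('Microsoft.Network/applicationGateways/backendHttpSettingsCollection', gatewayName, 'httpSettings')
          }
        }
      }
    ]
  }
}

// Register this address in private DNS; nothing in this template is reachable from the internet.
output privateFrontendAddress string = privateFrontendIp
```

Deploy it with `az deployment group create --resource-group <rg> --template-file agw-private.bicep --parameters subnetId=<subnet resource ID>`. A quick check that the result matches the intent is to confirm the deployed gateway's `frontendIPConfigurations` contains no entry with a `publicIPAddress`, which is exactly what Azure Policy can enforce in a landing zone.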
Reference:
https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-private-deployment
Recommended NSG & Routing Model
NSG
- Allow only required inbound ports (for application traffic)
- Explicit outbound allow rules for:
  - Azure Monitor
  - Key Vault (if used)
- Final rule: Deny All outbound
Route Table
- 0.0.0.0/0 -> Virtual Appliance (Firewall / NVA)
- Supports forced tunneling and traffic inspection
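The NSG and route table model above, written out as an added Bicep example (not from the original post) for the Application Gateway subnet. Address ranges, the firewall/NVA IP and resource names are placeholder assumptions. One caveat a practitioner should know is built in: a custom Deny All outbound rule has a lower priority number than the default AllowVnetOutBound rule (65000) and therefore overrides it, so traffic to backend pools in the VNet must be explicitly allowed ahead of the deny, or the gateway can no longer reach its backends.

```bicep
// Added example (not the post's code): NSG with explicit allows and a final deny-all
// outbound rule, plus a 0.0.0.0/0 route to the hub firewall. Ranges and IPs are
// placeholder assumptions.
param location string = resourceGroup().location
param gatewaySubnetPrefix string = '10.10.1.0/24'  // Application Gateway subnet
param corpClientPrefix string = '10.0.0.0/8'       // corporate / on-premises client ranges
param firewallPrivateIp string = '10.10.0.4'       // hub firewall or NVA private IP

resource agwNsg 'Microsoft.Network/networkSecurityGroups@2023-09-01' = {
  name: 'nsg-agw-private'
  location: location
  properties: {
    securityRules: [
      // Inbound: only application traffic, only from corporate ranges.
      // No GatewayManager rule is needed once network isolation is enabled.
      {
        name: 'AllowCorpHttpsInbound'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: corpClientPrefix
          sourcePortRange: '*'
          destinationAddressPrefix: gatewaySubnetPrefix
          destinationPortRange: '443'
        }
      }
      // Outbound: explicit allow for the monitoring dependency, by service tag.
      {
        name: 'AllowAzureMonitorOutbound'
        properties: {
          priority: 100
          direction: 'Outbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: 'AzureMonitor'
          destinationPortRange: '443'
        }
      }
      // Backends: the custom deny below outranks the default AllowVnetOutBound rule,
      // so reaching backend pools in this VNet (and peered VNets) must be allowed here.
      {
        name: 'AllowBackendsOutbound'
        properties: {
          priority: 120
          direction: 'Outbound'
          access: 'Allow'
          protocol: '*'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: 'VirtualNetwork'
          destinationPortRange: '*'
        }
      }
      // Final rule: deny all other egress, including the internet.
      {
        name: 'DenyAllOutbound'
        properties: {
          priority: 4000
          direction: 'Outbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}

resource agwRouteTable 'Microsoft.Network/routeTables@2023-09-01' = {
  name: 'rt-agw-private'
  location: location
  properties: {
    routes: [
      // Forced tunneling: everything not otherwise routed goes to the firewall / NVA.
      {
        name: 'DefaultToFirewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}
```

If the gateway uses Key Vault certificates, add an outbound allow with the same shape as the Azure Monitor rule and `destinationAddressPrefix: 'AzureKeyVault'` at a priority below 4000. Associate both resources with the gateway subnet, for example with `az network vnet subnet update --resource-group <rg> --vnet-name <vnet> --name <agw-subnet> --network-security-group nsg-agw-private --route-table rt-agw-private`. Because the default route also carries the Azure Monitor and backend traffic, the hub firewall must permit those flows as well.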
Real-World Scenarios
Scenario 1: Financial Services - Regulatory Compliance
Banks deploy Application Gateway privately behind a hub firewall, ensuring:
- No public IP exposure
- All traffic inspected
- Full audit control
Scenario 2: Enterprise Landing Zones
Platform teams deploy standardized, policy-compliant gateways:
- Azure Policy blocks public IP creation
- Private Application Gateway fully supported
Scenario 3: Hybrid Connectivity with Forced Tunneling
Traffic from Application Gateway flows through:
- Azure Firewall
- On-premises inspection devices
- Central logging systems
Scenario 4: Internal Line-of-Business Apps
HR, Finance, and internal portals:
- Accessible only from corporate networks
- No internet attack surface
Important Considerations
- Network Isolation must be enabled at creation
- Requires Standard_v2 or WAF_v2
- Private DNS planning is critical
- Monitoring endpoints must be explicitly allowed
When Should You Use Private Application Gateway?
- You want zero public exposure
- You require forced tunneling
- You enforce Deny All outbound
- You operate in regulated environments
- You follow Enterprise Landing Zone patterns
Final Thoughts
Private Application Gateway fundamentally changes how Application Gateway fits into secure Azure architectures. With Network Isolation now generally available, customers can finally deploy Application Gateway in fully private, firewall-controlled, enterprise-grade environments, without workarounds.
This feature unlocks new design patterns for:
- Landing Zones
- Hub-and-spoke networks
- Regulated workloads
- Hybrid connectivity