![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 23%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAK%3C/text%3E%3C/svg%3E)
Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
956 questions
Hello @anil kumar ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you would like to know if there is any use case which requires you to put NAT gateway in front of Application gateway.
You cannot put a NAT gateway in front of Application gateway like you can do with Azure Front Door or Traffic Manager as they have a concept of backend pool which NAT gateway doesn't have.
But you can certainly use both Application gateway and NAT gateway together for their respective uses.
NAT gateway provides outbound internet connectivity for one or more subnets of a virtual network. Inbound initiated traffic is not affected by the addition of NAT gateway.
Refer : https://learn.microsoft.com/en-us/azure/virtual-network/nat-gateway/nat-gateway-resource
Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications, which means it provides inbound connectivity to your webapps.
Refer : https://learn.microsoft.com/en-us/azure/app-service/networking/app-gateway-with-service-endpoints
Now, if you have a requirement where your webapps should have outbound traffic, you cannot control the outbound IP address by default as there are many IP addresses that are used for webapp outbound calls. The outbound addresses used by your app for making outbound calls are listed in the properties for your app. These addresses are shared by all the apps running on the same worker VM family in the App Service deployment. Azure app service don't automatically provide dedicated static IP addresses for outbound traffic.
Refer : https://learn.microsoft.com/en-us/azure/app-service/networking-features#outbound-addresses
https://learn.microsoft.com/en-us/azure/app-service/overview-inbound-outbound-ips
You may have a requirement to control the outbound IP address and have a static IP for IP whitelisting purposes.
You can control the IP address of outbound traffic from your app by using regional VNet integration together with a virtual network NAT gateway to direct traffic through a static public IP address. Regional VNet integration is available on Standard, Premium, PremiumV2 and PremiumV3 App Service plans.
Refer : https://learn.microsoft.com/en-us/azure/app-service/overview-inbound-outbound-ips#get-a-static-outbound-ip
https://learn.microsoft.com/en-us/azure/architecture/guide/multitenant/service/nat-gateway
https://learn.microsoft.com/en-us/azure/app-service/networking/nat-gateway-integration
In such a case where you would like to load balance inbound traffic to your webapps + control the IP address of outbound traffic from your app, you can use both Application gateway and NAT gateway for their respective features.
You can see such an architecture with AKS in the below template:
https://learn.microsoft.com/en-us/samples/azure/azure-quickstart-templates/aks-nat-agic/
Kindly let us know if the above helps or you need further assistance on this issue.
----------------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 20%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3E0%3C/text%3E%3C/svg%3E)