How to configure application gateway (WAF) to preserve client ip address

Gregorio Montaño 246 Reputation points


I have configured Application Gateway (WAF) to accept traffic for a backend (web) server. The "public" can access the web server. Good!

But, the backend server sees requests via its logs as coming from the Application Gateway (via its private IP Address) and not on the requesting "public" IP Address.

How do I configure WAF so that it will preserve/pass the requests as coming from public P address (not the private IP address)?


Azure Application Gateway
Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
993 questions
Azure Web Application Firewall
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. risolis 8,701 Reputation points

    Hello @Gregorio Montaño

    Thanks for posting your question.

    If I am not mistaken, you may need to use a Load balancer instance/appliance to do that... WAF is a L7 load Balancer so, it uses session-based cookie as it is described below:

    I hope this may help you...


  2. GitaraniSharma-MSFT 48,531 Reputation points Microsoft Employee

    Hello @Gregorio Montaño

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to configure your Application gateway WAF to preserve the client IP addresses, so that the backend server can see the actual client IP instead of Application gateway IP.

    We are unable to preserve the client IP because the Application gateway is a proxy. It will replace the original client IP with the Application gateway instance IP and forward requests to the backend server. However, Application gateway inserts extra headers to all requests before it forwards the requests to the backend. It includes the x-forwarded-for header which has the original client IP information.
    Refer :

    You can configure Application gateway to modify request and response headers and URL by using Rewrite HTTP headers and URL or to modify the URI path by using a path-override setting. However, unless configured to do so, all incoming requests are proxied to the backend.
    You can use header rewrite to remove the port information from the X-Forwarded-For header to only keep the IP addresses.
    Refer :

    Kindly let us know if the above helped or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.