What is Azure Application Gateway v2?

Application Gateway is available under a Standard_v2 SKU. Web Application Firewall (WAF) is available under a WAF_v2 SKU. The v2 SKU offers performance enhancements and adds support for critical new features like autoscaling, zone redundancy, and support for static VIPs. Existing features under the Standard and WAF SKU continue to be supported in the new v2 SKU, with a few exceptions listed in comparison section.

The new v2 SKU includes the following enhancements:

  • TCP/TLS proxy (Preview): Azure Application Gateway now also supports Layer 4 (TCP protocol) and TLS (Transport Layer Security) proxying. This feature is currently in public preview. For more information, see Application Gateway TCP/TLS proxy overview.

  • Autoscaling: Application Gateway or WAF deployments under the autoscaling SKU can scale out or in based on changing traffic load patterns. Autoscaling also removes the requirement to choose a deployment size or instance count during provisioning. This SKU offers true elasticity. In the Standard_v2 and WAF_v2 SKU, Application Gateway can operate both in fixed capacity (autoscaling disabled) and in autoscaling enabled mode. Fixed capacity mode is useful for scenarios with consistent and predictable workloads. Autoscaling mode is beneficial in applications that see variance in application traffic.

  • Zone redundancy: An Application Gateway or WAF deployment can span multiple Availability Zones, removing the need to provision separate Application Gateway instances in each zone with a Traffic Manager. You can choose a single zone or multiple zones where Application Gateway instances are deployed, which makes it more resilient to zone failure. The backend pool for applications can be similarly distributed across availability zones.

    Zone redundancy is available only where Azure Zones are available. In other regions, all other features are supported. For more information, see Regions and Availability Zones in Azure

  • Static VIP: Application Gateway v2 SKU supports the static VIP type exclusively. This ensures that the VIP associated with the application gateway doesn't change for the lifecycle of the deployment, even after a restart. There isn't a static VIP in v1, so you must use the application gateway URL instead of the IP address for domain name routing to App Services via the application gateway.

  • Header Rewrite: Application Gateway allows you to add, remove, or update HTTP request and response headers with v2 SKU. For more information, see Rewrite HTTP headers with Application Gateway

  • Key Vault Integration: Application Gateway v2 supports integration with Key Vault for server certificates that are attached to HTTPS enabled listeners. For more information, see TLS termination with Key Vault certificates.

  • Mutual Authentication (mTLS): Application Gateway v2 supports authentication of client requests. For more information, see Overview of mutual authentication with Application Gateway.

  • Azure Kubernetes Service Ingress Controller: The Application Gateway v2 Ingress Controller allows the Azure Application Gateway to be used as the ingress for an Azure Kubernetes Service (AKS) known as AKS Cluster. For more information, see What is Application Gateway Ingress Controller.

  • Private link: The v2 SKU offers private connectivity from other virtual networks in other regions and subscriptions through the use of private endpoints.

  • Performance enhancements: The v2 SKU offers up to 5X better TLS offload performance as compared to the Standard/WAF SKU.

  • Faster deployment and update time: The v2 SKU provides faster deployment and update time as compared to Standard/WAF SKU. This also includes WAF configuration changes.

Diagram of auto-scaling zone.

Unsupported regions

The Standard_v2 and WAF_v2 SKU isn't currently available in the following regions:

  • UK North
  • UK South 2
  • China East
  • China North
  • US DOD East
  • US DOD Central


With the v2 SKU, the pricing model is driven by consumption and is no longer attached to instance counts or sizes. The v2 SKU pricing has two components:

  • Fixed price - This is hourly (or partial hour) price to provision a Standard_v2 or WAF_v2 Gateway. Please note that 0 additional minimum instances still ensures high availability of the service which is always included with fixed price.
  • Capacity Unit price - This is a consumption-based cost that is charged in addition to the fixed cost. Capacity unit charge is also computed hourly or partial hourly. There are three dimensions to capacity unit - compute unit, persistent connections, and throughput. Compute unit is a measure of processor capacity consumed. Factors affecting compute unit are TLS connections/sec, URL Rewrite computations, and WAF rule processing. Persistent connection is a measure of established TCP connections to the application gateway in a given billing interval. Throughput is average Megabits/sec processed by the system in a given billing interval. The billing is done at a Capacity Unit level for anything above the reserved instance count.

Each capacity unit is composed of at most: 1 compute unit, 2500 persistent connections, and 2.22-Mbps throughput.

To learn more, see Understanding pricing.

Feature comparison between v1 SKU and v2 SKU

The following table compares the features available with each SKU.

Feature v1 SKU v2 SKU
Zone redundancy
Static VIP
Azure Kubernetes Service (AKS) Ingress controller
Azure Key Vault integration
Rewrite HTTP(S) headers
Enhanced Network Control (NSG, Route Table, Private IP Frontend only)
URL-based routing
Multiple-site hosting
Mutual Authentication (mTLS)
Private Link support
Traffic redirection
Web Application Firewall (WAF)
WAF custom rules
WAF policy associations
Transport Layer Security (TLS)/Secure Sockets Layer (SSL) termination
End-to-end TLS encryption
Session affinity
Custom error pages
WebSocket support
HTTP/2 support
Connection draining
Proxy NTLM authentication


The autoscaling v2 SKU now supports default health probes to automatically monitor the health of all resources in its backend pool and highlight those backend members that are considered unhealthy. The default health probe is automatically configured for backends that don't have any custom probe configuration. To learn more, see health probes in application gateway.

Differences from v1 SKU

This section describes features and limitations of the v2 SKU that differ from the v1 SKU.

Difference Details
Mixing Standard_v2 and Standard Application Gateway on the same subnet Not supported
User-Defined Route (UDR) on Application Gateway subnet For information about supported scenarios, see Application Gateway configuration overview.
NSG for Inbound port range - 65200 to 65535 for Standard_v2 SKU
- 65503 to 65534 for Standard SKU.
Not required for v2 SKUs in public preview Learn more.
For more information, see the FAQ.
Performance logs in Azure diagnostics Not supported.
Azure metrics should be used.
FIPS mode Currently not supported.
Private frontend configuration only mode Currently in public preview Learn more.
Microsoft Defender for Cloud integration Not yet available.

Migrate from v1 to v2

An Azure PowerShell script is available in the PowerShell gallery to help you migrate from your v1 Application Gateway/WAF to the v2 Autoscaling SKU. This script helps you copy the configuration from your v1 gateway. Traffic migration is still your responsibility. For more information, see Migrate Azure Application Gateway from v1 to v2.

Next steps

Depending on your requirements and environment, you can create a test Application Gateway using either the Azure portal, Azure PowerShell, or Azure CLI.