AzureAzure Application GatewayNetworking

`azurerm_application_gateway` cost estimation

A Layer 7 load balancer with WAF support. Priced by gateway hours, capacity units, and optional WAF tier.

An azurerm_application_gateway is Azure's Layer 7 load balancer with optional Web Application Firewall (WAF). Pricing has two main components: gateway-hour and capacity-unit charges.

Gateway hours: a flat hourly rate by SKU. Standard_v2 is $0.246/hour ($180/month). WAF_v2 is $0.443/hour ($323/month). The older Standard and WAF SKUs (without v2) are deprecated and shouldn't be used.

Capacity units: in addition to gateway hours, you pay per capacity unit consumed. A capacity unit roughly represents 50 connections per second, 2,500 active connections, 2.22 Mbps throughput, or 1 compute unit (whichever is highest). Standard_v2 charges $0.008/CU-hour. WAF_v2 charges more per CU for the WAF processing.

The bill = gateway-hour rate + CU consumption. For a small Application Gateway handling ~100 requests/second, the CU charges are roughly $50-100/month on top of the $180 base.

WAF policies (azurerm_web_application_firewall_policy) are free as configuration, but enabling WAF on the gateway means using the WAF_v2 SKU (the higher tier).

Data transfer follows standard Azure rules: free within the same region/VNet, charged for egress.

Autoscaling capacity (min_capacity, max_capacity in autoscale_configuration) gives Azure room to scale; you only pay for actual capacity units consumed.

c3x reads sku.name and sku.tier. Request volume drives CU consumption and requires c3x-usage.yml entries.

Terraform example

A minimal but realistic configuration that C3X can estimate.

resource "azurerm_application_gateway" "main" {
  name                = "production-appgw"
  resource_group_name = azurerm_resource_group.main.name
  location            = "eastus"

  sku {
    name = "Standard_v2"
    tier = "Standard_v2"
  }

  autoscale_configuration {
    min_capacity = 2
    max_capacity = 10
  }

  gateway_ip_configuration {
    name      = "config"
    subnet_id = azurerm_subnet.appgw.id
  }

  frontend_port {
    name = "https"
    port = 443
  }

  frontend_ip_configuration {
    name                 = "public"
    public_ip_address_id = azurerm_public_ip.appgw.id
  }

  backend_address_pool {
    name = "backend"
  }

  backend_http_settings {
    name                  = "http"
    cookie_based_affinity = "Disabled"
    port                  = 8080
    protocol              = "Http"
    request_timeout       = 30
  }

  http_listener {
    name                           = "listener"
    frontend_ip_configuration_name = "public"
    frontend_port_name             = "https"
    protocol                       = "Https"
    ssl_certificate_name           = "cert"
  }

  request_routing_rule {
    name                       = "rule"
    rule_type                  = "Basic"
    http_listener_name         = "listener"
    backend_address_pool_name  = "backend"
    backend_http_settings_name = "http"
    priority                   = 100
  }
}

Pricing dimensions

What you actually pay for when you provision azurerm_application_gateway.

Dimension	Unit	What's being charged
Standard_v2 gateway hours	per gateway-hour	Base hourly rate for the Standard v2 SKU. $0.246/hour ≈ $180/month
WAF_v2 gateway hours	per gateway-hour	Application Gateway with WAF enabled. Higher base rate. $0.443/hour ≈ $323/month
Capacity unit hours (Standard_v2)	per CU-hour	Variable capacity units consumed by traffic. Min capacity is your floor. $0.008/CU-hour
Capacity unit hours (WAF_v2)	per CU-hour	Higher per-CU rate because of WAF processing overhead.
Data transfer out	per GB	Standard Azure egress rates for traffic leaving Azure.

Optimization tips

Common ways to reduce azurerm_application_gateway cost without changing the workload.

Use Standard_v2 unless you specifically need WAF

About 45%

WAF_v2 is roughly 80% more expensive per hour. If you don't need OWASP rules, custom rules, or geo-blocking at the edge, Standard_v2 is the right choice.

Set min_capacity low for predictable workloads

Off-peak capacity

Minimum capacity is your floor for billable CU. If your traffic spikes only during business hours, min_capacity = 2 with max_capacity = 10 lets the gateway scale down between peaks.

Consolidate multiple apps on one Application Gateway

$180/month per consolidated gateway

Application Gateway supports multiple listeners, multiple backend pools, and host-header-based routing. Three separate gateways at $180/month each can become one at $180 with negligible CU increase.

Use Azure Front Door for global edge instead

Workload-dependent

Front Door is a global edge service with its own pricing model. For multi-region or global apps, Front Door is often cheaper than running Application Gateways in each region.

FAQ

Standard_v2 or WAF_v2?

WAF_v2 only if you need OWASP rule sets, custom rules, IP/geo blocking, or bot protection. For pure load balancing without security inspection, Standard_v2 is roughly 45% cheaper.

How does c3x estimate capacity unit consumption?

c3x reads min_capacity from autoscale_configuration as the floor. For real traffic, specify monthly_capacity_units in c3x-usage.yml. The Application Gateway documentation has a calculator for converting requests/sec to CU.

What about the older Standard and WAF SKUs (without v2)?

Deprecated. The non-v2 SKUs have lower base hourly rates but lack autoscaling, zone redundancy, and other v2 features. AWS is migrating users to v2; new deployments should always use v2.

Does the public IP cost extra?

Yes. The associated azurerm_public_ip is billed separately at ~$3/month for a Standard SKU static IP. Negligible compared to the Application Gateway itself.