Reliability | Cost | High | Occasional | AZF-0038

An Application Gateway with empty backend pools returns silent 502s while billing hourly

An Application Gateway whose backend pools have no targets answers every request with a 502. It keeps billing until someone stops or deletes it, so it charges the whole time it serves errors.

Footgun ID: AZF-0038 (Azure Footgun No. 38)
Azure service: Azure Application Gateway
Resource type: Microsoft.Network/applicationGateways
Updated: July 1, 2026

What it is

An Azure Application Gateway whose backend address pools contain no members. Nothing is registered to receive traffic, so the gateway has nowhere to forward a request. Clients that hit its listener get an HTTP 502 (Bad Gateway) instead of a response, and the gateway keeps running and billing the entire time.

Impact (reliability)
Every request through the gateway fails with HTTP 502 (traffic routed to nothing)
Basis: Azure behavior (authored assessment). Figures are estimates, not measurements.

Why it happens

An Application Gateway stores its backends in backendAddressPools, and a pool can be populated two independent ways: IP/FQDN entries (backendAddresses) or NIC references (backendIPConfigurations). A pool is only "occupied" if one of those is non-empty. When the VMs, scale set, or App Service behind the gateway are deleted, migrated, or scaled to zero, the pool empties out but the gateway, listeners, and public IP all stay exactly as they were.

Azure treats this as a perfectly valid configuration, not an error, so there is no warning that the gateway now forwards to nothing. The failure only shows up as 502s in client traffic, which are easy to blame on the app rather than on an empty pool. And a running gateway keeps billing the whole time: the only ways to end the charge are to stop it or delete it, so an empty-pool gateway left in place pays its hourly rate to serve errors.

What it costs / blast radius

The primary harm is an outage: every request that reaches the gateway is black-holed and returned as a 502, with no backend to serve it. If this is your production ingress, the site is down for as long as the pool stays empty, and the cause hides behind a generic gateway error.

The secondary harm is cost. A Standard_v2 gateway runs roughly $144 to $288/month at list price depending on capacity units, and it keeps billing until someone stops or deletes it, so it charges that rate the whole time it is serving errors. (List price; your contract and capacity may differ.)

See it

Find them: Application Gateways where every backend pool is empty
Resources
| where type =~ 'microsoft.network/applicationGateways'
| extend pools = properties.backendAddressPools
| mv-apply pool = pools on (
    // array_length() returns null when a property is absent, and null + n is null,
    // so coalesce each count to 0 before adding.
    extend members = coalesce(array_length(pool.properties.backendAddresses), 0)
                   + coalesce(array_length(pool.properties.backendIPConfigurations), 0)
    | summarize occupiedPools = countif(members > 0)
  )
| where occupiedPools == 0
| project name, resourceGroup, subscriptionId, location,
          sku = properties.sku.name
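The same occupancy rule applied offline to exported gateway JSON, as an added example that is not part of the original page or StratoLens code. It goes beyond the query by also reporting gateways where only some pools are empty; the sample data is constructed, and the function names and status labels are assumptions.

```python
import json

# Constructed sample (not real resources): the first gateway uses the nested
# "properties" shape of ARM / Resource Graph, the second the flattened shape
# printed by `az network application-gateway list`.
SAMPLE = json.loads("""
[
 {"name": "appgw-empty", "resourceGroup": "rg-a",
  "properties": {"backendAddressPools": [
    {"name": "pool-web", "properties": {"backendAddresses": []}},
    {"name": "pool-api", "properties": {}}]}},
 {"name": "appgw-partial", "resourceGroup": "rg-b",
  "backendAddressPools": [
    {"name": "pool-ip", "backendAddresses": [{"ipAddress": "10.1.0.4"}]},
    {"name": "pool-nic",
     "backendIPConfigurations": [{"id": "/placeholder/nic-ipconfig"}]},
    {"name": "pool-old", "backendAddresses": [],
     "backendIPConfigurations": null}]}
]
""")


def _props(obj):
    """Return the property bag whether or not it is nested under 'properties'."""
    return obj["properties"] if isinstance(obj.get("properties"), dict) else obj


def pool_members(pool):
    """Count members from both population methods; missing or null counts as 0."""
    p = _props(pool)
    return (len(p.get("backendAddresses") or [])
            + len(p.get("backendIPConfigurations") or []))


def audit(gateways):
    """Classify each gateway by how many of its backend pools have no members."""
    findings = []
    for gw in gateways:
        pools = _props(gw).get("backendAddressPools") or []
        empty = [p.get("name") for p in pools if pool_members(p) == 0]
        if len(empty) == len(pools):
            status = "all-pools-empty"   # the case this page describes
        elif empty:
            status = "some-pools-empty"  # extension: only part of the gateway
        else:
            status = "ok"
        findings.append({"gateway": gw.get("name"), "status": status,
                         "empty_pools": empty})
    return findings
```

To run it against a live subscription, replace `SAMPLE` with the parsed output of `az network application-gateway list -o json`.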
Fix: re-register the backend that should serve traffic, or delete the gateway
# Point the pool back at the servers that should receive traffic...
az network application-gateway address-pool update \
  --gateway-name appgw-prod --resource-group rg-prod \
  --name backend-pool --servers 10.1.0.4 10.1.0.5

# ...or, if nothing should be behind it anymore, stop paying for it.
az network application-gateway delete \
  --name appgw-prod --resource-group rg-prod

How StratoLens helps

StratoLens checks every Application Gateway across every subscription for empty backend pools, flags the ones routing traffic to nothing, and shows how long they have been that way plus what they last pointed at. Azure Advisor does not cover this case, so a gateway quietly returning 502s in a subscription nobody opens gets surfaced automatically instead of waiting for a customer to report the outage.
