What it is
An Azure Application Gateway whose backend address pools contain no members. Nothing is registered to receive traffic, so the gateway has nowhere to forward a request. Clients that hit its listener get an HTTP 502 (Bad Gateway) instead of a response, and the gateway keeps running and billing the entire time.
Why it happens
An Application Gateway stores its backends in backendAddressPools, and a pool can be populated two independent ways: IP/FQDN entries (backendAddresses) or NIC references (backendIPConfigurations). A pool is only "occupied" if one of those is non-empty. When the VMs, scale set, or App Service behind the gateway are deleted, migrated, or scaled to zero, the pool empties out but the gateway, listeners, and public IP all stay exactly as they were.
Azure treats this as a perfectly valid configuration, not an error, so there is no warning that the gateway now forwards to nothing. The failure only shows up as 502s in client traffic, which are easy to blame on the app rather than on an empty pool. And a running gateway keeps billing the whole time: the only ways to end the charge are to stop it or delete it, so an empty-pool gateway left in place pays its hourly rate to serve errors.
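The occupancy rule described above, as an added Python example (not StratoLens or Azure code). It assumes gateway JSON as exported by `az network application-gateway list -o json`, or the ARM shape with a nested properties object, and treats a missing or null list as zero members. The sample data and resource names are constructed.

```python
import json

# Constructed sample. appgw-a and appgw-b use the flattened az CLI shape;
# appgw-c uses the ARM shape with a nested "properties" object.
SAMPLE = json.loads("""[
 {"name": "appgw-a", "resourceGroup": "rg-a", "operationalState": "Running",
  "backendAddressPools": [
   {"name": "pool1", "backendAddresses": []},
   {"name": "pool2", "backendAddresses": [], "backendIPConfigurations": null}]},
 {"name": "appgw-b", "resourceGroup": "rg-b", "operationalState": "Running",
  "backendAddressPools": [
   {"name": "pool1", "backendAddresses": [{"ipAddress": "10.1.0.4"}]}]},
 {"name": "appgw-c", "resourceGroup": "rg-c",
  "properties": {"operationalState": "Running", "backendAddressPools": [
   {"name": "pool1", "properties": {"backendAddresses": [],
    "backendIPConfigurations": [{"id": "/constructed/nic/ipconfig1"}]}}]}}
]""")

def _props(obj):
    """Return the nested 'properties' object if there is one, else obj itself."""
    inner = obj.get("properties")
    return inner if isinstance(inner, dict) else obj

def pool_members(pool):
    """Count members from both population paths; missing or null counts as 0."""
    p = _props(pool)
    return (len(p.get("backendAddresses") or [])
            + len(p.get("backendIPConfigurations") or []))

def empty_pool_gateways(gateways):
    """Return gateways in which no backend pool has any member."""
    findings = []
    for gw in gateways:
        gp = _props(gw)
        pools = gp.get("backendAddressPools") or []
        if not any(pool_members(p) > 0 for p in pools):
            findings.append({
                "name": gw.get("name"),
                "resourceGroup": gw.get("resourceGroup"),
                "state": gp.get("operationalState"),
                "emptyPools": [p.get("name") for p in pools],
            })
    return findings

if __name__ == "__main__":
    for finding in empty_pool_gateways(SAMPLE):
        print(finding)
```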
What it costs / blast radius
The primary harm is an outage: every request that reaches the gateway is black-holed and returned as a 502, with no backend to serve it. If this is your production ingress, the site is down for as long as the pool stays empty, and the cause hides behind a generic gateway error.
The secondary harm is cost. A Standard_v2 gateway runs roughly $144 to $288/month at list price depending on capacity units, and it keeps billing until someone stops or deletes it, so it charges that rate the whole time it is serving errors. (List price; your contract and capacity may differ.)
See it
Resources
| where type =~ 'microsoft.network/applicationGateways'
| extend pools = properties.backendAddressPools
| mv-apply pool = pools on (
    // array_length() of a missing property is null and null + n is null,
    // so default each count to 0 before adding.
    extend members = coalesce(array_length(pool.properties.backendAddresses), 0)
                   + coalesce(array_length(pool.properties.backendIPConfigurations), 0)
    | summarize occupiedPools = countif(members > 0)
)
| where occupiedPools == 0
| project name, resourceGroup, subscriptionId, location,
    sku = properties.sku.name

# Point the pool back at the servers that should receive traffic...
az network application-gateway address-pool update \
    --gateway-name appgw-prod --resource-group rg-prod \
    --name backend-pool --servers 10.1.0.4 10.1.0.5

# ...or, if nothing should be behind it anymore, stop paying for it.
az network application-gateway delete \
    --name appgw-prod --resource-group rg-prod

How StratoLens helps
StratoLens checks every Application Gateway across every subscription for empty backend pools, flags the ones routing traffic to nothing, and shows how long they have been that way plus what they last pointed at. Azure Advisor does not cover this case, so a gateway quietly returning 502s in a subscription nobody opens gets surfaced automatically instead of waiting for a customer to report the outage.