Hello Gokul R Dev,
Unfortunately, Azure Traffic Manager doesn’t support adding Azure Firewall directly as an endpoint. Traffic Manager is a DNS-based load balancer and expects endpoints like:
- Azure App Services
- Azure VMs or VM Scale Sets
- Public IP addresses (such as those of Application Gateways or Load Balancers)
- External endpoints (custom FQDNs)
However, you can create a solution where Traffic Manager routes to Application Gateway, and Application Gateway forwards traffic through Azure Firewall—or vice versa—depending on your security and routing needs.
Traffic Flow:
Traffic Manager ----> Application Gateway + WAF ----> Azure Firewall (DNAT rule or Network rule) ----> Backend Services
- Traffic Manager handles global DNS-based routing.
- It directs to Application Gateway public IPs as endpoints.
- Application Gateway performs SSL termination, WAF inspection, and path-based routing.
- Traffic is then routed to Azure Firewall (if needed) for deeper inspection or outbound control.
- Finally, traffic reaches your backend services.
This setup is detailed in Microsoft’s multi-region load balancing architecture, which includes both Application Gateway and Azure Firewall in the flow. The key is that Traffic Manager only sees the public-facing Application Gateway, not the internal firewall.
If you're aiming for double inspection (WAF + Firewall), this layered approach is ideal.
I hope this has been helpful!
If the above is unclear and/or you are unsure about something, add a comment below.
If the above answer helped, please do not forget to "Accept Answer" as this may help other community members refer to the info if facing a similar issue. Your contribution to the Microsoft Q&A community is highly appreciated.
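The layering described in this answer can be sketched as a Bicep template. This is an added example, not part of the original answer or of Microsoft's reference architecture: the Traffic Manager profile lists only the Application Gateway public IPs as endpoints, and a route table sends Application Gateway traffic bound for the backend through the firewall's private IP. Resource names, IP addresses, the DNS label and the `/healthz` probe path are assumptions.

```bicep
// Added example. All names, prefixes and the probe path are assumptions.
@description('Resource IDs of the regional Application Gateway public IPs')
param appGwPublicIpIds array
param tmDnsLabel string = 'contoso-app-example'
param firewallPrivateIp string = '10.0.1.4'  // assumed Azure Firewall private IP
param backendPrefix string = '10.0.2.0/24'   // assumed backend subnet
param location string = resourceGroup().location

// Traffic Manager only knows about the public-facing Application Gateways.
// A public IP must have a DNS name label to be accepted as an Azure endpoint.
resource tm 'Microsoft.Network/trafficmanagerprofiles@2022-04-01' = {
  name: 'tm-app'
  location: 'global'
  properties: {
    profileStatus: 'Enabled'
    trafficRoutingMethod: 'Performance'
    dnsConfig: {
      relativeName: tmDnsLabel
      ttl: 30
    }
    monitorConfig: {
      protocol: 'HTTPS'
      port: 443
      path: '/healthz' // must be answered through the Application Gateway listener
    }
    endpoints: [for (pipId, i) in appGwPublicIpIds: {
      name: 'appgw-${i}'
      type: 'Microsoft.Network/trafficManagerProfiles/azureEndpoints'
      properties: {
        targetResourceId: pipId
        endpointStatus: 'Enabled'
      }
    }]
  }
}

// One route table per region, associated with the Application Gateway subnet:
// backend-bound traffic goes to the firewall instead of straight to the backend.
resource appGwRoutes 'Microsoft.Network/routeTables@2023-09-01' = {
  name: 'rt-appgw-to-firewall'
  location: location
  properties: {
    routes: [
      {
        name: 'backend-via-firewall'
        properties: {
          addressPrefix: backendPrefix
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}
```

The firewall still needs a rule that allows the Application Gateway subnet to reach the backend prefix, and the backend subnet typically needs the mirror route back through the firewall so return traffic is not asymmetric.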