I added FrontDoor to an app service, then deleted FD and now the app service no longer works - azure-web-app-service

The DNS records for Front Door were deleted as well. We have an app gateway to the app service, which is under an app service env. I can see traffic on my app gateway:
But none on the app service:
The error I get when I try to access the web app is generic:
:( Application Error If you are the application administrator, you can
access the
The health probe on the app gateway was changed to 200-600 to show this error, because it was just a generic 502 at first. I'm not really sure where to even begin troubleshooting this. Any ideas on where I can start checking things?

Did you change the CNAME DNS entry to point to your app service instead of the Front Door address?
I suspect that you have completely removed the CNAME entry instead of changing it to point to your my-app.azurewebsites.net address.
Also check if you have correctly configured the binding to your custom domain for the app service.

Did you originally use the DNS record pointing to the AFD endpoint to point to the App Gateway? If so did you point it back to the App Gateway?
What do the backend settings for the App Gateway look like? Are you overriding the hostname, choosing it from the backend pool name, or not overriding (forwarding hostname from client)?
Also, on the App Service, when you implemented AFD in front, did you set up access restrictions under the networking blade? Usually when placing AFD in front of App Service there is a rule to only allow the AFD service tag to reach the App Service so it can't be bypassed.
Lastly, check the environment variables for what port your app service is listening on. From searching that error message I see a lot of mentions about it being NodeJS and there being a mismatch in port configuration. Ensure the app service is listening on the same port as is configured on the App Gateway's backend settings as well as the probe.

Related

Azure Application Gateway: Why, when I hit its public IP, am I redirected to "<app_service_url>:80"?

I have an app service which runs a web app.
I created an application gateway in front of the web app.
But when I hit the Application Gateway's public IP, I get redirected to https://somename.azurewebsites.net:80/
My questions:
Why does it not go to <ApplicationGatewayPublicIP> directly instead of https://somename.azurewebsites.net:80/?
Let's assume that I accept https://somename.azurewebsites.net:80/. Why does it add 80 at the end (which I have to delete manually in order for it to work)?
Thank you in advance for your help!
PS: I will add some screenshots which may be helpful:
Backend Pool (app service):
Backend Settings (for app service):
If you need more information, please leave me a comment.
Thank you again

To resolve this issue, you need to configure your backend pool with the use of a custom domain, as below:
Make sure to add the authentication/trusted root certificates of the back-end servers and upload a certificate, as below:
Then configure a request routing rule: under Rules, in Backend targets, add the backend pool in which the App Service has been configured and the HTTP setting the app gateway uses to connect to the app service, and save.
Once the backend pool is in a healthy state, you can use the public IP address, which can be accessed directly. Now you can try to restrict access. Check this similar issue answered by jeremy.
The main cause of the issue is that you need to add a custom domain: configure App Service with Application Gateway, along with a certificate.
Reference:
Manage traffic to App Service - Azure Application Gateway | Microsoft Learn

Azure App Service Deployment Slot - Application Gateway

Working on a project where we are starting to use Deployment Slots in our App Services.
All our Prod apps are located behind Application Gateway, and we would like to also have our Slots located behind Application Gateway.
I understand we can not do this using "App Services" as target type in the Backend Pools as of now, but wondered if it is doable using "IP Address or FQDN" as target type.
I have tried to set it up, with various changes in the "HTTP Settings", Probe and so on, but haven't gotten it up and running.
Can anyone confirm if this is possible, and have any tips on how this should be configured?
Thanks!

I was able to get this working on one of my slots.
Basically, set up the listener with your necessary protocol, port, cert, hostname, etc... I'm using multi-site listeners so I can have multiple URLs for the one AppGW/Public IP.
The rule points to the listener, backend pool and appropriate HTTP setting.
The HTTP setting should be configured to connect to your app service URL accordingly. I'm using the azurewebsites.net URL, so I use well known CA cert & override hostname from backend target:
The backend pool then points to the azurewebsites.net URL:
Make sure that GET / works on your app service and returns 200-399 HTTP status codes. Anything outside that range is a failure and the backend pool will be removed. If you need to, create a custom health probe to a URL that will respond properly, or adjust the acceptable HTTP status code (if 401 or 403 due to required auth, then just override it with that for testing purposes for now).
I'm trying to do it again with a second slot and running into 502 errors from the App Gateway... However, I'm also waiting on DNS changes from my network team. My first one with my company domain works via hosts file edit, but the 2nd slot (which has 2 different URLs/listeners configured in the AppGW) doesn't want to work the same way for some reason.

How do you add a web app to the backend pool of Azure Application Gateway?

I have created a Webapp and have added an IP restriction so that it can only be accessed via the Azure Application Gateway Public IP.
In the Application Gateway, I navigated to the BackEnd Pools, clicked to ADD backend pool and copied the web app URL e.g. https://mywebapp.azurewebsites.net, it complained it only wanted FQDN so I removed the https:// and entered in mywebapp.azurewebsites.net
I then navigated to my Application Gateway and copied the public IP address of the gateway and entered it in my browser to test the app but it won't see the web app, I get the error "This site can’t be reached."
Have I missed a step, is the FQDN incorrect? Do I need to use a custom domain?

One of the things I would look for is if a listener and a rule have been created. This is required to enable the application gateway to route traffic appropriately to the backend pool.
More info here -
https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-web-app-powershell
I tried adding an existing app service web app to the backend pool like you mentioned and realized that it was not adding the listener/rule for it. When I used the PowerShell script mentioned in the link above, which creates a listener and a rule, I was able to successfully hit the backend pool website when I browsed using the Application Gateway public IP/DNS.
https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-create-gateway-arm

Azure Application Gateway with App Service Web App

I have created an application gateway with WAF (default detection mode) in an Azure Resource Group (no ASE) with an App Service Web App backendPool member/target MS link (followed instructions to the letter both via the Azure Portal and via PowerShell).
I'm not using any custom domains, just the basic config with my backendPool member being an Azure Web App, i.e. mywebapp.azurewebsites.net (the Web App is a basic ASP.NET test site which runs fine on its .azurewebsites.net address).
MS application gateway documentation states they now support App Services as backendPool targets (FQDN, which I use).
My basic httpSettings, basic listener and rule are all set up correctly as far as I'm aware (HTTP port 80).
So in essence my app gateway should listen on port 80 of the public IP attached to it and forward any incoming requests to the backendPool member (Web App).
But when I try to access the gateway's public IP (or DNS address) I keep getting an 'Azure 404 Web Site not found.' page/error.
Strangely, if I stop the Web App from the Azure portal I get a 502/bad gateway error until I restart the Web App, where the 404 page returns.
I don't know if I'm missing anything here? Does anyone have any suggestions at all? I cannot seem to get this working.

You probably are missing a couple of configuration elements. Backend http settings should require 'PickHostNameFromBackendAddress' flag. You should also use a custom probe which has 'PickHostNameFromBackendHttpSettings' flag set. The end to end PowerShell documentation is at link which details your scenario.

Azure load balancing configuration with App Services

What am I trying to do
I have two Azure apps deployed as App Services. To make the rest of the post easy, let's call them "blog" and "landing_page". Both of them are hosted, so their URLs are blog.azurewebsites.net and landing_page.azurewebsites.net.
I want to configure "something" in Azure with following rules:
if user access http://mydomain/ - content of landing_page.azurewebsites.net
if user access http://mydomain/blog - content of blog.azurewebsites.net
What I tried
After reading the documentation, I had to reject Traffic Manager because it works at the DNS level. From the other two I decided to use Application Gateway, because it should work on any Endpoint (Any Azure internal IP address, public internet IP address, Azure VM, or Azure Cloud Service).
I configured my Application Gateway setting backend to: landing_page.azurewebsites.net. But in "Backend health" the app status is unhealthy. I tried also:
blog.azurewebsites.net - unhealthy
www.wp.pl (polish news portal) - is working
gazeta.pl (polish news portal) - is working
stapp.space (my blog) - this is same as piotrstapp.azurewebsites.net and status is unhealthy
Question :)
What did I do wrong? Maybe I should use something else on Azure? Or am I missing something?

Make sure that custom probes are turned on and configured in the HTTP settings of the WAF for your site. If you don't, the Application Gateway will try to go to the IP of the App Service Environment without passing a Host header, which won't work and will throw the probe into an unhealthy state, resulting in a "502 Gateway Proxy" error.
There is a great article here
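
Added example (not part of the original answers and not Microsoft's code): an offline audit of an exported gateway configuration for the Host-header problem described above, the two flags named in the earlier thread, and a probe range widened the way the first question describes. Field names assume the JSON printed by `az network application-gateway show`; the sample values are constructed, and only basic (non path-based) rules are walked.

```python
# Constructed sample; field names assume `az network application-gateway show` JSON.
SAMPLE = {
    "backendAddressPools": [{"name": "pool1",
        "backendAddresses": [{"fqdn": "mywebapp.azurewebsites.net"}]}],
    "backendHttpSettingsCollection": [
        {"name": "bare", "pickHostNameFromBackendAddress": False},
        {"name": "fixed", "pickHostNameFromBackendAddress": True,
         "probe": {"id": "/gw/probes/wide"}}],
    "probes": [{"name": "wide", "pickHostNameFromBackendHttpSettings": True,
        "match": {"statusCodes": ["200-600"]}}],
    "requestRoutingRules": [
        {"name": "rule-a", "backendAddressPool": {"id": "/gw/backendAddressPools/pool1"},
         "backendHttpSettings": {"id": "/gw/backendHttpSettingsCollection/bare"}},
        {"name": "rule-b", "backendAddressPool": {"id": "/gw/backendAddressPools/pool1"},
         "backendHttpSettings": {"id": "/gw/backendHttpSettingsCollection/fixed"}}],
}

def _ref(obj, key):
    # Last path segment of a sub-resource reference like {"id": ".../probes/p1"}.
    return ((obj.get(key) or {}).get("id") or "").rsplit("/", 1)[-1]

def audit(gw):
    """Return (rule, finding) pairs for rules whose pool targets *.azurewebsites.net."""
    def index(key):
        return {x["name"]: x for x in gw.get(key) or []}
    pools, probes = index("backendAddressPools"), index("probes")
    settings = index("backendHttpSettingsCollection")
    out = []
    for rule in gw.get("requestRoutingRules") or []:
        pool = pools.get(_ref(rule, "backendAddressPool"), {})
        s = settings.get(_ref(rule, "backendHttpSettings"))
        fqdns = [a.get("fqdn") or "" for a in pool.get("backendAddresses") or []]
        if s is None or not any(f.endswith(".azurewebsites.net") for f in fqdns):
            continue
        # No override: client's Host is forwarded; needs that name bound as a custom domain.
        if not (s.get("pickHostNameFromBackendAddress") or s.get("hostName")):
            out.append((rule["name"], "host-not-overridden"))
        probe = probes.get(_ref(s, "probe"))
        if probe is None:
            out.append((rule["name"], "no-custom-probe"))
            continue
        if not (probe.get("pickHostNameFromBackendHttpSettings") or probe.get("host")):
            out.append((rule["name"], "probe-without-app-host"))
        # A widened match range such as 200-600 reports a failing app as healthy.
        codes = (probe.get("match") or {}).get("statusCodes") or []
        if any(int(c.split("-")[-1]) >= 500 for c in codes):
            out.append((rule["name"], "probe-accepts-5xx"))
    return out

print(audit(SAMPLE))
```

A `host-not-overridden` finding is only a problem when the forwarded hostname is not bound to the app as a custom domain, so treat it as a prompt to check the binding.
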
You may want to check out Azure's application gateway path-based rules function:
Create a path-based rule for an application gateway by using the Azure portal
