Azure Application Gateway with App Service Web App - azure

I have created an application gateway with WAF (default detection mode) in an Azure Resource Group (no ASE) with an App Service Web App backendPool member/target MS link (followed instructions to the letter both via the Azure Portal and via PowerShell).
I'm not using any custom domains, just the basic config with my backendPool member being an Azure Web App, i.e. mywebapp.azurewebsites.net (Web App is a basic ASP.NET test site which runs fine on its .azurewebsites.net address).
MS application gateway documentation states they now support App Services as backendPool targets (FQDN/which I use).
My basic httpSettings, basic listener and rule are all set up correctly as far as I'm aware (HTTP port 80).
So in essence my app gateway should listen on port 80 of the public IP attached to it and forward any incoming requests to the backendPool member (Web App).
But when I try to access the gateway's public IP (or DNS address) I keep getting an 'Azure 404 Web Site not found.' page/error.
Strangely, if I stop the Web App from the Azure portal I get a 502/bad gateway error until I restart the Web App, where the 404 page returns.
I don't know if I'm missing anything here? Does anyone have any suggestions at all? I cannot seem to get this working.

You probably are missing a couple of configuration elements. Backend http settings should require 'PickHostNameFromBackendAddress' flag. You should also use a custom probe which has 'PickHostNameFromBackendHttpSettings' flag set. The end to end PowerShell documentation is at link which details your scenario.

Related

I added FrontDoor to an app service, then deleted FD and now the app service no longer works

The DNS records for Front Door were deleted as well. We have an app gateway to the app service, which is under an app service env. I can see traffic on my app gateway:
But none on the app service:
The error I get when I try to access the web app is generic:
:( Application Error If you are the application administrator, you can
access the
The health probe on the app gateway was changed to 200-600 to show this error, because it was just a generic 502 at first. I'm not really sure where to even begin troubleshooting this. Any ideas on where I can start checking things?
Did you change the CNAME DNS entry to point to your app service instead of the Front Door address?
I suspect that you have completely removed the CNAME entry instead of changing it to point to your my-app.azurewebsites.net address.
Also check if you have correctly configured the binding to your custom domain for the app service.
Did you originally use the DNS record pointing to the AFD endpoint to point to the App Gateway? If so, did you point it back to the App Gateway?
What do the backend settings for the App Gateway look like? Are you overriding the hostname, choosing it from the backend pool name, or not overriding (forwarding hostname from client)?
Also, on the App Service, when you implemented AFD in front, did you set up access restrictions under the networking blade? Usually when placing AFD in front of App Service there is a rule to only allow the AFD service tag to reach the App Service so it can't be bypassed.
Lastly, check the environment variables for what port your app service is listening on. From searching that error message I see a lot of mentions about it being NodeJS and there being a mismatch in port configuration. Ensure the app service is listening on the same port as is configured on the App Gateway's backend settings as well as the probe.

Azure web app access restrictions to application gateway

I am using a V1 WAF application gateway (dynamic IP) in front of a web app.
When I configure the web app access restrictions to allow the application gateway, I receive a 403 when I try to access the web app URL (expected behavior). However, I also receive a 403 when accessing through the app gateway URL (not expected!). I have tried a rule to allow the app gateway IP and also a rule allowing the app gateway VNet (service endpoint), both with the same result. Any idea why it's not working? Thanks!
I suggest you learn about this topic. You are probably getting a VPC error.
https://azure.microsoft.com/en-us/services/virtual-network/#overview

Azure Application gateway with web apps

I have set up an Azure Application Gateway in front of an Azure Web Application. I have added an IP restriction on the Web app allowing access only from the Application Gateway's public IP address. This works fine, but when I enter the public IP address in the browser it redirects to the web app's URL. How can I stop the application gateway redirecting to the web app URL and have it return the response against the public IP instead?
I have deployed an MVC web application behind Application Gateway with the following settings, and when I type the IP address of the application gateway, it shows the web application on the application gateway IP.
Custom probe was automatically added when I saved page after selecting "HTTPS" and "Use for App Service" option.
Backend pool where WebApp was selected
If you still see any issues then I will post steps to configure everything tomorrow.
It turns out that you first need to configure the custom domain to the webapp and once the propagation happens the CNAME record of the custom domain should be changed to map the FQDN of the Application gateway.

How do you add a web app to the backend pool of Azure Application Gateway?

I have created a Webapp and have added an IP restriction so that it can only be accessed via the Azure Application Gateway Public IP.
In the Application Gateway, I navigated to the BackEnd Pools, clicked to ADD backend pool and copied the web app URL, e.g. https://mywebapp.azurewebsites.net. It complained it only wanted an FQDN, so I removed the https:// and entered mywebapp.azurewebsites.net.
I then navigated to my Application Gateway and copied the public IP address of the gateway and entered it in my browser to test the app but it won't see the web app, I get the error "This site can’t be reached."
Have I missed a step, is the FQDN incorrect? Do I need to use a custom Domain?
One of the things I would look for is whether a listener and a rule have been created. This is required to enable the application gateway to route traffic appropriately to the backend pool.
More info here -
https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-web-app-powershell
I tried adding an existing app service web app to the backend pool like you mentioned and realized that it was not adding the listener/rule for it. When I used the PowerShell script mentioned in the link above, which creates a listener and a rule, I was able to successfully hit the backend pool website when I browsed using the Application Gateway public IP/DNS.
https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-create-gateway-arm

Azure load balancing configuration with App Services

What am I trying to do
I have two Azure apps deployed as App Services. To make the rest of the post easy, let's call them "blog" and "landing_page". Both of them are hosted, so their URLs are blog.azurewebsites.net and landing_page.azurewebsites.net.
I want to configure "something" in Azure with the following rules:
if the user accesses http://mydomain/ - content of landing_page.azurewebsites.net
if the user accesses http://mydomain/blog - content of blog.azurewebsites.net
What I tried
After reading the documentation, I have to reject Traffic Manager because it works on the DNS level. From the other two I decided to use Application Gateway, because it should work on any endpoint (any Azure internal IP address, public internet IP address, Azure VM, or Azure Cloud Service).
I configured my Application Gateway, setting the backend to: landing_page.azurewebsites.net. But in "Backend health" the app status is unhealthy. I also tried:
blog.azurewebsites.net - unhealthy
www.wp.pl (Polish news portal) - is working
gazeta.pl (Polish news portal) - is working
stapp.space (my blog) - this is the same as piotrstapp.azurewebsites.net and the status is unhealthy
Question :)
What did I do wrong? Maybe I should use something else on Azure? Or am I missing something?
Make sure that custom probes are turned on and configured in the HTTP settings of the WAF for your site. If you don't, the Application Gateway will try to go to the IP of the App Service Environment without passing a Host header, which won't work and will throw the probe into an unhealthy state, resulting in a "502 Gateway Proxy" error.
There is a great article here
You may want to check out Azure's application gateway path-based rules function:
Create a path-based rule for an application gateway by using the Azure portal
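The two settings named in the first answer on this page ('PickHostNameFromBackendAddress' on the backend HTTP settings, 'PickHostNameFromBackendHttpSettings' on a custom probe) are also what fixes the missing Host header described in the answer above. The following Az PowerShell sketch applies them to an existing gateway. It is an added example, not code from any of the posts or from the linked Microsoft documentation; the resource group, gateway, probe and HTTP-setting names are placeholders, and HTTP on port 80 is taken from the first question.

```powershell
# Added example. All names below are placeholders (assumptions), not values from the page.
$rg          = 'example-rg'
$gwName      = 'example-appgw'
$settingName = 'example-http-settings'   # the existing backend HTTP settings on the gateway
$probeName   = 'appsvc-probe'

$gw = Get-AzApplicationGateway -ResourceGroupName $rg -Name $gwName

# Treat 200-399 from the web app as healthy.
$match = New-AzApplicationGatewayProbeHealthResponseMatch -StatusCode '200-399'

# Custom probe: take the Host header from the HTTP settings instead of probing
# the shared App Service front end with no usable host name.
Add-AzApplicationGatewayProbeConfig -ApplicationGateway $gw -Name $probeName `
    -Protocol Http -Path '/' -Interval 30 -Timeout 30 -UnhealthyThreshold 3 `
    -PickHostNameFromBackendHttpSettings -Match $match | Out-Null

$probe = Get-AzApplicationGatewayProbeConfig -ApplicationGateway $gw -Name $probeName

# Backend HTTP settings: send the backend pool FQDN (mywebapp.azurewebsites.net)
# as the Host header and attach the custom probe. This cmdlet rewrites the whole
# setting, so port, protocol and affinity are restated.
Set-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $gw -Name $settingName `
    -Port 80 -Protocol Http -CookieBasedAffinity Disabled -RequestTimeout 30 `
    -PickHostNameFromBackendAddress -Probe $probe | Out-Null

# Nothing changes on the gateway until the modified object is pushed back.
Set-AzApplicationGateway -ApplicationGateway $gw | Out-Null

# Confirm the result: each backend server should now report Healthy.
$health = Get-AzApplicationGatewayBackendHealth -ResourceGroupName $rg -Name $gwName
$health.BackendAddressPools.BackendHttpSettingsCollection.Servers |
    Select-Object Address, Health
```

If the backend still reports unhealthy after this, the access restrictions on the web app are the next thing to check, since the probe traffic has to be allowed by the same rules as client traffic.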
