3
votes

I am transitioning my ASP.Net web site to Azure hosting. I am using an application gateway with SSL offload, so my individual load balanced web servers do not have the SSL cert installed. Since SSL is handled on the application gateway, how do I require SSL from the client and redirect from HTTP to HTTPS?

2

2 Answers

4
votes

I do this with close to 300 sites running through 3 separate application gateways; once you get it configured, it works well.

The answer lies in the configuration of the Listener/Rule pairs.

You will need two Listeners (one for HTTP, and one for HTTPS) and two Rules (again one for HTTP, and one for HTTPS) for each site to achieve this.

Here it is laid out step by step for you:

1. Create a new HTTP Listener: Give it a name like 'Listener_HTTP', Port 80, HTTP Protocol, Multi site listener type, put in your host name like so:


2. Create a new HTTPS Listener: Name 'Listener_HTTPS', Port 443, HTTPS Protocol, either choose an existing, or create a new SSL cert, Multi site listener type, put in your host name like so:


3. Create a new HTTP Rule: Create a new Rule, name 'Rule_HTTP'. On the 'Listener' tab, link it to the HTTP listener created in Step 1 above like so:


On the 'Backend Targets' tab, the Target Type should be 'Redirection', redirection type should be 'Found', and redirection target should be your HTTPS listener created in Step 2 above as follows:


4. Create a new HTTPS Rule: Create a new rule, name 'Rule_HTTPS', on the 'Listener' tab point it at the HTTPS Listener created in Step 2 above, as follows:


On the 'Backend Targets' tab, set Target type to 'Backend Pool' and point it at your chosen Backend Pool and HTTP settings as follows (this answer assumes you already have those set up):


And voilà! There you have it! Any requests that hit HTTPS directly will go straight through to the backend pool. Any that hit HTTP will get looped back to the HTTPS Listener, effectively achieving the forced redirection you are looking for.
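An added example, not part of the answer above: a check that every HTTP listener on a gateway is wired to a redirect rule targeting an HTTPS listener for the same host, which is what the four steps set up. It assumes the configuration has been exported as JSON with `az network application-gateway show` and that the field names below match that output; the sample data and its shortened ids are constructed, and path-based rules are not covered.

```python
# Constructed sample, trimmed to the fields the check reads. Field names are an
# assumption modelled on `az network application-gateway show` output; real ids
# are full resource ids, shortened here for readability.
SAMPLE = {
    "httpListeners": [
        {"id": "L/Listener_HTTP", "protocol": "Http", "hostName": "www.example.com"},
        {"id": "L/Listener_HTTPS", "protocol": "Https", "hostName": "www.example.com"},
        {"id": "L/Legacy_HTTP", "protocol": "Http", "hostName": "old.example.com"},
    ],
    "redirectConfigurations": [
        {"id": "R/ToHttps", "redirectType": "Found", "targetListener": {"id": "L/Listener_HTTPS"}},
    ],
    "requestRoutingRules": [
        {"httpListener": {"id": "L/Listener_HTTP"}, "redirectConfiguration": {"id": "R/ToHttps"}},
        {"httpListener": {"id": "L/Listener_HTTPS"}, "backendAddressPool": {"id": "P/Pool1"}},
        {"httpListener": {"id": "L/Legacy_HTTP"}, "backendAddressPool": {"id": "P/Pool1"}},
    ],
}

def ref(obj, key):
    # Sub-resources are referenced as {"id": "..."}; return that id or None.
    return (obj.get(key) or {}).get("id")

def audit_http_listeners(gw):
    """Return {listener id: problem} for HTTP listeners that do not redirect to HTTPS."""
    listeners = {l["id"]: l for l in gw.get("httpListeners", [])}
    redirects = {r["id"]: r for r in gw.get("redirectConfigurations", [])}
    rules = {ref(r, "httpListener"): r for r in gw.get("requestRoutingRules", [])}
    findings = {}
    for lid, listener in listeners.items():
        if listener.get("protocol", "").lower() != "http":
            continue  # only plain-HTTP listeners need a redirect
        rule = rules.get(lid, {})
        redirect = redirects.get(ref(rule, "redirectConfiguration"), {})
        target = listeners.get(ref(redirect, "targetListener"), {})
        if not rule:
            findings[lid] = "no rule attached"
        elif not redirect:
            findings[lid] = "rule serves a backend over plain HTTP"
        elif target.get("protocol", "").lower() != "https":
            findings[lid] = "redirect does not target an HTTPS listener"
        elif target.get("hostName") != listener.get("hostName"):
            findings[lid] = "redirect targets a listener for a different host"
    return findings

if __name__ == "__main__":
    for lid, problem in audit_http_listeners(SAMPLE).items():
        print(f"{lid}: {problem}")
```

To run it against a real gateway, load the exported JSON with `json.load` and pass the resulting dict to `audit_http_listeners`.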

0
votes

Don't know if this will help or not. https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-ssl-portal

If you are moving to web apps instead of VMs, you will probably need to configure for end-to-end SSL.