3
votes

Scenario:

Configured Azure Application Gateway to route traffic to different Azure Web Apps to leverage the Web Application Firewall (WAF).

Initial configuration worked fine except that the final URL in the browser is the {mysite}.azurewebsites.net. I want this to be the custom domain name {subdomain}.{mysite}.com. This was configured by having the backend pool bound to an app service. Changing it to FQDN is not working. Screenshots below.

CNAME is already pointing to the gateway.

Desired result

When someone hits {subdomain}.{mysite}.com (which is already configured to point to the gateway) I should get {subdomain}.{mysite}.com not {mysite}.azurewebsites.net

Current setup:

The gateway is configured with a multi-site listener with its rule pointing to a backend pool and also bound to the http setting.

Listener is listening on {subdomain}.{mysite}.com

Backend pool config: [screenshot: pool config]

Probe config: [screenshot: probe config]

Http setting config: [screenshot: setting config]

The following links provide some partial answers/configurations but none of them worked for me.

Application Gateway - 502 error

https://docs.microsoft.com/en-us/azure/application-gateway/troubleshoot-app-service-redirection-app-service-url

https://docs.microsoft.com/en-us/azure/application-gateway/create-web-app

UPDATE

Here is a list of steps used to configure an Azure App Service with a custom domain behind the Azure Application Gateway and WAF (Web Application Firewall) using the Azure portal UI.

  1. Configure a Backend pool with target pointing to your App Service.
  2. Configure Health Probe with the following settings

    • Protocol: HTTP or HTTPS
    • Host: {appservice}.azurewebsites.net
    • Path: /
  3. Configure Http setting

    • Use App Service unchecked.
    • Use custom probe checked.
    • Pick host name from backend address unchecked (you might have to check this to configure the rule and then uncheck it).
  4. Configure listener

    • HostName: {subdomain}.{domain}.com (your domain)
  5. Configure basic rule

    • Bind it to the appropriate http setting, backend pool and listener
    • Caveat: If there are no http settings with Pick host name from backend checked, you might need to change it, attach it, and then remove that flag again.
1 Answers

2
votes

Probably, you get a 502 error because you changed to the FQDN subdomain.mysite.com in the targets of the backend pool. However, in this scenario, you have not changed the custom domains in your web app service; you could only access the web site via the default domain mysite.azurewebsites.net. I suggest changing back to the App Service in the targets.

> Initial configuration worked fine except that the final URL in the browser is the {mysite}.azurewebsites.net.

Please check if you have the HTTPS Only setting ON in the Custom domains of the web app service. This will redirect all HTTP to HTTPS. For me, usually, it will cause the final URL in the browser to be mysite.azurewebsites.net.

Update

If you have no HTTPS Only on, this issue may happen due to the following main reasons:

  • You have redirection configured on your App Service. Redirection can be as simple as adding a trailing slash to the request.
  • You have Azure AD authentication which causes the redirection.
  • You have enabled “Pick Host Name from Backend Address” switch in the HTTP settings of Application Gateway.
  • You don’t have your custom domain registered with your App Service.

This issue can be resolved by not having a redirection on the Application side. However, if that’s not possible, you can follow this solution to resolve it.

  1. Register the domain subdomain.mysite.com to the custom domain list of the App Service. For more information, see Map an existing custom DNS name to Azure App Service.
  2. Once that is done, your App Service is ready to accept the hostname subdomain.mysite.com. Now change your CNAME entry in DNS to point it back to Application Gateway’s FQDN. For example, appgw.eastus.cloudapp.azure.com.
  3. Uncheck the checkbox Pick Hostname from Backend HTTP Settings in probe settings. In the hostname field of the probe, enter your App Service's FQDN mysite.azurewebsites.net as the probe requests sent from Application Gateway will carry this in the host header.
  4. Uncheck the checkbox Pick Hostname from Backend Address in your Application Gateway’s HTTP settings.
  5. Associate the custom probe back to the backend HTTP settings and verify the backend health if it is healthy.

Once this is done, Application Gateway should now forward the same hostname subdomain.mysite.com to the App Service and the redirection will happen on the same hostname.
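A way to check the outcome described in the answer, as an added example that is not part of the original post: it inspects the headers of responses fetched through the gateway and flags any redirect or cookie that still points at the App Service default domain. The host `app.example.com`, the function name `audit_response` and the sample responses are constructed for illustration.

```python
"""Added example: flag responses whose redirect or cookie leaves the custom domain."""
from urllib.parse import urljoin, urlsplit

DEFAULT_SUFFIX = ".azurewebsites.net"  # App Service default domain, as named on the page


def audit_response(request_url, status, headers):
    """Return a list of findings for one response fetched through the gateway.

    headers is a list of (name, value) pairs so repeated Set-Cookie headers survive.
    """
    expected = urlsplit(request_url).hostname.lower()
    findings = []
    for name, value in headers:
        lname = name.lower()
        if lname == "location" and 300 <= status < 400:
            # Relative Location values resolve against the request URL and stay on-host.
            target = urlsplit(urljoin(request_url, value.strip())).hostname or ""
            target = target.lower()
            if target.endswith(DEFAULT_SUFFIX):
                findings.append(f"redirect to backend default host: {target}")
            elif target != expected:
                findings.append(f"redirect to other host: {target}")
        elif lname == "set-cookie":
            # Skip the name=value pair and look only at the cookie attributes.
            for attr in value.split(";")[1:]:
                key, _, val = attr.strip().partition("=")
                dom = val.strip().lstrip(".").lower()
                if key.lower() == "domain" and ("." + dom).endswith(DEFAULT_SUFFIX):
                    findings.append(f"cookie scoped to backend default host: {dom}")
    return findings


# Constructed sample responses (hypothetical hosts), not captured traffic.
URL = "https://app.example.com/admin"
SAMPLES = {
    "host header overridden": (301, [("Location", "https://mysite.azurewebsites.net/admin/")]),
    "host header preserved": (301, [("Location", "https://app.example.com/admin/")]),
    "relative redirect": (302, [("Location", "/login")]),
    "cookie leak": (200, [("Set-Cookie", "ARRAffinity=abc; Path=/; Domain=mysite.azurewebsites.net")]),
}

if __name__ == "__main__":
    for label, (status, headers) in SAMPLES.items():
        print(f"{label}: {audit_response(URL, status, headers) or 'ok'}")
```

An empty result for every path tested, including ones that trigger a trailing-slash or login redirect, indicates the gateway is forwarding the listener hostname to the backend.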