525 errors can be returned if your Azure "stamp" (the group of resources that host and operate infrastructure for multiple Azure customers) is experiencing a DDoS attack. Azure DDoS mitigation procedures appear to drop packets from any Azure App Service under said stamp, even if that app service is not sending malicious traffic. This can affect production workloads.
The problem appears to be exacerbated by/exclusive to those behind Cloudflare, as the IP address makes it appear to be coming from a single source (perhaps the same IP as the malicious traffic).
For me, this took weeks of back and forth with Azure support before they even acknowledged that it was a problem on their side. Cloudflare support were awesome in assisting here, showing clearly that it was due to the host server. In my case, the DDoS attack stopped occurring before support was able to offer any solutions to resolve it, but they certainly didn't seem to be forthcoming with anything. It appeared as though the DDoS mitigation procedures were automated or otherwise outside of their control, so there wasn't much the support team (first level anyway) could do to help.
So I would suggest, as a first step if you hit this error, to ask support if they're experiencing any DDoS attack on the same stamp you're running.