Application Gateway TCP/TLS proxy doubts

Alex 355 Reputation points
2024-06-21T05:44:55.72+00:00

Hello,

Good day!

I registered for the preview feature of TCP/TLS proxy of Application Gateway and tested a few configurations.

I wanted to share my experience and feedback, to enhance the capabilities of this feature.

  1. If the AppGw is already having HTTPS/443 listeners, it is not allowing to create TLS/443 or TCP/443 listeners.
    1. Technically, in the backend, I think it is not possible to bind the same port for different protocols, but AppGw being a service offering, would it be possible to allow listeners with same port/different protocols and managing that in different backend instances? Just my two cents. :)
  2. The 'Insights' page always fails to fetch the backend health or connection status when the AppGw is having HTTPS, TCP and TLS listeners, but 'Backend Health' page works fine.

Cheers.

Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.

Accepted answer
  1. GitaraniSharma-MSFT 49,401 Reputation points Microsoft Employee
    2024-06-21T13:44:43.64+00:00

    Hello @Alex ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you have some doubts and feedback regarding the Azure Application Gateway TCP/TLS proxy feature.

    If the AppGw is already having HTTPS/443 listeners, it is not allowing to create TLS/443 or TCP/443 listeners.

    This is a by-design limitation of Azure Application Gateway, where 2 public listeners cannot have the same port except in the case of multi-site listeners with different hostnames.

    Application Gateway supports the same port on public and private listeners, but the same port for public and private listeners is not supported yet for Azure Application Gateway TCP/TLS proxy. It is planned for a future release, but there is no ETA yet.

    Refer: https://learn.microsoft.com/en-us/azure/application-gateway/configuration-listeners

    https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-faq#can-i-use-the-same-port-for-public-facing-and-private-facing-listeners

    Technically, in the backend, I think it is not possible to bind the same port for different protocols, but AppGw being a service offering, would it be possible to allow listeners with same port/different protocols and managing that in different backend instances?

    If you wish you may leave your feedback in the below forum requesting this feature. All the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure.

    https://feedback.azure.com/d365community/forum/8ae9bf04-8326-ec11-b6e6-000d3a4f0789

    The 'Insights' page always fails to fetch the backend health or connection status when the AppGw is having HTTPS, TCP and TLS listeners, but 'Backend Health' page works fine.

    I checked internally and only found an issue related to Application Gateway insights from 1.5 years ago, but no recent issues. I also tested in my lab, and the insights for the Application Gateway work fine.

    Could you please try to check the Application gateway insights via the Azure Monitor and validate if you see the details?

    Go to Azure Monitor --> under Insights, select Network; you will see Application gateway --> click on it. To access the resource view of an application gateway, select the topology icon next to the application gateway name in the metrics grid view.

    Refer: https://learn.microsoft.com/en-us/azure/network-watcher/network-insights-overview#resource-view

    Also, make sure that the microsoft.insights resource provider is registered in your subscription.

    Refer: https://learn.microsoft.com/en-us/previous-versions/azure/azure-monitor/insights/azure-networking-analytics#troubleshooting

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please don’t forget to "Accept the answer" wherever the information provided helps you, this can be beneficial to other community members.
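
The two listener port rules stated in the accepted answer, written as a pre-deployment check over a planned listener set. This is an added example, not part of the thread and not Azure's own validation logic; the `Listener` fields, the `conflicts` helper and the sample listeners are constructed for illustration, and treating only HTTP/HTTPS listeners with different hostnames as multi-site is an assumption.

```python
from dataclasses import dataclass
from itertools import combinations

L7 = {"HTTP", "HTTPS"}   # listener types that can be multi-site (assumption)
L4 = {"TCP", "TLS"}      # TCP/TLS proxy listener types


@dataclass(frozen=True)
class Listener:
    name: str
    protocol: str        # HTTP, HTTPS, TCP or TLS
    port: int
    frontend: str        # "public" or "private"
    hostname: str = ""   # set only on multi-site listeners


def conflicts(listeners):
    """Return (name_a, name_b, reason) for each pair that breaks a rule
    stated in the answer. Private/private pairs are not covered by the
    answer, so they are not judged here."""
    found = []
    for a, b in combinations(listeners, 2):
        if a.port != b.port:
            continue
        if a.frontend == b.frontend == "public":
            # Rule 1: two public listeners may share a port only when both
            # are multi-site listeners with different hostnames.
            multi_site = bool(
                a.protocol in L7 and b.protocol in L7
                and a.hostname and b.hostname
                and a.hostname.lower() != b.hostname.lower()
            )
            if not multi_site:
                found.append((a.name, b.name, "two public listeners on one port"))
        elif a.frontend != b.frontend and (a.protocol in L4 or b.protocol in L4):
            # Rule 2: public/private port sharing is not yet supported
            # when a TCP/TLS proxy listener is involved.
            found.append((a.name, b.name, "public/private port sharing with TCP/TLS"))
    return found


# Constructed sample: planned listeners for one gateway.
SAMPLE = [
    Listener("web-a", "HTTPS", 443, "public", "a.example.com"),
    Listener("web-b", "HTTPS", 443, "public", "b.example.com"),
    Listener("sql-tls", "TLS", 443, "public"),
    Listener("int-web", "HTTPS", 443, "private"),
]

if __name__ == "__main__":
    for a, b, reason in conflicts(SAMPLE):
        print(f"{a} <-> {b}: {reason}")
```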

