An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
Hello Abhishek Kumar Raj
After you configure an application gateway, one of the errors that you may see is Server Error: 502 - Web server received an invalid response while acting as a gateway or proxy server. This error may happen for the following main reasons:
- NSG, UDR, or Custom DNS is blocking access to backend pool members.
- Backend VMs or instances of virtual machine scale set aren't responding to the default health probe.
- Invalid or improper configuration of custom health probes.
- Azure Application Gateway's backend pool isn't configured or empty.
- None of the VMs or instances in virtual machine scale set are healthy.
- Request time-out or connectivity issues with user requests.
Meantime,
- Ensure that the Common Name (CN) in the SSL certificate installed on your backend VMs matches the Host name configured in the Application Gateway Backend HTTP settings. If, for example, your Application Gateway is calling the backend using a domain name (like myapp.example.com), the leaf certificate on the backend server also needs to have myapp.example.com as its CN or include it as a Subject Alternative Name (SAN).
- Validate your health probe settings. Make sure that the probe's host name corresponds with the CN of the backend server's SSL certificate.
- Since you're using a Private CA, you must upload the corresponding Root CA certificate to the Application Gateway. If there's any intermediate certificate involved in your chain, it also needs to be installed correctly on both the backend VM and the Application Gateway.
- Ensure the installation order on your backend VM is correct: Leaf certificate first, followed by Intermediate, and finally the Root certificate. You can check this by using OpenSSL commands.
- Confirm that the Backend HTTP Settings are set to use HTTPS and that you have the appropriate certificates uploaded for specific backend pools.
- Revalidate your full configuration if you paste the CN/SAN.
Reference Docs:
Troubleshooting bad gateway errors in Application Gateway
Troubleshoot backend health issues in Application Gateway
If you've tried the above solutions and are still facing issues, here are some follow-up questions that could help narrow down the problem:
- What hostname are you using in the Application Gateway to connect to the backend VMs?
- Can you confirm that the SSL certificate has the correct CN or SAN entries that match the hostname?
- Have you validated that the Root CA certificate used to sign the backend certificates is uploaded to the Application Gateway?
- Have the health probe settings been verified to ensure the correct path and port are set for the probe?
Can you please update us if the action plan provided was helpful?
Should there be any follow-up questions or concerns, please let us know and we shall try to address them.
Please upvote if you found the information helpful. This will help us and other members of the community as well.
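One way to run the certificate-order check mentioned in the answer above, as an added example that is not part of the original answer. The function name `check_chain_order`, the two sample functions and the "Example ... CA" names are constructed for illustration; the input is assumed to be the "Certificate chain" summary that `openssl s_client -showcerts` prints.

```shell
#!/bin/sh
# Added example. Reads on stdin the text printed by
#   openssl s_client -connect <backend>:443 -servername <host> -showcerts
# and checks that the presented chain runs leaf -> intermediate -> root.
# It compares subject and issuer names only; it does not verify signatures.
check_chain_order() {
  awk '
    /^Certificate chain/ { chain = 1; next }
    /^---$/              { chain = 0 }
    # " 0 s:<subject>" opens an entry, "   i:<issuer>" completes it
    chain && /^ *[0-9]+ s:/   { sub(/^ *[0-9]+ s:/, ""); subj[n++] = $0; next }
    chain && n > 0 && /^ *i:/ { sub(/^ *i:/, ""); iss[n - 1] = $0 }
    END {
      if (n == 0) { print "FAIL: no certificate chain in input"; exit 2 }
      for (k = 0; k < n - 1; k++)
        if (iss[k] != subj[k + 1]) {
          printf "FAIL: cert %d issuer \"%s\" is not cert %d subject \"%s\"\n", k, iss[k], k + 1, subj[k + 1]
          bad = 1
        }
      if (!bad) printf "OK: %d certificates in leaf-to-root order\n", n
      exit bad + 0
    }'
}

# Constructed sample: chain served in the expected order.
sample_good() { cat <<'EOF'
Certificate chain
 0 s:CN = myapp.example.com
   i:CN = Example Issuing CA
 1 s:CN = Example Issuing CA
   i:CN = Example Root CA
 2 s:CN = Example Root CA
   i:CN = Example Root CA
---
EOF
}

# Constructed sample: intermediate installed ahead of the leaf.
sample_bad() { cat <<'EOF'
Certificate chain
 0 s:CN = Example Issuing CA
   i:CN = Example Root CA
 1 s:CN = myapp.example.com
   i:CN = Example Issuing CA
 2 s:CN = Example Root CA
   i:CN = Example Root CA
---
EOF
}

sample_good | check_chain_order
sample_bad  | check_chain_order || true
```

Against a live backend, pipe the `s_client` output into `check_chain_order` in place of the sample functions. The exit status is 0 for a correctly ordered chain, 1 for a misordered one and 2 when no chain was found in the input.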