Getting HTTP 502 Error when trying to access Azure Functions behind Application Gateway

Question

Getting HTTP 502 Error when trying to access Azure Functions behind Application Gateway

FlyingInCloud 21

I will start with the previous (working) setup. I have a couple of Azure Functions. I added APIManagement in front of that to redirect all of the Functions endpoint into a single endpoint provided by APIM. That works well without hassle.

Now I am adding Application Gateway in front of APIM and my intention is to manage the web-traffic workload in a single place. The Application Gateway itself has been configured with three health probes (gateway, developer, and management). And I also added all three (AppGateway, APIM, Functions) into the same Virtual Networks instance. Each of them assigned a separate Subnet, though. To summarize, the Virtual Network now contains:

Application Gateway --> APIM --> Functions

Now I cannot access the endpoint anymore. I kept getting HTTP Error 502 notresolvable.

This is relatively new to me so somewhere there has to be a misconfiguration.

GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-12-20T06:53:41.1+00:00

Hello @FlyingInCloud ,

Apologies for the delay in response.

Could you please go through the below article to make sure your configuration matches to the one described?
Refer : https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-integrate-internal-vnet-appgateway

Could you also validate if you've created DNS A-records mapping each of the API Management endpoint host names that you configured to the application gateway's static public IP address?
This mapping ensures that the host name header and certificate sent to Application Gateway and forwarded to API Management are ones that API Management recognizes as valid.

Also, could you please check the backend health status of your Application gateway and let me know what is showing under the status and details field?
Refer : https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-backend-health-troubleshooting#how-to-check-backend-health

Regards,
Gita
FlyingInCloud 21 Reputation points

2022-12-20T09:34:11.287+00:00

Hi @GitaraniSharma-MSFT

Yes I have the correct A-record and the backend health status is healthy meaning that the communication between AppGateway to APIM should be fine.
However now I noticed when I used postman to send the request, a specific error "Unable to verify the first certificate" appear. When I hover it, the issuer is still from my company (we are connecting via VPN).

Is this might be the reason of the 502 Error as well?
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-12-20T12:33:00.173+00:00

Hello @FlyingInCloud ,

Thank you for the update.

When you say you are connecting from VPN, what exactly is the traffic flow?

Could you also refer the below troubleshooting doc and validate if you have any similarities?
Refer : https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-troubleshooting-502

Regards,
Gita
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-12-22T17:32:09.237+00:00

Hello @FlyingInCloud ,

Could you please provide an update on this post?

Regards,
Gita
FlyingInCloud 21 Reputation points

2022-12-23T14:47:01.083+00:00

Hi @GitaraniSharma-MSFT

I managed to resolve the issue, it is indeed due to other certificates overriding the Issuer CN, so when the Issuer is correct everything works as intended.
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-12-23T15:28:55.147+00:00

Thank you for the update, @FlyingInCloud .

I've added the summary in the below answer section for better visibility.

Kindly let us know if you need further assistance on this issue.

----------------------------------------------------------------------------------------------------------------

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Accepted answer

0 additional answers

Your answer

GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-12-20T06:53:41.1+00:00

Hello @FlyingInCloud ,

Apologies for the delay in response.

Could you please go through the below article to make sure your configuration matches to the one described?
Refer : https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-integrate-internal-vnet-appgateway

Could you also validate if you've created DNS A-records mapping each of the API Management endpoint host names that you configured to the application gateway's static public IP address?
This mapping ensures that the host name header and certificate sent to Application Gateway and forwarded to API Management are ones that API Management recognizes as valid.

Also, could you please check the backend health status of your Application gateway and let me know what is showing under the status and details field?
Refer : https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-backend-health-troubleshooting#how-to-check-backend-health

Regards,
Gita
FlyingInCloud 21 Reputation points

2022-12-20T09:34:11.287+00:00

Hi @GitaraniSharma-MSFT

Yes I have the correct A-record and the backend health status is healthy meaning that the communication between AppGateway to APIM should be fine.
However now I noticed when I used postman to send the request, a specific error "Unable to verify the first certificate" appear. When I hover it, the issuer is still from my company (we are connecting via VPN).

Is this might be the reason of the 502 Error as well?
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-12-20T12:33:00.173+00:00

Hello @FlyingInCloud ,

Thank you for the update.

When you say you are connecting from VPN, what exactly is the traffic flow?

Could you also refer the below troubleshooting doc and validate if you have any similarities?
Refer : https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-troubleshooting-502

Regards,
Gita
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-12-22T17:32:09.237+00:00

Hello @FlyingInCloud ,

Could you please provide an update on this post?

Regards,
Gita
FlyingInCloud 21 Reputation points

2022-12-23T14:47:01.083+00:00

Hi @GitaraniSharma-MSFT

I managed to resolve the issue, it is indeed due to other certificates overriding the Issuer CN, so when the Issuer is correct everything works as intended.
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-12-23T15:28:55.147+00:00

Thank you for the update, @FlyingInCloud .

I've added the summary in the below answer section for better visibility.

Kindly let us know if you need further assistance on this issue.

----------------------------------------------------------------------------------------------------------------

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Answer 1

Hello @FlyingInCloud ,

I understand that you were getting HTTP 502 Error when trying to access Azure Functions behind Application Gateway.

We validated that your configuration matches to the one described in the below doc:
Refer : https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-integrate-internal-vnet-appgateway

We also validated that you you've created DNS A-records mapping each of the API Management endpoint host names that you configured to the application gateway's static public IP address which ensures that the host name header and certificate sent to Application Gateway and forwarded to API Management are ones that API Management recognizes as valid.

Later we checked the backend health status of your Application gateway and it was showing healthy, however, you noticed that when you send a request via postman, a specific error "Unable to verify the first certificate" appears.

Requested you to refer the below troubleshooting doc and validate your configuration again:
Refer : https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-troubleshooting-502

You found that this issue was caused due to other certificates overriding the Issuer CN. So, when the Issuer is correct everything works as intended. And you have now managed to resolve the issue.

For more information, I'm sharing the below doc which talks about some certificate related issues that you can come across when working with Azure Application gateway:
https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-backend-health-troubleshooting#backend-server-certificate-invalid-ca

Kindly let us know if the above helps or you need further assistance on this issue.

----------------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Share via

Getting HTTP 502 Error when trying to access Azure Functions behind Application Gateway

0 additional answers

Your answer