Application gateway handling of non http traffic

Assaf L 261

According to documentation (details) the app gateway supports HTTP, HTTPS, HTTP/2, and WebSocket protocols
Considering the above, in case MQTT traffic arrives at the service, what will occur at the service level

Will the traffic get ignored and forwarded to the backend pool
Will the traffic get blocked and rejected by the service with some return code?

KapilAnanth-MSFT 41,491 Reputation points Microsoft Employee

2023-10-03T11:15:25.3033333+00:00
@Assaf L

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you would like to know what would happen if you were to reach the Application gateway with unsupported protocols.

As far as I know, since this is an unsupported scenario, traffic will simply be dropped.

I shall check this behavior internally and confirm the same.

Meanwhile, may I ask if you have this set up already?

If so, what is the behavior you are seeing?

Cheers,

Kapil
Assaf L 261 Reputation points

2023-10-04T07:47:07.43+00:00

Hi @KapilAnanth-MSFT thanks for getting back,

Meanwhile, may I ask if you have this set up already - No I didn't, I need to understand the behaviour as part of planning of the environment
KapilAnanth-MSFT 41,491 Reputation points Microsoft Employee

2023-10-04T11:37:57.7833333+00:00
@Assaf L

I got a confirmation from our Internal Team and they informed us that you will receive a 400 HTTP Status Code.

As stated by @msrini-MSFT , the TCP connection/handshake will pass through but the Application layer traffic will not, resulting in 400.

From the same reference document you have shared,

400 - Bad Request happens when Non-HTTP / HTTPS traffic is initiated to an application gateway with an HTTP or HTTPS listener.

https://learn.microsoft.com/en-us/azure/application-gateway/http-response-codes#400--bad-request

Wrt why this status code is returned,

5XX Codes for Server side error.

Here, the error is from Client side as the client tried to invoke a protocol not supported by Server to begin with.

Hence we get a 4XX Code, 400

Hope that helps.

Request you to "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Cheers,

Kapil
KapilAnanth-MSFT 41,491 Reputation points Microsoft Employee

2023-10-05T09:54:13.8166667+00:00
@Assaf L

I see you have raised a support incident to get this clarified as well.

I have further updates from our Product Group.

In case you are interested in using MQTT via AppGW, then we can sign you up for TLS/TCP proxy feature on a limited preview.

In this case, could you please send an email to AzCommunity[At]Microsoft[Dot]Com with the below details.

Subject : Attn Kaananth | AppGw MQTT traffic

Thread URL: Link to this thread.

Subscription ID : Subscription ID of the App gateway

Please let us know if we can be of any further assistance here.

If not, request you to Accept the answer and close this thread

Thanks,

Kapil
Assaf L 261 Reputation points

2023-10-05T16:39:37.9833333+00:00

@KapilAnanth-MSFT thanks for the information, good timing :)

I will verify this internally and update in case its relevant
KapilAnanth-MSFT 41,491 Reputation points Microsoft Employee

2023-10-06T09:58:45.0166667+00:00

@Assaf L

Sure.

I shall also track the support request internally.

Meanwhile, I would appreciate if you could Accept the below answer.

As this will benefit other community members.

Cheers,

Kapil
Assaf L 261 Reputation points

2023-10-08T10:37:16.7033333+00:00

Hi @KapilAnanth-MSFT I would be happy to set your comment as answer but it must be set as an answer rather than a comment, once you update it I will set it as one
KapilAnanth-MSFT 41,491 Reputation points Microsoft Employee

2023-10-09T06:03:40.7333333+00:00

@Assaf L

You are welcome.

Sure, I have summarized the comments as a new answer.

Cheers,

Kapil
KapilAnanth-MSFT 41,491 Reputation points Microsoft Employee

2023-10-11T06:00:06.88+00:00

Hi @Assaf L

Request you to please Accept the answer and close this thread.

Should there be any questions/follow ups , please do let me know

Cheers,

Kapil

Accepted answer

KapilAnanth-MSFT 41,491 Reputation points Microsoft Employee

2023-10-09T06:03:04.4+00:00
@Assaf L

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you would like to know what would happen if you were to reach the Application gateway with undocumented protocols. (especially, MQTT).

I got a confirmation from our Internal Team and they informed us that you will receive a 400 HTTP Status Code.

As stated by @msrini-MSFT , the TCP connection/handshake will pass through but the Application layer traffic will not, resulting in 400.

400 - Bad Request happens when Non-HTTP / HTTPS traffic is initiated to an application gateway with an HTTP or HTTPS listener.

https://learn.microsoft.com/en-us/azure/application-gateway/http-response-codes#400--bad-request

Should you be interested in using MQTT via AppGW, then we can sign you up for TLS/TCP proxy feature on a limited preview with the support incident you have raised.

Thanks for your continued contribution on Q&A and appreciate much for taking the time to share your feedback.

Cheers,

Kapil
Please sign in to rate this answer.

1 person found this answer helpful.

0 comments No comments
Sign in to comment

1 additional answer

msrini-MSFT 9,276 Reputation points Microsoft Employee

2023-10-04T07:22:00.29+00:00

Hi,

Lets say you have a Listener on port 443 and you are trying to send MQTT traffic over TCP port 443 to Application Gateway.

Your TCP handshake will be successful but the Application layer is not handled by Application Gateway to support 443 and you get a timeout. I don't think there will be a response code sent. Maybe status code 400.

Regards,

Karthik Srinivas
Please sign in to rate this answer.
Assaf L 261 Reputation points

2023-10-04T07:45:44.9+00:00

Hi @msrini-MSFT thanks for the details,

If I understand correctly, the traffic will be blocked? It will not pass through by any chance?

And the result will be either timeout of the request or a status code?

Shouldn't it be one of the 5XX errors (details)?

msrini-MSFT 9,276 Reputation points Microsoft Employee

2023-10-04T13:48:14.7733333+00:00

5xx is server side error, as far as application gateway is concerned, it receives the request with a protocol that it doesn't support and it just thinks as malformed client request.
Sign in to comment

Share via

Application gateway handling of non http traffic

1 additional answer