Azure application gateway

dev eloper 20 Reputation points
2024-05-29T12:48:31.4933333+00:00

Hello everyone
I have an Azure Application Gateway pricing plan standard v2. I have an Azure Function that I want to protect using the Application Gateway. Now, when I create the backend pools in the Application Gateway, I add the Azure Function to give it the route. To set up everything, I created an SSH certificate in Azure Key Vault, and as the subject, I put CN=myfunction.azurewebsites.net.

The problem is that the Application Gateway gives me the following error: 'The Common Name (CN) of the backend server certificate does not match the host header entered in the health probe configuration (v2 SKU) or the FQDN in the backend pool (v1 SKU). Verify if the hostname matches with the CN of the backend server certificate.'

Can anyone help me understand? Also, do you think it makes sense to protect the API exposed by the Azure Function with the Application Gateway? Thank you

Azure Application Gateway
Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
1,081 questions
0 comments No comments
{count} votes

Accepted answer
  1. ChaitanyaNaykodi-MSFT 26,216 Reputation points Microsoft Employee
    2024-05-29T23:37:02.63+00:00

    @dev eloper Thank you for reaching out.

    I understand you are getting the following error message on your Application Gateway

    "The Common Name (CN) of the backend server certificate does not match the host header entered in the health probe configuration (v2 SKU) or the FQDN in the backend pool (v1 SKU). Verify if the hostname matches with the CN of the backend server certificate."This issue occurs when the hostname specified in the backend settings of the application gateway does not match the with CN in backend server certificate as it is used for the Server Name Indication (SNI) during TLS handshake.

    As documented here below is the solution you can apply to resolve the issue.

    Solution: The hostname information is critical for backend HTTPS connection since that value is used to set the Server Name Indication (SNI) during TLS handshake. You can fix this problem in the following ways based on your gateway’s configuration.

    For V2,

    • If you’re using a Default Probe – You can specify a hostname in the associated Backend setting of your application gateway. You can select “Override with specific hostname” or “Pick hostname from backend target” in the backend setting.
    • If you’re using a Custom Probe – For Custom Probe, you can use the “host” field to specify the Common Name of the backend server certificate. Alternatively, if the Backend Setting is already configured with the same hostname, you can choose “Pick hostname from backend setting” in the probe settings.

    Based on your additional question above

    Also, do you think it makes sense to protect the API exposed by the Azure Function with the Application Gateway? Thank you

    You can follow this guideline to determine if using an Application Gateway as a L-7 load balancer and a proxy satisfies your requirements.

    One advantage of using App Gateway here is that you can integrate it with Azure Web Application Firewall which safeguards your web applications against common exploits and vulnerabilities. As web applications become more frequent targets for malicious attacks, these attacks often exploit well-known vulnerabilities such as SQL injection and cross-site scripting. More details here.

    Hope this helps! Please let me know if you have any additional questions or if the issue still persists. Thank you!


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.