Resolving Azure Application Gateway Backend Health Issues

Question

Resolving Azure Application Gateway Backend Health Issues

GitaraniSharma-MSFT 50,021 Microsoft Employee Moderator

How can I troubleshoot and resolve issues with unhealthy or unknown backends in my Azure Application Gateway?

PS - Based on common issues that we have seen from customers and other sources; we are posting these questions to help the Azure community.

1 answer

Your answer

Answer 1

To troubleshoot and resolve issues with unhealthy or unknown backends in your Azure Application Gateway, follow these steps:

Check Backend Health Status:
- Navigate to the Azure portal, go to your Application Gateway, and check the backend health status. This can be found under "Backend Health" in the monitoring section.
Verify Backend Configuration:
- Ensure that the backend pool is correctly configured with the right IP addresses or FQDNs.
- Check that the backend servers are running and reachable.
Examine Health Probes:
- Health probes are used to determine the health status of your backends. Verify that the health probes are correctly configured.
- Ensure the probe settings (protocol, path, interval, timeout) match the configuration of your backend application.
Review Network Security:
- Ensure that network security groups (NSGs) and firewalls are not blocking traffic between the Application Gateway and the backend servers.
- Check for any IP restrictions on your backend servers that might prevent the Application Gateway from accessing them.
Analyze Logs:
- Check the diagnostic logs for any errors or warnings that can provide clues about the issue.
- Enable and review the Application Gateway access logs, performance logs, and firewall logs if not already enabled.
Backend Server Health:
- Ensure the backend servers are healthy and not experiencing high CPU, memory usage, or other resource constraints.
- Look for application-specific issues that might be causing the backend to be unhealthy.
SSL/TLS Configuration:
- If you are using HTTPS, ensure that the SSL/TLS certificates are correctly configured and not expired.
- Verify that the SSL settings on the Application Gateway match those on the backend servers.

For further details, refer to the official Azure documentation:

Please do not forget to "up-vote" wherever the information provided helps you, as this can be beneficial to other community members.

Roy Kim (Azure MVP) 191 Reputation points MVP

2025-05-22T17:32:34.0566667+00:00

@GitaraniSharma-MSFT Thank you for post. Do you have guide for App Gateway in front of ADFS VM within same VNET. I have backend settings with https 443, "Backend server’s certificate is issued by a well-known CA": Yes. (Root cert is AAA certificate services which is trusted).
Health Probe:
HTTPS, Host:<vm name>, Path:"/adfs/ls/idpinitiatedsignon"

Error:
Cannot connect to backend server. Check whether any NSG/UDR/Firewall is blocking access to the server. Check if application is running on correct port. To learn more visit - https://aka.ms/servernotreachable.

I tried VM connectivity troubleshooter to adfds VM. Ensure NSG is open and non blocking. No Firewall and UDR.

I have tried many possible combinations of settings with probe, backend settings, listener, etc.

Any suggestions to work with ADFS?

Share via

Resolving Azure Application Gateway Backend Health Issues

1 answer

Your answer