Share via

502 Bad Gateway when calling a container app via the application gateway

AzureRACO 20 Reputation points
2026-02-24T11:51:08.5966667+00:00

I've followed the guide here: https://learn.microsoft.com/en-us/azure/container-apps/waf-app-gateway?tabs=custom-domain

I have:

  • 1 container app running on port 8080
  • 1 container app environment, set to internal, in a subnet in a vnet with a network endpoint
  • 1 private DNS zone, with the container app environment IP added to the records
  • 1 application gateway, in a subnet in the same vnet as above, with a network endpoint added.
  • 1 frontend
  • 1 backend pool, with the container app added

The backend health shows 'Cannot connect to backend server. Check whether any NSG/UDR/Firewall is blocking access to the server. Check if application is running on correct port. To learn more visit - https://aka.ms/servernotreachable.'. Clicking 'troubleshoot' shows 'Probes sent: 30, probes failed: 30', but seeing the details shows both as healthy.

I've checked the app (it's healthy), the frontend and backend pool, everything is as it should be (I believe).

I'm at a loss as to where to look next.

Azure Container Apps
Azure Container Apps

An Azure service that provides a general-purpose, serverless container platform.

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Pravallika KV 10,725 Reputation points Microsoft External Staff Moderator
    2026-02-26T11:57:07.0066667+00:00

    Hi @AzureRACO ,

    Thanks for reaching out to Microsoft Q&A.

    Since the app was working before and is now throwing a 502 Bad Gateway, the issue is likely with the Application Gateway configuration or network routing. Double-check:

    1. NSG/UDR rules: Double-check the NSGs on the subnets where both the Application Gateway and container app are located. Ensure that both incoming and outgoing traffic are allowed, especially for traffic from the Application Gateway’s frontend to the container app environment.
      • Inbound NSG: Ensure it's allowing traffic from the Application Gateway subnet.
      • Outbound NSG: Ensure outbound traffic is allowed from the container app to the Application Gateway.
      • If you're using User-Defined Routes (UDRs), make sure there are no conflicting routes that might block the traffic to your container app.
    2. Health Probe Configuration:

    You mentioned both probes show healthy, but it’s worth diving into probe settings:

    • Protocol: Confirm the probe is set to HTTP/HTTPS (depending on your app’s setup).
      • Path: Ensure the probe path is correct (e.g., /health if that’s how your container app is set up).
      • Port: Confirm the probe is checking the right port (8080 in your case).
      • Interval and Timeout: Double-check if the probe settings are too aggressive (timeouts too short, or probe interval too long). A smaller interval (e.g., 10 seconds) or longer timeout (e.g., 10 seconds) might help.
    1. Private DNS: You mentioned using private DNS. Verify that:
      • The DNS resolution is correctly pointing to the correct backend IP.
      • Ensure the DNS record has propagated correctly across the VNet (sometimes DNS issues can be subtle and take time to resolve across the network).
    2. App Gateway settings: Verify the correct backend pool, HTTP settings, and health probes are configured.
    3. Direct access: Test accessing the container app directly (bypassing AAG) to isolate if the issue is with the AAG.

    A misconfiguration or missing setting in the AAG could be causing the 502 error. Hope this helps!

    If the resolution was helpful, kindly take a moment to click on User's imageand click on Yes for was this answer helpful. And, if you have any further query do let us know.

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.