Azure Front door with App Gateway with ASEv3-ILB (services aren't available right now)

Question

Azure Front door with App Gateway with ASEv3-ILB (services aren't available right now)

Mohamed Elashkr 21

Hallo,

I use Hub-Spoke architecture to do a request form Azure Front door to App Service over App-Gateway in the middle. The App Service is running in ASEv3-ILB(in Spoke-Vnet). But if i tried to call App Service from Azure Front door, then i actually got this Error "services aren't available right now"

I created Application Gateway in Hub and then created ASEv3-ILB in Spoke and did peering between the both Hub-Spoke. I deployed an App Service with .NET core Web-Application(Web-App) in ASEv3-ILB and want to call the Web-App from Azure Front door over App Gateway but it did not work!

To be clear, i tried those steps until now:

i set "Certificate subject name validation" to "disabled " in Azure Front door
i configured App Gateway with ASE-ILB without Azure-Front door and used "routable domain name", then it worked and could call my Web-App from App Gateway
i used also NSG with App-Gateway subnet and set the necessary inbound-rules(as here: https://learn.microsoft.com/en-us/azure/application-gateway/configuration-infrastructure#network-security-groups) but did not work too. (i tried with and without NSG for App-Gateway Subnet )
if i am configuring the App Gateway with ASE-ILB and then configuring App Gateway with Azure-Front door, then it is not possible to call the Web-App in ASE-ILB and have got this Error:
"Our services aren't available right now
We're working to restore all services as soon as possible. Please check back soon.
0c6g8YgAAAAC1GeS+ECSHRYRPvvIMnPQSTVVDMzBFREdFMDMxNQA4ODk4MDU4YS1iOWZhLTQ0YmUtYmE2OC02NjU1ZjE3NDIwYmY="

What could the problem be? What's a easy way of troubleshooting for this error?

GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-03-28T11:11:10.277+00:00

Hello @Mohamed Elashkr ,

Could you please let me know what you have configured in the backend host name and backend host header of your Azure Front Door backend pool?

Regards,
Gita
Mohamed Elashkr 21 Reputation points

2022-03-28T12:17:58.7+00:00

Hello,

"Backend host name" is the public-ip von Application-Gateway: 20.xxx.xx.xxx
"Backend host header": i tried two things, the first one i have set it to "blank", and the second I have set it to the host-name of web-app which is running in ASE:
"myfirstapp.internal-asetest.appserviceenvironment.net"

For Info: SKU of public-ip ist "Standard"
Is that right?

Thank you,
Mohamed
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-03-28T12:25:50.21+00:00

Hello @Mohamed Elashkr ,

Thank you for the update.

Not the SKU of Public IP. The SKU/tier of Application gateway found as below:

However, if the Public IP of Application gateway is Standard SKU, I believe you have Application gateway v2 SKU.
Still could you please confirm this by browsing to your Application gateway configuration as shown in the screenshot above and let me know the tier you see there?

Regards,
Gita
Mohamed Elashkr 21 Reputation points

2022-03-28T18:54:24.477+00:00

Hello,

the Tier is "Standard V2" for my App-Gateway, It is possible to change the Tier to "WAF V2". Should the Tier be set to "WAF V2" if yes why?

thank you,
Best wishes
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-03-29T08:55:35.69+00:00
Hello @Mohamed Elashkr ,

Thank you for the confirmation.

No, you do not need to change the tier to WAF v2 for this issue. But it is possible to change the Tier to "WAF V2" via portal.

Could you please let me know what is the listener configuration on your Application gateway?
You mentioned "App Gateway with ASE-ILB without Azure-Front door worked", may I know how you accessed the App gateway in this case? Did you use an FQDN? Do you have a multi-site listener configured on App gateway with a specific host name as shown below?

If yes, let's try the below configuration changes in your Azure Front Door backend pool:

Change the backend host type to "Custom host".

In the Backend host name, add the FQDN/host name from App gateway listener instead of the IP Address and also add your Backend host header value same as your Backend host name or you can leave your Backend host header as Empty.

After you make the changes, please save and then perform a Purge all and wait for some time for the changes to be affected.
Refer this doc on how to perform a purge on Front Door: https://learn.microsoft.com/en-us/azure/frontdoor/front-door-caching?pivots=front-door-classic#cache-purge

After sometime check if it is working or not.

Regards,
Gita
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-03-30T12:08:20.707+00:00

Hello @Mohamed Elashkr ,

I'm following up on my above comment to check if you tried the suggested changes. Do you have any updates on this?

Regards,
Gita
Mohamed Elashkr 21 Reputation points

2022-04-04T09:48:30.4+00:00

Hello @GitaraniSharma-MSFT ,

Apologies for the delay for my response!
thank you for your update und your patient.

That is the configuration for Listner of the App-GW
ListnerType: Multi site
Host type: Multiple/Wildcard
Host names: myfirstapp.yourdomainname.com (is subdomain of routable-domain-name, you could create a public-DNS and using the routable domain name there)

For Info: To connect to the application gateway from internet, you need a routable domain name. In this case, I used a routable domain name yourdomainname.com and planning to connect to an App Service with this domain name myfirstapp.yourdomainname.com

Best regards,
Mohamed
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-04-06T11:33:14.717+00:00

Hello @Mohamed Elashkr ,

Thank you for the details.

Let's try the below configuration changes in your Azure Front Door backend pool:

1) Change the backend host type to "Custom host".

2) In the Backend host name, add the FQDN/host name from App gateway listener (i.e. myfirstapp.yourdomainname.com) instead of the IP Address and also add your Backend host header value same as your Backend host name or you can leave your Backend host header as Empty.

3) After you make the changes, please save and then perform a Purge all and wait for some time for the changes to be affected.
Refer this doc on how to perform a purge on Front Door: https://learn.microsoft.com/en-us/azure/frontdoor/front-door-caching?pivots=front-door-classic#cache-purge

After sometime check if it is working or not.

Regards,
Gita
Mohamed Elashkr 21 Reputation points

2022-04-06T13:35:47.003+00:00

Hi @GitaraniSharma-MSFT ,

thank you for your response.

I used Azure Front Door Classic before and i am using now Azure Front Door Premium and did all above steps but the request from Az-FD to App-Gateway still not working!
I have got this message after i configured Az-FD:
"Oops! We weren't able to find your Azure Front Door Service configuration. If it’s a new configuration that you recently created, it might not be ready yet. You should check again in a few minutes. If the problem persists, please contact Azure support."

I tried to create a rule in "Rule set" and forward the traffic to App-Gateway and this way worked for but not the right way what i need.
What could be the problem, that Azure Front Door can not direct the traffic to App-Gateway (by Azure Front Door, i create Origin Group which is as "Backend-pool" )?
How long time could take after i configured the Azure Front Door with App-Gateway to get working?

Thank you!
Best regards,
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-04-08T12:56:06.397+00:00
Hello @Mohamed Elashkr ,

Thank you for the update.

Could you please share your healthprobes and route settings in Azure Front Door?
Refer : https://learn.microsoft.com/en-us/azure/frontdoor/origin?pivots=front-door-standard-premium
https://learn.microsoft.com/en-us/azure/frontdoor/how-to-configure-endpoints

Do you have any NSG associated to your Application gateway subnet?

Some of the reasons why Azure Front Door cannot direct traffic to App gateway are as below:

DNS mapping to Front Door FQDN done but custom domain not onboarded to Azure Front Door.

Adding IP address of Application gateway in the backend of Azure Front Door.

Most new Front Door creates and updates take about 3 to 20 minutes to deploy across all our edge location globally. Custom TLS/SSL certificate updates take from several minutes to an hour to be deployed globally. Any updates to routes or backend pools etc. are seamless and will cause zero downtime (if the new configuration is correct).
Refer : https://learn.microsoft.com/en-us/azure/frontdoor/front-door-faq#how-long-does-it-take-to-deploy-an-azure-front-door--does-my-front-door-still-work-when-being-updated-

Regards,
Gita
Mohamed Elashkr 21 Reputation points

2022-04-08T13:44:25.68+00:00
Hello @GitaraniSharma-MSFT ,

there are no any healthprobes configured for Az-FD until now,
My Rout settings for Az-FD is:

Domains: myfirstfd.mydomain.com(this domain is managed by Azure DNS)

Origin group -> Origin -> Origin host name: ApGW-Public-IP(20.xx.xxx) (i tested also with/without routable-domain name also but did not work!)

Status: Enabled

Provisioning state: succeeeded

There is no NSG to my AppGW-Subnet

Thank you,
Best wishes,

1 answer

Your answer

GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-03-28T11:11:10.277+00:00

Hello @Mohamed Elashkr ,

Could you please let me know what you have configured in the backend host name and backend host header of your Azure Front Door backend pool?

Regards,
Gita
Mohamed Elashkr 21 Reputation points

2022-03-28T12:17:58.7+00:00

Hello,

"Backend host name" is the public-ip von Application-Gateway: 20.xxx.xx.xxx
"Backend host header": i tried two things, the first one i have set it to "blank", and the second I have set it to the host-name of web-app which is running in ASE:
"myfirstapp.internal-asetest.appserviceenvironment.net"

For Info: SKU of public-ip ist "Standard"
Is that right?

Thank you,
Mohamed
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-03-28T12:25:50.21+00:00

Hello @Mohamed Elashkr ,

Thank you for the update.

Not the SKU of Public IP. The SKU/tier of Application gateway found as below:

However, if the Public IP of Application gateway is Standard SKU, I believe you have Application gateway v2 SKU.
Still could you please confirm this by browsing to your Application gateway configuration as shown in the screenshot above and let me know the tier you see there?

Regards,
Gita
Mohamed Elashkr 21 Reputation points

2022-03-28T18:54:24.477+00:00

Hello,

the Tier is "Standard V2" for my App-Gateway, It is possible to change the Tier to "WAF V2". Should the Tier be set to "WAF V2" if yes why?

thank you,
Best wishes
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-03-29T08:55:35.69+00:00

Hello @Mohamed Elashkr ,

Thank you for the confirmation.

No, you do not need to change the tier to WAF v2 for this issue. But it is possible to change the Tier to "WAF V2" via portal.

Could you please let me know what is the listener configuration on your Application gateway?
You mentioned "App Gateway with ASE-ILB without Azure-Front door worked", may I know how you accessed the App gateway in this case? Did you use an FQDN? Do you have a multi-site listener configured on App gateway with a specific host name as shown below?

If yes, let's try the below configuration changes in your Azure Front Door backend pool:

Change the backend host type to "Custom host".

In the Backend host name, add the FQDN/host name from App gateway listener instead of the IP Address and also add your Backend host header value same as your Backend host name or you can leave your Backend host header as Empty.

After you make the changes, please save and then perform a Purge all and wait for some time for the changes to be affected.
Refer this doc on how to perform a purge on Front Door: https://learn.microsoft.com/en-us/azure/frontdoor/front-door-caching?pivots=front-door-classic#cache-purge

After sometime check if it is working or not.

Regards,
Gita
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-03-30T12:08:20.707+00:00

Hello @Mohamed Elashkr ,

I'm following up on my above comment to check if you tried the suggested changes. Do you have any updates on this?

Regards,
Gita
Mohamed Elashkr 21 Reputation points

2022-04-04T09:48:30.4+00:00

Hello @GitaraniSharma-MSFT ,

Apologies for the delay for my response!
thank you for your update und your patient.

That is the configuration for Listner of the App-GW
ListnerType: Multi site
Host type: Multiple/Wildcard
Host names: myfirstapp.yourdomainname.com (is subdomain of routable-domain-name, you could create a public-DNS and using the routable domain name there)

For Info: To connect to the application gateway from internet, you need a routable domain name. In this case, I used a routable domain name yourdomainname.com and planning to connect to an App Service with this domain name myfirstapp.yourdomainname.com

Best regards,
Mohamed
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-04-06T11:33:14.717+00:00

Hello @Mohamed Elashkr ,

Thank you for the details.

Let's try the below configuration changes in your Azure Front Door backend pool:

1) Change the backend host type to "Custom host".

2) In the Backend host name, add the FQDN/host name from App gateway listener (i.e. myfirstapp.yourdomainname.com) instead of the IP Address and also add your Backend host header value same as your Backend host name or you can leave your Backend host header as Empty.

3) After you make the changes, please save and then perform a Purge all and wait for some time for the changes to be affected.
Refer this doc on how to perform a purge on Front Door: https://learn.microsoft.com/en-us/azure/frontdoor/front-door-caching?pivots=front-door-classic#cache-purge

After sometime check if it is working or not.

Regards,
Gita
Mohamed Elashkr 21 Reputation points

2022-04-06T13:35:47.003+00:00

Hi @GitaraniSharma-MSFT ,

thank you for your response.

I used Azure Front Door Classic before and i am using now Azure Front Door Premium and did all above steps but the request from Az-FD to App-Gateway still not working!
I have got this message after i configured Az-FD:
"Oops! We weren't able to find your Azure Front Door Service configuration. If it’s a new configuration that you recently created, it might not be ready yet. You should check again in a few minutes. If the problem persists, please contact Azure support."

I tried to create a rule in "Rule set" and forward the traffic to App-Gateway and this way worked for but not the right way what i need.
What could be the problem, that Azure Front Door can not direct the traffic to App-Gateway (by Azure Front Door, i create Origin Group which is as "Backend-pool" )?
How long time could take after i configured the Azure Front Door with App-Gateway to get working?

Thank you!
Best regards,
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-04-08T12:56:06.397+00:00

Hello @Mohamed Elashkr ,

Thank you for the update.

Could you please share your healthprobes and route settings in Azure Front Door?
Refer : https://learn.microsoft.com/en-us/azure/frontdoor/origin?pivots=front-door-standard-premium
https://learn.microsoft.com/en-us/azure/frontdoor/how-to-configure-endpoints

Do you have any NSG associated to your Application gateway subnet?

Some of the reasons why Azure Front Door cannot direct traffic to App gateway are as below:

DNS mapping to Front Door FQDN done but custom domain not onboarded to Azure Front Door.

Adding IP address of Application gateway in the backend of Azure Front Door.

Most new Front Door creates and updates take about 3 to 20 minutes to deploy across all our edge location globally. Custom TLS/SSL certificate updates take from several minutes to an hour to be deployed globally. Any updates to routes or backend pools etc. are seamless and will cause zero downtime (if the new configuration is correct).
Refer : https://learn.microsoft.com/en-us/azure/frontdoor/front-door-faq#how-long-does-it-take-to-deploy-an-azure-front-door--does-my-front-door-still-work-when-being-updated-

Regards,
Gita
Mohamed Elashkr 21 Reputation points

2022-04-08T13:44:25.68+00:00

Hello @GitaraniSharma-MSFT ,

there are no any healthprobes configured for Az-FD until now,
My Rout settings for Az-FD is:

Domains: myfirstfd.mydomain.com(this domain is managed by Azure DNS)

Origin group -> Origin -> Origin host name: ApGW-Public-IP(20.xx.xxx) (i tested also with/without routable-domain name also but did not work!)

Status: Enabled

Provisioning state: succeeeded

There is no NSG to my AppGW-Subnet

Thank you,
Best wishes,

Answer 1

Mohamed Elashkr 21

Hi @GitaraniSharma-MSFT

i found the solution for my Problem(503-Error) in my case. The Problem was that i used Self-Signed Certficate on the AppGw-Listner(for testing the concept)

Solution:
If the AppGW behind Az-Front Door, then you need a valid certificate from CA on the Https-Listner of AppGW instead of Self-Signed Certificate!
And may be you to add a "rule" in Az-FD to disable "Accept-Encoding" for requests!
The Request is working now!

Here is a clue: https://learn.microsoft.com/en-us/azure/frontdoor/end-to-end-tls

Thank you for your Support,
Best regards,

GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-04-18T09:29:02.067+00:00

Hello @Mohamed Elashkr ,

Thank you for the update and sharing the solution. I've added your comment as an answer for better visibility to help others in the community with similar issue.
Yes, Self-signed certificates aren't supported for Frontend TLS connection in Azure Front Door.

Regards,
Gita Sharma
Carlos Muñoz 0 Reputation points

2023-08-30T11:45:09.2766667+00:00

I have implemented in the same way the api-gateway with self-signed certificate following the steps:

https://srigunnala.com/azure-apim-application-gateway-integration/

It should be clarified that I enter by the host name provided by the same app-gateway since I only exposed the gateway of my APIM.

Will Azure Front Door reject the connection because of the certificates?

Is there a way to bypass that self-signed certificate validation?

Thank for you time.

Share via

Azure Front door with App Gateway with ASEv3-ILB (services aren't available right now)

1 answer

Your answer