I have 2 VMSS in Azure with an internal LB in front of them. The LB has a 443 rule, and a probe to execute an HTTPS request with a request path pointing to the healthcheck endpoint of the deployed application on the scale sets. All standard stuff, but the catch here is that we are using a self-signed certificate from our HashiCorp Vault instance. I have installed and trusted the root CA cert on all the VMs in the scale sets. However, the probe is unable to hit the request path, and marks the instance as unhealthy. My suspicion is that the probe is unable to execute the HTTPS request due to the cert being self-signed.
After some digging around, I found that I can use Application Gateway instead of LB to enable end-to-end encryption since AG works at Layer 7 and allows SSL offloading. However, I cannot seem to find any documentation on how to use an "AG probe" for automatic instance repair.
One solution would be to enable port 80 on the LB rule, the NSG rule and on the nginx reverse proxy on each VM (currently configured only with listen 443). Then the probe can execute http/80/requestpath and I expect it to work. However, that is insecure and will enable outside traffic to hit the web app on port 80. That is not an option.
Is there a one-size-fits-all solution here which allows me to run HTTPS only with a self-signed cert and enable automatic instance repair? I can switch the probe to use TCP/443 instead of HTTPS/443/requestpath, but that feels inadequate due to the fact that the application could go down while port 443 traffic works absolutely fine.