
I am trying to configure Azure Application Gateway WAF with a backend pool set to a VM in a different Azure tenant using its public IP address on port 443. All the SSL certificates are configured properly. However, I keep getting the following error while browsing the site via the WAF.

502 - Web server received an invalid response while acting as a gateway or proxy server.

I have confirmed that the NSG on the mentioned back-end VM is allowing all traffic on port 443. What could be going wrong here?

double-beep
LogicIO
  • In case you’re using SSL offloading/termination at the App Gateway (which is pretty common), then you’ll need to allow traffic through port 80 (or whatever port you use). – Rohit Saigal Apr 22 '19 at 01:19

1 Answer


Generally, you can check the status of Backend health in the monitoring of Application Gateway and compare with the DETAILS referring to these possible reasons on your side.

  • NSG, UDR or Custom DNS is blocking access to backend pool members.
  • Back-end VMs or instances of virtual machine scale set are not responding to the default health probe.
  • Invalid or improper configuration of custom health probes.
  • Azure Application Gateway's back-end pool is not configured or empty.
  • None of the VMs or instances in virtual machine scale set are healthy.
  • Request time-out or connectivity issues with user requests.

For each reason, you can get a solution from that link. I think you could make sure you can directly access the backend with public IP from one tenant to another tenant. Then if you have an NSG in the app gateway subnet, you must include exceptions for incoming traffic on ports 65503-65534 for the Application Gateway v1 SKU, and ports 65200-65535 for the v2 SKU. You could get more details here. You could also whitelist the app gateway public IP address in the NSG of backend VM.

Nancy
  • It works when I am giving the DNS name of the VM which is again pointed to the same public IP address. However, the DNS name mentioned here has to be changed to be pointing to the front end IP address of application gateway, so not sure how to proceed. Any ideas? – LogicIO Apr 22 '19 at 03:57
  • `when I am giving the DNS name of the VM which is again pointed to the same public IP address.` What's the DNS name of VM? It sounds like you use a custom DNS name for that VM instead of Azure provided DNS name like this `mytestvmxxx.centralus.cloudapp.azure.com`. So you change the custom DNS name from mapping to the public IP address of VM to PIP of frontend APP GW. – Nancy Apr 25 '19 at 07:30
  • I am not using the DNS name of the VM, I am using the DNS name of the website which matches the CN of the SSL certificate. This DNS name is pointing to the public IP address of the VM. When I am pointing to this name, I am getting the gateway error. However, when I point to another DNS name which is a CNAME to the actual DNS name, everything works fine. – LogicIO Apr 29 '19 at 12:56
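The NSG advice in the answer (the per-SKU infrastructure port ranges on the gateway subnet, and admitting the gateway's public IP on the backend VM's NSG) can be checked offline before looking at Backend health. The rule evaluator below is an added example, not code from the question or the answer; it assumes the infrastructure traffic is sourced from the `GatewayManager` service tag, and all rule names and IP addresses in it are constructed sample data.

```python
"""Offline check of NSG inbound rules against what Application Gateway needs
(added example). Assumption: infrastructure traffic comes from GatewayManager."""
from dataclasses import dataclass
import ipaddress

INFRA_PORTS = {"v1": (65503, 65534), "v2": (65200, 65535)}  # per SKU, as in the answer
@dataclass
class Rule:
    name: str
    priority: int    # lower number is evaluated first, as in Azure
    access: str      # "Allow" or "Deny"
    source: str      # CIDR / IP, "*", or a service tag such as "GatewayManager"
    dest_ports: str  # "443", "65200-65535" or "*"
def _port_range(spec):
    if spec == "*":
        return 0, 65535
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)

def _source_matches(rule_source, source):
    if rule_source in ("*", source):
        return True
    try:  # CIDR rule against a literal IP; a service tag never matches an IP
        return ipaddress.ip_address(source) in ipaddress.ip_network(rule_source, strict=False)
    except ValueError:
        return False
def port_allowed(rules, source, port):
    """First matching rule by priority decides; no match falls to DenyAllInbound."""
    for rule in sorted(rules, key=lambda r: r.priority):
        lo, hi = _port_range(rule.dest_ports)
        if lo <= port <= hi and _source_matches(rule.source, source):
            return rule.access == "Allow"
    return False
def gateway_subnet_ok(rules, sku):
    """Every infrastructure port for this SKU must be reachable from GatewayManager."""
    lo, hi = INFRA_PORTS[sku]
    return all(port_allowed(rules, "GatewayManager", p) for p in range(lo, hi + 1))

def backend_ok(rules, gateway_public_ip):
    """The backend VM's NSG must admit HTTPS from the gateway's public IP."""
    return port_allowed(rules, gateway_public_ip, 443)

# Constructed sample NSGs: a v1-style range that breaks a v2 gateway, a correct v2
# rule, a backend NSG, and one where a lower-numbered Deny shadows the Allow.
GW_V1_STYLE = [Rule("AllowGwMgr", 100, "Allow", "GatewayManager", "65503-65534")]
GW_V2 = [Rule("AllowGwMgr", 100, "Allow", "GatewayManager", "65200-65535")]
BACKEND = [Rule("AllowFromAppGw", 100, "Allow", "203.0.113.10", "443"),
           Rule("DenyOther443", 200, "Deny", "*", "443")]
BACKEND_SHADOWED = [Rule("DenyAll443", 90, "Deny", "*", "443")] + BACKEND
```

Running the checks over the sample rules shows the v1-style range failing on a v2 SKU and the shadowing Deny blocking the gateway even though an Allow for its IP exists.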