502 WAF to Appservice connection issue (domain name fails and Azure name passes)

Question

When we call domain url, www.foo.com it gives 502 error

"502 - Web server received an invalid response while acting as a gateway or proxy server."

But the technical url www.foo.azurewebsites.net is working fine.

How do we diagnose this?

1. Since the technical url is working fine we can rule out application or code error
2. We ran a Diagnosis of WAF (pdf removed the spaces, sorry)

DegradedBackendServerHealth:ApplicationGateway:'FOO',BackendServer:'foo.azurewebsites.net',HealthStatus:Down,BackendservercertificateisnotwhitelistedwithApplication Gateway.,Reportedat:7/14/20199:34:40AM.Mitigation:Reviewthehealthofthebackendserverfirst.Ifthebackend serverishealthyandcanrespondwithHTTP200viaotheraccesspaths,troubleshootnetworkconnectivityfromthe ApplicationGatewayinstancestothebackendserver.Troubleshootingincludes(butisnotlimitedto):SecurityRules, routing,networkperformance,andgeneralTCPconnectivitytroubleshooting. WehavefoundthatalltheinstancesofBackendAddressPoolareunhealthy.Ensurethattheinstancesarehealthyandthe applicationisproperlyconfigured.Checkiftheback-endinstancescanrespondtoapingfromanotherVMinthesame VNet.Ifconfiguredwithapublicendpoint,ensureabrowserrequesttothewebapplicationisserviceable.

1. We checked the certifcates configured, it is working fine
2. Pretty much all recommendation are verified and working fine

How can we diagnose this further and find rootcause?

Answer 1

It was resolved on slot swap. For some reason, one slot had some security restrictions in place. Not sure who did it or Why it was done. This is the immediate answer.

There seemed to have some script run which affected all live servers but the slots/staging were 'protected'. When the staging became production this issue was reverted(as they were 'protected')

Will update once more info available on this