Ubuntu - 502 Bad Gateway error for Azure Application Gateway

VasuD
October 30, 2023
101 views
0 votes
2 Answers

App GW can’t connect to a backend ubuntu VM when Azure VMSS is being used. When I tested, my python application is responding with 200 status code locally.
curl https://0.0.0.0:8000/v2/get_api_version -k
{"code":200,"message":"AI API 2.0","version":2.1,"api date":"October 2021"}

When accessing the URL from browser it is timing out with a message, "This site can’t be reached".

The App GW health probe responding with, "Cannot connect to backend server. Check whether any NSG/UDR/Firewall is blocking access to the server. Check if application is running on correct port".
App GW health probe response here

I made sure that port 8000 is added to NSG inbound security rule, Load balancer rule and listens to port 8000 on App GW. This VM is pingable but can be accessed from other devices on the same subnet. There were no firewalls that’s blocking the incoming traffic. I tried to follow majority of the recommendations but nothing seems to be working.

I understand the incoming traffic is blocked which is causing 502 bad gateway error. Appreciate your suggestions or sharing your experiences.

Thank you

Tags: azure-application-gateway

Answers

Chosen as BEST ANSWER
- VasuD
- October 30, 2023 at 5:05 pm
- 0 votes
0
Thank you @Imran.I tried your recommendations for backend settings like backend protocol and port as well as host name override. Health probe is still unhealthy.

It appears like I have digital certificate issue where in Health probe erroring out, "Health Probe showing Unhealthy status and the reason is "The Common Name (CN) of the backend server certificate does not match the host header entered in the health probe configuration (v2 SKU) or the FQDN in the backend pool (v1 SKU). Verify if the hostname matches with the CN of the backend server certificate".

Looks like it is a certificate issue where in current certificate is not recognized. Trying to link up current certificate to the crt file so that, I can renew since it is already expired.

(Edit)

- Imran
- October 28, 2023 at 9:52 am
- 0 votes
0
As per MsDoc Make sure to add the backend setting. The default probe request is sent in the format of http://127.0.0.1:80 for an HTTP probe on port 80.

Only HTTP status codes of 200 through 399 are considered healthy.

Add host name override -> pick host name from backend target and add custom domain like below:

Now in a healthy probe, select pick host name from the backend setting as yes and interval timeout like below:

Now, application gateway healthy probes have reached healthy status, and Application runs successfully like below:

Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.

Ubuntu – 502 Bad Gateway error for Azure Application Gateway

Answers