Configure App Service with Application Gateway

Application Gateway allows you to have an App Service app or other multi-tenant service as a backend pool member. In this article, you learn to configure an App Service app with Application Gateway. The configuration for Application Gateway differs depending on how App Service will be accessed:

  • The first option makes use of a custom domain on both Application Gateway and the App Service in the backend.
  • The second option is to have Application Gateway access App Service using its default domain, suffixed as ".chinacloudsites.cn".

Using the default domain is the easiest configuration and doesn't require a custom domain. As such, it allows for a quick, convenient setup.

Warning

This configuration comes with limitations. We recommend reviewing the implications of using different host names between the client and Application Gateway and between Application Gateway and App Service in the backend. For more information, please review the article in Architecture Center: Preserve the original HTTP host name between a reverse proxy and its backend web application.

When App Service doesn't have a custom domain associated with it, the host header on the incoming request on the web application will need to be set to the default domain, suffixed with ".chinacloudsites.cn" or else the platform won't be able to properly route the request.

The host header in the original request received by the Application Gateway will be different from the host name of the backend App Service.

Scenario overview for Application Gateway to App Service using the default App Service domain towards the backend

In this article you'll learn how to:

  • Configure DNS
  • Add App Service as backend pool to the Application Gateway
  • Configure HTTP Settings for the connection to App Service
  • Configure an HTTP Listener
  • Configure a Request Routing Rule

Prerequisites

Configuring DNS

In the context of this scenario, DNS is relevant in two places:

  • The DNS name that the user or client uses to reach Application Gateway, which is what is shown in a browser
  • The DNS name that Application Gateway uses internally to access the App Service in the backend

When no custom domain is available, the user or client can access Application Gateway using either the IP address of the gateway or its DNS address. The Application Gateway DNS address can be found on the overview page of the associated Public IP address. Not having a custom domain available implies that no publicly signed certificate will be available for TLS on Application Gateway. Clients are restricted to using HTTP, or HTTPS with a self-signed certificate, both of which are undesired.

To connect to App Service, Application Gateway uses the default domain as provided by App Service (suffixed "chinacloudsites.cn").

Add App Service as backend pool

  1. In the Azure portal, select your Application Gateway.

  2. Under Backend pools, select the backend pool.

  3. Under Target type, select App Services.

  4. Under Target, select your App Service.

    App service backend

    Note

    The dropdown only populates those app services which are in the same subscription as your Application Gateway. If you want to use an app service which is in a different subscription than the one in which the Application Gateway is, then instead of choosing App Services in the Targets dropdown, choose IP address or hostname option and enter the hostname (example.chinacloudsites.cn) of the app service.

  5. Select Save.

Edit HTTP settings for App Service

An HTTP Setting is required that instructs Application Gateway to access the App Service backend using the default ("chinacloudsites.cn") domain name. To do so, the HTTP Setting will explicitly override the host name.

  1. Under HTTP Settings, select an existing HTTP setting or add a new one.
  2. When creating a new HTTP Setting, give it a name.
  3. Select HTTPS as the desired backend protocol using port 443.
  4. If the certificate is signed by a well known authority, select "Yes" for "Use well known CA certificate". Alternatively, add authentication/trusted root certificates of backend servers.
  5. Make sure to set "Override with new host name" to "Yes".
  6. Under "Host name override", select "Pick host name from backend target". This setting will cause the request towards App Service to use the "chinacloudsites.cn" host name, as is configured in the Backend Pool.

Configure HTTP Settings to use default domain towards App Service backend by setting Pick host name from backend target

Configure an HTTP listener

To accept traffic we need to configure a Listener. For more info on this see Application Gateway listener configuration.

Assuming there's no custom domain or associated certificate available, we'll configure Application Gateway to listen for HTTP traffic on port 80. Alternatively, see the instructions on how to Create a self-signed certificate.

  1. Open the "Listeners" section and choose "Add listener" or click an existing one to edit
  2. For a new listener: give it a name
  3. Under "Frontend IP", select the IP address to listen on
  4. Under "Port", select 80
  5. Under "Protocol", select "HTTP"

Add a listener for HTTP traffic

Configure request routing rule

Using the earlier configured Backend Pool and the HTTP Settings, the request routing rule can be set up to take traffic from a listener and route it to the Backend Pool using the HTTP Settings. For this, make sure you have an HTTP or HTTPS listener available that is not already bound to an existing routing rule.

  1. Under "Rules", click to add a new "Request routing rule"
  2. Provide the rule with a name
  3. Select an HTTP or HTTPS listener that is not bound yet to an existing routing rule
  4. Under "Backend targets", choose the Backend Pool in which App Service has been configured
  5. Configure the HTTP settings with which Application Gateway should connect to the App Service backend
  6. Select "Add" to save this configuration

Add a new Routing rule from the listener to the App Service Backend Pool using the configured HTTP Settings

Testing

Before testing, make sure that the backend health shows as healthy:

Open the "Backend health" section and ensure that the "Status" column shows "Healthy" for the combination of HTTP Setting and Backend Pool.

Check backend health in Azure portal

Now browse to the web application using either the Application Gateway IP Address or the associated DNS name for the IP Address. Both can be found on the Application Gateway "Overview" page as a property under "Essentials". Alternatively the Public IP Address resource also shows the IP address and associated DNS name.

Pay attention to the following non-exhaustive list of potential symptoms when testing the application:

  • redirections pointing to ".chinacloudsites.cn" directly instead of to Application Gateway
      • this includes authentication redirects that try to access ".chinacloudsites.cn" directly
  • domain-bound cookies not being passed on to the backend
      • this includes the use of the "ARR affinity" setting in App Service

The above conditions (explained in more detail in Architecture Center) would indicate that your web application doesn't deal well with rewriting the host name. This is commonly seen. The recommended way to deal with this is to follow the instructions for configuring Application Gateway with App Service using a custom domain. Also see: Troubleshoot App Service issues in Application Gateway.
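One way to check a response received through the gateway for the symptoms listed above, as an added example that is not part of the original article: it flags redirects that name the backend's default domain and cookies whose Domain attribute does not match the host the client used. The gateway host name `gateway.example.test`, the function names and the sample headers are constructed for illustration.

```python
from urllib.parse import urlsplit

BACKEND_SUFFIX = ".chinacloudsites.cn"  # default App Service domain suffix named in this article


def cookie_domain(set_cookie):
    """Return the Domain attribute of a Set-Cookie value, or None if it has none."""
    for attr in set_cookie.split(";")[1:]:
        name, _, value = attr.strip().partition("=")
        if name.lower() == "domain" and value:
            return value.strip().lstrip(".").lower()
    return None


def find_host_leaks(gateway_host, headers):
    """Flag response headers that expose or depend on the backend host name.

    gateway_host: host name (or IP) the client used to reach Application Gateway.
    headers: list of (name, value) pairs from one HTTP response.
    """
    gateway_host = gateway_host.lower()
    findings = []
    for name, value in headers:
        lname = name.lower()
        if lname == "location":
            host = (urlsplit(value).hostname or "").lower()
            # Relative redirects have no host and stay on the gateway.
            if host.endswith(BACKEND_SUFFIX):
                findings.append(("redirect-to-backend", host))
        elif lname == "set-cookie":
            domain = cookie_domain(value)
            if domain is None:
                continue  # host-only cookie: the browser binds it to the gateway host
            matches = gateway_host == domain or gateway_host.endswith("." + domain)
            if not matches:
                cookie_name = value.split("=", 1)[0].strip()
                findings.append(("cookie-domain-mismatch", f"{cookie_name} -> {domain}"))
    return findings


# Constructed sample response headers (not captured from a real deployment).
SAMPLE_HEADERS = [
    ("Location", "https://example.chinacloudsites.cn/login?returnUrl=%2F"),
    ("Set-Cookie", "ARRAffinity=abc123; Path=/; HttpOnly; Domain=example.chinacloudsites.cn"),
    ("Set-Cookie", "session=xyz; Path=/; HttpOnly"),
]

if __name__ == "__main__":
    for kind, detail in find_host_leaks("gateway.example.test", SAMPLE_HEADERS):
        print(kind, detail)
```

A browser discards a cookie whose Domain attribute does not match the host it requested, which is why the second finding means the cookie never reaches the backend on later requests.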

Restrict access

The web apps deployed in these examples use public IP addresses that can be accessed directly from the Internet. This helps with troubleshooting when you're learning about a new feature and trying new things. But if you intend to deploy a feature into production, you'll want to add more restrictions. Consider the following options: