CDN with Application Gateway error 502

  • Question

  • This is our setup:

    Web App: site.azurewebsites.net

    Application Gateway: site.company.com pointing to Web App, works as expected on both HTTP and HTTPS; the AG is a WAF but only detection mode is enabled

    Premium Verizon CDN: site.azureedge.net pointing to the Application Gateway as a Custom Origin (both origin and hostname are set to the same), both HTTP and HTTPS are enabled, DSA optimization (the probe path is visible as well, and verified at the configuration step)

    Error:

    We constantly get 502 Bad Gateway errors on the CDN endpoint. The HTTP endpoint seems to be working, but it is a permanent redirect to HTTPS, but HTTPS throws 502 all the time.


    What we've already tried:

     - Recreate the endpoint with the same configuration.

     - Choose Standard Akamai instead of Premium Verizon. It works like a charm in a minute. But we need custom domain with HTTPS support, so we have to stick with Verizon.

     - Point the Premium Verizon CDN directly to the Web App. It works that way, but we need the WAF in between.

     - We can confirm, the WAF pointing to the Web App works alone both on HTTP and HTTPS. Typing into the browser or invoking a request programmatically. Since the CDN is a reverse proxy, we still can't get why it doesn't work.

    Thank you.




    Sunday, January 28, 2018 10:19 AM

All replies

  • Likely it's the case where the correct servername is not being passed to your origin (SNI) and that's where the 502 errors are coming from. Are you able to open a MSFT support ticket with your sub ID, custom domain info? If not please send me an email with this info and we'll take care of it for you.
    Monday, January 29, 2018 7:33 PM
  • Hey Manling, thank you for your response. Can I have your e-mail address, please? We are still in the middle of onboarding to Azure and we have only billing support yet.
    Monday, January 29, 2018 7:46 PM
  • Hi Juhasz, I see that you already have a ticket opened with MSFT and I'll work on your case together with the ticket owner to resolve your issue.
    Thursday, February 8, 2018 11:09 PM
  • Hi Manling, thank you very much.
    Friday, February 9, 2018 12:00 PM
  • Hi,

    I've the same issue. How have you resolved it?

    We're using the premium Verizon on our actual on-prem production (multiple IIS behind a NLB and a HTTPS binding on IP hosted by the NLB). We have a new infra behind a LB/WAF in off-loading mode and so certificates hosted by the LB based on SNI. When we migrated our DNS records on this new infra we have the same error message on the image.

    Tks in advance.

    Monday, April 9, 2018 8:42 AM
  • If you are using one IP address to host multiple sites, please contact MSFT using Azure Portal to create a new Tech support case.

    Please add your sub ID, CDN profile name, endpoint name, origin host name, host header and custom domain to the case note.

    One of the MSFT support engineers will help you to get help from Verizon to enable the SNI feature from the backend. But it will take at least 5-8 business days.

    Thursday, April 12, 2018 8:01 AM
  • Hi there

    We're experiencing the same issue, but can't open cases. How can we get this sorted?

    Thank you!


    EDIT: Azure Support granted us one free case
    • Edited by FMisle Tuesday, May 15, 2018 5:16 PM
    Tuesday, May 15, 2018 4:54 PM
  • Faisal, what is your custom domain? We need to enable something in the backend. 
    Tuesday, May 22, 2018 10:19 PM
  • Hi,

    We face the same problem and have a case running with MS. Did you solve yours?

    Monday, August 6, 2018 10:03 AM
  • I'm also experiencing the same issue. Has this been solved yet?
    Monday, October 22, 2018 1:38 AM