Introduction

Azure Application Gateway decides whether it can send traffic to a backend by running health probes and evaluating the response. If the backend health status becomes unhealthy, users may see 502 errors, intermittent outages, or complete loss of routing even though the application seems alive from inside the server. Most cases come down to probe configuration, TLS expectations, host header mismatches, or redirects and responses that the gateway does not accept as healthy.

Symptoms

  • Backend pool members show as unhealthy in Azure Application Gateway health status.
  • Users receive 502 Bad Gateway or intermittent failures through the gateway.
  • The application responds when accessed directly, but fails only through Application Gateway.
  • Health probes fail after a hostname change, certificate update, or listener reconfiguration.
  • Only one backend setting, site, or path is marked unhealthy while others remain healthy.

Common Causes

  • The health probe path is wrong or returns a status code outside the accepted range.
  • The backend expects a different host header than the one sent by Application Gateway.
  • TLS validation fails because the backend certificate does not match the configured host name.
  • The application redirects the probe to login, another hostname, or a path that does not return a healthy response.
  • Network security groups, user-defined routes, or firewall rules block gateway-to-backend traffic.
  • The backend is slow, overloaded, or resets the connection before the probe completes.

Step-by-Step Fix

  1. Open the backend health view in Azure Application Gateway and record which pool member, port, and probe are failing.
  2. Review the probe configuration, especially protocol, host header, path, interval, timeout, and accepted status codes.
  3. Test the probe path directly against the backend using the same protocol and host header the gateway should send. Confirm it returns the expected status code consistently.
  4. If the backend uses host-based routing, set the correct host header in the HTTP settings or probe configuration so the application serves the intended site.
  5. Check backend TLS configuration and certificate names. The certificate presented by the backend must match the hostname Application Gateway uses for validation.
  6. Look for redirects, authentication requirements, or custom error handling on the probe path. Health probes should reach a lightweight endpoint that returns a stable healthy response.
  7. Verify network reachability from the gateway subnet to the backend. Check NSGs, route tables, appliance firewalls, and private endpoint rules if applicable.
  8. Inspect backend server logs for probe requests, handshake failures, or connection resets. If the probe never arrives, focus on network and gateway settings. If it arrives but fails, focus on app response behavior.
  9. After fixing the probe, host header, or network path, wait for Application Gateway to refresh backend health and confirm the pool member returns to healthy.
  10. Finish by testing real user traffic through the gateway and confirming the probe endpoint stays healthy under normal load.
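
Step 3 as a script, added here as an illustration and not taken from the original article or from any Azure tooling: it sends one probe-style GET to a backend with a chosen host header and SNI name, follows no redirects, and maps the outcome to the failure classes listed under Common Causes. The function names, verdict strings, and the "200-399" range format and defaults are assumptions of this example (pass the values configured on your probe), and certificate checks use the local system trust store.

```python
import http.client
import socket
import ssl

def status_accepted(status, accepted):
    """True if status falls in any entry such as "200-399" or "401"."""
    for entry in accepted:
        low, _, high = entry.partition("-")
        if int(low) <= status <= int(high or low):
            return True
    return False

def run_probe(backend, port, path, host_header, use_tls=False,
              accepted=("200-399",), timeout=30):
    """Send one probe-style GET to backend:port; return (verdict, detail)."""
    try:
        sock = socket.create_connection((backend, port), timeout=timeout)
    except OSError as exc:  # refused, filtered, or no route: NSG/UDR/firewall
        return "unreachable", f"TCP connect failed: {exc}"
    try:
        if use_tls:
            # Validate the backend certificate against the probe host name.
            ctx = ssl.create_default_context()
            sock = ctx.wrap_socket(sock, server_hostname=host_header)
        # Reuse the prepared socket so the Host header can differ from the address.
        conn = http.client.HTTPConnection(backend, port, timeout=timeout)
        conn.sock = sock
        conn.request("GET", path, headers={"Host": host_header})
        resp = conn.getresponse()
        resp.read()
    except ssl.SSLError as exc:
        return "tls-failure", f"handshake or certificate check failed: {exc}"
    except (OSError, http.client.HTTPException) as exc:
        return "no-response", f"reset or timeout before a response: {exc}"
    finally:
        sock.close()
    # Redirects are reported, never followed, so a login bounce stays visible.
    location = resp.getheader("Location")
    note = f", redirects to {location}" if location else ""
    detail = f"HTTP {resp.status}{note}"
    if not status_accepted(resp.status, accepted):
        return "bad-status", detail
    return "healthy", detail
```

Run it from a host that has the same network path to the backend as the gateway subnet, otherwise an "unreachable" or "healthy" verdict says nothing about what the gateway sees.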