azure | iis | azure-application-gateway

Azure - Configuring End-to-End SSL for IIS Website by using Application Gateway

This article brief about the steps involved in making an end to end HTTPS website which hosted in a VM IIS, in Azure and the traffic need to be routed via Application Gateway.

Abhith Rajan
Abhith RajanSeptember 24, 2019 · 3 min read · Last Updated:

For most cases we do SSL offloading at the Application Gateway end. i.e, HTTPS traffic between public and application gateway, HTTP traffic between application gateway and websites hosted under it. But in some cases we need end to end SSL. In our case, it was for the Identity Server.

So lets start, We pointed the domain to the Application Gateway Public IP and We assume you purchased the SSL for your domain and we need the SSL certificate in two formats.

  1. PFX format for application gateway HTTPS listener.
  2. CER format for application gateway HTTP Settings.

Now we need to do the following,

  1. Add an HTTPS listener for that domain with the Certificate.
  2. Create a backend pool with the VM where we will publish the website in the IIS.
  3. Add an HTTP Settings with the Certificate as shown in the picture.
Application Gateway HTTP Settings
Application Gateway HTTP Settings
  1. Create a rule which connects the listener (1) and backend pool(2) via the newly created HTTP settings (3).

Once all this done, user will be able to hit Application Gateway with HTTPS and probably will see 404 since the VM not responding to the requests. So lets configure the VM to accept the traffic through 443 port. In the VM,

  • Install the SSL certificate.
  • Configure the HTTPS website in the IIS with that certificate and the hostname (domain).

After this done, check whether you are able to reach the website successfully. If you are getting any 502 errors, check the following

  • In the Application Gateway, check the unhealthy backend pools.
  • If our backend pool with the HTTPS HTTP settings name is in that unhealthy list, that indicates the VM in the backend pool not responding 200 back to the health probe check.
  • By default health probe check for HTTPS will sent health check requests to the VM’s IP on 443 port, and in the IIS, no website will be listening for 443 port (Without any hostname specified).
  • To overcome, all we have to do is, on the default website (if there is no default site, add another binding to our site) as shown below,
IIS default 443 port binding
IIS default 443 port binding

Once this done, watch the unhealthy backend pools and you may notice that our backend pool is healthy now (It will take at least 30 seconds to update). Now application gateway will route traffic to our VM over HTTPS and the VM will serve the website and we are done.

Additional Resources

This page is open source. Noticed a typo? Or something unclear?
Improve this page on GitHub

Abhith Rajan

Written byAbhith Rajan
Abhith Rajan is a software engineer by day and a full-stack developer by night. He's coding for almost a decade now. He codes 🧑‍💻, write ✍️, learn 📖 and advocate 👍.

Is this page helpful?

Related ArticlesView All

Related VideosView All

Creating WordPress sites on Azure App Service | Azure Friday

High Availability and SLA for Azure SQL Managed Instance

How to Configure Autoscaling on Microsoft Azure Virtual Machine Scale Sets (VMSS)