azure | iis | azure-application-gateway

Azure - Configuring End-to-End SSL for IIS Website by using Application Gateway

This article brief about the steps involved in making an end to end HTTPS website which hosted in a VM IIS, in Azure and the traffic need to be routed via Application Gateway.

Abhith Rajan
Abhith RajanSeptember 24, 2019 · 3 min read · Last Updated:
Azure - Configuring End-to-End SSL for IIS Website by using Application Gateway

For most cases we do SSL offloading at the Application Gateway end. i.e, HTTPS traffic between public and application gateway, HTTP traffic between application gateway and websites hosted under it. But in some cases we need end to end SSL. In our case, it was for the Identity Server.

So lets start, We pointed the domain to the Application Gateway Public IP and We assume you purchased the SSL for your domain and we need the SSL certificate in two formats.

  1. PFX format for application gateway HTTPS listener.
  2. CER format for application gateway HTTP Settings.

Now we need to do the following,

  1. Add an HTTPS listener for that domain with the Certificate.
  2. Create a backend pool with the VM where we will publish the website in the IIS.
  3. Add an HTTP Settings with the Certificate as shown in the picture.
Application Gateway HTTP Settings
Application Gateway HTTP Settings
  1. Create a rule which connects the listener (1) and backend pool(2) via the newly created HTTP settings (3).

Once all this done, user will be able to hit Application Gateway with HTTPS and probably will see 404 since the VM not responding to the requests. So lets configure the VM to accept the traffic through 443 port. In the VM,

  • Install the SSL certificate.
  • Configure the HTTPS website in the IIS with that certificate and the hostname (domain).

After this done, check whether you are able to reach the website successfully. If you are getting any 502 errors, check the following

  • In the Application Gateway, check the unhealthy backend pools.
  • If our backend pool with the HTTPS HTTP settings name is in that unhealthy list, that indicates the VM in the backend pool not responding 200 back to the health probe check.
  • By default health probe check for HTTPS will sent health check requests to the VM’s IP on 443 port, and in the IIS, no website will be listening for 443 port (Without any hostname specified).
  • To overcome, all we have to do is, on the default website (if there is no default site, add another binding to our site) as shown below,
IIS default 443 port binding
IIS default 443 port binding

Once this done, watch the unhealthy backend pools and you may notice that our backend pool is healthy now (It will take at least 30 seconds to update). Now application gateway will route traffic to our VM over HTTPS and the VM will serve the website and we are done.

Additional Resources

azureiisazure-application-gateway

This page is open source. Noticed a typo? Or something unclear?
Improve this page on GitHub

Abhith Rajan

Written byAbhith Rajan
Abhith Rajan is a software engineer by day and a full-stack developer by night. He's coding for almost a decade now. He codes 🧑‍💻, write ✍️, learn 📖 and advocate 👍.
Connect

Is this page helpful?

Buy me a coffee

Related ArticlesView All

Cost Optimization: Auto Shutdown and Startup of Tagged VMs with Azure Automation
Cost Optimization: Auto Shutdown and Startup of Tagged VMs with Azure Automation
May 30, 2023 · 6 min read

Unlock cost savings in Azure environments through automated VM shutdown and startup. Implement Azure Automation to optimize resource management and cut unnecessary expenses

abhith rajan
by Abhith Rajan
azure
Azure Application Gateway - List of Failed Requests
Azure Application Gateway - List of Failed Requests
September 19, 2020 · 2 min read

Get an insight about the failed requests in the Azure Application Gateway.

abhith rajan
by Abhith Rajan
azure-application-gatewaymonitoring
IIS - Disable CORS
IIS - Disable CORS
August 14, 2019 · 1 min read

Disable CORS for IIS 10 website by allowing all origins in two simple steps.

abhith rajan
by Abhith Rajan
iisweb-config
Azure Web App - Web Deploy to a Sub-folder
Azure Web App - Web Deploy to a Sub-folder
July 30, 2019 · 2 min read

Follow this tutorial to configure web deploy from Visual Studio to a sub-folder in your azure web app (App Service).

abhith rajan
by Abhith Rajan
azure
Azure Web App - Missing MIME types
Azure Web App - Missing MIME types
July 11, 2019 · 2 min read

If you are seeing "404 Not Found" for .woff, .woff2 or for .json files even if they exist on your azure web app, this is the post for you.

abhith rajan
by Abhith Rajan
azureweb-config
IIS - OPTIONS Requests Returns 404
IIS - OPTIONS Requests Returns 404
April 19, 2018 · 2 min read

If OPTIONS preflight request getting 404 and URLScan enabled on your hosting machine, check out this article.

abhith rajan
by Abhith Rajan
iisaspnet

Related VideosView All

Creating WordPress sites on Azure App Service | Azure Friday

azure

High Availability and SLA for Azure SQL Managed Instance

azuresql-server

How to Configure Autoscaling on Microsoft Azure Virtual Machine Scale Sets (VMSS)

azure

Related StoriesView All

Microsoft Azure
Azure Static Web App–Password protect your environments
bartwullems.blogspot.com · Feb 25, 2024

azure
Microsoft Azure
How to start/stop your AKS cluster on schedule
azureblue.io · May 05, 2023

This article describes how an Azure Automation Account can be used to automatically start and stop an AKS cluster on schedule

azure
Hosting
How can I convert a certificate file from .crt to .cer? | SonicWall
sonicwall.com · Nov 08, 2022

hostingazure-application-gateway
Microsoft Azure
General Availability of Azure Automation extension for Visual Studio Code - Microsoft Community Hub
techcommunity.microsoft.com · Oct 17, 2023

azurevscode
Microsoft Azure
Cloning Azure VMs - DEV Community
dev.to · Feb 27, 2023

azure
Microsoft Azure
Microsoft's metaverse rival Meta chooses Azure as strategic cloud provider
onmsft.com · Jul 20, 2022

Meta, formerly known as Facebook, has chosen Microsoft Azure as a strategic cloud provider for A.I. research and development

azure