Application Gateway v2 with all listeners (multisite/HTTPS) defined with a hostname still allows the application gateway to be contacted via the AppGW DNS name or the IP address even without anything defined. When accessing in this way, the result is a 404 as there is no backend; however, a certificate is still shown, which seems to be one from the first listener.
When configuring and testing the same on v1 the result is the site cannot be reached.
This was highlighted after using SSL Labs where two certificates are being identified when testing. A rating of T is being shown as certificate #1 does not match.
Is this correct behaviour? My expectation is if there is a listener present without a hostname then accessing via the AppGW URL or IP address would access this; however, when there is no listener the connection should be refused.
@AndrewSmithRS, thank you for your question. We'll review this and get back to you shortly.
@AndrewSmithRS, I have confirmed with the Application gateway backend team that when there's no matching listener, accessing App gateway V2 returns a 404 with the certificate from the first listener. This is a default behaviour of Application gateway V2 SKU.
We are closing this issue for now. If there are further questions regarding this matter, please reply and we will gladly continue the discussion.
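A way to check a gateway you operate for the behaviour confirmed above, as an added example that is not part of the original thread or any Microsoft code: it compares the certificate served when no SNI is sent with the name probed and with the configured listener hostnames. The function names, the hostnames and the sample certificate are constructed assumptions.

```python
import socket
import ssl

def fetch_cert(address, port=443, sni=None, timeout=5.0):
    """Return the parsed certificate served at address; sni=None sends no SNI.
    Raises ssl.SSLError if the chain is not trusted by the system CA store."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; names are compared below
    with socket.create_connection((address, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert()

def san_dns_names(cert):
    """DNS entries of subjectAltName from a getpeercert()-style dict."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def name_matches(pattern, host):
    """Exact match, or a wildcard covering exactly one left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h

def assess(cert, probe_name, listener_hosts):
    """Compare the fallback certificate with the name probed and the listeners."""
    names = san_dns_names(cert)
    return {
        "served_names": names,
        # False reproduces the name mismatch a scanner reports for this endpoint
        "matches_probe": any(name_matches(n, probe_name) for n in names),
        # listener hostnames revealed to a client that only knew the IP address
        "disclosed_listeners": [h for h in listener_hosts
                                if any(name_matches(n, h) for n in names)],
    }

# Constructed sample in the shape returned by getpeercert(); not real data.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.contoso.example"),),),
    "subjectAltName": (("DNS", "shop.contoso.example"),
                       ("DNS", "*.api.contoso.example")),
}
SAMPLE_LISTENERS = ["shop.contoso.example", "v1.api.contoso.example",
                    "admin.contoso.example"]

if __name__ == "__main__":
    # Live use against your own gateway: cert = fetch_cert("<frontend IP>")
    print(assess(SAMPLE_CERT, "appgw-frontend.example", SAMPLE_LISTENERS))
```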
Thanks for confirming the behaviour. Having the documentation updated to include this change would help.
Is there any technical reason for this to occur? I know some of my customers will fail specific security audits due to this. I'm happy to raise a ticket if this is not the right forum.
@AndrewSmithRS, the difference between App gateway V1 and V2 SKU multi-site behaviour is documented in the below article:
https://docs.microsoft.com/en-us/azure/application-gateway/ssl-overview#frontend-tls-connection-client-to-application-gateway
Thanks for reminding me to read the documentation :)
I'll feedback via our partner team in regards to the implications of the new behaviour.