Home / Azure / Fix Azure Application Gateway Backend Pool Not Resolving

Azure

Fix Azure Application Gateway Backend Pool Not Resolving

Resolve Azure Application Gateway backend pool issues by checking health probes, DNS resolution, and backend target configuration.

Published: Apr 2, 20267 min readBy FixWikiHub Editorial Team

Abstract illustration for a troubleshooting knowledge base category.

Introduction

Azure Application Gateway routes traffic to backend pools containing your application servers. When backend pools don't resolve, the gateway returns 502 Bad Gateway errors, and no traffic reaches your backend services.

Symptoms

502 Bad Gateway from Application Gateway:

```bash $ curl -v https://app.example.com

HTTP/2 502 Bad Gateway {"Message":"Backend is unreachable"} ```

Backend health shows unhealthy:

```bash $ az network application-gateway show-backend-health \ --name my-appgw \ --resource-group my-rg

# All backends show "Unhealthy" status ```

DNS resolution failure:

bash

# In Application Gateway logs:
"BackendAddressResolutionFailed: Unable to resolve backend hostname 'api.internal.example.com'"

Common Causes

1.Custom probe host header wrong - Probe uses wrong hostname
2.Backend DNS not resolving - Private DNS zone missing
3.Backend FQDN unreachable - Network routing issues
4.Probe path incorrect - Health check path returns 404
5.Backend port mismatch - Application on different port
6.Certificate issues - HTTPS backend with invalid certificate
7.NSG blocking traffic - Network security group rules too restrictive

Step-by-Step Fix

1.Check logs for specific error messages
2.Verify configuration settings
3.Test network connectivity
4.Review recent changes
5.Apply corrective action
6.Verify the fix

Step 1: Check Backend Pool Configuration

bash

# Get backend pool details
az network application-gateway address-pool show \
  --gateway-name my-appgw \
  --resource-group my-rg \
  --name my-backend-pool \
  --query '{Addresses:backendAddresses,BackendIPs:backendIPConfigurations}'

Step 2: Check Backend Health Status

```bash # Get detailed backend health az network application-gateway show-backend-health \ --name my-appgw \ --resource-group my-rg \ --query 'backendAddressPools[].backendHttpSettingsCollection[].servers[]'

# Check specific backend az network application-gateway show-backend-health \ --name my-appgw \ --resource-group my-rg \ --query "backendAddressPools[?name=='my-backend-pool']" ```

Step 3: Verify Health Probe Configuration

```bash # Get probe settings az network application-gateway probe show \ --gateway-name my-appgw \ --resource-group my-rg \ --name my-probe \ --query '{Host:host,Path:path,Protocol:protocol,Port:port,Timeout:timeout,Interval:interval,Threshold:unhealthyThreshold}'

# Common issues: # - Host: Wrong hostname (should match backend server's expected Host header) # - Path: /health when backend expects /api/health # - Port: 80 when backend listens on 8080 ```

Step 4: Update Health Probe Settings

```bash # Update probe to match backend expectations az network application-gateway probe update \ --gateway-name my-appgw \ --resource-group my-rg \ --name my-probe \ --host api.example.com \ --path /api/health \ --port 8080 \ --protocol Http \ --interval 30 \ --timeout 10 \ --threshold 3

# For HTTPS backends az network application-gateway probe update \ --gateway-name my-appgw \ --resource-group my-rg \ --name my-probe \ --protocol Https \ --host backend.example.com ```

Step 5: Check Backend DNS Resolution

```bash # Test DNS resolution from Application Gateway subnet # Deploy a test VM in same subnet az vm create --name test-vm --resource-group my-rg --image Ubuntu2204 --subnet /subscriptions/SUB/resourceGroups/my-rg/providers/Microsoft.Network/virtualNetworks/my-vnet/subnets/appgw-subnet

# SSH to test VM and test DNS ssh testuser@test-vm-pip nslookup api.internal.example.com dig api.internal.example.com

# If resolution fails: # - Add private DNS zone link # - Add custom DNS servers # - Add hosts file entry (not recommended for production) ```

Step 6: Configure Private DNS Zone

```bash # Create private DNS zone for internal resolution az network private-dns zone create \ --resource-group my-rg \ --name internal.example.com

# Add A record for backend az network private-dns record-set a add-record \ --resource-group my-rg \ --zone-name internal.example.com \ --record-set-name api \ --ipv4-address 10.0.1.100

# Link DNS zone to VNet az network private-dns link vnet create \ --resource-group my-rg \ --zone-name internal.example.com \ --name my-vnet-link \ --virtual-network /subscriptions/SUB/resourceGroups/my-rg/providers/Microsoft.Network/virtualNetworks/my-vnet \ --registration-enabled false ```

Step 7: Check NSG Rules

```bash # Get NSG for Application Gateway subnet az network nsg show \ --name my-appgw-nsg \ --resource-group my-rg \ --query 'securityRules[]'

# Required rules for Application Gateway: # - Inbound: Allow ports 65503-65534 (v2) or 65503-65534 (v1) for management # - Inbound: Allow listener ports (80, 443) # - Outbound: Allow traffic to backend on backend ports

# Add missing rule az network nsg rule create \ --nsg-name my-appgw-nsg \ --resource-group my-rg \ --name AllowBackendTraffic \ --direction Outbound \ --priority 100 \ --source-address-prefixes 10.0.0.0/24 \ --destination-address-prefixes 10.0.1.0/24 \ --destination-port-ranges 80 8080 443 \ --protocol Tcp \ --access Allow ```

Step 8: Test Backend Connectivity

```bash # From test VM in same subnet, test backend curl -v http://api.internal.example.com:8080/health

# Check response: # - Should return 200 OK # - Response body should be expected content # - Response time should be < probe timeout

# For HTTPS backends, check certificate openssl s_client -connect api.internal.example.com:443 -servername api.internal.example.com ```

Step 9: Check HTTP Settings

```bash # Get HTTP settings az network application-gateway http-settings show \ --gateway-name my-appgw \ --resource-group my-rg \ --name my-http-settings \ --query '{Port:port,Protocol:protocol,Probe:probe,HostName:hostName,CookieBasedAffinity:cookieBasedAffinity}'

# Update HTTP settings if needed az network application-gateway http-settings update \ --gateway-name my-appgw \ --resource-group my-rg \ --name my-http-settings \ --port 8080 \ --host-name backend.example.com ```

Step 10: Review Application Gateway Logs

```bash # Enable diagnostic logs az monitor diagnostic-settings create \ --name appgw-logs \ --resource /subscriptions/SUB/resourceGroups/my-rg/providers/Microsoft.Network/applicationGateways/my-appgw \ --workspace /subscriptions/SUB/resourcegroups/my-rg/providers/microsoft.operationalinsights/workspaces/my-workspace \ --logs '[{"category":"ApplicationGatewayAccessLog","enabled":true},{"category":"ApplicationGatewayPerformanceLog","enabled":true},{"category":"ApplicationGatewayFirewallLog","enabled":true}]'

Application Gateway Backend Requirements

Requirement	Value
Backend response time	< probe timeout (default 30s)
Health probe response	200-399 status code
Certificate (HTTPS)	Valid, not expired, matching hostname
Network path	Route from AGIC subnet to backend

Verification

```bash # Check backend health after fixes az network application-gateway show-backend-health \ --name my-appgw \ --resource-group my-rg \ --query 'backendAddressPools[].backendHttpSettingsCollection[].servers[].health'

# Should show "Healthy" for all backends

# Test actual traffic curl -v https://app.example.com

# Should return expected response from backend ```

[Fix Azure Application Gateway WAF Blocking](/articles/fix-azure-application-gateway-waf-blocking)
[Fix Azure Load Balancer Probe Failing](/articles/fix-azure-load-balancer-probe-failing)
[Fix Azure SSL Policy Too Strict](/articles/fix-azure-ssl-policy-too-strict)

[Technical troubleshooting: Fix Azure Aks Pod Crashloopbackoff Issue in Azure](azure-aks-pod-crashloopbackoff)
[Technical troubleshooting: Fix Azure Api Management Policy Expression Runtime](azure-api-management-policy-expression-runtime-error)
[Technical troubleshooting: Fix Azure App Configuration Feature Flag Not Refre](azure-app-configuration-feature-flag-not-refreshing)
[Technical troubleshooting: Fix Azure App Service 503 Always On Disabled Issue](azure-app-service-503-always-on-disabled)
[Technical troubleshooting: Fix Azure Application Gateway Err SSL Unrecognized](azure-application-gateway-err-ssl-unrecognized-name-alert)

Was this guide helpful?

Related search paths

People also search for

If the symptom is close but not identical, these search paths usually surface the right neighboring fixes faster than scrolling the full archive.

Azure Application Gateway Backend Pool Not Resolving Azure Application Gateway Backend Pool Not Resolving Azure Azure Application Gateway Backend Pool Not Resolving troubleshooting Azure Application Gateway Backend Pool Not Resolving fix Resolve Azure Application Gateway backend pool issues by checking health probes, DNS resolution, and backend target configuration Azure Resolve Azure Application Gateway backend pool issues by checking health probes, DNS resolution, and backend target configuration

Explore Related Topics

Browse Guides from Other Categories

Discover troubleshooting guides from related categories to expand your knowledge.

FAQ

Azure Troubleshooting FAQs

Common questions about troubleshooting and preventing similar issues

How do I know if this azure-errors troubleshooting guide applies to my situation?

This guide is designed for azure-errors issues. If you're experiencing similar symptoms described in the article, follow the step-by-step instructions. Start with the most common causes and work through the diagnostic process.

Is it safe to follow these azure-errors troubleshooting steps?

Yes, all steps are designed to be safe and non-destructive. We recommend creating backups before making significant changes and testing each step before proceeding to the next.

How long does it typically take to resolve this type of azure-errors issue?

Most azure-errors issues can be resolved within 30 minutes to 2 hours, depending on the complexity and root cause. Follow the troubleshooting flow to identify and fix the problem efficiently.

How can I prevent this azure-errors issue from happening again?

Regular maintenance, monitoring, and following best practices for azure-errors configuration can help prevent recurrence. Consider implementing automated checks and alerts for early detection.

Written by

FixWikiHub Editorial Team

Our editorial team consists of experienced DevOps engineers, systems administrators, and cloud architects with hands-on experience in production environments across AWS, Azure, GCP, and on-premises infrastructure.

Every guide undergoes technical review for accuracy and is updated when software versions, commands, or best practices change.

Last updated: Apr 2, 2026

About our team

Important Notice

Disclaimer & Safety Guidelines

The troubleshooting steps in this guide are provided for educational and informational purposes. Before applying any changes to production systems:

Test in a staging environment first — Always verify commands and configurations in a non-production environment before deploying to live systems.
Create backups — Ensure you have current backups of databases, configurations, and critical files before making changes.
Understand the impact — Review how each step may affect your specific environment, dependencies, and users.
Consult official documentation — This guide supplements, but does not replace, official vendor documentation and best practices.

FixWikiHub is not responsible for any damages arising from the use of this content. See our Terms of Use for more information.

Resources

Official Documentation & Further Reading

For authoritative information, consult the official documentation for the technologies discussed in this guide. Our troubleshooting content supplements, but does not replace, vendor documentation.

AWS Documentation — Official Amazon Web Services guides and API references
Kubernetes Documentation — Official Kubernetes documentation
Nginx Documentation — Official Nginx web server documentation
Apache Documentation — Official Apache HTTP Server documentation
Docker Documentation — Official Docker container documentation