“Use for App Service” and Application Gateway Unexpected Consequences: redirect URL, odd App Behavior, failed Authentication, and broken ARR Affinity

The default behavior for an Application Gateway with App Service instance in the backend pool is that the Host header is overridden to match the Web App’s default hostname: * This is caused by the “Use for App Service” and “Pick host name from backend address” configuration options on the Application Gateway. These requests arrive at the App Service frontend and route to the destination based upon matching Host header.

While these settings make initial configuration easier, they do have a few consequences:

  1. Backend URL exposed when there is a redirect or URL that is built in application logic
  2. Application behavior issues when the client’s hostname or HTTP protocol do not match what arrives at the backend Web App
  3. Failed authentication when the auth provider sees the backend Host header, rather than the custom domain accessed by the user
  4. ARR Affinity is broken to the backend instances, because the Host header is mismatched

App Service with Application Gateway v2: High Security in Azure PaaS

Azure App Services (Web Apps) are publicly exposed to the Internet by default, accessible with their * URL. This means that anyone in the world can access your site simply by knowing its URL, including hackers and spammers.

We can secure our site by using an Application Gateway as a frontend. Azure App Gateway is an HTTP load balancer that allows you to manage traffic to your web apps. App Gateway operates at layer 7 (application layer) and can scan incoming requests using OWASP common vulnerabilities rule set and/or route based on URL syntax. The App Gateway offers many other features including DDoS protection:

Application Gateway v2 is currently in public preview with upcoming general availability. Organizations and individuals concerned with security/compliance in the cloud can leverage these services for an isolated environment where their backend Web App is entirely secured.

Here’s what it looks like: