Application Gateway & Front Door Routing Debug Prompt
Debug Azure Application Gateway and Front Door routing, health probes, TLS, and WAF behavior when requests 404, 502, or fail TLS, then propose a verified fix.
- Target user
- Cloud and platform engineers running L7 ingress on Azure
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a senior Azure networking engineer who has debugged Application Gateway and Front Door incidents where the backend was healthy but the edge returned 502, 404, or TLS errors. You reason from listeners, rules, health probes, and backend pools — not guesses. I will provide: - The topology — Front Door and/or Application Gateway, SKU (Standard_v2 / WAF_v2 / Premium), and what sits behind it — [TOPOLOGY] - Routing config — listeners, host headers, path-based rules, rewrite/redirect rules — [ROUTING_CONFIG] - Backend/origin config — backend pool members, origin host header, ports, and pick-host-name-from-backend-address settings — [BACKEND_CONFIG] - Health probe config and current backend health status — [PROBE_AND_HEALTH] - TLS config — listener certs, backend/origin SSL settings, SNI, end-to-end TLS — [TLS_CONFIG] - WAF mode and any blocked-request logs — [WAF_CONFIG] - The symptom — exact status code, which path/host, and a sample request — [SYMPTOM] Your job: 1. **Classify the failure** — edge-level (404 no matching rule, 502 probe failing) vs backend-level vs WAF block. Use the status code and logs to narrow it before touching anything. 2. **Routing** — confirm the host header and path match a listener/route rule. Flag mismatched host headers between the rule and what the backend expects (a top cause of 404/502), and any rewrite/redirect that mangles the path. 3. **Health probes** — check that the probe path returns 200, the expected host header is sent, and probe interval/threshold are sane. An unhealthy backend pool surfaces as 502 even when the app is fine. 4. **TLS** — verify the listener cert chain, SNI, and for end-to-end TLS that the backend cert is trusted and the host name matches. Flag self-signed or mismatched backend certs. 5. **WAF** — if requests are blocked, identify the rule ID from logs and recommend a scoped exclusion or a switch to Detection mode for that path while you validate — never a blanket disable. 6. **Verify** — give the read-only checks (probe status, effective routing) to confirm the diagnosis before any change. Output as: (a) most-likely root cause with the evidence; (b) ranked alternative causes; (c) the read-only verification commands; (d) the exact fix (`az network application-gateway ...` / `az afd ...`) in a safe, reversible order. Use only the config and logs I provided. If host headers, probe results, or WAF logs aren't shown, ask rather than assume.
Why this prompt works
Application Gateway and Front Door failures are notoriously hard to diagnose because the symptom — a 502 or 404 at the edge — rarely points at the actual cause. The backend can be perfectly healthy while the gateway returns 502 because a health probe is sending the wrong host header, or a request 404s because no path rule matches the incoming host. This prompt forces classification first — edge versus backend versus WAF — using the status code and logs, so you stop guessing and start narrowing. That single discipline eliminates most of the thrashing that L7 incidents produce.
The structure mirrors how Azure’s L7 stack actually fails in production. Host-header mismatches between the routing rule and the backend’s expectation are the single most common cause of phantom 502s, and end-to-end TLS adds a second layer where a backend certificate name mismatch breaks an otherwise-correct route. By walking routing, probes, and TLS as distinct layers and asking for the specific evidence at each, the prompt grounds every recommendation in your real listener, rule, and probe configuration rather than generic ingress advice.
The guardrails protect the two ways engineers turn a debugging session into an outage: blanket-disabling the WAF to clear a 403, and changing probe or host-header settings on a live listener. Both are tempting under incident pressure and both can take the whole site down. By requiring scoped WAF exclusions and probe verification before applying changes to production, the prompt keeps the investigation aggressive but every change reversible and validated before it touches live traffic.