top of page


  • Writer's pictureRoman Guoussev-Donskoi

Application Gateway - Monitor and upgrade

Below some items found useful for Application Gateway monitoring and upgrade to version 2.

Enable Logs

First have to enable application Gateway Logs in Diagnostic Setting blade.

So far our monitoring is based on query of Application Gateway logs therefore usually direct App Gateway diagnostics to Log Analytics workspace. But for the future Event Hub destination looks very useful.

Monitor in Log Analytics

Below some of the queries we found useful.

Check for errors

AzureDiagnostics | where Category == "ApplicationGatewayAccessLog" | where httpStatus_d == "500"

Check for request with specific URL

AzureDiagnostics | where Category == "ApplicationGatewayAccessLog"

| where requestUri_s contains "..."

Check client IP accessign specific host

AzureDiagnostics | where Category == "ApplicationGatewayAccessLog" | where TimeGenerated > ago(1h) | summarize count() by clientIP_s, host_s | order by count_ desc

Check Http codes, SSL enabled for clientIP and host

AzureDiagnostics | where Category == "ApplicationGatewayAccessLog" | where TimeGenerated > ago(1h) | summarize count() by clientIP_s, host_s, httpStatus_d, sslEnabled_s | order by count_ desc

Upgrade to Application Gateway v2

We usually find safest build an instance of Application Gateway v2 and place it in parallel with existing v1 instance behind Traffic Manager. This allows for safe testing, easy switching by directing traffic via Traffic Manager to desired Application Gateway and if required quick rollback to old application gateway version.

So far the migrations have been pretty smooth with one item to be aware of - self-signed certificates.

Self-Signed Certificates

From our experience plain self-signed certificates do not work if you use them as server certificates and also upload them as trusted root certificate into Application Gateway v2. But you can create self-signed "CA" certificate and use it to sign back-end server certificate.

Unfortunately Microsoft docs does not mention serverAuth extended Key usage, which will prevents generated certificate from being bound to Azure App Service. Therefore below included a modification that will work with Application Gateway v2 and can be bound to App Service as well.

create config file e.g. server-dns.config.txt

[ req ] prompt = no distinguished_name = my dn [ my dn ] # The bare minimum is probably a commonName commonName = countryName = XX localityName = City organizationName = myOrg organizationalUnitName = My Dept. stateOrProvinceName = YY emailAddress = name = John Doe surname = Doe givenName = John [ my server exts ] extendedKeyUsage = # extendedKeyUsage = serverAuth

Then use following command to create CA certificate and the key

Then use following command to generate server certificate and the pfx file


Application Gateway does not yet work very well with Network Watcher. We confirmed with Microsoft Support that flow logs are not yet captured.

534 views0 comments

Recent Posts

See All

Query SQL using OpenAI and Langchain

LLMs (such as OpenAI) are good for reasoning but they lack capability interface with outside world. This is where Langchain agents step in: agents provide LLMs with tools to perform actions (for examp


Home: Blog2


Home: GetSubscribers_Widget


Your details were sent successfully!

Home: Contact
bottom of page