

Roman Guoussev-Donskoi

Application Gateway - Monitor and upgrade

Below are some items we found useful for Application Gateway monitoring and for upgrading to version 2.

Enable Logs

First, enable Application Gateway logs in the Diagnostic settings blade.

So far our monitoring is based on querying Application Gateway logs, so we usually direct App Gateway diagnostics to a Log Analytics workspace. For the future, the Event Hub destination looks very useful.

Monitor in Log Analytics

Below are some of the queries we found useful.

Check for errors

AzureDiagnostics
| where Category == "ApplicationGatewayAccessLog"
| where httpStatus_d == 500

Check for requests with a specific URL

AzureDiagnostics
| where Category == "ApplicationGatewayAccessLog"
| where requestUri_s contains "..."

Check client IPs accessing a specific host

AzureDiagnostics
| where Category == "ApplicationGatewayAccessLog"
| where TimeGenerated > ago(1h)
| summarize count() by clientIP_s, host_s
| order by count_ desc

Check HTTP codes and SSL enabled for client IP and host

AzureDiagnostics
| where Category == "ApplicationGatewayAccessLog"
| where TimeGenerated > ago(1h)
| summarize count() by clientIP_s, host_s, httpStatus_d, sslEnabled_s
| order by count_ desc

Upgrade to Application Gateway v2

We usually find it safest to build an instance of Application Gateway v2 and place it in parallel with the existing v1 instance behind Traffic Manager. This allows safe testing, easy switching by directing traffic via Traffic Manager to the desired Application Gateway and, if required, quick rollback to the old Application Gateway version.

So far the migrations have been pretty smooth with one item to be aware of - self-signed certificates.

Self-Signed Certificates

From our experience, plain self-signed certificates do not work if you use them as server certificates and also upload them as the trusted root certificate in Application Gateway v2. But you can create a self-signed "CA" certificate and use it to sign the back-end server certificate.

The process is described in Generate an Azure Application Gateway self-signed certificate with a custom root CA.

Unfortunately the Microsoft docs do not mention the serverAuth extended key usage, and without it the generated certificate cannot be bound to Azure App Service. The modification included below works with Application Gateway v2 and can be bound to App Service as well.

Create a config file, e.g. server-dns.config.txt

[ req ]
prompt = no
distinguished_name = my dn

[ my dn ]
# The bare minimum is probably a commonName
commonName =
countryName = XX
localityName = City
organizationName = myOrg
organizationalUnitName = My Dept.
stateOrProvinceName = YY
emailAddress =
name = John Doe
surname = Doe
givenName = John

[ my server exts ]
extendedKeyUsage =
# extendedKeyUsage = serverAuth

Then use the following command to create the CA certificate and the key

Then use the following command to generate the server certificate and the pfx file
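One way to carry out these steps with the openssl CLI, as an added example rather than the author's own commands or the ones in the Microsoft article. The file names, the CA subject, the section names ca_exts and server_exts, the P-256 keys, the 365-day lifetime and the subjectAltName entry are all assumptions made for the example.

```shell
#!/bin/sh
# Added example; every name and value here is constructed, not taken from the original post.
set -eu
# make_backend_pki DIR HOSTNAME PFX_PASSWORD: root CA plus a server certificate signed by it.
make_backend_pki() (
  dir=$1 host=$2 pass=$3
  umask 077; mkdir -p "$dir"          # private keys must not be world-readable
  # Root CA config: CA:TRUE marks it as a signing certificate, not a server certificate.
  cat > "$dir/ca.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ca_exts
[ dn ]
commonName = Example Backend Root CA
[ ca_exts ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  # Server config: the serverAuth EKU is the addition the post calls out.
  cat > "$dir/server.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
commonName = $host
[ server_exts ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ca.key"
  openssl req -x509 -new -key "$dir/ca.key" -sha256 -days 365 -config "$dir/ca.cnf" -out "$dir/ca.crt"
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/server.key"
  openssl req -new -key "$dir/server.key" -sha256 -config "$dir/server.cnf" -out "$dir/server.csr"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -sha256 -days 365 -extfile "$dir/server.cnf" -extensions server_exts -out "$dir/server.crt"
  openssl pkcs12 -export -inkey "$dir/server.key" -in "$dir/server.crt" -certfile "$dir/ca.crt" \
    -passout "pass:$pass" -out "$dir/server.pfx"
)
# has_server_auth CERT: succeeds only if the certificate carries the serverAuth EKU.
has_server_auth() {
  text=$(openssl x509 -in "$1" -noout -text) || return 1
  case $text in *"TLS Web Server Authentication"*) return 0 ;; *) return 1 ;; esac
}
# chains_to CA CERT: succeeds only if CERT verifies with CA as the sole trust anchor.
chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
```

Run has_server_auth and chains_to against the issued certificate before uploading ca.crt as the trusted root and binding server.pfx on the back end. Outside a test, pass the PFX password with -passout env:NAME or file:PATH so it does not appear in the process list.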


Application Gateway does not yet work very well with Network Watcher. We confirmed with Microsoft Support that flow logs are not yet captured.
