Application Gateway - Monitor and upgrade
Below are some items we found useful for Application Gateway monitoring and for upgrading to version 2.
First, you have to enable Application Gateway logs in the Diagnostic settings blade.
So far our monitoring is based on querying Application Gateway logs, so we usually direct App Gateway diagnostics to a Log Analytics workspace. For the future, the Event Hub destination looks very useful.
Monitor in Log Analytics
Below are some of the queries we found useful.
Check for errors
// httpStatus_d is a numeric column, so compare it with a number, not a string
AzureDiagnostics
| where Category == "ApplicationGatewayAccessLog"
| where httpStatus_d == 500
Check for requests with a specific URL
AzureDiagnostics | where Category == "ApplicationGatewayAccessLog"
| where requestUri_s contains "..."
Check client IP accessing specific host
AzureDiagnostics
| where Category == "ApplicationGatewayAccessLog"
| where TimeGenerated > ago(1h)
| summarize count() by clientIP_s, host_s
| order by count_ desc
Check HTTP codes and SSL enabled for client IP and host
AzureDiagnostics
| where Category == "ApplicationGatewayAccessLog"
| where TimeGenerated > ago(1h)
| summarize count() by clientIP_s, host_s, httpStatus_d, sslEnabled_s
| order by count_ desc
Upgrade to Application Gateway v2
We usually find it safest to build an instance of Application Gateway v2 and place it in parallel with the existing v1 instance behind Traffic Manager. This allows for safe testing, easy switching by directing traffic via Traffic Manager to the desired Application Gateway and, if required, quick rollback to the old Application Gateway version.
So far the migrations have been pretty smooth with one item to be aware of - self-signed certificates.
From our experience, plain self-signed certificates do not work if you use them as server certificates and also upload them as the trusted root certificate into Application Gateway v2. But you can create a self-signed "CA" certificate and use it to sign the back-end server certificate.
The process is described in Generate an Azure Application Gateway self-signed certificate with a custom root CA.
Unfortunately, the Microsoft docs do not mention the serverAuth extended key usage, and without it the generated certificate cannot be bound to Azure App Service. Therefore a modification is included below that works with Application Gateway v2 and can be bound to App Service as well.
Create a config file, e.g. server-dns.config.txt
[ req ]
prompt = no
distinguished_name = my dn

[ my dn ]
# The bare minimum is probably a commonName
commonName = secure.example.com
countryName = XX
localityName = City
organizationName = myOrg
organizationalUnitName = My Dept.
stateOrProvinceName = YY
emailAddress = email@example.com
name = John Doe
surname = Doe
givenName = John

[ my server exts ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
# extendedKeyUsage = serverAuth
Then use the following command to create the CA certificate and the key
Then use the following command to generate the server certificate and the pfx file
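One way to carry out these steps with OpenSSL and check the result, as an added example rather than the author's own commands. The file names, subject names, key size, validity period, the subjectAltName entry and the section names ca_exts and server_exts are assumptions of this example.

```shell
#!/bin/sh
# Added example (constructed names): root CA -> back-end cert with serverAuth EKU -> PFX.

make_backend_cert() {   # usage: make_backend_cert <out-dir> <host> <pfx-password>
    d=$1; host=$2; pass=$3
    mkdir -p "$d" || return 1
    # One config for both certificates; the section names are this example's own.
    cat > "$d/openssl.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
commonName = $host
[ ca_exts ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ server_exts ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    # 1. Self-signed root CA; ca.crt is the file to upload as the trusted root.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$d/openssl.cnf" -extensions ca_exts -subj "/CN=Example Backend Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
    # 2. Server key and certificate signing request.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$d/openssl.cnf" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
    # 3. Sign the CSR with the CA; extensions are taken from -extfile, not from the CSR.
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -sha256 -days 365 -extfile "$d/openssl.cnf" \
        -extensions server_exts -out "$d/server.crt" 2>/dev/null || return 1
    # 4. Bundle the server key, server certificate and CA certificate into the PFX.
    openssl pkcs12 -export -inkey "$d/server.key" -in "$d/server.crt" \
        -certfile "$d/ca.crt" -passout "pass:$pass" -out "$d/server.pfx"
}

# True when the certificate lists the serverAuth EKU (1.3.6.1.5.5.7.3.1).
has_server_auth() {
    openssl x509 -in "$1" -noout -text | grep -q "TLS Web Server Authentication"
}

# True when <server.crt> chains to <ca.crt> and is acceptable as a TLS server certificate.
verifies_as_server() {   # usage: verifies_as_server <ca.crt> <server.crt>
    openssl verify -purpose sslserver -CAfile "$1" "$2" >/dev/null 2>&1
}
```

Running has_server_auth against server.crt before uploading the PFX catches a missing EKU early, and verifies_as_server confirms the certificate chains to the CA file that will be uploaded as the trusted root.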
Application Gateway does not yet work very well with Network Watcher. We confirmed with Microsoft Support that flow logs are not yet captured.