az network application-gateway http-settings create: protocol Tcp not supported

[lacmar25]

Describe the bug

1)
Command: az network application-gateway http-settings create
Issue: protocol Tcp not supported
ERROR example:

az network application-gateway http-settings create \
    --resource-group my-rg \
    --gateway-name my-agw \
    --name my-bs \
    --port 5001 \
    --protocol Tcp \
    --timeout 1800 \
    --probe my-tcp-5001-probe
(ApplicationGatewayBackendHttpSettingsProtocolNotSupported) BackendHttpSettings /subscriptions/xx/resourceGroups/my-rg/providers/Microsoft.Network/applicationGateways/my-agw/backendHttpSettingsCollection/my-bs does not support protocol Tcp. Supported protocols are: Http and Https.
Code: ApplicationGatewayBackendHttpSettingsProtocolNotSupported
Message: BackendHttpSettings /subscriptionsxx/resourceGroups/my-rg/providers/Microsoft.Network/applicationGateways/my-agw/backendHttpSettingsCollection/my-bs does not support protocol Tcp. Supported protocols are: Http and Https.

But the documentation (https://learn.microsoft.com/en-us/cli/azure/network/application-gateway/http-settings?view=azure-cli-latest#az-network-application-gateway-http-settings-create) states it is available:
[--protocol {Http, Https, Tcp, Tls}]

Related command

az network application-gateway http-settings create \
    --resource-group my-rg \
    --gateway-name my-agw \
    --name my-bs \
    --port 5001 \
    --protocol Tcp \
    --timeout 1800 \
    --probe my-tcp-5001-probe

Errors

(ApplicationGatewayBackendHttpSettingsProtocolNotSupported) BackendHttpSettings /subscriptions/xx/resourceGroups/my-rg/providers/Microsoft.Network/applicationGateways/my-agw/backendHttpSettingsCollection/my-bs does not support protocol Tcp. Supported protocols are: Http and Https.
Code: ApplicationGatewayBackendHttpSettingsProtocolNotSupported
Message: BackendHttpSettings /subscriptionsxx/resourceGroups/my-rg/providers/Microsoft.Network/applicationGateways/my-agw/backendHttpSettingsCollection/my-bs does not support protocol Tcp. Supported protocols are: Http and Https.

2)

az network application-gateway listener create --frontend-port 5001-fp --gateway-name my-agw --namemy-listener --resource-group my-rg --frontend-ip PrivateIp --host-names my.net
(ApplicationGatewayListenerProtocolNotSupportedWithHostNames) Hostnames property not supported with Tcp listener /subscriptions/x/resourceGroups/my-rg/providers/Microsoft.Network/applicationGateways/my-agw/listeners/my-listener.
Code: ApplicationGatewayListenerProtocolNotSupportedWithHostNames
Message: Hostnames property not supported with Tcp listener /subscriptions/x/resourceGroups/my-rg/providers/Microsoft.Network/applicationGateways/my-agw/listeners/my-listener.

BUT: [--host-names] avaibla in the documentation (https://learn.microsoft.com/en-us/cli/azure/network/application-gateway/listener?view=azure-cli-latest#az-network-application-gateway-listener-create).

Issue script & Debug output

Debug for 1:

cli.azure.cli.core.azclierror: Traceback (most recent call last):
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 666, in execute
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 734, in _run_jobs_serially
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 714, in _run_job
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 1076, in __call__
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 1063, in __call__
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/aaz/_poller.py", line 108, in result
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/tracing/decorator.py", line 94, in wrapper_use_tracer
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/aaz/_poller.py", line 130, in wait
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/aaz/_poller.py", line 83, in _start
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure\cli\command_modules\network\aaz_compact\latest\network\application_gateway\http_settings\__cmds.py", line 1289, in _execute_operations
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure\cli\command_modules\network\aaz_compact\latest\network\application_gateway\http_settings\__cmds.py", line 1445, in __call__
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/aaz/_operation.py", line 327, in on_error
azure.core.exceptions.HttpResponseError: (ApplicationGatewayBackendHttpSettingsProtocolNotSupported) 

Expected behavior

1) Backend setting created with protocol TCP, as you can do in the Application Gateway via Azure portal manually.
2) Listener created with associated host name.

Environment Summary

** az --version
azure-cli 2.70.0

core 2.70.0
telemetry 1.1.0

Extensions:
account 0.2.5
aks-preview 7.0.0b1

Dependencies:
msal 1.31.2b1
azure-mgmt-resource 23.1.1

Python location 'C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe'
Config directory 'C:\Users\laura.caballero.azure'
Extensions directory 'C:\Users\laura.caballero.azure\cliextensions'

Python (Windows) 3.12.8 (tags/v3.12.8:2dc476b, Dec 3 2024, 19:30:04) [MSC v.1942 64 bit (AMD64)]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.**

Additional context

In my AKS cluster I use HTTPS ingresses in an Azure Application Gateway managed by the ingress-controller (AGIC).
It removes every few seconds my TCP listeners, TCP backendsettings and associated rules.
Aside from HTTP/S access, I need some debugging via TCP by URLs, therefore I need to keep that TCP configurations persistent.
I am trying to create a TCP listener with a hostname in order to use AzureIngressProhibitedTarget, but after several weeks it's been impossible, and the AZ CLI / PowerShell commands I found in the Microsoft documentation seem to be wrong and not as updated as the portal features.

If the commands cannot be aligned with those portal features, maybe you could help with some hints to make that TCP configuration persistent anyway? I was not able to find a solution via Internet. Further more, I found people giving up, and replacing Microsoft Application Gateway by other company's solutions instead.

Thanks in advance!

[yonzhan]

Thank you for opening this issue, we will look into it.

[github-actions]

Here are some similar issues that might help you. Please check if they can solve your problem.

• Documentation bug for az network application-gateway http-settings create for TCP protocol #29947

---

Possible solution (Extracted from existing issue, might be incorrect; please verify carefully)

The documentation for 'az network application-gateway http-settings create' incorrectly states that the --protocol property can have a value Tcp. This is not supported, and attempting to use Tcp will result in an error. The correct command should not use Tcp as a protocol.

Reference:

• Documentation bug for az network application-gateway http-settings create for TCP protocol #29947 (comment)

Powered by issue-sentinel

[lacmar25]

But if you want to add the hostname like the documentation says:

az network application-gateway settings create --gateway-name
                                               --name
                                               --port
                                               --resource-group
                                               [--backend-pool-host-name {0, 1, f, false, n, no, t, true, y, yes}]
                                               **[--host-name]**
                                               [--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
                                               [--probe]
                                               [--protocol {Http, Https, Tcp, Tls}]
                                               [--root-certs]
                                               [--timeout]

You get the error:
az network application-gateway settings create --gateway-name tai-dts2-ci-agw --name manager-tcp-5001-bs --port 5001 --resource-group tai-dts2-ci-rg --backend-pool-host-name false --host-name manager.tcp.artisol.net --probe manager-tcp-5001-probe --protocol Tcp --timeout 1800
(ApplicationGatewayBackendSettingsProtocolNotSupportedForNonEmptyHostName) HostName for BackendSettings '/subscriptions/x/resourceGroups/my-rg/providers/Microsoft.Network/applicationGatewaysmy-agw/backendSettingsCollection/my-bs' with protocol 'Tcp' should be null or empty.
Code: ApplicationGatewayBackendSettingsProtocolNotSupportedForNonEmptyHostName
Message: HostName for BackendSettings '/subscriptions/x/resourceGroups/my-rg/providers/Microsoft.Network/applicationGateways/my-agw/backendSettingsCollection/my-bs' with protocol 'Tcp' should be null or empty.

If I can't use a hostname, AzureIngressProhibitedTarget won't work, so I won't be able to make the TCP configuration persistent.
Is there any way to avoid AGIC to remove TCP configs in the Application Gatewway?

Thanks again!

[necusjz]

afaik, http-xxxx group is designed for http/https and xxxx group is designed for tcp/tls: