Merge pull request #299082 from MicrosoftDocs/main

Merged by Learn.Build PR Management system

Author: learn-build-service-prod[bot]

articles/application-gateway/application-gateway-troubleshooting-502.md

@@ -5,7 +5,7 @@ services: application-gateway
 author: greg-lindsay
 ms.service: azure-application-gateway
 ms.topic: troubleshooting
-ms.date: 05/19/2023
+ms.date: 04/29/2025
 ms.author: greglin
 ms.custom: devx-track-azurepowershell
 ---
@@ -87,9 +87,9 @@ The following table lists the values associated with the default health probe:
 
 ### Solution
 
-* Host value of the request will be set to 127.0.0.1. Ensure that a default site is configured and is listening at 127.0.0.1.
+* Host value of the request is set to 127.0.0.1. Ensure that a default site is configured and is listening at 127.0.0.1.
 * Protocol of the request is determined by the BackendHttpSetting protocol.
-* URI Path will be set to */*.
+* URI Path is set to */*.
 * If BackendHttpSetting specifies a port other than 80, the default site should be configured to listen at that port.
 * The call to `protocol://127.0.0.1:port` should return an HTTP result code of 200. This code should be returned within the 30-second timeout period.
 * Ensure the configured port is open and there are no firewall rules or Azure Network Security Groups blocking incoming or outgoing traffic on the port configured.
@@ -130,7 +130,7 @@ Validate that the Custom Health Probe is configured correctly, as shown in the p
 
 ### Cause
 
-When a user request is received, the application gateway applies the configured rules to the request and routes it to a backend pool instance. It waits for a configurable interval of time for a response from the backend instance. By default, this interval is **20** seconds. In Application Gateway v1, if the application gateway doesn't receive a response from backend application in this interval, the user request gets a 502 error.  In Application Gateway v2, if the application gateway doesn't receive a response from the backend application in this interval, the request will be tried against a second backend pool member.  If the second request fails the user request gets a 504 error.
+When a user request is received, the application gateway applies the configured rules to the request and routes it to a backend pool instance. It waits for a configurable interval of time for a response from the backend instance. By default, this interval is **20** seconds. In Application Gateway v1, if the application gateway doesn't receive a response from backend application in this interval, the user request gets a 502 error.  In Application Gateway v2, if the application gateway doesn't receive a response from the backend application in this interval, the request is tried against a second backend pool member.  If the second request fails the user request gets a 504 error.
 
 ### Solution
 
@@ -192,17 +192,17 @@ If all the instances of BackendAddressPool are unhealthy, then the application g
 
 Ensure that the instances are healthy and the application is properly configured. Check if the backend instances can respond to a ping from another VM in the same VNet. If configured with a public end point, ensure a browser request to the web application is serviceable.
 
-## Upstream SSL certificate does not match
+## Upstream SSL certificate doesn't match
 
 ### Cause
 
-The TLS certificate installed on backend servers does not match the hostname received in the Host request header. 
+The TLS certificate installed on backend servers doesn't match the hostname received in the Host request header. 
 
-In scenarios where End-to-end TLS is enabled, a configuration that is achieved by editing the appropriate "Backend HTTP Settings", and changing there the configuration of the "Backend protocol" setting to HTTPS, it is mandatory to ensure that the CNAME of the TLS certificate installed on backend servers matches the hostname coming to the backend in the HTTP host header request.
+In scenarios where End-to-end TLS is enabled, a configuration that is achieved by editing the appropriate "Backend HTTP Settings", and changing there the configuration of the "Backend protocol" setting to HTTPS, it's mandatory to ensure that the DNS NAME of the TLS certificate installed on backend servers matches the hostname coming to the backend in the HTTP host header request.
 
-As a reminder, the effect of enabling on the "Backend HTTP Settings" the option of protocol HTTPS rather than HTTP, will be that the second part of the communication that happens between the instances of the Application Gateway and the backend servers will be encrypted with TLS.
+As a reminder, the effect of enabling on the "Backend HTTP Settings" the option of protocol HTTPS rather than HTTP, is that the second part of the communication that happens between the instances of the Application Gateway and the backend servers are encrypted with TLS.
 
-Due to the fact that by default Application Gateway sends the same HTTP host header to the backend as it receives from the client, you will need to ensure that the TLS certificate installed on the backend server, is issued with a CNAME that matches the host name received by that backend server in the HTTP host header.
+Due to the fact that by default Application Gateway sends the same HTTP host header to the backend as it receives from the client, you need to ensure that the TLS certificate installed on the backend server, is issued with a DNS NAME that matches the host name received by that backend server in the HTTP host header.
 Remember that, unless specified otherwise, this hostname would be the same as the one received from the client.
 
 For example:
@@ -211,16 +211,16 @@ Imagine that you have an Application Gateway to serve the https requests for dom
 
 On that Application Gateway you should have a listener for the host www.contoso.com with a rule that has the "Backed HTTP Setting" forced to use protocol HTTPS (ensuring End-to-end TLS). That same rule could have configured a backend pool with two VMs running IIS as Web servers.
 
-As we know enabling HTTPS in the "Backed HTTP Setting" of the rule will make the second part of the communication that happens between the Application Gateway instances and the servers in the backend to use TLS.
+As we know enabling HTTPS in the "Backed HTTP Setting" of the rule makes the second part of the communication that happens between the Application Gateway instances and the servers in the backend to use TLS.
 
-If the backend servers do not have a TLS certificate issued for the CNAME www.contoso.com or *.contoso.com, the request will fail with **Server Error: 502 - Web server received an invalid response while acting as a gateway or proxy server** because the upstream SSL certificate (the certificate installed on the backend servers) will not match the hostname in the host header, and hence the TLS negotiation will fail. 
+If the backend servers do not have a TLS certificate issued for the DNS NAME www.contoso.com or *.contoso.com, the request fails with **Server Error: 502 - Web server received an invalid response while acting as a gateway or proxy server** because the upstream SSL certificate (the certificate installed on the backend servers) doesn't match the hostname in the host header, and hence the TLS negotiation fails. 
 
 
 www.contoso.com --> APP GW front end IP --> Listener with a rule that configures "Backend HTTP Settings" to use protocol HTTPS rather than HTTP  --> Backend Pool --> Web server (needs to have a TLS certificate installed for www.contoso.com) 
 
 ## Solution
 
-it is required that the CNAME of the TLS certificate installed on the backend server, matches the host name configured in the HTTP backend settings, otherwise the second part of the End-to-end communication that happens between the instances of the Application Gateway and the backend, will fail with "Upstream SSL certificate does not match", and will throw back a **Server Error: 502 - Web server received an invalid response while acting as a gateway or proxy server**
+It's required that the DNS NAME of the TLS certificate installed on the backend server, matches the host name configured in the HTTP backend settings, otherwise the second part of the End-to-end communication that happens between the instances of the Application Gateway and the backend, fails with "Upstream SSL certificate doesn't match", and throws back a **Server Error: 502 - Web server received an invalid response while acting as a gateway or proxy server**
 
 
 ## Next steps

articles/azure-signalr/media/signalr-howto-work-with-azure-front-door/afd-hostname.jpg

@@ -0,0 +1,255 @@
+---
+title: How to use SignalR Service with Azure Front Door
+description: This article provides information about using Azure SignalR Service with Azure Front Door.
+author: kevinguo-ed
+ms.author: kevinguo
+ms.date: 04/10/2025
+ms.service: azure-signalr-service
+ms.topic: how-to
+---
+
+# How to use Azure SignalR Service with Azure Front Door
+
+Azure Front Door is a modern cloud-native application delivery network (ADN) that provides dynamic site acceleration, global load balancing, TLS termination, and application layer security. It operates at the HTTP/HTTPS layer (Layer 7) and acts as the entry point for web applications—routing and optimizing traffic based on attributes such as URL paths, latency, and health status of backends.
+
+A key benefit of Azure Front Door is its native support for WebSocket and WebSocket Secure (WSS) connections. This support enables real-time, bi-directional communication between clients and backend services without requiring any special configuration.
+
+In this guide, we demonstrate how to use Azure Front Door with Azure SignalR Service to front-end your real-time applications. By routing traffic through Front Door, you can:
+
+- Apply WebSocket support with global reach and edge acceleration,
+- Apply centralized security policies, such as WAF rules and rate limiting,
+- Reduce public exposure of your backend services.
+
+As shown in the diagram, you configure Azure Front Door to route WebSocket traffic to your SignalR-powered application backend. This setup ensures that your real-time functionality benefits from low-latency, scalable, and secure traffic handling through Azure’s global edge network.
+
+## Set up and configure Azure Front Door
+
+### Create an Azure SignalR Service resource
+
+Follow [the article](./signalr-quickstart-azure-signalr-service-arm-template.md) and create a SignalR Service resource
+
+### Create an Azure Front Door resource
+
+On the [Azure portal](https://portal.azure.com/), search for **Front Door** and **Create**.
+
+  :::image type="content" source="./media/signalr-howto-work-with-azure-front-door/create-front-door.jpg" alt-text="Screenshot of creating an Azure Front Door resource.":::
+
+
+### Quick test
+Conduct quick tests to verify that SignalR endpoint is healthy and Azure Front Door resource is correctly configured.
+
+Send a request to `<your-SignalR-resource-endpoint>/client` and it should return _400_ with error message _'hub' query parameter is required._ This message means that the request arrived at SignalR Service and the service performed validation as expected.
+  ```bash
+  curl -v <your-SignalR-resource-endpoint>/client
+  ```
+  Returns
+  ```
+  < HTTP/1.1 400 Bad Request
+  < ...
+  <
+  'hub' query parameter is required.
+  ```
+Send a request to the same health endpoint of Azure SignalR through Azure Front Door `http://<the-hostname-of-your-Azure-Front-Door-resource>/client`. Go to the Overview tab of the created Azure Front Door resource, and locate the endpoint hostname.
+
+  :::image type="content" source="./media/signalr-howto-work-with-azure-front-door/afd-hostname.jpg" alt-text="Screenshot of the the hostname of Azure Front Door resource":::
+  
+  ```bash
+  curl -I http://<the-hostname-of-your-Azure-Front-Door-resource>/client
+  ```
+  It should also return _400_ with error message _'hub' query parameter is required._ This message confirms that the request successfully went through Azure Front Door to SignalR Service.
+
+  ```
+  < HTTP/1.1 400 Bad Request
+  < ...
+  <
+  'hub' query parameter is required.
+  ```
+
+### Run a SignalR sample app through Azure Front Door
+
+Now that we can verify that the traffic can reach SignalR Service through Azure Front Door. Next, we use a barebone sample app to demonstrate Azure Front Door's ability to route WebSocket traffic without configuration. We take a step-by-step approach so that you can follow along, if needed.
+
+#### Create the project
+```bash
+mkdir afd-demo 
+cd afd-demo
+
+touch afd-demo.csproj
+```
+
+Paste in the content to the `afd-demo.csproj` file. This project uses only the "Microsoft.Azure.SignalR" package.
+```json
+<Project Sdk="Microsoft.NET.Sdk.Web">
+  <PropertyGroup>
+    <TargetFramework>net7.0</TargetFramework>
+    <Nullable>enable</Nullable>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <RootNamespace>afd_demo</RootNamespace>
+  </PropertyGroup>
+  <ItemGroup>
+    <PackageReference Include="Microsoft.Azure.SignalR" Version="1.30.2" />
+  </ItemGroup>
+</Project>
+```
+
+#### Configure app settings
+Create an `appsettings.json` file and paste in the content. The values will be referenced in the `Program.cs` file, which we create in the next step.
+```bash
+touch appsettings.json
+```
+
+[!INCLUDE [Connection string security comment](includes/signalr-connection-string-security-comment.md)]
+
+```json
+{
+  "Azure": {
+    "SignalR": {
+      "ConnectionString": "<the-connection-string-of-your-Azure-SignalR-resource>"
+    },
+    "AFD": {
+      "Endpoint": "<the-endpoint-of-your-Azure-Front-Door-resource>"
+    }
+  }
+}
+```
+
+#### Create `Program.cs` file
+```bash
+touch Program.cs
+```
+
+Paste in the code to the `Program.cs` file. The web app defines a SignalR hub and serves `index.html` at the web root.
+```csharp
+using Microsoft.Azure.SignalR;
+var builder = WebApplication.CreateBuilder(args);
+
+// Reads in the configuration from `appsettings.json`
+var azureSignalRConnectionString = builder.Configuration["Azure:SignalR:ConnectionString"];
+var afdEndpoint = builder.Configuration["Azure:AFD:Endpoint"];
+
+builder.Services.AddSignalR().AddAzureSignalR(o =>
+{
+    o.Endpoints = new Microsoft.Azure.SignalR.ServiceEndpoint[1]
+    {
+        new Microsoft.Azure.SignalR.ServiceEndpoint(azureSignalRConnectionString)
+        {   
+            // Instructs SignalR server to return a `ClientEndpoint` to SignalR clients, with which they establish a connection. In our case, it's the endpoint of the Azure Front Door resource you just created.
+            ClientEndpoint = new Uri(afdEndpoint),
+        }
+    };
+});
+
+var app = builder.Build();
+app.UseStaticFiles();
+
+app.UseRouting();
+
+app.MapHub<DemoHub>("/demohub");
+
+app.MapGet("/", async context =>
+{
+    var path = Path.Combine(Directory.GetCurrentDirectory(), "wwwroot", "index.html");
+    context.Response.ContentType = "text/html";
+    await context.Response.SendFileAsync(path);
+});
+
+app.Run();
+```
+
+#### Define a SignalR hub
+```bash
+mkdir hubs && cd hubs
+touch demohubs.cs
+```
+
+Paste in the code to the `demohubs.cs` file. For simplicity, the hub exposes only `BroadcastMessage` method to SignalR client, which broadcasts the received message to all connected SignalR clients.
+```csharp
+using Microsoft.AspNetCore.SignalR;
+
+public class DemoHub : Hub
+{
+    public Task BroadcastMessage(string message) =>
+        Clients.All.SendAsync("broadcastMessage", message);
+}
+```
+
+#### Define Web UI
+Make sure you're at the root of the project folder.
+```bash
+mkdir wwwroot && cd wwwroot
+touch index.html
+```
+
+Paste in the code to `index.html`. The user interface consists of a `<textarea>` to receive text input from user and a `<button>` to send the user input through a SignalR connection. Since we defined the SignalR server's behavior to broadcast received messages, you see the same message logged to the browser console. 
+```html
+<!DOCTYPE html>
+<html>
+
+<head>
+  <meta http-equiv="Cache-Control" content="no-cache, no-store, must-revalidate" />
+  <meta name="viewport" content="width=device-width">
+  <meta http-equiv="Pragma" content="no-cache" />
+  <meta http-equiv="Expires" content="0" />
+  <title>Azure SignalR with Azure Front Door as the reverse proxy</title>
+</head>
+
+<body>
+  <div>
+    <textarea id="message" style="display: block; width: 100%; padding: 5px 10px; max-width: 400px; margin-bottom: 8px;"
+      placeholder="Your message..."></textarea>
+    <button id="btn-send" disabled>Send</button>
+  </div>
+
+  <!--Reference the SignalR library. -->
+  <script src="https://cdnjs.cloudflare.com/ajax/libs/microsoft-signalr/6.0.1/signalr.js"></script>
+
+  <script type="module">
+    document.addEventListener("DOMContentLoaded", async function () {
+      const connection = new signalR.HubConnectionBuilder()
+        .withUrl("/demohub")
+        .build();
+
+      connection.on("broadcastMessage", (msg) => {
+        console.log(msg)
+      })
+      await connection.start();
+      document.getElementById("btn-send").removeAttribute("disabled")
+
+      document.getElementById("btn-send").addEventListener("click", () => {
+        const message = document.getElementById("message").value
+        if (message !== "") {
+          connection.send("broadcastMessage", message)
+          document.getElementById("message").value = ""
+        } else {
+          alert("Message body is empty. Please enter message.")
+        }
+      })
+    })
+  </script>
+</body>
+
+</html>
+```
+
+#### Run the app and verify the flow of message through Azure Front Door
+That is all the code to the sample. Let's run the app.
+
+```bash
+  dotnet restore
+  dotnet run
+```
+
+Open http://localhost:5129 from the browser and use `F12` keyboard shortcut to open developer tools. Head to the network panel, you can see that the WebSocket connection is indeed established with Azure Front Door. 
+
+  :::image type="content" source="./media/signalr-howto-work-with-azure-front-door/network-panel-afd.jpg" alt-text="Screenshot of the running app establishing a WebSocket connection with Azure Front Door.":::
+
+Try to type something in the text box and hit the send button. You see the message is logged to browser console as expected.
+
+  :::image type="content" source="./media/signalr-howto-work-with-azure-front-door/console-log.jpg" alt-text="Screenshot of the received message in browser's console log.":::
+
+You can also inspect the flow of messages in the network panel. 
+  
+  :::image type="content" source="./media/signalr-howto-work-with-azure-front-door/network-panel-flow-of-messages.jpg" alt-text="Screenshot of flow of messages in the network panel.":::
+
+
+

articles/azure-signalr/media/signalr-howto-work-with-azure-front-door/console-log.jpg

@@ -498,6 +498,8 @@
       href: billing.md
     - name: Quotas
       href: quotas.md
+    - name: Make quota requests
+      href: quota-requests.md
 - name: Product updates
   items:
     - name: What's new