Merge pull request #252210 from jaesoni/be-health-improv

Dedicated page for backend health report

Author: JamesJBarnett

articles/application-gateway/application-gateway-backend-health.md

@@ -0,0 +1,93 @@
+---
+title: Backend health
+titleSuffix: Azure Application Gateway
+description: Learn how to use Backend health report in Azure Application Gateway
+services: application-gateway
+author: jaesoni
+ms.service: application-gateway
+ms.topic: article
+ms.date: 09/19/2023
+ms.author: jaysoni 
+---
+
+# Application Gateway - Backend health
+
+Application Gateway health probes (default and custom) continuously monitor all the backend servers in a pool to ensure the incoming traffic is sent only to the servers that are up and running. These health checks enable a seamless data plane operation of a gateway. When a backend server can receive traffic, the probe is successful and considered healthy. Otherwise, it's considered unhealthy. The precise representation of the health probes report is also made available for your consumption through the Backend Health capability.
+
+## Backend health report
+The possible statuses for a server's health report are:
+1. Healthy - Shows when the application gateway probes receive an expected response code from the backend server.
+1. Unhealthy - Shows when probes don't receive a response, or the response doesn't match the expected response code or body.
+1. Unknown - Occurs when the application gateway's control plane fails to communicate (for Backend Health call) with your application gateway instances or in case of [DNS resolution](application-gateway-backend-health-troubleshooting.md#updates-to-the-dns-entries-of-the-backend-pool) of the backend server's FQDN.
+
+For complete information on the cause and solution of the Unhealthy and Unknown states, visit the [troubleshooting article](application-gateway-backend-health-troubleshooting.md).
+
+> [!NOTE]
+> The Backend health report is updated based on the respective probe's refresh interval and doesn't depend on the moment of page refresh or Backend health API request.
+
+## Methods to view Backend health
+The backend server health report can be generated through the Azure portal, REST API, PowerShell, and Azure CLI.
+
+### Using Azure portal
+The Application Gateway portal provides an information-rich backend health report with visualizations and tools for faster troubleshooting. Each row shows the exact target server, the backend pool it belongs to, its backend setting association (including port and protocol), and the response received by the latest probe. Visit the [Health Probes article](application-gateway-probe-overview.md) to understand how this report is composed based on the number of Backend pools, servers, and Backend settings.
+
+For Unhealthy and Unknown statuses, you will also find a Troubleshoot link presenting you with the following tools:
+
+1. **Azure Network Watcher's Connection troubleshoot** - Visit the [Connection Troubleshoot](../network-watcher/network-watcher-connectivity-portal.md) documentation article to learn how to use this tool. 
+1. **Backend server certificate visualization** - The Backend server certificate visualization makes it easy to understand the problem area, allowing you to act on the problem quickly. The three core components in the illustration provide you with a complete picture — The client, the Application Gateway, and the Backend Server. However, the problems explained in this troubleshooting section only focus on the TLS connection between the application gateway and the backend server.
+
+    :::image type="content" source="media/application-gateway-backend-health/backend-certificate-error.png" alt-text="Screenshot and explanation of a certificate error on the Backend Health page.":::
+
+**Reading the illustration**
+- The red lines indicate a problem with the TLS connection between the gateway and the backend server or the certificate components on the backend server.
+- If there is red text in the Application Gateway or the Backend Server blocks, this indicates problems with the Backend Settings or the server certificate, respectively.
+- You must act on the respective property (Application Gateway's Backend Setting or the Backend Server) depending on the error indication and location.
+- A solution for each error type is provided. A documentation link is also provided for more information.
+
+### Using PowerShell
+
+The following PowerShell code shows how to view backend health by using the `Get-AzApplicationGatewayBackendHealth` cmdlet:
+
+```powershell
+Get-AzApplicationGatewayBackendHealth -Name ApplicationGateway1 -ResourceGroupName Contoso
+```
+
+### Using Azure CLI
+
+```azurecli
+az network application-gateway show-backend-health --resource-group AdatumAppGatewayRG --name AdatumAppGateway
+```
+
+### Results
+
+The following snippet shows an example of the response:
+
+```json
+{
+"BackendAddressPool": {
+    "Id": "/subscriptions/00000000-0000-0000-000000000000/resourceGroups/ContosoRG/providers/Microsoft.Network/applicationGateways/applicationGateway1/backendAddressPools/appGatewayBackendPool"
+},
+"BackendHttpSettingsCollection": [
+    {
+    "BackendHttpSettings": {
+        "Id": "/00000000-0000-0000-000000000000/resourceGroups/ContosoRG/providers/Microsoft.Network/applicationGateways/applicationGateway1/backendHttpSettingsCollection/appGatewayBackendHttpSettings"
+    },
+    "Servers": [
+        {
+        "Address": "hostname.westus.cloudapp.azure.com",
+        "Health": "Healthy"
+        },
+        {
+        "Address": "hostname.westus.cloudapp.azure.com",
+        "Health": "Healthy"
+        }
+    ]
+    }
+]
+}
+```
+
+## Next steps
+* Understanding [Application Gateway probes behavior](application-gateway-probe-overview.md).
+* [Generate a self-signed certificate](self-signed-certificates.md) with a custom root CA.
+

articles/application-gateway/application-gateway-create-probe-portal.md

@@ -118,7 +118,7 @@ Now that the probe has been created, it's time to add it to the gateway. Probe s
 
 ## Next steps
 
-View the health of the backend resources as determined by the probe using the [backend health view](./application-gateway-diagnostics.md#backend-health).
+View the health of the backend servers as determined by the probe using the [Backend health view](application-gateway-backend-health.md).
 
 [1]: ./media/application-gateway-create-probe-portal/figure1.png
 [2]: ./media/application-gateway-create-probe-portal/figure2.png

articles/application-gateway/application-gateway-diagnostics.md

@@ -1,94 +1,24 @@
 ---
-title: Backend health and diagnostic logs
+title: Diagnostic logs
 titleSuffix: Azure Application Gateway
-description: Learn how to enable and manage access logs and performance logs for Azure Application Gateway
+description: Learn how to enable and manage logs for Azure Application Gateway
 services: application-gateway
 author: greg-lindsay
 ms.service: application-gateway
 ms.topic: article
-ms.date: 05/19/2023
+ms.date: 09/19/2023
 ms.author: greglin 
 ---
 
-# Backend health and diagnostic logs for Application Gateway
+# Diagnostic logs for Application Gateway
 
-You can monitor Azure Application Gateway resources in the following ways:
+Application Gateway logs provide detailed information for events related to a resource and its operations. These logs are available for events such as Access, Activity, Firewall, and Performance (only for V1). The granular information in logs is helpful when troubleshooting a problem or building an analytics dashboard by consuming this raw data.
 
-* [Backend health](#backend-health): Application Gateway provides the capability to monitor the health of the servers in the backend pools through the Azure portal and through PowerShell. You can also find the health of the backend pools through the performance diagnostic logs.
+Logs are available for all resources of Application Gateway; however, to consume them, you must enable their collection in a storage location of your choice. Logging in Azure Application Gateway is enabled by the Azure Monitor service. We recommend using the Log Analytics workspace as you can readily use its predefined queries and set alerts based on specific log conditions.
 
-* [Logs](#diagnostic-logging): Logs allow for performance, access, and other data to be saved or consumed from a resource for monitoring purposes.
+## <a name="diagnostic-logging"></a>Types of Diagnostic logs
 
-* [Metrics](application-gateway-metrics.md): Application Gateway has several metrics that help you verify your system is performing as expected.
-
-[!INCLUDE [updated-for-az](../../includes/updated-for-az.md)]
-
-## Backend health
-
-Application Gateway provides the capability to monitor the health of individual members of the backend pools through the portal, PowerShell, and the command-line interface (CLI). You can also find an aggregated health summary of backend pools through the performance diagnostic logs.
-
-The backend health report reflects the output of the Application Gateway health probe to the backend instances. When probing is successful and the back end can receive traffic, it's considered healthy. Otherwise, it's considered unhealthy.
-
-> [!IMPORTANT]
-> If there is a network security group (NSG) on an Application Gateway subnet, open port ranges 65503-65534 for v1 SKUs, and 65200-65535 for v2 SKUs on the Application Gateway subnet for inbound traffic. This port range is required for Azure infrastructure communication. They are protected (locked down) by Azure certificates. Without proper certificates, external entities, including the customers of those gateways, won't be able to initiate any changes on those endpoints.
-
-
-### View backend health through the portal
-
-In the portal, backend health is provided automatically. In an existing application gateway, select **Monitoring** > **Backend health**.
-
-Each member in the backend pool is listed on this page (whether it's a NIC, IP, or FQDN). Backend pool name, port, backend HTTP settings name, and health status are shown. Valid values for health status are **Healthy**, **Unhealthy**, and **Unknown**.
-
-> [!NOTE]
-> If you see a backend health status of **Unknown**, ensure that access to the back end is not blocked by an NSG rule, a user-defined route (UDR), or a custom DNS in the virtual network.
-
-![Backend health][10]
-
-### View backend health through PowerShell
-
-The following PowerShell code shows how to view backend health by using the `Get-AzApplicationGatewayBackendHealth` cmdlet:
-
-```powershell
-Get-AzApplicationGatewayBackendHealth -Name ApplicationGateway1 -ResourceGroupName Contoso
-```
-
-### View backend health through Azure CLI
-
-```azurecli
-az network application-gateway show-backend-health --resource-group AdatumAppGatewayRG --name AdatumAppGateway
-```
-
-### Results
-
-The following snippet shows an example of the response:
-
-```json
-{
-"BackendAddressPool": {
-    "Id": "/subscriptions/00000000-0000-0000-000000000000/resourceGroups/ContosoRG/providers/Microsoft.Network/applicationGateways/applicationGateway1/backendAddressPools/appGatewayBackendPool"
-},
-"BackendHttpSettingsCollection": [
-    {
-    "BackendHttpSettings": {
-        "Id": "/00000000-0000-0000-000000000000/resourceGroups/ContosoRG/providers/Microsoft.Network/applicationGateways/applicationGateway1/backendHttpSettingsCollection/appGatewayBackendHttpSettings"
-    },
-    "Servers": [
-        {
-        "Address": "hostname.westus.cloudapp.azure.com",
-        "Health": "Healthy"
-        },
-        {
-        "Address": "hostname.westus.cloudapp.azure.com",
-        "Health": "Healthy"
-        }
-    ]
-    }
-]
-}
-```
-
-## <a name="diagnostic-logging"></a>Diagnostic logs
-
-You can use different types of logs in Azure to manage and troubleshoot application gateways. You can access some of these logs through the portal. All logs can be extracted from Azure Blob storage and viewed in different tools, such as [Azure Monitor logs](/previous-versions/azure/azure-monitor/insights/azure-networking-analytics), Excel, and Power BI. You can learn more about the different types of logs from the following list:
+You can use different types of logs in Azure to manage and troubleshoot application gateways. You can learn more about these types below:
 
 * **Activity log**: You can use [Azure activity logs](../azure-monitor/essentials/activity-log.md) (formerly known as operational logs and audit logs) to view all operations that are submitted to your Azure subscription, and their status. Activity log entries are collected by default, and you can view them in the Azure portal.
 * **Access log**: You can use this log to view Application Gateway access patterns and analyze important information. This includes the caller's IP, requested URL, response latency, return code, and bytes in and out. An access log is collected every 60 seconds. This log contains one record per instance of Application Gateway. The Application Gateway instance is identified by the instanceId property.
@@ -98,11 +28,16 @@ You can use different types of logs in Azure to manage and troubleshoot applicat
 > [!NOTE]
 > Logs are available only for resources deployed in the Azure Resource Manager deployment model. You cannot use logs for resources in the classic deployment model. For a better understanding of the two models, see the [Understanding Resource Manager deployment and classic deployment](../azure-resource-manager/management/deployment-models.md) article.
 
-You have three options for storing your logs:
+## Storage locations
+
+You have the following options to store the logs in your preferred location.
+
+1. **Log Analytic workspace**: Recommended as it allows you to readily use the predefined queries, visualizations and set alerts based on specific log conditions.
+1. **Azure Storage account**: Storage accounts are best used for logs when logs are stored for a longer duration and reviewed when needed.
+1. **Azure Event Hubs**: Event hubs are a great option for integrating with other security information and event management (SIEM) tools to get alerts on your resources.
+1. **Azure Monitor partner integrations**
 
-* **Storage account**: Storage accounts are best used for logs when logs are stored for a longer duration and reviewed when needed.
-* **Event hubs**: Event hubs are a great option for integrating with other security information and event management (SIEM) tools to get alerts on your resources.
-* **Azure Monitor logs**: Azure Monitor logs is best used for general real-time monitoring of your application or looking at trends.
+[Learn more](../azure-monitor/essentials/diagnostic-settings.md?WT.mc_id=Portal-Microsoft_Azure_Monitoring&tabs=portal#destinations) about the Azure Monitor's Diagnostic settings destinations.
 
 ### Enable logging through PowerShell
 

articles/application-gateway/application-gateway-probe-overview.md

@@ -10,7 +10,7 @@ ms.author: greglin
 ms.custom: devx-track-azurepowershell
 ---
 
-# Application Gateway health monitoring overview
+# Application Gateway health probes overview
 
 Azure Application Gateway monitors the health of all the servers in its backend pool and automatically stops sending traffic to any server it considers unhealthy. The probes continue to monitor such an unhealthy server, and the gateway starts routing the traffic to it once again as soon as the probes detect it as healthy. 
 
@@ -28,7 +28,7 @@ A gateway starts firing probes immediately after you configure a Rule by associa
 
 :::image type="content" source="media/application-gateway-probe-overview/appgatewayprobe.png" alt-text="Diagram showing Application Gateway initiating health probes to individual backend targets within a backend pool":::
 
-The required probes are determined based on the unique combination of the Backend Server and Backend Setting. For example, consider a gateway with a single backend pool with two servers and two backend settings, each having different port numbers. When these distinct backend settings are associated with the same backend pool using their respective rules, the gateway creates probes for each server and the combination of the backend setting. You can view this on the [Backend health page](./application-gateway-diagnostics.md#backend-health).
+The required probes are determined based on the unique combination of the Backend Server and Backend Setting. For example, consider a gateway with a single backend pool with two servers and two backend settings, each having different port numbers. When these distinct backend settings are associated with the same backend pool using their respective rules, the gateway creates probes for each server and the combination of the backend setting. You can view this on the [Backend health page](application-gateway-backend-health.md).
 
 :::image type="content" source="media/application-gateway-probe-overview/multiple-be-settings.png" alt-text="Diagram showing health probes report on the Backend Health page":::
 
@@ -97,7 +97,7 @@ For example:
 $match = New-AzApplicationGatewayProbeHealthResponseMatch -StatusCode 200-399
 $match = New-AzApplicationGatewayProbeHealthResponseMatch -Body "Healthy"
 ```
-Once the match criteria is specified, it can be attached to probe configuration using a `-Match` parameter in PowerShell.
+Match criteria can be attached to probe configuration using a `-Match` operator in PowerShell.
 
 ### Some use cases for Custom probes
 - If a backend server allows access to only authenticated users, the application gateway probes will receive a 403 response code instead of 200. As the clients (users) are bound to authenticate themselves for the live traffic, you can configure the probe traffic to accept 403 as an expected response.

articles/application-gateway/configuration-infrastructure.md

@@ -149,7 +149,7 @@ Fine grain control over the Application Gateway subnet via Route Table rules is
 With current functionality there are some restrictions: 
 
 > [!IMPORTANT]
-> Using UDRs on the Application Gateway subnet might cause the health status in the [backend health view](./application-gateway-diagnostics.md#backend-health) to appear as **Unknown**. It also might cause generation of Application Gateway logs and metrics to fail. We recommend that you don't use UDRs on the Application Gateway subnet so that you can view the backend health, logs, and metrics.
+> Using UDRs on the Application Gateway subnet might cause the health status in the [backend health view](application-gateway-backend-health.md) to appear as **Unknown**. It also might cause generation of Application Gateway logs and metrics to fail. We recommend that you don't use UDRs on the Application Gateway subnet so that you can view the backend health, logs, and metrics.
 
 - **v1**
 

articles/application-gateway/media/application-gateway-backend-health/backend-certificate-error.png

@@ -105,7 +105,9 @@
       href: monitor-application-gateway.md
     - name: Health probe
       href: application-gateway-probe-overview.md
-    - name: Diagnostic logs and backend health
+    - name: Backend health
+      href: application-gateway-backend-health.md      
+    - name: Diagnostic logs
       href: application-gateway-diagnostics.md
     - name: Metrics
       href: application-gateway-metrics.md