Commit bbc79da

Merge pull request #307775 from MicrosoftDocs/main
Auto Publish – main to live - 2025-11-04 23:00 UTC
2 parents 56ce8c2 + cc4b2ab commit bbc79da

74 files changed

Lines changed: 820 additions & 702 deletions

articles/application-gateway/configuration-infrastructure.md

Lines changed: 1 addition & 1 deletion
@@ -93,7 +93,7 @@ Depending on whether you're creating new resources or using existing ones, add t
9393
For more information, see [Azure permissions for Networking](../role-based-access-control/permissions/networking.md) and [Virtual network permissions](../virtual-network/virtual-network-manage-subnet.md#permissions).
9494

9595
> [!NOTE]
96-
> When deploying an Application Gateway as part of an [Azure Managed Applicaton](../azure-resource-manager/managed-applications/overview.md), ensure that any deny assignments do not conflict with the RBAC Owner role assignment, as deny assignments take precedence over RBAC permissions.
96+
> When deploying an Application Gateway as part of an [Azure Managed Application](../azure-resource-manager/managed-applications/overview.md), ensure that any deny assignments do not conflict with the RBAC Owner role assignment, as deny assignments take precedence over RBAC permissions.
9797
9898
## Roles scope
9999
In the process of custom role definition, you can specify a role assignment scope at four levels: management group, subscription, resource group, and resources. To grant access, you assign roles to users, groups, service principals, or managed identities at a particular scope.

articles/application-gateway/create-url-route-portal.md

Lines changed: 2 additions & 5 deletions
@@ -5,7 +5,7 @@ services: application-gateway
55
author: mbender-ms
66
ms.service: azure-application-gateway
77
ms.topic: tutorial
8-
ms.date: 02/05/2025
8+
ms.date: 10/06/2025
99
ms.author: mbender
1010
ms.custom: sfi-image-nochange
1111
#Customer intent: As an IT administrator, I want to use the Azure portal to set up an application gateway so I can route my app traffic based on path-based routing rules.
@@ -49,7 +49,6 @@ In this example, you create three virtual machines to be used as backend servers
4949
- **Username**: Type a user name
5050
- **Password**: Type a password
5151

52-
5352
4. Select **Next:Disks**.
5453
5. Select **Next:Networking**
5554
6. For **Virtual network**, select **Create new** and then type these values for the virtual network:
@@ -60,6 +59,7 @@ In this example, you create three virtual machines to be used as backend servers
6059
- *10.0.1.0/24* - for the subnet address space.
6160
- *myAGSubnet* - for the second subnet name.
6261
- *10.0.0.0/24* - for the subnet address space.
62+
6363
7. Select **OK**.
6464

6565
8. Ensure that under **Subnet**, **myBackendSubnet** is selected for the subnet, and then select **Next: Management**.
@@ -70,9 +70,6 @@ In this example, you create three virtual machines to be used as backend servers
7070
### Install IIS
7171

7272
1. Open the interactive shell and make sure that it's set to **PowerShell**.
73-
74-
![Screenshot of install custom extension](./media/application-gateway-create-url-route-portal/application-gateway-extension.png)
75-
7673
2. Run the following command to install IIS on the virtual machine:
7774

7875
```azurepowershell

articles/application-gateway/how-to-troubleshoot-application-gateway-session-affinity-issues.md

Lines changed: 1 addition & 1 deletion
@@ -128,7 +128,7 @@ Enable logging using the Azure portal.
128128

129129
### Use web debugger to capture and analyze the HTTP or HTTPS traffics
130130

131-
Web debugging tools like Fiddler can help you debug web applications by capturing network traffic between the Internet and test computers. These tools enable you to inspect incoming and outgoing data as the browser receives/sends them. Fiddler, in this example, has the HTTP replay option that can help you troubleshoot client-side issues with web applications, especially for authenticaton issues.
131+
Web debugging tools like Fiddler can help you debug web applications by capturing network traffic between the Internet and test computers. These tools enable you to inspect incoming and outgoing data as the browser receives/sends them. Fiddler, in this example, has the HTTP replay option that can help you troubleshoot client-side issues with web applications, especially for authentication issues.
132132

133133
Use the web debugger of your choice. In this sample we'll use Fiddler to capture and analyze http or https traffics, follow the instructions:
134134
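Review bot: The spelling fix at line 131 leaves the rest of the passage inconsistent: the heading at line 129 and the sentence at line 133 still say "traffics" ("capture and analyze http or https traffics, follow the instructions"). Fix those in the same change, using "traffic" and uppercase "HTTP or HTTPS".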

articles/application-gateway/ingress-controller-letsencrypt-certificate-application-gateway.md

Lines changed: 6 additions & 6 deletions
@@ -95,13 +95,13 @@ Use the following steps to install [cert-manager](https://docs.cert-manager.io)
9595
# you prove ownership of a domain by ensuring that a particular
9696
# file is present at the domain
9797
solvers:
98-
- http01:
98+
- http01:
9999
ingress:
100-
# class: azure/application-gateway
101-
ingressTemplate:
102-
metadata:
103-
annotations:
104-
kubernetes.io/ingress.class: azure/application-gateway
100+
# class: azure/application-gateway
101+
ingressTemplate:
102+
metadata:
103+
annotations:
104+
kubernetes.io/ingress.class: azure/application-gateway
105105
EOF
106106
```
107107
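Review bot: Lines 98-104 change only leading whitespace inside the heredoc, and YAML nesting is significant here: `ingressTemplate` has to sit under `ingress`, with `metadata` and `annotations` nested below it, for the `kubernetes.io/ingress.class: azure/application-gateway` annotation to be applied. Please confirm the re-indented manifest was validated (for example with a dry-run apply) before publishing, and either drop the commented-out `# class: azure/application-gateway` line or add a word on why the template annotation is used instead.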
Binary file not shown.
Binary file not shown.
Binary file not shown.

articles/application-gateway/monitor-application-gateway-reference.md

Lines changed: 21 additions & 17 deletions
@@ -1,7 +1,7 @@
11
---
22
title: Monitoring data reference for Azure Application Gateway
33
description: This article contains important reference material you need when you monitor Azure Application Gateway.
4-
ms.date: 06/04/2025
4+
ms.date: 11/04/2025
55
ms.topic: reference
66
author: mbender-ms
77
ms.author: mbender
@@ -75,7 +75,7 @@ For Application Gateway v1 SKU, the following metrics are available. What follow
7575

7676
- **Current connections**. Count of current connections established with Application Gateway.
7777

78-
- **Failed Requests**. Number of requests that failed due to connection issues. This count includes requests that failed due to exceeding the "Request time-out" HTTP setting and requests that failed due to connection issues between Application gateway and backend. This count doesn't include failures due to no healthy backend being available. 4xx and 5xx responses from the backend are also not considered as part of this metric.
78+
- **Failed Requests**. Number of requests that failed due to connection issues. This count includes requests that failed due to exceeding the "Request timeout" HTTP setting and requests that failed due to connection issues between Application gateway and backend. This count doesn't include failures due to no healthy backend being available. 4xx and 5xx responses from the backend are also not considered as part of this metric.
7979

8080
- **Response Status**. HTTP response status returned by Application Gateway. The response status code distribution can be further categorized to show responses in 2xx, 3xx, 4xx, and 5xx categories.
8181
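Review bot: At line 78 the quoted setting name changes from "Request time-out" to "Request timeout", but the string is in quotation marks as the name of an HTTP setting, so it should match the label readers actually see. Confirm the new spelling against the portal label and the other Application Gateway articles before merging, otherwise a search for the setting name will miss this paragraph.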

@@ -174,7 +174,7 @@ Application Gateway's layer 4 proxy provides the capability to monitor the healt
174174

175175
[!INCLUDE [Microsoft.Network/applicationgateways](~/reusable-content/ce-skilling/azure/includes/azure-monitor/reference/logs/microsoft-network-applicationgateways-logs-include.md)]
176176

177-
- **Access log**. You can use the Access log to view Application Gateway access patterns and analyze important information. This information includes the caller's IP, requested URL, response latency, return code, and bytes in and out. An access log is collected every 60 seconds. This log contains one record per instance of Application Gateway. The `instanceId` property identifies the Application Gateway instance.
177+
- **Access log**. You can use the Access log to view Application Gateway access patterns and analyze important information. This information includes the caller's IP, requested URL, response latency, return code, and bytes in and out. Access log collection occurs every 60 seconds. This log contains one record per instance of Application Gateway. The `instanceId` property identifies the Application Gateway instance.
178178

179179
- **Firewall log**. You can use the Firewall log to view the requests that are logged through either detection or prevention mode of an application gateway that is configured with the web application firewall. Firewall logs are collected every 60 seconds.
180180

@@ -211,19 +211,21 @@ For Application Gateway and WAF v2 SKU:
211211
|sslEnabled | Whether communication to the backend pools used TLS. Valid values are on and off. |
212212
|sslCipher | Cipher suite being used for TLS communication (if TLS is enabled). |
213213
|sslProtocol | SSL/TLS protocol being used (if TLS is enabled). |
214-
|sslClientVerify | Shows the result of client certificate verification as SUCCESS or FAILED. Failed status will include error information.|
214+
|sslClientVerify | Shows the result of client certificate verification as SUCCESS or FAILED. Failed status includes error information.|
215215
|sslClientCertificateFingerprint|The SHA1 thumbprint of the client certificate for an established TLS connection.|
216216
|sslClientCertificateIssuerName|The issuer DN string of the client certificate for an established TLS connection.|
217217
|serverRouted | The backend server that application gateway routes the request to. |
218218
|serverStatus | HTTP status code of the backend server. |
219219
|serverResponseLatency | Latency of the response (in **seconds**) from the backend server. |
220+
|serverConnectTime | Time spent establishing a connection with an upstream server. |
221+
|serverHeaderTime | Time between establishing a connection to the upstream server and receiving the first byte of the response header. |
220222
|host | Address listed in the host header of the request. If rewritten using header rewrite, this field contains the updated host name. |
221223
|originalRequestUriWithArgs | This field contains the original request URL. |
222224
|requestUri | This field contains the URL after the rewrite operation on Application Gateway. |
223225
|upstreamSourcePort | The source port used by Application Gateway when initiating a connection to the backend target. |
224226
|originalHost | This field contains the original request host name. |
225227
|error_info | The reason for the 4xx and 5xx error. Displays an error code for a failed request. More details in the error code tables in this article. |
226-
|contentType | The type of content or data that is being processed or delivered by the application gateway. |
228+
|contentType | The type of content or data that's being processed or delivered by the application gateway. |
227229

228230
```json
229231
{
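Review bot: The new `serverConnectTime` and `serverHeaderTime` rows (lines 220-221) state no unit, while the `serverResponseLatency` row directly above says "(in **seconds**)". State the unit on both new rows so that anyone comparing the three timing fields during latency triage does not have to infer it from the JSON sample.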
@@ -262,6 +264,8 @@ For Application Gateway and WAF v2 SKU:
262264
"serverRouted": "52.239.221.65:443",
263265
"serverStatus": "200",
264266
"serverResponseLatency": "0.028",
267+
"serverConnectTime":"0.008",
268+
"serverHeaderTime":"0.028"
265269
"upstreamSourcePort": "21564",
266270
"originalHost": "20.110.30.194",
267271
"host": "20.110.30.194",
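Review bot: The added `"serverHeaderTime":"0.028"` at line 268 has no trailing comma, yet `"upstreamSourcePort": "21564",` follows it on line 269, so the sample is no longer valid JSON and will fail if a reader pastes it into a parser. Add the comma, and put a space after the colon on both new lines (as in `"serverResponseLatency": "0.028",`) to match the surrounding properties.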
@@ -338,26 +342,26 @@ If the application gateway can't complete the request, it stores one of the foll
338342
| ERRORINFO_HTTP_TO_HTTPS_PORT | The client sent a plain HTTP request to an HTTPS port. |
339343
| ERRORINFO_HTTPS_NO_CERT | Indicates client isn't sending a valid and properly configured TLS certificate during Mutual TLS authentication. |
340344
| ERRORINFO_INVALID_HEADER (4xx) | Indicates that the HTTP request from the client contains a malformed or improperly structured Host header, which prevents the Application Gateway from correctly processing and routing the request to the backend server |
341-
| ERRORINFO_CLIENT_TIMED_OUT | This error indicates that the client terminated the connection because it did not receive a response from the backend server within its configured timeout period. This is typically caused by a backend server that is slow, overloaded, or experiencing operational issues. |
345+
| ERRORINFO_CLIENT_TIMED_OUT | This error indicates that the client terminated the connection because it didn't receive a response from the backend server within its configured timeout period. This is typically caused by a backend server that's slow, overloaded, or experiencing operational issues. |
342346
| ERRORINFO_REQUEST_URI_TOO_LARGE | This error indicates URL in an HTTP request exceeds the maximum length that the server is configured to accept. The default limit on URL length (including query parameters), is 8kb |
343-
| ERRORINFO_REQUEST_HEADER_TOO_LARGE | This error indicates that the total size of the HTTP request headers sent by the client exceeds the 32KB limit enforced by Application Gateway. Please note that this limit is fixed and cannot be customized. |
347+
| ERRORINFO_REQUEST_HEADER_TOO_LARGE | This error indicates that the total size of the HTTP request headers sent by the client exceeds the 32KB limit enforced by Application Gateway. Note that this limit is fixed and can't be customized. |
344348
| ERRORINFO_REQUEST_URI_UNSAFE | This error shows that the WAF found unsafe or malformed content in the request URI. Check the WAF logs to see which rule was triggered and decide if the request was malicious or mistakenly flagged, possibly needing WAF rule adjustments. |
345349
| ERRORINFO_HTTPS_CERT_VERIFY_ERROR | This error is thrown if the client's TLS certificate presented during the Mutual TLS handshake is either invalid or untrusted. |
346350
| ERRORINFO_HTTP_MISDIRECTED_REQUEST | Application Gateway returns Misdirected Request error if the backend server isn't configured to respond to that hostname in the client’s request especially in SSL/TLS scenarios involving Server Name Indication (SNI) |
347-
| ERRORINFO_HTTP_NOT_FOUND | Application Gateway returns Not found error when the backend server cannot find the requested resource. This usually occurs when the requested URL path does not exist on the backend server or there are misconfigurations in routing rules in the Application Gateway, causing requests to be forwarded to the wrong backend pool |
348-
| ERRORINFO_CLIENT_SSL_CERT_ERROR |The Application Gateway encountered a problem with the client's SSL certificate during the TLS handshake, preventing successful authentication. This typically occurs when AppGW is configured for Mutual authentication and the client certificate is not provided |
351+
| ERRORINFO_HTTP_NOT_FOUND | Application Gateway returns Not found error when the backend server can't find the requested resource. This usually occurs when the requested URL path doesn't exist on the backend server or there are misconfigurations in routing rules in the Application Gateway, causing requests to be forwarded to the wrong backend pool |
352+
| ERRORINFO_CLIENT_SSL_CERT_ERROR |The Application Gateway encountered a problem with the client's SSL certificate during the TLS handshake, preventing successful authentication. This typically occurs when AppGW is configured for Mutual authentication and the client certificate isn't provided |
349353

350354
| 5XX Errors | Description |
351355
|:-----------|:------------|
352356
| ERRORINFO_UPSTREAM_NO_LIVE | The application gateway is unable to find any active or reachable backend servers to handle incoming requests. |
353-
| ERRORINFO_EMPTY_BACKEND_POOL | This indicates that the AppGW cannot fulfil the request because the backend pool is empty. |
354-
| ERRORINFO_UPSTREAM_CLOSED_CONNECTION | The backend server closed the connection unexpectedly or before the request was fully processed. This condition could happen due to backend server reaching its limits, crashing etc. |
357+
| ERRORINFO_EMPTY_BACKEND_POOL | This indicates that the AppGW can't fulfill the request because the backend pool is empty. |
358+
| ERRORINFO_UPSTREAM_CLOSED_CONNECTION | The backend server closed the connection unexpectedly or before the request was fully processed. This condition could happen due to backend server reaching its limits, crashing, etc. |
355359
| ERRORINFO_UPSTREAM_TIMED_OUT | The established TCP connection with the server was closed as the connection took longer than the configured timeout value. |
356-
| ERRORINFO_INVALID_HEADER | Application Gateway detected a partial invalid header and forwarded the remaining header to the backend, which responded with 500. Ensure the client's request header does not contain CR, LF, NULL, or similar characters. Replace such characters with SP (whitespace). |
357-
| ERRORINFO_EMPTY_BACKEND_POOL | This indicates that the Application Gateway cannot fulfil the request because the backend pool is empty. |
358-
| ERRORINFO_UPSTREAM_RESPONSE_HEADER_TOO_LARGE | The backend server's HTTP response headers exceed the maximum size that Azure Application Gateway can process. Application Gateway enforces a fixed limit of 32 KB for response headers, and exceeding this limit can result in a 502 Bad Gateway . |
359-
| ERRORINFO_UPSTREAM_NO_RESOLVER | This error indicates that the Virtual Network does not have a DNS resolver configured to translate hostnames into IP addresses |
360-
| ERRORINFO_UPSTREAM_SSL_CERT_VERIFY_ERROR | This error occurs when Application Gateway can't verify the backend certificate due to issues like trust failure, expiration, incomplete chain etc. AppGW will fail the SSL/TLS handshake and mark the backend as unhealthy |
360+
| ERRORINFO_INVALID_HEADER | Application Gateway detected a partial invalid header and forwarded the remaining header to the backend, which responded with 500. Ensure the client's request header doesn't contain CR, LF, NULL, or similar characters. Replace such characters with SP (whitespace). |
361+
| ERRORINFO_EMPTY_BACKEND_POOL | This indicates that the Application Gateway can't fulfill the request because the backend pool is empty. |
362+
| ERRORINFO_UPSTREAM_RESPONSE_HEADER_TOO_LARGE | The backend server's HTTP response headers exceed the maximum size that Azure Application Gateway can process. Application Gateway enforces a fixed limit of 32 KB for response headers, and exceeding this limit can result in a 502 Bad Gateway. |
363+
| ERRORINFO_UPSTREAM_NO_RESOLVER | This error indicates that the Virtual Network doesn't have a DNS resolver configured to translate hostnames into IP addresses |
364+
| ERRORINFO_UPSTREAM_SSL_CERT_VERIFY_ERROR | This error occurs when Application Gateway can't verify the backend certificate due to issues like trust failure, expiration, incomplete chain, etc. AppGW fails the SSL/TLS handshake and mark the backend as unhealthy |
361365
| ERRORINFO_UPSTREAM_SSL_CERT_MISMATCH | This error is caused by a mismatch between the Common Name/SAN in the backend server certificate and the expected hostname in the FQDN configured in the backend pool or specified in the HTTP settings. |
362366
### Firewall log category
363367
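Review bot: In the 5XX table `ERRORINFO_EMPTY_BACKEND_POOL` is still listed twice (lines 357 and 361), with the same description apart from "AppGW" versus "Application Gateway"; since both rows are edited here, drop one of them. Also, at line 364 the rewrite "AppGW fails the SSL/TLS handshake and mark the backend as unhealthy" needs "marks" to agree with "fails".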

@@ -525,4 +529,4 @@ Azure generates activity logs by default. The logs are preserved for 90 days in
525529
## Related content
526530

527531
- See [Monitor Azure Application Gateway](monitor-application-gateway.md) for a description of monitoring Application Gateway.
528-
- See [Monitor Azure resources with Azure Monitor](/azure/azure-monitor/essentials/monitor-azure-resource) for details on monitoring Azure resources.
532+
- See [Monitor Azure resources with Azure Monitor](/azure/azure-monitor/essentials/monitor-azure-resource) for details on monitoring Azure resources.

articles/application-gateway/redirect-http-to-https-cli.md

Lines changed: 1 addition & 1 deletion
@@ -7,7 +7,7 @@ author: mbender-ms
77
ms.service: azure-application-gateway
88
ms.custom: devx-track-azurecli
99
ms.topic: how-to
10-
ms.date: 04/27/2023
10+
ms.date: 10/06/2025
1111
ms.author: mbender
1212
# Customer intent: As a network engineer, I want to configure an application gateway for HTTP to HTTPS redirection using CLI, so that I can enhance security by ensuring all traffic is encrypted.
1313
---

articles/application-gateway/redirect-http-to-https-portal.md

Lines changed: 1 addition & 1 deletion
@@ -5,7 +5,7 @@ services: application-gateway
55
author: mbender-ms
66
ms.service: azure-application-gateway
77
ms.topic: how-to
8-
ms.date: 05/19/2023
8+
ms.date: 10/05/2023
99
ms.author: mbender
1010
ms.custom:
1111
- devx-track-azurepowershell
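Review bot: `ms.date: 10/05/2023` at line 8 looks like a typo for 2025: the commit was published on 2025-11-04, and the sibling article redirect-http-to-https-cli.md is bumped to `10/06/2025` in the same commit. As written, the freshness date stays two years in the past; correct the year.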
