Getting 502 error while using Azure Front Door instead of Traffic Manager

Puja Manna (Accenture International Limited) 0 Reputation points Microsoft External Staff
2025-03-06T04:42:07.6366667+00:00

Currently we have the following architecture:
Client -> Traffic Manager -> Load Balancer -> VMSS
where the API is deployed on the VMSS instances.
Now, due to a security issue, we have to replace Traffic Manager with Azure Front Door.
I have made the following changes:
1> DNS record updated with the Azure Front Door endpoint.
2> Uploaded the Microsoft CA certificate, with the same name as the domain name, to the secrets.
3> Created the domain.
4> Created the origin using Custom as the type and put in the VIP of the Load Balancer. Kept the origin host header empty so that the custom domain name would be passed through as is.
5> The Microsoft CA certificate is present on the VMSS instances for the domain name validation.
Do you think I am missing any configuration here?

The test produced the following output:
System.Net.WebException: The remote server returned an error: (502) Bad Gateway.
   at Microsoft.PowerShell.Commands.WebRequestPSCmdlet.GetResponse(WebRequest request)
   at Microsoft.PowerShell.Commands.WebRequestPSCmdlet.ProcessRecord()


1 answer

  1. Praveen Bandaru 700 Reputation points Microsoft External Staff
    2025-03-06T12:42:35.9+00:00

    Hello Puja Manna (Accenture International Limited)

    Greetings!

    I understand that you are encountering a 502 error at the front door, and after removing the certificate name validation, you are facing a 403 error.

    Please check if any WAF is configured at the front door level. If so, review the WAF rules blocking the request.

    Examine the logs to identify which rule is causing the blockage and check the server status.

    If the server is also returning a 403 status code, check if the backend is terminating the request and verify the connection status as well.

    Additionally, review the health probe logs to determine if the backend is healthy or unhealthy, and what response it is providing.

    Verify if there are any network restrictions on the backend. If there are, allow the front door to reach the backend VMSS. This should result in a 200 response instead of 403, and the system should function as expected.

    Regarding the certificate, I understand you are using a BYOC certificate. Ensure it is properly bundled and added at the backend level as well.

    Refer to the following document for more information:

    Use your own certificate

    You can also collect the tracking reference ID in the access logs when encountering the 403 error. Use this reference ID to check logs in your Azure portal. Please refer to the following document for collecting the logs:

    https://learn.microsoft.com/en-us/azure/frontdoor/refstring?source=recommendations&tabs=edge


    Hope the above answer helps! Please let us know if you have any further queries.

    Please consider "up-voting" wherever the information provided helps you; this can be beneficial to other community members.
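The answer above suggests pulling the tracking reference from the access logs and then correlating it with the WAF and health probe logs to tell a WAF block apart from an origin-side 403 or a 502 caused by the origin. The script below is an added example, not code from the original question or answer: it parses a handful of constructed Front Door resource-log lines (JSON, one record per line, in the shape of the Standard/Premium FrontDoorAccessLog, FrontDoorWebApplicationFirewallLog and FrontDoorHealthProbeLog tables) and returns a verdict per tracking reference. The field names, and the `errorInfo` values such as `CertificateNameCheckFailed`, are assumptions taken from memory of the documented schema; check them against your own Log Analytics export before relying on them.

```python
"""Correlate Azure Front Door access, WAF and health-probe logs by trackingReference.

Added example, not from the original post. Field names follow the Front Door
Standard/Premium resource-log schema as assumed by the author of this example;
all log lines below are constructed sample data.
"""
import json
from typing import Dict, Iterable, List, Optional

# Constructed sample records. The first request fails at the origin (502), the
# second is blocked by the WAF (403), the third reaches the origin, which answers 403.
ACCESS_LOG_LINES = [
    '{"trackingReference":"0abc1234","httpStatusCode":"502","errorInfo":"CertificateNameCheckFailed",'
    '"originName":"10.0.0.4:443","requestUri":"https://api.contoso.example/health"}',
    '{"trackingReference":"0def5678","httpStatusCode":"403","errorInfo":"NoError",'
    '"originName":"","requestUri":"https://api.contoso.example/api/orders?id=1%20OR%201=1"}',
    '{"trackingReference":"0ghi9012","httpStatusCode":"403","errorInfo":"NoError",'
    '"originName":"10.0.0.4:443","requestUri":"https://api.contoso.example/api/orders"}',
    'not json: a truncated export line that must be skipped, not crash the run',
]
WAF_LOG_LINES = [
    '{"trackingReference":"0def5678","policyName":"fdwafpolicy","policyMode":"Prevention",'
    '"action":"Block","ruleName":"DefaultRuleSet-1.0-SQLI-942430"}',
    # action "Log" is not a block; the request still went to the origin
    '{"trackingReference":"0ghi9012","policyName":"fdwafpolicy","policyMode":"Prevention",'
    '"action":"Log","ruleName":"DefaultRuleSet-1.0-PROTOCOL-ENFORCEMENT-920320"}',
]
PROBE_LOG_LINES = [
    '{"originName":"10.0.0.4:443","originIp":"10.0.0.4","httpVerb":"HEAD",'
    '"probeURL":"https://10.0.0.4:443/","httpStatusCode":"403","result":"OriginError"}',
]


def parse_log_lines(lines: Iterable[str]) -> List[dict]:
    """Parse one JSON record per line; skip malformed lines instead of aborting."""
    records = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict):
            records.append(rec)
    return records


def waf_blocks(waf_records: List[dict], tracking_ref: str) -> List[dict]:
    """WAF records that actually blocked this request (action == Block)."""
    return [r for r in waf_records
            if r.get("trackingReference") == tracking_ref and r.get("action") == "Block"]


def origin_health(probe_records: List[dict]) -> Dict[str, bool]:
    """Latest probe result per origin; only a 2xx probe response counts as healthy."""
    health: Dict[str, bool] = {}
    for r in probe_records:
        health[str(r.get("originName"))] = str(r.get("httpStatusCode", "")).startswith("2")
    return health


def diagnose(tracking_ref: str, access: List[dict], waf: List[dict], probes: List[dict]) -> dict:
    """Classify one request: WAF block, origin error (502), origin-side 403, ok or other."""
    hit: Optional[dict] = next((r for r in access if r.get("trackingReference") == tracking_ref), None)
    if hit is None:
        return {"trackingReference": tracking_ref, "verdict": "not_found"}
    status = int(hit.get("httpStatusCode", 0))
    origin = hit.get("originName") or None
    result = {
        "trackingReference": tracking_ref,
        "status": status,
        "errorInfo": hit.get("errorInfo"),
        "origin": origin,
        "originHealthy": origin_health(probes).get(origin) if origin else None,
    }
    blocks = waf_blocks(waf, tracking_ref)
    if blocks:  # the WAF answered; the origin never saw the request
        result["verdict"] = "blocked_by_waf"
        result["rules"] = [(b.get("policyName"), b.get("ruleName")) for b in blocks]
    elif status == 502:  # Front Door could not get a usable response from the origin
        result["verdict"] = "origin_error"
    elif status == 403:  # no WAF block, so the 403 came from the backend itself
        result["verdict"] = "origin_returned_403"
    elif 200 <= status < 300:
        result["verdict"] = "ok"
    else:
        result["verdict"] = "other"
    return result


def run() -> Dict[str, dict]:
    """Diagnose every tracking reference in the sample access log."""
    access = parse_log_lines(ACCESS_LOG_LINES)
    waf = parse_log_lines(WAF_LOG_LINES)
    probes = parse_log_lines(PROBE_LOG_LINES)
    return {r["trackingReference"]: diagnose(r["trackingReference"], access, waf, probes)
            for r in access}


if __name__ == "__main__":
    for ref, verdict in run().items():
        print(ref, verdict)
```

In the sample data the 502 carries an origin-side `errorInfo`, which is where a certificate or host-header mismatch between Front Door and the backend shows up; the two 403s are separated only by whether a WAF record with `action` equal to `Block` shares the tracking reference. The unhealthy probe result for the origin is reported alongside, since an origin that answers the probe with 403 points at the backend restrictions the answer mentions rather than at the WAF.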

