As a consolidator for traffic to Azure application services, the Azure application gateway is empowered to be both a revere proxy and a firewall in addition to being a load balancer for the web applications. This enables it to rewrite the host header which informs the location of the source. Developers sometimes wonder when it is a right choice to preserve the original HTTP host name between a reverse proxy and its backend web application versus rewriting the location header. This article summarizes existing documentation from those products.

The App Service is a multitenant service, so it uses the host header in the request to route the request to the correct endpoint.  The significance of the original host header is that it is universally understood to be the internet domain name that was used by the browser to send the request towards the gateway and the service behind it. In some scenarios, the original host value can get changed by say a reverse proxy or some handler in the request chain. A reverse proxy can close a client network session and set up a new connection to the backend. Proxies can duplicate the original header name to some other header such as forwarded for but the backend needs to change to read from this other header.

The default domain name of the App Services, *.azurewebsites.net is different from the application gateway’s domain name. The backend App Service is missing the required context to generate redirect URL’s or cookies that align with the domain as seen by the browser.

The production-recommended solution is to configure the Application Gateway and App Service to not override the hostname. Custom domain names can be given to both the Application Gateway and the App Service in the backend.  This helps to avoid the reliance on the default *.azurewebsites.net and requires only a custom domain and associated certificate. When the same domain name is associated with both the Application gateway and app service in the backend pool, the request flow does not need to override the host name. The backend application will see the original host as was used by the client. The DNS configuration for the custom domain name will remain directed towards the Application Gateway. The TLS binding for App Services must be configured to accept connections using a custom dns name. The certificate for the custom domain can be pulled from the Azure Key Vault.

Another option is to have the application gateway access the App Service using its default domain suffixed as “.azurewebsites.net”.  The default domain is preconfigured to route traffic to the deployed instance. For app service, this default domain is azurewebsites.net. Each web app gets its own subdomain.

Potential problems that can arise from not preserving the host name might include incorrect absolute URLs, incorrect redirect URLs, broken cookies and such others. If the original name is not preserved and the app gateway uses absolute URLs to reach the backend, these backend domain might be disclosed to the end user.  This allows the client to bypass the application gateway and reach the  app services directly unless the app service restricts the caller to be only the gateway.

A common and more specific use case with these absolute redirect URLs is when they are passed to the identity servers by the client which then bypasses the application gateway. Leveraging the app services authentication and authorization capabilities avoids this.

A host name mismatch can also cause potential problems when the app service issues cookie that uses the incoming host name to construct the domain name of the cookie. In this case, the browser stores the cookie for that specific domain rather than the domain of the gateway that the user is actually using.

After these implications are assessed for the specific deployment, the location header can still be rewritten with the application gateway’s domain name by creating a rewrite rule with a condition that evaluates if the location header in the response contains azurewebsites.net and include the application gateway’s host name.