How to Fix Azure 502 Bad Gateway
Quick Fix Summary
TL;DR: Check backend pool health in Application Gateway and restart unhealthy instances.
Azure returns a 502 when the Application Gateway cannot connect to a healthy backend instance. This indicates a failure between the gateway and your application servers.
Diagnosis & Causes
Recovery Steps
Step 1: Diagnose Backend Health in Application Gateway
First, verify the health status of your backend pool members directly in the Azure portal.
# Navigate to: Azure Portal -> Your Application Gateway -> Backend health
# Look for status: 'Unhealthy' (Red) or 'Healthy' (Green)
# Click 'Details' on unhealthy backends for specific error messages.
Step 2: Verify Network Connectivity & NSG Rules
Ensure the Application Gateway subnet can reach your backend on the configured port (e.g., 80, 443).
# 1. Get the Application Gateway's private frontend IP and subnet.
# 2. Check NSG on backend subnet: Allow source = 'GatewayManager' service tag OR the AG subnet CIDR.
# 3. Test basic connectivity from a VM in the AG subnet:
telnet <backend-private-ip> <port>
# 4. If using App Service, verify the AG integrates with the VNet and the backend is VNet-integrated.
Step 3: Validate & Fix Health Probe Configuration
A misconfigured probe marks healthy backends as down. Ensure the probe path, protocol, and expected status code match your app.
# Check current probe settings in the Azure portal or CLI.
az network application-gateway probe show --gateway-name <ag-name> --resource-group <rg-name> --name <probe-name>
# Key settings to verify:
# - Protocol (Http/Https) matches backend.
# - Path (e.g., '/health' or '/') is accessible.
# - 'Pick host name from backend HTTP settings' is often best set to 'Yes'.
# - Interval and Unhealthy threshold are not too aggressive.
Step 4: Inspect Application Logs & Timeouts
The backend may be responding with an error or timing out. Check application logs and adjust gateway timeouts.
# 1. Check your VM/App Service application logs for errors at the probe or request time.
# 2. Review Application Gateway access logs for 502s. This needs a diagnostic setting that sends
#    ApplicationGatewayAccessLog to a Log Analytics workspace; <workspace-id> is a placeholder.
az monitor log-analytics query -w <workspace-id> --analytics-query "AzureDiagnostics | where Category == 'ApplicationGatewayAccessLog' and httpStatus_d == 502 | project TimeGenerated, requestUri_s, serverRouted_s, serverStatus_s"
# 3. Increase backend timeout if app is slow (Portal -> HTTP Settings):
# Default is 30 seconds. Increase cautiously.
# 4. For App Service, check 'Diagnose and solve problems' blade for runtime issues.
Architect's Pro Tip
"For intermittent 502s, enable WAF logs and check for request body inspection blocking large POST requests. Also, scale your backend - a single instance failing probes causes all traffic to fail."
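To make Steps 1 and 3 repeatable, the following added example (not part of this page or of Azure's tooling) parses the JSON that `az network application-gateway show-backend-health` and `az network application-gateway probe show` return, lists every non-healthy backend with its probe log, and applies the probe checks from Step 3. The sample JSON, the HTTP settings object, and the 30-second "aggressive probe" threshold are constructed assumptions.

```python
# Constructed sample shaped like `az network application-gateway show-backend-health` output.
SAMPLE_HEALTH = {"backendAddressPools": [{
    "backendAddressPool": {"id": "/subscriptions/<sub>/.../backendAddressPools/appPool"},
    "backendHttpSettingsCollection": [{
        "backendHttpSettings": {"id": "/subscriptions/<sub>/.../backendHttpSettingsCollection/https443"},
        "servers": [
            {"address": "10.0.1.4", "health": "Healthy"},
            {"address": "10.0.1.5", "health": "Unhealthy",
             "healthProbeLog": "Received invalid status code: 404 in the backend server's HTTP response."}]}]}]}

# Constructed sample shaped like `az network application-gateway probe show` output; HTTP settings are hypothetical.
SAMPLE_PROBE = {"name": "probe-app", "protocol": "Http", "path": "/health", "interval": 5,
                "unhealthyThreshold": 1, "pickHostNameFromBackendHttpSettings": False,
                "host": "127.0.0.1", "match": {"statusCodes": ["200-399"]}}
SAMPLE_HTTP_SETTINGS = {"name": "https443", "protocol": "Https", "port": 443}

def unhealthy_servers(health):
    """Step 1: (pool, http-settings, address, probe log) for every backend that is not Healthy."""
    found = []
    for pool in health["backendAddressPools"]:
        pool_name = pool["backendAddressPool"]["id"].rsplit("/", 1)[-1]
        for hs in pool["backendHttpSettingsCollection"]:
            hs_name = hs["backendHttpSettings"]["id"].rsplit("/", 1)[-1]
            for srv in hs["servers"]:
                if srv.get("health") != "Healthy":
                    found.append((pool_name, hs_name, srv["address"], srv.get("healthProbeLog", "")))
    return found

def probe_findings(probe, http_settings):
    """Step 3: apply the probe checks from the page to a probe and the HTTP settings it is attached to."""
    findings = []
    if probe["protocol"] != http_settings["protocol"]:
        findings.append(f"protocol mismatch: probe {probe['protocol']} vs HTTP settings {http_settings['protocol']}")
    # Heuristic (assumption): under 30 s of tolerated failure before marking a host down is aggressive.
    tolerated = probe["interval"] * probe["unhealthyThreshold"]
    if tolerated < 30:
        findings.append(f"aggressive probe: host marked unhealthy after {tolerated} s of failures")
    if not probe.get("pickHostNameFromBackendHttpSettings") and probe.get("host") in (None, "", "127.0.0.1"):
        findings.append("probe host is not picked from HTTP settings; a name-based backend may reject the probe")
    return findings

def triage(health, probe, http_settings):
    """Combine both checks; a probe log mentioning a status code points back at the path and expected codes."""
    report = [f"UNHEALTHY {a} (pool={p}, settings={s}): {log}" for p, s, a, log in unhealthy_servers(health)]
    report += [f"PROBE {probe['name']}: {f}" for f in probe_findings(probe, http_settings)]
    if any("status code" in log for *_, log in unhealthy_servers(health)):
        report.append(f"PROBE {probe['name']}: confirm {probe['path']} returns one of {probe['match']['statusCodes']}")
    return report

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_HEALTH, SAMPLE_PROBE, SAMPLE_HTTP_SETTINGS)))
```

On a live gateway, replace the constructed dictionaries with `json.loads` of the two CLI commands' output.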
Frequently Asked Questions
My backend is healthy, but I still get 502s. Why?
This is often a TLS/SSL issue. Verify the backend certificate is valid, trusted by the gateway (for HTTPS probes), and the SNI matches. Also, check if the gateway's 'Trusted Root Certificate' is uploaded for HTTPS backends.
How do I distinguish between a gateway and backend issue?
Check Application Gateway Metrics for 'Unhealthy Host Count'. If >0, it's a backend health issue. If healthy, check 'Failed Requests' and correlate with backend logs - the failure is in your application.
Can a 502 be caused by Azure DNS or Private Endpoints?
Yes. If using private endpoints or custom DNS, ensure the Application Gateway's VNET DNS resolves the backend's private IP correctly. Use `nslookup` from a VM in the gateway subnet.