Solved: Azure Front Door 502 Bad Gateway Error (2025)
Quick Fix Summary
TL;DR: Check your backend pool health in Azure Front Door and verify your origin server is reachable and responding within the timeout limit.
Azure Front Door returns a 502 error when it cannot establish a successful connection to your configured origin server. This indicates a gateway or proxy failure between Front Door and your backend.
Diagnosis & Causes
Recovery Steps
Step 1: Validate Backend Pool Health
First, check the health status of your origin servers in the Azure portal. Unhealthy backends are automatically taken out of rotation.
# Check health probe status via Azure CLI
az network front-door backend-pool list --resource-group <RG-Name> --front-door-name <FD-Name> --query '[].backends[].{Address:address, EnabledState:enabledState, Priority:priority, Weight:weight, Health:health}'
Step 2: Verify Origin Connectivity & Firewalls
Ensure your origin (e.g., App Service, VM, Load Balancer) is running and its firewall (NSG, App Service Access Restrictions) allows traffic from Azure Front Door's IP ranges.
# Get current Azure Front Door service tags/IP ranges (simplified)
# JMESPath string literals use single quotes, so the query is wrapped in double quotes for the shell
az network list-service-tags --location global --query "values[?name=='AzureFrontDoor.Backend'].properties.addressPrefixes[]"
Step 3: Increase Origin Response Timeout
If your origin is slow, Front Door's default 30-second timeout may be exceeded. Increase it in the Backend Pool settings.
# The response timeout is a Front Door-level setting (send/receive timeout); raise it to 60 sec via CLI
az network front-door update --resource-group <RG-Name> --name <FD-Name> --send-recv-timeout 60
Step 4: Review WAF & Custom Rules
A misconfigured WAF policy or custom rule can block legitimate traffic, causing a 502. Check the Front Door WAF logs for blocked requests.
# Check Front Door WAF logs (example query for Log Analytics)
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "FrontDoorWebApplicationFirewallLog"
| where action_s == "Block"
| project TimeGenerated, requestUri_s, clientIp_s, ruleName_s, details_message_s
Step 5: Test Direct Origin Access
Bypass Front Door temporarily by accessing your origin's public endpoint directly. This isolates the issue to Front Door configuration vs. origin health.
# Use curl to test origin directly (replace with your origin URL)
curl -v -H "Host: <your-origin-hostname>" https://<your-origin-public-ip-or-url>/
Step 6: Enable & Analyze Diagnostic Logs
Enable Front Door access and health probe logs to see detailed request failures, latency, and backend responses.
# Enable diagnostics via CLI (send to Log Analytics)
az monitor diagnostic-settings create --resource /subscriptions/<SubID>/resourceGroups/<RG-Name>/providers/Microsoft.Network/frontDoors/<FD-Name> --name FrontDoorLogs --workspace <LogAnalyticsWorkspaceID> --logs '[{"category": "FrontdoorAccessLog", "enabled": true}, {"category": "FrontdoorHealthProbeLog", "enabled": true}]'
Architect's Pro Tip
"For App Service origins, use the 'AzureFrontDoor.Backend' service tag in Access Restrictions, not static IPs. Front Door's backend IPs can change, and the service tag is automatically updated."
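To make the Step 2 firewall check and the service-tag advice above concrete, the following added script (not part of this article, and not an Azure tool) walks an NSG's inbound rules in priority order and reports which Front Door backend prefixes would be denied on port 443. The rule and prefix shapes are assumptions that mirror the JSON of `az network nsg rule list` and `az network list-service-tags`; all sample data is constructed, including a deliberately overlapping Deny rule that sits ahead of the service-tag Allow.

```python
"""Check whether an NSG lets Azure Front Door backend ranges reach an origin on 443.
Added example, not from the article; input shapes are assumptions that mirror the JSON of
`az network list-service-tags` and `az network nsg rule list`, and all data is constructed."""
import ipaddress

AFD_TAG = "AzureFrontDoor.Backend"
# Constructed stand-ins for the service-tag query output (not real AFD ranges).
AFD_PREFIXES = ["203.0.113.0/24", "198.51.100.0/25", "2001:db8:10::/48"]
# Constructed NSG rules (inbound only); the lower priority number is evaluated first.
NSG_RULES = [
    {"name": "deny-bad-range", "priority": 100, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "198.51.100.0/24", "destinationPortRange": "*"},
    {"name": "allow-afd", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": AFD_TAG, "destinationPortRange": "443"},
    {"name": "deny-all", "priority": 4096, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

def _port_matches(port_range, port):
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")  # "443" or "80-443"
    return int(lo) <= port <= int(hi or lo)

def _source_matches(source, prefix):
    # The AFD service tag (or an any-source rule) covers every AFD prefix; else compare networks.
    if source in (AFD_TAG, "*", "Internet"):
        return True
    try:
        return ipaddress.ip_network(prefix).subnet_of(ipaddress.ip_network(source))
    except (ValueError, TypeError):  # another service tag, or IPv4 vs IPv6 mismatch
        return False

def evaluate(prefix, rules, port=443):
    """Access ('Allow'/'Deny') granted by the first matching inbound rule for this prefix."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound" or rule["protocol"] not in ("Tcp", "*"):
            continue
        if _source_matches(rule["sourceAddressPrefix"], prefix) and \
                _port_matches(rule["destinationPortRange"], port):
            return rule["access"]
    return "Deny"  # nothing matched: Azure's default rules decide; treat as denied here

def blocked_afd_prefixes(prefixes=AFD_PREFIXES, rules=NSG_RULES):
    """AFD ranges the NSG denies on 443; any entry means probes fail and 502s follow."""
    return [p for p in prefixes if evaluate(p, rules) != "Allow"]

if __name__ == "__main__":
    print("AFD prefixes blocked on 443:", blocked_afd_prefixes())
```

Feed it the real output of the two CLI commands from Step 2 and `az network nsg rule list`; a non-empty result points at the rule that is taking Front Door's probes out before the service-tag Allow is reached.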
Frequently Asked Questions
My backend is healthy, but I still get 502s. What's next?
Check for TLS/SSL certificate mismatches (Front Door expects the origin's certificate to be valid), SNI issues, or if your origin is returning a malformed response (e.g., wrong headers, chunked encoding).
Can a DNS issue cause a 502 from Azure Front Door?
Yes. If Front Door cannot resolve your origin's hostname (A/AAAA/CNAME record), it cannot route traffic, resulting in a 502. Verify your origin's DNS resolution from Azure's network.