Skip to main content

Technical Lab: Configure HTTP Settings

Questions​

Question 1 β€” Multiple Choice​

When configuring an HTTP Setting in Azure Application Gateway, you need to ensure that the gateway validates the TLS certificate presented by the backend server during communication. Which configuration should be enabled to meet this requirement?

A) Enable Cookie-based affinity with HTTPS protocol in the HTTP Setting

B) Enable Override backend path pointing to the secure endpoint

C) Check the Use well-known CA certificate option or provide a custom authentication certificate in the HTTP Setting

D) Configure a Custom probe with HTTPS protocol associated with the HTTP Setting

Question 2 β€” Technical Scenario​

A team configured Azure Application Gateway to route requests to two distinct backend pools. Pool A responds on port 8080 and pool B on port 9090. Both use HTTP. The current HTTP Setting is configured as follows:

Protocol: HTTP
Port: 8080
Request timeout: 30s
Cookie-based affinity: Disabled

After associating this single HTTP Setting to both pools through separate rules, requests destined for pool B start failing with connection refused errors. What is the most likely cause?

A) HTTP protocol is not supported in HTTP Settings associated with multiple pools simultaneously

B) A single HTTP Setting defines a fixed port; since pool B listens on port 9090, it will never receive requests correctly

C) Disabled cookie-based affinity prevents correct routing when there is more than one backend pool

D) The 30s timeout is insufficient for pools configured on non-standard ports

Question 3 β€” True or False​

An HTTP Setting in Azure Application Gateway with the protocol configured as HTTPS and the Override with new host name option set to "Pick host name from backend target" sends the original client request's Host header to the backend server without modification.

Question 4 β€” Technical Scenario​

An application hosted in Azure App Service is being exposed via Application Gateway. The operations team reports that after enabling Connection draining in the HTTP Setting with a timeout of 60 seconds, instances removed from the backend pool still receive new connections for a few seconds after removal. The expected behavior is not occurring. Which analysis is most accurate about the situation?

A) Connection draining only works with HTTPS protocol; the HTTP Setting must be updated to work correctly

B) Connection draining only controls connections already established at the time of removal; new connections to draining instances are blocked, but there may be a brief delay in control plane state change propagation

C) The 60 second timeout is the period during which new connections are still allowed; only after this period do new connections start being blocked

D) Connection draining requires a Custom probe to be associated with the HTTP Setting to detect instance removal from the pool

Question 5 β€” Multiple Choice​

You are configuring an HTTP Setting for communication between the Application Gateway and a backend that requires the URL path to be prefixed with /api/v2, regardless of the path sent by the client. Which HTTP Setting feature directly addresses this need?

A) Host name override, which rewrites the Host header to include the desired path prefix

B) Override backend path, which allows defining a fixed path to be used in all requests forwarded to the backend

C) Custom probe, configured with the /api/v2 path to ensure the backend responds on that endpoint

D) Affinity cookie name, customized to reflect the route prefix used by the backend

Answer Key and Explanations​

Answer Key β€” Question 1​

Answer: C

Explanation:

  • When the HTTP Setting uses HTTPS protocol to communicate with the backend, the Application Gateway can be configured to validate the backend server's TLS certificate. For this, it's necessary to enable Use well-known CA certificate (when the backend certificate is issued by a recognized public CA) or upload an authentication certificate (for private CAs or self-signed certificates).
  • Alternative A is a common misconception: Cookie-based affinity controls session persistence, not certificate validation.
  • Alternative D confuses the Custom probe function, which serves to check backend health, not to establish TLS trust with it.
  • Choosing D as an answer would lead to a gateway that monitors the backend without ever validating its certificate, creating a false sense of security.

Answer Key β€” Question 2​

Answer: B

Explanation:

  • The HTTP Setting statically defines the destination port used to reach backend servers. When a single HTTP Setting with port 8080 is associated with two pools, all outbound connections from the gateway will be established on port 8080, including those destined for pool B, which only listens on 9090. The result is a connection refused by pool B.
  • The correct solution is to create a separate HTTP Setting for each pool when ports differ.
  • Alternative C is a common distractor: affinity has no relation to port-based routing.
  • Alternative A is technically incorrect; HTTP protocol has no limitation on association with multiple pools.

Answer Key β€” Question 3​

Answer: False

Explanation:

  • When Override with new host name is set to "Pick host name from backend target", the Application Gateway replaces the original request's Host header with the backend server's hostname (for example, the App Service FQDN). This is especially necessary for services like Azure App Service, which use the Host header for internal routing (SNI and virtual hosting).
  • Sending the client's original Host to an App Service, for example, usually results in HTTP 404 error or rejection, because the service doesn't recognize that hostname.
  • This behavior is a frequent source of incorrect diagnosis in environments that mix custom domains with managed backends.

Answer Key β€” Question 4​

Answer: B

Explanation:

  • Connection draining ensures that after an instance is removed from the backend pool (manually or by probe failure), the Application Gateway continues to process already active connections on that instance for the period defined in the timeout, while blocking the sending of new requests to it.
  • The brief delay observed is characteristic of state propagation in the Application Gateway control plane, not a configuration failure.
  • Alternative C represents a dangerous misconception: interpreting the timeout as a permission period for new connections completely reverses the feature's semantics.
  • Alternative A is incorrect; connection draining works independently of the protocol configured in the HTTP Setting.

Answer Key β€” Question 5​

Answer: B

Explanation:

  • The Override backend path field in the HTTP Setting allows defining a fixed path that will replace the path present in the request when forwarded to the backend. For example, configuring /api/v2 will make every request reach the backend with this prefix, regardless of the original path sent by the client.
  • Alternative A is a clear misconception: host name override affects the HTTP Host header, not the URL path.
  • Alternative C confuses the Custom probe function, which checks availability, with request transformation.
  • Using alternative A would lead to a backend receiving a malformed Host header with an embedded path, undefined behavior and likely causing errors.