![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 26%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAD%3C/text%3E%3C/svg%3E)
Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
1,048 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 59%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
Thank you for reaching out.
I understand you are trying to set up a custom health probe for your App Gateway with wild card domains where CN of the certificate is formatted as *.develop.xyz.com. When you enter *.develop.xyz.com as the host name. You get the error "The Common Name (CN) of the backend server certificate is inconsistent with the host header specified in the health probe configuration (v2 SKU) or the Fully Qualified Domain Name (FQDN) in the backend pool (v1 SKU). Please confirm that the hostname aligns with the CN of the backend server certificate"
The observation above is expected as you need to enter a specific host name for the custom health probe as it is used both as host header and SNI.
A specific hostname in this case will be for example "abc.develop.xyz.com" that is accepted to establish a successful TLS probe and report that server as healthy. This host name is where the custom health probe will be sent to determine the health of the backend. This currently documented here.
When a backend server has a wildcard certificate (*.contoso.com) installed to serve different sub-domains, you can use a Custom probe with a specific hostname (required for SNI) that is accepted to establish a successful TLS probe and report that server as healthy. With "override hostname" in the Backend Setting set to NO, the different incoming hostnames (subdomains) will be passed as is to the backend.
I understand this way only one website will be probed to determine the health, this is currently documented here in the Considerations and limitations of using wildcard
For backend health check, you can't associate multiple custom probes per HTTP settings. Instead, you can probe one of the websites at the backend or use "127.0.0.1" to probe the localhost of the backend server.
Additional references:
Hope this helps! Please let me know if you have any additional questions. Thank you!
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.