Summary
This article explains how to investigate a gateway in Microsoft Azure Application Gateway that's stuck in Failed provisioning state.
A failed state typically indicates a misconfiguration during the most recent create or update operation. The following steps help you identify the customer-facing error message and the root cause in most cases.
Symptoms
The Provisioning state of the application gateway appears as Failed in the following locations:
- The Azure portal (for example, the Properties blade)
- Azure PowerShell
- Azure CLI
Identify the last failed operation
To identify the last failed operation that caused the application gateway to enter the Failed provisioning state, follow these steps:
1. In the Azure portal, go to Application Gateway > Activity log.
2. Apply the following filters:
   - Resource: [Your Application Gateway resource name]
   - Status: Failed
   - Time range: Relevant window when the issue occurred
3. Open the most recent failed event. If multiple failures exist, start with the first failed operation because, often, subsequent failures are cascading effects.
4. Review the operation details:
   - Operation name indicates the failed action.
   - Error code and Error message are visible in the Summary section.
   - For detailed diagnostics, expand the event, and review the statusMessage field inside the Properties section in the JSON view.
5. (Optional) Check the change history. Select the Change history tab to see configuration changes that were made up to 30 minutes before and after the failed operation. This information can help you pinpoint the change that triggered the failure.
Note
Azure Monitor collects activity log entries by default without a required configuration. Azure retains activity log events for 90 days, and then deletes them. You aren't charged for entries during this time, regardless of volume.
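As an added example (not part of the original article), the Python code below applies the triage steps above to activity log events exported as JSON, for instance with `az monitor activity-log list`: it selects the earliest failed event and extracts the error code, error message, and correlationId. The event field layout and the JSON shape of statusMessage are assumptions based on the activity log event schema, and all sample values are constructed.

```python
import json

OP = "Microsoft.Network/applicationGateways/write"
KV_ERROR = {"error": {
    "code": "ApplicationGatewayKeyVaultSecretException",
    "message": "Problem occurred while accessing and validating KeyVault "
               "Secrets associated with Application Gateway"}}

# Constructed sample shaped like exported activity log events. Field names are
# an assumption about the export schema; IDs and timestamps are made up.
SAMPLE_EVENTS = json.dumps([
    {"eventTimestamp": "2024-05-02T10:19:40Z", "status": {"value": "Failed"},
     "correlationId": "00000000-0000-0000-0000-000000000002",
     "operationName": {"value": OP},
     "properties": {"statusMessage": "plain text, not JSON"}},
    {"eventTimestamp": "2024-05-02T10:14:07Z", "status": {"value": "Failed"},
     "correlationId": "00000000-0000-0000-0000-000000000001",
     "operationName": {"value": OP},
     "properties": {"statusMessage": json.dumps(KV_ERROR)}},
    {"eventTimestamp": "2024-05-02T09:00:00Z", "status": {"value": "Succeeded"},
     "correlationId": "00000000-0000-0000-0000-000000000000",
     "operationName": {"value": OP}, "properties": {}},
])


def first_failure(events_json):
    """Return a summary of the earliest Failed event, or None if there is none."""
    events = json.loads(events_json)
    failed = [e for e in events if (e.get("status") or {}).get("value") == "Failed"]
    if not failed:
        return None
    # Later failures are often cascading effects, so start from the earliest.
    # Same-format ISO 8601 UTC timestamps sort correctly as strings.
    event = min(failed, key=lambda e: e["eventTimestamp"])
    raw = (event.get("properties") or {}).get("statusMessage", "")
    try:
        parsed = json.loads(raw)
        error = parsed.get("error", {}) if isinstance(parsed, dict) else {}
    except (TypeError, ValueError):
        error = {}  # statusMessage is not always JSON; the raw text is kept below
    return {
        "timestamp": event["eventTimestamp"],
        "operation": (event.get("operationName") or {}).get("value"),
        "correlationId": event.get("correlationId"),  # quote this in a support request
        "errorCode": error.get("code"),
        "errorMessage": error.get("message") or raw,
    }
```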
Common error messages
ApplicationGatewayKeyVaultSecretException
If you receive this error message, or the "Problem occurred while accessing and validating KeyVault Secrets associated with Application Gateway" error message, verify the following configuration prerequisites:
- Make sure that the user-assigned managed identity that's associated with the application gateway has Get permission on secrets in the key vault. For more information, see Delegate user-assigned managed identity to Key Vault.
- If you're using service endpoints to access the key vault, the Application Gateway virtual network and subnet must be explicitly allowed in the Azure Key Vault firewall and virtual network settings. For more information, see Verify Firewall Permissions to Key Vault.
- If you're using private endpoints to access Azure Key Vault, a subnet allow listing isn't required in the vault's settings. However, you have to link the privatelink.vaultcore.azure.net private DNS zone to the virtual network that contains the gateway. This private DNS zone also contains the corresponding record to the referenced key vault. For more information, see Understanding DNS resolution in Application Gateway.
- Verify that the managed identity that's assigned to the application gateway exists and isn't deleted.
- Verify that the associated key vault and the certificate object aren't deleted or soft-deleted.
- Verify that the referenced secret and certificate are in an Enabled state.
Internal Server Error
This error message doesn't indicate the cause of failure. In this case, open a support request. Provide the failed operation timestamp together with the correlationId from the Properties section of the failed activity log event in the JSON view.