...

  • The listener can use an SSL certificate to decrypt the traffic that enters the gateway.

    • The listener then uses a rule that you define to direct the incoming requests to a backend pool.

  • The backend pool has an HTTP setting that references a certificate used to authenticate the backend servers.

    • The gateway re-encrypts the traffic by using this certificate before sending it to one of your servers in the backend pool.

  • If you're using Azure App Service to host the backend application, you don't need to install any certificates in Application Gateway to connect to the backend pool.

    • All communications are automatically encrypted.

...

Application Gateway HTTP settings configuration

  • The application gateway routes traffic to the back-end servers by using the configuration that you specify here.

    • After you create an HTTP setting, you must associate it with one or more request-routing rules.

  • Host name override

    • This capability replaces the host header in the incoming request on the application gateway with the host name that you specify.

    • For example, if www.contoso.com is specified in the Host name setting, the original request https://appgw.eastus.cloudapp.azure.com/path1 is changed to https://www.contoso.com/path1 when the request is forwarded to the back-end server.

  • Application Gateway support for multi-tenant back ends such as App Service

  • In multi-tenant architectural designs in web servers, multiple websites are running on the same web server instance.

    • Hostnames are used to differentiate between the different applications which are hosted.

    • By default, application gateway does not change the incoming HTTP host header from the client and sends the header unaltered to the back end.

  • Override back-end path

  • This setting lets you configure an optional custom forwarding path to use when the request is forwarded to the back end.

  • Any part of the incoming path that matches the custom path in the override backend path field is copied to the forwarded path.

...

TLS termination and end to end TLS with multi-tenant services

  • Both TLS termination and end-to-end TLS encryption are supported with multi-tenant services.

  • For TLS termination at the application gateway, a TLS certificate must still be added to the application gateway listener.

  • However, in the case of end-to-end TLS, trusted Azure services such as Azure App Service web apps do not require the backends to be explicitly allowed in the application gateway.

    • Therefore, there is no need to add any authentication certificates.

...

  • Notice that in the above image, there is no requirement to add authentication certificates when App Service is selected as the backend.
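
An added example, not part of the original notes or of any vendor documentation: a Python check over an exported gateway configuration that flags routing rules whose HTTP setting does not use HTTPS toward the backend, and rules that forward an unaltered Host header to an App Service backend. It assumes the JSON shape printed by `az network application-gateway show`; the sample data and shortened ids are constructed, and recognising App Service backends by the `.azurewebsites.net` suffix is an assumption of this sketch.

```python
# Constructed sample in the shape of `az network application-gateway show`
# output, trimmed to the fields used here; ids are shortened placeholders.
SAMPLE = {
    "backendAddressPools": [
        {"id": "pool/appsvc", "backendAddresses": [{"fqdn": "contoso.azurewebsites.net"}]},
        {"id": "pool/vms", "backendAddresses": [{"ipAddress": "10.0.1.4"}]},
    ],
    "backendHttpSettingsCollection": [
        {"id": "hs/passthrough", "protocol": "Https", "hostName": None,
         "pickHostNameFromBackendAddress": False},
        {"id": "hs/override", "protocol": "Https", "hostName": None,
         "pickHostNameFromBackendAddress": True},
        {"id": "hs/plain", "protocol": "Http", "hostName": None,
         "pickHostNameFromBackendAddress": False},
    ],
    "requestRoutingRules": [
        {"name": "site-a", "backendAddressPool": {"id": "pool/appsvc"},
         "backendHttpSettings": {"id": "hs/passthrough"}},
        {"name": "site-b", "backendAddressPool": {"id": "pool/appsvc"},
         "backendHttpSettings": {"id": "hs/override"}},
        {"name": "site-c", "backendAddressPool": {"id": "pool/vms"},
         "backendHttpSettings": {"id": "hs/plain"}},
        {"name": "paths", "backendAddressPool": None, "backendHttpSettings": None},
    ],
}

def ref(obj, key):
    """Return the id a rule references under `key`, or None if absent."""
    return (obj.get(key) or {}).get("id")

def audit(gw):
    """Return (rule name, finding) pairs for rules that need review."""
    pools = {p["id"]: p for p in gw.get("backendAddressPools", [])}
    settings = {s["id"]: s for s in gw.get("backendHttpSettingsCollection", [])}
    findings = []
    for rule in gw.get("requestRoutingRules", []):
        pool = pools.get(ref(rule, "backendAddressPool"))
        hs = settings.get(ref(rule, "backendHttpSettings"))
        if pool is None or hs is None:
            continue  # rule has no direct pool/setting reference; not covered here
        if (hs.get("protocol") or "").lower() != "https":
            findings.append((rule["name"], "backend hop is not re-encrypted"))
        app_service = any((a.get("fqdn") or "").lower().endswith(".azurewebsites.net")
                          for a in pool.get("backendAddresses", []))
        if app_service and not (hs.get("hostName") or hs.get("pickHostNameFromBackendAddress")):
            findings.append((rule["name"], "Host header forwarded unaltered"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

A "Host header forwarded unaltered" finding is a prompt to review rather than a defect in itself: it is fine when the App Service app has the client-facing host name bound as a custom domain.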

...

Application Gateway Routing

  • The gateway routes requests to a selected web server in the back-end pool, using a set of rules configured for the gateway to determine where the request should go.

  • There are two primary methods of routing traffic, path-based routing and multiple site hosting.

  • Path-based routing enables you to send requests with different paths in the URL to a different pool of back-end servers.

  • Multiple site hosting enables you to configure more than one web application on the same application gateway instance. In a multi-site configuration, you register multiple DNS names (CNAMEs) for the IP address of the Application Gateway, specifying the name of each site.

...