...
The listener can use an SSL certificate to decrypt the traffic that enters the gateway.
The listener then uses a rule that you define to direct the incoming requests to a backend pool.
The backend pool has an HTTP setting that references a certificate used to authenticate the backend servers.
The gateway re-encrypts the traffic by using this certificate before sending it to one of your servers in the backend pool.
If you're using Azure App Service to host the backend application, you don't need to install any certificates in Application Gateway to connect to the backend pool.
All communications are automatically encrypted.
...
Application Gateway configuration overview
A public IP is required when you host a back end that clients must access over the Internet via an Internet-facing virtual IP (VIP).
A listener is a logical entity that checks for incoming connection requests by using the port, protocol, host, and IP address.
When you configure the listener, you must enter values for these settings that match the corresponding values in the incoming request on the gateway.
After you create the gateway, you can edit the settings of the default rule or create new rules.
After you create an HTTP setting, you must associate it with one or more request-routing rules.
After you create a back-end pool, you must associate it with one or more request-routing rules.
You must also configure health probes for each back-end pool on your application gateway.
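The certificate and association requirements described above can be checked mechanically before a gateway goes live. The following Python sketch is an added example, not taken from the original documentation; the dictionary layout, all object names, and the per-pool `health_probe` field are a simplified, constructed model and not the Azure Resource Manager schema.

```python
# Constructed sample in a simplified model (assumption: not the ARM schema).
SAMPLE_CONFIG = {
    "listeners": {
        "web-in": {"protocol": "Https", "ssl_certificate": "frontend-cert"},
        "api-in": {"protocol": "Https", "ssl_certificate": "frontend-cert"},
        "batch-in": {"protocol": "Https", "ssl_certificate": None},
    },
    "backend_pools": {
        "web-vms": {"app_service": False, "health_probe": "web-probe"},
        "api-appsvc": {"app_service": True, "health_probe": "api-probe"},
        "batch-vms": {"app_service": False, "health_probe": None},
    },
    "http_settings": {
        "web-https": {"protocol": "Https", "backend_certificate": "web-backend-cert"},
        "api-https": {"protocol": "Https", "backend_certificate": None},
        "batch-https": {"protocol": "Https", "backend_certificate": None},
        "unused-http": {"protocol": "Http", "backend_certificate": None},
    },
    "rules": [
        {"listener": "web-in", "pool": "web-vms", "http_setting": "web-https"},
        {"listener": "api-in", "pool": "api-appsvc", "http_setting": "api-https"},
        {"listener": "batch-in", "pool": "batch-vms", "http_setting": "batch-https"},
    ],
}

def lint_gateway(cfg):
    # Returns sorted (object name, problem) pairs for the checks listed above.
    findings = set()
    for name, listener in cfg["listeners"].items():
        if listener["protocol"] == "Https" and not listener["ssl_certificate"]:
            findings.add((name, "HTTPS listener has no certificate to decrypt traffic"))
    used_settings = {rule["http_setting"] for rule in cfg["rules"]}
    used_pools = {rule["pool"] for rule in cfg["rules"]}
    for name in cfg["http_settings"].keys() - used_settings:
        findings.add((name, "HTTP setting is not associated with any rule"))
    for name, pool in cfg["backend_pools"].items():
        if name not in used_pools:
            findings.add((name, "backend pool is not associated with any rule"))
        if not pool["health_probe"]:
            findings.add((name, "backend pool has no health probe"))
    for rule in cfg["rules"]:
        setting = cfg["http_settings"][rule["http_setting"]]
        pool = cfg["backend_pools"][rule["pool"]]
        # App Service backends need no certificate installed on the gateway.
        needs_cert = setting["protocol"] == "Https" and not pool["app_service"]
        if needs_cert and not setting["backend_certificate"]:
            findings.add((rule["http_setting"], "no certificate to authenticate backend"))
    return sorted(findings)
```

Calling `lint_gateway(SAMPLE_CONFIG)` flags the listener without a certificate, the orphaned HTTP setting, the pool without a probe, and the HTTPS setting that cannot authenticate its virtual-machine backend, while the App Service pool passes without a backend certificate.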
...
Application Gateway HTTP settings configuration
...