Description
Describe the bug
Azure Application Gateway has a 'Dedicated backend connection' Backend Setting with a default value of false. If you set this to true in the portal UI and then attempt to update the ssl-cert on any Listener record using the az CLI, then this setting is reset back to false.
Related command
az network application-gateway ssl-cert update
Errors
No error message shown.
Issue script & Debug output
# Set the Dedicated backend connection flag to true in one of the Backend Settings
# Fill these in
export SUBSCRIPTION=858...
export RESOURCE_GROUP=rg-...
export GATEWAY_NAME=gw-...
url="https://management.azure.com/subscriptions/$SUBSCRIPTION/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Network/applicationGateways/$GATEWAY_NAME?api-version=2025-05-01"
data_selector='.properties.backendHttpSettingsCollection | map({name: .name, dedicatedBackendConnection: .properties.dedicatedBackendConnection})'
# One of the dedicatedBackendConnection values should be true at this point (you set this via the Portal UI).
ORIG_DATA="$(az rest --method get --url "$url")"
printf "%s\n" "$ORIG_DATA" | jq "$data_selector"
# Call the cert update code (don't need to actually change anything)
cert_to_update=$(printf "%s\n" "$ORIG_DATA" | jq -r -c '.properties.sslCertificates | map({name: .name, val: .properties.keyVaultSecretId}) | first')
cert_name=$(printf "%s\n" "$cert_to_update" | jq -r '.name')
cert_value=$(printf "%s\n" "$cert_to_update" | jq -r '.val')
az network application-gateway ssl-cert update --gateway-name "$GATEWAY_NAME" --resource-group "$RESOURCE_GROUP" --subscription "$SUBSCRIPTION" --name "$cert_name" --key-vault-secret-id "$cert_value"
# The bug is that your dedicatedBackendConnection value is now false
ORIG_DATA="$(az rest --method get --url "$url")"
printf "%s\n" "$ORIG_DATA" | jq "$data_selector"

This outputs something like:
[
  {
    "name": "appone",
    "dedicatedBackendConnection": false
  },
  {
    "name": "apptwo",
    "dedicatedBackendConnection": true
  }
]
{
  "etag": "W/\"680010cb-d3e4-462a-ba5f-05e196839e3e\"",
  "id": "/subscriptions/mysub/resourceGroups/myrg/providers/Microsoft.Network/applicationGateways/mygw/sslCertificates/mycert",
  "keyVaultSecretId": "https://mykv.vault.azure.net/secrets/mycert/53145fba18664ea6b6776b1013217b3e",
  "name": "mycert",
  "provisioningState": "Succeeded",
  "resourceGroup": "myrg",
  "type": "Microsoft.Network/applicationGateways/sslCertificates"
}
[
  {
    "name": "appone",
    "dedicatedBackendConnection": false
  },
  {
    "name": "apptwo",
    "dedicatedBackendConnection": false
  }
]
Expected behavior
Since I'm just trying to update my SSL certificates, I don't want my dedicatedBackendConnection setting to change.
Environment Summary
azure-cli 2.82.0
core 2.82.0
telemetry 1.1.0
Extensions:
aks-preview 19.0.0b20
authV2 1.0.1
communication 1.14.0
costmanagement 1.0.0
monitor-control-service 1.2.0
purview 0.1.0
resource-graph 2.1.1
ssh 2.0.6
storage-preview 1.0.0b7
Dependencies:
msal 1.34.0b1
azure-mgmt-resource 23.3.0
Python location '/opt/homebrew/Cellar/azure-cli/2.82.0/libexec/bin/python'
Config directory '/Users/myuser/.azure'
Extensions directory '/Users/myuser/.azure/cliextensions'
Python (Darwin) 3.13.11 (main, Dec 5 2025, 16:06:33) [Clang 17.0.0 (clang-1700.4.4.1)]
Legal docs and information: aka.ms/AzureCliLegal
Your CLI is up-to-date.
Additional context
After investigating the issue, the problem is that the az CLI is using a buggy version of the ARM API for managing the Application Gateway. Specifically, it's currently using version 2023-11-01. If that is switched to 2025-05-01, I believe this will fix the issue.
I know this because if I use some bash like the following, my setting doesn't get reset:
API_VERSION=2025-05-01
url="https://management.azure.com/subscriptions/$SUBSCRIPTION/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Network/applicationGateways/$GATEWAY_NAME?api-version=$API_VERSION"
az rest --method get --url "$url" > data.json
az rest --method put --url "$url" --body @data.json

And if I change API_VERSION to 2023-11-01, then it does get reset.
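
A guard that can run around an update like the one in this report, as an added example (not code from the issue author or the Azure CLI project): it diffs every backend setting property between a snapshot taken before the command and one taken after, which goes beyond the single `dedicatedBackendConnection` flag reported here. The two snapshots are constructed and modelled on the output above; `drift`, `settings_by_name` and the `port` values are assumptions made for the illustration.

```python
import json

# Constructed snapshots of the gateway resource (trimmed to the relevant part),
# modelled on the issue's output: before and after `ssl-cert update`.
BEFORE = json.loads("""
{"properties": {"backendHttpSettingsCollection": [
  {"name": "appone", "properties": {"port": 443, "dedicatedBackendConnection": false}},
  {"name": "apptwo", "properties": {"port": 443, "dedicatedBackendConnection": true,
                                    "provisioningState": "Succeeded"}}
]}}
""")
AFTER = json.loads("""
{"properties": {"backendHttpSettingsCollection": [
  {"name": "appone", "properties": {"port": 443, "dedicatedBackendConnection": false}},
  {"name": "apptwo", "properties": {"port": 443, "dedicatedBackendConnection": false,
                                    "provisioningState": "Updating"}}
]}}
""")

IGNORED = {"provisioningState"}  # changes on every write; not configuration
ABSENT = "<absent>"              # marker for a key missing from one snapshot


def settings_by_name(gateway):
    """Map each backend setting name to its properties dict."""
    coll = gateway.get("properties", {}).get("backendHttpSettingsCollection", [])
    return {s["name"]: s.get("properties", {}) for s in coll}


def drift(before, after):
    """Return (setting, key, old, new) for each property that changed or vanished."""
    old_s, new_s = settings_by_name(before), settings_by_name(after)
    findings = []
    for name in sorted(set(old_s) | set(new_s)):
        old_p, new_p = old_s.get(name, {}), new_s.get(name, {})
        for key in sorted((set(old_p) | set(new_p)) - IGNORED):
            old, new = old_p.get(key, ABSENT), new_p.get(key, ABSENT)
            if old != new:
                findings.append((name, key, old, new))
    return findings


if __name__ == "__main__":
    for name, key, old, new in drift(BEFORE, AFTER):
        print(f"{name}.{key}: {old!r} -> {new!r}")
```

Against a live gateway, the two snapshots would be the `az rest --method get` responses captured before and after the CLI command, as in the reproduction script.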