Connect to Azure VM behind Application Gateway

I need guidance on how to set up self-hosted retool on Azure VM behind Application Gateway.

Expected Architecture: Retool VM located in a subnet with full outbound access on all ports and inbound access exclusively from Application Gateway in a separate subnet. App GW listens on 80 and 443 and redirects 80 to 443. App GW holds a certificate for the domain name. Ideally, I'd expect SSL termination behind the GW, but it looks like by default Retool isn't configured for that scenario. Okay, let's do double encryption, but how?

Reality: I've configured App GW, DNS and certificate, set up the VM following the guide "Deploy Self-hosted Retool on Azure Virtual Machines" and pointed 80 to 80 and 443 to 443. The only setting with which I can ever reach the backend from its own subnet is:

docker.env
DOMAINS=<local private IP>

Putting a domain name or the public IP in DOMAINS makes the backend inaccessible.
Besides that, the backend is never accessible from the App GW; whatever the setting, it ends up with a 502.

Configure SSL and custom certificates

Unfortunately, Retool doesn't do SSL termination, but you can spin up nginx if you want to accomplish this in your deployment.

Just to clarify, from my understanding, the setup should be set to your IP or domain name and contain an arrow for the redirect to the internal URL, for example: DOMAINS=211.0.77.131 -> http://api:3000. Not sure if you obfuscated that for your example snippet :sweat_smile:

I understand that Retool doesn't do SSL termination. My question was: how to set up double encryption, that is, from internet to application gateway and from the gateway to the Retool server.

P.S.: yes, I omitted -> http://api:3000

Ah ok thank you for clarifying.

Self-hosted deployments are outside of my purview of knowledge, but maybe some other Retool users on the forum can chime in if they have similar setups.

From some research I just did into this subject, potential steps to troubleshoot this would be the following.

  • Set DOMAINS=your.domain.com in docker.env
  • Confirm App Gateway sends the right Host header
  • Configure Retool or a front proxy to handle HTTPS internally
  • Fix or customize the health probe (HTTP with correct path and Host)
  • (Optional) Use nginx as a reverse proxy for simpler double encryption
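As an added example that is not from this thread or from Retool's own documentation: an nginx site config for the "front proxy" approach, terminating the App GW to VM TLS leg and proxying plain HTTP to Retool's api container, which keeps DOMAINS=your.domain.com -> http://api:3000 working because the Host header is passed through. It assumes nginx shares the Retool Docker network (so http://api:3000 resolves), the certificate paths are placeholders for whatever the App GW backend trusts, and the health-probe path /api/checkHealth should be verified against your Retool version.

```nginx
# Must live at http level (e.g. in a conf.d include): map the WebSocket
# Upgrade header so normal requests keep keep-alive and upgrades pass through.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80;
    server_name your.domain.com;
    # App GW already redirects 80 -> 443 publicly; mirror that on the VM so a
    # stray plain-HTTP request from the App GW subnet never reaches Retool unencrypted.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name your.domain.com;

    ssl_certificate     /etc/nginx/certs/backend.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/certs/backend.key;   # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Target for a custom App GW health probe (HTTPS, Host = your.domain.com).
    # Path is an assumption; confirm it for your Retool release.
    location = /api/checkHealth {
        proxy_pass http://api:3000;
        proxy_set_header Host $host;
    }

    location / {
        proxy_pass http://api:3000;
        # Preserve the Host header the App GW sends so the DOMAINS entry matches.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # Pass WebSocket upgrades through unchanged.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
```

With this in place the App GW backend setting points at 443 on the VM with "pick host name from backend setting" off and the override host name set to your.domain.com, so the probe and real traffic both carry the Host that DOMAINS expects.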