The error I see when accessing https://www.example.com regardless of whether I have a listener (443) and rule is:
403 - Forbidden
You don't have permission to access / on this server.
If I add a listener on port 443, attach a valid certificate and rule, I get the same error message. If I dig www.example.com, I can see it's resolving to the public IP of the application gateway.
http://www.example.com works as expected with a listener on port 80 and rules directing traffic to backend virtual machines hosting Apache.
I should add that this has been set using the Azure Portal. Should I be using PowerShell? Some forums suggest the portal is flaky.
The issue was resolved and ties in with a redirection problem we were experiencing.
The problem appears to be a combination of the following:
We had a listener on port 443 without a hostname.
It appears the order of path-based rules is important when there's a listener without a hostname.
As a rule of thumb, path-based rules should be below basic rules. Also, if the app gateway is used for multiple sites, ensure hostnames are defined for listeners.
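The two conditions named in the resolution above can be checked against an exported gateway configuration. This is an added example, not part of the original post or any Azure tooling: it assumes JSON in the shape printed by `az network application-gateway show`, uses constructed listener and rule names, treats "more than one listener" as "used for multiple sites", and encodes the poster's rule of thumb about rule order as written.

```python
import json

# Constructed sample in the shape of `az network application-gateway show`
# output, trimmed to the fields the audit reads. All names are made up.
SAMPLE = json.loads("""
{
 "httpListeners": [
  {"name": "l-http", "protocol": "Http", "hostName": "www.example.com",
   "frontendPort": {"id": "/gw/frontendPorts/port80"}},
  {"name": "l-https", "protocol": "Https", "hostName": null,
   "frontendPort": {"id": "/gw/frontendPorts/port443"}},
  {"name": "l-shop", "protocol": "Https", "hostName": "shop.example.com",
   "frontendPort": {"id": "/gw/frontendPorts/port443"}}
 ],
 "requestRoutingRules": [
  {"name": "r-paths", "ruleType": "PathBasedRouting",
   "httpListener": {"id": "/gw/httpListeners/l-https"}},
  {"name": "r-http", "ruleType": "Basic",
   "httpListener": {"id": "/gw/httpListeners/l-http"}},
  {"name": "r-shop", "ruleType": "Basic",
   "httpListener": {"id": "/gw/httpListeners/l-shop"}}
 ]
}
""")


def audit(gw):
    """Return (check, resource name, detail) tuples for the two conditions."""
    findings = []
    listeners = gw.get("httpListeners", [])
    # Assumption: more than one listener means the gateway serves several sites.
    if len(listeners) > 1:
        for lst in listeners:
            if not (lst.get("hostName") or lst.get("hostNames")):
                port = lst["frontendPort"]["id"].rsplit("/", 1)[-1]
                findings.append(("listener-without-hostname", lst["name"], port))
    # The post's rule of thumb: no path-based rule listed above a basic rule.
    rules = gw.get("requestRoutingRules", [])
    basic = [i for i, r in enumerate(rules) if r.get("ruleType") == "Basic"]
    for i, r in enumerate(rules):
        if r.get("ruleType") == "PathBasedRouting" and basic and i < basic[-1]:
            findings.append(("path-rule-above-basic", r["name"], f"position {i}"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

To audit a real gateway, replace `SAMPLE` with the parsed JSON saved from the `az` command for that gateway.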