I am planning to use App Gateway v2 and the backend will be a collection of Windows VMs hosting an application. The application will be used internally and the App Gateway will perform the SSL offloading. However, when the App Gateway sends the traffic downstream to the VMs it makes sense to also encrypt this traffic. MS advise that you have another certificate for the servers and the App Gateway will handle the encryption. So in summary, traffic from User/App Gateway is encrypted with one key and then decrypted, then traffic between App Gateway/Backend (servers) is encrypted with another key. One of the benefits of SSL offloading is so that the servers (backend) do not have to process the decryption, however we still seek end-to-end encryption. My question is: does it not just make sense to pass the traffic from the users straight to the servers and have the traffic decrypted there?
The link to the image below may help visualize the scenario.
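As an added illustration (not part of the original post), the Bicep fragment below shows the two backend-settings choices described above side by side on an Application Gateway v2: plain HTTP to the VMs after offload, or re-encryption to the VMs with the gateway validating the servers' certificate against an uploaded root CA and the expected host name. The gateway name, host name and certificate file path are assumed placeholders, and the three arrays belong under `properties` of a `Microsoft.Network/applicationGateways` resource whose other sections are not shown.

```bicep
// Added example; names, host and certificate path are placeholders.
param gatewayName string = 'appgw-internal'
param backendHostName string = 'app.internal.example'
// Base64 DER of the CA that issued the backend servers' certificate.
// v2 validates the chain against this root, not the leaf certificate.
var backendRootCaData = loadFileAsBase64('backend-root-ca.cer')

// properties.trustedRootCertificates
var trustedRootCertificates = [
  {
    name: 'backendRootCa'
    properties: { data: backendRootCaData }
  }
]

// properties.probes: probe over HTTPS with the same host name so the
// health check passes the same certificate checks as real traffic.
var probes = [
  {
    name: 'httpsProbe'
    properties: {
      protocol: 'Https'
      path: '/healthz'
      interval: 30
      timeout: 30
      unhealthyThreshold: 3
      pickHostNameFromBackendHttpSettings: true
    }
  }
]

// properties.backendHttpSettingsCollection
var backendHttpSettingsCollection = [
  {
    // Option A: SSL offload only; gateway to VM hop is clear text.
    name: 'offloadOnly'
    properties: { port: 80, protocol: 'Http', cookieBasedAffinity: 'Disabled' }
  }
  {
    // Option B: end-to-end TLS; gateway re-encrypts and verifies the VM
    // certificate chains to backendRootCa and matches backendHostName.
    name: 'endToEnd'
    properties: {
      port: 443
      protocol: 'Https'
      cookieBasedAffinity: 'Disabled'
      hostName: backendHostName
      trustedRootCertificates: [
        { id: resourceId('Microsoft.Network/applicationGateways/trustedRootCertificates', gatewayName, 'backendRootCa') }
      ]
      probe: { id: resourceId('Microsoft.Network/applicationGateways/probes', gatewayName, 'httpsProbe') }
    }
  }
]
```

With option B the backend VMs still do their own TLS handshake work, so the CPU saving of offload applies only to option A; what option B buys is that the gateway can still inspect, route and apply WAF rules to decrypted traffic while the internal hop stays encrypted.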