The article states: "If there is a network security group (NSG) on an Application Gateway subnet, open port ranges 65503-65534 on the Application Gateway subnet for inbound traffic. These ports are required for the back-end health API to work." Inbound from where? The internet? Other subnets on the vnet? Somewhere else?
@adamgourd Thanks for the feedback! We are currently investigating and will update you shortly.
Thanks. The answer appears to be “Inbound from Internet” (or Inbound from Any).
From: YutongTie-MSFT notifications@github.com
Sent: Wednesday, June 6, 2018 12:36 PM
To: MicrosoftDocs/azure-docs azure-docs@noreply.github.com
Cc: Adam Gordon Adam.Gordon@microsoft.com; Mention mention@noreply.github.com
Subject: Re: [MicrosoftDocs/azure-docs] Clarification on NSG rules for health probes (#9769)
@adamgourd I have verified this on my end as well.
Allowing "VirtualNetwork" & "AzureLoadBalancer" will not allow the status to appear as Healthy.
We will now proceed to close this thread. If there are further questions regarding this matter, please tag me in your reply. We will gladly continue the discussion and we will reopen the issue.
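The thread turns on which source service tag an NSG rule uses: the two rule sets compared above (explicit allows for "VirtualNetwork" and "AzureLoadBalancer" versus an allow from "Internet"/"Any") differ only in whether the health API's source address matches. The following is an added example, not code from the issue or from Microsoft, that models NSG inbound evaluation (ascending priority, first match wins, Azure's default inbound rules appended) with simplified service-tag matching. The VNet address space, the 203.0.113.10 source address and the rule names are constructed assumptions; the v1 port range 65503-65534 comes from the quoted docs, and the v2 range 65200-65535 mentioned later in the thread can be substituted.

```python
"""Added example: minimal model of NSG inbound rule evaluation, used to check
whether a rule set admits Application Gateway back-end health API traffic.
Service-tag semantics below are a simplification, not Azure's implementation."""
import ipaddress
from dataclasses import dataclass

# Assumed VNet address space for the simulation (constructed value).
VNET_SPACE = [ipaddress.ip_network("10.0.0.0/16")]
# Azure's documented load-balancer health-probe source address.
AZURE_LB_PROBE_IP = ipaddress.ip_address("168.63.129.16")


@dataclass
class Rule:
    name: str
    priority: int
    source: str         # "Any", "Internet", "VirtualNetwork", "AzureLoadBalancer" or a CIDR
    port_range: tuple   # inclusive (low, high) destination port range
    access: str         # "Allow" or "Deny"


# Azure's default inbound rules (priorities as documented); DenyAllInBound is last.
DEFAULT_INBOUND = [
    Rule("AllowVNetInBound", 65000, "VirtualNetwork", (0, 65535), "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", (0, 65535), "Allow"),
    Rule("DenyAllInBound", 65500, "Any", (0, 65535), "Deny"),
]


def source_matches(tag: str, src: ipaddress.IPv4Address) -> bool:
    """Approximate service-tag matching.
    Assumption: 'Internet' is any address outside the VNet that is not the LB probe IP."""
    if tag in ("Any", "*"):
        return True
    in_vnet = any(src in net for net in VNET_SPACE)
    if tag == "VirtualNetwork":
        return in_vnet
    if tag == "AzureLoadBalancer":
        return src == AZURE_LB_PROBE_IP
    if tag == "Internet":
        return not in_vnet and src != AZURE_LB_PROBE_IP
    return src in ipaddress.ip_network(tag)  # explicit CIDR


def evaluate(custom_rules, src_ip: str, dst_port: int) -> str:
    """Lowest priority number wins; the default rules are always evaluated after custom ones."""
    src = ipaddress.ip_address(src_ip)
    for r in sorted(list(custom_rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        low, high = r.port_range
        if source_matches(r.source, src) and low <= dst_port <= high:
            return r.access
    return "Deny"  # unreachable given DenyAllInBound, kept for safety


# The two rule sets discussed in the thread, written against the v1 range.
V1_HEALTH_API_PORTS = (65503, 65534)
RULES_VNET_AND_ALB = [
    Rule("AllowHealthApiFromVnet", 100, "VirtualNetwork", V1_HEALTH_API_PORTS, "Allow"),
    Rule("AllowHealthApiFromAlb", 110, "AzureLoadBalancer", V1_HEALTH_API_PORTS, "Allow"),
]
RULES_INTERNET = [
    Rule("AllowHealthApiFromInternet", 100, "Internet", V1_HEALTH_API_PORTS, "Allow"),
]

# Constructed sample: the health API reaches the subnet from an Azure-owned public
# address outside the VNet. 203.0.113.10 is a documentation placeholder, not a real probe IP.
PROBE_SOURCE = "203.0.113.10"


def health_api_allowed(custom_rules, port: int = 65503) -> bool:
    """True when a packet from the (assumed) health API source to `port` is admitted."""
    return evaluate(custom_rules, PROBE_SOURCE, port) == "Allow"


if __name__ == "__main__":
    for label, rules in (("VirtualNetwork + AzureLoadBalancer", RULES_VNET_AND_ALB),
                         ("Internet", RULES_INTERNET)):
        print(f"{label:36s} -> {evaluate(rules, PROBE_SOURCE, 65503)}")
```

Run it and the first rule set yields Deny and the second Allow, which is the behaviour the reply above reports. The explicit VirtualNetwork and AzureLoadBalancer rules never match a public source and merely duplicate the default AllowVNetInBound and AllowAzureLoadBalancerInBound rules; only a rule whose source covers public address space admits the health API. The same model shows the cost of that rule: any Internet source can reach the subnet on the opened port range, which is the exposure the linked post in the next comment describes, so keep the destination port range as narrow as the SKU allows and do not widen the source beyond what the probes need.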
Somewhat relevant on why this is bad practice:
https://chris408.com/post/microsoft-azure-application-gateway-exposes-your-backend-health-api-server/
When setting up an Application Gateway Standard V2, I am unable to retrieve health information from my components tied to my new AG. Same settings for a Standard work just fine. I have added an NSG to the subnet of the AGV2 with the updated rules documented (ports 65200 - 65535 for the v2 SKU); we are still unable to retrieve backend status of App Service and AGV2 reports as UNKNOWN backend health. It appears V2 is not quite working as expected by MS out of the box, or yet again, there is a new component without proper documentation on how to get the darned thing to work.
I can understand needing to use new settings or components, but that needs to be outlined and better defined by MS. Any time we try to upgrade to Standard_V2 to make use of a Static IP, nothing works: VMSS, App Service or IP.
WHY WAS THIS CLOSED WITHOUT A DETAILED EXPLANATION ON HOW TO AVOID??????!!!
"If you see a back-end health status of Unknown, ensure that access to the back end is not blocked by ... custom DNS in the virtual network."
Is custom DNS not supported for the backend pools? If the VNET uses user-defined DNS Servers, will the application gateway honor that? Is that not supported? I am confused by the wording of that note box.
ETA: I've reconfigured my backend pools to use IP addresses, reissued certs so everything would match up, and I'm seeing health check traffic in the logs of the backend pools but still 'unknown' even though I'm sending back 200s. I believe the poster above me is correct in assuming that either the application gateway health probes are completely broken on v2 or there are additional configuration steps that aren't documented anywhere.
I'm using an AppGW WAF V2 SKU and I'm unable to retrieve the health information from my backend pool (App Service web app - internal ASE). Status "UNKNOWN". The NSG on the AppGW subnet has the infrastructure ports allowed. I haven't tried a V1 SKU, as @wacsintegra mentions.
Symptom of v2 SKU?
I have a ticket open, expecting a call back. I will try to share here.