
I have my VMSS deployed in the subnet "APPSubet" and my Application Gateway deployed in the subnet "appgatewaysubnet". In "APPSubet" I have an NSG which allows traffic from the PIP of the Application Gateway into "appsubnet", but I keep getting an error in my health probe that it cannot reach the back end. If I add an NSG rule to allow traffic from any source it starts working. Not sure why my initial NSG is blocking the health probe.

Sanath Shetty

2 Answers


Please modify the NSG such that it allows traffic from the Application Gateway subnet address space. The health probes are sent by individual instances of Application Gateway, and they would not appear to be coming from the Application Gateway public VIP within the VNet.

amsriva-msft
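To make the accepted answer's point concrete, here is an added example (not code from the question or either answer) that models how an NSG evaluates an inbound packet against its rules in priority order using the 5-tuple. It compares an NSG whose only allow rule names the gateway's public IP with one whose allow rule names the gateway subnet's address space, and checks which one admits a health probe arriving from a gateway instance's private IP. All prefixes and addresses (10.0.1.0/24, 203.0.113.10, 10.0.1.5, port 80) are constructed for illustration, and the explicit deny rule is an assumption standing in for whatever was blocking the probe in the questioner's NSG.

```python
# Added example: a minimal model of Azure NSG inbound rule evaluation, used to
# show why a rule sourced from the Application Gateway's public IP does not
# admit the health probe, while a rule sourced from the gateway subnet does.
import ipaddress
from dataclasses import dataclass

# Constructed sample addressing (assumptions, not taken from the page).
APPGW_SUBNET = "10.0.1.0/24"        # "appgatewaysubnet" address space
APPGW_PUBLIC_IP = "203.0.113.10"    # the gateway's public VIP
PROBE_SOURCE_IP = "10.0.1.5"        # a gateway instance's private IP in APPGW_SUBNET
BACKEND_PORT = 80                   # port the health probe targets on the VMSS


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int    # lower number is evaluated first; user rules use 100-4096
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp" or "*"
    source: str      # CIDR prefix, single IP or "*"
    dest_port: str   # single port, "lo-hi" range or "*"


def _source_matches(prefix: str, ip: str) -> bool:
    if prefix == "*":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def evaluate_inbound(rules, src_ip: str, dst_port: int, protocol: str = "Tcp"):
    """Return (access, rule_name) for the first rule matching the 5-tuple in
    priority order, falling back to the platform's DenyAllInBound default.
    Azure's other built-in defaults (e.g. AllowVnetInBound) are omitted here;
    the explicit deny rule in the sample NSGs is assumed to override them."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if _source_matches(rule.source, src_ip) and _port_matches(rule.dest_port, dst_port):
            return rule.access, rule.name
    return "Deny", "DenyAllInBound"


def original_rules():
    """The questioner's setup as described: allow only the gateway's public IP."""
    return [
        NsgRule("allow-appgw-pip", 100, "Allow", "Tcp", APPGW_PUBLIC_IP + "/32", str(BACKEND_PORT)),
        NsgRule("deny-all-inbound", 4000, "Deny", "*", "*", "*"),   # assumed explicit deny
    ]


def fixed_rules():
    """The accepted answer's fix: allow the gateway subnet's address space."""
    return [
        NsgRule("allow-appgw-subnet", 100, "Allow", "Tcp", APPGW_SUBNET, str(BACKEND_PORT)),
        NsgRule("deny-all-inbound", 4000, "Deny", "*", "*", "*"),
    ]


def probe_allowed(rules) -> bool:
    """True if a probe arriving from a gateway instance's private IP is admitted."""
    return evaluate_inbound(rules, PROBE_SOURCE_IP, BACKEND_PORT)[0] == "Allow"


if __name__ == "__main__":
    for label, rules in (("PIP-only NSG", original_rules()), ("subnet-space NSG", fixed_rules())):
        access, name = evaluate_inbound(rules, PROBE_SOURCE_IP, BACKEND_PORT)
        print(f"{label}: probe from {PROBE_SOURCE_IP} -> {access} (matched {name})")
```

The probe never carries the public VIP as its source address inside the VNet, so the PIP-only rule is skipped and the packet falls through to the deny; widening the source to the gateway subnet prefix is what admits it, without opening the backend to arbitrary sources.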

You can check whether there is an NSG on the virtual network under Subnets for "APPSubet" or "appgatewaysubnet". You also need to check NSGs associated with the Application Gateway subnet. Ensure that communication to the backend is not blocked. Refer to this: Troubleshooting bad gateway errors in Application Gateway.

For NSG rules: you can filter the network traffic at the subnet or NIC level by priority using the 5-tuple information (source, source port, destination, destination port, and protocol) to allow or deny the traffic. If you allow traffic from the PIP of the application gateway, it only allows the initial traffic from the application gateway. But in fact, you access the backend VMSS via the application gateway from a client. The source should be the initial IP address of a client for every TCP/UDP connection.

Nancy
  • You mean to say I have to enable any source in my appsubnet? Since only enabling the PIP to connect to appgatewaysubnet is not enough – Sanath Shetty Sep 19 '18 at 05:47
  • No, you do not need to enable the PIP of the application gateway; you only restrict it by allowing the public-facing IP of your client. – Nancy Sep 19 '18 at 05:49
  • The application gateway PIP is the public-facing IP. What exactly do you mean by the PIP of the client? – Sanath Shetty Sep 19 '18 at 05:54
  • Where do you access your application gateway from? An on-premises network, an Azure VM or others; I mean these are the clients in this case. – Nancy Sep 19 '18 at 05:56
  • The backend pool VMSS is used as a web server farm; I have a couple of web applications deployed in there and I have an application gateway with WAF enabled as an entry point to those web apps, so basically from anywhere on the internet – Sanath Shetty Sep 19 '18 at 05:59
  • If so, you only need to add an any-source traffic rule. You do not need to add the PIP of the application gateway. If you want to restrict it to a specific IP or service tag or ASG, you just need to add the PIP from which the source traffic comes; you also do not need to add the PIP of the application gateway. – Nancy Sep 19 '18 at 06:06
  • So my source in the application gateway is to be any – Sanath Shetty Sep 19 '18 at 06:15