How to configure NSG for WAF v2 Application Gateway subnet?

Question

I want to configure Network Security Group(NSG) for my Application gateway(AG) subnet. I tried to follow this doc - here but after applying the inbound rules to my NSG, I am getting timeout when hitting the webapp url(which is in the backend pool of my AG).

Here is the snippet of configuration of my NSG inbound rule that I added -

pic1 pic2

This is the snapshot of all the inbound rules of nsg - pic3

I have also tried with making destination as 'Service Tag' and value as 'Gateway Manager' but still got the same timeout issue. I have also tried with making source as 'Any' and destination as 'Any' but got same issue. Also tried with making Protocol as 'TCP' but no luck here too.

What am I missing here? Or do I need to add anything else in AG or vnet settings?

My AG is WAF-v2 tier with https on both listener settings and backend settings. Everything is working without NSG.

Answer 1

I am getting timeout when hitting the webapp URL(which is in the backend pool of my AG

This error may cause:

When a user request is received, The application gateway processes the request in accordance with the set rules before sending it to a backend pool instance It waits for a configurable interval of time for a response from the backend instance. By default, this interval is 20 seconds.If the backend application doesn't respond within this time frame, Application Gateway v2 will try to send the request to a different backend pool member. If the second request fails the user request gets a 502 error.

In your application gateway -> Backend setting -> change Request time-out second 3600 like below:

In Healthy probes add timeout like below:

You can make use of below powershell command like below:

New-AzApplicationGatewayBackendHttpSettings -Name 'Setting01' -Port 80 -Protocol Http -CookieBasedAffinity Enabled -RequestTimeout 60

Output

Port                           : 80
Protocol                       : Http
CookieBasedAffinity            : Enabled
RequestTimeout                 : 60
ConnectionDraining             : 
Probe                          : 
AuthenticationCertificates     : 
TrustedRootCertificates        : 
HostName                       : 
PickHostNameFromBackendAddress : 
AffinityCookieName             : 
Path                           : 
ProvisioningState              : 
Type                           : 
ConnectionDrainingText         : null
ProbeText                      : null
AuthenticationCertificatesText : null
Name                           : Http
Etag                           : 
Id                             : /subscriptions/09e8ad18-7bdb-43b8-80c4-43XXXXXX/resourceGroups/ResourceGroupNotSet/providers/Microsoft.Network/applicat
                                 ionGateways/ApplicationGatewayNameNotSet/backendHttpSettingsCollection/Http

References:

azure public ip - Causes for Application Gateway Connection Timeout - Stack Overflow

---

Update

Based on your information NSG rule which you configure is correct, This issue may cause on another factor

• Ensure that the NSG is associated with the subnet that contains your Application Gateway. In the NSG resource, select Subnets from the Settings menu, and verifying whether the proper subnet is linked.
• Verify if the backend pool settings in your Application Gateway are right. Make that the appropriate IP addresses or DNS names for your web application are in the backend pool.
• Verfiy any other network security groups or firewall rules are blocking the traffic to your web application.