
I'm running into some trouble with deployment of a Network Security Group (NSG) for a subnet in which an Application Gateway (AG) is placed.

During deployment I get the following error (I removed the resource paths for readability):

Network security group nsg-acc-waf blocks incoming internet traffic on ports 65200 - 65535 to subnet snet-acc-waf, associated with Application Gateway agw-acc. This is not permitted for Application Gateways that have V2 Sku.

All looks good according to the configuration instructions on https://learn.microsoft.com/en-us/azure/application-gateway/configuration-infrastructure#allow-access-to-a-few-source-ips

Here's the Bicep that I've created with the above instructions; my question is regarding nsgRule110:

resource wafNsg 'Microsoft.Network/networkSecurityGroups@2021-03-01' = {
  name: 'nsg-${environmentName}-waf'
  location: location

  resource nsgRule100 'securityRules' = {
    name: 'AllowPublicIPAddress'
    properties: {
      access: 'Allow'
      description: 'Allow traffic from Public IP Address.'
      destinationAddressPrefix: '*'
      destinationPortRange: '443'
      direction: 'Inbound'
      priority: 100
      protocol: 'Tcp'
      sourceAddressPrefix: publicIpAddress
      sourcePortRange: '*'
    }
  }

  resource nsgRule101 'securityRules' = {
    name: 'AllowInternetAccess'
    properties: {
      access: 'Allow'
      description: 'Allow traffic from Internet on port 443.'
      destinationAddressPrefix: '*'
      destinationPortRange: '443'
      direction: 'Inbound'
      priority: 101
      protocol: 'Tcp'
      sourceAddressPrefix: 'Internet'
      sourcePortRange: '*'
    }
  }

  resource nsgRule110 'securityRules' = {
    name: 'AllowGatewayManager'
    properties: {
      access: 'Allow'
      description: 'Allow traffic from GatewayManager. This port range is required for Azure infrastructure communication.'
      destinationAddressPrefix: '*'
      destinationPortRange: '65200-65535'
      direction: 'Inbound'
      priority: 110
      protocol: '*'
      sourceAddressPrefix: 'GatewayManager'
      sourcePortRange: '*'
    }
  }

  resource nsgRule120 'securityRules' = {
    name: 'AllowAzureLoadBalancer'
    properties: {
      access: 'Allow'
      description: 'Allow traffic from AzureLoadBalancer.'
      destinationAddressPrefix: '*'
      destinationPortRange: '*'
      direction: 'Inbound'
      priority: 120
      protocol: '*'
      sourceAddressPrefix: 'AzureLoadBalancer'
      sourcePortRange: '*'
    }
  }

  resource nsgRule4096 'securityRules' = {
    name: 'DenyAllInboundInternet'
    properties: {
      access: 'Deny'
      description: 'Deny all traffic from Internet.'
      destinationAddressPrefix: '*'
      destinationPortRange: '*'
      direction: 'Inbound'
      priority: 4096
      protocol: '*'
      sourceAddressPrefix: 'Internet'
      sourcePortRange: '*'
    }
  }
}

I've also tried setting sourceAddressPrefix: 'Internet' and sourceAddressPrefix: '*' (where the asterisk is Any).

Answered in: Azure App Gateway V2 cannot be configured with NSG and Add NSG to Application Gateway Subnet

I can't figure out what's wrong with it. It looks like this validation rule is only triggered during deployment.

I've tried adding the rules manually, when bound to the subnet, and that works. Also adding the NSG without binding it directly to the subnet via deployment, but eventually binding it manually seems to work. The only case it doesn't work is when the NSG is already bound to the subnet (used by the AG) and then (re-)deployed.

Is there anybody able to help me with this please?

rdvanbuuren
  • Have you tried changing the priority on your rules? I have the same implementation except that the rules `AllowGatewayManager` and `AllowAzureLoadBalancer` are before the other ones. – Thomas Mar 31 '23 at 01:00
  • Yes, I did try that as well. It didn't have any effect. But I've found the issue and posted the answer. – rdvanbuuren Mar 31 '23 at 07:38

2 Answers


As the error message shows, the NSG is blocking incoming internet traffic on ports 65200 - 65535 to subnet snet-acc-waf, which is associated with Application Gateway agw-acc. That is why you are getting this blocker.

Refer to this document for Application Gateway infrastructure configuration.

As you already specified `destinationPortRange: '65200-65535'` for nsgRule110, it will no longer block ports within this range. You can add the same for other network rules if needed, as follows.

resource nsgRule120 'securityRules' = {
  name: ''
  properties: {
    access: 'Allow'
    description: 'Allow traffic'
    destinationAddressPrefix: '*'
    destinationPortRange: '65200-65535'
    direction: 'Inbound'
    priority: 120
    protocol: '*'
    sourceAddressPrefix: 'AzureLoadBalancer'
    sourcePortRange: '*'
  }
}

I tried the same code as yours in my environment and it worked successfully, as shown in the snapshot below.

[screenshot: Deployment succeeded]

Jahnavi
  • Thank you for your answer. I was already able to deploy the NSG as standalone. But when it's connected to the subnet that the AG uses, it will come up with that specific error. It was caused by the nested resources. I've elaborated on it in my answer. – rdvanbuuren Mar 31 '23 at 07:37
  • The part `sourceAddressPrefix: 'AzureLoadBalancer'` seems to be incorrect. Shouldn't that be `sourceAddressPrefix: 'GatewayManager'` ? – rdvanbuuren Mar 31 '23 at 07:50
  • @rdvanbuuren Let me elaborate in this way. If it is for managing the traffic, then it should be `'GatewayManager'` and `'Loadbalancer'` is for including probe traffic but not real traffic. You can refer for more relevant information in this [MSDoc](https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview). So, you can change the `sourceAddressPrefix` as per the requirement in your environment. – Jahnavi Mar 31 '23 at 08:05

After a lot of trial and error, I found the issue was in the Bicep. First, I was using nested resources for the NSG rules. But the NSG itself has a property securityRules where you can also add these NSG rules, with one difference: it adds the NSG rules to the NSG immediately. The other method, using the nested resource, adds them later on during deployment (so the validator thinks it doesn't have the GatewayManager rule), and this makes the validation rule go off.

So here's a sample of the code that works :)

resource wafNsg 'Microsoft.Network/networkSecurityGroups@2021-03-01' = {
  name: 'nsg-${environmentName}-waf'
  location: location
  properties: {
    securityRules: [
      {
        name: 'AllowGatewayManager'
        properties: {
          access: 'Allow'
          description: 'Allow traffic from GatewayManager. This port range is required for Azure infrastructure communication.'
          destinationAddressPrefix: '*'
          destinationPortRange: '65200-65535'
          direction: 'Inbound'
          priority: 100
          protocol: '*'
          sourceAddressPrefix: 'GatewayManager'
          sourcePortRange: '*'
        }
      }
      // put additional NSG rules here
    ]
  }
}

rdvanbuuren
  • So you changed the priority for the rule, that's it? – Thomas Mar 31 '23 at 08:26
  • No, it had nothing to do with the priority. It gave me the exact same error. The fix is to use the `securityRules` property on the networkSecurityGroups instead of the nested resources. – rdvanbuuren Mar 31 '23 at 10:05
  • You did change the priority though; is it working if you put this rule back to 120? – Thomas Apr 01 '23 at 05:26
  • I did try your suggestions before and had no success with altering the priority (in combination with the nested resources). Setting it back to 120 in the `securityRules` property still works though. – rdvanbuuren Apr 03 '23 at 06:52
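The following is an added example, not code from the question or from either answer. It puts the whole rule set the question started with into the NSG's inline `securityRules` property (the approach the second answer identifies as the fix), so the GatewayManager rule exists the moment the NSG is created, and it associates the NSG with the Application Gateway subnet in the same deployment. It also follows the "allow access to a few source IPs" scenario the question links to: 443 is allowed only from the given source, so a broad allow from the `Internet` service tag on 443 (which would make that restriction meaningless) is deliberately absent. The parameter names, the VNet name and the subnet address prefix are assumptions made for this example.

```bicep
// Added example (not from the original question or answers). Rules are declared
// inline in `securityRules` so they are created together with the NSG rather than
// as nested child resources. Parameter names, the VNet name and the subnet prefix
// below are assumptions chosen for this example.
param location string = resourceGroup().location
param environmentName string = 'acc'
param vnetName string = 'vnet-${environmentName}'
param subnetPrefix string = '10.0.1.0/24'
@description('Client IP or CIDR range allowed to reach the gateway listener on 443.')
param publicIpAddress string

resource wafNsg 'Microsoft.Network/networkSecurityGroups@2021-03-01' = {
  name: 'nsg-${environmentName}-waf'
  location: location
  properties: {
    securityRules: [
      {
        // Required for the v2 SKU: Azure infrastructure communication on 65200-65535.
        // The linked configuration doc lists TCP for this range.
        name: 'AllowGatewayManager'
        properties: {
          access: 'Allow'
          direction: 'Inbound'
          priority: 100
          protocol: 'Tcp'
          sourceAddressPrefix: 'GatewayManager'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '65200-65535'
        }
      }
      {
        // Health-probe traffic from the Azure load balancer.
        name: 'AllowAzureLoadBalancer'
        properties: {
          access: 'Allow'
          direction: 'Inbound'
          priority: 110
          protocol: '*'
          sourceAddressPrefix: 'AzureLoadBalancer'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
      {
        // Client traffic on 443, restricted to the allowed source only.
        name: 'AllowHttpsFromPublicIp'
        properties: {
          access: 'Allow'
          direction: 'Inbound'
          priority: 120
          protocol: 'Tcp'
          sourceAddressPrefix: publicIpAddress
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '443'
        }
      }
      {
        // Everything else from the Internet is denied; the explicit allows above
        // carry lower priority numbers and are therefore evaluated first.
        name: 'DenyAllInboundInternet'
        properties: {
          access: 'Deny'
          direction: 'Inbound'
          priority: 4096
          protocol: '*'
          sourceAddressPrefix: 'Internet'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}

// The VNet is assumed to exist already; only the subnet is managed here.
resource vnet 'Microsoft.Network/virtualNetworks@2021-03-01' existing = {
  name: vnetName
}

resource wafSubnet 'Microsoft.Network/virtualNetworks/subnets@2021-03-01' = {
  parent: vnet
  name: 'snet-${environmentName}-waf'
  properties: {
    addressPrefix: subnetPrefix
    networkSecurityGroup: {
      id: wafNsg.id
    }
  }
}
```

Deploy it into the resource group that holds the VNet with `az deployment group create -g <resource-group> --template-file main.bicep --parameters publicIpAddress=<allowed-source>`. Because the subnet resource references `wafNsg.id`, Bicep orders the NSG (with all four rules already in place) before the subnet association, which is the ordering the v2 validation check requires.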