I have a basic Hub and Spoke network topology set up with Azure VNets. My Hub Network seems to be unable to reach IPs/Private domains in my spoke network:
When I look at my AppGateway Probe/backend health I get the following error message:
"The backend health status could not be retrieved. This happens when an NSG/UDR/Firewall on the application gateway subnet is blocking traffic on ports 65503-65534 in case of v1 SKU, and ports 65200-65535 in case of the v2 SKU or if the FQDN configured in the backend pool could not be resolved to an IP address. To learn more visit - https://aka.ms/UnknownBackendHealth."
Which leads me to believe that my Hub Network is unable to resolve api.contonso.com in my spoke network? Perhaps I don't quite understand how peering and private DNS Zones actually works? Shouldn't my hub be able to resolve private addresses in my Spoke if they are peered and the DNS Zone is linked to both VNets? I also tried deploying a VM in my Hub network and still unable to resolve the DNS.
Any tips to debug this issue?
Turns out I had created my DNS A record entry for the APIM gateway as api.contoso.com.constoso.com instead of api.contoso.com
I ended up creating a VM in my hub network and doing an nslookup for api.contoso.com and came up as a non existent domain which made me think to go back and check my DNS records