How to configure NSG for WAF v2 Application Gateway subnet?
I want to configure Network Security Group(NSG) for my Application gateway(AG) subnet. I tried to follow this doc - here but after applying the inbound rules to my NSG, I am getting timeout when hitting the webapp url(which is in the backend pool of my AG).
Here is the snippet of configuration of my NSG inbound rule that I added -
This is the snapshot of all the inbound rules of nsg - pic3
I have also tried with making destination as 'Service Tag' and value as 'Gateway Manager' but still got the same timeout issue. I have also tried with making source as 'Any' and destination as 'Any' but got same issue. Also tried with making Protocol as 'TCP' but no luck here too.
What am I missing here? Or do I need to add anything else in AG or vnet settings?
My AG is WAF-v2 tier with https on both listener settings and backend settings. Everything is working without NSG.
I am getting timeout when hitting the webapp URL(which is in the backend pool of my AG
This error may cause:
When a user request is received, The application gateway processes the request in accordance with the set rules before sending it to a backend pool instance It waits for a configurable interval of time for a response from the backend instance.
By default, this interval is 20 seconds.If the backend application doesn't respond within this time frame, Application Gateway v2 will try to send the request to a different backend pool member. If the second request fails the user request gets a 502 error.
In your application gateway -> Backend setting -> change Request time-out second 3600 like below:
In Healthy probes add timeout like below:
You can make use of below powershell command like below:
New-AzApplicationGatewayBackendHttpSettings -Name 'Setting01' -Port 80 -Protocol Http -CookieBasedAffinity Enabled -RequestTimeout 60
Output
Port : 80
Protocol : Http
CookieBasedAffinity : Enabled
RequestTimeout : 60
ConnectionDraining :
Probe :
AuthenticationCertificates :
TrustedRootCertificates :
HostName :
PickHostNameFromBackendAddress :
AffinityCookieName :
Path :
ProvisioningState :
Type :
ConnectionDrainingText : null
ProbeText : null
AuthenticationCertificatesText : null
Name : Http
Etag :
Id : /subscriptions/09e8ad18-7bdb-43b8-80c4-43XXXXXX/resourceGroups/ResourceGroupNotSet/providers/Microsoft.Network/applicat
ionGateways/ApplicationGatewayNameNotSet/backendHttpSettingsCollection/Http
References:
azure public ip - Causes for Application Gateway Connection Timeout - Stack Overflow
Update
Based on your information NSG rule which you configure is correct, This issue may cause on another factor
- Ensure that the NSG is associated with the subnet that contains your Application Gateway. In the NSG resource, select Subnets from the Settings menu, and verifying whether the proper subnet is linked.
- Verify if the backend pool settings in your Application Gateway are right. Make that the appropriate IP addresses or DNS names for your web application are in the backend pool.
- Verfiy any other network security groups or firewall rules are blocking the traffic to your web application.
- Setting Up Prometheus, Grafana, and Loki on Azure VM with HTTPS Using Azure Application Gateway
- 400 The SSL certificate error from Azure Application Gateway with mTLS setup by Terraform
- Azure App Gateway: change public IP zero downtime?
- App service gateway IP shows This site can’t provide a secure connection Diagnostics. ERR_SSL_PROTOCOL_ERROR
- Can't create Private Link for Azure Application Gateway because I need to delete external resources before deploying into this subnet
- Azure Application Gateway http/2 not working
- When to use Azure Network interfaces' application_gateway_backend_address_pools
- Azure app gateway redirection does not rewrite the default azure url to custom domain name
- Azure - Configuring authentication to a blob storage in an Azure Storage Account from an Application Gateway
- How to prevent AKS Ingress from overwriting Application Gateway's existing services?
- Azure Application Gateway backendpool to Azure Container Apps internal load balancer
- Specify custom backend pool name in Application Gateway via Application Gateway Ingress Controller for Service in AKS
- Bicep code to deploy WAF policy for Azure Application gateway
- How do I set the User Idle Timeout for Azure App Service
- Azure Application Gateway : Backend server certificate expired. Please upload a valid certificate
- Azure Log Analytics - How to view logs from last x days but only between certain hours?
- Azure : Load Balance multiple instance of application from different VM's
- Azure Web Application Gate (w/WAF) public IP opening/redirecting Azure App Services on port 80 instead of actual Web App
- Azure FrontDoor Premium, using rule engine to rewrite HTTP response based on returned 301
- How can I add support for IPv6 to and Azure application Gateway knowing that it does not support it
- Azure App Gateway V2 cannot be configured with NSG
- Azure Alerts for an Application Gateway Availability SLI
- Issue within certification chain using azure application gateway
- Troubleshooting Rule Priority Configuration in Azure Application Gateway Ingress for Kubernetes
- Adding new VM IP Address to Azure Gateway Backend Pool failing
- Why is Azure Application Gateway Returning a 502
- Terraform - Create Azure Application Targeting Two Web-Apps
- Configuring multiple sites(IIS application Pools) with multiple VMs on Azure App Gateway
- I created an app gateway and linked web app but getting 502 Bad Gateway, even that probe is healthy
- Secure cookies and TLS termination in Azure Application Gateway