1 vote

My requirement is simple. I need to associate an NSG with the subnet containing my application gateway.

As soon as I associate the NSG with this subnet, I get a "connection timed out" error.

As per Microsoft's documentation, I added an exception for port range 65503-65534.

From https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-faq:

> Network Security Groups (NSGs) are supported on the application gateway subnet with the following restrictions:
>
> Exceptions must be put in for incoming traffic on ports 65503-65534 for the Application Gateway v1 SKU and ports 65200 - 65535 for the v2 SKU. This port-range is required for Azure infrastructure communication. They are protected (locked down) by Azure certificates. Without proper certificates, external entities, including the customers of those gateways, will not be able to initiate any changes on those endpoints.
>
> Outbound internet connectivity can't be blocked.
>
> Traffic from the AzureLoadBalancer tag must be allowed.

Am I missing something? Any help would be greatly appreciated.

2 Answers

1 vote

This is a sample NSG application gateway exclusion rule that works for me:

    {
        "apiVersion": "2017-06-01",
        "name": "NameGoesHere",
        "type": "Microsoft.Network/networkSecurityGroups/securityRules",
        "location": "[resourceGroup().location]",
        "properties": {
            "description": "This rule is needed for application gateway probes to work",
            "protocol": "*",
            "destinationAddressPrefix": "*",
            "sourcePortRange": "*",
            "destinationPortRange": "65503-65534",
            "sourceAddressPrefix": "*",
            "access": "Allow",
            "priority": 100,
            "direction": "Inbound"
        }
    }

Try adding an NSG with this rule to the application gateway subnet; it will work. Also, make sure you are not explicitly blocking access from the application gateway to the backend with your NSG.

0 votes

To associate an NSG with the subnet containing an application gateway, allow the following traffic:

  1. From source 'GatewayManager', source port Any, to destination 'GatewayManager' service tag, destination port 65503-65534.
  2. Traffic from the AzureLoadBalancer tag, with destination subnet Any, must be allowed.

Also, outbound Internet connectivity can't be blocked.

Reference: https://docs.microsoft.com/en-us/azure/application-gateway/configuration-infrastructure#network-security-groups
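As an added example (not code from either answer), here is a small offline Python checker that evaluates a list of NSG rules, written in the same ARM `properties` shape as the JSON in the first answer, against the three requirements both answers rely on: the GatewayManager infrastructure port range for the chosen SKU, inbound traffic from AzureLoadBalancer, and outbound Internet connectivity. It models Azure's built-in default rules as constants and assumes simplified prefix matching (only `*` or the exact service tag; CIDR prefixes and nested tags are not expanded).

```python
SKU_PORTS = {"v1": (65503, 65534), "v2": (65200, 65535)}

def _rule(name, prio, direction, src, dst, dport, access, proto="*"):
    return {"name": name, "properties": {
        "priority": prio, "direction": direction, "protocol": proto,
        "sourceAddressPrefix": src, "destinationAddressPrefix": dst,
        "sourcePortRange": "*", "destinationPortRange": dport, "access": access}}

# Azure's built-in default rules, evaluated after any custom rule (priorities 65000+).
DEFAULT_RULES = [
    _rule("AllowVnetInBound", 65000, "Inbound", "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
    _rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "AzureLoadBalancer", "*", "*", "Allow"),
    _rule("DenyAllInBound", 65500, "Inbound", "*", "*", "*", "Deny"),
    _rule("AllowVnetOutBound", 65000, "Outbound", "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
    _rule("AllowInternetOutBound", 65001, "Outbound", "*", "Internet", "*", "Allow"),
    _rule("DenyAllOutBound", 65500, "Outbound", "*", "*", "*", "Deny"),
]

def _port_in(spec, port):
    lo, _, hi = spec.partition("-")          # '443' or '65503-65534'
    return spec == "*" or int(lo) <= port <= int(hi or lo)

def decision(rules, direction, tag, port):
    """Access of the first rule (custom by priority, then defaults) matching a TCP probe; Inbound
    matches `tag` against the source prefix, Outbound against the destination (assumption: '*' or exact tag)."""
    key = "sourceAddressPrefix" if direction == "Inbound" else "destinationAddressPrefix"
    for r in sorted(rules + DEFAULT_RULES, key=lambda r: int(r["properties"]["priority"])):
        p = r["properties"]
        if (p["direction"] == direction and p["protocol"] in ("*", "Tcp")
                and p[key] in ("*", tag) and _port_in(p["destinationPortRange"], port)):
            return p["access"]
    raise ValueError("the default rules always match")

def check_appgw_nsg(rules, sku="v1"):
    """Return findings; an empty list means the NSG meets the three requirements quoted above."""
    lo, hi = SKU_PORTS[sku]
    findings = []
    blocked = [p for p in range(lo, hi + 1) if decision(rules, "Inbound", "GatewayManager", p) != "Allow"]
    if blocked:
        findings.append(f"{len(blocked)} of ports {lo}-{hi} not allowed inbound for {sku} (first: {blocked[0]})")
    if any(decision(rules, "Inbound", "AzureLoadBalancer", p) != "Allow" for p in (80, 443, lo)):
        findings.append("inbound traffic from AzureLoadBalancer is blocked")
    if any(decision(rules, "Outbound", "Internet", p) != "Allow" for p in (80, 443)):
        findings.append("outbound Internet connectivity is blocked")
    return findings

# Constructed samples: the first answer's rule with a numeric priority, and a blanket custom deny.
ANSWER_RULE = _rule("AppGwInfra", 100, "Inbound", "*", "*", "65503-65534", "Allow")
DENY_ALL = _rule("DenyEverything", 200, "Inbound", "*", "*", "*", "Deny")
```

Running `check_appgw_nsg([ANSWER_RULE], "v2")` shows why the first answer's rule is not enough for a v2 gateway: 304 of the 336 required ports are still denied.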