How to configure Azure Application Gateway to allow connecting to a Container Instance - azure

I have a private network (10.0.0.0/16) which has multiple subnets. I have an Application Gateway configured in the 10.0.0.0/24 subnet and I would like to expose Container Instances from the 10.0.2.0/24 subnet to the internet via HTTP.
The gateway has only one HTTP rule simply mapping 80:80 from the internet to the backend pool. In the "Backend Health" section the status of my container (added via IP address) is unknown and the following error is displayed:
Unable to retrieve health status data. Check presence of NSG/UDR blocking access to ports 65503-65534 from Internet to Application Gateway.
Initially I had no NSG set, but setting one (and even allowing any:any) does not solve the status check problem.
When opening the URL in the browser I get a 502 Bad Gateway error.
Note: I have added a container instance which is not part of the VNet to the Application Gateway and, despite also showing unknown status in the Backend Pool, the requests actually got redirected to the container, so I am almost certain I am misconfiguring something in the VNet.
Note 2: I have pushed a test container and the test container can reach the container I am trying to expose in the same subnet, so something goes wrong between the container and the application gateway.
My question is what NSG rules I have to set to:
make the container visible to the health check
make the redirect work between the Application Gateway and the Container

There is really nothing to misconfigure. You can create a VM in one of the subnets (create a third one) and test if it can access the container instance. If it can, this might be a platform limitation, tbh.
But looking at the error: you should detach all NSG/User Defined Routes from the VNet (for simplicity) and do several other checks: https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-backend-health-troubleshooting#backend-health-status-unknown

Related

I want to communicate normally with Container Instance in the backend pool of Application Gateway even if the Private IP changes

In my environment, A Container Instance in the backend pool of the Application Gateway changes its Private IP when it is restarted.
Therefore, the communication from the frontend is interrupted every time it is restarted.
Is there a way to communicate with Application Gateway even if the private IP of Container Instance changes?
For example, activity log alerts detect the restart of Container Instance, and Automation runbook changes the routing rule of Application Gateway.
Thank you in advance!
I tested in my environment; there is no change in private IP address after the container instance restarts.
Found one SO thread stating the below:
When putting ACI into a subnet, your best bet may be to use subnets of the smallest required size - and only use one ACI per subnet.
Except for checking if the IP has changed after a container has been restarted, I don't believe there is a real workaround here.

Azure Application Gateway with ACI instance in the backendpool giving '502 Bad Gateway' error when invoked from postman

I created an application gateway in Azure. I have set an ACI instance as backend target. The ACI is a linux container instance. It contains my WebApis. When I try to invoke the WebAPI from Postman using the public IP address of the application gateway, I get '502 bad gateway error'. I could not find much resource online that was using an ACI as backend target in an Application Gateway.
I referred to this site - https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-web-application-firewall-portal to configure application gateway. Here they have VM as backend target. Instead I used private IP address of my container instance as backend target.
In 'Backend Pool' of my application gateway, I selected 'IP address or FQDN' as target type and provided the private IP address of my container instance.
Would appreciate any input/help on this.
Thanks.
Have you solved your problem?
Locally the docker container works as expected (correct ports configured)?
Http traffic or https ?
The ip address of the aci is the one you have in the backend pool?
Need more info to be able to help.

Azure App Service behind Azure Application Gateway

I'm trying to serve multiple Azure App Services behind an Application Gateway. These services should only be reachable through the application gateway endpoint. To achieve this, I've done the following:
Added a VNet
Added a subnet, and added all app services to it
Added an application gateway with appropriate rules for pointing to the app service
Added access restrictions to the app service to only allow the subnet of the application gateway, and the public IP of the application gateway
The health probe of the application gateway indicates the service is healthy (and thus reachable), but when I try to make a request to the service through the gateway using Postman, I get a 403 IP forbidden error. However, when I add my local IP as an allowed IP address to the app service, the request comes through just fine.
From what I've read online, adding the public IP of the gateway should be sufficient for allowing access through the gateway, but it seems that requests from my local machine are blocked. Am I getting something fundamentally wrong here?
Edit: I also tried assigning a front-end private IP address to the gateway and adding access for that in the app service, but that also did not work
Edit 2: My configuration (screenshots of the access restrictions for the app service, the backend pool, the HTTP settings, the listener, and the rule)
From your description "Added a subnet, and added all app services to it", I assume that you are meaning integrating app with Azure VNet or enable the service endpoint with Microsoft.Web for the subnet. If so, you could remove them. Both are useless in this scenario.
To restrict the access through the gateway, you only need to add the frontend IP address to the Azure App Service access restrictions. For more details, you could refer to this blog https://www.cloudmanav.com/azure/restricting-appservice-accessible-via-appgateway/#
If you have NSG associated with the subnets, you could follow the prerequisites here
https://learn.microsoft.com/en-us/azure/application-gateway/configuration-overview#network-security-groups-on-the-application-gateway-subnet
Edit
You may have redirection configured on your app service or have Azure Active Directory authentication, which causes the redirection. So when redirection happens, the client makes the request directly to app service URL Path contoso.azurewebsites.net/xxx instead of going through the application gateway URL path contoso.com/xxx.
To fix it, you could use a custom domain name to pass the same host name that the application gateway receives to the app service as well, instead of doing a host override. Get more details about this solution here.

Set kubernetes VM with nodeports as backend for application gateway

I have two VMs that are part of a kubernetes cluster. I have a single service that is exposed as NodePort (30001). I am able to reach this service on port 30001 through curl on each of these VMs. When I create an Azure application gateway, the gateway is not directing traffic to these VMs.
I've followed the steps for setting up the application gateway as listed in the Azure documentation.
I constantly get a 502 from the gateway.
In order for the Azure Application Gateway to redirect or route traffic to the NodePort you need to add the Backend servers to the backend pool inside the Azure Application Gateway.
There are options to choose Virtual Machines as well.
A good tutorial explaining how to configure an application gateway in azure and direct web traffic to the backend pool is:
https://learn.microsoft.com/en-us/azure/application-gateway/quick-create-portal
I hope this solves your problem.
So I finally ended up getting on a call with the support folks. It turned out that the UI on Azure's portal is slightly temperamental.
For the gateway to be able to determine which of your backends are healthy it needs to have a health probe associated with the HTTP setting (the HTTP Setting is the one that determines how traffic from the gateway flows to your backends).
Now, when you are configuring the HTTP setting, you need to select the "Use Custom Probe" but when you do that it doesn't show the probe that you have already created. Hence, I figured that wasn't required.
The trick is to first check the box below "Use Custom probe" which reads "Pick hostname from backend settings", and then click on custom probe and your custom probe will show up and things will work.

Azure application Gateway WAF

I am trying to configure Azure application gateway WAF with a backendpool set to a VM in a different Azure tenant using its public IP address on port 443. All the SSL certificates are configured properly. However, I keep getting following error while browsing the site via WAF.
502 - Web server received an invalid response while acting as a gateway or proxy server.
I have confirmed that the NSG on the mentioned back-end VM is allowing all traffic on port 443. What could be going wrong here?
Generally, you can check the status of Backend health in the monitoring of Application Gateway and compare with the DETAILS referring to these possible reasons on your side.
NSG, UDR or Custom DNS is blocking access to backend pool members.
Back-end VMs or instances of virtual machine scale set are not responding to the default health probe.
Invalid or improper configuration of custom health probes.
Azure Application Gateway's back-end pool is not configured or empty.
None of the VMs or instances in virtual machine scale set are healthy.
Request time-out or connectivity issues with user requests.
For each reason, you can get a solution from that link. I think you could make sure you can directly access the backend with public IP from one tenant to another tenant. Then if you have an NSG in the app gateway subnet, you must include exceptions for incoming traffic on ports 65503-65534 for the Application Gateway v1 SKU, and ports 65200-65535 for the v2 SKU. You could get more details here. You could also whitelist the app gateway public IP address in the NSG of backend VM.
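As an added example (not code from the thread), a small offline check for the NSG question asked in the first post and the port ranges quoted in this answer: given the inbound rules of the NSG on the Application Gateway subnet, it reports which infrastructure ports would be refused, taking rule priority into account. It assumes the ARM securityRules property names and works on constructed rule sets.

```python
# Added example, not code from the thread: checks whether an NSG on the Application
# Gateway subnet admits the platform health-probe traffic on the ports the thread
# quotes, 65503-65534 (v1 SKU) and 65200-65535 (v2 SKU). Rule dicts use the ARM
# securityRules property names (assumed to match `az network nsg rule list` output);
# every rule set below is constructed for illustration.

INFRA_PORTS = {"v1": (65503, 65534), "v2": (65200, 65535)}
# Source prefixes that contain the probe traffic: the GatewayManager service tag or a
# superset of it. Simplification: any other prefix is treated as not matching.
INFRA_SOURCES = {"GatewayManager", "Internet", "*"}

def _port_ranges(rule):
    """Expand destinationPortRange(s) such as '*', '80' or '1024-65535' to (lo, hi) pairs."""
    out = []
    for r in rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]:
        lo, hi = ("0", "65535") if r == "*" else (r.split("-") if "-" in r else (r, r))
        out.append((int(lo), int(hi)))
    return out

def _matches(rule, port):
    return (rule["direction"] == "Inbound"
            and rule["protocol"] in ("Tcp", "*")
            and rule["sourceAddressPrefix"] in INFRA_SOURCES
            and any(lo <= port <= hi for lo, hi in _port_ranges(rule)))

def blocked_infra_ports(rules, sku="v2"):
    """Ports in the SKU's range whose first matching rule (lowest priority number) is not Allow."""
    lo, hi = INFRA_PORTS[sku]
    ordered = sorted(rules, key=lambda r: r["priority"])
    blocked = []
    for port in range(lo, hi + 1):
        verdict = next((r["access"] for r in ordered if _matches(r, port)), "Deny")
        if verdict != "Allow":
            blocked.append(port)
    return blocked

def _rule(name, prio, access, src, ports, proto="Tcp"):
    return {"name": name, "priority": prio, "direction": "Inbound", "access": access,
            "protocol": proto, "sourceAddressPrefix": src, "destinationPortRange": ports}

# Constructed: the "any:any" allow from the question exists, but a higher-priority
# (lower number) deny on high ports shadows it, so the probe is still blocked.
SHADOWED_RULES = [
    _rule("AllowHttpInbound", 100, "Allow", "Internet", "80"),
    _rule("DenyHighPorts", 200, "Deny", "*", "1024-65535", "*"),
    _rule("AllowAnyAny", 300, "Allow", "*", "*", "*"),
    _rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),  # Azure default rule
]
# Constructed fix: an explicit allow for GatewayManager placed ahead of the deny.
FIXED_RULES = [_rule("AllowGatewayManager", 110, "Allow", "GatewayManager", "65200-65535")] + SHADOWED_RULES
```

Run `blocked_infra_ports(SHADOWED_RULES)` and `blocked_infra_ports(FIXED_RULES)` to see the difference rule ordering makes; an empty list means the probe ports are reachable for that SKU.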
