I am trying to set up ADFS Proxy servers behind an Azure Application Gateway but keep getting unknown error. Please try again when testing backend health.
I have 2 VMS in the backend pool with Windows 2012 Datacenter. I have set up the probes as follows :
Host: 127.0.0.1
Protocol : HTTPS
Path : /
Interval : 30
Timeout : 30
Unhealthy Threshold : 3
NSGs on the Backend VMs have been opened to allow all traffic for testing but still get the error
Since you say your NSGs allow traffic, check to ensure that your Firewalls on the VM itself are not blocking anything. In the Firewall settings check the boxes next to "enable file and printer sharing."
This seems obvious, but double-check that your VMs are all turned on and can ping each other. Also ensure that they are all joined to the domain.
Try removing the NSG temporarily to see if it works without it.
Allow the ports 65503-65534 in your NSGs and then check the status. These are necessary to be allowed to ensure that the App Gateway monitoring API can reach the endpoint for checking the health status.
Refer to this troubleshooting guide. https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-troubleshooting-502
Check the Azure status to make sure there is not an outage. We recently had some outages in the Central South region. https://azure.microsoft.com/en-us/status/
Related
Due to a recent layoff I got bombarded to azure admin out of the blue. I am pretty new to this and haven't yet got the chance to follow an admin course.
Facing the following issue: We host a couple of websites on an Azure Windows Server VM running IIS. These are accessible through an application gateway with a public IP. I was asked to add two new listeners for a new part of the website. I created the appropriate targeting in the backend pool, created http and https settings and added the listeners and Rules. However, when browsing to the site, it throws a 502 error and when i check the backend health, it gives below error.
Cannot connect to backend server. Check whether any NSG/UDR/Firewall is blocking access to server. Check if application is running on correct port.
I opened up the appropriate inbound ports on the NSG of the AZ Web interface on the VM and also on the local firewall of the server hosting IIS. AFAIK there are no additional NSG rules on the application gateway.
What am i missing here? :s
I have extensive experience working with Application Gateways and I can tell you that a 502 Bad Gateway means something is definitely wrong at the backend or misconfigured AGW settings - that's what the error says, so nothing surprising. From my experience here are different scenarios I've faced for this error:
Backend server can't be reached due to an NSG Rule controlling access from the AGW subnet to the backend subnet.
Backend server can be reached but the port is not opened at the server's firewall.
Backend server can be reached, port is opened but application is not listening on those ports or application is not even running.
AGW listeners were misconfigured.
Here's what you can try:
First validate whether the Application and VM are fine by trying to access the application from another VM in the same subnet.
Next, try to get a VM in a different subnet and try to access the application, to mimic the AGW trying to connect to the backend. This will help you validate whether your NSGs are properly configured.
Lastly, revisit all the AGW settings and look for any misconfiguration in the listeners or other settings. (Added this based on your comments).
Taking this approach to troubleshooting will quickly help you identify which layer is causing the issue. Also, it would be a good practice to start documenting all AGW errors you get along your journey and also the remediation steps etc. This will help you tremendously in the future - this is not the last time you'll face issues with your AGW!
If you've checked your firewall issues and it's not solving the problem it could be user permissions on your VM.
I then ran the following command in ps and it sorted it for me.
** netsh http add urlacl url="http://*:{port}/" user="Everyone" **
A good test to see if this will work is if you can access your app using invoke-webrequest and using a localhost URI, but not using the server's NIC Private IP.
You'll also need to set your host address to use the wildcard in your config file.
I'm having an issue with hosting multiple .NET websites on Windows Server/IIS and Azure Application Gateway.
We host multiple sites on a single Azure Windows VM running IIS, sitting behind Azure Application Gateway WAFv2. The VM is connected to App Gateway using a backend pool configured to point to the private IP of the VM, with the VNets peering configured between the App Gateway and VM VNets.
When I stop the default website in IIS, ALL websites then return a '502 Bad Gateway' error from Azure Application Gateway, and the backend health status changes to 'Unhealthy' for the backend pool where the VM resides.
Can anyone tell me why stopping the Default site would cause Application Gateway to error for all sites?
EDIT:
Screenshot of IIS bindings as requested
EDIT 2: Apparently I can't answer my own question, however after working through this with our CSP I have the answer. By default the App Gateway Backend Health check looks at the default IIS site. If you stop that then the Backend Health Check fails and goes Unhealthy. At this point APP Gateway will no longer even ATTEMPT to route any requests, regardless of URL to that backend pool.
If the application gateway has no VMs or virtual machine scale set configured in the back-end address pool, it can’t route any customer request and sends a bad gateway error.
Following the below command to show back-end address pool JSON result.
Get-AzApplicationGateway -Name "SampleGateway" -ResourceGroupName "ExampleResourceGroup"
Here is an official guideline for troubleshooting the 502 error.
https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-troubleshooting-502#overview
Also, here is a simple troubleshooter.
https://support.microsoft.com/en-us/help/4504111/azure-application-gateway-with-bad-gateway-502-errors
If I were to try and troubleshoot this, I would likely start with a brand new "test" instance of IIS and set up a reverse proxy on port 80 whose only job is to listen to incoming requests to port 80. Those requests would then be forwarded by your reverse proxy to your actual websites bound to different ports (e.g. 81, 82, 83, etc).
The idea here is to have all of your websites running on different ports such that when you stop one of your sites, the others continue to run without a problem.
Given your setup with up to 40 sites hosted in a single instance of IIS, I would only attempt this type of troubleshooting with a brand new "test" instance of IIS.
Create a brand new "test" instance of IIS.
Create a reverse proxy. To do this, create a new site and name it (e.g. rev-proxy) and give it a binding of port 80.
Deploy one actual site (e.g. myfirstsite). Give it a port binding of something other than 80 (e.g. 81).
Double click your rev-proxy site and add a URL Rewrite -> Inbound Rules -> Blank rule. See attached picture. Add a rule such that when a user requests "myfirstsite" that request is forwarded onto port 81. Use the "Test Pattern" button to test your pattern. The image is only a suggestion and your pattern should correspond to the URL your users are using to request your site and not necessarily to the name you give your site in IIS.
An example of a reverse proxy with a URL Rewrite
Found the answer to this after many months of messing about!
With Azure Application Gateway, the default health probes for each backend pool ping and look for a response on the configured IP address or FQDN in the backend pool itself.
In my case this is set to the local IP address of the Virtual machine (when I configured this 18-24 months ago I recall our Azure CSP telling me there was a bug with using the FQDN in the backend pool configuration).
This means, that when the Health Probe is attempting to communicate with the VM, the Default Website in IIS is the only thing configured to respond to any requests on this IP address.
If you stop the Default Site, the Health Probe gets no response to it's requests a the Backend Pool status goes to Unhealthy as you would expect.
The really interesting thing here is that as soon as the Backend Pool Health Probe status goes Unhealthy, Azure Application Gateway ceases to even attempt to route any traffic to the affected backend pool. Instead it immediately reports the 502 Bad gateway error, and will continue to do so until the Health Probe status is corrected and goes back to healthy!
Following a how-to book's guide on setting up a VM through the Azure Portal and getting the error when trying to connect
Remote Desktop can't connect to the remote computer for one of these reasons: 1) Remote access to the service is not enabled 2) The remote computer is turned off [Verified through the Azure Portal it is turned on because Start is faded, while Restart and Stop are not] 3) The remote computer is not available on the network.
The error occurs before I'm able to enter any credentials - it doesn't find the IP at all. The RDP file details (IP removed of course):
full address:s:[IPAddress]:3389
prompt for credentials:i:1
administrative session:i:1
What I've tried:
Even though the How-To book doesn't show where/how to specify a port, when I download the RDP file from the Connect option, it specifies the port 3389. The book seems to imply that simply downloading this file and connecting will work and there's no need to specify the port. I get the above error.
Flushed DNS on my computer, ipconfig /flushdns
In the Network Security Group option for the VM, I verified that port 3389 allowed any source and wasn't specific.
I did miss associating the subnet part of the Network Security Group to a virtual network, so I did associate my NSG with the default subnet set up for my Virtual Network.
From the Quick start option, I don't see how to connect to this either; I'm guessing, I need to specify a different port, but don't see where to do it here either => Update: this appears to be in the Network Security Group's Inbound security rules in the Azure portal.
Boot Diagnostics option shows the login screen. A ping to the IP address fails four times with "Request timed out."
Note: this is not a Virtual Machine (classic).
just wanted to share what worked for me.
After receiving an error prompt:
Connect is disabled for this virtual machine because of the following
issues: Network interface 'vmwindows1094': Network security group
'VMWindows10-nsg' does not have inbound security rule that allows port
3389. VMWindows10-nsg
I have added an inbound port rule. Under VM > Settings > Add inbound port rules.
Port: 3389 Protocol/Source/Destination: Any (this can be configured based on your security rules) Action: Allow
On the Azure portal, Select your VM -> Settings -> Boot diagnostics. Make sure that you can see the login screen. You might need to enable diagnostics (under Monitoring section) if not enabled already.
If you don't see the login screen, trying the 'Redeploy' option under 'Support and Troubleshooting' section of settings.
If you can see that the machines has booted correctly, the connectivity issue might be because of a firewall at your end or on the VM. See if you can ping the machine. If you are behind a corporate firewall, try connecting from elsewhere and check your PC's firewall.
Creating a new Virtual Machine on the new portal now creates a NSG (Network Security Group) along with the VM. You should be able to find it under all resources, same name as you VM. Make sure that there is an Inbound rule configured for Remote desktop (it is created by default but might be worth checking).
I had the same problem but adding an inbound security rule was not sufficient (although it is also needed).
I had to go to virtual machines > (myVm) > Reset password and then choose Reset configuration only
Try checking your VM has enough memory.
I had tried all of above suggestions and still didn't manage to access.
After trying many times I managed to get in a message appeared saying:
Your Computer is low on memory
Not 100% sure that was the reason though.
I faced the same issue. I had created an Azure VM but wasn't able to connect to it using RDP.
The culprit was a default "Inbound Port Rule" due to which all the inbound traffic was being blocked.
The solution is to create a new rule by clicking the "Add Inbound Port Rule" and allow traffic from port 3389. Make sure that the priority of this new rule is greater than the "DenyAllInBound" rule otherwise our new rule will not have any effect.
After adding the rule, try connecting to the VM using its public IP in RDP and you should be able to connect.
This worked for me, hope it helps you as well.
I'm trying to build a simple two-tier wordpress environment on CentOS 7.2 in Azure.
I've defined a virtual network, have connected it to my home-lab via IPsec VPN, and I've defined several subnets in Azure (for Web tier, SQL tier, and utility tier role segregation using Network Security Groups).
I have two web-tier VMs, both members of the same Availability Set, and are both on the web-tier subnet. They have internet access (outbound), I can SSH to them from my home-lab, and the seem fine operationally to me - httpd is listening on 80/tcp, and I can hit the web pages from my home-lab network by visiting each web server directly on its 192.168.x address.
I should mention my web servers DO NOT have public IPs assigned, but I can't see this being an issue.. they're intended to be behind the load balancer.
So, I've created a Load Balancer, and:
assigned a public IP to the LB
added a backend pool (selected my availability set, and chose my two web servers)
added a probe (http probing the two web servers)
added a load balancer rule
Notice I did NOT add an inbound NAT rule. I can't figure out what that's for, or if I need it.
On my web tier, I tcpdump port 80 and see the probes. In httpd logs, I see 200 success messages for the probes. I go to a web browser, hit the external VIP I assigned to the LB, and nothing. It just times out. I cannot connect to the LB VIP.
What am I missing? What are the NAT rules about?
Any help would be appreciated. All I can find online are examples doing this in powershell etc.. and I'm using the Azure web interface.
Thanks!
Edit: Found the issue - Needed the NSG to allow not just the AzureLoadBalancer, but "Internet" to hit port 80/tcp. Should have thought of that sooner..
Found the issue - Needed the NSG to allow not just the AzureLoadBalancer, but "Internet" to hit port 80/tcp. Should have thought of that sooner..
For a pet project I'm attempting to spin up a VM on Azure that can run as my webserver, providing an Umbraco powered site, as well as some other web applications (such as a forum + planner) that require PHP. Now I've followed the steps of every guide out there, but I cannot get an external connection through to the VM's IIS and I can't find out why.
I'm hoping someone else has been through the pain that I'm currently experiencing and might point me in the direction of whatever setting I'm missing.
Spun up the VM with Server 2012 R2.
Configured it to run IIS.
Installed Umbraco, disabling the default web site and setting the Umbraco site as my default on port 80.
Checked that http://localhost maps to Umbraco - this works.
So after I had it running internally, I started tackling the external connection setup.
Navigated to the Network Security group, and added the inbound Http rule on Port 80.
Disabled Windows Firewall entirely for the sake of testing.
Added a custom dns name to the front of the xxx.[azurecloudappurl].com
Now my requests resolve but then timeout and I can't see why or where? Has anyone else experienced this? Every guide states that it should be as easy as this.
As you can visit localhost on your VM env, so it seems there is no problem with your env on VM.
Have you added the endpoint with 80 port of your VM server on Azure manage portal? As by default, the endpoint with 80 port is not opened.
You can refer to How to set up endpoints on a classic Azure virtual machine for how to add an endpoint on Azure VM.
In addition to #Gary Liu's answer if you are doing it on Azure Portal(and not on classic one).
For any new VM added through Azure exists a Network Security Group (NSG). Ports need to be opened in order to make them accessible from outside the VM. Specifically to allow your VM to serve requests coming to port 80 you need to enable HTTP port in Network Security Group. Here are the steps:
Search for VM Name on Azure portal.
Select the VM by Clicking on VM Name.
Click on Network Interfaces from left menu and select(double click) the listed one. This will show overview of Network Interface.
Now click on Network Security Group.
Click on Inbound Rules.
Add new rule selecting service as HTTP(TCP/80).
Voila done!
And here is the answer to manage an inbound rule