I deploy a application Gateway on Azure, but Backend health say "unknown" as satus all the time.
If I request via
Get-AzureRmApplicationGatewayBackendHealth -Name $appGwName -ResourceGroupName $myRg
I receive
"BackendHttpSettings": {
"ProbeEnabled": false,
"Id": "/subscriptions/XXX"
},
"Servers": [
{
"Address": "X.X.X.X",
"Health": "Unknown"
}
]
But I did not find a way to activate the probe. I created the probe via Portal and via powershell, in both cases I run into the same Problem.
$helthProbe01 = New-AzureRmApplicationGatewayProbeConfig -Name "httpsProbe" -Protocol Https -HostName "127.0.0.1" -Path "/page/index.aspx" -Interval 30 -Timeout 60 -UnhealthyThreshold 3
How can I activate the Health probe?
Thanks
Daniel
This properties can Flag if probe should be enabled, not the status of the probe.
But,whether the probe is enabled, Default value is false. So, it means that it does nothing about whether your probe is active.
Backend health say "unknown" as satus all the time.
Ensure you have configure all settings correctly, you can refer to this document to add a probe to your Applicaiton gateway.
Don't use the IP address like 127.0.0.1 as your hostname, please add a hostname which can be access from public Network.
Hope this helps!
Related
I have configured an Azure Web Application Firewall in-front of my App Service and it is successfully passing requests through. I have followed the instructions a the following microsoft docs.
I have the following configuration:
Custom domain: test.[customdomain].com the DNS records points to the public IP configured against the WAF. The custom domain is also configured on the Web App.
The WAF has a backendpool which is configured to use "IP Address or FQDN" with the following record:
[customwebsite].azurewebsites.net
When I navigate to test.[customdomain].com I am successfully receiving the website, however it appears as though the WAF is rewriting the request when forwarding to the App Service.
As such, my App Service receives the request and it has the URL [customwebsite].azurewebsites.net, instead of test.[customdomain].com.
Is this intended? Reviewing the multi-tenant documentation it should not be rewriting the host by default?
The solution was to ensure you do not use the option -PickHostNameFromBackendAddress when specifying the New-AzureRmApplicationGatewayBackendHttpSettings. I should have noticed, but this setting tells the WAF to rewrite using the addresses specified in the BackendHttpSettings.
You also then need to reconfigure your probe to specify manual hostnames. e.g. do not specify -PickHostNameFromBackendHttpSettings when setting AzureRmApplicationGatewayProbeConfig.
For me what has worked is in the HTTP Settings to make sure -PickHostNameFromBackendAddress is NOT selected. Also the interface doesn't let you set the -HostName so drop to PowerShell and set the -HostName and the probe like this:
$GW = Get-AzureRmApplicationGateway -ResourceGroupName "MY-APP-WAF-RG" -Name "APP-WAF"
$PROBE = Get-AzureRmApplicationGatewayProbeConfig -ApplicationGateway $GW -Name "my-api-https-probe"
Set-AzureRmApplicationGatewayBackendHttpSettings -ApplicationGateway $GW -Probe $PROBE -HostName "my-api.example.org" -CookieBasedAffinity "enabled" -AffinityCookieName "AGAffinity" -Protocol "HTTPS" -Port 443 -Name "my-api-https-settings"
Set-AzureRmApplicationGateway -ApplicationGateway $GW
Also on the probe I have the -PickHostNameFromBackendHttpSettings selected.
Using the above way I have two web apps with custom domain and SSL configured behind the WAF.
Terrible experience setting this up.
I have set up a new application Gateway following the MS document. I have configured the back end pool .it is connected to an App Service via FQDN. Somehow I receive 502 immediately every time I browse to the application gateway. Browsing to the website directly works with no issues .
I have resolved this issue. Here is the solution.
If you have web apps in your backend pools you CAN'T set up the health probes via Azure portal.
You need to set them up via resource templates or Powershell. The key is that you need to leave the host field empty and set -PickHostNameFromBackendAddress property.
The two lines below did the magic to make the 502s go away
# Create a probe with the PickHostNameFromBackendHttpSettings switch for web apps
$probeconfig = New-AzureRmApplicationGatewayProbeConfig -name webappprobe -Protocol Http -Path / -Interval 30 -Timeout 120 -UnhealthyThreshold 3 -PickHostNameFromBackendHttpSettings
# Define the backend http settings
$poolSetting = New-AzureRmApplicationGatewayBackendHttpSettings -Name appGatewayBackendHttpSettings -Port 80 -Protocol Http -CookieBasedAffinity Disabled -RequestTimeout 120 -PickHostNameFromBackendAddress -Probe $probeconfig
I have a VM running SQL Server. I have port 1433 open on the Windows firewall and an Endpoint on the corresponding cloud service forwarding port 57501 to 1433. I haven't specified any ACLs on that endpoint. I want the endpoint to only be accessible from a specific subnet in the VNet where the VM exists.
If I set that in the ACL, it doesn't work - the ACL only seems to care about the public IP of the client. Since the public IP may change, this isn't an option.
What's the recommended approach here? Note that I don't want to connect directly to the VM hostname because I want to use the CNAME that the cloud service sets up for me (the actual Windows computer name is a random long string).
NSGs apply rules on the incoming/outgoing traffic at a VM or cloud-service-role-instance level.
Note that NSGs default rules allow traffic within the virtual network, and outbound to Internet. All other traffic is denied by default. You need to explicitly specify rules to change this behavior or allow any other traffic in/out.
You can create an NSG rule like below to allow only traffic from a specific subnet within a VNet.
Get-AzureNetworkSecurityGroup -Name "NSG-FrontEnd" `
| Set-AzureNetworkSecurityRule -Name rdp-rule `
-Action Allow -Protocol TCP -Type Inbound -Priority 100 `
-SourceAddressPrefix 192.168.1.0/24 -SourcePortRange '*' `
-DestinationAddressPrefix '*' -DestinationPortRange '1433'
I have written a small service to grab files from one ftp server, edit them, and then send them to another ftp server. The catch being the ftp server being sent to requires a white-list of IP's. Now I chose to host this service on a Azure VM set up with a virtual public reserved IP address, thinking it would create a static IP that I could use for the white-list.
Unfortunately even though the VM states the virtual public reserved IP is connected to the VM, when opening up a browser and going to whatismyip.com I get a completely different IP and of course Azure shuts all VMs down once every 2-3 months for maintenance (which I assume flushes the IP).
Now I understand that the IP received from whatismyip.com is probably connected to the Azure load balancer but I can't figure out for the life of me why that would be the one that shows up for outbound connections.
My questions are:
Is it possible to obtain a static public IP for outbound connections for that whitelist?
Is there some obvious workaround I'm missing?
Will Azure scheduled maintenance shutdowns save IP information?
Is Azure just not a good platform for this kind of work? If so what is?
Now it is indeed possible. Please see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-reserved-public-ip/ for details.
The powershell code is as follows:
New-AzureReservedIP –ReservedIPName MyReservedIP –Location "Central US"
$image = Get-AzureVMImage|?{$_.ImageName -like "*RightImage-Windows-2012R2-x64*"}
New-AzureVMConfig -Name TestVM -InstanceSize Small -ImageName $image.ImageName `
| Add-AzureProvisioningConfig -Windows -AdminUsername adminuser -Password MyP#ssw0rd!! `
| New-AzureVM -ServiceName TestService -ReservedIPName MyReservedIP -Location "Central US"
Besides, now outbound connections only use a handful IPs by default. You can see them in new portal: https://portal.azure.com in site's Settings → Properties
I've got a load-balanced end-point being served by 2 vms, and I shut down one of them through the web interface, however it seems that the shut-down endpoint is still being included in the load-balancer rotation. Is this the case or am I missing a silly mistake on my part?
Are you talking about new "Windows Azure Virtual Machines" or "Web/Worker based VM"?
With Windows Azure Virtual Machine, you can create multiple separate Virtual Machines and use Powershell cmdlets "get-azurevm" with parameter "-LBSetName" to set probe Load balancing undersame -LBSetName setting as below:
get-azurevm -ServiceName "XXXX" -Name "XXX" | Set-AzureEndpoint -Name "HttpIn" -Protocol "tcp" -PublicPort 80 -LocalPort 80 -LBSetName "XXX" -ProbePort 80 -ProbeProtocol "http" -ProbePath "/" | Update-AzureVM
If you configured the Load Balancer and shutdown the instance, the Load Balancer will still shows all machines configured with probe.