Azure network security group and Application Gateway

Question

I have the next azure setup:

1. Application gateway balancer with it's own vnet .

2. Two vms in Application gateway backend pool which have their own vnet and a network security group applied to the vms.

Main problem: How can I instruct the network security group to allow http/https traffic only from the application gateway ?

What I've tried :

a) added inbound rule in network security group with source having tag AzureBalancer . Is not working . Probes are telling me that the vms are in an unhealthy state.

b) I've peered the two vnets and I've added an inbound rule having source tag VirtualNetwork . Same as above, probes telling me that the vms are in an unhealthy state.

c) I've added an inbound rule in nsg to allow traffic only from the public ip of the application gateway. This is working fine , probes are seeing the vms in a healthy state.

The only problem is that the public ip address of the application gateway is dynamic and it cannot be made static.
So when the ip will change my rule will not work.

I am curios to find out how to make this setup works.

All the examples I saw on azure documentation site are with one single vnet with multiples subnets.

Answer 1

If there is an NSG on Application Gateway subnet, port ranges 65503-65534 should be opened on the Application Gateway subnet for Inbound traffic. These ports are required for the backend health API to work. I've copied the above sentence verbatim from this document: https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-diagnostics ... as I ran into the same issue. After adding the above to my NSG, my health-check probes worked.