Azure App Gateway V2 cannot be configured with NSG
I have provisioned App Gateway with WAF V2 SKU. Then, I have configured back-end pool to point to WebApp and added IP restrictions to allow only traffic from WAF IP. Then, i am attempting to add NSG to the provisioned Subnet to further restrict traffic to the Frontend IP address. I am getting an error (see below). Per Application Gateway FAQ this should be possible, but having trouble. Here is are the details of the deployment error:
Network security group /subscriptions/49c19f96-135d-4599-ae34-fd9087ce2bf8/resourceGroups/dbt-sc-platform-rg/providers/Microsoft.Network/networkSecurityGroups/BannerCIDRNsg blocks incoming internet traffic on ports 65200 - 65535 to subnet /subscriptions/49c19f96-135d-4599-ae34-fd9087ce2bf8/resourceGroups/dbt-sc-platform-rg/providers/Microsoft.Network/virtualNetworks/dbt-sc-platform-rg/subnets/default, associated with Application Gateway /subscriptions/49c19f96-135d-4599-ae34-fd9087ce2bf8/resourceGroups/dbt-sc-platform-rg/providers/Microsoft.Network/applicationGateways/dbt-sc-appgw. This is not permitted for Application Gateways that have V2 Sku.
The error message displays that you need to add incoming internet traffic on ports 65200 - 65535 to subnet-default in your Network security group-BannerCIDRNsg.
Per Application Gateway FAQ, you can whitelist Application Gateway access to a few source IPs.
This scenario can be done using NSGs on Application Gateway subnet. The following restrictions should be put on the subnet in the listed order of priority:
Allow incoming traffic from source IP/IP range.
Exceptions must be put in for incoming traffic on ports 65503-65534 for the Application Gateway V1 SKU and ports 65200 - 65535 for the V2 SKU. This port-range is required for Azure infrastructure communication. They are protected (locked down) by Azure certificates. Without proper certificates, external entities, including the customers of those gateways, will not be able to initiate any changes on those endpoints.
Allow incoming Azure Load Balancer probes (AzureLoadBalancer tag) and inbound virtual network traffic (VirtualNetwork tag) on the NSG.
Block all other incoming traffic with a Deny all rule.
Allow outbound traffic to the internet for all destinations.
- Can't signin into microsoft account
- TenantGuidNotFound when trying to send email using Microsfot GraphAPI
- Azure Function App Kudu Functions API with empty response
- Get Azure Active Directory password expiry date in PowerShell
- Provision new SQL Azure database into existing, non-terraform managed SQL Server instance
- Azure Logic App HTTP Request Authentication Scope
- Get Log analytics workspace ID of a virtual machine in Azure connected to a workspace in a different subscription
- Enabling minimum apiVersion to 2021-08-01 in Azure API Management causing saving issues or deployment errors for existing logic apps
- Privileged Identity Management - My roles
- Creating a VM in Azure using Powershell
- Creating multiple function apps with one Flex Consumption plan
- Azure Bicep reference existing resources from different subscriptions using ternary operators inside scope property
- Trigger azure function on user registration in b2c
- Migrating from validate-jwt to validate-azure-ad-token policy
- Azure DevOps Pipeline Expression Evaluation
- Using Event Hubs binding for Azure Functions with managed identities?
- How to connect a microsoft SQL Server database to Open Data Discovery (odd-odd-platform)?
- Cosmos DB for MongoDB private endpoint requests blocked by network firewall
- Specifying SAS Token Authorization header with Azure REST API
- Databricks ui is different between different Azure Tenants with activated SCIM Integration
- Download large files in Azure image builder process
- TriggerBuild Could not queue the build because there were validation errors or warnings
- How to filter users in directory by company name with Microsoft Graph Java SDK?
- How to get the azure subscription current cost using PowerShell
- How to automate Azure Data Factory (ADF) credential updates from development to production using Azure DevOps?
- Azure Form Recognizer Set API Version
- Is there a way to deploy a azure function directly to a storage account with private endpoint
- How do I flatten certain properties in a nested structure using Linq for Cosmos noSQL?
- Unable to locate executable file: 'bash'. Please verify either the file path exists
- "We're sorry, your sql database is unavailable" What does this mean exactly in Azure SQL?