
Deployment of NSG for Application Gateway V2 fails

I'm running into some trouble with deployment of a Network Security Group (NSG) for a subnet in which an Application Gateway (AG) is placed.

During deployment I get the following error (I removed the resource paths for readability):

Network security group nsg-acc-waf blocks incoming internet traffic on ports 65200 - 65535 to subnet snet-acc-waf, associated with Application Gateway agw-acc. This is not permitted for Application Gateways that have V2 Sku.

All looks good according to the configuration instructions on

Here's the Bicep that I've created from the above instructions; my question is regarding nsgRule110:

resource wafNsg 'Microsoft.Network/networkSecurityGroups@2021-03-01' = {
  name: 'nsg-${environmentName}-waf'
  location: location

  resource nsgRule100 'securityRules' = {
    name: 'AllowPublicIPAddress'
    properties: {
      access: 'Allow'
      description: 'Allow traffic from Public IP Address.'
      destinationAddressPrefix: '*'
      destinationPortRange: '443'
      direction: 'Inbound'
      priority: 100
      protocol: 'Tcp'
      sourceAddressPrefix: publicIpAddress
      sourcePortRange: '*'
    }
  }

  resource nsgRule101 'securityRules' = {
    name: 'AllowInternetAccess'
    properties: {
      access: 'Allow'
      description: 'Allow traffic from Internet on port 443.'
      destinationAddressPrefix: '*'
      destinationPortRange: '443'
      direction: 'Inbound'
      priority: 101
      protocol: 'Tcp'
      sourceAddressPrefix: 'Internet'
      sourcePortRange: '*'
    }
  }

  resource nsgRule110 'securityRules' = {
    name: 'AllowGatewayManager'
    properties: {
      access: 'Allow'
      description: 'Allow traffic from GatewayManager. This port range is required for Azure infrastructure communication.'
      destinationAddressPrefix: '*'
      destinationPortRange: '65200-65535'
      direction: 'Inbound'
      priority: 110
      protocol: '*'
      sourceAddressPrefix: 'GatewayManager'
      sourcePortRange: '*'
    }
  }

  resource nsgRule120 'securityRules' = {
    name: 'AllowAzureLoadBalancer'
    properties: {
      access: 'Allow'
      description: 'Allow traffic from AzureLoadBalancer.'
      destinationAddressPrefix: '*'
      destinationPortRange: '*'
      direction: 'Inbound'
      priority: 120
      protocol: '*'
      sourceAddressPrefix: 'AzureLoadBalancer'
      sourcePortRange: '*'
    }
  }

  resource nsgRule4096 'securityRules' = {
    name: 'DenyAllInboundInternet'
    properties: {
      access: 'Deny'
      description: 'Deny all traffic from Internet.'
      destinationAddressPrefix: '*'
      destinationPortRange: '*'
      direction: 'Inbound'
      priority: 4096
      protocol: '*'
      sourceAddressPrefix: 'Internet'
      sourcePortRange: '*'
    }
  }
}

I've also tried setting sourceAddressPrefix: 'Internet' and sourceAddressPrefix: '*' (where the asterisk is Any). Answered in: Azure App Gateway V2 cannot be configured with NSG and Add NSG to Application Gateway Subnet

I can't figure out what's wrong with it. It looks like this validation rule is only triggered during deployment.

I've tried adding the rules manually, when bound to the subnet, and that works. Deploying the NSG without binding it directly to the subnet, and then binding it manually, also seems to work. The only case where it doesn't work is when the NSG is already bound to the subnet (used by the AG) and is then (re-)deployed.

Is there anybody able to help me with this please?


  • After a lot of trial and error, I found the issue was in the Bicep. First, I was using nested resources for the NSG rules. But the NSG itself has a property securityRules where you can also add these NSG rules, with one difference: it adds the NSG rules immediately to the NSG. The other method, using the nested resource, adds them later on during deployment (so the validator thinks it doesn't have the GatewayManager rule), and this makes the validation rule go off.

    So here's a sample of the code that works :)

    resource wafNsg 'Microsoft.Network/networkSecurityGroups@2021-03-01' = {
      name: 'nsg-${environmentName}-waf'
      location: location
      properties: {
        securityRules: [
          {
            name: 'AllowGatewayManager'
            properties: {
              access: 'Allow'
              description: 'Allow traffic from GatewayManager. This port range is required for Azure infrastructure communication.'
              destinationAddressPrefix: '*'
              destinationPortRange: '65200-65535'
              direction: 'Inbound'
              priority: 100
              protocol: '*'
              sourceAddressPrefix: 'GatewayManager'
              sourcePortRange: '*'
            }
          }
          // put additional NSG rules here
        ]
      }
    }
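The validation in the error message is easy to reproduce offline. The following Python script is an added example (not code from the question, the answer, or Azure) that models how an NSG evaluates inbound rules: lowest priority number first, first match wins, and Azure's default DenyAllInBound applies when nothing matches. It runs the question's five rules through that model, then removes AllowGatewayManager to show what the validator sees mid-deployment when the nested rule has not been created yet, and finally adds a Deny rule ahead of the allow to show that priority order matters as much as the rule's presence. Assumptions: the `publicIpAddress` parameter is replaced by a constructed TEST-NET address, and both `*` and the `Internet` tag are treated as covering traffic from the public GatewayManager service tag (which is how the error message reads the 65200-65535 block). No Azure SDK is used; the rules are plain dicts shaped like the Bicep `securityRules` entries.

```python
from __future__ import annotations

# Infrastructure port range that Application Gateway v2 requires to be reachable
# from the GatewayManager service tag (taken from the error message in the question).
INFRA_PORTS = (65200, 65535)


def make_rule(name: str, priority: int, access: str, source: str,
              dest_ports: str, protocol: str = "*") -> dict:
    """Build a rule dict shaped like a Bicep `securityRules` entry."""
    return {
        "name": name,
        "properties": {
            "access": access,
            "direction": "Inbound",
            "priority": priority,
            "protocol": protocol,
            "sourceAddressPrefix": source,
            "sourcePortRange": "*",
            "destinationAddressPrefix": "*",
            "destinationPortRange": dest_ports,
        },
    }


# The question's rule set. The public IP is a constructed TEST-NET placeholder
# standing in for the `publicIpAddress` parameter.
QUESTION_RULES = [
    make_rule("AllowPublicIPAddress", 100, "Allow", "203.0.113.10", "443", "Tcp"),
    make_rule("AllowInternetAccess", 101, "Allow", "Internet", "443", "Tcp"),
    make_rule("AllowGatewayManager", 110, "Allow", "GatewayManager", "65200-65535"),
    make_rule("AllowAzureLoadBalancer", 120, "Allow", "AzureLoadBalancer", "*"),
    make_rule("DenyAllInboundInternet", 4096, "Deny", "Internet", "*"),
]


def parse_port_range(spec: str) -> tuple[int, int]:
    """'*' -> (0, 65535); '443' -> (443, 443); '65200-65535' -> (65200, 65535)."""
    if spec == "*":
        return (0, 65535)
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return (int(lo), int(hi))
    return (int(spec), int(spec))


def rule_matches(rule: dict, src_tag: str, proto: str, port: int) -> bool:
    """Does this inbound rule apply to one packet from src_tag to the given port?"""
    p = rule["properties"]
    if p["direction"] != "Inbound" or p["protocol"] not in ("*", proto):
        return False
    # Modelling assumption: '*' and the 'Internet' tag both cover traffic that
    # comes from a public Azure service tag such as GatewayManager, which is why
    # a broad Internet deny can swallow the infrastructure flow.
    if p["sourceAddressPrefix"] not in ("*", "Internet", src_tag):
        return False
    lo, hi = parse_port_range(p["destinationPortRange"])
    return lo <= port <= hi


def effective_action(rules: list[dict], src_tag: str, proto: str, port: int) -> str:
    """Azure evaluates NSG rules lowest priority number first, first match wins.
    With no custom match, fall back to the platform's default DenyAllInBound."""
    for rule in sorted(rules, key=lambda r: r["properties"]["priority"]):
        if rule_matches(rule, src_tag, proto, port):
            return rule["properties"]["access"]
    return "Deny"


def check_appgw_v2_nsg(rules: list[dict]) -> list[str]:
    """Return the list of problems; an empty list means the rule set allows the
    flows that Application Gateway v2 validation insists on."""
    problems: list[str] = []
    blocked = [port for port in range(INFRA_PORTS[0], INFRA_PORTS[1] + 1)
               if effective_action(rules, "GatewayManager", "Tcp", port) != "Allow"]
    if blocked:
        problems.append(f"GatewayManager inbound TCP blocked on {len(blocked)} ports "
                        f"({blocked[0]}-{blocked[-1]})")
    if effective_action(rules, "AzureLoadBalancer", "Tcp", 443) != "Allow":
        problems.append("AzureLoadBalancer inbound traffic is not allowed")
    return problems


def without_rule(rules: list[dict], name: str) -> list[dict]:
    """The NSG as the validator sees it mid-deployment, before a nested rule exists."""
    return [r for r in rules if r["name"] != name]


if __name__ == "__main__":
    print("complete rule set:", check_appgw_v2_nsg(QUESTION_RULES) or "OK")
    print("without AllowGatewayManager:",
          check_appgw_v2_nsg(without_rule(QUESTION_RULES, "AllowGatewayManager")))
    # A deny placed ahead of the allow fails too, even with the rule present.
    shadowed = QUESTION_RULES + [make_rule("DenyInternetEarly", 105, "Deny", "Internet", "*")]
    print("deny at priority 105:", check_appgw_v2_nsg(shadowed))
```

The complete rule set passes, so the rules in the question were never the problem; the same set minus AllowGatewayManager reports all 336 infrastructure ports blocked, which is exactly the state the deployment validator sees when the rule is created as a nested resource after the NSG itself. Running a check like this over the rendered `securityRules` array before deployment catches both the missing rule and the shadowed-by-an-earlier-deny case without waiting for the ARM error.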