Application Gateway Firewall Changes Break Probes

Mark Fisher 1 Reputation point
2022-07-21T15:14:26.897+00:00

I have an Azure Application Gateway instance that was reporting healthy for all 3 probes (gateway, portal, and management). There is a warning message about disabling WAF rules that break the developer portal's functionality in this doc, about 1/4 of the way down: https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-integrate-internal-vnet-appgateway

Based on this warning, I disabled that list of rules in my application gateway, and that change alone caused the health probes to start reporting unhealthy. If I re-enable the rules, the probes are still reporting unhealthy, and I can't figure out what I need to do to get the probes back to a healthy state.

The error message tells me to check the NSG: "Cannot connect to backend server. Check whether any NSG/UDR/Firewall is blocking access to the server. Check if application is running on correct port. To learn more visit - https://aka.ms/servernotreachable."
But nothing changed with the NSG, and nothing in the troubleshooting guide seems to be helping either.

Any ideas as to why only disabling a set of application gateway WAF rules would break the health probes?


1 answer

  1. MuthuKumaranMurugaachari-MSFT 22,141 Reputation points
    2022-07-28T20:16:02.927+00:00

    Update:
    Thank you @Mark Fisher for providing more context on the issue, and I appreciate your time. The initial setup was done with an A record as per the docs: https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-integrate-internal-vnet-appgateway#create-dns-records-to-access-api-management-endpoints-from-the-internet and the probes were healthy. Later you changed it to a CNAME record to fix a different issue but didn't restart the application gateway (as suggested in https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-backend-health-troubleshooting#updates-to-the-dns-entries-of-the-backend-pool).

    Then disabling the WAF rules broke the probes, which appears to be due to the DNS changes. However, you were able to fix the probes by changing back to an A record and restarting the application gateway. Please feel free to add anything further.

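The check-and-restart procedure the answer describes, as an added example that is not part of the original thread or of any Microsoft documentation. It uses the Az PowerShell module from a signed-in session (Connect-AzAccount): it resolves each FQDN in the gateway's backend pools to show whether the name is served by an A record or a CNAME, dumps the current backend health, and, if any backend is Unhealthy, stops and starts the gateway so its instances re-resolve the backend FQDNs. The resource group and gateway names are placeholders; Resolve-DnsName comes from the Windows DnsClient module and shows what this workstation sees, which can differ from what the gateway's VNet DNS returns.

```powershell
# Added example, not code from the original thread. Requires the Az module
# and Connect-AzAccount. Resource names are assumed placeholders.
param(
    [string]$ResourceGroup = 'rg-apim-demo',   # assumed name
    [string]$GatewayName   = 'agw-apim-demo'   # assumed name
)

$ErrorActionPreference = 'Stop'

# Resolve every FQDN in the backend pools from this machine and report
# whether it is an A record or a CNAME chain (the change discussed above).
function Get-BackendDnsSummary {
    param($Gateway)
    foreach ($pool in $Gateway.BackendAddressPools) {
        foreach ($addr in $pool.BackendAddresses) {
            if (-not $addr.Fqdn) { continue }   # literal IP entries need no lookup
            $records = Resolve-DnsName -Name $addr.Fqdn -ErrorAction SilentlyContinue
            $cname = $records | Where-Object Type -eq 'CNAME' | Select-Object -ExpandProperty NameHost
            $ips   = $records | Where-Object Type -eq 'A'     | Select-Object -ExpandProperty IPAddress
            [pscustomobject]@{
                Pool  = $pool.Name
                Fqdn  = $addr.Fqdn
                Cname = ($cname -join ',')
                IPs   = ($ips -join ',')
            }
        }
    }
}

# Flatten the backend health report to one row per probed server.
function Get-BackendHealthSummary {
    param([string]$ResourceGroup, [string]$GatewayName)
    $health = Get-AzApplicationGatewayBackendHealth -Name $GatewayName -ResourceGroupName $ResourceGroup
    foreach ($pool in $health.BackendAddressPools) {
        foreach ($settings in $pool.BackendHttpSettingsCollection) {
            foreach ($server in $settings.Servers) {
                [pscustomobject]@{
                    Pool     = $pool.BackendAddressPool.Id.Split('/')[-1]
                    Settings = $settings.BackendHttpSettings.Id.Split('/')[-1]
                    Address  = $server.Address
                    Health   = $server.Health          # Healthy / Unhealthy / Unknown
                    Log      = $server.HealthProbeLog  # the "Cannot connect to backend server" text lands here
                }
            }
        }
    }
}

$gw = Get-AzApplicationGateway -Name $GatewayName -ResourceGroupName $ResourceGroup

Write-Host "Backend DNS as seen from this workstation:"
Get-BackendDnsSummary -Gateway $gw | Format-Table -AutoSize

Write-Host "Backend health before restart:"
$before = Get-BackendHealthSummary -ResourceGroup $ResourceGroup -GatewayName $GatewayName
$before | Format-Table -AutoSize

if ($before.Health -contains 'Unhealthy') {
    # Stop/Start is what the backend-health troubleshooting doc prescribes after
    # a DNS change: the gateway instances re-resolve the backend FQDNs on start.
    # Expect a few minutes of downtime while the gateway is stopped.
    Write-Host "Unhealthy backends found; restarting $GatewayName ..."
    Stop-AzApplicationGateway  -ApplicationGateway $gw | Out-Null
    Start-AzApplicationGateway -ApplicationGateway $gw | Out-Null

    Write-Host "Backend health after restart:"
    Get-BackendHealthSummary -ResourceGroup $ResourceGroup -GatewayName $GatewayName | Format-Table -AutoSize
}
```

Run the DNS summary first and compare it with the backend IP the probe log reports; if the gateway is still probing an address that no longer matches the resolved record, the restart is the fix, not the NSG. The stop/start is disruptive, so run it in a maintenance window rather than as a reflex.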