How to setup an application gateway with private webapp ?

Younes 36

Hello,

I created a private web application only accessible through a private endpoint, my virtual network is connected to my on premise network and I can access my web application just fine. When I tried to integrate the application gateway i get the error Status unknown

The backend health status could not be retrieved. This happens when an NSG/UDR/Firewall on the application gateway subnet is blocking traffic on ports 65503-65534 in case of v1 SKU, and ports 65200-65535 in case of the v2 SKU or if the FQDN configured in the backend pool could not be resolved to an IP address. To learn more visit - https://aka.ms/UnknownBackendHealth.|I added a network security group with the following configuration to the gateway subnet:

User's image

in which I allow connection from GatewayManager to the required ports and i allow connection between the webapp subnet and gateway subnet, what I am missing ?

Thanks

KapilAnanth-MSFT 35,591 Reputation points Microsoft Employee

2023-01-18T08:09:36.24+00:00
@Younes

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you are getting the error message as BackendHealth Unknown.

While this error may appear in the BackendHealth section, what exactly is the error message you are getting when you try to access the front end of the App gateway?

Is it some 5xx error or a different error message?

Can you please share the screenshot the error message received while accessing the App gateway IP/FQDN

Also, we are not able to see the NSG screenshot you have posted. I would appreciate if you can reshare that one too.

You can also go ahead and give @Manu Philip 's action plan a try.

Updates to the DNS entries of the backend pool

Cheers,

Kapil
Younes 36 Reputation points

2023-01-18T09:22:53.51+00:00

Hello, thank you for your response

Even after running the command suggested by @Manu Philip the problem persists , for the error message i get when trying to access the app gateway ip is "This site can't be reached , application gateway ip took too long to respond", as for the nsg configuration attached to the application gateway subnet view the attached image, to my web application I attached a basic nsg with only the default rules which allow visibility between subnets.

nsg config.png

Thanks for your help
Younes 36 Reputation points

2023-01-18T09:23:37.5366667+00:00

I also just noticed that after running the command suggested by @Manu Philip that in the json that azure shows that backendIpConfigurations is null, note that when I am adding my app to the back-end pool I used App services as target type.
KapilAnanth-MSFT 35,591 Reputation points Microsoft Employee

2023-01-18T10:40:29.3866667+00:00

@Younes

I see you have set the backend type as App Service in App gateway.

And you have disabled public access on your App Service.

Instead, can you use the IP of the Private EndPoint and add it as the backend?

Please let us know if the above works

Cheers,

Kapil
Younes 36 Reputation points

2023-01-19T09:14:28.1833333+00:00

Hello,

I was able using the IP of the private endpoint get a healthy back-end pool, the health probe returned a positive result but I still can't access my web app using the the public IP address i created, I get an error : gateway public IP took too long to respond "connection time-out".

What I am still missing ?

Thanks.
KapilAnanth-MSFT 35,591 Reputation points Microsoft Employee

2023-01-20T08:50:39.7566667+00:00
@Younes

There could be a lot of things that is resulting in the above error.

I shall provide a summary of points to check/configure, please make sure they are followed.

Prerequisites:

For testing, please only use HTTP and not HTTPS. So,
In the AppGw, use a Listener with Port 80 and HTTPSettings as HTTP.
In the AppService, disable HTTPS only under TLS/SSL settings.

Create a testVM in the same Vnet/subnet as the Private EndPoint (for Testing purposes)

Using the IP of PE in the backend was just to check the DNS resolution from App Gateway

From this testVM, do nslookup <yourwebapp>.azurewebsites.net and make sure it is resolving to the Private EndPoint IP and not the Public IP address of the AppService

From this VM, access http://<yourwebapp>.azurewebsites.net and make sure it is working.

In case, it is resolving to the Public IP address, you have to attach the private DNS Zone to this VNet

Configuration

After making sure the FQDN is resolving to the private IP of PE, add the FQDN to the backend pool, not the IP.

In the BackendSettings, use HTTP and a custom Probe.

In the custom Probe, use Protocol as HTTP and host as <yourwebapp>.azurewebsites.net

Test the Probe configuration and save it. It should give us a 200.

I was able to do a lab for this and get this working as expected.

Let me know if you face any issues on this.

Cheers,

Kapil.
KapilAnanth-MSFT 35,591 Reputation points Microsoft Employee

2023-01-23T06:12:53.03+00:00

@Younes

May I know if you got a chance to review my previous comment?

Please let me know if you are facing any challenges or if there are any follow-up questions, I shall be glad to address them.

Thanks,

Kapil

2 answers

Manu Philip 16,986 Reputation points MVP

2023-01-17T20:57:20.2733333+00:00

The following link shows a solution to the issue you are looking for. Application Gateway must be restarted after any modification to the backend server DNS entries to begin to use the new IP addresses.

In short, the following cli can help to refresh the backend pool.

az network application-gateway address-pool update -g <rg name> -n appGatewayBackendPool --gateway-name <gw name> --servers "${appName}.azurewebsites.net"

Updates to the DNS entries of the backend pool

--please don't forget to upvote and Accept as answer if the reply is helpful--
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Manu Philip 16,986 Reputation points MVP

2023-01-19T04:18:46.7566667+00:00

I have detailed a similar use case in my blog as below. Have a look and see, if you are missing any of the step needed

Secure Azure Web Apps in private end point with Azure Application Gateways
Please sign in to rate this answer.
Younes 36 Reputation points

2023-01-19T09:07:15.5966667+00:00

Thank you for the step by step details.
Sign in to comment