Application gateway error when create new rule for private listener

Question

Application gateway error when create new rule for private listener

Ricardo Gabriel Nima Montalban 0

Hello, I am trying to add a new rule and I got this error:

"Failed to save configuration changes to application gateway 'My_Appgw'. Error: Failed to save changes due to conflicting Application Gateway and Network Security Group configurations. When configuring or using common port for public and private listeners on application gateway, the Destination IP of the inbound flow changes to the frontend IPs of your gateway.You must thus update the Inbound rule for the NSG resource NSG-of-subnet-of-MyAppGW that is associated with the subnet"

I use public and private listener, with public and private IP, both listeners use 443 port (HTTPS).

In the NSG of the appgw subnet there are Inbound rule for public IP and subnet of private IP as destination on 443 port.

So please your help to solve the shown issue. What else do I need to add in NSG rules ?

ChaitanyaNaykodi-MSFT 27,476 Reputation points Microsoft Employee Moderator

2023-12-02T02:22:49.1+00:00

@Ricardo Gabriel Nima Montalban

Thank you for reaching out.

I understand you have created the inbound NSG rule for Application Gateway's subnet which also includes the Private Frontend IP. Can you still try adding the inbound NSG rule specifically for the Application Gateway's Private Frontend IP? and let me know if the issue still persists.

I am proposing the above change because the documentation specifically suggests inbound rule with Destination IP addresses as your application gateway's public and private frontend IPs.

If it does not help, can you please share a screenshot of the NSG rule added? Thank you!
ChaitanyaNaykodi-MSFT 27,476 Reputation points Microsoft Employee Moderator

2023-12-04T18:19:24.33+00:00

@Ricardo Gabriel Nima Montalban

Just following up here to see if you were able take a look at my comment above. Thank you!
Ricardo Gabriel Nima Montalban 0 Reputation points

2023-12-05T16:48:33.14+00:00

Hello thanks for your suggestion, I realize I had a listener to port 80 (without traffic rules associated to), I just delete it because I don't need it and I don't have any NSG rule for 80 port. It was no necesary to change any rule and after I could create the new traffic rule for private listener.

1 answer

Your answer

ChaitanyaNaykodi-MSFT 27,476 Reputation points Microsoft Employee Moderator

2023-12-02T02:22:49.1+00:00

@Ricardo Gabriel Nima Montalban

Thank you for reaching out.

I understand you have created the inbound NSG rule for Application Gateway's subnet which also includes the Private Frontend IP. Can you still try adding the inbound NSG rule specifically for the Application Gateway's Private Frontend IP? and let me know if the issue still persists.

I am proposing the above change because the documentation specifically suggests inbound rule with Destination IP addresses as your application gateway's public and private frontend IPs.

If it does not help, can you please share a screenshot of the NSG rule added? Thank you!
ChaitanyaNaykodi-MSFT 27,476 Reputation points Microsoft Employee Moderator

2023-12-04T18:19:24.33+00:00

@Ricardo Gabriel Nima Montalban

Just following up here to see if you were able take a look at my comment above. Thank you!
Ricardo Gabriel Nima Montalban 0 Reputation points

2023-12-05T16:48:33.14+00:00

Hello thanks for your suggestion, I realize I had a listener to port 80 (without traffic rules associated to), I just delete it because I don't need it and I don't have any NSG rule for 80 port. It was no necesary to change any rule and after I could create the new traffic rule for private listener.

Answer 1

@Ricardo Gabriel Nima Montalban

Thank you for getting back and letting us know that the issue was resolved.

I am just summarizing the issue and the solution above for community benefit. As current limitations in Microsoft Q&A you can only accept answers from other users. It will be helpful if you could accept the answer for community benefit.

Issue:

You were trying to add a new rule for your Application Gateway and you received this error:

"Failed to save configuration changes to application gateway 'My_Appgw'. Error: Failed to save changes due to conflicting Application Gateway and Network Security Group configurations. When configuring or using common port for public and private listeners on application gateway, the Destination IP of the inbound flow changes to the frontend IPs of your gateway.You must thus update the Inbound rule for the NSG resource NSG-of-subnet-of-MyAppGW that is associated with the subnet"

Solution:

You were able to pin-point the issue when you realized that you had a private listener configured on port 80 which was not required, and it did not have any NSG rules associated with it. After deleting the port 80 private listener you were able to create new traffic rule for private listener on port 443 and had to make no changes in the NSG rules.

Thank you!

Share via

Application gateway error when create new rule for private listener

1 answer

Your answer