Application gateway timeout issue

Question

Application gateway timeout issue

Dinesh Nimmagadda 25

The Application Gateway is unable to establish connections to the backend Container Apps, resulting in unhealthy backend pools. Health probes are failing with "Cannot connect to backend server" errors.

Network Flow

External users connect to Application Gateway public IP
Application Gateway attempts to proxy traffic to backend Container Apps
Application Gateway sends health probes to Container Apps on ports 8080/5464
Health probes fail with "Cannot connect to backend server" errors
Traffic from ACI test instance to Container Apps times out

Troubleshooting Steps Performed

Verified DNS resolution: DNS lookups for Container Apps FQDNs work correctly
Tested direct connectivity from ACI: TCP connection attempts to the Container Apps on ports 8080/5464 time out
Reviewed NSG rules: Added explicit rules to allow traffic from AppGW subnet (10.0.2.0/24) to Container subnet (10.0.3.0/24) on ports 8080/5464
Modified Container Apps ingress settings: Changed from "Limited to Container Apps Environment" to "Limited to VNet"
Verified Application Gateway health probe settings: Configured to use correct ports (8080/5464) for the respective backends

Root Cause

Despite having proper NSG rules in place and configuring Container Apps to accept VNet traffic, the connectivity continues to fail. The Container Apps platform's internal firewall ("GuestFirewall") appears to be blocking incoming connections from other resources in the VNet.

Are we missing any configuration steps in our infrastructure setup? We've configured an Application Gateway to route traffic to Container Apps (api and ui) within the same VNet (tutors24x7-staging-vnet), but the Application Gateway health probes fail with GuestFirewall errors.

Specifically:

Is there any additional configuration needed to allow Application Gateway to communicate with Container Apps in a VNet-integrated environment?
Are there known limitations when using Application Gateway with Container Apps in the same VNet?
Do we need to configure any specific DNS settings or private endpoints for this scenario to work?
Are there any platform-level settings in the Container Apps Environment that might be blocking the Application Gateway health probes?

We've followed all documentation but still can't establish connectivity. Any guidance would be greatly appreciated.

Alex Burlachenko 9,780 Reputation points

2025-03-19T16:50:29.05+00:00
Hi Dinesh,

I agree with Ganesh Patapati and would like to provide simple sum if it will help...

Issue: Application Gateway health probes fail due to Container Apps’ internal firewall ("GuestFirewall") blocking connections.

Steps Taken: Verified DNS, tested connectivity, updated NSG rules, and adjusted ingress settings.

Root Cause: GuestFirewall is blocking traffic, even within the same VNet.

Steps:

Test connectivity from a VM in the same VNet.

Verify Container Apps Environment settings and logs.

Double-check NSG rules and DNS.

Contact Azure Support if unresolved.

Best regards, Alex

P.S. If my answer help to you, please Accept my answer
Ganesh Patapati 6,915 Reputation points Microsoft External Staff Moderator

2025-03-20T12:29:40.7566667+00:00

Hello Dinesh Nimmagadda

Can you please update us if the action plan provided by was helpful?

Should there be any follow-up questions or concerns, please let us know and we shall try to address them.
Dinesh Nimmagadda 25 Reputation points

2025-03-20T14:42:23.34+00:00
Hello,

Thank you for your response. I've completed the suggested troubleshooting steps:

I deployed a VM within the same VNet as the Container Apps and Application Gateway, and performed connectivity tests:

DNS resolution works (nslookup successfully resolves the Container App FQDNs)

TCP connectivity fails (nc command cannot establish connection to either Container App on ports 8080/5464)

HTTP requests time out (curl -v shows connection timeouts)

I've also tested from an ACI instance in the same VNet with identical results - DNS resolves but TCP connections fail.

I've already verified and updated NSG rules to explicitly allow:

Traffic from App Gateway subnet (10.0.2.0/24) to Container Apps subnet (10.0.3.0/24) on ports 8080/5464

Traffic from VM/ACI subnet to Container Apps subnet on ports 8080/5464

I've updated the Container Apps ingress settings from "Limited to Container Apps Environment" to "Limited to VNet" to ensure they accept traffic from within the VNet.

Despite all these configurations, connectivity fails with what appears to be a GuestFirewall error. This suggests there might be additional platform-level configurations needed specifically for Application Gateway to communicate with Container Apps in a VNet-integrated environment.

I've followed all the documentation I could find, but still cannot establish this connectivity. Are there any known limitations or additional configurations required for this specific scenario of Application Gateway communicating with Container Apps in a VNet-integrated environment?

Am I Missing anything?

1 answer

Your answer

Alex Burlachenko 9,780 Reputation points

2025-03-19T16:50:29.05+00:00

Hi Dinesh,

I agree with Ganesh Patapati and would like to provide simple sum if it will help...

Issue: Application Gateway health probes fail due to Container Apps’ internal firewall ("GuestFirewall") blocking connections.

Steps Taken: Verified DNS, tested connectivity, updated NSG rules, and adjusted ingress settings.

Root Cause: GuestFirewall is blocking traffic, even within the same VNet.

Steps:

Test connectivity from a VM in the same VNet.

Verify Container Apps Environment settings and logs.

Double-check NSG rules and DNS.

Contact Azure Support if unresolved.

Best regards, Alex

P.S. If my answer help to you, please Accept my answer
Ganesh Patapati 6,915 Reputation points Microsoft External Staff Moderator

2025-03-20T12:29:40.7566667+00:00

Hello Dinesh Nimmagadda

Can you please update us if the action plan provided by was helpful?

Should there be any follow-up questions or concerns, please let us know and we shall try to address them.
Dinesh Nimmagadda 25 Reputation points

2025-03-20T14:42:23.34+00:00

Hello,

Thank you for your response. I've completed the suggested troubleshooting steps:

I deployed a VM within the same VNet as the Container Apps and Application Gateway, and performed connectivity tests:

DNS resolution works (nslookup successfully resolves the Container App FQDNs)

TCP connectivity fails (nc command cannot establish connection to either Container App on ports 8080/5464)

HTTP requests time out (curl -v shows connection timeouts)

I've also tested from an ACI instance in the same VNet with identical results - DNS resolves but TCP connections fail.

I've already verified and updated NSG rules to explicitly allow:

Traffic from App Gateway subnet (10.0.2.0/24) to Container Apps subnet (10.0.3.0/24) on ports 8080/5464

Traffic from VM/ACI subnet to Container Apps subnet on ports 8080/5464

I've updated the Container Apps ingress settings from "Limited to Container Apps Environment" to "Limited to VNet" to ensure they accept traffic from within the VNet.

Despite all these configurations, connectivity fails with what appears to be a GuestFirewall error. This suggests there might be additional platform-level configurations needed specifically for Application Gateway to communicate with Container Apps in a VNet-integrated environment.

I've followed all the documentation I could find, but still cannot establish this connectivity. Are there any known limitations or additional configurations required for this specific scenario of Application Gateway communicating with Container Apps in a VNet-integrated environment?

Am I Missing anything?

Answer 1

Hello Dinesh Nimmagadda

Deploy a VM on the same vnet and test the connectivity to the container apps on TCP port (8080/5464) and let me know what is the response?
Perform a connection troubleshoot from application gateway to the container app ip on TCP port 8080/5464, share me the result
How was the back pool configured on app gateway for Container app? I mean IP address or FQDN? If possible share the screenshot.

Meantime,

Refer: https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-backend-health-troubleshooting#tcp-connect-error

Check whether you can connect to the backend server on the port mentioned in the HTTP settings by using a browser or PowerShell. For example, run the following command:

Test-NetConnection -ComputerName www.bing.com -Port 443.

If the port mentioned isn't the desired port, enter the correct port number for Application Gateway to connect to the backend server.

If the specified port is not the correct one, enter the appropriate port number for the Application Gateway to connect to the backend server.

If you are unable to connect to the port from your local machine, then:

Verify the network security group (NSG) settings of the backend server's network adapter and subnet to ensure inbound connections to the configured port are permitted. If not, create a new rule to allow these connections.
Confirm that the NSG settings of the Application Gateway subnet permit outbound public and private traffic to establish a connection.

Can you please update us if the action plan provided by was helpful?

Should there be any follow-up questions or concerns, please let us know and we shall try to address them.

Share via

Application gateway timeout issue

1 answer

Your answer