
Problem forwarding traffic from Application Gateway

Bassam Elsayed 1 Reputation point
2021-04-28T18:48:03.18+00:00

I have configured an App Gateway with 2 backend pools (staging & production). Each pool has 1 VM, and each VM has a public and a private IP address.

We have provided third-party companies with the public IP address of the App Gateway to whitelist.

We hosted the application on the staging VM, which will communicate with the third party to process requests. The third party whitelisted the App Gateway IP address. Now, after accessing our API, it should communicate with the third-party API, but we are receiving an unauthorized access response. I guess the VM is communicating directly with its own public IP address, which is not whitelisted. How can I figure this out and solve it, and force the VM to forward the traffic using the Application Gateway?

Azure Application Gateway

An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.


1 answer
  1. UJTyagi-MSFT 1,095 Reputation points Microsoft Employee
    2023-05-23T07:49:39.7366667+00:00

    @Bassam Elsayed

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I understand that you are facing issues with forwarding traffic from the Application Gateway.

    Below is my understanding from your post:

    • The Application Gateway is using 2 backend pools, created for the staging and production environments.
    • Each pool has 1 VM, and each VM has both a public and a private IP address.
    • Third-party companies will access these applications through the Application Gateway, and the Application Gateway frontend IP is whitelisted.
    • The staging VM is ready with the application hosted.
    • When the staging application is accessed, you receive an unauthorized access response.
    • Kindly add any specific detail I missed.

    Kindly find the response to your query below:

    • If the backend VM in the pool has both public and private IP addresses, the Application Gateway will use the private IP address to forward traffic to the backend VM.
    • I assume you have configured the listeners, rule, backend pool and backend settings correctly and your health probe is showing healthy.
    • The certificates are uploaded correctly, depending on whether you are using SSL termination or the end-to-end encryption model.
    • https://learn.microsoft.com/en-us/azure/application-gateway/ssl-overview
    • I assume your website hostname's DNS resolution is pointing correctly to your Application Gateway frontend public IP address and you are able to telnet to the frontend IP of the App Gateway on your application's desired port (80/443).
    • If all of the above configuration parameters are configured correctly, this can be further verified by checking the ApplicationGatewayAccessLog by running the query below under the Logs section of the Application Gateway.
    • The access log is generated only if you have enabled it on the Application Gateway instance under Diagnostic settings; refer to the page below to configure it.
    • https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-diagnostics#enable-logging-through-the-azure-portal
    • Once logging is enabled under the Diagnostic settings page, you can run the query below:
    // AzureDiagnostics flattens each log property with a type suffix (_s string, _d number, _g GUID).
    // serverRouted_s is the backend address the gateway forwarded to; serverStatus_s is the HTTP status
    // the backend itself returned, so a 401 there comes from the VM rather than from the gateway.
    AzureDiagnostics
    | where Category == "ApplicationGatewayAccessLog"
    | where TimeGenerated > ago(1d)
    | project TimeGenerated, clientIP_s, httpMethod_s, host_s, requestUri_s, httpStatus_d, listenerName_s, ruleName_s, backendPoolName_s, backendSettingName_s, serverRouted_s, serverStatus_s, serverResponseLatency_s, timeTaken_d, sslEnabled_s, sslProtocol_s, sslCipher_s, userAgent_s, transactionId_g, sentBytes_d, receivedBytes_d
    
    • This query retrieves the logs from the AzureDiagnostics table where the Category is ApplicationGatewayAccessLog. It also filters the logs to show only those generated in the last 24 hours. The project operator is used to select the fields that you want to see in the output. You can modify the query to include additional fields or filters as needed.
    • In the query output you can see the logs of all the HTTP/HTTPS request hits in the last 24 hours, and you can see whether the correct listener, rule, backend settings and pool were selected for your staging application rule. You may also check whether the HTTPS response received from the backend server itself is an unauthorized access response (401). This usually happens when the client fails to provide valid authentication credentials to the server.
    • If the unauthorized access response is received from the backend server, you may have to check the application configuration on your backend server VM.

    If the above answer addressed your query, please don't forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

    Thanks, Ujjawal


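The answer above asks the reader to inspect the access log by hand to see (a) which backend each staging request was routed to and (b) whether a 401 was produced by the backend VM itself or by the gateway. The script below is an added example, not part of the original question or answer, that performs the same triage offline over exported access-log records (one JSON object per line, as Application Gateway writes them to a storage account or Event Hub). The field names (clientIP, httpMethod, host, requestUri, httpStatus, serverRouted, serverStatus, transactionId) follow the ApplicationGatewayAccessLog schema; the hostname staging.example.com, the private IP 10.0.1.4, and every log record are constructed sample data chosen for this example.

```python
import json
from collections import Counter

# Assumed values for this example: the hostname served by the staging listener
# and the private IP of the staging VM that the gateway is expected to forward to.
STAGING_HOST = "staging.example.com"
STAGING_BACKEND_PRIVATE_IP = "10.0.1.4"


def _record(host, method, uri, status, routed, server_status, txid,
            category="ApplicationGatewayAccessLog"):
    """Build one constructed log line in the access-log JSON shape (sample data, not real logs)."""
    return json.dumps({
        "category": category,
        "properties": {
            "clientIP": "203.0.113.10", "httpMethod": method, "host": host,
            "requestUri": uri, "httpStatus": status,
            "serverRouted": routed, "serverStatus": server_status,
            "transactionId": txid,
        },
    })


# Constructed sample log lines (RFC 5737 / RFC 1918 addresses, made-up transaction IDs).
SAMPLE_LOG_LINES = [
    # staging request: the backend VM itself answered 401
    _record("staging.example.com", "GET", "/api/orders", 401, "10.0.1.4:443", "401",
            "11111111-1111-1111-1111-111111111111"),
    # staging request that the backend answered normally
    _record("staging.example.com", "GET", "/healthz", 200, "10.0.1.4:443", "200",
            "22222222-2222-2222-2222-222222222222"),
    # production request: a different host, not part of the staging triage
    _record("prod.example.com", "POST", "/api/orders", 200, "10.0.2.4:443", "200",
            "33333333-3333-3333-3333-333333333333"),
    # staging request the gateway could not deliver: no backend address, no backend status
    _record("staging.example.com", "GET", "/api/orders", 502, "", "",
            "44444444-4444-4444-4444-444444444444"),
    # staging request forwarded to the production VM's private IP: a rule/pool mismatch
    _record("staging.example.com", "GET", "/api/orders", 401, "10.0.2.4:443", "401",
            "55555555-5555-5555-5555-555555555555"),
    # a performance-log line in the same export that must be skipped
    _record("staging.example.com", "", "", 0, "", "", "66666666-6666-6666-6666-666666666666",
            category="ApplicationGatewayPerformanceLog"),
]


def parse_records(lines):
    """Parse JSON-per-line diagnostics output, keeping only access-log properties."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        if entry.get("category") != "ApplicationGatewayAccessLog":
            continue
        records.append(entry["properties"])
    return records


def backend_ip(rec):
    """Return the IP part of serverRouted ('ip:port'), or '' if the gateway routed nowhere."""
    routed = rec.get("serverRouted") or ""
    return routed.rsplit(":", 1)[0] if routed else ""


def classify(rec):
    """Attribute the response to the backend VM or to the gateway.

    backend-401   : backend returned 401 (look at the application config on the VM)
    gateway-401   : 401 with no backend status, so the gateway produced it
    backend-error : backend returned another 4xx/5xx
    gateway-error : 4xx/5xx with no backend answer (e.g. 502/504, backend unreachable)
    ok            : anything below 400
    """
    status = int(rec.get("httpStatus", 0))
    server_status = str(rec.get("serverStatus") or "").strip()
    routed = backend_ip(rec)
    if status == 401:
        return "backend-401" if (server_status == "401" and routed) else "gateway-401"
    if status >= 400:
        return "backend-error" if (server_status and routed) else "gateway-error"
    return "ok"


def triage(lines, staging_host, expected_backend_ip):
    """Summarise one host's requests: response classes, backends hit, and misrouted transactions."""
    records = [r for r in parse_records(lines) if r.get("host") == staging_host]
    classes = Counter(classify(r) for r in records)
    backends = Counter(backend_ip(r) for r in records if backend_ip(r))
    misrouted = [r["transactionId"] for r in records
                 if backend_ip(r) and backend_ip(r) != expected_backend_ip]
    return {"requests": len(records), "classes": dict(classes),
            "backends": dict(backends), "misrouted": misrouted}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG_LINES, STAGING_HOST, STAGING_BACKEND_PRIVATE_IP), indent=2))
```

A `backend-401` with `serverRouted` equal to the staging VM's private IP confirms the point made in the answer: the gateway reached the VM over its private address and the VM, not the gateway, rejected the request. A non-empty `misrouted` list means a staging request landed on a backend other than the expected one, which is the listener/rule/pool check the answer describes.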
