Is it possible to block the traffic to one node within the AAG (Azure Application Gateway) using the port check?

Srinivasa Rao Keerty 1 Reputation point
2020-07-08T09:50:26.823+00:00

Is it possible to block the traffic to one node within the AAG (Azure Application Gateway) using the port check? For example, if I bring down the traffic port 15999 on a node, how would AAG redirect the traffic to the other node, not complete the existing connections, and not allow any new traffic to that particular node?

Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.

2 answers

  1. GitaraniSharma-MSFT 49,356 Reputation points Microsoft Employee
    2020-07-15T12:45:36.977+00:00

    Hello anonymous user,

    Sorry for the delay in response.

    From your question, I gather that you would like to understand the behaviour of traffic routing in Application gateway when one of the backend nodes is down.

    Azure Application Gateway by default monitors the health of all resources in its back-end pool and automatically removes any resource considered unhealthy from the pool. Application Gateway continues to monitor the unhealthy instances and adds them back to the healthy back-end pool once they become available and respond to health probes. By default, Application gateway sends the health probes with the same port that is defined in the back-end HTTP settings.

    For example: you configure your application gateway to use back-end servers A, B, and C to receive HTTP network traffic on port 80. The default health monitoring tests the three servers every 30 seconds for a healthy HTTP response, with a 30-second timeout for each request. A healthy HTTP response has a status code between 200 and 399. In this case, the HTTP GET request for the health probe will look like http://127.0.0.1/.

    If the default probe check fails for server A, the application gateway stops forwarding requests to this server. The default probe still continues to check for server A every 30 seconds. When server A responds successfully to one request from a default health probe, application gateway starts forwarding the requests to the server again.
    Please refer to: https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-probe-overview
    https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-backend-health-troubleshooting#backend-health-status-unhealthy

    In case your backend VMs are configured to receive HTTP traffic on port 15999 and one of the nodes has an NSG blocking this port, then the health check for this particular node will fail and the Application Gateway will stop forwarding requests to this server and will route the traffic/requests to the remaining healthy servers/nodes.

    Port Check is a simple tool for checking open ports on your computer/device and is not useful for blocking a port on Azure. Rather, using NSGs to block a particular port on a node/VM will serve your test purpose.

    Hope this helps!

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please don’t forget to "Accept the answer" wherever the information provided helps you, this can be beneficial to other community members.

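The probe arrangement the answer above describes, written out as Azure PowerShell (Az module), as an added example that is not part of the original thread or of Microsoft's documentation. The gateway name "appgw-prod", resource group "rg-apigee", backend HTTP setting "router-settings", NSG "nsg-router-a" and gateway subnet 10.0.1.0/24 are all assumed names for illustration. It shows the two steps the default behaviour hides: a custom probe on port 15999 (a different port from the one in the backend HTTP setting, which needs the v2 SKU) and the binding of that probe to the HTTP setting that actually serves the listener; an unbound custom probe has no effect on routing. The NSG rule then reproduces the "port down" condition for one node so that its health can be checked.

```powershell
# Added example (not from the original thread). All resource names and the
# 10.0.1.0/24 gateway subnet below are assumptions for illustration.
$rg = 'rg-apigee'
$gw = Get-AzApplicationGateway -ResourceGroupName $rg -Name 'appgw-prod'

# 1. Custom probe: same 200-399 match and 30 s interval/timeout as the default
#    probe, but on port 15999 instead of the backend HTTP setting's port.
#    (-Port on a probe is a v2 SKU feature; v1 always probes the setting's port.)
$match = New-AzApplicationGatewayProbeHealthResponseMatch -StatusCode '200-399'
$gw = Add-AzApplicationGatewayProbeConfig -ApplicationGateway $gw `
        -Name 'probe-router-15999' -Protocol Http -Port 15999 `
        -HostName '127.0.0.1' -Path '/' `
        -Interval 30 -Timeout 30 -UnhealthyThreshold 3 -Match $match
$probe = Get-AzApplicationGatewayProbeConfig -ApplicationGateway $gw -Name 'probe-router-15999'

# 2. Bind the probe to the HTTP setting that serves the listener. Without this,
#    the setting keeps using the default probe on its own port, and closing
#    15999 on a node changes nothing about where traffic goes.
$setting = Get-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $gw -Name 'router-settings'
$gw = Set-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $gw `
        -Name $setting.Name -Port $setting.Port -Protocol $setting.Protocol `
        -CookieBasedAffinity $setting.CookieBasedAffinity `
        -RequestTimeout $setting.RequestTimeout -Probe $probe
Set-AzApplicationGateway -ApplicationGateway $gw | Out-Null

# 3. Simulate "port 15999 down" on one node: deny only the gateway subnet on
#    that port, so the probe fails while the application port stays reachable.
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'nsg-router-a'
$nsg = Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name 'Deny-AppGw-Probe-15999' `
        -Priority 100 -Direction Inbound -Access Deny -Protocol Tcp `
        -SourceAddressPrefix '10.0.1.0/24' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 15999
Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg | Out-Null

# 4. After roughly three probe intervals (UnhealthyThreshold x Interval) the
#    node should report Unhealthy here and new requests should go elsewhere.
Get-AzApplicationGatewayBackendHealth -ResourceGroupName $rg -Name 'appgw-prod' |
    Select-Object -ExpandProperty BackendAddressPools |
    ForEach-Object { $_.BackendHttpSettingsCollection.Servers } |
    Select-Object Address, Health
```

Two points worth checking when running this: confirm in the output of step 4 that the probe listed against the HTTP setting is the custom one and not "default", and remember that the thresholds mean a node is removed only after three consecutive failed probes, so a few requests can still reach it during the first 90 seconds after the port is closed.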

  2. Srinivasa Rao Keerty 1 Reputation point
    2020-07-16T09:57:02.19+00:00

    Hello @GitaraniSharmaMSFT-4262, thanks for the reply. However, though I blocked port 15999 (HTTP) from the server end, and I see the node has become unhealthy within a few seconds in the Backend Health check, I see that incoming traffic to that particular unhealthy node is still flowing in.
    Just to add more about how our application is designed: we have an HTTP traffic port 15999 on the server (health check port; a load balancer uses this port to determine if the Router is available) and port 8443 for the communication between Message Processor and Router (when TLS is enabled between the Router and Message Processor, you must open port 8443 on the Message Processor for access by the Router).
    As we are blocking port 15999 from the server to avoid the incoming traffic from AAG, since it should route the traffic to other nodes whenever the backend health check fails for this port, I had created a health probe for 15999 and blocked the port from the server, and I still see that server A is receiving the incoming traffic.
    Could you please let me know if AAG has a facility to redirect the traffic to another node when port 15999 is down?