This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 37%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
Hi,
We are having trouble setting up the Access Restrictions for App Services. We have an Application Gateway that routes the traffic accordingly. App Services are not exposed to the public and all traffic must go through the Application Gateway that has WAF enabled. The AG has a health probe for the App Services to check if the app is running. The issue we are currently facing is how to set up the Access Restrictions in the App Services, such that it allows certain IPs AND the health probe to work.
All unmatched rule action is set to deny, and rules that check the traffic on the AG subnet and the X-Forwarded-For header for IP whitelisting. However, this approach stops the health probe from working properly because any unmatched rule will be rejected.
Any suggestions will be appreciated. Thank you.
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 51%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAN%3C/text%3E%3C/svg%3E)
Hello @Damian
Thank you for reaching out Microsoft Q&A. This behavior is expected as App Service access restrictions apply to all inbound traffic, including Application Gateway health probes. Since probes originate from the Application Gateway subnet, they must be explicitly allowed; otherwise, the backend is marked unhealthy when “Unmatched rule action” is set to Deny. The recommended approach is to add an Allow rule for the Application Gateway subnet in App Service access restrictions with a higher priority than the deny rule. This allows both health probes and routed traffic while keeping the app private. Microsoft documentation confirms this behavior and design.
Reference :
App Service Access restrictions - Azure App Service | Microsoft Learn
Health monitoring overview for Azure Application Gateway | Microsoft Learn
Troubleshoot backend health issues in Azure Application Gateway | Azure Docs
Tutorials : Integrate Application Gateway with App Service behind Private Endpoint | Microsoft Comm…
Hi Aditya,
Thank you for the suggestion. Wouldn't that imply all traffic coming from the gateway will be whitelisted as well? We only want traffic from the Gateway if the traffic is generated from the Health Probe, OR coming from the whitelisted IPs that we set explicitly.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 7.000000000000001%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPM%3C/text%3E%3C/svg%3E)
Hello @Damian
This is a valid concern and your understanding is correct. App Service access restrictions evaluate traffic before headers are processed, and both health probes and forwarded requests originate from the same Application Gateway source. Because of this, App Service cannot differentiate health probe traffic from other traffic coming via the gateway.
To keep probes working when Unmatched rule action = Deny, Microsoft’s supported approach is to allow the Application Gateway subnet and enforce client‑level restrictions at the Application Gateway/WAF layer.
If stricter isolation is required, using Private Endpoint for App Service is the recommended architecture, as it removes public exposure entirely.
This behavior is by design and documented in App Service access restriction and Application Gateway health probe guidance.
Reference :
https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions?tabs=azurecli
https://docs.azure.cn/en-us/application-gateway/application-gateway-backend-health-troubleshooting
Kindly let us know if the above helps or you need further assistance on this issue.
Please "upvote" if the information helped you. This will help us and others in the community as well.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(99.2, 85%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGV%3C/text%3E%3C/svg%3E)
Hello @Damian,
I'm just reaching out to see if your issue has been resolved or if you've had a chance to review our engineer previous comment?
We are implementing our own in-app whitelisting tool to assist the issue as there is no existing solution that could resolve it. As mentioned in a response from one of the staffs:
This behavior is by design and documented in App Service access restriction and Application Gateway health probe guidance.
Thank you for your time and assistance.
Hello @Damian
We completely understand your concern with incoming traffic. As per your requirement you need strict network control, your idea of implementing an in-app IP whitelisting might work. Please feel free to reach out to us for any assistance.
To set up Access Restrictions for your App Services while allowing the health probe from the Application Gateway, you can consider the following approach:
X-Forwarded-For header for IP whitelisting, ensure that your rules are configured to allow the health probe's IPs through this header as well. This allows the health probe to pass through even if the unmatched rule action is set to deny.By following these steps, you should be able to configure the Access Restrictions to allow the health probe while still maintaining security for your App Services.
References: