Azure App Gateway - Source and Destination NAT Query

Ajaz Nawaz 21 Reputation points
2022-05-26T14:18:48.45+00:00

I am currently troubleshooting App GW and running Wireshark on the BACKEND HOST.

The webpage loads for me perfectly, but when I look at the Wireshark captures my public IP (client) does not appear in the packet traces (at all). I have another colleague who is unable to load the webpage, hence why we are troubleshooting.

We are both accessing webpage via public internet.

There is an AZ FW sitting just in front of the App GW which is performing DNAT, and the flow is allowed and appearing in the logs correctly.

Again, I am unable to associate any of the packets captured in Wireshark, which is running on the only server in the backend pool.

Any help would be appreciated.

Azure Application Gateway

1 answer

  1. ChaitanyaNaykodi-MSFT 23,181 Reputation points Microsoft Employee
    2022-05-26T23:06:01.65+00:00

    Hello @Ajaz Nawaz , Hope you are well.

    From your question I understand that you have set up an Azure Firewall in front of an Application Gateway. You are running a packet capture at your backend host, but your public IP (client) does not appear in the packet traces.

    Since you have an Azure Firewall in front of your Application Gateway this is expected behavior, as Azure Firewall will also do SNAT when doing DNAT, and the source client IP is not preserved. This traffic flow is described step by step in this documentation here. The workaround in such a scenario is to have an Azure Front Door in front of the Azure Firewall, as it will preserve the client IP as an HTTP header.

    Regarding the issue your colleague is facing, if it helps:

    • You can validate that their local environment (OS firewall etc.) is not blocking the connectivity.
    • As described in this thread here, you can run a Kusto query for a particular source and destination IP to check if the firewall blocked any communication.
    • You can go through this documentation if you observed any bad gateway errors in Application Gateway.
    • You can also validate if you are observing any error in the backend application.

    Hope this helps!

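The answer above explains that after Azure Firewall SNAT the backend only ever sees a proxy address, and that a front end such as Front Door can carry the real client IP in an HTTP header instead. The following is an added example, not code from the thread or from Microsoft, of how a backend host can recover that client address from the header while honouring it only when the TCP peer is a known proxy hop (so a direct connection cannot spoof it). The header name X-Forwarded-For, the trusted proxy ranges and every IP address below are assumptions or constructed documentation-range values.

```python
# Added example: recover the originating client IP on a SNAT'ed backend.
# Assumptions: the proxy chain forwards the client address in X-Forwarded-For
# (header name assumed; the answer only says "as HTTP header"), gateway-style
# entries may carry a port ("203.0.113.10:51234"), and the trusted ranges are
# constructed placeholders for the firewall / gateway SNAT source networks.
import ipaddress
from typing import Iterable, Mapping, Optional

# Constructed: private networks the firewall and gateway SNAT from.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("10.0.1.0/24"),
                      ipaddress.ip_network("10.0.2.0/24")]


def _strip_port(entry: str) -> str:
    """"1.2.3.4:5000" -> "1.2.3.4", "[2001:db8::1]:443" -> "2001:db8::1"."""
    entry = entry.strip()
    if entry.startswith("["):            # bracketed IPv6, with or without port
        return entry[1:entry.index("]")]
    if entry.count(":") == 1:            # IPv4 with port
        return entry.split(":")[0]
    return entry                         # bare IPv4 or bare IPv6


def _is_trusted(ip: str, nets: Iterable) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in n for n in nets)


def client_ip(peer_ip: str, headers: Mapping[str, str],
              trusted_nets=TRUSTED_PROXY_NETS) -> Optional[str]:
    """Return the originating client IP, or None if it cannot be established.

    The header is honoured only when the TCP peer is a trusted proxy; entries
    are walked right-to-left, skipping trusted hops, so the first untrusted
    hop is the client. A SNAT'ed connection with no header yields None, which
    is exactly the situation the question describes.
    """
    if not _is_trusted(peer_ip, trusted_nets):
        return peer_ip                   # direct connection: header is untrusted
    xff = next((v for k, v in headers.items()
                if k.lower() == "x-forwarded-for"), "")
    hops = [_strip_port(h) for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted(hop, trusted_nets):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                return None              # malformed entry: do not guess
    return None                          # only proxy hops seen, no client info
```

Log the value returned by client_ip() alongside the raw peer address so the two can be correlated with the firewall's DNAT logs during troubleshooting.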