Testing behind a firewall

To ensure endpoint availability behind firewalls, enable public availability tests or run availability tests in disconnected or no ingress scenarios.

Public availability test enablement

Ensure your internal website has a public Domain Name System (DNS) record. Availability tests fail if DNS can't be resolved. For more information, see Create a custom domain name for internal application.


The IP addresses used by the availability tests service are shared and can expose your firewall-protected service endpoints to other tests. IP address filtering alone doesn't secure your service's traffic, so it's recommended to add extra custom headers to verify the origin of web request. For more information, see Virtual network service tags.

Authenticate traffic

Set custom headers in standard availability tests to validate traffic.

  1. Generate a token or GUID to identify traffic from your availability tests.

  2. Add the custom header "X-Customer-InstanceId" with the value ApplicationInsightsAvailability:<GUID generated in step 1> under the "Standard test info" section when creating or updating your availability tests.

  3. Ensure your service checks if incoming traffic includes the header and value defined in the previous steps.

    Screenshot that shows custom validation header.

Alternatively, set the token as a query parameter. For example, https://yourtestendpoint/?x-customer-instanceid=applicationinsightsavailability:<your guid>.

Configure your firewall to permit incoming requests from Availability Tests


This example is specific to network security group service tag usage. Many Azure services accept service tags, each requiring different configuration steps.

  • To simplify enabling Azure services without authorizing individual IPs or maintaining an up-to-date IP list, use Service tags. Apply these tags across Azure Firewall and network security groups, allowing the Availability Test service access to your endpoints. The service tag ApplicationInsightsAvailability applies to all Availability Tests.

    1. If you're using Azure network security groups, go to your network security group resource and under Settings, select inbound security rules. Then select Add.

      Screenshot that shows the inbound security rules tab in the network security group resource.

    2. Next, select Service Tag as the source and select ApplicationInsightsAvailability as the source service tag. Use open ports 80 (http) and 443 (https) for incoming traffic from the service tag.

      Screenshot that shows the Add inbound security rules tab with a source of service tag.

  • To manage access when your endpoints are outside Azure or when service tags aren't an option, allowlist the IP addresses of our web test agents. You can query IP ranges using PowerShell, Azure CLI, or a REST call with the Service Tag API. For a comprehensive list of current service tags and their IP details, download the JSON file.

    1. In your network security group resource, under Settings, select inbound security rules. Then select Add.

    2. Next, select IP Addresses as your source. Then add your IP addresses in a comma-delimited list in source IP address/CIRD ranges.

      Screenshot that shows the Add inbound security rules tab with a source of IP addresses.

Disconnected or no ingress scenarios

  1. Connect your Application Insights resource to your internal service endpoint using Azure Private Link.
  2. Write custom code to periodically test your internal server or endpoints. Send the results to Application Insights using the TrackAvailability() API in the core SDK package.


For more information, see the troubleshooting article.

Next steps