Praveen

Reputation: 261

Add NSG to Application Gateway Subnet

My requirement is simple. I need to associate an NSG to the subnet containing my application gateway.

As soon as I associate the NSG to this subnet, I get a connection timed out error.

As per Microsoft's documentation, I added an exception for port range 65503-65534.

From https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-faq

Network Security Groups (NSGs) are supported on the application gateway subnet with the following restrictions:

Exceptions must be put in for incoming traffic on ports 65503-65534 for the Application Gateway v1 SKU and ports 65200 - 65535 for the v2 SKU. This port-range is required for Azure infrastructure communication. They are protected (locked down) by Azure certificates. Without proper certificates, external entities, including the customers of those gateways, will not be able to initiate any changes on those endpoints.

Outbound internet connectivity can't be blocked.

Traffic from the AzureLoadBalancer tag must be allowed.

Am I missing something? Any help would be greatly appreciated.

Upvotes: 2

Views: 18084

Answers (3)

Sagar

Reputation: 159

I was also having the same requirement to associate an NSG with an app gateway subnet.

Just adding an inbound rule in the NSG to allow the port range as per the AppGW SKU did not help. It actually blocked all traffic to the app.

I had to add one more rule to allow traffic from the IP range specified in the AppGW subnet. (Ref: https://learn.microsoft.com/en-us/azure/application-gateway/configuration-infrastructure#inbound-rules)

Rule 1: for allowing the gateway manager

  • Source: Service Tag
  • Source Service Tag: GatewayManager
  • Source port ranges: *
  • Destination: Any
  • Service: Custom
  • Destination Port range: 62500-65535 for V2 sku or 65503-65534 for V1 sku
  • Protocol: TCP
  • Action: Allow
  • Priority: as per your setup e.g. 100
  • Name and description: as per your naming convention

Rule 2: for allowing traffic from the AppGW subnet

  • Source: IP Addresses
  • Source IP Addresses/CIDR ranges:
  • Source port ranges: *
  • Destination: IP Addresses
  • Destination IP addresses/CIDR ranges: the IP range for your AppGW subnet
  • Service: HTTPS
  • Destination Port range: 443
  • Protocol: TCP
  • Action: Allow
  • Priority: as per your setup e.g. 110
  • Name and description: as per your naming convention

Upvotes: 0

vibhore miglani

Reputation: 31

To associate an NSG with the subnet containing an application gateway, allow the following traffic:

  1. From source: 'GatewayManager' service tag, source port: Any, to destination: 'GatewayManager' service tag, destination port: 65503-65534
  2. Traffic from the AzureLoadBalancer tag, with the destination subnet set to Any, must be allowed.

Also,

  1. Outbound Internet connectivity can't be blocked.

Reference: https://learn.microsoft.com/en-us/azure/application-gateway/configuration-infrastructure#network-security-groups

Upvotes: 2

4c74356b41

Reputation: 72191

This is a sample NSG application gateway exclusion rule that works for me:

    {
        "apiVersion": "2017-06-01",
        "name": "NameGoesHere",
        "type": "Microsoft.Network/networkSecurityGroups/securityRules",
        "location": "[resourceGroup().location]",
        "properties": {
            "description": "This rule is needed for application gateway probes to work",
            "protocol": "*",
            "destinationAddressPrefix": "*",
            "sourcePortRange": "*",
            "destinationPortRange": "65503-65534",
            "sourceAddressPrefix": "*",
            "access": "Allow",
            "priority": "literally any priority",
            "direction": "Inbound"
        }
    }

Try adding an NSG with this rule to the application gateway subnet; it will work. Also, make sure you are not explicitly blocking access from the application gateway to the backend with your NSG.

Upvotes: 5
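The FAQ quoted in the question gives three conditions an NSG on the gateway subnet must meet (infrastructure ports open from GatewayManager, AzureLoadBalancer allowed, outbound internet not blocked). The following is an added example (my own code, not from the question, any answer, or Microsoft) that evaluates a candidate rule set against those conditions using NSG first-match semantics. Rule fields follow the ARM securityRules properties used in the last answer; the port ranges are the ones quoted from the FAQ, and the default rules listed are the ones Azure adds to every NSG that matter for this check. The V1_EXCEPTION rule set is constructed to mirror the question's exception.

```python
INFRA_PORTS = {"v1": (65503, 65534), "v2": (65200, 65535)}  # ranges from the FAQ quoted above

# Azure default NSG rules relevant here (custom rules use lower priority numbers and win).
DEFAULT_RULES = [
    {"priority": 65001, "direction": "Inbound", "sourceAddressPrefix": "AzureLoadBalancer",
     "destinationAddressPrefix": "*", "destinationPortRange": "*", "access": "Allow"},
    {"priority": 65500, "direction": "Inbound", "sourceAddressPrefix": "*",
     "destinationAddressPrefix": "*", "destinationPortRange": "*", "access": "Deny"},
    {"priority": 65001, "direction": "Outbound", "sourceAddressPrefix": "*",
     "destinationAddressPrefix": "Internet", "destinationPortRange": "*", "access": "Allow"},
    {"priority": 65500, "direction": "Outbound", "sourceAddressPrefix": "*",
     "destinationAddressPrefix": "*", "destinationPortRange": "*", "access": "Deny"},
]

def port_range(spec):
    """'*' -> (0, 65535); '443' -> (443, 443); '65200-65535' -> (65200, 65535)."""
    if spec == "*":
        return (0, 65535)
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi or lo))

def evaluate(rules, direction, src, dst, port):
    """First-match NSG semantics: lowest priority number wins; '*' matches any prefix."""
    for r in sorted(rules, key=lambda r: r["priority"]):
        lo, hi = port_range(r["destinationPortRange"])
        if (r["direction"] == direction and r["sourceAddressPrefix"] in ("*", src)
                and r["destinationAddressPrefix"] in ("*", dst) and lo <= port <= hi):
            return r["access"]
    return "Deny"  # not reached while the DenyAll defaults are present

def check_appgw_subnet(custom_rules, sku="v2"):
    """Return the FAQ restrictions the rule set violates; an empty list means it passes."""
    rules = custom_rules + DEFAULT_RULES
    problems = []
    lo, hi = INFRA_PORTS[sku]
    blocked = [p for p in range(lo, hi + 1)
               if evaluate(rules, "Inbound", "GatewayManager", "*", p) != "Allow"]
    if blocked:
        problems.append(f"{len(blocked)} infrastructure ports blocked inbound for {sku}")
    if evaluate(rules, "Inbound", "AzureLoadBalancer", "*", 80) != "Allow":
        problems.append("AzureLoadBalancer tag is not allowed inbound")
    if evaluate(rules, "Outbound", "*", "Internet", 443) != "Allow":
        problems.append("outbound internet connectivity is blocked")
    return problems

# Constructed candidate: the v1 exception from the question, evaluated against both SKUs.
V1_EXCEPTION = [{"priority": 100, "direction": "Inbound", "sourceAddressPrefix": "*",
                 "destinationAddressPrefix": "*", "destinationPortRange": "65503-65534",
                 "access": "Allow"}]
```

Running check_appgw_subnet(V1_EXCEPTION, "v2") reports 304 blocked infrastructure ports, which is what happens when a v1 port exception is applied to a v2 gateway; the same function flags a custom deny-all inbound rule that outranks the allow.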
