8

I have provisioned App Gateway with WAF V2 SKU. Then, I have configured the back-end pool to point to the WebApp and added IP restrictions to allow only traffic from the WAF IP. Then, I am attempting to add an NSG to the provisioned Subnet to further restrict traffic to the Frontend IP address. I am getting an error (see below). Per the Application Gateway FAQ this should be possible, but I am having trouble. Here are the details of the deployment error:

Network security group /subscriptions/49c19f96-135d-4599-ae34-fd9087ce2bf8/resourceGroups/dbt-sc-platform-rg/providers/Microsoft.Network/networkSecurityGroups/BannerCIDRNsg blocks incoming internet traffic on ports 65200 - 65535 to subnet /subscriptions/49c19f96-135d-4599-ae34-fd9087ce2bf8/resourceGroups/dbt-sc-platform-rg/providers/Microsoft.Network/virtualNetworks/dbt-sc-platform-rg/subnets/default, associated with Application Gateway /subscriptions/49c19f96-135d-4599-ae34-fd9087ce2bf8/resourceGroups/dbt-sc-platform-rg/providers/Microsoft.Network/applicationGateways/dbt-sc-appgw. This is not permitted for Application Gateways that have V2 Sku.
2
  • try using other sku? the error suggests v2 sku doesn't support it?
    – 4c74356b41
    Oct 6, 2018 at 7:18
  • v1 sku did work, btw. I am trying to figure this out for v2 sku.
    – Roman
    Oct 8, 2018 at 22:00

5 Answers

16

The error message indicates that you need to allow incoming internet traffic on ports 65200 - 65535 to subnet-default in your Network security group-BannerCIDRNsg.


Per Application Gateway FAQ, you can whitelist Application Gateway access to a few source IPs.

This scenario can be done using NSGs on Application Gateway subnet. The following restrictions should be put on the subnet in the listed order of priority:

Allow incoming traffic from source IP/IP range.

Exceptions must be put in for incoming traffic on ports 65503-65534 for the Application Gateway V1 SKU and ports 65200 - 65535 for the V2 SKU. This port-range is required for Azure infrastructure communication. They are protected (locked down) by Azure certificates. Without proper certificates, external entities, including the customers of those gateways, will not be able to initiate any changes on those endpoints.

Allow incoming Azure Load Balancer probes (AzureLoadBalancer tag) and inbound virtual network traffic (VirtualNetwork tag) on the NSG.

Block all other incoming traffic with a Deny all rule.

Allow outbound traffic to the internet for all destinations.

6
  • Yes, I have read that FAQ article and the NSG that I was adding has the default rules. I have rebuilt the set up using the V1 version of the application gateway and it worked ok. My question is why my V2 is giving me such an error.
    – Roman
    Oct 8, 2018 at 22:00
  • Re-edit my reply, there is a difference on ports 65503-65534 for the Application Gateway V1 SKU and ports 65200 - 65535 for the V2 SKU. Could you confirm that?
    – Nancy
    Oct 9, 2018 at 2:02
  • let me confirm that with my set up tomorrow and let you know.
    – Roman
    Oct 10, 2018 at 7:24
  • 1
    I have tried to create an inbound rule to either allow "Internet" service tag or "Any" on ports 65200 - 65535 to Any/Any destination and I am still getting this error.
    – Roman
    Oct 10, 2018 at 19:08
  • 2
    @Roman Please check my update picture, you should add the port range as the destination in inbound NSG rule.
    – Nancy
    Oct 11, 2018 at 8:59
10

I want to add on @Nancy's answer, that actually, as per the documentation, there is no need to allow traffic from Any protocol. Allowing TCP traffic is enough.

There is also no need to allow traffic from Any source, it is sufficient to allow traffic from GatewayManager service tag.

You must allow incoming Internet traffic on TCP ports 65503-65534 for the Application Gateway v1 SKU, and TCP ports 65200-65535 for the v2 SKU with the destination subnet as Any and source as GatewayManager service tag. This port range is required for Azure infrastructure communication.

So, I created the security rule as follows:

(screenshot: the inbound security rule as created in the Azure portal)

It should also be noted that:

These ports are protected (locked down) by Azure certificates. External entities, including the customers of those gateways, can't communicate on these endpoints.
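The two answers above agree on the rule set (allow the client range, allow TCP 65200-65535 from GatewayManager, allow AzureLoadBalancer, then deny everything else, with priorities in that order) and the last answer on this page warns that a deny rule with a lower priority number than those allows silently wins. The following is an added example, not code from any of the answerers or from Microsoft: it models Azure's NSG evaluation order (lowest priority number first, first match decides, per direction) and checks a rule set for exactly the gaps that produce the deployment error in the question. The rule sets, the client CIDR 198.51.100.0/24, the subnet IP 10.0.0.4 and the rule names are constructed for illustration; service tags are matched by label only, since resolving them to real address lists needs Azure.

```python
"""Offline NSG rule evaluator and Application Gateway v2 readiness check.

Added example: the rule sets below are constructed to mirror the ordering
recommended in the answers, not exported from a real subscription.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int       # 100-4096 for custom rules; Azure defaults use 65000+
    direction: str      # "Inbound" | "Outbound"
    access: str         # "Allow" | "Deny"
    protocol: str       # "Tcp" | "Udp" | "*"
    source: str         # CIDR, single IP, "*" or a service tag
    destination: str
    dest_ports: str     # "443", "65200-65535", "*" or a comma-separated list


@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    source: str         # IP address, or the service-tag label Azure would give the peer
    destination: str
    dest_port: int


SERVICE_TAGS = {"GatewayManager", "AzureLoadBalancer", "VirtualNetwork", "Internet"}


def _addr_matches(prefix: str, addr: str) -> bool:
    """'*' matches anything; a tag matches the same label (Internet also matches
    any public IP); a CIDR matches an IP inside it and never a tag-labelled peer."""
    if prefix == "*":
        return True
    if prefix in SERVICE_TAGS:
        if addr == prefix:
            return True
        if prefix == "Internet":
            try:
                return ipaddress.ip_address(addr).is_global
            except ValueError:
                return False
        return False
    if addr in SERVICE_TAGS:
        return False
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)


def _port_matches(ranges: str, port: int) -> bool:
    for item in ranges.split(","):
        item = item.strip()
        if item == "*":
            return True
        lo, _, hi = item.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(rules, flow):
    """First matching rule by ascending priority decides, as Azure NSGs do.
    Returns (access, rule_name)."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction != flow.direction:
            continue
        if r.protocol != "*" and r.protocol.lower() != flow.protocol.lower():
            continue
        if (_addr_matches(r.source, flow.source)
                and _addr_matches(r.destination, flow.destination)
                and _port_matches(r.dest_ports, flow.dest_port)):
            return r.access, r.name
    return None, None


# Azure's built-in default rules, present in every NSG.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]

ALLOWED_CLIENTS = "198.51.100.0/24"   # constructed: the only source range allowed to hit the listener
APPGW_SUBNET_IP = "10.0.0.4"          # constructed: a private IP inside the gateway subnet

# The ordering recommended in the answers above.
HARDENED = [
    Rule("AllowClientsHttps", 100, "Inbound", "Allow", "Tcp", ALLOWED_CLIENTS, "*", "443"),
    Rule("AllowGatewayManager", 110, "Inbound", "Allow", "Tcp", "GatewayManager", "*", "65200-65535"),
    Rule("AllowAzureLB", 120, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInbound", 4000, "Inbound", "Deny", "*", "*", "*", "*"),
] + DEFAULT_RULES

# The pitfall: a catch-all deny with a lower number than the GatewayManager allow.
MISORDERED = [
    Rule("DenyAllInbound", 100, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowGatewayManager", 4096, "Inbound", "Allow", "Tcp", "GatewayManager", "*", "65200-65535"),
] + DEFAULT_RULES


def appgw_v2_findings(rules):
    """Return the gaps that make Azure refuse the NSG on an Application Gateway v2 subnet."""
    findings = []
    for port in (65200, 65300, 65535):   # edges and middle of the v2 management range
        access, name = evaluate(rules, Flow("Inbound", "Tcp", "GatewayManager", APPGW_SUBNET_IP, port))
        if access != "Allow":
            findings.append(f"GatewayManager TCP {port} inbound blocked by {name!r}")
            break
    access, name = evaluate(rules, Flow("Inbound", "Tcp", "AzureLoadBalancer", APPGW_SUBNET_IP, 443))
    if access != "Allow":
        findings.append(f"AzureLoadBalancer probes blocked by {name!r}")
    access, name = evaluate(rules, Flow("Outbound", "Tcp", APPGW_SUBNET_IP, "Internet", 443))
    if access != "Allow":
        findings.append(f"outbound Internet blocked by {name!r}")
    return findings


if __name__ == "__main__":
    for label, rules in (("hardened", HARDENED), ("misordered", MISORDERED)):
        print(label, appgw_v2_findings(rules) or "OK")
```

Running it reports the hardened set as OK and the misordered set as blocking both GatewayManager and the load-balancer probes, which is the condition behind the "blocks incoming internet traffic on ports 65200 - 65535" error. The same evaluator also shows why restricting the source to GatewayManager is safe: a flow labelled Internet to port 65300 falls through to the deny rule, while a client outside 198.51.100.0/24 is denied on 443.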

3

Thanks ccoutinho. I would've added the following as a comment, but my reputation's not high enough yet, so..

Az CLI command for this:

az network nsg rule create -g <resourcegroup> --nsg-name <nsgname> -n GatewayManager --priority 4096 --source-port-ranges '*' --access allow --destination-port-ranges 65200-65535 --source-address-prefixes GatewayManager --protocol Tcp
2

I was getting the error message "Subnet associated to gateway with v2 sku" when trying to associate a subnet containing a Gateway V2 WAF to an existing NSG.

Strangely though it was no problem navigating to the VNET -> SubNet and after clicking the given SubNet then associating the NSG to that SubNet.

1
  • Did you delete the security rule that allow incoming internet traffic on ports 65200 - 65535, as described in the accepted answer? I guess not :)
    – ccoutinho
    Aug 17, 2021 at 8:33
0

To associate NSG to the subnet containing an application gateway, allow traffic from

  1. source: 'GatewayManager', port: Any to Destination: 'GatewayManager' service tag, Destination port: 65503-65534
  2. Traffic from the AzureLoadBalancer tag with the destination subnet as Any must be allowed. Note: just be cautious that you don't add a deny rule before these inbound rules, so give them a low priority number, to avoid accidental misconfiguration.

Also,

  1. Outbound Internet connectivity can't be blocked

Reference : https://learn.microsoft.com/en-us/azure/application-gateway/configuration-infrastructure#network-security-groups
