I’m running into some trouble with deployment of a Network Security Group (NSG) for a subnet in which an Application Gateway (AG) is placed.
During deployment I get the following error (I removed the resource paths for readability):
Network security group nsg-acc-waf blocks incoming internet traffic on ports 65200 – 65535 to subnet snet-acc-waf, associated with Application Gateway agw-acc. This is not permitted for Application Gateways that have V2 Sku.
All looks good according to the configuration instructions on https://learn.microsoft.com/en-us/azure/application-gateway/configuration-infrastructure#allow-access-to-a-few-source-ips
Here’s the Bicep that I’ve created with the above instructions; my question is regarding nsgRule110:
resource wafNsg 'Microsoft.Network/networkSecurityGroups@2021-03-01' = {
  name: 'nsg-${environmentName}-waf'
  location: location

  // Rules are declared as nested child resources of the NSG.
  resource nsgRule100 'securityRules' = {
    name: 'AllowPublicIPAddress'
    properties: {
      access: 'Allow'
      description: 'Allow traffic from Public IP Address.'
      destinationAddressPrefix: '*'
      destinationPortRange: '443'
      direction: 'Inbound'
      priority: 100
      protocol: 'Tcp'
      sourceAddressPrefix: publicIpAddress
      sourcePortRange: '*'
    }
  }

  resource nsgRule101 'securityRules' = {
    name: 'AllowInternetAccess'
    properties: {
      access: 'Allow'
      description: 'Allow traffic from Internet on port 443.'
      destinationAddressPrefix: '*'
      destinationPortRange: '443'
      direction: 'Inbound'
      priority: 101
      protocol: 'Tcp'
      sourceAddressPrefix: 'Internet'
      sourcePortRange: '*'
    }
  }

  // The rule the v2 validator looks for: GatewayManager -> 65200-65535.
  resource nsgRule110 'securityRules' = {
    name: 'AllowGatewayManager'
    properties: {
      access: 'Allow'
      description: 'Allow traffic from GatewayManager. This port range is required for Azure infrastructure communication.'
      destinationAddressPrefix: '*'
      destinationPortRange: '65200-65535'
      direction: 'Inbound'
      priority: 110
      protocol: '*'
      sourceAddressPrefix: 'GatewayManager'
      sourcePortRange: '*'
    }
  }

  resource nsgRule120 'securityRules' = {
    name: 'AllowAzureLoadBalancer'
    properties: {
      access: 'Allow'
      description: 'Allow traffic from AzureLoadBalancer.'
      destinationAddressPrefix: '*'
      destinationPortRange: '*'
      direction: 'Inbound'
      priority: 120
      protocol: '*'
      sourceAddressPrefix: 'AzureLoadBalancer'
      sourcePortRange: '*'
    }
  }

  resource nsgRule4096 'securityRules' = {
    name: 'DenyAllInboundInternet'
    properties: {
      access: 'Deny'
      description: 'Deny all traffic from Internet.'
      destinationAddressPrefix: '*'
      destinationPortRange: '*'
      direction: 'Inbound'
      priority: 4096
      protocol: '*'
      sourceAddressPrefix: 'Internet'
      sourcePortRange: '*'
    }
  }
}
I’ve also tried setting sourceAddressPrefix: 'Internet' and sourceAddressPrefix: '*' (where the asterisk is Any).
Answered in: Azure App Gateway V2 cannot be configured with NSG and Add NSG to Application Gateway Subnet
I can’t figure out what’s wrong with it. It looks like only during deployment this validation rule is triggered.
I’ve tried adding the rules manually, when bound to the subnet, and that works. Also adding the NSG without binding it directly to the subnet via deployment, but eventually binding it manually seems to work.
The only case it doesn’t work is when the NSG is already bound to the subnet (used by the AG) and then (re-)deployed.
Is there anybody able to help me with this please?
2 Answers
After a lot of trial and error, I found the issue was in the Bicep. First, I was using nested resources for the NSG rules. But the NSG itself has a property securityRules where you can also add these NSG rules, but it has one difference; it will add the NSG rules immediately to the NSG. The other method, using the nested resource, will add them later on during deployment (so the validator thinks it doesn't have the GatewayManager rule) and this will make the validation rule go off. So here's a sample of the code that works :)
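The same NSG written the way the answer describes, with the rules declared inline in the NSG's securityRules property instead of as nested child resources, plus the subnet binding that references the NSG. This is an added example, not the answerer's own sample (which is not reproduced on this page); the parameter names environmentName, location, vnetName and subnetPrefix, the subnet name and the chosen priorities are assumptions for this example.

```bicep
// Added example (not the answerer's own code): NSG for an Application Gateway v2
// subnet with every rule inline in properties.securityRules, so the NSG and its
// rules are created in one PUT and the v2 check sees the GatewayManager rule
// on the first deployment. Parameter names below are assumptions.
param environmentName string
param location string = resourceGroup().location
param vnetName string
param subnetPrefix string

resource wafNsg 'Microsoft.Network/networkSecurityGroups@2021-03-01' = {
  name: 'nsg-${environmentName}-waf'
  location: location
  properties: {
    securityRules: [
      {
        // Required for v2: Azure infrastructure (GatewayManager service tag)
        // must reach TCP 65200-65535 on the gateway subnet.
        name: 'AllowGatewayManager'
        properties: {
          access: 'Allow'
          direction: 'Inbound'
          priority: 100
          protocol: 'Tcp'
          sourceAddressPrefix: 'GatewayManager'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '65200-65535'
        }
      }
      {
        // Health probes from the platform load balancer.
        name: 'AllowAzureLoadBalancer'
        properties: {
          access: 'Allow'
          direction: 'Inbound'
          priority: 110
          protocol: '*'
          sourceAddressPrefix: 'AzureLoadBalancer'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
      {
        // Client traffic to the HTTPS listener. Narrow sourceAddressPrefix to a
        // specific IP or CIDR when only a few sources should reach the gateway.
        name: 'AllowHttpsFromInternet'
        properties: {
          access: 'Allow'
          direction: 'Inbound'
          priority: 120
          protocol: 'Tcp'
          sourceAddressPrefix: 'Internet'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '443'
        }
      }
      {
        // Explicit catch-all deny for everything else arriving from the Internet.
        name: 'DenyAllInboundInternet'
        properties: {
          access: 'Deny'
          direction: 'Inbound'
          priority: 4096
          protocol: '*'
          sourceAddressPrefix: 'Internet'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}

// Bind the NSG to the gateway subnet. Referencing wafNsg.id makes the subnet
// depend on the fully populated NSG, so the platform never validates a
// rule-less NSG against the Application Gateway subnet.
resource vnet 'Microsoft.Network/virtualNetworks@2021-03-01' existing = {
  name: vnetName
}

resource wafSubnet 'Microsoft.Network/virtualNetworks/subnets@2021-03-01' = {
  parent: vnet
  name: 'snet-${environmentName}-waf'
  properties: {
    addressPrefix: subnetPrefix
    networkSecurityGroup: {
      id: wafNsg.id
    }
  }
}

output nsgId string = wafNsg.id
```

Two points worth knowing when switching to the inline form: the securityRules array is the complete rule set, so any rule that was added by hand in the portal and is not listed here is removed on the next deployment (which is what you want for an NSG that is meant to be managed as code), and if the virtual network is deployed from a template that declares its own subnets array, keep the subnet definition in that template instead of the standalone subnet resource shown above, otherwise the two deployments will overwrite each other's subnet properties.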
As the error message shows, the NSG is blocking incoming internet traffic on ports 65200 - 65535 to subnet snet-acc-waf, which is associated with Application Gateway agw-acc. That is why you are getting this blocker. Refer to this document for Application Gateway infrastructure configuration.
As you already specified destinationPortRange: '65200-65535' for the nsgRule110, it will no longer block ports within this range. You can add the same for other network rules if needed as follows. I tried the same code as yours in my environment and it worked successfully, as shown in the snapshot below.
Deployment succeeded: