VMSS Health Probe Showing Unhealthy Status Despite Whitelisting Wireserver IP 168.63.129.16

Niket Kumar Singh 390 Reputation points
2024-10-17T05:56:43.6833333+00:00

We are currently exploring the configuration of our production Virtual Machine Scale Sets (VMSS), which are behind an Azure Application Gateway. We have implemented a health extension check using the HTTP protocol on port 80. However, we are encountering an issue when attempting to whitelist specific IP addresses for the VMSS, resulting in instances being marked as unhealthy for the health probe.

Key details:

  • We have restricted access to port 80 and created a whitelist of specific IP addresses allowed to access the VMSS, while all others are denied.
  • We have already whitelisted the Wireserver IP 168.63.129.16 for health probes, as per Azure's recommendations.
  • Health probe communication is allowed to originate from 168.63.129.16, but despite these settings, our VMSS instances still show an unhealthy status.
  • We cannot implement a NAT Gateway to ensure that a consistent IP is used for any outbound communication due to cost constraints.

Questions:

  1. Is there a specific IP range or additional set of IPs that Azure VMSS uses to perform health checks on its instances (besides the Wireserver IP 168.63.129.16) that should be whitelisted?
  2. Are there any additional configurations or settings that need to be considered for health probes in this context?
  3. Could there be any other reasons why the VMSS instances are showing as unhealthy despite the Wireserver IP being allowed?
  4. Is there any alternative to NAT that can ensure a consistent outbound IP for the VMSS without incurring additional costs?

We would greatly appreciate any insights or guidance on resolving this issue.

Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.

1 answer

  1. KapilAnanth-MSFT 47,206 Reputation points Microsoft Employee
    2024-10-17T06:58:10.0166667+00:00

    @Niket Kumar Singh ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I am afraid you are confusing Load Balancer and Application Gateway.

    • May I ask where you saw that "168.63.129.16" will be the source IP of the health probes?
      • Can you share the doc, please?
    • The Wireserver IP is supposed to be the health probe's origin IP in the case of Load Balancer only, not App Gateway.

    See: Probe Behavior | Source IP address

    The source IP address of the probes depends on the backend server type:

    • If the server in the backend pool is a public endpoint, the source address will be your application gateway's frontend public IP address.
    • If the server in the backend pool is a private endpoint, the source IP address will be from your application gateway subnet's address space.

    Now, to address your queries

    1. Is there a specific IP range or additional set of IPs that Azure VMSS uses to perform health checks on its instances (besides the Wireserver IP 168.63.129.16) that should be whitelisted?

    • Yes
    • Whitelist the App gateway Subnet's IP Range in the VMSS Subnet

    2. Are there any additional configurations or settings that need to be considered for health probes in this context?

    3. Could there be any other reasons why the VMSS instances are showing as unhealthy despite the Wireserver IP being allowed?

    • On the VMSS Subnet, please whitelist the App gateway Subnet's IP Range

    4. Is there any alternative to NAT that can ensure a consistent outbound IP for the VMSS without incurring additional costs?

    Hope this helps.

    Can you please let us know if the issue persists after whitelisting the App Gateway's subnet in NSG?

    Cheers,

    Kapil
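The following is an added illustration, not part of the answer above or of any Azure tooling: a small NSG-style rule evaluator that shows why the rule set described in the question (only 168.63.129.16 allowed on port 80, everything else denied) rejects an Application Gateway probe, and why adding an allow rule for the App Gateway subnet's address range fixes it. The subnet ranges (10.0.1.0/24 for the App Gateway subnet, 10.0.1.5 as the probe source) and the partner address 203.0.113.10 are assumed values constructed for the example, not taken from the thread. The matcher is simplified to source prefix, destination port and protocol, ordered by priority with the default DenyAllInBound rule at the end, which is enough to reason about the probe path.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class NsgRule:
    """One inbound NSG rule (simplified: source prefix, destination port, protocol)."""
    name: str
    priority: int            # lower number is evaluated first, as in an NSG
    access: str              # "Allow" or "Deny"
    source_prefixes: list    # CIDR strings, or "*" for any source
    dest_ports: list         # integers, or "*" for any port
    direction: str = "Inbound"
    protocol: str = "Tcp"


def _prefix_matches(prefixes, ip):
    addr = ipaddress.ip_address(ip)
    for p in prefixes:
        if p == "*" or addr in ipaddress.ip_network(p, strict=False):
            return True
    return False


def _port_matches(ports, port):
    return any(p == "*" or p == port for p in ports)


def evaluate(rules, src_ip, dst_port, protocol="Tcp"):
    """Return (access, rule_name) of the first matching rule by priority.

    Mirrors NSG semantics: rules are processed in priority order, the first
    match wins, and the built-in DenyAllInBound rule catches everything else.
    """
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction != "Inbound" or r.protocol not in ("*", protocol):
            continue
        if _prefix_matches(r.source_prefixes, src_ip) and _port_matches(r.dest_ports, dst_port):
            return r.access, r.name
    return "Deny", "DenyAllInBound"  # default inbound rule (priority 65500)


# Rule set as described in the question: Wireserver whitelisted, a few partner
# addresses allowed, all other sources denied on port 80. 203.0.113.10 is a
# constructed placeholder from the documentation range.
QUESTION_RULES = [
    NsgRule("AllowWireserverProbe", 100, "Allow", ["168.63.129.16/32"], [80]),
    NsgRule("AllowPartnerIPs", 110, "Allow", ["203.0.113.10/32"], [80]),
    NsgRule("DenyPort80", 200, "Deny", ["*"], [80]),
]

APPGW_SUBNET = "10.0.1.0/24"  # assumed Application Gateway subnet range

# Same rule set plus the allow rule the answer recommends for the App Gateway subnet.
FIXED_RULES = [NsgRule("AllowAppGwSubnetProbe", 105, "Allow", [APPGW_SUBNET], [80])] + QUESTION_RULES


def probe_result(rules, probe_src="10.0.1.5"):
    """Evaluate an App Gateway health probe (private backend, so the source is an
    address from the gateway subnet) against the given rule set on port 80."""
    return evaluate(rules, probe_src, 80)


if __name__ == "__main__":
    print(probe_result(QUESTION_RULES))  # ('Deny', 'DenyPort80')
    print(probe_result(FIXED_RULES))     # ('Allow', 'AllowAppGwSubnetProbe')
```

Run it as a script to see both outcomes; the Wireserver rule is never hit by the gateway probe, which is exactly why it had no effect in the original configuration. When reproducing this on a real NSG, the source prefix should be the App Gateway subnet's actual CIDR, and the deny rule must keep a higher priority number than the allow.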

