Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
1,172 questions
Application becomes inaccessible after applying NSG rule in AKS + Application Gateway setup
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(156.8, 0%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
swati
0
Reputation points
I have set up an AKS architecture where my application is accessed through an Azure Application Gateway's public IP. The architecture includes a Virtual Network with multiple subnets:
- One subnet for the Application Gateway
- Another for the AKS
Each of these subnets is associated with a Network Security Group (NSG). The application was accessible without issues through the Application Gateway public IP.
However, after adding a specific NSG rule to one of the subnets (specifically the one associated with either AKS or the Application Gateway), the application became inaccessible. I suspected the rule might be causing the problem, so I deleted the NSG, but the application still remains inaccessible.
What I’ve tried:
Verified that Application Gateway backend health is reporting "Unhealthy."
- Deleted the problematic NSG to roll back changes.
Request:
Could you please help investigate:
Why the application is still inaccessible even after removing the NSG?
Whether any residual configuration or hidden deny rule might be persisting?
How to properly configure NSG rules to secure the architecture without disrupting application availability?
Let me know if you need the subscription ID, resource names, or any diagnostic logs.
Thank you,
Swati
<Mod remove PII>
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(192, 15%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPB%3C/text%3E%3C/svg%3E)
Praveen Bandaru 2,665 Reputation points Microsoft External Staff2025-04-14T17:13:14.46+00:00 Hello swati
I understand you are encountering an issue while accessing the application gateway URL. Could you please provide the following information:
- Share a screenshot of the error when accessing the application gateway URL.
- Test the connection troubleshooter in the application gateway of your backend (IP or FQDN).
- Try to bypass the backend from the application gateway and access the backend directly to verify if it is working.
- If possible, share a screenshot of the NSG. And also, share the health probe error message screen shot.
- Also, please share the screenshot of the NSG of your backend subnet.
Hope the above answer helps! Please let us know do you have any further queries.
Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
-
Praveen Bandaru 2,665 Reputation points Microsoft External Staff
2025-04-15T11:10:07.5733333+00:00 Hello swati
Thank you for your response. Please try to share a screenshot of your health probe for further investigation of the issue.
To understand better about your issue lets connect offline, please see private message for more details. -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 82%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVV%3C/text%3E%3C/svg%3E)
Venkat V 1,485 Reputation points Microsoft External Staff2025-04-16T07:10:26.1733333+00:00 Hello swati ,
As I can see, you already deleted the NSG and are still facing an issue after deleting the NSG. The application gateway might still retain outdated health probe results and not automatically retry. You can manually restart the application gateway to trigger a fresh probe cycle.
az network application-gateway stop --name <appgw-name> --resource-group <rg> az network application-gateway start --name <appgw-name> --resource-group <rg>Verify NSG removal from the subnet to confirm that the NSG has been completely detached from the subnet, run the following command:
az network vnet subnet show --resource-group <rg> --vnet-name <vnet-name> --name <subnet-name> --query "networkSecurityGroup"I hope this is helpful! Do not hesitate to let me know if you have any other questions.`
-
Sign in to comment
Sign in to answer