Access Web Page (hosted in VM) using Application Gateway's public IP

Zeeshan 6

Hi,

I am facing some issues accessing my web page using application gateway's public IP.

My configuration is as below:

VNET:

FrontendSubnet -> associated with NSG (frontend)
- (frontend)NSG has rules:
-Destination Port: 9443
-Protocol: TCP
-Source: Any
-Destination: Any
- frontendSubnet is associated with VM
VM has application server deployed in it which I am able to access it using it's public IP on port 9443. i.e.:
https://<VM Public IP>:9443/

ApplicationGatwaySubnet:
-Appgw subnet has no any NSG
-Appgw has backend pool with targeting above VM (NIC (Private IP)
-HttpSetting is configured with port 9443 because I want to allow traffic on port 9443
-Listener is configured with Basic type.

Note: I am able to browse (access) web page (hosted in VM) using application gateway's private IP. i.e.:
https://<appgw's private ip>:9443/

Issue: I am not able to browse web page using Application Gateway's public IP

What I've done:

I've tried to create a rule in frontEnd NSG as below:
Destination Port: 9443
Protocol: TCP
Source IP: <Application Gateway public (frontend) IP>
Destination: <VM's private IP>,<VM's public IP>

What I followed:

I followed this document which is working fine for me because there is no NSG associated with backend subnet (in this document)
https://learn.microsoft.com/en-us/azure/application-gateway/quick-create-portal

What I am supposed to achieve:

I want to access my web application (hosted in VM) using Application Gateway's Public IP.

I've no further clue about how I can access web page using application gateway's public ip.

1 answer

GitaraniSharma-MSFT 47,696 Reputation points Microsoft Employee

2020-08-06T12:11:02.303+00:00

Hello @Zeeshan ,

What are the listener and rule configuration on the Application gateway?

If you have a listener created for Private IP only, then you would not be able to access the Application gateway with the Public IP.
The listener should have Public IP selected in the Frontend IP and it should be associated to a rule with the respective backend pool and HTTP settings.

Kindly let us know if the above helps or you need further assistance on this issue.

----------------------------------------------------------------------------------------------------------------

Please don’t forget to "Accept the answer" wherever the information provided helps you, this can be beneficial to other community members.
Please sign in to rate this answer.
Zeeshan 6 Reputation points

2020-08-06T12:33:32.857+00:00

Hi @GitaraniSharma-MSFT

Thank You for prompt response.

Listener already is configured with Public IP as you can see in attached screenshot.

I've also attached rule configuration on the Application Gateway. Please let me know if you need any more information.

GitaraniSharma-MSFT 47,696 Reputation points Microsoft Employee

2020-08-06T14:44:08.117+00:00

Could you check the backend health in Application gateway and share the screenshot (if possible). Also what is the error that you receive while trying to access the web page with Application gateway's Public IP?

Zeeshan 6 Reputation points

2020-08-06T19:33:55.333+00:00

Hi @GitaraniSharma-MSFT

I am getting this error in backend health which I believe will resolve after adding 400 in "Health Probes" but it wont resolve my main issue (accessing vm hosted web page using application gateway's public ip).

Received invalid status code: 400 in the backend’s HTTP response. Per the health probe configuration, 200-399 is the acceptable status code. Either modify probe configuration or resolve backend issues. To learn more visit - https://aka.ms/StatusCodeMismatch

Here is the screenshot while trying to access the web page:

GitaraniSharma-MSFT 47,696 Reputation points Microsoft Employee

2020-08-07T08:57:42.65+00:00

Thank you for the information @Zeeshan . I have seen such errors in past where there is an issue with the Application gateway itself and a stop/start of application gateway have helped.

I am not sure if you are using Application gateway SKU V1 or V2. But I would like to inform you that in case of a stop/start - V1 SKU App gateway IP address will change where as V2 App gateway IP address will not since it supports static IP.

Now, considering the above if you would like to give a try to stop/start App gateway, you can do so by using PowerShell commands as below:

Stop-AzureRmApplicationGateway - https://learn.microsoft.com/en-us/powershell/module/azurerm.network/stop-azurermapplicationgateway?view=azurermps-6.13.0
Start-AzureRmApplicationGateway -
https://learn.microsoft.com/en-us/powershell/module/azurerm.network/start-azurermapplicationgateway?view=azurermps-6.13.0

Let me know your thoughts on same and we can decide on next steps accordingly.

Zeeshan 6 Reputation points

2020-08-07T16:26:27.73+00:00

Hi @GitaraniSharma-MSFT

Thank you for your assistance. As suggested, I've restart App gateway by following your documents but I am still facing the same error.

I am using V2 App gateway as you can see in screenshot.

Worth sharing screenshot of restarting appgw. Please let me know if you need further information.

GitaraniSharma-MSFT 47,696 Reputation points Microsoft Employee

2020-08-10T09:31:34.71+00:00

@Zeeshan , could you please send an email to azcommunity@microsoft.com in below format for further investigation?

Subject of the email : Attn: Gishar - Q&A Issue title
Body of the email containing below
Your Subscription ID :
Affected Application gateway name :
Q&A thread link : https://learn.microsoft.com/en-us/answers/questions/60749/index.html

Thank you for your cooperation on this matter and I look forward to your reply.

Zeeshan 6 Reputation points

2020-08-11T06:31:06.947+00:00

Hi @GitaraniSharma-MSFT ,

I've send an email to your provided email address. Please check and let me know if you need any more information.

GitaraniSharma-MSFT 47,696 Reputation points Microsoft Employee

2020-09-10T05:38:53.55+00:00

Hello @Zeeshan , since we have been discussing this issue offline over emails, I am proceeding to close this thread as of now. Please feel free to leave a comment in case of any issues.

GitaraniSharma-MSFT 47,696 Reputation points Microsoft Employee

2020-10-08T11:07:46.503+00:00

Hello @Zeeshan ,

Updating the thread to post the final solution:

In our investigation, we found that your web application was not accepting HTTP connection and also your backend certificate had a common name mismatch. We followed the below documents to fix the issue:

https://learn.microsoft.com/en-us/azure/application-gateway/ssl-overview
https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-backend-health-troubleshooting#backend-certificate-invalid-common-name-cn

Thanks,
Gita

----------------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Sign in to comment