Private testing

If you want to use availability tests on internal servers that run behind a firewall, there are two possible solutions: public ping test enablement and disconnected/no ingress scenarios.

Public ping test enablement

Note

If you don’t want to allow any ingress to your environment, then use the method in the Disconnected or no ingress scenarios section.

Ensure you have a public DNS record for your internal website. The test will fail if the DNS record cannot be resolved. Create a custom domain name for your internal application.

Configure your firewall to permit incoming requests from our service.

  • Service tags are a simple way to enable Azure services without having to authorize individual IPs or maintain an up-to-date list. Service tags can be used across Azure Firewall and Network Security Groups to allow our service access. ApplicationInsightsAvailability is the Service tag dedicated to our ping testing service.

    1. If you are using Azure Network Security Groups, go to your Network Security Group resource, select inbound security rules under Settings, and then select Add.

      Screenshot of the inbound security rules tab in the network security group resource.

    2. Next, select Service Tag as the source and ApplicationInsightsAvailability as the source service tag. Open ports 80 (HTTP) and 443 (HTTPS) for incoming traffic from the service tag.

      Screenshot of the Add inbound security rules tab with a source of service tag.

  • If your endpoints are hosted outside of Azure or Service Tags aren't available for your scenario, then you'll need to individually allowlist the IP addresses of our web test agents. You can query the IP ranges directly from PowerShell, Azure CLI, or a REST call using the Service tag API. You can also download a JSON file to get a list of current service tags with IP address details.

    1. In your Network Security Group resource, select inbound security rules under Settings, then select Add.

    2. Next, select IP Addresses as your source, then add your IP addresses as a comma-delimited list in source IP address/CIDR ranges.

      Screenshot of the Add inbound security rules tab with a source of IP addresses.

Disconnected or no ingress scenarios

Your test server will need to have outgoing access to the Application Insights ingestion endpoint, which is a significantly lower security risk than the alternative of permitting incoming requests. The results will appear in the availability web tests tab with a simplified experience compared with what is available for tests created via the Azure portal. Custom availability tests will also appear as availability results in Analytics, Search, and Metrics.

  1. Connect your Application Insights resource and disconnected environment using Azure Private Link.
  2. Write custom code to periodically test your internal server or endpoints. You can run the code using Azure Functions or a background process on a test server behind your firewall. Your test process can send its results to Application Insights by using the TrackAvailability() API in the core SDK package.
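A sketch of the custom test process from step 2, added here as an illustration and not taken from the original page or from Microsoft's samples. It assumes the Microsoft.ApplicationInsights 2.x NuGet package; the PROBE_TARGET_URL variable and the test name are hypothetical placeholders.

```csharp
// Added example. Requires the Microsoft.ApplicationInsights 2.x NuGet package (assumption).
using System;
using System.Diagnostics;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.ApplicationInsights;
using Microsoft.ApplicationInsights.DataContracts;
using Microsoft.ApplicationInsights.Extensibility;

public static class InternalAvailabilityProbe
{
    public static async Task<int> Main()
    {
        // Results leave the network only via the ingestion endpoint named in the connection string.
        string conn = Environment.GetEnvironmentVariable("APPLICATIONINSIGHTS_CONNECTION_STRING");
        string target = Environment.GetEnvironmentVariable("PROBE_TARGET_URL"); // hypothetical variable name
        if (string.IsNullOrEmpty(conn) || !Uri.TryCreate(target, UriKind.Absolute, out Uri uri)) return 2;

        var config = TelemetryConfiguration.CreateDefault();
        config.ConnectionString = conn;
        var client = new TelemetryClient(config);

        var result = new AvailabilityTelemetry
        {
            Name = "internal-site-probe",            // placeholder test name
            RunLocation = Environment.MachineName,   // reported as the test location
            Success = false                          // stays failed unless the check passes
        };
        var timer = Stopwatch.StartNew();
        try
        {
            using var http = new HttpClient { Timeout = TimeSpan.FromSeconds(10) };
            using HttpResponseMessage response = await http.GetAsync(uri);
            result.Success = response.IsSuccessStatusCode;
            result.Message = $"HTTP {(int)response.StatusCode}";
        }
        catch (Exception ex) when (ex is HttpRequestException || ex is TaskCanceledException)
        {
            // DNS failure, refused connection, TLS error or timeout: report as a failed test.
            result.Message = $"{ex.GetType().Name}: {ex.Message}";
        }
        finally
        {
            timer.Stop();
            result.Duration = timer.Elapsed;
            result.Timestamp = DateTimeOffset.UtcNow;
            client.TrackAvailability(result);
            client.Flush();
            await Task.Delay(TimeSpan.FromSeconds(2)); // let the channel finish sending before exit
        }
        return result.Success ? 0 : 1;
    }
}
```

Run it on a schedule from the test server or adapt the body to an Azure Functions timer trigger; the exit code (0 pass, 1 fail, 2 misconfigured) lets a local scheduler alert as well.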

Troubleshooting

Dedicated troubleshooting article.

Next steps