Skip to main content

Azure - Application Gateway falling into failed state not allowing configuration changes

Did you ever got the error while doing any changes in Azure Application gateway which goes into failed state ? if yes then you are landed in correct blog post.

here in this post i will try to share the solution for same issue i faced in past.But before that lets try to understand what is Azure AG (application gateway). Below diagram will help you to understand what is Application gateway.

In simpler words, Application gateway consists of Load balancer (a device who decide where to send the traffic based on the configuration done on it, although that is completely different topic to discuss) and acts as WAF (Web Application Firewall - which monitors the incoming traffic based on the application behavior hosted on back-end servers)
  • LB where considered as Network device (sometimes it might be software not just physical device and works at Network Layer of OSI model
  • WAF considered as kind of Software and works at Application Layer of OSI model 

Issue: Application Gateway falling into failed state not allowing configuration changes & Back-end health status show as unknown

Possible Solution: 

  • Check if you have proper rules in place at Application Gateway NSG which allows communication with the Gateway manager, which is used for control plane communication

 This rule will not affect the health status of the back-end devices but the Application Gateway will work correctly even without it. This rule allows control plane data from the Gateway Manager which include information about the back-end health.
  •  Thus, if this rule is missing, there will be no information on the Gateway manager regarding some App GW options and functionalities. One of them is the health status of the back-end. This means the application gateway will not work, but the health of the back-end in the Azure control platform will be unknown and we can see a report of unknown status (even if it is Ok).

  • Additionally, it turns out that if the communication with the Gateway manager is blocked it may end up with Application Gateway in failed state. This is why its recommended not to apply NSG on the Application Gateway sub-net.
  • When the proper rule is in place it should always display Healthy or Unhealthy status as well as not causing Failed State anymore. do note that the lack of communication with the Gateway manager may cause different kind of issues
  • Rule can be applied as per the documentation mentioned over here

Linuxforeveryone started with the focus of solving linux related issues a sys admin faces everyday. So as System Admin whatever i learn through my experience i try to write it down for rest of opensource community.

If you appreciate what you have read or this blog writeup helped you can considering buying me COFFEE, this will help me keep writing and helping community further.



Popular posts from this blog

Solution and Step to fix CVE-2019-5736 Vulnerability - Docker

Recently a new vulnerability has been discovered in the the internet market having target to Docker services. What is this Vulnerability: In short, Docker service uses another service called as runc which is container run time to spawn and run containers. which simply means if docker task is to create docker images then runc task would be running them and attaching a process to container. So as per the recent discovery by the maintainers of runc, the code of this service was having some bug which can be used by attackers to gain the root level of access of the host machine on which docker containers are running. How it can be Exploited: This vulnerability can be exploited in two ways (1) if the docker images are in use is vulnerable making the containers build from it vulnerable also (2) if somehow attacker got the access of containers and then trying to exploit using the bug present in runc and trying to get root privileges. Solution to Fix Vulnerability: Ce

How to Generate CSR using Openssl in Linux

Before Generating CSR ,let see what is Openssl. It is nothing but a core library ,which is used for general purpose in cryptography,it is an open source product which work towards the implementation of SSL and TLS protocols. Talking about openssl, some people called the certificates generated from openssl as "self signed certificate". lets go towards now,creating CSR and private key using openssl command, Just log in to any of your Linux box and run following command as  root user  replacing the required information as per your need . [root@SVR home]#   openssl req -new -newkey  rsa:2048 -nodes -sha256 -out domain_name.csr -keyout domain_name.key -subj "/C=US/ST=state/L=locality/O=organization/OU=organization unit Dept/"  You will get output like : Then check whether ,all the information we have entered ,while creating CSR is proper ,by decoding the CSR from some online tool. First do the cat to the csr file [root@SVR home]#  cat

Multiple instances of redis

In the last post I have covered how to install redis server on Centos/Rhel using rpm method and yum method and some troubleshooting skills. In this post i am going to cover how to install and configure redis to run with multiple ports.                                                                           But why we need more ports ? If you have read my earlier post , you already know that by default redis runs on single port 6379, which any one can use it for small website to cache the data. But for heavy website like magento we need to use additional ports along with 6379 to serve different cache from different ports. Like in Magento there is simple cache which is normally stored under /var/cache directory. Then there is Full Page Cache which is stored under /var/full_page_cache and session cache which is stored under /var/session_cache. Note : Discussion about cache/full page cache/session is not under the scope for this document.