- An LB is considered a network device (sometimes it may be software, not just a physical device) and works at the Network Layer of the OSI model
- A WAF is considered a kind of software and works at the Application Layer of the OSI model
Issue: Application Gateway falls into a failed state, does not allow configuration changes, and back-end health status shows as unknown
- Check that the Application Gateway NSG has proper rules in place that allow communication with the Gateway Manager, which is used for control plane communication.
This rule will not affect the health status of the back-end devices, but the Application Gateway will work correctly even without it. The rule allows control plane data from the Gateway Manager, which includes information about the back-end health.
- Thus, if this rule is missing, the Gateway Manager will have no information about some App GW options and functionalities. One of them is the health status of the back-end. This means the application gateway will not work, but the health of the back-end in the Azure control platform will be unknown and we can see a report of unknown status (even if it is OK).
- Additionally, if communication with the Gateway Manager is blocked, the Application Gateway may end up in a failed state. This is why it's recommended not to apply an NSG on the Application Gateway subnet.
- When the proper rule is in place, the back-end should always display a Healthy or Unhealthy status and the gateway should no longer fall into a failed state. Do note that a lack of communication with the Gateway Manager may cause different kinds of issues.
- Rule can be applied as per the documentation mentioned over here
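
One way to audit an existing NSG for the Gateway Manager rule described above, as an added example that is not part of the original notes. It assumes the v2 SKU requirement from Azure's Application Gateway documentation (inbound TCP 65200-65535 from the `GatewayManager` service tag); the function and rule names are hypothetical and the sample rules are constructed.

```python
# Added example: audit NSG rules (same shape as `az network nsg rule list -o json`)
# for the GatewayManager allowance on an Application Gateway subnet.
# Assumption: v2 SKU, which needs inbound TCP 65200-65535 from GatewayManager.
REQUIRED = (65200, 65535)

def _values(rule, single, plural):
    """Merge the singular and plural forms of an NSG rule property."""
    vals = list(rule.get(plural) or [])
    if rule.get(single):
        vals.append(rule[single])
    return vals

def _ports(rule):
    """Destination ports of a rule as inclusive (low, high) tuples."""
    out = []
    for r in _values(rule, "destinationPortRange", "destinationPortRanges"):
        lo, _, hi = ("0-65535" if r == "*" else r).partition("-")
        out.append((int(lo), int(hi or lo)))
    return out

def _applies(rule):
    """Inbound TCP from GatewayManager; other tags and CIDRs are not resolved."""
    src = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
    return (rule["direction"] == "Inbound" and rule["protocol"] in ("Tcp", "*")
            and any(s in ("GatewayManager", "*") for s in src))

def gateway_manager_status(rules):
    """Walk rules in priority order; return (status, deciding rule name)."""
    need_lo, need_hi = REQUIRED
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if not _applies(rule):
            continue
        for lo, hi in _ports(rule):
            if rule["access"] == "Deny" and lo <= need_hi and hi >= need_lo:
                return ("blocked", rule["name"])
            # Simplification: one allow range must cover the whole required range.
            if rule["access"] == "Allow" and lo <= need_lo and hi >= need_hi:
                return ("allowed", rule["name"])
    return ("missing", None)  # falls through to the default DenyAllInBound

# Constructed sample: a custom deny-all sits ahead of the GatewayManager allow.
SAMPLE = [
    {"name": "deny-all", "priority": 200, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
    {"name": "allow-gwm", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "GatewayManager",
     "destinationPortRange": "65200-65535"},
]
if __name__ == "__main__":
    print(gateway_manager_status(SAMPLE))
```

A `blocked` or `missing` result corresponds to the condition in these notes where back-end health shows as unknown or the gateway falls into a failed state.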