Remove NSG validation from App Gateway V2 deployment
This is more of a bug report than an idea.
I tried deploying a new WAF_V2 app gateway through ARM templates. My gateway subnet has a hardened NSG applied.
Validation is applied to check whether certain traffic is blocked to the gateway. I have many problems with this:
1) The validation is never satisfied with my rules. It will only be satisfied when I have my entire VNET way too open.
I am referring to this error message when deploying:
"Network security group <NSGID> blocks incoming internet traffic on ports 65200 - 65535 to subnet <SUBNETID>, associated with Application Gateway <GATEWAY_ID>. This is not permitted for Application Gateways that have V2 Sku."
After trying multiple rules, the validation was only satisfied once I had this inbound rule defined:
Any Source, Any Port, Any Protocol -> Any Destination, Port 65200-65535
Once I had this defined, another error message popped up:
"Network security group <NSGID> blocks outgoing internet traffic on subnet <SUBNETID>, associated with Application Gateway <GATEWAY_ID>. This is not permitted for Application Gateways that have fast update enabled or have V2 Sku."
This is despite having the following outbound rule defined:
VirtualNetwork Source, Any Port, TCP Protocol -> Internet Destination, Port 80,443
This is unacceptable for any security-hardened system. As I said here: https://github.com/MicrosoftDocs/azure-docs/issues/18737, you should strive to define the most strict rules for network access.
What I found out with App Gateway V1 is that inbound, you only need the following rule:
GatewayManager Source, Any Port, Any Protocol -> Subnet CIDR Destination, Port 65503-65534
2) Deployment should not validate NSG rules.
This validation rule is unprecedented from any other resource I deployed via ARM so far. None are as restrictive as App Gateway V2.
The deployment is not nearly smart enough to take my rules into account, forcing me to use a less secure solution.
Also, I may want to apply NSG rules out of order. I would still want the Gateway deployment to finish, even if I have a completely locked down NSG to be modified later.
As such I suggest that this validation rule be removed, and the NSG requirements be meticulously documented instead.
Finally, this worked for me:
Allow traffic from Source as GatewayManager service tag and Destination as Any and Destination port as 65200-65535. This port range is required for Azure infrastructure communication.
These ports are protected (locked down) by certificate authentication. External entities, including the Gateway user administrators, can't initiate changes on those endpoints without appropriate certificates in place.
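As an added example (not part of the original post, and not Azure's own validator), the following Python script evaluates an NSG rule set locally the way the data plane does: lowest priority number first, first match wins, with Azure's six built-in default rules appended. It checks the two flows the error messages above name, inbound GatewayManager traffic on TCP 65200-65535 and outbound Internet traffic on any port, and reports the rule that blocks each one, so a template can be checked before a deployment is attempted. The subnet CIDR, the rule names and both rule sets are constructed for the example; service-tag matching is a simplified assumption, and the real deployment validator is a black box that, as the comments below show, does not always agree with first-match evaluation.

```python
"""Local pre-check of NSG rules against the App Gateway V2 flow requirements.
Added example, not from the original post. Service-tag resolution is a
simplified assumption, not Azure's resolver."""
from dataclasses import dataclass
from functools import lru_cache
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    priority: int       # custom rules use 100-4096; the lowest number is evaluated first
    direction: str      # "Inbound" | "Outbound"
    access: str         # "Allow" | "Deny"
    protocol: str       # "Tcp" | "Udp" | "*"
    source: str         # CIDR or service tag: "GatewayManager", "VirtualNetwork", "Internet", "*"
    source_ports: str   # "*" (other values are treated as not covering a whole flow; simplification)
    destination: str
    dest_ports: str     # "*", "80", "80,443" or "65200-65535"


# Azure's built-in default rules (priorities 65000-65500), present in every NSG.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*", "*"),
]


@lru_cache(maxsize=None)
def parse_ports(spec: str) -> List[Tuple[int, int]]:
    """'*' -> whole range; '80,443' and '65200-65535' -> list of (lo, hi)."""
    if spec == "*":
        return [(0, 65535)]
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def port_in(spec: str, port: int) -> bool:
    return any(lo <= port <= hi for lo, hi in parse_ports(spec))


def addr_matches(rule_prefix: str, flow_addr: str, subnet: str) -> bool:
    """Simplified tag matching (assumption): '*' matches anything; the gateway subnet
    is also covered by 'VirtualNetwork'; GatewayManager traffic arrives from the
    Internet side, so an 'Internet' rule covers it too (the error text calls it
    'incoming internet traffic')."""
    if rule_prefix in ("*", flow_addr):
        return True
    if flow_addr == subnet and rule_prefix == "VirtualNetwork":
        return True
    return flow_addr == "GatewayManager" and rule_prefix == "Internet"


def first_match(ordered: List[Rule], direction: str, protocol: str,
                src: str, dst: str, port: int, subnet: str) -> Optional[Rule]:
    """First rule in priority order that matches the 5-tuple; None cannot occur
    once the default deny-all rules are in the list."""
    for r in ordered:
        if (r.direction == direction and r.protocol in ("*", protocol)
                and r.source_ports == "*"
                and addr_matches(r.source, src, subnet)
                and addr_matches(r.destination, dst, subnet)
                and port_in(r.dest_ports, port)):
            return r
    return None


def check_app_gateway_v2(rules: List[Rule], subnet: str) -> List[str]:
    """One finding per blocked (flow, protocol); an empty list means the rule set passes."""
    ordered = sorted(rules + DEFAULT_RULES, key=lambda r: r.priority)
    flows = [  # label, direction, source, destination, protocols, destination ports
        ("inbound GatewayManager 65200-65535", "Inbound", "GatewayManager", subnet, ("Tcp",), range(65200, 65536)),
        ("outbound Internet", "Outbound", subnet, "Internet", ("Tcp", "Udp"), range(0, 65536)),
    ]
    findings = []
    for label, direction, src, dst, protocols, ports in flows:
        for proto in protocols:
            for port in ports:
                r = first_match(ordered, direction, proto, src, dst, port, subnet)
                if r is not None and r.access == "Deny":
                    findings.append(f"{label} ({proto}) blocked at port {port} by rule '{r.name}'")
                    break  # the first blocked port is enough to fail the flow
    return findings


SUBNET = "10.0.1.0/24"  # constructed sample gateway subnet

# Constructed: a hardened NSG in the spirit of the post (V1-style inbound rule,
# 80/443-only egress, explicit deny-all outbound).
HARDENED_NSG = [
    Rule("AllowGatewayManagerV1", 100, "Inbound", "Allow", "*", "GatewayManager", "*", SUBNET, "65503-65534"),
    Rule("AllowWebOut", 100, "Outbound", "Allow", "Tcp", "VirtualNetwork", "*", "Internet", "80,443"),
    Rule("DenyAllOut", 4000, "Outbound", "Deny", "*", "*", "*", "*", "*"),
]

# Constructed: the rule set the post reports as working, with the same deny-all
# kept at lower precedence (a higher priority number) than the allow rules.
WORKING_NSG = [
    Rule("AllowGatewayManagerV2", 100, "Inbound", "Allow", "Tcp", "GatewayManager", "*", "*", "65200-65535"),
    Rule("AllowInternetOut", 100, "Outbound", "Allow", "*", "*", "*", "Internet", "*"),
    Rule("DenyAllOut", 4000, "Outbound", "Deny", "*", "*", "*", "*", "*"),
]

if __name__ == "__main__":
    for name, nsg in (("hardened", HARDENED_NSG), ("working", WORKING_NSG)):
        print(name, check_app_gateway_v2(nsg, SUBNET) or ["ok"])
```

The hardened set fails on both flows (the inbound rule covers the V1 port range, not 65200-65535, and the deny-all outbound rule catches every port outside 80/443), while the working set passes. Because the checker walks rules in priority order, an explicit deny that sits below the required allow does not trip it; the comments below report that the deployment validator is stricter than this.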
Michael Sundgaard commented
For me, navigating to the subnet and adding the NSG to the subnet, instead of adding the subnet to the NSG, worked.
Instead of using VirtualNetwork, use the full CIDR as the destination and it works without issue.
Update: I finally got the deployment to work by removing a custom blocking outbound rule (which was lower prio than the required allowing rule -- but the rule validation check seems to ignore this).
I have gotten the inbound rule to work as suggested above. However still no luck with the outbound rule.
Even with Any, Any, Any, Any -> Allow I am still getting the "ApplicationGatewaySubnetOutboundTrafficBlockedByNetworkSecurityGroup" rule validation error during deployment.
It's just impossible to deploy AppGateway v2 due to this rule validation issue.
Struggling with the exact same thing here. I have the ports allowed, but the NSG rule is not "open enough" as it seems, and the error message is not helpful at all as it states the contradiction of the actual rules we have...