Backend health status of Application Gateway
We deployed the Application Gateway on a subnet where NSG inbound rules are set. As a result, the backend health status is 'unknown'. We got the 'Healthy' status when the NSG isn't associated with the subnet. Even if NSG inbound rules are set, we'd like to confirm the backend health.
Q. Are Network Security Groups supported on the Application Gateway subnet?
Network Security Groups are supported on the Application Gateway subnet with the following restrictions:
Exceptions must be put in for incoming traffic on ports 65503-65534 for backend health to work correctly.
Outbound internet connectivity can't be blocked.
Traffic from the AzureLoadBalancer tag must be allowed.
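The three restrictions quoted above can be checked against an NSG rule set with first-match-by-priority evaluation. This is an added example, not part of the original post or of Microsoft's documentation. The `rule` helper, its field names and both sample rule sets are constructed for illustration, and matching is simplified to service tags and `*` (no CIDR prefixes).

```python
# Added example: first-match evaluation of NSG rules against the three
# Application Gateway subnet restrictions. Rule records are simplified and
# hypothetical (not Azure's JSON schema); only service tags and "*" are matched.
def rule(name, priority, direction, access, source, dest="*", ports="*"):
    return dict(name=name, priority=priority, direction=direction,
                access=access, source=source, dest=dest, ports=ports)

DEFAULT_RULES = [  # Azure's built-in default rules that matter for these checks
    rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "AzureLoadBalancer"),
    rule("DenyAllInBound", 65500, "Inbound", "Deny", "*"),
    rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", dest="Internet"),
    rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*"),
]

def _port_match(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def decide(rules, direction, source, dest, port):
    """Access of the lowest-priority-number rule that matches the flow."""
    for r in sorted(rules + DEFAULT_RULES, key=lambda r: r["priority"]):
        if (r["direction"] == direction and r["source"] in ("*", source)
                and r["dest"] in ("*", dest) and _port_match(r["ports"], port)):
            return r["access"]
    return "Deny"

def check_appgw_subnet(rules, sample_port=443):  # sample_port is an assumption
    return {
        # every port in 65503-65534 is tested, so a partial deny is caught
        "probe_ports_open": all(
            decide(rules, "Inbound", "Internet", "VirtualNetwork", p) == "Allow"
            for p in range(65503, 65535)),
        "azure_lb_allowed": decide(rules, "Inbound", "AzureLoadBalancer",
                                   "VirtualNetwork", sample_port) == "Allow",
        "outbound_internet": decide(rules, "Outbound", "VirtualNetwork",
                                    "Internet", sample_port) == "Allow",
    }

# Constructed sample: a custom deny-all shadows the default AzureLoadBalancer allow.
BROKEN = [rule("AllowHttps", 100, "Inbound", "Allow", "Internet", ports="443"),
          rule("DenyAllCustom", 4000, "Inbound", "Deny", "*")]
FIXED = BROKEN + [
    rule("AllowProbePorts", 200, "Inbound", "Allow", "Internet", ports="65503-65534"),
    rule("AllowAzureLB", 210, "Inbound", "Allow", "AzureLoadBalancer")]

if __name__ == "__main__":
    print("broken:", check_appgw_subnet(BROKEN))
    print("fixed: ", check_appgw_subnet(FIXED))
```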
Craig Hunter commented
Currently, inbound internet traffic on port ranges 65503-65534 should be opened for health probes to work. This is documented in the FAQ at https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-faq.
Edmar Cardoso commented
I have the same issue.