Resolving Application Gateway frontend listener that is not listening

5 minute read

This scenario is what I actually encountered and took me a few hours to understand, troubleshoot and resolve it. There was an Azure Application Gateway that did not had any configuration changes for the past few months. Although there were some Network Security Groups (NSGs) rule changes to the Virtual Network (VNet) subnet where the Application Gateway is connected, it might have caused the issue and the frontend listener stopped listening.

Scenario

What are those conditions?

  • The Application Gateway has always been working fine without issue until now
  • No configuration change was applied to the Application Gateway recently
  • Application Gateway Health Status is still showing Healthy state

Top


Problem

What is the current issue?

  • Discover Application Gateway Frontend Listener is not listening or responding

Top


What is needed to resolve this with minimal impact or change?

This is how I try resolving the Application Gateway Frontend Listener issue.

Find out Application Gateway Frontend IP Configuration

Firstly when someone escalate to you a problem with their website, I will have to find out where it is hosted and what is the IP address that is related to the URL.


Top


AzCLI

In this section, I will demonstrate an example on how to find out the Application Gateway’s frontend IP address using AzCLI.

1
2
3
az network application-gateway frontend-ip list \
  -g '$RESOURCE_GROUP_NAME' \
  --gateway-name '$APPLICATION_GATEWAY_NAME'

Once the command is executed, it will return the following similar output below where you can identify the IP address allocated to the Application Gateway’s frontend IP configuration.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
{
  "etag": "W/\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\"",
  "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rg-application-gateway/providers/Microsoft.Network/applicationGateways/appgateway-webapp/frontendIPConfigurations/appgateway-frontend-private-ip",
  "name": "appgateway-frontend-private-ip",
  "privateIpAddress": "10.0.0.10",
  "privateIpAllocationMethod": "Static",
  "provisioningState": "Succeeded",
  "publicIpAddress": null,
  "resourceGroup": "rg-application-gateway",
  "subnet": {
    "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rg-vnet-intranet/providers/Microsoft.Network/virtualNetworks/vnet-intranet/subnets/sub-intranet-loadbalancer",
    "resourceGroup": "rg-vnet-intranet"
  },
  "type": "Microsoft.Network/applicationGateways/frontendIPConfigurations"
}

Top


PowerShell

In this section, I will demonstrate an example on how to find out the Application Gateway’s frontend IP address using PowerShell Az module.

1
2
3
4
Get-AzApplicationGatewayFrontendIPConfig `
  -ApplicationGateway (Get-AzApplicationGateway `
    -Name "$APPLICATION_GATEWAY_NAME" `
    -ResourceGroupName "$RESOURCE_GROUP_NAME") ;

Once the command is executed, it will return the following similar output below where you can identify the IP address allocated to the Application Gateway’s frontend IP configuration.

1
2
3
4
5
6
7
8
9
10
11
12
13
PrivateIPAddress          : 10.0.0.10
PrivateIPAllocationMethod : Static
Subnet                    : Microsoft.Azure.Commands.Network.Models.PSResourceId
PublicIPAddress           : 
ProvisioningState         : Succeeded
Type                      : Microsoft.Network/applicationGateways/frontendIPConfigurations
SubnetText                : {
                              "Id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rg-vnet-intranet/providers/Microsoft.Network/virtualNetworks/vnet-intranet/subnets/sub-intranet-loadbalancer"
                            }
PublicIpAddressText       : null
Name                      : appgateway-frontend-private-ip
Etag                      : W/"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
Id                        : /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rg-application-gateway/providers/Microsoft.Network/applicationGateways/appgateway-webapp/frontendIPConfigurations/appgateway-frontend-private-ip

Top


Test the IP Address is listening or responding

You can try to use a web browser to launch the website using the IP Address <http://10.0.0.10/> or try using curl command from a Linux machine from Bash.

1
curl 10.0.0.10

In the example if the Application Gateway’s frontend IP address listener is not working, you will encounter the following similar output from the curl command below.

1
curl: (7) Failed to connect to 10.0.0.10 port 80: Connection timed out

Top


Resolving the issue without making any configuration change

Since Application Gateway is offered as an Azure PaaS type of service, there isn’t a reboot/restart button on the portal. Although technically we know that it must be system instance (or VM) behind the scene, it is an offering that provides scalability and my Application Gateway has 2 instances.

Since there are 2 instances, the frontend IP address is a virtual IP (VIP), therefore the 2 instances will have their own IP addresses too. I probe the subnet remaining IP addresses for the 2 instance’s IP addresses and found out that it is using (Eg. 10.0.0.2 and 10.0.0.3). When I initiated the curl command on 10.0.0.2 and 10.0.0.3, there is a response back with the website content.

But I still could not get the frontend IP address to work and I know that a restart of the Application Gateway is required.


Top


AzCLI

In this section, I will demonstrate an example on how to restart an Application Gateway using AzCLI. Firstly, you will need to manually stop the Application Gateway with the command below.

1
2
3
az network application-gateway stop \
  -g 'gt-gccs-azuredashboard-iz-app' \
  -n 'appgateway-gcc-azure-dashboard'

Once the Application Gateway has stopped, you will need to manually start the Application Gateway with the command below.

1
2
3
az network application-gateway start \
  -g 'gt-gccs-azuredashboard-iz-app' \
  -n 'appgateway-gcc-azure-dashboard'

Top


PowerShell

In this section, I will demonstrate an example on how to restart an Application Gateway using Az PowerShell module. Firstly, you will need to manually stop the Application Gateway with the command below.

1
2
3
4
Stop-AzApplicationGateway `
  -ApplicationGateway (Get-AzApplicationGateway `
    -Name "$APPLICATION_GATEWAY_NAME" `
    -ResourceGroupName "$RESOURCE_GROUP_NAME") ;

Once the Application Gateway has stopped, you will need to manually start the Application Gateway with the command below.

1
2
3
4
Start-AzApplicationGateway `
  -ApplicationGateway (Get-AzApplicationGateway `
    -Name "$APPLICATION_GATEWAY_NAME" `
    -ResourceGroupName "$RESOURCE_GROUP_NAME") ;

Top


Resolving the issue with minor configuration change

Although this method is not the best recommended solution because configuration changes must be made.

But if you don’t really have the luxury to use the AzCLI or Az PowerShell module except through the Azure Portal, this is the only method to restart the Application Gateway with minimal changes without making any major functionality configuration change that may impact the loadbalancing functionality.

To do this on the Azure Portal:

  1. Launch Azure Portal
  2. Locate your Application Gateway resource
  3. Navigate to Settings -> Configuration
  4. Modify the Instance Count (Eg. Change from 2 instances to 1 instance)
  5. Select Save

This will cause a restart of Application Gateway. Once the Application Gateway completed updating configuration, you will need to repeat the steps 4 and 5 above to modify the Instance Count back to the original value (Eg. Change from 1 instance to 2 instances).

Until Microsoft decided to add a Restart button on the Azure Portal for Application Gateway, this might be the only way to restart it using the portal.


Top


References


Top



Top