AKS-Construction icon indicating copy to clipboard operation
AKS-Construction copied to clipboard
verified publisher icon Azure

Application Gateway Subnet Inbound Traffic Blocked By Network Security Group

Open khowling opened this issue 3 years ago • 2 comments

Describe the bug

"ApplicationGatewaySubnetInboundTrafficBlockedByNetworkSecurityGroup "Network security group /subscriptions//resourceGroups/az-k8s-5jtu-rg/providers/Microsoft.Network/networkSecurityGroups/nsg-appgw-sn-az-k8s-5jtu blocks incoming internet traffic on ports 65200 - 65535 to subnet /subscriptions//resourceGroups/az-k8s-5jtu-rg/providers/Microsoft.Network/virtualNetworks/vnet-az-k8s-5jtu/subnets/appgw-sn, associated with Application Gateway /subscriptions/***/resourceGroups/az-k8s-5jtu-rg/providers/Microsoft.Network/applicationGateways/agw-az-k8s-5jtu. This is not permitted for Application Gateways that have V2 Sku.

To Reproduce

Provision a cluster with "I want a managed environment" & "Private cluster with isolating network". Then run the same script again

	resourceName=az-k8s-5jtu \
	agentCount=2 \
	upgradeChannel=stable \
	JustUseSystemPool=true \
	custom_vnet=true \
	CreateNetworkSecurityGroups=true \
	bastion=true \
	enable_aad=true \
	AksDisableLocalAccounts=true \
	enableAzureRBAC=true \
	adminPrincipalId=$(az ad signed-in-user show --query id --out tsv) \
	registries_sku=Premium \
	acrPushRolePrincipalId=$(az ad signed-in-user show --query id --out tsv) \
	imageNames="[\"k8s.gcr.io/external-dns/external-dns:v0.11.0\"]" \
	azureFirewalls=true \
	certManagerFW=true \
	privateLinks=true \
	kvIPAllowlist="[\"5.67.72.204/32\"]" \
	omsagent=true \
	retentionInDays=30 \
	networkPolicy=azure \
	azurepolicy=audit \
	enablePrivateCluster=true \
	dnsZoneId=/subscriptions/xxx/resourceGroups/kh-common/providers/Microsoft.Network/dnszones/xxx \
	ingressApplicationGateway=true \
	appGWcount=0 \
	appGWsku=WAF_v2 \
	appGWmaxCount=10 \
	appgwKVIntegration=true \
	azureKeyvaultSecretsProvider=true \
	createKV=true \
	kvOfficerRolePrincipalId=$(az ad signed-in-user show --query id --out tsv) \
	acrPrivatePool=true

Expected behavior Successful provisioning

khowling avatar Jul 20 '22 19:07 khowling

This sounds like #206 @khowling

Gordonby avatar Jul 20 '22 21:07 Gordonby

Issue smells stale, no activity for 30 days. Stale Label will be removed if the issue is updated, otherwise closed in a month.

github-actions[bot] avatar Aug 20 '22 09:08 github-actions[bot]

Issue smells stale, no activity for 30 days. Stale Label will be removed if the issue is updated, otherwise closed in a month.

github-actions[bot] avatar Nov 15 '22 09:11 github-actions[bot]