Configure Availability tests for webapps which are behind the Azure Firewall.

Question

Configure Availability tests for webapps which are behind the Azure Firewall.

Yashas Manjunath 186

I have a hub and spoke architecture deployed in my tenant. In one of the spokes I have a web app deployed. I have quad zero in the route table in the spoke which forwards all the traffic to the Azure firewall in the hub. All the policies and management take place in the firewall. There are no NSG's associated with the spoke Vnets.

Before the setup the availability tests/ping tests on the webapps were working as expected. Now that the spoke(webapp) is behind the firewall, the availability tests are naturally failing. What should be my course of action now.

Yashas Manjunath 186 Reputation points

2025-08-25T08:46:32.4333333+00:00
@Praveen Bandaru
I forgot to mention kind of an important detail about the app. The webapp's public access setting was disabled making it private. It's set up with a private endpoint and proper resolution happens and I have verified this once I am connected to the VPN. Is this why the test is not able to reach the app at all? In scenarios like this how does one make use of the availability test.

I am using Application insights Standard Availability test.

The web application has a public DNS that resolves properly. When I am connected to the VPN i can hit the health endpoint and get a positive response.

The test frequency is set to 5 minutes. The weird this is I dont see the test in the firewall logs at all. Not in application or network rule logs.
Praveen Bandaru 7,810 Reputation points Microsoft External Staff Moderator

2025-08-26T06:55:40.5666667+00:00

Hello Yashas Manjunath
Thank you for your response. If possible, could you run a nslookup test on your source machine and share the results with us?

Meanwhile, please also run a psping test on the source machine and share a screenshot of the results.

psping privateip:portnumber

Check the PsPing public document.

Have you seen the firewall logs for both forward and reverse traffic?
Praveen Bandaru 7,810 Reputation points Microsoft External Staff Moderator

2025-08-27T05:52:30.0933333+00:00

Hello Yashas Manjunath

I just wanted to follow up and see if you had a chance to review my response to your question. Please let us know if it was helpful, and feel free to reach out if you have any further queries.

Hope the above answer helps! Please let us know do you have any further queries.

Please do not forget to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Yashas Manjunath 186 Reputation points

2025-08-27T07:57:19.4633333+00:00

Hello, Praveen Bandaru
nslookup from my local machine when I am connected to the VPN resolves as expected. I can successfully perform postman calls on my local machine and can also get a positive response on the health endpoint.

I have a private endpoint configured on my webapp. 2 private DNS zones. one privatelink.azurewebsites.net which the private endpoint automatically created and one azurewebsites.net which contains a CNAME record for the privatelink DNS zone.

I cannot use psping as I am using a mac. Can you suggest an alternative. When I call the webapp api from my local i dont see any firewall logs.

How does the Availability test work? does azure use the normal networking layer or some backbone stuff directly and go behind everything.
Praveen Bandaru 7,810 Reputation points Microsoft External Staff Moderator

2025-08-27T13:20:32.9733333+00:00

Hello Yashas Manjunath

Please try to check the below command and share the result with us.

nc -vz <destination IP> <port>

How does the Availability test work? does azure use the normal networking layer or some backbone stuff directly and go behind everything.

When you use a private endpoint in Azure, it utilizes the backbone network. If it is public, it uses the public internet. Azure's Availability Tests, which are included in Application Insights within Azure Monitor, help track and assess the availability and responsiveness of your applications.

Check the below public document:

https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability?tabs=standard

I have initiated a private message. Please check and provide the required information for further investigation of the issue.

1 answer

Your answer

Yashas Manjunath 186 Reputation points

2025-08-25T08:46:32.4333333+00:00

@Praveen Bandaru
I forgot to mention kind of an important detail about the app. The webapp's public access setting was disabled making it private. It's set up with a private endpoint and proper resolution happens and I have verified this once I am connected to the VPN. Is this why the test is not able to reach the app at all? In scenarios like this how does one make use of the availability test.

I am using Application insights Standard Availability test.

The web application has a public DNS that resolves properly. When I am connected to the VPN i can hit the health endpoint and get a positive response.

The test frequency is set to 5 minutes. The weird this is I dont see the test in the firewall logs at all. Not in application or network rule logs.
Praveen Bandaru 7,810 Reputation points Microsoft External Staff Moderator

2025-08-26T06:55:40.5666667+00:00

Hello Yashas Manjunath
Thank you for your response. If possible, could you run a nslookup test on your source machine and share the results with us?

Meanwhile, please also run a psping test on the source machine and share a screenshot of the results.

psping privateip:portnumber

Check the PsPing public document.

Have you seen the firewall logs for both forward and reverse traffic?
Praveen Bandaru 7,810 Reputation points Microsoft External Staff Moderator

2025-08-27T05:52:30.0933333+00:00

Hello Yashas Manjunath

I just wanted to follow up and see if you had a chance to review my response to your question. Please let us know if it was helpful, and feel free to reach out if you have any further queries.

Hope the above answer helps! Please let us know do you have any further queries.

Please do not forget to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Yashas Manjunath 186 Reputation points

2025-08-27T07:57:19.4633333+00:00

Hello, Praveen Bandaru
nslookup from my local machine when I am connected to the VPN resolves as expected. I can successfully perform postman calls on my local machine and can also get a positive response on the health endpoint.

I have a private endpoint configured on my webapp. 2 private DNS zones. one privatelink.azurewebsites.net which the private endpoint automatically created and one azurewebsites.net which contains a CNAME record for the privatelink DNS zone.

I cannot use psping as I am using a mac. Can you suggest an alternative. When I call the webapp api from my local i dont see any firewall logs.

How does the Availability test work? does azure use the normal networking layer or some backbone stuff directly and go behind everything.
Praveen Bandaru 7,810 Reputation points Microsoft External Staff Moderator

2025-08-27T13:20:32.9733333+00:00

Hello Yashas Manjunath

Please try to check the below command and share the result with us.

nc -vz <destination IP> <port>

How does the Availability test work? does azure use the normal networking layer or some backbone stuff directly and go behind everything.

When you use a private endpoint in Azure, it utilizes the backbone network. If it is public, it uses the public internet. Azure's Availability Tests, which are included in Application Insights within Azure Monitor, help track and assess the availability and responsiveness of your applications.

Check the below public document:

https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability?tabs=standard

I have initiated a private message. Please check and provide the required information for further investigation of the issue.

Answer 1

Hello Yashas Manjunath

I understand that your web app in the spoke VNet is now secured behind an Azure Firewall in the hub, with all traffic routed through it using a quad-zero (0.0.0.0/0) route. As a result, availability tests such as ping or HTTP checks from external sources will not succeed unless the firewall is configured to allow them.

Please let me know which monitoring tools or services are you using for availability tests?

Azure Monitor and Application Insights generally use designated IP ranges for their availability tests.
You can view the latest list of IPs used by Azure services here: https://www.microsoft.com/en-us/download/details.aspx?id=56519 (Azure IP Ranges and Service Tags – Public Cloud)

In your Azure Firewall, set up Network Rules or Application Rules to permit traffic from these IP ranges to reach your web app are go with service tag to allow the traffic.

Please verify that your DNS configuration is correct. The web application should have a public DNS entry that resolves properly.

Once you have applied the rules, run the availability tests again. Check the Azure Firewall logs to ensure that traffic is permitted and not being blocked.

Hope the above answer helps! Please let us know do you have any further queries.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Share via

Configure Availability tests for webapps which are behind the Azure Firewall.

1 answer

Your answer