Azure Load Balancer's health probes operate independently of the inbound port rules configured on the individual virtual machines (VMs). The behavior you're seeing is expected:
1. Health Probe Behavior and Inbound Port Rules
- How Health Probes Work: Azure Load Balancer health probes send requests directly to the backend VMs over the configured probe protocol (TCP or HTTP). These probes bypass the Network Security Group (NSG) rules for the specific health probe IP ranges used by Azure. This means that even if an inbound port rule blocks port 80 for general traffic, health probes can still reach the VM if the application on port 80 is running and responding.
- Why the VM Showed as Healthy: When you removed the inbound port rule for port 80, the load balancer health probe continued to reach the VM because Azure bypasses NSG rules for probe traffic. The VM remained healthy as long as the application responded to the health probe requests. Only when the VM was stopped did it fail the health probe checks and get marked as unhealthy.
2. Restricting Traffic to the Load Balancer’s Frontend IP
When you restricted the VMs to only accept traffic from the load balancer's frontend IP using NSG rules:
- Impact on Accessibility: This likely blocked the load balancer's health probes because the health probes originate from a specific Azure IP range, not from the load balancer's frontend IP. By restricting traffic to the frontend IP, you inadvertently blocked the health probes, leading to a failure in accessing the websites.
- Health Probe IP Ranges: Azure health probes originate from specific IP ranges depending on the Azure region. These IP ranges are documented here, and your NSG rules need to allow these IP ranges for the health probes to function.
To address these issues:
- Allow Health Probes in NSG Rules:
- Ensure your NSG rules allow traffic on the probe port (e.g., port 80) from Azure's health probe IP ranges. You can add an inbound rule to explicitly permit traffic from 168.63.129.16 (used by health probes) or the documented probe IP ranges for your region.
- Validate NSG Rules:
- Use the Network Watcher in Azure to validate effective NSG rules and ensure that health probe traffic is not being inadvertently blocked.
- Restrict Traffic Securely:
- If you want to restrict access to your application, consider combining NSG rules with Azure Load Balancer configurations to allow traffic only from the load balancer frontend IP for non-health-probe traffic.
- Testing:
- After making changes, confirm the health probe status and test accessibility to the application using the load balancer's public IP.
If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
hth
Marcin
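As an added illustration (not part of the answer above), the following script models NSG inbound evaluation in priority order, including the default AllowAzureLoadBalancerInBound (65001) and DenyAllInBound (65500) rules, and shows why a "frontend IP only" rule set blocks the probe source 168.63.129.16 until an explicit allow is placed ahead of the deny. The frontend IP 203.0.113.10 and the rule names are constructed placeholders; AllowVnetInBound is omitted for brevity.

```python
import ipaddress
from dataclasses import dataclass

# Source address of Azure Load Balancer health probes; the "AzureLoadBalancer"
# service tag resolves to this single IP.
PROBE_SOURCE = "168.63.129.16"

@dataclass
class NsgRule:
    name: str
    priority: int      # lower number is evaluated first
    access: str        # "Allow" or "Deny"
    source: str        # CIDR, single IP, or "*"
    dest_port: str     # single port, or "*"

# Default inbound rules that every NSG carries (AllowVnetInBound omitted here).
# User rules always have priority < 65000, so they are evaluated before these.
DEFAULT_INBOUND = [
    NsgRule("AllowAzureLoadBalancerInBound", 65001, "Allow", PROBE_SOURCE, "*"),
    NsgRule("DenyAllInBound", 65500, "Deny", "*", "*"),
]

def _src_matches(rule_src: str, ip: str) -> bool:
    if rule_src == "*":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule_src, strict=False)

def evaluate_inbound(user_rules, src_ip: str, dst_port: int):
    """Return (access, rule_name) of the first matching rule in priority order."""
    for rule in sorted(user_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if _src_matches(rule.source, src_ip) and rule.dest_port in ("*", str(dst_port)):
            return rule.access, rule.name
    return "Deny", "<no match>"

FRONTEND_IP = "203.0.113.10"  # constructed placeholder for the LB frontend IP

# Rule set as described in the question: only the frontend IP may reach port 80.
# The deny at 110 is hit by the probe before the default allow at 65001.
restrict_to_frontend = [
    NsgRule("AllowFrontend80", 100, "Allow", FRONTEND_IP, "80"),
    NsgRule("DenyOther80", 110, "Deny", "*", "80"),
]

# Fix: an explicit allow for the probe source, ordered ahead of the deny.
with_probe_allow = [NsgRule("AllowLBProbe80", 90, "Allow", PROBE_SOURCE, "80")] + restrict_to_frontend

if __name__ == "__main__":
    for label, rules in (("restricted", restrict_to_frontend), ("fixed", with_probe_allow)):
        print(label, "probe ->", evaluate_inbound(rules, PROBE_SOURCE, 80))
```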