Limited IP traffic getting to app in VM

andrew 21 Reputation points
2020-09-30T15:09:52.807+00:00

My Azure network does not appear to be allowing IP traffic through except when I use the http://<ip_address>:<app_test_port> URL format. The following services are in place:

Public IP address is:

  • Associated to Network Interface (which has a local IP), which has/is: Network Security Group with several open inbound ports Associated with a Virtual Network Attached to a Virtual Machine

I am running Traefik in a Docker container, and another Docker application container. Traefik is listening on a couple of ports and should forward requests to the Docker app. However, the Traefik logs are empty so it may not be receiving any inbound requests. I am able to SSH to the host from my laptop and execute Docker commands in the shell.

  1. Am I missing any obvious services?
  2. I am attempting to view the NSG logs, and created a Logs Analytics workspace and assigned it to the NSG.
    • When I query the NSG logs for 'rejected' it returns "where' operator: Failed to resolve table or column expression named 'AzureDiagnostics'
    • If I run the canned query 'Logs of the last 100 calls' the table name in the above message changes to 'ApiManagementGatewayLogs'
  3. What sequence of troubleshooting would be appropriate?

Thank you.

Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,267 questions
0 comments
Accepted answer
  1. D.D 86 Reputation points
    2020-10-01T14:36:55.377+00:00

    You state you can connect to <app_test_port> so I am assuming the problem is that you cannot connect to a non-test port (i.e. operational port).

    So, probably not "the" answer. But I would recommend the troubleshooting path is to start closest to the application and work your way out.

    1. Get in the container. Is the app listening on the port you think (netstat or ss)? Can you connect from there?
    2. Is your container configured to expose the operational port? Is docker mapping external ports to internal ports? Is the mapping correct?
    3. From the VM, curl (or wget) to the app using the app. This ignores NSG (network security group, etc.).
    4. From the VM can you connect to Traefik. If 1-3 worked but failed here, then your Traefik mappings aren't right.
    5. From a VM on the same virtual network, try to connect. If you can connect but failed here then the NSG is probably wrong. Also, maybe there's a firewall in your way on the VM

    You get the idea. Without a lot more specific information I'm guessing you'll find a disconnect somewhere in steps 1-4.

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. TravisCragg-MSFT 5,681 Reputation points Microsoft Employee
    2020-09-30T23:43:50.887+00:00

    If you are able to access the resources with the IP:Port, then NSGs are not what is blocking your access.

    Are you trying to use a DNS name to access your website? If so, make sure that your DNS is set up correctly. If your site is hosted on a port that is not 80 or 443, you will still need to specify the port when you make the request. For Example, If your website example.com is hosted on port 8080, use www.example.com:8080

    Also, make sure that your DNS is resolving to the correct IP using a NSLOOKUP.