Azure LoadBalancer port 443 timing out for YARP service, while 8080 and /health endpoint work fine

Vishnu Sankar 0 Reputation points Microsoft Employee
2025-10-13T04:42:12.4333333+00:00

Hi everyone,

I’m running a YARP (Yet Another Reverse Proxy) application inside AKS (Azure Kubernetes Service), fronted by an Azure Load Balancer.

Here’s my service configuration:

apiVersion: v1
kind: Service
metadata:
  name: yarp-service
  namespace: code-search-yarp
  annotations:
    service.beta.kubernetes.io/azure-load-balancer-resource-group: code-search-dev
    service.beta.kubernetes.io/azure-load-balancer-internal: "false"
    service.beta.kubernetes.io/port_443_health-probe_protocol: "https"
    service.beta.kubernetes.io/port_443_health-probe_port: "443"
    service.beta.kubernetes.io/port_443_health-probe_request-path: "/health"
    service.beta.kubernetes.io/azure-load-balancer-tcp-idle-timeout: "60"
spec:
  selector:
    app: yarp
  type: LoadBalancer
  externalTrafficPolicy: Cluster
  ports:
    - name: https
      protocol: TCP
      port: 443
      targetPort: 443
    - name: http
      protocol: TCP
      port: 8080
      targetPort: 8080

What’s working

  • kubectl port-forward svc/yarp-service 8443:443 -n code-search-yarp → Works fine, HTTPS request succeeds.

  • /health endpoint (used by the Azure probe) is accessible and returns HTTP 200.

  • Port 8080 (HTTP) is accessible externally — `Test-NetConnection -ComputerName.


2 answers

  1. SUNOJ KUMAR YELURU 17,326 Reputation points MVP Volunteer Moderator
    2025-10-13T07:27:03.2166667+00:00

    Hello @Vishnu Sankar

    The most likely cause of the Azure Load Balancer port 443 timing out is a failed TLS handshake during the health check. Temporarily change the probe protocol to HTTP to isolate the issue. If this resolves the timeout, configure a valid, trusted certificate for port 443 or configure the /health endpoint to be accessible via HTTP. Also, verify the health probe status in the Azure portal and review network policies and firewall rules.

    • The Azure Load Balancer uses health probes to determine the health of backend pods.
    • A failed TLS handshake during the health check is a common cause of timeouts on HTTPS ports.
    • Incorrect TLS/SSL configuration or missing/invalid certificates can cause the HTTPS health probe to fail.
    • Network policies or firewall rules might be blocking traffic.
    • Always verify the health probe status in the Azure portal to diagnose issues.

    If the Answer is helpful, please click Accept Answer and Up-Vote, so that it can help others in the community looking for help on similar topics.


  2. Jeevan Shanigarapu 3,355 Reputation points Microsoft External Staff Moderator
    2025-10-13T18:05:38.1166667+00:00

    Hello @Vishnu Sankar,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand your question regarding the Azure LoadBalancer timing out on port 443 for the YARP service, even though port 8080 and the /health endpoint are working correctly.

    It appears that port 443 on your Azure Load Balancer is timing out, while port 8080 and the /health endpoint are functioning as expected for your YARP service on AKS. This typically suggests there may be a configuration mismatch between the Load Balancer and your Kubernetes service or backend pods.

    Your service is exposing ports 443 (HTTPS) and 8080 (HTTP) as expected, and the /health endpoint returns a 200 status code. Port 8080 is accessible externally, which shows backend connectivity is working for that port. The issue seems to be related to routing or traffic allowance on port 443.

    Common Causes:

    1. Load Balancer Rule Mismatch: Ensure the Load Balancer frontend rule for port 443 is correctly mapped to the backend pool and the pod’s listening port. If the backend port or NodePort is set incorrectly, traffic on port 443 may time out.
    2. Health Probe Setup: A successful health probe does not necessarily mean the frontend rule for port 443 is properly linked to the backend service.
    3. Network Security Group (NSG): Verify that inbound traffic on port 443 is permitted in your NSG for both the Load Balancer and AKS nodes.
    4. Kubernetes Service Configuration: Make sure the service is set to type LoadBalancer and that the targetPort matches the actual container port your application uses.

    Recommended Steps

    • Please review your Kubernetes service configuration:

      o Run kubectl get svc yarp-service -n code-search-yarp
      o Run kubectl describe svc yarp-service -n code-search-yarp

      Ensure that the ports and target ports match the container settings.

    1. In Azure Portal, verify the Load Balancer's frontend rules, backend pool, and health probe configurations for port 443.
    2. Check your NSG rules to confirm that inbound traffic on port 443 is permitted.
    3. If necessary, switch the externalTrafficPolicy between Local and Cluster to test functionality.
    4. Review pod logs for any HTTPS binding or certificate issues.

    If these steps do not resolve the issue, please consider the following questions to help clarify the problem:

    1. Can you verify if the YARP service is running and listening on port 443?
    2. Do your YARP logs show any error messages when you try to access the port?
    3. Is there any configuration in YARP that could impact how HTTPS traffic is handled?

    Troubleshoot Azure Load Balancer: Troubleshoot common problems with Azure Load Balancer | Microsoft Learn

    Use a public standard load balancer in Azure Kubernetes Service: Use a public load balancer in Azure Kubernetes Service (AKS) - Azure Kubernetes Service | Microsoft Learn

    Azure Load Balancer health probes: Azure Load Balancer health probes | Microsoft Learn

    Kindly let us know if the above helps or you need further assistance on this issue.

    Please do not forget to “Accept the answer” and “up-vote it” wherever the information provided helps you, this can be beneficial to other community members. It would be greatly appreciated and helpful to others.

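Added example, not part of the question or of either answer: a small Python check that walks the steps an HTTP(S) health check takes against a backend (TCP connect, TLS handshake, `GET /health`) and reports the first one that fails, which separates the failed-handshake case raised in the first answer from the listener and connectivity checks in the second. The names `probe` and `start_plain_http_backend` are hypothetical, the stand-in backend is constructed for the demonstration, and certificate verification is off by default as an assumption so that only the handshake itself is tested.

```python
import socket
import ssl
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

def probe(host, port, path="/health", scheme="https", timeout=5.0, verify=False):
    """Mimic an HTTP(S) health check; return (stage, detail) for the first failing step."""
    try:
        # Step 1: TCP. A timeout rather than a refusal points to packets being dropped.
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("tcp_connect_failed", str(exc))
    try:
        if scheme == "https":
            ctx = ssl.create_default_context()
            if not verify:
                # Assumption: skip trust checks so only "does it speak TLS" is tested.
                ctx.check_hostname = False
                ctx.verify_mode = ssl.CERT_NONE
            try:
                # Step 2: TLS handshake on the already-open connection.
                sock = ctx.wrap_socket(sock, server_hostname=host)
            except OSError as exc:  # ssl.SSLError and handshake timeouts
                return ("tls_handshake_failed", str(exc))
        # Step 3: the HTTP request; only status 200 counts as healthy here.
        request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
        sock.sendall(request.encode("ascii"))
        with sock.makefile("rb") as reply:
            parts = reply.readline().decode("latin-1").split()
        if len(parts) < 2 or not parts[1].isdigit():
            return ("http_no_response", " ".join(parts))
        return ("healthy" if parts[1] == "200" else "unhealthy_status", parts[1])
    except OSError as exc:
        return ("http_no_response", str(exc))
    finally:
        sock.close()

def start_plain_http_backend():
    """Constructed stand-in: serves /health over plain HTTP, no TLS listener."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(200 if self.path == "/health" else 404)
            self.end_headers()
        def log_message(self, *args):
            pass  # keep the demo quiet
    server = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server
```

Run `probe` from inside the cluster against a pod IP on port 443, then with `scheme="http"` on 8080, and compare the reported stages. A `tls_handshake_failed` result on 443 alongside `healthy` on 8080 indicates the container is not terminating TLS on that port.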