Azure Gateway Subnet Setup and Configuration Guide


Setting up an Azure Gateway subnet is a crucial step in creating a secure and efficient virtual network.

To begin, you'll need to create a subnet for your Azure Gateway. This subnet is used to route traffic between your on-premises network and Azure.

The Azure Gateway subnet must be a /27 or shorter subnet, which means it must have at least 64 addresses available.

This is a requirement to ensure that the gateway can be properly configured and function correctly.

The subnet IP address must be unique and not overlap with any other subnets in your virtual network.

Azure Gateway Setup

To set up an Azure gateway, you first need to create a virtual network gateway. This can be done using the command "az network vnet-gateway create".

Once you've created the virtual network gateway, you can get its details using the command "az network vnet-gateway show". This command will provide you with the necessary information to manage your gateway.

The virtual network gateway is a critical component of an Azure gateway subnet, and understanding its details is essential for a successful setup.

Local Gateway Setup

Before you set up your local gateway, make sure your environment meets the necessary criteria. This includes having a functioning route-based VPN gateway, which can be created by following the instructions in the "Create a VPN gateway" section.

Verify that you have a clear understanding of your on-premises network configuration, including the IP address ranges. If you're unfamiliar with these details, coordinate with someone who can provide them for you.

You'll need to specify the IP address range prefixes that Azure routes to your on-premises location when creating the configuration. None of the subnets of your on-premises network can overlap with the virtual network subnets you want to connect to.

To set up your local gateway, you'll need to create a local network gateway (LNG) in Azure. This is typically your on-premises location, and it's not the same as a virtual network gateway.

The LNG has a name that Azure uses to refer to it, and you'll specify the IP address of your on-premises VPN device to create a connection. You'll also specify the IP address prefixes that are routed through the VPN gateway to the VPN device.

The GatewayIPAddress is the IP address of your on-premises VPN device, not your Azure VPN gateway. The AddressPrefix is your on-premises address space, which you'll need to specify when creating the LNG.

Here's a summary of the key details to keep in mind when setting up your local gateway:

Remember to update the IP address prefixes if your on-premises network changes. This makes it easy to keep your LNG configuration up to date.
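As an added example (not from this article), the Python below checks the two address-space rules given above: the GatewaySubnet prefix must be /27 or shorter, and no VNet subnet may overlap another VNet subnet or any on-premises prefix you would put in the LNG AddressPrefix. The topology values and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample topology (not from the article): a VNet with three
# subnets, one of them the GatewaySubnet, plus the on-premises prefixes
# that would go into the local network gateway (LNG) AddressPrefix.
VNET_SUBNETS = {
    "GatewaySubnet": "10.1.255.0/27",
    "web": "10.1.1.0/24",
    "data": "10.1.2.0/24",
}
# The second on-premises range deliberately overlaps the "data" subnet.
ONPREM_PREFIXES = ["192.168.0.0/16", "10.1.2.0/25"]

MAX_GATEWAY_PREFIXLEN = 27  # /27 or shorter, as the article requires


def check_gateway_prefix(cidr, max_prefixlen=MAX_GATEWAY_PREFIXLEN):
    """True if the gateway subnet prefix is /27 or shorter (a larger block)."""
    return ipaddress.ip_network(cidr, strict=True).prefixlen <= max_prefixlen


def find_overlaps(named_prefixes):
    """Return (name_a, name_b) pairs whose address ranges overlap.

    named_prefixes maps a label to a CIDR string. It accepts any mix of
    VNet subnets and on-premises ranges, so one call covers both checks.
    """
    nets = {name: ipaddress.ip_network(c, strict=True)
            for name, c in named_prefixes.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def validate_topology(vnet_subnets, onprem_prefixes):
    """Collect every violation of the two rules as human-readable lines."""
    problems = []
    gw = vnet_subnets.get("GatewaySubnet")
    if gw is None:
        problems.append("no GatewaySubnet defined")
    elif not check_gateway_prefix(gw):
        problems.append(f"GatewaySubnet {gw} is longer than /{MAX_GATEWAY_PREFIXLEN}")
    combined = dict(vnet_subnets)
    for i, p in enumerate(onprem_prefixes):
        combined[f"onprem[{i}]"] = p
    for a, b in find_overlaps(combined):
        problems.append(f"{a} ({combined[a]}) overlaps {b} ({combined[b]})")
    return problems


if __name__ == "__main__":
    for line in validate_topology(VNET_SUBNETS, ONPREM_PREFIXES) or ["topology OK"]:
        print(line)
```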

NAT Gateway Architecture

NAT Gateway architecture is a key component of Azure Gateway Setup, and it's essential to understand how it works.

NAT Gateway uses software defined networking to operate as a distributed and fully managed service, allowing it to withstand multiple failures without affecting the service.

This means you can rely on NAT Gateway to provide a stable connection to the internet for your Azure virtual network.

NAT Gateway provides source network address translation (SNAT) for private instances within subnets of your Azure virtual network.

No extra routing configurations are required when a NAT gateway is attached to a subnet within a virtual network.

Once attached, the NAT gateway becomes the subnet's default next hop for all outbound traffic directed to the internet.

However, NAT Gateway doesn't provide unsolicited inbound connections from the internet.

This is a key limitation to keep in mind when setting up your Azure Gateway.

Here are some important limitations to be aware of:

  • A NAT gateway can’t be used with IPv6 public IP addresses or prefixes.
  • A NAT gateway can’t be used with basic SKU public IP addresses.

Network Configuration

To configure network access for your Azure gateway subnet, you'll need to set up inbound rules. These rules allow traffic from specific sources to reach your application gateway.

The first rule should allow incoming traffic from your expected clients, such as source IP or IP range, to your application gateway's entire subnet IP prefix and inbound access ports. For example, if you have listeners configured for ports 80 and 443, you must allow these ports.

You can also set this rule to "Any" if needed. The source should be set to "as per need", source ports to "Any", destination to your subnet IP prefix, destination ports to your listener ports, protocol to "TCP", and access to "Allow."

Another rule is required when you use the same port configuration for active public and private listeners. In this case, the destination of all inbound flows is changed to the frontend IPs of your gateway, so you must include these IPs in the destination of the inbound rule.

Here's a summary of the required inbound rules:

Additionally, you'll need to allow incoming requests from the GatewayManager service tag and any destination, with destination port ranges depending on the SKU.

Virtual Network

In a virtual network, an Application Gateway is a dedicated deployment that requires a dedicated subnet. You can have multiple instances of a specific Application Gateway deployment in a subnet, but not other resources.

A subnet named GatewaySubnet is reserved for VPN gateways, and Application Gateway v1 resources using this subnet need to be moved to a different subnet or migrated to the v2 SKU by September 30, 2023.

To deploy an Application Gateway, you need to verify that the users and service principals have at least the following permissions on the virtual network or subnet: Microsoft.Network/virtualNetworks/subnets/join/action and Microsoft.Network/virtualNetworks/subnets/read.

The Network contributor built-in role already supports these permissions, but you can create and assign a custom role if needed.

A NAT gateway can be attached to multiple subnets within a virtual network, but it assumes the default route to the internet and cannot be used with a gateway subnet.

Here are the restrictions on attaching a NAT gateway to subnets:

  • Only one NAT gateway can serve as the default route to the internet for a subnet.
  • A NAT gateway can’t be attached to subnets from different virtual networks.
  • A NAT gateway can’t be used with a gateway subnet.

To get the details of a virtual network gateway, you can use the az network vnet-gateway show command.

Size of the Network

The size of a network configuration can vary greatly, with some configurations having only a few devices connected, while others can span entire cities with thousands of nodes.

In a typical small office network, there are usually around 10-20 devices connected, including computers, printers, and servers.

The number of devices in a network is directly related to the complexity of the configuration, with more devices requiring more configuration and management.

A large enterprise network, on the other hand, can have tens of thousands of devices connected, making it a much more complex and challenging configuration to manage.

The size of a network also affects the scalability and reliability of the configuration, with larger networks requiring more robust and redundant systems to ensure uptime and performance.

In a large network, it's not uncommon to see multiple layers of network devices, such as routers, switches, and firewalls, working together to ensure reliable data transmission.

Inbound Rules

Inbound rules are crucial for allowing incoming traffic to your application gateway. You need to allow incoming traffic from the expected clients, such as source IP or IP range, to your application gateway's entire subnet IP prefix and inbound access ports.

To do this, you can create a rule with the following settings:

  • Source: as per need
  • Source ports: Any
  • Destination: Subnet IP Prefix
  • Destination ports: listener ports
  • Protocol: TCP
  • Access: Allow

For example, if you have listeners configured for ports 80 and 443, you must allow these ports. You can also set this rule to Any.

It's worth noting that after you configure active public and private listeners with the same port number, your application gateway changes the Destination of all inbound flows to the frontend IPs of your gateway. This means you must include your gateway's frontend public and private IP addresses in the Destination of the inbound rule when you use the same port configuration.

Here are the specific settings for this rule:

  • Source: as per need
  • Source ports: Any
  • Destination: Public and Private frontend IPs
  • Destination ports: listener ports
  • Protocol: TCP
  • Access: Allow

You also need to allow incoming requests from the source as the GatewayManager service tag and Any destination. The destination port range differs based on SKU and is required for communicating the status of the backend health.

Here are the specific settings for this rule:

  • Source: GatewayManager
  • Source ports: Any
  • Destination: Any
  • Destination ports: 65200-65535 for V2 and 65503-65534 for V1
  • Protocol: TCP
  • Access: Allow

Finally, you can block all other incoming traffic by using a Deny All rule.
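As an added example (not from this article), this Python models an inbound NSG rule set with the fields named above and reports which of the three required rules are missing: the listener-port Allow to the subnet prefix, the GatewayManager Allow on the SKU's backend-health port range, and the closing Deny All. The sample NSG, its field names and its priority values are constructed assumptions.

```python
# Constructed sample NSG (not from the article): the inbound rule set of an
# Application Gateway v2 subnet, modelled as dicts with the fields the
# article names. Field names and priority values are assumptions.
SUBNET_PREFIX = "10.1.3.0/24"
LISTENER_PORTS = {80, 443}
SAMPLE_NSG_V2 = [
    {"priority": 100, "source": "203.0.113.0/24", "source_ports": "*",
     "destination": SUBNET_PREFIX, "dest_ports": "80,443",
     "protocol": "Tcp", "access": "Allow"},
    {"priority": 110, "source": "GatewayManager", "source_ports": "*",
     "destination": "*", "dest_ports": "65200-65535",
     "protocol": "Tcp", "access": "Allow"},
    {"priority": 4096, "source": "*", "source_ports": "*",
     "destination": "*", "dest_ports": "*", "protocol": "*", "access": "Deny"},
]

# Backend-health port ranges per SKU, as given in the article.
GATEWAY_MANAGER_PORTS = {"V1": (65503, 65534), "V2": (65200, 65535)}


def port_set(spec):
    """Expand '80,443', '65200-65535' or '*' into a set of ports (None = any)."""
    if spec == "*":
        return None
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def covers(rule_ports, wanted):
    """True if rule_ports (None = any port) includes every port in wanted."""
    return rule_ports is None or wanted <= rule_ports


def missing_rules(rules, sku, listener_ports, subnet_prefix):
    """Return the article's required rules that this NSG does not contain."""
    lo, hi = GATEWAY_MANAGER_PORTS[sku]
    health_ports = set(range(lo, hi + 1))
    allows = [r for r in rules
              if r["access"] == "Allow" and r["protocol"] in ("Tcp", "*")]
    problems = []
    # 1. Clients must reach the subnet prefix on every listener port.
    if not any(r["destination"] in (subnet_prefix, "*")
               and covers(port_set(r["dest_ports"]), listener_ports) for r in allows):
        problems.append(f"no Allow rule for listener ports {sorted(listener_ports)} to {subnet_prefix}")
    # 2. GatewayManager must reach the SKU's backend-health range; a V1-only
    #    range (65503-65534) does not cover what V2 needs.
    if not any(r["source"] == "GatewayManager" and r["destination"] == "*"
               and covers(port_set(r["dest_ports"]), health_ports) for r in allows):
        problems.append(f"no Allow rule for GatewayManager on {lo}-{hi} ({sku})")
    # 3. Everything else is dropped by a Deny All at the lowest priority.
    last = max(rules, key=lambda r: r["priority"], default=None)
    if not (last and last["access"] == "Deny" and last["source"] == "*"
            and last["dest_ports"] == "*"):
        problems.append("no Deny All rule at lowest priority")
    return problems
```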

Static Public IP Addresses

A NAT gateway can be associated with static public IP addresses or public IP prefixes for providing outbound connectivity. NAT Gateway supports IPv4 addresses.

You can use a total of 16 IP addresses in any combination of public IP addresses or prefixes. If you assign a public IP prefix, the entire prefix is used.

A public IP prefix can be distributed directly or across multiple NAT gateway resources.

DNS and Routing

You can configure your Azure Application Gateway to use custom DNS servers, which is useful if you need more control over name resolution. This setting must be applied to the virtual network resource and will be honored by the instances of your application gateway.

To use custom DNS servers, you'll need to restart your application gateway, as the changes won't take effect until then. This is a simple step, but it's essential to ensure that your setup is working as intended.

Application Gateway requires custom DNS servers to be able to resolve public internet names, so make sure yours can do that.

Here are some supported user-defined routes (UDRs) scenarios for the Application Gateway subnet:

  • v1: UDRs are supported if they don't alter end-to-end request/response communication. For example, setting up a UDR to point to a firewall appliance for packet inspection is allowed.
  • v2: There are supported and unsupported scenarios, but it's recommended to check the specific details for this SKU.

DNS Servers

When you configure DNS servers for your virtual network resource, you can choose between Azure-provided default or custom DNS servers.

The instances of your application gateway will honor this DNS configuration for any name resolution, which means they'll use the chosen DNS servers to resolve names.

You'll need to restart your application gateway after changing the DNS server setting for these changes to take effect on the instances.

The first DNS server to respond will have its value used for the DNS query issued by an instance of your Application Gateway.

Custom DNS servers used in the Application Gateway virtual network must be able to resolve public internet names.

Application Gateway requires this capability to function properly.

Supported User-Defined Routes

If you're looking to fine-tune your Application Gateway subnet, you can use user-defined routes (UDRs) in public preview. However, there are some restrictions to keep in mind.

For the v1 SKU, UDRs are supported on the Application Gateway subnet if they don't alter end-to-end request/response communication. For example, you can set up a UDR to point to a firewall appliance for packet inspection, as long as the packet can reach its intended destination after inspection.

There are specific scenarios where UDRs are supported in the v2 SKU. To ensure proper routing, all management/control plane traffic should be sent directly to the internet and not through a virtual appliance.

You can use UDRs to disable Border Gateway Protocol (BGP) route propagation to the Application Gateway subnet. This is done by creating a route table resource in Azure, disabling virtual network gateway route propagation, and associating the route table to the appropriate subnet.

Alternatively, you can use a UDR to send 0.0.0.0/0 traffic directly to the internet. This is useful in scenarios where you need to bypass BGP route propagation.

If you're using Azure Kubernetes Service (AKS) with kubenet and Application Gateway Ingress Controller, you'll need a route table to allow traffic sent to the pods from Application Gateway to be routed to the correct node.

Here are the steps to use a route table for kubenet:

Note that you don't need to use a route table if you use Azure Container Networking Interface.

Security and Permissions

To ensure secure operations, it's essential to verify that users and service principals have the necessary permissions on the virtual network resource.

The Application Gateway resource is deployed inside a virtual network, so checks are performed to verify the permission on the virtual network resource. This validation is performed during both creation and management operations and also applies to the managed identities for Application Gateway Ingress Controller.

To grant the required permissions, check Azure role-based access control to verify that users and service principals have at least the following permissions on the virtual network or subnet:

  • Microsoft.Network/virtualNetworks/subnets/join/action
  • Microsoft.Network/virtualNetworks/subnets/read

Using built-in roles, such as Network contributor, can simplify the process as they already support these permissions. If a built-in role doesn't provide the right permission, creating and assigning a custom role is an option.

Security Groups

Network security groups are a crucial aspect of securing your Application Gateway subnet.

You can use NSGs, but be aware of some key points and restrictions. Note that these NSG limitations are relaxed when you use Private Application Gateway deployment (preview).

Network security groups can be used to control incoming and outgoing traffic to your Application Gateway subnet.

These NSGs are a powerful tool for securing your application, but it's essential to understand their limitations and how they work with Private Application Gateway deployment.

Required Security Rules

To use an NSG with your application gateway, you need to create or retain some essential security rules. These rules are crucial for ensuring the smooth operation of your application gateway.

You'll need to allow incoming traffic from expected clients, which can be specified by source IP or IP range. The destination should be your application gateway's entire subnet IP prefix and inbound access ports.

You can set this rule to allow traffic from any source, but be aware that this may not be the most secure option. If you have listeners configured for ports 80 and 443, you must allow these ports.

Here are the essential security rules you'll need to create or retain:

You can block all other incoming traffic by using a Deny All rule.

Virtual Permission

Permission on the virtual network is a crucial aspect of security and permissions in Azure. The Application Gateway resource is deployed inside a virtual network, so checks are performed to verify the permission on the virtual network resource.

To ensure proper functioning, you need to check your Azure role-based access control to verify that the users and service principals that operate application gateways have at least the following permissions on the virtual network or subnet:

  • Microsoft.Network/virtualNetworks/subnets/join/action
  • Microsoft.Network/virtualNetworks/subnets/read

You can use built-in roles, such as Network contributor, which already support these permissions. If a built-in role doesn't provide the right permission, you can create and assign a custom role.

Frequently Asked Questions

What is the recommended subnet size for Azure gateway?

For Azure gateways, we recommend a gateway subnet size of /27 or larger, such as /27, /26, or /25. This applies to all Azure SKUs except the Basic SKU, which can use a /29 subnet.
