You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Historically, Application Gateway v2 SKUs, and to a certain extent v1, have required public IP addressing to enable management of the service. This requirement has imposed several limitations in using fine-grain controls in Network Security Groups and Route Tables. Specifically, the following challenges have been observed:
18
+
Historically, Application Gateway v2 SKUs, and to a certain extent v1, have required public IP addressing to enable management of the service. This requirement has imposed several limitations in using fine-grain controls in Network Security Groups and Route Tables. Specifically, the following challenges have been observed:
19
19
20
20
* All Application Gateways v2 deployments must contain public facing frontend IP configuration to enable communication to the **Gateway Manager** service tag.
21
21
* Network Security Group associations require rules to allow inbound access from GatewayManager and Outbound access to Internet.
@@ -32,13 +32,148 @@ Application Gateway v2 can now address each of these items to further eliminate
32
32
33
33
Each of these features can be configured independently. For example, a public IP address can be used to allow traffic inbound from the Internet and you can define a **_Deny All_** outbound rule in the network security group configuration to prevent data exfiltration.
34
34
35
+
## Onboard to public preview
36
+
37
+
The functionality of the new controls of private IP frontend configuration, control over NSG rules, and control over route tables, are currently in public preview. To join the public preview, you can opt in to the experience using the Azure portal, PowerShell, CLI, or REST API.
38
+
39
+
When you join the preview, all new Application Gateways provision with the ability to define any combination of the NSG, Route Table, or private IP configuration features. If you wish to opt out from the new functionality and return to the current generally available functionality of Application Gateway, you can do so by [unregistering from the preview](#unregister-from-the-preview).
40
+
41
+
For more information about preview features, see [Set up preview features in Azure subscription](../azure-resource-manager/management/preview-features.md)
42
+
43
+
## Register to the preview
44
+
45
+
# [Azure Portal](#tab/portal)
46
+
47
+
Use the following steps to enroll into the public preview for the enhanced Application Gateway network controls via the Azure portal:
48
+
49
+
1. Sign in to the [Azure portal](https://portal.azure.com/).
50
+
2. In the search box, enter _subscriptions_ and select **Subscriptions**.
4. From the left menu, under **Settings** select **Preview features**.
59
+
60
+
:::image type="content" source="../azure-resource-manager/management/media/preview-features/preview-features-menu.png" alt-text="Azure preview features menu.":::
61
+
62
+
5. You see a list of available preview features and your current registration status.
63
+
64
+
:::image type="content" source="../azure-resource-manager/management/media/preview-features/preview-features-list.png" alt-text="Azure portal list of preview features.":::
65
+
66
+
6. From **Preview features** type into the filter box **EnableApplicationGatewayNetworkIsolation**, check the feature, and click **Register**.
To enroll into the public preview for the enhanced Application Gateway network controls via Azure PowerShell, the following commands can be referenced:
A list of all Azure CLI references for Private Link Configuration on Application Gateway can be found here: [Azure CLI CLI - Private Link](/cli/azure/network/application-gateway/private-link)
101
+
102
+
---
103
+
104
+
>[!Note]
105
+
>Feature registration may take up to 30 minutes to transition from Registering to Registered status.
106
+
107
+
For more information about preview features, see [Set up preview features in Azure subscription](../azure-resource-manager/management/preview-features.md)
108
+
109
+
## Unregister from the preview
110
+
111
+
# [Azure Portal](#tab/portal)
112
+
113
+
To opt out of the public preview for the enhanced Application Gateway network controls via Portal, use the following steps:
114
+
115
+
1. Sign in to the [Azure portal](https://portal.azure.com/).
116
+
2. In the search box, enter _subscriptions_ and select **Subscriptions**.
4. From the left menu, under **Settings** select **Preview features**.
125
+
126
+
:::image type="content" source="../azure-resource-manager/management/media/preview-features/preview-features-menu.png" alt-text="Azure preview features menu.":::
127
+
128
+
5. You see a list of available preview features and your current registration status.
129
+
130
+
:::image type="content" source="../azure-resource-manager/management/media/preview-features/preview-features-list.png" alt-text="Azure portal list of preview features.":::
131
+
132
+
6. From **Preview features** type into the filter box **EnableApplicationGatewayNetworkIsolation**, check the feature, and click **Unregister**.
A list of all Azure CLI references for Private Link Configuration on Application Gateway can be found here: [Azure CLI CLI - Private Link](/cli/azure/network/application-gateway/private-link)
167
+
168
+
---
169
+
35
170
## Regions and availability
36
171
37
-
The Private Application Gateway is available to all public cloud regions [where Application Gateway v2 sku is supported](./overview-v2.md#unsupported-regions).
172
+
The Private Application Gateway preview is available to all public cloud regions [where Application Gateway v2 sku is supported](./overview-v2.md#unsupported-regions).
38
173
39
174
## Configuration of network controls
40
175
41
-
Configuration of NSG, Route Table, and private IP address frontend configuration can be performed using any methods. For example: REST API, ARM Template, Bicep deployment, Terraform, PowerShell, CLI, or Portal. No API or command changes are introduced with this feature.
176
+
After registration into the public preview, configuration of NSG, Route Table, and private IP address frontend configuration can be performed using any methods. For example: REST API, ARM Template, Bicep deployment, Terraform, PowerShell, CLI, or Portal. No API or command changes are introduced with this public preview.
42
177
43
178
## Resource Changes
44
179
@@ -57,7 +192,7 @@ Application Gateway Subnet is the subnet within the Virtual Network where the Ap
57
192
58
193
## Outbound Internet connectivity
59
194
60
-
Application Gateway deployments that contain only a private frontend IP configuration (don't have a public IP frontend configuration) aren't able to egress traffic destined to the Internet. This configuration affects communication to backend targets that are publicly accessible via the Internet.
195
+
Application Gateway deployments that contain only a private frontend IP configuration (do not have a public IP frontend configuration) aren't able to egress traffic destined to the Internet. This configuration affects communication to backend targets that are publicly accessible via the Internet.
61
196
62
197
To enable outbound connectivity from your Application Gateway to an Internet facing backend target, you can utilize [Virtual Network NAT](../virtual-network/nat-gateway/nat-overview.md) or forward traffic to a virtual appliance that has access to the Internet.
63
198
@@ -73,14 +208,14 @@ Common scenarios where public IP usage is required:
73
208
74
209
## Network Security Group Control
75
210
76
-
Network security groups associated to an Application Gateway subnet no longer require inbound rules for GatewayManager, and they don't require outbound access to the Internet. The only required rule is **Allow inbound from AzureLoadBalancer** to ensure health probes can reach the gateway.
211
+
Network security groups associated to an Application Gateway subnet no longer require inbound rules for GatewayManager, and they don't require outbound access to the Internet. The only required rule is **Allow inbound from AzureLoadBalancer** to ensure health probes can reach the gateway.
77
212
78
-
The following configuration is an example of the most restrictive set of inbound rules, denying all traffic but Azure health probes. In addition to the defined rules, explicit rules are defined to allow client traffic to reach the listener of the gateway.
213
+
The following configuration is an example of the most restrictive set of inbound rules, denying all traffic but Azure health probes. In addition to the defined rules, explicit rules are defined to allow client traffic to reach the listener of the gateway.
79
214
80
215
[](./media/application-gateway-private-deployment/inbound-rules.png#lightbox)
81
216
82
217
> [!Note]
83
-
> Application Gateway will display an alert asking to ensure the `Allow LoadBalanceRule` is specified if a `DenyAll` rule inadvertently restricts access to health probes.
218
+
> Application Gateway will display an alert asking to ensure the **Allow LoadBalanceRule** is specified if a **DenyAll** rule inadvertently restricts access to health probes.
84
219
85
220
### Example scenario
86
221
@@ -146,7 +281,7 @@ These rules are assigned a priority of 400, 401, and 4096, respectively.
146
281
To create these rules:
147
282
- Select **Outbound security rules**
148
283
- Select **Add**
149
-
- Enter the following information for each rule into the `Add outbound` security rule** pane.
284
+
- Enter the following information for each rule into the **Add outbound security rule** pane.
150
285
- When you've entered the information, select **Add** to create the rule.
151
286
- Creation of each rule takes a moment.
152
287
@@ -175,15 +310,17 @@ Result:
175
310
176
311
## Route Table Control
177
312
178
-
The ability to forward traffic to a virtual appliance is now possible via definition of a route table rule that defines 0.0.0.0/0 with a next hop to Virtual Appliance.
313
+
In the current offering of Application Gateway, association of a route table with a rule (or creation of rule) defined as 0.0.0.0/0 with a next hop as virtual appliance is unsupported to ensure proper management of Application Gateway.
314
+
315
+
After registration of the public preview feature, the ability to forward traffic to a virtual appliance is now possible via definition of a route table rule that defines 0.0.0.0/0 with a next hop to Virtual Appliance.
179
316
180
-
Forced Tunneling or learning of 0.0.0.0/0 route through BGP advertising doesn't affect Application Gateway health, and is honored for traffic flow. This scenario can be applicable when using VPN, ExpressRoute, Route Server, or Virtual WAN.
317
+
Forced Tunneling or learning of 0.0.0.0/0 route through BGP advertising does not affect Application Gateway health, and is honored for traffic flow. This scenario can be applicable when using VPN, ExpressRoute, Route Server, or Virtual WAN.
181
318
182
319
### Example scenario
183
320
184
-
In the following example, we create a route table and associate it to the Application Gateway subnet to ensure outbound Internet access from the subnet will egress from a virtual appliance. At a high level, the following design is summarized in Figure 1:
321
+
In the following example, we create a route table and associate it to the Application Gateway subnet to ensure outbound Internet access from the subnet will egress from a virtual appliance. At a high level, the following design is summarized in Figure 1:
185
322
- The Application Gateway is in spoke virtual network
186
-
- There's a network virtual appliance (a virtual machine) in the hub network
323
+
- There is a network virtual appliance (a virtual machine) in the hub network
187
324
- A route table with a default route (0.0.0.0/0) to the virtual appliance is associated to Application Gateway subnet
188
325
189
326
@@ -208,7 +345,7 @@ To create a route table and associate it to the Application Gateway subnet:
208
345
209
346
## Limitations / Known Issues
210
347
211
-
The following limitations are known.
348
+
While in public preview, the following limitations are known.
212
349
213
350
### Private link configuration
214
351
@@ -239,8 +376,8 @@ If a subnet shares Application Gateway v2 deployments that were created both pri
239
376
240
377
### Unknown Backend Health status
241
378
242
-
If backend health is _Unknown_, you might see the following error:
243
-
+ The backend health status could not be retrieved. This happens when an NSG/UDR/Firewall on the application gateway subnet is blocking traffic on ports 65503-65534 (v1 SKU) and ports 65200-65535 (v2 SKU). This error can also occur if the FQDN configured in the backend pool could not be resolved to an IP address. To learn more visit - https://aka.ms/UnknownBackendHealth.
379
+
If backend health is _Unknown_, you may see the following error:
380
+
+ The backend health status could not be retrieved. This happens when an NSG/UDR/Firewall on the application gateway subnet is blocking traffic on ports 65503-65534 if there is v1 SKU, and ports 65200-65535 if there is v2 SKU or if the FQDN configured in the backend pool could not be resolved to an IP address. To learn more visit - https://aka.ms/UnknownBackendHealth.
244
381
245
382
This error can be ignored and will be clarified in a future release.
0 commit comments