You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/application-gateway/application-gateway-private-deployment.md
+29Lines changed: 29 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -177,10 +177,15 @@ The following regions are available for public preview. Provisioning in regions
177
177
- East Asia
178
178
- East US
179
179
- East US 2
180
+
- France Central
180
181
- Japan East
182
+
- Korea Central
183
+
- Korea South
181
184
- North Central US
182
185
- North Europe
186
+
- Norway East
183
187
- Southeast Asia
188
+
- South Africa North
184
189
- South Central US
185
190
- Switzerland North
186
191
- UK South
@@ -204,6 +209,22 @@ The resource tag is cosmetic, and serves to confirm that the gateway has been pr
204
209
> [!TIP]
205
210
> The **EnhancedNetworkControl** tag can be helpful when existing Application Gateways were deployed in the subscription prior to feature enablement and you would like to differentiate which gateway can utilize the new functionality.
206
211
212
+
## Outbound internet connectivity
213
+
214
+
Application Gateway deployments that contain only a private frontend IP configuration (do not have a public IP frontend configuration) will not be able to egress traffic destined to the internet. This will affect communication to a backend targets that are publicly accessible via the internet.
215
+
216
+
To enable outbound connectivity from your Application Gateway to an internet facing backend target, you may utilize [Virtual Network NAT](../virtual-network/nat-gateway/nat-overview.md) or forward traffic to a virtual appliance that has access to the internet.
217
+
218
+
Virtual Network NAT offers control over what IP address or prefix should be used as well as configurable idle-timeout. To configure, create a new NAT Gateway with a public IP address or public prefix and associate it with the subnet containing Application Gateway.
219
+
220
+
If a virtual appliance is required for internet egress, see the [route table control](#route-table-control) section in this document for more information.
221
+
222
+
Common scenarios where public IP usage is required:
223
+
- Communication to key vault without use of private endpoints or service endpoints
224
+
- Outbound communication is not required for pfx files uploaded to Application Gateway directly
225
+
- Communication to backend targets via internet
226
+
- Communication to internet facing CRL or OCSP endpoints
227
+
207
228
## Network Security Group Control
208
229
209
230
Network security groups associated to an Application Gateway subnet no longer require inbound rules for GatewayManager, and they don't require outbound access to the Internet. The only required rule is **Allow inbound from AzureLoadBalancer** to ensure health probes can reach the gateway.
@@ -417,6 +438,14 @@ While in public preview, the following limitations are known.
417
438
418
439
[Private link configuration](private-link.md) support for tunneling traffic through private endpoints to Application Gateway is unsupported with private only gateway.
419
440
441
+
### Coexisting v2 Application Gateways created prior to enablement of enhanced network control
442
+
443
+
If a subnet shares Application Gateway v2 deployments that were created prior and post enablement of the enhanced network control functionality, Network Security Group (NSG) and Route Table functionality will be limited to prior gateway deployment. Application gateways provisioned prior to enablement of the new functionality should either reprovision the existing gateways or provision newly created gateways to a new subnet to take advantage of the enahanced network security group and route table features.
444
+
445
+
If a gateway deployed prior to enablement of the new functionality exists in the subnet, you may see errors such as "For routes associated to subnet containing Application Gateway V2, please ensure '0.0.0.0/0' uses Next Hop Type as 'Internet'." when adding route table entries or "Failed to create security rule 'DenyAnyCustomAnyOutbound'. Error: Network security group <NSG-Name> blocks outgoing internet traffic on subnet \<AppGWSubnetId\>, associated with Application Gateway \<AppGWResourceId\>. This is not permitted for Application Gateways that have fast update enabled or have V2 Sku." when adding network security group rules to the subnet.
446
+
447
+
[Private link configuration](private-link.md) support for tunneling traffic through private endpoints to Application Gateway is unsupported with private only gateway.
448
+
420
449
### Private Endpoint Network Policy is unsupported
421
450
422
451
[Private endpoint network policy](../private-link/disable-private-endpoint-network-policy.md) applied to subnets containing Private Endpoints is unsupported for this preview. If enabled, traffic from Application Gateway to Private Endpoints may be dropped, resulting in unhealthy backend health. If the subnet is enabled for private endpoint network policy, you will need to provision a new subnet with private endpoint network policy disabled. Changed Enabled to Disabled on an existing subnet will still result in private endpoints dropping traffic.
0 commit comments