Choosing between Basic and standard V2 app GW

WinTechie 286 Reputation points
2022-12-26T13:12:07.633+00:00

Hi,

I need to deploy an application gateway with more features like "header rewrites" and high availability, but it should only serve my internal applications from my private network.

When I choose Standard v2 over v1, it tells me that currently "only private frontend" isn't supported, hence I need to go with both. Therefore I am planning to add a dummy public IP and, once it is provisioned, I will disassociate that public IP and only keep the private IP from the intended subnet.

Is it feasible to do so? I suspect it might always expect to have at least one public IP associated (I am hoping I am wrong in this assumption).

Also, while provisioning App GW Standard v2, it always expects to be assigned a "Static private IP" from the subnet, as "Application Gateway with SKU tier Standard_v2 can only use private IP address with allocation method as Static" (dynamic is not supported).

Since I have a couple of WAF v2 App GWs already running in the same subnet, I am afraid of causing a conflict with IPs that are already used by the existing application gateway instances (WAF v2), as there is currently no way to view which specific private IPs are used by gateway instances in the subnet concerned so that I can pick an unused IP for my new App GW private frontend IP.

Clarity on these 2 points would be very much appreciated.


Accepted answer
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator
2022-12-26T14:12:01.847+00:00

    Hello @WinTechie ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to deploy Application gateway with features like "header rewrites", high availability but that should only support your internal applications from your private network.

    As you correctly mentioned, Application Gateway V2 currently doesn't support only private IP mode. It supports the following combinations:

    • Private IP and Public IP
    • Public IP only

    But if you'd like to use Application Gateway V2 with only private IP, you can follow the process below:

    • Create an Application Gateway with both public and private frontend IP address
    • Don't create any listeners for the public frontend IP address. Application Gateway won't listen to any traffic on the public IP address if no listeners are created for it.
    • Create and attach a Network Security Group for the Application Gateway subnet to allow traffic only from GatewayManager & AzureLoadBalancer and deny traffic from Internet while keeping the default rules like allowing VirtualNetwork inbound so that the access on private IP address isn't blocked.
    • NOTE : Outbound internet connectivity can't be blocked. Otherwise, you will face issues with logging, metrics, etc.

    Refer : https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-faq#how-do-i-use-application-gateway-v2-with-only-private-frontend-ip-address

    The Azure Application Gateway V2 SKU can be configured to support either both static internal IP address and static public IP address, or only static public IP address. It cannot be configured to support only static internal IP address.
    For a private IP address, you can specify a private IP address from the subnet where the application gateway is created. For Application Gateway v2 SKU deployments, a static IP address must be defined when adding a private IP address to the gateway.
    Refer : https://learn.microsoft.com/en-us/azure/application-gateway/configuration-frontend-ip

    To determine the available capacity of a subnet that has existing Application Gateways provisioned, take the size of the subnet and subtract the five IP addresses reserved by the platform. Next, take each gateway and subtract its max-instance count. For each gateway that has a private frontend IP configuration, subtract one additional IP address per gateway as well.

    Please refer to the doc below for the calculation method to determine the next available private IP address in an Application Gateway subnet:
    https://learn.microsoft.com/en-us/azure/application-gateway/configuration-infrastructure#size-of-the-subnet

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
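The subnet capacity arithmetic quoted in the accepted answer, carried through as an added example (not code from the answer or from Azure) on a constructed subnet and gateway list; the gateway names, instance counts and CIDRs are made up for illustration.

```python
# Added example, not from the Q&A answer: the subnet capacity arithmetic the answer
# quotes, applied to a constructed subnet and gateway list.
import ipaddress
from dataclasses import dataclass

PLATFORM_RESERVED = 5  # addresses Azure reserves in every subnet


@dataclass(frozen=True)
class Gateway:
    name: str
    max_instances: int      # autoscale maximum (or fixed instance count)
    private_frontend: bool  # True when the gateway has a private frontend IP


def addresses_needed(gw: Gateway) -> int:
    # one address per possible instance, plus one for a private frontend
    return gw.max_instances + (1 if gw.private_frontend else 0)


def subnet_capacity(cidr: str, gateways: list) -> dict:
    """Usable, consumed and free address counts for a gateway subnet."""
    net = ipaddress.ip_network(cidr, strict=True)
    usable = net.num_addresses - PLATFORM_RESERVED
    consumed = sum(addresses_needed(g) for g in gateways)
    return {"usable": usable, "consumed": consumed, "free": usable - consumed}


def fits(cidr: str, existing: list, new_gw: Gateway) -> bool:
    """True if new_gw can be added at its maximum scale without exhausting the subnet."""
    return subnet_capacity(cidr, existing)["free"] >= addresses_needed(new_gw)


# Constructed scenario: two WAF_v2 gateways already in the subnet, each with a
# private frontend and an autoscale maximum of 10, plus a planned Standard_v2 gateway.
EXISTING = [Gateway("waf-v2-a", 10, True), Gateway("waf-v2-b", 10, True)]
PLANNED = Gateway("std-v2-internal", 10, True)

if __name__ == "__main__":
    for cidr in ("10.0.0.0/24", "10.0.0.0/27"):
        print(cidr, subnet_capacity(cidr, EXISTING), "fits:", fits(cidr, EXISTING, PLANNED))
```

On the /24 the two existing gateways consume 22 of 251 usable addresses, so the planned gateway's 11 fit comfortably; on a /27 only 5 remain and it does not.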


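The NSG intent in the accepted answer (allow GatewayManager and AzureLoadBalancer inbound, deny Internet inbound, keep the VirtualNetwork default, never block outbound internet) expressed as a first-match-by-priority check, as an added example that is not part of the answer; the rule names below are constructed, the six Azure default rules are real, and matching is simplified to service tags and '*' with no CIDR or port logic.

```python
# Added example, not from the Q&A answer: a first-match-by-priority check that an NSG
# ruleset for the gateway subnet matches the intent in the answer. Rules use the Azure
# security-rule field names; only service tags and '*' are compared (no CIDR or port logic).

def rule(name, priority, direction, access, src="*", dst="*"):
    return {"name": name, "priority": priority, "direction": direction,
            "access": access, "source": src, "destination": dst}

def effective_access(rules, direction, tag):
    """Access decided by the lowest-priority-number rule that matches the flow."""
    field = "source" if direction == "Inbound" else "destination"
    for r in sorted(rules, key=lambda r: r["priority"]):
        if r["direction"] == direction and r[field] in (tag, "*"):
            return r["access"]
    return "Deny"  # nothing matched: treat as denied

# (direction, service tag) -> access the answer's guidance requires
EXPECTED = {
    ("Inbound", "GatewayManager"): "Allow",
    ("Inbound", "AzureLoadBalancer"): "Allow",
    ("Inbound", "VirtualNetwork"): "Allow",   # default rule kept so the private IP stays reachable
    ("Inbound", "Internet"): "Deny",
    ("Outbound", "Internet"): "Allow",        # answer: outbound internet must not be blocked
}

def nsg_issues(rules):
    """List every expected flow whose effective access differs from the guidance."""
    return [f"{d} {t}: got {effective_access(rules, d, t)}, want {want}"
            for (d, t), want in EXPECTED.items()
            if effective_access(rules, d, t) != want]

# Constructed ruleset following the answer, on top of Azure's six default rules.
GOOD = [
    rule("AllowGatewayManagerIn", 100, "Inbound", "Allow", src="GatewayManager"),
    rule("AllowAzureLBIn", 110, "Inbound", "Allow", src="AzureLoadBalancer"),
    rule("DenyInternetIn", 200, "Inbound", "Deny", src="Internet"),
    rule("AllowVnetInBound", 65000, "Inbound", "Allow", src="VirtualNetwork", dst="VirtualNetwork"),
    rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", src="AzureLoadBalancer"),
    rule("DenyAllInBound", 65500, "Inbound", "Deny"),
    rule("AllowVnetOutBound", 65000, "Outbound", "Allow", src="VirtualNetwork", dst="VirtualNetwork"),
    rule("AllowInternetOutBound", 65001, "Outbound", "Allow", dst="Internet"),
    rule("DenyAllOutBound", 65500, "Outbound", "Deny"),
]
# Same ruleset with outbound internet blocked, which the answer warns breaks logging and metrics.
BAD = [rule("DenyInternetOut", 100, "Outbound", "Deny", dst="Internet")] + GOOD

if __name__ == "__main__":
    print("good:", nsg_issues(GOOD) or "no issues")
    print("bad:", nsg_issues(BAD))
```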