Private Application Gateway V2 with private IP only does not respect EnableApplicationGatewayNetworkIsolation

Jonas Slotte 0 Reputation points
2023-05-19T10:41:50.0433333+00:00

Hi,

I want to set up an Application Gateway Standard_v2 for use as an Application Gateway Ingress Controller (AGIC) with an AKS cluster in the same region, resource group and subscription.
The application gateway will be created in a dedicated empty /24 subnet.

The documentation clearly states that this is a feature in preview and has to be enabled:
https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-private-deployment?tabs=portal

I have confirmed the EnableApplicationGatewayNetworkIsolation feature to be in "Registered" state in the correct subscription.

I noted that in the Portal UI for creating a new Application Gateway, it no longer displays an error message when selecting "Frontend IP address type" as "Private", as it did previously with the feature disabled. At this point, I assume that the feature has been enabled correctly.

The problem is that when I try to create the Application Gateway, the deployment fails with error message:

Application Gateway <id> does not support Application Gateway without Public IP for the selected SKU tier Standard_v2. Supported SKU tiers are Standard,WAF. Error code: "ApplicationGatewayFeatureCannotBeEnabledForSelectedSku"

This is unexpected. It would mean that the feature had no effect on the API, but the Portal UI has changed.

What can I do about this?

This subnet has previously had other Standard_v2 Application Gateways deployed before the feature was enabled (they have been removed). Is it possible that the subnet has to be re-created to support the new gateway feature?

Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.

2 answers

  1. Jonas Slotte 0 Reputation points
    2023-05-19T11:41:26.7+00:00

    Seems I almost answered my own question there.

    Re-creating the subnet for the Application Gateway exactly the same way seems to have solved the problem.
    Assume that a subnet itself can become "tainted" by having a Standard_v2 gateway without the network isolation flag deployed, requiring it to be re-created after enabling the feature.


  2. GitaraniSharma-MSFT 49,386 Reputation points Microsoft Employee
    2023-05-19T11:50:53.1033333+00:00

    @Jonas Slotte ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you are trying to create an Azure Application Gateway V2 with private IP only but even after registering for the "EnableApplicationGatewayNetworkIsolation", you are getting the following error: "Application Gateway <id> does not support Application Gateway without Public IP for the selected SKU tier Standard_v2. Supported SKU tiers are Standard,WAF. Error code: ApplicationGatewayFeatureCannotBeEnabledForSelectedSku".

    I tried to replicate it in my lab but was able to create an Application gateway v2 with private IP only successfully.

    Regarding your question "This subnet has previously had other Standard_v2 Application Gateways deployed before the feature was enabled (they have been removed). Is it possible that the subnet has to be re-created to support the new gateway feature?", there is a FAQ available in the below doc:

    https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-private-deployment?tabs=portal#coexisting-v2-application-gateways-created-prior-to-enablement-of-enhanced-network-control

    And it says:

    Application gateways provisioned prior to enablement of the new functionality must either be reprovisioned, or newly created gateways must use a different subnet to enable enhanced network security group and route table features.

    So, my suggestion would be to create a new subnet and try the deployment again.

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

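The resolution both answers arrive at (feature registered, gateway placed in a newly created subnet), sketched as Azure CLI helper functions. This is an added example, not code from either poster or from Microsoft; it assumes an authenticated `az` session on the target subscription, and the resource group, VNet, subnet, gateway and CIDR values are placeholders passed as arguments.

```shell
# Added example; resource names are placeholders supplied by the caller.
FEATURE=EnableApplicationGatewayNetworkIsolation

# Registration state of the preview feature in the active subscription.
feature_state() {
  az feature show --namespace Microsoft.Network --name "$FEATURE" \
    --query properties.state -o tsv
}

# Gate the deployment: the feature must be Registered and the target subnet
# must not exist yet, so the gateway goes into a newly created subnet as the
# thread recommends. (It does not try to detect a subnet's deployment history.)
preflight() {  # args: resource-group vnet new-subnet
  state=$(feature_state) || return 2
  if [ "$state" != "Registered" ]; then
    echo "feature state is '$state', expected Registered" >&2
    return 1
  fi
  if az network vnet subnet show -g "$1" --vnet-name "$2" -n "$3" >/dev/null 2>&1; then
    echo "subnet '$3' already exists; choose a new subnet name" >&2
    return 1
  fi
  return 0
}

# Create the dedicated subnet for the gateway once the preflight passes.
create_gateway_subnet() {  # args: resource-group vnet new-subnet cidr
  preflight "$1" "$2" "$3" || return $?
  az network vnet subnet create -g "$1" --vnet-name "$2" -n "$3" \
    --address-prefixes "$4" -o none
}

# After deployment: succeed only if no frontend configuration references a
# public IP, i.e. the gateway really is private-only.
assert_private_only() {  # args: resource-group gateway
  n=$(az network application-gateway show -g "$1" -n "$2" \
        --query 'length(frontendIPConfigurations[?publicIPAddress])' -o tsv) || return 2
  [ "$n" = "0" ]
}
```

Running `assert_private_only` in a deployment pipeline catches a gateway that was silently given a public frontend.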