Private Application Gateway V2 with private IP only does not respect EnableApplicationGatewayNetworkIsolation

Question

Hi,

I want to set up an Application Gateway Standard_v2 for use as an Application Gateway Ingress Controller (AGIC) with an AKS cluster in the same region, resource group and subscription.
The application gateway will be created in a dedicated empty /24 subnet.

The documentation clearly states that this is a feature in preview and has to be enabled:
https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-private-deployment?tabs=portal

I have confirmed the EnableApplicationGatewayNetworkIsolation feature to be in "Registered" state in the correct subscription.

I noted that in the Portal UI for creating a new Application Gateway, it no longer displays an error message when selecting "Frontend IP address type" as "Private", as it did previously with the feature disabled. At this point, I assume that the feature has been enabled correctly.

The problem is that when I try to create the Application Gateway, the deployment fails with error message:

Application Gateway <id> does not support Application Gateway without Public IP for the selected SKU tier Standard_v2. Supported SKU tiers are Standard,WAF. Error code: "ApplicationGatewayFeatureCannotBeEnabledForSelectedSku"

This is unexpected. It would mean that the feature had no effect on the API, but the Portal UI has changed.

What can I do about this?

This subnet has previously had other Standard_v2 Application Gateways deployed before the feature was enabled (they have been removed). Is it possible that the subnet has to be re-created to support the new gateway feature?

Answer 1

Seems I almost answered my own question there.

Re-creating the subnet for the Application Gateway exactly the same way seems to have solved the problem.
Assume that a subnet itself can become "tainted" by having a Standard_v2 gateway without the network isolation flag deployed, requiring it to be re-created after enabling the feature.

Answer 2

@Jonas Slotte ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand that you are trying to create an Azure Application Gateway V2 with private IP only but even after registering for the "EnableApplicationGatewayNetworkIsolation", you are getting the following error: "Application Gateway <id> does not support Application Gateway without Public IP for the selected SKU tier Standard_v2. Supported SKU tiers are Standard,WAF. Error code: ApplicationGatewayFeatureCannotBeEnabledForSelectedSku".

I tried to replicate it in my lab but was able to create an Application gateway v2 with private IP only successfully.

Regarding your question "This subnet has previously had other Standard_v2 Application Gateways deployed before the feature was enabled (they have been removed). Is it possible that the subnet has to be re-created to support the new gateway feature?", there is a FAQ available in the below doc:

https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-private-deployment?tabs=portal#coexisting-v2-application-gateways-created-prior-to-enablement-of-enhanced-network-control

And it says:

Application gateways provisioned prior to enablement of the new functionality must either be reprovisioned, or newly created gateways must use a different subnet to enable enhanced network security group and route table features.

So, my suggestion would be to create a new subnet and try the deployment again.

Kindly let us know if the above helps or you need further assistance on this issue.

---

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.