Can I add azure-application-gateway in an existing virtual network?

Question

Can I add azure-application-gateway in an existing virtual network?

Satya Komatineni 26

I have a virtual machine in an existing virtual network, and a subnet.

this VM has a public IP address.

Can I add an application gateway in this existing virtual network? (to control the traffic, SSL termination etc)

When I try to do so, it is refusing to consider a new subnet inside that virtual network (A new subnet is apparently needed by the application gateway)

It appears grayed out to the "Create Gateway resource" screen.

Your help is much appreciated.

Answer 1

KapilAnanth-MSFT 11,366 Microsoft Employee

Hi @Satya Komatineni ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you are trying to deploy an Application gateway into an existing VNet.

This is supported. You can deploy an Application Gateway in an existing VNet.

The catch here is that,

The subnet where you are trying to deploy the App Gateway must not contain any other resource.
In you case, "GatewaySubnet" is for creating VNet Gateways, not Application Gateways.
Hence, you are seeing the subnet as grayed out.
You can create a new subnet with a normal naming convention such as "myAGSubnet" or any and deploy the App Gateway in it.
Refer : https://learn.microsoft.com/en-us/azure/application-gateway/create-multiple-sites-portal

I hope this helps.
Please feel free to let us know if you have any follow-up queries on this.

Thanks,
Kapil

----------------------------------------------------------------------------------------------------------------

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Satya Komatineni 26 Reputation points

2022-09-06T17:30:23.687+00:00

anonymous user-MSFT Thanks for taking the time.

other than the name I created the subnet from scratch.

To my knowledge it is not used for any other gateways. I just called it "GatewaySubnet".

is the name the problem?

In fact I have created that subnet from the prompt of "New Subnet" of the "Create Application Gateway".

The Application Gateway is trying to analyze that subnet for something that is not obvious.

I did submit a ticket as well through dev support to MS.

Please add what is special of such a subnet (other than no other one is using it)

I will try again with a different name.
KapilAnanth-MSFT 11,366 Reputation points Microsoft Employee

2022-09-07T03:13:05.193+00:00
Hi @Satya Komatineni ,

Thanks for the update.

The name "GatewaySubnet" is reserved for VNet Gateways.
This means, this particular subnet can only contain VNet Gateways.
Deploying of any other resource is not supported whether or not the subnet has a Gateway in it.

For Application gateway v2, the requirements are,

There should not be any other resource deployed in the subnet

The subnet name should not be a reserved one. (one more e.g is "AzureBastionSubnet", which is reserved for Azure Bastion)

You may try with a different name, and let us know if that helps or you need further assistance.

Cheers,
Kapil

----------------------------------------------------------------------------------------------------------------

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer.
Satya Komatineni 26 Reputation points

2022-09-07T17:27:17.167+00:00

anonymous user-MSFT

oh my!

what a coincidence!! Of course not to my advantage.

ok thanks. Let me try with "any other name" :)

I will report back here how that goes!!!!
KapilAnanth-MSFT 11,366 Reputation points Microsoft Employee

2022-09-09T13:40:44.597+00:00

Hi @Satya Komatineni ,

Just checking in to see if you were able to create the App gateway.

If yes, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread.

And, if you have any further query do let us know.

Thanks,
Kapil

Answer 2

kilian goëtz 121

Hello,

Yes you can add an app gateway into the same VNet. Nonetheless, you need to create another one subnet for app gateway and connect your VMs to app gateway with private endpoint.

An infrastructure like this.

Kind regards, Kilian GOËTZ.

Satya Komatineni 26 Reputation points

2022-09-06T14:59:54.87+00:00
Thank you Kilian for the response.

Really appreciate it.

When I created the dedicated subnet it is showing "grayed out" in the "Create App Gateway" screen.

Same vnet as I have a VM in there (it has its own default subnet that was created)

I have created a new subnet for the gateway (Looks like something odd about this subnet)

I am adding a an image here. (Hope it shows up)
Satya Komatineni 26 Reputation points

2022-09-06T15:01:23.793+00:00

Not sure what special qualities the "GatewaySubnet" needs to have... other than the correct CIDR and network address (which I took it from the default)

Answer 3

Quick summary.

It has been a few days.

First of all thanks for actively engaging in this forum. Thanks

Goal

Setup a App gateway in the same vnet as I have a VM that is hosting a tomcat website
(Use that app gateway as a WAF - Web Application Firewall, protecting for SQL Ingection, bad web clients, etc - This is still under exploration)

Problem I ran into

Create App Gateway Resource is failing not allowing subnet to be chosen.

Resolution

It has to be a new dedicated subnet (This is easy to figure out)
The name cannot be one of the reserved names!! (This is not clear from the docs)
One of the reserved names, which by accident, and first choice, I chose was "Application Gateway". And THAT my friends is reserved as anonymous user-MSFT here had educated me on. (Thank you)
So once I chose a different name, it worked and successfully created the gateway

Further on

I was able to forward requests to a back end webserver (No significant surprises)
But I am a bit early on completing my overall mission.
I will keep you posted
My next immediate job is
5. Prevent all other traffic but from the gateway into the backend VM for http
6. Offload ssl
7. Enable WAF
8. Examine what bad sites are hitting mine (if possible)

Hope this helps others as well
Thanks
Satya

Can I add azure-application-gateway in an existing virtual network?

2 additional answers

Activity