Configure an application gateway in a secured virtual hub topology.

Question

Hi everyone: I have a hub and spoke topology with a secured virtual hub, traffic of VNET, vpn site to site, point to site, internet is filtered by azure firewall. I have configured routing intent and routing policies in the secured virtual hub. I have read that UDR 0.0.0.0.0/0 to a virtual appliance is not supported for Application Gateway v2.

I need configure an application gateway in a hub and spoke topology, the application gateway subnet is configured in a vnet spoke. I have tried to configure it; however, I get issues.

Thank you. EF

Answer 1

Hello @Edwin Omar Fonseca Padilla ,

Thanks for reaching Microsoft Q and A platform.

1. I understand that you would like to use the Application Gateway in your Spoke Model and every traffic from Spoke you would like to pass it via the Virtual Appliance.
2. But, could you tell if your Application gateway is opened to Public or Private?
3. If its opened to Private than having a Route with 0.0.0.0/0 could be eliminated and include the Private Ranges instead.
4. But, if you would really need 0.0.0.0/0 on the Application Gateway Subnet, you must use the Application gateway v1 Version.
5. Still that has its own disadvantages your probes might fail, if its not routed correctly by the NVA configured.
6. So its suggested not to have a Internet route on the Application gateway Subnet.
7. Would like to encourage you to analyze the real purpose of the route 0.0.0.0/0 and if that justifies, we could go for the V1 version of the Application gateway but, Migrate your Application Gateways from V1 SKU to V2 SKU by April 28, 2026. Where post 2026 you would be forced to use V2.

--Please don't forget to "[Accept the answer]" and “[Upvote]” if the reply is helpful--

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Regards Priya Kumar