Configure an Azure Dedicated Cloud Gateway with virtual WAN

Uses: Konnect Platform

Incompatible with

on-prem

Prerequisites

Kong Konnect

This tutorial requires a Konnect Plus account. If you don’t have a Konnect account, you can get started quickly with our onboarding wizard.

Microsoft Entra

To approve the Dedicated Cloud Gateway app, you need a Microsoft Entra admin account with the Application Administrator role.

Copy your Entra tenant ID from your dashboard.

Microsoft Azure CLI

Install the Azure CLI and authenticate:

az login

Copied!

Azure virtual WAN

To configure virtual hub peering in Konnect, you’ll need:

A virtual network configured in Azure that is associated with a virtual WAN
A virtual hub associated with your virtual WAN

Copy your virtual WAN subscription ID and resource group name, and the name of the virtual hub associated with your virtual WAN.

Important: Your Azure virtual network must use a different IP than your network in Konnect, which is 10.0.0.0/16 by default but can be edited. The Azure virtual network and virtual WAN must also use CIDRs that don’t overlap.

Create an Azure Dedicated Cloud Gateway

First, configure a Dedicated Cloud Gateway with an Azure network.

In the Konnect sidebar, click API Gateways.
From the New dropdown menu, select “New API gateway”.
Select Dedicated Cloud.
In the Gateway name field, enter Azure.
Click Create and configure.
From the Provider dropdown menu, select “Azure”.
From the Region dropdown menu, select the region you want to configure the cluster in.
Edit the Network range as needed.

Important: Your Azure virtual network must use a different IP than your network in Konnect, which is 10.0.0.0/16 by default but can be edited.
From the Access dropdown menu, select “Public” or “Private”.
Click Create data plane node.

Important: Wait until your Azure network displays as Ready before proceeding to the next step.

Configure Azure virtual hub peering in Konnect

Now that your Dedicated Cloud Gateway Azure network is ready, you can configure virtual hub peering to connect your Azure virtual WAN to your Dedicated Cloud Gateway.

In the Konnect sidebar, click API Gateways.
Click your Azure Dedicated Cloud Gateway.
In the API Gateways sidebar, click Networks.
From the action menu next to your Azure network, select “Configure private networking”.
Click Virtual hub peering.
In the Tenant ID field, enter your Microsoft Entra tenant ID.
In the Subscription ID field, enter your virtual WAN’s subscription ID.
In the Resource group name field, enter your virtual WAN’s resource group name.
In the Virtual hub name field, enter your virtual WAN’s hub name.
Click Next.
Grant access to the Dedicated Cloud Gateway app in Microsoft Entra using the link provided in the setup wizard.

Important: You need an admin account to approve the app.
Create a peering role with the Azure CLI using the command in the UI wizard.

Konnect requires permission to create and manage peering resources. You must define a role named Kong Cloud Gateway Peering Creator with the following permissions:
- Read and write access to virtual hub configurations
- Permission to perform peering actions
Assign the role to the service principal so it has permission to peer with your virtual hub using the command in the UI wizard.
Select I’ve completed the Azure setup steps above.
Click Done.

Validate

After your virtual hub peering configuration displays as ready, you can begin using your Dedicated Cloud Gateway. To verify that it’s ready, do the following:

In the Konnect sidebar, click API Gateways.
Click your Azure Dedicated Cloud Gateway.
In the API Gateways sidebar, click Networks.
Scroll until you see Ready for virtual hub peering.

Next Steps

Dedicated Cloud Gateways production readiness checklist