Configure an Azure Dedicated Cloud Gateway with virtual hub peering and private DNS

Uses: Konnect Platform

Incompatible with

on-prem

Prerequisites

Kong Konnect

This tutorial requires a Konnect Plus account. If you don’t have a Konnect account, you can get started quickly with our onboarding wizard.

Microsoft Entra

To approve the Dedicated Cloud Gateway app, you need a Microsoft Entra admin account with the Application Administrator role.

Copy your Entra tenant ID from your dashboard.

Microsoft Azure CLI

Install the Azure CLI and authenticate:

az login

Copied!

Azure virtual WAN

To configure virtual hub peering in Konnect, you’ll need:

A virtual network configured in Azure that is associated with a virtual WAN
A virtual hub associated with your virtual WAN

Copy your virtual WAN subscription ID and resource group name, and the name of the virtual hub associated with your virtual WAN.

Important: Your Azure virtual network must use a different IP than your network in Konnect, which is 10.0.0.0/16 by default but can be edited. The Azure virtual network and virtual WAN must also use CIDRs that don’t overlap.

Azure private DNS zone

Configuring Azure private DNS for Dedicated Cloud Gateways involves creating a private DNS zone in Azure, linking the private DNS zone to your virtual network, and configuring a private hosted zone in Konnect.

Create a private DNS zone in Azure in the same resource group as the virtual network that you’re using for virtual WAN.
Copy and save your domain name, private DNS zone name, private DNS subscription ID, and private DNS resource group name.

Create an Azure Dedicated Cloud Gateway

First, configure a Dedicated Cloud Gateway with an Azure network.

In the Konnect sidebar, click API Gateways.
From the New dropdown menu, select “New API gateway”.
Select Dedicated Cloud.
In the Gateway name field, enter Azure.
Click Create and configure.
From the Provider dropdown menu, select “Azure”.
From the Region dropdown menu, select the region you want to configure the cluster in.
Edit the Network range as needed.

Important: Your Azure virtual network must use a different IP than your network in Konnect, which is 10.0.0.0/16 by default but can be edited.
From the Access dropdown menu, select “Public” or “Private”.
Click Create data plane node.

Important: Wait until your Azure network displays as Ready before proceeding to the next step.

Configure Azure virtual hub peering in Konnect

Now that your Dedicated Cloud Gateway Azure network is ready, you can configure virtual hub peering to connect your Azure virtual WAN to your Dedicated Cloud Gateway.

In the Konnect sidebar, click API Gateways.
Click your Azure Dedicated Cloud Gateway.
In the API Gateways sidebar, click Networks.
From the action menu next to your Azure network, select “Configure private networking”.
Click Virtual hub peering.
In the Tenant ID field, enter your Microsoft Entra tenant ID.
In the Subscription ID field, enter your virtual WAN’s subscription ID.
In the Resource group name field, enter your virtual WAN’s resource group name.
In the Virtual hub name field, enter your virtual WAN’s hub name.
Click Next.
Grant access to the Dedicated Cloud Gateway app in Microsoft Entra using the link provided in the setup wizard.

Important: You need an admin account to approve the app.
Create a peering role with the Azure CLI using the command in the UI wizard.

Konnect requires permission to create and manage peering resources. You must define a role named Kong Cloud Gateway Peering Creator with the following permissions:
- Read and write access to virtual hub configurations
- Permission to perform peering actions
Assign the role to the service principal so it has permission to peer with your virtual hub using the command in the UI wizard.
Select I’ve completed the Azure setup steps above.
Click Done.

Configure private DNS for your Azure network in Konnect

After your Azure private networking configuration is ready in Konnect, you can configure private DNS.

In the Konnect sidebar, click API Gateways.
Click your Azure Dedicated Cloud Gateway.
In the API Gateways sidebar, click Networks.
From the action menu next to your Azure network, select “Configure private DNS”.
Click Private hosted zone.
In the Name field, enter the fully qualified domain name for your private hosted zone in Azure.
In the Tenant ID field, enter your tenant ID from Microsoft Entra.
In the Subscription ID field, enter the subscription ID for your private DNS zone.
In the Resource group name field, enter the resource group name that your private DNS zone is in.
In the Virtual network link name field, enter a unique name for the virtual network link.

Your virtual network link name must be unique and cannot match an existing virtual network link name. When you configure private DNS for a Dedicated Cloud Gateway, Konnect automatically creates a virtual network link in Azure using the name you specify here.
In the Private DNS zone name field, enter the name of your private DNS zone in Azure.
Create a DNS link creator role with the Azure CLI using the command in the UI wizard.
Assign the role to the service principal with the Azure CLI using the command in the UI wizard.
Link your private DNS zone to your virtual network using the command provided by the private DNS wizard in the UI.
Select I confirm that I completed all required steps and understand that incorrect configuration can cause DNS resolution issues.
Click Connect.

Validate

After your private DNS configuration displays as ready, you can begin using your Dedicated Cloud Gateway. To verify that it’s ready, do the following:

In the Konnect sidebar, click API Gateways.
Click your Azure Dedicated Cloud Gateway.
In the API Gateways sidebar, click Networks.
From the action menu next to your Azure network, select “Configure private DNS”.
Scroll until you see Ready for private DNS.

Next Steps

Dedicated Cloud Gateways production readiness checklist