Configure an Azure Dedicated Cloud Gateway with VNET peering and outbound DNS resolution

Uses: Kong Gateway
TL;DR

Using a virtual network and a private DNS resolver in Azure, you can create a Dedicated Cloud Gateway in Konnect with Azure as the network provider. When the Azure network is Ready in Konnect, you can configure VNET peering by creating the peering role and assigning it to the service principal. Configure an outbound DNS resolver for your Azure network in Konnect. You can use your Azure Dedicated Cloud Gateway after it displays as Ready for your outbound DNS resolver.

Prerequisites

This tutorial requires a Konnect Plus account. If you don’t have a Konnect account, you can get started quickly with our onboarding wizard.

To approve the Dedicated Cloud Gateway app, you need a Microsoft Entra admin account with the Application Administrator role.

Copy your Entra tenant ID from your dashboard.

Install the Azure CLI and authenticate:

az login

To configure VNET peering in Konnect, you’ll need a virtual network configured in Azure.

Copy and export the following:

export VNET_SUBSCRIPTION_ID='YOUR VNET SUBSCRIPTION ID'
export RESOURCE_GROUP_NAME='RESOURCE GROUP NAME FOR YOUR VNET'
export RESOURCE_GROUP_ID='RESOURCE GROUP ID FOR YOUR VNET'
export VNET_NAME='YOUR VNET NAME'

Important: Your Azure virtual network must use a different IP address range (CIDR block) than your network in Konnect, which is 10.0.0.0/16 by default but can be edited.

Before you can configure outbound DNS in Konnect, you must configure private resolvers in Azure:

  1. Create a DNS resolver inside your virtual network in Azure. Save the name of your DNS resolver.
  2. Configure the outbound endpoints in your DNS resolver in Azure.
  3. Configure a DNS forwarding ruleset in Azure.
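The three Azure-side steps above, done with the Azure CLI `dns-resolver` extension, as an added example rather than commands from the original page or from Kong. It reuses the variables exported earlier; the location, the `konnect-*` resource names and the outbound subnet prefix `10.1.250.0/28` are assumptions (pick a /28 or larger inside your VNET's range, outside the Konnect network range). The last function prints the two values the Konnect form asks for later: the resolver name and the outbound endpoint subnet.

```shell
#!/usr/bin/env bash
# Added example (not from the original page or from Kong): create an Azure DNS
# Private Resolver, an outbound endpoint and a forwarding ruleset with the az CLI.
set -eu

: "${VNET_SUBSCRIPTION_ID:=00000000-0000-0000-0000-000000000000}"   # placeholder
: "${RESOURCE_GROUP_NAME:=my-vnet-rg}"                                # placeholder
: "${VNET_NAME:=my-vnet}"                                             # placeholder
LOCATION="${LOCATION:-eastus}"                                        # assumption
RESOLVER_NAME="${RESOLVER_NAME:-konnect-dns-resolver}"                # assumption
OUTBOUND_SUBNET_NAME="${OUTBOUND_SUBNET_NAME:-snet-dns-outbound}"     # assumption
OUTBOUND_SUBNET_PREFIX="${OUTBOUND_SUBNET_PREFIX:-10.1.250.0/28}"     # assumption
OUTBOUND_ENDPOINT_NAME="${OUTBOUND_ENDPOINT_NAME:-konnect-outbound}"  # assumption
RULESET_NAME="${RULESET_NAME:-konnect-forwarding-rules}"              # assumption

# ARM resource IDs built from the exported variables.
vnet_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/virtualNetworks/%s' \
    "$VNET_SUBSCRIPTION_ID" "$RESOURCE_GROUP_NAME" "$VNET_NAME"
}
subnet_id() { printf '%s/subnets/%s' "$(vnet_id)" "$1"; }

# An outbound endpoint needs a subnet delegated to Microsoft.Network/dnsResolvers
# (a /28 is the smallest Azure accepts). Skip this if you already have one.
create_outbound_subnet() {
  az network vnet subnet create \
    --resource-group "$RESOURCE_GROUP_NAME" --vnet-name "$VNET_NAME" \
    --name "$OUTBOUND_SUBNET_NAME" --address-prefixes "$OUTBOUND_SUBNET_PREFIX" \
    --delegations Microsoft.Network/dnsResolvers
}

# Step 1: the resolver is created inside your virtual network.
create_resolver() {
  az extension add --name dns-resolver --upgrade
  az dns-resolver create --name "$RESOLVER_NAME" --resource-group "$RESOURCE_GROUP_NAME" \
    --location "$LOCATION" --id "$(vnet_id)"
}

# Step 2: the outbound endpoint lives in the delegated subnet.
create_outbound_endpoint() {
  az dns-resolver outbound-endpoint create --dns-resolver-name "$RESOLVER_NAME" \
    --name "$OUTBOUND_ENDPOINT_NAME" --resource-group "$RESOURCE_GROUP_NAME" \
    --location "$LOCATION" --id "$(subnet_id "$OUTBOUND_SUBNET_NAME")"
}

# Step 3: the forwarding ruleset is bound to that outbound endpoint.
create_ruleset() {
  local ep_id
  ep_id=$(az dns-resolver outbound-endpoint show --dns-resolver-name "$RESOLVER_NAME" \
    --name "$OUTBOUND_ENDPOINT_NAME" --resource-group "$RESOURCE_GROUP_NAME" \
    --query id -o tsv)
  az dns-resolver forwarding-ruleset create --name "$RULESET_NAME" \
    --resource-group "$RESOURCE_GROUP_NAME" --location "$LOCATION" \
    --outbound-endpoints "[{id:$ep_id}]"
}

# What you paste into Konnect later: the resolver name and the outbound endpoint subnet.
konnect_inputs() {
  printf 'Outbound Resolver name: %s\n' "$RESOLVER_NAME"
  printf 'Outbound endpoint subnet: '
  az network vnet subnet show --resource-group "$RESOURCE_GROUP_NAME" \
    --vnet-name "$VNET_NAME" --name "$OUTBOUND_SUBNET_NAME" --query addressPrefix -o tsv
}

# Run as: ./setup-resolver.sh apply   (after `az login` and `az account set`).
if [ "${1:-}" = "apply" ]; then
  create_outbound_subnet
  create_resolver
  create_outbound_endpoint
  create_ruleset
  konnect_inputs
fi
```

Run `az account set --subscription "$VNET_SUBSCRIPTION_ID"` first so the resolver lands in the same subscription as the VNET you will peer; the forwarding rules themselves are added later, once Konnect shows the network as Ready.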

When you deploy Dedicated Cloud Gateway in Konnect, Konnect hosts the data plane nodes on Azure. Then, you can use Azure virtual network peering to establish a secure, low-latency connection between your Azure environment and the Konnect platform.

flowchart LR
  A(API or service)
  B(API or service)
  C(API or service)
  G(Konnect #40;fully-managed data plane#41;)
  H(Konnect #40;fully-managed data plane#41;)
  J(Internet)
  subgraph 1 [User Azure Cloud]
    subgraph 3 [Virtual Network #40;VNET#41;]
      A
      B
      C
    end
  end
  subgraph 4 [Kong Azure Cloud]
    subgraph 6 [Virtual Network #40;VNET#41;]
      G
      H
    end
  end
  3 <-- VNET Peering / Private API Access --> 6
  G & H <-- Public API access --> J

Create an Azure Dedicated Cloud Gateway

  1. In the Konnect sidebar, click API Gateways.
  2. From the New dropdown menu, select “New API gateway”.
  3. Select Dedicated Cloud.
  4. In the Gateway name field, enter Azure.
  5. Click Create and configure.
  6. From the Provider dropdown menu, select “Azure”.
  7. From the Region dropdown menu, select the region you want to configure the cluster in.
  8. Edit the Network range as needed.

    Important: Your Azure virtual network must use a different IP address range (CIDR block) than your network in Konnect, which is 10.0.0.0/16 by default but can be edited.

  9. From the Access dropdown menu, select “Public” or “Private”.
  10. Click Create data plane node.

Important: Wait until your Azure network displays as Ready before proceeding to the next step.

Configure VNET peering in Konnect

Now that your Dedicated Cloud Gateway Azure network is ready, you can configure VNET peering to connect your Azure virtual network to your Dedicated Cloud Gateway.

  1. In the Konnect sidebar, click API Gateways.
  2. Click your Azure Dedicated Cloud Gateway.
  3. In the API Gateways sidebar, click Networks.
  4. From the action menu next to your Azure network, select “Configure VNET peering”.
  5. In the Tenant ID field, enter your Microsoft Entra tenant ID.
  6. In the Subscription ID field, enter your virtual network’s subscription ID.
  7. In the Resource group name field, enter your virtual network’s resource group name.
  8. In the VNET Name field, enter your virtual network’s name.
  9. Click Next.
  10. Grant access to the Dedicated Cloud Gateway app in Microsoft Entra using the link provided in the setup wizard.

    Important: You need an admin account to approve the app.

  11. Create a peering role with the Azure CLI using the command in the UI wizard.

    Konnect requires permission to create and manage peering resources. You must define a role named Kong Cloud Gateway Peering Creator with the following permissions:

    • Read and write access to Virtual Network peering configurations
    • Permission to perform peering actions
  12. Assign the role to the service principal so it has permission to peer with your virtual network using the command in the UI wizard.
  13. Select Please confirm if you have completed the above mentioned steps.
  14. Click Done.
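Steps 11 and 12 above, as an added example that is not the command from the UI wizard and not Kong's own code; the wizard's command is authoritative, this block only shows what a least-privilege version of that role looks like and how to check it afterwards. It reuses the variables exported earlier. `KONG_DCGW_APP_ID` is a placeholder for the application (client) ID of the Dedicated Cloud Gateway enterprise app that appears in your tenant after you approve it in step 10; the three RBAC actions are the ones that correspond to the two permissions the page lists, and the role is made assignable only at the VNET's resource group rather than the whole subscription.

```shell
#!/usr/bin/env bash
# Added example (not from the original page or from Kong): define the
# "Kong Cloud Gateway Peering Creator" role and assign it to the Konnect
# service principal at the scope of the VNET only.
set -eu

: "${VNET_SUBSCRIPTION_ID:=00000000-0000-0000-0000-000000000000}"   # placeholder
: "${RESOURCE_GROUP_NAME:=my-vnet-rg}"                                # placeholder
: "${VNET_NAME:=my-vnet}"                                             # placeholder
: "${KONG_DCGW_APP_ID:=00000000-0000-0000-0000-000000000000}"         # placeholder: app ID of the approved Dedicated Cloud Gateway app

ROLE_NAME="Kong Cloud Gateway Peering Creator"

# Assignable scope: the VNET's resource group, not the subscription.
peering_role_scope() {
  printf '/subscriptions/%s/resourceGroups/%s' "$VNET_SUBSCRIPTION_ID" "$RESOURCE_GROUP_NAME"
}

vnet_scope() {
  printf '%s/providers/Microsoft.Network/virtualNetworks/%s' "$(peering_role_scope)" "$VNET_NAME"
}

# Role definition JSON. The page's two requirements map to:
#   read/write on virtualNetworkPeerings  -> "Read and write access to VNET peering configurations"
#   virtualNetworks/peer/action            -> "Permission to perform peering actions"
peering_role_definition() {
  cat <<EOF
{
  "Name": "${ROLE_NAME}",
  "Description": "Lets Konnect create and manage peerings with ${VNET_NAME}",
  "Actions": [
    "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
    "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
    "Microsoft.Network/virtualNetworks/peer/action"
  ],
  "NotActions": [],
  "AssignableScopes": ["$(peering_role_scope)"]
}
EOF
}

create_peering_role() {
  az role definition create --role-definition "$(peering_role_definition)"
}

# Resolve the service principal's object ID from the app ID, then assign the
# role at the VNET itself (the narrowest scope the peering needs).
assign_peering_role() {
  local sp_object_id
  sp_object_id=$(az ad sp show --id "$KONG_DCGW_APP_ID" --query id -o tsv)
  az role assignment create \
    --assignee-object-id "$sp_object_id" \
    --assignee-principal-type ServicePrincipal \
    --role "$ROLE_NAME" \
    --scope "$(vnet_scope)"
}

# Check: the only assignment of this role to the app should be scoped to the VNET.
verify_peering_role() {
  az role assignment list --assignee "$KONG_DCGW_APP_ID" --all \
    --query "[?roleDefinitionName=='${ROLE_NAME}'].[scope,principalType]" -o tsv
}

# Run as: ./peering-role.sh apply
if [ "${1:-}" = "apply" ]; then
  create_peering_role
  assign_peering_role
  verify_peering_role
fi
```

If `verify_peering_role` prints a scope at subscription level, or nothing at all, the peering attempt from Konnect will fail on authorization; the FAQ below covers the case where the CLI cannot add a second subscription to the role.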

Konnect already creates an outbound DNS resolver when the VNET peering is set up; you only need to add the outbound endpoints for your Azure network.

Configure an outbound DNS resolver for your Azure network in Konnect

  1. In the Konnect sidebar, click API Gateways.
  2. Click your Azure Dedicated Cloud Gateway.
  3. In the API Gateways sidebar, click Networks.
  4. From the action menu next to your Azure network, select “Configure private DNS”.
  5. Click Outbound DNS resolver.
  6. In the Outbound Resolver name field, enter the name of your private DNS resolver in Azure.
  7. In the Domain name field, enter your domain.
  8. In the Target IP address field, enter the IP addresses of your outbound endpoint subnets.
  9. Click Save.

DNS mappings

The following table describes how DNS is mapped in Azure VNET peering:

Mapping Type   | Description                                                                                    | Example
---------------|------------------------------------------------------------------------------------------------|-------------------------------------------------------
1-to-1 Mapping | Each domain is mapped to a unique IP address.                                                  | example.com -> 192.168.1.1
N-to-1 Mapping | Multiple domains share the same IP address.                                                    | example.com, example2.com -> 192.168.1.1
M-to-N Mapping | Multiple domains are mapped to multiple IP addresses, without a strict one-to-one relationship. | example.com -> 192.168.1.2; example3.com -> 192.168.1.1

Validate

Once your outbound DNS resolver configuration displays as ready, you can begin using your Dedicated Cloud Gateway. To verify that it’s ready, do the following:

  1. In the Konnect sidebar, click API Gateways.
  2. Click your Azure Dedicated Cloud Gateway.
  3. In the API Gateways sidebar, click Networks.
  4. From the action menu next to your Azure network, select “Configure private DNS”.
  5. Scroll until you see Ready for your outbound DNS resolver.

FAQs

This error can occur because you have multiple subscriptions in the same Entra tenant and the Azure CLI can’t assign another subscription to the role. To resolve this in Azure, search for the role and manually add additional subscription IDs to it instead of using the CLI.
