Configure an Azure Dedicated Cloud Gateway with VNET peering and private DNS

TL;DR

Using a virtual network, virtual network link, and private DNS zone in Azure, you can create a Dedicated Cloud Gateway in Konnect with Azure as the network provider. When the Azure network is Ready in Konnect, you can configure VNET peering by creating the peering role and assigning it to the service principal. Configure private DNS for your Azure network in Konnect. You can use your Azure Dedicated Cloud Gateway after it displays as Ready for your private hosted zone.

Prerequisites

This tutorial requires a Konnect Plus account. If you don’t have a Konnect account, you can get started quickly with our onboarding wizard.

To approve the Dedicated Cloud Gateway app, you need a Microsoft Entra admin account with the Application Administrator role.

Copy your Entra tenant ID from your dashboard.

Install the Azure CLI and authenticate:

az login

To configure VNET peering in Konnect, you’ll need a virtual network configured in Azure.

Copy and export the following:

export VNET_SUBSCRIPTION_ID='YOUR VNET SUBSCRIPTION ID'
export RESOURCE_GROUP_NAME='RESOURCE GROUP NAME FOR YOUR VNET'
export RESOURCE_GROUP_ID='RESOURCE GROUP ID FOR YOUR VNET'
export VNET_NAME='YOUR VNET NAME'

Important: Your Azure virtual network must use a different IP address range (CIDR) than your network in Konnect, which is 10.0.0.0/16 by default but can be edited.

Configuring Azure private DNS for Dedicated Cloud Gateways involves creating a private DNS zone in Azure, linking the private DNS zone to your virtual network, and configuring a private hosted zone in Konnect.

  1. Create a private DNS zone in Azure in the same resource group as the virtual network that you’re using for VNET peering.
  2. Copy and save your domain name, private DNS zone name, private DNS subscription ID, and private DNS resource group name.
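The prerequisites above amount to three checks and two Azure resources: the exported VNET values, a VNET address space that does not collide with the Konnect network range, a private DNS zone in the VNET's resource group, and a link from that zone to the VNET. The following script is an added example, not a command from the Konnect wizard or from Kong's documentation. It assumes the names `KONNECT_CIDR` (the network range you set in the Konnect wizard, 10.0.0.0/16 by default), `PRIVATE_DNS_ZONE_NAME` and `VNET_LINK_NAME`, none of which appear on this page, and the `az` commands only run when the script is invoked with `apply`; the CIDR helpers run offline so the overlap check can be exercised before touching Azure.

```shell
#!/bin/sh
# Added example (not from the Kong docs): pre-flight checks and private DNS zone
# setup for an Azure Dedicated Cloud Gateway. The `az` calls run only when the
# script is invoked as `sh azure-dcgw-prereqs.sh apply`.
set -eu

# Values from the prerequisites section; fill in before running with "apply".
: "${VNET_SUBSCRIPTION_ID:=YOUR VNET SUBSCRIPTION ID}"
: "${RESOURCE_GROUP_NAME:=RESOURCE GROUP NAME FOR YOUR VNET}"
: "${VNET_NAME:=YOUR VNET NAME}"
# Assumed names (not in the docs): the Konnect network range chosen in the
# wizard (10.0.0.0/16 is the default) and the private DNS zone / link names.
: "${KONNECT_CIDR:=10.0.0.0/16}"
: "${PRIVATE_DNS_ZONE_NAME:=internal.example.com}"
: "${VNET_LINK_NAME:=konnect-dcgw-link}"

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# Print "first last" as integers for a CIDR block, aligned to its network boundary.
cidr_bounds() {
  addr=${1%/*}; bits=${1#*/}
  base=$(ip_to_int "$addr")
  size=$(( 1 << (32 - bits) ))
  start=$(( base - base % size ))
  echo "$start $(( start + size - 1 ))"
}

# Exit status 0 when the two CIDR blocks share at least one address.
cidrs_overlap() {
  set -- $(cidr_bounds "$1") $(cidr_bounds "$2")
  [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# Fail if any address prefix of the Azure VNET overlaps the Konnect network range;
# peering two VNETs with overlapping space is rejected by Azure.
precheck_vnet_range() {
  for prefix in $(az network vnet show --subscription "$VNET_SUBSCRIPTION_ID" \
      -g "$RESOURCE_GROUP_NAME" -n "$VNET_NAME" \
      --query 'addressSpace.addressPrefixes' -o tsv); do
    if cidrs_overlap "$prefix" "$KONNECT_CIDR"; then
      echo "VNET prefix $prefix overlaps Konnect range $KONNECT_CIDR; change one of them" >&2
      return 1
    fi
  done
  echo "VNET address space does not overlap $KONNECT_CIDR"
}

# Create the private DNS zone in the VNET's resource group and link it to the VNET.
# Auto-registration is left off: the zone only needs to resolve names, not
# register every VM in the VNET.
create_private_dns_zone() {
  az network private-dns zone create --subscription "$VNET_SUBSCRIPTION_ID" \
    -g "$RESOURCE_GROUP_NAME" -n "$PRIVATE_DNS_ZONE_NAME"
  az network private-dns link vnet create --subscription "$VNET_SUBSCRIPTION_ID" \
    -g "$RESOURCE_GROUP_NAME" -z "$PRIVATE_DNS_ZONE_NAME" \
    -n "$VNET_LINK_NAME" -v "$VNET_NAME" -e false
}

if [ "${1:-}" = "apply" ]; then
  precheck_vnet_range
  create_private_dns_zone
fi
```

The overlap check is the part worth keeping around: if you later edit the Konnect network range, re-run `cidrs_overlap <vnet prefix> <new range>` before reconfiguring peering. The link command is shown in its generic form; where the Konnect private DNS wizard gives you its own link command, use that one.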

When you deploy Dedicated Cloud Gateway in Konnect, Konnect hosts the data plane nodes on Azure. Then, you can use Azure virtual network peering to establish a secure, low-latency connection between your Azure environment and the Konnect platform.

Diagram (from the original page): two clouds are shown. In the user's Azure cloud, a virtual network (VNET) hosts the user's APIs or services. In the Kong Azure cloud, a second VNET hosts the fully-managed Konnect data plane nodes. VNET peering joins the two VNETs for private API access, while the Konnect data planes also provide public API access to the internet.

Create an Azure Dedicated Cloud Gateway

  1. In the Konnect sidebar, click API Gateways.
  2. From the New dropdown menu, select “New API gateway”.
  3. Select Dedicated Cloud.
  4. In the Gateway name field, enter Azure.
  5. Click Create and configure.
  6. From the Provider dropdown menu, select “Azure”.
  7. From the Region dropdown menu, select the region you want to configure the cluster in.
  8. Edit the Network range as needed.

    Important: Your Azure virtual network must use a different IP address range (CIDR) than your network in Konnect, which is 10.0.0.0/16 by default but can be edited.

  9. From the Access dropdown menu, select “Public” or “Private”.
  10. Click Create data plane node.

Important: Wait until your Azure network displays as Ready before proceeding to the next step.

Configure VNET peering in Konnect

Now that your Dedicated Cloud Gateway Azure network is ready, you can configure VNET peering to connect your Azure virtual network to your Dedicated Cloud Gateway.

  1. In the Konnect sidebar, click API Gateways.
  2. Click your Azure Dedicated Cloud Gateway.
  3. In the API Gateways sidebar, click Networks.
  4. From the action menu next to your Azure network, select “Configure VNET peering”.
  5. In the Tenant ID field, enter your Microsoft Entra tenant ID.
  6. In the Subscription ID field, enter your virtual network’s subscription ID.
  7. In the Resource group name field, enter your virtual network’s resource group name.
  8. In the VNET Name field, enter your virtual network’s name.
  9. Click Next.
  10. Grant access to the Dedicated Cloud Gateway app in Microsoft Entra using the link provided in the setup wizard.

    Important: You need an admin account to approve the app.

  11. Create a peering role with the Azure CLI using the command in the UI wizard.

    Konnect requires permission to create and manage peering resources. You must define a role named Kong Cloud Gateway Peering Creator with the following permissions:

    • Read and write access to Virtual Network peering configurations
    • Permission to perform peering actions
  12. Assign the role to the service principal so it has permission to peer with your virtual network using the command in the UI wizard.
  13. Select Please confirm if you have completed the above mentioned steps.
  14. Click Done.
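Steps 11 and 12 above create a custom role and bind it to the service principal. The script below is an added example that generates a role definition matching the permissions the docs describe for Kong Cloud Gateway Peering Creator (read/write on virtual network peerings and the peer action), limits where the role can be assigned to the VNET's resource group, checks that nothing outside `Microsoft.Network/virtualNetworks` slipped in, and then assigns it. It is not the wizard's command: the exact role definition and assignment command come from the Konnect UI wizard, and the service principal object ID `KONNECT_SP_OBJECT_ID` is a placeholder name assumed here, not something the page provides. The `az` calls run only when invoked with `apply`.

```shell
#!/bin/sh
# Added example (not the Konnect wizard's command): build a least-privilege
# custom role for VNET peering, verify its scope, and assign it to the
# Dedicated Cloud Gateway service principal at resource-group scope.
set -eu

# From the prerequisites section (the resource group ID is the assignment scope).
: "${RESOURCE_GROUP_ID:=/subscriptions/YOUR_SUBSCRIPTION_ID/resourceGroups/YOUR_RESOURCE_GROUP}"
# Assumed placeholder (not in the docs): object ID of the Konnect app's service
# principal in your tenant, visible after you grant the app access in Entra.
: "${KONNECT_SP_OBJECT_ID:=00000000-0000-0000-0000-000000000000}"
ROLE_NAME='Kong Cloud Gateway Peering Creator'

# Emit the role definition JSON. Only peering-related operations are granted and
# the role can only be assigned within the scope passed as $1 (AssignableScopes).
peering_role_definition() {
  cat <<EOF
{
  "Name": "$ROLE_NAME",
  "IsCustom": true,
  "Description": "Create and manage VNET peerings for a Konnect Dedicated Cloud Gateway",
  "Actions": [
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
    "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
    "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",
    "Microsoft.Network/virtualNetworks/peer/action"
  ],
  "NotActions": [],
  "AssignableScopes": ["$1"]
}
EOF
}

# Return 0 when every granted operation is under Microsoft.Network/virtualNetworks,
# i.e. the role cannot be used for anything but peering on the scoped VNETs.
role_is_vnet_scoped() {
  peering_role_definition "$1" \
    | grep -o '"Microsoft\.[^"]*"' \
    | grep -qv '^"Microsoft\.Network/virtualNetworks/' && return 1
  return 0
}

# Create the role (update it if it already exists) and assign it to the service
# principal; --assignee-principal-type avoids a directory lookup for a new SP.
apply_peering_role() {
  role_is_vnet_scoped "$RESOURCE_GROUP_ID" || { echo "role grants non-VNET actions" >&2; return 1; }
  tmp=$(mktemp)
  peering_role_definition "$RESOURCE_GROUP_ID" > "$tmp"
  az role definition create --role-definition "@$tmp" \
    || az role definition update --role-definition "@$tmp"
  rm -f "$tmp"
  az role assignment create \
    --assignee-object-id "$KONNECT_SP_OBJECT_ID" \
    --assignee-principal-type ServicePrincipal \
    --role "$ROLE_NAME" \
    --scope "$RESOURCE_GROUP_ID"
}

if [ "${1:-}" = "apply" ]; then
  apply_peering_role
fi
```

Scoping the assignment to the VNET's resource group rather than the subscription keeps the Konnect principal from peering with networks it has no business touching; if you have several subscriptions in the same tenant, add each one to AssignableScopes before creating the role (see the FAQ below on the CLI failing to add a second subscription later).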

Configure private DNS for your Azure network in Konnect

  1. In the Konnect sidebar, click API Gateways.
  2. Click your Azure Dedicated Cloud Gateway.
  3. In the API Gateways sidebar, click Networks.
  4. From the action menu next to your Azure network, select “Configure private DNS”.
  5. Click Private hosted zone.
  6. In the Name field, enter the fully qualified domain name for your private hosted zone in Azure.
  7. In the Tenant ID field, enter your tenant ID from Microsoft Entra.
  8. In the Subscription ID field, enter the subscription ID for your private DNS zone.
  9. In the Resource group ID field, enter the resource group ID that your private DNS zone is in.
  10. In the VNet link name field, enter the name of the virtual network link.
  11. Create a DNS link creator role with the Azure CLI using the command in the UI wizard.
  12. Using the Azure CLI, assign the role to the service principal with the command in the UI wizard so it has permission to peer with your virtual network.
  13. Link your private DNS zone to your virtual network using the command provided by the private DNS wizard in the UI.
  14. Select I confirm that I completed all required steps and understand that incorrect configuration can cause DNS resolution issues.
  15. Click Connect.

Validate

After your private DNS configuration displays as ready, you can begin using your Dedicated Cloud Gateway. To verify that it’s ready, do the following:

  1. In the Konnect sidebar, click API Gateways.
  2. Click your Azure Dedicated Cloud Gateway.
  3. In the API Gateways sidebar, click Networks.
  4. From the action menu next to your Azure network, select “Configure private DNS”.
  5. Scroll until you see Ready for private DNS.

FAQs

This error can occur because you have multiple subscriptions in the same Entra tenant and the Azure CLI can’t assign another subscription to the role. To resolve this in Azure, search for the role and manually add additional subscription IDs to it instead of using the CLI.
