The example image above illustrates configuration of an application with 3 listeners. First two are multi-site listeners for http://acme.com/* and http://fabrikam.com/*, respectively. Both are listening on port 80. The third listener is a basic listener with end to end SSL termination.
20
+
19
21
## Prerequisites
20
22
21
23
### Azure virtual network and dedicated subnet
22
24
23
-
Application gateway is a dedicated deployment in your virtual network. You require an virtual network with a dedicated subnet for application gateway. You can have multiple instances of a given application gateway deployment in this subnet. You can also deploy other application gateways in the subnet but you cannot deploy any other resource in the application gateway subnet.
25
+
Application gateway is a dedicated deployment in your virtual network. Within your virtual network, a dedicated subnet is required for your application gateway. You can have multiple instances of a given application gateway deployment in this subnet. You can also deploy other application gateways in the subnet but you cannot deploy any other resource in the application gateway subnet.
24
26
25
27
> [!NOTE]
26
28
> Mixing Standard_v2 and Standard Application Gateway on the same subnet is not supported.
27
29
28
30
#### Size of the subnet
29
31
30
-
Application Gateway consumes one private IP address per instance, plus another private IP address if a private frontend IP configuration is configured. Also, Azure reserves the first four and last IP address in each subnet for internal usage. For example, if an application gateway is set to three instances and no private frontend IP, then a /29 subnet size or greater is needed. In this case, the application gateway uses three IP addresses. If you have three instances and an IP address for the private frontend IP configuration, then a /28 subnet size or greater is needed as four IP addresses are required.
32
+
In case of v1 SKU, application Gateway consumes one private IP address per instance, plus another private IP address if a private frontend IP configuration is configured. Also, Azure reserves the first four and last IP address in each subnet for internal usage. For example, if an application gateway is set to three instances and no private frontend IP, then a /29 subnet size or greater is needed. In this case, the application gateway uses three IP addresses. If you have three instances and an IP address for the private frontend IP configuration, then a /28 subnet size or greater is needed as four IP addresses are required.
31
33
32
34
#### Network Security Groups supported on the Application Gateway subnet
33
35
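Review bot: the added sentence "In case of v1 SKU, application Gateway consumes one private IP address per instance, plus another private IP address if a private frontend IP configuration is configured" now scopes the whole subnet-sizing paragraph to v1, but the section then says nothing about v2, so a reader deploying Standard_v2 (which the NOTE just above already distinguishes from Standard) is left without any sizing rule for the subnet; either add a sentence for the v2 SKU or state plainly that v2 sizing is documented elsewhere. Minor points on the same line: "application Gateway" should be "Application Gateway" to match the heading and the rest of the page, "In case of v1 SKU," reads more naturally as "For the v1 SKU,", and "the first four and last IP address" should be "the first four and the last IP addresses". The rewording of the first paragraph ("Within your virtual network, a dedicated subnet is required for your application gateway.") is a clear improvement over "You require an virtual network".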
@@ -39,23 +41,23 @@ Network Security Groups (NSGs) are supported on the Application Gateway subnet w
39
41
40
42
- Traffic from the AzureLoadBalancer tag must be allowed.
41
43
42
-
##### Whitelist Application Gateway access to a few source IPs
44
+
##### Whitelist Application Gateway access to a few source IPs
43
45
44
-
This scenario can be done using NSGs on the application gateway subnet. The following restrictions should be put on the subnet in the listed order of priority:
46
+
This scenario can be done using NSGs on the application gateway subnet. The following restrictions should be put on the subnet in the listed order of priority:
45
47
46
-
1. Allow incoming traffic from source IP/IP range.
47
-
2. Allow incoming requests from all sources to ports 65503-65534 for [backend health communication](https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-diagnostics). This port range is required for Azure infrastructure communication. They are protected (locked down) by Azure certificates. Without proper certificates, external entities, including the customers of those gateways, will not be able to initiate any changes on those endpoints.
48
-
3. Allow incoming Azure Load Balancer probes (AzureLoadBalancer tag) and inbound virtual network traffic (VirtualNetwork tag) on the [NSG](https://docs.microsoft.com/en-us/azure/virtual-network/security-overview).
49
-
4. Block all other incoming traffic with a Deny all rule.
50
-
5. Allow outbound traffic to the internet for all destinations.
48
+
1. Allow incoming traffic from source IP/IP range.
49
+
2. Allow incoming requests from all sources to ports 65503-65534 for [backend health communication](https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-diagnostics). This port range is required for Azure infrastructure communication. They are protected (locked down) by Azure certificates. Without proper certificates, external entities, including the customers of those gateways, will not be able to initiate any changes on those endpoints.
50
+
3. Allow incoming Azure Load Balancer probes (AzureLoadBalancer tag) and inbound virtual network traffic (VirtualNetwork tag) on the [NSG](https://docs.microsoft.com/en-us/azure/virtual-network/security-overview).
51
+
4. Block all other incoming traffic with a Deny all rule.
52
+
5. Allow outbound traffic to the internet for all destinations.
51
53
52
54
#### User-defined routes supported on the Application Gateway subnet
53
55
54
-
User-defined routes (UDRs) are supported on the application gateway subnet, as long as they do not alter the end-to-end request/response communication.
56
+
In case of v1 SKU, User-defined routes (UDRs) are supported on the application gateway subnet, as long as they do not alter the end-to-end request/response communication.
55
57
56
58
For example, you can set up a UDR in the application gateway subnet to point to a firewall appliance for packet inspection, but you must ensure that the packet can reach its intended destination post inspection. Failure to do so might result in incorrect health probe or traffic routing behavior. This includes learned routes or default 0.0.0.0/0 routes propagated by ExpressRoute or VPN Gateways in the virtual network.
57
59
58
-
UDRs on the application gateway subnet are not supported on the v2 SKU. For more information, see [Autoscaling and Zone-redundant Application Gateway (Public Preview)](https://docs.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant#known-issues-and-limitations).
60
+
In case of v2 SKU, UDRs on the application gateway subnet are not supported. For more information, see [Autoscaling and Zone-redundant Application Gateway (Public Preview)](https://docs.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant#known-issues-and-limitations).
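Review bot: the `-`/`+` pairs for the "Whitelist Application Gateway access to a few source IPs" heading, the "This scenario can be done using NSGs on the application gateway subnet." sentence and the five numbered rules are textually identical, so they are whitespace or line-ending changes that bury the two substantive edits of this hunk; either drop them from the commit or say in the commit message that the block was re-indented. On the substantive edits: "In case of v1 SKU, User-defined routes (UDRs) are supported on the application gateway subnet" keeps a capital U mid-sentence; suggest "For the v1 SKU, user-defined routes (UDRs) are supported ..." and the matching "For the v2 SKU, UDRs on the application gateway subnet are not supported." for the last paragraph. The unchanged example paragraph ("For example, you can set up a UDR in the application gateway subnet to point to a firewall appliance for packet inspection ...") now sits between a v1-only statement and a v2-not-supported statement without saying which SKU it applies to; a short lead-in such as "On v1, for example," would stop a reader from applying it to v2. The v2 paragraph still links to a page whose link text says "(Public Preview)"; worth confirming that label is still accurate before merging.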