Azure peering

Uses: Kong Gateway
Incompatible with: on-prem

When you deploy Dedicated Cloud Gateway in Konnect, Konnect hosts the Data Plane Nodes on Azure. Then, you can use Azure virtual network peering to establish a secure, low-latency connection between your Azure environment and the Konnect platform.

 
flowchart LR

A(API or service)
B(API or service)
C(API or service)

G(Konnect 
#40;fully-managed
data plane#41;) H(Konnect
#40;fully-managed
data plane#41;) J(Internet) subgraph 1 [User Azure Cloud] subgraph 3 [Virtual Network #40;VNET#41;] A B C end end 3 <--VNET Peering
Private API Access--> 6 subgraph 4 [Kong Azure Cloud] subgraph 6 [Virtual Network #40;VNET#41;] G H end end G & H <--public API
access--> J

Azure configuration for VNET peering

To enable virtual network peering between your Azure environment and Konnect, you must authorize Konnect to access and configure the necessary Azure resources.

This process includes three main steps:

  1. Authorize the Konnect VNET Peering App in your Azure Tenant

    Konnect uses a registered Azure application to create and manage peering connections. To authorize it:

    • You must grant admin consent to the kong-cgw-azure-vnet-peering-app for your tenant.
    • This is done by visiting a URL that includes your Azure Tenant ID:

    https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id=207b296f-cf25-4d23-9eba-9a2c41dc62ca

  2. Define a Custom Role in Azure

    Konnect requires permission to create and manage peering resources. You must define a role named Kong Cloud Gateway Peering Creator with the following permissions:

    • Read and write access to Virtual Network peering configurations
    • Permission to perform peering actions

    Use the Azure CLI to define the role, replacing $SUBSCRIPTION-ID with your Azure subscription ID:

     # Replace $SUBSCRIPTION-ID by hand before running: the JSON is single-quoted,
     # so the shell does not expand it. The "Name" must match the name used in the
     # role assignment in step 3.
     az role definition create --output none --role-definition '{
         "Name": "Kong Cloud Gateway Peering Creator",
         "Description": "Perform cross-tenant network peering.",
         "Actions": [
             "Microsoft.Network/virtualNetworks/read",
             "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
             "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
             "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",
             "Microsoft.Network/virtualNetworks/peer/action"
         ],
         "AssignableScopes": [
             "/subscriptions/$SUBSCRIPTION-ID"
         ]
     }'
    
  3. Assign the Role to the Konnect Service Principal

    Once the role is created, assign it to the Konnect service principal (looked up by the app's client ID) with your virtual network as the scope, so Konnect can peer with that VNET and nothing broader. Replace the values for subscription-id, resource-group, and vnet-name:

     # Look up the object ID of the Konnect peering app's service principal
     # in your tenant and assign the custom role on the target VNET only.
     az role assignment create \
         --role "Kong Cloud Gateway Peering Creator" \
         --assignee "$(az ad sp list --filter "appId eq '207b296f-cf25-4d23-9eba-9a2c41dc62ca'" \
                          --output tsv --query '[0].id')" \
         --scope "/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.Network/virtualNetworks/{vnet-name}"
    
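The three steps above give a third-party service principal control-plane rights inside your subscription, so after running them it is worth checking that what actually landed in Azure is the least-privilege setup described here: the custom role grants only the five peering actions and no data actions, its assignable scope is one subscription, and the Konnect service principal holds that role on a single VNET and nothing wider. The script below is an added example, not Kong's code. It audits the JSON produced by `az role definition list --custom-role-only true -o json` and `az role assignment list --all -o json`; for an offline run it uses constructed sample data (the subscription ID, service principal object ID, resource group and VNET names are made up), and the function names are my own.

```python
"""Audit the Azure role and assignment granted to the Konnect VNET peering app.

Added example (not part of the Kong docs). Feed it the output of
`az role definition list --custom-role-only true -o json` and
`az role assignment list --all -o json`; constructed sample data is used here.
"""
import json
import re

# Client ID of kong-cgw-azure-vnet-peering-app and the role name, both from the docs.
KONNECT_PEERING_APP_ID = "207b296f-cf25-4d23-9eba-9a2c41dc62ca"
ROLE_NAME = "Kong Cloud Gateway Peering Creator"

# The exact control-plane actions the documented role definition grants.
EXPECTED_ACTIONS = frozenset({
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
    "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
    "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",
    "Microsoft.Network/virtualNetworks/peer/action",
})

# The assignment should sit on exactly one virtual network resource.
VNET_SCOPE_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+"
    r"/providers/Microsoft\.Network/virtualNetworks/[^/]+$", re.IGNORECASE)


def check_role_definition(role):
    """Return findings for one role definition dict (az CLI JSON shape)."""
    findings = []
    if role.get("roleName") != ROLE_NAME:
        findings.append(f"roleName is {role.get('roleName')!r}, expected {ROLE_NAME!r}")
    for perm in role.get("permissions", []):
        actions = set(perm.get("actions", []))
        for extra in sorted(actions - EXPECTED_ACTIONS):
            findings.append(f"unexpected action granted: {extra}")
        for missing in sorted(EXPECTED_ACTIONS - actions):
            findings.append(f"required action missing: {missing}")
        if perm.get("dataActions"):
            findings.append("dataActions should be empty for a peering role")
    for scope in role.get("assignableScopes", []):
        if scope == "/" or "*" in scope or not scope.startswith("/subscriptions/"):
            findings.append(f"assignableScopes too broad: {scope}")
    return findings


def check_assignments(assignments, peering_sp_object_id):
    """Return findings for every assignment held by the peering service principal."""
    findings = []
    mine = [a for a in assignments if a.get("principalId") == peering_sp_object_id]
    if not mine:
        findings.append("no role assignment found for the peering service principal")
    for a in mine:
        role, scope = a.get("roleDefinitionName"), a.get("scope", "")
        if role != ROLE_NAME:
            findings.append(f"unexpected role {role!r} assigned at {scope}")
        if not VNET_SCOPE_RE.match(scope):
            findings.append(f"assignment scope is wider than a single VNET: {scope}")
    return findings


def audit(role_definitions, assignments, peering_sp_object_id):
    """Combine both checks; an empty list means the setup matches the docs."""
    findings = []
    roles = [r for r in role_definitions if r.get("roleName") == ROLE_NAME]
    if not roles:
        findings.append(f"custom role {ROLE_NAME!r} not defined")
    for r in roles:
        findings.extend(check_role_definition(r))
    findings.extend(check_assignments(assignments, peering_sp_object_id))
    return findings


# Constructed sample data: a role that drifted (one extra write action) and an
# over-broad second assignment of Contributor at subscription scope.
SAMPLE_SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_SP_OBJECT_ID = "11111111-1111-1111-1111-111111111111"
SAMPLE_ROLE_DEFINITIONS = json.loads("""[{
  "roleName": "Kong Cloud Gateway Peering Creator", "roleType": "CustomRole",
  "assignableScopes": ["%s"],
  "permissions": [{"actions": [
      "Microsoft.Network/virtualNetworks/read",
      "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
      "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
      "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",
      "Microsoft.Network/virtualNetworks/peer/action",
      "Microsoft.Network/virtualNetworks/write"],
    "notActions": [], "dataActions": [], "notDataActions": []}]}]""" % SAMPLE_SUBSCRIPTION)
SAMPLE_ASSIGNMENTS = [
    {"principalId": SAMPLE_SP_OBJECT_ID, "principalType": "ServicePrincipal",
     "roleDefinitionName": ROLE_NAME,
     "scope": SAMPLE_SUBSCRIPTION + "/resourceGroups/rg-apis"
              "/providers/Microsoft.Network/virtualNetworks/vnet-apis"},
    {"principalId": SAMPLE_SP_OBJECT_ID, "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": SAMPLE_SUBSCRIPTION},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROLE_DEFINITIONS, SAMPLE_ASSIGNMENTS, SAMPLE_SP_OBJECT_ID):
        print("FINDING:", finding)
```

Against the sample data the audit reports three findings: the extra `virtualNetworks/write` action, the Contributor role, and the subscription-wide scope. Run it periodically (or from a pipeline) so that later drift in the role or additional assignments to the same principal is caught.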

Konnect configuration for VNET peering

To configure peering in Konnect, enter the following values from Azure in the Konnect Gateway Manager UI for your Dedicated Cloud Gateway:

  • Azure Tenant ID
  • Azure VNET Subscription ID
  • Azure VNET Resource Group Name
  • Azure VNET Name

DNS mappings

The following table describes how DNS is mapped in Azure VNET peering:

  Mapping Type     Description                                              Example
  1-to-1 Mapping   Each domain is mapped to a unique IP address.            example.com -> 192.168.1.1
  N-to-1 Mapping   Multiple domains share the same IP address.              example.com, example2.com -> 192.168.1.1
  M-to-N Mapping   Multiple domains are mapped to multiple IP addresses,    example.com -> 192.168.1.2
                   without a strict one-to-one relationship.                example3.com -> 192.168.1.1