Configure an Azure Dedicated Cloud Gateway with VNET peering

TL;DR

Using a virtual network (VNET) in Azure, you can create a Dedicated Cloud Gateway in Konnect with Azure as the network provider. When the Azure network is Ready in Konnect, you can configure VNET peering by creating the peering role and assigning it to the service principal. You can use your Azure Dedicated Cloud Gateway after it displays as Ready for VNET peering.

Prerequisites

This tutorial requires a Konnect Plus account. If you don’t have a Konnect account, you can get started quickly with our onboarding wizard.

To approve the Dedicated Cloud Gateway app, you need a Microsoft Entra admin account with the Application Administrator role.

Copy your Entra tenant ID from your dashboard.

Install the Azure CLI and authenticate:

az login

To configure VNET peering in Konnect, you’ll need a virtual network configured in Azure.

Copy your virtual network subscription ID, resource group name, and virtual network name.

Important: Your Azure virtual network must use a different IP address range than your network in Konnect, which is 10.0.0.0/16 by default but can be edited.

When you deploy Dedicated Cloud Gateway in Konnect, Konnect hosts the data plane nodes on Azure. Then, you can use Azure virtual network peering to establish a secure, low-latency connection between your Azure environment and the Konnect platform.

 
flowchart LR

A(API or service)
B(API or service)
C(API or service)
G(Konnect #40;fully-managed data plane#41;)
H(Konnect #40;fully-managed data plane#41;)
J(Internet)

subgraph 1 [User Azure Cloud]
  subgraph 3 [Virtual Network #40;VNET#41;]
    A
    B
    C
  end
end

3 <--VNET Peering Private API Access--> 6

subgraph 4 [Kong Azure Cloud]
  subgraph 6 [Virtual Network #40;VNET#41;]
    G
    H
  end
end

G & H <--public API access--> J

Create an Azure Dedicated Cloud Gateway

  1. In the Konnect sidebar, click API Gateways.
  2. From the New dropdown menu, select “New API gateway”.
  3. Select Dedicated Cloud.
  4. In the Gateway name field, enter Azure.
  5. Click Create and configure.
  6. From the Provider dropdown menu, select “Azure”.
  7. From the Region dropdown menu, select the region you want to configure the cluster in.
  8. Edit the Network range as needed.

    Important: Your Azure virtual network must use a different IP address range than your network in Konnect, which is 10.0.0.0/16 by default but can be edited.

  9. From the Access dropdown menu, select “Public” or “Private”.
  10. Click Create data plane node.

Important: Wait until your Azure network displays as Ready before proceeding to the next step.

Configure VNET peering in Konnect

Now that your Dedicated Cloud Gateway Azure network is ready, you can configure VNET peering to connect your Azure virtual network to your Dedicated Cloud Gateway.

  1. In the Konnect sidebar, click API Gateways.
  2. Click your Azure Dedicated Cloud Gateway.
  3. In the API Gateways sidebar, click Networks.
  4. From the action menu next to your Azure network, select “Configure VNET peering”.
  5. In the Tenant ID field, enter your Microsoft Entra tenant ID.
  6. In the Subscription ID field, enter your virtual network’s subscription ID.
  7. In the Resource group name field, enter your virtual network’s resource group name.
  8. In the VNET Name field, enter your virtual network’s name.
  9. Click Next.
  10. Grant access to the Dedicated Cloud Gateway app in Microsoft Entra using the link provided in the setup wizard.

    Important: You need an admin account to approve the app.

  11. Create a peering role with the Azure CLI using the command in the UI wizard.

    Konnect requires permission to create and manage peering resources. You must define a role named Kong Cloud Gateway Peering Creator with the following permissions:

    • Read and write access to Virtual Network peering configurations
    • Permission to perform peering actions
  12. Assign the role to the service principal so it has permission to peer with your virtual network using the command in the UI wizard.
  13. Select “Please confirm if you have completed the above mentioned steps”.
  14. Click Done.
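
After steps 11 and 12, you can confirm that the peering role grants only what it needs. The following check is an added example, not part of the Konnect wizard or Kong's own tooling. The allowlisted Azure operations are an assumption mapped from the two permissions listed in step 11, and the sample JSON and subscription ID are constructed placeholders.

```python
import json

# Assumption: these Azure operations correspond to the two permissions the page
# lists. If the wizard's command grants others, add them here.
ALLOWED_ACTIONS = {
    "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
    "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
    "Microsoft.Network/virtualNetworks/peer/action",
}

def audit_peering_role(role):
    """Return least-privilege findings for one `az role definition list` entry."""
    findings = []
    for perm in role.get("permissions", []):
        for action in perm.get("actions", []):
            if "*" in action:
                findings.append(f"wildcard action: {action}")
            elif action not in ALLOWED_ACTIONS:
                findings.append(f"action outside peering: {action}")
        for data_action in perm.get("dataActions", []):
            findings.append(f"unexpected data action: {data_action}")
    for scope in role.get("assignableScopes", []):
        # Root ("/") and management-group scopes reach beyond the VNET's subscription.
        if not scope.lower().startswith("/subscriptions/"):
            findings.append(f"scope broader than a subscription: {scope}")
    return findings

# Constructed sample, shaped like the JSON printed by:
#   az role definition list --name "Kong Cloud Gateway Peering Creator"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID
SAMPLE_ROLES = json.loads("""
[
  {"roleName": "Kong Cloud Gateway Peering Creator",
   "permissions": [{"actions": [
       "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
       "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
       "Microsoft.Network/virtualNetworks/peer/action"], "dataActions": []}],
   "assignableScopes": ["%s"]},
  {"roleName": "constructed-over-broad-role",
   "permissions": [{"actions": ["Microsoft.Network/*",
       "Microsoft.Authorization/roleAssignments/write"], "dataActions": []}],
   "assignableScopes": ["/"]}
]
""" % SUB)

if __name__ == "__main__":
    for role in SAMPLE_ROLES:
        for finding in audit_peering_role(role) or ["ok"]:
            print(f'{role["roleName"]}: {finding}')
```

To audit the real role, pass the parsed output of the `az role definition list` command to `audit_peering_role` instead of the constructed sample.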

Validate

After your VNET peering configuration displays as ready, you can begin using your Dedicated Cloud Gateway. To verify that it’s ready, do the following:

  1. In the Konnect sidebar, click API Gateways.
  2. Click your Azure Dedicated Cloud Gateway.
  3. In the API Gateways sidebar, click Networks.
  4. Scroll until you see Ready for VNET peering.

FAQs

This error can occur because you have multiple subscriptions in the same Entra tenant and the Azure CLI can’t assign another subscription to the role. To resolve this in Azure, search for the role and manually add additional subscription IDs to it instead of using the CLI.
