When you deploy Dedicated Cloud Gateway in Konnect, Konnect hosts the Data Plane Nodes on Azure. Then, you can use Azure virtual network peering to establish a secure, low-latency connection between your Azure environment and the Konnect platform.
Azure peering
Azure configuration for VNET peering
To enable virtual network peering between your Azure environment and Konnect, you must authorize Konnect to access and configure the necessary Azure resources.
This process includes three main steps:
1. Authorize the Konnect VNET Peering App in your Azure Tenant
Konnect uses a registered Azure application to create and manage peering connections. To authorize it:
- You must grant admin consent to the kong-cgw-azure-vnet-peering-app for your tenant.
- This is done by visiting a URL that includes your Azure Tenant ID:
https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id=207b296f-cf25-4d23-9eba-9a2c41dc62ca
2. Define a Custom Role in Azure
Konnect requires permission to create and manage peering resources. You must define a role named Kong Cloud Gateway Peering Creator with the following permissions:
- Read and write access to Virtual Network peering configurations
- Permission to perform peering actions
Use the Azure CLI to define the role, replacing $SUBSCRIPTION-ID with your Azure subscription ID (the role name must match the one used in the role assignment below exactly):
az role definition create --output none --role-definition '{
  "Name": "Kong Cloud Gateway Peering Creator",
  "Description": "Perform cross-tenant network peering.",
  "Actions": [
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
    "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
    "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",
    "Microsoft.Network/virtualNetworks/peer/action"
  ],
  "AssignableScopes": [ "/subscriptions/$SUBSCRIPTION-ID" ]
}'
3. Assign the Role to the Konnect Service Principal
Once the role is created, assign it to the Konnect service principal so that it has permission to peer with your virtual network. Replace the values for subscription-id, resource-group, and vnet-name:
az role assignment create \
  --role "Kong Cloud Gateway Peering Creator" \
  --assignee "$(az ad sp list --filter "appId eq '207b296f-cf25-4d23-9eba-9a2c41dc62ca'" --output tsv --query '[0].id')" \
  --scope "/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.Network/virtualNetworks/{vnet-name}"
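The three steps above, put together as an added shell example (this is not Kong's own script). It renders the consent URL, the role definition JSON and the VNet scope as values that can be checked before anything is sent to Azure, and only the last function calls the Azure CLI. The app (client) ID and role name are the ones this page uses; the tenant, subscription, resource group and VNet names are parameters, and the script assumes `az` is logged in to the target tenant with rights to create role definitions and assignments. Two details worth noting: the subscription ID is substituted by the shell (inside single quotes, as in the one-liner above, `$SUBSCRIPTION-ID` would not be), and the optional resource-group argument narrows the role's assignable scope from the whole subscription to one resource group.

```shell
#!/usr/bin/env bash
# Added example, not Kong's script. Assumes `az` is authenticated to the tenant
# that owns the VNet. The app ID and role name are taken from the page.
set -eu

KONNECT_PEERING_APP_ID="207b296f-cf25-4d23-9eba-9a2c41dc62ca"
PEERING_ROLE_NAME="Kong Cloud Gateway Peering Creator"

# Azure tenant and subscription IDs are GUIDs; reject anything else before it
# is interpolated into a URL, a role definition or a scope string.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Step 1: admin-consent URL for the Konnect peering app in the given tenant.
consent_url() {
  is_guid "$1" || { echo "bad tenant id: $1" >&2; return 1; }
  printf 'https://login.microsoftonline.com/%s/adminconsent?client_id=%s\n' \
    "$1" "$KONNECT_PEERING_APP_ID"
}

# Step 2: the custom role definition as valid JSON (no trailing comma, name
# identical to the one used in the assignment). An optional second argument
# limits AssignableScopes to a single resource group instead of the subscription.
role_definition_json() {
  is_guid "$1" || { echo "bad subscription id: $1" >&2; return 1; }
  scope="/subscriptions/$1"
  if [ -n "${2:-}" ]; then scope="$scope/resourceGroups/$2"; fi
  cat <<EOF
{
  "Name": "$PEERING_ROLE_NAME",
  "Description": "Perform cross-tenant network peering.",
  "Actions": [
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
    "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
    "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",
    "Microsoft.Network/virtualNetworks/peer/action"
  ],
  "AssignableScopes": [ "$scope" ]
}
EOF
}

# Step 3: resource ID of the one VNet the assignment is scoped to, so the
# peering app can act on that VNet only and nothing wider.
vnet_scope() {
  is_guid "$1" || { echo "bad subscription id: $1" >&2; return 1; }
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/virtualNetworks/%s\n' \
    "$1" "$2" "$3"
}

# Runs the Azure CLI commands from the page with the rendered values. Not
# invoked at load time, so the file can be sourced and checked without Azure.
apply_peering_authorization() {
  tenant="$1"; sub="$2"; rg="$3"; vnet="$4"
  echo "Grant admin consent (as a tenant admin) at: $(consent_url "$tenant")"
  # Create the role only once; az fails if a role with this name already exists.
  if [ "$(az role definition list --name "$PEERING_ROLE_NAME" --query 'length(@)' --output tsv)" = "0" ]; then
    az role definition create --output none --role-definition "$(role_definition_json "$sub" "$rg")"
  fi
  # The service principal only exists in your tenant after consent was granted.
  sp_id="$(az ad sp list --filter "appId eq '$KONNECT_PEERING_APP_ID'" --output tsv --query '[0].id')"
  [ -n "$sp_id" ] || { echo "Konnect peering app not found in tenant; grant consent first" >&2; return 1; }
  az role assignment create --role "$PEERING_ROLE_NAME" --assignee "$sp_id" \
    --scope "$(vnet_scope "$sub" "$rg" "$vnet")" --output none
  # Confirm the assignment exists at exactly this VNet scope.
  az role assignment list --assignee "$sp_id" --scope "$(vnet_scope "$sub" "$rg" "$vnet")" --output table
}
```

Source the file and call `apply_peering_authorization <tenant-id> <subscription-id> <resource-group> <vnet-name>` once the consent URL has been visited by a tenant admin; the role-definition and scope helpers can be run on their own to review what will be created.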
Konnect configuration for VNET peering
To configure peering in Konnect, enter the following values from Azure into the Konnect Gateway Manager UI for your Dedicated Cloud Gateway:
- Azure Tenant ID
- Azure VNET Subscription ID
- Azure VNET Resource Group Name
- Azure VNET Name
DNS mappings
The following table describes how DNS is mapped in Azure VNET peering:
Mapping Type | Description | Example
---|---|---
1-to-1 Mapping | Each domain is mapped to a unique IP address. | example.com → 192.168.1.1
N-to-1 Mapping | Multiple domains share the same IP address. | example.com, example2.com → 192.168.1.1
M-to-N Mapping | Multiple domains are mapped to multiple IP addresses, without a strict one-to-one relationship. | example.com → 192.168.1.2, example3.com → 192.168.1.1