Configure Azure Application Gateway Private Link

Application Gateway Private Link allows you to connect your workloads over a private connection spanning across VNets and subscriptions. For more information, see Application Gateway Private Link.

Diagram showing Application Gateway Private Link

Configuration options

Application Gateway Private Link can be configured via multiple options, such as, but not limited to, the Azure portal, Azure PowerShell, and Azure CLI.

Define a subnet for Private Link Configuration

To enable Private Link Configuration, a subnet, different from the Application Gateway subnet, is required for the private link IP configuration. Private Link must use a subnet that doesn't contain any Application Gateways. Subnet sizing is determined by the number of connections required for your deployment. Each IP address allocated to this subnet ensures 64-K concurrent TCP connections that can be established via Private Link at single point in time. Allocate more IP addresses to allow more connections via Private Link. For example: n * 64K; where n is the number of IP addresses being provisioned.

Note

The maximum number of IP addresses per private link configuration is eight. Only dynamic allocation is supported.

Complete the following steps to create a new subnet:

Add, change, or delete a virtual network subnet

Configure Private Link

The Private link configuration defines the infrastructure used by Application Gateway to enable connections from Private Endpoints. While creating the Private Link configuration ensure a listener is actively utilizing the respected frontend IP configuration.Complete the following steps to create the Private Link configuration:

  1. Go to the Azure portal

  2. Search for and select Application Gateways.

  3. Select the name of the application gateway you want to enable private link.

  4. Select Private link

  5. Configure the following items:

    • Name: The name of the private link configuration.
    • Private link subnet: The subnet IP addresses should be consumed from.
    • Frontend IP Configuration: The frontend IP address that private link should forward traffic to on Application Gateway.
    • Private IP address settings: specify at least one IP address
  6. Select Add.

  7. Within your Application Gateways properties blade, obtain and make a note of the Resource ID, this is required if you are setting up a Private Endpoint within a different Microsoft Entra tenant.

Configure Private Endpoint

A private endpoint is a network interface that uses a private IP address from the virtual network containing clients wishing to connect to your Application Gateway. Each of the clients uses the private IP address of the Private Endpoint to tunnel traffic to the Application Gateway. To create a private endpoint, complete the following steps:

  1. Select the Private endpoint connections tab.
  2. Select Create.
  3. On the Basics tab, configure a resource group, name, and region for the Private Endpoint. Select Next.
  4. On the Resource tab, select Next.
  5. On the Virtual Network tab, configure a virtual network and subnet where the private endpoint network interface should be provisioned to. Configure whether the private endpoint should have a dynamic or static IP address. Select Next.
  6. On the Tags tab, optionally configure resource tags. Select Next.
  7. Select Create.

Note

If the public or private IP configuration resource is missing when trying to select a Target sub-resource on the Resource tab of private endpoint creation, please ensure a listener is actively utilizing the respected frontend IP configuration. Frontend IP configurations without an associated listener won't be shown as a Target sub-resource.

Note

If you're provisioning a Private Endpoint from within another tenant, you will need to utilize the Azure Application Gateway Resource ID and the Name of the Frontend IP configuration as the target sub-resource. For example, if I had a private IP associated to the Application Gateway and the Name listed in Frontend IP configuration of the portal for the private IP is PrivateFrontendIp, the target sub-resource value would be: PrivateFrontendIp.

Note

If you have to move a Private Endpoint to another subscription, you must first delete the existing Private Endpoint connection between the Private Link and Private Endpoint. Once this is completed, you have to re-create a new Private Endpoint connection in the new subscription to establish connection between Private Link and Private Endpoint.

Next steps