Create azure application gateway with static private ip address via terraform

Question

I can't find a way to create an application gateway via terraform with private IP without manually inserting hard coded IP private address.

I tried:

Create a private IP in the application gateway subnet - failed because Azure blocks (attached error from the UI, but terraform raises the same error) it
Create a dynamic private IP in the application gateway subnet - Failed

Only when creating an application gateway with hard coded ip address it works.

This solution is not good enough for me because we handle many environents and we don't want to relay on developers to remember adding a private IP.

Is there a good solution?

Ansuman Bal · Accepted Answer · 2021-07-05 08:15:28Z

Application Gateway v2 SKU supports the static VIP type exclusively, whereas the V1 SKU can be configured to support static or dynamic internal IP address and dynamic public IP address.

Refer: Application Gateway frontend-ip-addresses

Application Gateway V2 currently does not support only private IP mode. The Azure Application Gateway V2 SKU can be configured to support either both static internal IP address and static public IP address, or only static public IP address. It cannot be configured to support only static internal IP address.

Refer: Application gateway v2 with only private-ip

While deploying using terraform, we should define two frontend_ip_configuration blocks, one is used for public IP configuration, another is used for private IP configuration.

Scenario 1: When trying to create a new application gateway with dynamic private IP and dynamic public IP using terraform it gets created for Standard or V1 SKU only.

terraform { 

  required_providers { 

    azurerm = { 

      source  = "hashicorp/azurerm" 

      version = "~> 2.65" 

    } 

  } 

 

  required_version = ">= 0.14.9" 

} 

 

provider "azurerm" { 

  features {} 

} 

resource "azurerm_resource_group" "test" { 

  name     = "Terraformtest" 

  location = "West Europe" 

} 

resource "azurerm_virtual_network" "test" { 

  name                = "terraformvnet" 

  resource_group_name = azurerm_resource_group.test.name 

  location            = azurerm_resource_group.test.location 

  address_space       = ["10.254.0.0/16"] 

} 

 

resource "azurerm_subnet" "frontend" { 

  name                 = "frontend" 

  resource_group_name  = azurerm_resource_group.test.name 

  virtual_network_name = azurerm_virtual_network.test.name 

  address_prefixes     = ["10.254.0.0/24"] 

} 

 

resource "azurerm_subnet" "backend" { 

  name                 = "backend" 

  resource_group_name  = azurerm_resource_group.test.name 

  virtual_network_name = azurerm_virtual_network.test.name 

  address_prefixes     = ["10.254.2.0/24"] 

} 

 

resource "azurerm_public_ip" "test" { 

  name                = "test-pip" 

  resource_group_name = azurerm_resource_group.test.name 

  location            = azurerm_resource_group.test.location 

  allocation_method   = "Dynamic" 

} 

locals { 

  backend_address_pool_name      = "${azurerm_virtual_network.test.name}-beap" 

  frontend_port_name             = "${azurerm_virtual_network.test.name}-feport" 

  frontend_ip_configuration_name = "${azurerm_virtual_network.test.name}-feip" 

  http_setting_name              = "${azurerm_virtual_network.test.name}-be-htst" 

  listener_name                  = "${azurerm_virtual_network.test.name}-httplstn" 

  request_routing_rule_name      = "${azurerm_virtual_network.test.name}-rqrt" 

  redirect_configuration_name    = "${azurerm_virtual_network.test.name}-rdrcfg" 

} 

 

resource "azurerm_application_gateway" "network" { 

  name                = "test-appgateway" 

  resource_group_name = "${azurerm_resource_group.test.name}" 

  location            = "${azurerm_resource_group.test.location}" 

 

  sku { 

    name     = "Standard_Small" 

    tier     = "Standard" 

    capacity = 2 

  } 

 

  gateway_ip_configuration { 

    name      = "my-gateway-ip-configuration" 

    subnet_id = "${azurerm_subnet.frontend.id}" 

  } 

 

  frontend_port { 

    name = "${local.frontend_port_name}" 

    port = 80 

  } 

 

  frontend_ip_configuration { 

    name                 = "${local.frontend_ip_configuration_name}" 

    public_ip_address_id = "${azurerm_public_ip.test.id}" 

  } 

 

 frontend_ip_configuration { 

    name                 = "${local.frontend_ip_configuration_name}-private" 

    subnet_id = "${azurerm_subnet.frontend.id}" 

    private_ip_address_allocation = "Dynamic" 

  } 

  backend_address_pool { 

    name = "${local.backend_address_pool_name}" 

  } 

 

  backend_http_settings { 

    name                  = "${local.http_setting_name}" 

    cookie_based_affinity = "Disabled" 

    path                  = "/path1/" 

    port                  = 80 

    protocol              = "Http" 

    request_timeout       = 1 

  } 

 

  http_listener { 

    name                           = "${local.listener_name}" 

    frontend_ip_configuration_name = "${local.frontend_ip_configuration_name}-private" 

    frontend_port_name             = "${local.frontend_port_name}" 

    protocol                       = "Http" 

  } 

 

  request_routing_rule { 

    name                       = "${local.request_routing_rule_name}" 

    rule_type                  = "Basic" 

    http_listener_name         = "${local.listener_name}" 

    backend_address_pool_name  = "${local.backend_address_pool_name}" 

    backend_http_settings_name = "${local.http_setting_name}" 

  } 

}

Scenario 2: While creating a Standard V2 we can create a private IP but it doesn’t support dynamic allocation yet so it must be static, and you must mention the IP address you want to use. and to use that you must select standard sku for public IP and static IP address allocation for public as well.

z

So, after updating private_ip_address_allocation = "Static" and private_ip_address = "10.254.0.10" it will get created successfully.

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 2.65"
    }
  }

  required_version = ">= 0.14.9"
}

provider "azurerm" {
  features {}
}
resource "azurerm_resource_group" "test" {
  name     = "Terraformtest"
  location = "West Europe"
}
resource "azurerm_virtual_network" "test" {
  name                = "terraformvnet"
  resource_group_name = azurerm_resource_group.test.name
  location            = azurerm_resource_group.test.location
  address_space       = ["10.254.0.0/16"]
}

resource "azurerm_subnet" "frontend" {
  name                 = "frontend"
  resource_group_name  = azurerm_resource_group.test.name
  virtual_network_name = azurerm_virtual_network.test.name
  address_prefixes     = ["10.254.0.0/24"]
}

resource "azurerm_subnet" "backend" {
  name                 = "backend"
  resource_group_name  = azurerm_resource_group.test.name
  virtual_network_name = azurerm_virtual_network.test.name
  address_prefixes     = ["10.254.2.0/24"]
}

resource "azurerm_public_ip" "test" {
  name                = "test-pip"
  resource_group_name = azurerm_resource_group.test.name
  location            = azurerm_resource_group.test.location
  allocation_method   = "Static"
  sku  = "Standard"
}
locals {
  backend_address_pool_name      = "${azurerm_virtual_network.test.name}-beap"
  frontend_port_name             = "${azurerm_virtual_network.test.name}-feport"
  frontend_ip_configuration_name = "${azurerm_virtual_network.test.name}-feip"
  http_setting_name              = "${azurerm_virtual_network.test.name}-be-htst"
  listener_name                  = "${azurerm_virtual_network.test.name}-httplstn"
  request_routing_rule_name      = "${azurerm_virtual_network.test.name}-rqrt"
  redirect_configuration_name    = "${azurerm_virtual_network.test.name}-rdrcfg"
}

resource "azurerm_application_gateway" "network" {
  name                = "test-appgateway"
  resource_group_name = "${azurerm_resource_group.test.name}"
  location            = "${azurerm_resource_group.test.location}"

  sku {
    name     = "Standard_v2"
    tier     = "Standard_v2"
    capacity = 2
  }

  gateway_ip_configuration {
    name      = "my-gateway-ip-configuration"
    subnet_id = "${azurerm_subnet.frontend.id}"
  }

  frontend_port {
    name = "${local.frontend_port_name}"
    port = 80
  }

  frontend_ip_configuration {
    name                 = "${local.frontend_ip_configuration_name}"
    public_ip_address_id = "${azurerm_public_ip.test.id}"
  }

 frontend_ip_configuration {
      name                 = "${local.frontend_ip_configuration_name}-private"
    subnet_id = "${azurerm_subnet.frontend.id}"
    private_ip_address_allocation = "Static"
    private_ip_address = "10.254.0.10"
  }
  backend_address_pool {
    name = "${local.backend_address_pool_name}"
  }

  backend_http_settings {
    name                  = "${local.http_setting_name}"
    cookie_based_affinity = "Disabled"
    path                  = "/path1/"
    port                  = 80
    protocol              = "Http"
    request_timeout       = 1
  }

  http_listener {
    name                           = "${local.listener_name}"
    frontend_ip_configuration_name = "${local.frontend_ip_configuration_name}"
    frontend_port_name             = "${local.frontend_port_name}"
    protocol                       = "Http"
  }

  request_routing_rule {
    name                       = "${local.request_routing_rule_name}"
    rule_type                  = "Basic"
    http_listener_name         = "${local.listener_name}"
    backend_address_pool_name  = "${local.backend_address_pool_name}"
    backend_http_settings_name = "${local.http_setting_name}"
  }
}

Note : 2 application gateway cannot use same subnet . So if you are creating a new appgw then you have to create a new subnet.

ValueError · Accepted Answer · 2021-07-02 10:39:42Z

1

Can you paste your terraform code?

For the latest terraform version documentation say that block frontend_ip_configuration supports private_ip_address_allocation parameter, which can hold value Dynamic.

Also remember that app gateway has to have a separate network with only application gateway in it. I am not sure, but I suppose that it is gateway per subnet, so 2 gateways in one subnet is impossible.

answered Jul 2, 2021 at 10:39

ValueError

1463 bronze badges

Add a comment |

Anthony Staunton · Accepted Answer · 2024-02-19 11:14:19Z

Although this question is from a long time back, for anyone that may see it / refer to it. The above states that a subnet is needed for each App gateway, that you can only have 1 instance of a gateway in a subnet.

https://learn.microsoft.com/en-us/azure/application-gateway/configuration-infrastructure

Within your virtual network, a dedicated subnet is required for the application gateway. You can have multiple instances of a specific Application Gateway deployment in a subnet. You can also deploy other application gateways in the subnet. But you can't deploy any other resource in the Application Gateway subnet. You can't mix v1 and v2 Application Gateway SKUs on the same subnet.

I would read this as stating that you can have as many App Gateways in the same subnet once they are all the same version. The limitation is that the subnet can only be used for App Gateways.....defining a /24 subnet may not be optimal for your IP allocations

Collectives™ on Stack Overflow

Create azure application gateway with static private ip address via terraform

3 Answers 3

Your Answer

Not the answer you're looking for? Browse other questions tagged
terraform
terraform-provider-azure
azure-application-gateway
or ask your own question.

Hot Network Questions

Collectives™ on Stack Overflow

3 Answers 3

Your Answer

Sign up or log in

Post as a guest

Not the answer you're looking for? Browse other questions tagged terraformterraform-provider-azureazure-application-gateway or ask your own question.

Related

Not the answer you're looking for? Browse other questions tagged
terraform
terraform-provider-azure
azure-application-gateway
or ask your own question.