 

Why does Azure Application Gateway require an empty subnet

When I try to execute New-AzureRmApplicationGatewayIPConfiguration to create an application gateway, I get an exception:

Subnet xxx cannot be used for application gateway yyy since subnet is not empty.

I encountered this error when I tried to add the application gateway to the same subnet as the backend servers.

Why is this not an option? Does each gateway require a separate subnet? What is the recommended configuration?

Related questions:

  • The documentation says backend servers can be added when they belong to the virtual network subnet. How can a back-end server belong to the virtual network subnet of the application gateway if the application gateway must be in a separate subnet?
  • How can the application gateway be configured without requiring a public IP address on the backend servers?
Tom Deseyn asked Mar 23 '16 11:03


People also ask

Does Azure application gateway require dedicated subnet?

Within your virtual network, a dedicated subnet is required for the application gateway. You can have multiple instances of a given application gateway deployment in a subnet.

What is the use of gateway subnet in Azure?

The gateway subnet is part of the virtual network IP address range that you specify when configuring your virtual network. It contains the IP addresses that the virtual network gateway resources and services use. When you create the gateway subnet, you specify the number of IP addresses that the subnet contains. (This is the subnet named GatewaySubnet used by VPN and ExpressRoute virtual network gateways; it is distinct from the dedicated subnet an application gateway needs, and the two should not be shared.)

What is connection draining in Azure application gateway?

Connection draining helps you achieve graceful removal of backend pool members during planned service updates. This setting is enabled via the backend http setting and can be applied to all members of a backend pool during rule creation.


2 Answers

The application gateway must be in a subnet by itself as explained in the documentation, hence the reason it is not an option. Create a smaller address space for your application gateway subnet (CIDR 'x.x.x.x/29') so you're not wasting IP addresses unnecessarily.

It's a good practice to strive for a multi-tier network topology using subnets. This enables you to define routes and network security groups (i.e. allow port 80 ingress, deny port 80 egress, deny RDP, etc.) to control traffic flow for the resources in the subnet. The routing and security group requirements for a gateway are generally going to be different than the routing and security group requirements of other resources in the virtual network.

Rick Rainey answered Nov 09 '22 11:11


I had the same issue: my virtual network was 10.0.0.0/24, which was not allowing me to create a separate subnet. I solved the issue by adding another address space to the Azure virtual network, e.g. 10.10.0.0/24, then creating a new subnet there, so that the application gateway was happy to work with the backend servers.

Radoslav Minchev answered Nov 09 '22 12:11
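Putting both answers together as a single worked deployment, here is an added example that is not part of the original question or either answer: it adds a second address space to the VNet, carves a dedicated subnet out of it for the gateway, attaches an NSG to that subnet, checks that the subnet is empty before creating the gateway (the condition behind the error in the question), and points the backend pool at private addresses in the web-tier subnet, so the backends need no public IP of their own. It uses the Az PowerShell module (the AzureRm cmdlets the question mentions differ only in prefix) and assumes an authenticated session; every resource name, address range and backend IP is made up for illustration. Two caveats worth knowing before copying the /29 suggestion from the first answer: Azure reserves five addresses in every subnet, so a /29 leaves only three usable addresses, and Microsoft's guidance for the v2 SKU used here is a /24. The NSG also has to admit the platform's control-plane traffic (TCP 65200-65535 from the GatewayManager service tag for v2; 65503-65534 for v1), or the gateway instances never report healthy.

```powershell
# Added example, not from the original page. Assumes the Az module and a
# session established with Connect-AzAccount. All names, ranges and backend
# IPs below are invented for illustration.
$rg       = 'rg-appgw-demo'
$location = 'westeurope'
New-AzResourceGroup -Name $rg -Location $location | Out-Null

# 1. VNet with the original /24 for the web tier plus a second address space
#    holding a dedicated subnet for the gateway. Azure reserves 5 addresses
#    per subnet, so a /29 would leave only 3 usable; /24 is the v2 guidance.
$webSubnet = New-AzVirtualNetworkSubnetConfig -Name 'snet-web'   -AddressPrefix '10.0.0.0/24'
$gwSubnet  = New-AzVirtualNetworkSubnetConfig -Name 'snet-appgw' -AddressPrefix '10.10.0.0/24'
$vnet = New-AzVirtualNetwork -Name 'vnet-demo' -ResourceGroupName $rg -Location $location `
    -AddressPrefix @('10.0.0.0/24', '10.10.0.0/24') -Subnet $webSubnet, $gwSubnet

# 2. NSG for the gateway subnet only: client traffic on 80/443, the v2
#    control-plane port range from GatewayManager, and health probes from
#    AzureLoadBalancer. The web tier gets its own, tighter NSG (not shown).
$rules = @(
    New-AzNetworkSecurityRuleConfig -Name 'allow-web-in' -Priority 100 -Direction Inbound -Access Allow `
        -Protocol Tcp -SourceAddressPrefix Internet -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange @('80', '443')
    New-AzNetworkSecurityRuleConfig -Name 'allow-gwmanager-in' -Priority 110 -Direction Inbound -Access Allow `
        -Protocol Tcp -SourceAddressPrefix GatewayManager -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '65200-65535'
    New-AzNetworkSecurityRuleConfig -Name 'allow-azlb-in' -Priority 120 -Direction Inbound -Access Allow `
        -Protocol '*' -SourceAddressPrefix AzureLoadBalancer -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '*'
)
$nsg = New-AzNetworkSecurityGroup -Name 'nsg-appgw' -ResourceGroupName $rg -Location $location -SecurityRules $rules
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-appgw' -AddressPrefix '10.10.0.0/24' `
    -NetworkSecurityGroup $nsg | Out-Null
$vnet     = Set-AzVirtualNetwork -VirtualNetwork $vnet
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'snet-appgw' -VirtualNetwork $vnet

# 3. Pre-flight check for the "subnet is not empty" error: a NIC or any other
#    IP configuration already in the subnet will make the deployment fail.
if ($gwSubnet.IpConfigurations.Count -gt 0) {
    throw "Subnet $($gwSubnet.Name) already holds $($gwSubnet.IpConfigurations.Count) IP configuration(s); the gateway needs an empty subnet."
}

# 4. Gateway components. The public IP on the frontend is the only exposed
#    address; the backend pool lists private IPs of VMs in snet-web.
$pip      = New-AzPublicIpAddress -Name 'pip-appgw' -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard
$gwIpCfg  = New-AzApplicationGatewayIPConfiguration -Name 'gw-ipcfg' -Subnet $gwSubnet
$feIpCfg  = New-AzApplicationGatewayFrontendIPConfig -Name 'fe-public' -PublicIPAddress $pip
$fePort   = New-AzApplicationGatewayFrontendPort -Name 'fe-port-80' -Port 80
$pool     = New-AzApplicationGatewayBackendAddressPool -Name 'pool-web' -BackendIPAddresses '10.0.0.4', '10.0.0.5'
$httpSet  = New-AzApplicationGatewayBackendHttpSetting -Name 'http-80' -Port 80 -Protocol Http `
    -CookieBasedAffinity Disabled -RequestTimeout 30
$listener = New-AzApplicationGatewayHttpListener -Name 'lst-80' -Protocol Http `
    -FrontendIPConfiguration $feIpCfg -FrontendPort $fePort
$rule     = New-AzApplicationGatewayRequestRoutingRule -Name 'rule-web' -RuleType Basic -Priority 100 `
    -HttpListener $listener -BackendAddressPool $pool -BackendHttpSettings $httpSet
$sku      = New-AzApplicationGatewaySku -Name Standard_v2 -Tier Standard_v2 -Capacity 2

New-AzApplicationGateway -Name 'appgw-demo' -ResourceGroupName $rg -Location $location -Sku $sku `
    -GatewayIPConfigurations $gwIpCfg -FrontendIPConfigurations $feIpCfg -FrontendPorts $fePort `
    -BackendAddressPools $pool -BackendHttpSettingsCollection $httpSet -HttpListeners $listener `
    -RequestRoutingRules $rule
```

The HTTP listener on port 80 keeps the example free of certificate handling; a production deployment would terminate TLS on a 443 listener with a certificate and, ideally, move the web tier's NSG to accept port 80 only from the gateway subnet's 10.10.0.0/24 range so the backends are reachable solely through the gateway.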