From 32e339ac498c8bb4b50dd6b48c40cccfb1fbe1ff Mon Sep 17 00:00:00 2001 From: Angel Date: Fri, 6 Sep 2024 17:39:38 -0400 Subject: [PATCH 1/8] Azure vnet peering --- app/_data/docs_nav_konnect.yml | 2 + .../data-plane-nodes/azure-peering.md | 89 +++++++++++++++++++ 2 files changed, 91 insertions(+) create mode 100644 app/konnect/gateway-manager/data-plane-nodes/azure-peering.md diff --git a/app/_data/docs_nav_konnect.yml b/app/_data/docs_nav_konnect.yml index a2b894f1e92a..0055a7b8f464 100644 --- a/app/_data/docs_nav_konnect.yml +++ b/app/_data/docs_nav_konnect.yml @@ -60,6 +60,8 @@ url: /gateway-manager/data-plane-nodes/custom-dp-labels - text: Transit Gateways url: /gateway-manager/data-plane-nodes/transit-gateways + - text: Azure Peering + url: /gateway-manager/data-plane-nodes/azure-peering - text: Provision a Dedicated Cloud Gateway url: /gateway-manager/provision-cloud-gateway/ - text: Control Plane Groups diff --git a/app/konnect/gateway-manager/data-plane-nodes/azure-peering.md b/app/konnect/gateway-manager/data-plane-nodes/azure-peering.md new file mode 100644 index 000000000000..74125c56d054 --- /dev/null +++ b/app/konnect/gateway-manager/data-plane-nodes/azure-peering.md 
@@ -0,0 +1,89 @@ +--- +title: How to configure Azure VNET Peering +--- + + + +## How does VNET Peering Work +Add a diagram + +In this diagram, the User Azure Cloud represents Azure Subscription you are running your microservices in, APIs, or applications. You can connect your infrastructure securely to {{site.konnect_short_name}} through Azure VNET Peering. On the Kong side, the Kong Azure Cloud is the azure subscription running your Dedicated Cloud Gateways, which ingests traffic coming in from the User VNET and securely exposes it to the internet. + + +## Prerequisites + +* A {{site.konnect_short_name}} control plane +* An Azure Tenant account with administrative privileges to create resources and manage peering, including the following information: + * Azure tenant ID + * Azure VNET subscription ID + * Azure VNET resource group name + * Azure VNET name + + +## Configure VNET Peering + +### Configure Azure + +Grant access to your Azure AD Tenant: + +1. Navigate to the following URL makign sure to replace `` with your own Azure tenant ID and approve? Approve what? + + `https://login.microsoftonline.com//adminconsent?client_id=207b296f-cf25-4d23-9eba-9a2c41dc62ca` + +1. Input the following command into the Azure CLI making sure to replace `` with your Azure VNET subscription ID + + ```bash + az role definition create --output none --role-definition '{ + "Name": "Kong Cloud Gateway Peering Creator - Kong", + "Description": "Perform cross-tenant network peering.", + "Actions": [ + "Microsoft.Network/virtualNetworks/read", + "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read", + "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write", + "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete", + "Microsoft.Network/virtualNetworks/peer/action" + ], + "AssignableScopes": [ + "/subscriptions/", + ] + }' + ``` +1. 
Run this command with your Azure VNET Subscription ID ``, Azure VNET resource group name ``, and Azure VNET Name `` specified to assign the role to the service principal: + + ```bash + az role assignment create + --role "Kong Cloud Gateway Peering Creator" + --assignee "$(az ad sp list --filter "appId eq '207b296f-cf25-4d23-9eba-9a2c41dc62ca'" + --output tsv --query '[0].id')" + --scope "/subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks/" + ``` + + +### Configure {{site.konnect_short_name}} + +1. From {{site.konnect_short_name}}, navigate to the **Gateway Manager**. +1. Within the **Networks** tab, select the desired network, then select **Configure VNET Peering**. +1. In the form that appears, enter the following values: + * Azure Tenant ID + * Azure VNET Subscription ID + * Azure VNET Resource Group Name + * Azure VNET Name. +1. For DNS configuration, add the IP addresses of DNS servers that will resolve to your private domains, along with any domains you want associated with your DNS. {{site.konnect_short_name}} supports the following mappings: + + * 1-1 Mapping + * Each domain is mapped to a unique IP address. + * For example: `example.com` -> `192.168.1.1` + * N-1 Mapping + * Multiple domains are mapped to a single IP address. + * `example.com`, `example2.com` -> `192.168.1.1` + * M-N Mapping + * Multiple domains are mapped to multiple IP addresses, not necessarily in a one-to-one relationship. + * `example.com`, `example2.com` -> `192.168.1.1`, `192.168.1.2` + * `example3.com` -> `192.168.1.1` + +1. Click **Next** and move on to configuring Azure in the next section. + + + +After the VNET Peering is successfully established, set up a route for the upstream services and configure it to forward all traffic from the {{site.konnect_short_name}} managed VNET through the VNET Peering. This guarantees that traffic from the {{site.konnect_short_name}} data plane reaches the services and that response packets are routed back properly. + 
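Review bot: the inline JSON passed to `az role definition create` in step 2 is invalid, because the `AssignableScopes` array ends with a trailing comma after `"/subscriptions/",`; drop the comma or the command fails to parse the definition. In the same hunk every placeholder (the tenant ID in the consent URL, the subscription in `AssignableScopes`, and the subscription, resource group and VNET name in `--scope`) is rendered as empty backticks, so the reader cannot tell which value goes where; name each one. The `az role assignment create` invocation is split over several lines without `\` continuations, so pasted as shown only the first line runs. The draft line `approve? Approve what?` must be resolved before merge: the URL is an admin-consent prompt that grants an application from another tenant consent in the reader's tenant, so the page should say what is being consented to. Finally, the last Konnect step says "move on to configuring Azure in the next section" although the Azure section precedes it; either reorder the sections or change the wording.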
From c6742904dae744df286249b5279728c845494b84 Mon Sep 17 00:00:00 2001 From: Angel Date: Mon, 9 Sep 2024 14:19:15 -0400 Subject: [PATCH 2/8] diagram --- app/_includes/md/konnect/azure-peering.md | 45 +++++++++++++++++++ .../data-plane-nodes/azure-peering.md | 5 +-- 2 files changed, 47 insertions(+), 3 deletions(-) create mode 100644 app/_includes/md/konnect/azure-peering.md diff --git a/app/_includes/md/konnect/azure-peering.md b/app/_includes/md/konnect/azure-peering.md new file mode 100644 index 000000000000..0557ed81b434 --- /dev/null +++ b/app/_includes/md/konnect/azure-peering.md @@ -0,0 +1,45 @@ + +{% mermaid %} +flowchart LR + +A(API or service) +B(API or service) +C(API or service) + +G(Konnect \n#40;fully-managed \ndata plane#41;) +H(Konnect \n#40;fully-managed \ndata plane#41;) +J(fa:fa-wifi \n Internet) + +subgraph 1 [User Azure Cloud] + subgraph 2 [Region] + subgraph 3 [Virtual Network #40;VNET#41;] + A + B + C + end + end +end +3 <--VNET Peering \n Private API Access--> 6 + +subgraph 4 [Kong Azure Cloud] + subgraph 5 [Region] + subgraph 6 [Virtual Network #40;VNET#41;] + G + H + end + end +end + +G & H <--public API \n access--> J + +style A stroke:#e07113 +style B stroke:#e07113 +style C stroke:#e07113 +style 2 stroke:#167eba,color:#167eba,stroke-dasharray:3 +style 5 stroke:#167eba,color:#167eba,stroke-dasharray:3 +style 3 stroke:#238813,color:#238813,stroke-dasharray:3 +style 6 stroke:#238813,color:#238813,stroke-dasharray:3 + + +{% endmermaid %} + \ No newline at end of file diff --git a/app/konnect/gateway-manager/data-plane-nodes/azure-peering.md b/app/konnect/gateway-manager/data-plane-nodes/azure-peering.md index 74125c56d054..b89d2d6b9691 100644 --- a/app/konnect/gateway-manager/data-plane-nodes/azure-peering.md +++ b/app/konnect/gateway-manager/data-plane-nodes/azure-peering.md 
@@ -5,10 +5,9 @@ title: How to configure Azure VNET Peering ## How does VNET Peering Work -Add a diagram - -In this diagram, the User Azure Cloud represents Azure Subscription you are running your microservices in, APIs, or applications. You can connect your infrastructure securely to {{site.konnect_short_name}} through Azure VNET Peering. On the Kong side, the Kong Azure Cloud is the azure subscription running your Dedicated Cloud Gateways, which ingests traffic coming in from the User VNET and securely exposes it to the internet. +{% include_cached /md/konnect/azure-peering.md %} +> _**Figure 1:** In this diagram, the User Azure Cloud represents Azure subscription you are running your microservices in. You can connect your infrastructure securely to {{site.konnect_short_name}} using Azure VNET Peering. The Kong Azure Cloud is the Azure subscription running your Dedicated Cloud Gateways, which ingests traffic coming in from the user VNET and securely exposing it to the internet._ ## Prerequisites From 9be12a2717e7da5215514382fd76b45e2e177a2d Mon Sep 17 00:00:00 2001 From: Angel Date: Mon, 9 Sep 2024 14:29:43 -0400 Subject: [PATCH 3/8] spelling --- app/konnect/gateway-manager/data-plane-nodes/azure-peering.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/konnect/gateway-manager/data-plane-nodes/azure-peering.md b/app/konnect/gateway-manager/data-plane-nodes/azure-peering.md index b89d2d6b9691..ccdf3644d5eb 100644 --- a/app/konnect/gateway-manager/data-plane-nodes/azure-peering.md +++ b/app/konnect/gateway-manager/data-plane-nodes/azure-peering.md 
@@ -29,7 +29,7 @@ Grant access to your Azure AD Tenant: `https://login.microsoftonline.com//adminconsent?client_id=207b296f-cf25-4d23-9eba-9a2c41dc62ca` -1. Input the following command into the Azure CLI making sure to replace `` with your Azure VNET subscription ID +1. Input the following command into the Azure CLI making sure to replace `` with your Azure VNET subscription ID ```bash az role definition create --output none --role-definition '{ From 947dd3e4e3e845718cb3f7fa379dd73a3b1214d6 Mon Sep 17 00:00:00 2001 From: Angel Date: Tue, 10 Sep 2024 12:57:09 -0400 Subject: [PATCH 4/8] Apply suggestions from code review Co-authored-by: Prateek Gupta Co-authored-by: Diana <75819066+cloudjumpercat@users.noreply.github.com> --- app/_data/docs_nav_konnect.yml | 2 +- .../data-plane-nodes/azure-peering.md | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/app/_data/docs_nav_konnect.yml b/app/_data/docs_nav_konnect.yml index 0055a7b8f464..93977c1b5790 100644 --- a/app/_data/docs_nav_konnect.yml +++ b/app/_data/docs_nav_konnect.yml @@ -60,7 +60,7 @@ url: /gateway-manager/data-plane-nodes/custom-dp-labels - text: Transit Gateways url: /gateway-manager/data-plane-nodes/transit-gateways - - text: Azure Peering + - text: Azure VNET Peering url: /gateway-manager/data-plane-nodes/azure-peering - text: Provision a Dedicated Cloud Gateway url: /gateway-manager/provision-cloud-gateway/ diff --git a/app/konnect/gateway-manager/data-plane-nodes/azure-peering.md b/app/konnect/gateway-manager/data-plane-nodes/azure-peering.md index ccdf3644d5eb..4240a88ec23d 100644 --- a/app/konnect/gateway-manager/data-plane-nodes/azure-peering.md +++ b/app/konnect/gateway-manager/data-plane-nodes/azure-peering.md 
@@ -47,7 +47,7 @@ Grant access to your Azure AD Tenant: ] }' ``` -1. Run this command with your Azure VNET Subscription ID ``, Azure VNET resource group name ``, and Azure VNET Name `` specified to assign the role to the service principal: +1. Run the following command with your Azure VNET Subscription ID ``, Azure VNET resource group name ``, and Azure VNET Name `` specified to assign the role to the service principal: ```bash az role assignment create @@ -61,7 +61,7 @@ Grant access to your Azure AD Tenant: ### Configure {{site.konnect_short_name}} 1. From {{site.konnect_short_name}}, navigate to the **Gateway Manager**. -1. Within the **Networks** tab, select the desired network, then select **Configure VNET Peering**. +1. On the **Networks** tab, select the desired network, then select **Configure VNET Peering**. 1. In the form that appears, enter the following values: * Azure Tenant ID * Azure VNET Subscription ID 
@@ -74,15 +74,15 @@ Grant access to your Azure AD Tenant: * For example: `example.com` -> `192.168.1.1` * N-1 Mapping * Multiple domains are mapped to a single IP address. - * `example.com`, `example2.com` -> `192.168.1.1` + * For example: `example.com`, `example2.com` -> `192.168.1.1` * M-N Mapping * Multiple domains are mapped to multiple IP addresses, not necessarily in a one-to-one relationship. - * `example.com`, `example2.com` -> `192.168.1.1`, `192.168.1.2` - * `example3.com` -> `192.168.1.1` + * For example: `example.com`, `example2.com` -> `192.168.1.1`, `192.168.1.2` + * For example: `example3.com` -> `192.168.1.1` 1. Click **Next** and move on to configuring Azure in the next section. -After the VNET Peering is successfully established, set up a route for the upstream services and configure it to forward all traffic from the {{site.konnect_short_name}} managed VNET through the VNET Peering. This guarantees that traffic from the {{site.konnect_short_name}} data plane reaches the services and that response packets are routed back properly. +After the VNET Peering is successfully established, [set up a route](/konnect/api/control-plane-configuration/latest/#/Routes/list-route) for the upstream services and configure it to forward all traffic from the {{site.konnect_short_name}} managed VNET through the VNET Peering. This guarantees that traffic from the {{site.konnect_short_name}} data plane reaches the services and that response packets are routed back properly. From ba0067453a38b24f89a50cfe4b16e33ab74c406c Mon Sep 17 00:00:00 2001 From: Angel Date: Tue, 10 Sep 2024 14:05:19 -0400 Subject: [PATCH 5/8] diana feedback --- .../data-plane-nodes/azure-peering.md | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/app/konnect/gateway-manager/data-plane-nodes/azure-peering.md b/app/konnect/gateway-manager/data-plane-nodes/azure-peering.md index 4240a88ec23d..a8df5208ada5 100644 
--- a/app/konnect/gateway-manager/data-plane-nodes/azure-peering.md +++ b/app/konnect/gateway-manager/data-plane-nodes/azure-peering.md @@ -1,13 +1,13 @@ --- -title: How to configure Azure VNET Peering +title: How to configure Azure Virtual Network Peering --- +{{site.konnect_short_name}} can leverage [Azure Virtual Network Peering](https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview) to create virtual networks, and ingest data from your Azure services and expose them to the internet via {{site.konnect_short_name}}. - -## How does VNET Peering Work +## How does virtual network peering Work {% include_cached /md/konnect/azure-peering.md %} -> _**Figure 1:** In this diagram, the User Azure Cloud represents Azure subscription you are running your microservices in. You can connect your infrastructure securely to {{site.konnect_short_name}} using Azure VNET Peering. The Kong Azure Cloud is the Azure subscription running your Dedicated Cloud Gateways, which ingests traffic coming in from the user VNET and securely exposing it to the internet._ +> _**Figure 1:** In this diagram, the "User Azure Cloud", represents the Azure infrastructure that runs your microservices. The "Kong Azure Cloud", powers your Kong data planes. Using virtual network peering, you can ingest traffic from your Azure enviroment and expose it to the internet._ ## Prerequisites 
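Review bot: the new intro sentence says peering is used "to create virtual networks", but virtual network peering connects two existing virtual networks; suggest "to connect the virtual network that hosts your Azure services to the {{site.konnect_short_name}}-managed virtual network". The rewritten Figure 1 caption has stray commas after the quoted names (`the "User Azure Cloud", represents` and `The "Kong Azure Cloud", powers`); remove them.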
@@ -18,18 +18,17 @@ title: How to configure Azure VNET Peering * Azure VNET resource group name * Azure VNET name - ## Configure VNET Peering ### Configure Azure Grant access to your Azure AD Tenant: -1. Navigate to the following URL makign sure to replace `` with your own Azure tenant ID and approve? Approve what? +1. Navigate to the following URL making sure to replace `` with your own Azure tenant ID and approve the `kong-cgw-azure-vnet-peering-app`. `https://login.microsoftonline.com//adminconsent?client_id=207b296f-cf25-4d23-9eba-9a2c41dc62ca` -1. Input the following command into the Azure CLI making sure to replace `` with your Azure VNET subscription ID +1. Input the following command into the Azure CLI making sure to replace `` with your Azure VNET subscription ID: ```bash az role definition create --output none --role-definition '{ 
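Review bot: step 1 now reads "approve the `kong-cgw-azure-vnet-peering-app`", which names the application but still does not say which permissions the admin-consent screen will request; an administrator needs that to review the consent before granting it, so list them or link to where they are documented. It is also worth stating here that the custom role created in step 2 is what bounds the application's access (read, write and delete of peerings on the single VNET named in `--scope`), since that is the least-privilege argument for the whole procedure.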
@@ -80,9 +79,11 @@ Grant access to your Azure AD Tenant: * For example: `example.com`, `example2.com` -> `192.168.1.1`, `192.168.1.2` * For example: `example3.com` -> `192.168.1.1` -1. Click **Next** and move on to configuring Azure in the next section. + {:.note} + > **Note**: You will need to create an inbound endpoint for private DNS zone within your tenant. The IP of the inbound endpoint should the IP of the DNS server. +1. Click **Next** and move on to configuring Azure in the next section. -After the VNET Peering is successfully established, [set up a route](/konnect/api/control-plane-configuration/latest/#/Routes/list-route) for the upstream services and configure it to forward all traffic from the {{site.konnect_short_name}} managed VNET through the VNET Peering. This guarantees that traffic from the {{site.konnect_short_name}} data plane reaches the services and that response packets are routed back properly. +After VNET Peering is successfully established you will be able to configure a [route](/konnect/api/control-plane-configuration/latest/#/Routes/list-route) for the upstream service and forward all traffic throgh the virtual network to the data plane. This guarantees that traffic from the {{site.konnect_short_name}} data plane reaches the services and that response packets are routed back properly. From 070c6dfb6472d6659fc45ffc10e2453cba8fc4c4 Mon Sep 17 00:00:00 2001 From: Angel Date: Tue, 10 Sep 2024 14:26:41 -0400 Subject: [PATCH 6/8] Apply suggestions from code review --- app/konnect/gateway-manager/data-plane-nodes/azure-peering.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/app/konnect/gateway-manager/data-plane-nodes/azure-peering.md b/app/konnect/gateway-manager/data-plane-nodes/azure-peering.md index a8df5208ada5..c1ad23a760af 100644 --- a/app/konnect/gateway-manager/data-plane-nodes/azure-peering.md +++ b/app/konnect/gateway-manager/data-plane-nodes/azure-peering.md 
@@ -7,7 +7,7 @@ title: How to configure Azure Virtual Network Peering ## How does virtual network peering Work {% include_cached /md/konnect/azure-peering.md %} -> _**Figure 1:** In this diagram, the "User Azure Cloud", represents the Azure infrastructure that runs your microservices. The "Kong Azure Cloud", powers your Kong data planes. Using virtual network peering, you can ingest traffic from your Azure enviroment and expose it to the internet._ +> _**Figure 1:** In this diagram, the "User Azure Cloud", represents the Azure infrastructure that runs your microservices. The "Kong Azure Cloud", powers your Kong data planes. Using virtual network peering, you can ingest traffic from your Azure environment and expose it to the internet._ ## Prerequisites @@ -85,5 +85,5 @@ Grant access to your Azure AD Tenant: 1. Click **Next** and move on to configuring Azure in the next section. -After VNET Peering is successfully established you will be able to configure a [route](/konnect/api/control-plane-configuration/latest/#/Routes/list-route) for the upstream service and forward all traffic throgh the virtual network to the data plane. This guarantees that traffic from the {{site.konnect_short_name}} data plane reaches the services and that response packets are routed back properly. +After VNET Peering is successfully established you will be able to configure a [route](/konnect/api/control-plane-configuration/latest/#/Routes/list-route) for the upstream service and forward all traffic through the virtual network to the data plane. This guarantees that traffic from the {{site.konnect_short_name}} data plane reaches the services and that response packets are routed back properly. From 69327f208b07435e4247c4ca69db8eec98066065 Mon Sep 17 00:00:00 2001 
From: Angel Date: Tue, 10 Sep 2024 15:42:57 -0400 Subject: [PATCH 7/8] Apply suggestions from code review Co-authored-by: Diana <75819066+cloudjumpercat@users.noreply.github.com> --- app/konnect/gateway-manager/data-plane-nodes/azure-peering.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/app/konnect/gateway-manager/data-plane-nodes/azure-peering.md b/app/konnect/gateway-manager/data-plane-nodes/azure-peering.md index c1ad23a760af..3f9fb9bb237f 100644 --- a/app/konnect/gateway-manager/data-plane-nodes/azure-peering.md +++ b/app/konnect/gateway-manager/data-plane-nodes/azure-peering.md @@ -4,7 +4,7 @@ title: How to configure Azure Virtual Network Peering {{site.konnect_short_name}} can leverage [Azure Virtual Network Peering](https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview) to create virtual networks, and ingest data from your Azure services and expose them to the internet via {{site.konnect_short_name}}. -## How does virtual network peering Work +## How virtual network peering works {% include_cached /md/konnect/azure-peering.md %} > _**Figure 1:** In this diagram, the "User Azure Cloud", represents the Azure infrastructure that runs your microservices. The "Kong Azure Cloud", powers your Kong data planes. Using virtual network peering, you can ingest traffic from your Azure environment and expose it to the internet._ @@ -65,7 +65,7 @@ Grant access to your Azure AD Tenant: * Azure Tenant ID * Azure VNET Subscription ID * Azure VNET Resource Group Name - * Azure VNET Name. + * Azure VNET Name 1. For DNS configuration, add the IP addresses of DNS servers that will resolve to your private domains, along with any domains you want associated with your DNS. {{site.konnect_short_name}} supports the following mappings: * 1-1 Mapping From 74dca4ddb513a90ef8bcd1b3985253ac31b7a960 Mon Sep 17 00:00:00 2001 
From: Angel Date: Tue, 10 Sep 2024 20:54:58 -0400 Subject: [PATCH 8/8] Update app/konnect/gateway-manager/data-plane-nodes/azure-peering.md Co-authored-by: Prateek Gupta --- .../gateway-manager/data-plane-nodes/azure-peering.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/app/konnect/gateway-manager/data-plane-nodes/azure-peering.md b/app/konnect/gateway-manager/data-plane-nodes/azure-peering.md index 3f9fb9bb237f..b4264a79de06 100644 --- a/app/konnect/gateway-manager/data-plane-nodes/azure-peering.md +++ b/app/konnect/gateway-manager/data-plane-nodes/azure-peering.md @@ -49,10 +49,10 @@ Grant access to your Azure AD Tenant: 1. Run the following command with your Azure VNET Subscription ID ``, Azure VNET resource group name ``, and Azure VNET Name `` specified to assign the role to the service principal: ```bash - az role assignment create - --role "Kong Cloud Gateway Peering Creator" - --assignee "$(az ad sp list --filter "appId eq '207b296f-cf25-4d23-9eba-9a2c41dc62ca'" - --output tsv --query '[0].id')" + az role assignment create \ + --role "Kong Cloud Gateway Peering Creator" \ + --assignee "$(az ad sp list --filter "appId eq '207b296f-cf25-4d23-9eba-9a2c41dc62ca'" \ + --output tsv --query '[0].id')" \ --scope "/subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks/" ```
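Review bot: in the patch 5 DNS hunk (`@@ -80,9 +79,11 @@`) the added note reads "The IP of the inbound endpoint should the IP of the DNS server", which is missing "be", and "inbound endpoint for private DNS zone" should name the Azure resource the inbound endpoint belongs to so the reader knows what to create. The rewritten closing paragraph links "route" to the Konnect control-plane Routes API, which is the Kong route object that matches client requests, while the sentence itself describes forwarding traffic through the peered virtual network and getting response packets back, which is network routing; decide which is meant and, if it is network routing, say where that route is configured rather than linking to the API.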
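Review bot: the `\` continuations in patch 8 make `az role assignment create` pasteable, but `--assignee "$(az ad sp list ... --query '[0].id')"` expands to an empty string when the service principal for app `207b296f-cf25-4d23-9eba-9a2c41dc62ca` does not yet exist in the tenant (for example, if the admin consent in step 1 was not completed), and the command then fails with an unrelated error. Suggest capturing the object ID first and checking it, e.g. `SP_ID="$(az ad sp list --filter "appId eq '207b296f-cf25-4d23-9eba-9a2c41dc62ca'" --output tsv --query '[0].id')"` followed by `[ -n "$SP_ID" ] || { echo "service principal not found; complete admin consent first" >&2; exit 1; }`, then `--assignee "$SP_ID"`. The `--scope` path in this hunk still shows empty placeholders between the slashes.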