Is it possible to move an already setup app gateway from one subnet to another?
As of now haven't seen any way from the portal to do so.
How to change VNet and Subnet of an existing Azure Application Gateway?
Asked Answered
You can use this script to change the VNet or Subnet. Please test it to see if it meets your needs, before applying it to a production gateway. Also, take into account that there will be some downtime during the change.
#Login to Azure RM
Login-AzureRmAccount
#Get the Application Gateway config
$gw=Get-AzureRmApplicationGateway -Name GatewayName -ResourceGroupName RGName
#Set the new virtual network and store the config into a new variable
$gw2=Set-AzureRmApplicationGatewayIPConfiguration -SubnetId "/subscriptions/999999-9915-4b1c-accf-0c984bed2311/resourceGroups/RGName/providers/Microsoft.Network/virtualNetworks/NewVirtualNetwork/subnets/default" -ApplicationGateway $gw -Name $gw.GatewayIPConfigurations.name
#Stop the Gateway (you can't change the virtual network / subnet if the Gateway is running)
Stop-AzureRmApplicationGateway -ApplicationGateway $gw
#Set the new config
Set-AzureRmApplicationGateway -ApplicationGateway $gw2
Does this affect the external IP address? –
Wassyngton
Suggestion: First get the subnet with a
$subnet = Get-AzureRmVirtualNetworkSubnetConfig, then use -Subnet -argument. That's more PowerShellish / object-based approach. –
Symptomatology Yes, this can change the external IP address. External IP addresses for application gateways are always dynamic. The current external address is released when the gateway is stopped, and it is unlikely that the same external address will be assigned when the gateway is started again. –
Negron
This script is reporting to me that the FrontendIpConfiguration cannot be a different subnet from the gateway subnet. Is there a way to change both simultaneously? –
Topotype
In case you're wondering how to deal with the FrontendIpConfiguration issue, I manually deleted the Private Frontend IP configuration in the portal and then I could run this script. Afterward I had re-created the private frontend IP config to use the new subnet. –
Topotype
Seeing how easily this can be done in a few lines of code, I wonder what's preventing MS from providing an option to do this manually in the portal? –
Gsuit
@BronDavies you can't simply delete a FrontendIP config if there are listeners bound to it. You have to switch all your listeners to a public FrontendIP, then delete your private FrontendIP, switch the subnet, recreate private FrontendIP, an re-switch all your listeners again. –
Sollie
The accepted answer by andresm53 is excellent.
However, as the PowerShell AzureRm module is being phased out in favor of the newer Az module, here is an Az version (with a slight improvement to save from having to look up the subnet id in order to paste it into the code).
This is based, in addition to andresm53's code, also on an example in the MS docs.
### Fill in your values ###
$GatewayResourceGroupName = "MyRG1"
$GatewayName = "MyGw"
$VnetResourceGroupName = "MyRG2" #may or may not be the same as $GatewayResourceGroupName
$VNetName = "MyVNet"
$SubnetName = "Subnet1"
###########################
$AppGw = Get-AzApplicationGateway -Name $GatewayName -ResourceGroupName $GatewayResourceGroupName
Stop-AzApplicationGateway -ApplicationGateway $AppGw
$VNet = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $VnetResourceGroupName
$Subnet = Get-AzVirtualNetworkSubnetConfig -Name $SubnetName -VirtualNetwork $VNet
$AppGw = Set-AzApplicationGatewayIPConfiguration -ApplicationGateway $AppGw -Name $AppGw.GatewayIPConfigurations[0].Name -Subnet $Subnet
Set-AzApplicationGateway -ApplicationGateway $AppGw
Start-AzApplicationGateway -ApplicationGateway $AppGw
I couldn't find my (newly created) subnet using Get-AzVirtualNetworkSubnetConfig (not sure if it should contain something first?). Set the SubnetId in the Set-AzApplicationGatewayIPConfiguration cmdlet (like @andresm53), which worked. –
Cocoa
This was perfect and worked first time –
Joachim
I did it using azure cli, it's necessary to perform some steps:
- Stop the application gateway
- Change the subnet
- Start the application gateway (this will take some minutes)
Using azure cli:
1. stopping application gateway
az network application-gateway stop --subscription YOUR_SUBSCRIPTION_NAME --resource-group YOUR_APP_GATEWAY_RESOURCE_GROUP --name YOUR_APP_GATEWAY_NAME
2. Change the subnet.
2.1 At this point, you need to know your current vnet data, given by next command
az network application-gateway show \
--subscription YOUR_SUBSCRIPTION_NAME \
--resource-group YOUR_APP_GATEWAY_RESOURCE_GROUP \
--name YOUR_APP_GATEWAY_NAME
The output we need is at JSON section gatewayIpConfigurations
[
{
"etag": "REDACTED",
"id": "REDACTED",
"name": "REDACTED",
"provisioningState": "REDACTED",
"resourceGroup": "REDACTED",
"subnet": {
"id": "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Network/virtualNetworks/YOUR_CURRENT_VNET/subnets/YOUR_CURRENT_SUBNET",
"resourceGroup": "REDACTED"
},
"type": "Microsoft.Network/applicationGateways/gatewayIPConfigurations"
}
]
2.2 To change the subnet, you need to modify YOUR_CURRENT_SUBNET by your new subnet
[
{
"etag": "REDACTED",
"id": "REDACTED",
"name": "REDACTED",
"provisioningState": "REDACTED",
"resourceGroup": "REDACTED",
"subnet": {
"id": "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Network/virtualNetworks/YOUR_CURRENT_VNET/subnets/YOUR_NEW_SUBNET",
"resourceGroup": "REDACTED"
},
"type": "Microsoft.Network/applicationGateways/gatewayIPConfigurations"
}
]
2.3 Copy the previous subnet id, put the proper subnet name you want now, and update it
az network application-gateway update \
--subscription YOUR_SUBSCRIPTION_NAME \
--resource-group YOUR_APP_GATEWAY_RESOURCE_GROUP \
--name YOUR_APP_GATEWAY_NAME \
--set gatewayIpConfigurations[0].subnet.id='/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Network/virtualNetworks/YOUR_CURRENT_VNET/subnets/YOUR_NEW_SUBNET'
3. Start the application gateway
az network application-gateway start \
--subscription YOUR_SUBSCRIPTION_NAME \
--resource-group YOUR_APP_GATEWAY_RESOURCE_GROUP \
--name YOUR_APP_GATEWAY_NAME
Not sure if this was tested at the time, but tried it now and your command at 2.3 doesn't work. It's not expecting a full JSON array of information, it just wants the new SubnetID. –
Sollie
thanks for the headsup, i will take a look as soon as possible. –
Anthropophagite
az network application-gateway update --resource-group MyResourceGroup --name my-application-gateway --set gatewayIpConfigurations[0].subnet.id="/subscriptions/SOME-UUID/resourceGroups/SOME_RESOURCE_GROUP/providers/Microsoft.Network/virtualNetworks/SOME_VNET_NAME/subnets/SOME_SUBNET_NAME" works for me. –
Buber
pls keep in mind that stop/start will release and renew your public IP address (unless it's static of course). –
Didymium
2.3 Didn't work for me, I had to do something like this : az network application-gateway update --resource-group REDACTED --name REDACTED --set properties.gatewayIPConfigurations[0].properties.subnet.id=/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Network/virtualNetworks/foo-Prod-vnet/subnets/foo-appgateway –
Pesky
You cannot change Subnet/VNet association on a running Gateway. It needs to be in stopped state first. Also the VIP on the Gateway would change once it is started post update. Subnet move can be done via PowerShell/CLI and is not supported in portal currently.
How do you stop a running App Gateway? –
Spiffing
It will affects the external IP address. Therefore the app gateway have to use dynamic ip address.
Once the app gateway has been stopped than the external IP will release so you will have a new one after it's started up.
© 2022 - 2024 — McMap. All rights reserved.