Forum Discussion

ShehzadUIT
Brass Contributor
Mar 19, 2021

Access to the delegated container subnet from the rest of the network

Hi All,

We have an on-premise network: ONPREM-VLAN, which is connected to an Azure VLAN: AZUREVLAN1 using a Site to Site VPN connection. This AZUREVLAN1 is in subscription-1. We have another subscription: subscription-2, which has two more VLANs: AZUREVLAN2 and AZUREVLAN3. AZUREVLAN2 is in one Azure region (the same as AZUREVLAN1, i.e. Australia Southeast) and AZUREVLAN3 is in another Azure region (i.e. Australia East). We have enabled VNet peering between all three VLANs. We have also established routing from our on-premise network: ONPREM-VLAN to all three Azure VLANs.

However, when we created a delegated container subnet in AZUREVLAN3, it is only accessible from other subnets within AZUREVLAN3. It is not accessible from any other VLANs (AZUREVLAN2, AZUREVLAN1 and ONPREM-VLAN) in the network. Here is the screenshot of that delegated container subnet:

Is there a way I can enable routing from the rest of the network to this delegated subnet?

1 Reply

  • How about following this once again:

    1. Check Network Security Groups (NSGs)
       • Ensure the NSG attached to the delegated subnet allows inbound traffic from:
         o AZUREVLAN1 and AZUREVLAN2 address ranges
         o Your on-prem network range
       • Add rules to allow traffic on required ports (e.g., TCP 443, TCP 80, or container-specific ports).

    2. Update Route Tables
       • Delegated subnets may override custom routes. Check if a User-Defined Route (UDR) is attached.
       • If not, create a route table and associate it with the delegated subnet:
         o Add routes for AZUREVLAN1, AZUREVLAN2, and ONPREM-VLAN pointing to the appropriate next hop (e.g., Azure Firewall, NVA, or VPN Gateway).

    3. Enable VNet Peering with “Use Remote Gateway”
       • For cross-subscription peering:
         o Ensure “Allow forwarded traffic” and “Allow gateway transit” are enabled on AZUREVLAN3.
         o On AZUREVLAN1 and AZUREVLAN2, enable “Use remote gateway” to route traffic through AZUREVLAN3’s VPN Gateway.

    4. Check Delegation Restrictions
       • Some services (e.g., Azure Container Instances) restrict external access by default.
       • Review the delegation documentation to confirm whether the service supports external routing.

    5. Use Private Endpoints or Service Endpoints
       • If the container service supports Private Link, deploy a Private Endpoint in AZUREVLAN1 or AZUREVLAN2 that connects to the container in AZUREVLAN3.
       • Alternatively, configure Service Endpoints to allow access from other VNets.
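The Azure CLI commands for steps 1 and 3 of this reply, as an added example that is not part of the thread; it assumes the Site to Site VPN gateway sits in AZUREVLAN1 as the question describes, and every resource group, subnet and peering name, subscription id and address range below is a placeholder or a constructed sample.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread. Names, ids and ranges are placeholders
# or constructed samples; the VPN gateway is assumed to live in AZUREVLAN1.
set -euo pipefail

SUB1="<subscription-1-id>"; RG1="rg-hub";   VNET1="AZUREVLAN1"   # owns the S2S VPN gateway
SUB2="<subscription-2-id>"; RG3="rg-spoke"; VNET3="AZUREVLAN3"   # owns the delegated subnet
ACI_SUBNET="aci-delegated"                                        # assumed subnet name
ONPREM_CIDR="192.168.0.0/16"; VNET1_CIDR="10.1.0.0/16"; VNET2_CIDR="10.2.0.0/16"  # constructed

# With DRY_RUN=1 every az command is printed instead of executed, so the plan
# can be reviewed against the portal before anything is changed.
run() { if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Step 1: an NSG on the delegated subnet that admits only the known ranges, and
# only on the ports the containers actually serve (80/443 here), nothing wider.
nsg_allow_known_ranges() {
  run az network nsg create -g "$RG3" -n "nsg-$ACI_SUBNET" --subscription "$SUB2"
  run az network nsg rule create -g "$RG3" --nsg-name "nsg-$ACI_SUBNET" --subscription "$SUB2" \
    -n allow-onprem-and-peered --priority 100 --direction Inbound --access Allow --protocol Tcp \
    --source-address-prefixes "$ONPREM_CIDR" "$VNET1_CIDR" "$VNET2_CIDR" \
    --destination-port-ranges 80 443
  run az network vnet subnet update -g "$RG3" --vnet-name "$VNET3" -n "$ACI_SUBNET" \
    --subscription "$SUB2" --network-security-group "nsg-$ACI_SUBNET"
}

# Step 3: the existing peering (assumed names to-AZUREVLAN3 / to-AZUREVLAN1) is
# updated in place. Gateway transit goes on the side that owns the gateway; the
# spoke opts in to the remote gateway and must accept forwarded traffic.
peering_gateway_transit() {
  run az network vnet peering update -g "$RG1" --vnet-name "$VNET1" -n "to-$VNET3" \
    --subscription "$SUB1" --set allowGatewayTransit=true allowForwardedTraffic=true
  run az network vnet peering update -g "$RG3" --vnet-name "$VNET3" -n "to-$VNET1" \
    --subscription "$SUB2" --set useRemoteGateways=true allowForwardedTraffic=true
}

# Check: the spoke side must report Connected with both flags set before any
# reachability test; an Initiated/Disconnected state explains many "no route" cases.
show_peering_state() {
  run az network vnet peering show -g "$RG3" --vnet-name "$VNET3" -n "to-$VNET1" \
    --subscription "$SUB2" -o table \
    --query '{state:peeringState,fwd:allowForwardedTraffic,remoteGw:useRemoteGateways}'
}

# Usage: DRY_RUN=1 bash this-script.sh to review; bash this-script.sh apply to run.
if [ "${1:-}" = "apply" ] || [ "${DRY_RUN:-0}" = "1" ]; then
  nsg_allow_known_ranges; peering_gateway_transit; show_peering_state
fi
```

On-prem reachability of the delegated subnet still requires its prefix to be advertised to the on-premises side through the VPN gateway; the commands above only open the Azure-side path and lockdown.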
