
Private endpoint with virtual network gateway


I want to make a Postgres DB available on-premise using a VPN / Virtual Network Gateway. I've created the Virtual Network Gateway with GatewaySubnet, the Local Network Gateway and the VPN Connection.

Now I want to create a private endpoint in the GatewaySubnet but I am getting the following errors:

Portal: "The selected subnet GatewaySubnet is restricted and cannot be used with a private endpoint"

or

ARM: "Subnet with name 'GatewaySubnet' can be used only for the Gateway resource."

Am I missing something? I thought the GatewaySubnet is exactly the Subnet that will be made accessible over the VPN?


Solution

  • The GatewaySubnet is a special subnet that contains the IP addresses that the virtual network gateway services use. Never deploy anything else (for example, additional VMs) to the gateway subnet. Leave it empty, with no other resources deployed to this subnet.

    When you deploy a VPN gateway in an Azure virtual network with a site-to-site VPN connection, all subnets in that VPN VNet can access the on-premises network, because by default resources in all subnets of the same virtual network can communicate with each other. So you can deploy another subnet in the same VPN VNet and use it for your private endpoint.

    See the diagram of use cases of Private Link for Azure Database for PostgreSQL.

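The layout the answer describes, as an added Bicep example (not code from the question or the answer): the VNet keeps its GatewaySubnet empty for the gateway and gets a second subnet that hosts the private endpoint for an existing Azure Database for PostgreSQL server. The VNet name, address ranges, the `pe-subnet` name and the `postgresServerId` parameter are assumptions; the virtual network gateway, local network gateway and connection from the question are assumed to be deployed separately.

```bicep
// Added example, not from the original post. Names and address ranges are assumptions.
param location string = resourceGroup().location
param vnetName string = 'vpn-vnet'

@description('Resource ID of the existing Azure Database for PostgreSQL server (assumption).')
param postgresServerId string

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [ '10.10.0.0/16' ]
    }
    subnets: [
      {
        // Reserved for the virtual network gateway: no VMs, no private endpoints here.
        name: 'GatewaySubnet'
        properties: {
          addressPrefix: '10.10.255.0/27'
        }
      }
      {
        // Ordinary subnet in the same VNet; it is reachable over the site-to-site
        // tunnel like every other subnet, so the private endpoint NIC lives here.
        name: 'pe-subnet'
        properties: {
          addressPrefix: '10.10.1.0/24'
          privateEndpointNetworkPolicies: 'Disabled'
        }
      }
    ]
  }
}

resource postgresEndpoint 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-postgres'
  location: location
  properties: {
    // Target the non-gateway subnet; pointing this at GatewaySubnet reproduces
    // the "restricted" / "can be used only for the Gateway resource" error.
    subnet: {
      id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnetName, 'pe-subnet')
    }
    privateLinkServiceConnections: [
      {
        name: 'postgres-connection'
        properties: {
          privateLinkServiceId: postgresServerId
          groupIds: [ 'postgresqlServer' ]
        }
      }
    ]
  }
  dependsOn: [ vnet ]
}

// Private IP assigned to the endpoint NIC; on-premises clients reach Postgres on this address.
output privateEndpointNicId string = postgresEndpoint.properties.networkInterfaces[0].id
```

Deploy with `az deployment group create --resource-group <rg> --template-file main.bicep --parameters postgresServerId=<id>`. Two things to check afterwards: the on-premises side must have a route for `10.10.1.0/24` (the whole VNet prefix `10.10.0.0/16` is the usual entry in the local network gateway's address space), and on-premises DNS must resolve the server's `privatelink.postgres.database.azure.com` name to the endpoint's private IP, otherwise clients keep resolving the public address and bypass the tunnel.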