Azure App Service Networking, VNet Integration and Access Restrictions
Azure App Service is a fully managed platform as a service (PaaS) for hosting web applications, REST APIs, and mobile back ends.
There are two ways to deploy Azure App Service.
1. The multitenant public service hosts App Service plans on infrastructure that is shared among multiple customers.
   - This option covers the following App Service plans: Free, Shared, Basic, Standard, Premium, PremiumV2, and PremiumV3 pricing SKUs.
2. The single-tenant App Service Environment (ASE) hosts Isolated SKU App Service plans directly in your Azure virtual network.
The App Service Environment option deploys directly into your dedicated virtual network, which provides security, but it comes with a heavy price and scaling issues. Thus, the multitenant public service is suggested nowadays.
We will concentrate on the multitenant public service option here.
Challenges with the multitenant public service option
When we deploy App Service using this option, our infrastructure is shared with other customers, so we cannot directly connect the App Service network to our own network.
Security is the highest priority for every organization, and we want our traffic to flow over a secured network. By default, apps hosted in App Service are accessible directly through the internet and can reach only internet-hosted endpoints. But for many applications, we need to control the inbound and outbound network traffic. Microsoft provides various features to achieve this.
Two commonly used features, which can handle most security requirements, are:
1. App Service access restrictions (for securing inbound traffic to App Service):
This feature enables you to control inbound traffic to App Service. Here you can configure the subnets from which your traffic flows towards App Service.
Some use cases:
- If you do not want inbound traffic to hit your app directly and instead want all of your traffic to flow through an application gateway, you can configure the application gateway subnet in App Service access restrictions.
- Restrict access to your app to resources in your virtual network. These resources can include VMs, ASEs, or even other apps that use VNet Integration.
Note: If you are using this feature with the multitenant option, you need to use service endpoints to restrict traffic to select subnets in your virtual network.
2. VNet Integration (for securing outbound traffic from App Service):
Virtual network integration is used only to make outbound calls from your app into your virtual network. Virtual network integration gives your app access to resources in your virtual network, but it doesn’t grant inbound private access to your app from the virtual network.
The VNet integration feature behaves differently when it’s used with virtual networks in the same region and with virtual networks in other regions. The VNet integration feature has two variations:
- Regional virtual network integration: When you connect to virtual networks in the same region, you must have a dedicated subnet in the virtual network you’re integrating with.
- Gateway-required virtual network integration: When you connect directly to virtual networks in other regions or to a classic virtual network in the same region, you need an Azure Virtual Network gateway created in the target virtual network.
We will concentrate on regional virtual network integration, as it solves most of the use cases.
Some use cases of regional virtual network integration:
- If you have an IaaS SQL Server deployed in your VNet, your app can use this feature to connect to the database over its private IP.
- If your App Service app calls a storage account or Key Vault, this feature can be used with service endpoints for a secure connection.
- Using this feature, your app can connect securely to a resource in another virtual network that is peered with the virtual network your app is integrated with.
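The access-restriction use case above (allow only the application gateway subnet), as an added example that is not from the original article or from Microsoft: a simplified Python model of how the rule list is evaluated, in priority order with an implicit deny once any rule exists. The `Rule` and `Request` classes, the `evaluate` function and the resource IDs are hypothetical names and constructed placeholders; the model also covers IP-range rules, which goes slightly beyond the subnet case in the text.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                    # lower number is evaluated first
    action: str                      # "Allow" or "Deny"
    ip_range: Optional[str] = None   # CIDR-based rule
    subnet_id: Optional[str] = None  # service-endpoint (subnet-based) rule

@dataclass(frozen=True)
class Request:
    source_ip: str
    # Model assumption: set only when the caller's subnet has the Microsoft.Web service endpoint.
    source_subnet_id: Optional[str] = None

def matches(rule: Rule, req: Request) -> bool:
    if rule.subnet_id is not None:
        return (req.source_subnet_id or "").lower() == rule.subnet_id.lower()
    if rule.ip_range is not None:
        return ipaddress.ip_address(req.source_ip) in ipaddress.ip_network(rule.ip_range)
    return False

def evaluate(rules: list, req: Request) -> str:
    if not rules:
        return "Allow"               # no rules: the app is reachable by anyone
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, req):
            return rule.action       # first match in priority order wins
    return "Deny"                    # implicit deny-all once any rule exists

# Constructed sample data; the resource IDs are placeholders, not real resources.
VNET = "/subscriptions/<sub-id>/resourceGroups/rg-demo/providers/Microsoft.Network/virtualNetworks/vnet-demo"
APPGW_SUBNET = VNET + "/subnets/snet-appgw"
VM_SUBNET = VNET + "/subnets/snet-vms"
RULES = [Rule("allow-appgw-subnet", 100, "Allow", subnet_id=APPGW_SUBNET)]

def demo() -> dict:
    return {
        "via_app_gateway": evaluate(RULES, Request("10.0.1.4", APPGW_SUBNET)),
        "direct_internet": evaluate(RULES, Request("203.0.113.10")),
        "other_subnet": evaluate(RULES, Request("10.0.2.5", VM_SUBNET)),
        "no_rules_at_all": evaluate([], Request("203.0.113.10")),
    }
if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The last case is the one to watch for in a review: an app with an empty rule list accepts traffic from anywhere, so the gateway can be bypassed by calling the app directly.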
Conclusion:
App Service access restrictions can be used to restrict your inbound traffic to App Service. We can configure the subnets to which inbound traffic is restricted. Virtual network integration is used only to make outbound calls from your app into your virtual network. Virtual network integration gives your app access to resources in your virtual network, but it doesn’t grant inbound private access to your app from the virtual network.
Further Reading:
- If you are lazy and don’t want to go through Microsoft documentation
I highly recommend the Microsoft documentation below.
- App Service networking feature
- Integrate your app with an Azure virtual network
- Set up Azure App Service access restrictions
Be Grateful! Pray for Peace! Keep Learning!