Azure for Developers - Second Edition

By: Kamil Mrzygłód

Overview of this book

Microsoft Azure is currently one of the fastest-growing public cloud service providers thanks to its sophisticated set of services for building fault-tolerant and scalable cloud-based applications. This second edition of Azure for Developers will take you on a journey through the various PaaS services available in Azure, including Azure App Service, Azure Functions, and Azure SQL Databases, showing you how to build a complete and reliable system with ease. Throughout the book, you’ll discover ways to enhance your skills when building cloud-based solutions leveraging different SQL/NoSQL databases, serverless and messaging components, containerized solutions, and even search engines such as Azure Cognitive Search. That’s not all! The book also covers more advanced scenarios such as scalability best practices, serving static content with Azure CDN, and distributing loads with Azure Traffic Manager, Azure Application Gateway, and Azure Front Door. By the end of this Azure book, you’ll be able to build modern applications on the Azure cloud using the most popular and promising technologies to make your solutions reliable, stable, and efficient.

Table of Contents (32 chapters)

  • Part 1: PaaS and Containers
  • Part 2: Serverless and Reactive Architecture
  • Part 3: Storage, Messaging, and Monitoring
  • Part 4: Performance, Scalability, and Maintainability

Configuring networking for Azure App Service

Web applications must often connect with various services. Those can be other apps, databases, container registries, and many more. Some of them will not be publicly available, so you will have to find a way to reach them. Remember that Azure App Service is a public service and, unless you are using an App Service Environment, it will not be integrated with your networks by default. Let's look at the options we have to overcome that problem.

The Networking blade

The very first thing you will need to do is go to the Networking blade of your App Service resource, as illustrated in the following screenshot:

Figure 1.40 – Networking blade

This will provide all the necessary information about your app networking stack, as follows:

  • Inbound/outbound addresses
  • Access restrictions
  • Private endpoints
  • Virtual network (VNet) integrations
  • Hybrid connections

Note

To have access to all networking features, you will need to scale up your application to at least the P1V2 tier.

Access Restrictions

Let's consider a scenario—you want your application to respond only to a single Internet Protocol (IP) address. If a user reaches it using a different one, they should not have access. This feature is especially useful if you allow users to access your web APIs via API managers (such as Azure API Management). Such a manager usually offers a static IP, so you normally blacklist all the IPs but this one. This can be done using the Access Restrictions feature, as illustrated in the following screenshot:

Figure 1.41 - Enabling Access Restrictions

Once such a rule is set, if I try to access my website from an IP that is not whitelisted, I will get an HTTP 403 Forbidden response, as follows:

Figure 1.42 – Effect of enabling Access Restrictions

As you can see, with only a few simple clicks, you can block access to your application and whitelist only a specific set of IP addresses.
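
The single-address scenario above can be checked before a rule set is deployed. The following is an added example, not code from the book or from Azure: it models a rule list evaluated in ascending priority order with an implicit deny-all once any rule exists, and flags Allow rules that admit more addresses than intended. The rule field names, the evaluation model, and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Implicit final rule assumed by this model once any restriction is configured.
IMPLICIT_DENY = {"name": "implicit-deny-all", "priority": 2147483647,
                 "action": "Deny", "ipAddress": "Any"}

def _matches(rule, client):
    """True if the client address falls inside the rule's CIDR block."""
    if rule["ipAddress"] == "Any":
        return True
    # An IPv4 rule never matches an IPv6 client (and vice versa).
    return client in ipaddress.ip_network(rule["ipAddress"], strict=False)

def evaluate(rules, client_ip):
    """Return (http_status, matching_rule_name) for a request from client_ip."""
    if not rules:
        return 200, "no-restrictions"  # nothing configured: open to everyone
    client = ipaddress.ip_address(client_ip)
    ordered = sorted(rules, key=lambda r: r["priority"]) + [IMPLICIT_DENY]
    for rule in ordered:
        if _matches(rule, client):
            return (200 if rule["action"] == "Allow" else 403), rule["name"]

def audit(rules, max_hosts=16):
    """Names of Allow rules that admit more than max_hosts addresses."""
    findings = []
    for rule in rules:
        if rule["action"] != "Allow":
            continue
        if rule["ipAddress"] == "Any":
            findings.append(rule["name"])
            continue
        net = ipaddress.ip_network(rule["ipAddress"], strict=False)
        if net.num_addresses > max_hosts:
            findings.append(rule["name"])
    return findings

# Constructed sample rule sets (documentation-range addresses).
APIM_ONLY = [{"name": "allow-apim", "priority": 100,
              "action": "Allow", "ipAddress": "203.0.113.10/32"}]
TOO_BROAD = APIM_ONLY + [{"name": "allow-office", "priority": 200,
                          "action": "Allow", "ipAddress": "198.51.100.0/24"}]

if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.77", "2001:db8::1"):
        print(ip, evaluate(APIM_ONLY, ip))
    print("over-broad Allow rules:", audit(TOO_BROAD))
```
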

Private endpoints

Private endpoints are an advanced networking feature of Azure. They are used to ensure that all the traffic stays within the Azure backbone network and never reaches the public internet. They usually work in connection with Azure Private Link to secure a connection between different networks and act as an entry point for communication. We will not go into details of these advanced concepts, but if you are interested in learning more, see an overview of the service here: https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview.

VNet integration

This feature is an interesting capability of Azure App Service and allows you to reach services enclosed in a VNet while preserving the public availability of your web application. It is worth remembering that even if VNet integration is enabled and you can fetch data, for example, from a database, the database will not be able to call your application. In other words, a service inside the integrated VNet will not be able to communicate with App Service, though communication in the opposite direction is possible.

VNet integration is enabled via the Add VNet button, as illustrated in the following screenshot:

Figure 1.43 – VNet configuration

You will be able to choose the network and subnet that you would like to use for the integration. Remember, though, that you will only be able to see networks that are in the same region as your Azure App Service resource. Once a connection is established, the VNet Configuration view will change its appearance so that it looks like this:

Figure 1.44 – VNet integration enabled

However, take into consideration that VNet integration is not that simple—you will have to consider additional scenarios, such as these:

  • Connectivity with service endpoints, which will require connecting to a specific subnet and configuring those endpoints against the selected subnet.
  • Connectivity with private endpoints, for which you will have to ensure that Domain Name System (DNS) lookups resolve to them. This implies integrating a DNS server with your VNet and managing it.
  • Using network security groups (NSGs) for control over outbound traffic.

If you find those scenarios interesting, check out the following link to learn more: https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet.