Privatizing your Azure App

A Traditional Approach

Traditionally an azure app service has been privatized by linking it with an Isolated app service plan which deploys an App service Environment thereby integrating with an Azure Vnet. This ensures that your app is seating privately in an Azure Vnet, thus all inbound and outbound calls to the app will be facilitated by the Azure Vnet. Now if the app wants to communicate to other azure services then it can enable the service endpoint on its subnet and also can allow this subnet through the azure services firewall and networks. A simple visualization of the same pattern can be found below.

App Service Plan – Isolated Approach

Though this approach provides entire isolation and can be best fit for privatization for many customer requirements, but it comes with cost implications. ASE’s are quite costly and it increases customer monthly azure budgets.

Azure Introduces new feature

Azure now has introduced the capability of VNET integration with Standard and Premium Sku’s of App service plans. It comes along with a support of TCP and UDP. This feature comes in real handy when the outbound communications from the app service needs to be over Azure Vnet to other Azure resources thus ensuring your communicating traffic from the app service doesn’t go public. A simple visualization is shown below.

Vnet Integration

This feature comes along with two options. Regional Vnet Integration – this is for networks to communicate in the same region. Gateway Vnet Integration – for communications across regions. A deeper look into the Regional Vnet integration architecture with a visualization.

App Service – Outbound Vnet Integration

Enabling Vnet integration can be done from Azure portal as well through ARM or Terraform while deploying. A snapshot of the feature from azure portal is given below.

Vnet Integration – Configuration

IAC Patterns for deployment

ARM code block:

ARM example

Terraform code block:

Terraform Example

Few important points to note

  1. This feature is really handy for users requiring to make their communications from app services to other azure resources through VNET. It helps users also to avoid the cost implications of ASE.
  2. This feature doesn’t grant inbound private access to the app from VNET. Vnet integration feature can be used for outbound calls from the app to the Vnet.
  3. There is an open issue which I faced while integrating this concept from azure function app to Azure storage account. It seems that the monitoring agent of function app can’t communicate to storage service through endpoints with this feature enabled. The details of this issue can be found here.


Integrate app with Vnet Feature