
Hybrid Integration: Connect On prem SQL with Azure Web Apps

Overview:

When considering how to connect Azure Web Apps to on-premises resources, there are several options available, each with its own set of considerations:

VNet Integration:

Ideal for app services that need to connect to a virtual network. It allows the app service to communicate with resources in an Azure VNet or on-premises network via site-to-site VPN. However, it’s not available for the Basic tier, and the VPN speed is limited by the gateway.

Hybrid Connections:

A feature suitable for accessing TCP-based services in a remote network without altering WAN, VPN, or inbound firewall rules. It requires installing a Hybrid Connection Manager on a server within the same network as the on-premises resource. This option is not viable if you cannot install the manager, such as on a partner/customer network.

App Service Environment (ASE):

Provides an isolated and highly scalable environment for Azure Web Apps, with simpler networking compared to VNet integration. ASE is a premium service that offers dedicated resources and enhanced performance for high-traffic web apps.

Options to connect your on prem DB:

Let’s explore these options in detail.

Your on-premises database sits in your private on-premises network, so an Azure Web App cannot connect to it directly.

There are several variants:

Note: You could expose a public IP for the on-premise database.

1. Use Azure web app service VNet integration with Azure VPN gateway to securely access the resource in an Azure VNet or on-premise network.

2. Another recommended method is to use an Azure App Service Hybrid Connections.

To do this, you need to add and create Hybrid Connections in your app. You will download and install an agent (the Hybrid Connection Manager) in the database server or another server which is in the same network as the on-premise database.

You configure a logical connection on your app service or web app.

A small agent, the Hybrid Connection Manager, is downloaded and installed on a Windows Server (2012 or later) running in the remote network (on-premises or anywhere) that you need to communicate with.

You log into your Azure subscription in the Hybrid Connection manager and select the logical connection in your app service.

The Hybrid Connection Manager will initiate a secure tunnel out (TCP 80/443) to your app service in Azure.

Your app service can now communicate with TCP-based services, on Windows or Linux, in the remote network via the Hybrid Connection Manager.

You could get more details on how to Connect Azure Web Apps To On-Premises.

3. With ExpressRoute and ACE, it is possible to access the on-premises SQL database from the App Service by using regional VNet Integration.

What to Use?

With all these options, what should you do? I think there will be lots of variables to consider, but here are some thoughts:

| Option | Description | When to Use | Limitations/Drawbacks | Cost |
| --- | --- | --- | --- | --- |
| Public IP | Expose your on-premises SQL server on a public IP address. This allows the Azure Web App to connect to it. | Use this method when you want a direct connection and have the necessary security measures in place. | Security risks associated with exposing a public IP. | Depends on your network provider. |
| VNet Integration with Azure VPN Gateway | Use Azure web app service VNet integration with Azure VPN gateway to securely access the resource in an Azure VNet or on-premises network. | Use this method when you need a secure connection to your on-premises network. | Requires configuration of VPN gateway. | Depends on the VPN Gateway SKU. |
| Azure App Service Hybrid Connections | This involves adding and creating Hybrid Connections in your app. You will download and install an agent (the Hybrid Connection Manager) in the database server or another server which is in the same network as the on-premises database. | Use this method when you need to communicate with TCP-based services, on Windows or Linux, in the remote network via the Hybrid Connection Manager. | Requires installation of Hybrid Connection Manager. | Free for up to 5 Hybrid Connection endpoints. |
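
Whichever option you pick, the web app's SQL connection string shows what the app actually talks to. As an added example (not code from the original post), this Python check flags a connection string that targets a public IP literal or does not enforce TLS with certificate validation; the finding names, sample hosts and the choice to treat a missing `Encrypt` keyword as unencrypted are assumptions of this sketch.

```python
import ipaddress

# SqlClient synonyms for the server address keyword.
SERVER_KEYS = ("data source", "server", "address", "addr", "network address")
# Ranges treated as internal; any other IP literal counts as publicly routable.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fc00::/7")]

def parse(conn_str):
    """Split 'Key=Value;...' into a dict with lowercase keys.
    Simplification: quoted values containing ';' are not handled."""
    pairs = {}
    for part in conn_str.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs

def server_host(pairs):
    """Return the host from forms like tcp:host,1433 or host\\INSTANCE."""
    raw = next((pairs[k] for k in SERVER_KEYS if k in pairs), "")
    if raw.lower().startswith("tcp:"):
        raw = raw[4:]
    return raw.split(",")[0].split("\\")[0].strip()

def audit(conn_str):
    """Return a list of findings; an empty list means no issue was found."""
    pairs = parse(conn_str)
    findings = []
    try:
        ip = ipaddress.ip_address(server_host(pairs))
        if not any(ip in net for net in INTERNAL):
            findings.append("public-ip-endpoint")
    except ValueError:
        pass  # a hostname (or nothing), not an IP literal
    # Conservative assumption: a missing Encrypt keyword counts as not enforced.
    encrypt = pairs.get("encrypt", "false").lower()
    if encrypt not in ("true", "yes", "mandatory", "strict"):
        findings.append("encryption-not-enforced")
    if pairs.get("trustservercertificate", "false").lower() in ("true", "yes"):
        findings.append("server-certificate-not-validated")
    return findings

# Constructed sample strings (hosts, database and credentials are made up).
PUBLIC = ("Server=tcp:203.0.113.10,1433;Database=Orders;User Id=app;"
          "Password=example;Encrypt=False;TrustServerCertificate=True")
PRIVATE = ("Data Source=sqlprod01.corp.example,1433;Initial Catalog=Orders;"
           "Encrypt=True;TrustServerCertificate=False")
```

Run `audit()` over each connection string in the app's configuration before deployment; a string that returns an empty list can still be wrong for other reasons, such as credentials stored in plain text.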

Conclusion

Choosing the right connectivity option for Azure Web Apps depends on the specific requirements of the service and the tier being used. VNet Integration is a robust choice for Standard, Premium, or Isolated tiers, offering direct access to virtual networks and on-premises resources. Hybrid Connections are a flexible alternative for scenarios where changes to the network infrastructure are not feasible, and ASE is the go-to for isolated, high-scale deployments. It’s essential to balance the needs for security, scalability, and ease of deployment when selecting the connectivity method for Azure Web Apps.
