Overview:

In my previous blog, we discussed the various features offered by App Service networking. In this post, we will explore each of the listed scenarios in detail.

1. Access Restrictions
2. VNet Integration
3. Private Endpoints
4. Azure Firewall
5. Application Gateway
6. NAT Gateway
7. Traffic Manager
8. Hybrid Connections
9. Web PubSub

ID | Scenario | Description | Services Used
---|----------|-------------|--------------
1 | Access Restrictions | Restrict access to your web app based on IP addresses, service endpoints, or authentication. | Azure App Service, Network Security Groups, Service Endpoints, Azure Active Directory
2 | VNet Integration | Connect your web app to a virtual network and access other resources within the same network. | Azure App Service, Virtual Network, VPN Gateway, ExpressRoute
3 | Private Endpoints | Map your web app to a private IP address within your virtual network and secure it from public access. | Azure App Service, Private Endpoints, Private DNS Zone
4 | Azure Firewall | Control outbound traffic from your web app using firewall rules and policies. | Azure App Service, Azure Firewall, Virtual Network
5 | Application Gateway | Load balance and secure your web traffic using Application Gateway and Web Application Firewall. | Azure App Service, Application Gateway, Web Application Firewall, Virtual Network
6 | NAT Gateway | Route outbound traffic from your web app through a NAT gateway and use a predictable IP address. | Azure App Service, NAT Gateway, Virtual Network
7 | Traffic Manager | Distribute user traffic across multiple web app instances based on performance, priority, or geography. | Azure App Service, Traffic Manager, DNS
8 | Hybrid Connections | Connect your web app to on-premises resources using Hybrid Connections and Azure Relay. | Azure App Service, Hybrid Connections, Azure Relay, Service Bus
9 | Web PubSub | Build real-time web applications using Web PubSub and WebSocket. | Azure App Service, Web PubSub, WebSocket

Architecture for these scenarios

Access Restrictions

Description: Restrict access to your web app based on IP addresses, service endpoints, or authentication.
Services used: Azure App Service, Network Security Groups, Service Endpoints, Azure Active Directory

App Service Access restrictions – Azure App Service | Microsoft Learn

VNet Integration

Description: Connect your web app to a virtual network and access other resources within the same network.
Services used: Azure App Service, Virtual Network, VPN Gateway, ExpressRoute

Integrate your app with an Azure virtual network – Azure App Service | Microsoft Learn

Private Endpoints

Description: Map your web app to a private IP address within your virtual network and secure it from public access.
Services used: Azure App Service, Private Endpoints, Private DNS Zone

Connect privately to App Service apps using private endpoint – Azure App Service | Microsoft Learn

You can use private endpoint for your App Service apps to allow clients located in your private network to securely access the app over Azure Private Link. The private endpoint uses an IP address from your Azure virtual network address space. Network traffic between a client on your private network and the app traverses over the virtual network and a Private Link on the Microsoft backbone network, eliminating exposure from the public Internet.

Using private endpoint for your app enables you to:

  • Secure your app by configuring the private endpoint and disabling public network access, eliminating public exposure.
  • Securely connect to your app from on-premises networks that connect to the virtual network using a VPN or ExpressRoute private peering.
  • Avoid any data exfiltration from your virtual network.

Conceptual overview

A private endpoint is a special network interface (NIC) for your App Service app in a subnet in your virtual network. When you create a private endpoint for your app, it provides secure connectivity between clients on your private network and your app. The private endpoint is assigned an IP Address from the IP address range of your virtual network.

From <https://learn.microsoft.com/en-us/azure/app-service/overview-private-endpoint>
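The three pieces the overview describes (endpoint NIC in your subnet, public access disabled, private DNS so VNet clients resolve to the endpoint), as an added Bicep example that is not code from the original post or from Microsoft's documentation. The app name, the VNet, subnet and plan ids are placeholders for resources assumed to exist already.

```bicep
// Added example (not from the original post or Microsoft's docs). All names and ids are
// placeholders; the VNet, the endpoint subnet and the App Service plan are assumed to exist.
param location string = resourceGroup().location
param appName string = 'app-example'
param vnetId string       // id of the VNet the clients sit in
param peSubnetId string   // id of the subnet that will host the endpoint NIC
param planId string       // id of the App Service plan

resource app 'Microsoft.Web/sites@2022-09-01' = {
  name: appName
  location: location
  properties: {
    serverFarmId: planId
    publicNetworkAccess: 'Disabled' // only the private endpoint remains reachable
  }
}

// The private endpoint is a NIC in your subnet; its IP comes from the subnet's range.
resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-${appName}'
  location: location
  properties: {
    subnet: { id: peSubnetId }
    privateLinkServiceConnections: [ {
      name: 'plsc-${appName}'
      properties: { privateLinkServiceId: app.id, groupIds: [ 'sites' ] }
    } ]
  }
}

// Without this zone, clients in the VNet keep resolving the app to its public IP.
resource dnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.azurewebsites.net'
  location: 'global'
}

resource dnsLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: dnsZone
  name: 'link-to-client-vnet'
  location: 'global'
  properties: { virtualNetwork: { id: vnetId }, registrationEnabled: false }
}

// Writes the app's A record (pointing at the endpoint NIC) into the zone.
resource dnsGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: pe
  name: 'default'
  properties: { privateDnsZoneConfigs: [ { name: 'sites', properties: { privateDnsZoneId: dnsZone.id } } ] }
}
```

After deployment, a client inside the VNet should resolve the app's hostname to an address from the endpoint subnet, while a client on the public internet gets an HTTP 403 from the front end.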

Azure Firewall 

Description: Control outbound traffic from your web app using firewall rules and policies.
Services used: Azure App Service, Azure Firewall, Virtual Network

App Service outbound traffic control with Azure Firewall – Azure App Service | Microsoft Learn

This article shows you how to lock down the outbound traffic from your App Service app to back-end Azure resources or other network resources with Azure Firewall. This configuration helps prevent data exfiltration or the risk of malicious program implantation.

By default, an App Service app can make outbound requests to the public internet (for example, when installing required Node.js packages from NPM.org.). If your app is integrated with an Azure virtual network, you can control outbound traffic with network security groups to a limited extent, such as the target IP address, port, and protocol. Azure Firewall lets you control outbound traffic at a much more granular level and filter traffic based on real-time threat intelligence from Microsoft Cyber Security. You can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks (see Azure Firewall features).

Application Gateway 

Description: Load balance and secure your web traffic using Application Gateway and Web Application Firewall.
Services used: Azure App Service, Application Gateway, Web Application Firewall, Virtual Network

Application Gateway integration – Azure App Service – Azure App Service | Microsoft Learn

Three variations of Azure App Service require slightly different configuration of the integration with Azure Application Gateway. The variations include regular App Service (also known as multitenant), an internal load balancer (ILB) App Service Environment, and an external App Service Environment.

This article walks through how to configure Application Gateway with App Service (multitenant) by using service endpoints to secure traffic. The article also discusses considerations around using private endpoints and integrating with ILB and external App Service Environments. Finally, the article describes how to set access restrictions on a Source Control Manager (SCM) site.

Integration with App Service (multitenant)

App Service (multitenant) has a public internet-facing endpoint. By using service endpoints, you can allow traffic from only a specific subnet within an Azure virtual network and block everything else. In the following scenario, you use this functionality to ensure that an App Service instance can receive traffic from only a specific application gateway.

There are two parts to this configuration, aside from creating the App Service instance and the application gateway. The first part is enabling service endpoints in the subnet of the virtual network where the application gateway is deployed. Service endpoints ensure that all network traffic leaving the subnet toward App Service is tagged with the specific subnet ID.

The second part is to set an access restriction on the specific web app to ensure that only traffic tagged with this specific subnet ID is allowed. You can configure the access restriction by using different tools, depending on your preference.
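Both parts of that configuration, plus the separate SCM-site rule mentioned earlier, as an added Bicep example (not code from the original post or from Microsoft's documentation). The VNet name, subnet name, address prefix, plan id and admin IP range are placeholders; the VNet and plan are assumed to exist.

```bicep
// Added example (not from the original post or Microsoft's docs). Names, the address
// prefix and the admin IP range are placeholders; the VNet and plan are assumed to exist.
param location string = resourceGroup().location
param vnetName string = 'vnet-example'
param appGwSubnetName string = 'snet-appgw'   // subnet holding the application gateway
param appName string = 'app-example'
param planId string

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: vnetName
}

// Part 1: a Microsoft.Web service endpoint on the gateway subnet, so traffic leaving
// it toward App Service is tagged with this subnet's identity. Redeploying the subnet
// replaces its properties, so carry over any NSG, route table or delegation it already has.
resource appGwSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: vnet
  name: appGwSubnetName
  properties: {
    addressPrefix: '10.0.1.0/24' // assumed; must equal the existing subnet's prefix
    serviceEndpoints: [ { service: 'Microsoft.Web' } ]
  }
}

// Part 2: an access restriction that admits only that subnet and denies everything else.
resource app 'Microsoft.Web/sites@2022-09-01' = {
  name: appName
  location: location
  properties: {
    serverFarmId: planId
    siteConfig: {
      ipSecurityRestrictionsDefaultAction: 'Deny'
      ipSecurityRestrictions: [ {
        name: 'allow-appgw-subnet'
        action: 'Allow'
        priority: 100
        vnetSubnetResourceId: appGwSubnet.id
      } ]
      // The SCM (Kudu) site gets its own rules. With UseMain = true it would inherit
      // the rule above and deployments would only work from behind the gateway.
      scmIpSecurityRestrictionsUseMain: false
      scmIpSecurityRestrictionsDefaultAction: 'Deny'
      scmIpSecurityRestrictions: [ { name: 'allow-admin-range', action: 'Allow', priority: 100, ipAddress: '203.0.113.0/24' } ] // assumed operator range
    }
  }
}
```

A quick check after deployment: a request to the app's default hostname from outside the gateway subnet should return HTTP 403, while the same request through the gateway's public IP succeeds.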

NAT Gateway

Description: Route outbound traffic from your web app through a NAT gateway and use a predictable IP address.
Services used: Azure App Service, NAT Gateway, Virtual Network

Azure NAT Gateway integration – Azure App Service – Azure App Service | Microsoft Learn

Azure NAT Gateway is a fully managed, highly resilient service that can be associated with one or more subnets. It ensures that all outbound internet-facing traffic is routed through a network address translation (NAT) gateway.

With Azure App Service, there are two important scenarios where you can use a NAT gateway. The NAT gateway gives you a static, predictable public IP address for outbound internet-facing traffic. It also significantly increases the available source network address translation (SNAT) ports in scenarios where you have a high number of concurrent connections to the same public address/port combination.

Here are important considerations about Azure NAT Gateway integration:

  • Using a NAT gateway with App Service is dependent on virtual network integration, so it requires a supported pricing tier in an App Service plan.
  • When you're using a NAT gateway together with App Service, all traffic to Azure Storage must use private endpoints or service endpoints.
  • You can't use a NAT gateway together with App Service Environment v1 or v2.

From <https://learn.microsoft.com/en-us/azure/app-service/overview-nat-gateway-integration>

Traffic Manager 

Description: Distribute user traffic across multiple web app instances based on performance, priority, or geography.
Services used: Azure App Service, Traffic Manager, DNS

Control traffic with Traffic Manager – Azure App Service | Microsoft Learn

You can use Azure Traffic Manager to control how requests from web clients are distributed to apps in Azure App Service. When App Service endpoints are added to an Azure Traffic Manager profile, Azure Traffic Manager keeps track of the status of your App Service apps (running, stopped, or deleted) so that it can decide which of those endpoints should receive traffic.

From <https://learn.microsoft.com/en-us/azure/app-service/web-sites-traffic-manager>

Hybrid Connections

Description: Connect your web app to on-premises resources using Hybrid Connections and Azure Relay.
Services used: Azure App Service, Hybrid Connections, Azure Relay, Service Bus

Hybrid connections – Azure App Service | Microsoft Learn

Hybrid Connections is both a service in Azure and a feature in Azure App Service. As a service, it has uses and capabilities beyond those that are used in App Service. To learn more about Hybrid Connections and their usage outside App Service, see Azure Relay Hybrid Connections.

Web PubSub 

Description: Build real-time web applications using Web PubSub and WebSocket.
Services used: Azure App Service, Web PubSub, WebSocket

Integrate – Build a real-time collaborative whiteboard using Azure Web PubSub and deploy it to Azure App Service | Microsoft Learn

Service | Purpose | Benefit
--------|---------|--------
Azure App Service | Provides the hosting environment for the backend application, which is built with Express | Fully managed environment for application backends, with no need to worry about the infrastructure where the code runs
Azure Web PubSub | Provides a low-latency, bi-directional data exchange channel between the backend application and clients | Drastically reduces server load by freeing the server from managing persistent WebSocket connections, and scales to 100K concurrent client connections with just one resource

Conclusion

App Service networking offers a wide range of features that empower developers to build secure and scalable apps.

By leveraging features such as access restrictions, VNet integration, private endpoints, Azure Firewall, Application Gateway, NAT Gateway, Traffic Manager, Hybrid Connections, and Web PubSub, developers can build robust and resilient applications that can scale and meet the demands of modern applications.
