VNet Integration With Azure Web apps

Introduction

Azure web apps are by design not deployed in a Virtual network. For scenarios where we need to setup a Site-Site VPN to On-Premise network using Azure Virtual Network gateway (VPN Gateway), VNet Integration (azure web app) is the way to go to provide better continuity for your workloads in hybrid cloud setup with Azure.

Integrate Azure App Service with an Azure Virtual Network

The Azure App Service gets deployed in two forms.

  • The multi-tenant web apps which are deployed in shared environment in Azure comes with Basic/Standard/premium pricing plans
  • The App Service Environment (ASE) premium feature, which deploys into your VNet.

In this blog we are going to look at VNet Integration with multi-tenant web apps and not App Service Environment.

VNet Integration gives your web app access to resources in your virtual network but does not grant private access to your web app from the virtual network. A common scenario where you would use VNet Integration is enabling access from your web app to a database or azure resources running in your Azure virtual network.

The VNet Integration feature:

  • requires a Standard, Premium, or Isolated pricing plan
  • works with Classic or Resource Manager VNet
  • supports TCP and UDP
  • works with Web, Mobile, API apps, and Function apps
  • enables an app to connect to only 1 VNet at a time
  • enables up to five VNets to be integrated with in an App Service Plan
  • allows the same VNet to be used by multiple apps in an App Service Plan
  • supports a 99.9% SLA due to the SLA on the VNet Gateway

Accessing on-premises resources

One of the benefits of the VNet Integration feature is that if your VNet is connected to your on-premises network with a Site-to-Site VPN then your apps can have access to your on-premises resources from your app. For this to work though customer may need to update their on-premises VPN gateway with the routes for your Point-to-Site IP range. When the Site to Site VPN is first set up then the process used to configure it should set up routes including your Point-to-Site VPN. If you add the Point-to-Site VPN after you create your Site-to-Site VPN, then you need to update the routes manually.

Azure costs involved to setup VNet Integration

Below are the related charges to the use of this feature

  • App Service Plan pricing tier requirements
  • Data transfer costs
  • VPN Gateway costs

For your apps to be able to use this feature, they need to be in a Standard or Premium App Service Plan. Due to how Point-to-Site VPNs are handled, you always have a charge for outbound data through your VNet Integration connection even if the VNet is in the same data center.

The last item is the cost of the VNet gateways. If you do not need the gateways for something else such as Site-to-Site VPNs, then you are paying for gateways to support the VNet Integration feature.

Process to setup VPN Integration for Azure Webapps

Create Virtual Network in Azure portal

new-vnet

createvnet

Create Virtual network gateway

  • Map the virtual network to the Gateway
  • Create Public IP Address for gateway

createvnetgway

Once Virtual Network gateway is created you can see that the Gateway subnet has been added to the virtual network automatically.

mapvnetgway

Next step is to configure point-to-site configure in the VPN gateway. You can select the tunnel type. The two tunnel options are SSTP and IKEv2. The strongSwan client on Android and Linux and the native IKEv2 VPN client on iOS and OSX will use only IKEv2 tunnel to connect. Windows clients try IKEv2 first and if that doesn’t connect, they fall back to SSTP. You can choose to enable one of them or both.

pointsite

Setup VNet Integration

setupvnetint

Click on setup link on the VNet Integration screen and then it opens up a screen to select the Virtual network enabled with Point-Site configuration for selection.

selectvnet

Once the virtual network is selected, we can see that the VNet Integration setup starts and the web app integration with virtual network gets initiated.

addvnetto webapp

Once the VNet Integration is completed in the Azure portal, you will be able to see the “Connected” status shown in the Networking tab for the web app selected.

connected

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s