Azure Web Apps are, by design, not deployed inside a Virtual Network. When you need a Site-to-Site VPN from Azure to an on-premises network through an Azure Virtual Network gateway (VPN Gateway), VNet Integration for Azure Web Apps is the way to give your workloads better continuity in a hybrid cloud setup with Azure.
Integrate Azure App Service with an Azure Virtual Network
Azure App Service is deployed in two forms:
- Multi-tenant web apps, deployed in a shared environment in Azure, which come with the Basic, Standard and Premium pricing plans
- The App Service Environment (ASE), a Premium feature that deploys into your own VNet
In this blog we are going to look at VNet Integration with multi-tenant web apps, not the App Service Environment.
VNet Integration gives your web app access to resources in your virtual network, but it does not grant private access to your web app from the virtual network: the app is still reached through its public endpoint. A common scenario where you would use VNet Integration is enabling access from your web app to a database or other Azure resources running in your Azure virtual network.
The VNet Integration feature:
- requires a Standard, Premium, or Isolated pricing plan
- works with Classic or Resource Manager VNet
- supports TCP and UDP
- works with Web, Mobile, API apps, and Function apps
- connects an app to only one VNet at a time
- allows up to five VNets to be integrated with one App Service Plan
- allows the same VNet to be used by multiple apps in an App Service Plan
- supports a 99.9% SLA due to the SLA on the VNet Gateway
Accessing on-premises resources
One of the benefits of the VNet Integration feature is that if your VNet is connected to your on-premises network with a Site-to-Site VPN, then your apps can reach your on-premises resources. For this to work, though, you may need to update your on-premises VPN gateway with routes for your Point-to-Site IP range. When the Site-to-Site VPN is set up first, the process used to configure it should set up routes including your Point-to-Site VPN range. If you add the Point-to-Site VPN after you create your Site-to-Site VPN, then you need to update the routes manually.
Azure costs involved to setup VNet Integration
Below are the charges related to the use of this feature:
- App Service Plan pricing tier requirements
- Data transfer costs
- VPN Gateway costs
For your apps to be able to use this feature, they need to be in a Standard or Premium App Service Plan. Because the connection is built on a Point-to-Site VPN, you always pay for outbound data through your VNet Integration connection, even when the VNet is in the same data center.
The last item is the cost of the VNet gateway. If you do not need the gateway for something else, such as a Site-to-Site VPN, then you are paying for a gateway solely to support the VNet Integration feature.
Process to set up VNet Integration for Azure Web Apps
Create a virtual network in the Azure portal
Create a virtual network gateway
- Map the virtual network to the gateway
- Create a public IP address for the gateway
Once the virtual network gateway is created you can see that the GatewaySubnet has been added to the virtual network automatically.
The next step is to configure Point-to-Site in the VPN gateway. Here you select the tunnel type; the two options are SSTP and IKEv2. The strongSwan client on Android and Linux and the native IKEv2 VPN client on iOS and OSX use only IKEv2 to connect. Windows clients try IKEv2 first and, if that does not connect, fall back to SSTP. You can enable one of them or both. VNet Integration itself uses the SSTP tunnel, so keep SSTP enabled even if you turn on IKEv2 for other clients. The Point-to-Site address pool you assign must not overlap with the VNet address space or with any on-premises range reached over the Site-to-Site VPN.
Setup VNet Integration
Click the Setup link on the VNet Integration screen; this opens a screen where you select a virtual network that has Point-to-Site configuration enabled.
Once the virtual network is selected, the VNet Integration setup starts and the web app's integration with the virtual network is initiated.
Once the VNet Integration has completed in the Azure portal, the Networking tab of the selected web app shows the status "Connected".
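The gateway side of the procedure above as an Az PowerShell script, added here as an example; it is not taken from the original post or from Microsoft's documentation. The resource group, region, resource names and address ranges are assumed values, so change them to match your environment. The final step, clicking Setup on the web app's VNet Integration screen, stays in the portal; the script ends with a pre-flight check of the gateway prerequisites that step depends on and prints the Point-to-Site range the on-premises VPN device needs a route for.

```powershell
# Added example (not from the original post): Az PowerShell equivalent of the
# portal steps above. Resource names, region and address ranges are assumptions.
$rg       = 'rg-webapp-vnet'      # assumed resource group
$location = 'westeurope'          # assumed region
$vnetName = 'vnet-hybrid'         # assumed virtual network name
$gwName   = 'vpngw-hybrid'        # assumed gateway name
$vnetCidr = '10.10.0.0/16'        # assumed VNet address space
$gwCidr   = '10.10.255.0/27'      # GatewaySubnet needs a /27 or larger
$dbCidr   = '10.10.1.0/24'        # assumed subnet holding the database the app must reach
$p2sPool  = '172.16.201.0/24'     # assumed Point-to-Site pool: must not overlap the VNet
                                  # or any on-premises range behind the Site-to-Site VPN

Connect-AzAccount | Out-Null
New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# Step 1: virtual network. The gateway subnet must be named exactly 'GatewaySubnet'.
$gwSubnet = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix $gwCidr
$dbSubnet = New-AzVirtualNetworkSubnetConfig -Name 'snet-db' -AddressPrefix $dbCidr
$vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg -Location $location `
            -AddressPrefix $vnetCidr -Subnet $gwSubnet, $dbSubnet

# Step 2: public IP for the gateway and the IP configuration that maps the gateway to the VNet.
$pip = New-AzPublicIpAddress -Name "$gwName-pip" -ResourceGroupName $rg -Location $location `
            -Sku Standard -AllocationMethod Static
$gwSubnetId = (Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet).Id
$ipConf = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconfig' `
            -SubnetId $gwSubnetId -PublicIpAddressId $pip.Id

# Step 3: route-based VPN gateway with Point-to-Site enabled. SSTP is the tunnel the
# VNet Integration connection uses; IKEv2 is added only for the other clients listed above.
# No client root certificate is uploaded here: the VNet Integration setup in the portal
# installs its own certificate on the gateway. Provisioning takes roughly 30-45 minutes.
New-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg -Location $location `
    -IpConfigurations $ipConf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1 `
    -VpnClientProtocol SSTP, IkeV2 -VpnClientAddressPool $p2sPool | Out-Null

# Step 4: pre-flight check to run before clicking the Setup link on the web app's
# VNet Integration screen. Throws on the first unmet prerequisite; otherwise returns
# the Point-to-Site pool that the on-premises VPN device must have a route for.
function Test-VNetIntegrationGateway {
    param([string]$ResourceGroupName, [string]$GatewayName)

    $gw  = Get-AzVirtualNetworkGateway -ResourceGroupName $ResourceGroupName -Name $GatewayName
    $cfg = $gw.VpnClientConfiguration

    if ($gw.GatewayType -ne 'Vpn')             { throw "$GatewayName is not a VPN gateway" }
    if ($gw.VpnType -ne 'RouteBased')          { throw "$GatewayName must be route-based" }
    if ($gw.ProvisioningState -ne 'Succeeded') { throw "$GatewayName is still provisioning ($($gw.ProvisioningState))" }
    if (-not $cfg -or -not $cfg.VpnClientAddressPool.AddressPrefixes) {
        throw "$GatewayName has no Point-to-Site address pool configured"
    }
    if ($cfg.VpnClientProtocols -notcontains 'SSTP') {
        throw "$GatewayName must have SSTP enabled for VNet Integration"
    }
    return $cfg.VpnClientAddressPool.AddressPrefixes
}

$pool = Test-VNetIntegrationGateway -ResourceGroupName $rg -GatewayName $gwName
Write-Host "Gateway ready. Add a route for $($pool -join ', ') on the on-premises VPN device, then run Setup on the web app's VNet Integration screen."
```

The check function is worth keeping around after the initial setup: a later change to the gateway (switching the tunnel type to IKEv2 only, or removing the Point-to-Site pool to reuse the range) silently breaks the integration, and running the function again tells you which prerequisite was lost before you start debugging the web app.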