Microsoft has recently released a Public Preview of Private Link for Azure App Service. This preview is available in limited regions for all PremiumV2 Windows and Linux web apps. Until now, securing App Services through Virtual Network isolation was only possible with App Service Environments (ASE). ASEs are generally expensive and have long initial deployment cycles as a drawback.
Private Link exposes your app on an address in your VNet and removes it from public access. This not only secures the app but can also be combined with Network Security Groups to secure your network.
The feature is currently available in East US and West US 2. For the scope of this blog post I will be creating the Azure resources in the West US 2 region.
Create a P1V2 App Service Plan in the West US 2 region and create a Private Endpoint in the same region.
Once the Private Link Endpoint is created, you will see a Network Interface created in the Virtual Network and attached to a subnet; this interface carries the private IP on which the app is now reachable.
Typically, such a topology can be tested by creating a VM in the same virtual network under a different subnet and updating its hosts file so that the App Service host name resolves to the private IP. For production scenarios, however, I would suggest deploying an Application Gateway and mapping the Private Endpoint as the App Gateway backend to provide a production-ready solution.
Create an Application Gateway (V1) in the Standard tier, mapped to the Virtual Network used earlier to create the Private Link endpoint.
Create an HTTPS routing rule that maps the HTTPS listener to the backend targets, and upload the .pfx certificate if your website needs secure HTTPS access.
While creating the HTTP/HTTPS settings, please ensure you configure:
- a request time-out of 120 seconds for the backend instances;
- the host name override set to the App Service host name, to avoid the 400 Invalid Host name error;
- a custom probe for HTTP/HTTPS, mapped to the setting.
An important point while creating the HTTPS probe is to set “PickHostNameFromBackendHTTPSettings” to Yes, so that the host name is picked correctly from the HTTPS settings and multiple host name overrides are avoided.
Once the above steps are completed, verify the Backend health of the Application Gateway and make sure the Status column shows Healthy.
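The HTTP settings items and the backend-health check above are the steps most easily missed in the portal, so here is an added audit script (my own example, not code from the post or from Microsoft) that reads the JSON printed by `az network application-gateway show -o json` and `az network application-gateway show-backend-health -o json` and flags any backend setting that deviates: a time-out other than 120 seconds, a missing host name override, a missing probe, or a probe that does not pick its host name from the HTTP settings. It also confirms the backend pool targets a private IP rather than a public host name. The flattened JSON layout, the resource names and both sample documents are assumed/constructed for the example.

```python
"""Audit an Application Gateway that fronts a Private Link App Service.

Input shapes are the (assumed, flattened) ones printed by
`az network application-gateway show` and `show-backend-health`.
"""
import ipaddress
import json

EXPECTED_TIMEOUT_SECS = 120  # value recommended in the post

# Constructed sample: trimmed `az network application-gateway show -o json`.
# Resource ids and names are placeholders, not real resources.
GATEWAY_JSON = json.dumps({
    "name": "appgw-privatelink-demo",
    "backendAddressPools": [
        {"name": "privatelink-pool",
         "backendAddresses": [{"ipAddress": "10.0.1.4", "fqdn": None}]},
    ],
    "backendHttpSettingsCollection": [
        {"name": "https-settings", "port": 443, "protocol": "Https",
         "requestTimeout": 120,
         "hostName": "webapp-privatelink-demo.azurewebsites.net",
         "pickHostNameFromBackendAddress": False,
         "probe": {"id": "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/"
                         "Microsoft.Network/applicationGateways/"
                         "appgw-privatelink-demo/probes/https-probe"}},
        # A default setting left untouched: every check below flags it.
        {"name": "http-settings", "port": 80, "protocol": "Http",
         "requestTimeout": 30, "hostName": None,
         "pickHostNameFromBackendAddress": False, "probe": None},
    ],
    "probes": [
        {"name": "https-probe", "protocol": "Https", "path": "/",
         "host": None, "pickHostNameFromBackendHttpSettings": True},
    ],
})

# Constructed sample: trimmed `show-backend-health -o json` output.
HEALTH_JSON = json.dumps({
    "backendAddressPools": [{
        "backendAddressPool": {"id": ".../backendAddressPools/privatelink-pool"},
        "backendHttpSettingsCollection": [{
            "backendHttpSettings": {"id": ".../backendHttpSettingsCollection/https-settings"},
            "servers": [{"address": "10.0.1.4", "health": "Healthy"}],
        }],
    }],
})


def _last_segment(resource_id):
    """Resource name from an ARM id ('.../probes/https-probe' -> 'https-probe')."""
    return resource_id.rstrip("/").rsplit("/", 1)[-1]


def audit_backend_settings(gateway_json):
    """Return {settings_name: [finding, ...]}; an empty list means the setting passes."""
    gw = json.loads(gateway_json)
    probes = {p["name"]: p for p in gw.get("probes", [])}
    report = {}
    for s in gw.get("backendHttpSettingsCollection", []):
        findings = []
        if s.get("requestTimeout") != EXPECTED_TIMEOUT_SECS:
            findings.append(f"requestTimeout is {s.get('requestTimeout')}, "
                            f"expected {EXPECTED_TIMEOUT_SECS}")
        # The pool holds a private IP, so the Host header must be overridden
        # explicitly; otherwise App Service answers 400 Invalid Host name.
        if not s.get("hostName") or s.get("pickHostNameFromBackendAddress"):
            findings.append("hostName not overridden with the App Service host name")
        probe_ref = (s.get("probe") or {}).get("id")
        probe = probes.get(_last_segment(probe_ref)) if probe_ref else None
        if probe is None:
            findings.append("no custom probe attached")
        else:
            if probe.get("protocol") != s.get("protocol"):
                findings.append(f"probe protocol {probe.get('protocol')} differs "
                                f"from setting protocol {s.get('protocol')}")
            if not probe.get("pickHostNameFromBackendHttpSettings"):
                findings.append("probe does not pick host name from backend HTTP settings")
        report[s["name"]] = findings
    return report


def public_backend_targets(gateway_json):
    """Return backend targets that are not private IPs (public IPs or FQDNs).

    With Private Link the pool should contain only the endpoint's private IP;
    an FQDN such as *.azurewebsites.net would bypass the private path.
    """
    offenders = []
    for pool in json.loads(gateway_json).get("backendAddressPools", []):
        for addr in pool.get("backendAddresses", []):
            ip = addr.get("ipAddress")
            if ip:
                if not ipaddress.ip_address(ip).is_private:
                    offenders.append(ip)
            elif addr.get("fqdn"):
                offenders.append(addr["fqdn"])
    return offenders


def backend_health(health_json):
    """Return {server_address: health} across all pools and settings."""
    status = {}
    for pool in json.loads(health_json).get("backendAddressPools", []):
        for hs in pool.get("backendHttpSettingsCollection", []):
            for server in hs.get("servers", []):
                status[server["address"]] = server["health"]
    return status


if __name__ == "__main__":
    for name, findings in audit_backend_settings(GATEWAY_JSON).items():
        print(name, "OK" if not findings else findings)
    print("public targets:", public_backend_targets(GATEWAY_JSON))
    print("backend health:", backend_health(HEALTH_JSON))
```

Against a real gateway, replace the two constants with the output of the corresponding `az ... -o json` commands; any non-empty findings list, any public target, or any server whose health is not Healthy is a step from the list above that still needs attention.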
Once the backend status shows Healthy, you should be able to access the website through the App Gateway’s public IP. So even though the website is publicly reachable through a public endpoint, the actual App Service hosting the website is secured behind a private IP within the Azure network perimeter, and the traffic between the gateway and the app goes through the Virtual Network.
Hope this helps in securing multi-tenant App Service deployments on Azure PaaS.