Azure App Services: VNet Integration
This document provides a comprehensive guide to configuring and managing Virtual Network (VNet) integration for your Azure App Services. VNet integration allows your web app to access resources within an Azure Virtual Network securely and privately.
Understanding VNet Integration
VNet integration enables your App Service to establish a secure outbound connection to resources inside your Azure VNet. This is crucial for scenarios where your application needs to interact with databases, storage accounts, or other services hosted within your private network without exposing them to the public internet.
Key Benefits:
- Secure Access to VNet Resources: Connect to databases (SQL Database, Cosmos DB), Storage Accounts, Key Vault, and other services within your VNet.
- Private Communication: Traffic between your App Service and VNet resources stays within the Azure backbone network.
- Reduced Attack Surface: Avoid exposing sensitive backend resources to the public internet.
- Simplified Management: Integrate your web apps with your existing VNet infrastructure.
Types of VNet Integration
Azure App Services offer two primary methods for VNet integration:
1. Regional VNet Integration
This is the most common and recommended method. It allows your App Service to access resources in any subnet within a selected VNet in the same region.
Configuration Steps:
- Navigate to your App Service in the Azure portal.
- In the left-hand menu, under Networking, select VNet integration.
- Click on Add VNet.
- Select the desired Virtual Network and a dedicated subnet. If no suitable subnet exists, you may need to create one.
- Configure the networking settings, such as whether to route all outbound traffic through the VNet.
- Click OK to establish the integration.
2. Gateway-Required VNet Integration (Legacy)
This older method uses an Azure VPN Gateway to connect your App Service to an on-premises network or a VNet in a different region. It's generally less performant and more complex to set up than regional integration.
If you are using this method, ensure your VPN Gateway is properly configured and has the necessary routes established.
Routing Traffic
When using Regional VNet Integration, you can control how outbound traffic is routed:
- Route all outbound traffic enabled: all outbound traffic from your App Service, including traffic to public endpoints, is routed through your VNet. This lets you enforce network policies on that traffic, for example with Network Security Groups (NSGs).
- Route all outbound traffic disabled: only traffic destined for private IP addresses within your VNet is routed through the integration; traffic to public endpoints goes directly to the internet.
Accessing VNet Resources from App Service
Once VNet integration is configured, your App Service can access resources within the connected VNet using their private IP addresses or their fully qualified domain names (FQDNs) if DNS is properly configured.
Example: Connecting to an Azure SQL Database
If your Azure SQL Database is within the same VNet as your App Service, you can connect to it using its server name and credentials. Ensure that firewall rules on the SQL Database allow access from the App Service's VNet integration subnet.
Example connection string (replace the placeholders):
Server=tcp:your-sql-server.database.windows.net,1433;Database=your_database;User ID=your_username;Password=your_password;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;
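The routing rule above means a connection string only reaches the database through the integration if Route All is on or the server name resolves to a private address, so a stale public DNS answer silently sends traffic out over the internet. The following added check (example code, not part of this guide or any Azure SDK) parses the Server= entry, resolves it and reports which path the traffic would take; it assumes "private IP addresses" means the RFC 1918 ranges, and the DNS answers in SAMPLE_DNS are constructed stand-ins for the VNet's resolver.

```python
import ipaddress
import socket
from typing import Callable, Dict

# Assumption: "private IP addresses" in the routing rule means the RFC 1918 ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed DNS answers standing in for the VNet's resolver (not real records).
SAMPLE_DNS = {
    "sql-private.example.internal": "10.1.2.4",             # private endpoint answer
    "your-sql-server.database.windows.net": "40.78.0.10",  # public answer (constructed)
}


def parse_connection_string(conn: str) -> Dict[str, str]:
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    parts = {}
    for item in conn.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            parts[key.strip().lower()] = value.strip()
    return parts


def server_host(conn: str) -> str:
    """Return the host from 'Server=tcp:host,1433' (protocol prefix and port are optional)."""
    server = parse_connection_string(conn)["server"].split(",")[0]
    return server.split(":", 1)[1] if ":" in server else server


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def check_route(conn: str, route_all: bool,
                resolve: Callable[[str], str] = socket.gethostbyname) -> dict:
    """Decide whether traffic to the connection string's server traverses the VNet.

    With Route All enabled every outbound flow goes through the integration; with it
    disabled only RFC 1918 destinations do, so a public DNS answer means the app would
    reach the database over the internet instead of the VNet.
    """
    host = server_host(conn)
    ip = resolve(host)
    via_vnet = route_all or is_rfc1918(ip)
    finding = None if via_vnet else "public address: traffic bypasses the VNet; check private DNS"
    return {"host": host, "resolved_ip": ip, "via_vnet": via_vnet, "finding": finding}


if __name__ == "__main__":
    conn = "Server=tcp:your-sql-server.database.windows.net,1433;Database=db;Encrypt=True;"
    print(check_route(conn, route_all=False, resolve=SAMPLE_DNS.__getitem__))
```

Run it from within the App Service (for example with the default resolver from a console session) to confirm the name resolves to the private endpoint the VNet is supposed to serve.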
Troubleshooting
Common issues include:
- Incorrect subnet configuration.
- Firewall rules blocking traffic.
- DNS resolution problems within the VNet.
- Incorrect routing settings.
Refer to the Azure App Services Networking Troubleshooting Guide for detailed solutions.
Next Steps
Explore other networking features like Private Endpoints and Access Restrictions to further secure and manage your App Services.