App Service VNet Integration

Azure App Service provides a robust way to deploy and scale web applications, APIs, and mobile backends. One of the key features for enterprise scenarios is VNet Integration, which allows your App Service to access resources within an Azure Virtual Network (VNet) or an on-premises network through a VPN connection.

What is VNet Integration?

VNet Integration extends the application's network capabilities to include private IP addresses within your VNet. This enables your applications to securely access resources such as:

Azure SQL Database instances configured with VNet service endpoints or private endpoints.
Storage accounts with VNet service endpoints.
Virtual machines and other resources within your VNet using their private IP addresses.
On-premises resources reachable via a VPN Gateway or ExpressRoute.

Benefits of VNet Integration

Enhanced Security: Access private resources without exposing them to the public internet.
Simplified Network Management: Integrate seamlessly with your existing VNet infrastructure.
Improved Performance: Reduced latency when accessing resources within the same VNet.
Hybrid Connectivity: Connect to on-premises resources securely.

How it Works

VNet Integration works by establishing a gateway within your VNet that routes traffic from your App Service to the desired resources. There are two main types:

Gateway-based VNet Integration: This is the traditional method that leverages a managed gateway.
VNet Integration (newer) / Isolated VNet Integration: This newer approach offers higher scale and uses a subnet within your VNet for integration.

Diagram illustrating App Service VNet Integration

Conceptual diagram of App Service VNet Integration.

Key Concepts

Subnet Allocation

When you configure VNet Integration, a dedicated subnet is typically allocated within your VNet. This subnet is used by the App Service integration components. It's crucial to ensure this subnet is not used by any other resources and has sufficient address space.

Route All Traffic

A critical setting is "Route All Traffic". If enabled, all outbound traffic from your App Service, including traffic destined for the public internet, will be routed through your VNet. This is essential for accessing resources that are only resolvable via your VNet's DNS servers or require egress through a specific firewall or NAT gateway.

Network Security Groups (NSGs) and Firewalls

You can apply Network Security Groups (NSGs) to the integration subnet to control inbound and outbound traffic to your App Service. This allows for fine-grained access control to and from your App Service.

Configuration Steps

Configuring VNet Integration typically involves the following steps within the Azure portal:

Navigate to your App Service.
Under 'Networking', select 'VNet integration'.
Click 'Add VNet'.
Choose the subscription, virtual network, and integration subnet.
Configure the 'Route All Traffic' setting as needed.
Click 'OK' to apply the integration.

Use Cases

Connecting to a private Azure SQL Database.
Accessing resources in an on-premises data center via ExpressRoute or VPN.
Ensuring all outbound traffic from your web application originates from a trusted network.
Implementing strict network isolation for sensitive applications.

Important: Ensure the integration subnet has an adequate CIDR range to accommodate the scale of your App Service.

Tip: For optimal performance and security, consider using the newer VNet Integration feature that allows you to deploy directly into your VNet's subnet.

Troubleshooting

Common issues include:

Incorrect subnet configuration or insufficient IP addresses.
Firewall rules or NSGs blocking traffic.
DNS resolution issues within the VNet.
Incorrectly routing all traffic when not intended.

Utilize Azure Network Watcher and App Service diagnostic logs to identify and resolve connectivity problems.