What Is Subnet Address Block In App Service Environment
In one of my videos on my YouTube channel, I discuss Azure App Services with Private Link. The video describes how it works and provides an example of deploying the infrastructure with Bicep. The Bicep templates are on GitHub.
If you want to jump directly to the video, here it is:
In the rest of this blog post, I provide some more background information on the different pieces of the solution.
Azure App Service
Azure App Service is a great way to host web applications and APIs on Azure. It's PaaS (platform as a service), so you do not have to deal with the underlying Windows or Linux servers as they are managed by the platform. I often see AKS (Azure Kubernetes Service) implementations that host only a couple of web APIs and web apps. In most cases, that is overkill and you still have to deal with Kubernetes upgrades, node patching or image replacements, draining and rebooting the nodes, etc… And then I did not even discuss controlling ingress and egress traffic. Even if you standardize on packaging your app in a container, Azure App Service will gladly accept the container and serve it for you.
By default, Azure App Service gives you a public IP address and FQDN (Fully Qualified Domain Name) to reach your app securely over the Internet. The default name ends with azurewebsites.net but you can easily add custom domains and certificates.
Things get a bit more complicated when you want a private IP address for your app, reachable from Azure virtual networks and on-premises networks. One solution is to use an App Service Environment. It provides a fully isolated and dedicated environment to run App Service apps such as web apps and APIs, Docker containers and Functions. You can create an internal ASE, which results in an Internal Load Balancer in front of your apps that is configured in a subnet of your choice. There is no need to configure Private Endpoints to make use of Private Link. This is often called native virtual network integration.
At the network level, an App Service Environment v2 works as follows:
Looking at the above diagram, an ILB ASE (but also an External ASE) also makes it easy to connect to back-end systems such as on-premises databases. The outbound connection to internal resources originates from an IP in the chosen integration subnet.
The downside to ASE is that its isolated instances (I1, I2, I3) are rather expensive. It also takes a long time to provision an ASE, but that is less of an issue. In reality though, I would like to see App Service Environments go away and be replaced by "regular" App Services with toggles that give you the options you require. You would just deploy App Services and set the options you require. In any case, native virtual network integration should not depend on dedicated or shared compute. One can only dream, right? 😉
Note: App Service Environment v3, in preview at the time of this writing, provides a simplified deployment experience and also costs less. See App Service Environment v3 public preview – Azure App Service
As an alternative to an ASE for a private app, consider a non-ASE App Service that, in production, uses Premium V2 or V3 instances. The question then becomes: "How do you get a private IP address?" That's where Private Link comes in…
Azure Individual Link with App Service
Azure Private Link provides connectivity to Azure services (such as App Service) via a Private Endpoint. The Private Endpoint creates a virtual network interface card (NIC) on a subnet of your choice. Connections to the NIC's IP address end up at the Private Link service the Private Endpoint is connected to. Below is an example with Azure SQL Database where one Private Endpoint is mapped, via Azure Private Link, to one database. The other databases are not reachable via the endpoint.
To create a regular App Service that is accessible via a private IP, we can do the same thing:
- create a private endpoint in the subnet of your choice
- connect the private endpoint to your App Service using Private Link
Both actions can be performed at the same time from the portal. In the Networking section of your App Service, click Configure your private endpoint connections. You will see the following screen:
Now click Add to create the Private Endpoint:
The above creates the private endpoint in the default subnet of the selected VNET. When the creation is finished, the private endpoint will be connected to App Service and automatically approved. There are scenarios, such as connecting private endpoints from other tenants, that require you to approve the connection first:
When you click on the private endpoint, you will see the subnet and NIC that were created:
From the above, you can click the link to the network interface (NIC):
Note that when you delete the Private Endpoint, the interface gets deleted too.
Great! Now we have an IP address that we can use to reach the App Service. If you use the default name of the web app, in my case https://web-geba.azurewebsites.net, you will get:
Indeed, when you enable Private Link on App Service, you cannot access the website using its public IP. To solve this, you will need to do something at the DNS level. For the default domain, azurewebsites.net, it is recommended to use Azure Private DNS. During the creation of my Private Endpoint, I turned on that feature, which resulted in:
You might wonder why this is a private DNS zone for privatelink.azurewebsites.net. From the moment you enable Private Link on your web app, Microsoft modifies the response to the DNS query for the public name of your app. For example, if the app is web-geba.azurewebsites.net and you query DNS for that name, it will answer with a CNAME of web-geba.privatelink.azurewebsites.net. If that cannot be resolved, you will still get the public IP, but that will result in a 403.
In my case, as long as the DNS servers I use can resolve web-geba.privatelink.azurewebsites.net and I can connect to 10.240.0.4, I am good to go. Note however that the DNS story, including Private DNS and your own DNS servers, is a bit more complex than just checking a box! However, that is not the focus of this blog post, so moving on… 😉
Note: you still need to connect to the website using https://web-geba.azurewebsites.net in your browser
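The two portal steps above (create the private endpoint, connect it to the app) plus the Private DNS zone can be expressed as one Bicep deployment. The template below is an added example written for this post; it is not one of the author's GitHub templates. It assumes an existing VNet and a subnet for private endpoints (passed in as resource ids), and the app name, plan name and SKU are placeholders. The private DNS zone group is what makes the platform write the A record for `<app>.privatelink.azurewebsites.net`, so that the CNAME returned for the public name resolves to the endpoint's private IP instead of falling back to the public IP and a 403.

```bicep
// Added example (not the author's GitHub templates): a regular App Service that is
// reachable through a private endpoint, with the privatelink.azurewebsites.net
// private DNS zone linked to the VNet. Names and SKU below are assumptions.
param location string = resourceGroup().location
param appName string = 'web-example'   // assumed app name; default FQDN becomes web-example.azurewebsites.net
param vnetId string                    // existing VNet, e.g. /subscriptions/<id>/.../virtualNetworks/vnet-hub (placeholder)
param privateEndpointSubnetId string   // existing subnet for private endpoints (privateEndpointNetworkPolicies disabled)

resource plan 'Microsoft.Web/serverfarms@2021-01-15' = {
  name: 'plan-${appName}'
  location: location
  sku: {
    name: 'P1v2'
    tier: 'PremiumV2'
  }
}

resource site 'Microsoft.Web/sites@2021-01-15' = {
  name: appName
  location: location
  properties: {
    serverFarmId: plan.id
    httpsOnly: true
  }
}

// Private endpoint: creates the NIC in the chosen subnet. groupIds 'sites' is the
// sub-resource name for a web app. The connection is auto-approved in the same tenant.
resource pe 'Microsoft.Network/privateEndpoints@2021-02-01' = {
  name: 'pe-${appName}'
  location: location
  properties: {
    subnet: {
      id: privateEndpointSubnetId
    }
    privateLinkServiceConnections: [
      {
        name: 'plsc-${appName}'
        properties: {
          privateLinkServiceId: site.id
          groupIds: [
            'sites'
          ]
        }
      }
    ]
  }
}

// Private DNS zone for the privatelink CNAME target, linked to the VNet so that
// VMs using Azure-provided DNS in that VNet resolve the private IP.
resource dnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.azurewebsites.net'
  location: 'global'
}

resource dnsLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: dnsZone
  name: 'link-${appName}'
  location: 'global'
  properties: {
    registrationEnabled: false
    virtualNetwork: {
      id: vnetId
    }
  }
}

// DNS zone group: the platform maintains the A record
// <appName>.privatelink.azurewebsites.net -> private endpoint IP in the zone above.
resource dnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-02-01' = {
  parent: pe
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'privatelink-azurewebsites-net'
        properties: {
          privateDnsZoneId: dnsZone.id
        }
      }
    ]
  }
}

// The NIC created for the endpoint; it is removed again when the endpoint is deleted.
output privateEndpointNicId string = pe.properties.networkInterfaces[0].id
```

After deployment, a quick check from a VM in the linked VNet is `nslookup web-example.azurewebsites.net`: the answer should show the CNAME to `web-example.privatelink.azurewebsites.net` and a private address from the endpoint subnet. If the answer is a public IP, the resolver in use is not consulting the private zone (custom DNS servers need a forwarder to Azure DNS for that), and the app will return 403 as described above.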
Outbound connections to internal resources
One of the features of App Service Environments is the ability to connect to back-end systems in Azure VNETs or on-premises. That is the result of native VNET integration.
When you enable Private Link on a regular App Service, you do not get that. Private Link only enables private inbound connectivity but does nothing for outbound. You will need to configure something else to make outbound connections from the Web App to resources such as internal SQL Servers work.
In the network configuration of your App Service, there is another option for outbound connectivity to internal resources – VNet integration.
In the Networking section of App Service, find the VNet integration section and click Click here to configure. From there, you can add a VNet to integrate with. You will need to select a subnet in that VNet for this integration to work:
There are quite a few things to know when it comes to VNet integration for App Service, so be sure to check the docs.
Private Link with Azure Front Door
Often, a web app is made private because you want to put a Web Application Firewall (WAF) in front of the app. Typically, that goal is achieved by putting Azure Application Gateway (AG) with WAF in front of an internal App Services Environment. As an alternative to AG, you can also use virtual appliances such as Barracuda WAF for Azure. This works because the App Services Environment is a first-class citizen of your Azure virtual network.
There are multiple ways to put a WAF in front of a (non-ASE) App Service. You can use Front Door with the App Service as the origin, as long as you restrict direct access to the origin. To that end, App Services support access restrictions.
With Azure Front Door Premium, in preview at the time of this writing (June 2021), you can use Private Link as well. In that case, Azure Front Door creates a private endpoint. You cannot control or see that private endpoint because it is managed by Front Door. Because the private endpoint is not in your tenant, you will need to approve the connection from the private endpoint to your App Service. You can do that in multiple ways. One way is Private Link Center Pending Connections:
If you check the video at the top of this page, this is shown there.
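The two remaining pieces of the non-ASE setup, outbound VNet integration and the access restriction that stops clients from bypassing Front Door, can be added to an existing app with the Bicep below. This is an added example for this post, not the author's templates. It assumes the app from the previous section already exists, that the integration subnet is delegated to `Microsoft.Web/serverFarms`, and that the Front Door profile id is known (it is the value Front Door sends in the `X-Azure-FDID` header). The allow rule is scoped to the `AzureFrontDoor.Backend` service tag and to that header, so traffic from other Front Door profiles on the same shared address space is rejected too.

```bicep
// Added example (not the author's templates): regional VNet integration for outbound
// traffic plus an access restriction that only admits requests from one Front Door profile.
// appName, integrationSubnetId and frontDoorId are assumptions supplied as parameters.
param appName string = 'web-example'
param integrationSubnetId string   // subnet delegated to Microsoft.Web/serverFarms
param frontDoorId string           // Front Door profile id, compared with the X-Azure-FDID header

resource site 'Microsoft.Web/sites@2021-01-15' existing = {
  name: appName
}

// Regional VNet integration: outbound connections from the app to internal
// resources (for example a SQL Server in the VNet or on-premises) originate in this subnet.
resource vnetIntegration 'Microsoft.Web/sites/networkConfig@2021-01-15' = {
  parent: site
  name: 'virtualNetwork'
  properties: {
    subnetResourceId: integrationSubnetId
    swiftSupported: true
  }
}

// Access restrictions on the origin: allow only Front Door's backend address space,
// and only requests carrying our own profile id; deny everything else.
resource webConfig 'Microsoft.Web/sites/config@2021-01-15' = {
  parent: site
  name: 'web'
  properties: {
    ipSecurityRestrictions: [
      {
        name: 'AllowOwnFrontDoorOnly'
        action: 'Allow'
        priority: 100
        tag: 'ServiceTag'
        ipAddress: 'AzureFrontDoor.Backend'
        headers: {
          'x-azure-fdid': [
            frontDoorId
          ]
        }
      }
      {
        name: 'DenyAll'
        action: 'Deny'
        priority: 2147483647
        ipAddress: 'Any'
      }
    ]
  }
}
```

When Front Door Premium connects to the origin over Private Link instead, the inbound path no longer depends on the service tag rule, but the private endpoint connection that Front Door creates still shows up as pending on the App Service and has to be approved (for example in Private Link Center), as described above.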
Conclusion
The combination of Azure networking with App Services Environments (ASE) and "regular" App Services (non-ASE) can be pretty confusing. You have native network integration for ASE, private access with Private Link and private endpoints for non-ASE, private DNS for private link domains, virtual network service endpoints, VNet outbound configuration for non-ASE, etc… Most of the time, when I am asked for the easiest and most cost-effective option for a private web app in PaaS, I go for a regular non-ASE App Service and use Private Link to make the app accessible from the internal network.
Source: https://blog.baeke.info/2021/06/22/azure-app-services-with-private-link/