Connecting Web Apps to API across Subscriptions

padraig denihan 1 Reputation point
2020-04-09T14:08:40.317+00:00

Hi

Our customer has a series of Web Apps - incl. App1 - built in App Service - under Subscription SubA.

There is an integration service API (Svc1) - running on an IaaS Windows VM (vm1), on Vnet1 - under Subscription SubB - same Region as SubA

App1 needs to consume Svc1

How to allow this Outbound access??

From reading, it looks like "VNet Integration" is not a runner due to there being 2 different subscriptions

The other possibility seems to be "Hybrid connections" - but this seems more oriented towards connecting to on-premise resources, e.g. backend DB. That's not the use case here - we need to allow App1 to consume Svc1, programmatically.

Any ideas please?

(PS my background is infrastructure, not apps :-)

Tks

Padraig

Azure App Service

2 answers

  1. Ryan Hill 25,476 Reputation points Microsoft Employee
    2020-04-13T21:01:14.12+00:00

    Hi Ryan

    Yes we are aware of VNet peering to connect VNets. What we need here is an outbound connection from Azure App Service, where there is no VNet as such - to a VNet in a different subscription. Is it possible to:

    a) Use VNet Integration to connect the app to a VNet in the same SubA
    b) peer from that VNet to a VNet in the other SubB
    c) From the app, access the service on the VNet in SubB via the peered connection?

    Maybe that's what you're recommending here? Can it be done?

    Thanks Padraig

    If you're wanting to use an outbound connection, then you should be able to reference SvcA/SubB by simply requesting svca.azurewebsites.net/*. But if you're protecting SvcA from the outside world, VNet peering is still the way to go. This link gives the steps to establish communication between different deployments/different subscriptions which I believe is your situation.

    Once you establish your peering, you can take SvcA, associate it with that VNet and only allow access through that VNet, so to answer your question: yes.

  2. padraig denihan 1 Reputation point
    2020-04-14T08:57:17.953+00:00

    Hi again Ryan

    I really appreciate you taking the time to answer but I just want to try and be crystal clear in my understanding. Just to repeat our scenario:

    We have: App1 - built in App Service - under Subscription SubA.

    This app needs to call an integration service API - Svc1 - which is running on an IaaS Windows VM (i.e. not an App Service app), on a Vnet under SubB - in the same Region as SubA

    So, if I understand your proposal, we can:

    • create a VNet in SubA
    • peer this VNet with the VNet in SubB
    • "associate" App1 with the VNet created in SubA (using the "VNet Integration" feature?)
    • App1 can then make the outbound call to Svc1 via the peered VNet connection

    Do I have this right?
    Is a Hybrid Connection another option?

    Sorry to keep going over this

    Thanks
    Padraig
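
Added example, not part of the thread and not either poster's code: the four steps listed in the post above, written out as Azure CLI commands with a dry-run switch so the plan can be reviewed before anything is created. Only App1 and Vnet1 come from the thread; the subscription IDs, resource groups, SubA VNet and subnet names, and address ranges are assumed placeholders.

```shell
#!/usr/bin/env bash
# Added example: App1 (SubA) -> VNet Integration -> peering -> Vnet1 (SubB).
# Every value except App1 and Vnet1 is a placeholder (assumption); replace them.
SUB_A="<SubA-subscription-id>"; RG_A="rg-app"     # hypothetical resource group
SUB_B="<SubB-subscription-id>"; RG_B="rg-svc"     # hypothetical resource group
VNET_A="vnet-app1"; SUBNET_A="snet-integration"   # hypothetical new VNet in SubA
VNET_B="Vnet1"; APP="App1"
PREFIX_A="10.10.0.0/16"                           # must not overlap Vnet1's range
SUBNET_PREFIX_A="10.10.1.0/26"

# DRY_RUN=1 (default) prints each command instead of calling Azure.
run() { if [ "${DRY_RUN:-1}" = "1" ]; then echo "$*"; else "$@"; fi; }

vnet_id() {  # $1=subscription  $2=resource group  $3=VNet name
  echo "/subscriptions/$1/resourceGroups/$2/providers/Microsoft.Network/virtualNetworks/$3"
}

connect_app1_to_svc1() {
  # 1. VNet in SubA with a subnet set aside for App Service integration.
  run az network vnet create --subscription "$SUB_A" -g "$RG_A" -n "$VNET_A" \
      --address-prefixes "$PREFIX_A" --subnet-name "$SUBNET_A" \
      --subnet-prefixes "$SUBNET_PREFIX_A"
  # 2. A peering is one link per side; the remote VNet is passed by resource ID
  #    because it lives in the other subscription.
  run az network vnet peering create --subscription "$SUB_A" -g "$RG_A" \
      --vnet-name "$VNET_A" -n "to-$VNET_B" \
      --remote-vnet "$(vnet_id "$SUB_B" "$RG_B" "$VNET_B")" --allow-vnet-access
  run az network vnet peering create --subscription "$SUB_B" -g "$RG_B" \
      --vnet-name "$VNET_B" -n "to-$VNET_A" \
      --remote-vnet "$(vnet_id "$SUB_A" "$RG_A" "$VNET_A")" --allow-vnet-access
  # 3. Attach App1 to the SubA subnet; outbound calls to Svc1's private IP
  #    then travel over the peering instead of the public internet.
  run az webapp vnet-integration add --subscription "$SUB_A" -g "$RG_A" \
      -n "$APP" --vnet "$VNET_A" --subnet "$SUBNET_A"
}

connect_app1_to_svc1
```

Set `DRY_RUN=0` to execute; the signed-in identity needs permission to create peerings on the VNets in both subscriptions.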