padraigdenihan-4575 asked ·

Connecting Web Apps to API across Subscriptions

Hi

Our customer has a series of Web Apps - incl. App1 - built in App Service - under Subscription SubA.

There is an integration service API (Svc1) - running on an IaaS Windows VM (vm1), on Vnet1 - under Subscription SubB - same Region as SubA

App1 needs to consume Svc1

How to allow this Outbound access??

From reading, it looks like "VNet Integration" is not a runner due to there being 2 different subscriptions

Other possible seems to be "Hybrid connections" - but this seems more oriented towards connecting to on-premise resources, e.g. backend DB. That's not the use case here - we need to allow App1 to consume Svc1, programmatically.

Any ideas please?

(PS my background is infrastructure, not apps :-)

Tks

Padraig

azure-webapps

Hi @padraigdenihan-4575,


You can use VNet peering across your two different subscriptions. Have a look at https://docs.microsoft.com/en-us/azure/virtual-network/create-peering-different-subscriptions on how you can get that set up.


Hope this helps.


ryanchill answered ·

Hi Ryan

Yes we are aware of VNet peering to connect VNets. What we need here is an outbound connection from Azure App Service, where there is no VNet as such - to a VNet in a different subscription. Is it possible to:

a) Use VNet Integration to connect the app to a VNet in the same SubA

b) peer from that VNet to a VNet in the other SubB

c) From the app, access the service on the VNet in SubB via the peered connection?

Maybe that's what you're recommending here? Can it be done?

Thanks Padraig

If you're wanting to use an outbound connection, then you should be able to reference SvcA/SubB by simply requesting svca.azurewebsites.net/*. But if you're protecting SvcA from the outside world, VNet peering is still the way to go. This link gives the steps to establish communication between different deployments/different subscriptions which I believe is your situation.

Once you establish your peering, you can take SvcA, associate it with that VNet and only allow access through that VNet, so to answer your question; yes.



padraigdenihan-4575 answered ·

Hi again Ryan

I really appreciate you taking the time to answer but I just want to try and be crystal clear in my understanding. Just to repeat our scenario:

We have: App1 - built in App Service - under Subscription SubA.

This app needs to call an integration service API - Svc1 - which is running on an IaaS Windows VM (i.e. not an App Service app), on a Vnet under SubB - in the same Region as SubA

So, if I understand your proposal, we can:

  • create a VNet in SubA

  • peer this VNet with the VNet in SubB

  • "associate" App1 with the VNet created in SubA (using the "VNet Integration" feature?)

  • App1 can then make the outbound call to Svc1 via the peered VNet connection

Do I have this right?
Is a Hybrid Connection another option?

Sorry to keep going over this

Thanks
Padraig




Hybrid connection is for connecting an on-prem database through a relay. That won't help you out there. You understood my proposal perfectly and it's no problem at all to go over it. Even though Svc1 is running on a VM, the same would apply, you would add your IaaS VM to the VNET where App1 on SubA can access Svc1 on SubB.

Let me know if you run into any issues.
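Added example, not part of the original thread and not Microsoft's code: a pre-flight check of the plan agreed above (a VNet in SubA with App1's VNet Integration subnet, peered to the VNet in SubB that hosts Svc1), followed by inbound rules for Svc1 that admit only the integration subnet. The deny rule is included because the default NSG rule for the VirtualNetwork tag also covers peered address space. All address ranges, the port, the priorities and the rule field names are constructed for illustration and are not Azure's schema.

```python
import ipaddress

def plan_rules(app_vnet, integration_subnet, svc_vnet, svc_ip, svc_port):
    """Check the SubA/SubB layout, then return inbound rules for Svc1's subnet."""
    app_net = ipaddress.ip_network(app_vnet)
    int_net = ipaddress.ip_network(integration_subnet)
    svc_net = ipaddress.ip_network(svc_vnet)
    svc_addr = ipaddress.ip_address(svc_ip)

    problems = []
    if app_net.overlaps(svc_net):
        problems.append(f"{app_net} overlaps {svc_net}: overlapping VNets cannot be peered")
    if not int_net.subnet_of(app_net):
        problems.append(f"integration subnet {int_net} is outside {app_net}")
    if svc_addr not in svc_net:
        problems.append(f"Svc1 address {svc_addr} is outside {svc_net}")
    if problems:
        raise ValueError("; ".join(problems))

    dest = f"{svc_addr}/32"
    return [
        # Only App1's integration subnet may reach the Svc1 port.
        {"priority": 100, "access": "Allow", "protocol": "Tcp",
         "source": str(int_net), "destination": dest, "port": svc_port},
        # Everything else arriving over the VNet or the peering is refused.
        {"priority": 200, "access": "Deny", "protocol": "*",
         "source": "VirtualNetwork", "destination": dest, "port": "*"},
    ]

def evaluate(rules, src_ip, port):
    """Lowest priority number that matches wins, as in NSG processing.
    Simplification: 'VirtualNetwork' matches any source passed in here."""
    src = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        src_ok = (rule["source"] == "VirtualNetwork"
                  or src in ipaddress.ip_network(rule["source"]))
        if src_ok and rule["port"] in ("*", port):
            return rule["access"]
    return "Deny"

if __name__ == "__main__":
    # Constructed sample plan: SubA VNet, integration subnet, SubB VNet, Svc1.
    rules = plan_rules("10.10.0.0/16", "10.10.1.0/26", "10.20.0.0/16", "10.20.0.4", 443)
    for src in ("10.10.1.5", "10.10.2.9"):
        print(src, "->", evaluate(rules, src, 443))
```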