question

tadul avatar image
tadul asked ·

Queries on App service in Azure

Hello,

I have below queries regarding app service web apps.

  1. App service (PAAS offering from Azure):

  • We have created multiple app services and URL's of those are publicly accessible. Is there away deploy this app service in a VNET? I have read about App service Environment but it's a different service altogether.

  • If we use VNET service endpoints to restrict inbound access to app service then how we manage communication between one app service to another app service in our application.

  • There is an external IP associated with every App service and this IP is same (All app services are using a single app service plan)...Is that IP ever change ?

Thanks,

Tadul Shah

9967067430


azure-webapps
1 comment
10 |1000 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Grmacjon-MSFT avatar image Grmacjon-MSFT ·

@tadul did the answer below help answer your question?

0 Votes 0 · ·

1 Answer

Grmacjon-MSFT avatar image
Grmacjon-MSFT answered ·

Thanks for your questions @tadul .


Yes, you can deploy an app service in a VNET. As this doc states:


VNet Integration gives your app access to resources in your VNet, but it doesn't grant inbound private access to your app from the VNet. Private site access refers to making an app accessible only from a private network, such as from within an Azure virtual network. VNet Integration is used only to make outbound calls from your app into your VNet. The VNet Integration feature behaves differently when it's used with VNet in the same region and with VNet in other regions. The VNet Integration feature has two variations:


Regional VNet Integration: When you connect to Azure Resource Manager virtual networks in the same region, you must have a dedicated subnet in the VNet you're integrating with.


Gateway-required VNet Integration: When you connect to VNet in other regions or to a classic virtual network in the same region, you need an Azure Virtual Network gateway provisioned in the target VNet."


to answer your last question, yes the inbound IP address may change when you perform one of the following actions:


Delete an app and recreate it in a different resource group. Delete the last app in a resource group and region combination and recreate it. Delete an existing TLS binding, such as during certificate renewal (see Renew certificate).


To get a static inbound IP address, you need to secure a custom domain. If you don't actually need TLS functionality to secure your app, you can even upload a self-signed certificate for this binding. In an IP-based TLS binding, the certificate is bound to the IP address itself, so App Service provisions a static IP address to make it happen.


to learn more about Inbound and outbound IP addresses in Azure App Service please see this documentation.


Let us know if you have further questions.


Thanks,


Grace


2 comments Share
10 |1000 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

tadul avatar image tadul ·

Hi Grace,

I think App service environment could be providing the solution what we are looking for.

We want to restrict the inbound access as well as we want to allow inter service communication between two app services.

We tried with service end point and private link but that does work for inter service communication.

VNET integration is for outbound so wont be applicable in my case.

We are exploring ASE option now.

Thanks,
Tadul Shah.

0 Votes 0 · ·
Grmacjon-MSFT avatar image Grmacjon-MSFT tadul ·

Glad to hear you are exploring ASE @tadul . Feel free to accept the answer if it helped answer your question.

Thanks,


Grace

0 Votes 0 · ·