How to integrate Azure App Service with Azure Virtual Network

Case

While configuring Azure App Service, you need to integrate App Service with Azure Virtual Network (VNET). App Service VNET integration is one of the many networking features of Azure App Service, as shown in the table below.

| Inbound networking features | Outbound networking features |
|---|---|
| App-assigned address | Hybrid Connections |
| Access restrictions | Gateway-required virtual network integration |
| Service endpoints | Virtual network (VNET) integration |
| Private endpoints | |

Solution

You can configure VNET integration for your App Service either while provisioning the resource or after it has been provisioned.

During App Service resource provisioning

You can configure VNET integration while provisioning the App Service resource in the Azure management portal, under the Networking tab. The default settings of the Networking tab are as follows.

To enable VNET integration, set the "Enable network injection" option to "On" and then configure the virtual network to integrate with your App Service. Further down, set the "Enable VNET integration" option to "On" and choose the subnet of your VNET that will be used as the source for the outbound traffic of your App Service.

After App Service resource provisioning

After the App Service resource has been provisioned, you can access the configuration of the VNET integration parameters from the Azure portal under the "Networking" blade of the App Service resource, as shown below.

From this page you have the following VNET integration configuration options:

  • Disconnect the VNET from the App Service.
  • Enable or disable the "Route All" option.
  • Change the integrated VNET.
  • Change the integrated VNET subnet.

To set up a different VNET or VNET subnet, you first need to disconnect the existing VNET.

At this point you can click on "Add VNET" to configure VNET integration again with a different VNET and VNET subnet.

Connecting to and disconnecting from a virtual network is done at the app level. Operations that can affect virtual network integration across multiple apps are performed at the App Service plan level. You can see similar information at the App Service plan level in the portal under App Service plan --> Networking --> VNet integration.

App Service VNET integration configuration properties

The following App Service Kudu console page provides a list of all environment variables configured for the App Service.

https://[appservicename].scm.azurewebsites.net/Env.cshtml

The example below shows the WEBSITE_VNET_ROUTE_ALL = 1 variable.

When set to 1, WEBSITE_VNET_ROUTE_ALL forces all outbound traffic (including traffic to public IP addresses) to pass through the VNET integration, not only RFC 1918 traffic (private IPv4 address spaces).
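The routing rule described above can be checked against a list of destinations an app is expected to reach. The following is an added example, not part of the original article or of any Microsoft tooling; it assumes the environment variables were copied as "NAME = value" lines, treats only the exact value 1 as enabled, and uses constructed sample data.

```python
import ipaddress

# RFC 1918 private IPv4 ranges. ipaddress.is_private is not used because it
# also matches ranges outside RFC 1918 (loopback, link-local, TEST-NET, ...).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_env_lines(text):
    """Parse 'NAME = value' lines (assumed copy format) into a dict."""
    settings = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip():
            settings[name.strip()] = value.strip()
    return settings

def route_all_enabled(settings):
    """Assumption of this example: only the exact value 1 counts as enabled."""
    return settings.get("WEBSITE_VNET_ROUTE_ALL", "") == "1"

def egress_path(destination, settings):
    """Return 'vnet' or 'direct' for one destination IP address."""
    addr = ipaddress.ip_address(destination)
    if route_all_enabled(settings) or any(addr in net for net in RFC1918):
        return "vnet"
    return "direct"

def bypassing_destinations(destinations, settings):
    """Destinations whose traffic would not pass through the VNET."""
    return [d for d in destinations if egress_path(d, settings) == "direct"]

# Constructed sample data, not taken from a real app.
ENV_ROUTE_ALL = "WEBSITE_SITE_NAME = example-app\nWEBSITE_VNET_ROUTE_ALL = 1\n"
ENV_DEFAULT = "WEBSITE_SITE_NAME = example-app\n"
DESTINATIONS = ["10.1.2.4", "172.31.255.1", "172.32.0.10",
                "192.0.2.10", "203.0.113.7"]

if __name__ == "__main__":
    for label, env in (("route all", ENV_ROUTE_ALL), ("default", ENV_DEFAULT)):
        settings = parse_env_lines(env)
        print(label, "->", bypassing_destinations(DESTINATIONS, settings))
```

Any destination reported as bypassing the VNET is not subject to the network controls placed on the integration subnet, which is the practical reason to verify this setting.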

Sources

https://learn.microsoft.com/en-us/azure/app-service/overview-vnet-integration

https://learn.microsoft.com/en-us/training/modules/design-implement-private-access-to-azure-services/7-integrate-your-app-service-azure-virtual-networks

https://learn.microsoft.com/en-us/azure/app-service/configure-vnet-integration-routing

https://learn.microsoft.com/en-us/azure/app-service/configure-vnet-integration-enable
