
For some reason, your Azure Web App may need to connect to a private, secured resource on Azure. That is where a VNET, which is created for security purposes, comes in. You can deploy VMs and several other types of Azure resources to a virtual network, such as Azure App Service Environments, the Azure Kubernetes Service (AKS), and Azure Virtual Machine Scale Sets.
In this article, we're going to learn how to connect an Azure Web App to an Azure Virtual Network (VNET) by using VNET integration.
Prerequisites
To manage Azure networking resources, you need an Azure account or Service Principal with the Network Contributor and Contributor roles on the working subscription, and:
- Azure CLI installed on your working machine. See How to install Azure CLI on Ubuntu 22.04
- Two VNETs, created by following this article: How to create an Azure Virtual Network?
After following the above article to create the VNETs, you need to remove the peering that was created in both VNETs; we're going to re-create it in the next steps. Let's remove it first:
```bash
# make sure you're connected to Azure

# remove peering in cli-vnet-1
az network vnet peering delete --vnet-name cli-vnet-1 --resource-group cli-vnet-1 --name peering-to-cli-vnet-2

# remove peering in cli-vnet-2
az network vnet peering delete --vnet-name cli-vnet-2 --resource-group cli-vnet-2 --name peering-to-cli-vnet-1
```
Now that there is no peering between the 2 Virtual Networks, we're going to create Azure Web Apps and connect them to different VNETs.
Connect an Azure Web App to VNET
1. Create Azure Web App
In the previous article, we learnt how to run a Node.JS application in Azure Web App. Let's create another one based on what we did:
For WebApp1 (frontend)
```bash
WebApp1RG="simple-express-1"
WebApp1Name="simple-express-1"
WebApp1PlanName="simple-express-1-plan"

# create resource group for webapp1
az group create -n $WebApp1RG --location northeurope

# create app service plan for webapp1
az appservice plan create -n $WebApp1PlanName -g $WebApp1RG --is-linux

# create the webapp, which runs our hidetran/simple-express docker image
az webapp create -n $WebApp1Name --plan $WebApp1PlanName -g $WebApp1RG -i hidetran/simple-express:latest

# update WebApp 1 setting
az webapp config appsettings set -g $WebApp1RG -n $WebApp1Name --settings ENV_NAME=frontend
az webapp restart -n $WebApp1Name -g $WebApp1RG
```
For WebApp2 (backend)
```bash
WebApp2RG="simple-express-2"
WebApp2Name="simple-express-2"
WebApp2PlanName="simple-express-2-plan"

# create resource group, app service plan and webapp for webapp2
az group create -n $WebApp2RG --location westeurope
az appservice plan create -n $WebApp2PlanName -g $WebApp2RG --is-linux
az webapp create -n $WebApp2Name --plan $WebApp2PlanName -g $WebApp2RG -i hidetran/simple-express:latest

# update WebApp 2 setting
az webapp config appsettings set -g $WebApp2RG -n $WebApp2Name --settings ENV_NAME=backend
az webapp restart -n $WebApp2Name -g $WebApp2RG
```
Now browse your `simple-express-1` and `simple-express-2` in your browser, and you'll see:


2. Connect Azure Web App to VNET with VNET Integration
Assume that our backend app service needs to be reached securely over a VNET; we put it behind the VNET by using VNET integration. We will connect `simple-express-1` to `cli-vnet-1` and `simple-express-2` to `cli-vnet-2`. VNET integration only gives the app outbound access into the virtual network; inbound traffic to the app is restricted separately, in step 3. Let's run:
```bash
# add simple-express-1 to VNET cli-vnet-1
# get subnet_1 id in vnet cli-vnet-1
subnet1Id=$(az network vnet subnet show -n subnet_1 -g cli-vnet-1 --vnet-name cli-vnet-1 --query id -o tsv)
az webapp vnet-integration add -n simple-express-1 -g simple-express-1 --subnet $subnet1Id --vnet cli-vnet-1

# add simple-express-2 to VNET cli-vnet-2
# get subnet_3 id in vnet cli-vnet-2
subnet3Id=$(az network vnet subnet show -n subnet_3 -g cli-vnet-2 --vnet-name cli-vnet-2 --query id -o tsv)
az webapp vnet-integration add -n simple-express-2 -g simple-express-2 --subnet $subnet3Id --vnet cli-vnet-2
```
Now when you browse `simple-express-1` and `simple-express-2`, you see that your app services have connected to the VNET and been allocated a private IP.


3. Configure Access Restriction for Web App
We're going to add an Access Restriction to the `simple-express-2` Web App to block all incoming traffic except traffic coming through the VNET. Let's run:
```bash
# get subnet_1 resource id
subnet1Id=$(az network vnet subnet show --name subnet_1 --vnet-name cli-vnet-1 -g cli-vnet-1 --query id -o tsv)

# add network restriction rule
az webapp config access-restriction add -g $WebApp2RG -n $WebApp2Name --rule-name allow_frontend --action Allow --priority 101 --subnet $subnet1Id
```
Now when you browse your `simple-express-2` in the browser, you may receive a `403 Forbidden` HTTP code. It means your `simple-express-2` is now secured.
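
The 403 check above can be scripted and run from a machine outside the allowed subnet. The script below is an added example, not part of the original article; it also probes the scm (Kudu) site, whose access restrictions are configured separately from the main site's. It assumes the default `<app>.azurewebsites.net` and `<app>.scm.azurewebsites.net` hostnames, and the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the article). Run it from a machine OUTSIDE the
# allowed subnet, e.g.:  sh check_backend.sh simple-express-2
# Assumption: the app uses the default <app>.azurewebsites.net hostnames.

# Print the HTTP status code for a URL; curl prints 000 when it gets no reply.
http_status() {
  curl -s -o /dev/null --max-time 10 -w '%{http_code}' "$1" || true
}

# Map a status code to a verdict. Only 403 shows the request was refused;
# 000 (DNS failure, timeout) proves nothing about the rule.
classify() {
  case "$1" in
    403) echo "blocked" ;;
    000) echo "unreachable" ;;
    *)   echo "reachable" ;;
  esac
}

# Probe the main site and the scm (Kudu) site.
# Returns 0 only when both answer 403.
check_backend_locked() {
  app="$1"
  rc=0
  for host in "$app.azurewebsites.net" "$app.scm.azurewebsites.net"; do
    verdict=$(classify "$(http_status "https://$host/")")
    echo "$host: $verdict"
    [ "$verdict" = "blocked" ] || rc=1
  done
  return "$rc"
}

# Run the check only when an app name is given on the command line.
if [ -n "${1:-}" ]; then
  check_backend_locked "$1"
fi
```

If the scm line reports `reachable`, add the same rule again with `--scm-site true`, or run `az webapp config access-restriction set` with `--use-same-restrictions-for-scm-site true`.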

On `simple-express`, we have published an endpoint which helps us make an HTTP GET request; we will use it to verify the connection between `simple-express-1` and `simple-express-2`.

The above screenshots show that we cannot make an HTTP request to `simple-express-2` because it is connected to the VNET and has an Access Restriction rule in place.
Let's make another request from `simple-express-1`, which is connected to the allowed subnet.
