Cloud Infrastructure Community's Space

Connect Azure Web App to Azure VNET

In some reason, your Azure Web App need to connect to a private, secured resource on Azure. Then you’ll think about VNET which will be created for security purpose. You can deploy VMs, and several other types of Azure resources to a virtual network, such as Azure App Service Environments, the Azure Kubernetes Service (AKS), and Azure Virtual Machine Scale Sets.

In this article, we’re going to learn How to connect an Azure Web App to Azure Virtual Network (VNET) by using VNET integration.


To have permission on Azure Network feature, you must have an Azure account/Service Principal with Network Contributor role and Contributor role on the working subscription and:

After followed above article to create VNET, you need to remove current peering which was created in both VNETs, we’re going to re-create them in next steps. Let’s remove them first:

# make sure you're connected to the Azure

# remove peering in cli-vnet-1
az network vnet peering delete --vnet-name cli-vnet-1 --resource-group cli-vnet-1 --name peering-to-cli-vnet-2

# remove peering in vli-vnet-2
az network vnet peering delete --vnet-name cli-vnet-2 --resource-group cli-vnet-2 --name peering-to-cli-vnet-1

Now, there’s no peering between 2 Virtual Networks, we’re going to create Azure Web Apps and connect to different VNET.

Connect an Azure Web App to VNET

1. Create Azure Web App

As previous article, we have learnt how to run a Node.JS application in Azure Web App, let’s create another one based what we did:

For WebApp1(frontend)


# create resource group for webapp1
az group create -n $WebApp1RG --location northeurope

# create app service plan for webapp1
az appservice plan create -n $WebApp1PlanName -g $WebApp1RG --is-linux

# create webapp which running our hidetran/simple-express docker image
az webapp create -n $WebApp1Name --plan $WebApp1PlanName -g $WebApp1RG -i hidetran/simple-express:latest

# update WebApp 1 setting
az webapp config appsettings set -g $WebApp1RG -n $WebApp1Name --settings ENV_NAME=frontend

az webapp restart -n $WebApp1Name -g $WebApp1RG

For WebApp2(backend)


az group create -n $WebApp2RG --location westeurope

az appservice plan create -n $WebApp2PlanName -g $WebApp2RG --is-linux

az webapp create --n $WebApp2Name --plan $WebApp2PlanName -g $WebApp2RG -i hidetran/simple-express:latest

az webapp config appsettings set -g $WebApp2RG -n $WebApp2Name --settings ENV_NAME=backend

az webapp restart -n $WebApp2Name -g $WebApp2RG

Now browse your simple-express-1 and simple-express-2 on your browser, you’ll see:

WepApp2 as Backend service
WebApp1 as Frontend service

2. Connect Azure Web App to VNET with VNET Integration

Asume that our backend app service need to be secured connect via VNET, we need to put it behind VNET by using VNET integration. We will connect simple-express-1 to cli-vnet-1 and simple-express-2 to cli-vnet-2. Let’s run

# add simple-express-1 to VNET cli-vnet-1

# get subnet_1 id in vnet cli-vnet-1
subnet1Id=$(az network vnet subnet show -n subnet_1 -g cli-vnet-1 --vnet-name cli-vnet-1 --query id -o tsv)

az webapp vnet-integration add -n simple-express-1 -g simple-express-1 --subnet $subnet1Id --vnet cli-vnet-1

# get subnet_3 id in vnet cli-vnet-2
subnet3Id=$(az network vnet subnet show -n subnet_3 -g cli-vnet-2 --vnet-name cli-vnet-2 --query id -o tsv)

az webapp vnet-integration add -n simple-express-2 -g simple-express-2 --subnet $subnet3Id --vnet cli-vnet-2

Now when browse simple-express-1 and simple-express-2 you see your app services has connected to the VNET and allocated with a private IP.


3. Configure Access Restriction for Web App

We’re going to add an Access Restriction for simple-express-2 Web App to block all incoming traffic except for traffics though VNET. Let’s run

# get subnet_1 resource id
subnet1Id=$(az network vnet subnet show --name subnet_1 --vnet-name cli-vnet-1 -g cli-vnet-1 --query id -o tsv)

# Add network Restriction Rule
az webapp config access-restriction add -g $WebApp2RG -n $WebApp2Name --rule-name allow_frontend --action Allow --priority 101 --subnet $subnet1Id

Now when you browse your simple-express-2 on the browser, you may received 403 Forbidden HTTP code. It means your simple-express-2 is now secured.

On simple-express, we have published an endppoint which help us make a HTTP GET request, we will use it to verify connection between simple-express-1 and simple-express-2

Above screenshots saying that we cannot make a HTTP request to the simple-express-2 because it connected to the VNET and have an Access Restriction rule in placed.

Let’s make another request from simple-express-1 which is connected to Allowed subnet.

Wow, it works!

Leave a Reply

Your email address will not be published. Required fields are marked *

Press ESC to close