Last Update: Sep 04, 2024 | Published: Mar 04, 2018
In this post, I will explain how app services, or web apps, can be connected to external users or services.
The purpose of an app service is to allow someone or something to connect to it, or for it to connect to something, and do some service. Internal users or external clients need to connect to a line-of-business (LOB) application interface. Partners or suppliers need to connect to an application via an API. Or an application might need to integrate with some external service, such as a database.
Azure App services allow you to have external connectivity. Of course, an app service can be accessed across the Internet. We take that for granted. But what if you don’t want to share your service for all to see? What if IP filtering or x.509 security is not enough? There are some alternatives that you can use in your architecture.
A Standard, Premium, or Isolate app service plan offers the ability for an app service to connect with a virtual network via a point-to-site VPN. The virtual network must have a VPN gateway that is Basic/Dynamic, VpnGw1 or a higher size, and configure for point-to-site connectivity.
Once an app service is connected to a virtual network, you can:
The point-to-site VPN connection inherits the SLA of the gateway in question. There are some limitations:
TCP and UDP connections should work fine but some things that you might want to do will not work over the point-to-site connection:
This is a feature that I really like and in conversations that I’ve had, it seems to be an approach that few are aware of. However, it has been available for years in the Basic, Standard, and Premium plans.
If you read the official documentation, you’ll see all sorts of phrases such as BizTalk, service bus and relays that will make this sound very complicated. I’ll boil this solution down to some simple points:
The obvious example here is that an app service can integrate with a database that cannot be hosted in Azure. The beauty of this approach is that it is light-touch. You do not need to create inbound firewall rules, VPN tunnels, or ExpressRoute connections. A small relay agent makes an outbound connection and that’s pretty much it!
You cannot use hybrid connections to:
The ASE is a solution where you deploy one or more single-tenant Isolated tier app services plans in an environment that is connected to a virtual network. This means that every instance in the app service plan is already in the virtual network, and can communicate directly with Azure virtual machines in the same network without needing any VPN or hybrid connections.
An internal ASE, deployed using an internal load balancer presents your Isolated tier app services to users/systems via a single private IP address. You can route to that private IP address in a number of ways:
That last option is more scalable than the VNet Integration option that I mentioned earlier in this article. The app service plan is already in the virtual network, so one a virtual network has a connection to elsewhere, the app service plan inherits that connection. For example:
With all these options, what should you do? I think there will be lots of variables to consider, but here are some thoughts:
Related Article: