
close
close
In this post, I will explain how app services, or web apps, can be connected to external users or services.
The purpose of an app service is to allow someone or something to connect to it, or for it to connect to something, and do some service. Internal users or external clients need to connect to a line-of-business (LOB) application interface. Partners or suppliers need to connect to an application via an API. Or an application might need to integrate with some external service, such as a database.
Azure App services allow you to have external connectivity. Of course, an app service can be accessed across the Internet. We take that for granted. But what if you don’t want to share your service for all to see? What if IP filtering or x.509 security is not enough? There are some alternatives that you can use in your architecture.
advertisment
A Standard, Premium, or Isolate app service plan offers the ability for an app service to connect with a virtual network via a point-to-site VPN. The virtual network must have a VPN gateway that is Basic/Dynamic, VpnGw1 or a higher size, and configure for point-to-site connectivity.
Azure App Service VNet Integration [Image Credit: Microsoft]
The point-to-site VPN connection inherits the SLA of the gateway in question. There are some limitations:
advertisment
TCP and UDP connections should work fine but some things that you might want to do will not work over the point-to-site connection:
This is a feature that I really like and in conversations that I’ve had, it seems to be an approach that few are aware of. However, it has been available for years in the Basic, Standard, and Premium plans.
Azure App Service Hybrid Connection [Image Credit: Microsoft]
advertisment
The obvious example here is that an app service can integrate with a database that cannot be hosted in Azure. The beauty of this approach is that it is light-touch. You do not need to create inbound firewall rules, VPN tunnels, or ExpressRoute connections. A small relay agent makes an outbound connection and that’s pretty much it!
You cannot use hybrid connections to:
The ASE is a solution where you deploy one or more single-tenant Isolated tier app services plans in an environment that is connected to a virtual network. This means that every instance in the app service plan is already in the virtual network, and can communicate directly with Azure virtual machines in the same network without needing any VPN or hybrid connections.
An internal ASE, deployed using an internal load balancer presents your Isolated tier app services to users/systems via a single private IP address. You can route to that private IP address in a number of ways:
An Azure Service Environment Connects to a Virtual Network [Image Credit: Microsoft]
With all these options, what should you do? I think there will be lots of variables to consider, but here are some thoughts:
Related Article:
More in Microsoft Azure
Build 2022: Microsoft's Intelligent Data Platform Combines Data and Analytics
May 25, 2022 | Rabia Noureen
Microsoft Revises Restrictive Cloud Licensing Policies to Avoid EU Antitrust Probe
May 19, 2022 | Rabia Noureen
Microsoft's Azure AD Conditional Access Service Can Now Require Reauthentication
May 13, 2022 | Rabia Noureen
Microsoft Addresses Cross-Tenant Database Vulnerability in Azure PostgreSQL
Apr 29, 2022 | Rabia Noureen
Microsoft Simplifies IT Monitoring with New Azure Managed Grafana Service
Apr 19, 2022 | Rabia Noureen
Most popular on petri