Azure App Service and Virtual Network Integration Options 

My pleasure, thanks for watching.

Great to hear!

You are very welcome

Glad to help

Great to hear! Thanks!

Glad you enjoyed it!

My pleasure.

Hehe, thanks

My pleasure.

Glad you like it. I have courses on Pluralsight but my RU-vid channel is more about me just sharing knowledge and I don't want to make money from it. It's why you don't see video or banner adverts on my videos. This is me giving back to an awesome community.

Very welcome

Glad you liked it

My pleasure!

Glad to help

My pleasure.

My pleasure

I have videos on azure dns as well which may fill in some gaps about what that does.

Haha yes, it’s my only form of exercise :)

Good luck! 🍀

@@NTFAQGuy with this SUPERCOOL :) tutorial I must pass, owe you big time for this presentation, thanks a lot ;) and take care of your knees on next IRONMAN hahaha /:)

Lol, thanks :)

Welcome

Welcome

My pleasure!

Glad it was helpful!

Glad you think so!

Thank you! Cheers!

Things have changed since I recorded. Check the docs re peering capabilities today. I may update at some point.

@@NTFAQGuy Ok. I see that resources in peered VNETs are accessible now... thks

At this point there is no deployment support for private endpoints but I think its in the works.

you could use app service. yes regional vnet integration to get via expressroute then could use app gateway with service endpoints/private endpoints for the webapp.

Glad you like the video. Assuming you have all the use remote gateway etc. configured on the peer.

@@NTFAQGuy I do have that enabled. In this video you mention that crossing VNET peers with function/app services won't work. Is that still accurate today?

azure web app already has a load balancer, the front end is native to the service that balances to the back end instances. Now you can add something like app gateway if want additional layer 7 functionality.

Thanks yes there were updates. I thought I mentioned in another comment.

that would work yes or use app gateway for example

If you use service endpoint to a vnet it’s still locked down and takes optimized route but to completely remove use of public ip can use private endpoint.

outgoing ips from the app service would be the IPs it creates in the subnet its integrates with. if its P2S its the IP its given as part of the VPN.

you can't have more than one gateway in a vnet.

Nice!

And if you use a NAT Gateway, Integrate it to a VNet and associate that VNet with an App Service Plan.

@@KelvinGalabuzi NAT Gateway is not an option for ASEv1 or ASEv2 as it is based on the older Cloud Services Tech Stack vs Azure App Services, even though it is called App Service Environment ( Only you Microsoft :D ). Because of this underlying technology, it is also limited to the older Basic SKU ALB, and scaling it is super slow compared to App Services (though part of that is also the dedicated nature of this deployment). What I've not tried is if you can use NAT Gateway with App Services? Have you successfully done that? ASEv1 and ASEv2 are also the only technology stacks for PaaS that Azure lists for PCI Compliance (specifically the ILB ASE) in their blueprints. I'm not sure if we could get normal App Services validated for PCI being a "shared" architecture. But if the NAT Gateway works with AppServices for Outbound IPs, then I'd be interested in mocking something up and seeing if I can't get it blessed by MSFT and our Auditors.

Don’t know what I said at 4:25 but if it’s public ip then azure fabric basically NATs for private ip space of vnet. Does not have to be rfc1918

absolutely vnets are commonly 1918. workers are nodes that host the workloads like workers in AKS or nodes in app service plan

@@NTFAQGuy Thanks John. Watching this for the 3rd time in the last hour and taking notes.

Welcome

Don’t think so if recall correctly. You would need gateway integrated but check the docs to be 100%

don't know of another option I'm afraid.

@@NTFAQGuy thank you for prompt reply. Loving your Master Class series.

I think there may be confusion about what you can do with static content hosting in storage account. There is no engine to run code to talk to another layer.

@@NTFAQGuy ..yea I lost it apologies... got it sorted

I’m going to do a detailed front door video in the future. It integrates simply into app services. I can’t provide 1:1 solutions though I’m afraid. Community is your best bet.

postgresql has private endpoints so could have PE in a vnet and the app service could be regional vnet integrated to use that PE.

@@NTFAQGuy ah ok, thanks. I'll need to look into that then

Multiple apps can be in one plan

@@NTFAQGuy Thanks John. You mentioned private link is only for outbound with ASP, i assume its same for ASE. Is private link statefull atleast with ASP/ASE so you can get reply on request? Or must these other options be used for the reply as well.. thanks

I have other videos on vnet integration with PaaS and asev3 specifically

Yes :-)

for connecting assets on prem there is out of box Hybrid Connection which uses Azure Relay, is that better to use instead if Regional Vnet ? Any thoughts.. thanks

@@sid0000009 to on-prem the relay is a good fit. the focus here was around app service and vnets

Great video btw! I worked with this the last couple of weeks, but I missed the peering part. So my design is flawed now. (sits in corner crying)

if its in same region the peering should work, its global that does not work today.

@@NTFAQGuy Ah thanks!

thats a very specific combination so not going to do a video on that but there is nothing special there. i have a video on deep dive container networking and from there its just IP routing. you say cosmos db IN a vnet and there is no such thing. assume you mean a private endpoint. again just DNS resolution of the privatelink name and Ip route.

private endpoint is the IP address in vnet enabled via private link.

@@NTFAQGuy Awesome Teach! That is what I thought but wanted to verify...I just tried this in the lab with an Azure ASP with Functions with the Service VNET Integration and Privatelinks...it works well! Looking to hook in more services using this model. Right now my flow is simple, but it's a great start. Appreciate the great explanation!!!

there is a playlist of the setup

Yes there are a lot of concepts and considerations which is also the case on premises when you think about it.

@@NTFAQGuy Is it possible to restrict the inbound and outbound rules for the web app by placing the app inside a subnet and restricting the public access using nsg rules?? I was unable to block the ports using the nsg rules. But I want to make my api app and sql db private. How shall I proceed???