> Private Endpoint is available for Windows and Linux Web App, containerized or not, hosted on these App Service Plans : **Basic**, **Standard**, **PremiumV2**, **PremiumV3**, **IsolatedV2**, **Functions Premium** (sometimes referred to as the Elastic Premium plan).
19
19
20
-
You can use Private Endpoint for your Azure Web App to allow clients located in your private network to securely access the app over Private Link. The Private Endpoint uses an IP address from your Azure VNet address space. Network traffic between a client on your private network and the Web App traverses over the VNet and a Private Link on the Microsoft backbone network, eliminating exposure from the public Internet.
20
+
You can use Private Endpoint for your Azure Web App to allow clients located in your private network to securely access the app over Private Link. The Private Endpoint uses an IP address from your Azure virtual network address space. Network traffic between a client on your private network and the Web App traverses over the virtual network and a Private Link on the Microsoft backbone network, eliminating exposure from the public Internet.
21
21
22
22
Using Private Endpoint for your Web App enables you to:
23
23
24
24
- Secure your Web App by configuring the Private Endpoint, eliminating public exposure.
25
-
- Securely connect to Web App from on-premises networks that connect to the VNet using a VPN or ExpressRoute private peering.
26
-
- Avoid any data exfiltration from your VNet.
25
+
- Securely connect to Web App from on-premises networks that connect to the virtual network using a VPN or ExpressRoute private peering.
26
+
- Avoid any data exfiltration from your virtual network.
27
27
28
-
If you just need a secure connection between your VNet and your Web App, a Service Endpoint is the simplest solution.
29
-
If you also need to reach the web app from on-premises through an Azure Gateway, a regionally peered VNet, or a globally peered VNet, Private Endpoint is the solution.
28
+
If you just need a secure connection between your virtual network and your Web App, a Service Endpoint is the simplest solution.
29
+
If you also need to reach the web app from on-premises through an Azure Gateway, a regionally peered virtual network, or a globally peered virtual network, Private Endpoint is the solution.
30
30
31
31
For more information, see [Service Endpoints][serviceendpoint].
32
32
33
33
## Conceptual overview
34
34
35
-
A Private Endpoint is a special network interface (NIC) for your Azure Web App in a Subnet in your Virtual Network (VNet).
36
-
When you create a Private Endpoint for your Web App, it provides secure connectivity between clients on your private network and your Web App. The Private Endpoint is assigned an IP Address from the IP address range of your VNet.
37
-
The connection between the Private Endpoint and the Web App uses a secure [Private Link][privatelink]. Private Endpoint is only used for incoming flows to your Web App. Outgoing flows won't use this Private Endpoint. You can inject outgoing flows to your network in a different subnet through the [VNet integration feature][vnetintegrationfeature].
35
+
A Private Endpoint is a special network interface (NIC) for your Azure Web App in a Subnet in your virtual network.
36
+
When you create a Private Endpoint for your Web App, it provides secure connectivity between clients on your private network and your Web App. The Private Endpoint is assigned an IP Address from the IP address range of your virtual network.
37
+
The connection between the Private Endpoint and the Web App uses a secure [Private Link][privatelink]. Private Endpoint is only used for incoming flows to your Web App. Outgoing flows won't use this Private Endpoint. You can inject outgoing flows to your network in a different subnet through the [virtual network integration feature][vnetintegrationfeature].
38
38
39
39
Each slot of an app is configured separately. You can plug up to 100 Private Endpoints per slot. You can't share a Private Endpoint between slots.
40
40
41
41
The Subnet where you plug the Private Endpoint can have other resources in it, you don't need a dedicated empty Subnet.
42
42
You can also deploy the Private Endpoint in a different region than the Web App.
43
43
44
44
> [!Note]
45
-
>The VNet integration feature cannot use the same subnet as Private Endpoint, this is a limitation of the VNet integration feature.
45
+
>The virtual network integration feature cannot use the same subnet as Private Endpoint, this is a limitation of the virtual network integration feature.
46
46
47
47
From a security perspective:
48
48
49
49
- By default, when you enable Private Endpoints to your Web App, you disable all public access.
50
-
- You can enable multiple Private Endpoints in others VNets and Subnets, including VNets in other regions.
51
-
- The IP address of the Private Endpoint NIC must be dynamic, but will remain the same until you delete the Private Endpoint.
52
-
- The Subnet that hosts the Private Endpoint can have an NSG associated, but you must disable the network policies enforcement for the Private Endpoint: see [Disable network policies for private endpoints][disablesecuritype]. As a result, you can't filter by any NSG the access to your Private Endpoint.
53
-
- By default, when you enable Private Endpoint to your Web App, the [access restrictions][accessrestrictions] configuration of the Web App isn't evaluated.
54
-
- You can eliminate the data exfiltration risk from the VNet by removing all NSG rules where destination is tag Internet or Azure services. When you deploy a Private Endpoint for a Web App, you can only reach this specific Web App through the Private Endpoint. If you have another Web App, you must deploy another dedicated Private Endpoint for this other Web App.
50
+
- You can enable multiple Private Endpoints in others virtual networks and Subnets, including virtual network in other regions.
51
+
- The access restrictions configuration of a Web App isn't evaluated for traffic through the Private Endpoint.
52
+
- You can eliminate the data exfiltration risk from the virtual network by removing all NSG rules where destination is tag Internet or Azure services. When you deploy a Private Endpoint for a Web App, you can only reach this specific Web App through the Private Endpoint. If you have another Web App, you must deploy another dedicated Private Endpoint for this other Web App.
55
53
56
54
In the Web HTTP logs of your Web App, you'll find the client source IP. This feature is implemented using the TCP Proxy protocol, forwarding the client IP property up to the Web App. For more information, see [Getting connection Information using TCP Proxy v2][tcpproxy].
57
55
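Review bot: the new bullet `- You can enable multiple Private Endpoints in others virtual networks and Subnets, including virtual network in other regions.` has two grammar slips that this rewrite was the place to fix: "others virtual networks" should be "other virtual networks" and "including virtual network in other regions" should be "including virtual networks in other regions". Separately, this hunk deletes two security-relevant bullets (the Private Endpoint NIC IP being dynamic but stable until the endpoint is deleted, and the NSG network-policy limitation that means access to the Private Endpoint cannot be filtered by an NSG) with no replacement; if that NSG behaviour has changed, state the new behaviour explicitly rather than silently dropping the caveat, and if it has not, keep the original bullet. The reworded access-restrictions bullet also drops the `[accessrestrictions]` link reference, so confirm that reference definition is still used elsewhere in the file or remove it to avoid a dangling definition.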
@@ -119,7 +117,7 @@ az appservice ase update --name myasename --allow-new-private-endpoint-connectio
119
117
120
118
## Specific requirements
121
119
122
-
If the Virtual Network is in a different subscription than the app, you must ensure that the subscription with the Virtual Network is registered for the Microsoft.Web resource provider. You can explicitly register the provider [by following this documentation][registerprovider], but it will also automatically be registered when creating the first web app in a subscription.
120
+
If the virtual network is in a different subscription than the app, you must ensure that the subscription with the virtual network is registered for the Microsoft.Web resource provider. You can explicitly register the provider [by following this documentation][registerprovider], but it will also automatically be registered when creating the first web app in a subscription.