
Commit 38d90dc

Merge pull request #116373 from Ericgre/patch-1
update data exfiltration
2 parents cac381e + b71b715 commit 38d90dc

File tree

1 file changed

+5
-3
lines changed


articles/app-service/networking/private-endpoint.md

Lines changed: 5 additions & 3 deletions
@@ -4,7 +4,7 @@ description: Connect privately to a Web App using Azure Private Endpoint
44
author: ericgre
55
ms.assetid: 2dceac28-1ba6-4904-a15d-9e91d5ee162c
66
ms.topic: article
7-
ms.date: 05/12/2020
7+
ms.date: 05/25/2020
88
ms.author: ericg
99
ms.service: app-service
1010
ms.workload: web
@@ -15,6 +15,7 @@ ms.custom: fasttrack-edit
1515
# Using Private Endpoints for Azure Web App (Preview)
1616

1717
> [!Note]
18+
> With the preview refresh, we released the data exfiltration protection feature.
1819
> The preview is available in East US and West US 2 regions for all PremiumV2 Windows and Linux Web Apps and Elastic Premium Functions.
1920
2021
You can use Private Endpoint for your Azure Web App to allow clients located in your private network to securely access the app over Private Link. The Private Endpoint uses an IP address from your Azure VNet address space. Network traffic between a client on your private network and the Web App traverses over the VNet and a Private Link on the Microsoft backbone network, eliminating exposure from the public Internet.
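Review bot: The new note line announces "the data exfiltration protection feature" without saying what it changes or linking to where it is described; a reader of the callout cannot tell what protection was added. Suggest either naming the behaviour in the same sentence (the stamp isolation described later under "From a security perspective", where a Private Endpoint now reaches only its own Web App) or adding a cross-reference to that section, and consider rephrasing "we released" in the docs' usual impersonal voice, e.g. "> The preview refresh adds data exfiltration protection: a Private Endpoint reaches only the Web App it was created for."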
@@ -23,6 +24,7 @@ Using Private Endpoint for your Web App enables you to:
2324

2425
- Secure your Web App by configuring the Private Endpoint, eliminating public exposure.
2526
- Securely connect to Web App from on-premises networks that connect to the VNet using a VPN or ExpressRoute private peering.
27+
- Avoid any data exfiltration from your VNet.
2628

2729
If you just need a secure connection between your VNet and your Web App, a Service Endpoint is the simplest solution. If you also need to reach the web app from on-premises through an Azure gateway, a regionally peered VNet, or a globally peered VNet, Private Endpoint is the solution.
2830

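Review bot: "Avoid any data exfiltration from your VNet" is an absolute claim that the rest of this file does not support; the security section in the same patch states the risk is only closed after you remove all NSG rules whose destination is the Internet or Azure services tags. A Private Endpoint on its own does not do that. Suggest qualifying the bullet so it matches that section, e.g. "- Reduce the data exfiltration risk from your VNet, when combined with NSG rules that block outbound Internet and Azure services destinations."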
@@ -48,7 +50,7 @@ From a security perspective:
4850
- The NIC of the Private Endpoint cannot have an NSG associated.
4951
- The Subnet that hosts the Private Endpoint can have an NSG associated, but you must disable the network policies enforcement for the Private Endpoint: see [Disable network policies for private endpoints][disablesecuritype]. As a result, you cannot filter by any NSG the access to your Private Endpoint.
5052
- When you enable Private Endpoint to your Web App, the [access restrictions][accessrestrictions] configuration of the Web App is not evaluated.
51-
- You can reduce the data exfiltration risk from the VNet by removing all NSG rules where destination is tag Internet or Azure services. But adding a Web App Private Endpoint in your subnet will let you reach any Web App hosted in the same deployment stamp and exposed to the Internet.
53+
- You can eliminate the data exfiltration risk from the VNet by removing all NSG rules where destination is tag Internet or Azure services. When you deploy a Private Endpoint for a Web App, you can only reach this specific Web App through the Private Endpoint. If you have another Web App, you must deploy another dedicated Private Endpoint for this other Web App.
5254

5355
In the Web HTTP logs of your Web App, you will find the client source IP. This is implemented using the TCP Proxy protocol, forwarding the client IP property up to the Web App. For more information, see [Getting connection Information using TCP Proxy v2][tcpproxy].
5456

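Review bot: Changing "reduce" to "eliminate" in the first sentence of the new bullet overstates the guarantee: the sentence itself conditions it on removing every NSG rule with an Internet or Azure services destination, so the outcome depends on NSG configuration being complete and staying that way, not on the Private Endpoint alone. Suggest keeping "reduce" or tying the stronger claim explicitly to the condition ("Once all NSG rules ... are removed, the Private Endpoint no longer provides a path to other Web Apps"). Minor wording in the same line: "where destination is tag Internet or Azure services" reads better as "whose destination is the Internet or Azure services tag", "this specific Web App" as "that specific Web App", and "another dedicated Private Endpoint for this other Web App" as "a dedicated Private Endpoint for that Web App". It would also help to state that this stamp isolation is the protection the new preview-refresh note at the top refers to, so the two additions in this PR read as one change.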
@@ -73,7 +75,7 @@ For pricing details, see [Azure Private Link pricing][pricing].
7375

7476
When you use Azure Function in Elastic Premium Plan with Private Endpoint, to run or execute the function in Azure Web portal, you must have direct network access or you will receive an HTTP 403 error. In other words your browser must be able to reach the Private Endpoint to execute the function from the Azure Web portal.
7577

76-
During the preview only the production slot is exposed behind the Private Endpoint, other slots are reachable by Public Endpoint only.
78+
During the preview, only the production slot is exposed behind the Private Endpoint, other slots must be reach by Public Endpoint.
7779

7880
We are improving Private Link feature and Private Endpoint regularly, check [this article][pllimitations] for up-to-date information about limitations.
7981

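Review bot: The rewritten sentence has a grammar error, "must be reach by Public Endpoint", and it is also a comma splice; the removed wording ("other slots are reachable by Public Endpoint only") was grammatical and said the same thing more precisely. Suggest "During the preview, only the production slot is exposed behind the Private Endpoint; other slots are reachable only through the public endpoint." If the intent of the change was to say that slot traffic cannot use the Private Endpoint at all, keep "only" so the limitation is unambiguous.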