Merge pull request #106608 from Ericgre/master

Web app private link how to article

Author: PMEds28

articles/app-service/networking/media/private-endpoint/schemaglobaloverview.png

@@ -0,0 +1,78 @@
+---
+title: Connect privately to a Web App and secure data exfiltration using Azure Private Endpoint
+description: Connect privately to a Web App and secure data exfiltration using Azure Private Endpoint
+author: ericgre
+ms.assetid: 2dceac28-1ba6-4904-a15d-9e91d5ee162c
+ms.topic: article
+ms.date: 03/12/2020
+ms.author: ericg
+ms.service: app-service
+ms.workload: web
+
+---
+
+# Using Private Endpoints for Azure Web App (Preview)
+
+You can use Private Endpoint for your Azure Web App to allow clients located in your private network to securely access to the app over Private Link. The Private Endpoint uses an IP address from the Azure VNet address space. Network traffic between client on your private network and the Web App traverses over the Vnet and a Private Link on the Microsoft backbone network, eliminating exposure from the public Internet. With Private Endpoint you can disable outgoing network flows from the subnet with NSG and eliminate the data leakage risk.
+
+Using private endpoints for your Web App enables you to:
+
+- Secure your Web App by configuring the Service Endpoint, eliminating public exposure
+- Increase security for the Vnet by enabling you to block data exfiltration from the Vnet
+- Securely connect to Web App from on-premises networks that connect to the Vnet using a VPN or ExpressRoute private peering.
+
+If you just need a secure connection between your Vnet and your Web App, Service Endpoint is the simplest solution. If you need to protect against data exfiltration or route access from on-premises Private Endpoint is the solution.
+
+For more information about [Service Endpoint][serviceendpoint]
+
+## Conceptual overview
+
+A Private Endpoint is a special network interface (nic) for your Azure Web App in your Subnet in your Virtual Network (Vnet).
+When you create a Private Endpoint for your Web App, it provides a secure connectivity between clients on your private network and your Web App. The private Endpoint is assigned an IP Address from the IP address range of your Vnet.
+The connection between the Private Endpoint and the Web App uses a secure [Private Link][privatelink]. Private endpoint is only used for incoming flows to your Web App, outgoing flows will not use this Private Endpoint, but you can inject outgoing flows to your network in a different subnet through the [Vnet integration feature][vnetintegrationfeature].
+
+The Subnet where you plug the Private Endpoint can have other resources in it, you don't need a dedicated empty Subnet.
+> [!Note]
+>The Vnet integration feature cannot use the same subnet than Private Endpoint, this is a limitation of the Vnet integration feature
+
+From the security perspective:
+
+- When you enable Service Endpoint to your Web App, you disable all public access. But you can enable multiple Private Endpoints in others Vnets and Subnets.
+- The NIC of the Private Endpoint cannot have an NSG associated.
+- The Subnet that hosts the Private endpoint can have an NSG associated, but you must disable the network policies enforcement for the Private Endpoint see [this article] [disablesecuritype]. As a result, you cannot filter by any NSG the access to your Private Endpoint.
+- When you enable Private Endpoint to your Web App, the [access restrictions][accessrestrictions] configuration of the Web App is not evaluated.
+
+Private Endpoint for Web App is available for tier Standard, PremiumV2, and Isolated with an external ASE.
+
+In the Web http logs of your web app, you will discover that we are aware of the source IP of the client. We implemented the TCP Proxy protocol, forwarding up to the web app the client IP. For more information, see [this article][tcpproxy].
+
+![Global overview][1]
+
+
+## DNS
+
+As this feature is in preview, we don't change the DNS entry today, you need to manage yourself the DNS entry in your private DNS server or Azure DNS private zone. 
+If you need to use a custom DNS name, you must add the custom name in your web app. During the preview, the custom name must be validated like any custom name, using public DNS resolution. [custom DNS validation technical reference][dnsvalidation]
+
+## Pricing
+
+For pricing details, see [Azure Private Link pricing][pricing].
+
+## Limitations
+
+We are improving Private Link feature and Private Endpoint regularly, check [this article][pllimitations] for up-to-date information about limitations.
+
+
+<!--Image references-->
+[1]: ./media/private-endpoint/schemaglobaloverview.png
+
+<!--Links-->
+[serviceendpoint]: https://docs.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview
+[privatelink]: https://docs.microsoft.com/azure/private-link/private-link-overview
+[vnetintegrationfeature]: https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet
+[disablesecuritype]: https://docs.microsoft.com/azure/private-link/disable-private-endpoint-network-policy
+[accessrestrictions]: https://docs.microsoft.com/azure/app-service/app-service-ip-restrictions
+[tcpproxy]: https://docs.microsoft.com/azure/private-link/rivate-link-service-overview#getting-connection-information-using-tcp-proxy-v2
+[dnsvalidation]: https://docs.microsoft.com/azure/app-service/app-service-web-tutorial-custom-domain
+[pllimitations]: https://docs.microsoft.com/azure/private-link/private-endpoint-overview#limitations
+[pricing]: https://azure.microsoft.com/pricing/details/private-link/

articles/app-service/networking/private-endpoint.md

@@ -87,6 +87,8 @@
       href: networking-features.md
     - name: Application Gateway with service endpoints
       href: networking/app-gateway-with-service-endpoints.md
+    - name: Private endpoints
+      href: networking/private-endpoint.md
   - name: Inbound and outbound IPs
     href: overview-inbound-outbound-ips.md
   - name: Virtual Network Integration

articles/app-service/toc.yml

@@ -0,0 +1,205 @@
+---
+title: Connect privately to a Web App using Azure Private Endpoint
+description: Connect privately to a Web App using Azure Private Endpoint
+author: ericgre
+ms.assetid: b8c5c7f8-5e90-440e-bc50-38c990ca9f14
+ms.topic: article
+ms.date: 03/12/2020
+ms.author: ericg
+ms.service: app-service
+ms.workload: web
+
+---
+
+# Connect privately to a Web App using Azure Private Endpoint (Preview)
+
+Azure Private Endpoint is the fundamental building block for Private Link in Azure. It allows you to connect privately to your Web App.
+In this Quickstart, you will learn how deploy a Web App with Private Endpoint and connect to this Web App from a Virtual Machine.
+
+## Sign in to Azure
+
+Sign in to the Azure portal at https://portal.azure.com.
+
+## Virtual network and Virtual Machine
+
+In this section, you will create virtual network and the subnet to host the VM that is used to access your Web App through the Private Endpoint.
+
+### Create the virtual network
+
+In this section, you'll create a virtual network and subnet.
+
+1. On the upper-left side of the screen, select **Create a resource** > **Networking** > **Virtual network** or search for **Virtual network** in the search box.
+
+1. In **Create virtual network**, enter or select this information in the Basics tab:
+
+ ![Create Virtual Network][1]
+
+1. Click **"Next: IP Addresses >"** and enter or select this information:
+
+![Configure IP Addresses][2]
+
+1. In the subnet section, click **"+ Add Subnet"** and enter the following information and click **"Add"**
+
+![Add Subnet][3]
+
+1. Click **"Review + create"**
+
+1. After the validation passed, click **"Create"**
+
+### Create virtual machine
+
+1. On the upper-left side of the screen in the Azure portal, select **Create a resource** > **Compute** > **Virtual machine**
+
+1. In Create a virtual machine - Basics, enter or select this information:
+
+![Virtual Machine basic ][4]
+
+1. Select **"Next: Disks"**
+
+Keep default settings.
+
+1. Select **"Next: Networking"**, select this information:
+
+![Networking ][5]
+
+1. Click **"Review + Create"**
+
+1. When the validation passed message, click **"Create"**
+
+## Create your Web App and Private Endpoint
+
+In this section, you will create a private Web App using a Private Endpoint to it.
+
+### Web App
+
+1. On the upper-left side of the screen in the Azure portal, select **Create a resource** > **Web** > **Web App**
+
+1. In Create Web App - Basics, enter or select this information:
+
+![Web App basic ][6]
+
+1. Select **"Review + create"**
+
+1. When the validation passed message, click **"Create"**
+
+### Create the Private endpoint
+
+1. In the Web App properties, select **Settings** > **Networking** and click on **"Configure your private endpoint connections"**
+
+![Web App networking][7]
+
+1. In the wizard, click **"+ add"**
+
+![Web App Private Endpoint][8]
+
+1. Fill the subscription, Vnet, and Subnet information and click **"OK"**
+
+![Web App Networking][9]
+
+1. Review the creation of the private endpoint
+
+![Review][10]
+![Final view of the Private endpoint][11]
+
+## Connect to a VM from the internet
+
+1. In the portal's search bar, enter **myVm**
+1. Select the **Connect button**. After selecting the Connect button, Connect to virtual machine opens, select **RDP**
+
+![RDP button][12]
+
+1. Azure creates a Remote Desktop Protocol (.rdp) file and downloads it to your computer after you click on **Download RDP file**
+
+![Download RDP file][13]
+
+1. Open the downloaded.rdp file.
+
+- If prompted, select Connect.
+- Enter the username and password you specified when creating the VM.
+
+> [!Note]
+> You may need to select More choices > Use a different account, to specify the credentials you entered when you created the VM.
+
+- Select OK.
+
+1. You may receive a certificate warning during the sign-in process. If you receive a certificate warning, select Yes or Continue.
+
+1. Once the VM desktop appears, minimize it to go back to your local desktop.
+
+## Access Web App privately from the VM
+
+In this section, you will connect privately to the Web App using the Private Endpoint.
+
+1. Get the private IP of your Private Endpoint, in the search bar type **Private Link**, and select Private Link
+
+![Private Link][14]
+
+1. In the Private Link Center, select **Private Endpoints** to list all your Private Endpoints
+
+![Private Link center][15]
+
+1. Select the Private Endpoint link to your Web App and your subnet
+
+![Private endpoint properties][16]
+
+1. Copy the Private IP of your Private Endpoint and the FQDN of your Web App, in our case webappdemope.azurewebsites.net 10.10.2.4
+
+1. In the myVM, verify that the Web App is not accessible through the public IP. Open a browser and copy the Web App name, you must have a 403 forbidden error page
+
+![Forbidden][17]
+
+> [!Note]
+> As this feature is in preview, you need to manually manage the DNS entry.
+
+1. Create the host entry, open file explorer and locate the hosts file
+
+![Hosts file][18]
+
+1. Add an entry with the private IP address and the public name of your Web App by editing the hosts file with notepad
+
+![Hosts content][19]
+
+1. Save the file
+
+1. Open a browser and type the url of your web app
+
+![Web site with PE][20]
+
+1. You are accessing to your Web App through the Private Endpoint
+
+## Clean up resources
+
+When you're done using the Private Endpoint, Web App and the VM, delete the resource group and all of the resources it contains:
+
+1. Enter ready-rg in the Search box at the top of the portal and select ready-rg from the search results.
+1. Select Delete resource group.
+1. Enter ready-rg for TYPE THE RESOURCE GROUP NAME and select Delete.
+
+## Next steps
+
+In this Quickstart, you created a VM on a virtual network, a Web App, and a Private Endpoint. You connected to a VM from the Internet and securely communicated to the Web App using Private Link. To learn more about Private Endpoint, see [What is Azure Private Endpoint][privateendpoint].
+
+<!--Image references-->
+[1]: ./media/create-private-endpoint-webapp-portal/createnetwork.png
+[2]: ./media/create-private-endpoint-webapp-portal/ipaddresses.png
+[3]: ./media/create-private-endpoint-webapp-portal/subnet.png
+[4]: ./media/create-private-endpoint-webapp-portal/virtualmachine.png
+[5]: ./media/create-private-endpoint-webapp-portal/vmnetwork.png
+[6]: ./media/create-private-endpoint-webapp-portal/webapp.png
+[7]: ./media/create-private-endpoint-webapp-portal/webappnetworking.png
+[8]: ./media/create-private-endpoint-webapp-portal/webapppe.png
+[9]: ./media/create-private-endpoint-webapp-portal/webapppenetwork.png
+[10]: ./media/create-private-endpoint-webapp-portal/inprogress.png
+[11]: ./media/create-private-endpoint-webapp-portal/webapppefinal.png
+[12]: ./media/create-private-endpoint-webapp-portal/rdp.png
+[13]: ./media/create-private-endpoint-webapp-portal/rdpdownload.png
+[14]: ./media/create-private-endpoint-webapp-portal/pl.png
+[15]: ./media/create-private-endpoint-webapp-portal/plcenter.png
+[16]: ./media/create-private-endpoint-webapp-portal/privateendpointproperties.png
+[17]: ./media/create-private-endpoint-webapp-portal/forbidden.png
+[18]: ./media/create-private-endpoint-webapp-portal/explorer.png
+[19]: ./media/create-private-endpoint-webapp-portal/hosts.png
+[20]: ./media/create-private-endpoint-webapp-portal/webappwithpe.png
+
+<!--Links-->
+[privateendpoint]: https://docs.microsoft.com/azure/private-link/private-endpoint-overview