This article explains how to configure private network access to backend storage for your application within your virtual network.
20
20
21
-
When you deploy an application in an Azure Spring Apps service instance with VNet injection, the service instance relies on backend storage for housing associated assets, including JAR files and logs. While the default configuration routes traffic to this backend storage over the public network, you can turn on the private storage access feature. This feature allows you to direct the traffic through your private network, enhancing security, and potentially improving performance.
21
+
When you deploy an application in an Azure Spring Apps service instance with virtual network injection, the service instance relies on backend storage for housing associated assets, including JAR files and logs. While the default configuration routes traffic to this backend storage over the public network, you can turn on the private storage access feature. This feature enables you to direct the traffic through your private network, enhancing security, and potentially improving performance.
22
+
23
+
> [!NOTE]
24
+
> This feature applies to an Azure Spring Apps virtual network injected service instance only.
25
+
>
26
+
> Before you enable this feature for your Azure Spring Apps service instance, ensure that there are at least two available IP addresses in the service runtime subnet.
27
+
>
28
+
> Enabling or disabling this feature changes the DNS resolution to the backend storage. For a short period of time, you might experience deployments that fail to establish a connection to the backend storage or are unable to resolve their endpoint during the update.
29
+
>
30
+
> After you enable this feature, the backend storage is only accessible privately, so you have to deploy your application within the virtual network.
22
31
23
32
## Prerequisites
24
33
25
34
- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.
26
35
-[Azure CLI](/cli/azure/install-azure-cli) version 2.56.0 or higher.
27
36
- An existing Azure Spring Apps service instance deployed to a virtual network. For more information, see [Deploy Azure Spring Apps in a virtual network](./how-to-deploy-in-azure-virtual-network.md).
28
37
29
-
> [!NOTE]
30
-
>
31
-
> - This feature applies to Azure Spring Apps VNet injected service instance only.
32
-
> - Before enabling this feature for your Azure Spring Apps service instance, ensure that there are at least two available IP addresses in the service runtime subnet.
33
-
> - Enabling or disabling this feature changes the way of DNS resolution to the backend storage. For a short period of time, you may experience deployments failing to establish connection to the backend storage or unable to resolve its endpoint during the update.
34
-
> - After enabling this feature, the backend storage is only accessible privately, so you have to deploy your application within the virtual network.
38
+
## Enable private storage access when you create a new Azure Spring Apps instance
35
39
36
-
## Enable private storage access when creating a new Azure Spring Apps instance
37
-
38
-
When you [create an Azure Spring Apps instance in the virtual network](./how-to-deploy-in-azure-virtual-network.md), use the following command to pass the argument `--enable-private-storage-access true` to enable private storage access:
40
+
When you create an Azure Spring Apps instance in the virtual network, use the following command to pass the argument `--enable-private-storage-access true` to enable private storage access. For more information, see [Deploy Azure Spring Apps in a virtual network](how-to-deploy-in-azure-virtual-network.md).
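Review bot: The two-IP-address requirement in the relocated `[!NOTE]` is a precondition, but after this move it sits in the introduction, separated from the Prerequisites section where readers check what they need before starting. Consider adding a Prerequisites bullet such as "At least two available IP addresses in the service runtime subnet" and keeping only the behavioural caveats (the DNS resolution change and private-only access) in the note. Also, the new link in the create-instance paragraph uses `how-to-deploy-in-azure-virtual-network.md` while the unchanged Prerequisites bullet still uses `./how-to-deploy-in-azure-virtual-network.md`; pick one form for the file.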
One more resource group is created in your subscription to host the private link resources for the Azure Spring Apps instance. This resource group is named as `ap-res_{service instance name}_{service instance region}`.
52
-
53
-
:::image type="content" source="media/how-to-private-network-access-backend-storage/ap-res-group.png" alt-text="Screenshot of the Azure portal Resource Group page that shows the private link resource details." lightbox="media/how-to-private-network-access-backend-storage/ap-res-group.png":::
53
+
One more resource group is created in your subscription to host the private link resources for the Azure Spring Apps instance. This resource group is named `ap-res_{service instance name}_{service instance region}`.
54
54
55
-
There are two sets of private link resources being deployed in the resource group, each comprising the following Azure resources:
55
+
There are two sets of private link resources deployed in the resource group, each composed of the following Azure resources:
56
56
57
-
- A private endpoint represents the backend storage account's private endpoint.
58
-
- A network interface (NIC) maintains a private IP address within the service runtime subnet.
59
-
- A private DNS zone is deployed for your virtual network, with a DNS A record also created for the storage account within this DNS zone.
57
+
- A private endpoint that represents the backend storage account's private endpoint.
58
+
- A network interface (NIC) that maintains a private IP address within the service runtime subnet.
59
+
- A private DNS zone that's deployed for your virtual network, with a DNS A record also created for the storage account within this DNS zone.
60
60
61
61
> [!IMPORTANT]
62
-
> The resource groups are fully managed by the Azure Spring Apps service. Don't manually delete or modify any resource inside.
62
+
> The resource groups are fully managed by the Azure Spring Apps service. Don't manually delete or modify any resource inside these resource groups.
63
63
64
64
## Enable or disable private storage access for an existing Azure Spring Apps instance
65
65
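Review bot: The `[!IMPORTANT]` text at the end of this hunk still says "The resource groups" and now adds "these resource groups", but the paragraph above introduces a single resource group, `ap-res_{service instance name}_{service instance region}`. Name that group in the warning, or state which other groups are meant, so readers know exactly which private endpoint, NIC and private DNS zone resources they must leave alone. The first new bullet, "A private endpoint that represents the backend storage account's private endpoint", is also circular; something like "A private endpoint for the backend storage account" would read better.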
@@ -68,18 +68,18 @@ Use the following command to update an existing Azure Spring Apps instance to en
68
68
```azurecli
69
69
az spring update \
70
70
--resource-group "<resource-group>" \
71
-
--name "<azure-spring-apps-instance-name>" \
72
-
--enable-private-storage-access true/false
71
+
--name "<Azure-Spring-Apps-instance-name>" \
72
+
--enable-private-storage-access <true-or-false>
73
73
```
74
74
75
-
## Additional costs
75
+
## Extra costs
76
76
77
77
The Azure Spring Apps instance doesn't incur charges for this feature. However, you're billed for the private link resources hosted in your subscription that support this feature. For more information, see [Azure Private Link Pricing](https://azure.microsoft.com/pricing/details/private-link/) and [Azure DNS Pricing](https://azure.microsoft.com/pricing/details/dns/).
78
78
79
79
## Use custom DNS servers
80
80
81
-
If you're using a custom DNS server and the Azure DNS IP `168.63.129.16` isn't configured as the upstream DNS server, you must manually bind all the DNS records of private DNS zones shown in the resource group `ap-res_{service instance name}_{service instance region}` to resolve the private IP addresses.
81
+
If you're using a custom domain name system (DNS) server and the Azure DNS IP `168.63.129.16` isn't configured as the upstream DNS server, you must manually bind all the DNS records of the private DNS zones shown in the resource group `ap-res_{service instance name}_{service instance region}` to resolve the private IP addresses.
82
82
83
-
## Next steps
83
+
## Next step
84
84
85
-
-[Customer responsibilities for running Azure Spring Apps in a virtual network](vnet-customer-responsibilities.md)
85
+
[Customer responsibilities for running Azure Spring Apps in a virtual network](vnet-customer-responsibilities.md)
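Review bot: In the "Use custom DNS servers" paragraph, the instruction to manually bind the private DNS zone records doesn't say what to do with those records when the feature is later disabled, although the note at the top of the article states that enabling or disabling the feature changes DNS resolution to the backend storage. Add a sentence telling custom DNS users to update or remove the manually bound records when they toggle `--enable-private-storage-access`. Minor: in the `az spring update` example the new `<true-or-false>` placeholder is unquoted while the other two placeholders are quoted; quoting it would be consistent.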