updates

seligj95 · seligj95 · commit 875a86f02c74 · 2025-06-19T10:46:11.000-04:00
diff --git a/articles/app-service/configure-gateway-required-vnet-integration.md b/articles/app-service/configure-gateway-required-vnet-integration.md
@@ -1,15 +1,18 @@
 ---
 title: Configure gateway-required virtual network integration for your app
 description: Integrate your app in Azure App Service with Azure virtual networks using gateway-required virtual network integration.
-author: madsd
+author: seligj95
 ms.topic: how-to
-ms.date: 10/17/2023
-ms.author: madsd
+ms.date: 06/19/2025
+ms.author: jordanselig
 ms.custom:
   - build-2025
 ---
 # Configure gateway-required virtual network integration
 
+> [!IMPORTANT]
+> For all virtual network integrations with App Service, the recommended method uses [regional virtual network integration](./overview-vnet-integration.md). Gateway-required virtual network integration is a legacy method with limitations that regional virtual network integration mitigates.
+
 Gateway-required virtual network integration supports connecting to a virtual network in another region or to a classic virtual network. Gateway-required virtual network integration only works for Windows plans. We recommend using [regional virtual network integration](./overview-vnet-integration.md) to integrate with virtual networks.
 
 Gateway-required virtual network integration:
@@ -38,7 +41,7 @@ To create a gateway:
 
 1. [Create the VPN gateway and subnet](../vpn-gateway/tutorial-create-gateway-portal.md). Select a route-based VPN type.
 
-1. [Set the point-to-site addresses](../vpn-gateway/point-to-site-certificate-gateway.md#addresspool). If the gateway isn't in the basic SKU, then IKEV2 must be disabled in the point-to-site configuration and SSTP must be selected. The point-to-site address space must be in the RFC 1918 address blocks 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.
+1. [Set the point-to-site addresses](../vpn-gateway/point-to-site-certificate-gateway.md#addresspool). If the gateway isn't in the basic SKU, then IKEV2 must be disabled in the point-to-site configuration and SSTP must be selected. The point-to-site address space must be in the RFC 1,918 address blocks 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.
 
 If you create the gateway for use with gateway-required virtual network integration, you don't need to upload a certificate. Creating the gateway can take 30 minutes. You won't be able to integrate your app with your virtual network until the gateway is created.
 
@@ -79,7 +82,7 @@ The App Service plan virtual network integration UI shows you all the virtual ne
 The private IP assigned to the instance is exposed via the environment variable WEBSITE_PRIVATE_IP. Kudu console UI also shows the list of environment variables available to the web app. This IP is an IP from the address range of the point-to-site address pool configured on the virtual network gateway. This IP will be used by the web app to connect to the resources through the Azure virtual network.
 
 > [!NOTE]
-> The value of WEBSITE_PRIVATE_IP is bound to change. However, it will be an IP within the address range of the point-to-site address range, so you'll need to allow access from the entire address range.
+> The value of WEBSITE_PRIVATE_IP is bound to change. However, it will be an IP within the address range of the point-to-site address range, so you need to allow access from the entire address range.
 >
 
 ## Gateway-required virtual network integration routing
@@ -94,11 +97,11 @@ If certificates or network information is changed, select **Sync Network**. When
 
 ### Certificate renewal
 
-The certificate used by the gateway-required virtual network integration has a lifespan of 8 years. If you have apps with gateway-required virtual network integrations that live longer you will have to renew the certificate. You can validate if your certificate has expired or has less than 6 month to expiry by visiting the VNet Integration page in Azure portal.
+The certificate used by the gateway-required virtual network integration has a lifespan of eight years. If you have apps with gateway-required virtual network integrations that live longer you'll have to renew the certificate. You can validate if your certificate has expired or has less than six month to expiry by visiting the VNet Integration page in Azure portal.
 
 :::image type="content" source="./media/overview-vnet-integration/vnetint-gateway-cert-expiry.png" alt-text="Screenshot that shows a near expiry gateway-required virtual network integration certificate.":::
 
-You can renew your certificate when the portal shows a near expiry or expired certificate. To renew the certificate you need to disconnect and reconnect the virtual network. Reconnecting will cause a brief outage in connectivity between your app and your virtual network. Your app isn't restarted, but the loss of connectivity could cause your site to not function properly.
+You can renew your certificate when the portal shows a near expiry or expired certificate. To renew the certificate, you need to disconnect and reconnect the virtual network. Reconnecting causes a brief outage in connectivity between your app and your virtual network. Your app isn't restarted, but the loss of connectivity could cause your site to not function properly.
 
 ## Pricing details
 
diff --git a/articles/app-service/migrate-gateway-based-vnet-integration.md b/articles/app-service/migrate-gateway-based-vnet-integration.md
@@ -3,13 +3,12 @@ title: Migrate from gateway-based virtual network integration
 description: Migrate your virtual network integration from gateway-based integration to regional integration.
 author: seligj95
 ms.topic: how-to
-ms.date: 10/01/2024
+ms.date: 06/19/2025
 ms.author: jordanselig
-
 ---
 # Migrate from gateway-based virtual network integration
 
-There are two ways in App Service to integration with a virtual network. One way is gateway-based integration using a virtual network gateway that establishes a point-to-site VPN connection from the app to the virtual network. The other way is now known as virtual network integration since more than 99% of all integrations are using this method. Virtual network integration has several advantages over gateway-based integration. The only edge case scenario is when you need to connect directly to a virtual network in a different region and aren't able to set up peerings.
+There are two ways in App Service to integrate with a virtual network. One way is gateway-based integration using a virtual network gateway that establishes a point-to-site VPN connection from the app to the virtual network. The other way is known as virtual network integration since more than 99% of all integrations are using this method. Virtual network integration has several advantages over gateway-based integration. The only edge case scenario where gateway-based integration is preferred is when you need to connect directly to a virtual network in a different region and aren't able to set up peerings.
 
 Gateway-based integration can't be used in the following scenarios:
 
@@ -20,35 +19,30 @@ Gateway-based integration can't be used in the following scenarios:
 * To resolve App Settings referencing a network protected Key Vault.
 * With a coexistence gateway that supports both ExpressRoute and point-to-site or site-to-site VPNs.
 
-| Feature | Virtual network integration| Gateway-based integration |
-| :--------: | :------------: | :------------: |
-| Gateway required | No   |  Yes   |
-| Bandwidth limit | Virtual machine limit |  SSTP Point-to-site VPN limit |
-| Connect up to  | Two subnets per plan | Five virtual networks per plan  |
-| Route tables, NSG, NAT gateway support | Yes |  No |
-| OS Support | Windows, Linux, and Windows Container  | Windows only  |
-| Access service endpoints |  Yes | No  |
-| Resolve network protected Key Vault app settings |  Yes | No  |
-| Co-connect to virtual network with Express Route | Yes | No |
-| Connect directly to virtual network in different region | Only through global peerings | Yes |
+| Feature                                                 | Virtual network integration           | Gateway-based integration      |
+| :-----------------------------------------------------: | :-----------------------------------: | :----------------------------: |
+| Gateway required                                        | No                                    | Yes                            |
+| Bandwidth limit                                         | Virtual machine limit                 | SSTP Point-to-site VPN limit   |
+| Connect up to                                           | Two subnets per plan                  | Five virtual networks per plan |
+| Route table, NSG, NAT gateway support                   | Yes                                   | No                             |
+| OS Support                                              | Windows, Linux, and Windows Container | Windows only                   |
+| Access service endpoints                                | Yes                                   | No                             |
+| Resolve network protected Key Vault app settings        | Yes                                   | No                             |
+| Co-connect to virtual network with Express Route        | Yes                                   | No                             |
+| Connect directly to virtual network in different region | Only through global peerings          | Yes                            |
 
 ## Migration path and planning
 
-The complexity and planning of migration varies based on your current setup. 
+The complexity and planning of migration varies based on your current setup. Migrating from gateway-based to regional virtual network integration is a disconnect/connect operation. Before making the switch, make sure you have a subnet configured for your apps. The subnet must meet certain [requirements](./overview-vnet-integration.md#subnet-requirements). You can either have one subnet per plan or take advantage of the [multi-plan subnet join feature](./overview-vnet-integration.md#subnet-requirements) to connect apps from different plans to the same subnet. You should spend time planning your subnet address range. The general recommendation is to have double the IPs as the expected maximum planned instances of your plan. You should also delegate the subnet to `Microsoft.Web/serverFarms`.
 
 ## Same region migration
 
-If you're connecting to a gateway in the same region as your app, the migration is simple. First you need to select or create a subnet in the virtual network where the apps integrates going forward.
+If you're connecting to a gateway in the same region as your app, the migration is simple. First you need to select or create a subnet in the virtual network where the apps integrate going forward.
 
 ![Diagram that illustrates moving to virtual network integration.](media/migrate-gateway-based-vnet-integration/same-region-migration.png)
 
-Then all you need to do is run a command to configure the virtual network integration.
-
-
-
-
-Migrating from gateway-based to regional virtual network integration is a simple disconnect/connect operation. Before making the switch, make sure you have a subnet configured for your apps. You can either have one per plan or take advantage of the new multi-plan subnet join feature to connect apps from different plans to the same subnet. You should spend a little time planning your subnet address range. The general recommendation is to have double the IPs as the expected maximum planned instances of your plan. You should also delegate the subnet to `Microsoft.Web/serverFarms`.
+Then you need to configure the virtual network integration following the standard process described in [Enable virtual network integration in Azure App Service](./configure-vnet-integration-enable.md).
 
 ## Post configurations
 
-After moving to regional virtual network integration, you now have some new options you can take advantage of. You can decide if configuration options like backup/restore and image pull for container based workloads should be [routed through the virtual network](./overview-vnet-integration.md#configuration-routing). You can also define Network Security Groups or User Defined Routes for the individual subnets and you can increase SNAT ports and get a deterministic outbound public source IP by attaching a NAT gateway to the subnet.
+After moving to regional virtual network integration, you have new options that you can take advantage of. You can decide if configuration options like backup/restore and image pull for container based workloads should be [routed through the virtual network](./overview-vnet-integration.md#configuration-routing). You can also define Network Security Groups or User Defined Routes for the individual subnets. You can also increase SNAT ports and get a [deterministic outbound public source IP by attaching a NAT gateway to the subnet](./overview-inbound-outbound-ips.md#get-a-static-outbound-ip).
