articles/app-service/overview-vnet-integration.md
18 additions & 10 deletions
@@ -3,7 +3,7 @@ title: Integrate your app with an Azure virtual network
3
3
description: Integrate your app in Azure App Service with Azure virtual networks.
4
4
author: madsd
5
5
ms.topic: conceptual
6
-
ms.date: 07/21/2023
6
+
ms.date: 02/06/2024
7
7
ms.author: madsd
8
8
ms.custom: UpdateFrequency3
9
9
@@ -20,7 +20,7 @@ App Service has two variations:
20
20
* The dedicated compute pricing tiers, which include the Basic, Standard, Premium, Premium v2, and Premium v3.
21
21
* The App Service Environment, which deploys directly into your virtual network with dedicated supporting infrastructure and is using the Isolated and Isolated v2 pricing tiers.
22
22
23
-
The virtual network integration feature is used in Azure App Service dedicated compute pricing tiers. If your app is in an [App Service Environment](./environment/overview.md), it's already integrated with a virtual network and doesn't require you to configure virtual network integration feature to reach resources in the same virtual network. For more information on all the networking features, see [App Service networking features](./networking-features.md).
23
+
The virtual network integration feature is used in Azure App Service dedicated compute pricing tiers. If your app is in an [App Service Environment](./environment/overview.md), it already integrates with a virtual network and doesn't require you to configure virtual network integration feature to reach resources in the same virtual network. For more information on all the networking features, see [App Service networking features](./networking-features.md).
24
24
25
25
Virtual network integration gives your app access to resources in your virtual network, but it doesn't grant inbound private access to your app from the virtual network. Private site access refers to making an app accessible only from a private network, such as from within an Azure virtual network. Virtual network integration is used only to make outbound calls from your app into your virtual network. Refer to [private endpoint](./networking/private-endpoint.md) for inbound private access.
26
26
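Review bot: the rewritten sentence at +23 still reads "doesn't require you to configure virtual network integration feature", which is missing an article; since this line is being touched anyway, make it "doesn't require you to configure the virtual network integration feature". The change from "it's already integrated" to "it already integrates" is fine.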
@@ -46,7 +46,7 @@ Virtual network integration supports connecting to a virtual network in the same
46
46
47
47
When you use virtual network integration, you can use the following Azure networking features:
48
48
49
-
***Network security groups (NSGs)**: You can block outbound traffic with an NSG that's placed on your integration subnet. The inbound rules don't apply because you can't use virtual network integration to provide inbound access to your app.
49
+
***Network security groups (NSGs)**: You can block outbound traffic with an NSG that you use on your integration subnet. The inbound rules don't apply because you can't use virtual network integration to provide inbound access to your app.
50
50
***Route tables (UDRs)**: You can place a route table on the integration subnet to send outbound traffic where you want.
51
51
***NAT gateway**: You can use [NAT gateway](./networking/nat-gateway-integration.md) to get a dedicated outbound IP and mitigate SNAT port exhaustion.
52
52
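Review bot: "an NSG that you use on your integration subnet" (+49) is vaguer than the wording it replaces; an NSG is associated with a subnet, so "an NSG that you associate with your integration subnet" keeps the active voice the edit is going for without losing the meaning. The retained sentence that inbound rules don't apply is the important caveat in this bullet and reads correctly.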
@@ -87,7 +87,7 @@ Because subnet size can't be changed after assignment, use a subnet that's large
87
87
>
88
88
> Since you have 1 App Service plan, 1 x 50 = 50 IP addresses.
89
89
90
-
When you want your apps in your plan to reach a virtual network that's already connected to by apps in another plan, select a different subnet than the one being used by the pre-existing virtual network integration.
90
+
When you want your apps in your plan to reach a virtual network thatapps in another plan already connect to, select a different subnet than the one being used by the pre-existing virtual network integration.
91
91
92
92
## Permissions
93
93
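Review bot: +90 introduces a typo, "thatapps" is missing a space and should read "a virtual network that apps in another plan already connect to". The rest of the rewording is an improvement over "that's already connected to by apps in another plan".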
@@ -99,17 +99,17 @@ You must have at least the following Role-based access control permissions on th
99
99
| Microsoft.Network/virtualNetworks/subnets/read | Read a virtual network subnet definition |
100
100
| Microsoft.Network/virtualNetworks/subnets/join/action | Joins a virtual network |
101
101
102
-
If the virtual network is in a different subscription than the app, you must ensure that the subscription with the virtual network is registered for the `Microsoft.Web` resource provider. You can explicitly register the provider [by following this documentation](../azure-resource-manager/management/resource-providers-and-types.md#register-resource-provider), but it's automatically registered when creating the first web app in a subscription.
102
+
If the virtual network is in a different subscription than the app, you must ensure that the subscription with the virtual network is registered for the `Microsoft.Web` resource provider. You can explicitly register the provider [by following this documentation](../azure-resource-manager/management/resource-providers-and-types.md#register-resource-provider), but it also automatically registers when creating the first web app in a subscription.
103
103
104
104
## Routes
105
105
106
106
You can control what traffic goes through the virtual network integration. There are three types of routing to consider when you configure virtual network integration. [Application routing](#application-routing) defines what traffic is routed from your app and into the virtual network. [Configuration routing](#configuration-routing) affects operations that happen before or during startup of your app. Examples are container image pull and [app settings with Key Vault reference](./app-service-key-vault-references.md). [Network routing](#network-routing) is the ability to handle how both app and configuration traffic are routed from your virtual network and out.
107
107
108
-
Through application routing or configuration routing options, you can configure what traffic is sent through the virtual network integration. Traffic is only subject to [network routing](#network-routing) if it's sent through the virtual network integration.
108
+
Through application routing or configuration routing options, you can configure what traffic is sent through the virtual network integration. Traffic is only subject to [network routing](#network-routing) if sent through the virtual network integration.
109
109
110
110
### Application routing
111
111
112
-
Application routing applies to traffic that is sent from your app after it has been started. See [configuration routing](#configuration-routing) for traffic during startup. When you configure application routing, you can either route all traffic or only private traffic (also known as [RFC1918](https://datatracker.ietf.org/doc/html/rfc1918#section-3) traffic) into your virtual network. You configure this behavior through the outbound internet traffic setting. If outbound internet traffic routing is disabled, your app only routes private traffic into your virtual network. If you want to route all your outbound app traffic into your virtual network, make sure that outbound internet traffic is enabled.
112
+
Application routing applies to traffic that is sent from your app after it starts. See [configuration routing](#configuration-routing) for traffic during startup. When you configure application routing, you can either route all traffic or only private traffic (also known as [RFC1918](https://datatracker.ietf.org/doc/html/rfc1918#section-3) traffic) into your virtual network. You configure this behavior through the outbound internet traffic setting. If outbound internet traffic routing is disabled, your app only routes private traffic into your virtual network. If you want to route all your outbound app traffic into your virtual network, make sure that outbound internet traffic is enabled.
113
113
114
114
* Only traffic configured in application or configuration routing is subject to the NSGs and UDRs that are applied to your integration subnet.
115
115
* When outbound internet traffic routing is enabled, the source address for your outbound traffic from your app is still one of the IP addresses that are listed in your app properties. If you route your traffic through a firewall or a NAT gateway, the source IP address originates from this service.
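Review bot: in +102, "but it also automatically registers when creating the first web app in a subscription" changes the sense of the sentence: the word "also" is new, and "when creating" now has no subject. The original point is that the explicit registration step is optional because registration happens automatically, so "but it registers automatically when you create the first web app in a subscription" says that more accurately. The other two edits in this hunk ("if sent through" at +108 and "after it starts" at +112) are fine.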
@@ -147,9 +147,17 @@ App settings using Key Vault references attempt to get secrets over the public r
147
147
> * Configure SSL/TLS certificates from private Key Vaults is currently not supported.
148
148
> * App Service Logs to private storage accounts is currently not supported. We recommend using Diagnostics Logging and allowing Trusted Services for the storage account.
149
149
150
+
### Routing app settings
151
+
152
+
App Service has existing app settings to configure application and configuration routing. Site properties override the app settings if both exist. Site properties have the advantage of being auditable with Azure Policy and validated at the time of configuration. We recommend you to use site properties.
153
+
154
+
You can still use the existing `WEBSITE_VNET_ROUTE_ALL` app setting to configure application routing.
155
+
156
+
App settings also exist for some configuration routing options. These app settings are named `WEBSITE_CONTENTOVERVNET` and `WEBSITE_PULL_IMAGE_OVER_VNET`.
157
+
150
158
### Network routing
151
159
152
-
You can use route tables to route outbound traffic from your app without restriction. Common destinations can include firewall devices or gateways. You can also use a [network security group](../virtual-network/network-security-groups-overview.md) (NSG) to block outbound traffic to resources in your virtual network or the internet. An NSG that's applied to your integration subnet is in effect regardless of any route tables applied to your integration subnet.
160
+
You can use route tables to route outbound traffic from your app without restriction. Common destinations can include firewall devices or gateways. You can also use a [network security group](../virtual-network/network-security-groups-overview.md) (NSG) to block outbound traffic to resources in your virtual network or the internet. An NSG that you apply to your integration subnet is in effect regardless of any route tables applied to your integration subnet.
153
161
154
162
Route tables and network security groups only apply to traffic routed through the virtual network integration. See [application routing](#application-routing) and [configuration routing](#configuration-routing) for details. Routes don't apply to replies from inbound app requests and inbound rules in an NSG don't apply to your app. Virtual network integration affects only outbound traffic from your app. To control inbound traffic to your app, use the [access restrictions](./overview-access-restrictions.md) feature or [private endpoints](./networking/private-endpoint.md).
155
163
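Review bot: the new "Routing app settings" section (+150 to +157) names `WEBSITE_VNET_ROUTE_ALL`, `WEBSITE_CONTENTOVERVNET` and `WEBSITE_PULL_IMAGE_OVER_VNET` but doesn't state the values each setting accepts or which site property each one corresponds to, so a reader can't act on it or check an existing configuration against it; please add that mapping, or link to where it's documented. Also, +152 "We recommend you to use site properties" should read "We recommend that you use site properties", and since the same paragraph says site properties override the app settings when both exist, it's worth saying plainly that a leftover app setting is ignored in that case, which matters when someone is troubleshooting routing that doesn't match the app settings they see.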
@@ -187,7 +195,7 @@ There are some limitations with using virtual network integration:
187
195
* The app and the virtual network must be in the same region.
188
196
* The integration virtual network can't have IPv6 address spaces defined.
189
197
* The integration subnet can't have [service endpoint policies](../virtual-network/virtual-network-service-endpoint-policies-overview.md) enabled.
190
-
*The integration subnet can be used by only one App Service plan.
198
+
*Only one App Service plan virtual network integration connection per integration subnet is supported.
191
199
* You can't delete a virtual network with an integrated app. Remove the integration before you delete the virtual network.
192
200
* You can't have more than two virtual network integrations per Windows App Service plan. You can't have more than one virtual network integration per Linux App Service plan. Multiple apps in the same App Service plan can use the same virtual network integration.
193
201
* You can't change the subscription of an app or a plan while there's an app that's using virtual network integration.
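Review bot: the replacement bullet at +198, "Only one App Service plan virtual network integration connection per integration subnet is supported", stacks five nouns in front of "connection" and is harder to read than the line it replaces. "Each integration subnet supports only one App Service plan's virtual network integration connection" states the same limit and keeps the subnet as the subject, which matches the surrounding bullets.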
@@ -226,7 +234,7 @@ The feature is easy to set up, but that doesn't mean your experience is problem
226
234
227
235
### Deleting the App Service plan or app before disconnecting the network integration
228
236
229
-
If you deleted the app or the App Service plan without disconnecting the virtual network integration first, you aren't able to do any update/delete operations on the virtual network or subnet that was used for the integration with the deleted resource. A subnet delegation 'Microsoft.Web/serverFarms' remains assigned to your subnet and prevents the update/delete operations.
237
+
If you deleted the app or the App Service plan without disconnecting the virtual network integration first, you aren't able to do any update/delete operations on the virtual network or subnet that was used for the integration with the deleted resource. A subnet delegation 'Microsoft.Web/serverFarms' remains assigned to your subnet and prevents the update and delete operations.
230
238
231
239
In order to do update/delete the subnet or virtual network again, you need to re-create the virtual network integration, and then disconnect it:
232
240
1. Re-create the App Service plan and app (it's mandatory to use the exact same web app name as before).
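Review bot: +237 changes "update/delete operations" to "update and delete operations" only at the end of the sentence; the same sentence still opens with "do any update/delete operations", and the following context line reads "In order to do update/delete the subnet or virtual network again", which is ungrammatical. If the intent is to drop the slash form, apply it consistently, e.g. "you can't update or delete the virtual network or subnet" and "To update or delete the subnet or virtual network again".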