You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/app-service/networking/private-endpoint.md
+10-10Lines changed: 10 additions & 10 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,6 +1,6 @@
1
1
---
2
-
title: Connect privately to a Web App and secure data exfiltration using Azure Private Endpoint
3
-
description: Connect privately to a Web App and secure data exfiltration using Azure Private Endpoint
2
+
title: Connect privately to a Web App using Azure Private Endpoint
3
+
description: Connect privately to a Web App using Azure Private Endpoint
4
4
author: ericgre
5
5
ms.assetid: 2dceac28-1ba6-4904-a15d-9e91d5ee162c
6
6
ms.topic: article
@@ -13,16 +13,14 @@ ms.workload: web
13
13
14
14
# Using Private Endpoints for Azure Web App (Preview)
15
15
16
-
You can use Private Endpoint for your Azure Web App to allow clients located in your private network to securely access to the app over Private Link. The Private Endpoint uses an IP address from your Azure VNet address space. Network traffic between client on your private network and the Web App traverses over the Vnet and a Private Link on the Microsoft backbone network, eliminating exposure from the public Internet. With Private Endpoint, you can disable outgoing network flows from the subnet with NSG and eliminate the data leakage risk.
16
+
You can use Private Endpoint for your Azure Web App to allow clients located in your private network to securely access to the app over Private Link. The Private Endpoint uses an IP address from your Azure VNet address space. Network traffic between client on your private network and the Web App traverses over the Vnet and a Private Link on the Microsoft backbone network, eliminating exposure from the public Internet.
17
17
18
18
Using Private Endpoint for your Web App enables you to:
19
19
20
20
- Secure your Web App by configuring the Service Endpoint, eliminating public exposure
21
-
- Increase security for the Vnet by enabling you to block data exfiltration from the Vnet
22
21
- Securely connect to Web App from on-premises networks that connect to the Vnet using a VPN or ExpressRoute private peering.
23
22
24
-
If you just need a secure connection between your Vnet and your Web App, Service Endpoint is the simplest solution.
25
-
If you need to protect against data exfiltration or route access from on-premises, Private Endpoint is the solution.
23
+
If you just need a secure connection between your Vnet and your Web App, Service Endpoint is the simplest solution. If you also need to reach the web app from on-premises through an Azure gateway, a regionally peered Vnet or a globally peered Vnet, Private Endpoint is the solution.
26
24
27
25
For more information about [Service Endpoint][serviceendpoint]
28
26
@@ -33,22 +31,24 @@ When you create a Private Endpoint for your Web App, it provides a secure connec
33
31
The connection between the Private Endpoint and the Web App uses a secure [Private Link][privatelink]. Private endpoint is only used for incoming flows to your Web App. Outgoing flows will not use this Private Endpoint, but you can inject outgoing flows to your network in a different subnet through the [Vnet integration feature][vnetintegrationfeature].
34
32
35
33
The Subnet where you plug the Private Endpoint can have other resources in it, you don't need a dedicated empty Subnet.
36
-
You can deploy Private Endpoint in region A for the Web App deployed in region B.
34
+
You can deploy Private Endpoint in a different region than the Web App.
37
35
38
36
> [!Note]
39
37
>The Vnet integration feature cannot use the same subnet than Private Endpoint, this is a limitation of the Vnet integration feature
40
38
41
39
From the security perspective:
42
40
43
41
- When you enable Service Endpoint to your Web App, you disable all public access
44
-
- You can enable multiple Private Endpoints in others Vnets and Subnets
42
+
- You can enable multiple Private Endpoints in others Vnets and Subnets, including Vnets in other regions
43
+
- The IP address of the Private endpoint NIC must be dynamic, but will remain the same until you delete the Private Endpoint
45
44
- The NIC of the Private Endpoint cannot have an NSG associated
46
-
- The Subnet that hosts the Private Endpoint can have an NSG associated, but you must disable the network policies enforcement for the Private Endpoint see [this article][disablesecuritype]. As a result, you cannot filter by any NSG the access to your Private Endpoint.
45
+
- The Subnet that hosts the Private Endpoint can have an NSG associated, but you must disable the network policies enforcement for the Private Endpoint see [this article][disablesecuritype]. As a result, you cannot filter by any NSG the access to your Private Endpoint
47
46
- When you enable Private Endpoint to your Web App, the [access restrictions][accessrestrictions] configuration of the Web App is not evaluated.
47
+
- You can reduce data exfiltration risk from the vnet by removing all NSG rules where destination is tag Internet or Azure services. But adding a Web App Service Endpoint in your subnet, will let you reach any Web App hosted in the same stamp and exposed to Internet.
48
48
49
49
Private Endpoint for Web App is available for tier PremiumV2, and Isolated with an external ASE.
50
50
51
-
In the Web http logs of your Web App, you will discover that we are aware of the client source IP. We implemented the TCP Proxy protocol, forwarding up to the Web App the client IP. For more information, see [this article][tcpproxy].
51
+
In the Web http logs of your Web App, you will find the client source IP. We implemented the TCP Proxy protocol, forwarding up to the Web App the client IP property. For more information, see [this article][tcpproxy].
0 commit comments