Apps on Azure Blog
Generally available: Enhanced network security features for App Service Basic SKU

jordanselig (Microsoft)
Apr 14, 2022
App Service now supports VNet integration (outbound) and private endpoints (inbound) all the way down to the Basic SKU. The App Service VNet integration feature enables your apps to access resources in or through a virtual network but doesn't grant inbound private access to your apps. For inbound access, you need private endpoints, which let clients located in your private network securely access your apps over Private Link and eliminate exposure to the public internet.

With this update, you can use our lower-cost tiers and achieve the same level of security that you could previously only achieve with our high-end SKUs. Note that if you want to downgrade an existing App Service Plan and still use VNet integration, you need to be on the newer App Service footprint to ensure your App Service Plan supports VNet integration for Basic SKU. For more details, see the VNet integration limitations.

Updated Apr 15, 2022
Version 3.0
  • erik_oleary At this time, that is the only workaround. We are exploring alternative solutions. In other news, we are pushing a fix that addresses the scaling issues you experienced that should be implemented shortly.

  • erik_oleary

    jordanselig that's fascinating advice to work around this issue. Is there a better solution forthcoming? I feel like a 'StandardV3' or 'BasicV3' may be needed. If the behavior/capabilities of your app are different on different 'stamps', which you can't even choose with, say, a Bicep template, and that are just randomly assigned when you create a resource group, that's just a bad outcome.

  • erik_oleary - Some stamps will not support vnet integration down to the standard/basic tier even in new resource deployments due to certain infrastructure constraints. To ensure your App Service is on a stamp that supports this feature, create your app in a Premium v3 App Service plan since those plans are only supported on our newest deployments. You can scale down to the basic tier after the plan is created.

    Regarding the "regional vnet" error message you are seeing, that issue was raised the other day and we are actively investigating. Apologies for any inconvenience.

  • erik_oleary

    "you need to be on the newer App Service footprint to ensure your App Service Plan supports VNet integration for Basic SKU"

    What does this mean? I just created a brand new resource group and app service plan and I don't see vnet support. I'm able to create a basic app with vnet via bicep, but if I try to scale it up or modify it after it deploys I'm unable to - it complains about being in a regional vnet and it must be removed first.

  • Great news! While we'll still be sticking with premium for other features, it's nice to see security features being made more easily available.