Home
%3CLINGO-SUB%20id%3D%22lingo-sub-898550%22%20slang%3D%22en-US%22%3EAzure%20App%20Services%20Access%20Restrictions%20%2BRegional%20Virtual%20Network%20Integration%20%2B%20Service%20Endpoints%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-898550%22%20slang%3D%22en-US%22%3E%3CP%3EAs%20we%20know%2C%20we%20now%20have%26nbsp%3B%3CSTRONG%3Eservice%3C%2FSTRONG%3E%3CSTRONG%3E%26nbsp%3Bendpoints%3C%2FSTRONG%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Eavailable%20for%20%3CSTRONG%3EMicrosoft.Web%3C%2FSTRONG%3E%26nbsp%3Bwhich%20enables%26nbsp%3B%3CSTRONG%3Elocking%20down%20inbound%20traffic%20to%20selected%20VNet%2Fsubnets%3C%2FSTRONG%3E.%20You%20can%20configure%20and%20allow%20only%20a%20specific%20Subnet%20of%20a%20VNet%20to%20reach%20an%20App%26nbsp%3BService%20via%20the%20%3CSTRONG%3ENetworking%20%26gt%3B%26gt%3B%26nbsp%3BAccess%20Restrictions%3C%2FSTRONG%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Eblade%20in%20App%20Services.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20feature%2C%20in%20conjunction%20with%20the%3CSPAN%3E%26nbsp%3Bnew%20%3CSTRONG%3ERegional%26nbsp%3B%3C%2FSTRONG%3E%3C%2FSPAN%3E%3CSTRONG%3EApp%20Service%20VNet%20Integration%20%3C%2FSTRONG%3Efeature%20can%20do%20a%20lot%20of%20amazing%20things%20that%20only%20Apps%20in%20an%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3EApp%20Service%20Environment%3C%2FSTRONG%3E%3CSPAN%3E%26nbsp%3B%3CSTRONG%3E(ASE)%26nbsp%3B%3C%2FSTRONG%3E%3C%2FSPAN%3Ecould%20do%20earlier.%20We%E2%80%99ll%20discuss%20about%20a%20few%20such%20use%20cases%20in%20this%20blog%20post.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20can%20read%20about%20Access%20Restrictions%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fdocs.microsoft.com%252Fen-us%252Fazure%252Fapp-service%252Fapp-service-ip-restrictions%26amp%3Bdata%3D02%257C01%257Cmadhbh%2540microsoft.com%257Cec570a15145f49d8071308d6e829954f%257C72f988bf86f141af91ab2d7cd011db47%257C1%257C0%257C636951663418709336%26amp%3Bsdata%3DOCYiOY5BrPoSJNu2s1Sab3zV%252BVuR9SCiy%252FF6rFfQaZ4%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehere%3C%2FA%3E.%20More%20about%20the%20new%20VNet%20Integration%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fdocs.microsoft.com%252Fen-us%252Fazure%252Fapp-service%252Fweb-sites-integrate-with-vnet%2523new-vnet-integration%26amp%3Bdata%3D02%257C01%257Cmadhbh%2540microsoft.com%257Cec570a15145f49d8071308d6e829954f%257C72f988bf86f141af91ab2d7cd011db47%257C1%257C0%257C636951663418719336%26amp%3Bsdata%3D3JvEy9T6Bv0kgkIwv4QXIfOuW50C2bpv2v%252BAkA7WTF8%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehere%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-1824911033%22%20id%3D%22toc-hId-1824911041%22%3EUse%20Cases%3A%3C%2FH2%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CSTRONG%3EApplication%20Gateway%20Lockdown%3C%2FSTRONG%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EAppGW%20could%20be%20configured%20with%20a%20multi-tenant%20App%20Service%20earlier%20as%20well.%20However%2C%20you%20could%20not%20block%20the%20App%20from%20directly%20receiving%20requests%20over%20its%20default%20hostname%2C%20%3CAPPNAME%3E.azurewebsites.net.%20That%2C%20to%20some%20extent%2C%20defeated%20the%20purpose%20of%20having%20an%20Application%20Gateway%20WAF.%20Redirects%20on%20the%20App%20Service%20would%20often%20expose%20the%20backend%20hostname%20to%20the%20end%20user.%20Using%20Access%20Restrictions%2C%20you%20can%20allow%20access%20only%20from%20the%20Subnet%20hosting%20the%20AppGW%20and%20block%20all%20other%20requests.%3C%2FAPPNAME%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETo%20get%20this%20to%20work%20properly%2C%20ensure%20that%20%E2%80%9CPick%20Hostname%20from%20backend%20address%E2%80%9D%20option%20is%20unchecked%20on%20the%20Application%20Gateway.%20If%20you've%20checked%20%E2%80%9C%3CSTRONG%3E%3CEM%3EPick%20hostname%20from%20backend%20address%3C%2FEM%3E%3C%2FSTRONG%3E%E2%80%9D%2C%20and%20there%20are%20redirect%20rules%20set%20up%20on%20the%20App%20Service%2C%20the%20redirected%20request%20coming%20over%20to%20%3CAPPNAME%3E.azurewebsites.net%20will%20be%20blocked.%20Here%E2%80%99s%20a%20link%20to%20my%20blog%20that%20explains%20this%20problem%20in%20detail%3A%3CBR%20%2F%3E%3CA%20href%3D%22http%3A%2F%2Fwww.unriddle.net%2Fconfig%2Fazure-application-gateway-app-service-redirects-exposing-azurewebsites-net-url-on-the-browser%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fwww.unriddle.net%2Fconfig%2Fazure-application-gateway-app-service-redirects-exposing-azurewebsites-net-url-on-the-browser%2F%3C%2FA%3E%3C%2FAPPNAME%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CSTRONG%3EAllow%20Access%20TO%20and%20FROM%20a%20VNet%3C%2FSTRONG%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EWith%20VNet%20Integration%2C%20you%20can%20allow%20your%20App%20Service%20to%20access%20VNet%20resources%20(Azure%20VM%20for%20example)%2C%20and%20Service%20Endpoint%20enabled%20resources%20(Azure%20SQL%20DB%2C%20Azure%20Storage%20Account%20for%20example)%2C%20through%20the%20Integrated%20VNet.%20With%20Access%20Restrictions%2C%20you%20can%20lock%20down%20access%20to%20the%20App%20Service%20from%20that%20VNet%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3Eonly%3C%2FSTRONG%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3Ealmost%3C%2FSTRONG%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Ereplicates%20the%20isolated%20behavior%20of%20an%20ILB%20ASE.%20However%2C%20this%20is%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3Enot%20exactly%20the%20same%3C%2FSTRONG%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Eas%20having%20an%20App%20in%20an%20ILB%20ASE%20because%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3Ethe%20traffic%20to%20your%20App%20Service%20will%20still%20be%20over%20its%20inbound%20public%20IP%3C%2FSTRONG%3E.%20The%20Web%20App%20is%20still%20on%20public%20DNS.%20But%2C%20IPs%20not%20on%20the%20access%20restrictions%20%E2%80%98%3CSTRONG%3Eallow%E2%80%99%3C%2FSTRONG%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Elist%20will%20see%20an%20HTTP%20403.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F135777i97DAED777AE1F766%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22image.png%22%20title%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CSTRONG%3EMulti-Tier%20Applications%3C%2FSTRONG%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EYou%20can%20allow%20internet%20access%20to%20your%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3EFront%20End%20App%20Service%3C%2FSTRONG%3E%2C%20and%20lock%20down%20access%20to%20a%20backend%20API%20App%20Service%20using%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3EAccess%20Restrictions%3C%2FSTRONG%3E.%20(See%20diagram%20below).%20You%E2%80%99ll%20need%20to%20set%20up%20VNet%20Integration%20from%20your%20Front%20End%20App%20to%20a%20Subnet%20and%20enable%20Access%20Restrictions%20to%20Backend%20API%20App.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F135778i47653E4E1389A625%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22image.png%22%20title%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESome%20customers%20may%20want%20to%20test%20this%20connectivity%20first%20before%20going%20ahead%20with%20deploying%20their%20code.%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3ERemember%20that%20tcpping%20would%20NOT%20BE%20A%20GOOD%20TEST%20in%20this%20scenario%3C%2FSTRONG%3E.%20This%20is%20because%2C%20you%E2%80%99ll%20still%20get%20a%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3EConnected%3C%2FSTRONG%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Eresponse%20from%20the%20backend%20API%20App%20when%20you%20tcpping%20even%20from%20Apps%20that%20are%20not%20integrated%20with%20the%20VNet.%20The%20best%20test%2C%20in%20this%20case%2C%20will%20be%20a%20simple%20CURL%20command.%20Here%E2%80%99s%20what%20I%20mean%3A%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EFront%20End%20App%3A%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSTRONG%3Eamaze.azurewebsites.net%20(this%20app%20is%20integrated%20with%20a%20subnet)%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EBackend%20API%20App%3A%3C%2FSTRONG%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Eamaze-dest.azurewebsites.net%20(this%20app%20has%20access%20restrictions%20enabled%20on%20the%20subnet)%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ESome%20other%20unrelated%20App%3A%3C%2FSTRONG%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Eunrelated.azurewebsites.net%20(this%20is%20a%20standalone%20app%20that%20has%20not%20been%20integrated%20with%20the%20subnet%20and%20is%20in%20no%20way%20related%20to%20the%20solution)%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CSTRONG%3ETCPPing%20result%20from%20the%20unrelated%20App%20to%20Backend%20API%20App%20Service%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20873px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F135779iA4F7BD1F34A0D137%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22image.png%22%20title%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSTRONG%3E%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3ECURL%20result%20from%20the%20unrelated%20App%20to%20Backend%20API%20Service%3C%2FSTRONG%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F135780iFD8B22F711604210%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22image.png%22%20title%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F135781i82ACE974D5B960A4%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22image.png%22%20title%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CSTRONG%3ECURL%20result%20from%20Front%20End%20App%20to%20Backend%20API%20App%20Service%3C%2FSTRONG%3E%3CSTRONG%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F135782i3364ECAF6893A010%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22image.png%22%20title%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSTRONG%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThese%20are%20just%20a%20few%20use%20cases%20among%20the%20many%20powerful%20things%20you%20can%20do%20with%20these%20features.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20hope%20this%20helps!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-898550%22%20slang%3D%22en-US%22%3E%3CP%3EThese%20three%20features%20can%20do%20a%20lot%20of%20amazing%20things%20that%20only%20App%20Service%20Environments%20could%20do%20earlier.%3C%2FP%3E%3C%2FLINGO-TEASER%3E

As we know, we now have service endpoints available for Microsoft.Web which enables locking down inbound traffic to selected VNet/subnets. You can configure and allow only a specific Subnet of a VNet to reach an App Service via the Networking >> Access Restrictions blade in App Services.

 

This feature, in conjunction with the new Regional App Service VNet Integration feature can do a lot of amazing things that only Apps in an App Service Environment (ASE) could do earlier. We’ll discuss about a few such use cases in this blog post.

 

You can read about Access Restrictions here. More about the new VNet Integration here.

 

Use Cases:

 

  • Application Gateway Lockdown

AppGW could be configured with a multi-tenant App Service earlier as well. However, you could not block the App from directly receiving requests over its default hostname, <appname>.azurewebsites.net. That, to some extent, defeated the purpose of having an Application Gateway WAF. Redirects on the App Service would often expose the backend hostname to the end user. Using Access Restrictions, you can allow access only from the Subnet hosting the AppGW and block all other requests.

 

To get this to work properly, ensure that “Pick Hostname from backend address” option is unchecked on the Application Gateway. If you've checked “Pick hostname from backend address”, and there are redirect rules set up on the App Service, the redirected request coming over to <appname>.azurewebsites.net will be blocked. Here’s a link to my blog that explains this problem in detail:
http://www.unriddle.net/config/azure-application-gateway-app-service-redirects-exposing-azurewebsite...

 

  • Allow Access TO and FROM a VNet

With VNet Integration, you can allow your App Service to access VNet resources (Azure VM for example), and Service Endpoint enabled resources (Azure SQL DB, Azure Storage Account for example), through the Integrated VNet. With Access Restrictions, you can lock down access to the App Service from that VNet only.

 

This almost replicates the isolated behavior of an ILB ASE. However, this is not exactly the same as having an App in an ILB ASE because the traffic to your App Service will still be over its inbound public IP. The Web App is still on public DNS. But, IPs not on the access restrictions ‘allow’ list will see an HTTP 403.

 

image.png

  • Multi-Tier Applications

You can allow internet access to your Front End App Service, and lock down access to a backend API App Service using Access Restrictions. (See diagram below). You’ll need to set up VNet Integration from your Front End App to a Subnet and enable Access Restrictions to Backend API App.

 

image.png

 

Some customers may want to test this connectivity first before going ahead with deploying their code. Remember that tcpping would NOT BE A GOOD TEST in this scenario. This is because, you’ll still get a Connected response from the backend API App when you tcpping even from Apps that are not integrated with the VNet. The best test, in this case, will be a simple CURL command. Here’s what I mean:

Front End App: amaze.azurewebsites.net (this app is integrated with a subnet)

Backend API App: amaze-dest.azurewebsites.net (this app has access restrictions enabled on the subnet)

Some other unrelated App: unrelated.azurewebsites.net (this is a standalone app that has not been integrated with the subnet and is in no way related to the solution)

  • TCPPing result from the unrelated App to Backend API App Serviceimage.png
  • CURL result from the unrelated App to Backend API Service

image.png

 

image.png

  • CURL result from Front End App to Backend API App Serviceimage.png

 

These are just a few use cases among the many powerful things you can do with these features.

 

I hope this helps!