vNet Integration Service Endpoints


Hi, 

I'm trying to understand if vNet Integrated AppServices can access other service endpoints. I have a number of WebApps which are vNet Integrated and I want to deploy a Service Bus and Cosmos DB. Can I configure service endpoints on the AppService subnets to call the Service Bus and Cosmos service endpoints, or will the apps still need to call these endpoints over the public internet?

 

So basically can vNet Integrated apps call resources using Service Endpoints? 

 

Thanks

3 Replies

@JacksWastedLife 

By configuring a service endpoint you enable the private resources (VM) hosted on your subnet to communicate with the PaaS service (App Service) through the Azure backbone network instead of the open internet. However, you are still using the public endpoint of your PaaS resource.

 

You can turn off public access by configuring 'Firewalls and virtual networks' option properly. In this option you have to allow 'trusted Microsoft Services' under 'Exceptions' section in order to enable communication between your PaaS resource and other PaaS services. In my view this PaaS to PaaS communication takes place via Azure backbone (Microsoft network routing endpoint) by default. So this will be the case always even if you do not have service endpoints of all the services enabled on your subnet.

 

If you want to go completely private, you have to configure Private Link for your PaaS resources. This will allow you to assign a private IP from your subnet to the PaaS resources. You still have to configure 'Firewalls and virtual networks' to suit your requirement.

 

Hope this helps!

 

Thanks,

Rohan
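
An added example, not part of the original reply: a Python check of the two settings the answer above relies on, that the subnet carries the service endpoint and that the resource's 'Firewalls and virtual networks' rules admit that subnet while denying other networks. The resource IDs and settings are constructed, and the field names are an assumption modelled on the ARM JSON for these resources.

```python
# Constructed subnet ID (not a real subscription or resource).
SUBNET_ID = ("/subscriptions/0000/resourceGroups/rg-demo/providers/"
             "Microsoft.Network/virtualNetworks/vnet-demo/subnets/snet-appsvc")

# Constructed sample: the App Service integration subnet.
subnet = {"id": SUBNET_ID,
          "serviceEndpoints": [{"service": "Microsoft.ServiceBus"}]}

# Constructed samples: network settings of the two PaaS resources.
service_bus = {"type": "Microsoft.ServiceBus",
               "defaultAction": "Deny",
               "virtualNetworkRules": [{"subnet": {"id": SUBNET_ID}}]}
cosmos = {"type": "Microsoft.AzureCosmosDB",
          "isVirtualNetworkFilterEnabled": False,
          "virtualNetworkRules": []}

def allowed_subnets(res):
    """Subnet IDs named in the resource's virtual network rules."""
    ids = []
    for rule in res.get("virtualNetworkRules", []):
        # Assumed shapes: Service Bus nests the id under "subnet",
        # Cosmos DB places it directly on the rule.
        sid = rule.get("subnet", {}).get("id") or rule.get("id")
        if sid:
            ids.append(sid.lower())
    return ids

def other_networks_denied(res):
    """True when the resource no longer accepts traffic from all networks."""
    if res["type"] == "Microsoft.AzureCosmosDB":
        return bool(res.get("isVirtualNetworkFilterEnabled"))
    return res.get("defaultAction") == "Deny"

def audit(subnet, res):
    """Return a list of findings; an empty list means the path is locked down."""
    findings = []
    endpoints = {e["service"] for e in subnet.get("serviceEndpoints", [])}
    if res["type"] not in endpoints:
        findings.append("subnet has no service endpoint for " + res["type"])
    if subnet["id"].lower() not in allowed_subnets(res):
        findings.append("resource firewall has no rule for the subnet")
    if not other_networks_denied(res):
        findings.append("resource firewall still accepts all networks")
    return findings

if __name__ == "__main__":
    for res in (service_bus, cosmos):
        print(res["type"], audit(subnet, res) or "OK")
```
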

 

@rohanislam Thanks. 

 

I kinda guess that would be the case with PaaS to PaaS. So on that basis, I don't need to worry about traffic between the WebApp and ServiceBus/Cosmos passing over public internet? 

 

So we only need to be concerned with resources in the vnet, such as VMs, for which I would need to enable service endpoints.

 

 

 

@JacksWastedLife Yes, that's correct.

 

Please keep in mind that if you want to allow access from on-prem, the traffic is either routed via the internet or an ExpressRoute MS peering session, depending on your infrastructure setup. So it is very critical to configure the Firewall and vNet option properly.

 

 

Thanks,

Rohan