Understanding Outbound Data Transfer for Azure App Service Plan - azure

For the purpose of migrating a very small business web application from on-premise to Azure PAAS service environment, We have identified the below tentative solution..
Use Azure Storage Account to Host the front end (Angular SPA).
Use App Service Plan to run the Back-End Spring Boot Application.
Use Application Gateway V2 (with WAF) as public end point which will re-route traffic to both Storage account and App Service (SSL will be hosted in Gateway as it is the public endpoint)
Use Azure SQL Server as database.
Use VPN gateway Site to Site connection from Azure service to on-premise for out going SFTP file transfer.(very small in size).
But it seems App Service Plan will not be placed within the Application VNET, and hence a VNET integration from Azure service to Application VNET is first required to enable the VPN connectivity. Ours is a very small application with no HA or other multi zone/region requirements, hence using dedicated ASE (Azure Service Environment) is not feasible for us. Since the communication with App Service is not going to be local to application VNET, we are trying to under stand the concept of term 'Out bound data transfer (specifically which are charged and not)' in Azure networking, with respect to the above PAAS services.
Does the traffic from Application Gateway (in Application VNET) to Azure Service (Plan) are considered outbound data transfer?
If there a VNET integration is in place from Azure Service to application VNET, does the traffic going out of Azure service to application VNET is considered outbound data transfer?

From this article, we know that
Outbound data transfer: The first 5 GB per month of outbound data
transfer is free for all Azure zones, but following that the Azure
pricing tiers will kick in based on various slabs (5–10 TB, then 40TB,
100TB, 350TB, and then everything above 500 TB).
This charge should be considered if the applications deployed in Azure
are accessed over the internet. For example, when downloading data
from Azure storage accounts or websites, accessing VMs over RDP and
SSH will incur charges as data is being transferred out of an Azure
data center.
Another scenario where these charges will be applied is with hybrid
connectivity through VPN or ExpressRoute. For VPNs, the outbound data
from the VPN Gateways will be billed at outbound data charge rates.
For ExpressRoute, outbound data transfers are chargeable for metered
data plans, and the cost will vary based on the selected plan.
To your questions:
The traffic from Application Gateway (in Application VNET) to Azure Service (Plan) would be considered outbound data transfer
because if the backend pool is a public endpoint (azure app service), the application gateway uses its frontend public IP to reach the server. If there isn't a frontend public IP address, one is assigned for the outbound external connectivity. Read How an application gateway routes a request. Also, it would be charged if you have an application getaway and app service plan in different regions.
With VNet integration, the app service is connected to both a VNet and the Internet. The traffic going out of Azure service to application VNET would not be considered outbound data transfer
because the traffic usually goes over the Azure backbone network and the VMs that hosting your web app is assigned a private IP address from that integrated subnet. These IP addresses are used for outbound connectivity. You would also be charged if deployed all resources across regions(for this, you may use gateway-required VNet integration).
If you're interested, you could read that other Azure services can reduce your cloud costs.

Related

App Service VNET integration for outbound traffic: can it reach Internet endpoints?

I deploy my web application to an App Service instance on Premium tier. My web application makes outbound requests to external resources on the Internet.
In order to secure the connection with one of these external resources so I can reach it with a private IP address, my plan is to create a Site-to-Site VPN from Azure to Oracle Cloud Infrastructure (where the external resource resides). Then, I plan to use the VNET Integration for outbound traffic and connect my App Service to my VPN.
My question is - will the web application still be able to reach the other external resources on the Internet with their public IPs? I believe the answer is related to routing tables but I can't wrap my mind around it.
Just because you integrate a Regional VNet (I'm assuming) doesn't mean the app service won't be able to make outbound connections. Pretty much like
When you integrate your app service with your VNet that has the site-to-site VPN, traffic from your app service will traverse the Azure network rather than going out to internet, assuming your app service is using an RFC1918 address for your infrastructure. If you want to secure the traffic even further, then your app service would need to be hosted inside an App Service Environment

Application Gateway vs Front Door

I am working on following architecture.
We are following hub and spoke topologies
We are looking at having two Application Gateways (1 in the Hub and 1 in the Lab)
a. They really need an App Gateway in the HUB?
b. And Whether customer can consider having may be Azure Front Door in replacement for the App Gateway.
Has anyone done any critical research around this, any case studies or reference Architecture on the same? Any thought?
Azure Application gateway is a regional load-balancing service that distributes traffic within virtual networks across virtual machines (VMs) or zonal and zone-redundant service endpoints within a region.
Whereas Azure Front Door is a global load-balancing service that distributes traffic across regional backends, clouds, or hybrid on-premises services to the closest available backend.
If your hub and spokes are in the same region and you want to load balance traffic between them, you can go with Azure Application gateway.
Refer : https://learn.microsoft.com/en-us/azure/architecture/high-availability/ref-arch-iaas-web-and-db
If your hub and spokes are in different regions and you want to load balance traffic between them, you can go with Azure Front Door.
Refer : https://learn.microsoft.com/en-us/azure/architecture/example-scenario/signalr/#azure-front-door
If you would like to load balance or route traffic within a virtual network or internally, you can use a combination of Application gateway and Front Door OR use the latest Azure Front Door Premium tier where you can enable Private Link to connect to origins behind an internal load balancer over a private endpoint.
Refer : https://learn.microsoft.com/en-us/azure/architecture/example-scenario/multi-saas/multitenant-saas
https://learn.microsoft.com/en-us/azure/frontdoor/private-link
So, it all comes down to your requirement. You can configure any of the below:
1 Application gateway to load balance the traffic in the same region
1 Azure Front Door to load balance traffic between different regions
2 Application gateways and 1 Azure Front Door Classic to load balance
internal traffic in different regions
1 Azure Front Door Premium with private endpoint to load balance internal traffic in different
regions

Does an Azure vnet affect performance

Does an Azure Vnet improve or degrade performance compared to a connection via public endpoint?
By performance I mean latency or throughput.
For example when connecting from a web app to a database.
If communicating resources are on the same VNet OR in VNets that are on the SAME Azure Region, there will be NO degradation.
On the oder hand, if the peer VNets are on different Azure Regions, there will be degradation because the peers are in different data centers.
Vnets are primarily used to add an additional layer of security. They do not offer performance benefits - but if you use Vnet connectivity in any part of your application then you need to be aware of the correct configuration to avoid (unnecessary) degradation.
Lets' say for example you have a simple web app made up of an App Service instance with a SQL Database. If you connect your App to a Vnet to access some on-premise resource (via VPN or Expressroute), and that vnet is configured with forced tunnelling to on-premise then you will have degradation: Traffic from the web app to SQL db is getting hair-pinned via your on-premise network. If you then set-up a Service Endpoint for the SQL database on your VNet, the traffic will stay in Azure and you will get optimal routing Source. However it won't be any faster than if you had no VNet.
For a more detailed explanation take a look at this blog: Improve security and performance with Virtual Network Service Endpoints and Firewalls for Azure Storage

Access on-premise server from app service

We have set up a VPN gateway and used it to connect an on-premise network with an Azure VNet. We have successfully tested a number of scenarios
communication from VMs to on-premise DBs
communication from on-premise computers (desktops and servers) to VMs (SSH etc.)
communication from on-premise computers (desktops and servers) to services with Private Link endpoints (App Serivces, DBs etc.).
The use-case we are now attempting is to access an on-premise DB from an app-service. I have integrated the app-service to the routed VNet and also added a service endpoint to this VNet. I have seen infos that this should work but it is not getting though.
A second question is what is the actual source ip of the app-service when it connects to the on-premise server. Surely not the outbound IPs? These are non-exclusive public IPs. Opening these on our VPN firewall would be a risk. In this case is the solution to also give the app service in question a private link endpoint. Will it's source IP then be the private IP of the PL?
Private Endpoint is only used for incoming flows to your Web App. Outgoing flows will not use this Private Endpoint, but you can inject outgoing flows to your network in a different subnet through the VNet integration feature. When you enable Private Endpoint to your Web App, the access restrictions configuration of the Web App is not evaluated. So in this case, I don't think you need to set the service endpoint Microsoft.Web for your web app if you have set it. Reference from using Azure private endpoint for Azure web app.
When regional VNet Integration is enabled, your app makes outbound calls to the internet through the outbound addresses that are listed in the app properties portal. Regional VNet Integration works by mounting virtual interfaces with addresses in the delegated subnet. If WEBSITE_VNET_ROUTE_ALL is set to 1, all outbound traffic can be sent into your VNet. So the source IP address will be from the integrated subnet when app service comes to the on-premise server as the #silent's comment. Reference from how regional VNet Integration works. Please note that the feature supports only one regional VNet Integration per App Service plan.

Can Azure App Services have fixed MAC addresses?

I've got an Azure app service that I'd like to use to run some software that requires licensing. The license is provided via a server on our internal network. The issue being finding a way to connect to this server.
The first option is to provide a fixed license that ties to the MAC address. However I don't think this will be possible from an app service, as it does not really have a MAC address? Can I provide a VNI to it and obtain a fixed MAC address that way?
What other options are there? Can the app service be tied to a VNET that can tunnel to the on-premises resource? Should I use a VM with a VNI instead of an app service? Any resources on these kind of problems would be appreciated.
I have used Azure Relay to connect my on-prem service with my app service. Not sure if you have already considered this option.
If your requirement is to establish a connection between your on-prem service and you app service, check out this https://learn.microsoft.com/en-us/azure/service-bus-relay/relay-what-is-it
Hope this helps
You could use VNet Integration with Azure App service and Azure VPN gateway to connect to on-premise resources. VNet Integration is used only to make outbound calls from your app into your VNet. There are Regional VNet Integration and Gateway-required VNet Integration.
How regional VNet Integration works
Regional VNet Integration works by mounting virtual interfaces with
addresses in the delegated subnet. Because the from address is in your
VNet, it can access most things in or through your VNet like a VM in
your VNet would. The networking implementation is different than
running a VM in your VNet. That's why some networking features aren't
yet available for this feature.
How gateway-required VNet Integration works
Gateway-required VNet Integration is built on top of point-to-site VPN
technology. Point-to-site VPNs limit network access to the virtual
machine that hosts the app. Apps are restricted to send traffic out to
the internet only through Hybrid Connections or through VNet
Integration. When your app is configured with the portal to use
gateway-required VNet Integration, a complex negotiation is managed on
your behalf to create and assign certificates on the gateway and the
application side. The result is that the workers used to host your
apps are able to directly connect to the virtual network gateway in
the selected VNet.
For more information, you could read this blog---How to Connect Azure Web Apps To On-Premises
In addition, If you need more control of the application deployment and less scale out or in than the Azure app service. You could host your application on the Azure VM, then set up a VPN gateway in that VNet where Azure VM locate, it allows access to the on-premise resources from your Azure VM as usual in the internal network.

Resources