Azure App Service - VNet Integration vs Private Endpoint vs Hybrid Connection - azure

I have a .NET Web API running in Azure App Service. It needs to connect to the RabbitMQ service running on my On-Prem server. How should I establish that connection between Azure App Service and RabbitMQ service port?
Do I need to whitelist the outbound IP addresses of Azure App Service in my firewall for this change?

The outbound IP addresses of Azure App Service might change; see when it will change.
So you could have two options:
Hybrid connection.
It makes outbound calls to Azure over port 443. Hybrid Connections provides access from your app to a TCP endpoint and does not enable a new way to access your app. As used in App Service, each Hybrid Connection correlates to a single TCP host and port combination.
VNet integration and VPN gateway. With these methods, you can access the RabbitMQ service in a private network with a point-to-site or site-to-site VPN connection. VNet Integration is used only to make outbound calls from your app into your VNet. It doesn't grant inbound private access to your app from the VNet. In this case, if you want to use Private Endpoints for Azure Web App, then you need to either integrate with Azure DNS Private Zones or manage the private endpoint in the DNS server used by your app.

Related

App Service VNET integration for outbound traffic: can it reach Internet endpoints?

I deploy my web application to an App Service instance on Premium tier. My web application makes outbound requests to external resources on the Internet.
In order to secure the connection with one of these external resources so I can reach it with a private IP address, my plan is to create a Site-to-Site VPN from Azure to Oracle Cloud Infrastructure (where the external resource resides). Then, I plan to use the VNET Integration for outbound traffic and connect my App Service to my VPN.
My question is - will the web application still be able to reach the other external resources on the Internet with their public IPs? I believe the answer is related to routing tables but I can't wrap my mind around it.
Just because you integrate a Regional VNet (I'm assuming) doesn't mean the app service won't be able to make outbound connections. Pretty much like
When you integrate your app service with your VNet that has the site-to-site VPN, traffic from your app service will traverse the Azure network rather than going out to the internet, assuming your app service is using an RFC1918 address for your infrastructure. If you want to secure the traffic even further, then your app service would need to be hosted inside an App Service Environment.

Access on-premise server from app service

We have set up a VPN gateway and used it to connect an on-premise network with an Azure VNet. We have successfully tested a number of scenarios
communication from VMs to on-premise DBs
communication from on-premise computers (desktops and servers) to VMs (SSH etc.)
communication from on-premise computers (desktops and servers) to services with Private Link endpoints (App Services, DBs etc.).
The use-case we are now attempting is to access an on-premise DB from an app-service. I have integrated the app-service to the routed VNet and also added a service endpoint to this VNet. I have seen info that this should work, but it is not getting through.
A second question is what the actual source IP of the app-service is when it connects to the on-premise server. Surely not the outbound IPs? These are non-exclusive public IPs. Opening these on our VPN firewall would be a risk. In this case, is the solution to also give the app service in question a private link endpoint? Will its source IP then be the private IP of the PL?
Private Endpoint is only used for incoming flows to your Web App. Outgoing flows will not use this Private Endpoint, but you can inject outgoing flows to your network in a different subnet through the VNet integration feature. When you enable Private Endpoint to your Web App, the access restrictions configuration of the Web App is not evaluated. So in this case, I don't think you need to set the service endpoint Microsoft.Web for your web app if you have set it. Reference from using Azure private endpoint for Azure web app.
When regional VNet Integration is enabled, your app makes outbound calls to the internet through the outbound addresses that are listed in the app properties portal. Regional VNet Integration works by mounting virtual interfaces with addresses in the delegated subnet. If WEBSITE_VNET_ROUTE_ALL is set to 1, all outbound traffic can be sent into your VNet. So the source IP address will be from the integrated subnet when the app service comes to the on-premise server, as noted in #silent's comment. Reference from how regional VNet Integration works. Please note that the feature supports only one regional VNet Integration per App Service plan.
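The following is an added example, not code from any of the answers on this page. It models the two points made in the answer about VNet integration and Internet egress (RFC1918 destinations go into the VNet, everything else goes out via the shared public outbound IPs unless route-all is on) and in the answer just above about the source address an on-premises firewall actually sees (an address from the delegated subnet, never the Private Endpoint IP). The integration subnet, the RabbitMQ host, the public outbound IPs and the firewall log lines are all constructed values chosen for illustration; the rule-evaluation logic is a simplified stand-in for a real firewall, not an Azure API.

```python
"""Where an App Service's outbound flows come from, and what an on-prem
firewall should allow-list once regional VNet integration is in place.
All addresses below are constructed for this example."""
import ipaddress
import re

# Assumed values (not from the page): the subnet delegated to regional
# VNet integration, the on-prem RabbitMQ host/port, and the app's shared
# public outbound IPs as listed under the app's Properties blade.
INTEGRATION_SUBNET = ipaddress.ip_network("10.240.1.0/24")
ONPREM_RABBITMQ = ipaddress.ip_address("192.168.50.10")
RABBITMQ_PORT = 5672
PUBLIC_OUTBOUND_IPS = {ipaddress.ip_address(a) for a in ("20.50.60.70", "20.50.60.71")}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def egress_path(dst: str, route_all: bool) -> str:
    """Which way a flow leaves the app, per the model in the answers above:
    RFC1918 destinations are sent into the integrated VNet (and so reach the
    VPN tunnel); any other destination leaves via the shared public outbound
    IPs unless WEBSITE_VNET_ROUTE_ALL=1 forces everything into the VNet."""
    d = ipaddress.ip_address(dst)
    if route_all or any(d in net for net in RFC1918):
        return "vnet"
    return "internet"


def firewall_rule_for_app() -> dict:
    """The single on-prem firewall rule to add: allow only the delegated
    subnet to reach RabbitMQ. The public outbound IPs are multi-tenant and
    can change, so they are deliberately absent from the rule."""
    return {"src": str(INTEGRATION_SUBNET), "dst": str(ONPREM_RABBITMQ),
            "dport": RABBITMQ_PORT, "proto": "tcp", "action": "allow"}


LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def evaluate(line: str) -> str:
    """Classify one constructed firewall log line under the rule above.
    'allow' only when the source is inside the integration subnet and the
    target is the RabbitMQ port; a source equal to one of the app's shared
    public outbound IPs is called out separately so it is visible why a
    flow failed (route-all off, or VNet integration not actually in use)."""
    m = LOG_RE.search(line)
    if not m:
        return "unparsed"
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    dport = int(m["dport"])
    if dst != ONPREM_RABBITMQ or dport != RABBITMQ_PORT:
        return "deny"
    if src in PUBLIC_OUTBOUND_IPS:
        return "deny-shared-public-ip"
    if src in INTEGRATION_SUBNET:
        return "allow"
    return "deny"


# Constructed log lines: one good flow, one from a shared public outbound
# IP, one to the wrong port, one from a subnet that is not delegated.
SAMPLE_LOG = [
    "src=10.240.1.7 dst=192.168.50.10 dport=5672 proto=tcp",
    "src=20.50.60.70 dst=192.168.50.10 dport=5672 proto=tcp",
    "src=10.240.1.7 dst=192.168.50.10 dport=22 proto=tcp",
    "src=10.240.9.9 dst=192.168.50.10 dport=5672 proto=tcp",
]

if __name__ == "__main__":
    print(firewall_rule_for_app())
    for line in SAMPLE_LOG:
        print(evaluate(line), "<-", line)
    print(egress_path("192.168.50.10", route_all=False))  # vnet
    print(egress_path("52.1.2.3", route_all=False))       # internet
```

One caveat a practitioner should check rather than assume: whether route-all is on for a given app depends on when it was created and on its configuration, so confirm the setting before relying on the "RFC1918 only" behaviour modelled in `egress_path`. Either way, the allow-list on the on-premises side should name the delegated subnet, not the outbound IPs from the portal.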

What are some Architecture design consideration while choosing Azure HCM over Azure VPN S2S connection for application hosted on Azure App Service?

I am trying to deploy Hybrid Application on Azure. My Application will be hosted on Azure Cloud App Service and Database will be on company's private DC. I have some question on optimal architecture or optimum architecture solution on Azure in this scenario. I have an option to use VPN S2S connection or Azure Application Service Hybrid Connection Manager (HCM).
Since they both establish a connection over the public Internet, they both will suffer from multiple-hop connections and probably no SLA guarantees.
So what are the design considerations when choosing one over the other, and when would I choose Hybrid Connection Manager (HCM) over VPN Site-to-Site (S2S) when establishing hybrid connectivity from an Azure hosted Application (PaaS) to the on-premise DB? Which one is faster?
As far as I know, in the case of a connection from your app service to the on-premise database, the HCM feature of App Service is easier to deploy and needs no gateway, compared with Azure App Service over a Site-to-Site (S2S) connection. It's enough to use it for connecting to resources in a remote network. It securely makes outbound calls to Azure over port 443.
Each Hybrid Connection correlates to a single TCP host and port combination. It simply provides network access. See App Service Hybrid Connection benefits and Things you cannot do with Hybrid Connections
However, if you're using Azure App Service with a virtual network and VPN connection, it makes a private connection from your web app service to your database and gives you more control of your network security rules. Also, there is a preview feature to use Private Endpoints for Azure Web App.
You can use Private Endpoint for your Azure Web App to allow clients located in your private network to securely access the app over Private Link. The Private Endpoint uses an IP address from your Azure VNet address space. Network traffic between a client on your private network and the Web App traverses over the VNet and a Private Link on the Microsoft backbone network, eliminating exposure from the public Internet.

How to allow users over VPN to access Azure Web App

We have an Azure Web App and Azure VPN, we've locked down the web app so it's accessible internally only by granting/restricting access via IP addresses (via Access Restrictions page). However users over our VPN are not able to access the web app - when they connect over VPN, the user's external IP address is not from our internal network. We do not want to whitelist everyone's IP address.
If we had the internal IP address of the web app, we have a few options we could try, but we assume this is not available to us.
How would we allow access to a web app for users over a VPN?
Is this something API Management would solve?
If you don't want to whitelist everyone's IP address, you could front-end the Web App with an Azure Application Gateway and restrict access to the Web App such that only connections from the Gateway are allowed.
Azure Application Gateway is a web traffic load balancer. It can have a public frontend, a private frontend, or both, and it must be deployed in a dedicated subnet. The subnet also supports restricting inbound and outbound network traffic with an NSG. In this case, you can deploy a private App GW; the users over VPN will then send their HTTP/HTTPS requests to the App GW frontend, the App GW receives the requests via a Listener and routes the traffic to the appropriate backends based on the routing rules. An application gateway can communicate with on-premises servers when they're connected by Azure ExpressRoute or VPN tunnels, if traffic is allowed. See supported backend pools and how an application gateway works.
You could get more references from the third way in this blog.

What ip address do you use to connect to a VM from a Web App through point-to-site VNET Integration?

I have a .Net Web API deployed as a Web App and am trying to connect it to a MySQL db on a VM in a virtual network, but it's responding with a 500 internal server error.
My VNET just consists of one VM with no DNS or site-to-site configuration.
The preview portal says VNET Integration is connected, my certificates are in sync and the gateway is online.
I gave my VM a static IP address which I'm using in my web.config connection string, thinking requests would be routed through the gateway to the VM, but according to my general mysql log there aren't any connection attempts to the mysql server.
The address I gave my VM is within the range of addresses being routed to the VNET, and I set up an endpoint on the VM for the port I'm trying to connect to mysql on with an access rule that allows all connections, so I'm not sure why the connection doesn't appear to be getting through the gateway to my VM.
You may check this link which provides instructions on how to connect Azure App Service - Web App with Azure Virtual Network, so that it can use resources visible within network itself:
https://azure.microsoft.com/en-us/documentation/articles/web-sites-integrate-with-vnet/
App Service supports three ways to connect to VNETs.
ASE - (App Service Environment) is a dedicated Cloud Service that includes all the needed pieces for App Service and as such can be joined to a VNET. A good starting point on ASE is this blog (https://azure.microsoft.com/en-us/blog/introducing-app-service-environment/).
Hybrid Connections - an agent based way to punch an application specific "wormhole" through network boundaries (https://azure.microsoft.com/en-us/documentation/articles/integration-hybrid-connection-overview/)
Virtual Networks - a way to "dial up" from an App Service App into a network (https://azure.microsoft.com/en-us/documentation/articles/web-sites-integrate-with-vnet/)