I have an Azure function under an ExpressRoute subscription that is trying to connect to an on-prem database, but fails to do so.
Is it possible to use Azure functions within ExpressRoute?
Thanks!
An Azure Function can be deployed on an App Service Environment. The App Service Environment is deployed on your own VNET which can have access to on-prem resources via ExpressRoute.
If you don't want to pay for an App Service Environment, you can deploy your Function on a dedicated App Service Plan and then use Hybrid Connections to connect to on-prem, or integrate the Function App to your VNET and create a Site-to-Site VPN to on-premises. These last 2 options, however, won't go through ExpressRoute.
All 3 options are described here. You just need to deploy your Azure Function to an App Service Plan to get same features as an App Service.
HTH
Not without setting up a dedicated router virtual appliance (e.g. a Cisco ASA VM from the Azure marketplace). Microsoft will say "not supported", but we were able to get it working in this manner.
I am currently setting up an Azure logic app with an AS2 connector.
Now I am being asked to connect to the partner via VPN. From googling I think that is possible to somehow add the logic app to a VNET and then setup a site-to-site VPN gateway.
It is my first time to work with either Logic apps or AS2.
Question:
Is it possible to setup an Azure logic app with AS2 connector that connects through a VPN?
How might I do it?
Yes, it's possible.
First of all, you need to connect to Azure virtual networks from Azure Logic Apps by using an integration service environment (ISE). With ISE, you deploy the Logic Apps service into your virtual network.
When you create a logic app or integration account, select your ISE as their location. Your logic app or integration account can then directly access resources, such as virtual machines (VMs), servers, systems, and services, in your virtual network. This virtual network can be an existing VNet that has a VPN connection to the partner or you can select an Azure VNet as a peer for your environment.
You may note those prerequisites before you deploy ISE: your ISE needs four empty subnets that aren't delegated to any service. You can also optionally set up NSGs to filter network traffic across subnets.
Here is a detailed explanation in this blog: Introducing Azure Logic Apps Integration Service Environment (ISE).
For more references: https://learn.microsoft.com/en-us/azure/logic-apps/connect-virtual-network-vnet-isolated-environment-overview
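The prerequisite mentioned in the answer above (four empty subnets with no service delegation) is easy to get wrong on a VNet that already carries a gateway, VMs and delegated subnets. The following is an added example, not code from the original post or from Microsoft: it takes the `subnets` array in the shape returned by `az network vnet show` and reports which subnets qualify for an ISE and why the others do not. The sample VNet is constructed, and the minimum prefix length (/27) is an assumption made here rather than something the post states.

```python
"""Pre-flight check for the ISE subnet prerequisite: four empty, non-delegated subnets.

Input mirrors the `subnets` array of `az network vnet show`. Sample data is constructed.
"""
import ipaddress

ISE_SUBNETS_REQUIRED = 4
MIN_PREFIX_LEN = 27  # assumption: treat anything smaller than /27 as too small for an ISE subnet

# Constructed sample VNet: one subnet in use by a VM NIC, one delegated to ACI,
# three clean /27s and one clean but undersized /28.
SAMPLE_VNET_SUBNETS = [
    {"name": "vm-tier", "addressPrefix": "10.10.0.0/24", "delegations": [],
     "ipConfigurations": [{"id": "nic-web-01-ipconfig"}]},
    {"name": "ise-1", "addressPrefix": "10.10.1.0/27", "delegations": [], "ipConfigurations": None},
    {"name": "ise-2", "addressPrefix": "10.10.1.32/27", "delegations": [], "ipConfigurations": None},
    {"name": "ise-3", "addressPrefix": "10.10.1.64/27", "delegations": [], "ipConfigurations": None},
    {"name": "aci", "addressPrefix": "10.10.2.0/24",
     "delegations": [{"serviceName": "Microsoft.ContainerInstance/containerGroups"}],
     "ipConfigurations": None},
    {"name": "ise-4", "addressPrefix": "10.10.1.96/28", "delegations": [], "ipConfigurations": None},
]


def find_ise_candidate_subnets(subnets, gateway_subnet_name="GatewaySubnet"):
    """Return (usable, rejected): usable subnet names, and name -> reason for the rest."""
    usable, rejected = [], {}
    for s in subnets:
        name = s["name"]
        if name == gateway_subnet_name:
            # The VPN/ExpressRoute gateway subnet can never host anything else.
            rejected[name] = "reserved for the VPN/ExpressRoute gateway"
            continue
        if s.get("delegations"):
            services = ", ".join(d.get("serviceName", "?") for d in s["delegations"])
            rejected[name] = f"delegated to {services}"
            continue
        if s.get("ipConfigurations"):
            # Any attached NIC/private endpoint means the subnet is not empty.
            rejected[name] = f"already has {len(s['ipConfigurations'])} attached IP configuration(s)"
            continue
        net = ipaddress.ip_network(s["addressPrefix"], strict=False)
        if net.prefixlen > MIN_PREFIX_LEN:
            rejected[name] = f"/{net.prefixlen} is smaller than the assumed /{MIN_PREFIX_LEN} minimum"
            continue
        usable.append(name)
    return usable, rejected


def ise_ready(subnets):
    """True when the VNet offers at least the four subnets an ISE needs."""
    usable, _ = find_ise_candidate_subnets(subnets)
    return len(usable) >= ISE_SUBNETS_REQUIRED


if __name__ == "__main__":
    ok, bad = find_ise_candidate_subnets(SAMPLE_VNET_SUBNETS)
    print("usable:", ok)
    for name, why in bad.items():
        print(f"rejected {name}: {why}")
    print("ISE ready:", ise_ready(SAMPLE_VNET_SUBNETS))
```

Run it against the real output of `az network vnet show --query subnets` after the subnets are created; a VNet that passes here still needs its NSGs to permit the ISE's own traffic, which the linked overview describes.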
Can Azure Functions be deployed inside a VNet?
If I created an App Service Environment in a VNet and then picked that App Service Plan when creating the Function, would that mean that the Azure Function is deployed inside the VNet and has the same restrictions etc. as defined by the VNet?
Yes, you can host an Azure function on an Azure App Service Environment, which provides a fully isolated and dedicated environment for securely running App Service apps or your functions. You will have fine-grained control over inbound and outbound application network traffic, so it can be restricted by network security groups.
ASEs are isolated to running only a single customer's applications and are always deployed into a virtual network. Customers have fine-grained control over inbound and outbound application network traffic. Applications can establish high-speed secure connections over VPNs to on-premises corporate resources.
VNet Integration with Azure function is a feature to use Azure Functions to connect to resources in an Azure virtual network. VNet Integration is only for making outbound calls from your app into your VNet.
In this case, you just need to deploy your Azure function in a VNet with ASE instead of VNet integration. Read Services that can be deployed into a virtual network
Yes, it can be deployed inside a VNet. I would recommend you go through the documentation: integrate Functions with an Azure virtual network
An Azure Function can be deployed on an App Service Environment. The App Service Environment is deployed on your own VNET which can have access to on-prem resources via ExpressRoute.
I have been messing around with Azure trying to get a web app up and running. My plan was to create a WAF and site the web app behind that, each in a separate subnet, and then to use the service endpoint tech to point the web app to a database.
I have been stopped in my tracks almost straight away with the revelation that if I want to use a WAF in front of the web app I have to configure the networking in the web app, but when I choose a VNet it says that no gateway is configured for the selected VNet.
My question being: do I have to use point-to-site VPN to get this setup working? I thought that it would work like
INTERNET ---> VNET ----> subnet ----> WAF -----> subnet -----> web app ----> service endpoint ------> DB
but that doesn't seem to be the case. I am not keen on the idea of having to install a client certificate on every machine in our network that might want to access this website (it is currently internal). I suppose I am looking for the best of both worlds: accessible from the internet but having the added comfort of having something like a WAF sat in front of it to make up for any security inadequacies which might exist somewhere in said app.
Thanks
As far as I know, you could not deploy a web app in a VNet unless you are using the App Service Environment (Isolated). App VNet integration could not do it; it allows you to securely access resources in a VNet. For example, you have a database on an Azure VM in a private VNet. You could not access this database from an Azure web app if it is not publicly available, but you could reach it via app VNet integration.
VNet service endpoints are a different service. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. If you enable such a service endpoint for, say, Azure SQL Database (which differs from a database on Azure VMs) in a VNet, this means only the resources in these authorized VNets could access your SQL database unless you add an exclusion like a public IP address in the firewall of the database.
In this case, you could put a public-facing Azure application gateway in front of the web app service, then add the application gateway's public IP in the IP restrictions of the web app. This will restrict access to the web app to traffic coming via the Azure application gateway over the Internet. Also, you could control the network inbound and outbound in the application gateway subnet NSG. See Network security groups on the Application Gateway subnet if you want to add an NSG at the app gateway subnet level. I think these are enough if you just want to create a WAF and site the web app behind that.
Furthermore, if you want the web app to access the Azure SQL database privately, you could deploy the web app in an ASE, then enable the VNet service endpoint for Azure SQL Database. App VNet integration does not need to be used with the service endpoint.
If you want to use Azure WAF with Azure App Service (multi-tenant) you can, you just need to ensure you are supplying the host header with your request.
If you want your Azure Web App on a VNet, you will need to run your Azure Web App on an App Service Environment (Isolated). This version of Azure Web App is more expensive but allows you to apply NSGs to the VNet to fully control access to your web app. Personally I think WAF w/ Azure App Service (multi-tenant) should meet your needs.
We have it all documented here:
https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-web-app-overview
https://learn.microsoft.com/en-us/azure/application-gateway/configure-web-app-portal
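Both answers above rely on the same two settings to make the WAF meaningful on a multi-tenant App Service: the web app's IP restrictions must admit only the Application Gateway's frontend IP (otherwise anyone can skip the WAF by calling `<app>.azurewebsites.net` directly), and the gateway's backend HTTP settings must override the Host header. The following audit script is an added example, not code from either answer or from Microsoft. Its inputs mirror the JSON shapes of `az webapp config access-restriction show` and `az network application-gateway http-settings show`; the sample documents, IP addresses and rule names are constructed.

```python
"""Audit a multi-tenant App Service that sits behind an Application Gateway WAF.

Two checks: (1) the app's IP restrictions allow only the gateway's frontend IP,
including the SCM/Kudu site; (2) the gateway overrides the Host header so
App Service can route the request. Inputs mirror `az` CLI output; samples are constructed.
"""
import ipaddress
import json

# Constructed: what `az webapp config access-restriction show` returns after
# `az webapp config access-restriction add --rule-name AllowAppGw --action Allow
#   --ip-address 20.0.0.10/32 --priority 100`. Azure appends the implicit "Deny all".
SAMPLE_GOOD = json.loads("""{
  "ipSecurityRestrictions": [
    {"name": "AllowAppGw", "action": "Allow", "ipAddress": "20.0.0.10/32", "priority": 100},
    {"name": "Deny all", "action": "Deny", "ipAddress": "Any", "priority": 2147483647}
  ],
  "scmIpSecurityRestrictions": [
    {"name": "Allow all", "action": "Allow", "ipAddress": "Any", "priority": 2147483647}
  ],
  "scmIpSecurityRestrictionsUseMain": true
}""")

# Constructed: a web app where no rule was ever added. The default "Allow all"
# stands, so the WAF is bypassable, and the Kudu site is open as well.
SAMPLE_OPEN = json.loads("""{
  "ipSecurityRestrictions": [
    {"name": "Allow all", "action": "Allow", "ipAddress": "Any", "priority": 2147483647}
  ],
  "scmIpSecurityRestrictions": [
    {"name": "Allow all", "action": "Allow", "ipAddress": "Any", "priority": 2147483647}
  ],
  "scmIpSecurityRestrictionsUseMain": false
}""")


def audit_access_restrictions(config, appgw_frontend_ips):
    """Return a list of findings; an empty list means only the gateway can reach the app."""
    findings = []
    gateway_nets = [ipaddress.ip_network(ip, strict=False) for ip in appgw_frontend_ips]
    rules = config.get("ipSecurityRestrictions") or []
    allow_rules = [r for r in rules if r.get("action") == "Allow"]
    gateway_reachable = False
    specific_allow = False

    for rule in allow_rules:
        addr = rule.get("ipAddress")
        name = rule.get("name")
        if addr == "Any":
            gateway_reachable = True  # reachable, but so is everyone else
            findings.append(f"main site rule '{name}' allows Any: the WAF can be bypassed by calling the app directly")
            continue
        if not addr:
            # Rule keyed on a VNet subnet or service tag rather than an IP; not the pattern described.
            findings.append(f"main site rule '{name}' is not an IP rule; review it manually")
            continue
        specific_allow = True
        net = ipaddress.ip_network(addr, strict=False)
        if any(net.subnet_of(gw) for gw in gateway_nets):
            gateway_reachable = True
        else:
            findings.append(f"main site rule '{name}' allows {addr}, which is not the gateway's frontend address")

    if not gateway_reachable:
        findings.append("no allow rule covers the Application Gateway frontend IP; traffic via the WAF would be denied")
    if specific_allow and not any(r.get("action") == "Deny" and r.get("ipAddress") == "Any" for r in rules):
        findings.append("no 'Deny all' fallback present behind the specific allow rules")

    # The SCM (Kudu) site has its own rule set unless told to reuse the main one.
    if not config.get("scmIpSecurityRestrictionsUseMain", False):
        scm_rules = config.get("scmIpSecurityRestrictions") or []
        if any(r.get("action") == "Allow" and r.get("ipAddress") == "Any" for r in scm_rules):
            findings.append("SCM (Kudu) site allows Any: the deployment endpoint is exposed to the Internet, bypassing the WAF")
    return findings


def backend_host_header_ok(http_settings):
    """App Service (multi-tenant) routes on Host, so the gateway must set it: either pick the
    host name from the backend address (<app>.azurewebsites.net) or supply an explicit hostName."""
    return bool(http_settings.get("pickHostNameFromBackendAddress")) or bool(http_settings.get("hostName"))


if __name__ == "__main__":
    for label, cfg in (("good", SAMPLE_GOOD), ("open", SAMPLE_OPEN)):
        print(label, audit_access_restrictions(cfg, ["20.0.0.10"]) or "OK")
    print("host header ok:", backend_host_header_ok({"pickHostNameFromBackendAddress": True}))
```

Feed it the live output of `az webapp config access-restriction show -g <rg> -n <app>` and the gateway's frontend IP; an empty finding list plus a passing host-header check is the state the two answers above are describing. Note that the restriction is by source IP only, so the gateway's frontend IP should be a static public IP, or the rule will silently stop matching after a reallocation.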
I have an on premise desktop application and I need it to hit Web APIs I have living in an App Service Web App (on an App Service Plan) in Azure.
My on premise resources are connected over a site to site VPN and I was wondering if there is a way I can call these Web API services(in an app service) directly over the VPN instead of going to the public endpoint.
The "normal" App Service Plan exists in a multi-tenant environment so this is not possible. You would need to use an ASE (App Service Environment) to use advanced networking features like VPN and NSG.
How do I connect to a database on-premises from an Azure WebJob or an Azure Function? Is this even possible?
I've been recently researching this and have found there are 3 avenues to connect app services to an on-prem database, as of today anyway:
Hybrid Connection, VNET Integration or App Service Environment
The latter 2 options require VPN or ExpressRoute (I think) connectivity to a cloud VNET. The VNET Integration option requires a separate VNET with a Point-to-Site gateway connecting to your existing VNET. The App Service Environment is a quite expensive option, as your App Service Plan is actually hosted inside your VNET, no longer being a shared host.