Develop Reference

Azure Linux Container Web App does not resolve name within the vnet using private DNS

vnet is connected to my Web App through which I can communicate with other services and applications. When I specify the internal IP of another application to my application, everything works fine. But now the task has come from the management to remake it to use the internal DNS server and internal DNS names. In Azure vnet, in the DNS servers settings, I specified the IP of my DNS servers. I added 168.63.129.16 - now work. If you connect Windows VM to the network everything works fine. Perhaps something needs to be added to the Dockerfile or Linux Container Web App settings so that integration with vnet and DNS works.

If your web application is integrated with the virtual network, your application would be able to communicate with the applications in the virtual network
After integrating your web application with the virtual network, you need to perform sync network action
Go to Azure portal --> Go to your App Service plan where the web app is hosted --> Under Networking, select Virtual Network Integration --> select Sync Network
Once the sync action is complete, you would be able to communicate with your internal application using the DNS name from your web application
Reference: Name resolution for resources in Azure virtual networks | Microsoft Docs

App service not working with on-premises VPN

I've been trying to set up an App Service which communicates with a server in our on-premises environment. I've set up everything regarding VNET, Local network gateway, Virtual network gateway, Point-to-Site and so on. I've also set up a Linux VM to enable testing, the VM can communicate with on-prem and on-prem reaches our VM.
I also connected the app service to the VNET and it is able to tcpping the VM. But I can't get the app service to communicate with the on-prem service.
In the App Service Plan everything looks normal, I can see all the subnets, site-to-site, point-to-site and that the certificates are in sync.
But when I look at the Networking for the App Service it does not show as connected and Azure says that the certificates are not in sync. Could this be one of the reasons why the App Service and the on-prem can't communicate? Do I have to add routes for the Point-to-Site to the on-prem network?

If the Networking for the App Service is working well it should show as connected and the certificates are in sync. One or more of the possible actions you could try:
Avoid picking IP address space that overlaps with other networks.
When the Site to Site VPN is first set up then the scripts used to configure it should set up routes including your Point-to-Site VPN. If you add the Point-to-Site VPN after you create your Site to Site VPN, then you need to update the routes manually.
If those certificates or network information is changed, then you need to click Sync Network to forcibly sync the certificate to ensure the security of the connection. NOTE: When you click Sync Network then you cause a brief outage in connectivity between your app and your VNet. While your app is not restarted, the loss of connectivity could cause your site to not function properly.
You can get more details from the VNet Integrations.
Update
If your VNet hosted VM can reach your on-premises system but your app can't then the reason is likely one of the following:
your routes are not configured with your point to site IP ranges in your on-premises gateway
your network security groups are blocking access for your Point-to-Site IP range
your on-premises firewalls are blocking traffic from your Point-to-Site IP range
you have a User Defined Route(UDR) in your VNet that prevents your Point-to-Site based traffic from reaching your on-premises network

How-To Configure Virtual Network Gateway in AZURE

I am using AZURE and have created several webapps and one Virtual Machine. I need all of them to be part of a virtual network so that cookies/and other packets transferred between them work properly. I created the VM and the network at the same time. But when I try to add networking to the webapps it shows the network but says that it does not have a gateway.
I don't know how to add a gateway to that VPN or how to make it work. Can anyone please help me?

You have to configure point to site in your virtual network before you can connect a web application to your vnet. Basically, you need to create a gateway and then configure point to site.
Since you already have a virtual network, follow steps 4 and 5 only:
Create a VNet with a Site-to-Site VPN connection using the Azure Portal
Later, configure P2S:
Configure a Point-to-Site connection to a virtual network using PowerShell
If everything goes right, you will be able to select the VNET in your app settings instead of a greyed item.
I wrote about this process a while ago and you can find my notes here.

How to connect Azure Web Sites to a Worker Role (TCP) through a (regional) vnet? Is it possible?

How would one make a TCP connection from an Azure PaaS hosted Web Sites to a Worker Role? That's deployed in one virtual network. Can this be done without opening an Input Endpoints, Internet facing port on the worker role? It looks like WebSites cannot currently be part of virtual network deployments as per Azure Virtual Network FAQ:
Can I use Windows Azure websites with Virtual Network? No. We do not support websites with virtual networks.
I'm new to Azure and playing with various configurations and it looks like this is something that could perhaps be done with the new regional vnets (and perhaps the internal load balancer), but then again there isn't really information around regarding this other than that they are on different virtual machines and in different networks and thus making them to communicate is a more involved process.
If it helps discussion, I have the following are the regional vnet configurations, which are used by the worker Xyz.ComputeRole. This role is the one accepting TCP connections.
<edit: I found a really good post regarding this matter Network Isolation Options for Machines in Windows Azure Virtual Networks. As it stands, it looks like I could open an Input Endpoint to the worker role and then restrict access to it only from the WebSites deployment. However, it looks like a lot of work to do, and hops over the networking elements like a load-balancer, and perhaps I'd need to find out the Web Sites deployment IP.
Am I off-base and there's a simple way to connect a WebSites to a Azure computer role via TCP connection?
Network configuration
<VirtualNetworkConfiguration>
<Dns>
<DnsServers>
<DnsServer name="XyzVnetDns" IPAddress="192.168.50.0" />
</DnsServers>
</Dns>
<VirtualNetworkSites>
<VirtualNetworkSite name="XyzVNet" Location="North Europe">
<AddressSpace>
<AddressPrefix>10.0.0.0/8</AddressPrefix>
</AddressSpace>
<Subnets>
<Subnet name="Sub1">
<AddressPrefix>10.0.0.0/11</AddressPrefix>
</Subnet>
</Subnets>
<DnsServersRef>
<DnsServerRef name="XyzVnetDns" />
</DnsServersRef>
</VirtualNetworkSite>
</VirtualNetworkSites>
Cloud service configuration
<NetworkConfiguration>
<VirtualNetworkSite name="XyzVNet" />
<AddressAssignments>
<InstanceAddress roleName="Xyz.ComputeRole">
<Subnets>
<Subnet name="Sub1" />
</Subnets>
</InstanceAddress>
</AddressAssignments>

You cannot add Azure Web Sites deployments to a VNet because there's no dedicated outbound IP address for Web Sites. This will also preclude you from setting up Access Control Lists (ACL's) on the worker role's input endpoints.
For Web Sites -> Worker Role (cloud service) security, you'd need to rely on something app-specific (maybe an SSL cert or something else).
By the way: regarding "a lot of work to do" for restricting access: Not sure exactly what you tried (or if you tried it), but it's trivial through the portal (just enter a subnet mask and... done), and very easy through command-line as well.

There are now two ways to connect to resources in your Azure VNET from your Azure Website. You can find details written up in several blogs.
The Hybrid Connections capability involves you downloading a relay agent that can access both Azure and your desired endpoint. This works for access to resources in your VNET or in any other network for that matter. You can install the agents on premise to enable TCP access to resources there. Each Hybrid Connection endpoint you define can only provide access to a single host:port. You can have 5 endpoints for free and if you need more you can pay to get them.
The VNET Integration capability allows you to access resource in your VNET. Under the cover it is using point to site technology to do this so your VNET needs a dynamic routing gateway and you need point to site to be enabled. If you also use site to site VPN to connect your on premise network to your VNET you can then access on premise resources.
None of these methods provide private access to your website. They only are intended to enable your website to access resource in other networks. Both features are also currently in preview and are being improved upon.
If you would like details on either there are a number of blogs and documents online. For an example you can refer to this one: using vnet or hybrid connections with Azure websites

Connect Azure Cloud Service in Virtual Network to Azure SQL database

I have an Azure Cloud Service (Worker Role) that needs to connect to my Azure SQL database and also connect to an external database.
In development the external database was on the public Internet and connectivity was not a problem.
However, the solution now needs to be deployed in a production environment and access to the external database is to be restricted by setting up a Virtual Network.
The Cloud Service, when deployed in the Virtual Network, gets an IP from the subnet, but seems to become inaccessible to the outside world, and is not connecting to the Azure SQL database (I also cannot RDP to it).
This seems to be beyond my level of understanding of networking, but I don't see why it should lose access to its neighbours in the Azure environment.
What am I missing? Do I need to get involved with Endpoints? Is the Virtual Network misconfigured?
Thanks in advance.

Your question is quite vague, in terms that it does describe the whole picture in the best possible way. Let me put my answer based on my understanding about your issue.
First of all - Azure virtual Network is Virtual Network. It is designed to enable secure cross-premisses connectivity with Windows Azure Data Center.
When you deploy a proper PaaS Cloud Service (Worker Role / Web Role) in a Virtual Network, the role instances get IP Addresses allocated from the defined DHCP pool (the VNet Definition).
When you deploy any service in an Azure Virtual Network you have to take care of Name Resolution! Meaning that, if you do not provide a proper DNS Server, your cloud instances will not be able to resolve any address. That includes Azure SQL Database servers. More on Name Resolution can be read here.
Next, but not less important - Azure SQL Database servers are not part of, and, as of March'2013, cannot be added to Azure Virtual Network!
The last statement means that in order for your Worker Role to access Azre SQL Database server, you need to provide a proper DNS server in your Azure Virtual Network.
And lastly, when you deploy a PaaS service into a Virtual Network, in order to access it via Remote Desktop need to:
* Properly enable and configure RDP extension. it will anyway create Input Endpoint. But this is the only way to enable RDP on PaaS right now;
* You could probably enable RDP via PowerShell startup script and access RDP via the VPN tunnel for the Virtual Network - say you configured a Site-to-Site or Point-to-site VPN for your Azure VNet.
Check the building cross-premises Virtual Network guide here.