Azure Web App for Windows with VNET integration - GA
We have been impatiently waiting for this to happen: you can now use virtual network integration for Azure App Service (Windows), as per the latest blog post https://azure.github.io/AppService/2020/02/27/General-Availability-of-VNet-Integration-with-Windows-Web-Apps.html . It was already available for production workloads on Windows with minor restrictions in the past, but now it is GA! This blog post is purely personal and includes my own thoughts and reflections; it should not be related to the views of the company I am linked to. Comments and discussions are very welcome!
What's new?
- We can now route outbound traffic to appliances or Azure Firewall to control it, and not only traffic to RFC1918 addresses.
- You are no longer restricted to the PremiumV2 App Service plan only; Standard, Premium and Elastic Premium are supported as well.
Tips to get started:
- Create an App Service with one of the above-mentioned App Service plans.
- Plan the SKU of the plan in advance: only one plan can be attached per VNET. If your apps cannot fit in that plan, you will need to create a new plan and a new VNET. Compare plan sizes and decide which one suits you best.
- Create a dedicated subnet as per the official Microsoft doc here: https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet#regional-vnet-integration
- In case you have an appliance or firewall deployed, make sure that your route table doesn't have gateway route propagation enabled. Otherwise, routes advertised from on-prem will take precedence and cause asymmetric routing.
- If you are using Azure Firewall, take advantage of application rules, which allow you to whitelist FQDNs and restrict traffic to that coming from a specific web app only. The same can be achieved for HTTP/HTTPS FQDNs of Storage blob accounts, for example, to protect workloads against data exfiltration. We are currently (at the moment of creation of this doc) waiting for SQL FQDNs to be GA (public preview at the moment) to enable the same functionality for SQL traffic: https://docs.microsoft.com/en-us/azure/firewall/sql-fqdn-filtering
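The route table and firewall rule tips above can be checked automatically. This is an added example, not code from the original post: a Python check over constructed JSON shaped like `az network route-table show` output and Azure Firewall application rules. All resource names, addresses and the storage FQDN are made up, and treating the integration subnet as the web app's source address is an assumption.

```python
import ipaddress

# Constructed sample data shaped like `az network route-table show` output and
# Azure Firewall application rules; every name and address here is made up.
ROUTE_TABLE = {
    "name": "rt-webapp-integration",
    "disableBgpRoutePropagation": False,   # gateway route propagation still on
    "routes": [{"name": "default", "addressPrefix": "0.0.0.0/0",
                "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.1.4"}],
}
APP_RULES = [
    {"name": "allow-blob", "sourceAddresses": ["10.0.2.0/26"],
     "targetFqdns": ["contosodata.blob.core.windows.net"]},
    {"name": "allow-any", "sourceAddresses": ["*"], "targetFqdns": ["*"]},
]

def audit_route_table(rt, firewall_ip):
    """Flag propagated on-prem routes and a missing default route to the firewall."""
    findings = []
    if not rt.get("disableBgpRoutePropagation", False):
        findings.append("gateway route propagation is enabled")
    default = [r for r in rt.get("routes", []) if r.get("addressPrefix") == "0.0.0.0/0"]
    if not any(r.get("nextHopType") == "VirtualAppliance"
               and r.get("nextHopIpAddress") == firewall_ip for r in default):
        findings.append("no 0.0.0.0/0 route to the firewall")
    return findings

def audit_app_rules(rules, integration_subnet):
    """Flag rules whose source exceeds the web app subnet or whose FQDN is a wildcard."""
    subnet = ipaddress.ip_network(integration_subnet)
    findings = []
    for rule in rules:
        for src in rule.get("sourceAddresses", []):
            try:
                inside = ipaddress.ip_network(src, strict=False).subnet_of(subnet)
            except (ValueError, TypeError):   # "*", IP ranges, or mixed IP versions
                inside = False
            if not inside:
                findings.append(f"{rule['name']}: source {src} is wider than the web app subnet")
        for fqdn in rule.get("targetFqdns", []):
            if fqdn.startswith("*"):   # e.g. "*" or "*.blob.core.windows.net"
                findings.append(f"{rule['name']}: wildcard FQDN {fqdn}")
    return findings

if __name__ == "__main__":
    for f in audit_route_table(ROUTE_TABLE, "10.0.1.4") + audit_app_rules(APP_RULES, "10.0.2.0/26"):
        print("FINDING:", f)
```

A wildcard such as `*.blob.core.windows.net` is flagged because it would allow uploads to any storage account, which defeats the exfiltration control.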
Principal Solution Architect | .NET & Azure at AE
4 years ago
Waiting for Godot finished!