Access On-Premises resource from Azure App Services


In this post, I am going to discuss how we can connect Azure Web App to a resource across 2 VNET’s (Azure or On-Premises ) connected via Site-to-Site, .

A typical scenario could be you have Site-to-Site VPN from Azure to On-Premises or between 2 Azure VNET’s and want to connect Azure Web App to a resources in both VNET’s.

Azure Web App is a multi-tenant architecture which prevents  provisioning of App’s directly in a VNET. But with Point-to-Site connectivity we can enable App’s to access resources inside VNET.

Prerequisites:

  1. App Service plan should be Standard or Premium
  2. VNET Gateway should be Route based
  3. Address space of any VNET should not overlap.

Steps needed to connect:

  1. Assuming you already have Site-to-Site VPN established between 2 VNET’s (VNET1 & VNET2)
  2. Create an Azure Web App
  3. Enable Point-to-Site gateway on existing Gateway of VNET1
  4. Integrate Web App with VNET1 using Point-to-Site
  5. Update routes on web app by adding Address Space of VNET2 on Web App Networking blade
  6. Update routs on VNET2 by adding Point-to-Site Address space on VNET2 gateway.

Let’s get started

I have a Site-to-Site connection established between two Azure ARM VNETs.

Setup for Demo

1. VNET1

  • Gateway VNET1GW
  • Local Network Gateway as LNG1
  • Address Space 10.2.0.0/16
  • VM with IP 10.2.0.4
  • Point to Site Address space 172.16.0.0/24

2. VNET2

  • Gateway VNET2GW
  • Local Network gateway as LNG2
  • Address space 192.168.0.0/16
  • VM with IP 192.168.0.4

3. Web app I need to integrate to VNET is VNETAPP

To start with we need to enable Point-to-Site on VNET1GW, this can be done on portal as well now,

Virtual network gateways Microsoft -> VNET1GW -> Point-to-Site Configuration

Add Address Pool 172.16.0.0/24 & Click on Save

PTSAdd

Once this is done we now go to Web App to integrate it with VNET.

Note: VNET Integration needs your App Service plan on Standard or Premium

App Services -> VNETAPP –> Networking

vnetint

 

Click on Setup you will get list of VNET available in your subscription. One with Point-to-Site will be available for integration

vnet1

 

snip_20170220155431

Connection done. Click on “Click here to configure” to see Site to Site Address space, Point-to-site address space and routes added.

PTSAdd

 

Connectivity done, now time to test

For test we can try to tcpping from Console/ kudu (SCM) of the web app or use CURL to access web page from VM

snip_20170220155638

CURL http://10.2.0.4

snip_20170220155925

 

So our Point-to-Site connectivity is established from WebApp to VNET1 and we can access resources.

Next we need to connect to VM on VNET2

Let first check connectivity between VNET1 & VNET2 over Site-to-Site

snip_20170220160114

 

snip_20170220160350

 

VM on VNET1 has IP 10.2.0.4

VM on VNET2 has IP 192.168.0.4

clip_image018

clip_image020

Site-to-Site working fine. Now time to test from Web app

For that to work we need to check Routes on Web App VNET integration blade and then also route on LNG2 for Point-to-site address space.

App Service Plan -> NameofAppServicePlan -> Networking –> “Click here to manage”  ->Select VNET

snip_20170220161109

 

So we have route for VNET2 added on App Service VNET integration. At this point we can try to tcpping to VM on VNET2 from SCM

snip_20170220161447

Connection time out.

Web App has route to reach to VNET2 but VNET2 does not have route back to Point-to-Site Address Space.

snip_20170220161707

LNG2 which is VNET2 Local Network gateway has only route added to Site-to-Site Address space of VNET1.

Now let’s add route for Point-to-Site Address space on LNG2

snip_20170220162012

Time to test again from Web App

snip_20170220161932

Curl http://192.168.0.4

snip_20170220162205

Now Web App is able to connect to VM on VNET1 as well as to VM on VNET2 on private VNET IP. 

In this demo I have used 2 Azure VNET. Same steps needs to followed for Site-to-Site between Azure VNET and On-Premises VNET.

That’s it!

Comments (0)

Skip to main content