1# App Service Networking
2 
3VNet integration, Private Endpoints, Access Restrictions, and Hybrid Connections.
4 
5## Feature Availability by SKU
6 
7| Feature | Free | Basic | Standard | Premium | Isolated |
8|---------|:-:|:-:|:-:|:-:|:-:|
9| VNet integration (outbound) | ❌ | ✅ | ✅ | ✅ | ✅ (native) |
10| Private Endpoints (inbound) | ❌ | ✅ | ✅ | ✅ | ✅ |
11| Access Restrictions | ✅ | ✅ | ✅ | ✅ | ✅ |
12| Hybrid Connections | ❌ | 5 | 25 | 200 | 200 |
13| Access to service-endpoint-protected resources | ❌ | ✅ | ✅ | ✅ | ✅ |
14> Note: Service endpoints are configured on VNets/subnets and downstream services (e.g., Storage, SQL). App Service accesses them via VNet integration rather than enabling service endpoints directly on the app.
15 
16## VNet Integration (Outbound)
17 
18Routes outbound traffic from the app through a VNet subnet, enabling access to private resources (databases, storage, VMs).
19 
20### Subnet Requirements
21 
22| Requirement | Value |
23|------------|-------|
24| Minimum subnet size | `/26` (64 addresses) recommended |
25| Delegation | `Microsoft.Web/serverFarms` |
26| Dedicated | One subnet per App Service plan |
27 
28### Bicep — VNet Integration
29 
30```bicep
31resource subnet 'Microsoft.Network/virtualNetworks/subnets@2023-11-01' = {
32  parent: vnet
33  name: 'app-service-subnet'
34  properties: {
35    addressPrefix: '10.0.1.0/26'
36    delegations: [
37      {
38        name: 'Microsoft.Web.serverFarms'
39        properties: { serviceName: 'Microsoft.Web/serverFarms' }
40      }
41    ]
42  }
43}
44 
45resource webApp 'Microsoft.Web/sites@2024-11-01' = {
46  name: appName
47  location: location
48  properties: {
49    serverFarmId: appServicePlan.id
50    virtualNetworkSubnetId: subnet.id
51    outboundVnetRouting: {
52      allTraffic: true // route all outbound through VNet
53    }
54  }
55}
56```
57 
58### CLI - VNet Integration
59 
60```bash
61# Configure virtual network integration 
62az webapp vnet-integration add --resource-group RG --name APP --vnet VNET --subnet SUBNET
63 
64# Update app configuration to route all outbound traffic through the virtual network integration
65az resource update --resource-group RG --name APP --resource-type "Microsoft.Web/sites" --set properties.outboundVnetRouting.allTraffic=true
66```
67 
68 
69> 💡 **Tip:** Set `outboundVnetRouting.allTraffic: true` to route ALL outbound traffic through the VNet. Without this, only RFC1918 traffic is routed through the VNet.
70 
71## Private Endpoints (Inbound)
72 
73Expose the app on a private IP address within your VNet. Public access can be disabled entirely.
74 
75### Bicep — Private Endpoint
76 
77```bicep
78resource privateEndpoint 'Microsoft.Network/privateEndpoints@2023-11-01' = {
79  name: '${appName}-pe'
80  location: location
81  properties: {
82    subnet: { id: privateEndpointSubnet.id }
83    privateLinkServiceConnections: [
84      {
85        name: '${appName}-connection'
86        properties: {
87          privateLinkServiceId: webApp.id
88          groupIds: ['sites']
89        }
90      }
91    ]
92  }
93}
94 
95resource privateDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
96  name: 'privatelink.azurewebsites.net'
97  location: 'global'
98}
99 
100resource dnsLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
101  parent: privateDnsZone
102  name: '${vnet.name}-link'
103  location: 'global'
104  properties: {
105    virtualNetwork: { id: vnet.id }
106    registrationEnabled: false
107  }
108}
109 
110resource privateDnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-11-01' = {
111  parent: privateEndpoint
112  name: 'default'
113  properties: {
114    privateDnsZoneConfigs: [
115      {
116        name: 'webapp-dns-zone'
117        properties: {
118          privateDnsZoneId: privateDnsZone.id
119        }
120      }
121    ]
122  }
123}
124```
125 
126### CLI - Private Endpoint
127 
128```bash
129# Retrieve web app resource id
130id=$(az webapp show --name APP --resource-group RG --query id --output tsv)
131 
132# Create Private Endpoint
133az network private-endpoint create --connection-name CONNECTIONNAME --name private-endpoint --private-connection-resource-id $id --resource-group RG --subnet SUBNET --group-id sites --vnet-name VNET
134 
135# Create Private DNS Zone
136az network private-dns zone create --resource-group RG --name "privatelink.azurewebsites.net"
137 
138# Link the DNS Zone to virtual network
139az network private-dns link vnet create --resource-group RG --zone-name "privatelink.azurewebsites.net" --name dns-link --virtual-network VNET --registration-enabled false
140 
141```
142 
143> ⚠️ **Warning:** Private Endpoints require Basic (B1+) or higher tier. The private DNS zone `privatelink.azurewebsites.net` must be linked to the VNet for name resolution.
144 
145## Access Restrictions
146 
147Control inbound access with IP-based or service-tag rules. Available on all SKUs.
148 
149### Bicep — Access Restrictions
150 
151```bicep
152siteConfig: {
153  ipSecurityRestrictions: [
154    {
155      name: 'allow-office'
156      priority: 100
157      action: 'Allow'
158      ipAddress: '203.0.113.0/24'
159    }
160    {
161      name: 'deny-all'
162      priority: 2147483647
163      action: 'Deny'
164      ipAddress: 'Any'
165    }
166  ]
167  scmIpSecurityRestrictionsUseMain: true
168}
169```
170 
171### CLI - Access Restrictions
172 
173```bash
174# Add restriction to allow traffic from set range used by the office
175az webapp config access-restriction add --resource-group RG --name APP --rule-name 'allow-office' --action Allow --ip-address 203.0.113.0/24 --priority 100
176 
177# Add restriction to deny access from any other address range
178az webapp config access-restriction add --resource-group RG --name APP --rule-name 'deny-all' --action Deny --ip-address Any --priority 2147483647
179 
180# Set SCM Site (Kudu) to use same access restrictions as main site
181az webapp config access-restriction set -g RG -n APP --use-same-restrictions-for-scm-site true
182```
183 
184> 💡 **Tip:** Always restrict the SCM/Kudu site too. Use `scmIpSecurityRestrictionsUseMain: true` to inherit main site rules, or define separate SCM rules.
185 
186## Hybrid Connections
187 
188Connect to on-premises resources without VPN. Requires Basic tier or higher. Uses Hybrid Connection Manager (HCM) agent on-premises relaying through Azure Relay.
189 
190> ⚠️ **Warning:** Each Hybrid Connection maps to a single host:port endpoint. Basic tier supports 5; Standard tier supports 25; Premium/Isolated support 200.
191 
192## Troubleshooting
193 
194| Issue | Cause | Fix |
195|-------|-------|-----|
196| Cannot reach private DB | VNet integration not enabled | Enable VNet integration; check `outboundVnetRouting.allTraffic` |
197| DNS resolution fails | Private DNS zone not linked | Link `privatelink.*` DNS zone to VNet |
198| Access restriction not working | Priority ordering wrong | Lower numbers = higher priority; check rule order |
199| Hybrid Connection timeout | HCM not running | Verify HCM service status on-premises |
200| Outbound traffic blocked | NSG rules on subnet | Allow outbound to required services in NSG |
201