In this session, you will learn how to control, secure, integrate and isolate your app services, so that you can:
• Securely access resources available in or through your Azure VNet.
• Securely access applications in private networks.
• Get secure, reliable content delivery with broad global reach and a rich feature set.
• Define and manage rules that control access to your application.
• Control how network traffic is distributed to application deployments running around the globe.
2. Agenda
Discuss Azure App Service networking features
Demo most of them
Scenarios about how to make use of them
Announcements about upcoming features
Q&A
3. Azure App Service Networking Features
Azure Front Door with WAF
Azure CDN
Access Restrictions
Hybrid Connections
VNet Integration
Assigned Public IP Address
4. VNet Service Endpoints
• Extend VNet to Azure Services
• Make use of Microsoft Azure backbone network
• Faster, Reliable and Secure
5. Services support Service Endpoints
Azure Storage
Azure SQL Database
Azure SQL Data Warehouse
Azure Database for PostgreSQL server
Azure Database for MySQL server
Azure Database for MariaDB
Azure Cosmos DB
Azure Key Vault
Azure Service Bus
Azure Event Hub
Azure Data Lake Store Gen 1
Azure App Service
Azure Container Registry (Preview!)
8. Gateway Required vs Regional VNet Integration
Gateway
• Can be used to connect to any VNet, either RM or Classic
• Requires a VNet Gateway with point-to-site VPN configured
• 99.9% SLA due to the dependency on the VNet Gateway
• Can’t be used with Linux apps
• Doesn’t support access via ExpressRoute or service endpoints
Regional
• Still in Preview
• No gateway needed
• Make calls to services secured with service endpoints
• Access resources in the same VNet, or via ExpressRoute or peered connections
• Requires an unused subnet, whose IP addresses are used for the app's outbound calls
[Diagram labels: Internet, App Service, Point-to-Site VPN, Azure Virtual Network; Internet, App Service, Azure Virtual Network, delegated subnet, Azure SQL]
9. Demo: New VNet Integration
Scenario: Provide a direct connection between Azure App Service and Azure SQL Database
11. App Service Hybrid Connection
• Allows App Service to access on-prem services securely
• The on-prem service doesn’t have to be internet accessible
• A single app service can provide access to multiple networks
• All the connections are outbound over standard web ports, so no firewall holes are needed
14. App Service Assigned IP Address
• Can be set for the inbound IP only; setting outbound IPs isn’t supported
• Make sure that the app service plan is at least at the Basic tier
• A custom domain has to be mapped to the Web App URL
• Configure an IP-based SSL certificate
But what if I want to renew my certificate?
16. App Service Access Restrictions
• Prevent access to your app service from untrusted resources
• Prevent search engines from indexing your website content and associating it with the wrong domain name
• Force traffic to go through the WAF
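An added example (not from the original slides) of auditing a rule set for the WAF bullet above. App Service evaluates access restriction rules in priority order and, once any rule exists, denies traffic that no rule matched; this sketch models IPv4 CIDR rules only and reports address space that is allowed without coming from the WAF. The rule tuples, `WAF_RANGES` and all addresses are constructed assumptions.

```python
import ipaddress

# Constructed rule set: (priority, action, IPv4 CIDR). Lowest priority number wins.
RULES = [
    (100, "Allow", "203.0.113.0/24"),   # hypothetical WAF egress range
    (200, "Deny",  "198.51.100.0/24"),
    (300, "Allow", "198.51.100.0/23"),  # broad allow, only partly shadowed by the deny
]
WAF_RANGES = ["203.0.113.0/24"]         # constructed, documentation address space
EVERYTHING = ipaddress.ip_network("0.0.0.0/0")

def subtract(nets, cut):
    """Remove the address space of `cut` from a list of disjoint networks."""
    out = []
    for n in nets:
        if not n.overlaps(cut):
            out.append(n)
        elif not n.subnet_of(cut):      # cut lies strictly inside n
            out.extend(n.address_exclude(cut))
    return out

def effective_allowed(rules):
    """Networks the rule set admits, the first matching rule by priority deciding."""
    if not rules:                       # no rules configured: all traffic is allowed
        return [EVERYTHING]
    undecided, allowed = [EVERYTHING], []
    for _, action, cidr in sorted(rules):
        net = ipaddress.ip_network(cidr)
        if action == "Allow":
            # Overlapping CIDR blocks are nested, so the overlap is the smaller one.
            allowed += [u if u.subnet_of(net) else net
                        for u in undecided if u.overlaps(net)]
        undecided = subtract(undecided, net)
    return sorted(allowed)              # whatever is still undecided is implicitly denied

def waf_bypass(rules, waf_ranges):
    """Allowed networks not contained in any single WAF range (should be empty)."""
    waf = [ipaddress.ip_network(w) for w in waf_ranges]
    return [a for a in effective_allowed(rules)
            if not any(a.subnet_of(w) for w in waf)]

if __name__ == "__main__":
    print("reachable without the WAF:", waf_bypass(RULES, WAF_RANGES))
```

In the constructed rule set, the deny at priority 200 covers only half of the later /23 allow, so the other half remains reachable directly.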
19. End users experiences with web
• of viewers stop watching video if it takes more than 7 seconds to buffer [2]
• of mobile internet users say they’ve encountered a website too slow to load [1]
• experience service degradation during security attacks [3]
20. Why Azure CDN?
• High reliability & Robust security
• Better user experience
• Global presence
• Availability and scalability
• Faster response time
22. Azure Front Door Service
Your secure entry point for delivering globally performant hyperscale apps.
• Accelerate application performance & availability
• Integration with App Services
• Globally distributed network with instance failover
• Integration with WAF rules
• SSL termination
• Integrated static content caching
• Session Affinity
• URL (redirection & rewriting)
• Multiple-site hosting
• URL-based routing
[Diagram labels: User, probes, Global Private WAN, connection pooling, active global traffic routing, Azure Region 1, Azure Region 2]
[Diagram labels: Azure Front Door Service, 64 global edge POPs, HTTP(S), path based traffic load balancing, static content caching, application layer security]
24. Microsoft Ignite Announcements for App Service
• Windows Web app VNet Integration: planned GA December 2019
• Linux Web app VNet Integration: planned GA Q1 CY2020
• Access to all IPv4 ranges supported: December 2019
• Routing support on all IPv4 traffic (available now in some regions): December 2019
No support dates yet for:
• Managed NAT or load balancer
• global peering
• service endpoint policies
• Network Watcher
• putting anything else in the integration subnet
• using VNet Integration across subscriptions
• multiple App Service plans being able to use the same subnet
• increasing the number of VNet Integrations per App Service plan
• VNet Integration working with Azure DNS private zones
• Hybrid connection for Linux app service
• Private Link support