Integrate your App Service with Azure virtual networks
Date: 28/10/2021 Categories: azure

Virtual network integration for Azure services
Integrating Azure services to an Azure virtual network enables private access to the service from virtual
machines or compute resources in the virtual network. You can integrate Azure services in your virtual
network with the following options:
● Deploying dedicated instances of the service into a virtual network. The services can then be privately
accessed within the virtual network and from on-premises networks.
● Using Private Link to privately access a specific instance of the service from your virtual network and
from on-premises networks.
● You can also access the service using public endpoints by extending a virtual network to the service,
through Service Endpoints. Service Endpoints allow service resources to be secured to the virtual
network.

Configure App Service for regional VNET integration
With Azure Virtual Networks (VNets), you can place many of your Azure resources in a non-internet-routable
network. The VNet Integration feature enables your apps to access resources in or through a VNet.
VNet Integration doesn’t enable your apps to be accessed privately.
Azure App Service has two variations on the VNet Integration feature:
● The multitenant systems that support the full range of pricing plans except Isolated.
● The App Service Environment, which deploys into your VNet and supports Isolated pricing plan apps.
The VNet Integration feature is used in multitenant apps. If your app is in App Service Environment, then
it’s already in a VNet and doesn’t require use of the VNet Integration feature to reach resources in the
same VNet.
VNet Integration gives your app access to resources in your VNet, but it doesn’t grant inbound private
access to your app from the VNet. Private site access refers to making an app accessible only from a
private network, such as from within an Azure virtual network. VNet Integration is used only to make
outbound calls from your app into your VNet. The VNet Integration feature behaves differently when it’s
used with a VNet in the same region and with VNets in other regions. The VNet Integration feature has two
variations:
● Regional VNet Integration: When you connect to Azure Resource Manager virtual networks in the
same region, you must have a dedicated subnet in the VNet you are integrating with.
● Gateway-required VNet Integration: When you connect to VNets in other regions or to a classic virtual
network in the same region, you need an Azure Virtual Network gateway provisioned in the target
VNet.
The VNet Integration features:
● Require a Standard, Premium, PremiumV2, PremiumV3, or Elastic Premium pricing plan.
● Support TCP and UDP.
● Work with Azure App Service apps and function apps.
There are some things that VNet Integration does not support, like:
● Mounting a drive.
● Active Directory integration.
● NetBIOS.
Gateway-required VNet Integration provides access to resources only in the target VNet or in networks
connected to the target VNet with peering or VPNs. Gateway-required VNet Integration doesn’t enable
access to resources available across Azure ExpressRoute connections or work with Service Endpoints.
Regardless of the version used, VNet Integration gives your app access to resources in your VNet, but it
doesn’t grant inbound private access to your app from the VNet. Private site access refers to making your
app accessible only from a private network, such as from within an Azure VNet. VNet Integration is only
for making outbound calls from your app into your VNet. Follow the steps below to learn how VNet
integration is enabled.

Configure the virtual network for integration with App Service
In the App Service portal, go to Networking > VNet integration and select Add VNet.

The drop-down list contains all of the Azure Resource Manager virtual networks in your subscription in
the same region. Underneath that is a list of the Resource Manager virtual networks in all other regions.
Select the VNet you want to integrate with.

If the VNet is in the same region, either create a new subnet or select an empty preexisting subnet.
To select a VNet in another region, you must have a VNet gateway provisioned with point-to-site enabled.
To integrate with a classic VNet, instead of selecting the Virtual Network drop-down list, select Click
here to connect to a Classic VNet. Select the classic virtual network you want. The target VNet must
already have a Virtual Network gateway provisioned with point-to-site enabled.

During the integration, your app is restarted. When integration is finished, you will see details on the
VNet you’re integrated with.
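
The regional case of the portal steps above, scripted with the Azure CLI as an added example (not part of the original post). The resource names and subnet prefix are placeholders supplied by the caller, the VNet is assumed to live in the same resource group as the app, and the tier strings are assumed to match what `sku.tier` reports for a plan.

```shell
#!/bin/sh
# Added example: regional VNet Integration from the Azure CLI.
# Every resource name passed in is a placeholder chosen by the caller.

# Pricing tiers the page lists as supporting VNet Integration.
# Assumption: these strings match the plan's `sku.tier` value.
tier_supports_vnet_integration() {
  case "$1" in
    Standard|Premium|PremiumV2|PremiumV3|ElasticPremium) return 0 ;;
    *) return 1 ;;
  esac
}

# integrate_regional RG APP PLAN VNET SUBNET PREFIX
integrate_regional() {
  rg=$1 app=$2 plan=$3 vnet=$4 subnet=$5 prefix=$6

  # Refuse early if the plan's tier cannot use the feature.
  tier=$(az appservice plan show -g "$rg" -n "$plan" --query sku.tier -o tsv)
  if ! tier_supports_vnet_integration "$tier"; then
    echo "plan $plan is tier '$tier': VNet Integration not available" >&2
    return 1
  fi

  # Regional integration needs a dedicated subnet, so create a new one
  # rather than reusing a subnet that already hosts other resources.
  az network vnet subnet create -g "$rg" --vnet-name "$vnet" \
    -n "$subnet" --address-prefixes "$prefix" || return 1

  # The app is restarted while this step runs.
  az webapp vnet-integration add -g "$rg" -n "$app" \
    --vnet "$vnet" --subnet "$subnet" || return 1

  # Confirm which VNet and subnet the app is now integrated with.
  az webapp vnet-integration list -g "$rg" -n "$app" -o table
}

# Runs only when called with all six arguments, e.g.
#   ./integrate.sh my-rg my-app my-plan my-vnet appsvc-subnet 10.0.1.0/26
if [ "$#" -eq 6 ]; then
  integrate_regional "$@"
fi
```

This only sets up outbound access from the app into the VNet; it does not make the app privately reachable from the VNet.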

For more details, see: Integrate your app with an Azure VNET