VNet integration & Network security rules

Joris Bijnens 21 Reputation points


I want to use VNet integration to access VNet integrated components from an App Service.
I want to further lock down the internal network by allowing only this App Service access to certain components. Is this even possible?

The 'VNet Integrated' source IP of the App Service can change and I can only get it from the App Service itself (via 'website_private_ip').
So if I want to use NSGs or a 3rd party firewall, how can I limit the access of the App Service on the internal network?




Accepted answer
  1. brtrach-MSFT 15,791 Reputation points Microsoft Employee

    @Joris Bijnens To add to what @Roderick Bant shared, we understand that you are looking to limit your web app to only access certain resources and also attach it to a VNet.

    It sounds like you are concerned that the IP address might change. I do not see this called out in the considerations section of the document, so I do not think this is a concern. If you read something different, please let us know.

    In regard to using an NSG with your web app, I do believe you will need to use the built-in "access restrictions" feature (the web app's own version of an NSG) of the web app, as I do not believe multi-tenant web apps integrate with the standalone NSG product in Azure. Read further on access restrictions here if this is something you are interested in. (Note that an App Service Environment does work with the NSG product.)

    If you have further questions or concerns, please let us know.


2 additional answers

  1. Roderick Bant 2,051 Reputation points

    VNet integration is normally done with a dedicated integration subnet within your VNet. You can place an NSG on that subnet with rules for outbound traffic controlling access to your private resources. This overview of VNet integration describes the same principle.

    It's also worth noting that rules should not apply to a single IP but to the CIDR of the integration subnet range, because when an App Service app scales to more than 1 instance, multiple IPs in that subnet will be used for those instances.


  2. Joris Bijnens 21 Reputation points


    Indeed, I am basing myself on this article, where I read the following.
    Let me know if I misinterpret this:
    The value of WEBSITE_PRIVATE_IP is bound to change. However, it will be an IP within the address range of the integration subnet or the point-to-site address range, so you'll need to allow access from the entire address range.

    I will review your suggestions, thank you.


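The point made in the answers above (scope the rule to the integration subnet's CIDR, not to one observed WEBSITE_PRIVATE_IP) can be checked with a small model of NSG rule evaluation; this is an added example, not code from the thread or from Azure. It simplifies the inbound rules on the protected resource's subnet to source CIDR, destination port and priority, and includes stand-ins for the default AllowVnetInBound and DenyAllInBound rules. The address plan, port 1433 and all function names are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address plan (assumption, not from the thread).
VNET = "10.0.0.0/16"
INTEGRATION_SUBNET = "10.0.1.0/27"  # subnet used for App Service VNet integration

@dataclass(frozen=True)
class Rule:
    priority: int          # lower number is evaluated first
    source: str            # source CIDR
    port: Optional[int]    # None = any destination port
    allow: bool

# Stand-ins for the default AllowVnetInBound (65000) and DenyAllInBound (65500) rules.
DEFAULTS = [Rule(65000, VNET, None, True), Rule(65500, "0.0.0.0/0", None, False)]

def evaluate(rules, src_ip, port):
    """Return True if the first matching rule, in priority order, allows the flow."""
    ip = ipaddress.ip_address(src_ip)
    for r in sorted(rules + DEFAULTS, key=lambda r: r.priority):
        if ip in ipaddress.ip_network(r.source) and r.port in (None, port):
            return r.allow
    return False

def pinned_rules(observed_ip):
    """Allow one observed WEBSITE_PRIVATE_IP, deny the rest of the VNet."""
    return [Rule(100, f"{observed_ip}/32", 1433, True), Rule(200, VNET, None, False)]

def subnet_rules():
    """Allow the whole integration subnet, deny the rest of the VNet."""
    return [Rule(100, INTEGRATION_SUBNET, 1433, True), Rule(200, VNET, None, False)]

def blocked_instances(rules, instance_ips, port=1433):
    """Instance IPs whose traffic the rule set would drop."""
    return [ip for ip in instance_ips if not evaluate(rules, ip, port)]

if __name__ == "__main__":
    # Constructed: the app has scaled out to three instances in the integration subnet.
    instances = ["10.0.1.4", "10.0.1.5", "10.0.1.9"]
    print("pinned /32 blocks:", blocked_instances(pinned_rules("10.0.1.4"), instances))
    print("subnet CIDR blocks:", blocked_instances(subnet_rules(), instances))
    print("other VNet host allowed:", evaluate(subnet_rules(), "10.0.2.10", 1433))
    print("no custom rules, other host allowed:", evaluate([], "10.0.2.10", 1433))
```

The last check shows why an explicit deny for the rest of the VNet is needed: with only the default rules, any host in the VNet reaches the resource.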