question

tadul asked SnehaAgrawal-MSFT edited

App service to App service communication/call

Hello,

We have a few App Services, App Service APIs, etc. These URLs are publicly accessible and we want to have restrictions.

The issue for us is that when we use a service endpoint for a subnet within a VNET, only resources within this VNET can access the services, and inter-service calls fail (App Service calling another App Service).

Though we have not tried it, as far as I can read, it will be the same case with Private Link as well.

If I create two separate private links for two different App Services and attach them to a single subnet within a VNET, will these two App Services be able to call each other? (Assuming that when a private link is created, a private IP from that VNET is given to the App Services.)

Thanks,
Tadul Shah

azure-webapps

With Private Link, your app runs in the public App Service and you have one app behind one address. If you want to apply network security external to your application, then you still only get that with an ILB ASE. If you only need a private address in your VNet, then Private Link can give you that. To add to this, Private Link provides a private address for inbound traffic only to your app. It does not enable your app to make outbound calls into your VNet. If you want to have all inbound and outbound in your VNet, then you need to use both Private Link and Regional VNet Integration. With Private Link you can secure the inbound and with VNet Integration you can secure the outbound.

You may refer to the links below:

https://docs.microsoft.com/en-gb/azure/app-service/networking/private-endpoint

https://docs.microsoft.com/en-us/azure/private-link/

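Added example, not part of the thread and not Microsoft's own template: a Bicep deployment of the pattern the comment above describes, with one app reaching the VNet through Regional VNet Integration (outbound) and the other reachable only through a private endpoint (inbound). All resource names, parameters and API versions are assumptions for illustration, and the `privatelink.azurewebsites.net` private DNS zone is assumed to exist already and to be linked to the VNet.

```bicep
// Added example: every name and parameter below is a hypothetical placeholder.
param location string = resourceGroup().location
param planId string              // existing App Service plan on a tier that supports VNet integration
param integrationSubnetId string // subnet delegated to Microsoft.Web/serverFarms
param endpointSubnetId string    // separate, non-delegated subnet for private endpoints
param privateDnsZoneId string    // existing privatelink.azurewebsites.net zone, linked to the VNet
resource caller 'Microsoft.Web/sites@2022-09-01' = { // outbound calls enter the VNet here
  name: 'app-caller-example'
  location: location
  properties: {
    serverFarmId: planId
    virtualNetworkSubnetId: integrationSubnetId
  }
}
resource callee 'Microsoft.Web/sites@2022-09-01' = { // inbound only via its private endpoint
  name: 'app-callee-example'
  location: location
  properties: {
    serverFarmId: planId
    publicNetworkAccess: 'Disabled'
  }
}
resource calleeEndpoint 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-app-callee-example'
  location: location
  properties: {
    subnet: { id: endpointSubnetId }
    privateLinkServiceConnections: [
      {
        name: 'callee-sites'
        properties: {
          privateLinkServiceId: callee.id
          groupIds: [ 'sites' ]
        }
      }
    ]
  }
}
// Registers the callee's private IP so its azurewebsites.net name resolves privately in the VNet.
resource zoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: calleeEndpoint
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'sites'
        properties: { privateDnsZoneId: privateDnsZoneId }
      }
    ]
  }
}
```

For calls in both directions, each app needs both pieces: its own private endpoint for inbound traffic and VNet integration for outbound traffic.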
tadul SnehaAgrawal-MSFT ·

Hello,

Looks like ASE is the option left. We are exploring it.

Thanks,
Tadul Shah


1 Answer

MalleswarReddy answered MalleswarReddy commented

Hi,

If I create two separate private links for two different App Services and attach them to a single subnet within a VNET, will these two App Services be able to call each other? (Assuming that when a private link is created, a private IP from that VNET is given to the App Services.)
---- Yes, it is possible. Use App Service Environment. Under App Service Environment, web apps can still communicate with each other though they are not publicly accessible.
https://docs.microsoft.com/en-us/azure/app-service/environment/network-info#service-endpoints


Hello,

Thanks for replying.

But we do not want to go for App Service Environment. Can the use of Private Link fulfill this requirement?

Regards, Tadul Shah


Hi Tadul Shah,

Private Link's purpose is different. You can create two App Services under two VNets and communicate between the VNets using Private Link just to avoid the public internet route.

I still don't understand why you are preferring to take that route. Just adding my suggestions; probably you might be considering the above approach for different reasons.

1) You can create an App Service under a VNet.
2) You can add all your web apps and web services under the same App Service. They can still communicate with each other and, moreover, they are under the VNet.


Hello,

You cannot create an App Service within a VNET. You will have to use App Service Environment.

VNET integration is for outbound traffic from App Service, but we are looking for inbound restrictions.

Thanks,
Tadul Shah
