App service to App service communication/call

Tadul 1

Hello,

We have few app service and app service api etc. These urls are publicly accessible and we want to have restriction.

The issue with us is that when we use service endpoint for a subnet within a VNET then only resources within this VNET can only access the services and Inter-service calls fails (App service calling another app service)

Though we have not tried but as far as I can read , It will be the same case with private link as well.

If I create two separate private link for two different app service and attach it to a single subnet within a VNET then will these two app service be able to call each other? (assuming when private link is created then private IP from that VNET is given to app services )

Thanks,
Tadul Shah
9xxxxxxxx0

SnehaAgrawal-MSFT 18,366 Reputation points

2020-06-12T07:20:18.797+00:00

With Private Link, your app runs in the public App service and you have one app behind one address. If you want to apply network security external to your application, then you still only get that with an ILB ASE. If you only need a private address in your VNet, then Private Link can give you that. To add to this Private Link provides a private address for inbound traffic only to your app. It does not enable your app to make outbound calls into your VNet. If you want to have all inbound and outbound in your VNet, then you need to use both Private Link and Regional VNet Integration. With Private Link you can secure the inbound and with VNet Integration you can secure the outbound.

You may refer to below links:

https://learn.microsoft.com/en-gb/azure/app-service/networking/private-endpoint

https://learn.microsoft.com/en-us/azure/private-link/
Tadul 1 Reputation point

2020-06-12T08:45:37.83+00:00

Hello,

Looks like ASE is the option left. We are exploring it.

Thanks,
Tadul Shah
SnehaAgrawal-MSFT 18,366 Reputation points

2020-06-12T14:29:48.157+00:00

You may also investigate this doc link in case missed: https://learn.microsoft.com/en-us/azure/app-service/networking-features#create-multi-tier-applications might be helpful.

1 answer

Malleswara Reddy, G 1,631 Reputation points

2020-06-08T18:28:17.993+00:00

Hi,

If I create two separate private link for two different app service and attach it to a single subnet within a VNET then will these two app service be able to call each other? (assuming when private link is created then private IP from that VNET is given to app services )
---- Yes, it is possible. Use App service Environment. Under App service environment, web apps can still communicate with each other though they are not publicly accessible.
https://learn.microsoft.com/en-us/azure/app-service/environment/network-info#service-endpoints
Please sign in to rate this answer.
Tadul 1 Reputation point

2020-06-08T18:32:32.2+00:00

Hello,

Thanks for replying.

But we do not want to go for App service Environment. Can use of private link fulfill this requirement?

Regards, Tadul Shah

Malleswara Reddy, G 1,631 Reputation points

2020-06-08T19:18:33.543+00:00

Hi Tadul Shah,

Private link's purpose is different. you can create two app services under two VNets and communicate between VNet using private link just to avoid the public internet route.

I still don't understand why you are preferring to take that route. Just adding my suggestions, probably you might be considering the above approach for different reasons.

1) You can create App service under VNet,
2) You can add all your web apps and web services under the same app service. They can still communicate with each other and moreover they are under VNet.

Tadul 1 Reputation point

2020-06-09T06:37:01.41+00:00

Hello,

You can not create app service within a VNET..You will have to use App service environment.

VNET integration is for outbound traffic from app service but we are looking for inbound restrictions.

Thanks,
Tadul Shah

Malleswara Reddy, G 1,631 Reputation points

2020-06-09T06:49:18.907+00:00

Hi,

I mean by using ASE as it is going to be a simple solution.

Malleswara Reddy, G 1,631 Reputation points

2020-06-09T06:52:42.21+00:00

Hi,

I meant by using ASE as it is going to be a simple solution.

VNET integration is for outbound traffic from app service but we are looking for inbound restrictions.
--- you can still do that
https://learn.microsoft.com/en-us/azure/app-service/environment/app-service-app-service-environment-control-inbound-traffic
Sign in to comment