This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 0%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESK%3C/text%3E%3C/svg%3E)
Is it possible to restrict the inbound and outbound rules for the web app by placing the app inside a subnet and restricting the public access using nsg rules?? I was unable to block the ports using the nsg rules. But I want to make my api app and sql db private???
To follow-up, Please let us know if you have further query on this.
Please don’t forget to Accept the answer
Access Restriction feature allows you to build a list of allow and deny rules that are evaluated in priority order. It's similar to the network security group (NSG) feature
Following reference helps to Set up Azure App Service access restrictions
app-service-ip-restrictions
I know about the access restriction feature. But the client is asking to restrict the web app in public subnet, api app & sql database server in two different private subnet. I tried to explain him about the access restriction and using service or private endpoints to make the services private. But I'm confused a lot with these scenarios.
Hi @Sai Kalyan Kalapala
Thank you for posting in Q & A.
It is similar question i answered in previous post.
It's similar to the network security group (NSG) feature in Azure networking. You can use this feature in an App Service Environment (ASE) or in the multitenant service. When you use it with an ILB ASE or private endpoint, you can restrict access from private address blocks.
Azure App Service has two variations on the VNet Integration feature:
The multitenant systems that support the full range of pricing plans except Isolated.
The App Service Environment, which deploys into your VNet and supports Isolated pricing plan apps.
When you use VNet Integration with VNets in the same region, you can use the following Azure networking features:
https://learn.microsoft.com/en-us/azure/app-service/networking-features
If the Answer is helpful, please click Accept Answer and up-vote, this can be beneficial to other community members.
Is it better to use the private or service endpoints for the web apps and azure sql database server in the same vnet instead of using nsg or udr as they are very much confusing. Apart from these is it possible to add these vnet integrations to the azure front door ??? I guess azure front door does not support the vnet integration. Can u please clarify my doubts?? Thank you
UDR
Whenever you create a vNET with multiple subnets; each subnet will automatically be assigned default system routes. Additional system routes cannot be added nor current ones edited but with the creation of a User Defined Routetable (UDR) – will override any default system route with your created UDR.
NSG
NSG to apply a network security rule to a specific workload or group of VMs – defined by ASG worked as being the “network object” & expilicit IP addresses are added to this object.
https://thomasthornton.cloud/2020/03/20/securing-your-virtual-network-with-azure-firewall-and-network-security-groups/
Azure Front Door can only route to public VIPs/FQDNs and cannot route to private IP spaces and thus also doesn’t support VNET integration. This is by design and we do not plan to add this support any time int he near future. One of the ways you can achieve this is by routing traffic from Azure Front Door to an Application Gateway/Standard Load Balancer tied to your VNET.
https://feedback.azure.com/forums/217313-networking/suggestions/36232873-vnet-integration-front-door
Front Door can perform path-based load balancing only at the global level but if one wants to load balance traffic even further within their virtual network (VNET) then they should use Application Gateway.
https://learn.microsoft.com/en-us/azure/frontdoor/front-door-faq
If the Answer is helpful, please click Accept Answer and up-vote, this can be beneficial to other community members.