
0 Votes
KevonHayes-3427 asked ajkuma-MSFT commented

App Services VNet Support

Since App Service contains the inbound and outbound IPs the Azure backbone uses to map the App Service to the actual VM it's hosted on in the Azure data center, shouldn't it be possible to use multihoming to afford App Services the same VNet, NSG, route table, and subnet(s) configuration as VMs have?

Especially if my goal is to reduce server maintenance and not worry about patching VMs, etc., it would be nice if Azure afforded a way to do this without having to use ASE, VMs, or AKS.

If App Service migration and creating a new App Service Plan is necessary to get this functionality, that would be a tradeoff I'd be willing to make. ASE is nice but very expensive. App Service access restrictions are OK but seem disjointed for the aforementioned configuration norm.

Is this possible?

azure-webapps-vnet


0 Votes
ajkuma-MSFT answered

@KevonHayes-3427, summarizing the answer to benefit the community:

All the roles in an App Service deployment exist in a multi-tenant network. "Because there are many different customers in the same App Service scale unit, you can't connect the App Service network directly to your network." Reference - Networking Restrictions/Considerations


Thanks for your cooperation!




1 Vote
ajkuma-MSFT answered ajkuma-MSFT commented

KevonHayes-3427, apologies for the delay over the weekend. Thanks for the great question.

1/2:

Firstly, in regard to your point on patching App Service hosts: App Service being a PaaS (Platform as a Service) offering, users only need to focus on their code and do not have to worry about keeping the underlying virtual machines and other resources current with the latest security updates, OS patches and so on.

App Service applies monthly updates to the resources, making sure our customers’ code is always running on the most recent security patches and OS versions available.


App Service update cycle:

Before beginning worldwide updates, we deploy first to a private region which is not commonly accessible. Only after testing is validated there do we begin to roll out to datacenters across the globe. Our typical time for completing updates worldwide is about 10 business days, which allows us to deploy during each region’s off hours and also to avoid deploying to Paired Regions at the same time (for example, East US and West US).

Kindly check these docs for more info:
The magic behind App Service OS updates

How and when are OS updates applied?




2/2: Just to highlight a few more points for additional clarity (sorry for the long post).


--As mentioned in this doc: If the destination address is for one of Azure's services, Azure routes the traffic directly to the service over Azure's backbone network, rather than routing the traffic to the Internet. Traffic between Azure services does not traverse the Internet, regardless of which Azure region the virtual network exists in, or which Azure region an instance of the Azure service is deployed in.

All Azure Web Apps run in a secure environment called a sandbox. Each app runs inside its own sandbox, isolating its execution from other instances on the same machine as well as providing an additional degree of security and privacy.
All the roles in an App Service deployment exist in a multi-tenant network. Because there are many different customers in the same App Service scale unit, you can't connect the App Service network directly to your network.

Kindly check this doc - Networking Restrictions/Considerations




1 Vote 1 ·

Additionally,

--You may be interested to know about Deploying to Network-secured sites without ASE. With the combination of the Virtual Network (VNet) and Private Endpoint integrations on App Service, you can secure your site’s inbound and outbound requests respectively: deploying-to-network-secured-sites.

--There are other features (like service endpoints, private endpoints, or combinations of them) you could leverage depending on your requirements. See Use cases and features: networking-features.



1 Vote 1 ·
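As an added example that is not part of this thread or of Microsoft's documentation, the following Bicep template applies the pattern described in the answer above (Private Endpoint for inbound, Regional VNet Integration for outbound) to an ordinary App Service Plan with no ASE. It assumes an existing VNet with one subnet delegated to Microsoft.Web/serverFarms, a second subnet for the endpoint NIC, and an existing privatelink.azurewebsites.net private DNS zone already linked to that VNet; the parameter and resource names are my own.

```bicep
// Added example, not from the Q&A thread: an App Service reached only through a
// Private Endpoint (inbound) and egressing only through VNet Integration (outbound).
// Assumed inputs: integrationSubnetId is delegated to Microsoft.Web/serverFarms,
// endpointSubnetId hosts the endpoint NIC, privateDnsZoneId is an existing zone.
param location string = resourceGroup().location
param appName string
param integrationSubnetId string
param endpointSubnetId string
param privateDnsZoneId string

resource plan 'Microsoft.Web/serverfarms@2022-09-01' = {
  name: '${appName}-plan'
  location: location
  sku: { name: 'P1v3', tier: 'PremiumV3' } // VNet Integration needs Standard or higher
}

resource site 'Microsoft.Web/sites@2022-09-01' = {
  name: appName
  location: location
  properties: {
    serverFarmId: plan.id
    httpsOnly: true
    publicNetworkAccess: 'Disabled'            // no inbound from the internet at all
    virtualNetworkSubnetId: integrationSubnetId
    siteConfig: { vnetRouteAllEnabled: true }  // all outbound enters the VNet, so its NSG/UDR apply
  }
}

resource pe 'Microsoft.Network/privateEndpoints@2023-04-01' = {
  name: '${appName}-pe'
  location: location
  properties: {
    subnet: { id: endpointSubnetId }
    privateLinkServiceConnections: [
      {
        name: '${appName}-plsc'
        properties: { privateLinkServiceId: site.id, groupIds: [ 'sites' ] }
      }
    ]
  }
}

// Registers the endpoint's private IP in the zone so VNet clients resolve
// appName.azurewebsites.net to it rather than to the public front end.
resource dnsGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-04-01' = {
  parent: pe
  name: 'default'
  properties: { privateDnsZoneConfigs: [ { name: 'sites', properties: { privateDnsZoneId: privateDnsZoneId } } ] }
}
```

With publicNetworkAccess disabled the app answers only from inside the VNet (or over VPN/ExpressRoute), and vnetRouteAllEnabled lets the integration subnet's NSG and route table govern its outbound traffic, which is the VM-like control the question asks about.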

Thank you.

0 Votes 0 ·