This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(115.19999999999999, 88%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMB%3C/text%3E%3C/svg%3E)
I'm trying to configure an app service such that it has a private link setup into our VPN enabled vnet but also allow public access (e.g. to allow front door and our devops agents access).
The docs (https://learn.microsoft.com/en-gb/azure/app-service/networking/private-endpoint) note that "by default" public access is disabled, to me that sounds like it is possible to not have the default, is that actually possible?
I'd rather not route everything through our vnet (using hub and spoke design) because to my mind that adds a single point of failure we don't need, e.g. having front door connect to the app service over the MS backbone means it isn't reliant on my vnet infrastructure. But the vpn access is useful for internal access direct to the app service.
Hi @Matt Browne
unfortunately by default, public access is disabled by default, and you cannot enable it, the App-assigned address option is grayed out and you lose public access.
Best
OK - just odd wording then, "by default" would imply there are different options.
Is there a design where we can achieve what we want, e.g. public access comes through front door (does things like load balancing over pools of app services in different regions) but VPN access direct to the app service.
The word has an ambiguous meaning, but what it means is that connections will be closed by default automatically when the private endpoint is enabled, making it impossible to access via public IP, requiring an additional resource or VPN
Get in touch if you need more help with this issue.
--please don't forget to "[Accept the answer]" if the reply is helpful--
Understood - thanks for your help...
Are there any docs or examples on how to achieve what we would like:
The problem I have is I can't see how to route out of our vpn vnet to the app service
1 - access via front door
2 - To connect endpoint with azure VPN client you need a DNS forwarder (can be a virtual machine or private resolver in public preview):
Reference: https://learn.microsoft.com/en-us/azure/dns/dns-private-resolver-overview
Think I've figured this out.
I have added the GatewaySubnet from my vnet which my VPN connects into as a rule on the app service as a vnet source:
This allows access from my vnet but also still allows a rule which gives access to frontdoor traffic.
Glad you were able to make it work!
There is a new resource o general availability - private endpoint network security group