Enable virtual network integration in Azure App Service
Through integrating with an Azure virtual network (VNet) from your Azure App Service app, you can reach private resources from your app within the virtual network. The VNet integration feature has two variations:
- Regional virtual network integration: Connect to Azure virtual networks in the same region. You must have a dedicated subnet in the virtual network you're integrating with.
- Gateway-required virtual network integration: When you connect directly to a virtual network in other regions or to a classic virtual network in the same region, you must use gateway-required virtual network integration.
This article describes how to set up regional virtual network integration.
The VNet integration feature requires:
- An App Service pricing tier that supports virtual network integration.
- A virtual network in the same region with an empty subnet.
The subnet must be delegated to Microsoft.Web/serverFarms. If the delegation isn't done before integration, the provisioning process will configure this delegation. The subnet must be allocated an IPv4
/28 block (16 addresses). We recommend that you have a minimum of 64 addresses (IPv4
/26 block) to allow for maximum horizontal scale.
Configure in the Azure portal
Go to Networking in the App Service portal. Under Outbound Traffic, select VNet integration.
Select Add VNet.
The dropdown list contains all the virtual networks in your subscription in the same region. Select an empty pre-existing subnet or create a new subnet.
During the integration, your app is restarted. When integration is finished, you'll see details on the virtual network you're integrated with.
Configure with the Azure CLI
You can also configure virtual network integration by using the Azure CLI:
az webapp vnet-integration add --resource-group <group-name> --name <app-name> --vnet <vnet-name> --subnet <subnet-name>
The command checks if the subnet is delegated to Microsoft.Web/serverFarms and applies the necessary delegation if it isn't configured. If the subnet was configured, and you don't have permissions to check it, or if the virtual network is in another subscription, you can use the --skip-delegation-check parameter to bypass the validation.
Configure with Azure PowerShell
$siteName = '<app-name>' $vNetResourceGroupName = '<group-name>' $webAppResourceGroupName = '<group-name>' $vNetName = '<vnet-name>' $integrationSubnetName = '<subnet-name>' $vNetSubscriptionId = '<subscription-guid>'
If the virtual network is in another subscription than webapp, you can use the Set-AzContext -Subscription "xxxx-xxxx-xxxx-xxxx" command to set the current subscription context. Set the current subscription context to the subscription where the virtual network was deployed.
Check if the subnet is delegated to Microsoft.Web/serverFarms.
$vnet = Get-AzVirtualNetwork -Name $vNetName -ResourceGroupName $vNetResourceGroupName $subnet = Get-AzVirtualNetworkSubnetConfig -Name $integrationSubnetName -VirtualNetwork $vnet Get-AzDelegation -Subnet $subnet
If your subnet isn't delegated to Microsoft.Web/serverFarms, add delegation using below commands.
$subnet = Add-AzDelegation -Name "myDelegation" -ServiceName "Microsoft.Web/serverFarms" -Subnet $subnet Set-AzVirtualNetwork -VirtualNetwork $vnet
Configure VNet Integration.
If the webapp is in another subscription than virtual network, you can use the Set-AzContext -Subscription "xxxx-xxxx-xxxx-xxxx" command to set the current subscription context. Set the current subscription context to the subscription where the web app was deployed.
$subnetResourceId = "/subscriptions/$vNetSubscriptionId/resourceGroups/$vNetResourceGroupName/providers/Microsoft.Network/virtualNetworks/$vNetName/subnets/$integrationSubnetName" $webApp = Get-AzResource -ResourceType Microsoft.Web/sites -ResourceGroupName $webAppResourceGroupName -ResourceName $siteName $webApp.Properties.virtualNetworkSubnetId = $subnetResourceId $webApp.Properties.vnetRouteAllEnabled = 'true' $webApp | Set-AzResource -Force