App Service Environment with Azure SQL backend

Azure Public Test Date Azure Public Test Result

Azure US Gov Last Test Date Azure US Gov Last Test Result

Best Practice Check Cred Scan Check

Deploy To Azure


This template creates an App Service Environment with an App Service within its assigned Subnet which can connect to a backend Azure SQL Server via a private endpoint. Both the App Service and Azure SQL Server are configured with a private endpoints and discoverable via Azure Private DNS. There is a P2S VPN Gateway so that you can connect privately to the VNET and access resources such as Azure SQL or App Service. In fact, a samll Virtual Machine is configured so you can remote desktop into this VM and leverage the Private DNS to access those resources. Within the App Service Configuration, you can create an Key Vault reference to the DB Connection string, so no secrets will ever be exposed. We will notice that the publicNetworkAccess setting is set to Enabled even though public network access should be disabled. The reason for this is we need this to be turned on to manage database level firewall rules.

More on the Parameters

The idea behind stackName so we can name all resources with similar name which is useful for identifying your resources. Feel free to pass in any name you like but it is recommanded to keep it short i.e. less than 10 characters.

The aadUserObjectId parameter is your user object Id and allows you to have access to Azure SQL and Azure Key Vault with your AAD user credentials. You can use Azure CLI to get that with the following command.

$objectId = ((az ad user list --upn (az account list | ConvertFrom-Json).user[1].name) | ConvertFrom-Json).objectId

The aadUsername is your user principal name which should normally be the email address to login to Azure.

The p2sRootCert refers the base 64 string of the root certificate. You would use the child certificate to connect to the VPN Gateway. Follow the instructions on to create your own cert and pass it in. Here's an example code snippet.

$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=P2SRootCert" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `
    -Subject "CN=P2SChildCert" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -Signer $cert -TextExtension @("{text}")

$RawRootCertFilePath = "<Replace with your own path>\P2SRootCertRaw.cer"
Export-Certificate -Cert $cert -FilePath $RawRootCertFilePath -Force

certutil -encode $RawRootCertFilePath $RootCertFilePath

Tags: Microsoft.Network/virtualNetworks, Microsoft.Network/virtualNetworks/subnets, Microsoft.Web/hostingEnvironments, Microsoft.Sql/servers, databases, transparentDataEncryption, firewallrules, Microsoft.Sql/servers/virtualNetworkRules, administrators, Microsoft.KeyVault/vaults, Microsoft.Web/serverfarms, Microsoft.Web/sites, SystemAssigned, Microsoft.Web/sites/config, Microsoft.Network/networkInterfaces, Microsoft.Compute/virtualMachines, Microsoft.Compute/virtualMachines/extensions, IaaSAntimalware, Microsoft.Network/privateEndpoints, Microsoft.Network/privateDnsZones, Microsoft.Network/privateDnsZones/virtualNetworkLinks, Microsoft.Network/privateEndpoints/privateDnsZoneGroups, Microsoft.Network/publicIPAddresses, Microsoft.Network/virtualNetworkGateways, Microsoft.Storage/storageAccounts, blobServices/containers, microsoft.insights/components