Manage Azure App Service virtual network integration routing
Through application routing or configuration routing options, you can configure what traffic is sent through the virtual network integration. For more information, see the overview section.
Your app is already integrated using the regional virtual network integration feature.
Application routing defines what traffic is routed from your app and into the virtual network. We recommend that you use the vnetRouteAllEnabled
site setting to enable routing of all traffic. Using the configuration setting allows you to audit the behavior with a built-in policy. The existing WEBSITE_VNET_ROUTE_ALL
app setting can still be used, and you can enable all traffic routing with either setting.
Follow these steps to disable outbound internet traffic routing in your app through the portal.
Go to Networking > Virtual network integration in your app portal.
Uncheck the Outbound internet traffic setting.
Select Apply to confirm.
You can also configure Outbound internet traffic by using the Azure CLI.
az resource update --resource-group <group-name> --name <app-name> --resource-type "Microsoft.Web/sites" --set properties.vnetRouteAllEnabled=[true|false]
When you're using virtual network integration, you can configure how parts of the configuration traffic are managed. By default, configuration traffic goes directly over the public route, but for the mentioned individual components, you can actively configure it to be routed through the virtual network integration.
Routing container image pull over virtual network integration can be configured using the Azure CLI.
az resource update --resource-group <group-name> --name <app-name> --resource-type "Microsoft.Web/sites" --set properties.vnetImagePullEnabled=[true|false]
We recommend that you use the site property to enable routing image pull traffic through the virtual network integration. Using the configuration setting allows you to audit the behavior with Azure Policy. The existing WEBSITE_PULL_IMAGE_OVER_VNET
app setting with the value true
can still be used, and you can enable routing through the virtual network with either setting.
Routing content share over virtual network integration can be configured using the Azure CLI. In addition to enabling the feature, you must also ensure that any firewall or Network Security Group configured on traffic from the subnet allow traffic to port 443 and 445.
az resource update --resource-group <group-name> --name <app-name> --resource-type "Microsoft.Web/sites" --set properties.vnetContentShareEnabled=[true|false]
We recommend that you use the site property to enable content share traffic through the virtual network integration. Using the configuration setting allows you to audit the behavior with Azure Policy. The existing WEBSITE_CONTENTOVERVNET
app setting with the value 1
can still be used, and you can enable routing through the virtual network with either setting.
Routing backup traffic over virtual network integration can be configured using the Azure CLI. Database backup isn't supported over the virtual network integration.
az resource update --resource-group <group-name> --name <app-name> --resource-type "Microsoft.Web/sites" --set properties.vnetBackupRestoreEnabled=[true|false]