
Web App should use private IP in a VNet with Service Endpoints

Remove the limitation that prevents us from using Web Apps with Service Endpoints to limit access to Azure SQL database.

Limitation is described here: https://docs.microsoft.com/en-us/azure/sql-database/sql-database-vnet-service-endpoint-rule-overview?toc=%2fazure%2fvirtual-network%2ftoc.json#limitations
"•A Web App can be mapped to a private IP in a VNet/subnet. Even if service endpoints are turned ON from the given VNet/subnet, connections from the Web App to the server will have an Azure public IP source, not a VNet/subnet source. To enable connectivity from a Web App to a server that has VNet firewall rules, you must Allow all Azure services on the server."

434 votes
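The limitation quoted above means a VNet-integrated Web App can only reach a firewalled Azure SQL server if the server carries the "Allow Azure services" rule, which admits any Azure-sourced public IP rather than just your subnet. The following is an added example, not part of the original request or any Microsoft tool: it reads an exported list of server-level firewall rules and flags that rule, plus any unusually broad range, so the over-broad setting can be spotted in a review. It assumes the input is shaped like the JSON from `az sql server firewall-rule list` and that the `0.0.0.0`–`0.0.0.0` range is how the Allow Azure services rule is stored; the sample rules and the 256-address threshold are constructed for the example.

```python
import ipaddress
import json

# Constructed sample shaped like `az sql server firewall-rule list` output
# (only the fields used here); these are not rules from any real server.
SAMPLE_RULES_JSON = """
[
  {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
  {"name": "office-egress", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.10"},
  {"name": "wide-open", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"}
]
"""

# Assumed review policy: any rule admitting more than a /24 worth of addresses is worth a look.
BROAD_RANGE_THRESHOLD = 256


def classify_rule(rule):
    """Return a finding label for one server-level firewall rule."""
    start = ipaddress.ip_address(rule["startIpAddress"])
    end = ipaddress.ip_address(rule["endIpAddress"])
    if int(start) == 0 and int(end) == 0:
        # The 0.0.0.0-0.0.0.0 sentinel is how "Allow Azure services and resources
        # to access this server" is stored; it admits traffic from any Azure public IP,
        # which is exactly the setting the docs call "more open than you want".
        return "allow-azure-services"
    if int(end) - int(start) + 1 > BROAD_RANGE_THRESHOLD:
        return "broad-range"
    return "ok"


def review_rules(rules_json):
    """Map each rule name to its classification."""
    rules = json.loads(rules_json)
    return {rule["name"]: classify_rule(rule) for rule in rules}


def flagged_rules(rules_json):
    """Sorted names of every rule that is not a tight, explicit allow."""
    return sorted(name for name, label in review_rules(rules_json).items() if label != "ok")


if __name__ == "__main__":
    for name, label in review_rules(SAMPLE_RULES_JSON).items():
        print(f"{name:28s} {label}")
```

Run it against the real export with `az sql server firewall-rule list -g <rg> -s <server> > rules.json` and feed the file contents to `flagged_rules`; an `allow-azure-services` finding is the condition the request above wants to make unnecessary.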
    Peter shared this idea
    started  ·  Azure App Service team (Admin, Microsoft Azure) responded  · 

    Hi all,

    We are currently working on items that will enable service endpoints for multi-tenant App service. We will share the news of the features we deliver on the App Service Blog here: aka.ms/AppServiceBlog.

    We also expect to speak about this topic at the Ignite conference in September in Orlando.

    Thanks,
    Oded

    14 comments

      • Anonymous commented

        Agreed with the comment below. It seems pointless at the moment as you still have to have the firewall open to all Azure services. When will an update be provided? Thanks,

      • Anonymous commented

        What's the status on this? I set up a test environment today exactly as mentioned in the linked video (https://youtu.be/hTsspH9hzec?t=432) and while it works, it requires the database to still be open to all Azure services, which seems to defeat the point of having it and an app service attached to the same vnet.

      • Ryan commented

        Found a link:
        https://youtu.be/hTsspH9hzec?t=432

        Summary:
        Web Apps can be attached to a virtual network (with a private IP - and not using a VPN).
        The Web App can talk to service endpoints via the virtual network (e.g. use Azure SQL database).
        Preview in East US/North Europe
        Worldwide by late October (no production workloads yet)
        GA time frame not talked about

      • Anonymous commented

        Can you please share the link to the new feature that enables the service endpoint for App Service?
        Any link to the Ignite announcement regarding this?

        Thanks,
        Pranith

      • Antonio commented

        Excellent news!! Will this feature allow outgoing WebApp traffic to be passed through an NVA with UDR rules?

        Thanks!

      • Anonymous commented

        Excellent!!! Have been getting around it by putting storage and sql in a different region than the app service and using public ip filtering.

      • Anonymous commented

        Absolutely. Your own document describes the required setup as "This ON setting is probably more open than you want your SQL Database to be."

        critical requirement to not open up SQL databases more than necessary
