This article describes how to integrate Azure Virtual Network with Azure App Service. The integration enables you to reach private resources from your App Service app within your Azure virtual network. Procedures are provided for the Azure portal, the Azure CLI, and Azure PowerShell.
Prerequisites
An existing app created in a dedicated Azure App Service compute pricing tier that supports virtual network integration.
- If you plan to allow inbound access via private endpoints on a subnet, public access must be disabled for the app.
The Azure virtual network and subnet that you specify for the integration must be in the same region.
The subnet must be allocated an IPv4 /28 block (16 addresses). The recommended minimum size is 64 addresses (IPv4 /26 block), which accommodates future growth and scaling needs.
The subnet must be empty, which means no network interface cards (NICs), virtual machines, private endpoints, and so on.
The subnet must be delegated to Microsoft.Web/serverFarms. If you don't delegate before integration, the provisioning process configures this delegation.
If the specified virtual network is in a different subscription than your app, confirm the virtual network subscription is registered with the Microsoft.Web resource provider.
The resource provider is registered when you create the first web app in a subscription. To explicitly register the provider, see Azure resource providers and types > Register resource provider.
Choose your preferred configuration method for completing the virtual network integration.
Configure virtual network integration for an app in the Azure portal:
Sign in to the Azure portal and go to the Overview page for your App Service app.
In the left menu, select Settings > Networking. The Networking page opens.
Scroll to the Outbound traffic configuration section, locate the Virtual network integration option, and select the Not configured link.
The Virtual Network Integration page opens.
Select Add virtual network integration.
The Add virtual network integration page opens.
Select the App Service Plan connection to use for the integration.
If your subscription has an existing plan that satisfies the integration configuration requirements, the portal displays the available <virtual-network>/<subnet> connection targets.
- To use an existing connection, select the <virtual-network>/<subnet> target, and then select Connect.
The procedure is complete.
To create a new plan for the integration, select New connection.
The page refreshes to show the Subscription, Virtual Network, and Subnet options.
Configure the options to create a new connection:
Select a Subscription and a Virtual Network by using the dropdown lists.
Select a Subnet from the dropdown list, and then select Connect.
The dropdown list shows all the virtual networks (and subnets) in the selected subscription and in the same region. The list identifies subnets available for integration, and indicates whether they're currently in use.
During the integration, your app restarts. When integration completes, the Virtual Network Integration page refreshes to show the details about the connection between the virtual network and your app.
Configure virtual network integration for an app by using the Azure CLI. The following commands assume the app and virtual network are in the same subscription.
Run the following command to configure virtual network integration.
Replace the <app-name>, <app-resource-group>, <virtual-network>, and <subnet> values with your resource information.
az webapp vnet-integration add \
--resource-group "<app-resource-group>" \
--name "<app-name>" \
--vnet "<virtual-network>" \
--subnet "<subnet>"
After the integration is complete, you can update the app configuration to route all outbound traffic through the virtual network integration:
Replace the <app-resource-group> and <app-name> values with your resource information.
az resource update \
--resource-group "<app-resource-group>" \
--name "<app-name>" \
--resource-type "Microsoft.Web/sites" \
--set properties.outboundVnetRouting.allTraffic=true
Review the following considerations:
If the virtual network is in a different subscription than the app, you can use the global --subscription "<subscription-ID>" parameter to set the current subscription context. Set the current subscription context to the subscription where the virtual network is deployed.
The command checks if the subnet is delegated to Microsoft.Web/serverFarms. If the subnet doesn't have this configuration, the command applies the necessary delegation.
If the subnet is configured but you don't have permissions to check it, or if the virtual network is in a different subscription from your app, you can use the --skip-delegation-check parameter to bypass the validation.
For more information, see the az webapp vnet-integration add reference.
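The subnet prerequisites listed earlier can be checked before you run az webapp vnet-integration add. The following script is an added example, not part of the original article; the function names are hypothetical, and it assumes that /28 is the smallest acceptable block and that the subnet reports a single addressPrefix.

```shell
#!/bin/sh
# Added example: pre-flight check of the integration subnet prerequisites.

# check_integration_subnet PREFIX IPCONFIGS ENDPOINTS DELEGATIONS
#   PREFIX       subnet address prefix, for example 10.0.1.0/26
#   IPCONFIGS    count of IP configurations (NICs) attached to the subnet
#   ENDPOINTS    count of private endpoints in the subnet
#   DELEGATIONS  whitespace-separated delegated service names, "" if none
# Prints one finding per line. Returns 0 if the subnet is usable, 1 if not.
check_integration_subnet() (
    prefix=$1 ipconfigs=$2 endpoints=$3 delegations=$4
    rc=0
    len=${prefix##*/}
    case $len in
        ''|*[!0-9]*) echo "FAIL: no prefix length in '$prefix'"; return 1 ;;
    esac
    if [ "$len" -gt 28 ]; then
        echo "FAIL: /$len is smaller than the required /28 block"; rc=1
    elif [ "$len" -gt 26 ]; then
        echo "WARN: /$len is accepted; /26 is the recommended minimum"
    fi
    if [ "$ipconfigs" -ne 0 ] || [ "$endpoints" -ne 0 ]; then
        echo "FAIL: subnet is not empty ($ipconfigs NICs, $endpoints private endpoints)"; rc=1
    fi
    for svc in $delegations; do
        # Defensive: compare in lowercase in case the API returns other casing.
        lc=$(printf '%s' "$svc" | tr 'A-Z' 'a-z')
        if [ "$lc" != "microsoft.web/serverfarms" ]; then
            echo "FAIL: subnet is delegated to $svc"; rc=1
        fi
    done
    [ -n "$delegations" ] || echo "INFO: not delegated yet; integration adds the delegation"
    return $rc
)

# preflight_subnet NETWORK_RG VNET SUBNET
# Reads the four values with the Azure CLI (signed-in session required) and
# runs the check. Assumes the subnet reports a single addressPrefix.
preflight_subnet() (
    q() { az network vnet subnet show --resource-group "$rg" \
            --vnet-name "$vnet" --name "$subnet" --query "$1" --output tsv; }
    rg=$1 vnet=$2 subnet=$3
    prefix=$(q 'addressPrefix') || return 1
    ipconfigs=$(q 'length(ipConfigurations || `[]`)') || return 1
    endpoints=$(q 'length(privateEndpoints || `[]`)') || return 1
    delegations=$(q 'delegations[].serviceName || `[]`') || return 1
    check_integration_subnet "$prefix" "$ipconfigs" "$endpoints" "$delegations"
)
```

Call preflight_subnet "<network-resource-group>" "<virtual-network>" "<subnet>" in the subscription context where the virtual network is deployed; a nonzero exit status means at least one prerequisite isn't met.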
Configure virtual network integration for an app by using Azure PowerShell.
Prepare parameters for the procedure commands.
Replace the <subscription-GUID>, <app-name>, <app-resource-group>, <network-resource-group>, <virtual-network>, and <subnet> values with your resource information.
# Set parameters for the procedure
$siteName = '<app-name>'
$vNetResourceGroupName = '<network-resource-group>'
$webAppResourceGroupName = '<app-resource-group>'
$vNetName = '<virtual-network>'
$integrationSubnetName = '<subnet>'
$vNetSubscriptionId = '<subscription-GUID>'
Note
If the virtual network is in a different subscription than the web app, you can use the Set-AzContext -Subscription "<subscription-ID>" command to set the current subscription context. Set the current subscription context to the subscription where the virtual network is deployed.
Check if the subnet is delegated to Microsoft.Web/serverFarms:
# Set the virtual network for the subnet to check
$vnet = Get-AzVirtualNetwork -Name $vNetName -ResourceGroupName $vNetResourceGroupName
# Get the subnet
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $integrationSubnetName -VirtualNetwork $vnet
# Check the delegation
Get-AzDelegation -Subnet $subnet
If your subnet isn't delegated to Microsoft.Web/serverFarms, add the delegation:
# Add the delegation to the subnet configuration
$subnet = Add-AzDelegation -Name "myDelegation" -ServiceName "Microsoft.Web/serverFarms" -Subnet $subnet
# Apply the updated configuration to the virtual network
Set-AzVirtualNetwork -VirtualNetwork $vnet
Configure virtual network integration, and route all traffic through the connection:
# Set the subnet resource ID
$subnetResourceId = "/subscriptions/$vNetSubscriptionId/resourceGroups/$vNetResourceGroupName/providers/Microsoft.Network/virtualNetworks/$vNetName/subnets/$integrationSubnetName"
# Get the web app configuration
$webApp = Get-AzResource -ResourceType "Microsoft.Web/sites" -ResourceGroupName $webAppResourceGroupName -ResourceName $siteName
# Set the subnet ID
$webApp.Properties | Add-Member -NotePropertyName "virtualNetworkSubnetId" -NotePropertyValue $subnetResourceId -Force
# Set routing to all traffic
$webApp.Properties | Add-Member -NotePropertyName "vnetRouteAllEnabled" -NotePropertyValue $true -Force
# Complete the integration
$webApp | Set-AzResource -Force
Note
If the virtual network is in a different subscription than the web app, you can use the Set-AzContext -Subscription "<subscription-ID>" command to set the current subscription context. Set the current subscription context to the subscription where the web app is deployed.