Securing backend AppServices with VNET integration

Problem scenario

You have a web application that exists of a frontend AppService and a backend AppService. Normally, you would setup two AppServices that communicate with each other through HTTP calls. The frontend AppService calls the backend AppService and the backend AppService retrieves the data from a data source and returns the result back to the frontend AppService. This is a very common scenario within the Azure topology. 

The problem with this common scenario is that a suspicious person can call the backend AppService directly from anywhere in the world. Although the underlying AppService virtual machines are protected by Microsoft, it's still externally accessible instead of only being available for the consuming service

Target scenario

To prevent direct connection from the internet, an Azure Virtual Network will be used to restrict access to the backend AppService by using IP-restriction. See below diagram.

This illustration shows that the HTTPS traffic runs through the virtual network instead of the Internet. As a result, it is not possible to gain remote access to the backend by a malicious user.

Platform

To realize the platform, a number of Azure resources and configuration changes are needed.

Needed Azure resources

• An Azure account and subscription
• Azure Virtual Network with a delegating subnet
• Azure AppService or an Azure Function as a backend (Api)
• Azure AppService for the frontend (Web)

Steps (tutorial)

 A 3-step plan explains how azure resources are created and how azure resources can be configured to meet the target scenario.

• Part 1: Provision and configure Azure Virtual Network
• Part 2: Provision and configure the backend
• Part 3: Provision and configure the frontend

Do you have questions about securing backend AppServices? Get in touch, we'll be happy to help.