Securing backend AppServices with VNET integration
Pascal van der Horst
Pascal van der Horst
 3 Minutes
 18 January 2021

Securing backend AppServices with VNET integration

Securing your backend AppService is not something you think of in the first place. A backend AppService could be called directly by suspicious persons with bad intensions. By securing your backend AppService, you will prevent backend APIs to expose critical data or that the AppService cost are increased by consuming more resources then actually needed.

Problem scenario

You have a web application that exists of a frontend AppService and a backend AppService. Normally, you would setup two AppServices that communicate with each other through HTTP calls. The frontend AppService calls the backend AppService and the backend AppService retrieves the data from a data source and returns the result back to the frontend AppService. This is a very common scenario within the Azure topology. 

The problem with this common scenario is that a suspicious person can call the backend AppService directly from anywhere in the world. Although the underlying AppService virtual machines are protected by Microsoft, it's still externally accessible instead of only being available for the consuming service

Appservice common scenario

Target scenario

To prevent direct connection from the internet, an Azure Virtual Network will be used to restrict access to the backend AppService by using IP-restriction. See below diagram.

restricted api

This illustration shows that the HTTPS traffic runs through the virtual network instead of the Internet. As a result, it is not possible to gain remote access to the backend by a malicious user.


To realize the platform, a number of Azure resources and configuration changes are needed.

Needed Azure resources

  • An Azure account and subscription
  • Azure Virtual Network with a delegating subnet
  • Azure AppService or an Azure Function as a backend (Api)
  • Azure AppService for the frontend (Web)

Steps (tutorial)

 A 3-step plan explains how azure resources are created and how azure resources can be configured to meet the target scenario.

Do you have questions about securing backend AppServices? Get in touch, we'll be happy to help.

  • azure
  • cloud
  • security
  • backend
Pascal van der Horst
Pascal van der Horst

Pascal is specialized in designing and developing Microsoft .NET applications both on-premise and in the cloud (Azure) based on SCRUM methodology. He values qualitative and maintainable code, using design patterns and (cloud) principles as much as possible.