1
votes

I'm trying to follow along with the guide found here: https://docs.microsoft.com/en-us/azure/app-service-web/web-sites-integrate-with-vnet

I have tried both connecting to an existing VNET and setting up a new VNET, but the results are the same.

I have an existing VNET that connects to an external partner service. When I connect a VM to the VNET, I am able to telnet into the external partner's IP:port. When I connect the Azure App Service to that same VNET, I am unable to get the traffic to route to that external partner service.

From the guide, it looks like I should be able to just add an IP address range to the App Service Plan's Networking configuration, as seen in this image from the linked article.

IP Addresses routed to VNET include text boxes

When I go into my App Service Plan's Networking configuration, I have no option to add more IP addresses.

My App Service Plan's Networking configuration

When I look at the App Service directly (not the plan), I see that there are some default routes (not sure where those come from).

App Service Plan network configuration

I tried adding a User Defined Route to the route table associated with the subnet, but that did not appear in the IP Addresses Routed To VNET.

The address range listed in the Site-to-Site address space is the range that I need forwarded.

2
Remember your partner needs to also configure their routers to route the point-to-site address space to your vnet :) Even if the traffic was making it there, it might not know how to send a response. – juunas

2 Answers

3
votes

So, while the article shows that you can add routes via the portal seen in the first image of the question, that functionality does not exist. To add a route, you have to use the resource explorer and edit the service plan.

Resource explorer

From here, it will open the explorer to the app service plan selected. Find the virtualNetworkConnections node and open it. Inside you'll see a Routes node. Pick routes.

Virtual Network Connections

Enable Read/Write capability in the top bar.

Enable Read/Write

Copy an existing route from the list if there is one to pick up the default values, then pick the create option to add a new route.

Create route

Paste the existing route and update appropriate fields or fill in from scratch. Here is an example...

{
  "id": "/subscriptions/<subid>/resourceGroups/<RG name>/providers/Microsoft.Web/serverFarms/<service plan name>/virtualNetworkConnections/<vnet name>/routes/<route name>",
  "name": "<route name>",
  "type": "Microsoft.Web/serverfarms/virtualNetworkConnections/routes",
  "location": "<location, eg East US 2>",
  "properties": {
    "name": "<route name>",
    "startAddress": "<start address>",
    "endAddress": "<end address>",
    "routeType": "DEFAULT",
    "denyRoute": false
  }
}

If you had an existing route, you should only need to change the <route name>, <start address>, and <end address>.

The {Resource Name} field should be populated with the same value as in the template. After it is filled in, select PUT. The new route will now be available.

Put Route
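An added example, not part of the original answer: a small Python helper that fills in the route template above from a CIDR block and checks whether an existing route already covers that block before you PUT a new one. The function names, resource names and address ranges are constructed for illustration, and the helper assumes IPv4 ranges.

```python
import ipaddress
import json

def route_body(sub_id, resource_group, plan, vnet, route_name, cidr, location):
    """Build the PUT body for one route, using the field names from the template above."""
    # strict=True rejects a block with host bits set (e.g. 192.168.50.7/24), a common typo
    net = ipaddress.IPv4Network(cidr, strict=True)
    route_id = (
        f"/subscriptions/{sub_id}/resourceGroups/{resource_group}"
        f"/providers/Microsoft.Web/serverFarms/{plan}"
        f"/virtualNetworkConnections/{vnet}/routes/{route_name}"
    )
    return {
        "id": route_id,
        "name": route_name,
        "type": "Microsoft.Web/serverfarms/virtualNetworkConnections/routes",
        "location": location,
        "properties": {
            "name": route_name,
            "startAddress": str(net.network_address),
            "endAddress": str(net.broadcast_address),
            "routeType": "DEFAULT",
            "denyRoute": False,
        },
    }

def covered_by(existing_routes, cidr):
    """Return the names of existing routes whose start/end range already contains cidr."""
    target = ipaddress.IPv4Network(cidr, strict=True)
    hits = []
    for route in existing_routes:
        props = route["properties"]
        start = ipaddress.IPv4Address(props["startAddress"])
        end = ipaddress.IPv4Address(props["endAddress"])
        if start <= target.network_address and target.broadcast_address <= end:
            hits.append(props["name"])
    return hits

# Constructed sample: one route copied from the Routes node (values are illustrative only)
ARGS = ("<subid>", "rg-demo", "plan-demo", "vnet-demo")
EXISTING = [route_body(*ARGS, "existing-10", "10.0.0.0/8", "East US 2")]

if __name__ == "__main__":
    partner = "192.168.50.0/24"  # constructed stand-in for the partner's address range
    if covered_by(EXISTING, partner):
        print("already routed by:", covered_by(EXISTING, partner))
    else:
        print(json.dumps(route_body(*ARGS, "partner", partner, "East US 2"), indent=2))
```

Keeping the new route as narrow as the partner's actual range limits how much of the app's outbound traffic is pulled into the VNet.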

1
votes

To add a route, it needs to be done at the App Service Plan level.

"The only operation you can take in the app view of your VNet Integration is to disconnect your app from the VNet it is currently connected to. To disconnect your app from a VNet, select Disconnect. Your app will be restarted when you disconnect from a VNet. Disconnecting doesn't change your VNet. The VNet and its configuration including the gateways remains unchanged. If you then want to delete your VNet, you need to first delete the resources in it including the gateways.

To reach the ASP VNet Integration UI, open your ASP UI and select Networking. Under VNet Integration, select Click here to configure to open the Network Feature Status UI."

"The ASP VNet Integration UI will show you all of the VNets that are used by the apps in your ASP. You can have up to 5 VNets connected to by any number of apps in your App Service plan. Each app can have only one integration configured. To see details on each VNet, click on the VNet you are interested in. There are two actions you can perform here.

Sync network. The sync network operation makes sure that your certificates and network information are in sync. If you add or change the DNS of your VNet, you need to perform a Sync network operation. This operation will restart any apps using this VNet.

Add routes. Adding routes will drive outbound traffic into your VNet.

Routing

The routes that are defined in your VNet are used to direct traffic into your VNet from your app. If you need to send additional outbound traffic into the VNet, then you can add those address blocks here."