I am trying to set up this hub-spoke topology where I have a hub VNET connected to an ExpressRoute circuit: https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke

I have another VNET (let's call it the app VNET) set up with peering to this hub VNET, where I can create a virtual machine and ping resources on the other end just fine using the remote gateway setting on the peering.

The problem is that by using the remote gateway, my app VNET cannot have its own gateway, and so I cannot integrate an App Service plan with the VNET.

Is there another way I could accomplish this?

2 Answers

I would like to suggest setting up a VNet-to-VNet VPN gateway connection instead of VNet peering between the hub VNet and the app VNet. If so, each VNet will have its own gateway. The app VNet will be integrated with your web app. You need to ensure that the address prefixes don't overlap among all the connected networks.

Update

Perhaps you can use the new preview VNet Integration.

There is a new version of the VNet Integration capability that doesn't depend on Point-to-Site VPN technology. Unlike the pre-existing feature, the new Preview feature will work with ExpressRoute and Service Endpoints.

The new version is in Preview and has the following characteristics.

No gateway is required to use the new VNet Integration feature. You can access resources across ExpressRoute connections without any additional configuration beyond integrating with the ExpressRoute connected VNet. The app and the VNet must be in the same region ...

Ref: https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet#new-vnet-integration
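A pre-flight check for the two requirements this answer raises, that address prefixes must not overlap across every connected network and that each VNet hosting its own gateway needs a `GatewaySubnet`, written as an added example rather than code from the original answer; the network names and prefixes are constructed for illustration.

```python
"""Pre-flight validation for a hub/spoke layout that moves from peering to
VNet-to-VNet VPN gateways. Added example; all names and prefixes below are
constructed, not taken from a real deployment."""
import ipaddress
from itertools import combinations

# Constructed sample: hub, app spoke, on-prem range behind ExpressRoute,
# and a second spoke whose prefix deliberately collides with the hub.
SAMPLE_NETWORKS = {
    "hub": ["10.0.0.0/16"],
    "app-spoke": ["10.1.0.0/16"],
    "on-prem": ["192.168.0.0/16"],
    "spoke2-bad": ["10.0.5.0/24"],
}

# Constructed sample subnets; a VNet that hosts a VPN or ExpressRoute gateway
# must contain a subnet named exactly "GatewaySubnet".
SAMPLE_VNETS = {
    "hub": {"subnets": {"GatewaySubnet": "10.0.255.0/27", "shared": "10.0.1.0/24"},
            "needs_gateway": True},
    "app-spoke": {"subnets": {"apps": "10.1.1.0/24"}, "needs_gateway": True},
}


def overlapping_prefixes(networks):
    """Return (name_a, prefix_a, name_b, prefix_b) for every pair of prefixes
    belonging to different networks that overlap. An empty list means the
    address plan satisfies the non-overlap requirement for VNet-to-VNet links."""
    flat = [(name, ipaddress.ip_network(p))
            for name, prefixes in networks.items() for p in prefixes]
    return [(a, str(pa), b, str(pb))
            for (a, pa), (b, pb) in combinations(flat, 2)
            if a != b and pa.overlaps(pb)]


def missing_gateway_subnets(vnets):
    """Return the names of VNets that are expected to host their own gateway
    but have no subnet named 'GatewaySubnet'."""
    return [name for name, spec in vnets.items()
            if spec["needs_gateway"] and "GatewaySubnet" not in spec["subnets"]]


if __name__ == "__main__":
    for issue in overlapping_prefixes(SAMPLE_NETWORKS):
        print("overlap: %s %s <-> %s %s" % issue)
    for name in missing_gateway_subnets(SAMPLE_VNETS):
        print("no GatewaySubnet in:", name)
```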

The limitation that you are encountering is from the VNet gateway perspective. Using a remote gateway over peering prevents one from deploying a gateway in that VNet.

The alternative suggested by @nancy should do the trick. But you will have to incur the cost of having the gateway. Secondly, this will require a co-existence set-up.

That is, you will have to deploy another VPN gateway. Change of reference: VNET-HUB (your hub VNET with ExR); VNET-SPOKE1 (the currently peered VNET, referred to as your application VNet).

Your VNET-HUB has an ExR gateway; it needs to have another VPN gateway. Your VNET-SPOKE1 needs to have a VPN gateway deployed as well.

This allows the VNET-HUB to talk to the App Service Environment that you would integrate via point-to-site.

Note: The on-premises network will not be able to access the app VNet, as we can't have point-to-site co-exist with ExpressRoute.

I hope this has provided an insight into the limitations.

References/good reads: