none
Web App with Intranet access only

    Question

  • Hi,

    I am developing small Azure Web App (PaaS) and my customer would like to enhance the security so that the Web App can be accessed from their Intranet only. The Web App does not need to access on-prem resources, everything is nicely within Azure. Furthermore, the traffic volumes are rather low and the Web App is not resource hungry, so e.g. S1 App Service Plan is enough.

    I am a bit confused with VPNs, VNET, ASEs, Network security groups, Configuring IP address restrictions in web.config etc, etc so what is the most straightforward way to implement my customer requirement?

    Tuesday, February 14, 2017 3:52 PM

Answers

All replies

  • There was a feedback voiced on similar question here, Internal Load Balancer (ILBs) with the App Service Environment feature would help in your requirement:

    Announcing Internal Load Balancer and Resource Manager VNet support

    Check the documentation below for more details on other features:

    IP and Domain Restrictions for Windows Azure Web Sites

    Integrate your app with an Azure Virtual Network

    Introduction to App Service Environment

    Azure Network Security Groups (NSG) – Best Practices


    Wednesday, February 15, 2017 3:45 PM
    Moderator
  • I have studied the documentation but not sure if I have understood it correctly... as it sounds so absurd...

    Let's assume that I have developed "Hello World" Web App on top of Azure PaaS and I'd like to limit the access to that particular web app to customer intranet only. No database, not high volumes, just simple "Hello World" Web App with tight security

    In my limited understanding, the only way to implement this use case is to put the "Hello World" Web App into App Service Environment (ASE). This is otherwise OK, but ASE requires premium >=6 core App Service Plan which costs roughly 1500USD /month plus other ingredients like VNet, VPN, ASE etc so that the total cost is roughly 2000USD per month.

    Furthermore, it seems that if I would have selected VM or Azure Web Role as a platform instead of Web App PaaS, I dont need ASE and I can implement the use case 1-2 orders of magnitude cheaper.

    Have I misunderstood something, or is this really the case?

    Tuesday, February 21, 2017 7:25 PM
  • Hi, 

    I think your observations are right.

    A normal web app doesn't have much capabilities to restrict access. If you want it cheap and simple, I see two options: You can put an IP restriction in the web.config or use AD authentication.

    • Marked as answer by hpahkala Wednesday, February 22, 2017 8:24 PM
    Wednesday, February 22, 2017 11:11 AM
  • Thanks for clear answer. That ASE with min 6 core premium App Service sounded so absurd that I thought I have missed something essential. I even made a bet: "This is so common use case that surely there are a better way".

    I think this is quite important missing feature and it seems to push me back to old VMs. Sad, as otherwise App Service was very productive environment

    Wednesday, February 22, 2017 8:45 PM
  • Having come to the same conclusion, I too find this absolutely mind boggling expensive for such a simple and common feature.

    Wednesday, March 14, 2018 11:17 AM
  • Thanks for the feedback. Private site access is only available with an ASE configured with an Internal Load Balancer (ILB). Post your feedback here: Azure Website only accessible through a Virtual Private Network.

     

    Just to highlight, Azure offers several ways to host web sites: Azure App Service, Virtual Machines, Service Fabric, and Cloud Services. Refer the documentation for more information: Azure App Service, Virtual Machines, Service Fabric, and Cloud Services comparison  ­on this topic.

    ---------------------------------------------------------------------------------------------------

    Do click on "Mark as Answer" on the post that helps you, this can be beneficial to other community members.

    • Marked as answer by hpahkala Tuesday, December 11, 2018 12:14 PM
    Saturday, March 17, 2018 6:56 PM
    Moderator