Azure App Service vNet Integration and ExpressRoute

While reviewing a recent customer design we spotted a problem. The design used Azure App Service vNet Integration with an ExpressRoute.

vNet Integration is a feature of App Services that allows an App to create an SSL VPN to an Azure VPN Gateway. This allows the App to access resources on an Azure Virtual Network or beyond. However, if the gateway is an ExpressRoute VPN Gateway, vNet Integration is not possible.

Fortunately, an alternative method of connectivity exists. Hybrid Connections are also a feature of the Azure App Service. A Hybrid Connection can be configured to pass HTTP(S) requests made in an App to the Hybrid Connection Manager. The Hybrid Connection Manager is an agent installed on a Windows Server with network access to the destination of the HTTP(S) request. Traffic between the App and the Hybrid Connection Manager is encrypted with SSL, and the connection from the Hybrid Connection Manager is outgoing. This avoids opening incoming firewall ports, which would be undesirable. Additionally, multiple Hybrid Connection Managers can be configured for redundancy.

In this case, Hybrid Connections avoided a redesign of the App and required only a minor change to the Azure infrastructure for the project.
