1

In a typical 3-Tier web app, you run web servers in public subnet, while app tier lives in private subnet. Is it possible to run similar architecture with Azure Web apps and Api apps?

I guess you can run Asp.NET Core Web App in Azure Web App and Deploy AspNet Core Web Api to Azure Api App, then make Api end point private so only Web app can talk to it? I see options like Google, Facebook et. as auth providers. Is that what you have to do to make API private?

D.

user3573411
  • 53
  • 7

2 Answers2

1

If you want that level of isolation, one (although expensive) option is an App Service Environment (ASE). Link to docs: https://learn.microsoft.com/en-us/azure/app-service-web/app-service-app-service-environment-intro

App Service Environments are ideal for application workloads requiring:

  • Very high scale

  • Isolation and secure network access

The public environment where you deploy by default is public. Your endpoints will be accessible to anyone anywhere, and it is up to your app to do the filtering. This can be done, e.g. through static IP address security settings in Web.config. The problem with that is that even then you can't know for sure what IP address your front-end will use for communication. There are multiple possible addresses it may use for outbound traffic, and those are subject to possible change.

You can see an example of IP restrictions here: restricting IP security

Of course you should also have authentication set up on your API. Documentation links:

juunas
  • 54,244
  • 13
  • 113
  • 149
  • Thanks Junnas. ASE is what I have been exploring. In my questions I was referring to mapping front end piece to Web Apps and Api in API Apps (both part of ASE). Then secure API App using one of the authN/Z options. I wanted to understand if that is common pattern. Or if there is another mechanism to enable private communication between Web App and Api App. I saw some older posts and channel 9 video referring to some feature. – user3573411 May 31 '17 at 02:05
  • Sorry, did not realize that ASE is premium service. I will review it. Thanks. – user3573411 May 31 '17 at 02:22
  • We mostly use Azure AD for authentication and authorization. We create an application for each component (front-end/API), and then give them the necessary permissions that specify what they are allowed to call. That would be one option. – juunas May 31 '17 at 06:13
1

In line with what @juunas said above and a slight variant is to introduce Azure API Management Gateway in between Azure web app and Azure Api app. In standard tier API Gateway the IP address is fixed and doesn't change and you can use the API Gateway address in Azure API App web.config to whitelist.

Gopi Kolla
  • 964
  • 6
  • 12
  • Do you know if API apps provide an option to secure API using a key. I believe API GW does that, but that also increase cost a whole lot. – user3573411 May 31 '17 at 02:15