
I have a VM running a WebAPI service that I want to hit from an Azure web app using a vnet-to-vnet connection. As such, I have the VPNs configured as follows:

Virtual Machine - VMVnet

Address Space: 10.1.0.0/16
Subnet: 10.1.0.0/24
Gateway Subnet: 10.1.1.0/27
Private IP: 10.1.0.4

I also opened the target port up in Windows Firewall.

Web App - AppVnet

Address Space: 10.2.0.0/16
Subnet: 10.2.0.0/24
Gateway Subnet: 10.2.1.0/27

I also have Virtual Network Gateways configured for both, each with a connection going to the other.

Now, after I connect the app to AppVnet and sync the routes from the app service plan's networking section, I should be able to hit the VM using its private IP from the app code. When I try, I get the following error:

An attempt was made to access a socket in a way forbidden by its access permissions

I also tried setting up Virtual Network Peering between the networks, but that didn't work either.

Is what I'm trying to do even possible with Azure web apps? I saw this question, which seemed like what I was looking for but the information in it is a bit lacking.

If not, I have tried this with a point-to-site configuration with the app connected to the VM's vnet, and it worked fine. Would it be preferable to set up a second nic on the VM using the AppVnet and connect all apps through that?

valverij
  • You need to create a point to site connection from Azure Vm to Azure WebApp. Check this MSDN blog for more detailed information Link: https://blogs.msdn.microsoft.com/benjaminperkins/2017/02/01/create-a-vnet-and-access-an-azure-vm-hosted-within-it-from-an-app-serivces-web-app/ – Zahid Faroq Jul 05 '18 at 16:26
  • That's within the *same* vnet, though, right? In this setup, the VM and app would be behind different vnets. – valverij Jul 05 '18 at 16:46
  • What is your question now? It seems that P2S VPN can resolve it, and you do not need a second nic on the VM. – Nancy Jul 06 '18 at 02:57
  • @NancyXiong-MSFT I guess I'm just wondering why neither the vnet-to-vnet nor vnet peering works with the web app. – valverij Jul 06 '18 at 12:31

1 Answer

I'm just wondering why neither the vnet-to-vnet nor vnet peering works with the web app

First of all, you need to know how to integrate your app with an Azure Virtual Network.

Here are some things to keep in mind before connecting your web app to a virtual network:

  • If your target virtual network already exists, it must have point-to-site VPN enabled with a Dynamic routing gateway before it can be connected to an app.
  • If your gateway already exists with point-to-site enabled, and it is not in the basic SKU, IKEV2 must be disabled in your point-to-site configuration.

That is to say, you already have a P2S connection through which your app can connect to AppVnet. If you want to connect to VMVnet through the AppVnet from your app, you can achieve it with gateway transit for virtual network peering in a hub-and-spoke network architecture.

[Diagram: hub-and-spoke virtual network peering with gateway transit (Hub-RM and Spoke-RM)]

In the diagram, gateway transit allows the peered virtual networks to use the Azure VPN gateway in Hub-RM. In this case, your AppVnet is the Hub-RM. Your web app is the VPN client in a P2S VPN connection.

I am not sure about the real configuration on your side, but I guess the VNet-to-VNet connection you created is just like the Hub-RM to Spoke-RM connection in the diagram, so it does not work. With VNet peering set up and gateway transit enabled, it should work. For more details, see Configure VPN gateway transit for virtual network peering.

Nancy
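The hub-and-spoke setup the answer describes hinges on two peering flags and one constraint that the question's setup violates: the hub side (AppVnet, the VNet the app's P2S connection lands in) must set allowGatewayTransit, the spoke side (VMVnet) must set useRemoteGateways, and a VNet cannot use a remote gateway while it still has its own VirtualNetworkGateway. The following is an added example, not code from the question, the answer or Azure, that models those documented rules in plain Python and evaluates the asker's two address spaces against the failing and the corrected configurations. The `VNet` and `Peering` classes, the rule set and the `build_scenario` helper are simplifications written for this example; they are not an Azure SDK and do not talk to Azure.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class VNet:
    name: str
    address_space: str         # e.g. "10.2.0.0/16"; the GatewaySubnet lives inside it
    has_gateway: bool          # a VirtualNetworkGateway is deployed in this VNet
    p2s_enabled: bool = False  # that gateway carries a point-to-site configuration


@dataclass
class Peering:
    """One direction of a VNet peering, as configured on `local` (hypothetical model)."""
    local: VNet
    remote: VNet
    allow_gateway_transit: bool = False   # set on the hub side
    use_remote_gateways: bool = False     # set on the spoke side


def gateway_transit_problems(hub_side: Peering, spoke_side: Peering) -> list:
    """Reasons Azure would refuse, or not route through, this peering pair.
    An empty list means the hub's VPN gateway is shared with the spoke."""
    hub, spoke = hub_side.local, spoke_side.local
    problems = []
    if hub_side.remote is not spoke or spoke_side.remote is not hub:
        return ["peering must exist on both VNets, each pointing at the other"]
    if ip_network(hub.address_space).overlaps(ip_network(spoke.address_space)):
        problems.append("address spaces overlap, so the peering is refused")
    if not hub.has_gateway:
        problems.append(f"{hub.name} has no VPN gateway to transit through")
    if not hub_side.allow_gateway_transit:
        problems.append(f"{hub.name} peering needs allowGatewayTransit=true")
    if not spoke_side.use_remote_gateways:
        problems.append(f"{spoke.name} peering needs useRemoteGateways=true")
    elif spoke.has_gateway:
        problems.append(f"{spoke.name} cannot use a remote gateway while it has "
                        "its own; delete its VirtualNetworkGateway first")
    return problems


def p2s_client_can_reach(hub_side: Peering, spoke_side: Peering, target_ip: str) -> bool:
    """Can a P2S client (here, the web app) attached to the hub's gateway reach target_ip?"""
    hub, spoke = hub_side.local, spoke_side.local
    if not (hub.has_gateway and hub.p2s_enabled):
        return False                       # nothing for the client to attach to
    addr = ip_address(target_ip)
    if addr in ip_network(hub.address_space):
        return True                        # P2S clients always receive the hub's own routes
    if addr not in ip_network(spoke.address_space):
        return False                       # never advertised to the client
    return not gateway_transit_problems(hub_side, spoke_side)


def build_scenario(spoke_keeps_gateway: bool, transit_flags: bool):
    """The asker's two VNets, peered. The toggles reproduce the failing and working setups."""
    vm_vnet = VNet("VMVnet", "10.1.0.0/16", has_gateway=spoke_keeps_gateway)
    app_vnet = VNet("AppVnet", "10.2.0.0/16", has_gateway=True, p2s_enabled=True)
    hub_side = Peering(app_vnet, vm_vnet, allow_gateway_transit=transit_flags)
    spoke_side = Peering(vm_vnet, app_vnet, use_remote_gateways=transit_flags)
    return hub_side, spoke_side


if __name__ == "__main__":
    for keeps_gw, flags in [(True, False), (True, True), (False, True)]:
        h, s = build_scenario(keeps_gw, flags)
        print(f"spoke keeps gateway={keeps_gw}, transit flags={flags}: "
              f"reach 10.1.0.4 -> {p2s_client_can_reach(h, s, '10.1.0.4')}; "
              f"problems={gateway_transit_problems(h, s)}")
```

The first scenario is the plain peering the asker tried (both flags off, both VNets keep their gateways) and fails on the flags alone. The second shows the trap after setting the flags: VMVnet still owns a gateway, so useRemoteGateways is rejected and the VM at 10.1.0.4 stays unreachable. Only the third, with VMVnet's gateway removed, gets the spoke's 10.1.0.0/16 route onto the P2S client. In real Azure the same two flags are `--allow-gateway-transit` on the AppVnet peering and `--use-remote-gateways` on the VMVnet peering of `az network vnet peering create`, and the model above does not capture the App Service side of the original requirement that the gateway be route-based with a P2S configuration.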