2

I have a scenario regarding web apps on Azure that I can't wrap my head around.

I have a Web App (not ASE) that is connected to a VNET/Subnet and I have set up access restrictions on the Web App so that only traffic from that specific VNET/Subnet is allowed. This works as expected and a 403 is thrown when trying to access the web app from the internet.

My problem is that the Web App is no longer accessible from the on-premises setup anymore either, and I am unsure how to facilitate that. I don't like to use IP whitelisting to enable access, but I don't know the alternatives.

Anybody with experience on how to access a restricted Web App from an on-premises system? All the examples I could find are about accessing on-premise data from a VNET, not the other way around.

Illustration of setup:

On-premises server --> VPN Gateway in Azure --> VNET --> Web App in VNET -x-> Internet

pwind

2 Answers

1

Private Endpoints are your friends :)


silent
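
The private endpoint setup this answer points to, sketched with the Azure CLI as an added example (not part of the original answer). The resource group, VNet, subnet and endpoint names and the web app resource ID are placeholder assumptions.

```shell
#!/usr/bin/env bash
# Added example: private endpoint for an App Service web app, so it is reachable
# from on-premises over the existing VPN gateway. All names are placeholders.
RG="${RG:-rg-example}"                            # resource group (assumed)
VNET="${VNET:-vnet-example}"                      # VNet behind the VPN gateway (assumed)
PE_SUBNET="${PE_SUBNET:-snet-private-endpoints}"  # subnet for the endpoint NIC (assumed)
PE_NAME="${PE_NAME:-pe-webapp}"                   # private endpoint name (assumed)
ZONE="privatelink.azurewebsites.net"              # private DNS zone for App Service
# Web app resource ID, e.g. from: az webapp show -g "$RG" -n <app-name> --query id -o tsv
WEBAPP_ID="${WEBAPP_ID:-/subscriptions/<sub-id>/resourceGroups/rg-example/providers/Microsoft.Web/sites/<app-name>}"

# With DRY_RUN=1 the commands are printed instead of executed.
run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_private_endpoint() {
  # 1. Private endpoint: gives the web app a private IP inside the VNet.
  run az network private-endpoint create \
    --resource-group "$RG" --name "$PE_NAME" \
    --vnet-name "$VNET" --subnet "$PE_SUBNET" \
    --private-connection-resource-id "$WEBAPP_ID" \
    --group-id sites --connection-name "${PE_NAME}-conn" || return 1

  # 2. Private DNS zone linked to the VNet, so the app hostname resolves privately.
  run az network private-dns zone create \
    --resource-group "$RG" --name "$ZONE" || return 1
  run az network private-dns link vnet create \
    --resource-group "$RG" --zone-name "$ZONE" --name "${VNET}-link" \
    --virtual-network "$VNET" --registration-enabled false || return 1

  # 3. Zone group: keeps the A record in the zone in sync with the endpoint.
  run az network private-endpoint dns-zone-group create \
    --resource-group "$RG" --endpoint-name "$PE_NAME" --name default \
    --private-dns-zone "$ZONE" --zone-name webapp || return 1
}

# Runs only when asked: ./script.sh apply   (DRY_RUN=1 ./script.sh apply to preview)
if [ "${1:-}" = "apply" ]; then setup_private_endpoint; fi
```

On-premises clients must also resolve the app's hostname to the private IP, typically by forwarding DNS queries for it to a resolver inside the VNet.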
0

I see you wanna set up an S2S connection using VPN to allow access to your on-premises networks (subnets).

You should create a local network gateway representing your on-premises, and you should also verify that your firewall device is supported by Azure to make sure that the configuration works. Supported VPN Devices by Azure

medone