
I'm sure this is a very basic question, but I have been spending a lot of time on it and have not found a clear answer.

I am trying to create a bicep file with the appropriate setup for my webapi, but have been struggling with vnet as I transition from a prototype to a beta release. I thought it might be easy to find a template for an app service for web api, connecting to an Azure SQL database and files from blob storage using a vnet. The place where I am stuck right now is

  • service endpoints
  • subnet delegation

I read this post, which was helpful, but did not address service endpoints. Do I use delegation wherever possible and service endpoints when they are not available?

I have other services to add, like notification hubs, and am considering api management as well as key vault, but really need to get the basics down and I am struggling.

lcj

1 Answer


A great reference for learning Bicep and seeing examples of how to create them:

Note that while the quick start repository is ARM templates, you can take most of those and use the Bicep CLI to convert them to Bicep.

The primary difference between delegation and service endpoints with virtual networks (vnets):

  • delegation means a given subnet is only going to be used by that service (this is related to PaaS services)
  • service endpoint is allowing secure and direct connectivity for that service to the subnet assigned

An example of the above:

Delegation

Deploying App Services is one of the most common Azure services that requires a dedicated subnet be allocated just for that service, aka delegation.

Service Endpoint

Deploying a Virtual Machine that you need to access a Storage Account from? The subnet where the Virtual Machine is deployed will need to have the Microsoft.Storage service endpoint enabled to allow the secure, direct connection to it.

One thing to note on service endpoints: while they are still used, Microsoft recommends use of Private Endpoints as well. This allows you to directly connect to the service over the private/internal network of your VNet.

Shawn Melton
  • Thanks, Shawn. I guess you're saying they both serve a different purpose and can be used together. Either delegation + service endpoint or delegation + private endpoint (preferred) would be the most secure way to approach something like a webapi architecture. So App Service and Azure SQL in the simple webapi example would be two subnets and each would use service delegation and private endpoints. – lcj Sep 26 '22 at 11:19
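The two concepts side by side in one template, as an added example that is not part of the original question or answer: one subnet delegated to App Service for regional VNet integration, the same subnet carrying `Microsoft.Sql` and `Microsoft.Storage` service endpoints, and a storage account whose firewall denies everything except that subnet. Resource names, address ranges and SKUs are constructed placeholders; the API versions are ones that exist for these resource types.

```bicep
// Added example (not from the original post); names, address ranges and SKUs are constructed placeholders.
param location string = resourceGroup().location
resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: 'vnet-webapi'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      {
        name: 'snet-appservice'
        properties: {
          addressPrefix: '10.10.1.0/24'
          // Delegation: only App Service plans may be injected into this subnet.
          delegations: [ { name: 'appsvc', properties: { serviceName: 'Microsoft.Web/serverFarms' } } ]
          // Service endpoints: this subnet reaches SQL/Storage over the Azure backbone and can be allow-listed there.
          serviceEndpoints: [ { service: 'Microsoft.Sql' }, { service: 'Microsoft.Storage' } ]
        }
      }
    ]
  }
}

resource plan 'Microsoft.Web/serverfarms@2022-09-01' = {
  name: 'plan-webapi'
  location: location
  sku: { name: 'S1', tier: 'Standard' }
}
// Regional VNet integration: the web API's outbound traffic leaves through the delegated subnet.
resource app 'Microsoft.Web/sites@2022-09-01' = {
  name: 'app-webapi-${uniqueString(resourceGroup().id)}'
  location: location
  properties: {
    serverFarmId: plan.id
    virtualNetworkSubnetId: vnet.properties.subnets[0].id
    siteConfig: { vnetRouteAllEnabled: true }
  }
}
// Storage firewall: deny by default, allow only traffic arriving via the service-endpoint subnet above.
resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: 'st${uniqueString(resourceGroup().id)}'
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    networkAcls: {
      defaultAction: 'Deny'
      virtualNetworkRules: [ { id: vnet.properties.subnets[0].id, action: 'Allow' } ]
    }
  }
}
```

Azure SQL takes the same subnet via its `virtualNetworkRules` child resource; with private endpoints instead, the storage or SQL firewall can stay at `Deny` with no subnet rule at all, since the app then resolves the service to a private IP inside the VNet.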