I have an Azure Web App that needs to connect to the addresses xx.x.x.10 and xx.x.x.12 on the customer's on-premises server. For this purpose the customer has set up a policy-based VPN (Cisco ASA 9.8) with public IP yyy.yy.y.y.

While trying to obtain this connection to the on-premises service, I have so far created the following resources:

  • a Local Network Gateway with
    • IPaddress yyy.yy.y.y
    • Address spaces xx.x.x.10/32 and xx.x.x.12/32
  • a VNet with
    • Address space 10.0.0.0/16
    • GatewaySubnet 10.0.255.0/24
  • a Public IP: zzz.zz.z.z
  • a Virtual Network Gateway
    • Sku: Basic
    • VPN: PolicyBased
    • Subnet: GatewaySubnet (10.0.255.0/24)
    • Public IP: zzz.zz.z.z
  • a Site-to-site connection between the Local Network Gateway and the Virtual Network Gateway

Since the Virtual Network Gateway needs to be policy-based, it (as I see it):

  • has to be Basic Sku
  • is restricted to maximum one site-to-site connection
  • cannot have point-to-site connections

Will it somehow be possible for me to get my web app in contact with the on-premises server? And in that case, what am I still missing to make it work? Or is it required that the VPN is changed to a route-based one?

skrl

1 Answer

You can directly connect your Web App with your Virtual Network if they are in the same Azure region. This will allow the Web App to talk with anything connected to the VNet, including remote networks reachable through site-to-site VPNs:

A point-to-site connection is only required if the VNet is in a different Azure region or uses the Classic deployment model.

Massimo
  • Great, all my Azure resources are in the same region, so this seems to be on the right path. Is it correctly understood that I should create an additional subnet on the VNet and connect the Web App to this subnet? Or should I connect to the already created GatewaySubnet to which my Virtual Network Gateway is connected? – skrl Dec 15 '20 at 21:09
  • You need an additional dedicated subnet; the GatewaySubnet can only be used by a Virtual Network Gateway. You'll find sizing guidelines for the integration subnet in the documentation (although, since you have the whole 10.0.0.0/16 address space available for the VNet, just choosing any 10.0.X.0/24 is the easiest way to go). – Massimo Dec 15 '20 at 21:19
  • So I don't need a point-to-site config if it is in the same region? Is this true? I have trouble with my setup, and I don't know if I should see anything specific after connecting the web app to the VNet, like routing info etc., besides the subnet information. – mslot Feb 13 '21 at 15:42
  • Yes, it's true. And no, the only thing you'll see is the fact that the Web App is connected to the VNet. Everything should *just work* if you set it up correctly. If you have troubles, please post details in a new question so that we may help you. – Massimo Feb 13 '21 at 16:48
  • Thanks. I have done so: https://serverfault.com/questions/1054000/azure-webapp-site-to-site-vpn-not-working-when-used-with-webapp – mslot Feb 17 '21 at 16:21
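As an added example (not part of the question, the answer or the comments above), the following Python script checks a candidate Web App integration subnet against the layout described in the thread: it must lie inside the VNet's 10.0.0.0/16, must not be the GatewaySubnet 10.0.255.0/24, and must not overlap the on-premises prefixes behind the site-to-site VPN. The on-premises addresses are constructed placeholders, since the question redacts them, and the /28 minimum size is an assumption taken from App Service sizing guidance rather than from the page.

```python
import ipaddress
from typing import Iterable, List, Optional

# Constructed values mirroring the question's layout. The on-premises
# hosts are placeholders (the question redacts them as xx.x.x.10/12).
VNET = ipaddress.ip_network("10.0.0.0/16")
GATEWAY_SUBNET = ipaddress.ip_network("10.0.255.0/24")
ON_PREM = [ipaddress.ip_network("192.0.2.10/32"),
           ipaddress.ip_network("192.0.2.12/32")]

def check_integration_subnet(candidate, vnet=VNET,
                             reserved: Iterable = (GATEWAY_SUBNET,),
                             remote: Iterable = ON_PREM) -> List[str]:
    """Return the problems with using `candidate` as the Web App's
    regional VNet integration subnet; an empty list means it is usable."""
    cand = ipaddress.ip_network(str(candidate))
    problems = []
    if not cand.subnet_of(vnet):
        problems.append(f"{cand} is outside the VNet address space {vnet}")
    for r in reserved:
        if cand == r:
            problems.append(f"{cand} is the GatewaySubnet, which only the "
                            "Virtual Network Gateway may use")
        elif cand.overlaps(r):
            problems.append(f"{cand} overlaps reserved subnet {r}")
    for r in remote:
        if cand.overlaps(r):
            # Overlap with a remote prefix means packets for the on-prem
            # host would be treated as local and never reach the VPN.
            problems.append(f"{cand} overlaps on-premises range {r}")
    if cand.prefixlen > 28:  # assumed floor for App Service integration
        problems.append(f"{cand} is smaller than /28")
    return problems

def pick_integration_subnet(prefixlen: int = 24, vnet=VNET,
                            reserved: Iterable = (GATEWAY_SUBNET,),
                            remote: Iterable = ON_PREM) -> Optional[ipaddress.IPv4Network]:
    """First /prefixlen block of the VNet that passes every check, i.e. the
    'any 10.0.X.0/24' the answer's comment suggests, chosen automatically."""
    for cand in vnet.subnets(new_prefix=prefixlen):
        if not check_integration_subnet(cand, vnet, reserved, remote):
            return cand
    return None

if __name__ == "__main__":
    for c in ("10.0.255.0/24", "10.1.0.0/24", "10.0.1.0/24"):
        print(c, check_integration_subnet(c) or "OK")
    print("suggested integration subnet:", pick_integration_subnet())
```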