I need to access some local network resources from a webapi running as an appservice.

For reasons, our local network gateway (Cisco ASA something) requires what in classic vnet lingo was called static routing and in the new RM lingo is called policy based routing. I don't have the option of using hybrid connection.

Unfortunately Azure's point-to-site VPN for connecting AppServices to VNETs requires route based routing.

So I ended up with the setup shown below.

From a VM in vnets 1 and 3 I can access resources in the local network. From a VM in vnet 2 I can access resources in vnets 1 and 3, but not local network. From the webapi (AppService) I can access resources in vnet2, but nothing in vnet1, 3 or local network.

I'm unable to turn on "allow gateway transition" since that requires the peer vnet not to have an existing gateway and it was also not allowed on static/policy based gateways.

What I want is either to allow the AppService direct access to the local network, or access via a proxy installed in a vnet. Any ideas?

I can make the jump by having the API (AppService) call an api acting as a proxy running on a VM in vnet 2, which calls an api acting as a proxy running in vnet 1 (or 3), which calls the resource in the local network. But there has got to be a better way.

Pål Andreassen

1 Answer

Based on my knowledge, according to your network architecture, it is not possible for you to access the App Service from your local gateway.

Because VNet peering is between two virtual networks, and there is no derived transitive relationship.

According to your description, you need a direct connection between your local gateway and Virtual Network 2.

For more information about integrating your app with an Azure Virtual Network, please refer to this link.

Now, your local gateway is a static routing VPN gateway; it is not possible to create a Site-to-Site VPN with an Azure dynamic VPN gateway. If your local site has a Windows Server, I suggest you connect a site-to-site VPN with RRAS. For more information about this, please refer to this link.

Shui shengbao
  • Thank you for your answer. Unfortunately I have no control over the local network side of things (very rigid stuff) and I have to solve this on "my side" or give up. – Pål Andreassen Jun 12 '17 at 07:51
  • @PålAndreassen Unfortunately, if you don't have dynamic VPN gateway in your local or RRAS server, it is not possible for you to create a connection between your local and Azure app. – Shui shengbao Jun 12 '17 at 07:53
  • I managed to work around my problem by setting up a VM in my VNET that has a connection to on-premise resources. Then I set up a hybrid connection from the AppService to that VM, which allows forwarded traffic to my local resources. So instead of using the point to site VPN from the appservice straight to the VNET I use a hybrid connection from the appservice to a VM in the VNET. Downside is that my connection is only up as long as the VM is up... – Pål Andreassen Jun 12 '17 at 13:11
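The answer's central point (VNet peering is not transitive, so traffic cannot hop gateway-to-peering or peering-to-gateway without explicit transit) and the asker's final workaround (an application-layer relay VM reached over a hybrid connection) can both be checked against a small reachability model. The script below is an added illustration, not code from the thread or from Azure; the topology, link kinds (`gateway`, `peering`, `p2s`, `hybrid`) and the transit table are constructed assumptions that encode the rules as described on this page, and it reproduces the observed reachability from the question before and after the relay is added.

```python
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

# Constructed topology from the question (assumption: nodes are whole networks).
#   local <-gateway-> vnet1, local <-gateway-> vnet3   (static / policy-based S2S)
#   vnet1 <-peering-> vnet2 <-peering-> vnet3          (non-transitive VNet peering)
#   appservice <-p2s-> vnet2                           (App Service VNet integration)
QUESTION_LINKS: List[Tuple[str, str, str]] = [
    ("local", "vnet1", "gateway"),
    ("local", "vnet3", "gateway"),
    ("vnet1", "vnet2", "peering"),
    ("vnet2", "vnet3", "peering"),
    ("appservice", "vnet2", "p2s"),
]

Graph = Dict[str, Dict[str, str]]          # node -> neighbour -> link kind
Transit = Dict[str, Set[Tuple[str, str]]]  # node -> allowed (in_kind, out_kind) pairs


def build_graph(links: List[Tuple[str, str, str]]) -> Graph:
    """Undirected graph; each edge carries the kind of link it represents."""
    graph: Graph = {}
    for a, b, kind in links:
        graph.setdefault(a, {})[b] = kind
        graph.setdefault(b, {})[a] = kind
    return graph


def reachable(graph: Graph, src: str, dst: str, transit: Optional[Transit] = None) -> bool:
    """True if src can reach dst.

    A direct link always works. Continuing *through* an intermediate node from a
    link of kind in_kind onto a link of kind out_kind is only allowed when that
    (in_kind, out_kind) pair is listed in transit[node]; by default nothing is,
    which is the non-transitive behaviour the answer describes.
    """
    transit = transit or {}
    queue = deque([(src, None)])           # (node, kind of link we arrived on)
    seen: Set[Tuple[str, Optional[str]]] = {(src, None)}
    while queue:
        node, in_kind = queue.popleft()
        for nxt, out_kind in graph.get(node, {}).items():
            if in_kind is not None and (in_kind, out_kind) not in transit.get(node, set()):
                continue                   # no transit permitted at this node
            if nxt == dst:
                return True
            state = (nxt, out_kind)
            if state not in seen:
                seen.add(state)
                queue.append(state)
    return False


def question_topology() -> Graph:
    """The topology exactly as the question describes it."""
    return build_graph(QUESTION_LINKS)


def with_hybrid_relay() -> Tuple[Graph, Transit]:
    """The workaround from the last comment (assumption: relay VM lives in vnet1).

    The hybrid connection terminates on a VM inside vnet1; that VM forwards the
    request to the local network over vnet1's existing gateway. Modelled as a
    'hybrid' link into vnet1 plus an explicit (hybrid -> gateway) transit rule.
    """
    graph = build_graph(QUESTION_LINKS + [("appservice", "vnet1", "hybrid")])
    transit: Transit = {"vnet1": {("hybrid", "gateway")}}
    return graph, transit


def reachability_table(graph: Graph, transit: Optional[Transit] = None) -> Dict[str, bool]:
    """Every (src -> dst) pair the question reports, for comparison."""
    pairs = [("vnet1", "local"), ("vnet3", "local"), ("vnet2", "vnet1"),
             ("vnet2", "vnet3"), ("vnet2", "local"), ("appservice", "vnet2"),
             ("appservice", "vnet1"), ("appservice", "vnet3"), ("appservice", "local")]
    return {f"{s}->{d}": reachable(graph, s, d, transit) for s, d in pairs}


if __name__ == "__main__":
    print("as in the question:")
    for k, v in reachability_table(question_topology()).items():
        print(f"  {k:20s} {'reachable' if v else 'blocked'}")
    print("with hybrid relay VM in vnet1:")
    g, t = with_hybrid_relay()
    for k, v in reachability_table(g, t).items():
        print(f"  {k:20s} {'reachable' if v else 'blocked'}")
```

The transit table makes the design decision explicit: in the base model no node forwards between a gateway link and a peering link, which is exactly why vnet 2 and the AppService stop one hop short of the local network. The relay variant only adds a single, deliberately narrow rule at vnet1 (hybrid in, gateway out); it also shows the caveat from the comment, since removing that one link or rule (the VM being down) closes the path again.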