Azure App Services Integration with On-premises Applications

As organisations take their digital transformation journey to the cloud and try to use it to its fullest potential, it is common to find scenarios in which an application developed in the cloud needs to integrate with data or applications hosted in the on-premises environment.

Recently I was working for a client with a large Azure footprint, and there was a requirement to integrate a newly created application developed in Azure with an on-premises application.

The application is being developed using Azure Web App and Azure Web API, and integration with the on-premises application was on the table. The key solution design requirements were data security and seamless integration with the on-premises application.

While designing the solution, I used Azure App Service, which has recently introduced a new Virtual Network Integration capability that enables access to resources across service endpoints and across ExpressRoute or other network connectivity technologies supported in Azure. My client has an ExpressRoute connection between on-premises and Azure.

The design provides adequate security for the Web App by leveraging Azure AD integration, Multi-Factor Authentication, and the Azure App Service platform's native Access Restriction rules.

This feature of Azure App Service gives the app outbound access into the virtual network; it does not make the app reachable from inside the VNet, so inbound traffic still arrives at the app's public endpoint and has to be controlled separately (access restrictions and authentication, covered below). It has the following characteristics:

·      No gateway is required to use it.

·      You can access resources across ExpressRoute connections without any additional configuration beyond integrating with the ExpressRoute-connected virtual network.

·      The app and the virtual network must be in the same region.

·      The new feature requires an unused, dedicated subnet (preferably a /27) in an existing Azure Resource Manager virtual network.

·      Your App Service plan must be Standard or above; the Free and Basic plans are not supported.

·      The new capability is available only on newer Azure App Service scale units. The VNet Integration UI in the portal tells you whether your app can use the new feature.

·      Production workloads are not supported on the new feature while it is in preview.

·      Your app must be in an Azure App Service deployment that is capable of scaling up to Premium v2.

·      The feature does not work for apps in an App Service Environment.

·      The feature currently works only with Windows-based apps; Linux-based apps are not supported at the time of writing.

Figure: ASP integration with VNet (conceptual design)

Now let's configure this in the Azure Portal.

Create App Service Plan

In the Azure Portal:

  • Go to All services -> App Service Plans;
  • Create a new App Service Plan, selecting the relevant Subscription and Resource Group;
  • Define the App Service Plan name;
  • Choose Windows as the operating system;
  • Select the same region as your virtual network, and a SKU of Standard or above; and
  • Define tags, then create.

Create App Service (Web App) on the App Service Plan

·      Go to All services and look for App Services.

·      Add a new App Service, which opens the Web App creation form, and select the appropriate:

  • Subscription;
  • Resource Group in which you deployed the App Service Plan;
  • Name for the Web App;
  • Code as the publish option;
  • Runtime stack matching your code;
  • Region, the same one you selected for the App Service Plan;
  • Windows plan, i.e. the App Service Plan created in the previous step;
  • Enable Application Insights; and
  • Assign appropriate tags, then review and create.

Add Custom Domain Name and Certificate

A custom domain and certificate can be used so that the Web App is reached on your own domain name. A CNAME record pointing at this Web App needs to be created in public DNS.

To enable this, open the App Service blade in the Azure Portal and, under Settings, choose Custom domains. Then,

  • Type in the custom domain and click Validate;
  • If a CNAME for the custom domain already points at this Web App, the validation passes and you can add the custom domain;
  • Go to TLS/SSL settings, upload the certificate and add an SNI-based binding; and
  • Select the custom domain for the binding and add it.

Integrate Web App to existing VNet

Now we need to connect this Web App to the existing virtual network. To do this:

  • Create a dedicated subnet in the existing VNet with a /27 address space (the portal delegates it to Microsoft.Web/serverFarms when you select it; nothing else may be deployed into it).

Then, on the Web App blade in the Azure Portal:

  • Under Settings, go to Networking;
  • Under VNet Integration, click Configure and choose VNet Integration (preview); and
  • Select the virtual network in which you created the dedicated subnet for this App Service, select that subnet, and save.

The Web App is now connected to the existing VNet in Azure, which is connected to the on-premises network over Azure ExpressRoute or any other network technology supported by Azure.

Note: the configuration requirements differ if your on-premises connectivity uses something other than Azure ExpressRoute.

Access Restriction

Access to the Azure Web App can be controlled by defining Access Restriction rules on the app. Rules are evaluated in priority order, and once at least one Allow rule is in place an implicit deny-all applies after it, so incoming traffic from any network other than the allowed ones is denied. Note that rules on the app do not automatically cover the SCM (Kudu) site; it keeps its own restriction list and needs the same rules.
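The portal steps from Create App Service Plan through Access Restriction, as one Azure CLI script. This is an added example and not part of the original article; the resource names, the region, the /27 range, the allowed client range and the custom host name are assumptions to replace with your own values, and the runtime stack is left for you to set. With DRY_RUN=1 it prints the az commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the article): Azure CLI equivalent of the portal steps
# above. Every name, the region, the /27 range and the allowed CIDR are assumptions.
set -eu

RG="${RG:-rg-onprem-integration}"               # assumed resource group
LOCATION="${LOCATION:-australiaeast}"            # must be the same region as the VNet
PLAN="${PLAN:-asp-onprem-std}"
APP="${APP:-web-onprem-demo}"                    # must be globally unique
VNET="${VNET:-vnet-hub}"                         # existing ExpressRoute-connected VNet
SUBNET="${SUBNET:-snet-appsvc-integration}"      # new, otherwise empty subnet
SUBNET_PREFIX="${SUBNET_PREFIX:-10.10.5.0/27}"
ALLOWED_CIDR="${ALLOWED_CIDR:-203.0.113.0/24}"   # corporate internet egress range (assumed)
CUSTOM_HOST="${CUSTOM_HOST:-app.contoso.example}"

# With DRY_RUN=1 the az commands are printed instead of executed.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

create_plan() {
  # Standard (S1) or above: Free and Basic plans cannot use VNet Integration.
  # No --is-linux: at the time of writing only Windows apps were supported.
  run az appservice plan create -g "$RG" -n "$PLAN" -l "$LOCATION" --sku S1
}

create_webapp() {
  run az webapp create -g "$RG" -n "$APP" --plan "$PLAN"   # add --runtime to match your code
  # Refuse plain HTTP and old TLS before any custom domain is attached.
  run az webapp update -g "$RG" -n "$APP" --https-only true
  run az webapp config set -g "$RG" -n "$APP" --min-tls-version 1.2
}

create_integration_subnet() {
  # The subnet must be dedicated to App Service and delegated to Microsoft.Web/serverFarms.
  run az network vnet subnet create -g "$RG" --vnet-name "$VNET" -n "$SUBNET" \
      --address-prefixes "$SUBNET_PREFIX" --delegations Microsoft.Web/serverFarms
}

integrate_vnet() {
  # Regional VNet Integration: outbound calls from the app now egress from the subnet
  # and can reach on-premises addresses over the VNet's ExpressRoute connection.
  run az webapp vnet-integration add -g "$RG" -n "$APP" --vnet "$VNET" --subnet "$SUBNET"
}

bind_custom_domain() {
  # A public CNAME for $CUSTOM_HOST -> $APP.azurewebsites.net must already exist.
  run az webapp config hostname add -g "$RG" --webapp-name "$APP" --hostname "$CUSTOM_HOST"
  if [ -n "${CERT_PFX:-}" ]; then   # optional: upload a PFX and create the SNI binding
    run az webapp config ssl upload -g "$RG" -n "$APP" \
        --certificate-file "$CERT_PFX" --certificate-password "${CERT_PASSWORD:?}"
    run az webapp config ssl bind -g "$RG" -n "$APP" \
        --certificate-thumbprint "${CERT_THUMBPRINT:?}" --ssl-type SNI
  fi
}

restrict_access() {
  # The first Allow rule flips the app to deny-by-default for everything else.
  # The SCM (Kudu) site keeps its own list, so add the rule there too.
  run az webapp config access-restriction add -g "$RG" -n "$APP" \
      --rule-name corp-egress --action Allow --ip-address "$ALLOWED_CIDR" --priority 100
  run az webapp config access-restriction add -g "$RG" -n "$APP" --scm-site true \
      --rule-name corp-egress-scm --action Allow --ip-address "$ALLOWED_CIDR" --priority 100
}

deploy() {
  create_plan
  create_webapp
  create_integration_subnet
  integrate_vnet
  bind_custom_domain
  restrict_access
}

# Usage: DRY_RUN=1 sh deploy.sh deploy   (preview)   /   sh deploy.sh deploy
case "${1:-}" in deploy) deploy ;; esac
```

The ssl upload command prints the certificate thumbprint; pass it back in as CERT_THUMBPRINT for the bind step. The order matters: the subnet and plan SKU are checked when vnet-integration add runs, and the access restriction is applied last so a misconfigured rule cannot lock you out of the earlier steps.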

Controlling Unauthorized Access

To control unauthorized access to the Web App we have enabled its integration with Azure Active Directory. This is achieved by registering the Web App in Azure Active Directory under App registrations. Registering the app alone does not protect it: the Web App must also enforce the sign-in, either through App Service Authentication (the platform's built-in authentication) or in the application code.

Now, under Enterprise applications in the Azure AD blade of the Azure Portal, find your application and assign the users or groups who may access the Web Application. For that assignment to be enforced, set "User assignment required?" to Yes in the application's properties; otherwise any user in the tenant can sign in. Azure Active Directory now provides authentication and authorization for this Web Application.

Enable Multi Factor Authentication on your Web App

To further protect this Web Application from identity attacks, we have enabled Multi-Factor Authentication using Azure AD Conditional Access. Now, after the initial user authentication to Azure AD, the user is prompted for a second factor before accessing the app. To enable this,

Go to the Azure Active Directory blade in the Azure Portal:

  • Under Security, open Conditional Access;
  • Create a new policy and give it a name;
  • Under Assignments > Users and groups, on the Include tab, select the users or groups who need access to this application;
  • Under Assignments > Cloud apps or actions, on the Include tab, search for the Web App registered with Azure AD in the previous step;
  • Under Assignments > Conditions > Locations, define the locations from which users are allowed to access the app;
  • Under Access controls > Grant, select Grant access and check Require multi-factor authentication; and
  • Finally, enable the policy (running it in Report-only mode first and checking the sign-in logs avoids locking out administrators).

Common Troubleshooting Scenarios

Even if you have configured the Azure environment correctly, you may still be unable to connect to the on-premises application or data. There can be multiple reasons for this; the most common are:

  • Firewall or Load Balancer in front of the Application;
  • Routing issue; and
  • DNS issue.

Azure App Service provides various options to diagnose connectivity issues. One is the Console available under Development Tools on the App Service blade in the Azure Portal. The tools ping, nslookup and tracert do not work in the console due to security constraints. The equivalent commands are:

·      Ping: tcpping.exe hostname [optional: port]

·      DNS resolver: nameresolver.exe hostname [optional: DNS server]
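The two console tools above, driven from a workstation through the App Service SCM command API so the check can be scripted and repeated. This is an added example, not from the article. The on-premises host, port and DNS server are assumptions, the sample replies used for checking are constructed, and the phrases the classifier looks for are tcpping's wording at the time of writing (adjust them if your version prints something different). Because tcpping makes a TCP connection, it proves reachability from the worker through the integration subnet even though ICMP is blocked; passing an explicit DNS server to nameresolver separates a DNS problem from a routing one.

```shell
#!/bin/sh
# Added example (not from the article): run tcpping.exe and nameresolver.exe
# through the App Service SCM command API instead of the portal console, and
# classify the tcpping result. Host, port, DNS server and the sample replies are
# assumptions / constructed test data.
set -eu

RG="${RG:-rg-onprem-integration}"
APP="${APP:-web-onprem-demo}"
TARGET_HOST="${TARGET_HOST:-erp-gw.corp.contoso.example}"   # on-premises endpoint (assumed)
TARGET_PORT="${TARGET_PORT:-8443}"
DNS_SERVER="${DNS_SERVER:-10.20.0.10}"                       # on-premises resolver (assumed)

# Body for POST https://<app>.scm.azurewebsites.net/api/command
# ("dir" is relative to the site root on Windows workers; JSON needs an escaped backslash).
kudu_body() {
  printf '{"command":"%s","dir":"site\\\\wwwroot"}' "$1"
}

# Run one command on the app's worker via Kudu, using the publishing credentials
# (basic auth must be enabled for the SCM site). Prints Kudu's JSON reply.
kudu_exec() {
  creds=$(az webapp deployment list-publishing-credentials -g "$RG" -n "$APP" \
            --query "[publishingUserName,publishingPassword]" -o tsv | tr '\t' ':' | tr -d '\r')
  curl -fsS -u "$creds" -H 'Content-Type: application/json' \
       -X POST "https://$APP.scm.azurewebsites.net/api/command" --data "$(kudu_body "$1")"
}

# Extract the "Output" field from Kudu's {"Output":..,"Error":..,"ExitCode":..}
# reply and expand the \r\n escapes it contains.
kudu_output() {
  printf '%b' "$(printf '%s' "$1" | sed -n 's/.*"Output":"\(.*\)","Error".*/\1/p')"
}

# tcpping is a TCP connect test, so ICMP being blocked in the sandbox does not matter.
# The phrases below are the tool's own wording at the time of writing.
classify_tcpping() {
  case "$1" in
    *"Connected to"*)               echo reachable ;;
    *"Connection attempt failed"*)  echo blocked-or-unrouted ;;   # firewall, NSG, UDR or LB in the path
    *)                              echo unresolved-or-unknown ;; # typically DNS: check nameresolver output
  esac
}

diagnose() {
  echo "== DNS: $TARGET_HOST via $DNS_SERVER (omit the server to use the VNet's configured DNS)"
  kudu_output "$(kudu_exec "nameresolver.exe $TARGET_HOST $DNS_SERVER")"
  echo "== TCP: $TARGET_HOST:$TARGET_PORT"
  result=$(kudu_output "$(kudu_exec "tcpping.exe $TARGET_HOST $TARGET_PORT")")
  printf '%s\n' "$result"
  classify_tcpping "$result"
}

# Usage: sh diagnose.sh diagnose
case "${1:-}" in diagnose) diagnose ;; esac
```

If nameresolver answers with the explicit on-premises server but not without it, the VNet's DNS settings are the problem; if the name resolves but tcpping reports a failed attempt, look at the firewall, NSG, route table or load balancer between the integration subnet and the target.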

Following the design and configuration described above can help you accelerate your cloud application development in Azure.




Disclaimer

All views expressed on this post are that of my own and do not represent the opinions of any entity whatsoever with which I have been, am now, or will be affiliated.

More articles by Amit Kumar
