
In a typical 3-tier web app, you run web servers in a public subnet, while the app tier lives in a private subnet. Is it possible to run a similar architecture with Azure Web Apps and API Apps?

I guess you can run an ASP.NET Core Web App in Azure Web App and deploy an ASP.NET Core Web API to Azure API App, then make the API endpoint private so only the Web App can talk to it? I see options like Google, Facebook, etc. as auth providers. Is that what you have to do to make the API private?

D.

2 Answers


  1. If you want that level of isolation, one (although expensive) option is an App Service Environment (ASE). Link to docs: https://learn.microsoft.com/en-us/azure/app-service-web/app-service-app-service-environment-intro

    App Service Environments are ideal for application workloads requiring:

    • Very high scale

    • Isolation and secure network access

    The public environment where you deploy by default is public. Your endpoints will be accessible to anyone anywhere, and it is up to your app to do the filtering. This can be done, e.g. through static IP address security settings in Web.config. The problem with that is that even then you can’t know for sure what IP address your front-end will use for communication. There are multiple possible addresses it may use for outbound traffic, and those are subject to possible change.

    You can see an example of IP restrictions here: restricting IP security

    Of course you should also have authentication set up on your API. Documentation links:

  2. In line with what @juunas said above, a slight variant is to introduce Azure API Management Gateway in between the Azure Web App and the Azure API App. In the standard tier, the API Gateway IP address is fixed and doesn’t change, and you can use the API Gateway address in the Azure API App web.config to whitelist.

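The web.config allowlisting that both answers describe, shown as an added example that is not part of either answer. The address 203.0.113.10 is a constructed placeholder standing in for the fixed API Management gateway address; substitute the real value.

```xml
<!-- web.config of the API app (added example, not from the answers) -->
<configuration>
  <system.webServer>
    <security>
      <!--
        allowUnlisted defaults to "true", which lets every caller through.
        Setting it to "false" rejects any address not listed below.
        denyAction="Forbidden" returns HTTP 403 to rejected callers.
      -->
      <ipSecurity allowUnlisted="false" denyAction="Forbidden">
        <!-- Placeholder: fixed address of the API Management gateway -->
        <add ipAddress="203.0.113.10" allowed="true" />
        <!-- A range can be allowed with subnetMask, e.g. a /29 block (placeholder):
        <add ipAddress="203.0.113.16" subnetMask="255.255.255.248" allowed="true" />
        -->
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
```

The IP filter only narrows who can reach the endpoint; as the first answer says, the API should still require authentication.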