Azure App Service and Bicep

List of sample deployments of Azure App Service with various scenario by using Bicep

  • Azure App service with Blob
  • Azure App Service + SQLDB + App Insight
  • Azure App Service (Webapp + private endpoint (WebApp and SQL Server) + VNET integration.
  • Application Gateway (private and public listeners) -> Azure App Service (via PE) -> SQL Server (via PE)

Azure App service with Blob:

az group create --name $RESOURCE_GROUP--location westus3
az deployment group create --resource-group $RESOURCE_GROUP --template-file main.bicep --parameters environmentType=nonprod

az deployment group list --output table

Azure App Service + SQLDB + App Insight :

az group create --name $RESOURCE_GROUP --location westus3
az deployment group create --resource-group $RESOURCE_GROUP --template-file 01-main-web-app-sqldb.bicep  --parameters sqlAdministratorLogin='azuresqladmin' sqlAdministratorLoginPassword='PLEASECHANGEtoSECRETPASSWORD' location='westus3'

Azure App Service (Webapp + private endpoint (WebApp and SQL Server) + VNET integration:
Deploys two web apps (frontend and backend) and SQL Server securely connected together with VNet integration (webAppFrontend) and Private Endpoint(webAppBackend,SQLServer)
m18h/02-main-webapp-pe-vnet-integration.bicep at master · fujute/m18h (

az group create --name $RESOURCE_GROUP--location westus3
az deployment group create --resource-group $RESOURCE_GROUP--template-file 02-main-webapp-pe-vnet-integration.bicep \
--parameters virtualNetworkName='m6290cvnet' sqlAdministratorLoginPassword='PLEASECHANGETOSECUREPASSWORD'


Integrate your app with an Azure virtual network


picture: Regional virtual network integration

Application Gateway integration: Integration with App Service (multi-tenant)


picture: Integration with App Service (multi-tenant)

Regional virtual network integration ( multi-tier applications )


Picture: Expose your API application by using private endpoints in your virtual network
picture: Use service endpoints to ensure inbound traffic to your API app comes only from the subnet used by your front-end web app

*Creating an application gateway with private inbound and outbound addresses.
*Securing inbound traffic to your app with service endpoints.
*Using the virtual network integration feature so the back end of your app is in your virtual network.
Configuring private endpoints will expose your apps on a private address, but you’ll need to configure DNS to reach that address from on-premises. To make this configuration work, you’ll need to forward the Azure DNS private zone that contains your private endpoints to your on-premises DNS servers.


This deployment style won’t give you a dedicated address for outbound traffic to the internet or the ability to lock down all outbound traffic from your app. It will give you a much of what you would only otherwise get with an ASE


Tutorial #1

Tutorial: Isolate back-end communication in Azure App Service with Virtual Network integration


Tutorial #2

Configure v2 custom rules using PowerShell – Azure Web Application Firewall | Microsoft Docs

See Also:

Additional information:

Web app private connectivity to Azure SQL Database


1.Subnet requirements:
” Because subnet size can’t be changed after assignment, use a subnet that’s large enough to accommodate whatever scale your app might reach. To avoid any issues with subnet capacity, use a “/26″ with 64 addresses. When you’re creating subnets in Azure portal as part of integrating with the virtual network, a minimum size of /27 is required ” More details:

2.App Service ports:
“If you scan App Service, you’ll find several ports that are exposed for inbound connections. There’s no way to block or control access to these ports in the multi-tenant service.” More details: