Azure App Service and Bicep

List of sample deployments of Azure App Service with various scenario by using Bicep

Azure App service with Blob
Azure App Service + SQLDB + App Insight
Azure App Service (Webapp + private endpoint (WebApp and SQL Server) + VNET integration.
Application Gateway (private and public listeners) -> Azure App Service (via PE) -> SQL Server (via PE)

Azure App service with Blob:
https://github.com/fujute/m18h/blob/master/bicep/00-main.bicep

# https://github.com/fujute/m18h/blob/master/bicep/00-main.bicep
RESOURCE_GROUP='21ExampleRG'
az group create --name $RESOURCE_GROUP--location westus3
az deployment group create --resource-group $RESOURCE_GROUP --template-file main.bicep --parameters environmentType=nonprod

az deployment group list --output table

Azure App Service + SQLDB + App Insight :
https://github.com/fujute/m18h/blob/master/bicep/01-main-web-app-sqldb.bicep

# https://github.com/fujute/m18h/blob/master/bicep/01-main-web-app-sqldb.bicep
RESOURCE_GROUP='22ExampleRG'
az group create --name $RESOURCE_GROUP --location westus3
az deployment group create --resource-group $RESOURCE_GROUP --template-file 01-main-web-app-sqldb.bicep  --parameters sqlAdministratorLogin='azuresqladmin' sqlAdministratorLoginPassword='PLEASECHANGEtoSECRETPASSWORD' location='westus3'

Azure App Service (Webapp + private endpoint (WebApp and SQL Server) + VNET integration:
Deploys two web apps (frontend and backend) and SQL Server securely connected together with VNet integration (webAppFrontend) and Private Endpoint(webAppBackend,SQLServer)
m18h/02-main-webapp-pe-vnet-integration.bicep at master · fujute/m18h (github.com)

# https://github.com/fujute/m18h/blob/master/bicep/02-main-webapp-pe-vnet-integration.bicep
RESOURCE_GROUP='23ExampleRG'
az group create --name $RESOURCE_GROUP--location westus3
az deployment group create --resource-group $RESOURCE_GROUP--template-file 02-main-webapp-pe-vnet-integration.bicep \
--parameters virtualNetworkName='m6290cvnet' sqlAdministratorLoginPassword='PLEASECHANGETOSECUREPASSWORD'

Reference

“
*Creating an application gateway with private inbound and outbound addresses.
*Securing inbound traffic to your app with service endpoints.
*Using the virtual network integration feature so the back end of your app is in your virtual network.
..
Configuring private endpoints will expose your apps on a private address, but you’ll need to configure DNS to reach that address from on-premises. To make this configuration work, you’ll need to forward the Azure DNS private zone that contains your private endpoints to your on-premises DNS servers.
..
This deployment style won’t give you a dedicated address for outbound traffic to the internet or the ability to lock down all outbound traffic from your app. It will give you a much of what you would only otherwise get with an ASE
“
ref: https://docs.microsoft.com/en-us/azure/app-service/networking-features

Tutorial #1

Tutorial: Isolate back-end communication in Azure App Service with Virtual Network integration

ref: https://docs.microsoft.com/en-us/azure/app-service/tutorial-networking-isolate-vnet

Tutorial #2

” Configure v2 custom rules using PowerShell – Azure Web Application Firewall | Microsoft Docs ”

Additional information:

https://docs.microsoft.com/en-us/azure/architecture/example-scenario/apps/scalable-apps-performance-modeling-site-reliability

Web app private connectivity to Azure SQL Database
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/enterprise-integration/ase-high-availability-deployment

https://docs.microsoft.com/en-us/azure/architecture/example-scenario/private-web-app/private-web-app

https://docs.microsoft.com/en-us/azure/architecture/example-scenario/web/multi-tier-app-service-private-endpoint

https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-inbound-and-outbound-internet-connectivity
https://docs.microsoft.com/en-us/azure/architecture/guide/technology-choices/load-balancing-overview

https://docs.microsoft.com/en-us/azure/application-gateway/quick-create-template
https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/application-gateway-security-baseline?toc=%2Fazure%2Fapplication-gateway%2Ftoc.json

https://docs.microsoft.com/en-us/azure/application-gateway/configure-web-app?tabs=customdomain%2Cazure-portal
https://docs.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions

https://docs.microsoft.com/th-th/azure/app-service/networking/app-gateway-with-service-endpoints

FAQ:

1.Subnet requirements:
” Because subnet size can’t be changed after assignment, use a subnet that’s large enough to accommodate whatever scale your app might reach. To avoid any issues with subnet capacity, use a “/26″ with 64 addresses. When you’re creating subnets in Azure portal as part of integrating with the virtual network, a minimum size of /27 is required ” More details:
https://docs.microsoft.com/th-th/azure/app-service/overview-vnet-integration

2.App Service ports:
“If you scan App Service, you’ll find several ports that are exposed for inbound connections. There’s no way to block or control access to these ports in the multi-tenant service.” More details: https://docs.microsoft.com/en-us/azure/app-service/networking-features

Fuju.Org

Explore. Experience. Share.

Azure App Service and Bicep

List of sample deployments of Azure App Service with various scenario by using Bicep

Reference

Integrate your app with an Azure virtual network

Application Gateway integration: Integration with App Service (multi-tenant)

Regional virtual network integration ( multi-tier applications )

See Also:

Additional information:

FAQ: