Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you have queries related to Routing Traffic through Azure NAT Gateway for App Services.
Since you are already aware of virtual network integration and how a NAT gateway is used and configured for outbound internet traffic from App Services, I would not write much about that here.
Your query is about how to control outbound routing through VNet integration and how to influence the outbound routing when a NAT gateway is used along with VNet integration on the same App Service subnet.
You can control what traffic goes through the virtual network integration. There are three types of routing to consider when you configure virtual network integration.
- Application routing defines what traffic is routed from your app and into the virtual network.
- Configuration routing affects operations that happen before or during startup of your app. Examples are container image pull and app settings with Key Vault reference.
- Network routing is the ability to handle how both app and configuration traffic are routed from your virtual network and out.
Note: Through application routing or configuration routing options, you can configure what traffic is sent through the virtual network integration. Traffic is only subject to network routing if sent through the virtual network integration.
Refer to the three options available in the UI screenshot you shared above.
Now let's discuss each component in a bit more detail.
Application Routing
- When you configure application routing, you can either route all traffic (including internet) or only private traffic (also known as RFC1918 traffic) into your virtual network using VNet integration.
- You configure this behavior through the outbound internet traffic setting. If outbound internet traffic routing is disabled, your app only routes private traffic into your virtual network.
- If you want to route all your outbound app traffic including internet into your virtual network, make sure that outbound internet traffic is enabled.
- When outbound internet traffic routing is enabled, the source address for your outbound traffic from your app is still one of the IP addresses that are listed in your app properties.
- Only if you route your traffic through a NAT gateway does the source IP address become the NAT gateway's public IP address.
- You can configure application routing using either the Portal or the Azure CLI by referring to the link below - https://zcusa.951200.xyz/en-us/azure/app-service/configure-vnet-integration-routing#configure-application-routing
Configuration Routing
- When you're using virtual network integration, you can configure how parts of the configuration traffic are managed. By default, configuration traffic goes directly over the public route, but for the mentioned individual components, you can actively configure it to be routed through the virtual network integration.
- For example, if you want configuration traffic such as container image pull and backup/restore to go via the virtual network rather than directly over the public route, enable the Container image pull and Backup/restore boxes under Configuration routing.
- With this setting, your content storage traffic still goes via the public route, while container image pull and backup/restore traffic goes via the virtual network.
- You can configure configuration routing using either the Portal or the Azure CLI by referring to the link below - https://zcusa.951200.xyz/en-us/azure/app-service/configure-vnet-integration-routing#configure-configuration-routing
Network Routing
- Once you have configured application routing and configuration routing as explained above, you can further control the traffic routed to your virtual network through VNet integration using the Network routing option.
- Since the outbound traffic is routed to the virtual network, it can be subjected to an NSG, a route table and a NAT gateway by applying the NSG, route table and NAT gateway on the Application Gateway subnet.
- Route tables, network security groups and NAT gateways only apply to traffic routed through the virtual network integration using the Application routing and Configuration routing options.
The routing options I explained above are called site settings. There is one more way to modify the routing behavior of App Service, and that is app settings.
In Azure App Service, certain settings are available to the deployment or runtime environment as environment variables. Some of these settings can be customized when you set them manually as app settings. This reference shows the variables you can use or customize.
- Refer to the link below to see all the environment variables
https://zcusa.951200.xyz/en-us/azure/app-service/reference-app-settings?tabs=kudu%2Cdotnet
- Refer to the page below for network-specific environment variables
The article you mentioned uses the WEBSITE_VNET_ROUTE_ALL app setting, which is one of the ways to influence routing.
The site settings can also be modified using built-in policies, as you mentioned. That is another way to achieve the same result. This is mentioned on the page below -
Note: Site properties override the app settings if both exist. Site properties have the advantage of being auditable with Azure Policy and validated at the time of configuration.
I hope I was able to explain the concept, nonetheless if you have any further queries, you may reach back.
Let me answer the other 2 questions
Question 02
Newly deployed apps with Basic and Standard tiers can perform VNet integration, correct?
However, older deployed apps require Premium v2 or Premium v3 tiers to support VNet integration, is that correct?
Answer: The VNet integration feature is available from all App Service deployments in Premium v2 and Premium v3. It's also available in the Basic and Standard tiers, but only from newer App Service deployments. If you're on an older deployment, you can only use the feature from a Premium v2 App Service plan. If you want to make sure you can use the feature in a Basic or Standard App Service plan, create your app in a Premium v3 App Service plan. Those plans are only supported on our newest deployments. You can scale down if you want after the plan is created.
Question 03
Let's assume there is an App Service that includes different services with the following requirements:
Process 01: Some services access Azure SQL databases and Azure storage accounts via the public internet.
Process 02: Other services access external services from the App Service.
If I want to route only Process 02 traffic through an Azure NAT Gateway, while leaving the traffic for Process 01 unchanged, can this be achieved using the Application/Configuration/Network routing options, and how can it be done?
Answer: As explained above, Application/Configuration routing are the main switches, and they cannot be defined based on processes or service-specific data. If you have configured Application/Configuration routing to send traffic through the virtual network, then only the Network routing policy is enforced, and since you have enabled the NAT gateway on the entire App Service subnet, all the traffic, irrespective of the process, will be NATed with the NAT gateway IP. However, you can use the route table to route the traffic to a firewall NVA and modify the traffic. Also, an NSG can be used to allow or deny specific traffic.
If the above answer addressed your query, please don't forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query, do let us know.
Thanks,
Ujjawal Tyagi
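An added example, not part of the answer above, that applies the three kinds of routing the answer describes from the Azure CLI: application routing and configuration routing as site properties, the older WEBSITE_VNET_ROUTE_ALL app-setting form, and network routing by attaching a NAT gateway to the integration subnet, followed by a read-back check. Resource group, app, VNet, subnet and NAT gateway names are placeholders; the integration subnet and the NAT gateway are assumed to already exist, and the property names are the ones used by the linked configure-vnet-integration-routing article.

```shell
#!/bin/sh
# Added example (not from the original answer). Applies application routing,
# configuration routing and network routing (NAT gateway) from the Azure CLI.
# All resource names are assumed placeholders; the integration subnet and the
# NAT gateway are assumed to exist already.
set -eu

RG="${RG:-rg-webapps}"           # assumed resource group
APP="${APP:-app-orders}"         # assumed App Service app
VNET="${VNET:-vnet-hub}"         # assumed VNet that holds the integration subnet
SUBNET="${SUBNET:-snet-appsvc}"  # assumed integration subnet (delegated to Microsoft.Web/serverFarms)
NATGW="${NATGW:-natgw-egress}"   # assumed existing NAT gateway
AZ="${AZ:-az}"                   # set AZ=echo to print the commands without an Azure login

# Site property helper. Site properties are the auditable form and override
# the equivalent app settings when both exist.
site_prop() {   # site_prop <propertyName> <true|false>
  "$AZ" resource update -g "$RG" -n "$APP" --resource-type "Microsoft.Web/sites" \
    --set "properties.$1=$2"
}

# Application routing: true sends all outbound traffic (internet included)
# into the VNet; false sends only RFC1918 traffic.
route_all_outbound() { site_prop vnetRouteAllEnabled "$1"; }

# Configuration routing: image pull and backup/restore via the VNet,
# content storage left on the public route (the split described in the answer).
route_config_traffic() {
  site_prop vnetImagePullEnabled "$1"
  site_prop vnetBackupRestoreEnabled "$1"
  site_prop vnetContentShareEnabled false
}

# App-setting form of application routing; ignored once the site property is set.
route_all_via_appsetting() {   # route_all_via_appsetting <1|0>
  "$AZ" webapp config appsettings set -g "$RG" -n "$APP" \
    --settings "WEBSITE_VNET_ROUTE_ALL=$1"
}

# Network routing: NAT gateway on the integration subnet. Everything that the
# two switches above push into the VNet now egresses with the gateway's public IP
# instead of the outbound addresses listed in the app properties.
attach_nat_gateway() {
  "$AZ" network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$SUBNET" \
    --nat-gateway "$NATGW"
}

# Check: read back the effective site properties after the change.
show_routing() {
  "$AZ" webapp show -g "$RG" -n "$APP" -o table --query \
    "{routeAll:vnetRouteAllEnabled,imagePull:vnetImagePullEnabled,contentShare:vnetContentShareEnabled,backupRestore:vnetBackupRestoreEnabled}"
}

# Run as: ./routing.sh apply   (dry run: AZ=echo ./routing.sh apply)
if [ "${1:-}" = "apply" ]; then
  route_all_outbound true
  route_config_traffic true
  attach_nat_gateway
  show_routing
fi
```

Because the NAT gateway sits on the subnet, the split in Question 03 (NAT only for some processes) is not expressible with these switches: whatever `route_all_outbound` sends into the VNet leaves through the gateway, which is why the answer points at a route table and NSG on that subnet for finer control.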