This project contains a sample setup for playing with Azure App Service networking features.
This project provides the following:
- Base setup for a web application and database. It also contains the following components for the walkthroughs:
  - VNet with several subnets.
  - Application Gateway deployed in the application gateway subnet, with a public IP address associated to it.
  - Azure Front Door service.
The below drawing illustrates this setup:
- Walkthroughs of several networking setups for Azure App Service, with an explanation of each.
To run the sample you need:
- An Azure account.
- A fork of this GitHub repository in your own account, with the ability to run GitHub Actions workflows (a public repository is needed for this).
- The latest Azure CLI version installed. Azure Cloud Shell can be used as an alternative for the script steps if the Azure CLI is not installed locally.
The below walk-through contains the steps for creating a resource group in Azure and the steps needed to set up your deployment secret in your GitHub repository. You will need the latest version of the Azure CLI installed to execute these steps.
- In a command prompt or in Azure Cloud Shell, define environment variables.
RESOURCE_GROUP='appsvcnetworkingdemo'
LOCATION=westus
- Log in to your Azure account and make sure the correct subscription is active. `az account set` takes the subscription ID (or name) through the --subscription parameter:
az login
az account list -o table
az account set --subscription <your-subscription-id>
- Create a resource group for all necessary resources.
az group create --name $RESOURCE_GROUP --location $LOCATION
- Copy the resource group ID (the id field of the JSON output of the previous step) into a new environment variable. It has the form /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>.
RESOURCE_GROUP_ID=<resource group ID from previous output>
- Create a service principal and give it Contributor access scoped to the resource group only (not the whole subscription; the workflow only needs to deploy into this group). The --sdk-auth flag prints the JSON document that the azure/login GitHub Action expects; newer Azure CLI versions show a deprecation warning for it but still produce that output.
az ad sp create-for-rbac \
--name appsvcnetworkingdemo \
--role Contributor \
--scopes $RESOURCE_GROUP_ID \
--sdk-auth
- Copy the full JSON output from this command. It contains the client secret of the service principal, so treat it as a credential: store it only in the GitHub secret described below and do not commit it anywhere.
- In your GitHub repo navigate to Settings > Secrets and select New repository secret.
- Name the secret AZURE_CREDENTIALS and paste the output from the az ad sp create-for-rbac command in the value textbox.
- Select Add secret.
- In your command prompt, query the object ID of your user account. On Azure CLI 2.37 and later (which use Microsoft Graph) the property is called id; on older versions it is objectId:
az ad user show --id <your-user@your-tenant> --query id -o tsv
- In your GitHub repo add an additional secret: AAD_USERNAME and give it the value of your username (<your-user@your-tenant>).
- In your GitHub repo add an additional secret: AAD_SID and give it the value of the object ID you just obtained.
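The bootstrap steps above as one re-runnable script, added here as an example (it is not code from the sample repository). It assumes the Azure CLI and the GitHub CLI (gh) are installed and that gh is already logged in; the repository name, the user name and the sample credential JSON are placeholders and constructed data. It derives the resource group ID instead of copying it by hand, checks that the credential JSON carries the fields azure/login needs before anything is stored, and pipes the secrets straight into gh secret set so the client secret never sits in a clipboard or a shell history line.

```shell
#!/bin/sh
# Added example (not part of the sample repository): the bootstrap steps as one
# script, plus a sanity check on the credential JSON before it becomes a GitHub
# secret. Assumes `az` and `gh` are installed and `gh` is already authenticated.
set -eu

RESOURCE_GROUP="${RESOURCE_GROUP:-appsvcnetworkingdemo}"
LOCATION="${LOCATION:-westus}"
SP_NAME="${SP_NAME:-appsvcnetworkingdemo}"
GITHUB_REPO="${GITHUB_REPO:-owner/appsvc-networking-sample}"   # assumed fork name
AAD_USERNAME="${AAD_USERNAME:-user@your-tenant}"                # assumed placeholder

# Build the ARM resource ID of a resource group. `az group create` returns this
# as its `id` field; the format is fixed, so it can be derived without a call.
rg_scope() {
    printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"
}

# The JSON printed by `az ad sp create-for-rbac --sdk-auth` must carry these four
# fields for the azure/login action to authenticate. Returns 0 if all are present.
check_sdk_auth_json() {
    json="$1"
    for key in clientId clientSecret subscriptionId tenantId; do
        printf '%s' "$json" | grep -q "\"$key\"" || return 1
    done
    return 0
}

# Constructed sample of the --sdk-auth output shape (dummy values, not a real credential).
SAMPLE_CREDS='{"clientId":"00000000-0000-0000-0000-000000000001","clientSecret":"dummy-secret","subscriptionId":"00000000-0000-0000-0000-000000000002","tenantId":"00000000-0000-0000-0000-000000000003"}'

setup_all() {
    az login >/dev/null
    SUBSCRIPTION_ID="$(az account show --query id -o tsv)"
    az account set --subscription "$SUBSCRIPTION_ID"

    az group create --name "$RESOURCE_GROUP" --location "$LOCATION" >/dev/null
    RESOURCE_GROUP_ID="$(az group show --name "$RESOURCE_GROUP" --query id -o tsv)"
    [ "$RESOURCE_GROUP_ID" = "$(rg_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP")" ] || {
        echo "unexpected resource group id: $RESOURCE_GROUP_ID" >&2; exit 1; }

    # Contributor scoped to this resource group only, never the whole subscription.
    CREDS="$(az ad sp create-for-rbac --name "$SP_NAME" --role Contributor \
        --scopes "$RESOURCE_GROUP_ID" --sdk-auth)"
    check_sdk_auth_json "$CREDS" || { echo "credential JSON is incomplete" >&2; exit 1; }

    # Property is `id` on Azure CLI >= 2.37 (Microsoft Graph); `objectId` on older versions.
    AAD_SID="$(az ad user show --id "$AAD_USERNAME" --query id -o tsv)"

    # gh reads the secret value from stdin, so it never lands in the clipboard or on disk.
    printf '%s' "$CREDS"        | gh secret set AZURE_CREDENTIALS --repo "$GITHUB_REPO"
    printf '%s' "$AAD_USERNAME" | gh secret set AAD_USERNAME --repo "$GITHUB_REPO"
    printf '%s' "$AAD_SID"      | gh secret set AAD_SID --repo "$GITHUB_REPO"
}

# Only talk to Azure/GitHub when explicitly asked, so the file can be sourced for its helpers.
if [ "${RUN_AZURE_SETUP:-0}" = "1" ]; then
    setup_all
fi
```

Run it with RUN_AZURE_SETUP=1 GITHUB_REPO=<your-fork> AAD_USERNAME=<your-user@your-tenant> sh setup.sh; without RUN_AZURE_SETUP the file only defines the helpers and makes no network calls.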
- Inspect the infradeploy.yml file and update any environment variables at the top of the file to reflect your environment.
- In your GitHub repo, navigate to Actions and select the deploy-app-svc-networking-sample action.
Note: In case you see a message that says Workflows aren't being run on this forked repository, select the I understand my workflows, go ahead and enable them button.
- Select Run workflow > Run workflow. This starts a new workflow run and deploys the necessary infrastructure.
- Double check in the Azure Portal that all resources got deployed correctly and are up and running.
- In the Azure Portal, in your resource group, navigate to the Deployments menu. Select the last deployment and then select Outputs.
- Copy the principalId value (the object ID of the managed identity of the App Service).
- In the Azure Portal, navigate to the sample SQL database and open Query Editor.
- Select Login as your username.
- Copy the SQL script from mi.sql into the query editor window and replace each instance of accountName with the principalId value you just copied.
- Execute the script. Check which database roles the script grants to the managed identity; the application should only get the roles it needs.
To check whether the installation was done correctly:
- In the Azure portal, navigate to the App Service that got deployed.
- Select the URL of the App Service to navigate to the web application. The application displays info on your incoming request, the configuration of the app, environment variables, ...
- Select the SQL menu tab at the top of the application. This displays a page for connecting to a backend database.
- Select Submit. This should give you a response on the same page with an access token and output indicating that you successfully logged in to the database by using a managed identity and from a public IP address.
These demos work best if you follow them one by one. They walk you through a full setup, going from out-of-the-box networking to the options you have for further locking down App Service, first for incoming requests and then for outgoing requests.
- Web app private connectivity to Azure SQL database
- Multi-region web app with private connectivity to database
- App Service networking features
- Inbound and outbound IP addresses in Azure App Service
- Regional VNet integration
- App Service private endpoints
- Hybrid connections