Sitecore customers deploying workloads in Azure PaaS can integrate their on-premises/corporate network with the Sitecore PaaS content authoring (CM) web app by combining an Azure Virtual Network gateway (VPN Gateway) with the App Service VNet Integration feature and setting up a Site-to-Site VPN in Azure. This article demonstrates how to set up that Site-to-Site VPN with Azure App Service (non-ASE, multi-tenant web apps). Note that it does not use the new VNet Integration feature (in preview) announced at Microsoft Ignite 2018.
Integrate Azure App Service with an Azure Virtual Network
The Azure App Service has two forms: the multi-tenant service and the App Service Environment (ASE).
For the purposes of this Site-to-Site VPN discussion, this document covers VNet Integration with multi-tenant web apps, not the App Service Environment.
VNet Integration gives your web app outbound access to resources in your virtual network, but it does not grant private (inbound) access to your web app from the virtual network. A common scenario for VNet Integration is enabling access from your web app to a database or other Azure resources running in your Azure virtual network.
The VNet Integration feature:
There are some things that VNet Integration does not support, including:
Accessing on-premises resources
One of the benefits of the VNet Integration feature is that if your VNet is connected to your on-premises network with a Site-to-Site VPN, then your apps can reach your on-premises resources. For this to work, you may need to update your on-premises VPN gateway with routes for your Point-to-Site IP range: the web app reaches the VNet over a Point-to-Site connection, so its traffic arrives on-premises with a source address from that pool, and the on-premises gateway must know to send the replies back into the tunnel. When the Site-to-Site VPN is set up first, the process used to configure it should set up routes that include your Point-to-Site range. If you add the Point-to-Site configuration after you created your Site-to-Site VPN, you need to update the routes manually.
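The following script is an added example and is not part of the original article. It checks the address plan that this section depends on (the Point-to-Site pool must not collide with the VNet, the gateway subnet or any on-premises range) and derives the prefixes the on-premises VPN gateway must route into the tunnel, including the Point-to-Site pool that is easy to forget when it is added after the Site-to-Site VPN. All ranges in it are constructed, hypothetical values; replace them with your own.

```python
# Added example (not from the original article): validate the address plan
# for App Service VNet Integration over a Site-to-Site VPN and derive the
# routes each side needs. Every range below is constructed, not real.
import ipaddress
from typing import List


def _nets(prefixes: List[str]) -> List[ipaddress.IPv4Network]:
    # strict=True rejects prefixes with host bits set (e.g. 10.10.1.5/24),
    # which the Azure portal would also reject.
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]


def check_plan(vnet_prefixes: List[str], gateway_subnet: str,
               p2s_pool: str, onprem_prefixes: List[str]) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent.

    The Point-to-Site pool is the range the web app instances are addressed
    from when they connect to the gateway, so it must be unique across the
    VNet and every on-premises range.
    """
    problems = []
    vnet, onprem = _nets(vnet_prefixes), _nets(onprem_prefixes)
    gw = ipaddress.ip_network(gateway_subnet, strict=True)
    p2s = ipaddress.ip_network(p2s_pool, strict=True)

    if not any(gw.subnet_of(v) for v in vnet):
        problems.append(f"GatewaySubnet {gw} is not inside the VNet address space")
    for v in vnet:
        if p2s.overlaps(v):
            problems.append(f"P2S pool {p2s} overlaps VNet prefix {v}")
        for o in onprem:
            if v.overlaps(o):
                problems.append(f"VNet prefix {v} overlaps on-premises prefix {o}")
    for o in onprem:
        if p2s.overlaps(o):
            problems.append(f"P2S pool {p2s} overlaps on-premises prefix {o}")
    return problems


def onprem_tunnel_routes(vnet_prefixes: List[str], p2s_pool: str) -> List[str]:
    """Prefixes the on-premises VPN gateway must route into the S2S tunnel.

    Without the P2S pool in this list, replies to the web app never leave the
    corporate network: the exact failure that appears when Point-to-Site is
    added after the Site-to-Site VPN was configured.
    """
    nets = _nets(vnet_prefixes) + [ipaddress.ip_network(p2s_pool, strict=True)]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def local_network_gateway_prefixes(onprem_prefixes: List[str]) -> List[str]:
    """Address space to declare on the Azure local network gateway (the
    on-premises side of the S2S connection); adjacent or overlapping entries
    are merged."""
    return [str(n) for n in ipaddress.collapse_addresses(_nets(onprem_prefixes))]


# Constructed plan: a 10.10.0.0/16 VNet with a /27 gateway subnet, a P2S pool
# carved from a range nobody else uses, and two corporate ranges.
PLAN = dict(vnet_prefixes=["10.10.0.0/16"], gateway_subnet="10.10.255.0/27",
            p2s_pool="172.16.201.0/24",
            onprem_prefixes=["192.168.0.0/16", "10.20.0.0/16"])

if __name__ == "__main__":
    for line in check_plan(**PLAN) or ["plan OK"]:
        print(line)
    print("on-prem gateway -> tunnel:",
          onprem_tunnel_routes(PLAN["vnet_prefixes"], PLAN["p2s_pool"]))
    print("local network gateway:",
          local_network_gateway_prefixes(PLAN["onprem_prefixes"]))
    # The classic mistake: taking the P2S pool from the corporate range.
    print(check_plan(**dict(PLAN, p2s_pool="192.168.50.0/24")))
```

Run it before touching the portal; if check_plan reports anything, fix the addressing first, because an overlapping Point-to-Site pool cannot be corrected later without recreating the Point-to-Site configuration and re-integrating the web app.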
Azure costs involved in setting up VNet Integration
Three charges are related to the use of this feature. First, your apps must be in a Standard or Premium App Service Plan. Second, because the connection is a Point-to-Site VPN, you are always charged for outbound data through the VNet Integration connection, even when the VNet is in the same data center. Third, there is the cost of the VNet gateway itself: if you do not need the gateway for something else, such as the Site-to-Site VPN, you are paying for it solely to support the VNet Integration feature.
Requirements for Site-to-Site VPN
Before you start, make sure you have the following in place:
VPN gateway options in Azure
The following VPN gateway options are available, depending on your networking requirements. Ref: https://azure.microsoft.com/en-us/pricing/details/vpn-gateway/
VPN gateway type and pricing table (see the pricing page linked above for the full table). The one row that survives here: tunnels 11-30 are charged at $0.02/hour per tunnel.
Process to set up VNet Integration with a Site-to-Site VPN
1. Create a virtual network in the Azure portal.
2. Create a virtual network gateway.
3. Once the virtual network gateway is created, you can see that the GatewaySubnet has been added to the virtual network automatically.
4. Next, configure Point-to-Site on the VPN gateway. Here you define the Point-to-Site address pool (the range the web app instances are addressed from; it must not overlap the VNet or any on-premises range) and select the tunnel type. The two tunnel options are SSTP (TLS-based, over TCP 443) and IKEv2 (IPsec, over UDP 500/4500). The strongSwan client on Android and Linux and the native IKEv2 VPN client on iOS and OS X use only the IKEv2 tunnel to connect. Windows clients try IKEv2 first and, if that does not connect, fall back to SSTP. You can enable one of them or both.
5. Set up VNet Integration in the Azure web app. Click the setup link on the VNet Integration screen; a blade opens where you select the virtual network that has the Point-to-Site configuration enabled.
6. Once the virtual network is selected, the VNet Integration setup starts and the web app's integration with the virtual network is initiated.
7. Once the VNet Integration is completed in the Azure portal, you will see the "Connected" status in the Networking tab of the selected web app. The web app now has outbound access to the on-premises network, so content authoring users can work with resources inside the corporate network. Note that this does not by itself restrict who can reach the web app from the public internet; that has to be configured separately, for example with IP restrictions on the web app.
This is a great solution to integrate your CMS web app with an on-prem network. The only thing missing in this setup is protecting the Web App from the public, and thus making it only accessible via the on-prem network. I achieved this with an application gateway with a public IP address without a listener. This public IP address is my handle to whitelist only this on the web app.
Greetings, Ronald Nieuwenhuis.
Hi Ronald Nieuwenhuis, the specific scenario I have detailed here is for customers who want to restrict access to CM to the corporate network and not allow it through the public internet. I came across these customers during my experience in the last few months. But yes, good point raised. I will update the blog accordingly.