
Site-to-Site VPN Integration with Azure Web Apps (PaaS)

Introduction

Sitecore customers deploying workloads in Azure PaaS can integrate their on-premises/corporate network with the Sitecore PaaS content authoring web app by using an Azure Virtual Network gateway (VPN Gateway) together with the VNet Integration feature of Azure Web Apps, i.e. by setting up a Site-to-Site VPN in Azure. This article demonstrates the process of setting up a Site-to-Site VPN with Azure App Service (non-ASE web apps). Note that this article does not use the new VNet Integration feature (in preview) announced at Microsoft Ignite 2018.

Integrate Azure App Service with an Azure Virtual Network

The Azure App Service has two forms. 

  • The multi-tenant web apps, which are deployed in a shared environment in Azure and come with the Basic/Standard/Premium pricing plans
  • The App Service Environment (ASE), a Premium feature which deploys into your VNet.

For the purposes of the Site-to-Site VPN discussion, this document covers VNet Integration with multi-tenant web apps, not the App Service Environment.

VNet Integration gives your web app access to resources in your virtual network but does not grant private access to your web app from the virtual network. A common scenario where you would use VNet Integration is enabling access from your web app to a database or other Azure resources running in your Azure virtual network.

The VNet Integration feature: 

  • requires a Standard, Premium, or Isolated pricing plan
  • works with Classic or Resource Manager VNet
  • supports TCP and UDP
  • enables an app to connect to only 1 VNet at a time
  • enables up to five VNets to be integrated within an App Service Plan
  • allows the same VNet to be used by multiple apps in an App Service Plan
  • supports a 99.9% SLA due to the SLA on the VNet Gateway

There are some things that VNet Integration does not support including: 

  • mounting a drive
  • AD integration
  • private site access

Accessing on-premises resources

One of the benefits of the VNet Integration feature is that if your VNet is connected to your on-premises network with a Site-to-Site VPN, then your apps can access your on-premises resources. For this to work, though, the customer may need to update their on-premises VPN gateway with the routes for the Point-to-Site IP range. When the Site-to-Site VPN is first set up, the process used to configure it should set up routes including your Point-to-Site VPN range. If you add the Point-to-Site VPN after you create your Site-to-Site VPN, then you need to update the routes manually.

Azure costs involved to setup VNet Integration

Below are the charges related to the use of this feature:

  • App Service Plan pricing tier requirements
  • Data transfer costs
  • VPN Gateway costs 

For your apps to be able to use this feature, they need to be in a Standard or Premium App Service Plan. Due to how Point-to-Site VPNs are handled, you always have a charge for outbound data through your VNet Integration connection, even if the VNet is in the same data center. The last item is the cost of the VNet gateways. If you do not need the gateways for something else, such as Site-to-Site VPNs, then you are paying for gateways solely to support the VNet Integration feature.

Requirements for Site-to-Site VPN

Before you start, make sure you have the following in place.

  • VPN device: a VPN device is needed in the customer's on-premises environment to create the VPN connection with the Sitecore Azure subscription. The list of VPN devices validated by Azure can be found here.
  • Static public IP address: the VPN device must have an external public IP address, and it must not be behind NAT.
  • VNet Integration only works with apps in a Standard, Premium, or Isolated pricing plan. If you enable the feature and then scale your App Service Plan to an unsupported pricing plan, your apps lose their connections to the VNets they are using.
  • If your target virtual network already exists, it must have point-to-site VPN enabled with a Dynamic routing gateway before it can be connected to an app. If your gateway is configured with Static routing, you cannot enable point-to-site Virtual Private Network (VPN).
  • The VNet must be in the same subscription as your App Service Plan (ASP).
  • If your gateway already exists with point-to-site enabled, and it is not in the Basic SKU, IKEv2 must be disabled in your point-to-site configuration.
  • The apps that integrate with a VNet use the DNS that is specified for that VNet.
  • By default, your integrating apps only route traffic into your VNet based on the routes that are defined in your VNet.
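As an added pre-flight check (example code written for this article, not part of the original post or of Azure's tooling), the script below encodes the requirements above and the route note from the "Accessing on-premises resources" section: it validates a constructed gateway description (field names assumed to follow the ARM virtualNetworkGateways schema), checks the on-premises, VNet and Point-to-Site ranges for overlap, and lists the prefixes the on-premises VPN device must route into the tunnel. All addresses and ids are constructed placeholders.

```python
import ipaddress

# Constructed sample values for illustration only; none of them come from the article.
ONPREM_PREFIXES = ["192.168.0.0/16"]       # corporate network behind the VPN device
VNET_PREFIXES = ["10.1.0.0/16"]            # Azure VNet address space
P2S_POOL = "172.16.201.0/24"               # Point-to-Site client address pool
ASP_SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"  # placeholder subscription id

# Constructed gateway description. Field names follow the ARM schema of
# Microsoft.Network/virtualNetworkGateways (assumption: matches what
# `az network vnet-gateway show` returns); this is not real output.
GATEWAY = {
    "id": f"/subscriptions/{ASP_SUBSCRIPTION}/resourceGroups/rg-cm/providers/"
          "Microsoft.Network/virtualNetworkGateways/gw-cm",
    "gatewayType": "Vpn",
    "vpnType": "RouteBased",                # "Dynamic routing" in the article
    "sku": {"name": "VpnGw1"},
    "vpnClientConfiguration": {
        "vpnClientAddressPool": {"addressPrefixes": [P2S_POOL]},
        "vpnClientProtocols": ["SSTP"],     # IKEv2 must be off on non-Basic SKUs
    },
}

def check_gateway(gw, asp_subscription):
    """Return the article's requirements that the gateway violates (empty = OK)."""
    problems = []
    if gw["id"].split("/")[2] != asp_subscription:
        problems.append("gateway is not in the App Service Plan subscription")
    if gw.get("vpnType") != "RouteBased":
        problems.append("static (PolicyBased) routing: point-to-site needs RouteBased")
    cfg = gw.get("vpnClientConfiguration") or {}
    if not cfg.get("vpnClientAddressPool", {}).get("addressPrefixes"):
        problems.append("point-to-site is not enabled (no client address pool)")
    if gw["sku"]["name"] != "Basic" and "IkeV2" in cfg.get("vpnClientProtocols", []):
        problems.append("IKEv2 enabled on a non-Basic SKU: disable it for VNet Integration")
    return problems

def find_overlaps(prefixes):
    """Pairs of overlapping CIDRs; an overlap means traffic will not route across the tunnel."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [(str(a), str(b)) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]

def required_onprem_routes(vnet_prefixes, p2s_pool):
    """Prefixes the on-premises VPN device must route into the Site-to-Site tunnel.
    The P2S pool is the route that gets missed when P2S is added after the S2S VPN."""
    nets = [ipaddress.ip_network(p) for p in vnet_prefixes + [p2s_pool]]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]
```

Run `check_gateway` against the real `az network vnet-gateway show` output (assumption: same field names) and feed the actual on-premises and VNet prefixes to the two range helpers before clicking "Connect" in the portal.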

VPN gateway options in Azure

The following VPN gateway options are available to customers, depending on their networking requirements. Ref: https://azure.microsoft.com/en-us/pricing/details/vpn-gateway/

VPN GATEWAY TYPE | BANDWIDTH | S2S TUNNELS                                           | P2S TUNNELS
Basic            | 100 Mbps  | Max 10; 1-10: Included                                | Max 128; 1-128: Included
VpnGw1           | 650 Mbps  | Max 30; 1-10: Included; 11-30: $0.02/hour per tunnel  | Max 128; 1-128: Included
VpnGw2           | 1 Gbps    | Max 30; 1-10: Included; 11-30: $0.02/hour per tunnel  | Max 128; 1-128: Included
VpnGw3           | 1.25 Gbps | Max 30; 1-10: Included; 11-30: $0.02/hour per tunnel  | Max 128; 1-128: Included

Process to set up VNet Integration for a Site-to-Site VPN

1. Create a Virtual Network in the Azure portal.

2. Create a Virtual Network gateway:

  • map the virtual network to the gateway
  • create a public IP address for the gateway

3. Once the Virtual Network gateway is created, you can see that the Gateway subnet has been added to the virtual network automatically.

4. The next step is to set up the point-to-site configuration on the VPN gateway. You can select the tunnel type. The two tunnel options are SSTP and IKEv2. The strongSwan client on Android and Linux and the native IKEv2 VPN client on iOS and OSX will use only the IKEv2 tunnel to connect. Windows clients try IKEv2 first and, if that does not connect, fall back to SSTP. You can enable one of them or both.

5. Set up VNet Integration in the Azure web app. Click the setup link on the VNet Integration screen; it opens a screen where you select the virtual network that has the Point-to-Site configuration enabled.

6. Once the virtual network is selected, the VNet Integration setup starts and the integration of the web app with the virtual network is initiated.

7. Once the VNet Integration is completed in the Azure portal, you will see the "Connected" status in the Networking tab for the selected web app. The web app is now integrated with the on-premises network, so content authoring users can work from within the corporate network.

  • This is a great solution to integrate your CMS web app with an on-prem network. The only thing I miss in this setup is protecting the Web App from the public, and thus making it only accessible via the on-prem network. I achieved this with an application gateway with a public IP address without a listener. This public IP address is my handler to whitelist only this on the web app.

    Greetings, Ronald Nieuwenhuis.

  • Hi, the specific scenario I have detailed here is for customers who want to restrict access to CM through the corporate network but not through the public internet. I came across these customers during my experience in the last few months. But yes, good point raised. I will update the blog accordingly.