-
Notifications
You must be signed in to change notification settings - Fork 21.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unclear whether / how it is possible to let App Service access resource (CosmosDB) that can only be accessed from vnet #28461
Comments
@hansmbakker Thank you for detailing the issue you are encountering, Are you saying that the 4 steps you detailed in Or, you followed the 4 steps (as detailed) and got it working but when you follow the documentation, it DOES NOT work? If you are completly stuck and your solution is not working at all, I suspect that you need to add the specific source address for your App Service to the Cosmos DB firewall Inbound and outbound IP addresses in Azure App Service |
@Mike-Ubezzi-MSFT thank you for your response. After the 4 steps of my solution (+whitelisting the ip of my development machine) it did not work. So what I’m asking is:
I couldn’t find an answer to both questions in the docs. The reason I prefer not to whitelist the IP from the app service is that that IP is not guaranteed to be fixed I believe. |
@hansmbakker You need to subscribe to App Service Environment to gain the static IP functionality. The App Service by itself does not allow for dedicated IP addresses. So, you can use the |
@Mike-Ubezzi-MSFT are you saying that my scenario / solution is not possible without an App Service Environment (ASE)? If the idea is that
Then why can't I route the App Service --> CosmosDB traffic through the VNet? I don't understand what the purpose of the (New) VNet Integration of the normal App Service is then? |
@hansmbakker To let appservice access Cosmos DB you should check the accept connections from Azure datacenters option as shown in the screen below: Azure Cosmos DB account will be accessible from Azure datacenter IP range. This allows services like Search, Data factory, Stream analytics whose IP addresses can't be fixed - to talk to Cosmos DB account. |
@SnehaGunda I understand that would allow the App Service to access the CosmosDB instance. However, I use the option you recommend, then any random App Service or other component from within Azure can access the CosmosDB instance. That does not match the reason behind this story - the IT department came up with the approach mentioned in the opening post and they required this setup in our architecture, to let only this App Service access the CosmosDB instance. Now the point of this GitHub issue is to
Therefore, I'm asking feedback on
|
@hansmbakker The Stack Overflow answer provided by Nancy Xiong is spot on. If you deploy the application tier in an App Service Environment, you gain true VNet functionality. Using Multi-tenent environment does not fully support VNet only access...as Nancy pointed out in the Stack Overflow answer. There is a article written by Deloitte that provides and overview and a comparison between a Multi-tenant app service instance and an App Service Environment instance: When to Use an Azure App Service Environment v2 (App Service Isolated) Private access only? Multi-tenant environment: No.
App Service Isolated / App Service Environment v2: Yes.
|
@Mike-Ubezzi-MSFT I understand that ASE can be used to restrict access to the App Service. However, that is not what I'm trying to achieve. I'm trying to let the App Service access another resource (in this case Cosmos DB, but also Blob Storage) routed through the VNet. I thought I could use the (new) VNet integration for that. One of my questions is what the purpose of the App Service's VNet Integration is, if it can not do that? |
@hansmbakker The intent of the VNet Integration feature had the following requirements when the service was initially launched:
(shortlist of items)
Announcing the new VNet Integration feature in App Service So, it is intended to integrate with a VNet and extend (front end) services across an Express Route connection or other peered network for app services calls into a virtual network. What you are attempting to do is secure the communication the App Service needs to establish with the Cosmos DB instance, either through a direct connection or via REST. It's not that your method will not work but the integration service is not the solution here. |
I have verified that the service endpoints do not appear to be working for Key Vault and Blob storage as well, despite the last paragraph on this page that explicitly says:
I've set up my app service exactly like the OP, and I get "unauthorized" errors. When I disable the VNET restrictions on the key vault/blob storage accounts, it works fine. |
Thanks for the additional detail! I have assigned the issue to the content author to evaluate and update as appropriate. |
That is exactly what I'm trying: routing the calls from app services through the vnet to a service endpoint that is also connected to the vnet
This is where my confusion comes from. From the first quote it looks like it could/should work, but from the second quote it looks like it cannot work. What is the way to go, then?
Thank you! |
@hansmbakker It has to do with inbound connectivity versus outbound connectivity, and the use of Site-to-Site/Point-to-Site VPN and Express Route scenarios for the creation of private addressing to extend on-premise to Azure, in cases where the VNet service endpoints are private. Not necessarily VNet to VNet integration, which is what you are attempting to implement. I agree the documentation needs to be enhanced to make things more clear but the MSDN and Stack Overflow forums have a few threads where this is being discussed: App Service and VNet to VNet Connectivity I think if the document had a supported/unsupported scenario chart to help distill the difference between leveraging VNet service endpoints (public and private) and VNet integration. |
The "Learn more" link in the screenshot above points to https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet. The "New VNet Integration" (which I'm using) section on that page says:
|
@Mike-Ubezzi-MSFT thank you for the elaborate answer.
Yes, that is exactly what I want, and I am already using the New VNet Integration (please see my repro steps in the opening post). I tried setting it up just as @ccompy presented, but it does not work as expected. @NateB2 has the same issue in #28805. I understand that it is still in preview, but how can we collaborate best to raise this issue? Is there any chance that @ccompy could comment here? |
FWIW, on Monday, I had a phone/remote desktop sharing session with a support engineer on the App Service team, and he appeared to indicate that what we're trying to do should be possible with the new Vnet integration preview. At the end of the conversation, after I showed him what we had set up, he said he was going to reproduce it on his side and confer with the team to see what's going on. |
@NateB2 were they able to reproduce it? |
@hansmbakker - yes, and they said that it's not yet implemented, but going to be implemented before the new VNET integration reaches GA. They didn't give a timeline as to when that was going to take place, however. |
@hansmbakker thanks for raising this, have you made any progress since then? Have you tried the two subnets scenario for the ServiceEndpoint and one for the Vnet? Its been more than 2 months, and for the claims they've made in the video since 2018 and the updated website, this should be working by now! |
@sarah026 it's a coincidence that you ask this today, as I succeeded with CosmosDB just two hours ago. Things I had to do to make it work:
Having two subnets in the vnet was not needed, one subnet is enough. The New VNET integration and the CosmosDB service endpoint are connected to the same subnet. This made it work for CosmosDB for me, but Azure Storage does not work for me yet using the same approach. |
Pleased to hear that @hansmbakker! Thanks for sharing. Our environment was set up yesterday, so it is a new build. |
West Europe, hope it works for you as well. |
Having the same problem with App Services and SQL Azure, this doesn't seem to work as the documentation and the various other demos indicate it should: |
Mine is working fine now between AppService and SQL elasticpool. I suggest you raise a ticket with them. The issue with mine was datacentre level issue, they needed to whitelist something for it to work. Not something we've done wrong, and so I wouldn't suggest you waste as much time as I wasted trying to figure this out. |
Will do, thanks for the advice @sarah026 |
Got it working between Web app and cosmos table. Not sure what made it work but it took a couple of hours of deleting resources, and adding them back again. Might just have been the time that solved it, provisions etc maybe?? |
Deleting and recreating also 'mystically' solved my problem. I tried this route after I found that the servers I was initially provisioned did not support scaling to P1V2. It was referenced in some docs, but what I didn't realize is that it meant my SPECIFIC server may have that scaling option disabled (which it did), and that would be an indicator of a separate deficiency that would prevent this VNet solution from working. What I think happened was I was assigned compute resources in an old rack, possibly because I carried that server forward from a free trial account (even though that was less than 2 months ago). The requirement/consequence is very hard to associate, an invisible thread that was keeping my VNet from working. I did not realize that of two servers in the same compute location on the same plan, one may support scaling while the other did not. It finally dawned on me what they meant when I was watching the youtube video posted above. |
So I'm still running into this problem. Also, is the new VNET integration already released? The steps I executed:
@hansmbakker and the rest, do you see anything I missed? Code to connect to cosmos:
|
@devedse Thank you for providing the details specific to your deployment. What I do not see is a Privatelink associated with the VNET that you have created. A Private Endpoint establishes a private address space as defined by the VNET configuration. What you do not have is a Private IP Address issued for the Cosmos DB for SQL API service that has been setup in that VNET. Please see the following to complete the configuration: Configure Azure Private Link for an Azure Cosmos account. Note: By working with NSGs instead of static IP and port values, when IP address changes occur, the NSG is automatically updated. Any manual configuration implemented outside an NSG will require intervention to update the correct values when each Azure maintenance update made. |
Hi @Mike-Ubezzi-MSFT , I've been trying to follow your steps but am still running into some new issues:
I'm now however quite stumped on what to do next. You mention that the App Service should already have a NSG? So should I not create it? I'm not sure what to do next. |
@Mike-Ubezzi-MSFT , it's been a while since anyone reacted to this topic. Do you have an idea what steps I'm missing? |
Ok I finally managed to get it to work, what I did was the following:
|
@devedse you mentioned ended up creating another new subset in your most recent update, would you please clarify are the cosmos DB private endpoint and the web app service ended up with a same subset or not? I went into the issue of CosmosDB requiring a subset without any dedication, but web app service requires a subset with a dedication to servicefarm, which means the two requirements are conflict to each other. @Mike-Ubezzi-MSFT |
@dawwa, they are now both on separate subnets. |
@devedse , thanks for the clarification, the section below mentioned the |
@dawwa, I was making use of Linux Containers. (I can really suggest to go for Linux containers unless you really have an application that only runs on Windows). |
This issue needs to go to support for a deeper investigation as it appears there are some complications with deleting and adding the NSG, etc. Please make sure this step has been completed, if it applies.
Also, this one: Do the peered virtual networks also have access to Azure Cosmos account?
|
@Mike-Ubezzi-MSFT , would it be possible for you to connect me with some Microsoft people. I'm basically trying to deploy the whole solution through Terraform but there's so much issues I'm running into, for example:
All of it seems to be related to having some things in VNET's but I can't figure out how it should all integrate. Mainly because sometimes the first deployment does work, so it seems my code is correct (sometimes it doesn't though). But when you do subsequent deployment everything breaks down. |
(I'm not sure whether this is an App Service or Cosmos DB docs issue; this is a crosspost from the ticket for the App Service docs)
This issue is related to this post on Stackoverflow.
From the docs page that I'm creating this issue from, and from the VNet-related Cosmos DB docs page it is unclear to me whether the scenario below is supported.
I have an App Service and a Cosmos DB. I want to restrict access to the Cosmos DB - only the App Service should access it.
My solution was to:
default
Allow access from Selected networks
default
subnetNew VNet integration
in the App Service and connected it to the samedefault
subnetCosmos DB firewall setup:
default
subnet setup:Unfortunately, this does not work. How do I make the App Service correctly access Cosmos DB through the VNet?
Document Details
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
The text was updated successfully, but these errors were encountered: