I'm in a bit of a dilemma. We want our developers to deploy function apps and web apps easily, without going through a complicated procedure. Our current plan is to set up a Premium V3 App Service Plan, giving app service contributor and network contributor access over a subnet, and integrating with a virtual network (VNet). However, it seems that using private endpoints won't work because our DNS servers are centrally managed. Is there any way to limit public access without resorting to private endpoints?
5 Answers
Have you looked into setting up an App Service Environment (ASE)? It allows VNet integration and custom domains, like dev.contoso.com. It comes with a built-in load balancer and a single IP, which your internal DNS team can use to direct requests effectively. Each app associated with the ASE also gets an automatically generated subdomain.
I recommend using service endpoints. They should meet all your requirements and are actually less complex compared to private endpoints, plus they're free. Make sure you have the premium app service plan if you need your apps to access private resources, otherwise any SKU would do.
I heard they relaxed the requirement for premium plans. We're using service endpoints with a basic app service plan for our dev and stage environments.
Unfortunately, our cybersecurity team insists on using private endpoints only. I originally thought about restricting access using network rules, but that's off the table.
Have you considered deploying an Azure Private DNS that integrates with your central DNS servers? It could simplify your setup significantly.
The problem is that our devs need more independence and can't control those central DNS servers. They require private endpoints for inbound access.
You might check out network security perimeters for this. It’s currently in preview but could be worth exploring.
If it’s just for a website and not a big deal on security, a simple workaround could be to require a secret cookie to keep the site hidden from crawlers. This way, if the cookie isn't present, you can just return a 404 error. We used it to cloak our test and staging sites without complicating things.
Yeah, but it's shockingly expensive compared to the Premium V3. It's like 2.3 times the cost in my area.