I'm the network admin for our Azure setup, which follows a Hub/Spoke model with traffic routed through our central hub. I'm currently in the process of configuring VNets and subnets for our application team so they can deploy and test some apps. However, I'm a bit confused about the requirements they've laid out for App Services. They mentioned needing multiple subnets for different components like APIM, Linux App Service, Windows App Service, and Windows Function Apps, including separate subnets for inbound and outbound traffic. Additionally, they indicated that an outbound NAT IP is necessary for the Function app. As I read, I understand that applications are hosted in App Service plans, which exist within an App Service Environment. My questions are: do they genuinely need a separate App Service plan for each OS (one for Linux and one for Windows)? Also, do I need to establish an integration network for these apps? I believe that if the apps are within the same App Service plan, they don't require outbound integration on each one, but rather just on the service plan itself. How many subnets do I realistically need? So far, I think I'll need two for outbound net integration (one for each OS service plan) and possibly one inbound private subnet per app, though I'm uncertain about that.
3 Answers
Yes, you'll definitely need an App Service plan for each OS type, meaning one for Linux and one for Windows. As for the integration network, apps in the same service plan can indeed share the same subnet, so there's no need for an additional integration net unless you have specific requirements. You do need an inbound private endpoint if the app needs private access, though!
Exactly! Just make sure to configure your routing properly to handle outbound traffic.
Honestly, it seems like your infra team should manage the internal subnet setup themselves. You could provide them with the necessary IP ranges for each region/subscription, and they can create the networks as needed. Involving yourself in this too much might not be the best use of your time, especially if Azure isn’t your forte.
I appreciate that, but I am part of the infra team here. We're pretty new to Azure, and it seems like the app team thinks it should be easier and quicker to set this all up. I'm just trying to ensure they don’t come back to me with problems later.
Got it, sounds like a good plan! It’s always better to double-check on your end.
About the App Service Environment (ASE) – do you actually need that? It's pretty pricey. You might just be looking to set up App Service Plans (ASPs). If they do require an ASE, remember that you will need to create it first before setting up the ASPs inside it. Check the documentation for more details!
Thanks for the heads-up! I’m diving into it and realizing I don’t actually need the ASE—just the ASPs for each OS type.
Perfect! And just keep in mind that the outbound integration can indeed be shared among apps within the same ASP.
Thanks for clarifying! So if I have both a Windows web app and a Windows function app, they can coexist in the same Windows App Service plan and share that outbound net integration?