Reputation: 41
I have deployed a web app in Azure and it is available at http://XXX.azurewebsites.net. I would like to limit access to this site by placing the web app in a Virtual Network using Point-to-Site.
I have created a VNET and successfully established the Point-to-Site connection. Then I integrated the web app with the created VNET.
Now clients who don't have the client certificate are also able to access the site/URL. How do I restrict that?
My expected behaviour is that clients who have the client certificate and VPN client package can access the site using the above URL. Others should not be able to access the site using the "XXX.azurewebsites.net" URL.
Please help me in achieving this.
Upvotes: 1
Views: 735
Reputation: 186
Configuring a Client Address Pool on the Virtual Network Gateway is what allows only specific clients to be able to connect to the VPN. However, that is only for the VNet gateway. The website itself still has a public IP address that is accessible over the internet. You would need to apply an NSG on the subnet of the web app, blocking internet traffic using a deny rule for source ports 80 and 443. With internet blocked, a client would only be able to access the app from within the virtual network.
Upvotes: 0
Reputation: 58898
Integrating the Web App with a VNET does not hide it. It simply allows your app to connect to resources in the VNET.
You will have to use standard ways of blocking traffic like allowed IP addresses in web.config.
Another (very expensive) option is to use an App Service Environment. Or Virtual Machines.
Upvotes: 3