How to integrate Azure Web App with a VNet with gateway transit

Question

I have two VNets: A and B. VNet B has a VPN gateway and connected to an on-premise network. VNet A is peered with VNet B with transit gateway enabled. This works perfectly for virtual machines. I deploy VMs to VNet A and can access on-premise resources from there VMs.

Now I want to deploy a Web App and connect it to VNet A, so the web app will have access to on-premise resources. But to do so, I need to add a VPN gateway into the network A, which is impossible when the network is peered with another network with Use remote gateway option on. But I need this option to be on to have access to on-premise resources.

What should I do? How I can give access from Web App to on-premise resources without using App Service Environment? Is it possible?

Basically, I need the combination of these two schemes

Answer 1

In this case, you should integrate with VNet B from the Azure web app. Also, It will be integrated with a point-to-site VPN enabled VNet. There is a new version of the VNet Integration feature that is in preview. It doesn't depend on point-to-site VPN. From your scenario, the web app is working like " VPN clients" in a P2S connection on the second picture.

Here are some things to keep in mind before connecting your web app to a virtual network:

A target virtual network must have point-to-site VPN enabled with a route-based gateway before it can be connected to app. The VNet must be in the same subscription as your App Service Plan(ASP). The apps that integrate with a VNet use the DNS that is specified for that VNet.

Ref: https://learn.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet