How to access resource in Express Route VNET from Azure Web App
Scenario
Azure Web App is connected to a VNET (VNET1) using Point-To-Site and then there is another VNET (VNET2) with Express route Gateway. Both VNET are in Azure.
Note: This blog is only if requirement is to access resource in Azure VNET having ER gateway. If your requirement is to access On-Prem resources from App Service through ER gateway then only solution will be use App Service Environment.
Requirement
Azure Web App should be able to connect resource in VNET with Express route Gateway.
Web App <---P2S ---> VNET1 with Route Base GW<--- s2s---> VNET2 with Coexisting Gateway & (Express Route)
Limitation
In Azure, we can connect two VNET’s using VNET Peering & VNET to VNET connectivity. But since we have a Web App connected using Point-To-Site, we need to add transit route which both these options will not allow. So, only way to get this working is having Site-to-Site IPsec tunnel.
We can create Site-to-Site but both gateways should be identical i.e. both gateways can either be Route based (Dynamic) or Policy based (Static). In my case VNET1 is Route based Gateway and VNET2 is Express Route.
Solution
So, can this be achieved?
Yes, we can either setup App Service Environment or if the requirement is to stay with multi-tenant App service then we can create Coexisting Gateway in VNET2 and then establish Site-to-Site IPsec connectivity between VNET1 and VNET2.
Here is how we do that!
Existing setup
Web App <---P2S ---> VNET1 with Route Base GW
VNET2 with Express Route
First thing we need to do is create Coexisting gateway on VNET2. This can be done using PowerShell. Here is sample
| ##Create coexistence IPsec Gateway##$location = "DCLocation"$vnet = Get-AzureRmVirtualNetwork -Name ExpressrouteVNET -ResourceGroupName RGNAME$gwSubnet = Get-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet$gwIP = New-AzureRmPublicIpAddress -Name "VPNGatewayIP" -ResourceGroupName RGNAME -Location $location -AllocationMethod Dynamic$gwConfig = New-AzureRmVirtualNetworkGatewayIpConfig -Name "VPNGatewayIpConfig" -SubnetId $gwSubnet.Id -PublicIpAddressId $gwIP.IdNew-AzureRmVirtualNetworkGateway -Name "NAMEFORNEWGW" -ResourceGroupName RGNAME -Location $location -IpConfigurations $gwConfig -GatewayType Vpn -VpnType RouteBased -GatewaySku Standard ##Create Local Network Gateway## $MyLocalNetworkAddress = @("10.0.0.0/21",” 172.16.0.0/16”) <- Address space of VNET1 & Point-to-Site$localVpn = New-AzureRmLocalNetworkGateway -Name "LOCALNETWORKGATEWAY" -ResourceGroupName Blogs -Location $location -GatewayIpAddress IPOFVNET1GW -AddressPrefix $MyLocalNetworkAddress ##Connection## $azureVpn = Get-AzureRmVirtualNetworkGateway -Name "VPNGateway" -ResourceGroupName RGNAMENew-AzureRmVirtualNetworkGatewayConnection -Name "VPNConnection" -ResourceGroupName RGNAME -Location $location -VirtualNetworkGateway1 $azureVpn -LocalNetworkGateway2 $localVpn -ConnectionType IPsec -SharedKey "enteryourpresharedkey" |
Once this is done then we can create Site-to-Site IPsec connection between VNET1 Gateway and VNET2 Coexisting Gateway.
For testing connectivity i have documented in my previous blog
HTH