Summary
Configure Virtual Network integration for App Service to enable private connectivity to backend services and restrict network exposure.
Security Benefits
- App Service can access Key Vault and SQL through private endpoints
- Reduced attack surface by eliminating public endpoint dependencies
- Network segmentation between application and data tiers
Current State
- App Service uses public endpoints for backend connectivity
- Key Vault relies on Azure Services bypass for access
- No network isolation between tiers
Acceptance Criteria
Implementation Reference
\\�icep
// Virtual Network
resource vnet 'Microsoft.Network/virtualNetworks@2023-11-01' = {
name: 'vnet-'
location: location
properties: {
addressSpace: {
addressPrefixes: ['10.0.0.0/16']
}
subnets: [
{
name: 'snet-app'
properties: {
addressPrefix: '10.0.1.0/24'
delegations: [
{
name: 'delegation'
properties: {
serviceName: 'Microsoft.Web/serverFarms'
}
}
]
}
}
{
name: 'snet-private-endpoints'
properties: {
addressPrefix: '10.0.2.0/24'
}
}
]
}
}
// App Service VNet Integration
resource appServiceVnetConfig 'Microsoft.Web/sites/networkConfig@2023-12-01' = {
parent: appService
name: 'virtualNetwork'
properties: {
subnetResourceId: vnet.properties.subnets[0].id
swiftSupported: true
}
}
// Key Vault Private Endpoint
resource keyVaultPrivateEndpoint 'Microsoft.Network/privateEndpoints@2023-11-01' = {
name: 'pe-kv-'
location: location
properties: {
subnet: {
id: vnet.properties.subnets[1].id
}
privateLinkServiceConnections: [
{
name: 'kv-connection'
properties: {
privateLinkServiceId: keyVault.id
groupIds: ['vault']
}
}
]
}
}
\\
Priority
P2 - High - Implement within 30 days
Summary
Configure Virtual Network integration for App Service to enable private connectivity to backend services and restrict network exposure.
Security Benefits
Current State
Acceptance Criteria
Implementation Reference
\\�icep
// Virtual Network
resource vnet 'Microsoft.Network/virtualNetworks@2023-11-01' = {
name: 'vnet-'
location: location
properties: {
addressSpace: {
addressPrefixes: ['10.0.0.0/16']
}
subnets: [
{
name: 'snet-app'
properties: {
addressPrefix: '10.0.1.0/24'
delegations: [
{
name: 'delegation'
properties: {
serviceName: 'Microsoft.Web/serverFarms'
}
}
]
}
}
{
name: 'snet-private-endpoints'
properties: {
addressPrefix: '10.0.2.0/24'
}
}
]
}
}
// App Service VNet Integration
resource appServiceVnetConfig 'Microsoft.Web/sites/networkConfig@2023-12-01' = {
parent: appService
name: 'virtualNetwork'
properties: {
subnetResourceId: vnet.properties.subnets[0].id
swiftSupported: true
}
}
// Key Vault Private Endpoint
resource keyVaultPrivateEndpoint 'Microsoft.Network/privateEndpoints@2023-11-01' = {
name: 'pe-kv-'
location: location
properties: {
subnet: {
id: vnet.properties.subnets[1].id
}
privateLinkServiceConnections: [
{
name: 'kv-connection'
properties: {
privateLinkServiceId: keyVault.id
groupIds: ['vault']
}
}
]
}
}
\\
Priority
P2 - High - Implement within 30 days