Configure Azure Service Endpoints for Web Applications #Azure #ASE #Endpoints #AzureServiceEndpoints #webapp #AzureDevOps   Leave a comment

Sometimes you are building things in Azure and thinking if this is possible than that would be a cool feature. Suddenly you are building this and noticed that it is already there in Azure. How Cool is that.

Today I was building a demo website but I did not want to expose this directly to the web, play with this and still get the use of Azure Cloud over the internet. Reading the Azure Endpoint services there is no WebApp Endpoint services. Using a NSG or enable the Azure Firewall well it is just a test so lets see what we can do with all the basic stuff. But during the test I saw this option Microsoft.Web in the service endpoints.


More security is needed in everything you expose to the internet. And in Azure it all starts with a Vnet.

Virtual Network (VNet) service endpoints extend your virtual network private address space and the identity of your VNet to the Azure services, over a direct connection. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Traffic from your VNet to the Azure service always remains on the Microsoft Azure network.

First we create a new Vnet, while we creating this wen can enable an pick the right service endpoints. this can also be done afterwards.


Azure service traffic from a virtual network uses public IP addresses as source IP addresses. With service endpoints, service traffic switches to use virtual network private addresses as the source IP addresses when accessing the Azure service from a virtual network. This switch allows you to access the services without the need for reserved, public IP addresses used in IP firewalls.

In case you have already a Vnet, just go to the Service points and add the selected service you want to add or select it all.

image image image

At this point there is no Configuration, it is just adding a services to the network or subnet.


Below is a list of the Azure services that are currently available.

Generally available

Public Preview

The Web app is not listed but the option is there, and working. The Azure service Endpoint is not a Firewall, as the Azure Firewall this is a totally different service.


For Samples you have a Web application, and it needs to have connection to storage or SQL server and connection to an other Web services, without setting this open to Any – Any you can restrict this with the Azure Service Endpoints


Creating the Rules is a quick process, these are similar as in the NSG.

  • Network security groups (NSGs) with service endpoints:

    • By default, NSGs allow outbound Internet traffic and so, also allow traffic from your VNet to Azure services. This continues to work as is, with service endpoints.
    • If you want to deny all outbound Internet traffic and allow only traffic to specific Azure services, you can do so using service tags in your NSGs. You can specify supported Azure services as destination in your NSG rules and the maintenance of IP addresses underlying each tag is provided by Azure.

First we go the the Web App Service. in Networking and the non readers will click the VNet integration. #Wrong 



In this case I don’t want a premium network, So we go to Configure Access Restrictions


Here we create a access rule, on who gets access to this web application.


I created a deny rule for a specific IP.



And the pages shows an error webapp is stopped. here you can also see the difference between a complete port block and no access to the application.


Changing this to Allow the App is visible


Also for the KUDU SCM you can have different rules or apply the same rules. with the little check box


With these options you can create a more secure environment again this is a great add on.

Follow Me on Twitter @ClusterMVP

Follow My blog

Linkedin Profile Robert Smit MVP Linkedin profile

Google  : Robert Smit MVP profile

Posted May 29, 2019 by Robert Smit [MVP] in Azure

Tagged with ,

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  • Twitter

  • RSS Azure and Microsoft Windows Server Blog

  • %d bloggers like this: