This chapter covers two critical networking features for Azure App Service: VNet Integration and Private Endpoints. These technologies allow you to securely connect your App Service to resources inside your virtual network (VNet) and to restrict access to your app from only within your VNet. For the AZ-204 exam, approximately 10-15% of questions in the Compute domain touch on these concepts, often in scenarios involving hybrid connectivity, network security, and private access. Mastering these topics is essential for designing secure, enterprise-grade Azure solutions.
Jump to a section
Imagine a large corporate office building (the public internet) with many tenants. Your company leases a private condo (your App Service) inside a secure gated community (your virtual network). Normally, to visit your condo, guests must enter through the main public lobby (public endpoint) where anyone could see them. But you want a private entrance that only residents of the gated community can use. You build a direct bridge (Private Endpoint) from your condo's private door to a specific parking spot inside the gated community. Now, when an employee from another building in the community (a VM in your VNet) wants to visit, they walk across the bridge directly into your condo, bypassing the public lobby entirely. The bridge is a one-way private connection; no one from outside the community can even see the bridge entrance. Additionally, you set up a secure tunnel (VNet Integration) from your condo to the community's internal road network, so your condo can access community resources (like a shared pool or gym) using internal roads (private IPs) rather than going out to the public highway. This tunnel ensures that outbound traffic from your condo appears to come from the community's internal addresses, not from a random public address. The bridge (Private Endpoint) is for inbound traffic to your condo; the tunnel (VNet Integration) is for outbound traffic from your condo to the community.
What is App Service VNet Integration?
App Service VNet Integration is a feature that enables your App Service app to access resources in an Azure virtual network (VNet) but does not grant private inbound access to the app. It is designed for outbound traffic from your app to resources like databases, storage accounts, or other services inside a VNet. There are two types: Regional VNet Integration (recommended for most scenarios) and Gateway-required VNet Integration (legacy, used for connecting to classic VNets or on-premises via VPN).
How Regional VNet Integration Works
When you enable Regional VNet Integration, Azure creates a delegated subnet in your VNet (minimum size /27 with 32 addresses) and attaches it to your App Service plan. Each App Service plan instance (VM) gets a virtual network interface (vNIC) in that subnet. The subnet must be empty and delegated to Microsoft.Web/serverFarms. Azure then configures routing so that outbound traffic from your app to addresses in the VNet range is sent over this vNIC, using private IPs from the delegated subnet. Traffic to the internet still goes through the normal outbound path (unless you force-tunnel).
Key Components and Defaults
Delegated Subnet: Must be a dedicated subnet with no other resources. Minimum size /27. The subnet cannot be used for anything else.
Route Tables: Azure automatically adds routes for the VNet address space. You can add custom routes via route tables associated with the subnet.
Network Security Groups (NSGs): You can apply NSGs to the delegated subnet to control outbound traffic (e.g., block traffic to certain IPs). NSGs are supported for Regional VNet Integration.
Service Endpoints: You can also use service endpoints on the delegated subnet to access Azure PaaS services like Storage or SQL Database over the Azure backbone.
Point-to-Site VPN: For Gateway-required VNet Integration, you need a VNet gateway with point-to-site VPN. This is older and has limitations (e.g., no NSG support, performance capped at ~200 Mbps).
What is a Private Endpoint?
A Private Endpoint is a network interface that connects your App Service to a specific resource (like a storage account or your app itself) over a private IP address from your VNet. For App Service, you can create a Private Endpoint for your app to allow inbound traffic only from your VNet. This replaces the public endpoint with a private IP in your VNet, making your app inaccessible from the public internet.
How Private Endpoints Work for App Service
When you create a Private Endpoint for your App Service, Azure provisions a network interface in your VNet subnet with a private IP address. DNS configuration is updated so that the app's hostname (e.g., myapp.azurewebsites.net) resolves to that private IP when queried from within the VNet. From outside the VNet, the hostname still resolves to the public IP (unless you disable public access). You can also configure the app to deny public traffic entirely. Traffic from the VNet to the app flows over the Microsoft backbone, never leaving the Azure network.
Key Components and Defaults
Private Endpoint: A resource in a subnet with a private IP from that subnet's range. It uses a NIC with the private IP.
Private DNS Zone: To resolve the app's hostname to the private IP, you need a private DNS zone (privatelink.azurewebsites.net) linked to your VNet. Azure can auto-create this.
Public Access: You can set the app's access restrictions to deny public traffic, forcing all traffic through the Private Endpoint.
Pricing: Private Endpoint incurs hourly charges and data processing fees. VNet Integration (Regional) does not have extra charges beyond the VNet resources.
Interaction Between VNet Integration and Private Endpoints
These two features are complementary but serve different directions:
Private Endpoint: Inbound traffic to your app from your VNet.
VNet Integration: Outbound traffic from your app to your VNet.
You can use both together: your app can receive traffic via a Private Endpoint and also access resources in the VNet via Regional VNet Integration. However, note that when you use VNet Integration, outbound traffic to the VNet uses the delegated subnet's IPs, not the Private Endpoint's IP. Also, if your app is integrated with a VNet and you use Private Endpoint for the same app, the VNet Integration subnet must be the same VNet as the Private Endpoint's subnet.
Configuration and Verification Commands
To enable Regional VNet Integration via Azure CLI:
az webapp vnet-integration add -g MyResourceGroup -n MyApp --vnet MyVNet --subnet MySubnetTo verify:
az webapp vnet-integration list -g MyResourceGroup -n MyAppTo create a Private Endpoint for an App Service:
az network private-endpoint create -g MyResourceGroup -n MyPE --connection-name MyConnection \
--private-connection-resource-id $(az webapp show -g MyResourceGroup -n MyApp --query id -o tsv) \
--group-id sites --subnet MySubnet --vnet-name MyVNetTo verify:
az network private-endpoint show -g MyResourceGroup -n MyPE --query customDnsConfigsLimitations and Considerations
Regional VNet Integration: Only works for Windows and Linux apps in Standard, Premium, PremiumV2, PremiumV3, Isolated, and IsolatedV2 plans. Free, Shared, and Basic plans are not supported. The subnet cannot be used for other resources. The feature does not allow inbound traffic to the app from the VNet.
Private Endpoint: Not supported for apps deployed to Isolated tier (ASE) with ILB ASE. Also, if you use Private Endpoint, you cannot use the same app with Access Restrictions that rely on service endpoints (though you can use both).
DNS Resolution: When using Private Endpoint, DNS must be configured correctly. If you use Azure-provided DNS, the private DNS zone handles resolution. If you use custom DNS, you must manually add the A record.
Performance and Scalability
Regional VNet Integration adds minimal latency (sub-millisecond) because traffic stays within Azure's backbone. Private Endpoint also adds negligible latency. Both features scale automatically with your App Service plan. For high-throughput scenarios, ensure the delegated subnet has enough IP addresses (each instance uses one IP from the subnet). For Private Endpoint, each endpoint uses one IP regardless of instance count.
Create a Delegated Subnet
First, you need a subnet in your VNet that is delegated to Microsoft.Web/serverFarms. This subnet must be empty and have a minimum size of /27 (32 addresses). Azure will assign IPs from this subnet to each instance of your App Service plan when VNet Integration is enabled. You can create the subnet via portal, CLI, or PowerShell. For example: az network vnet subnet create -g MyRG --vnet-name MyVNet -n MySubnet --address-prefixes 10.0.1.0/27 --delegations Microsoft.Web/serverFarms. Note that the subnet cannot be used for any other resources, including other Azure services or VMs.
Enable Regional VNet Integration
In the Azure portal, navigate to your App Service -> Networking -> VNet Integration. Click 'Add VNet' and select your VNet and the delegated subnet. Alternatively, use the CLI command: az webapp vnet-integration add. Azure will then attach a virtual network interface (vNIC) to each instance of your App Service plan. This vNIC is used for all outbound traffic destined to IPs within the VNet address space. The integration takes a few minutes to complete. After enabling, you can verify by checking the VNet Integration blade or using az webapp vnet-integration list.
Configure Routing and NSGs
By default, Azure adds routes to the subnet's route table for the VNet address space. You can add custom routes (e.g., to force-tunnel traffic to on-premises via a firewall) by associating a route table with the delegated subnet. You can also apply NSGs to control outbound traffic from the app. For example, you can block traffic to certain IP ranges. However, note that NSGs on the delegated subnet affect only outbound traffic from the app; inbound traffic to the app is unaffected. Also, you cannot use NSGs with Gateway-required VNet Integration.
Create a Private Endpoint
To allow inbound traffic from your VNet to your app privately, create a Private Endpoint. In the portal, go to your App Service -> Networking -> Private Endpoint Connections. Click 'Add' and specify the name, VNet, and subnet (can be the same or different from the VNet Integration subnet). The Private Endpoint will get a private IP from that subnet. Azure will also create a Private DNS Zone (privatelink.azurewebsites.net) linked to your VNet, so the app's hostname resolves to the private IP inside the VNet. You can also configure the app to deny public traffic by setting 'Public Network Access' to 'Disabled'.
Verify DNS and Connectivity
After setting up Private Endpoint, test DNS resolution from a VM inside the VNet: nslookup myapp.azurewebsites.net should return the private IP. From outside the VNet, it should return the public IP (or fail if public access is disabled). Test connectivity by accessing the app from a VM (e.g., curl https://myapp.azurewebsites.net). Also, verify that the app can reach resources in the VNet via VNet Integration (e.g., from the app's Kudu console, ping a VM's private IP). If both features are used together, ensure the VNet Integration subnet is in the same VNet as the Private Endpoint's subnet.
Scenario 1: Secure Microservices Architecture
A financial services company deploys a microservices application on Azure App Service. The front-end app needs to communicate with a back-end API app, which in turn accesses an Azure SQL Database and a Storage Account, all inside a VNet. They use Regional VNet Integration on both App Services to allow them to access the database and storage over private IPs. To secure inbound traffic, they deploy Private Endpoints for both App Services, so that only traffic from within the VNet can reach them. They also disable public access on both apps. This ensures that all traffic stays within the Azure backbone, meeting compliance requirements. The company uses Premium V3 plan for better performance. The delegated subnets are /27 each. They monitor the NSG flow logs to detect any unexpected outbound traffic.
Scenario 2: Hybrid Application with On-premises Connectivity
A retail company has an App Service that needs to access an on-premises database via a site-to-site VPN. They use Regional VNet Integration to connect the app to a VNet that has a VPN gateway. The VNet Integration subnet is in the same VNet. They add a custom route to the subnet's route table to send traffic to the on-premises IP range through the VPN gateway. The app can now access the database securely. For inbound access, they use a Private Endpoint so that only users connected to the corporate network (via VPN or ExpressRoute) can reach the app. They also implement Access Restrictions as a second layer, allowing only the VNet's address space.
Scenario 3: Multi-tier App with Service Endpoints
A SaaS provider uses App Service with Regional VNet Integration to access Azure Storage via service endpoints. They enable service endpoints on the delegated subnet for Microsoft.Storage. This ensures that traffic from the app to the storage account goes over the Azure backbone and not the internet. They also use a Private Endpoint for the App Service itself to allow private inbound access from their management VNet. They note that service endpoints and Private Endpoints can coexist on the same subnet, but the Private Endpoint is for a different resource. They experience no issues with scale, but they ensure the delegated subnet has enough IPs for peak instance count (e.g., 40 instances need at least /27).
What AZ-204 Tests
The AZ-204 exam covers App Service VNet Integration and Private Endpoints under objective 'Implement secure cloud solutions' (1.3). You should expect scenario-based questions where you must choose the correct networking feature to meet security and connectivity requirements. Key points tested:
Knowing the difference between VNet Integration (outbound) and Private Endpoint (inbound).
Understanding that Regional VNet Integration requires a delegated subnet (/27 minimum) and does not allow inbound access.
Knowing that Private Endpoint uses a private IP and requires a Private DNS Zone (privatelink.azurewebsites.net).
Recognizing that Gateway-required VNet Integration is legacy and requires a VNet gateway with point-to-site VPN.
Understanding that both features can be used together but for different traffic directions.
Common Wrong Answers
'VNet Integration allows inbound traffic from the VNet.' This is false. VNet Integration is only for outbound traffic. Many candidates confuse it with Private Endpoint or with an Application Gateway in front. The correct answer for inbound private access is Private Endpoint or an internal load balancer (ILB ASE).
'You can use the same subnet for both VNet Integration and Private Endpoint.' While you can have both in the same VNet, they require separate subnets. The delegated subnet for VNet Integration cannot be used for Private Endpoints (or any other resource). The Private Endpoint subnet can be any non-delegated subnet.
'Private Endpoint requires a VPN gateway.' No. Private Endpoint uses Azure Private Link and does not require any gateway. It works within the VNet directly.
'VNet Integration works with all App Service plans.' No. It requires Standard, Premium, PremiumV2, PremiumV3, Isolated, or IsolatedV2. Free, Shared, and Basic are not supported.
Exam Numbers and Terms
Minimum subnet size for Regional VNet Integration: /27 (32 addresses).
Delegation: Microsoft.Web/serverFarms.
Private DNS zone: privatelink.azurewebsites.net.
Gateway-required VNet Integration uses point-to-site VPN and supports NSGs? No, it does not.
Regional VNet Integration supports NSGs and route tables.
Edge Cases
If you use Private Endpoint and also want to use VNet Integration, the VNet Integration subnet must be in the same VNet as the Private Endpoint's subnet.
If you enable Private Endpoint and disable public access, the app is only accessible from the VNet. However, the Kudu site (scm endpoint) also gets a Private Endpoint if you configure it (separate endpoint).
For apps in an App Service Environment (ASE), Private Endpoint is not supported for the apps themselves; you use ILB ASE for private access.
How to Eliminate Wrong Answers
If the question asks for 'private inbound access to an App Service from a VNet', the answer is Private Endpoint (or ILB ASE). Not VNet Integration.
If the question asks for 'outbound access from App Service to resources in a VNet', the answer is Regional VNet Integration (or Gateway-required if legacy).
If the question mentions 'delegated subnet' and 'outbound', it's VNet Integration.
If the question mentions 'private IP' and 'DNS zone', it's Private Endpoint.
Regional VNet Integration enables outbound traffic from App Service to VNet resources; it does NOT allow inbound traffic from the VNet.
Private Endpoint enables inbound traffic from a VNet to an App Service using a private IP; it does NOT affect outbound traffic.
The delegated subnet for VNet Integration must be at least /27 and delegated to Microsoft.Web/serverFarms.
Private Endpoint requires a Private DNS Zone (privatelink.azurewebsites.net) linked to the VNet for hostname resolution.
Both features can be used together: Private Endpoint for inbound, VNet Integration for outbound, in the same VNet.
Gateway-required VNet Integration is legacy; use Regional VNet Integration for new deployments.
Private Endpoint is not supported for apps in an App Service Environment (ASE); use ILB ASE instead.
VNet Integration is not supported on Free, Shared, or Basic App Service plans.
These come up on the exam all the time. Here's how to tell them apart.
Regional VNet Integration
Uses a delegated subnet (/27 minimum) directly attached to App Service plan instances.
Supports NSGs and route tables on the delegated subnet.
No VPN gateway required; works within the same region.
Higher performance (up to 1.25 Gbps per instance) and lower latency.
Recommended for most scenarios; simpler to configure.
Gateway-required VNet Integration
Uses a point-to-site VPN connection from App Service to a VNet gateway.
Does not support NSGs or route tables on the gateway subnet.
Requires a VNet gateway with point-to-site VPN enabled.
Performance limited to ~200 Mbps aggregate across all instances.
Legacy; only use for classic VNets or cross-region connectivity.
Mistake
VNet Integration allows inbound traffic from the VNet to the App Service.
Correct
VNet Integration only enables outbound traffic from the app to VNet resources. For inbound private access, you must use Private Endpoint or an App Service Environment (ASE) with internal load balancer.
Mistake
You can use the same subnet for both VNet Integration and Private Endpoint.
Correct
VNet Integration requires a dedicated delegated subnet (Microsoft.Web/serverFarms) that cannot host any other resources, including Private Endpoints. Private Endpoints require a separate, non-delegated subnet.
Mistake
Private Endpoint requires a VPN gateway or ExpressRoute to work.
Correct
Private Endpoint uses Azure Private Link and works entirely within the Azure network backbone. No VPN or ExpressRoute is needed for traffic within the same VNet or peered VNets.
Mistake
VNet Integration works with all App Service pricing tiers.
Correct
Regional VNet Integration is supported only on Standard, Premium, PremiumV2, PremiumV3, Isolated, and IsolatedV2 plans. Free, Shared, and Basic plans are not supported.
Mistake
Gateway-required VNet Integration supports NSGs and route tables.
Correct
Gateway-required VNet Integration does not support NSGs or route tables on the gateway subnet. Regional VNet Integration does support NSGs and route tables on the delegated subnet.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
No. VNet Integration only allows outbound traffic from the App Service to the VNet. For inbound private access, you need to create a Private Endpoint for your App Service. The Private Endpoint gives the app a private IP in your VNet, and you can disable public access to ensure only VNet traffic can reach it.
The minimum subnet size is /27, which provides 32 IP addresses. This is because each App Service plan instance uses one IP from the subnet, and Azure reserves five IPs per subnet. If you have more than 27 instances, you need a larger subnet. Always plan for future scaling.
No. Private Endpoint is not supported for apps deployed in an App Service Environment (ASE). Instead, ASE with an internal load balancer (ILB ASE) provides private inbound access. You can use Private Endpoint for apps in other tiers (Standard, Premium, etc.) even if they are in an ASE? Actually, apps in an ASE can use Private Endpoint? The official documentation states that Private Endpoint is not supported for apps hosted in an ASE. Use ILB ASE for private access.
Yes, for Regional VNet Integration, you can apply NSGs to the delegated subnet to control outbound traffic from the App Service. However, NSGs do not affect inbound traffic to the app. For Gateway-required VNet Integration, NSGs are not supported.
Azure automatically creates a Private DNS Zone (privatelink.azurewebsites.net) and adds an A record mapping the app's hostname (e.g., myapp.azurewebsites.net) to the private IP of the Private Endpoint. This zone is linked to the VNet, so VMs in the VNet resolve the hostname to the private IP. Outside the VNet, the public DNS still resolves to the public IP (unless public access is disabled).
Yes, you can use both simultaneously. Private Endpoint handles inbound traffic from the VNet to the app, while VNet Integration handles outbound traffic from the app to the VNet. However, the VNet Integration subnet must be in the same VNet as the Private Endpoint's subnet.
Yes, if the VNet you integrate with has connectivity to on-premises (via VPN gateway or ExpressRoute), the App Service can access on-premises resources using the VNet's routes. You may need to add custom routes to the delegated subnet's route table to direct traffic appropriately.
You've just covered App Service VNet Integration and Private Endpoints — now see how well it sticks with free AZ-204 practice questions. Full explanations included, no account needed.
Done with this chapter?