How To Secure Azure Web App Using Private Endpoints

In this article, we’ll learn about Private Endpoints, various aspects of them, their benefits, and how to configure DNS so that the web app is reached privately. This secures the web app with a private connection to the service.

Private Endpoint

A Private Endpoint can be understood as a special kind of network interface (NIC) that enables a secure and private connection to a service. In Azure, a private endpoint is used to connect services powered by Azure Private Link, such as an Azure Web App, to a subnet of a Virtual Network (VNet). Creating a private endpoint for the web app builds secure connectivity between clients on the private network and the web app. The private endpoint is assigned an IP address from the address range of the VNet, and Private Link carries the connection between the private endpoint and the web app. Only incoming flows to the web app are enabled through the private endpoint; it cannot be used for outgoing flows. However, outgoing flows can be injected into the network via another subnet through the VNet integration feature.

Each slot of the app has its own discrete configuration, and over 100 private endpoints can be plugged into each slot. However, private endpoints cannot be shared between slots. A dedicated empty subnet is not required to plug in the private endpoint; other resources can co-exist in the subnet where private endpoints are plugged in. Moreover, the web app and the private endpoint do not need to be deployed in the same region. Note, however, that the VNet integration feature cannot use the subnet that is used for the private endpoint.

There are numerous benefits of using private endpoints for web apps. Some of them are listed as follows,

  • Data exfiltration from the VNet can be completely avoided.
  • Public exposure can be eliminated by configuring private endpoints, thus securing the web app.
  • Even from an on-premises network, the connection to the web app can be secured by connecting to the VNet through a Virtual Private Network (VPN) or ExpressRoute private peering.

Properties of Private Endpoint

Each property of Private Endpoint is discussed as follows,

Property | Description
Name | Must be a unique name within the Azure resource group.
Private Link Resource | The resource ID or alias to connect to, chosen from the available list. A unique network identifier is generated for all traffic sent to this resource.
Target Subresource | The sub-resource to connect to. Every private link resource offers multiple options to choose from based on preference.
Connection Approval Method | Either manual or automatic. Private endpoints can be approved automatically depending on the Azure role-based access control permissions.
Request Message | A message attached to a connection request that is to be approved manually. Specific requests can be identified from these messages.
Connection Status | Denotes whether the private endpoint is active. Only in the Approved state can the private endpoint be used to send traffic. The available states are Pending, Approved, Rejected, and Disconnected.

Other Azure services that can be used with private endpoints, besides the Web App, are as follows,

  • Azure SQL Database 
  • Azure Cosmos DB 
  • Azure Storage 
  • Custom Services that use Private Link Service 

Security with Private Endpoint

There are several security implications of the private endpoint that need to be understood. First, all public access to the web app is disabled when a private endpoint is enabled for it. Multiple private endpoints can be enabled for the web app, in subnets of VNets in different regions. The IP address of the private endpoint NIC is dynamic but remains the same until the private endpoint is deleted. An NSG cannot be associated with the NIC of the private endpoint. An NSG can be associated with the subnet that hosts the private endpoints, but network policy enforcement must be disabled for private endpoints, so access to the private endpoints cannot be filtered by any NSG. Moreover, the access restrictions configured on the web app are not evaluated for traffic arriving through the private endpoint. By removing all NSG rules whose destination is the Internet or Azure services tag, the risk of data exfiltration from the VNet can be mitigated. Finally, it is crucial to realize that a private endpoint is dedicated to one web app: the web app it is deployed for can only be accessed through that private endpoint, and every other web app needs its own dedicated private endpoint.


Domain Name System (DNS)

When a private endpoint is used for the web app, the name of the web app and the host name in the requested URL must match. By default, the public name of a web app without a private endpoint is a CNAME to the canonical name of the cluster. Let us take this example to understand.

Name | Value | Type
sampleapp.azurewebsites.net | clustername.azurewebsites.windows.net | CNAME
clustername.azurewebsites.windows.net | cloudservicename.cloudapp.net | CNAME
cloudservicename.cloudapp.net | 80.123.111.155 | A

When the private endpoint is deployed, the public DNS entry is updated to point to the canonical name sampleapp.privatelink.azurewebsites.net.

Let us see how the resolution of the name now turns out.

Name | Value | Type
sampleapp.azurewebsites.net | sampleapp.privatelink.azurewebsites.net | CNAME
sampleapp.privatelink.azurewebsites.net | clustername.azurewebsites.windows.net | CNAME
clustername.azurewebsites.windows.net | cloudservicename.cloudapp.net | CNAME
cloudservicename.cloudapp.net | 80.123.111.155 | A

A private DNS server or an Azure DNS private zone must be set up; for a quick test, the hosts file of the test machine can be modified instead. The DNS zone that needs to be created is privatelink.azurewebsites.net.

In that zone, an A record for the web app should be registered with the private endpoint IP. The resulting name resolution is shown below,

Name | Value | Type
sampleapp.azurewebsites.net | sampleapp.privatelink.azurewebsites.net | CNAME
sampleapp.privatelink.azurewebsites.net | 10.10.10.8 | A

Finally, with the above DNS configuration, the web app can be accessed privately through its default name sampleapp.azurewebsites.net. Custom DNS names can also be used after they are validated.
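To make the three resolution tables above concrete, here is an added example (not from the original article or from Azure's tooling) that walks each CNAME chain the way a resolver would and reports whether a client would reach the web app through the private endpoint. The zone data and the VNet range 10.10.10.0/24 are constructed from the article's sample names and are assumptions, not live records.

```python
import ipaddress

# Constructed zone data mirroring the article's tables (not live DNS records).
# Each name maps to a (record type, value) tuple.
BEFORE_PE = {  # public DNS before the private endpoint exists
    "sampleapp.azurewebsites.net": ("CNAME", "clustername.azurewebsites.windows.net"),
    "clustername.azurewebsites.windows.net": ("CNAME", "cloudservicename.cloudapp.net"),
    "cloudservicename.cloudapp.net": ("A", "80.123.111.155"),
}
PUBLIC_AFTER_PE = {  # public DNS after deployment, seen by a client outside the VNet
    "sampleapp.azurewebsites.net": ("CNAME", "sampleapp.privatelink.azurewebsites.net"),
    "sampleapp.privatelink.azurewebsites.net": ("CNAME", "clustername.azurewebsites.windows.net"),
    "clustername.azurewebsites.windows.net": ("CNAME", "cloudservicename.cloudapp.net"),
    "cloudservicename.cloudapp.net": ("A", "80.123.111.155"),
}
PRIVATE_AFTER_PE = {  # client inside the VNet using the privatelink.azurewebsites.net zone
    "sampleapp.azurewebsites.net": ("CNAME", "sampleapp.privatelink.azurewebsites.net"),
    "sampleapp.privatelink.azurewebsites.net": ("A", "10.10.10.8"),
}
VNET_RANGE = ipaddress.ip_network("10.10.10.0/24")  # assumed VNet address space


def resolve_chain(zone, name, max_hops=8):
    """Follow CNAMEs from name to an A record; return (ip or None, names visited)."""
    path = [name]
    for _ in range(max_hops):
        rec = zone.get(name)
        if rec is None:
            return None, path          # name has no record in this zone view
        rtype, value = rec
        if rtype == "A":
            return value, path
        name = value                   # CNAME: keep following
        path.append(name)
    raise ValueError("CNAME chain too long or looping: " + " -> ".join(path))


def check_private_access(zone, name, vnet=VNET_RANGE):
    """Classify how a client using this zone view reaches the web app."""
    ip, path = resolve_chain(zone, name)
    if ip is None:
        return "unresolved"
    via_privatelink = any(h.endswith(".privatelink.azurewebsites.net") for h in path)
    in_vnet = ipaddress.ip_address(ip) in vnet
    if via_privatelink and in_vnet:
        return "private"          # traffic enters through the private endpoint
    if via_privatelink:
        return "public-fallback"  # private zone missing: lands on the now-blocked public IP
    return "public"               # no private endpoint involved at all
```

The "public-fallback" result is the case to watch for after deployment: the name still resolves, but to the public address that the private endpoint has closed, so the client is not actually using the private path.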

Conclusion

Thus, in this article, we learned about Azure Private Endpoints and how to use them together with Azure Web App. We started with the fundamentals of Private Endpoints, the benefits of Azure Private Endpoints, and their properties. We also listed other Azure services that can benefit from Private Endpoints. Later, we looked at the security aspects of the private endpoint and finally learned how to configure DNS for a web app that uses a private endpoint.