It is possible to connect Azure App Services that are on Standard and Premium plans to a virtual network using a point-to-site (P2S) VPN. Unfortunately, although it is reasonably straightforward in the portal, there isn't much documentation around on how to do this using PowerShell. In response to a forum post, https://social.msdn.microsoft.com/Forums/en-US/2417fc64-e8d3-4b15-a493-7524f7d4961e/join-a-web-app-to-a-vpn-in-azure-through-powershell-script, I created the connection with some help from https://resources.azure.com/. The solution isn't a work of art, but it is hopefully enough to put people on the right track.
First you need an existing VNet with P2S configured. If you haven't done that already, I suggest reading my previous post: http://www.techdiction.com/2016/01/12/creating-a-point-to-site-vpn-connection-on-an-azure-resource-manager-virtual-network/
Then use the PowerShell below to connect the App Service to the VNet using the P2S VPN:
$subscription_id = "<Subscription_ID>"
$NetworkName = "<Network_Name>"
$location = "<Region>"
$netrgname = "<Resource_Group_VNet_is_in>"
$AppServiceName = "<AppService_Name>"

$props = @{
    "vnetResourceId" = "/subscriptions/$subscription_id/resourcegroups/$netrgname/providers/Microsoft.ClassicNetwork/virtualNetworks/$NetworkName";
    "certThumbprint" = "<Client_cert_thumbprint>";
    "certBlob" = "<Base64_Cert_Data>"; # all on one line, without begin and end headers
    "routes" = $null;
}

New-AzureRMResource -ResourceName "$AppServiceName/$AppServiceName-to-$NetworkName" -Location $location -ResourceGroupName $netrgname -ResourceType Microsoft.Web/sites/virtualNetworkConnections -PropertyObject $props -ApiVersion "2015-08-01" -force
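The certThumbprint and certBlob placeholders above can be filled from an exported client certificate file. The following is an added example, not part of the original post: the function name Get-P2SCertProperties and the path .\P2SClient.cer are hypothetical, and it assumes certBlob is the Base64 of the DER-encoded public certificate.

```powershell
# Added example (not from the original post).
# Assumption: certBlob is the Base64 of the DER-encoded *public* certificate.
function Get-P2SCertProperties {
    param(
        [Parameter(Mandatory = $true)]
        [string]$CertPath   # hypothetical path to an exported .cer file (DER or PEM)
    )

    # Resolve to a full path; .NET does not follow PowerShell's current location.
    $resolved = (Resolve-Path -LiteralPath $CertPath).ProviderPath

    # X509Certificate2 reads both binary (DER) and Base64 (PEM) .cer files.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $resolved

    # Only the public certificate belongs in the request body.
    if ($cert.HasPrivateKey) {
        throw "'$CertPath' contains a private key; export the public certificate (.cer) instead."
    }

    # An expired or not-yet-valid certificate will not authenticate the VPN client.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "Certificate $($cert.Thumbprint) is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
    }

    # RawData is the DER encoding; ToBase64String emits a single line with
    # no BEGIN/END headers and no line breaks.
    [pscustomobject]@{
        certThumbprint = $cert.Thumbprint
        certBlob       = [Convert]::ToBase64String($cert.RawData)
        Subject        = $cert.Subject
        NotAfter       = $cert.NotAfter
    }
}

# Usage (hypothetical file name), before calling New-AzureRMResource:
# $c = Get-P2SCertProperties -CertPath ".\P2SClient.cer"
# $props["certThumbprint"] = $c.certThumbprint
# $props["certBlob"]       = $c.certBlob
```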
Many thanks Marcus, it worked like a charm!
Does this work with ARM (V2) VNets? Or only Classic VNets?
This example is for ARM resources. Note the RM in New-AzureRMResource.
Marcus, although you are using the Resource Manager cmdlets to create your connection, the network you are connecting to is a V1, 'Classic' network, as shown in the vNet resource ID you are passing to New-AzureRmResource: "vnetResourceId" = "/subscriptions/$subscription_id/resourcegroups/$netrgname/providers/Microsoft.ClassicNetwork/virtualNetworks/$NetworkName". If it were a V2 network, that would read 'Microsoft.Network/VirtualNetworks'.
Very true. Well spotted. I would expect it to work with either – have you tried/have an issue? Although this whole process will soon become redundant, as VNet peering has now been announced, which means the VPN will no longer be required to link VNets in the same region.
How would I do this in an ARM template?