Connecting Azure App Service to VNet using Point to Site VPN using PowerShell

It is possible to connect Azure App Services that are on Standard and Premium plans to a virtual network using a point to site VPN. Unfortunately although it is reasonably straightforward in the portal there isn’t much documentation around on how to do this using PowerShell. In response to a forum post, I created the connection with some help from  The solution isn’t a work of art but hopefully enough to put people on the right track.

First you need an existing VNet with P2S configured. If you haven’t done that already I suggest reading my previous post –

Then use the below PowerShell to connect the App Service to the VNet using P2S VPN:

$subscription_id = "<Subscription_ID>"
$NetworkName = "<Network_Name>"
$location = "<Region>"
$netrgname = "<Resource_Group_VNet_is_in>"
$AppServiceName = "<AppService_Name>"
 $props = @{
      "vnetResourceId" = "/subscriptions/$subscription_id/resourcegroups/$netrgname/providers/Microsoft.ClassicNetwork/virtualNetworks/$NetworkName";
      "certThumbprint"= "<Client_cert_thumbprint>";
      "certBlob"= "<Base64_Cert_Data>"; # all on one line, without begin and end headers
      "routes" = $null;

New-AzureRMResource -ResourceName "$AppServiceName/$AppServiceName-to-$NetworkName" -Location $location  -ResourceGroupName $netrgname -ResourceType Microsoft.Web/sites/virtualNetworkConnections -PropertyObject $props -ApiVersion "2015-08-01" -force 



  1. Ahmed IG

    Many thanks Marcus, it worked like a charm!

  2. Johansson

    Does this work with ARM (V2) VNets? Or only Classic VNets?

    1. Marcus (Post author)

      This example is for ARM resources. Note the RM in New-AzureRMResource.

      1. Thomas

        Marcus, Although you are using the Resource Manger cmdlets to create your connection, the network you are connecting to is a V1, 'Classic' network as shown in the vNet resource ID you are pasing to New-AzureRmResource vnetResourceId" = "/subscriptions/$subscription_id/resourcegroups/$netrgname/providers/Microsoft.ClassicNetwork/virtualNetworks/$NetworkName" If it were a V2 network, that would read 'Microsoft.Network/VirtualNetworks'  

        1. Marcus (Post author)

          Very true. Well spotted. I would  expect it work with either – have you tried/have an issue? Although this whole process will soon become redundant as VNet peering has now been announced which means the VPN will no longer be required to link VNets in the same region.

  3. Alex B

    How would I do this in ARM template?


Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.