Feature Request: App Service VNET Integration

[samcook]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Add the ability to connect an app service (or app service slot) to a virtual network via an existing virtual network gateway.

New or Affected Resource(s)

• azurerm_app_service
• azurerm_app_service_slot

Potential Terraform Configuration

resource "azurerm_app_service" "app" {
  resource_group_name = "appservice-rg"
  location            = "westus"
  name                = "appservice-name"
  app_service_plan_id = "appserviceplan-id"

  virtual_network_integration {
    gateway_name        = "vnetgateway-name"
    resource_group_name = "vnetgateway-rg"
  }
}

References

https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet
https://docs.microsoft.com/en-us/azure/templates/microsoft.web/sites/virtualnetworkconnections
https://gallery.technet.microsoft.com/scriptcenter/Connect-an-app-in-Azure-ab7527e3

[tombuildsstuff]

hi @samcook

Thanks for opening this issue :)

App Services can be attached to Virtual Network's by attaching the App Service Plan containing the App Service to an App Service Environment; this property is available in the properties block on the azurerm_app_service_plan resource as app_service_environment_id. It's not currently possible to create an App Service Environment using Terraform - however support for this is being tracked in this issue #438.

Since this is a question regarding Terraform Configuration rather than a bug in Terraform - I'm going to close this issue for the moment.

Thanks!

[samcook]

Hi @tombuildsstuff

Thanks for the quick response. While I understand that an app service within an app service environment does get attached to a vnet (and we use this in our production environment), this is a different feature (non ASE app service connected to vnet via a vnet gateway).

In our case, we use this in non production environments to allow our app services to communicate with vnet resources, because app service environments are quite expensive.

Is this still something that you'd consider implementing?

[tombuildsstuff]

@samcook

Is this still something that you'd consider implementing?

Yes it is (whilst this isn't on our short-term roadmap at the moment, we're happy to help with a PR for this). Apologies, I missed that this wasn't related to the App Service Environment connection method - I'll reopen this :)

[samcook]

Great, thanks @tombuildsstuff

I've been trying to get it working using ARM templates, but not having any joy there either.

If this link is to be believed, it's not even something that can be done using ARM templates alone. 🙁

https://social.msdn.microsoft.com/Forums/en-US/53d19f76-2d2d-40e8-856f-44d31e80e7d4/arm-deploy-app-service-to-vnet-doesnt-sync-certifcates?forum=WAVirtualMachinesVirtualNetwork

Your ARM template is just doing one part of the step to integrate with an existing VNet and that is to add to the link to the Virtual Network.

There are 2 other steps that cannot be completed in ARM and will need to be carried out in PowerShell. This is assuming of course that the destination VNet already has a Gateway Subnet and a VPN package.

[tombuildsstuff]

@samcook

If this link is to be believed, it's not even something that can be done using ARM templates alone. 🙁

The good news is it appears there's an API's for both of these:

https://docs.microsoft.com/en-us/rest/api/appservice/webapps/createorupdatevnetconnection
https://docs.microsoft.com/en-us/rest/api/appservice/webapps/createorupdatevnetconnectiongateway

I've not checked the SDK yet - but assuming there's matching SDK methods for these (which there should be if there's docs) it should be possible to add this to Terraform :)

[losandes]

I think this is the SDK documentation that correlates to those APIs @tombuildsstuff. Can you confirm?

https://godoc.org/github.com/Azure/azure-sdk-for-go/services/web/mgmt/2016-09-01/web#VirtualNetworkProfile

EDIT: The length of that godoc spun me for a loop. The above link would only be part of what's needed

[tekollt]

Would it not make sense to also include virtual_network_name for azurerm_function_app since they do share the same api calls and both of them are app service?

[tombuildsstuff]

@thoregilK given that's a separate resource (since it's slightly different) - there's a feature request for Virtual Network Integration within Function Apps here #1460 - which I'd recommend subscribing to for updates

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!