Web App Private Endpoints vs Service Endpoints vs App Service Environments

Recently, I got an opportunity to compare the Private Endpoint for Web Apps, Service Endpoints for Web Apps and App Service Environments. I thought it would be good to write a blog post on the observations and the comparison I learned. Limiting the attack vector for the web applications and exposing the application only to the customer private networks is a very common requirement when you talk to customers. Therefore, this blog is about a comparison between the most commonly used hosting methods for internal-facing web applications in Azure.

Private Endpoints for Web Apps

With the announcement of the Private Endpoints for Web Apps, it opens up a new architecture for making Azure Web Apps available to the Azure Networks. This method creates a Private IP address in your virtual network dedicated for the Web App instance you choose. This private IP can be used as a secure entry point for the Web Application. This feature combined with external access blocked to the web app makes the application available only to the local network.

The traffic originating from an end-user traverse the virtual network to the private endpoint for the web app. Then it goes through the Microsoft Backbone to the Web App. It never goes to the Public Internet. Hence, this is a much secure way to have connectivity to internal-facing web applications.

Private Endpoint for Web Apps

The above diagram shows the high-level architecture for the private endpoint for web apps. One of the key features of this architecture is that this model works with the hybrid networking configuration as well. This means, your on-premises users can route to your web application using the private endpoint in the virtual network. This also provides additional security features. Private endpoint makes sure that only the allowed web application instance can be accessed by the private endpoint. It can not access any other service through it. Therefore, it protects you from any possible data exfiltration from your network.

Note that this feature is still in public preview as of 10/07/2020.

Service Endpoints for Web Apps

Service Endpoints for Web Apps provide secure connectivity to Azure Web apps over an optmized route over the Microsoft backbone. When compared with the Private Endpoints, Service Endpoints does not provide a private IP in your network. Instead, it will add special routes to your VNet, so that the Web App traffic will route via the Microsoft backbone to the web app. Therefore, it will not leave the Microsoft network when reaching the web app. You can also combine Service Endpoints and restrict public access to only allow traffic from the virtual networks selected.

Service Endpoint for Web Apps

The diagram above shows the high level architecture for the Service Endpoints for web apps. One of the key functional differences in service endpoint, when compared to private endpoints, is that this provides private access to the full service in the Azure Region whereas in Private link it is only to that instance.

Service endpoints are simple to configure and easier option when compared to the other two.

App Service Environments

Azure App Service environments provide a fully isolated and dedicated environment in a customer network to run web apps. This provisions a dedicated instance of the app hosting plan in your network as opposed to the multi-tenanted offerings in the other two option. This allows customers to fully control network traffic that goes in and out of the web app.

App Service Environments

The above high-level architecture diagram shows how the App service environment sits in the network. Providing internal access to the application is easy since it sits within the virtual network. If you have hybrid connectivity via an ExpressRoute or a Site-to-Site VPN, then it can route to the web application without any special configuration.

Summary

In this post, we looked at different architecture options for hosting a Web App which is exposed to the internal network only. See the below table, as a summary of features, functionalities and complexities discussed above.

Private Endpoints Service Endpoints App Service Environments
Provide Access to Web Apps over Private IP Address Provide Access to Web Apps over optimized backbone routing Web Apps are provisioned within the customer network
Access is restricted per Web App Instance Access is restricted per Web app Service Access restriction up to the customer as the service is in the customer network
Complexity: Planning and initial configuration required Complexity: Easy to setup Complexity: Planning and Initial configuration required
In-built data exfiltration protection Traffic will need to be passed through an NVA/Firewall for exfiltration protection N/A as the application is entirely in the customer network
Cost compared to the other two options: moderate Cost compared to the other two options: Can be low and depends on the application Cost compared to the other two options: Higher running cost
Multi-tenant Hosting plan Multi-tenant Hosting plan Dedicated hosting plan