A front-end application that makes calls to one or more API applications behind it is known as a multi-tier web application. This type of architecture usually gets complicated when you want to secure the API applications by making them unavailable from the internet.
You can provide security for your API applications in several ways that make them accessible only from your front-end applications. This involves securing your API application's inbound traffic.
A network interface that uses Azure Private Link to connect you privately, in a highly secure way, to your web app is known as a private endpoint. It uses a private IP address from the virtual network, effectively bringing the web app into that network. This feature is applicable only for inbound flows to your web app.
Private endpoints help to protect against data exfiltration because the only thing you can access across the private endpoint is the app with which it's configured.
The architecture described in this article uses private endpoints to provide highly secure communications between app services in a multi-tier environment.
Architecture
Potential use cases
Here are some use cases for this architecture:
Applications that require private connections to a back-end API app.
Restricting app access from resources in a virtual network.
Exposing your app on a private IP in a virtual network.
Connecting from a web app to Azure Storage, Azure Event Grid, Azure Cognitive Search, Azure Cosmos DB, or any other service that supports a private endpoint for inbound connectivity.
Workflow
Here's the traffic flow and basic configuration of the architecture:
1. A front-end web app connects to Azure through the AppserviceSubnet subnet in an Azure virtual network by using Azure App Service regional VNet Integration.
2. A private endpoint for the API app is configured in Azure Private Link in the PrivateLinkSubnet subnet of the virtual network.
3. The front-end web app connects to the back-end API app private endpoint through the PrivateLinkSubnet subnet of the virtual network.
4. The API app isn't accessible from the public internet. It allows traffic only from PrivateLinkSubnet.
Components
Azure App Service enables you to build and host web apps and API apps in the programming language that you choose without needing to manage infrastructure.
Azure Virtual Network is the fundamental building block for creating your own network in Azure. It provides a highly secure environment for running Azure resources like virtual machines.
Azure Private Link provides private connectivity that you can use to access Azure PaaS services like Azure Storage and Azure SQL Database, or to access customer or partner services, from a virtual network.
Alternatives
One way to implement this solution is to deploy both the front-end app and the API app in the same internal load balancer App Service Environment (ILB ASE) and make the front-end app directly internet accessible via an application gateway.
Another method is to deploy the front-end app in the multitenant service and the API app in an ILB ASE. Or you can host both the front-end app and the API app in the multitenant service.
These are some alternative ways to provide security for your web apps:
App-assigned addresses
Azure service endpoints
Access restrictions
Benefits
These are some benefits of using a private endpoint for your web app:
It eliminates public exposure and makes the app more secure.
It enables you to create high-security connections from on-premises networks that connect to the virtual network by using a virtual private network (VPN) or Azure ExpressRoute private peering.
It helps prevent data exfiltration.
Considerations
When you use a private endpoint for a web app, remote debugging isn't available. You need to deploy code to a slot to debug it remotely.
FTP access isn't available when you use a private endpoint for a web app.
Private endpoints don't support IP-based SSL.
DNS configuration
When you use a private endpoint, the requested URL must match the name of your web app. By default, the app name is mywebappname.azurewebsites.net. When you deploy the private endpoint, you need to update the DNS entry to the canonical name mywebappname.privatelink.azurewebsites.net.
You need to set up a private DNS server or an Azure DNS private zone. Create the DNS zone privatelink.azurewebsites.net.
After this configuration, you'll be able to reach your web app privately by using the default name mywebappname.azurewebsites.net.
Availability
A system can't be highly available if it's not reliable.
Take private link availability into consideration when you evaluate the SLA of the entire architecture. Private Link provides a high availability SLA.
Scalability
Performance efficiency is the ability of your workload to scale to meet the demands placed on it in an efficient way. Be aware of performance efficiency patterns when you design and build your cloud application.
Pricing
The cost of your implementation is affected by:
The scalability of the solution—how well it supports changes in demand.
Whether the solution runs continuously or intermittently.
The service tiers that you use.