The multi-region web app is a highly available solution for a web app with private connectivity to a SQL database. A single-region architecture already exists for a web app with private database connectivity. This solution extends that base architecture by making it highly available.
Let us first understand how to set up single-region private connectivity from an Azure Web App to Azure Platform-as-a-Service (PaaS) services, or between Azure PaaS services that aren’t natively deployed in isolated Azure Virtual Networks.
The web app can securely connect to a backend database over a fully private connection. The public internet can’t reach the database, which eliminates a common attack vector.
Potential Use Cases of Single-Region Architecture
- Connect from a Web App to Azure Storage, Azure Cosmos DB, Azure Cognitive Search, Azure Event Grid, or any other service that supports an Azure Private Endpoint for inbound connectivity.
- Connect from an Azure Functions App to any Azure service that supports an Azure Private Endpoint, as long as the Function App is deployed in a pricing plan that supports Virtual Network integration.
- Connect from a Web App or Functions App to another Web App, because App Service also supports Private Endpoints for inbound connectivity. For example, connect from a website to a REST API hosted in another Azure App Service instance.
Architecture for Web app private connectivity to Azure SQL database

Web App Connectivity with Single-Region
1. Using Azure App Service regional VNet Integration, the web app connects to Azure through an AppSvcSubnet delegated subnet in an Azure Virtual Network.
– In this example, the Virtual Network only routes traffic and is otherwise empty, but other subnets and workloads could also run in the Virtual Network.
– The App Service and Private Link subnets could be in separate peered Virtual Networks, for example as part of a hub-and-spoke network configuration. For regional VNet Integration, the peered Virtual Networks must be located in the same Azure region.
2. Azure Private Link sets up a private endpoint for the Azure SQL database in the PrivateLinkSubnet of the Virtual Network.
3. The web app connects to the SQL Database private endpoint through the PrivateLinkSubnet of the Virtual Network.
4. The database firewall allows only traffic coming from the PrivateLinkSubnet to connect, making the database inaccessible from the public internet.
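One way to check that steps 2 to 4 actually took effect is to look at how the database name resolves from inside the integrated Virtual Network. The following is an added example, not part of the original article: the server name, the subnet range 10.1.2.0/24, the addresses and the function names are assumptions made for illustration, and the sample lookups are constructed.

```python
import ipaddress
import socket

PRIVATELINK_ZONE = "privatelink.database.windows.net"

def resolve(fqdn):
    """Live lookup, to be run from inside the integrated VNet: (name chain, IPs)."""
    canonical, aliases, ips = socket.gethostbyname_ex(fqdn)
    return [fqdn, *aliases, canonical], ips

def audit_sql_resolution(names, addresses, private_link_subnet):
    """Return findings; an empty list means the name resolves into PrivateLinkSubnet."""
    findings = []
    subnet = ipaddress.ip_network(private_link_subnet)
    # With a private endpoint in place, the public name aliases into the privatelink zone.
    if not any(n.rstrip(".").lower().endswith("." + PRIVATELINK_ZONE) for n in names):
        findings.append("no privatelink alias: private endpoint missing")
    if not addresses:
        findings.append("name did not resolve")
    for addr in addresses:
        if ipaddress.ip_address(addr) not in subnet:
            findings.append(f"{addr} is outside {subnet}: private DNS zone not linked?")
    return findings

# Constructed sample lookups (server name, subnet range and addresses are made up).
SUBNET = "10.1.2.0/24"
PRIVATE = (["sqlsrv-demo.database.windows.net",
            "sqlsrv-demo.privatelink.database.windows.net"], ["10.1.2.4"])
UNLINKED_ZONE = (["sqlsrv-demo.database.windows.net",
                  "sqlsrv-demo.privatelink.database.windows.net",
                  "gateway.example.net"], ["203.0.113.10"])
NO_ENDPOINT = (["sqlsrv-demo.database.windows.net", "gateway.example.net"],
               ["203.0.113.10"])

if __name__ == "__main__":
    for label, (names, ips) in [("private", PRIVATE), ("unlinked zone", UNLINKED_ZONE),
                                ("no endpoint", NO_ENDPOINT)]:
        print(label, audit_sql_resolution(names, ips, SUBNET) or "OK")
```

Passing the output of `resolve()` for the real server name, run from the web app's network context, replaces the constructed samples with a live result.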
Next, consider the multi-region web app with private connectivity to the database.
To offer high availability, this solution:
- Deploys a secondary instance of the solution in another Azure region.
- Uses auto-failover groups for geo-replication and high availability of the database.
You can achieve high availability with a complete region failover. However, this solution uses a partial region failover. With this approach, only components with issues fail over:
- If the primary database fails over, the web app in the primary region connects to the newly activated secondary database while maintaining private connectivity.
- If the app goes down in the primary region, the instance in the secondary region takes over. That instance connects to the primary database, which is still active.
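Partial failover means an app in one region may have to reach the database in the other region. The following added example, which is not part of the original article, enumerates the failover states and flags any that would lack a private path. It assumes each path is provided by a private endpoint in the app region's Virtual Network that targets the SQL server in the database's region; the inventory format and function names are hypothetical and the inventories are constructed.

```python
from itertools import product

REGIONS = ("primary", "secondary")

def failover_states():
    """Yield each partial-failover state as (name, app_region, db_region)."""
    for app_ok, db_ok in product((True, False), repeat=2):
        app = REGIONS[0] if app_ok else REGIONS[1]  # secondary app instance takes over
        db = REGIONS[0] if db_ok else REGIONS[1]    # secondary database is activated
        name = f"app={'up' if app_ok else 'down'},db={'up' if db_ok else 'failed-over'}"
        yield name, app, db

def audit_private_paths(endpoints, public_access):
    """endpoints: set of (vnet_region, sql_server_region) private endpoints.
    public_access: region -> True if that SQL server accepts public traffic.
    Returns a list of findings; empty means every state keeps a private path."""
    findings = []
    for region in REGIONS:
        if public_access.get(region, True):  # unknown is treated as exposed
            findings.append(f"SQL server in {region} is reachable from the internet")
    for name, app, db in failover_states():
        if (app, db) not in endpoints:
            findings.append(f"{name}: app in {app} has no private endpoint "
                            f"to the SQL server in {db}")
    return findings

# Constructed inventories.
LOCKED_DOWN = {"primary": False, "secondary": False}
SAME_REGION_ONLY = {("primary", "primary"), ("secondary", "secondary")}
FULL_COVERAGE = set(product(REGIONS, repeat=2))

if __name__ == "__main__":
    for finding in audit_private_paths(SAME_REGION_ONLY, LOCKED_DOWN):
        print(finding)
```

A deployment with only same-region endpoints passes every test on day one and fails only after a failover, which is why the check walks all four states.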
Potential Use Cases of Multi-region web app with private connectivity to database
With private connectivity to a SQL database and high availability, this solution has applications in many areas. Examples include the financial, healthcare, and defense industries.
Architecture of Multi-region web app with private connectivity to database

Traffic flow for Multi-region
- Azure Traffic Manager routes requests from the internet to a web app.
- By using Azure App Service regional VNet Integration, the web app connects to a delegated subnet named AppSvcSubnet in Azure Virtual Network.
- Azure Private Link sets up a private endpoint for the Azure SQL Database in a virtual network subnet named PrivateLinkSubnet. The web app connects to this private endpoint.
- The database firewall only lets in traffic coming from the PrivateLinkSubnet private endpoint.
- The database is inaccessible from the public internet. Only components inside or connected to the virtual network can reach the database.
Components in Multi-region Approach
- App Service and its Web Apps feature provide a framework for building, deploying, and scaling web apps. The App Service platform offers built-in infrastructure maintenance, security patching, and scaling.
- App Service VNet Integration connects apps to Azure resources. If you use Virtual Network to set up a non-internet-routable network, the VNet Integration feature gives apps access to resources in that network. The regional variation of VNet Integration works with virtual networks in the same region as the app.
- An Azure DNS private zone contains records that you can’t resolve from the internet. DNS resolution only works from virtual networks that are linked to the private zone.
- Azure Private Endpoint is a network interface that connects privately and securely to a service that Private Link powers.
- Private Link provides a private endpoint in a virtual network. You can use the private endpoint to connect to Azure PaaS services like Azure Storage and SQL Database or to customer or partner services.
- SQL Database is a general-purpose relational database managed service that supports relational data, spatial data, JSON, and XML.
- Traffic Manager is a DNS-based traffic load balancer. This service distributes traffic to public-facing applications across global Azure regions. Traffic Manager also provides public endpoints with high availability and quick responsiveness.
- Virtual Network is the fundamental building block for private networks in Azure. Azure resources like virtual machines (VMs) can securely communicate with each other, the internet, and on-premises networks through Virtual Network.
This concludes our description of both cases. We covered single-region connectivity to the database and its architecture. We also covered multi-region web app private connectivity, which increases availability for the database, along with its architecture, traffic flow, and the components used for it.
We will discuss more about Microsoft Azure in our upcoming blogs. Stay tuned and do subscribe to our blog to keep getting all updates regarding our new blogs.