AZ-500 Microsoft Azure Security Technologies Exam

Designing and Implementing Private Connectivity

Virtual network integration lets Azure App Service and Azure Functions connect securely to resources in an Azure Virtual Network. There are two main patterns: regional VNet integration, which links apps to a subnet in the same region, and gateway-required integration, which uses a VPN gateway for cross-region connections. Regional VNet integration is easier to set up and offers lower latency, while gateway-required integration supports multi-region scenarios. Choosing the right method ensures secure private connectivity and meets both performance and compliance needs.

Private endpoints and service endpoints let your apps access Azure PaaS services over private IP addresses. A private endpoint creates a network interface in a delegated subnet that maps to a PaaS service, ensuring all traffic stays on the Microsoft backbone network. A service endpoint extends your VNet identity to Azure services, enforcing access from specific subnets. Use these endpoints to:

• Secure inbound flows to your App Service or Function App
• Restrict outbound access to Azure Storage, SQL Database, and other services
• Eliminate the need for public IP addresses and reduce attack surface

To manage outbound connections to the internet, deploy an Azure NAT Gateway on the integration subnet. A NAT gateway provides a static public IP and increases the number of available SNAT ports for your app’s outbound connections. Configure it by enabling Route All on your app’s VNet integration, creating the NAT gateway with a public IP, and associating it with the subnet. This setup ensures that all outbound calls use the NAT gateway’s IP and benefit from predictable scaling.

To control traffic within your network, use Network Security Groups (NSGs) and user-defined routes (UDRs) on your integration subnet. NSGs can filter traffic by IP address, port, and protocol, and UDRs let you forward traffic through firewalls or on-premises gateways. Use NSGs and UDRs to:

• Block unwanted outbound internet or on-premises traffic
• Route traffic through Azure Firewall, VPN Gateway, or other network appliances
• Ensure that reply traffic follows approved, secure paths
  This combination of controls helps enforce strict traffic policies and improves overall security.

After implementation, validate connectivity and security using built-in Azure tools. Use the Network troubleshooter in the Azure portal to check VNet integration status, DNS resolution, and routing. Test access to private resources with PowerShell’s Test-NetConnection or the tcpping utility from within your app’s environment. Continuous monitoring and logging help ensure that your private connectivity remains robust and that any issues are detected quickly.

Conclusion

In this section, you learned how to design and implement private connectivity for Azure App Service and Azure Functions. You explored regional and gateway-required VNet integration patterns and how to choose between them based on latency and region requirements. You saw how private endpoints, service endpoints, Azure NAT Gateway, NSGs, and UDRs work together to secure and control traffic. Finally, you reviewed tools for validating and monitoring your network setup. Together, these concepts ensure that your serverless apps communicate securely and reliably in a private network environment.