Deploy an application to Azure App Service Private Endpoint from the Azure DevOps pipeline.

Norbert Dębosz
Published in ITNEXT
Sep 26, 2022


Recently I had to deploy Azure App Service using Azure DevOps pipelines.
Sounds easy? That's what I thought.

There was one catch!

App Service has been set up to cut all public access — which means the application is accessible only from within the virtual network and by a private IP address.

Why?

Some companies still have a lot of data/components stored on-prem. Not all of these on-prem resources can be migrated to the cloud. There are multiple reasons, starting from costs, security, time, etc. That is why sometimes we need to work in a hybrid on-prem to cloud environment. In this case, the company network is usually closed to the public internet, and communication between on-prem and Azure is based on a VPN connection and virtual networks. That is why some resources will be deployed with access restricted to a private endpoint — they can’t be publicly available.

Knowing why we need to care about such a thing, let’s look at the solution.

In this case, what is the easiest and, at the same time, a good way to deploy to such an App Service?

Short answer:

  • Azure Virtual Network
  • Azure Virtual Machine Scale Set
  • Azure DevOps

Using the above three components, we will set up a deployment pipeline that deploys our .NET application to a private Azure App Service.

Theory:

In our case, the VMSS will host a self-hosted Azure DevOps agent. A pipeline triggered from Azure DevOps will then execute on the VMSS. The VMSS is in the private virtual network, hence it can resolve the private IP addresses within that virtual network.

Assumptions:

  • You already have a virtual network created
  • You already have your App Service and App Service Plan created

Practical part:

On the Azure Portal, let's create an Azure Virtual Machine Scale Set.
There are a lot of settings here, but for our demo purposes, let’s leave most of them as default.

We should focus on the “Networking tab” — here, from the list of the virtual networks, we need to choose the virtual network used by our App Service.

DONE — that was fast :)

Azure DevOps:

Here we need to navigate to Organization Settings -> Agent Pools:

On the top right, click “Add Pool,” and you should see something like this:

Options here are quite self-describing.

Some extra options (depending on how often you need to use your pipeline and how big a budget you have):

After clicking the “create” button, you should see your new pool on the list:

Now, in your pipelines, change the pool used to deploy the App Service to the newly created one.

Release pipelines:

Build Pipelines (Yaml pipelines)

That’s all!

When you run your pipeline, the agent hosted on the Azure virtual machine scale set executes it. As the VM has access to the virtual network, it will be able to do a proper push to the App Service.
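A pre-deployment check for the point above, added here as an example and not taken from the original article: it confirms that the agent resolves both the site and its scm (deployment) hostname to private addresses. It assumes the default `azurewebsites.net` hostnames and that the virtual network's subnets use RFC 1918 ranges; `demo-app` is a constructed placeholder name.

```python
import ipaddress
import socket
import sys

# RFC 1918 ranges: assumed here to be where the virtual network's subnets live.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def resolve(host):
    """Ask the agent's own DNS resolver for the addresses of host."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_vnet_address(addr):
    """True only for RFC 1918 addresses (loopback and public ranges are rejected)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def private_endpoint_report(app_name, resolver=resolve):
    """Resolve the site and its scm (deployment) host; both must be private."""
    report = {}
    for host in (f"{app_name}.azurewebsites.net", f"{app_name}.scm.azurewebsites.net"):
        try:
            addrs = list(resolver(host))
        except OSError:  # includes socket.gaierror: the name did not resolve
            addrs = []
        private = bool(addrs) and all(is_vnet_address(a) for a in addrs)
        report[host] = {"addresses": addrs, "private": private}
    return report


def agent_can_deploy_privately(app_name, resolver=resolve):
    """True when every hostname in the report resolved to private addresses only."""
    return all(r["private"] for r in private_endpoint_report(app_name, resolver).values())


if __name__ == "__main__":
    # "demo-app" is a constructed placeholder; pass the real app name as argv[1].
    name = sys.argv[1] if len(sys.argv) > 1 else "demo-app"
    for host, result in private_endpoint_report(name).items():
        print(host, result["addresses"], "private" if result["private"] else "NOT private")
    sys.exit(0 if agent_can_deploy_privately(name) else 1)
```

Run as a script step on the self-hosted pool before the deployment task, a non-zero exit stops the pipeline when the agent would be talking to a public address instead of the private endpoint.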


Solution Architect | Tech Lead | .Net Developer who searches for the perfect balance between business values and code quality.