Do I need a VNet?

My deployed application isn't very complicated and it doesn't require a dedicated Azure VM.

Fundamentally it's an Azure App Service (with deployment slots), and it requires an Azure SQL database, and it stores some stuff in Azure Blob Storage, and it needs an Azure Key Vault, and I want to add a couple of Azure Function Apps, but... none of those things are resident in a VNet.

I could create a VNet, and create endpoints in the VNet for all of those resources, but I'm not sure that does anything for me in terms of security or management.

Bottom line: Do I actually need a VNet for a system that doesn't run any Azure VMs? Is it any more secure than letting the App Service hit the other resources directly?

Solution 1:

You don't need a VNet to get your solution working. I have built solutions similar to yours both with and without a VNet.

Having a VNet does give you some security benefits.

With a VNet and Endpoints your App Service Site could then communicate to your Azure SQL database and storage over a private IP, keeping the traffic away from the public internet. Importantly it means you can then block all public access to your Azure SQL database and storage, or at least lock it down to just your public management IP.

Personally I have found using a VNet is more stable and secure. But it depends on the solution: how secure does it need to be, are there any GDPR or data protection risks?

I always go back to the question with cloud solutions. If I was building this as an on-premises solution, would I make my SQL and file servers publicly accessible if there was another way?

Thanks Phil
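As an added example (this is not code from the question or from Phil's answer), here is the layout Phil describes written as a single Bicep template: a VNet with one subnet delegated to App Service and one for private endpoints, Azure SQL with its public endpoint disabled outright, a storage account locked down to a single management IP (the "at least" option), private endpoints for both with the privatelink DNS zones that make them effective, and an App Service that routes all outbound traffic through the VNet. Everything named here is an assumption: the `contoso` prefix, the 10.10.0.0/16 address space, the management IP (a documentation-range address), the P1v3 plan (regional VNet integration needs a Standard or Premium tier), and the storage account name, which must be globally unique. Key Vault and the Function Apps are left out but follow the same private-endpoint pattern (Key Vault uses group id `vault`).

```bicep
// Added example, not part of the question or Phil's answer. All names, address
// ranges and the management IP are assumptions; change them before deploying.
param location string = resourceGroup().location
param baseName string = 'contoso'           // assumed resource name prefix
param managementIp string = '203.0.113.10'  // assumed admin IP (RFC 5737 documentation range)
@secure()
param sqlAdminPassword string

// VNet: one subnet delegated to App Service for outbound integration, one for private endpoints.
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-${baseName}'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      { name: 'snet-app', properties: { addressPrefix: '10.10.1.0/24', delegations: [ { name: 'web', properties: { serviceName: 'Microsoft.Web/serverFarms' } } ] } }
      { name: 'snet-pe', properties: { addressPrefix: '10.10.2.0/24', privateEndpointNetworkPolicies: 'Disabled' } }
    ]
  }
}

// Azure SQL: public endpoint switched off; the private endpoint below is the only path in.
// The default, publicNetworkAccess: 'Enabled', leaves the listener reachable from the internet
// with only the firewall rules in the way.
resource sql 'Microsoft.Sql/servers@2022-05-01-preview' = {
  name: 'sql-${baseName}'
  location: location
  properties: {
    administratorLogin: 'sqladmin'
    administratorLoginPassword: sqlAdminPassword
    publicNetworkAccess: 'Disabled'
    minimalTlsVersion: '1.2'
  }
}

// Storage: the "at least lock it down" variant. defaultAction defaults to 'Allow' (open to
// any internet address); 'Deny' plus one ipRule leaves only the management IP and the
// private endpoint as ways in.
resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: 'st${baseName}'
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    allowBlobPublicAccess: false
    minimumTlsVersion: 'TLS1_2'
    networkAcls: { defaultAction: 'Deny', bypass: 'AzureServices', ipRules: [ { value: managementIp, action: 'Allow' } ] }
  }
}

// Private endpoints plus their privatelink DNS zones. Without the zones the app still
// resolves the public hostname and silently bypasses the private endpoint.
var targets = [
  { name: 'sql', id: sql.id, group: 'sqlServer', zone: 'privatelink${environment().suffixes.sqlServerHostname}' }
  { name: 'blob', id: storage.id, group: 'blob', zone: 'privatelink.blob.${environment().suffixes.storage}' }
]

resource zones 'Microsoft.Network/privateDnsZones@2020-06-01' = [for t in targets: {
  name: t.zone
  location: 'global'
}]

resource zoneLinks 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = [for (t, i) in targets: {
  parent: zones[i]
  name: 'link-${t.name}'
  location: 'global'
  properties: { virtualNetwork: { id: vnet.id }, registrationEnabled: false }
}]

resource endpoints 'Microsoft.Network/privateEndpoints@2023-05-01' = [for t in targets: {
  name: 'pe-${t.name}-${baseName}'
  location: location
  properties: {
    subnet: { id: vnet.properties.subnets[1].id }
    privateLinkServiceConnections: [ { name: t.name, properties: { privateLinkServiceId: t.id, groupIds: [ t.group ] } } ]
  }
}]

resource zoneGroups 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = [for (t, i) in targets: {
  parent: endpoints[i]
  name: 'default'
  properties: { privateDnsZoneConfigs: [ { name: t.name, properties: { privateDnsZoneId: zones[i].id } } ] }
}]

// App Service: VNet-integrated, with all outbound traffic forced through the VNet so the
// SQL and blob connections above are answered by the private endpoints, not the public IPs.
resource plan 'Microsoft.Web/serverfarms@2022-09-01' = {
  name: 'plan-${baseName}'
  location: location
  sku: { name: 'P1v3' }
}

resource app 'Microsoft.Web/sites@2022-09-01' = {
  name: 'app-${baseName}'
  location: location
  properties: {
    serverFarmId: plan.id
    httpsOnly: true
    virtualNetworkSubnetId: vnet.properties.subnets[0].id
    siteConfig: { vnetRouteAllEnabled: true, minTlsVersion: '1.2' }
  }
}
```

Deploy it into an existing resource group with `az deployment group create --resource-group <rg> --template-file main.bicep --parameters sqlAdminPassword=<value>`. The check worth doing afterwards is a DNS lookup of the SQL and blob hostnames from inside the App Service (the Kudu console works): they should resolve to 10.10.2.x addresses. If they still resolve to public IPs, the private DNS zone is missing or not linked to the VNet, and the "private" path is not actually being used even though the endpoints exist.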