AI Application Private Connectivity with Azure App Service VNET Integration

Question

Pulumi · Accepted Answer

Integrating an AI application hosted on an Azure App Service with an Azure virtual network (VNet) can be beneficial for a number of reasons including enhanced security, private access to resources within the VNet, and better network performance. The process involves setting up a VNet, and integrating it with an Azure App Service so that the app can communicate securely with resources within the VNet.

To accomplish this using Pulumi, we'll take the following high-level steps:

1. Create a resource group where all our resources will reside.
2. Set up a virtual network (VNet) with a dedicated subnet where our App Service will be connected.
3. Create an App Service Plan which specifies the location and SKU for the App Service Environment.
4. Deploy an App Service in the created App Service Plan with VNet Integration enabled via the `WebAppVnetConnection` resource.

Here's a Pulumi program in Python that demonstrates how to automate the setup of this architecture:

```python
import pulumi
import pulumi_azure_native as azure_native

# Create a resource group
resource_group = azure_native.resources.ResourceGroup('resource_group')

# Create a virtual network with a subnet dedicated to the App Service
vnet = azure_native.network.VirtualNetwork(
    'vnet',
    resource_group_name=resource_group.name,
    address_space=azure_native.network.AddressSpaceArgs(
        address_prefixes=['10.0.0.0/16'],
    ),
    subnets=[azure_native.network.SubnetArgs(
        name='AppServiceSubnet',
        address_prefix='10.0.1.0/24',
    )],
)

# Create an App Service Plan
app_service_plan = azure_native.web.AppServicePlan(
    'app-service-plan',
    resource_group_name=resource_group.name,
    sku=azure_native.web.SkuDescriptionArgs(
        name='P1v2',
        tier='PremiumV2',
    ),
    is_xenon=True, # Required for VNet Integration
    hyper_v=True,
    location=resource_group.location,
)

# Create an App Service with the Virtual Network integration
app_service = azure_native.web.WebApp(
    'app-service',
    resource_group_name=resource_group.name,
    server_farm_id=app_service_plan.id,
    kind='app',  # Update the kind to support your specific use case (`app`, `api`, `function`, etc.)
)

# Integrate the App Service with the VNet
vnet_integration = azure_native.web.WebAppVnetConnection(
    'app-service-vnet-connection',
    name=app_service.name,
    resource_group_name=resource_group.name,
    vnet_resource_id=vnet.id,
    subnet=azure_native.web.SubnetInfoArgs(
        name='AppServiceSubnet',
        resource_id=vnet.id.apply(lambda id: f"{id}/subnets/AppServiceSubnet"),
    ),
)

# Export the App Service hostname
pulumi.export('app_service_hostname', app_service.default_host_name)
```

This Pulumi program will perform the following actions:

- Define a resource group named `resource_group` to manage all resources as a single logical group.
- Create a virtual network `vnet` with an address space of `10.0.0.0/16` and a subnet `AppServiceSubnet` with an address prefix of `10.0.1.0/24` reserved for the Azure App Service.
- Create an App Service Plan `app-service-plan` using the `P1v2` SKU in the PremiumV2 tier, which supports VNet Integration.
- Deploy an App Service `app-service` associated with the App Service Plan which will host the AI application.
- Configure `vnet_integration`, a `WebAppVnetConnection` to enable the App Service to integrate with the `AppServiceSubnet` within the `vnet` ensuring private connectivity.

To deploy this infrastructure, you would need to install Pulumi and set up the Azure provider. Once the program is ready, run `pulumi up` from the command line to create the resources. The `pulumi.export` statement will output the App Service's hostname once the deployment is complete. You can then use this hostname to access your AI application hosted on Azure.