Merge pull request #312666 from MicrosoftDocs/main

Auto Publish – main to live - 2026-03-05 18:00 UTC

Author: learn-build-service-prod[bot]

articles/app-service/configure-vnet-integration-enable.md

@@ -1,107 +1,201 @@
 ---
-title: Enable integration with an Azure virtual network
-description: This how-to article walks you through enabling virtual network integration on an Azure App Service web app.
+title: Enable Integration with Azure Virtual Network
+description: Enable virtual network integration on an Azure App Service web app in the Azure portal, or use the Azure CLI or Azure PowerShell.
 keywords: vnet integration
 author: seligj95
 ms.author: jordanselig
 ms.topic: how-to
-ms.date: 01/30/2025
+ms.date: 03/05/2026
 ms.tool: azure-cli, azure-powershell
-#customer intent: As a deployment engineer, I want to integrate web apps in Azure App Service with our Azure virtual networks.
 ms.service: azure-app-service
 ms.custom:
   - devx-track-azurepowershell
   - devx-track-azurecli
   - sfi-image-nochange
+#customer intent: As a deployment engineer, I want to enable Azure Virtual Network integration for my Azure App Service apps, so I can access private resources from my apps within my Azure virtual network.
 ---
 
 # Enable virtual network integration in Azure App Service
 
-Through integrating with an Azure virtual network from your [Azure App Service app](./overview.md), you can reach private resources from your app within the virtual network.
+This article describes how to integrate Azure Virtual Network with [Azure App Service](overview.md). The integration enables you to reach private resources from your App Service app within your Azure virtual network. Procedures are provided for the Azure portal, the Azure CLI, and Azure PowerShell.
 
 ## Prerequisites
 
-The virtual network integration feature requires:
+- An existing app created in a [dedicated Azure App Service compute pricing tier](overview-vnet-integration.md) that supports virtual network integration.
 
-- An App Service pricing tier [that supports virtual network integration](./overview-vnet-integration.md).
-- A virtual network in the same region with an empty subnet.
+   - If you plan to allow inbound access via private endpoints on a subnet, public access must be disabled for the app. 
 
-The subnet must be delegated to Microsoft.Web/serverFarms. If you don't delegate before integration, the provisioning process configures this delegation. The subnet must be allocated an IPv4 `/28` block (16 addresses). We recommend that you have a minimum of 64 addresses (IPv4 `/26` block) to allow for maximum horizontal scale.
+- The Azure virtual network and subnet that you specify for the integration must be in the same region.
 
-If the virtual network is in a different subscription than the app, ensure that the subscription with the virtual network is registered for the `Microsoft.Web` resource provider. The provider is registered when you create the first web app in a subscription. To explicitly register the provider, see [Register resource provider](../azure-resource-manager/management/resource-providers-and-types.md#register-resource-provider).
+   - The subnet must be allocated an IPv4 `/28` block (16 addresses). The recommended minimum size is 64 addresses (IPv4 `/26` block), which accommodates future growth and scaling needs.
 
-## Configure in the Azure portal
+   - The subnet must be empty, which means no network interface cards (NICs), virtual machines, private endpoints, and so on.
 
-1. Go to your app in the Azure portal. Select **Settings** > **Networking**. Under **Outbound traffic configuration**, next to **Virtual network integration**, select the **Not configured** link.
+   - The subnet must be delegated to `Microsoft.Web/serverFarms`. If you don't delegate before integration, the provisioning process configures this delegation.
+
+- If the specified virtual network is in different subscription than your app, confirm the virtual network subscription is registered with the `Microsoft.Web` resource provider.
+
+   The resource provider is registered when you create the first web app in a subscription. To explicitly register the provider, see [Azure resource providers and types > Register resource provider](/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider).
+
+## Configure virtual network integration
+
+Choose your preferred configuration method for completing the virtual network integration.
+
+# [Azure portal](#tab/portal)
+
+Configure virtual network integration for an app in the Azure portal:
+
+1. Sign into the [Azure portal](https://portal.azure.com) and go to the **Overview** page for your App Service app.
+
+1. In the left menu, select **Settings** > **Networking**. The **Networking** page opens.
+
+1. Scroll to the **Outbound traffic configuration** section, locate the **Virtual network integration** option, and select the **Not configured** link.
+
+   :::image type="content" source="./media/configure-vnet-integration-enable/integration-not-configured.png" border="false" alt-text="Screenshot that shows how to select the 'not configured' link for virtual network integration in the Azure portal.":::
+
+   The **Virtual Network Integration** page opens.
 
 1. Select **Add virtual network integration**.
 
-   :::image type="content" source="./media/configure-vnet-integration-enable/vnetint-app.png" alt-text="Screenshot that shows selecting Virtual network integration.":::
+   :::image type="content" source="./media/configure-vnet-integration-enable/add-virtual-network-integration.png" alt-text="Screenshot that shows how to select the 'add virtual network integration' action in the Azure portal.":::
+
+   The **Add virtual network integration** page opens.
+
+1. Select the **App Service Plan** connection to use for the integration.
+
+   - If your subscription has an existing plan that satisfies the integration configuration requirements, the portal displays the available `<virtual-network>/<subnet>` connection targets.
+   
+      - To use an existing connection, select the `<virtual-network>/<subnet>` target, and then select **Connect**.
+      
+      The procedure is complete.
+
+   - To create a new plan for the integration, select **New connection**.
+
+      The page refreshes to show the **Subscription**, **Virtual Network**, and **Subnet** options.
+
+      Configure the options to create a new connection:
+
+      1. Select a **Subscription** and a **Virtual Network** by using the dropdown lists.
+
+      1. Select a **Subnet** from the dropdown list, and then select **Connect**.
+      
+         The dropdown list shows all the virtual networks (and subnets) in the selected subscription and in the same region. The list identifies subnets available for integration, and indicates whether they're currently in use.
+
+      :::image type="content" source="./media/configure-vnet-integration-enable/add-subnet-connection.png" alt-text="Screenshot that shows how to select the subscription, virtual network, and subnet to create a new connection in the Azure portal.":::
+
+During the integration, your app restarts. When integration completes, the **Virtual Network Integration** page refreshes to show the details about the connection between the virtual network and your app.
 
-1. Select a subscription and virtual network.
+:::image type="content" source="./media/configure-vnet-integration-enable/virtual-network-connection.png" alt-text="Screenshot of the virtual network integration to an app in the Azure portal.":::
 
-1. Under **Subnet**, the dropdown list contains all the virtual networks in your subscription in the same region. Select an empty preexisting subnet or create a new subnet. Select **Connect**.
 
-   :::image type="content" source="./media/configure-vnet-integration-enable/vnetint-add-vnet.png" alt-text="Screenshot that shows selecting the virtual network.":::
+# [Azure CLI](#tab/azure-cli)
 
-During the integration, your app is restarted. When integration finishes, you see details on the virtual network that you integrated with.
+Configure virtual network integration for an app by using the Azure CLI. The following commands assume the app and virtual network are in the same subscription.
 
-## Configure with the Azure CLI
+1. Run the following command to configure virtual network integration.
 
-You can also configure virtual network integration by using the Azure CLI:
+   Replace the `<app-name>`, `<app-resource-group>`, `<virtual-network>`, and `<subnet>` values with your resource information.
+
+   ```azurecli-interactive
+   az webapp vnet-integration add \
+     --resource-group "<app-resource-group>" \
+     --name "<app-name>" \
+     --vnet "<virtual-network>" \
+     --subnet "<subnet>"
+   ```
+
+1. After the integration is complete, you can update the app configuration to route all outbound traffic through the virtual network integration:
+
+   Replace the `<app-resource-group>` and `<app-name>` values with your resource information.
+
+   ```azurecli-interactive
+   az resource update \
+     --resource-group "<app-resource-group>" \
+     --name "<app-name>" \
+     --resource-type "Microsoft.Web/sites" \
+     --set properties.outboundVnetRouting.allTraffic=true
+   ```
+
+Review the following considerations:
+
+- If the virtual network is in a different subscription than the app, you can use the global `--subscription "<subscription-ID>"` parameter to set the current subscription context. Set the current subscription context to the subscription where the virtual network is deployed.
+
+- The command checks if the subnet is delegated to `Microsoft.Web/serverFarms`. If the subnet doesn't have this configuration, the command applies the necessary delegation.
+
+- If the subnet is configured but you don't have permissions to check it, or if the virtual network is in a different subscription from your app, you can use the `--skip-delegation-check` parameter to bypass the validation.
+
+For more information, see the [az webapp vnet-integration add](/cli/azure/webapp/vnet-integration#az-webapp-vnet-integration-add) reference.
 
-```azurecli-interactive
-az webapp vnet-integration add --resource-group <group-name> --name <app-name> --vnet <vnet-name> --subnet <subnet-name>
-```
 
-> [!NOTE]
-> The command checks if the subnet is delegated to Microsoft.Web/serverFarms. If it isn't configured, the command applies the necessary delegation. If the subnet was configured and you don't have permissions to check it, or if the virtual network is in another subscription, you can use the `--skip-delegation-check` parameter to bypass the validation.
+# [Azure PowerShell](#tab/azure-powershell)
 
-## Configure with Azure PowerShell
+Configure virtual network integration for an app by using Azure PowerShell. 
 
-1. Prepare parameters.
+1. Prepare parameters for the procedure commands.
+
+   Replace the `<subscription-GUID>`, `<app-name>`, `<app-resource-group>`, `<network-resource-group>`, `<virtual-network>`, and `<subnet>` values with your resource information.
 
    ```azurepowershell
+   # Set parameters for the procedure
    $siteName = '<app-name>'
-   $vNetResourceGroupName = '<group-name>'
-   $webAppResourceGroupName = '<group-name>'
-   $vNetName = '<vnet-name>'
-   $integrationSubnetName = '<subnet-name>'
-   $vNetSubscriptionId = '<subscription-guid>'
+   $vNetResourceGroupName = '<network-resource-group>'
+   $webAppResourceGroupName = '<app-resource-group>'
+   $vNetName = '<virtual-network>'
+   $integrationSubnetName = '<subnet>'
+   $vNetSubscriptionId = '<subscription-GUID>'
    ```
 
    > [!NOTE]
-   > If the virtual network is in another subscription than webapp, you can use the `Set-AzContext -Subscription "xxxx-xxxx-xxxx-xxxx"` command to set the current subscription context. Set the current subscription context to the subscription where the virtual network was deployed.
+   > If the virtual network is in a different subscription than the web app, you can use the `Set-AzContext -Subscription "<subscription-ID>"` command to set the current subscription context. Set the current subscription context to the subscription where the **virtual network** is deployed.
 
-1. Check if the subnet is delegated to Microsoft.Web/serverFarms.
+1. Check if the subnet is delegated to `Microsoft.Web/serverFarms`:
 
    ```azurepowershell
+   # Set the virtual network for the subnet to check
    $vnet = Get-AzVirtualNetwork -Name $vNetName -ResourceGroupName $vNetResourceGroupName
+
+   # Get the subnet
    $subnet = Get-AzVirtualNetworkSubnetConfig -Name $integrationSubnetName -VirtualNetwork $vnet
+
+   # Check the delegation
    Get-AzDelegation -Subnet $subnet
    ```
 
-1. If your subnet isn't delegated to Microsoft.Web/serverFarms, add delegation using these commands.
+1. If your subnet isn't delegated to `Microsoft.Web/serverFarms`, add the delegation:
 
    ```azurepowershell
+   # Get the subnet
    $subnet = Add-AzDelegation -Name "myDelegation" -ServiceName "Microsoft.Web/serverFarms" -Subnet $subnet
+
+   # Set the delegation
    Set-AzVirtualNetwork -VirtualNetwork $vnet
    ```
 
-1. Configure virtual network integration.
+1. Configure virtual network integration, and route all traffic through the connection:
 
    ```azurepowershell
+   # Set the subnet resource ID
    $subnetResourceId = "/subscriptions/$vNetSubscriptionId/resourceGroups/$vNetResourceGroupName/providers/Microsoft.Network/virtualNetworks/$vNetName/subnets/$integrationSubnetName"
-   $webApp = Get-AzResource -ResourceType Microsoft.Web/sites -ResourceGroupName $webAppResourceGroupName -ResourceName $siteName
-   $webApp.Properties.virtualNetworkSubnetId = $subnetResourceId
-   $webApp.Properties.vnetRouteAllEnabled = 'true'
+
+   # Get the web app configuration
+   $webApp = Get-AzResource -ResourceType "Microsoft.Web/sites" -ResourceGroupName $webAppResourceGroupName -ResourceName $siteName
+
+   # Set the subnet ID
+   $webApp.Properties | Add-Member -NotePropertyName "virtualNetworkSubnetId" -NotePropertyValue $subnetResourceId -Force
+
+   # Set routing to all traffic
+   $webApp.Properties | Add-Member -NotePropertyName "vnetRouteAllEnabled" -NotePropertyValue $true -Force
+
+   # Complete the integration
    $webApp | Set-AzResource -Force
    ```
 
    > [!NOTE]
-   > If the webapp is in another subscription than virtual network, you can use the `Set-AzContext -Subscription "xxxx-xxxx-xxxx-xxxx"` command to set the current subscription context. Set the current subscription context to the subscription where the web app was deployed.
+   > If the virtual network is in a different subscription than the web app, you can use the `Set-AzContext -Subscription "<subscription-ID>"` command to set the current subscription context. Set the current subscription context to the subscription where the **web app** is deployed.
+
+---
 
 ## Related content
 
-- [Configure virtual network integration routing](./configure-vnet-integration-routing.md)
-- [General networking overview](./networking-features.md)
+- [Manage Azure App Service virtual network integration routing](configure-vnet-integration-routing.md)
+- [Overview of App Service networking features](networking-features.md)

articles/app-service/media/configure-vnet-integration-enable/add-subnet-connection.png

@@ -5,7 +5,7 @@ services: azure-netapp-files
 author: b-ahibbard
 ms.service: azure-netapp-files
 ms.topic: how-to
-ms.date: 02/24/2026
+ms.date: 03/05/2026
 ms.author: anfdocs
 ms.custom: references_regions
 ---
@@ -28,7 +28,8 @@ Advanced ransomware protection's alert mechanisms enable you to stay vigilant in
 * Attack reports are retained for 30 days.  
 * Ransomware threat notifications are sent in the Azure Activity log.  
 * It’s recommended that you enable no more than five volumes per Azure region with advanced ransomware protection to mitigate performance issues. 
-* It's recommended you increase QoS capacity by 5 to 10 percent due to potential performance impacts of advanced ransomware protection. The scale of the impact can vary based on the configurations across your Azure NetApp Files deployment.  
+* It's recommended you increase QoS capacity by 5 to 10 percent due to potential performance impacts of advanced ransomware protection. The scale of the impact can vary based on the configurations across your Azure NetApp Files deployment.
+* If your volumes have workloads with a high level of encryption and deletion, it may increase the possibility of false positives. It is recommended not to enable advanced ransomware protection on these volumes.
 
 ## Supported regions 
 
@@ -127,7 +128,7 @@ You can also use [Azure CLI commands](/cli/azure/feature) `az feature register`
 
     :::image type="content" source="./media/ransomware-configure/ransomware-threats.png" alt-text="Screenshot of ransomware threats." lightbox="./media/ransomware-configure/ransomware-threats.png":::
 
-1. If you know the files are **not** an active threat, mark the files as a **False positive**. 
+1. If you know the files are **not** an active threat, mark the active threat as a **False positive**. 
 
     If you believe the files are a threat, select **Threat**. You can then [revert the volume](snapshots-revert-volume.md) based on the last snapshot captured before the threat.
 1. Once you've resolved the threat, you can view archived ransomware reports on the same page. Reports are archived for 30 days.