Merge pull request #313957 from msangapu-msft/patch-29

JamesJBarnett · web-flow · commit 857b37d25e11 · 2026-03-30T16:39:39.000-07:00
Revise terraform-secure-backend-frontend.md
diff --git a/articles/app-service/scripts/terraform-secure-backend-frontend.md b/articles/app-service/scripts/terraform-secure-backend-frontend.md
@@ -4,43 +4,45 @@ description: Learn how to use terraform provider for App Service to deploy two w
 author: ericgre
 ms.assetid: 3e5d1bbd-5581-40cc-8f65-bc74f1802156
 ms.topic: sample
-ms.date: 12/06/2022
+ms.date: 03/30/2026
 ms.author: ericg
 ms.service: azure-app-service
 ms.custom: devx-track-terraform
 ---
 
 # Create two web apps connected securely with Private Endpoint and VNet integration
 
-This article illustrates an example use of [Private Endpoint](../networking/private-endpoint.md) and regional [VNet integration](../overview-vnet-integration.md) to connect two web apps (frontend and backend) securely with the following terraform configuration:
-- Deploy a VNet
-- Create the first subnet for the integration
-- Create the second subnet for the private endpoint, you have to set a specific parameter to disable network policies
-- Deploy one App Service plan of type Basic, Standard, PremiumV2, PremiumV3, IsolatedV2, Functions Premium (sometimes referred to as the Elastic Premium plan), required for Private Endpoint feature
-- Create the frontend web app with specific app settings to consume the private DNS zone, [more details](../overview-vnet-integration.md#azure-dns-private-zones)
-- Connect the frontend web app to the integration subnet
-- Create the backend web app
-- Create the DNS private zone with the name of the private link zone for web app privatelink.azurewebsites.net
-- Link this zone to the VNet
-- Create the private endpoint for the backend web app in the endpoint subnet, and register DNS names (website and SCM) in the previously created DNS private zone
+This article illustrates an example use of [Private Endpoint](../networking/private-endpoint.md) and regional [VNet integration](../overview-vnet-integration.md) to connect two web apps (frontend and backend) securely with the following Terraform configuration:
+
+1. Deploy a VNet
+1. Create the first subnet for the integration
+1. Create the second subnet for the private endpoint, and disable subnet network policies for private endpoints (set `private_endpoint_network_policies_enabled = false`)
+1. Deploy one App Service plan of type Basic, Standard, PremiumV2, PremiumV3, IsolatedV2, Functions Premium (sometimes referred to as the Elastic Premium plan), required for the Private Endpoint feature
+1. Create the frontend web app with specific app settings to consume the private DNS zone. For more information, see [Azure DNS private zones](../overview-vnet-integration.md#azure-dns-private-zones).
+1. Connect the frontend web app to the integration subnet
+1. Create the backend web app
+1. Create the DNS private zone with the name of the private link zone for web apps (`privatelink.azurewebsites.net`)
+1. Link this zone to the VNet
+1. Create the private endpoint for the backend web app in the endpoint subnet, and register DNS names (site and SCM) in the previously created DNS private zone
 
 ## How to use terraform in Azure
 
 Browse to the [Azure documentation](/azure/developer/terraform/) to learn how to use terraform with Azure.
 
 ## The complete terraform file
 
-To use this file, replace the placeholders _\<unique-frontend-app-name>_ and _\<unique-backend-app-name>_ (app name is used to form a unique DNS name worldwide). 
+To use this file, replace the placeholders _\<unique-frontend-app-name>_ and _\<unique-backend-app-name>_ (app name is used to form a unique DNS name worldwide).
 
 ```hcl
 terraform {
   required_providers {
     azurerm = {
-      source = "hashicorp/azurerm"
-      version = "~>3.0"
+      source  = "hashicorp/azurerm"
+      version = "~> 3.0"
     }
   }
 }
+
 provider "azurerm" {
   features {}
 }
@@ -62,8 +64,10 @@ resource "azurerm_subnet" "integrationsubnet" {
   resource_group_name  = azurerm_resource_group.rg.name
   virtual_network_name = azurerm_virtual_network.vnet.name
   address_prefixes     = ["10.0.1.0/24"]
+
   delegation {
     name = "delegation"
+
     service_delegation {
       name = "Microsoft.Web/serverFarms"
     }
@@ -75,7 +79,8 @@ resource "azurerm_subnet" "endpointsubnet" {
   resource_group_name  = azurerm_resource_group.rg.name
   virtual_network_name = azurerm_virtual_network.vnet.name
   address_prefixes     = ["10.0.2.0/24"]
-  private_endpoint_network_policies_enabled = true
+
+  private_endpoint_network_policies_enabled = false
 }
 
 resource "azurerm_service_plan" "appserviceplan" {
@@ -90,25 +95,26 @@ resource "azurerm_windows_web_app" "frontwebapp" {
   name                = "<unique-frontend-app-name>"
   location            = azurerm_resource_group.rg.location
   resource_group_name = azurerm_resource_group.rg.name
-  service_plan_id = azurerm_service_plan.appserviceplan.id
+  service_plan_id     = azurerm_service_plan.appserviceplan.id
 
   site_config {}
+
   app_settings = {
-    "WEBSITE_DNS_SERVER": "168.63.129.16",
-    "WEBSITE_VNET_ROUTE_ALL": "1"
+    "WEBSITE_DNS_SERVER"     = "168.63.129.16"
+    "WEBSITE_VNET_ROUTE_ALL" = "1"
   }
 }
 
 resource "azurerm_app_service_virtual_network_swift_connection" "vnetintegrationconnection" {
-  app_service_id  = azurerm_windows_web_app.frontwebapp.id
-  subnet_id       = azurerm_subnet.integrationsubnet.id
+  app_service_id = azurerm_windows_web_app.frontwebapp.id
+  subnet_id      = azurerm_subnet.integrationsubnet.id
 }
 
 resource "azurerm_windows_web_app" "backwebapp" {
   name                = "<unique-backend-app-name>"
   location            = azurerm_resource_group.rg.location
   resource_group_name = azurerm_resource_group.rg.name
-  service_plan_id = azurerm_service_plan.appserviceplan.id
+  service_plan_id     = azurerm_service_plan.appserviceplan.id
 
   site_config {}
 }
@@ -119,10 +125,10 @@ resource "azurerm_private_dns_zone" "dnsprivatezone" {
 }
 
 resource "azurerm_private_dns_zone_virtual_network_link" "dnszonelink" {
-  name = "dnszonelink"
-  resource_group_name = azurerm_resource_group.rg.name
+  name                  = "dnszonelink"
+  resource_group_name   = azurerm_resource_group.rg.name
   private_dns_zone_name = azurerm_private_dns_zone.dnsprivatezone.name
-  virtual_network_id = azurerm_virtual_network.vnet.id
+  virtual_network_id    = azurerm_virtual_network.vnet.id
 }
 
 resource "azurerm_private_endpoint" "privateendpoint" {
@@ -132,20 +138,19 @@ resource "azurerm_private_endpoint" "privateendpoint" {
   subnet_id           = azurerm_subnet.endpointsubnet.id
 
   private_dns_zone_group {
-    name = "privatednszonegroup"
+    name                 = "privatednszonegroup"
     private_dns_zone_ids = [azurerm_private_dns_zone.dnsprivatezone.id]
   }
 
   private_service_connection {
-    name = "privateendpointconnection"
+    name                           = "privateendpointconnection"
     private_connection_resource_id = azurerm_windows_web_app.backwebapp.id
-    subresource_names = ["sites"]
-    is_manual_connection = false
+    subresource_names              = ["sites"]
+    is_manual_connection           = false
   }
 }
 ```
 
 ## Next steps
 
-
 > [Learn more about using Terraform in Azure](/azure/developer/terraform/)
