Azure VPN Client P2S access to Azure Web Apps

Is it possible to use an Azure VPN Client P2S to restrict access to a public Azure Web App?

Usually the Azure VPN Client P2S is used for private VNET access, and that all works fine, but Azure Web Apps all have public IPs and Azure VPN Client P2S drops non-VNET traffic. Maybe one day Microsoft will add full tunnel support to P2S VPN, but for now it looks like we need to give the Web Apps a private IP.

I’ve tried assigning the Azure Web App a new Private Endpoint. That works great for the VPN, but it cuts off the public access completely, and public access is still needed for some IP-restricted public access.

I’ve also tried assigning a VNET to the Web App. I can ping the web app's private IP over the VPN and can access it via the public IP, but can’t access the site over the private IP (ports 80/443 not responding).

Azure VPN Client P2S access to Azure Web Apps: Is this impossible?

Use an App Gateway for public access, combined with the Private Endpoint configuration that works. Alternatively, you can route VPN to a firewall that SNATs out to an internet path.

What is the solution?

Hi, I figured out the app gateway method a few hours ago and it works perfectly fine. Was about to post the same. Thanks for posting, Ethril. Will note the Firewall SNAT method too. It also works with a private App Service Environment.