Healthcare providers are preparing for the reality of the post-reform environment that will require hospitals and physicians to be more accountable for the delivery of higher quality and more efficient care delivered at a lower cost. As hospitals and physicians navigate through the challenges of planning for this future, they also have to remain focused on current operations that are threatened by thinning margins due to an increased cost structure and reimbursement declines in the current fee-for-service environment.
To effectively position for the future realities of healthcare while maintaining focus on current operations, many hospitals and physicians are turning to clinical integration as a viable option to (1) increase quality, (2) reduce cost and waste in the current system to maintain margins, (3) sustain independence for physicians not ready for hospital employment and (4) position providers to take on higher levels of accountability to effectively manage utilization and the health of populations in the future.
CI is commonly defined as a health network working together, using proven protocols and measures, to improve patient care, decrease cost and demonstrate value to the market. Once the CI network can demonstrate a value proposition, payors and large employers are approached to support the network and other incentives that are based on achieving defined results. In most cases, CI networks and the initial conversations with payors are initiated by health systems. However, to be successful, CI networks must become physician-led, professionally managed organizations.
Organizations should keep the Federal Trade Commission's clinical integration definition and requirements in mind during CI program development and implementation. In 1996, the Department of Justice and the FTC defined CI as an active and ongoing program to evaluate and modify practice patterns by the CI network's physician participants and create a high degree of interdependence and cooperation among the physicians to control costs and ensure quality. Generally, the FTC considers a program to be clinically integrated if it performs the following:
- Establishes mechanisms to monitor and control utilization of healthcare services that are designed to control costs and ensure quality of care.
- Selectively chooses CI network physicians who are likely to further these efficiency objectives.
- Utilizes investment of significant capital, both monetary and human, in the necessary infrastructure and capability to realize the claimed efficiencies.
7 Components
To effectively implement CI, the network should understand the relevance and the possible options for each of the seven components discussed below.
1. Legal options. To legally implement CI, the health system and physicians are required to organize in a structure that supports program objectives. With the exception of an employment-only model, a CI network can primarily be created within a (an):
- Physician-hospital organization — A joint venture between a health system and its medical staffs.
- Independent practice association — Owned and operated by only physician partners.
- Subsidiary of the health system — The health system is the sole corporate member of the subsidiary entity and member physicians sign separate legal agreements to participate.
Traditionally these structures have been used to negotiate and handle managed care contracts (HMO, fee-for-service, etc.) for a defined network of providers, and they are now being utilized as the vehicle to implement CI networks by achieving the following objectives:
- Establishing a network of providers that enables enhanced coordination of care.
- Creating a new partnership model with employed and independent physicians that includes defined roles for physician leadership.
- Defining performance improvement initiatives to provide demonstrated value to the market.
- Providing a platform for joint contracting to support care redesign and performance improvement initiatives.
- Negotiating with potential partners for risk-based contracts.
Each legal option is capable of achieving these CI objectives and they differ in ownership structure and capitalization requirements. Some hospitals and physicians already have a PHO or IPA in place and are using those entities as the foundation for their CI programs. For example, a four-hospital system in the Midwest chose to utilize a PHO as their vehicle for CI because the business entity was already created. Although the infrastructure was not entirely created to support a fully-functioning CI network, the PHO created an opportunity for ownership, access to resources, strong public perception and the analytics staff to support quality programs. However, to limit physician costs while still allowing physicians to have a significant leadership role in the network; a four-hospital system in the southeast created a subsidiary of the health system to launch its program.
2. Physician leadership. Integration in the post-reform era requires a high degree of physician-hospital alignment that is based on trust and transparency. Health systems willing to pursue CI must empower physician leaders to have an influence on the future direction of the CI network. This will help to integrate the physician's clinical expertise into hospital operations and also increase cooperation and credibility of the CI network. Furthermore, dedicated physicians and administrative leadership will be required to successfully implement a major change project of this magnitude.
A vital step to physician engagement and leadership is a robust communication strategy across the network and its partners. Clear goals and objectives by both employed and independent physicians will encourage dialogue and partnership formation as the strategy is implemented.
Once the CI network is created, a governance structure should be developed. Physician leaders should participate on the CI board and provide leadership to committees formed to achieve program objectives. Other participating physicians may lead and/or participate on sub-committees supported by the CI network or health system. CI committees may merge with existing committees in place within the health system (i.e., executive committee, quality committee and contracting committee).
3. Participation criteria. Member physicians or groups in the CI network must sign a participation agreement. This agreement outlines the expectations and requirements for participation in the CI program. In the initial stages of the network, it is very critical that member physicians adhere to program guidelines to help ensure that stated objectives are met and the network's value proposition is able to be demonstrated to the market.
Recognizing this, one large CI network in the Southeast included information technology adoption in the participation criteria to ensure that the network was able to demonstrate the value of enhanced coordination between providers following evidence-based guidelines. To ingrain IT utilization into the culture, not only did the CI network initially include IT adoption and utilization in the participation criteria, but the network also designated a portion of the performance incentive dollars to this area to increase compliance.
As the network matures and the participation criteria is solidified into the culture, incentive payments are not typically awarded for compliance. However, to keep physicians focused on program requirements, physician eligibility in the incentive program may be tied to meeting the participation criteria.
Sample participation criteria include:
- Maintaining the appropriate IT infrastructure.
- Logging into the CI Network website to view network and individual performance.
- Compliance with clinical protocols and care pathways developed by the network.
- Participation in all network contracts.
4. Performance improvement. Clinical quality and operational improvement projects are necessary components of a CI program. CI provides a vehicle that engages physicians in determining how quality is defined and measured. CI also allows physicians to take an active role in care redesign and protocol development to increase quality, more effectively manage costs, reduce variation and eliminate unnecessary waste within the delivery system. The performance initiatives span across specialties and sites of care.
To achieve performance improvement, the CI network works to define baseline performance and identify areas where the network can demonstrate quality and operational efficiencies to the market. It is critical that physicians play an active role in selecting metrics for the performance improvement initiatives. CI networks should select performance improvement initiatives based on the (1) feasibility of capturing sufficient data to monitor performance, (2) improvement opportunity, (3) payor, employer and/or hospital interest in the program and (4) the ability of participating physicians to impact the targeted metrics.
Performance improvement initiatives can be complex and difficult to monitor effectively based on the sophistication of the network's IT system and the capacity of the network to manage multiple initiatives effectively. Recognizing this, one large multi-hospital system in the Midwest implemented their initiatives in a phased approach over time and ensured that all metrics were consistent across contracts. Individual metrics were then reevaluated and updated on an annual basis to help ensure that the initiatives continued to demonstrate the value of the network. Performance improvement initiatives are typically developed in the following categories:
- Variance and cost reduction — Improving operational efficiencies
- Clinical efficiency — Reducing avoidable, unproductive and duplicative services
- Care redesign — Ensuring treatment in the most optimal setting and by the right provider
- System optimization — Shifting focus to preventive care and population health
- Patient experience — Objective and meaningful comparisons between providers of care
5. Information technology. If you do not measure it, you cannot improve it. IT is the backbone of the CI network's value proposition and is critical to improving coordination and connectivity between providers of care. Early adopters of CI would manually input data and transfer information by Excel template report cards. Today the industry is inundated with tools to assist with monitoring and reporting the care provided to a patient. Since providers will be affected most by a change in technology, they must be heavily involved in choosing the correct vendor. The two types of data sharing sources used most by hospitals are electronic health records and patient registries. However, health information exchanges are becoming more popular and could eventually become robust enough to support clinically integrated initiatives.
An EHR is a medical record for a patient in a physician office, hospital, ancillary care facility or ambulatory care facility. The EHR is intended to replace paper-based patient records for recording encounter-based information on each patient who receives care from the provider entity and includes electronic: data entry, order entry, prescribing and transcription.
A patient registry is a repository that holds clinical information specific to a disease, disease process, implant, drug, etc. A cancer registry is an example of a disease-specific database. The registry is intended to track (1) patients and their compliance with specific chronic disease (or wellness) based guidelines across populations, (2) physician compliance with those guidelines and (3) outcomes for specific interventions. A data registry differentiates itself by interfaces with multiple data sources to provide sufficient data at the point of care provided to a patient, which is why many CI networks are utilizing data registries as opposed to the electronic medical records approach.
6. Contracting options. The purpose of CI is to provide higher quality care. Creating a CI network for the sole purpose of negotiating better rates is not the purpose of CI. However, CI networks are rewarded for demonstrated value, which is defined as the highest quality care at the lowest cost.
The CI network can contract with payors, employers or health systems. These contracts can range from a specific procedure to a population of patients. Many hospital systems have reported that payors are not requiring that CI contracts include downside risk for the network. A six-hospital system in the Southeast reported that a major payor has approached them with a contracting model that would reward their network for demonstrated performance in the following ways:
- Premium base rates — Increased fee-for-service rates based on expected performance
- Performance incentives — Incentive payments made for performance improvement initiatives
- Shared savings — Savings shared based on a reduction in the cost of care
Some hospitals have also contracted with their own CI network to realize cost saving opportunities and to more effectively manage cost within their own health plan. A hospital system in the Southwest has implemented this strategy. The savings that are generated by the network are shared to fund the CI program and to make distributions to member physicians.
7. Flow of funds. Calculation and distribution of CI incentives to physicians and to the health system occur after performance is achieved. A distribution of funds will typically be realized through cost savings, quality and efficiency programs negotiated by the CI network and its partners. Funds are distributed based on meeting performance objectives and performance can be defined in a variety of ways. For example, some CI networks reward simply for global network compliance of the CI agreement while other CI networks reward based on site (multiple hospital systems), specialty and individual performance.
Regardless of how the funds flow to the members of the CI network, the methodology should be transparent and easy to understand. Key considerations for CI network distribution methodologies include:
- Distribute rewards based on measurable performance.
- Reduce complexity of distribution methodology.
- Increase transparency across the network.
Conclusion
Health systems and physicians are implementing CI networks across the nation to respond to changing healthcare dynamics that are holding providers more accountable for quality and outcomes. Each CI network needs to create a disciplined approach to assessing and developing the key components of their network to create a sufficient value proposition for the health system, physicians, payers and employers. As CI becomes a strategic imperative in most markets, organizations should keep the following critical success factors in mind to accelerate the implementation of a successful and sustainable CI network:
- Align your health system objectives with the CI vision and strategy to avoid conflicting messages in your market.
- Involve physician leaders in the CI development process to gain physician buy-in for program objectives.
- Express a willingness to create a new partnership model with employed and independent physicians that includes defined roles for physician leadership.
- Maintain systems that can track and monitor clinical data across the continuum of ambulatory, acute and post-acute services.
- Utilize a scaled approach to develop a comprehensive list of metrics that provide value to multiple stakeholders and positions the CI network for greater levels of accountability.
- Create an effective communication strategy across all stakeholders to increase understanding of the key issues of CI.
- Commit to approach payers in the market as a combined network.
Michael Strilesky is a manager with Dixon Hughes Goodman, where he develops strategic and operational solutions for healthcare clients. Mr. Strilesky can be reached at michael.strilesky@dhgllp.com.
This article describes the Azure App Service VNet Integration feature and how to set it up with apps in Azure App Service. With Azure Virtual Network (VNets), you can place many of your Azure resources in a non-internet-routable network. The VNet Integration feature enables your apps to access resources in or through a VNet. VNet Integration doesn't enable your apps to be accessed privately.
Azure App Service has two variations on the VNet Integration feature:
- The multitenant systems that support the full range of pricing plans except Isolated.
- The App Service Environment, which deploys into your VNet and supports Isolated pricing plan apps.
The VNet Integration feature is used in multitenant apps. If your app is in App Service Environment, then it's already in a VNet and doesn't require use of the VNet Integration feature to reach resources in the same VNet. For more information on all of the networking features, see App Service networking features.
VNet Integration gives your app access to resources in your VNet, but it doesn't grant inbound private access to your app from the VNet. Private site access refers to making an app accessible only from a private network, such as from within an Azure virtual network. VNet Integration is used only to make outbound calls from your app into your VNet. The VNet Integration feature behaves differently when it's used with VNet in the same region and with VNet in other regions. The VNet Integration feature has two variations:
- Regional VNet Integration: When you connect to Azure Resource Manager virtual networks in the same region, you must have a dedicated subnet in the VNet you're integrating with.
- Gateway-required VNet Integration: When you connect to VNet in other regions or to a classic virtual network in the same region, you need an Azure Virtual Network gateway provisioned in the target VNet.
The VNet Integration features:
- Require a Standard, Premium, PremiumV2, PremiumV3, or Elastic Premium pricing plan.
- Support TCP and UDP.
- Work with Azure App Service apps and function apps.
There are some things that VNet Integration doesn't support, like:
- Mounting a drive.
- Active Directory integration.
- NetBIOS.
Gateway-required VNet Integration provides access to resources only in the target VNet or in networks connected to the target VNet with peering or VPNs. Gateway-required VNet Integration doesn't enable access to resources available across Azure ExpressRoute connections or work with service endpoints.
Regardless of the version used, VNet Integration gives your app access to resources in your VNet, but it doesn't grant inbound private access to your app from the VNet. Private site access refers to making your app accessible only from a private network, such as from within an Azure VNet. VNet Integration is only for making outbound calls from your app into your VNet.
Enable VNet Integration
Go to the Networking UI in the App Service portal. Under VNet Integration, select Click here to configure.
Select Add VNet.
The drop-down list contains all of the Azure Resource Manager virtual networks in your subscription in the same region. Underneath that is a list of the Resource Manager virtual networks in all other regions. Select the VNet you want to integrate with.
- If the VNet is in the same region, either create a new subnet or select an empty preexisting subnet.
- To select a VNet in another region, you must have a VNet gateway provisioned with point to site enabled.
- To integrate with a classic VNet, instead of selecting the Virtual Network drop-down list, select Click here to connect to a Classic VNet. Select the classic virtual network you want. The target VNet must already have a Virtual Network gateway provisioned with point-to-site enabled.
During the integration, your app is restarted. When integration is finished, you'll see details on the VNet you're integrated with.
Regional VNet Integration
Using regional VNet Integration enables your app to access:
- Resources in a VNet in the same region as your app.
- Resources in VNets peered to the VNet your app is integrated with.
- Service endpoint secured services.
- Resources across Azure ExpressRoute connections.
- Resources in the VNet you're integrated with.
- Resources across peered connections, which include Azure ExpressRoute connections.
- Private endpoints
When you use VNet Integration with VNets in the same region, you can use the following Azure networking features:
- Network security groups (NSGs): You can block outbound traffic with an NSG that's placed on your integration subnet. The inbound rules don't apply because you can't use VNet Integration to provide inbound access to your app.
- Route tables (UDRs): You can place a route table on the integration subnet to send outbound traffic where you want.
By default, your app routes only RFC1918 traffic into your VNet. If you want to route all of your outbound traffic into your VNet, apply the app setting WEBSITE_VNET_ROUTE_ALL to your app. To configure the app setting:
Go to the Configuration UI in your app portal. Select New application setting.
Enter WEBSITE_VNET_ROUTE_ALL in the Name box, and enter 1 in the Value box.
Select OK.
Select Save.
Note
If you route all of your outbound traffic into your VNet, it's subject to the NSGs and UDRs that are applied to your integration subnet. When you route all of your outbound traffic into your VNet, your outbound addresses are still the outbound addresses that are listed in your app properties unless you provide routes to send the traffic elsewhere.
There are some limitations with using VNet Integration with VNets in the same region:
- You can't reach resources across global peering connections.
- The feature is available from all App Service scale units in Premium V2 and Premium V3. It is also available in Standard but only from newer App Service scale units. If you are on an older scale unit you can only use the feature from a Premium V2 App Service plan. If you want to be certain of being able to use the feature in a Standard App Service plan, create your app in a Premium V3 App Service plan. Those plans are only supported on our newest scale units. You can scale down if you desire after that.
- The integration subnet can be used by only one App Service plan.
- The feature can't be used by Isolated plan apps that are in an App Service Environment.
- The feature requires an unused subnet that's a /28 or larger in an Azure Resource Manager VNet.
- The app and the VNet must be in the same region.
- You can't delete a VNet with an integrated app. Remove the integration before you delete the VNet.
- You can have only one regional VNet Integration per App Service plan. Multiple apps in the same App Service plan can use the same VNet.
- You can't change the subscription of an app or a plan while there's an app that's using regional VNet Integration.
- Your app cannot resolve addresses in Azure DNS Private Zones without configuration changes.
VNet Integration depends on use of a dedicated subnet. When you provision a subnet, Azure reserves 5 IPs from the start. One address is used from the integration subnet for each plan instance. If you scale your app to four instances, then four addresses are used. The debit of 5 addresses from the subnet size means that the maximum available addresses per CIDR block are:
- /28 has 11 addresses
- /27 has 27 addresses
- /26 has 59 addresses
If you scale up or down in size, you need double your address count for a short period of time. These size limits mean that the real available supported instances per subnet size are, if your subnet is a:
- /28, your maximum horizontal scale is 5 instances
- /27, your maximum horizontal scale is 13 instances
- /26, your maximum horizontal scale is 29 instances
The limits noted on maximum horizontal scale assume that you will need to scale up or down in either size or SKU at some point.
Since subnet size can't be changed after assignment, use a subnet that's large enough to accommodate whatever scale your app might reach. To avoid any issues with subnet capacity, a /26 with 64 addresses is the recommended size.
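The sizing rule above (2^(32 - prefix) addresses, minus Azure's reservation of 5, halved to leave headroom for a scale operation) is easy to get wrong when planning a subnet by hand. The following pre-deployment check is an added example, not code from the Azure documentation or from Microsoft; it encodes exactly the figures stated above and generalizes the three listed sizes to any IPv4 prefix. The function names and the recommendation helper are this example's own.

```python
import ipaddress
from typing import Dict

# Figures taken from the text above: Azure reserves 5 addresses in every subnet,
# regional VNet Integration needs at least a /28, one address is consumed per plan
# instance, and a scale operation briefly doubles the address need.
RESERVED_ADDRESSES = 5
SMALLEST_ALLOWED_PREFIX = 28      # a /29 or smaller is rejected
LARGEST_PREFIX_TO_CONSIDER = 16   # search bound for the recommendation helper (example's choice)


def usable_addresses(subnet: str) -> int:
    """Addresses left for plan instances after Azure's per-subnet reservation."""
    # strict=True rejects CIDRs with host bits set, e.g. "10.0.1.5/28"
    net = ipaddress.ip_network(subnet, strict=True)
    if net.version != 4:
        raise ValueError("integration subnets are IPv4")
    if net.prefixlen > SMALLEST_ALLOWED_PREFIX:
        raise ValueError(f"{subnet} is smaller than the required /{SMALLEST_ALLOWED_PREFIX}")
    return net.num_addresses - RESERVED_ADDRESSES


def max_horizontal_scale(subnet: str) -> int:
    """Instances supported while leaving room for a scale up/down to double the need."""
    return usable_addresses(subnet) // 2


def recommend_prefix(target_instances: int) -> int:
    """Smallest subnet (largest prefix length) that fits target_instances with scale headroom."""
    for prefix in range(SMALLEST_ALLOWED_PREFIX, LARGEST_PREFIX_TO_CONSIDER - 1, -1):
        usable = 2 ** (32 - prefix) - RESERVED_ADDRESSES
        if usable // 2 >= target_instances:
            return prefix
    raise ValueError(f"{target_instances} instances exceed a /{LARGEST_PREFIX_TO_CONSIDER}")


def check_plan_fits(subnet: str, target_instances: int) -> Dict[str, object]:
    """Pre-deployment check for a plan that must reach target_instances on this subnet."""
    usable = usable_addresses(subnet)
    safe_max = usable // 2
    return {
        "subnet": subnet,
        "usable_addresses": usable,
        "max_instances_with_scale_headroom": safe_max,
        "fits": target_instances <= safe_max,
        # True when the instances fit today but a later scale operation would run out of addresses
        "fits_only_without_scaling": safe_max < target_instances <= usable,
        "recommended_prefix": recommend_prefix(target_instances),
    }


if __name__ == "__main__":
    for cidr in ("10.0.1.0/28", "10.0.1.0/27", "10.0.1.0/26"):
        print(cidr, usable_addresses(cidr), "usable,", max_horizontal_scale(cidr), "instances")
    print(check_plan_fits("10.0.1.0/28", 8))
```

The `fits_only_without_scaling` flag is the case to watch: a /28 carrying 8 instances works until the first scale operation, which is when the subnet runs dry. Because the subnet cannot be resized after assignment, run the check against the largest instance count the plan may ever reach.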
If you want your apps in another plan to reach a VNet that's already connected to by apps in another plan, select a different subnet than the one being used by the preexisting VNet Integration.
The feature is fully supported for both Windows and Linux apps, including custom containers. All of the behaviors act the same between Windows apps and Linux apps.
Service endpoints
Regional VNet Integration enables you to use service endpoints. To use service endpoints with your app, use regional VNet Integration to connect to a selected VNet and then configure service endpoints with the destination service on the subnet you used for the integration. If you then wanted to access a service over service endpoints:
- configure regional VNet Integration with your web app
- go to the destination service and configure service endpoints against the subnet used for integration
Network security groups
You can use network security groups to block inbound and outbound traffic to resources in a VNet. An app that uses regional VNet Integration can use a network security group to block outbound traffic to resources in your VNet or the internet. To block traffic to public addresses, you must have the application setting WEBSITE_VNET_ROUTE_ALL set to 1. The inbound rules in an NSG don't apply to your app because VNet Integration affects only outbound traffic from your app.
To control inbound traffic to your app, use the Access Restrictions feature. An NSG that's applied to your integration subnet is in effect regardless of any routes applied to your integration subnet. If WEBSITE_VNET_ROUTE_ALL is set to 1 and you don't have any routes that affect public address traffic on your integration subnet, all of your outbound traffic is still subject to NSGs assigned to your integration subnet. If WEBSITE_VNET_ROUTE_ALL isn't set, NSGs are only applied to RFC1918 traffic.
Routes
You can use route tables to route outbound traffic from your app to wherever you want. By default, route tables only affect your RFC1918 destination traffic. If you set WEBSITE_VNET_ROUTE_ALL to 1, all of your outbound calls are affected. Routes that are set on your integration subnet won't affect replies to inbound app requests. Common destinations can include firewall devices or gateways.
If you want to route all outbound traffic on-premises, you can use a route table to send all outbound traffic to your ExpressRoute gateway. If you do route traffic to a gateway, be sure to set routes in the external network to send any replies back.
Border Gateway Protocol (BGP) routes also affect your app traffic. If you have BGP routes from something like an ExpressRoute gateway, your app outbound traffic will be affected. By default, BGP routes affect only your RFC1918 destination traffic. If WEBSITE_VNET_ROUTE_ALL is set to 1, all outbound traffic can be affected by your BGP routes.
Azure DNS Private Zones
After your app integrates with your VNet, it uses the same DNS server that your VNet is configured with. By default, your app won't work with Azure DNS Private Zones. To work with Azure DNS Private Zones, you need to add the following app settings:
- WEBSITE_DNS_SERVER with value 168.63.129.16
- WEBSITE_VNET_ROUTE_ALL with value 1
These settings send all of the outbound calls from your app into your VNet and enable the app to use Azure DNS by querying the Private DNS Zone at the worker level. This functionality is to be used when a running app is accessing a Private DNS Zone.
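The NSG, Routes and Azure DNS Private Zones sections above all turn on the same question: does a given outbound call enter the VNet at all? By default only RFC 1918 destinations do, so an NSG deny rule on the integration subnet never sees internet-bound traffic unless WEBSITE_VNET_ROUTE_ALL is 1, and private-zone resolution needs that setting together with WEBSITE_DNS_SERVER=168.63.129.16. The checker below is an added example for auditing an app's exported settings; it is not code from the Azure documentation or from Microsoft. The list-of-name/value shape of the input, the sample settings and the function names are this example's own assumptions.

```python
import ipaddress
from typing import Dict, List

# The three RFC 1918 blocks that regional VNet Integration routes into the VNet by default.
RFC1918_BLOCKS = [ipaddress.ip_network(b) for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Setting names and values exactly as the text above gives them.
ROUTE_ALL_SETTING = "WEBSITE_VNET_ROUTE_ALL"
DNS_SERVER_SETTING = "WEBSITE_DNS_SERVER"
AZURE_DNS_IP = "168.63.129.16"


def settings_to_dict(app_settings: List[Dict[str, str]]) -> Dict[str, str]:
    """Flatten a list of {"name": ..., "value": ...} entries (the export shape assumed by this
    example) into a plain dict."""
    return {s["name"]: s["value"] for s in app_settings}


def route_all_enabled(settings: Dict[str, str]) -> bool:
    return settings.get(ROUTE_ALL_SETTING, "").strip() == "1"


def egress_path(settings: Dict[str, str], destination: str) -> Dict[str, object]:
    """Decide whether a call to `destination` enters the VNet, and therefore whether the NSG,
    UDRs and BGP routes on the integration subnet can see it."""
    dest = ipaddress.ip_address(destination)
    is_private = dest.version == 4 and any(dest in block for block in RFC1918_BLOCKS)
    via_vnet = is_private or route_all_enabled(settings)
    return {
        "destination": destination,
        "rfc1918": is_private,
        "via_vnet": via_vnet,
        # Only traffic that enters the VNet is governed by the integration subnet's NSG/routes.
        "subnet_nsg_and_routes_apply": via_vnet,
    }


def nsg_can_block_public_egress(settings: Dict[str, str]) -> bool:
    """An NSG on the integration subnet can deny internet-bound traffic only with route-all on."""
    return route_all_enabled(settings)


def private_dns_zone_missing_settings(settings: Dict[str, str]) -> List[str]:
    """Settings still needed before the app can resolve Azure DNS Private Zones (empty = ready)."""
    missing = []
    if settings.get(DNS_SERVER_SETTING) != AZURE_DNS_IP:
        missing.append(f"{DNS_SERVER_SETTING}={AZURE_DNS_IP}")
    if not route_all_enabled(settings):
        missing.append(f"{ROUTE_ALL_SETTING}=1")
    return missing


# Constructed sample export: the DNS server is set but route-all is not yet enabled.
SAMPLE_EXPORT = [
    {"name": "SOME_UNRELATED_SETTING", "value": "placeholder"},
    {"name": "WEBSITE_DNS_SERVER", "value": "168.63.129.16"},
]

if __name__ == "__main__":
    cfg = settings_to_dict(SAMPLE_EXPORT)
    for dst in ("10.20.0.4", "172.31.0.9", "172.32.0.9", "52.168.0.1"):
        print(egress_path(cfg, dst))
    print("NSG can block public egress:", nsg_can_block_public_egress(cfg))
    print("missing for private DNS zones:", private_dns_zone_missing_settings(cfg))
```

A practical use is to run this over each app's settings before relying on a "deny internet" NSG rule: for an app without WEBSITE_VNET_ROUTE_ALL=1 the rule only governs the RFC 1918 destinations, and public egress still leaves through the app's listed outbound addresses. Note that 172.32.0.9 is not RFC 1918 (the block ends at 172.31.255.255), a boundary that hand-written allow lists often get wrong.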
Note
Trying to add a custom domain to a Web App using Private DNS Zone is not possible with the VNET Integration. Custom domain validation is done at the controller level, not the worker level, which prevents the DNS records from being seen. To use a custom domain from a Private DNS Zone, validation would need to be bypassed using an Application Gateway or ILB App Service Environment.
Private endpoints
If you want to make calls to Private Endpoints, then you need to ensure that your DNS lookups will resolve to the private endpoint. To ensure that the DNS lookups from your app will point to your private endpoints you can:
- integrate with Azure DNS Private Zones. If your VNet doesn't have a custom DNS server, this will be automatic
- manage the private endpoint in the DNS server used by your app. To do this you need to know the private endpoint address and then point the endpoint you are trying to reach to that address with an A record.
- configure your own DNS server to forward to Azure DNS private zones
How regional VNet Integration works
Apps in App Service are hosted on worker roles. The Basic and higher pricing plans are dedicated hosting plans where there are no other customers' workloads running on the same workers. Regional VNet Integration works by mounting virtual interfaces with addresses in the delegated subnet. Because the from address is in your VNet, it can access most things in or through your VNet like a VM in your VNet would. The networking implementation is different than running a VM in your VNet. That's why some networking features aren't yet available for this feature.
When regional VNet Integration is enabled, your app makes outbound calls to the internet through the same channels as normal. The outbound addresses that are listed in the app properties portal are the addresses still used by your app. What changes for your app are the calls to service endpoint secured services, or RFC 1918 addresses go into your VNet. If WEBSITE_VNET_ROUTE_ALL is set to 1, all outbound traffic can be sent into your VNet.
Note
WEBSITE_VNET_ROUTE_ALL is currently not supported in Windows containers.
The feature supports only one virtual interface per worker. One virtual interface per worker means one regional VNet Integration per App Service plan. All of the apps in the same App Service plan can use the same VNet Integration. If you need an app to connect to an additional VNet, you need to create another App Service plan. The virtual interface used isn't a resource that customers have direct access to.
Because of the nature of how this technology operates, the traffic that's used with VNet Integration doesn't show up in Azure Network Watcher or NSG flow logs.
Gateway-required VNet Integration
Gateway-required VNet Integration supports connecting to a VNet in another region or to a classic virtual network. Gateway-required VNet Integration:
- Enables an app to connect to only one VNet at a time.
- Enables up to five VNets to be integrated within an App Service plan.
- Allows the same VNet to be used by multiple apps in an App Service plan without affecting the total number that can be used by an App Service plan. If you have six apps using the same VNet in the same App Service plan, that counts as one VNet being used.
- Supports a 99.9% SLA due to the SLA on the gateway.
- Enables your apps to use the DNS that the VNet is configured with.
- Requires a Virtual Network route-based gateway configured with an SSTP point-to-site VPN before it can be connected to an app.
You can't use gateway-required VNet Integration:
- With a VNet connected with Azure ExpressRoute.
- From a Linux app.
- From a Windows container.
- To access service endpoint secured resources.
- With a coexistence gateway that supports both ExpressRoute and point-to-site or site-to-site VPNs.
Set up a gateway in your Azure virtual network
To create a gateway:
Create a gateway subnet in your VNet.
Create the VPN gateway. Select a route-based VPN type.
Set the point-to-site addresses. If the gateway isn't in the Basic SKU, IKEv2 must be disabled in the point-to-site configuration and SSTP must be selected. The point-to-site address space must be within the RFC 1918 address blocks 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.
If you create the gateway for use with App Service VNet Integration, you don't need to upload a certificate. Creating the gateway can take 30 minutes. You won't be able to integrate your app with your VNet until the gateway is provisioned.
How gateway-required VNet Integration works
Gateway-required VNet Integration is built on top of point-to-site VPN technology. Point-to-site VPNs limit network access to the virtual machine that hosts the app. Apps are restricted to send traffic out to the internet only through Hybrid Connections or through VNet Integration. When your app is configured with the portal to use gateway-required VNet Integration, a complex negotiation is managed on your behalf to create and assign certificates on the gateway and the application side. The result is that the workers used to host your apps are able to directly connect to the virtual network gateway in the selected VNet.
Access on-premises resources
Apps can access on-premises resources by integrating with VNets that have site-to-site connections. If you use gateway-required VNet Integration, update your on-premises VPN gateway routes with your point-to-site address blocks. When the site-to-site VPN is first set up, the scripts used to configure it should set up routes properly. If you add the point-to-site addresses after you create your site-to-site VPN, you need to update the routes manually. Details on how to do that vary per gateway and aren't described here. You can't have BGP configured with a site-to-site VPN connection.
No additional configuration is required for the regional VNet Integration feature to reach through your VNet to on-premises resources. You simply need to connect your VNet to on-premises resources by using ExpressRoute or a site-to-site VPN.
Note
The gateway-required VNet Integration feature doesn't integrate an app with a VNet that has an ExpressRoute gateway. Even if the ExpressRoute gateway is configured in coexistence mode, the VNet Integration doesn't work. If you need to access resources through an ExpressRoute connection, use the regional VNet Integration feature or an App Service Environment, which runs in your VNet.
Peering
If you use peering with the regional VNet Integration, you don't need to do any additional configuration.
If you use gateway-required VNet Integration with peering, you need to configure a few additional items. To configure peering to work with your app:
- Add a peering connection on the VNet your app connects to. When you add the peering connection, enable Allow virtual network access and select Allow forwarded traffic and Allow gateway transit.
- Add a peering connection on the VNet that's being peered to the VNet you're connected to. When you add the peering connection on the destination VNet, enable Allow virtual network access and select Allow forwarded traffic and Allow remote gateways.
- Go to the App Service plan > Networking > VNet Integration UI in the portal. Select the VNet your app connects to. Under the routing section, add the address range of the VNet that's peered with the VNet your app is connected to.
Manage VNet Integration
Connecting and disconnecting with a VNet is at an app level. Operations that can affect VNet Integration across multiple apps are at the App Service plan level. From the app > Networking > VNet Integration portal, you can get details on your VNet. You can see similar information at the App Service plan level in the App Service plan > Networking > VNet Integration portal.
The only operation you can take in the app view of your VNet Integration instance is to disconnect your app from the VNet it's currently connected to. To disconnect your app from a VNet, select Disconnect. Your app is restarted when you disconnect from a VNet. Disconnecting doesn't change your VNet. The subnet or gateway isn't removed. If you then want to delete your VNet, first disconnect your app from the VNet and delete the resources in it, such as gateways.
The App Service plan VNet Integration UI shows you all of the VNet integrations used by the apps in your App Service plan. To see details on each VNet, select the VNet you're interested in. There are two actions you can perform here for gateway-required VNet Integration:
- Sync network: The sync network operation is used only for the gateway-required VNet Integration feature. Performing a sync network operation ensures that your certificates and network information are in sync. If you add or change the DNS of your VNet, perform a sync network operation. This operation restarts any apps that use this VNet. It doesn't work if the app and the VNet belong to different subscriptions.
- Add routes: Adding routes drives outbound traffic into your VNet.
The private IP assigned to the instance is exposed via the environment variable WEBSITE_PRIVATE_IP. The Kudu console UI also shows the list of environment variables available to the web app. This IP is assigned from the address range of the integrated subnet. For regional VNet Integration, the value of WEBSITE_PRIVATE_IP is an IP from the address range of the delegated subnet; for gateway-required VNet Integration, it's an IP from the address range of the point-to-site address pool configured on the virtual network gateway. This is the IP the web app uses to connect to resources through the virtual network.
Note
The value of WEBSITE_PRIVATE_IP is bound to change. However, it will be an IP within the address range of the integration subnet or the point-to-site address range, so you will need to allow access from the entire address range.
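The address rules above (RFC 1918 destinations and WEBSITE_VNET_ROUTE_ALL deciding whether an outbound call enters the VNet, the point-to-site address space having to sit inside the RFC 1918 blocks, and WEBSITE_PRIVATE_IP being any address in the integration range rather than a stable value) are easy to get wrong when writing firewall or NSG rules. The following Python script is an added example, not code from this page or from Azure; it encodes those rules with the standard ipaddress module so they can be checked offline before a rule is deployed. The function names and the sample addresses are assumptions for illustration, and the service endpoint case is deliberately not modelled because it depends on the target service rather than on the destination IP.

```python
"""Offline checks for App Service VNet Integration address rules (added example)."""
import ipaddress
import os
from typing import List

# The three RFC 1918 blocks the page requires for point-to-site address spaces.
RFC1918_BLOCKS: List[ipaddress.IPv4Network] = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(address: str) -> bool:
    """True if the IPv4 address falls inside 10/8, 172.16/12 or 192.168/16."""
    ip = ipaddress.ip_address(address)
    return ip.version == 4 and any(ip in block for block in RFC1918_BLOCKS)


def outbound_path(destination_ip: str, route_all: str = "0") -> str:
    """Which path an outbound call takes under regional VNet Integration.

    RFC 1918 destinations go into the VNet; everything else leaves through the
    app's normal outbound addresses unless WEBSITE_VNET_ROUTE_ALL is "1", in
    which case all traffic goes into the VNet. Service endpoint secured
    services also go into the VNet, but that is decided by the target service,
    not by its IP, so it is not modelled here. route_all is the raw app
    setting value, which is a string.
    """
    if route_all.strip() == "1" or is_rfc1918(destination_ip):
        return "vnet"
    return "internet"


def validate_p2s_address_space(cidr: str) -> ipaddress.IPv4Network:
    """Reject a point-to-site address space that is not inside an RFC 1918 block.

    strict=True also rejects ranges with host bits set (e.g. 10.1.2.5/24).
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or not any(net.subnet_of(block) for block in RFC1918_BLOCKS):
        raise ValueError(
            f"{cidr} is not within 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16")
    return net


def allow_range_for_app(private_ip: str, integration_range: str) -> str:
    """Return the range a downstream firewall or NSG should allow for the app.

    WEBSITE_PRIVATE_IP changes over time, so rules must allow the whole
    integration subnet (or point-to-site pool) rather than the current IP. The
    current IP is only used as a sanity check that it really is in that range.
    """
    net = ipaddress.ip_network(integration_range, strict=False)
    if ipaddress.ip_address(private_ip) not in net:
        raise ValueError(
            f"WEBSITE_PRIVATE_IP {private_ip} is not in {integration_range}; "
            "check which subnet or P2S pool the app is integrated with")
    return str(net)


if __name__ == "__main__":
    # Inside the app these come from its settings; the fallbacks are
    # constructed sample values so the script also runs elsewhere.
    route_all = os.environ.get("WEBSITE_VNET_ROUTE_ALL", "0")
    private_ip = os.environ.get("WEBSITE_PRIVATE_IP", "10.1.2.5")
    for dest in ("10.20.0.5", "172.31.255.1", "13.107.42.14"):
        print(f"{dest:16} -> {outbound_path(dest, route_all)}")
    print("P2S space ok:", validate_p2s_address_space("172.16.8.0/24"))
    print("allow range :", allow_range_for_app(private_ip, "10.1.2.0/24"))
```

A non-RFC 1918 destination such as a public PaaS address reports "internet" until WEBSITE_VNET_ROUTE_ALL is 1, which is exactly the case the troubleshooting list later asks you to check; and allow_range_for_app makes the page's advice explicit by always returning the whole range, never the single current IP.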
Gateway-required VNet Integration routing
The routes that are defined in your VNet are used to direct traffic into your VNet from your app. To send additional outbound traffic into the VNet, add those address blocks here. This capability only works with gateway-required VNet Integration. Route tables don't affect your app traffic when you use gateway-required VNet Integration the way that they do with regional VNet Integration.
Gateway-required VNet Integration certificates
When gateway-required VNet Integration is enabled, there's a required exchange of certificates to ensure the security of the connection. Along with the certificates are the DNS configuration, routes, and other similar things that describe the network.
If certificates or network information is changed, select Sync Network. When you select Sync Network, you cause a brief outage in connectivity between your app and your VNet. While your app isn't restarted, the loss of connectivity could cause your site to not function properly.
Pricing details
The regional VNet Integration feature has no additional charge for use beyond the App Service plan pricing tier charges.
Three charges are related to the use of the gateway-required VNet Integration feature:
- App Service plan pricing tier charges: Your apps need to be in a Standard, Premium, PremiumV2, or PremiumV3 App Service plan. For more information on those costs, see App Service pricing.
- Data transfer costs: There's a charge for data egress, even if the VNet is in the same datacenter. Those charges are described in Data Transfer pricing details.
- VPN gateway costs: There's a cost to the virtual network gateway that's required for the point-to-site VPN. For more information, see VPN gateway pricing.
Troubleshooting
Note
VNet Integration is not supported for Docker Compose scenarios in App Service. Azure Functions access restrictions are ignored if there is a private endpoint present.
The feature is easy to set up, but that doesn't mean your experience will be problem free. If you encounter problems accessing your desired endpoint, there are some utilities you can use to test connectivity from the app console. There are two consoles that you can use. One is the Kudu console, and the other is the console in the Azure portal. To reach the Kudu console from your app, go to Tools > Kudu. You can also reach the Kudu console at [sitename].scm.azurewebsites.net. After the website loads, go to the Debug console tab. To get to the Azure portal-hosted console from your app, go to Tools > Console.
Tools
In native Windows apps, the tools ping, nslookup, and tracert won't work through the console because of security constraints (they work in custom Windows containers). To fill the void, two separate tools are added. To test DNS functionality, we added a tool named nameresolver.exe. Run it with the hostname to resolve and, optionally, the address of the DNS server to query.
You can use nameresolver to check the hostnames that your app depends on. This way you can test whether anything is misconfigured with your DNS or whether you lack access to your DNS server. You can see the DNS servers that your app uses in the console by looking at the environment variables WEBSITE_DNS_SERVER and WEBSITE_DNS_ALT_SERVER.
Note
nameresolver.exe currently doesn't work in custom Windows containers.
You can use the next tool to test for TCP connectivity to a host and port combination. This tool is called tcpping. Run it with the hostname and, optionally, the port and the number of attempts.
The tcpping utility tells you if you can reach a specific host and port. It can show success only if there's an application listening at the host and port combination, and there's network access from your app to the specified host and port.
Debug access to virtual network-hosted resources
A number of things can prevent your app from reaching a specific host and port. Most of the time it's one of these things:
- A firewall is in the way. If you have a firewall in the way, you hit the TCP timeout. The TCP timeout is 21 seconds in this case. Use the tcpping tool to test connectivity. TCP timeouts can be caused by many things beyond firewalls, but start there.
- DNS isn't accessible. The DNS timeout is 3 seconds per DNS server. If you have two DNS servers, the timeout is 6 seconds. Use nameresolver to see if DNS is working. You can't use nslookup, because that doesn't use the DNS your virtual network is configured with. If DNS is inaccessible, a firewall or NSG could be blocking access to the DNS server, or the server could be down.
If those items don't answer your problems, look first for things like:
Regional VNet Integration
- Is your destination a non-RFC1918 address and you don't have WEBSITE_VNET_ROUTE_ALL set to 1?
- Is there an NSG blocking egress from your integration subnet?
- If you're going across Azure ExpressRoute or a VPN, is your on-premises gateway configured to route traffic back up to Azure? If you can reach endpoints in your virtual network but not on-premises, check your routes.
- Do you have enough permissions to set delegation on the integration subnet? During regional VNet Integration configuration, your integration subnet is delegated to Microsoft.Web/serverFarms. The VNet Integration UI delegates the subnet to Microsoft.Web/serverFarms automatically. If your account doesn't have sufficient networking permissions to set delegation, you'll need someone who can set attributes on your integration subnet to delegate the subnet. To manually delegate the integration subnet, go to the Azure Virtual Network subnet UI and set the delegation for Microsoft.Web/serverFarms.
Gateway-required VNet Integration
- Is the point-to-site address range in the RFC 1918 ranges (10.0.0.0-10.255.255.255 / 172.16.0.0-172.31.255.255 / 192.168.0.0-192.168.255.255)?
- Does the gateway show as being up in the portal? If your gateway is down, then bring it back up.
- Do certificates show as being in sync, or do you suspect that the network configuration was changed? If your certificates are out of sync or you suspect that a change was made to your virtual network configuration that wasn't synced with your App Service plans, select Sync Network.
- If you're going across a VPN, is the on-premises gateway configured to route traffic back up to Azure? If you can reach endpoints in your virtual network but not on-premises, check your routes.
- Are you trying to use a coexistence gateway that supports both point to site and ExpressRoute? Coexistence gateways aren't supported with VNet Integration.
Debugging networking issues is a challenge because you can't see what's blocking access to a specific host:port combination. Some causes include:
- You have a firewall up on your host that prevents access to the application port from your point-to-site IP range. Crossing subnets often requires public access.
- Your target host is down.
- Your application is down.
- You had the wrong IP or hostname.
- Your application is listening on a different port than what you expected. You can match your process ID with the listening port by using 'netstat -aon' on the endpoint host.
- Your network security groups are configured in such a manner that they prevent access to your application host and port from your point-to-site IP range.
- You don't know what address your app actually uses. It could be any address in the integration subnet or point-to-site address range, so you need to allow access from the entire address range.
Additional debug steps include:
- Connect to a VM in your virtual network and attempt to reach your resource host:port from there. To test for TCP access, use the PowerShell command test-netconnection, passing the hostname and, optionally, the port with -Port.
- Bring up an application on a VM and test access to that host and port from the console from your app by using tcpping.
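To make the timeout, refused and DNS distinctions above concrete, here is an added Python equivalent of the tcpping check; it is not part of the page or of the App Service console tools. It separates name resolution from the TCP connect so you can tell a DNS failure (the 3-second-per-server case) from a firewall or NSG drop (the 21-second timeout) and from a connection refused (host up, nothing listening), and it maps each outcome to the causes listed in the troubleshooting steps. The function names, the 21-second default and the loopback listener used for the self-test are assumptions; run it from a VM in the VNet, or from the app's console if Python is available there.

```python
"""tcpping-style probe that classifies why a host:port is unreachable (added example)."""
import socket
import time
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class ProbeResult:
    host: str
    port: int
    outcome: str            # open | refused | timeout | dns_failure | unreachable
    resolved_ip: Optional[str]
    elapsed_s: float


def probe_tcp(host: str, port: int, timeout: float = 21.0) -> ProbeResult:
    """Resolve host, then attempt a TCP connect with the given timeout.

    The 21-second default matches the TCP timeout the page quotes for a
    firewalled path, so a result of "timeout" means packets were dropped.
    """
    started = time.monotonic()
    try:
        # Resolution uses the system resolver: inside an integrated app that
        # is the VNet DNS (WEBSITE_DNS_SERVER); on a VM it is the VM's resolver.
        family, socktype, proto, _, sockaddr = socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM)[0]
    except socket.gaierror:
        return ProbeResult(host, port, "dns_failure", None, time.monotonic() - started)

    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
        outcome = "open"
    except socket.timeout:            # silently dropped: firewall, NSG, missing route
        outcome = "timeout"
    except ConnectionRefusedError:    # host answered, nothing listening on the port
        outcome = "refused"
    except OSError:                   # e.g. no route to host, network unreachable
        outcome = "unreachable"
    finally:
        sock.close()
    return ProbeResult(host, port, outcome, sockaddr[0], time.monotonic() - started)


def interpret(result: ProbeResult) -> str:
    """Map an outcome onto the causes the troubleshooting list describes."""
    hints = {
        "open": "reachable; the application is listening",
        "dns_failure": "DNS not accessible or name wrong: check WEBSITE_DNS_SERVER, "
                       "NSG/firewall access to the DNS server, or try nameresolver",
        "timeout": "packets dropped: firewall, NSG on the integration subnet, "
                   "on-premises routes, or WEBSITE_VNET_ROUTE_ALL unset for a "
                   "non-RFC 1918 target",
        "refused": "host reachable but nothing listens on that port: wrong port or "
                   "application down (compare netstat -aon on the host)",
        "unreachable": "no route to the address: check routes or that the target is up",
    }
    return (f"{result.host}:{result.port} {result.outcome} after "
            f"{result.elapsed_s:.1f}s: {hints[result.outcome]}")


def open_listener() -> Tuple[socket.socket, int]:
    """Loopback listener used as a constructed target for the self-test."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = open_listener()
    print(interpret(probe_tcp("127.0.0.1", port, timeout=2)))   # open
    srv.close()
    print(interpret(probe_tcp("127.0.0.1", port, timeout=2)))   # refused
    print(interpret(probe_tcp("nonexistent-host.invalid", 443, timeout=2)))  # dns_failure
```

When comparing results from the app console and from a VM in the VNet, the same host:port giving "open" on the VM but "timeout" from the app points at the integration subnet's NSG, a missing route, or WEBSITE_VNET_ROUTE_ALL, while "dns_failure" only from the app points at the VNet DNS configuration the app inherits.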
On-premises resources
If your app can't reach a resource on-premises, check if you can reach the resource from your virtual network. Use the test-netconnection PowerShell command to check for TCP access. If your VM can't reach your on-premises resource, your VPN or ExpressRoute connection might not be configured properly.
If your virtual network-hosted VM can reach your on-premises system but your app can't, the cause is likely one of the following reasons:
- Your routes aren't configured with your subnet or point-to-site address ranges in your on-premises gateway.
- Your network security groups are blocking access for your point-to-site IP range.
- Your on-premises firewalls are blocking traffic from your point-to-site IP range.
- You're trying to reach a non-RFC 1918 address by using the regional VNet Integration feature.
Automation
CLI support is available for regional VNet Integration. To access the following commands, install the Azure CLI.
PowerShell support for regional VNet Integration is available too, but you must create a generic resource with a property array containing the subnet resource ID.
For gateway-required VNet Integration, you can integrate App Service with an Azure virtual network by using PowerShell. For a ready-to-run script, see Connect an app in Azure App Service to an Azure virtual network.