azure, azure-web-app-service, azure-cloud-services

Allow access from Internet via front-end WebApp to back-end Worker Role


I wonder if it is possible to access Worker Roles from Azure WebApps so that the access to the aforementioned worker roles is limited to the aforementioned WebApps (i.e. they proxy the calls to internal worker roles) and maybe additionally allow some other internal resources to access these worker roles (just to be clear, but I don't see a problem there as VNET is readily deployable).

Whilst researching on this topic, I came across "Access security to an Azure App Service API App", which looks like being close, but not quite, or "How can we improve Azure Web Apps (formerly Websites)?" in Azure Feedback. It looks like it might be possible via WebApp ASE, but it also looks like there's a lot of services with it and I mostly care about just locking down the path from public Internet facing WebApp so that it can call internal worker roles, but the worker roles wouldn't be directly accessible from the Internet.

I see also there are other choices, such as using just web and compute roles, but this comes with the idea of cost and deployment convenience (I see there's YAMS, looks very nice).

Edit: I forgot I asked an almost identical question a year ago, "How to connect Azure Web Sites to a Worker Role (TCP) through a (regional) vnet? Is it possible?". That's basically the issue in this question too.


Solution

  • The most secure way would be to use a classic vNet and connect the app with the worker role through them. That way you can use Network Security Groups to further lock down your services. I've done this and it works nicely. Here is the documentation for that: https://azure.microsoft.com/en-us/documentation/articles/web-sites-integrate-with-vnet/ If you need to scale the web and worker separately, you could put your services on a WebJob and deploy to a web app and set them up within a vNet as well.
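
The Network Security Group lock-down mentioned in the answer, as an added example that is not part of the original answer: a simplified Python model of priority-ordered, first-match rule evaluation that checks which sources can reach the worker role. The address ranges, port and rule names are constructed assumptions, and Azure's built-in default rules are not modelled.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number is evaluated first
    source: str     # CIDR prefix, or "*" for any source
    port: str       # destination port, or "*" for any port
    action: str     # "Allow" or "Deny"

def evaluate(rules, src_ip, dest_port):
    """Return (action, rule name) for the first rule that matches, by priority."""
    addr = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        src_ok = rule.source == "*" or addr in ipaddress.ip_network(rule.source)
        port_ok = rule.port == "*" or int(rule.port) == dest_port
        if src_ok and port_ok:
            return rule.action, rule.name
    return "Deny", "no-match"   # this model denies anything no rule covers

def allowed_sources(rules, probes, dest_port):
    """List the probe addresses that would reach dest_port under these rules."""
    return [ip for ip in probes if evaluate(rules, ip, dest_port)[0] == "Allow"]

# Constructed values, not taken from the question or answer.
WEBAPP_POOL = "172.16.0.0/24"    # assumed address pool the web app connects from
INTERNAL_SUBNET = "10.0.1.0/24"  # assumed subnet of other internal callers
WORKER_PORT = 10100              # assumed TCP endpoint of the worker role
PROBES = ["172.16.0.5", "10.0.1.20", "203.0.113.7"]  # last one stands for the Internet

LOCKED_DOWN = [
    Rule("allow-webapp", 100, WEBAPP_POOL, str(WORKER_PORT), "Allow"),
    Rule("allow-internal", 110, INTERNAL_SUBNET, str(WORKER_PORT), "Allow"),
    Rule("deny-other-inbound", 4096, "*", "*", "Deny"),
]
# A broad allow with a lower priority number shadows the deny and exposes the worker.
SHADOWED = LOCKED_DOWN + [Rule("allow-any-temp", 90, "*", str(WORKER_PORT), "Allow")]

if __name__ == "__main__":
    for label, rules in (("locked down", LOCKED_DOWN), ("shadowed", SHADOWED)):
        print(label, "->", allowed_sources(rules, PROBES, WORKER_PORT))
```

Running the same probe list against an exported rule set after every change catches a broad allow rule that has been given a lower priority number than the deny.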