A PowerShell script to attach an existing Azure Web App to an existing V2 VNet
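<#
.SYNOPSIS
  Attach an existing Azure Web App to an existing V2 (Resource Manager) VNet
  through the VNet's point-to-site VPN gateway.
.DESCRIPTION
  Steps, in order:
    1. Sign in with a service principal and select the subscription.
    2. Stop if the app already has a VNet connection (only one is allowed).
    3. Validate the VNet's gateway: GatewayType Vpn, VpnType RouteBased,
       and a point-to-site address pool present.
    4. Create the sites/virtualNetworkConnections resource, which yields the
       app's certificate blob.
    5. Install that certificate as a VPN client root certificate on the
       gateway unless it is already there.
    6. Fetch the VPN client package URI and attach it to the connection's
       primary gateway resource.
  The service principal secret is never stored in this file: it is read from
  an environment variable or prompted for as a SecureString at run time.
#>
Import-Module AzureRm.Network

# Stop on the first failing cmdlet instead of carrying on with a half-configured app.
$ErrorActionPreference = 'Stop'

# ---- configuration: replace the placeholders --------------------------------
# VNet we wish to connect the App Service to, and the resource group that holds it
$vnetConnectionName = "{your V2 VNet Name Goes Here}"
$vnetResourceGroupName = "{The name of the resource group that contains your V2 VNet}"
# Web App name and its resource group
$webAppName = "{Your Web App Name}"
$appResourceGroupName = "{Name of the resource group that contains your web app}"
# Service principal login name (the application id), subscription and tenant
$userName = "{azure login name}"
$SubscriptionID = "{subscription ID}"
$TenantId = "{Tenant ID}"

# ---- sign in ----------------------------------------------------------------
# The secret comes from an environment variable (name chosen here; rename to
# suit your setup) or, failing that, from a masked prompt. It is therefore not
# present in the script text, shell history or source control. Note that the
# original stored it in $pwd, which also shadows PowerShell's automatic $PWD.
if ($env:AZURE_CLIENT_SECRET) {
  $secureSecret = ConvertTo-SecureString $env:AZURE_CLIENT_SECRET -AsPlainText -Force
} else {
  $secureSecret = Read-Host -Prompt "Service principal secret for $userName" -AsSecureString
}
$cred = New-Object -TypeName pscredential -ArgumentList $userName, $secureSecret
Login-AzureRmAccount -Credential $cred -ServicePrincipal -TenantId $TenantId
Set-AzureRmContext -SubscriptionId $SubscriptionID

# ---- look up the app and stop if it is already attached ---------------------
Write-Host "Getting App information"
$webApp = Get-AzureRmResource -ResourceName $webAppName -ResourceType "Microsoft.Web/sites" -ApiVersion 2015-08-01 -ResourceGroupName $appResourceGroupName
$location = $webApp.Location
$webAppConfig = Get-AzureRmResource -ResourceName "$($webAppName)/web" -ResourceType "Microsoft.Web/sites/config" -ApiVersion 2015-08-01 -ResourceGroupName $appResourceGroupName
$currentVnet = $webAppConfig.Properties.VnetName
if (-not [string]::IsNullOrEmpty($currentVnet)) {
  # The app is already part of a virtual network; it cannot be added again.
  Write-Host "Currently connected to VNET $currentVnet"
  return
}

# ---- validate the VNet gateway ----------------------------------------------
# The VNet can be joined to an app only if its gateway
#   - is of GatewayType Vpn,
#   - is of VpnType RouteBased, and
#   - has a point-to-site address range.
# The app's certificate is added to the gateway further down if it is missing.
$vnet = Get-AzureRmVirtualNetwork -Name $vnetConnectionName -ResourceGroupName $vnetResourceGroupName
$gatewaySubnet = $vnet.Subnets | Where-Object { $_.Name -eq "GatewaySubnet" }
if ($null -eq $gatewaySubnet -or $null -eq $gatewaySubnet.IpConfigurations -or $gatewaySubnet.IpConfigurations.Count -eq 0) {
  Write-Host "Gateway Invaid cannot continue, check you have a GatewaySubnet and its has an IP Configuration"
  return
}
# The gateway's resource group and name are taken from the IP configuration's
# resource id: /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/
# virtualNetworkGateways/<name>/ipConfigurations/<cfg>  ->  indexes 4 and 8.
# Using the gateway's own resource group (rather than the VNet's) keeps every
# gateway call consistent even when the two differ.
$uriParts = $gatewaySubnet.IpConfigurations[0].Id.Split('/')
$gatewayResourceGroup = $uriParts[4]
$gatewayName = $uriParts[8]
$gateway = Get-AzureRmVirtualNetworkGateway -ResourceGroupName $gatewayResourceGroup -Name $gatewayName
# With $ErrorActionPreference = 'Stop', Write-Error also terminates the script;
# the explicit return documents the intent.
if ($gateway.GatewayType -ne "Vpn") {
  Write-Error "This gateway is not of the Vpn type. It cannot be joined to an App."
  return
}
if ($gateway.VpnType -ne "RouteBased") {
  Write-Error "This gateways Vpn type is not RouteBased. It cannot be joined to an App."
  return
}
if ($null -eq $gateway.VpnClientConfiguration -or $null -eq $gateway.VpnClientConfiguration.VpnClientAddressPool) {
  Write-Host "This gateway does not have a Point-to-site Address Range. Please specify one in CIDR notation, e.g. 10.0.0.0/8"
  return
}

# ---- create the connection and register its certificate on the gateway ------
Write-Host "Creating App assocation to VNET"
$propertiesObject = @{
  "vnetResourceId" = "/subscriptions/$($SubscriptionID)/resourceGroups/$($vnet.ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/$($vnetConnectionName)"
}
$virtualNetwork = New-AzureRmResource -Location $location -Properties $propertiesObject -ResourceName "$($webAppName)/$($vnet.Name)" -ResourceType "Microsoft.Web/sites/virtualNetworkConnections" -ApiVersion 2015-08-01 -ResourceGroupName $appResourceGroupName -Force

# The connection resource carries the app's certificate (CertBlob); the gateway
# must trust it as a VPN client root certificate. Compare against the ones
# already installed so that re-running the script does not add duplicates.
$certBlob = $virtualNetwork.Properties.CertBlob
$existingCert = $gateway.VpnClientConfiguration.VpnClientRootCertificates |
  Where-Object { $_.PublicCertData -eq $certBlob } |
  Select-Object -First 1
if ($null -eq $existingCert) {
  Write-Host "Adding certificate"
  # -ResourceGroupName is required by this cmdlet; the original call omitted it.
  Add-AzureRmVpnClientRootCertificate -ResourceGroupName $gatewayResourceGroup -VpnClientRootCertificateName $("{0}.cer" -f $webAppName) -PublicCertData $certBlob -VirtualNetworkGatewayName $gateway.Name
}

# ---- hand the VPN client package to the app ---------------------------------
Write-Host "Retreiving VPN Package and supplying to App"
$packageUri = Get-AzureRmVpnClientPackage -ResourceGroupName $gatewayResourceGroup -VirtualNetworkGatewayName $gateway.Name -ProcessorArchitecture Amd64
$gatewayProperties = @{
  "vnetName" = $vnet.Name; "vpnPackageUri" = $packageUri
}
New-AzureRmResource -Location $location -Properties $gatewayProperties -ResourceName "$($webAppName)/$($vnet.Name)/primary" -ResourceType "Microsoft.Web/sites/virtualNetworkConnections/gateways" -ApiVersion 2015-08-01 -ResourceGroupName $appResourceGroupName -Force
# One interpolated string: the original passed "+" and the names to Write-Output
# as separate arguments, which printed each of them on its own line.
Write-Output "Intergration between $webAppName and $($vnet.Name) Complete !"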
moo2u2 commented Oct 16, 2017

Somehow this appears to be the only script that I can find which actually works, so thank you so much!
The only edit needed is that Add-AzureRmVpnClientRootCertificate requires a -ResourceGroupName parameter.
