When deploying an Application Service Environment (ASE), you can choose between an Internal and an External ASE. An Internal ASE provides a private IP address (on your VNet) as the means to access the apps within the ASE from your internal networks, whereas an External ASE provides a public IP, allowing access to apps within the ASE from both internal networks and the internet. More detailed information on Internal and External ASEs can be found here: https://docs.microsoft.com/en-us/azure/app-service/environment/network-info
When deploying an ASE, it’s possible to add an additional layer of security by deploying an Application Gateway (AppGw) with Web Application Firewall (WAF) enabled as the front end, rather than exposing the public IP of the ASE directly to the internet. Another benefit of using an AppGw as the frontend for your ASE is the ability to only expose the apps that need to be publicly accessible, rather than all of the apps that are deployed within the ASE.
As an example, let’s assume we have 4 apps deployed within the ASE called app1 through app4 (within your VNet the apps will have an FQDN of appX.<asename>.appserviceenvironment.net; these are not configured in public DNS and are therefore not accessible externally). We only need to expose app2 publicly, with a custom domain of strategicapp.strategiccloudsolutons.co.uk. Below is a high-level look at how you would configure the ASE with an AppGw for this scenario:
- Deploy an Internal ASE (this can take several hours)
- Deploy App Service Plans within the ASE (this can take 30 minutes to several hours)
- Deploy an AppGw with WAF enabled, and a Public IP for the front end
- Export the SSL certificate of the ASE and acquire the SSL certificate for the custom domain strategicapp.strategiccloudsolutons.co.uk. To acquire the SSL certificate of the ASE refer to the documentation here: https://docs.microsoft.com/bs-latn-ba/azure/application-gateway/create-gateway-internal-load-balancer-app-service-environment#solution
- Add the ASE’s private IP address to the AppGw’s backend pool
- Create an HTTP Setting configuration on the AppGw. When using HTTPS, it’s important to use the SSL certificate of the ASE’s Load Balancer – the HTTP Setting configuration is used to authenticate to the ASE, not to encrypt traffic to the app
- Create a health probe on the AppGw, entering the custom domain in the Host field
- Create a Multisite Listener on the AppGw, setting the frontend IP as private, entering the custom domain in the Host Name field and supplying the SSL certificate for the custom domain
- Deploy your app to an App Service Plan within the ASE
- Configure the custom domain on the app, supplying the SSL certificate for the custom domain
- On your public DNS registrar, create an A record for the custom domain with the public IP of the AppGw
The above steps are not exhaustive; however, they cover the key configuration items you’ll need in order to use an AppGw as the frontend for your ASE.
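One way to check a deployed gateway against the design above is to audit its exported configuration; the Python below is an added example, not part of the original post or any Microsoft tooling. It assumes the configuration is available as JSON using the Application Gateway resource property names (as `az network application-gateway show -o json` prints them), that WAF is configured on the gateway itself rather than through a separate WAF policy, and it uses a constructed private IP and constructed sample data.

```python
# Added example: audit an exported AppGw configuration against the design above.
PUBLIC_HOSTS = {"strategicapp.strategiccloudsolutons.co.uk"}  # from the scenario
ASE_ILB_IP = "10.0.1.11"  # constructed placeholder for the ASE's private IP

def audit_appgw(gw, public_hosts=PUBLIC_HOSTS, ase_ip=ASE_ILB_IP):
    """Return a list of findings; an empty list means the config matches the design."""
    findings = []
    if not (gw.get("webApplicationFirewallConfiguration") or {}).get("enabled"):
        findings.append("WAF is not enabled")
    for pool in gw.get("backendAddressPools", []):
        for addr in pool.get("backendAddresses", []):
            target = addr.get("ipAddress") or addr.get("fqdn")
            if target != ase_ip:
                findings.append(f"pool {pool.get('name')}: unexpected backend {target}")
    for lst in gw.get("httpListeners", []):
        host = lst.get("hostName")
        if not host:
            # A listener with no host name accepts any Host header.
            findings.append(f"listener {lst.get('name')}: no host name set")
        elif host.lower() not in public_hosts:
            findings.append(f"listener {lst.get('name')}: {host} is not meant to be public")
        if lst.get("protocol") == "Https" and not lst.get("sslCertificate"):
            findings.append(f"listener {lst.get('name')}: HTTPS without a certificate")
    for probe in gw.get("probes", []):
        if (probe.get("host") or "").lower() not in public_hosts:
            findings.append(f"probe {probe.get('name')}: host is not the custom domain")
    for s in gw.get("backendHttpSettingsCollection", []):
        certs = s.get("authenticationCertificates") or s.get("trustedRootCertificates")
        if s.get("protocol") == "Https" and not certs:
            findings.append(f"http setting {s.get('name')}: HTTPS without the ASE certificate")
    return findings

# Constructed sample: only the keys the audit reads, not a full export.
GOOD = {
    "webApplicationFirewallConfiguration": {"enabled": True},
    "backendAddressPools": [{"name": "ase", "backendAddresses": [{"ipAddress": "10.0.1.11"}]}],
    "httpListeners": [{"name": "app2", "hostName": "strategicapp.strategiccloudsolutons.co.uk",
                       "protocol": "Https", "sslCertificate": {"id": "custom-domain-cert"}}],
    "probes": [{"name": "app2", "host": "strategicapp.strategiccloudsolutons.co.uk"}],
    "backendHttpSettingsCollection": [{"name": "ase-https", "protocol": "Https",
                                       "authenticationCertificates": [{"id": "ase-cert"}]}],
}
# Constructed misconfiguration: WAF off and a catch-all listener.
BAD = dict(GOOD, webApplicationFirewallConfiguration={"enabled": False},
           httpListeners=[{"name": "any", "protocol": "Https", "sslCertificate": {"id": "c"}}])

if __name__ == "__main__":
    for name, cfg in (("good", GOOD), ("bad", BAD)):
        print(name, audit_appgw(cfg) or "OK")
```

A listener with no host name is flagged because it would forward requests for any of app1 through app4 to the ASE, which defeats the purpose of exposing only app2.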
We hope you’ve found this post useful!