Do I Need to Deploy an App Service Environment (ASE)
In an earlier blog post we looked at deploying a web application to Azure App Service in the multi-tenant environment. What we need to determine now is whether that deployment model meets your application's requirements.
There are three different deployment models for App Service:
1. Multi-tenant: applications that you can host in a public-facing environment.
2. App Service Environment (ASE): isolated in your virtual network.
   - Endpoints under tighter control
   - Larger scale, more power and more security for your applications
   - Ability to work with VPNs
   - Internal compliance (a PCI-compliant environment, e.g. banking, financials etc.)
3. Azure Stack: deployment of App Service into your on-premises environment.
So can I not lock down my app with multi-tenant? Well, you can to a degree: you can use IP filtering or integrate with an Application Gateway, but the multi-tenant environment still has shared public endpoints.
Your apps are in public DNS and the endpoints are public.
Azure has a lot of built-in security around the service, but you can't use an NSG to restrict access to the app's IP in this model.
What is an App Service Environment?
An App Service Environment v2 is a fully isolated and dedicated environment for securely running Azure App Service apps at high scale; this includes Web Apps, Mobile Apps and API Apps. It is essentially a deployment of Azure App Service into a subnet of your network, so think of it as your private Platform-as-a-Service environment in the cloud.
The key point about the App Service Environment is that it deploys into a subnet inside your Azure virtual network. Once it is inside your virtual network you can control access to the apps' endpoints, which gives greater security.
But it is still a PaaS service, so Microsoft still manages it for you.
You can create two different types of ASE:
- Internal ASE (ILB ASE)
  - Private IP addresses, perhaps for internal applications that you don't want to have a public-facing endpoint.
  - Connect to the ASE via VPN.
  - Could front it with a WAF device to allow public access.
  - Because the apps in an ILB ASE are exposed on a private IP address, you can easily add WAF devices to expose just the apps that you want to the internet and keep the rest private. It lends itself to easy development of multi-tier applications.
- External ASE
  - Most basic model, most commonly used.
  - Gives a public-facing endpoint to access the ASE, similar to the multi-tenant scenario, but now you can use an NSG to lock down access.
  - Also allows assigning an IP address to a specific application.
So when does it make sense to pay the premium price of the App Service Environment?
- When we need to restrict the App Services to be accessible only from within the VNet, or via ExpressRoute or a site-to-site VPN
- When we need to control inbound and outbound traffic to and from our App Services
- When we need a connection between the App Services and on-premises without going via the public Internet
- When we require larger scale (more than 20 instances)
- When a static outbound IP address for the App Service is required
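The NSG lockdown mentioned for the ASE above, and the first two criteria in this list, in template form. This is an added example, not code from the original post: it assumes an ASE v2 subnet in an existing VNet, with the 10.10.1.0/24 range and the resource names constructed for illustration.

```bicep
// Added example, not from the original post: NSG rules for an ASE v2 subnet.
// Assumptions: the subnet range 10.10.1.0/24 and the resource names are constructed
// for illustration; the NSG still has to be associated with the ASE subnet.
param location string = resourceGroup().location
param aseSubnetPrefix string = '10.10.1.0/24'

resource aseNsg 'Microsoft.Network/networkSecurityGroups@2022-07-01' = {
  name: 'nsg-snet-ase'
  location: location
  properties: {
    securityRules: [
      {
        // ASE v2 management traffic uses TCP 454-455 from the AppServiceManagement
        // service tag; an NSG that drops it breaks the environment.
        name: 'Allow-ASE-Management'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: 'AppServiceManagement'
          sourcePortRange: '*'
          destinationAddressPrefix: aseSubnetPrefix
          destinationPortRange: '454-455'
        }
      }
      {
        // Only callers inside the VNet (peered VNets and on-premises via
        // ExpressRoute or site-to-site VPN included) may reach the apps over HTTPS.
        // Everything else from the Internet is dropped by the default DenyAllInBound rule.
        name: 'Allow-HTTPS-From-VNet'
        properties: {
          priority: 110
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: 'VirtualNetwork'
          sourcePortRange: '*'
          destinationAddressPrefix: aseSubnetPrefix
          destinationPortRange: '443'
        }
      }
    ]
  }
}
```

Associate the NSG with the ASE subnet on the VNet; a misplaced deny on 454-455 is the usual reason an ASE shows as unhealthy after a lockdown, so check that rule first when troubleshooting.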
ASE Pricing
There is a flat monthly fee for an ASE deployment plus the additional App Service plan costs. All apps hosted within an ASE must use the Isolated pricing SKU, so you really need to make sure it is absolutely necessary to deploy one.
https://azure.microsoft.com/en-us/pricing/details/app-service/windows/
Useful Links
https://docs.microsoft.com/en-us/azure/app-service/networking-features