Skip navigation

ILB App Service Environment with Azure Firewall

Last updated: 2021-07-09

Resource Manager templates and parameters demonstrating how to deploy App Service environment with Azure Firewall integration

This Azure Resource Manager (ARM) template was created by a member of the community and not by Microsoft. Each ARM template is licensed to you under a licence agreement by its owner, not Microsoft. Microsoft is not responsible for ARM templates provided and licensed by community members and does not screen for security, compatibility or performance. Community ARM templates are not supported under any Microsoft support programme or service, and are made available AS IS without warranty of any kind.


Parameter Name Description
location Location (region) for all resources. Use the location value, not the display name, e.g. eastus, not East US 2
aseName Name of the ASE resource
vnetResourceName The name of the vNet
applicationName Name of the initial ASE App (without the FQDN)
internalLoadBalancingMode 0 = public VIP only, 1 = only ports 80/443 are mapped to ILB VIP, 2 = only FTP ports are mapped to ILB VIP, 3 = both ports 80/443 and FTP ports are mapped to an ILB VIP.
aseSubnetName Subnet name which will contain the App Service Environment
serverFarmsAseAspName Name of the app service
_artifactsLocation The location of resources, such as templates and DSC modules, that the template depends on
_artifactsLocationSasToken The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated.
vnetAddressRange Address range for the virtual network in CIDR notation
aseSubnetAddressRange Address range for the ASE subnet in CIDR notation within the vnetAddress range
aseNSGName Name for the NSG attached to the ASE subnet
aseRouteTableName Name of the Route Table attached to the ASE subnet
azureFirewallName Name of the Azure Firewall
deployAzureFirewall Toggle whether to deploy the Azure Firewall
azureFirewallRouteTableName Name of the Azure Firewall Route Table
azureFirewallSubnetAddressRange Address range that will be used by the Azure Firewall Subnet within the vnetAddress range
azureFirewallPublicIP Name for the Azure Firewall public IP resource
tags The collection of resource tags passed from parameters file
aseSubnetServiceEndpoints Service Endpoints enabled on the ASE subnet
aseManagementIps List of ASE management IP addresses
azureMonitorFQDNs FQDNs to whitelist for Azure Monitor

Use the template


New-AzResourceGroup -Name <resource-group-name> -Location <resource-group-location> #use this command when you need to create a new resource group for your deployment
New-AzResourceGroupDeployment -ResourceGroupName <resource-group-name> -TemplateUri
Installing and configuring Azure PowerShell

Command line

az group create --name <resource-group-name> --location <resource-group-location> #use this command when you need to create a new resource group for your deployment
az group deployment create --resource-group <my-resource-group> --template-uri
Installing and configuring the Azure cross-platform command-line interface

More templates by John Scott