Skip Navigation

ILB App Service Environment with Azure Firewall

Last updated: 7/9/2021

Resource Manager templates and parameters demonstrating how to deploy App Service environment with Azure Firewall integration

This Azure Resource Manager template was created by a member of the community and not by Microsoft. Each Resource Manager template is licensed to you under a license agreement by its owner, not Microsoft. Microsoft is not responsible for Resource Manager templates provided and licensed by community members and does not screen for security, compatibility, or performance. Community Resource Manager templates are not supported under any Microsoft support program or service, and are made available AS IS without warranty of any kind.


Parameter Name Description
location Location (region) for all resources. Use the location value, not the display name, e.g. eastus, not East US 2
aseName Name of the ASE resource
vnetResourceName The name of the vNet
applicationName Name of the initial ASE App (without the FQDN)
internalLoadBalancingMode 0 = public VIP only, 1 = only ports 80/443 are mapped to ILB VIP, 2 = only FTP ports are mapped to ILB VIP, 3 = both ports 80/443 and FTP ports are mapped to an ILB VIP.
aseSubnetName Subnet name which will contain the App Service Environment
serverFarmsAseAspName Name of the app service
_artifactsLocation The location of resources, such as templates and DSC modules, that the template depends on
_artifactsLocationSasToken The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated.
vnetAddressRange Address range for the virtual network in CIDR notation
aseSubnetAddressRange Address range for the ASE subnet in CIDR notation within the vnetAddress range
aseNSGName Name for the NSG attached to the ASE subnet
aseRouteTableName Name of the Route Table attached to the ASE subnet
azureFirewallName Name of the Azure Firewall
deployAzureFirewall Toggle whether to deploy the Azure Firewall
azureFirewallRouteTableName Name of the Azure Firewall Route Table
azureFirewallSubnetAddressRange Address range that will be used by the Azure Firewall Subnet within the vnetAddress range
azureFirewallPublicIP Name for the Azure Firewall public IP resource
tags The collection of resource tags passed from parameters file
aseSubnetServiceEndpoints Service Endpoints enabled on the ASE subnet
aseManagementIps List of ASE management IP addresses
azureMonitorFQDNs FQDNs to whitelist for Azure Monitor

Use the template


New-AzResourceGroup -Name <resource-group-name> -Location <resource-group-location> #use this command when you need to create a new resource group for your deployment
New-AzResourceGroupDeployment -ResourceGroupName <resource-group-name> -TemplateUri
Install and configure Azure PowerShell

Command line

az group create --name <resource-group-name> --location <resource-group-location> #use this command when you need to create a new resource group for your deployment
az group deployment create --resource-group <my-resource-group> --template-uri
Install and Configure the Azure Cross-Platform Command-Line Interface

More templates by John Scott