The Azure App Service is happy to announce support for the use of Internal Load Balancers (ILBs) with an App Service Environment (ASE) and the ability to deploy an ASE into a Resource Manager (V2) Azure Virtual Network.
These were two of the most requested features for the Azure App Service. Being able to deploy into a Resource Manager Azure Virtual Network (VNet) enables customers to consume resources in their ARM-based VNets. The ILB support enables customers to securely host internet-inaccessible applications, such as line-of-business applications, in the Azure cloud.
Deploying an ASE into a Resource Manager VNet
If you want to make an ASE in a Resource Manager VNet, the VNet must already exist. The Create Virtual Network capability in the ASE creation flow still only creates a Classic (V1) VNet, so you need to create your Resource Manager VNet before you create the ASE. If your Resource Manager VNet already exists, then it is a simple matter of selecting the VNet you want during ASE creation.
In the list of VNets, the Classic VNets say Classic next to the location. For more information on creating an ASE in a Resource Manager VNet, check out the documentation article.
The differences between an ILB ASE and a normal ASE
In a normal ASE, all the traffic to the ASE comes in from an internet-accessible VIP.
The domain names for your apps in that ASE point to the VIP, so all request and publishing access goes through the VIP. You can use network security groups to lock down access to your ASE and even use a WAF with your ASE. The domain names for your apps, though, are in Azure DNS and are public. So what is the solution if you want to host, say, your time tracking app or your invoice processing app on an ASE? You probably don’t want to make that internet accessible in any possible way. This is where the ILB ASE can really shine.
With an ILB, the endpoint is on an IP in your Azure VNet. On top of that, you own your own subdomain. Sure, this means you need to manage your own DNS and HTTPS for the site, but it’s all under your control and in your network space, not the internet. If you have stringent security requirements, then most likely they are met with an ILB ASE.
On top of hosting your intranet apps securely in an ASE, you can also use an ILB ASE for multi-tier applications. There are a number of scenarios where customers want an internet-isolated API capability. In such a scenario you can have an internet-accessible ASE that makes calls to the ILB ASE that don’t traverse the internet.
Making an ILB ASE
Before you make your ILB ASE, set up your DNS if you need to. Making an ILB ASE is practically the same as making an ASE normally. The only difference is setting the VIP Type to Internal.
Go into the VNet Configuration and change the type from External to Internal. When you do so, you will have to provide your own subdomain. Since you are managing your own subdomain, you also need to handle the SSL certificate used by your ILB ASE. That gets uploaded after ILB ASE creation. For more details on making and using an ILB ASE, read this doc.
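Because DNS and the certificate for the subdomain are now yours to manage, it is worth checking both before pointing users at the ILB ASE. The following is an added example, not code from this post or from Azure tooling: it checks that each app hostname is covered by the certificate's names and resolves to a private address. The function names, the sample subdomain and addresses, and the `<app>.scm.<subdomain>` form of the publishing hostname are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample values, not taken from the post.
SUBDOMAIN = "internal.contoso.example"
APPS = ["timetracking", "invoices"]
CERT_SANS = ["*.internal.contoso.example"]
RESOLVED = {  # hostname -> address as resolved from inside the VNet
    "timetracking.internal.contoso.example": "10.0.1.11",
    "timetracking.scm.internal.contoso.example": "10.0.1.11",
    "invoices.internal.contoso.example": "10.0.1.11",
}

def wildcard_covers(pattern, host):
    """Certificate name match: '*' stands for exactly one leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] and (p[0] == "*" or p[0] == h[0])

def audit_ilb_ase(subdomain, apps, cert_sans, resolved):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for app in apps:
        # Assumption: the publishing endpoint is <app>.scm.<subdomain>.
        for host in (f"{app}.{subdomain}", f"{app}.scm.{subdomain}"):
            if not any(wildcard_covers(san, host) for san in cert_sans):
                findings.append(f"certificate does not cover {host}")
            addr = resolved.get(host)
            if addr is None:
                findings.append(f"no DNS record for {host}")
            elif not ipaddress.ip_address(addr).is_private:
                findings.append(f"{host} resolves to non-private address {addr}")
    return findings

if __name__ == "__main__":
    for finding in audit_ilb_ase(SUBDOMAIN, APPS, CERT_SANS, RESOLVED):
        print("FINDING:", finding)
```

With the sample data, the single wildcard name fails for both `.scm.` hostnames because a certificate wildcard matches only one label, so a second name for the publishing hostnames is needed.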