
What Is App Service Environment?

In this post, I will explain how you can run Azure App Services in an isolated or virtual network-connected deployment and why, despite the price, it was the right choice for some projects I’ve been working on.



Normal App Services

When you deploy an app services plan (a set of under-the-cover virtual machines) to host one or more app services in the Free, Shared, Basic, Standard, or Premium tiers, the infrastructure that your app services are deployed into is multi-tenant. This means that the virtual machines that make up your app services plan are in a shared pool. Those virtual machines might be dedicated to you, but they come from a shared environment. A set of transparent and hidden front-end servers (offering the load balancing functionality) is shared between all of the tenants (customers) using the virtual machines in this app services environment. And finally, because you are in a multi-tenant environment, the app service plan is not connected directly to a virtual network, although you can connect your app services to a virtual network via a point-to-site (P2S) VPN connection and use this to route externally via a site-to-site VPN connection.

The goal of app services is to make things easy for you. But easy means making some small compromises. For a small number of customers, these compromises are too much. Because of this, Microsoft launched the Isolated tier app services plan, which allows you to deploy your own app services environment (ASE).

App Services Environment (ASE)

The term ASE is normally used to describe a customer’s deployment of the isolated tier app services plan, but it’s something that I have also heard Microsoft use to describe the hidden pieces of the other tiers. Typically, if you hear ASE, then it’s a reference to the Isolated tier.

In short, the Isolated tier app services plan must be deployed into an ASE. The ASE provides a single customer with a completely private deployment of app services. There are a few traits to this:

  • Privacy: The customer has a completely private, single-tenant deployment, offering them total control over Internet connectivity, security and compliance.
  • Virtual Network: The virtual machines of the app services plan are connected to a virtual network. This allows for some interesting architectural possibilities, which have caused me to recommend ASE twice in recent weeks. I originally thought that I’d never recommend an Isolated tier because of the cost but I was wrong.
  • Deployment: There are two deployment types; you can publish an ASE using a public IP address (the same as many other IaaS components in Azure) or using an internal Azure Load Balancer.


Like several other parts of the Azure PaaS catalogue, ASE is built on IaaS components. One will have to understand virtual networks, IP addresses, load balancers, Network Security Groups, and more. This is more evidence that, even with an advanced PaaS deployment, the future career of IT pros (who are willing to do continuous re-learning) is secure. Although, “disk monkeys” are probably still at great risk.

External ASE

The first type of ASE deployment is an external ASE, which uses a public IP (PIP) address to make the web apps available to the Internet. The first benefit of this approach is that you get a single-tenant (you) ASE but it’s still on the Internet. The second benefit of this approach is that the instances of the app service plan(s) that you deploy in the ASE are connected to a virtual network, just like virtual machines. Now some interesting architectural possibilities arise (more on this later).

Internal ASE

The second type of ASE is an internal deployment, where the ASE is shared to the virtual network via an internal Azure load balancer with a private IP address from the virtual network. Note that with this deployment type, you have sole responsibility for managing the DNS of the app services.

It is up to you if you deploy the app service(s) on the Internet or not, and if you do, how you accomplish it. There are plenty of interesting ways to share a private IP address to the Internet in Azure, including the web application gateway, third-party firewall appliances, and more. The architectural possibilities are interesting!

Virtual Network Connectivity

The reason that ASE has popped up, unexpectedly, in proposals that I have written, is the connectivity to virtual networks. Don’t get me wrong, a more traditional app service plan does offer network connectivity:

  • Hybrid Network Connections: A secure tunnel to a TCP-based service, such as SQL Server, typically running on-premises or in another cloud.
  • VPN: A point-to-site VPN connection to a virtual network using a gateway, which can route to on-premises via a site-to-site VPN.

The problem with both of those approaches is scale. In one of my proposals, the customer needed many connections to suppliers and partners without deploying any change-making software. If an ASE can be deployed into a virtual network, then a VPN gateway can enable those connections without deploying any software. The higher sizes of gateway support up to 30 site-to-site VPN tunnels.

An Azure Service Environment connects to a virtual network [Image Credit: Microsoft]

The ASE also has the ability to talk directly to virtual machines on the virtual network. That works both ways. Another customer has a preference to use a certain brand of firewall for edge network security. That firewall can be run as a virtual appliance in Azure, so it can be deployed on an edge subnet in the virtual network and route to the private IP address of an internal ASE deployment (internal load balancer).

Or if a customer wishes, the ASE can be published to on-premises users via an ExpressRoute or VPN connection, with no Internet connection at all! The customer gets the cloud benefits of a PaaS deployment but with the security of an isolated installation.


When I saw the fixed cost of an ASE (~$1,043.82/month RRP in East US) plus the cost of the Isolated tier instances (starting at ~$219/month RRP in East US), I thought I would never deploy ASE. However, when we compared the architectural, technical, and operational (developer) benefits with the alternatives, ASE with the Isolated app services tier was a no-brainer.

Aidan Finn, Microsoft Most Valuable Professional (MVP), has been working in IT since 1996. He has worked as a consultant and administrator for the likes of Innofactor Norway, Amdahl DMR, Fujitsu, Barclays and Hypo Real Estate Bank International where he dealt with large and complex IT infrastructures and MicroWarehouse Ltd. where he worked with Microsoft partners in the small/medium business space.