
Deploy Azure App Service Environment with Internal Load Balancer

In this article, I will show you how to deploy an internal Azure App Service Environment (ASE), which shares its hosted app services via an internal load balancer.






An internal Azure Service Environment (ASE) with internal load balancer [Image Credit: Microsoft]

Create A New ASE

Start the creation by clicking Create A Resource > Web + Mobile > App Service Environment. Enter the following details:

  • Name: Enter a unique name in the domain for your new ASE.
  • Subscription: Specify the subscription you want to create the ASE in.
  • Resource Group: Select an existing resource group or create a new one for the ASE resources.

The Virtual Network/Location setting is important because this is where you:

  • Select/create a virtual network
  • Specify the region
  • Create the ASE as an internal one

Click Virtual Network/Location. Here you will enter:

  • Virtual Network: Either select or create a virtual network. Note that the location of the virtual network will be the location of the ASE.
  • VIP Type: Select Internal.
  • Domain: Enter the domain name that will be used for all app services in the app services plan (instead of the usual

Create an internal virtual network ASE [Image Credit: Aidan Finn]

When you close the Virtual Network blade, you can click Create in the App Service Environment blade. The creation job might take around one and a half hours to complete.

Creating a new internal ASE [Image Credit: Aidan Finn]

Eventually, you will have a set of resources. Note that you cannot see an internal load balancer, but there is one.

The resources of a new internal ASE [Image Credit: Aidan Finn]

You can find the internal IP address (, an IPv4 address from the virtual network, which we will use later) of the ASE by opening it and browsing to Settings > IP Addresses. There you will also find the outbound (NAT) address and the management IP address of the ASE.

The IP addresses of the internal ASE [Image Credit: Aidan Finn]

Deploy an App Service / App Services Plan

You can add a new app service, running on an Isolated tier app services plan, to the internal ASE the same way as normal. In the Azure Portal, click Create A Resource > Web + Mobile > Web App. Enter the details for the web app:

  • App Name: This prefix will form a unique FQDN.
  • Subscription: The name of the subscription that the app service and app service plan will be in.
  • Resource Group: The new or existing resource group that the app service and app service plan will be deployed into.
  • OS: Windows – Linux is not supported by ASE.

When you get to App Service/Location, click Create New. Enter the following information:

  • App Service Plan: Give the plan a descriptive name.
  • Location: Select the internal ASE that you just created.
  • Pricing Tier: Choose one of the isolated tier instance sizes.

Create a new Azure isolated tier app service plan in the ASE [Image Credit: Aidan Finn]

Click OK to save the settings in New App Service Plan. You are returned to Web App, where you can optionally enable Application Insights. Click Create and the new app service is deployed into a new app service plan in the internal ASE.

Testing the App Service

The only way to connect to the app service is through the virtual network because, by default, it is only available from the virtual network. Connection methods include:

  • Virtual Network: Deploy a service, such as a virtual machine, on the same virtual network as the app service (but a different subnet), and access the app service.
  • VNet Peering: You can peer the ASE virtual network with another virtual network and connect to the app service from the other virtual network.
  • Virtual Network Gateway: Features such as point-to-site (P2S) VPN, site-to-site (S2S) VPN, or ExpressRoute will give remote users access to the ASE virtual network, and thus the app services hosted in it.
  • Web Application Gateway (WAG): You can deploy a WAG in front of the ASE and use the private IP address of the ASE as a “backend pool” for the Azure layer-7 load balancer/firewall.

Note that in all cases, you must manage DNS to resolve a domain name to the virtual network IP address of the ASE. In my example, I created an ASE with the domain name, so the app service (called petriapp) is called and should resolve to the public IP address of the ASE (

In my example, I did the following:

  1. Added a subnet to the ASE virtual network.
  2. Deployed a virtual machine to the new subnet.
  3. Added a hosts file entry to the guest OS of the Azure virtual machine to resolve to
  4. Browsed from the Azure virtual machine to

Testing an app service in an internal ASE [Image Credit: Aidan Finn]
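The DNS requirement above means every name under the ASE domain has to point at the ASE's internal address inside the virtual network. The following added example (not part of the original article) audits a hosts file for that; the domain `ase.example.internal`, the addresses, the virtual network range, and the function names are constructed placeholders, and only the app name `petriapp` comes from the article.

```python
import ipaddress

# Constructed sample: hosts file from the test VM. The domain
# "ase.example.internal" and all addresses are placeholders.
SAMPLE_HOSTS = """\
# ILB ASE test entries
10.0.1.11    petriapp.ase.example.internal
10.0.1.11    otherapp.ase.example.internal   # second app, same ILB
203.0.113.40 legacy.ase.example.internal
127.0.0.1    localhost
"""

def parse_hosts(text):
    """Yield (address, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, skip it
        for name in fields[1:]:
            yield addr, name.lower().rstrip(".")

def audit_ase_names(text, ase_domain, vnet_cidr, ilb_ip):
    """Return {hostname: verdict} for every name under the ASE domain."""
    vnet = ipaddress.ip_network(vnet_cidr)
    ilb = ipaddress.ip_address(ilb_ip)
    suffix = "." + ase_domain.lower()
    results = {}
    for addr, name in parse_hosts(text):
        if not name.endswith(suffix):
            continue  # not an app in this ASE
        if addr == ilb:
            results[name] = "ok"
        elif addr in vnet:
            results[name] = "in-vnet-but-not-ilb"  # stale or mistyped entry
        else:
            results[name] = "outside-vnet"  # traffic would leave the VNet
    return results
```

An `outside-vnet` verdict is the one to act on first: requests for that name are sent to an address outside the virtual network instead of the internal load balancer.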


The internal ASE is what I think of when I think of isolated app services. The private virtual network connection makes for an interesting deployment that brings the power of the cloud to truly private but still flexible deployments.


Aidan Finn, Microsoft Most Valuable Professional (MVP), has been working in IT since 1996. He has worked as a consultant and administrator for the likes of Innofactor Norway, Amdahl DMR, Fujitsu, Barclays and Hypo Real Estate Bank International where he dealt with large and complex IT infrastructures and MicroWarehouse Ltd. where he worked with Microsoft partners in the small/medium business space.