I wanna host three Web Apps on App Service Environment 3 (like the below diagram). Also, an Application Gateway control and routes incoming traffic between three Web Apps based on domain address. When I create ASE v3, I should select Public IP or Private IP. If I select Public IP, my problem is Web Apps have direct access via the Internet. If I select Private IP, my problem is I couldn't publish from Azure DevOps from the Internet. What is the best solution for this scenario?

The external option does not have to be directly accessible via the Internet. You can still put an application gateway (WAF) or Azure firewall in front of the ASE as a frontend to the public IP address of your ASE as per your diagram. The ILB option would be using a private IP address on the ASE instead but still requires the WAF/Firewall in front of it. https://learn.microsoft.com/en-us/azure/app-service/environment/networking#network-routing

Which type of App Service Environment v3 (Public IP or Private IP) is suitable for this scenario?

Accepted answer

Alan Kinane 16,791 Reputation points MVP

2022-02-28T09:37:21.29+00:00

The external option does not have to be directly accessible via the Internet. You can still put an application gateway (WAF) or Azure firewall in front of the ASE as a frontend to the public IP address of your ASE as per your diagram. The ILB option would be using a private IP address on the ASE instead but still requires the WAF/Firewall in front of it.

https://learn.microsoft.com/en-us/azure/app-service/environment/networking#network-routing
Please sign in to rate this answer.
Mohsen Akhavan 936 Reputation points

2022-02-28T10:23:47.01+00:00

@Alan Kinane Thanks Alan for your response. I need more clarification.

Currently, I have an ASE with Private IP. After creating a Web App on this ASE, I have a Web App with a Private IP and an URL like https://testapp.app-plan-ase.appserviceenvironment.net. This URL doesn't accessible from the Internet. I deploy an Application Gateway in the frontend and add a policy to forward incoming traffic to this Web App if the user sends the request to testapp.mydomain.com. It works well but my problem is when I want to deploy to Web App from Azure DevOps. Because this URL it's not accessible from the internet and it's valid on the local network.

Do you mean I can use ASE with Public IP?

After that, all my Web Apps have a public IP and also have an URL like https://testapp.azurewebsites.net. This URL is accessible from the Internet and I can deploy it to this Web App from Azure DevOps. Also, I deploy an Application Gateway in the frontend and add a policy to forward incoming traffic to this Web App if the user sends the request to testapp.mydomain.com. In this scenario, my problem is this web app is accessible from both sides https://testapp.azurewebsites.net and testapp.mydomain.com. I can control incoming traffic when the user sends a request to testapp.mydomain.com but how can I control incoming traffic if the user sends the request directly to https://testapp.azurewebsites.net?

Alan Kinane 16,791 Reputation points MVP

2022-02-28T10:52:58.3+00:00

OK, if you have the application gateway in place then you can restrict access to only be allowed from the application gateway instead of direct to azurewebsites.net

https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions#add-an-access-restriction-rule

For the ILB approach, you would need to create a VM on the VNET where your ASE is deployed and use a self-hosted agent.
https://learn.microsoft.com/en-us/azure/app-service/environment/using-an-ase#publishing

Mohsen Akhavan 936 Reputation points

2022-03-05T19:31:37.173+00:00

@Alan Kinane Regarding your comment, I tested but I need more clarification.

Currently, I configure Application Gateway to forward my request from portal.mydomain.com to my web app. Now, when I request portal.mydomain.com the web app loaded well and the URL changed to https://app-portal.p.azurewebsites.net. My configuration is:

This configuration works well but I have two problems:

Direct Access to web app URL https://app-portal.p.azurewebsites.net

Change URL

As you quote, I restricted azurewebsites.net on the web app like the below picture:

When I request https://app-portal.p.azurewebsites.net I received

But when I request portal.mydomain.com I received

Is correct my configuration? Do you have any idea?

Alan Kinane 16,791 Reputation points MVP

2022-03-07T09:13:05.97+00:00

Instead of the deny rule in access restrictions, can you instead use an allow rule and restrict this to the public IP address of the application gateway. This will allow access from this IP address only.

For the URL changing, you probably need to configure this in the HTTP settings of the application gateway, maybe override the host name.
Sign in to comment