Use Direct Line App Service extension within a virtual network
Starting September 1, 2023, it is strongly advised to use the Azure Service Tag method for network isolation. Use of DL-ASE should be limited to highly specific scenarios. Before implementing this solution in a production environment, we recommend consulting your support team for guidance.
APPLIES TO: SDK v4
This article describes how to use the Direct Line App Service extension with an Azure Virtual Network (VNET).
Create an App Service Environment and other Azure resources
- The Direct Line App Service extension is available on all Azure App Services, including those hosted within an Azure App Service Environment. An Azure App Service Environment provides isolation and is ideal for working within a VNET.
- Instructions for creating an external App Service Environment can be found in the Create an External App Service environment article.
- Instructions for creating an internal App Service Environment can be found in the Create and use an Internal Load Balancer App Service Environment article.
- After you create your App Service Environment, add an App Service Plan inside of it where you can deploy your bots (and thus run Direct Line App Service extension). To do this:
  - Go to the Azure portal.
  - Create a new "App Service Plan" resource.
  - Under Region, select your App Service Environment.
  - Finish creating your App Service Plan.
Configure the VNET Network Security Groups (NSG)
Direct Line App Service extension requires an outbound connection so that it can issue HTTP requests. This can be configured as an outbound rule in the VNET NSG that is associated with the App Service Environment's subnet. The required rule is as follows:
| Field | Value |
| --- | --- |
| Source | Any |
| Source Port | * |
| Destination | Service Tag |
| Destination Service Tag | AzureBotService |
| Destination port ranges | 443 |
| Protocol | Any |
| Action | Allow |

If your bot uses OAuth for user sign in to Microsoft Entra ID, add a second outbound rule that's associated with https://login.microsoftonline.com/botframework.com:

| Field | Value |
| --- | --- |
| Source | Any |
| Source Port | * |
| Destination | Service Tag |
| Destination Service Tag | AzureActiveDirectory |
| Destination port ranges | 443 |
| Protocol | Any |
| Action | Allow |
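
One way to verify that both rules are actually in effect is to audit the NSG's exported rule list. The following is an added example, not code from the original article or from Microsoft. It assumes the rules are exported as JSON in the shape produced by `az network nsg rule list -o json`; the sample rule names and priorities are constructed, and the helper names are hypothetical.

```python
import json

# Constructed sample in the shape of `az network nsg rule list -o json` output;
# rule names and priorities are made up for this example.
SAMPLE_RULES = json.loads("""[
  {"name": "allow-bot-service", "priority": 200, "direction": "Outbound",
   "access": "Allow", "protocol": "*",
   "destinationAddressPrefix": "AzureBotService", "destinationPortRange": "443"},
  {"name": "deny-internet-out", "priority": 300, "direction": "Outbound",
   "access": "Deny", "protocol": "*",
   "destinationAddressPrefix": "Internet", "destinationPortRange": "*"}
]""")

def ports_cover(rule, port):
    """True if the rule's destination port range(s) include `port`."""
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange") or ""]
    for r in ranges:
        lo, _, hi = r.partition("-")
        hi = hi or lo
        if r == "*" or (lo.isdigit() and hi.isdigit() and int(lo) <= port <= int(hi)):
            return True
    return False

def effective_action(rules, tag, port=443):
    """Return (access, rule name) of the first outbound rule matching tag:port.

    NSG rules are evaluated in ascending priority and the first match wins.
    Assumption: "*" and "Internet" destinations also cover the service tag.
    Source fields are not evaluated. (None, None) means no listed rule matched.
    """
    outbound = [r for r in rules if r.get("direction") == "Outbound"]
    for rule in sorted(outbound, key=lambda r: r["priority"]):
        dests = rule.get("destinationAddressPrefixes") or [rule.get("destinationAddressPrefix")]
        if not any(d in (tag, "*", "Internet") for d in dests):
            continue
        if (rule.get("protocol") or "*").lower() not in ("*", "tcp"):
            continue
        if ports_cover(rule, port):
            return rule["access"], rule["name"]
    return None, None

def audit(rules, uses_oauth=False):
    """Check the outbound rule(s) this article requires; the second only for OAuth bots."""
    tags = ["AzureBotService"] + (["AzureActiveDirectory"] if uses_oauth else [])
    return {tag: effective_action(rules, tag) for tag in tags}

if __name__ == "__main__":
    for tag, (access, name) in audit(SAMPLE_RULES, uses_oauth=True).items():
        print(f"{tag}:443 -> {access} (rule: {name})")
```

In the constructed sample, the AzureBotService rule is present but the AzureActiveDirectory rule is missing, so OAuth sign-in traffic is caught by the lower-priority deny rule.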