Application Hosting plan ASE

Question

Application Hosting plan ASE

prasantc 976

How to secure the network traffic between different web apps hosted in a single application service environment

SnehaAgrawal-MSFT 22,706 Reputation points Moderator

2023-09-05T15:06:36.1866667+00:00

@prasantc seems /25 should be enough. If you're estimating 54 address, the /25 would leave them with 69 available addresses (/25 => 128 - 5 (azure managed) - 54). If your scale out rules change or add more services, you'll have to keep that in mind. If all you don't intend segment the subnet, then would suggest using /24 and take up the entire subnet for additional headroom.

Accepted answer

0 additional answers

Your answer

SnehaAgrawal-MSFT 22,706 Reputation points Moderator

2023-09-05T15:06:36.1866667+00:00

@prasantc seems /25 should be enough. If you're estimating 54 address, the /25 would leave them with 69 available addresses (/25 => 128 - 5 (azure managed) - 54). If your scale out rules change or add more services, you'll have to keep that in mind. If all you don't intend segment the subnet, then would suggest using /24 and take up the entire subnet for additional headroom.

Answer 1

@prasantc Private endpoints in Azure App Service Environment allow you to securely access your web apps over Azure Private Link. Private endpoints provide secure connectivity between clients on your private network and your app.

The private endpoint is assigned an IP address from the IP address range of your virtual network.

The connection between the private endpoint and the app uses a secure Private Link. Private endpoints are only used for incoming traffic to your app. Outgoing traffic won't use this private endpoint.

Using private endpoints for your app enables you to:

Secure your app by configuring the private endpoint and disable public network access to eliminating public exposure
Securely connect to your app from on-premises networks that connect to the virtual network using a VPN or ExpressRoute private peering
Avoid any data exfiltration from your virtual network

In order to enable private endpoint for apps hosted in an IsolatedV2 plan (App Service Environment v3), you have to enable the private endpoint support at the App Service Environment level. You can activate the feature by the Azure portal in the App Service Environment configuration pane, or through the following CLI:

az appservice ase update --name myasename --allow-new-private-endpoint-connections true

For more details you may refer to below official document links would be helpful

https://learn.microsoft.com/en-us/azure/app-service/networking/private-endpoint
https://learn.microsoft.com/en-us/azure/app-service/environment/networking Let us know if further query or issue remains.

prasantc 976 Reputation points

2023-08-31T23:13:52.0033333+00:00

Thank for the URL. I did read those link but I was little confused about private endpoint on ASE,, as thought the traffic for the web app in ASE is always internal unless I use external LAB or App gateway. Secondly, I was trying to research on securing traffic between 6 separate web app hosted in ASE instead of having separate hosting plan.

In a different (I may have to post separate question) but I am trying to find out if /25 CIDR would be good enough for ASE hosting 15-18 web app. Considering, scale up operations IPs, hosting VM ips, SCM IPs , deployment slots IPs and any other services. I am going by 18 X 3 = 54 please room for other servcices.

Share via

Application Hosting plan ASE

0 additional answers

Your answer