How to deploy App Service Environment v3 Network Security Group

JMN-2253 596 Reputation points

Hello Pro

1-How to deploy App Service Environment v3 Network Security Group?

2-How can ASE v3 be NATted using Azure Firewall? The current article states the steps for the old firewall, which don't apply to the new one.

I found a couple of articles, but none of them are really clear to us.


Azure App Service

1 answer

  1. Grmacjon-MSFT 16,596 Reputation points

    Hi @JMN-2253, thanks for the question. Can you please share which Azure articles you're referring to?

    To answer your first question, you can deploy a Network Security Group (NSG) for your App Service Environment v3 by following these steps:

    1. Install an App Service Environment: When you install an App Service Environment, you pick the Azure virtual network that you want it to be deployed in.
    2. Delegate the subnet: You must delegate the subnet to Microsoft.Web/hostingEnvironments, and the subnet must be empty.
    3. Size the subnet: The size of the subnet can affect the scaling limits of the App Service plan instances within the App Service Environment. It’s a good idea to use a /24 address space (256 addresses) for your subnet, to ensure enough addresses to support production scale.
    4. Configure using Azure Resource Explorer: You can update the App Service Environment by using Azure Resource Explorer. In Resource Explorer, go to the node for the App Service Environment and select Read/Write in the upper toolbar to allow interactive editing in Resource Explorer.
    5. Edit the Resource Manager template: Select the blue Edit button to make the Resource Manager template editable. Modify one or more of the settings ftpEnabled, remoteDebugEnabled, allowNewPrivateEndpointConnections that you want to change.
    6. Commit the change: Select the green PUT button that’s located at the top of the right pane to commit the change to the App Service Environment. The change takes effect within a minute.

    Please note that all of the inbound and outbound application traffic is inside the virtual network you specify. You deploy into a single subnet in your virtual network, and nothing else can be deployed into that subnet.

    As for the second question, you can use NAT gateway with Azure Firewall for your App Service Environment v3 when you:

    1. Deploy your Firewall to an Azure Firewall Subnet within its own virtual network (Hub Vnet).
    2. Add NAT gateway to the Azure Firewall Subnet and attach at least one public IP address.
    3. Use Regional VNet Integration for your App Service Environment v3 and configure the route tables and user-defined routes to direct the traffic to the Azure Firewall Subnet.

    Key differences from old firewall:

    • NAT rules are defined directly on the firewall resource.
    • No need for standalone NAT gateway.
    • Set source to "Any" rather than ASE subnet.

    You can read here about the old vs new Azure firewall features.

    Hope that helps
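
A pre-deployment check for the subnet requirements and the firewall route described in the answer above, as an added example that is not part of the original thread or of any Microsoft tooling. It assumes subnet and route table definitions in ARM JSON layout with a single `addressPrefix`; the function names, sample resources, placeholder IDs and IP addresses are constructed for illustration.

```python
import ipaddress

ASE_DELEGATION = "Microsoft.Web/hostingEnvironments"

def check_ase_subnet(subnet):
    """Return findings for one subnet (ARM layout), checked before the ASE is created."""
    props = subnet.get("properties", {})
    findings = []
    delegated = {d.get("properties", {}).get("serviceName", "").lower()
                 for d in props.get("delegations", [])}
    if ASE_DELEGATION.lower() not in delegated:
        findings.append("subnet is not delegated to " + ASE_DELEGATION)
    if props.get("ipConfigurations"):  # NICs already attached: subnet is in use
        findings.append("subnet is not empty")
    try:
        net = ipaddress.ip_network(props.get("addressPrefix", ""))
        if net.prefixlen > 24:  # a longer prefix means fewer than 256 addresses
            findings.append(f"{net} is smaller than the suggested /24")
    except ValueError:
        findings.append("addressPrefix is missing or invalid")
    if not (props.get("networkSecurityGroup") or {}).get("id"):
        findings.append("no network security group is associated")
    return findings

def egress_via_firewall(route_table, firewall_ip):
    """True if a 0.0.0.0/0 user-defined route points at the firewall's private IP."""
    for route in route_table.get("properties", {}).get("routes", []):
        p = route.get("properties", {})
        if (p.get("addressPrefix") == "0.0.0.0/0"
                and p.get("nextHopType") == "VirtualAppliance"
                and p.get("nextHopIpAddress") == firewall_ip):
            return True
    return False

# Constructed sample resources (names, IDs and addresses are placeholders).
GOOD_SUBNET = {"name": "snet-ase", "properties": {
    "addressPrefix": "10.0.2.0/24",
    "delegations": [{"properties": {"serviceName": ASE_DELEGATION}}],
    "networkSecurityGroup": {"id": "<nsg-resource-id>"}}}
BAD_SUBNET = {"name": "snet-shared", "properties": {
    "addressPrefix": "10.0.3.0/27",
    "ipConfigurations": [{"id": "<nic-ip-config-id>"}]}}
ROUTES = {"properties": {"routes": [{"properties": {
    "addressPrefix": "0.0.0.0/0", "nextHopType": "VirtualAppliance",
    "nextHopIpAddress": "10.0.1.4"}}]}}

if __name__ == "__main__":
    for s in (GOOD_SUBNET, BAD_SUBNET):
        print(s["name"], check_ase_subnet(s) or "ok")
    print("egress via firewall:", egress_via_firewall(ROUTES, "10.0.1.4"))
```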