Hi @JMN-2253, thanks for the question. Can you please share which Azure articles you're referring to?
To answer your first question, you can deploy a Network Security Group (NSG) for your App Service Environment v3 by following these steps:
- Install an App Service Environment: When you install an App Service Environment, you pick the Azure virtual network that you want it to be deployed in.
- Delegate the subnet: You must delegate the subnet to Microsoft.Web/hostingEnvironments, and the subnet must be empty.
- Size the subnet: The size of the subnet can affect the scaling limits of the App Service plan instances within the App Service Environment. It’s a good idea to use a /24 address space (256 addresses) for your subnet, to ensure enough addresses to support production scale<sup>1</sup>.
- Configure using Azure Resource Explorer: You can update the App Service Environment by using Azure Resource Explorer. In Resource Explorer, go to the node for the App Service Environment and select Read/Write in the upper toolbar to allow interactive editing in Resource Explorer.
- Edit the Resource Manager template: Select the blue Edit button to make the Resource Manager template editable. Modify one or more of the settings ftpEnabled, remoteDebugEnabled, allowNewPrivateEndpointConnections, that you want to change.
- Commit the change: Select the green PUT button that’s located at the top of the right pane to commit the change to the App Service Environment. The change takes effect within a minute.
Please note that all of the inbound and outbound application traffic is inside the virtual network you specify. You deploy into a single subnet in your virtual network, and nothing else can be deployed into that subnet.
As for the second question, you can use NAT gateway with Azure Firewall for your App Service Environment v3 when you:
- Deploy your Firewall to an Azure Firewall Subnet within its own virtual network (Hub Vnet).
- Add NAT gateway to the Azure Firewall Subnet and attach at least one public IP address.
- Use Regional VNet Integration for your App Service Environment v3 and configure the route tables and user-defined routes to direct the traffic to the Azure Firewall Subnet.
Key differences from old firewall:
- NAT rules are defined directly on the firewall resource.
- No need for standalone NAT gateway.
- Set source to "Any" rather than ASE subnet.
You can read here about the old vs new Azure firewall features
Hope that helps
-Grace
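
The subnet prerequisites and editable settings listed in the answer above can be checked before deployment. The following is an added example, not part of the answer and not Microsoft tooling: the function names and the sample JSON are constructed for illustration, and the input is assumed to be ARM-style subnet and ASE networking-configuration objects with IPv4 prefixes.

```python
import ipaddress

ASE_DELEGATION = "Microsoft.Web/hostingEnvironments"
# Settings the answer says can be edited in Resource Explorer.
REVIEW_SETTINGS = ("ftpEnabled", "remoteDebugEnabled",
                   "allowNewPrivateEndpointConnections")


def check_subnet(subnet: dict) -> list:
    """Return findings for an ARM-style subnet object intended for ASEv3."""
    props = subnet.get("properties", {})
    findings = []
    delegated = [d.get("properties", {}).get("serviceName", "")
                 for d in props.get("delegations", [])]
    if not any(s.lower() == ASE_DELEGATION.lower() for s in delegated):
        findings.append(f"subnet is not delegated to {ASE_DELEGATION}")
    # The subnet must be empty: attached resources appear as ipConfigurations.
    if props.get("ipConfigurations"):
        findings.append("subnet is not empty")
    # /24 (256 addresses) is the suggested size; a longer prefix is smaller.
    net = ipaddress.ip_network(props.get("addressPrefix", "0.0.0.0/32"),
                               strict=False)
    if net.prefixlen > 24:
        findings.append(f"subnet {net} is smaller than /24 "
                        f"({net.num_addresses} addresses)")
    if "networkSecurityGroup" not in props:
        findings.append("no NSG associated with the subnet")
    return findings


def enabled_settings(networking: dict) -> list:
    """List which of the editable ASE settings are currently switched on."""
    props = networking.get("properties", {})
    return [name for name in REVIEW_SETTINGS if props.get(name) is True]


# Constructed sample data, not taken from a real deployment.
SAMPLE_SUBNET = {"name": "ase-subnet", "properties": {
    "addressPrefix": "10.0.1.0/26",
    "delegations": [{"properties": {"serviceName": ASE_DELEGATION}}],
    "ipConfigurations": []}}
SAMPLE_NETWORKING = {"properties": {
    "ftpEnabled": True, "remoteDebugEnabled": False,
    "allowNewPrivateEndpointConnections": False}}

if __name__ == "__main__":
    for finding in check_subnet(SAMPLE_SUBNET):
        print("subnet:", finding)
    print("enabled settings to review:", enabled_settings(SAMPLE_NETWORKING))
```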