ASE v3 questions

Matt Darket 1 Reputation point
2021-01-10T18:56:51.057+00:00

Hi everyone,

I need to create an Azure infrastructure to host our web apps in a secure way using ASE v3.

The ASE v3 will contain more than 5 app services all with a custom domains (multi-site situatioin: for example site1.domain, site2.domain, site3.domain etc.)

I thought the infrastructure in this way:

Azure Front door with WAF as the entry point --> it forward the packets to Public IP of Azure Firewall.

First question: Could I set a DNAT rule to point the traffic to the Private Endpoint of ASE v3? Or I need introduce an Applcation Gateway (with only private IP) to route the traffic in the correct way to the app services?

In other words, how can I make the packets flow?

1) Azure Front Door --> Azure Firewall --> ASE v3

2) Azure Front Door --> Azure Firewall --> Application Gateway (with WAF?) --> ASE v3?

Second question: I don't understand with ASE v3, if I still have to follow the following guide (https://learn.microsoft.com/en-us/azure/app-service/environment/firewall-integration) to configure the Azure firewall or not. I seemed to understand that all network connections are managed by Microsoft. So need I any configurations on Azure Firewall in an infrastructure as described above?

Third question: Can I setup the pipelines with DevOps to deploy on these app services without a Self-Hosted release agent installed on a VM?

Thank you for all!
Regards,

Matt

Azure Front Door
Azure Front Door
An Azure service that provides a cloud content delivery network with threat protection.
587 questions
Azure Firewall
Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
578 questions
Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
6,957 questions
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. brtrach-MSFT 15,261 Reputation points Microsoft Employee
    2021-01-13T00:51:08.933+00:00

    @Matt Darket Thank you for your interest in ASE V3. If you haven't already, please review the current limitations with ASE V3 as it's in public preview state to ensure these won't block your plans. (preview products are traditionally not recommended for production workloads)

    You mention your scenario using the private endpoint for inbound traffic. Please note that this will change to a load balancer when ASE V3 becomes Globally Available (GA) so you will need to change that, which could lead to downtime. There is also a chance that you might have to move from a preview environment to a GA environment as it's not clear how they will swap to load balancers in GA without causing downtime for customers. Something to keep in mind.

    From my understanding, if you want traffic that has come from the internet, you will need to use an App Gateway.

    In regards to the firewall settings, ASE V3 has removed all the management traffic from flowing into your ASE via your VNET. This is good news as it allows you to configure your firewall as tightly as needed without breaking your ASE. So you will not need to follow the steps listed in the document you linked.

    While in preview, the ASE won't have built in support for an internet accessible endpoint. You could add an Application Gateway for such a purpose. This should allow you to not need a Azure VM connected to the ASE VNET to perform deployments as was sometimes required with an ILB ASE V2.

    We hope this helps to answer your questions. Please let us know if there are any more and we would be happy to answer them.

    0 comments
  2. Mitch Buenaventura 1 Reputation point
    2021-02-05T19:00:25.037+00:00

    @brtrach-MSFT

    Is there a target date for GA for ASE v3?

    I know this is mentioned in the list of limitations but will there be migration capabilities or tools provided to easily convert from v2 to v3? It's not necessarily defined as a NO but listed as a limitation which makes me want to believe there will be a way to upgrade?