DMZ separation on ASE

prasantc 751 Reputation points
2020-09-03T06:35:46.383+00:00

Is it possible to separate web apps on a DMZ network by using a separate subnet on the same ASE plan and redirecting traffic using App Gateway? Or is it better to create a separate ASP instead to host the web app that needs to run on the DMZ and allow storage access using a service endpoint?

Azure App Service

2 answers

  1. Ryan Hill 25,486 Reputation points Microsoft Employee
    2020-09-04T04:04:49.993+00:00

    Hi @prasantc ,

    I'm assuming your web app is public facing. This should be possible; route table rules should be defined that send inbound management and application traffic back from where it came. Any traffic leaving your ASE can be sent through a firewall with a route table rule. I put some reference links below.

    https://learn.microsoft.com/en-us/azure/app-service/environment/integrate-with-application-gateway
    https://learn.microsoft.com/en-us/azure/app-service/environment/firewall-integration
    https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/dmz/secure-vnet-dmz


  2. prasantc 751 Reputation points
    2020-09-05T17:58:34.313+00:00

    I have 10 websites in ASE which are internal web apps and 3 are DMZ. After doing some research and checking with MS support, I found that I cannot create separate subnets for one group of sites and another group of sites on the same ASE. Therefore, I am now testing with the ASP Standard tier and hosting the three websites on ASP. The only issue is that ASP comes with a public IP address, and I had to enable public link on managed SQL to allow traffic from the ASP web instance to managed SQL.