0 Votes
MattDarket-9185 asked MitchBuenaventura-6753 commented

ASE v3 questions

Hi everyone,

I need to create an Azure infrastructure to host our web apps in a secure way using ASE v3.

The ASE v3 will contain more than 5 app services, all with custom domains (multi-site situation: for example site1.domain, site2.domain, site3.domain etc.).

I thought of the infrastructure in this way:

Azure Front Door with WAF as the entry point --> it forwards the packets to the Public IP of Azure Firewall.

First question: Could I set a DNAT rule to point the traffic to the Private Endpoint of ASE v3? Or do I need to introduce an Application Gateway (with only a private IP) to route the traffic in the correct way to the app services?

In other words, how can I make the packets flow?

1) Azure Front Door --> Azure Firewall --> ASE v3

2) Azure Front Door --> Azure Firewall --> Application Gateway (with WAF?) --> ASE v3?

Second question: I don't understand, with ASE v3, if I still have to follow the following guide ( to configure the Azure Firewall or not. I seemed to understand that all network connections are managed by Microsoft. So do I need any configuration on Azure Firewall in an infrastructure as described above?

Third question: Can I set up the pipelines with DevOps to deploy on these app services without a Self-Hosted release agent installed on a VM?

Thank you for all!


0 Votes
brtrach-MSFT answered

@MattDarket-9185 Thank you for your interest in ASE V3. If you haven't already, please review the current limitations with ASE V3, as it's in public preview state, to ensure these won't block your plans. (Preview products are traditionally not recommended for production workloads.)

You mention your scenario using the private endpoint for inbound traffic. Please note that this will change to a load balancer when ASE V3 becomes Globally Available (GA) so you will need to change that, which could lead to downtime. There is also a chance that you might have to move from a preview environment to a GA environment as it's not clear how they will swap to load balancers in GA without causing downtime for customers. Something to keep in mind.

From my understanding, if you want traffic that has come from the internet, you will need to use an App Gateway.

In regards to the firewall settings, ASE V3 has removed all the management traffic from flowing into your ASE via your VNET. This is good news as it allows you to configure your firewall as tightly as needed without breaking your ASE. So you will not need to follow the steps listed in the document you linked.

While in preview, the ASE won't have built-in support for an internet accessible endpoint. You could add an Application Gateway for such a purpose. This should allow you to not need an Azure VM connected to the ASE VNET to perform deployments as was sometimes required with an ILB ASE V2.

We hope this helps to answer your questions. Please let us know if there are any more and we would be happy to answer them.

0 Votes
MitchBuenaventura-6753 answered MitchBuenaventura-6753 commented


Is there a target date for GA for ASE v3?

I know this is mentioned in the list of limitations but will there be migration capabilities or tools provided to easily convert from v2 to v3? It's not necessarily defined as a NO but listed as a limitation which makes me want to believe there will be a way to upgrade?


@MitchBuenaventura-6753, There is not a publicly sharable GA date but I do know from recent conversations with the product group that they are working quickly to get V3 to GA as they want everyone to have access to the faster hardware and easier to manage network features. I do want to mention as well that Microsoft support and the product group are providing support for V3 while it is in public preview, which is not always the case with every public preview product/feature.

We did receive verification from the product group in our meeting with them last month and they shared, "At GA or shortly thereafter we will have guidance and tools to upgrade from ASEv2 to ASEv3."

Please let us know if you have any further questions.

1 Vote

Thank you @brtrach-MSFT for the update. Appreciate the team's work!

0 Votes