Hello @Anonymous ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
If you just want to set up a highly available ILB ASE:
The recommended solution is to deploy a zone redundant Application Gateway.
You can improve the resiliency of an ASE deployment by deploying in multiple availability zones and load balancing them using Application Gateway v2, which is zone-redundant. Application Gateway v2 spans multiple availability zones per region. This in turn means a single application gateway is sufficient for a highly available system. The v1 SKU does not support this.
Refer to the articles below for more information: https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/enterprise-integration/ase-high-availability-deployment
https://learn.microsoft.com/en-us/azure/app-service/environment/integrate-with-application-gateway
If you want to set up a highly available multi-region ILB ASE:
It needs a global load balancing solution and in Azure this is only provided by Azure Front Door and Azure Traffic Manager.
Azure Front Door with private links to ILB ASE can be used but this feature is only available in Azure Front Door Standard/Premium (Preview).
Refer: https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-enable-private-link-web-app
NOTE: Azure Front Door Standard/Premium (Preview) is currently in public preview; this preview version is provided without a service level agreement, and it's not recommended for production workloads. Also, Azure Front Door private endpoints are only available in the following regions during public preview: East US, West 2 US, South Central US, UK South, and Japan East.
Refer: https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/concept-private-link
You can also use private endpoints with Azure Traffic Manager, but in this case the health probes will fail and be marked as degraded. The degraded endpoints are not included in the ATM's query response. However, if all the endpoints are degraded, then they will be included in the query response. Therefore, you can go ahead and set it up for private web app endpoints if you are okay with the health monitoring feature not being available.
You can refer to the following documentation for a detailed explanation on how Azure Traffic Manager (ATM) can assist with HA for web applications with private endpoints (in an ASE):
https://learn.microsoft.com/en-gb/archive/blogs/mihansen/using-azure-traffic-manager-for-private-endpoint-failover-manual-method
Kindly let us know if the above helps or you need further assistance on this issue.
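The Traffic Manager behaviour described in the answer above, as an added example that is not part of the original answer and not Azure's own code: a simplified Python model of endpoint selection showing why private endpoints that all report degraded still resolve, and why failover then has to be done by disabling the failed endpoint by hand. It assumes priority routing; the endpoint names and the `manual_failover` helper are constructed for illustration.

```python
# Simplified model of Traffic Manager endpoint selection (added example).
# Assumptions: priority routing; endpoint names are constructed.
from dataclasses import dataclass


@dataclass
class Endpoint:
    name: str
    priority: int            # lower number = preferred
    enabled: bool = True     # operator-controlled endpoint status
    probe_ok: bool = False   # result of the ATM health probe


def monitor_status(ep):
    if not ep.enabled:
        return "Disabled"
    return "Online" if ep.probe_ok else "Degraded"


def resolve(endpoints):
    """Return the endpoint name the model answers a query with, or None."""
    enabled = [e for e in endpoints if e.enabled]
    if not enabled:
        return None
    online = [e for e in enabled if e.probe_ok]
    # Degraded endpoints are left out of the response unless every enabled
    # endpoint is degraded, in which case all of them remain candidates.
    candidates = online or enabled
    return min(candidates, key=lambda e: e.priority).name


def manual_failover(endpoints, failed_name):
    """Operator action: disable the failed endpoint so it is skipped."""
    for e in endpoints:
        if e.name == failed_name:
            e.enabled = False
    return resolve(endpoints)


def demo():
    # Private ILB ASE endpoints: probes cannot reach them, so probe_ok stays False.
    eps = [Endpoint("ase-region-a", 1), Endpoint("ase-region-b", 2)]
    before = resolve(eps)                          # all degraded, region A still answers
    statuses = [monitor_status(e) for e in eps]
    after = manual_failover(eps, "ase-region-a")   # outage handled by hand
    return before, statuses, after


if __name__ == "__main__":
    print(demo())
```

Because every private endpoint is degraded, the model keeps answering with the highest-priority one even during an outage there, which is the monitoring gap the answer mentions.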