Security and Horsepower with App Service: The New Isolated Offering


Description

You love App Service, but you need to run your apps securely inside of an Azure Virtual Network. Plus having a little (or a lot) more horsepower would be nice, too. Stefan Schackow joins Scott Hanselman for a whirlwind tour of the new Isolated App Service offering: D-Seriesv2 workers running App Service all inside the secure “moat” of your Azure virtual network.

For more information, see Introduction to App Service Environment.


Tag:

Azure


The Discussion

  • Tom

    Will D series vms ever be available for regular app services?

  • Stefan

    @Tom: Yes - they are available now in Preview. See the following blog post for more info:
    https://azure.microsoft.com/en-us/blog/azure-app-service-premium-v2-in-public-preview/

  • Bill

    Can the VNET used for isolated app service be connected to an on-prem network via ExpressRoute? If so, does the VNET still require direct outbound access to Azure or is it OK to use a default route that directs all outbound traffic on-prem?

  • ccompy

    @Bill: Hi Bill, the VNet used to host an ASE can be connected to on premises using ExpressRoute, but it still requires you to allow it to go direct to the internet. Read https://docs.microsoft.com/en-us/azure/app-service/app-service-environment/network-info for more information.

    That said, we are about complete and public with an ability to let you add your own egress IPs to the ASE, which could be your on premises gateways/NATs, etc. The disclaimer to that is you need to keep latency in mind. That is to say, you do not want to send traffic to on premises across the ocean and back.

  • majid

    Majid H

  • brownjohn00

    I was kind of hoping for clarification around whether the Isolated service is completely a single-tenant solution at the physical level for compute. I get that the VM is dedicated, but what about the underlying CPU sockets (e.g. L1-L3 caches, which are shared across multiple CPU cores (esp. L3))? I need NO potential exposure to other tenant code on a physical level.

    Having been a service provider I'm suspicious about "what is left out" of the message because you can't be sure if there is intentional "shaping" of the comments (e.g. leave the customer to draw the wrong conclusions "oops").

  • StefanC9

    @brownjohn00: The App Service VMs are all dedicated to a single tenant - but they run using the underlying pool of Azure physical hardware - so not bare metal.

  • Bazul

    How about deployment from Azure DevOps? Seems the App Service deploy task in Azure Pipelines is unable to resolve the Kudu URL from Azure DevOps. It can create the App Service resource in the ASE (so my service principal verifies and works), but it can't deploy my code using the Kudu scm URL.

    Error: Failed to fetch Kudu App Settings. Error: Error: getaddrinfo ENOTFOUND myappservice.scm.na.cloud.mycompany myappservice.scm.na.cloud.mycompany:443

    Maybe this still requires a DevOps pipeline agent in the ASE's VNET?

  • robcaron

    @Bazul - With an ASE there's no public endpoint. When using the hosted agent for Azure Pipelines, they're not placed in a VNet, so they can't communicate with a node inside ASE ("myappservice.scm.na.cloud.mycompany" won't resolve in the public internet).

    You should use a self-hosted agent deployed inside the same VNet as the ASE:
    https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/agents?view=azure-devops#install

    Azure DevOps Portal can see the ASE only because Azure DevOps is communicating with the Azure Resource Manager APIs, which are confirming that the resource exists and are giving the endpoint. But the Azure Resource Manager APIs cannot allow deployments, which require a communication with Kudu running on the ASE nodes.

    HTH
    (H/T to @ItalyPaleAle on Twitter)
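A small preflight check for the situation robcaron describes, added here as an example and not code from the thread or from Azure DevOps: it classifies where an agent stands relative to an ILB ASE's Kudu endpoint by resolving the scm hostname and testing the answer against the ASE subnet. The hostname is the one from Bazul's error; the subnet, the stub resolvers and the `check_kudu_reachability` / `host_from_kudu_error` names are constructed for the example.

```python
import ipaddress
import socket

# Constructed sample values: the ILB ASE scm name quoted in the thread and an
# assumed ASE subnet. Neither refers to real infrastructure.
SAMPLE_KUDU_HOST = "myappservice.scm.na.cloud.mycompany"
SAMPLE_ASE_SUBNET = "10.20.30.0/24"


def host_from_kudu_error(message):
    """Pull the hostname out of a '... getaddrinfo ENOTFOUND <host> <host>:443' line."""
    marker = "ENOTFOUND "
    idx = message.find(marker)
    if idx < 0:
        return None
    return message[idx + len(marker):].split()[0]


def check_kudu_reachability(host, ase_subnet, resolve=socket.gethostbyname):
    """Classify the agent's position relative to the ASE's private Kudu endpoint.

    Returns one of:
      "unresolvable"  - no DNS record at all (the ENOTFOUND case: a hosted agent
                        outside the VNet asking public DNS for an internal name)
      "outside-vnet"  - the name resolves, but not into the ASE subnet
      "in-ase-subnet" - the name resolves into the ASE subnet, so the agent is
                        where a self-hosted agent for this ASE should sit
    """
    try:
        addr = ipaddress.ip_address(resolve(host))
    except socket.gaierror:
        return "unresolvable"
    if addr in ipaddress.ip_network(ase_subnet, strict=False):
        return "in-ase-subnet"
    return "outside-vnet"


def simulated_public_dns(host):
    """Stand-in for Internet DNS: an ILB ASE name has no public record."""
    raise socket.gaierror(-2, "Name or service not known")


def simulated_vnet_dns(host):
    """Stand-in for the VNet's private zone: the name maps to the ILB address."""
    return "10.20.30.11"


if __name__ == "__main__":
    for name, resolver in (("hosted agent", simulated_public_dns),
                           ("self-hosted agent in VNet", simulated_vnet_dns)):
        print(name, "->", check_kudu_reachability(SAMPLE_KUDU_HOST, SAMPLE_ASE_SUBNET, resolver))
```

Run it with the default resolver from the agent itself to see which case applies before debugging the pipeline task.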
