Security and Horsepower with App Service: The New Isolated Offering

The Discussion

  • Will D series VMs ever be available for regular app services?

  • @Tom: Yes - they are available now in Preview. See the following blog post for more info:

  • Can the VNET used for isolated app service be connected to an on-prem network via ExpressRoute? If so, does the VNET still require direct outbound access to Azure or is it OK to use a default route that directs all outbound traffic on-prem?

  • @Bill: Hi Bill, the VNet used to host an ASE can be connected to on premises using ExpressRoute but it still requires you to allow it to go direct to the internet. Read for more information.

    That said, we are about complete and public with an ability to let you add your own egress IPs to the ASE which could be your on premises gateways/NATs, etc. The disclaimer to that is you need to keep latency in mind. That is to say you do not want to send traffic to on premises across the ocean and back.

  • Majid H

  • I was kind of hoping for clarification around whether the Isolated service is completely a single-tenant solution at the physical level for compute. I get that the VM is dedicated but what about the underlying CPU sockets (e.g. L1-L3 caches which are shared across multiple CPU cores (esp. L3))? I need NO potential exposure to other tenant code on a physical level.

    Having been a service provider I'm suspicious about "what is left out" of the message because you can't be sure if there is intentional "shaping" of the comments (e.g. leave the customer to draw the wrong conclusions "oops").

  • @brownjohn00: The App Service VMs are all dedicated to a single tenant - but they run using the underlying pool of Azure physical hardware - so not bare metal.

  • How about deployment from Azure DevOps? Seems the App Service deploy task in Azure Pipelines is unable to resolve the Kudu URL from Azure DevOps. It can create the App Service resource in the ASE (so my service principal verifies and works) but it can't deploy my code using the Kudu scm URL.

    Error: Failed to fetch Kudu App Settings. Error: Error: getaddrinfo ENOTFOUND

    Maybe this still requires a DevOps pipeline agent in the ASE's VNET?

  • @Bazul - With an ASE there's no public endpoint. When using the hosted agent for Azure Pipelines, they're not placed in a VNet, so they can't communicate with a node inside ASE ("" won't resolve in the public internet).

    You should use a self-hosted agent deployed inside the same VNet as the ASE:

    Azure DevOps Portal can see the ASE only because Azure DevOps is communicating with the Azure Resource Manager APIs, which are confirming that the resource exists and are giving the endpoint. But the Azure Resource Manager APIs cannot allow deployments, which require a communication with Kudu running on the ASE nodes.

    (H/T to @ItalyPaleAle on Twitter)
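
The resolution failure discussed in the last two comments, as an added example that is not part of the original thread or of any Azure tooling: a Node.js preflight that a pipeline step could run before the Kudu deploy to tell whether the agent can resolve the site's scm host. The sample addresses, the host placeholder and the function names are constructed for illustration.

```javascript
// Added example (not from the thread): preflight for a pipeline agent before a Kudu deploy.
const dns = require('node:dns').promises;
const net = require('node:net');

// True for RFC 1918 IPv4 addresses, i.e. an endpoint only reachable from inside a private network.
function isPrivateIPv4(ip) {
  if (!net.isIPv4(ip)) return false;
  const [a, b] = ip.split('.').map(Number);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Classify the outcome of a DNS lookup for the scm host. Pure, so it can be checked offline.
function diagnoseLookup(err, address) {
  if (err && err.code === 'ENOTFOUND') {
    // Same failure as the "getaddrinfo ENOTFOUND" error quoted in the thread.
    return { ok: false, reason: 'unresolvable',
             hint: 'scm host does not resolve from this agent; use a self-hosted agent inside the ASE VNet' };
  }
  if (err) {
    return { ok: false, reason: 'dns-error', hint: `lookup failed with ${err.code || err.message}` };
  }
  if (isPrivateIPv4(address)) {
    return { ok: true, reason: 'private-address', hint: `resolved to internal address ${address}` };
  }
  return { ok: true, reason: 'public-address', hint: `resolved to ${address}` };
}

// Resolve the host with the agent's own resolver and classify the result.
async function preflight(scmHost) {
  try {
    const { address } = await dns.lookup(scmHost);
    return diagnoseLookup(null, address);
  } catch (err) {
    return diagnoseLookup(err, null);
  }
}

// Constructed outcomes, so the demo prints without touching the network.
const notFound = Object.assign(new Error('getaddrinfo ENOTFOUND'), { code: 'ENOTFOUND' });
for (const [err, addr] of [[notFound, null], [null, '10.0.1.11'], [null, '203.0.113.10']]) {
  console.log(diagnoseLookup(err, addr));
}
// On a real agent: preflight('<your-app-scm-host>').then(r => { if (!r.ok) process.exit(1); });
```

Running the check as the first step of the deploy job fails the run early with a hint about agent placement instead of surfacing the error from inside the deploy task.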
