Walkthrough: Setting up an App Service Environment
To securely run your App Service applications at high scale, you must create an App Service Environment (ASE) . Before you can create an ASE, there are a number of things that must be in place.
ASE v3 has not been tested by Sitecore and is not officially supported.
Prerequisites
If you want to reach your web applications using custom domain name instead of default <asename>.appserviceenvironment.net
and ensure your web applications support SSL, you must obtain a valid SSL certificate by using internal certificate authorities, by purchasing a certificate from an external issuer, or by using a self-signed certificate.
To use an SSL certificate in the App Service, ensure the certificate:
-
Is signed by a trusted certificate authority.
-
Is exported as a password-protected PFX file.
-
Contains a private key that is at least 2048 bits long.
There are two ways to configure certificates with your ILB ASE:
-
You can set a wildcard default certificate for the ILB ASE.
-
You can set Subject Alternative Name (SAN), certificates on each of the web applications in your ASE to create an ILB ASE certificate that includes all your individual application names in the SAN of the certificate instead of using a wildcard reference. The limitations of using a SAN certificate is that you must know beforehand the names of the applications that you are putting in the ASE, otherwise you must keep updating the ILB ASE certificate.
Regardless of which choice you make, you must configure the following certificate attributes properly:
-
Wildcard certificate - If you use a wildcard ILB ASE certificate, you must set the attribute to
*.<public domain name>
-
Subject Alternative Name - This attribute must include both
*.<public domain name>
and*.scm.<public domain name>
for the wildcard ILB ASE certificate.
You can find names of the web applications that are covered by a SAN certificate in a resource group where SXP is deployed. In the resource group, locate all of your web applications and copy their names for a SAN certificate in the following format:
<appname>.<public domain name>
and <appname>.scm.<public domain name>
Your SAN certificate must also cover the root domain where your application will be publicly available, for example:
<public domain name>
and/or www.<public domain name>
.
Create a resource group
To create a resource group:
-
In the Azure portal, go to Resource groups, +Add. This takes you to the Create a resource group panel.
-
In the Create a resource group panel, select a Subscription, a Resource group, and a Region.
-
To create the resource group, click Review + create.
Create a virtual network
To create a virtual network:
-
In the Azure portal, go to Create a resource, and search for virtual network.
-
Click the Virtual Network tile, then click Create.
-
In the Create virtual network panel, in the Name field, enter a name, and in the Address Space field, enter 192.168.248.0/22.
-
Select a Subscription, a Resource group, and a Location.
-
To manage the application gateway, in the Subnet section, enter a name for the subnet, for example, ApplicationGatewaySubnet.
-
In the Address range field, enter 192.168.251.0/24.
-
Use the default values for all the other fields.
-
To create the virtual network, click Create and then wait until the virtual network is deployed.
Create the App Service Environment
To create an App Service Environment (ASE):
-
In the Azure portal, click Create a resource.
-
In the Search field, enter App Service Environment.
-
Select the App Service Environment tile and click Create.
-
In the App Service Environment panel, in the Project Details section, select a Subscription and a Resource Group.
-
In the Instance Details section:
-
In the App Service Environment Name field, enter any valid name.
-
In the VIP Type field, click Internal.
-
Ensure the Domain is the same as the public domain name.
-
-
To select the networking settings, click Next: Networking.
-
On the Networking tab, in the Virtual Network field, click the VNet you created earlier.
-
In the Subnet field, click Create new. The Create Subnet window opens.
-
In the Subnet Name field, specify a valid name.
-
In the Virtual Network Address Block field, leave the default value.
-
In the Subnet Address Block field, ensure that the value is 192.168.250.0/24, and then to create the subnet, click OK.
-
To create the App Service Environment, on the Networking tab, click Review and create.
Configure the DNS zone
The ASE uses the DNS zone as a private DNS for name resolution inside VNet and does not affect your global DNS settings.
To configure the DNS zone:
-
Create a private DNS zone and configure it as described in the DNS configuration section of the Microsoft documentation.
-
Link your DNS zone to ASE virtual network. For more details, please refer to the Microsoft documentation.
If you want to use custom domain names for a web application inside an ASE you must:
-
Create a private DNS zone with the same name as your custom domain.
-
Configure custom domains for your web apps. For more information about TLS/SSL configuration, please refer to the Microsoft documentation.
-
Update appropriate web app settings to the new domain names.
Deploy Sitecore inside the ASE
To deploy Sitecore inside the ASE, you follow the standard deployment procedure. However, you must also fill in the following parameters:
-
ASE name - Must be equal to the name of your previously created ASE resource.
-
ASE resource group name - Must be equal to the name of your previously created ASE resource.
The deployment location must be the same as the ASE virtual network location. You must explicitly define the location in the azuredeploy.parameters.json
file.
Access the Web Apps deployed into the ASE
Web Apps that are deployed in an ASE are not publicly available from the internet by default. However, there are a few different ways of providing access to the Web Apps in an ASE:
Technology and approach |
When you should use it |
---|---|
A virtual machine (also known as a Jumpbox) that is deployed to the same VNET as the ASE |
If you want to run the software within the environment. |
Express route or site-to-site connections |
If you want to connect one environment to another. |
Application Gateway |
If you want to connect from outside the ASE into the ASE to access a particular Web App. |
For more information about how to use VPN technologies to connect a VNet with your on-premise networks, see Microsoft's documentation.