Walkthrough: Setting up an App Service Environment

Current version: 9.1

To securely run your App Service applications at high scale, you must create an App Service Environment (ASE) . Before you can create an ASE, there are a number of things that must be in place.

Note

ASE v3 has not been tested by Sitecore and is not officially supported.

Prerequisites

If you want to reach your web applications using custom domain name instead of default <asename>.appserviceenvironment.net and ensure your web applications support SSL, you must obtain a valid SSL certificate by using internal certificate authorities, by purchasing a certificate from an external issuer, or by using a self-signed certificate.

Note

To use an SSL certificate in the App Service, ensure the certificate:

  • Is signed by a trusted certificate authority.

  • Is exported as a password-protected PFX file.

  • Contains a private key that is at least 2048 bits long.

There are two ways to configure certificates with your ILB ASE:

  • You can set a wildcard default certificate for the ILB ASE.

  • You can set Subject Alternative Name (SAN), certificates on each of the web applications in your ASE to create an ILB ASE certificate that includes all your individual application names in the SAN of the certificate instead of using a wildcard reference. The limitations of using a SAN certificate is that you must know beforehand the names of the applications that you are putting in the ASE, otherwise you must keep updating the ILB ASE certificate.

Regardless of which choice you make, you must configure the following certificate attributes properly:

  • Wildcard certificate - If you use a wildcard ILB ASE certificate, you must set the attribute to *.<public domain name>

  • Subject Alternative Name - This attribute must include both *.<public domain name> and *.scm.<public domain name> for the wildcard ILB ASE certificate.

You can find names of the web applications that are covered by a SAN certificate in a resource group where SXP is deployed. In the resource group, locate all of your web applications and copy their names for a SAN certificate in the following format:

<appname>.<public domain name> and <appname>.scm.<public domain name>

Your SAN certificate must also cover the root domain where your application will be publicly available, for example:

<public domain name> and/or www.<public domain name>.

Create a resource group

To create a resource group:

  1. In the Azure portal, go to Resource groups, +Add. This takes you to the Create a resource group panel.

    Create a resource group in the Azure portal
  2. In the Create a resource group panel, select a Subscription, a Resource group, and a Region.

  3. To create the resource group, click Review + create.

Create a virtual network

To create a virtual network:

  1. In the Azure portal, go to Create a resource, and search for virtual network.

  2. Click the Virtual Network tile, then click Create.

  3. In the Create virtual network panel, in the Name field, enter a name, and in the Address Space field, enter 192.168.248.0/22.

    Create a virtual network in the Azure portal
  4. Select a Subscription, a Resource group, and a Location.

  5. To manage the application gateway, in the Subnet section, enter a name for the subnet, for example, ApplicationGatewaySubnet.

  6. In the Address range field, enter 192.168.251.0/24.

  7. Use the default values for all the other fields.

  8. To create the virtual network, click Create and then wait until the virtual network is deployed.

Create the App Service Environment

To create an App Service Environment (ASE):

  1. In the Azure portal, click Create a resource.

  2. In the Search field, enter App Service Environment.

  3. Select the App Service Environment tile and click Create.

  4. In the App Service Environment panel, in the Project Details section, select a Subscription and a Resource Group.

  5. In the Instance Details section:

    • In the App Service Environment Name field, enter any valid name.

    • In the VIP Type field, click Internal.

    • Ensure the Domain is the same as the public domain name.

    Create the App Service Environment
  6. To select the networking settings, click Next: Networking.

  7. On the Networking tab, in the Virtual Network field, click the VNet you created earlier.

  8. In the Subnet field, click Create new. The Create Subnet window opens.

    Add a new Subnet
  9. In the Subnet Name field, specify a valid name.

  10. In the Virtual Network Address Block field, leave the default value.

  11. In the Subnet Address Block field, ensure that the value is 192.168.250.0/24, and then to create the subnet, click OK.

    Add the Address Block value
  12. To create the App Service Environment, on the Networking tab, click Review and create.

    Create the App service environment

Configure the DNS zone

The ASE uses the DNS zone as a private DNS for name resolution inside VNet and does not affect your global DNS settings.

To configure the DNS zone:

  1. Create a private DNS zone and configure it as described in the DNS configuration section of the Microsoft documentation.

  2. Link your DNS zone to ASE virtual network. For more details, please refer to the Microsoft documentation.

If you want to use custom domain names for a web application inside an ASE you must:

  1. Create a private DNS zone with the same name as your custom domain.

  2. Configure custom domains for your web apps. For more information about TLS/SSL configuration, please refer to the Microsoft documentation.

  3. Update appropriate web app settings to the new domain names.

Deploy Sitecore inside the ASE

To deploy Sitecore inside the ASE, you follow the standard deployment procedure. However, you must also fill in the following parameters:

  • ASE name - Must be equal to the name of your previously created ASE resource.

  • ASE resource group name - Must be equal to the name of your previously created ASE resource.

Important

The deployment location must be the same as the ASE virtual network location. You must explicitly define the location in the azuredeploy.parameters.json file.

Access the Web Apps deployed into the ASE

Web Apps that are deployed in an ASE are not publicly available from the internet by default. However, there are a few different ways of providing access to the Web Apps in an ASE:

Technology and approach

When you should use it

A virtual machine (also known as a Jumpbox) that is deployed to the same VNET as the ASE

If you want to run the software within the environment.

Express route or site-to-site connections

If you want to connect one environment to another.

Application Gateway

If you want to connect from outside the ASE into the ASE to access a particular Web App.

For more information about how to use VPN technologies to connect a VNet with your on-premise networks, see Microsoft's documentation.

Do you have some feedback for us?

If you have suggestions for improving this article,