
    Deploy Azure App Service Environment with Internal Load Balancer

    Posted on by Aidan Finn in Microsoft Azure

    In this article, I will show you how to deploy an internal Azure App Service Environment (ASE), which will share its hosted app services via an internal load balancer.





    An internal Azure Service Environment (ASE) with internal load balancer [Image Credit: Microsoft]

    Create A New ASE

    Start the creation by clicking Create A Resource > Web + Mobile > App Service Environment. Enter the following details:

    • Name: Enter a unique name in the domain for your new ASE.
    • Subscription: Specify the subscription you want to create the ASE in.
    • Resource Group: Select an existing resource group or create a new one for the ASE resources.

    The Virtual Network/Location setting is important because this is where you:

    • Select/create a virtual network
    • Specify the region
    • Create the ASE as an internal one

    Click Virtual Network/Location. Here you will enter:

    • Virtual Network: Either select or create a virtual network. Note that the location of the virtual network will be the location of the ASE.
    • VIP Type: Select Internal.
    • Domain: Enter the domain name that will be used for all app services in the app services plan (instead of the usual

    Create an internal virtual network ASE [Image Credit: Aidan Finn]

    When you close the Virtual Network blade, you can click Create in the App Service Environment blade. The creation job might take around one and a half hours to complete.

    Creating a new internal ASE [Image Credit: Aidan Finn]

    Eventually, you will have a set of resources. Note that you cannot see an internal load balancer, but there is one.

    The resources of a new internal ASE [Image Credit: Aidan Finn]

    You can find the internal IP address (, an IPv4 address from the virtual network, which we will use later) of the ASE by opening it and browsing to Settings > IP Addresses. There you will also find the outbound (NAT) address and the management IP address of the ASE.

    The IP addresses of the internal ASE [Image Credit: Aidan Finn]

    Deploy an App Service / App Services Plan

    You can add a new app service, running on an Isolated tier app services plan, to the internal ASE the same way as normal. In the Azure Portal, click Create A Resource > Web + Mobile > Web App. Enter the details for the web app:

    • App Name: This prefix will form a unique FQDN.
    • Subscription: The name of the subscription that the app service and app service plan will be in.
    • Resource Group: The new or existing resource group that the app service and app service plan will be deployed into.
    • OS: Windows – Linux is not supported by ASE.

    When you get to App Service/Location, click Create New. Enter the following information:

    • App Service Plan: Give the plan a descriptive name.
    • Location: Select the internal ASE that you just created.
    • Pricing Tier: Choose one of the isolated tier instance sizes.

    Create a new Azure isolated tier app service plan in the ASE [Image Credit: Aidan Finn]

    Click OK to save the settings in New App Service Plan. You are returned to Web App, where you can optionally enable Application Insights. Click Create and the new app service is deployed into a new app service plan in the internal ASE.

    Testing the App Service

    The only way to connect to the App Service is to connect to the virtual network because, by default, it is only available from the virtual network. Some connection methods will include:

    • Virtual Network: Deploy a service, such as a virtual machine, on the same virtual network as the app service (but a different subnet), and access the app service.
    • VNet Peering: You can peer the ASE virtual network with another virtual network and connect to the app service from the other virtual network.
    • Virtual Network Gateway: Features such as point-to-site (P2S) VPN, site-to-site (S2S) VPN, or ExpressRoute will give remote users access to the ASE virtual network, and thus the app services hosted in it.
    • Web Application Gateway (WAG): You can deploy a WAG in front of the ASE and use the private IP address of the ASE as a “backend pool” for the Azure layer-7 load balancer/firewall.

    Note that in all cases, you must manage DNS to resolve a domain name to the virtual network IP address of the ASE. In my example, I created an ASE with the domain name, so the app service (called petriapp) is called and should resolve to the public IP address of the ASE (

    In my example, I did the following:

    1. Added a subnet to the ASE virtual network.
    2. Deployed a virtual machine to the new subnet.
    3. Added a hosts file entry to the guest OS of the Azure virtual machine to resolve to
    4. Browsed from the Azure virtual machine to

    Testing an app service in an internal ASE [Image Credit: Aidan Finn]
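The hosts-file step above can be checked before browsing. This added example (not from the original article) parses a hosts file and reports whether an app's name maps to the ASE's internal load balancer address inside the virtual network. The domain `ase.example.internal`, the range `10.0.0.0/16` and the address `10.0.1.11` are placeholders because the page does not show its own values, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample hosts file. The page elides its domain and addresses, so
# ase.example.internal, 10.0.0.0/16 and 10.0.1.11 are placeholders.
SAMPLE_HOSTS = """\
# hosts file on the test VM
10.0.1.11     petriapp.ase.example.internal   # ILB address of the ASE
203.0.113.10  oldapp.ase.example.internal
10.0.2.4      stale.ase.example.internal
"""

def parse_hosts(text):
    """Return {hostname: [ip, ...]}; comments and malformed lines are skipped."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            # Host names are case-insensitive; a trailing dot is the same name.
            table.setdefault(name.lower().rstrip("."), []).append(ip)
    return table

def check_ase_mapping(hosts_text, fqdn, vnet_cidr, ilb_ip):
    """Return a list of findings; an empty list means the mapping is as expected."""
    vnet = ipaddress.ip_network(vnet_cidr)
    expected = ipaddress.ip_address(ilb_ip)
    ips = parse_hosts(hosts_text).get(fqdn.lower().rstrip("."), [])
    if not ips:
        return [f"{fqdn}: no hosts entry"]
    findings = []
    for ip in dict.fromkeys(ips):  # every distinct address mapped to the name
        if ip not in vnet:
            findings.append(f"{fqdn}: {ip} is outside virtual network {vnet}")
        elif ip != expected:
            findings.append(f"{fqdn}: {ip} is not the ILB address {expected}")
    return findings

if __name__ == "__main__":
    for app in ("petriapp", "oldapp", "stale", "missing"):
        fqdn = f"{app}.ase.example.internal"
        print(fqdn, check_ase_mapping(SAMPLE_HOSTS, fqdn, "10.0.0.0/16", "10.0.1.11") or "OK")
```
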


    The internal ASE is what I think of when I think of isolated app services. The private virtual network connection makes for an interesting deployment that brings the power of the cloud to truly private but still flexible deployments.

