How to isolate your apps in Azure with App Service Environments

In this blog post, we'll talk about how you can use App Service Environments to help secure your apps in Microsoft Azure.

Building web and serverless apps in the cloud is becoming more and more common. And when you think about how increasingly easy it is to leverage a cloud provider like Microsoft Azure, AWS, or GCP, you can understand why.

Cloud computing can enable you to more easily deploy apps that are scalable, high performing, and even globally accessible — generally with much less effort than traditional hosting platforms.

However, there is something else that is also becoming more common: front page news stories reporting security breaches for company apps and data.

Get started with ACG and transform your career with courses and real hands-on labs in AWS, Microsoft Azure, Google Cloud, and beyond.

So if you’re asking (or being asked) questions about security, you’re not alone. One specific question you might be asked is: how can I keep my apps isolated from other customers?

There are several techniques for securing your apps in Azure. Within this blog, we’re going to focus on one specific method, by learning about App Service Environments.

App Service Environments (also known as an ASE) allow you to host applications in Azure by using isolated compute and virtual network resources so your apps can be more isolated from other customer workloads.

Why would you want to do that? This is often important if you’re building an app that must comply with strict standards — say for example when dealing with classified information.

To understand how this works, and why this matters, we’re going to take a look under the hood of Azure App Service, and particularly focus on how it differs from App Service Environments. Because as you’ll come to learn, App Service Environments are actually quite easy to get up and running, and work very similarly to Azure App Service (just with more isolation).

If you’re building a web app in Azure, you might use Azure App Service. Azure App Service is a popular PaaS offering that can simplify web app deployment and hosting. Azure App Service provides features like load balancing, auto-scaling, and SSL encryption — all without having to manage the underlying infrastructure.

Azure App Service also supports Azure Functions, which is an Azure service that helps you to build serverless applications by allowing you to focus on the individual code for the function you’re implementing. You can configure triggers so that the code only runs when required, and get simplified integration with other Azure services.

When you use Azure App Service, you can get access to all of these features at a fraction of the price than it would typically cost for you to manage and administer all of the required infrastructure yourself.

How can cloud providers deliver services cheaper than you? Through economies of scale. Azure App Service is a multi-tenant service. That is to say that many customers are sharing the same infrastructure as you.

Microsoft ensures your apps are separated from other customers, but when you’re securing your solutions, it’s important to understand that other customers do share elements of the service with you.

When using Azure App Service, your app requires load balancing, front end connectivity, outbound connectivity, and compute to execute code. Depending on whether you’re using the shared or dedicated App Service Plans, many of these components will be shared with others.

This is normal for cloud computing. Someone else (e.g., Microsoft) manages infrastructure that many customers share. That’s also why it helps to understand shared responsibility in the cloud.

So what happens if you want to develop a solution in the cloud, but you’re not allowed to use shared infrastructure?

This can be common when processing information that must be kept secure. For example, for certain government or defense agencies, processing the highest levels of classified information may not be permitted on shared infrastructure.

In these scenarios, it’s possible to leverage App Service features in a more isolated way. It’s probably no surprise by now — you can achieve this through the use of an ASE.

Especially with ASE version 3, it’s become quite easy to deploy your Web Apps or Function Apps to infrastructure that is isolated. All with minimal change to the developer experience, and with access to the same kinds of features available to a normal App Service app.

There are two key ways in which infrastructure is isolated with an ASE.

• Firstly, you can leverage Dedicated Hosts which means the underlying hypervisors that your app will run on are only available to you. No more sharing with other customers. 

• Secondly, your App Service Environment can be deployed to your own virtual network, ensuring that you have greater control over network security, ingress, and egress for your apps. 

If you're building an app that should only be accessed internally, you can use an Internal ASE. This ensures access is only permitted through the virtual network. On the other hand, if public accessibility is still required, you can deploy an External ASE.

Once you have configured your App Service Environment, the process for deploying web or function apps is much the same as with normal App Service apps. You'll configure an app the same as before, but instead of choosing a location like West US for your location, you will choose the ACE you configured earlier for your location.

App Service Plans are still required when using an ASE, but you’ll select an Isolated plan. This references the fact that your apps will be isolated from others. You may also notice the plan provides the same features as before, but with access to greater scale — an added bonus!

Security is often a balancing act, and there are many things to consider. You might be wondering how to secure the virtual network you use for your ASE, or even just how to secure a normal App Service app.

If you’re interested in learning more about securing many services in Azure, from identity through to app secrets, you may be interested in our AZ-500 Microsoft Azure Security Technologies course. This in-depth, hands-on course is designed to prepare you for the AZ-500 exam with hands-on defense of Azure solutions.

Get the Azure Cloud Dictionary of Pain
Speaking cloud doesn’t have to be hard. We analyzed millions of responses to ID the top concepts that trip people up. Grab this cloud guide for succinct definitions of some of the most painful terms in Azure.