What is the simplest ASE certification

Use an internal load balancer with an App Service environment

  • 8 minutes to read


This article covers the App Service Environment v1. A newer version is available for the App Service environment. This is more user-friendly and is based on a more efficient infrastructure. For more information about this new version, see Introduction to the App Service Environment.

The App Service Environment (ASE) feature is a premium service option from Azure App Service with advanced configuration options that are not available in the multi-tenant stamps. The ASE feature essentially provides Azure App Service in your Azure virtual network (VNet). For a better understanding of what App Service Environments can do, see the What Is an App Service Environment? Documentation. If you are unsure of the benefits of operating in a VNet, it is advisable to read the FAQs on virtual networks.


An ASE can be deployed with an endpoint accessible from the Internet or an IP address on your VNet. To set the IP address to a VNet address, you must provision your ASE with an internal load balancer (ILB). If your ASE is configured with an ILB, provide:

  • Your own domain or subdomain. For the sake of simplicity, a subdomain is assumed in this document, but you can configure each case.
  • the certificate used for HTTPS
  • DNS management for the subdomain.

In return, you can do the following, for example:

  • Securely host intranet applications, such as line-of-business applications, that you access via a site-to-site or ExpressRoute VPN
  • Host apps in the cloud that are not listed in the public DNS server
  • Build back-end apps that are isolated from the internet into which your front-end apps can be securely integrated

Deactivated functions

There are some things that you cannot do with an ILB-ASE. Which includes:

  • Using IPSSL
  • Assigning IP addresses to specific apps
  • Buy and use a certificate with an app through the portal. Of course, you can still get certificates directly from a certification authority and use them with your apps, but not via the Azure portal.

Creation of an ILB-ASE

Creating an ILB ASE is not much different from creating a normal ASE. For a more in-depth explanation of how to create an ASE, see Create an App Service Environment. The process of creating an ILB ASE is the same when creating a VNet during ASE creation and when selecting an existing VNet. How to create an ILB-ASE:

  1. In the Azure portal, select Create Resource> Web + Mobile> App Service Environment out.
  2. Select your subscription.
  3. Select or create a resource group.
  4. Select or create a VNet.
  5. Create a subnet when you select a VNet.
  6. Choose Virtual network / location> VNet configurationand set the VIP Type to Internal.
  7. Provide a name for the subdomain (this subdomain will be used for apps created in this ASE).
  8. Choose OK and then Create out.

In the “Virtual Network” area there is an option for the VNET configuration with which you can choose between an external VIP or an internal VIP. The external address is the default setting. If you need to set it to External, your ASE will use an Internet accessible VIP. If you select "Internal", your ASE will be configured with an ILB under an IP address in your VNET.

After selecting the internal address, you cannot add any further IP addresses to your ASE; you must instead provision the subdomain of the ASE. In an ASE with an external VIP address, the name of the ASE in the subdomain is used for apps that are created in that ASE. If your ASE is * contosotest _ and your app in this ASE mytest that is, the subdomain has the format contosotest.p.azurewebsites.net and the url for that app is *mytest.contosotest.p.azurewebsites.net**. If you set the VIP type to Internal, your ASE name will not be used in the subdomain for the ASE. You specify the subdomain explicitly. If your subdomain *contoso.corp.net is and you have an app in this ASE called timereporting the url for this app is _ *timereporting.contoso.corp.net**.

Apps in an ILB-ASE

Creating an app in an ILB-ASE corresponds to the normal creation of an app in an ASE.

  1. In the Azure portal, click Create Resource> Web + Mobile> Web or on Mobile or API app.
  2. Enter the name of the app.
  3. Select your subscription.
  4. Select or create a resource group.
  5. Select or create an App Service (ASP) plan. If you are creating a new ASP, choose your ASE as the location and choose the worker pool where you want your ASP to be created. When creating the ASP, you select your ASE as the location and the worker pool. When you provide the name of the app, you will see that the subdomain under your app name is replaced with the subdomain for your ASE.
  6. click on Create. Check the box Pin to the dashboard if the app should be displayed in the dashboard.

Under the app name, the subdomain name is updated to reflect the subdomain of your ASE.

Review after the ILB-ASE creation

An ILB-ASE is somewhat different from a non-ILB-ASE. As mentioned earlier, you need to manage your own DNS and also provide your own certificate for HTTPS connections.

After creating your ASE, you'll notice that it shows the subdomain you specified and the menu attitude a new item ILB certificate contains. The ASE is created with a self-signed certificate to make testing HTTPS easier. In the portal you will be informed that you have to provide your own certificate for HTTPS, but the purpose is that you use a certificate suitable for your subdomain.

If you're just experimenting and don't know how to create a certificate, you can use the IIS MMC console application to create a self-signed certificate. Once created, you can export it as a PFX file and then upload it to the ILB certificate user interface. When you access a website that is protected with a self-signed certificate, you receive a browser warning that the website you are accessing is not secure because the certificate cannot be validated. To avoid this warning, you need a properly signed certificate that corresponds to your subdomain and has a certificate chain that your browser can recognize.

If you want to try the flow with your own certificates and test both HTTP and HTTPS to access the ASE, do the following:

  1. After creating the ASE, switch to the ASE user interface: ASE> Settings> ILB certificates.
  2. Define the ILB certificate by selecting Certificate PFX file and specifying the password. This step will take some time and a message will appear stating that scaling is in progress.
  3. Get the ILB address for your ASE (ASE> Properties> Virtual IP Address).
  4. Once created, create a web app in the ASE.
  5. Create a VM if one doesn't exist in that VNet (not on the same subnet as the ASE as it will crash).
  6. Set the DNS for the subdomain. You can use a wildcard with your subdomain in your DNS, or if you want to do some simple testing, edit the hosts file on your VM to set the VIP address for the web app name. If you create the web app “mytestapp” in an ASE with the subdomain name “.ilbase.com” so that it is addressed with “mytestapp.ilbase.com”, you must specify this in the host file. (On Windows, the host file is located at C: \ Windows \ System32 \ drivers \ etc.)
  7. Go to (or the name of your web app in your subdomain) in a browser on this VM.
  8. Use a browser on this VM and switch to. If you use a self-signed certificate, you have to accept a reduction in security.

The IP address of the ILB is listed in the properties as a virtual IP address.

Use an ILB-ASE

Network security groups

An ILB-ASE enables network isolation for your apps. The apps are neither accessible nor known on the Internet. This approach is great for hosting intranet sites, such as line-of-business applications. If you need to restrict access even further, you can use network security groups (NSGs) to control access at the network level.

If you plan to use NSGs to further restrict access, you need to make sure that you are not disrupting the communications that the ASE needs to operate. Although HTTP / HTTPS access is only through the ILB used by the ASE, the ASE is still dependent on resources outside of the VNET. To determine what network access is required, see Controlling Inbound Traffic into an App Service Environment and Network Configuration Details for App Service Environments Using ExpressRoute.

To configure your network security groups, you need to know the IP address that Azure uses to manage your ASE. This IP address is also the outgoing IP address of your ASE for Internet inquiries. The outbound IP address for your ASE remains static for the life of your ASE. If you delete and recreate the ASE, you will get a new IP address. To find out the IP address, go to Settings> Propertiesand look for Outgoing IP address.

General ILB-ASE administration

Managing an ILB ASE is largely the same as managing an ASE normally. You will need to scale up your worker pools to host more ASP instances and scale up your front-end servers to handle additional HTTP / HTTPS traffic. For general information about managing the configuration of an ASE, see Configuring an App Service Environment.

The additional management elements are certificate and DNS management. You must retrieve and upload the certificate used for HTTPS after the ILB-ASE creation and replace it before it expires. Since Azure owns the base domain, certificates can be provided for ASEs with an external VIP address. Since the subdomain used for an ILB-ASE can be any subdomain, you must provide your own certificate for HTTPS.

DNS configuration

If an external VIP address is used, the DNS is managed using Azure. Every app created in your ASE is automatically added to Azure DNS - a public DNS. You have to manage your own DNS in an ILB-ASE. For a given subdomain, such as contoso.corp.net, you need to create DNS A records with the following references to your ILB address:

  • *
  • * .scm
  • ftp
  • Publish

First steps

To get started with App Service environments, see Introduction to App Service Environments.


If you'd like to try Azure App Service before signing up for an Azure account, you can go to Try App Service to create a short-lived starter web app in App Service for free. No credit card required, no obligations.