The Azure App Service Environment (ASE) provides a fully isolated and dedicated environment for securely running App Service apps at high scale. You can scale your application to 100 of the instances out of the box. Here are some excellent reasons to use ASE
- Network isolation for apps
- Larger scale than multi-tenant
- More powerful hosts (enabling Scale-up to 100 of instances out of box)
- Ability to work with all VPN types (particularly express route)
- Enable Gated Access by upstream devices like web application firewalls (WAF)
However, ASE comes with a downside - a steep increase in cost $$$ (consider the number of the environment typical development team needs), time it takes to deploy a new environment can be anywhere from 2+ hrs. Development teams often find it is safer to leave ASE environments running then to tear down to avoid such lead times.
If cost is your concern and you are looking at alternatives to ASE, you are in the right place. Here are a few Alternatives
- IaaS, running Virtual Machines (VM) or Virtual Machine Scale Set (VMSS) yourself can sometimes be considerably cheaper, however only do it if you are up to take on responsibility for patching and managing the VMs.
- Containerisation and hosting of the application within Azure Kubernetes Service or Service Fabric Cluster could be a great alternative with the same level of isolation as the App Service Environment and much lower cost! You can still have all the network isolation you desire minus some of the overhead of managing the infrastructure.
- If you prefer Public App Service, there is an excellent feature called IP restriction that works on the front-end role (load balancer level), so external traffic never reaches your application. If you want to connect to on-premises resources like SQL databases, consider Hybrid Connections.
Also, to take a step further, you can deploy Application Gateway (with internal IP) a Layer 7 appliance that enables application-level routing and load balancing. It also provides an additional feature called Web Application Firewall that protects applications against common web vulnerabilities and exploits like SQL Injection or Cross-site scripting. (see walk through sample here)
Update: Now that Private Link for App Service option is available (in preview) you can host Public App Service (web apps) on a private IP address in VNet and avoid using shared public address all together (more about it here).