Network configuration settings

Because App Service Environments are isolated to the individual customer, there are certain configuration settings that can be applied exclusively to App Service Environments. This article documents the various specific network customizations that are available for App Service Environment v3.

Note

This article is about App Service Environment v3, which is used with isolated v2 App Service plans.

If you don't have an App Service Environment, see How to Create an App Service Environment v3.

App Service Environment network customizations are stored in a subresource of the hostingEnvironments Azure Resource Manager entity called networking.

The following abbreviated Resource Manager template snippet shows the networking resource:

"resources": [
{
    "apiVersion": "2021-03-01",
    "type": "Microsoft.Web/hostingEnvironments",
    "name": "[parameters('aseName')]",
    "location": ...,
    "properties": {
        "internalLoadBalancingMode": ...,
        etc...
    },    
    "resources": [
        {
            "type": "configurations",
            "apiVersion": "2021-03-01",
            "name": "networking",
            "dependsOn": [
                "[resourceId('Microsoft.Web/hostingEnvironments', parameters('aseName'))]"
            ],
            "properties": {
                "remoteDebugEnabled": true,
                "ftpEnabled": true,
                "allowNewPrivateEndpointConnections": true
            }
        }
    ]
}
]

The networking resource can be included in a Resource Manager template to update the App Service Environment.

Allow new private endpoint connections

For apps hosted on both ILB and External App Service Environment, you can allow creation of private endpoints. The setting is disabled by default. If private endpoints were created while the setting was enabled, they won't be deleted and will continue to work. The setting only prevents new private endpoints from being created.

The following Azure CLI command will enable allowNewPrivateEndpointConnections:

ASE_NAME="[myAseName]"
RESOURCE_GROUP_NAME="[myResourceGroup]"
az appservice ase update --name $ASE_NAME -g $RESOURCE_GROUP_NAME --allow-new-private-endpoint-connection true

az appservice ase list-addresses --name $ASE_NAME -g $RESOURCE_GROUP_NAME --query allowNewPrivateEndpointConnections

The setting is also available for configuration through Azure portal at the App Service Environment configuration:

Screenshot from Azure portal of how to configure your App Service Environment to allow creating new private endpoints for apps.

FTP access

The ftpEnabled setting lets you allow or deny FTP connections at the App Service Environment level. Individual apps will still need to configure FTP access. If you enable FTP at the App Service Environment level, you may want to enforce FTPS at the individual app level. The setting is disabled by default.

If you want to enable FTP access, you can run the following Azure CLI command:

ASE_NAME="[myAseName]"
RESOURCE_GROUP_NAME="[myResourceGroup]"
az appservice ase update --name $ASE_NAME -g $RESOURCE_GROUP_NAME --allow-incoming-ftp-connections true

az appservice ase list-addresses --name $ASE_NAME -g $RESOURCE_GROUP_NAME --query ftpEnabled

The setting is also available for configuration through Azure portal at the App Service Environment configuration:

Screenshot from Azure portal of how to configure your App Service Environment to allow incoming ftp connections.

In addition to enabling access, you need to ensure that you have configured DNS if you are using ILB App Service Environment and that the necessary ports are unblocked.

Remote debugging access

Remote debugging is disabled by default at the App Service Environment level. You can enable network-level access for all apps using this configuration. You'll still have to configure remote debugging at the individual app level.

Run the following Azure CLI command to enable remote debugging access:

ASE_NAME="[myAseName]"
RESOURCE_GROUP_NAME="[myResourceGroup]"
az appservice ase update --name $ASE_NAME -g $RESOURCE_GROUP_NAME --allow-remote-debugging true

az appservice ase list-addresses --name $ASE_NAME -g $RESOURCE_GROUP_NAME --query remoteDebugEnabled

The setting is also available for configuration through Azure portal at the App Service Environment configuration:

Screenshot from Azure portal of how to configure your App Service Environment to allow remote debugging.
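
The following Python code is an added example, not part of the original article or of any Microsoft tooling. It scans a Resource Manager template for the networking configuration resource shown near the top of this page and reports when ftpEnabled or remoteDebugEnabled is turned on, applying the documented defaults when a property is omitted. The review policy, the function names and the sample template are assumptions of this example.

```python
import json

# Defaults stated on this page: all three settings are disabled unless set.
DEFAULTS = {"ftpEnabled": False, "remoteDebugEnabled": False,
            "allowNewPrivateEndpointConnections": False}
# Review policy (an assumption of this example): flag settings that open
# inbound access for every app in the environment.
REVIEW = {
    "ftpEnabled": "FTP allowed at environment level; enforce FTPS per app",
    "remoteDebugEnabled": "remote debugging allowed at network level for all apps",
}
CONFIG_TYPE = "microsoft.web/hostingenvironments/configurations"

def networking_configs(resources, parent_type=""):
    """Yield effective properties of each 'networking' configuration resource,
    whether nested under the environment (as on this page) or top-level."""
    for res in resources:
        rtype = res.get("type", "")
        full_type = f"{parent_type}/{rtype}" if parent_type else rtype
        # Top-level names look like "ase/networking" or "[concat(..., '/networking')]".
        name = res.get("name", "").rstrip("')]").lower()
        if full_type.lower() == CONFIG_TYPE and name.endswith("networking"):
            yield {**DEFAULTS, **res.get("properties", {})}
        yield from networking_configs(res.get("resources", []), full_type)

def audit(template):
    """Return a list of (setting, message) findings for a parsed ARM template."""
    findings = []
    for props in networking_configs(template.get("resources", [])):
        for key, message in REVIEW.items():
            value = props[key]
            if value is True:
                findings.append((key, message))
            elif value is not False:
                # An expression such as "[parameters('x')]" resolves at deploy time.
                findings.append((key, f"unresolved value {value!r}; check parameters"))
    return findings

# Constructed sample mirroring the snippet on this page ("myAse" is a placeholder).
SAMPLE = json.loads("""
{"resources": [{"type": "Microsoft.Web/hostingEnvironments", "name": "myAse",
  "resources": [{"type": "configurations", "name": "networking",
    "properties": {"remoteDebugEnabled": true, "ftpEnabled": true,
                   "allowNewPrivateEndpointConnections": true}}]}]}
""")

if __name__ == "__main__":
    for setting, message in audit(SAMPLE):
        print(f"{setting}: {message}")
```

A finding for ftpEnabled or remoteDebugEnabled does not mean an app is exposed, because each app still has to enable FTP or remote debugging itself; it marks the environment-level gate as open.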
