Commit 3272f5f

Merge pull request #205946 from madsd/port25
Port 25 support
2 parents 979c5a8 + 9a8e7dd commit 3272f5f

2 files changed

+17
-16
lines changed

articles/app-service/environment/networking.md

Lines changed: 5 additions & 6 deletions
@@ -3,7 +3,7 @@ title: App Service Environment networking
33
description: App Service Environment networking details
44
author: madsd
55
ms.topic: overview
6-
ms.date: 02/17/2022
6+
ms.date: 08/01/2022
77
ms.author: madsd
88
---
99

@@ -83,6 +83,9 @@ You can put your web application firewall devices, such as Azure Application Gat
8383

8484
Your application will use one of the default outbound addresses for egress traffic to public endpoints. If you want to customize the outbound address of your applications on an App Service Environment, you can add a NAT gateway to your subnet.
8585

86+
> [!NOTE]
87+
> Outbound SMTP connectivity (port 25) is supported for App Service Environment v3. However, the supportability is determined by the subscription where the virtual network is deployed. For virtual networks created before 1. August 2022, you will have to re-enable outbound SMTP connectivity support on the subscription. For more information on subscription type support and how to request support to re-enable outbound SMTP connectivity, see [Troubleshoot outbound SMTP connectivity problems in Azure](../../virtual-network/troubleshoot-outbound-smtp-connectivity.md).
88+
8689
## Private endpoint
8790

8891
In order to enable Private Endpoints for apps hosted in your App Service Environment, you must first enable this feature at the App Service Environment level.
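Review bot: The added note (new lines 86-87) announces outbound port 25 support without saying how that egress can be constrained or observed, while the Limitations section of this same file states that Azure Network Watcher and NSG flow can't be used to monitor outbound traffic. Consider adding a sentence on how to restrict which destinations an app may reach on port 25, or at least a pointer to where that is documented. Two wording points in the same note: "1. August 2022" is easy to misread and would be clearer as "August 1, 2022", and "the supportability is determined by the subscription" would read better as "whether it is supported depends on the subscription type", which is what the linked article is described as covering.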
@@ -96,7 +99,6 @@ az appservice ase update --name myasename --allow-new-private-endpoint-connectio
9699

97100
For more information about Private Endpoint and Web App, see [Azure Web App Private Endpoint][privateendpoint]
98101

99-
100102
## DNS
101103

102104
The following sections describe the DNS considerations and configuration that apply inbound to and outbound from your App Service Environment.
@@ -137,10 +139,7 @@ The apps in your App Service Environment will use the DNS that your virtual netw
137139

138140
## Limitations
139141

140-
While App Service Environment does deploy into your virtual network, there are a few networking features that aren't available:
141-
142-
* Sending SMTP traffic. Although you can still have email-triggered alerts, your app can't send outbound traffic on port 25.
143-
* Using Azure Network Watcher or NSG flow to monitor outbound traffic.
142+
While App Service Environment does deploy into your virtual network, you currently cannot use Azure Network Watcher or NSG flow to monitor outbound traffic.
144143

145144
## More resources
146145

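Review bot: In the rewritten Limitations sentence (new line 142), "NSG flow" is carried over from the removed bullet and reads as an incomplete feature name; if NSG flow logs are meant, spell that out, since this is now the only limitation listed and readers will rely on it when planning outbound monitoring. The sentence also changes "can't" to "cannot", where the removed text used contractions ("aren't", "can't"), and the heading stays plural above a single item; "you can't currently use ..." would match the rest of the file.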
articles/app-service/overview-vnet-integration.md

Lines changed: 12 additions & 10 deletions
@@ -3,7 +3,7 @@ title: Integrate your app with an Azure virtual network
33
description: Integrate your app in Azure App Service with Azure virtual networks.
44
author: madsd
55
ms.topic: conceptual
6-
ms.date: 06/30/2022
6+
ms.date: 08/01/2022
77
ms.author: madsd
88

99
---
@@ -86,24 +86,20 @@ Through application routing or configuration routing options, you can configure
8686

8787
Application routing applies to traffic that is sent from your app after it has been started. See [configuration routing](#configuration-routing) for traffic during start up. When you configure application routing, you can either route all traffic or only private traffic (also known as [RFC1918](https://datatracker.ietf.org/doc/html/rfc1918#section-3) traffic) into your virtual network. You configure this behavior through the **Route All** setting. If **Route All** is disabled, your app only routes private traffic into your virtual network. If you want to route all your outbound app traffic into your virtual network, make sure that **Route All** is enabled.
8888

89-
> [!NOTE]
90-
> * Only traffic configured in application or configuration routing is subject to the NSGs and UDRs that are applied to your integration subnet.
91-
> * When **Route All** is enabled, outbound traffic from your app is still sent from the addresses that are listed in your app properties, unless you provide routes that direct the traffic elsewhere.
89+
* Only traffic configured in application or configuration routing is subject to the NSGs and UDRs that are applied to your integration subnet.
90+
* When **Route All** is enabled, outbound traffic from your app is still sent from the addresses that are listed in your app properties, unless you provide routes that direct the traffic elsewhere.
9291

9392
Learn [how to configure application routing](./configure-vnet-integration-routing.md).
9493

9594
We recommend that you use the **Route All** configuration setting to enable routing of all traffic. Using the configuration setting allows you to audit the behavior with [a built-in policy](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F33228571-70a4-4fa1-8ca1-26d0aba8d6ef). The existing `WEBSITE_VNET_ROUTE_ALL` app setting can still be used, and you can enable all traffic routing with either setting.
9695

96+
> [!NOTE]
97+
> Outbound SMTP connectivity (port 25) is supported for App Service when the SMTP traffic is routed through the virtual network integration. The supportability is determined by the subscription where the virtual network is deployed. For virtual networks created before 1. August 2022, you will have to re-enable outbound SMTP connectivity support on the subscription. For more information on subscription type support and how to request support to re-enable outbound SMTP connectivity, see [Troubleshoot outbound SMTP connectivity problems in Azure](../virtual-network/troubleshoot-outbound-smtp-connectivity.md).
98+
9799
#### Configuration routing
98100

99101
When you are using virtual network integration, you can configure how parts of the configuration traffic is managed. By default, configuration traffic will go directly over the public route, but for the mentioned individual components, you can actively configure it to be routed through the virtual network integration.
100102

101-
> [!NOTE]
102-
> * Windows containers don't support pulling custom container images over virtual network integration.
103-
> * Backup/restore to private storage accounts is currently not supported.
104-
> * Configure SSL/TLS certificates from private Key Vaults is currently not supported.
105-
> * App Service Logs to private storage accounts is currently not supported. We recommend using Diagnostics Logging and allowing Trusted Services for the storage account.
106-
107103
##### Content storage
108104

109105
Bringing your own storage for content in often used in Functions where [content storage](./../azure-functions/configure-networking-how-to.md#restrict-your-storage-account-to-a-virtual-network) is configured as part of the Functions app.
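Review bot: The port 25 note (new lines 96-97) says SMTP is supported "when the SMTP traffic is routed through the virtual network integration" but does not tie that condition to **Route All**. The paragraph at line 87 says that with **Route All** disabled only private (RFC1918) traffic is routed into the virtual network, so an app sending to a public mail server with **Route All** off would not meet the condition; state that dependency explicitly in the note. Separately, removing `> [!NOTE]` from the two bullets at new lines 89-90 leaves a bare list with no introducing sentence, and the first bullet is the one telling readers which traffic the integration subnet's NSGs and UDRs actually apply to; either keep the callout or add a lead-in line. "1. August 2022" would also be clearer as "August 1, 2022".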
@@ -118,6 +114,12 @@ When using custom containers for Linux, you can pull the container over the virt
118114

119115
App settings using Key Vault references will attempt to get secrets over the public route. If the Key Vault is blocking public traffic and the app is using virtual network integration, an attempt will then be made to get the secrets through the virtual network integration.
120116

117+
> [!NOTE]
118+
> * Windows containers don't support pulling custom container images over virtual network integration.
119+
> * Backup/restore to private storage accounts is currently not supported.
120+
> * Configure SSL/TLS certificates from private Key Vaults is currently not supported.
121+
> * App Service Logs to private storage accounts is currently not supported. We recommend using Diagnostics Logging and allowing Trusted Services for the storage account.
122+
121123
#### Network routing
122124

123125
You can use route tables to route outbound traffic from your app without restriction. Common destinations can include firewall devices or gateways. You can also use a [network security group](../virtual-network/network-security-groups-overview.md) (NSG) to block outbound traffic to resources in your virtual network or the internet. An NSG that's applied to your integration subnet is in effect regardless of any route tables applied to your integration subnet.
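Review bot: The relocated note (new lines 117-121) now sits directly under the Key Vault references paragraph, so its four bullets read as limits of Key Vault references, although only the certificates bullet mentions Key Vault and the others cover Windows containers, backup/restore and App Service Logs. Add a one-line lead-in stating that these apply to configuration routing in general, or move the note back under the "#### Configuration routing" introduction where it was removed from. Since the bullet is being moved anyway, "Configure SSL/TLS certificates from private Key Vaults is currently not supported" could be fixed to "Configuring SSL/TLS certificates ...".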
