Merge pull request #191740 from madsd/asenetworksettings

ASE network configurations

Author: tamarakhader

articles/app-service/environment/configure-network-settings.md

@@ -0,0 +1,117 @@
+---
+title: Configure App Service Environment v3 network settings
+description: Configure network settings that apply to the entire Azure App Service environment. Learn how to do it with Azure Resource Manager templates.
+author: madsd
+
+ms.topic: tutorial
+ms.date: 03/20/2022
+ms.author: madsd
+---
+
+# Network configuration settings
+
+Because App Service Environments are isolated to the individual customer, there are certain configuration settings that can be applied exclusively to App Service Environments. This article documents the various specific network customizations that are available for App Service Environment v3.
+
+> [!NOTE]
+> This article is about App Service Environment v3, which is used with isolated v2 App Service plans.
+
+If you don't have an App Service Environment, see [How to Create an App Service Environment v3](./creation.md).
+
+App Service Environment network customizations are stored in a subresource of the *hostingEnvironments* Azure Resource Manager entity called networking.
+
+The following abbreviated Resource Manager template snippet shows the **networking** resource:
+
+```json
+"resources": [
+{
+    "apiVersion": "2021-03-01",
+    "type": "Microsoft.Web/hostingEnvironments",
+    "name": "[parameter('aseName')]",
+    "location": ...,
+    "properties": {
+        "internalLoadBalancingMode": ...,
+        etc...
+    },    
+    "resources": [
+        {
+            "type": "configurations",
+            "apiVersion": "2021-03-01",
+            "name": "networking",
+            "dependsOn": [
+                "[resourceId('Microsoft.Web/hostingEnvironments', parameters('aseName'))]"
+            ],
+            "properties": {
+                "remoteDebugEnabled": true,
+                "ftpEnabled": true,
+                "allowNewPrivateEndpointConnections": true
+            }
+        }
+    ]
+}
+```
+
+The **networking** resource can be included in a Resource Manager template to update the App Service Environment.
+
+## Configure using Azure Resource Explorer
+Alternatively, you can update the App Service Environment by using [Azure Resource Explorer](https://resources.azure.com).  
+
+1. In Resource Explorer, go to the node for the App Service Environment (**subscriptions** > **{your Subscription}** > **resourceGroups** > **{your Resource Group}** > **providers** > **Microsoft.Web** > **hostingEnvironments** > **App Service Environment name** > **configurations** > **networking**).
+2. Select **Read/Write** in the upper toolbar to allow interactive editing in Resource Explorer.  
+3. Select the blue **Edit** button to make the Resource Manager template editable.
+4. Modify one or more of the settings ftpEnabled, remoteDebugEnabled, allowNewPrivateEndpointConnections, that you want to change.  
+5. Select the green **PUT** button that's located at the top of the right pane to commit the change to the App Service Environment.
+6. You may need to select the green **GET** button again to see the changed values.
+
+The change takes effect within a minute.
+
+## Allow new private endpoint connections
+
+For apps hosted on both ILB and External App Service Environment, you can allow creation of private endpoints. The setting is default disabled. If private endpoint has been created while the setting was enabled, they won't be deleted and will continue to work. The setting only prevents new private endpoints from being created.
+
+The following Azure CLI command will enable allowNewPrivateEndpointConnections:
+
+```azurecli
+ASE_NAME="[myAseName]"
+RESOURCE_GROUP_NAME="[myResourceGroup]"
+az appservice ase update --name $ASE_NAME -g $RESOURCE_GROUP_NAME --allow-new-private-endpoint-connection true
+
+az appservice ase list-addresses -n --name $ASE_NAME -g $RESOURCE_GROUP_NAME --query properties.allowNewPrivateEndpointConnections
+```
+
+The setting is also available for configuration through Azure portal at the App Service Environment configuration:
+
+:::image type="content" source="./media/configure-network-settings/configure-allow-private-endpoint.png" alt-text="Configure allow private endpoint access through Azure portal.":::
+
+## FTP access
+
+This ftpEnabled setting allows you to allow or deny FTP connections are the App Service Environment level. Individual apps will still need to configure FTP access. If you enable FTP at the App Service Environment level, you may want to [enforce FTPS](../deploy-ftp.md?tabs=cli#enforce-ftps) at the individual app level. The setting is default disabled.
+
+If you want to enable FTP access, you can run the following Azure CLI command:
+
+```azurecli
+ASE_NAME="[myAseName]"
+RESOURCE_GROUP_NAME="[myResourceGroup]"
+az resource update --name $ASE_NAME/configurations/networking --set properties.ftpEnabled=true -g $RESOURCE_GROUP_NAME --resource-type "Microsoft.Web/hostingEnvironments/networkingConfiguration"
+
+az resource show --name $ASE_NAME/configurations/networking -g $RESOURCE_GROUP_NAME --resource-type "Microsoft.Web/hostingEnvironments/networkingConfiguration" --query properties.ftpEnabled
+```
+
+In addition to enabling access, you need to ensure that you have [configured DNS if you are using ILB App Service Environment](./networking.md#dns-configuration-for-ftp-access).
+
+## Remote debugging access
+
+Remote debugging is default disabled at the App Service Environment level. You can enable network level access for all apps using this configuration. You'll still have to [configure remote debugging](../configure-common.md?tabs=cli#configure-general-settings) at the individual app level.
+
+Run the following Azure CLI command to enable remote debugging access:
+
+```azurecli
+ASE_NAME="[myAseName]"
+RESOURCE_GROUP_NAME="[myResourceGroup]"
+az resource update --name $ASE_NAME/configurations/networking --set properties.RemoteDebugEnabled=true -g $RESOURCE_GROUP_NAME --resource-type "Microsoft.Web/hostingEnvironments/networkingConfiguration"
+
+az resource show --name $ASE_NAME/configurations/networking -g $RESOURCE_GROUP_NAME --resource-type "Microsoft.Web/hostingEnvironments/networkingConfiguration" --query properties.remoteDebugEnabled
+```
+
+## Get started
+
+The Azure Quickstart Resource Manager template site includes a template with the base definition for [creating an App Service Environment](https://azure.microsoft.com/resources/templates/web-app-asp-app-on-asev3-create/).

articles/app-service/environment/media/configure-network-settings/configure-allow-private-endpoint.png

@@ -51,19 +51,20 @@ For your app to receive traffic, ensure that inbound network security group (NSG
 
 It's a good idea to configure the following inbound NSG rule:
 
-|Port|Source|Destination|
-|-|-|-|
-|80,443|Virtual network|App Service Environment subnet range|
+|Source / Destination Port(s)|Direction|Source|Destination|Purpose|
+|-|-|-|-|-|
+|* / 80,443|Inbound|VirtualNetwork|App Service Environment subnet range|Allow app traffic and internal health ping traffic|
 
 The minimal requirement for App Service Environment to be operational is:
 
-|Port|Source|Destination|
-|-|-|-|
-|80|Azure Load Balancer|App Service Environment subnet range|
+|Source / Destination Port(s)|Direction|Source|Destination|Purpose|
+|-|-|-|-|-|
+|* / 80|Inbound|AzureLoadBalancer|App Service Environment subnet range|Allow internal health ping traffic|
 
 If you use the minimum required rule, you might need one or more rules for your application traffic. If you're using any of the deployment or debugging options, you must also allow this traffic to the App Service Environment subnet. The source of these rules can be the virtual network, or one or more specific client IPs or IP ranges. The destination is always the App Service Environment subnet range.
+The internal health ping traffic on port 80 is isolated between the Load balancer and the internal servers. No outside traffic can reach the health ping endpoint.
 
-The normal app access ports are as follows:
+The normal app access ports inbound are as follows:
 
 |Use|Ports|
 |-|-|
@@ -117,6 +118,15 @@ To configure DNS in Azure DNS private zones:
 
 In addition to the default domain provided when an app is created, you can also add a custom domain to your app. You can set a custom domain name without any validation on your apps. If you're using custom domains, you need to ensure they have DNS records configured. You can follow the preceding guidance to configure DNS zones and records for a custom domain name (simply replace the default domain name with the custom domain name). The custom domain name works for app requests, but doesn't work for the `scm` site. The `scm` site is only available at *<appname>.scm.<asename>.appserviceenvironment.net*.
 
+### DNS configuration for FTP access
+
+For FTP access to Internal Load balancer (ILB) App Service Environment v3 specifically, you need to ensure DNS is configured. Configure an Azure DNS private zone or equivalent custom DNS with the following settings:
+
+1. Create an Azure DNS private zone named `ftp.appserviceenvironment.net`.
+1. Create an A record in that zone that points `<App Service Environment-name>` to the inbound IP address.
+
+In addition to setting up DNS, you also need to enable it in the [App Service Environment configuration](./configure-network-settings.md#ftp-access) as well as at the [app level](../deploy-ftp.md?tabs=cli#enforce-ftps).
+
 ### DNS configuration from your App Service Environment
 
 The apps in your App Service Environment will use the DNS that your virtual network is configured with. If you want some apps to use a different DNS server, you can manually set it on a per app basis, with the app settings `WEBSITE_DNS_SERVER` and `WEBSITE_DNS_ALT_SERVER`. `WEBSITE_DNS_ALT_SERVER` configures the secondary DNS server. The secondary DNS server is only used when there is no response from the primary DNS server.

articles/app-service/environment/networking.md

@@ -31,10 +31,12 @@
   items:
   - name: Using App Service Environment
     href: using.md
-  - name: Provision App Service Environment from an ARM template
+  - name: Create App Service Environment from template
     href: create-from-template.md
   - name: App Service Environment custom settings
     href: app-service-app-service-environment-custom-settings.md
+  - name: App Service Environment v3 network settings
+    href: configure-network-settings.md
   - name: Migrate to App Service Environment v3
     href: migration-alternatives.md
   - name: Use the migration feature