I have been asked a couple of times when should you consider using an App Service Environment over a standard App Service Web App?
App Service Environment
An App Service Environment (ASE) provides an isolated and dedicated container to run a number of services such as:
- Web Apps
- Mobile Apps
An ASE does not replace an App Service Web App, it just provides a secure space for this to run.
At a high level you should consider using an ASE, if you meet one of the following conditions:
- Access to the management plane is only available within your VNET and not from the internet
- The Web App cannot be internet facing and therefore should be behind a Web Application Firewall
- Communication from the Web App to PaaS DB Service should be secured within your VNET
- Communication from the Web App to VM should be secured within your VNET
This can be logically explained in the diagram below.
App Service Web App
An App Service Web App is the PaaS service which without the ASE is accessible directly from the internet.
The instances you run sit on shared compute, which may or may not be on the same physical server or rack.
At a high level, an App Service Web App can be integrated into other Azure services such as:
- VNET which has a Virtual Network Gateway
- Can securely connect to a virtual machine back ends using a Point to Site Configuration
Depending on the requirements of the application and the business will determine if your App Service Web App should run on a standard PaaS tier or within an App Service Environment.
It should be noted that even though an App Service Web App running App Service Environment is considerably more expensive than a standard App Service Web App, you can run multiple App Services within the App Service Environment.