ASE Application Service Environment

Quick summary

This document lists the top 10 operational recommendations for managing an ASE, each expanded to five actionable items, plus an extended operational checklist, richer portal click subtopics,
and exhaustive post-change runbook substeps. A PowerShell section near the end provides common ASE commands for automation and troubleshooting.

Top 10 Recommendations

1. Isolate ASE into its own virtual network and subnet

Rationale: Proper VNet isolation prevents cross-tenant exposure and simplifies NSG, routing, and peering rules.

Create a dedicated VNet and subnet for ASE and enforce naming/tags (ase-vnet, ase-subnet; tag: ase=true).
Allocate adequate CIDR blocks with growth margins; document IP plan and reservation ranges for ASE services.
Use dedicated route tables for ASE subnet to control forced tunneling, service egress and NVA paths.
Restrict subnet delegation and ensure no other platform services share the subnet to reduce attack surface.
Document peering/expressroute/VPN boundaries and test cross-boundary traffic flows post-peering to confirm isolation.

2. Use NSGs and route tables to enforce traffic flows

Rationale: Control inbound/outbound management and data plane traffic; ensure secure management jump hosts and service endpoints.

Apply NSGs with explicit allow rules limited to management IPs, Azure DNS, monitoring and required service ports.
Create route tables for ASE subnet to steer traffic to firewalls or proxies where required; document exceptions.
Leverage application/service tags where possible and avoid overly broad allow rules; prefer host-based restrictions where needed.
Enable NSG flow logs and keep baseline traffic profiles to detect drift or anomalous flows.
Use staged deployments of NSG/routing changes in a staging VNet; validate with traffic probes before production application.

3. Use service endpoints and private endpoints for dependent PaaS

Rationale: Restrict access to storage, Key Vault, and SQL from within the ASE's VNet to reduce exposure.

Prefer Private Endpoints for strong isolation; use service endpoints when private endpoints are not supported or for simplicity.
Map each PaaS dependency (Storage, SQL, Key Vault) to a connectivity model and document implications for DNS and firewall settings.
Limit resource firewall exceptions to ASE VNets or specific Private Endpoints; avoid "all Azure" exceptions unless justified and logged.
Automate creation and approval of Private Endpoints via IaC and record the approver and reason in tags/CMDB.
Periodically validate that PaaS resources are only reachable via their intended private interfaces from ASE subnets using probes.

4. Scale stamp capacity proactively and test scale plans

Rationale: ASE capacity planning prevents unpredictable cold-starts and preserves isolation by avoiding overcommit.

Define target headroom (instances, vCPU, memory) per workload and maintain buffer thresholds in capacity planning docs.
Implement regular load tests in staging that exercise expected peak traffic patterns and failure modes.
Automate metrics collection (CPU, memory, connections) and trigger capacity review when thresholds are reached.
Document scaling playbooks for worker pools (add instance, change SKU) and validate rollbacks on failure.
Coordinate capacity changes with networking (IP availability), storage, and dependent PaaS teams to avoid resource contention.

5. Use staging slots and rollout orchestration

Rationale: Reduce downtime for updates and validate environment-specific integrations before production swaps.

Create and standardize deployment slot usage per app (staging, canary, blue/green) and include health checks per slot.
Automate deployment pipelines to push to slot first, run smoke tests, and only swap when success criteria are met.
Preserve slot configuration differences (connection strings, feature flags) via slot-specific settings and secrets referencing Key Vault.
Use phased rollouts (canary %) with monitoring and quick rollback triggers when metrics degrade.
Document swap and rollback procedures, and test them regularly as part of release rehearsals.

6. Harden management plane: RBAC, Privileged Identity, and conditional access

Rationale: Minimize blast radius by least-privilege access, conditional access, and temporary elevation for operational tasks.

Apply least-privilege RBAC; use resource-group-scoped roles and custom roles for narrow permissions.
Use Azure AD PIM for just-in-time elevation and require approval/NZ for critical roles.
Enforce Conditional Access policies (MFA, compliant device) for all management operations and break-glass exceptions with audit logging.
Rotate service principal credentials and certificate-based auth regularly; record secrets in Key Vault and audit access.
Schedule periodic access reviews and remove unused or stale accounts and roles automatically when possible.

7. Enable advanced diagnostics and centralize logs

Rationale: Central logging and diagnostic settings accelerate troubleshooting and enable long-term retention for audits.

Route ASE diagnostic logs and metrics to a central Log Analytics workspace with standardized table naming and tags.
Enable Application Insights for each app with consistent sampling, custom telemetry, and correlated request IDs.
Ensure NSG/Firewall/Private Endpoint logs are ingested and retained per compliance requirements.
Create central dashboards and saved queries for ASE health signals and developer-facing error trends.
Automate alerts that map to runbooks and include contextual links to diagnostics and recent deployments for faster triage.

8. Health probes, autoscale rules, and alerts

Rationale: Detect and react to service degradation automatically; combine platform alerts with custom app metrics.

Define and implement platform-level alerts for ASE (worker health, NIC issues) and app-level alerts (error rate, latency).
Use autoscale rules tied to appropriate metrics (CPU, HTTP queue length, custom business metrics) with cool-down windows.
Create composite monitors (health score) combining multiple signals (app, infra, DNS) to reduce false positives.
Attach action groups with paging/SMS/email and automated runbook triggers for safe remediation steps.
Regularly test alert workflows (alert -> runbook -> remediation -> verify) to ensure operational readiness.

9. Patch, OS image and worker pool lifecycle management

Rationale: Regular updates reduce risk from platform vulnerabilities; plan maintenance windows for worker pool upgrades.

Maintain a scheduled patch window and a documented rollback plan; use staging and canary worker pools when available.
Test OS/image or platform-level upgrades against a representative staging ASE before rolling to production.
Use automation to apply patches progressively across pools and monitor for regressions after each batch.
Keep an inventory of worker pool SKUs, image versions, and patch history for audit and troubleshooting.
Coordinate patching with dependent services (DB, storage) to ensure compatible driver/SDK versions and minimize surprises.

10. Document network topology and automate recoveries

Rationale: Clear runbooks and IaC templates speed recovery and ensure consistent deployments across environments.

Capture full topology diagrams (VNet, subnets, peerings, NVAs, route tables, DNS) stored with versioned IaC artifacts.
Create and test ARM/Bicep templates that can recreate ASE core components and dependencies in a sandbox environment.
Maintain runbooks for common recovery actions (failover worker pool, redeploy ASE, rebuild subnet) with exact commands.
Store runbooks and templates in a secured repo with change control and automated validation (CI) on updates.
Perform quarterly restoration drills to validate the completeness and accuracy of topology documentation and recovery scripts.

Operational checklist

Use this checklist after each configuration change to validate ASE health.

Verify ASE status: Application Service Environment > Overview > Status is Healthy.
Confirm worker pool instance counts and SKUs match planned configuration.
Verify IP availability in ASE subnet and reserved address ranges remain free.
Run app smoke tests from within VNet using a VM or private jump host and record results.
Validate DNS resolution for app hostnames and PaaS dependencies from ASE subnets.
Confirm Private Endpoints and service endpoints are resolving and returning expected private IPs.
Check NSG, UDR and firewall rules for recent changes and verify no unintended denies to ASE traffic.
Ensure diagnostic settings are active and logs are flowing to Log Analytics (ingestion timestamp check).
Review Application Insights for new exceptions or spike in failed requests since the change.
Verify RBAC and PIM elevation logs for any recent role changes related to the operation.
Confirm autoscale configuration and test a scale trigger in staging where safe.
Check backup/restore jobs for any dependent resources (if applicable) completed recently without errors.
Run a synthetic probe for end-to-end transaction latency and success rate, compare to baseline.
Inspect NSG flow logs and firewall logs for anomalous sources or denied flows tied to ASE NICs.
Document the change in the CMDB/ticket with approval, runbook steps taken, test outcomes and owner for follow-up.

Best practice

Prefer private and service endpoint based connectivity for dependent PaaS services; avoid public endpoints where possible and always document exceptions.

Azure Portal exact clicks reference

Concise mapping of where to click for the most common ASE tasks, each with five practical subtopics.

Find ASE

Portal: Home > Search box > type "Application Service Environment" > select ASE resource from results.
From ASE list: filter by subscription and resource group to locate environment variants (prod/stage/test).
Use tags in the portal list view to surface owner, environment, and cost center for quick triage.
Pin ASE resource to dashboard for persistent visibility and quick access to Overview and Metrics.
Open Overview: capture resourceId and check associated resource groups and region before making changes.

Assign subnet to ASE

ASE resource > Networking > Select subnet > choose the subnet > Save; confirm operation completes without error.
Verify the subnet has correct delegation/route table and no conflicting services assigned prior to Save.
Check that subnet size meets ASE recommendations and that IP capacity is available for worker pools.
Confirm that the associated NSG and UDR are linked and contain required allow rules for Azure platform services.
After assignment, validate ASE health and worker pools in Overview > Metrics to ensure no regressions.

Attach NSG to ASE subnet

Virtual networks > select VNet > Subnets > select ASE subnet > Network security group > Associate > select NSG > Save.
Before associating, review NSG rules for required allow entries (DNS, management, monitoring) to prevent accidental lockout.
Apply NSG in a staged manner: associate a scoped NSG first, validate traffic, then replace with hardened NSG if validated.
Enable NSG flow logs on the NSG resource and confirm logs are streaming to configured storage/Log Analytics workspace.
After association, run connectivity tests (DNS, app endpoints) from in-VNet VMs to confirm no unintended blocking.

Enable diagnostic settings

ASE resource > Diagnostic settings > + Add diagnostic setting > choose logs and metrics > select destination (Log Analytics / Storage / Event Hub) > Save.
Choose the Log Analytics workspace used for centralized ASE logs and apply consistent naming/retention policies.
Enable required categories: AllMetrics, AuditLogs, AppServiceHTTPLogs, WorkerPoolLogs (if available).
Verify last ingestion timestamp in Log Analytics and run a sample query to confirm expected tables/fields appear.
Document retention period and export requirements for auditors; set alerts if telemetry ingestion stops for > N minutes.

Configure autoscale

App Service Plan > Scale out (App Service Plan) > Enable autoscale > Add a rule > set metric > define action > Save.
Define sensible scale-in protections and cooldown periods to avoid flapping under bursty traffic.
Use custom metrics where standard metrics are insufficient (e.g., queue length, custom health score).
Test autoscale rules in staging by generating synthetic load and confirm expected scale actions occur.
Attach notifications or runbook actions to scale events so operators are informed of automated changes.

Useful ASE PowerShell commands

PowerShell (Az module) snippets for inventory, diagnostics, and automation. Run in Cloud Shell or a machine with Az module authenticated.

# 1. Sign in and select subscription
Connect-AzAccount
Select-AzSubscription -SubscriptionId "YOUR-SUBSCRIPTION-ID"

# 2. List ASEs in subscription
Get-AzResource -ResourceType "Microsoft.Web/hostingEnvironments" | Format-Table Name, ResourceGroup, Location

# 3. Show ASE details
Get-AzResource -ResourceType "Microsoft.Web/hostingEnvironments" -ResourceName "my-ase-name" | ConvertTo-Json -Depth 5

# 4. Get ASE vNet/subnet association
$ase = Get-AzResource -ResourceType "Microsoft.Web/hostingEnvironments" -ResourceName "my-ase-name"
$ase.Properties.virtualNetwork | ConvertTo-Json

# 5. Add a diagnostic setting to ASE to send to Log Analytics
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName "rg-logs" -Name "la-ase"
Set-AzDiagnosticSetting -ResourceId $ase.ResourceId -WorkspaceId $workspace.ResourceId -Enabled $true -Category "AllMetrics","AppServiceHTTPLogs" -RetentionInDays 30

# 6. Scale worker pool (change worker size or instance count)
$aseObj = Get-AzResource -ResourceType "Microsoft.Web/hostingEnvironments" -ResourceName "my-ase-name"
# modify $aseObj.Properties.workerPools as needed then:
Set-AzResource -ResourceId $aseObj.ResourceId -Properties $aseObj.Properties -Force

# 7. Create a subnet and associate NSG (simplified)
$vnet = Get-AzVirtualNetwork -Name "vnet-ase" -ResourceGroupName "rg-network"
$subnet = Add-AzVirtualNetworkSubnetConfig -Name "ase-subnet" -AddressPrefix "10.1.0.0/24" -VirtualNetwork $vnet
Set-AzVirtualNetwork -VirtualNetwork $vnet
$nsg = New-AzNetworkSecurityGroup -Name "nsg-ase" -ResourceGroupName "rg-network" -Location "eastus"
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "ase-subnet" -AddressPrefix "10.1.0.0/24" -NetworkSecurityGroup $nsg | Set-AzVirtualNetwork

# 8. Create a private endpoint for Storage Account (example)
$subnet = Get-AzVirtualNetworkSubnetConfig -Name "ase-subnet" -VirtualNetwork $vnet
$storage = Get-AzStorageAccount -ResourceGroupName "rg-data" -Name "stase"
$pe = New-AzPrivateEndpoint -Name "pe-storage-ase" -ResourceGroupName "rg-data" -Location $storage.Location -SubnetId $subnet.Id -PrivateLinkResourceId $storage.Id -GroupId "blob"

# 9. Export ASE resource template
Export-AzResourceGroup -ResourceGroupName "rg-ase" -Resource $aseObj.Name -Path "./ase-template.json"

# 10. Health check: list apps in ASE and app details
Get-AzWebApp -ResourceGroupName "rg-apps" | Where-Object { $_.HostingEnvironmentProfile -ne $null } | Select Name, State, Location, HostNames | Format-Table

Replace placeholders like my-ase-name, resource group and subscription IDs with your environment values before running commands.

Runbook: Post-change validation

Expanded subtopics for each of the three validation steps to make runbooks more actionable during post-change checks.

Step 1 - Confirm platform health

Open ASE Overview: verify Status is Healthy and note any recent warnings/errors in the Overview feed.
Check worker pool health: confirm each worker pool instance is Running and within expected utilization thresholds.
Validate NIC and network interfaces: list NICs for ASE and confirm private IPs match documented mapping.
Confirm platform metrics: query CPU, memory, HTTP queue length for sudden spikes since the change.
Review recent platform events: Activity Log filter for ASE resource events in the past hour for failed operations.

Step 2 - Run functionally scoped smoke tests

Execute critical path transactions: perform a simple read and write (or equivalent API call) that represents main app flow.
Validate dependency calls: confirm app can reach Storage, Key Vault and DB via private endpoints from ASE subnet.
Measure latency and error codes: capture HTTP status codes and latency, compare with baseline thresholds for acceptable performance.
Test authentication/authorization flows: ensure token issuance and verification (AAD, certs) function as expected after the change.
Record and upload test artifacts: log request traces, screenshots or curl outputs and link them to the change ticket for traceability.

Step 3 - Check logs and telemetry

Run targeted Log Analytics queries: search for exceptions, 5xx responses, or authentication errors in the last 15 minutes.
Review Application Insights: check failed requests and dependency failures correlated to the deployed version or change window.
Validate NSG/Firewall logs for denied flows: verify no critical flows to ASE NICs were blocked by recent rule changes.
Confirm telemetry continuity: ensure ingestion timestamps indicate logs are being received and that no log gap exists.
Trigger a health-alert test: if safe, cause a low-severity alert condition to validate alert routing and runbook invocation paths.

This article was originally published on 2025-NOV-16 and last reviewed on 2025-NOV-17.