Deploying web applications securely in Azure isn’t just about flipping a few switches and hoping for the best. For industries like banking and insurance, security is a top priority—both at the platform and application levels. That’s where Azure’s fully managed services come in, and today, we’ll take a closer look at Microsoft’s recommended approach using the App Service Environment (ASE), Application Gateway, and Web Application Firewall (WAF).
Does Microsoft’s solution check all the boxes? Can we tweak it for better performance or security? Let’s find out.
The Proposed Solution – A Quick Overview
The Microsoft documentation suggests the following setup:
- Azure App Service Environment (ASE): A fully isolated environment for hosting web applications securely
- Azure Application Gateway with Web Application Firewall (WAF): A layer 7 load balancer to filter incoming traffic and protect against common attacks
- Internally Load-Balanced (ILB) ASE: To keep the app fully private within the virtual network (VNet), avoiding exposure to the public internet
This approach ensures that only approved traffic reaches the application while maintaining a scalable and manageable deployment pipeline. But can we do better?
Where We Can Improve
While Microsoft’s approach is solid, we see a few areas where improvements or alternatives might be beneficial:
1. Zero Trust Considerations
The recommended setup focuses heavily on network isolation, but what about identity-based security? Implementing Azure AD Application Proxy or using private endpoints for additional security could further restrict access beyond just networking controls.
2. Performance and Cost Considerations
Running an ASE in ILB mode can be costly, and if your application doesn’t need full isolation, a combination of App Service with Private Link might be a more cost-effective alternative while still maintaining security.
3. Advanced Monitoring & Security Logging
Azure Monitor and Microsoft Defender for Cloud provide excellent insights, but adding Azure Sentinel for SIEM capabilities would enhance real-time security analytics and incident response.
4. Traffic Management for High Availability
If multi-region availability is a concern, consider adding Azure Front Door in front of Application Gateway for global traffic distribution and DDoS protection.
Technical Overview for Cloud Architects
Key Components in the Architecture:
- App Service Environment (ASE v3): Ensures isolation and dedicated compute for hosting applications.
- Application Gateway (WAF Enabled): Filters and routes traffic securely.
- Private Endpoints (Optional): Allows secure access without public exposure.
- Azure DevOps Pipelines: Handles automated CI/CD deployments.
- Azure Monitor + Log Analytics: For real-time monitoring and diagnostics.
Pros and Cons of This Approach:
Feature | Pros | Cons |
---|---|---|
ASE v3 | Fully isolated, supports private networking | Higher cost and complexity |
ILB App Service | No internet exposure | Requires extra networking setup |
WAF-enabled Application Gateway | Protects against OWASP threats | Needs fine-tuning to avoid false positives |
Azure DevOps CI/CD | Secure, automated deployments | Learning curve for YAML pipelines |
Technical Implementation Guide for Engineers
Step 1: Deploy an App Service Environment (ASE v3)
# The ASE needs a subnet of its own (delegated to Microsoft.Web/hostingEnvironments);
# --vnet-name is required when --subnet is given as a name rather than a resource ID.
az appservice ase create --resource-group awesomeRG \
  --name awesomeASE --vnet-name awesomeVnet --subnet awesomeSubnet --kind ASEv3
Step 2: Set Up an ILB ASE
Ensure the ASE is internally load-balanced within a VNet:
{
  "properties": {
    "internalLoadBalancingMode": "Web, Publishing"
  }
}
Step 3: Configure Application Gateway with WAF
Create an Application Gateway with WAF enabled:
# WAF_v2 needs a Standard-SKU public IP (agwPip is an assumed name) and a subnet
# dedicated to the gateway, separate from the ASE subnet; --priority is required
# for the default routing rule on the v2 SKU.
az network application-gateway create --name agw \
  --resource-group awesomeRG --sku WAF_v2 --priority 100 \
  --public-ip-address agwPip --vnet-name awesomeVnet --subnet agwSubnet
Enable the WAF policy and run it in Prevention mode so matching requests are blocked rather than only logged (policySettings below belongs to the WAF policy resource, Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies; Detection mode is useful while tuning rules, Prevention is the production setting):
{
  "properties": {
    "policySettings": {
      "state": "Enabled",
      "mode": "Prevention"
    }
  }
}
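The "needs fine-tuning to avoid false positives" caveat deserves a concrete workflow. The script below is an added example, not code from the original post or from Microsoft: it reads Application Gateway WAF log records (the ApplicationGatewayFirewallLog category, JSON lines as exported from Log Analytics or a storage account) and works out which rules are actually behind the blocks. With CRS 3.x the record that carries action "Blocked" is the anomaly-score rule 949110; the rules that contributed are logged as "Matched" records with the same transactionId, so blocks have to be attributed per transaction. Rules whose blocks all come from one path and one request argument, from several distinct clients, are flagged as candidates for a scoped exclusion instead of disabling the rule. The log lines, hostnames, client addresses and transaction IDs are constructed for this example.

```python
import json
import re
from collections import defaultdict

# CRS 3.x "Inbound Anomaly Score Exceeded": the rule whose record says "Blocked".
ANOMALY_SCORE_RULE = "949110"
# Extracts the argument name from details.data text such as "... within ARGS:q: ..."
ARG_RE = re.compile(r"ARGS:([A-Za-z0-9_\-\[\]]+)")


def _fw(txn, rule, action, client, uri, data=""):
    """Build one constructed firewall-log record in the exported shape (example data)."""
    return {"category": "ApplicationGatewayFirewallLog", "properties": {
        "transactionId": txn, "ruleId": rule, "action": action, "clientIp": client,
        "requestUri": uri, "hostname": "app.example.com", "details": {"data": data}}}


# Constructed sample: three blocked searches from two clients, one blocked
# numeric-Host request, one transaction that matched but scored below threshold,
# and an access-log record that must be ignored.
SAMPLE_WAF_LOG = "\n".join(json.dumps(r) for r in [
    _fw("t1", "942100", "Matched", "203.0.113.10", "/api/search?q=select+a",
        "Matched Data: select found within ARGS:q: select a"),
    _fw("t1", ANOMALY_SCORE_RULE, "Blocked", "203.0.113.10", "/api/search?q=select+a"),
    _fw("t2", "942100", "Matched", "198.51.100.7", "/api/search?q=union+all",
        "Matched Data: union found within ARGS:q: union all"),
    _fw("t2", ANOMALY_SCORE_RULE, "Blocked", "198.51.100.7", "/api/search?q=union+all"),
    _fw("t3", "942100", "Matched", "203.0.113.10", "/api/search?q=select+b",
        "Matched Data: select found within ARGS:q: select b"),
    _fw("t3", ANOMALY_SCORE_RULE, "Blocked", "203.0.113.10", "/api/search?q=select+b"),
    _fw("t4", "920350", "Matched", "192.0.2.44", "/", "Host header is a numeric IP address"),
    _fw("t4", ANOMALY_SCORE_RULE, "Blocked", "192.0.2.44", "/"),
    _fw("t5", "942100", "Matched", "198.51.100.7", "/api/search?q=or",
        "Matched Data: or found within ARGS:q: or"),
    {"category": "ApplicationGatewayAccessLog", "properties": {"httpStatus": 200}},
])


def parse_waf_log(text):
    """Return the properties of ApplicationGatewayFirewallLog records from JSON-lines text."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("category") == "ApplicationGatewayFirewallLog":
            records.append(rec["properties"])
    return records


def attribute_blocks(records):
    """Per transaction that ended in a block, credit every Matched rule
    (except the anomaly-score rule itself) with path, argument and client."""
    by_txn = defaultdict(list)
    for rec in records:
        by_txn[rec.get("transactionId")].append(rec)
    summary = {}
    for recs in by_txn.values():
        if not any(r.get("action") == "Blocked" for r in recs):
            continue  # matched but not blocked: no false positive to tune
        for r in recs:
            rule = r.get("ruleId")
            if r.get("action") != "Matched" or rule == ANOMALY_SCORE_RULE:
                continue
            e = summary.setdefault(rule, {"count": 0, "paths": set(), "args": set(), "clients": set()})
            e["count"] += 1
            e["paths"].add(r.get("requestUri", "").split("?", 1)[0])
            e["args"].update(ARG_RE.findall((r.get("details") or {}).get("data", "")))
            e["clients"].add(r.get("clientIp"))
    return summary


def suggest_exclusions(summary, min_clients=2):
    """Heuristic: blocks confined to one path and one argument, seen from several
    clients, point to a scoped exclusion (RequestArgNames equals <arg>) to review
    by hand, rather than to disabling the rule outright."""
    out = []
    for rule, e in sorted(summary.items()):
        if len(e["paths"]) == 1 and len(e["args"]) == 1 and len(e["clients"]) >= min_clients:
            out.append({"ruleId": rule, "path": next(iter(e["paths"])), "arg": next(iter(e["args"]))})
    return out


def triage(text):
    return suggest_exclusions(attribute_blocks(parse_waf_log(text)))


if __name__ == "__main__":
    for rule, e in attribute_blocks(parse_waf_log(SAMPLE_WAF_LOG)).items():
        print(rule, e["count"], sorted(e["paths"]), sorted(e["args"]), len(e["clients"]))
    print(triage(SAMPLE_WAF_LOG))
```

The suggestions are input for a review, not something to apply blindly: confirm that the flagged traffic is legitimate before adding an exclusion, and keep exclusions as narrow as the data allows (one rule, one argument) so the rest of the rule set stays in Prevention.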
Step 4: Set Up a Private Endpoint for App Service (Alternative to ASE)
# --group-id sites targets the App Service itself; --connection-name is required.
# appserviceID is the web app's resource ID (az webapp show --query id -o tsv).
az network private-endpoint create --name privateEndpoint \
  --resource-group awesomeRG --vnet-name awesomeVnet \
  --subnet awesomeSubnet --private-connection-resource-id appserviceID \
  --group-id sites --connection-name awesomeAppConnection
Step 5: Implement CI/CD with Azure DevOps
Use a YAML pipeline to automate deployments:
trigger:
  branches:
    include:
      - main

stages:
  - stage: Deploy
    jobs:
      - job: DeployToASE
        # An ILB ASE is only reachable inside the VNet, so this job needs a
        # self-hosted (or VNet-connected) agent pool; Microsoft-hosted agents cannot reach it.
        steps:
          - task: AzureWebApp@1
            inputs:
              # Name of the Azure Resource Manager service connection, not of the ASE itself
              azureSubscription: 'awesomeASE'
              appName: 'awesomeApp'
              package: '$(Build.ArtifactStagingDirectory)/drop.zip'
Microsoft’s solution provides a strong foundation for deploying secure applications, but there’s always room for enhancements. Whether it’s adding private endpoints, integrating SIEM for better security insights, or optimizing cost with App Service + Private Link, there are multiple ways to tailor this approach to fit your needs.
If you’re working in a security-conscious industry, following this guide should help you deploy applications with confidence—without losing sleep over security vulnerabilities (or at least, fewer of them).
Happy architecting!
Cheers, Oskar
Securely managed web applications – Azure Architecture Center | Microsoft Learn
Transparency: AI assisted blog post
Some content in this post is created with the help of AI tools (like a Language Model). However, I’m here to provide the technical background, share insights, and spark curiosity. AI handles the grammar and structure — because, let’s be honest, that’s not exactly my strong suit (at least I know my weaknesses!).
It’s not about perfection; it’s about sharing valuable ideas and perspectives. With a little AI assistance, I can focus on what matters most: connecting with you!
P.S. Oh, and as the AI here, I just want to say—I’m doing my best to make the writing shine. How it all turned out this good? Honestly, I have no idea—but I’m happy to help!