When I configure my External ASE subnet's route table with a UDR of 0.0.0.0/0 with next hop of Azure Firewall private IP address, my web app breaks. When I switch next hop to Internet, my web app loads.
Is it possible that step 5 is incorrect? Or, am I attempting to use an unsupported configuration? Is step 5 only possible with internal ASE?
@markwaksman Thanks for the feedback! We are currently investigating and will update you shortly.
I have the exact same issue. There is a function app running on the ASE and it loses all connectivity. In the portal, I can see the status as running in the overview, but none of the functions load. It also does not give any error; it just keeps trying to load.
@markwaksman and @siddsachar, thanks for bringing this to our attention. We have been discussing this internally and I have assigned the issue to the content author to review further and update the document as necessary.
@AjayKumar-MSFT @markwaksman @siddsachar There is an entire section on application traffic needs which are additional. I can add clarification to the doc that the entire first section is just so that your ASE will function. It does not then support your apps. To handle your app needs, you need to support whatever routing is required for that.
It is unfortunate that the route enforcement is at the IP level rather than something at the TCP level. Your application requests must have routing support in order to reply to where the request came from.
The doc was refreshed with some clarification, so we will close this out, but if you feel you need more information please just let us know.
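The asymmetric return path discussed in this thread, modeled as an added example (not code from the thread or from the documentation it refers to). The firewall address, client address and client range are constructed placeholder values; the model assumes a request reaches the External ASE directly from the Internet, so its reply must also leave via the Internet next hop.

```python
import ipaddress

# Constructed sample values (not from the thread), using documentation ranges.
FIREWALL_IP = "10.0.1.4"      # hypothetical Azure Firewall private IP
CLIENT_IP = "203.0.113.25"    # hypothetical internet client of the web app


def next_hop(routes, dest):
    """Longest-prefix match over (prefix, next_hop) pairs, as IP routing does."""
    addr = ipaddress.ip_address(dest)
    matches = [(ipaddress.ip_network(prefix), hop)
               for prefix, hop in routes
               if addr in ipaddress.ip_network(prefix)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def diverted_replies(routes, clients):
    """Map each client whose reply would NOT go straight back out to the
    Internet to the next hop the reply is sent to instead."""
    return {c: next_hop(routes, c) for c in clients
            if next_hop(routes, c) != "Internet"}


# The UDR from the question: everything goes to the firewall.
forced_tunnel = [("0.0.0.0/0", FIREWALL_IP)]

# Same table plus a more specific route for the (assumed) client range,
# so replies to those clients return the way the requests arrived.
with_client_route = forced_tunnel + [("203.0.113.0/24", "Internet")]

if __name__ == "__main__":
    print("0.0.0.0/0 -> firewall only:", diverted_replies(forced_tunnel, [CLIENT_IP]))
    print("plus client route:         ", diverted_replies(with_client_route, [CLIENT_IP]))
```

Because the route decision is per destination IP, the more specific route only helps for client ranges known in advance; all other outbound traffic still follows 0.0.0.0/0 to the firewall.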