
Azure’s ASE is all about serverless! In a Windows environment, IT usually spins up a server on an on-prem hypervisor, updates it, installs security software and SCCM to patch it, and then configures IIS with certs and bindings so Development can deploy simple code. The ASE abstracts all of those layers and provides a platform for Dev to deploy code. Thanks to Jason Savill’s YouTube channel for a great overview of ASE v3; the video is embedded here for review, and I explain the different areas in Terraform.

Here’s the video for a review.

I. Subnet Delegation

When creating the subnet, we need to add the delegation to the hosting environments.

II. Create the ASE

At the time of this post I didn’t find a parameter to change the domain. We enable the “allow new private endpoint connections” setting for internal connectivity.

III. Create the ASP

We are setting the kind to Windows since we are running IIS/.NET apps.

IV. Add your own certificate for SSL (Optional)

It is better to let the ASE manage the cert, but if you want a specific name, especially for external access, then do the following:

A. Use secure files in Azure DevOps by uploading your cert to a pipeline’s library.

B. Add a task in your pipeline to download the file:

In the pipeline task you have to pass the secret so Terraform can use it to open the cert.

C. Use Terraform to read the file after it downloads to the agent and import it with the private key.

V. Create the storage account and function

Add security while you are here: CORS, HTTPS and TLS m

VI. Bind the custom domain name and cert to your function

Note: The hostname binding parameter called “app_service_name” is compatible with functions, since it uses the same API. The name can mislead you into thinking it only works with app services.
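Steps IV.C and VI together, as an added example that is not the original post's code: the certificate is imported from the downloaded secure file and bound to the function's custom hostname. The variable names, resource labels and hostname are assumptions, as is the convention of exporting the download task's file path and the PFX password to Terraform as `TF_VAR_cert_path` and `TF_VAR_cert_password`.

```hcl
# Added example; variable names, resource labels and the hostname are assumptions.
# Assumes the pipeline exports the secure file's download path as TF_VAR_cert_path
# and the PFX password (a secret pipeline variable) as TF_VAR_cert_password.

variable "cert_path" {
  type = string
}

variable "cert_password" {
  type      = string
  sensitive = true # hides the value in plan/apply output, not in the state file
}

variable "resource_group_name" { type = string }
variable "location" { type = string }
variable "app_service_plan_id" { type = string } # the ASP from step III
variable "function_app_name" { type = string }   # the function from step V

variable "custom_hostname" {
  type    = string
  default = "func.internal.example.com" # constructed placeholder
}

# Import the PFX, private key included, from the file on the build agent.
resource "azurerm_app_service_certificate" "custom" {
  name                = "custom-hostname-cert"
  resource_group_name = var.resource_group_name
  location            = var.location
  pfx_blob            = filebase64(var.cert_path)
  password            = var.cert_password
  app_service_plan_id = var.app_service_plan_id # needed for apps hosted in an ASE
}

# Bind the hostname and certificate; app_service_name takes the function's name.
resource "azurerm_app_service_custom_hostname_binding" "function" {
  hostname            = var.custom_hostname
  app_service_name    = var.function_app_name
  resource_group_name = var.resource_group_name
  ssl_state           = "SniEnabled"
  thumbprint          = azurerm_app_service_certificate.custom.thumbprint
}
```

The PFX contents and its password are written to the Terraform state in plain text, so keep the state in a backend with restricted access and encryption at rest.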

VII. Create an app slot so you can at least have a stage and prod environment for a blue/green deployment

At this time there were no options to bind a custom hostname and cert to the app slot. Since we are using an internal ASE, I used the default name and configured DNS for it.

VIII. Gotchas with custom domain names

Kudu is configured in the background and defaults to the original name of the ASE. Configure your DNS settings to use the default name + your custom domain name so clients can use the custom name and backend developers can use the default link. More information here: https://docs.microsoft.com/en-us/azure/app-service/environment/networking

IX. Result:

Since our DNS is configured with a forward lookup zone and we have ExpressRoute to Azure, we are able to reach the functions from our internal network.