Azure Application Service Environments v2: Private PaaS Environments in the Cloud


Hi, I’m Christina Compy. I’m a principal program manager
with the Azure App Service.>>Hello, everyone.
My name is Stella Ling, I’m the Senior Product Manager
for App Service.>>And we’re here today
to talk to you about the App Service Environment. The App Service Environment is
a capability that allows you to host your apps in
network isolation. And gives you a number of
scenarios that you don’t have available in the multi-tenant
App Service.>>Christina, let’s step
back and tell us more. First of all, what is
App Service in the first place?>>Sure, the Azure App Service
is a PaaS service that allows you to host your
applications at scale across the entire planet
in Microsoft’s clouds. And it has a large number of
features in it that enable rapid development and lift and
shift of your apps from on-premise into
the public cloud.>>It comes complete with
subfeatures such as Web Apps which would be HTML documents
returned from HTTP request, API apps, which are HTTP applications that
do not return an HTML document. Mobile applications,
which are device oriented applications, and
of course, functions, which is a new serverless offering
that we’ve been happy to get out the door this year.>>Yes, it looks like that
we have a lot of variety of apps that our customer can
build on top of App Service. So I heard that we’re actually
hosting over a million of external applications and
websites. That’s a huge number of sites
and apps and millions and billions of hits every month. So I’m very proud of it. And I know a lot of customers
are building, not only e-commerce apps, digital
marketing apps or LOB apps which are hosting in this case,
the App Service Environments. So now I’m very excited. Let’s talk about
App Service first of all.>>Sure, to know more about
the different types of applications that
you would host, you need to to know a little bit
more about the three different primary deployment models for
the Azure App Service. So there’s the multi-tenant
App Service which is hosted in Microsoft’s networks, and there’s multiple tenants in
the same system shared network. But we would keep your
applications in total secure isolation
from each other. But you don’t have the ability
to lock into your own network, because you’re in a multi-tenant
network at this point.>>Yes.>>Then the App Service
Environment which is a deployment of
the Azure App Service directly into a subnet in
the customer’s virtual network. And that gives you the ability
to do things such as host line of business applications
on a private IP address, or to scale to greater sizes
because we have greater access to virtual machines. And a number of other deployment
models that you can use it for. And then there’s Azure Stack. And Azure Stack is a deployment
of the App Service into your on premise Azure Stack deployment
and that is a very powerful capability in itself and-
>>Yeah, it looks like the difference between, and
help keep me honest here.>>Sure.
>>Looks like the difference between the multi-tenant and App
Service Environment is that basically it’s a private PaaS
environment in your cloud. And you add your virtual
network in this case. And it seems that
a lot of LOB apps, which will you kind of
lock down your app. And almost like, I heard a
customer saying that it’s almost like a stamp of their compliance
using App Service Environment. And tell me more about
difference here, which one use where.>>So the multi-tenant
App Service is great when you have an application
that you can host in a public facing Internet service.>>Yes.>>The App Service Environment
caters to the needs where you want to have endpoints
under tight control or you wanna lock down
the network access.>>Yeah.
>>In the case of an Azure Virtual Network,
that could mean you restrict access with things like
Network Security groups, or you can do things such as use
the internal load balancer deployment of
the App Service Environment. And that lets you
have total isolation. You can also couple your apps
with devices if you use an ASE, and that enables you to have
greater application security than you can otherwise
in the multi-tenant.>>Great, tell me more. Would you not be able to lock
down your app with multi-tenant before?>>You can lock down
to a degree, right?>>Yeah.
>>You can do IP filtering, you can integrate with
an application gateway. But the thing is that the public
stamps, the multi-tenant stamps, or environments,
have public endpoints for them. And they’re shared
public endpoints, so->>Yeah, you don’t know who
can see your apps, they could get access to it.>>Right,
your apps are in public DNS.>>Yes.
>>The endpoints are public, there’s a lot of security
around this service.>>Got it.>>But you can’t do things such
as use network security groups to restrict access to
the IPs for your apps.>>Yeah.
>>But with an ASE, an App Service Environment,
you can totally do that.>>It looks like our App Service
Environment is when you need more power, more scale,
and more security.>>That’s right.
>>For your apps.>>That’s right.>>Sure,
you briefly alluded to it. It seems like we can also talk
about the virtual network, how works for App Service
Environment and, yeah.>>Right, so the key component
to the App Service Environment is the fact that it deploys
inside an Azure Virtual Network. And so
with the Azure Virtual Network, you get the ability to control
access to the endpoints for your apps, noted that before. It gives you greater security, which helps with internal
compliance needs. As well as any sort of marketing
needs you might have on how you expose your apps here.>>Got it, it’s almost like
you can put your front-end in the public environments
versus your back-end systems or APIs that you wanna kind of
host in a private environment that might be
a good fit as well.>>That’s true, but you could also use the App
Service Environment to host both your front-end applications and
your back-end applications. And we’re gonna talk
a little bit about that.>>Yeah, it seems to be a nice
transition that I know you’re gonna share some of
the best practices of our deployment styles.>>Right, right, right, so just to reiterate what
the App Service Environment is. It is a deployment to the Azure
App Service inside a customer’s Azure Virtual Network. And it gives you the access, it gives you isolation,
greater scale, etc. So it’s important to draw
the distinction that we’re talking in
Azure Virtual Network. This isn’t a capability to
deploy the App Service in an arbitrary network anywhere. It’s only for deploying in
an Azure Virtual Network.>>Yeah.
>>And because this is a PaaS service, Microsoft manages the system and
customers get to use it.>>Yeah, sure.>>So let’s dive into some of
the deployment model types. So the basic model
that people build out of the box is an External
App Service Environment. So this is a case where
the public endpoint or the endpoint for your apps,
is a public IP address. Which is similar to what you’ve
got with the multi-tenant in that regard.>>Yeah, exactly.>>But then you can do things
such as assign an IP address to an individual application.>>Yeah.
>>And use network security groups to lock it down so
that you could essentially build two-tier applications with one
end facing the Internet and the other part securely locked down
with network security groups.>>Yeah, the customer can enjoy
all the PaaS capabilities that App Service kind of
bring to the table, like the CICD integration. Like say, very good and develop experience like
connection with the IDEs and all the developer products
still available for customers. And I know that we have done
a great deal of improvement in terms of creation of ASE as well
that experience is super simple. I know this is the always
almost like a basic model for the ASE but it’s a good start.>>Right, so if you’re creating
an App Service Environment, we allow you to create
it two different ways.>>Yeah.
>>Well, three, if you count tablets. You can create it in the portal,
though, while you’re creating your app. If you don’t have one already
in the region you wanted to deploy to, you can create an App Service
Environment as part of it. And if you do that, you’re
creating one of these where you have an external endpoint. You can also go through
a standalone model where you can create, again,
ASE with an external endpoint. Or you can create one
with an internal endpoint.>>Yeah, and I believe we see a
lot of use cases of the endpoint being the internal More balanced
and seen the customer fill and that’s a little bit more
secure and private for them.>>Right so if you wanted to
host something like an internal expense application,
>>Yes, that is a great example.>>Right, because you, that’s not something you want
on a public IP address, right?>>Exactly or HR system people’s
records like their PAIs and->>Right.>>Everything.
>>Or sales system.>>Exactly.
>>You name it.>>Yes.
>>There’s a number of these things and you don’t want to put that with
a public IP address, right?>>Yeah.
>>It would give, people would be a little
concerned over that.>>Yeah, yeah, yeah.>>So with the app
service environment, there’s a variant deployment
model where you can deploy with an internal load balancer.>>Yeah.
>>ILB.>>Yeah.>>So, in this case, if you were
connected from your on-premises network to your Azure virtual
network, then you would have. You can consider the Azure
Virtual Network at that point, an extension of your
on-premises network. And if it’s an extension of
your on-premises network, and you’re hosting
your apps inside this app service environment
with a private IP address, then you’re essentially, that’s
a line of business application. It’s just the same as if
you had hosted it inside your own datacenter internally.>>Yeah, I heard someone saying
that you can almost just because of the scalability of
app service environment that you can, the V2, You can actually
scale up to 100 VMs instances. Yes and people are just
hosting their many IP system inside ILB app and at the same
time they can actually have access to their on
premise resources. Their SAP or any kinda
the on premise sources. So it’s a very good support for their back end line
of business system.>>That’s true,
very good, Stella. So yeah, this is a very
powerful technique that makes the public cloud where
Microsoft’s Azure Cloud far more useful [CROSSTALK]
>>Practical for our customers.>>Practical, cuz not only do
you host now your Internet facing applications. You can host your internal facing applications-
>>Exactly.>>Which is huge.>>Yes.
>>So and it’s a PaaS service, which again,
PaaS services make your life a whole lot easier than
building it all from scratch.>>Yep, you don’t have to manage
the infrastructure, patching, like server management,
everything, we take care of for you. But you can still have a very
private lockdown environment for a system.>>Right.
>>Yeah.>>So another part, another way
you can go with the ILB ASE.>>Yeah.
>>Is just front it with a WAF device, so WAF-
>>That’s huge.>>A WAF device is a web
application firewall.>>Yeah.
>>So this is, if you’re not familiar with it,
it is a server component that allows you to do things such as
DDoS protection, URL filtering.>>Yep.
>>Prevent SQL injection, it’s a great security measure
that most enterprises use to protect especially their
marketplace applications or banking applications, etc.>>Yep.
>>And so if you’re using an ILB ASE because the endpoint
for your apps is totally isolated and locked down inside
of your Azure Virtual Network that means you’ve got as good
security as it’s gonna get. So it’s pretty powerful.>>Yeah, sometimes I heard that
the firewall’s just a compliance requirement for a lot of
industry like finance or whatever.>>Yeah.>>So that’s giving that option
to our customers actually, helping them to meet
the compliance need. Like I said, like example of
compliance for a customer’s.>>It’s true, I mean I work
with a lot of customers that would not be able to move to
the cloud if it wasn’t for the app service environment.>>Exactly.
>>So it basically opens the door to going through
the security gates that a lot of companies have built up over
the years to protect themselves. And that’s great and
it’s great that we have some way to make them feel good
about moving into Azure. Another thing you can do with
the ILB ASE, with the WAF, going to the two tier model,
is you are only exposing. The apps to the internet that
you want to so one of the great things you get with the ILB ASE
system, you host not only your front-end applications but
you can also host those back-end applications that talk
to secure data sources. Let’s say that this virtual
network was integrated on premises over express route. Then you could, for example,
have a web layer that talks to an API app that talks to an SAP
system in the backend, or however you want to build it. So it’s very powerful. So another way to go, and this is-
>>Wow, this is the global scale with
a Traffic Manager there.>>And in this case,
it’s using Traffic Manager. But we’ve had customers use
any number of load balancing techniques. It’s based off whatever the
customer need is this isn’t like it only works this way.>>And this almost seem to
mimic kinda like global company structure. They have a central corporate,
and then they have their
French office. So that they can also host in
their private environment but I’m stealing the thunder here. [LAUGH]
>>No, I love your enthusiasm. So it’s very important
to note that, while we are geographically
distributed, we are world wide. A lot of companies still work
within certain geo zones.>>Yes.
>>For example, in the United States.>>Yep.
>>And so if you wanted to minimize front end latency
to your customers, so you could set up-
>>That’s a great point.>>Deployments on east coast and
the west coast.>>Yes!
>>We’ve also got stuff in North US, South US,
>>So [CROSSTALK] you wanted, yeah. Right, or if you wanted to
cover Europe, you’ve got again the cardinal points and you can
deploy your apps as you see fit. It’s a very powerful
capability that lets you host at scale with security and
isolation.>>And low latency,
[CROSSTALK] yes.>>And low latency, well
>>Distributing it definitely lowers the latency.>>Yeah, yeah.>>Definitely so,
the app service environment we recently put out
an update to it. And it’s using very powerful
virtual machines on. Under the covers but
because it’s a PaaS service, customers don’t directly log in
and use the machines directly, they’re using the services. But they come in, we have three
different flavors or sizes. We’ve got 1 core,
a two core, and a four core.>>Yeah.>>And the scale is three and
a half gigs, seven and 14. So these sizes should
accommodate almost any reasonable web application.>>Yes.
>>If you’re using more than 14 gig in your app you’re probably
doing it a little off.>>[LAUGH]
>>You might want to use something like a cache service.>>Yeah.
>>Cache, sure, or use tables or queues, or CDN, but-
>>Yeah like, yeah, with 4 core 14 gig of RAM and
100 instances, I feel like it’s very
hard to outgrow.>>Yeah.
>>Yeah, yeah.>>I mean,
that’s pretty basely powerful.>>Yeah, yeah, yep.>>Right, right, so we’re using the new Dv2
workers that I noted earlier. They have SSDs in the fast CPUs.>>Yeah.>>The system,
the app service environment V two just like V one,
it’s a single tenant system.>>Yeah.
>>So you only expose it internally
to who you want to use it.>>Yeah, so it’s basically
a single tenant, meaning like you own
your own tenants and you are not sharing
the environment with others. That’s the-
>>Not unless you want to.>>[LAUGH] Well.
>>But yes.>>Different scenario, if you
want to work with multi tenants, but this case-
>>Sure.>>If you have your own tenant,
you can put more apps in it, or you just have one app, gigantic
app in one tenant, right?>>Sure, yes.
>>Yeah, yeah.>>So you can scale in an app
service environment you could scale up to hundred app
service plan instances.>>Yes.
>>Now what those are are when you create your app, it’s always created inside
an app service plan.>>Yes.
>>App service plan, you can think of it like
a server provisioning profile.>>Yeah.
>>And so when you scale your app, you’re actually scaling
the app service plan.>>Yes.
>>So if I had three apps in my
app service plan. Then each of those three
apps would be scaled for every instance I scaled
my app service plan.>>Got it.
>>So within app service environment, you can have 100 total app
service plan instances, whether it’s one plan or
100 plans with one instance.>>Yeah.
>>And you don’t have to use all 100 you can use
some smaller amount.>>Yeah, yeah.>>So
the TB of storage you get is for use across the entire
App Service Environment. So it would be used by all the
App Service plans that are used in that ASE.>>A lot of storage!>>That is a lot of storage I
would still recommend, use CDNs, though, if you’re gonna
host a lot of image data.>>Yeah, yeah, yeah.>>Term you should be
careful using that.>>Yeah.>>Cool, and so,
real quick bit of demo here.>>Great, show us some of
the in product experience.>>Right, so what we’ve got
here is the Azure Portal. And we’re looking at an app
service environment. And this app service environment
gives you access to, this particular one happens
to be an ILB ASE, so it has an internal end point.>>Yep.
>>And so, if you were to access
the apps on it, you have to set up your
own certificates and DNS. It’s not on the Internet, right? There’s a little bit
more overhead, but this is actually a feature, because then you’re
out of the public eye. This is for total isolation.>>Yeah, yeah,
it’s designed that way.>>Right, and so we give you the
ability to set the certificate for SSL on the front end. You also have access, of course, to the information that’s
tied to the system. And then going into the scaling
on your app service plans, just to touch on that. You can see, of course, the apps in the app service
plans that are in your ASE, because hey, if you’re managing
it, you should kind of know.>>Yep, yep.>>So the way this
works is if I was to scale my app service plan,
then the system will automatically scale based
on what I’ve already set.>>I see.>>There’s already a scale
operation in progress on this one, which is another
reason I picked this one.>>Yep.
>>So you can get that information,
see that feedback. This isn’t the plan
that’s actually scaling, so it lets you know that
the entire ASE is scaling.>>Yeah, scaling is super
easy as a slider versus, you don’t have to kind of manage
your DNS so you know how to warm up your VM, and then we
take care of all them for you.>>Right, this isn’t like
managing VMs, where you have to then manage it in a load
balancer or something else.>>Yeah, yeah, yeah.>>Right.
>>Everything is building with the service.>>Right, and you have access to
all of the features that the app service provides, so.>>And this is scale out and
then we have scale up as well, in case you want to have more
core or RAM in this case, right.>>Right, if you wanted to
change size, you could scale up or down as appropriate amongst
those three different sizes.>>Yep.>>So that’s it in a nutshell. A quick overview on the app
service environment, but if you want to learn more about it-
>>Yeah, I was about to say, I’m almost
eager to get started and I definitely, this is a very
powerful offering from us. And I do want to know, leave
some good documentation to your customers so that they can
kind of get started quickly.>>We’ve got a lot
of documentation. The easiest way to start
is either with the intro or with the readme. The readme gives you access
to list all the different documents that are tied to
the app service environment.>>Great.
>>But then if you were looking for the introduction,
then of course we’ve got the What is
an App Service Environment, which goes through a lot
of what we just said, and it gives you links out to
the different sections.>>And I know that we have
a couple of very easy to use tutorials for people to
follow through as well, right?>>Right, we’ve got a number
of tutorials that help get you started. Especially around
the creation of your ASE, and creating the apps, and
then setting up ILB ASEs, and managing network constraints,
and stuff like that. And we’re gonna
continue to grow it. Cuz the App Service Environment
is a very important component for the App Service team, so.>>Sure, for Azure, even, allow
customers to run their apps in private PaaS environment,
in the cloud. It’s a huge thing, and
that with a lot of lockdown and compliance, of compliance and
a lot going on here.>>To learn more about the app
service environment, you can go to docs.microsoft.com and search
for the App Service Environment. We’ve got information on
the readme document, as well as we’ve got an introduction
in many other walkthroughs.>>We look forward to see what
you’re building with app service environment, thank you!>>Thank you for watching, bye.

Danny Hutson
