0 votes

Here https://docs.microsoft.com/en-us/azure/app-service/environment/create-ilb-ase#post-ilb-ase-creation-validation it says you need to manage your own DNS for your ILB ASE v2 domain. Does it mean I can just use 'DNS Zone' from Azure, for example, or some third-party DNS provider? Is this correct?

2

I suppose I got -1's from those who set up Azure ASE v2 many times, right? – alvipeo

2 Answers

1 vote

Actually, Bryan Trach-MSFT you're wrong.

I set up ILB ASE yesterday with Web Application Firewall (application gateway) and used multi-host routing with it. And now my multiple apps are externally accessible. And this way my infrastructure becomes PCI compliant (not just because of that but that's one of the factors).

And as I found out, "manage your own DNS" just means you need to use any external DNS provider (Azure DNS for example) for your apps within ILB ASE.

1 vote

Edit: Your situation is particular because you want to use an app gateway WAF, which is only supported on ILB ASE at this time. You also wish to have your apps publicly available. I have updated the below statement to reflect that while you can use an external DNS provider, this defeats the purpose of the ILB ASE design, which is meant to be used with an internal DNS server to keep your apps local to your company network only.

Additional note: multi-tenant web apps are adding the ability to disable TLS 1.0 on April 30th so that developers can be compliant with PCI. If your sole reason for using an ILB ASE with app gateway WAF is PCI compliance, you might be able to save on usage costs by waiting a few more weeks. Or you can use a regular ASE and turn off TLS 1.0 by following this document.

You would want to use an Internally Load Balanced App Service Environment (ILB ASE) when you do not want your web apps exposed to an external DNS provider. The point of an ILB ASE is to keep your app services internal to only your company network. Using Azure DNS or another 3rd party DNS provider is possible but it defeats the intended design of an ILB ASE, which is to only have your apps available internally.

You will need to look into using an on-prem (internal) DNS server or a VM in the cloud that is configured to handle DNS. There is a chance that your company already has a DNS server set up, so you might want to look into that first. If you currently have no DNS server set up, here is a blog that talks about configuring DNS on Windows Server 2016.

DNS requirements for an ILB ASE can be found here; the records you need in the ASE's domain are:

* `*`
* `*.scm`
* `ftp`
* `publish`
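The records listed above are wildcards and fixed names, so the usual mistake is to create them in the zone and never confirm that the concrete hostnames your apps actually use resolve to the internal load balancer. The script below is an added example, not code from the question, either answer, or Microsoft's documentation. It generates the four record names for a given ASE and ILB address, emits the Azure CLI commands to create them in an Azure Private DNS zone linked to the VNet (an assumption: that zone type is what keeps the names internal to your network, which is the design intent described in the MSFT answer), and then validates that every expected hostname resolves to the ILB IP. It assumes the ILB ASE v2 default domain suffix is `<ase name>.appserviceenvironment.net`; the ASE name, IP, app names and the lookup table fed to the resolver are constructed sample values.

```python
"""Generate and validate the DNS records an ILB ASE needs.

Added example; not part of the original Q&A. Names, addresses and the
resolver table below are constructed sample values.
"""
import socket
from typing import Callable, Dict, List

# Assumption: ILB ASE v2 default domain is <ase_name>.appserviceenvironment.net
ASE_DOMAIN_TEMPLATE = "{ase_name}.appserviceenvironment.net"

# Record names from the ILB ASE DNS requirements: wildcard for the apps,
# wildcard for the Kudu/SCM sites, plus the ftp and publish endpoints.
REQUIRED_RECORD_NAMES = ["*", "*.scm", "ftp", "publish"]


def ase_zone(ase_name: str) -> str:
    """Zone name the ASE expects its records to live in."""
    return ASE_DOMAIN_TEMPLATE.format(ase_name=ase_name)


def required_records(ilb_ip: str) -> Dict[str, str]:
    """A records (relative name -> address) that must exist in the ASE zone."""
    return {name: ilb_ip for name in REQUIRED_RECORD_NAMES}


def az_private_dns_commands(resource_group: str, ase_name: str, ilb_ip: str) -> List[str]:
    """Azure CLI lines that create a private zone and the four A records.
    Assumes an Azure Private DNS zone so the names stay internal; linking the
    zone to the ASE's VNet (az network private-dns link vnet create) is left
    to the operator because the VNet name is not known here."""
    zone = ase_zone(ase_name)
    lines = [f"az network private-dns zone create --resource-group {resource_group} --name {zone}"]
    for name, ip in required_records(ilb_ip).items():
        lines.append(
            f"az network private-dns record-set a add-record --resource-group {resource_group} "
            f"--zone-name {zone} --record-set-name '{name}' --ipv4-address {ip}"
        )
    return lines


def hostnames_to_check(ase_name: str, app_names: List[str]) -> List[str]:
    """Concrete hostnames that must resolve once the records above exist."""
    zone = ase_zone(ase_name)
    hosts = [f"ftp.{zone}", f"publish.{zone}"]
    for app in app_names:
        hosts.append(f"{app}.{zone}")        # served by the '*' record
        hosts.append(f"{app}.scm.{zone}")    # served by the '*.scm' record
    return hosts


def validate_dns(ase_name: str, ilb_ip: str, app_names: List[str],
                 resolve: Callable[[str], str] = socket.gethostbyname) -> Dict[str, str]:
    """Resolve every expected hostname; 'ok' only if it maps to the ILB IP.
    A missing wildcard shows up as UNRESOLVED, a stale record as WRONG ADDRESS."""
    results: Dict[str, str] = {}
    for host in hostnames_to_check(ase_name, app_names):
        try:
            got = resolve(host)
        except OSError as exc:          # gaierror is an OSError subclass
            results[host] = f"UNRESOLVED ({exc})"
            continue
        results[host] = "ok" if got == ilb_ip else f"WRONG ADDRESS ({got})"
    return results


def all_ok(results: Dict[str, str]) -> bool:
    return all(status == "ok" for status in results.values())


def table_resolver(table: Dict[str, str]) -> Callable[[str], str]:
    """Resolver backed by a constructed dict, used instead of live DNS so the
    example runs offline. Drop it to test against your real resolver."""
    def resolve(host: str) -> str:
        if host not in table:
            raise socket.gaierror(f"no record for {host}")
        return table[host]
    return resolve


if __name__ == "__main__":
    ase, ilb, apps = "contoso-ase", "10.0.1.11", ["shop", "api"]   # constructed
    print("\n".join(az_private_dns_commands("rg-ase", ase, ilb)))
    zone = ase_zone(ase)
    # Constructed lookup table: '*.scm' record was forgotten for 'api'.
    fake = {f"ftp.{zone}": ilb, f"publish.{zone}": ilb,
            f"shop.{zone}": ilb, f"shop.scm.{zone}": ilb, f"api.{zone}": ilb}
    report = validate_dns(ase, ilb, apps, resolve=table_resolver(fake))
    for host, status in report.items():
        print(f"{status:<40} {host}")
    print("all records present:", all_ok(report))
```

Run it without the `resolve=` argument from a machine inside the VNet (or wherever your internal DNS is reachable) and it uses the system resolver, which is the post-creation validation step the linked document asks for. Checking the SCM hostnames separately matters because a wildcard `*` record does not cover the two-label `app.scm` names; that is exactly why `*.scm` is its own entry in the list.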