Azure App Service Environment Available in Azure Government

I am very excited to report that I have just deployed an isolated App Service Environment (ASE) in Azure Government. Here are a few quick pointers on how to get started.

Azure App Service Environment (ASE) is an isolated deployment of App Service dedicated to a single subscription. It is ideal for applications that require virtual network isolation or need to scale to a large number of instances. Until recently this feature has only been available in Azure Commercial Cloud but it is not available in Azure Government. So far I have deployed it successfully in US Gov Virginia and DoD Central, but it should be available in all Government regions shortly.

I have previously written about how to use VSTS/TFS to do CI/CD with deployment to an isolated App Service Environment. At that time, this scenario was using Azure Commercial, but now you can implement the same workflow in Azure Government.

To get started quickly, you can use my ASE DevOps template. This template will deploy:

  1. An App Service Enviroment (ASE)
  2. A Web App in that ASE.
  3. A build agent (connected to a VSTS or VSTS instance)
  4. A jump box for testing purposes.

The deployment will look like the diagram below.


To use the template perform the follow preparation steps:

  1. Create a new project in VSTS (or TFS).
  2. Create a Personal Access Token (PAToken) in VSTS/TFS.
  3. Create a new Agent Pool in VSTS/TFS.

Then clone the template repository and run the preparation script:

git clone

cd iac\ase-devops

..\scripts\PrepareAseDeployment.ps1 -DomainName `
-AdminUsername EnterpriseAdmin -TSServerUrl `
-OutFile C:\temp\magase.parameters.json

This prep script will create a self-signed certificate for the domain you would like to use. For production use you will want to get your certificate from a Certificate Authority. For free certificates, I recommend Let's Encrypt. I have written a bit about how to generate certificates for Web Apps with Let's Encrypt. After running the script you are ready to create a new resource group and run the deployment:

New-AzureRmResourceGroup -Name vaase -Location usgovvirginia

New-AzureRmResourceGroupDeployment -Name myasedeploy `
-TemplateUri $(Get-GitHubRawPath .\azuredeploy.json) `
-TemplateParameterFile C:\temp\magase.parameters.json `
-ResourceGroupName vaase

The command line above uses my Get-GitHubRawPath tool to generate the path for the template. You can read more about that tool and why to use it in this blog post. If you just want the tool, you can install it with:

Install-Module HansenAzurePS

Alternatively, you can use the actual URL for the template:

This deployment will take a while to complete, it has been on the order of 1.5 hours when I have tried.

After deployment log into the Jump Box and add the IP address and host name of the web app to the c:\Windows\System32\drivers\etc\hosts file. In my case, I added:

With the hostname entries added, you should be able to open up a browser on the jump box and hit the ASE website:

The deployment above should register the self-signed certificate as the default ILB certificate, but in my case, the default ILB certificate was not binding appropriately to the sites deployed in the ASE. A simple restart of the ASE fixed that. If you are getting errors that the certificate is for a different site. Try to restart the ASE (which will restart the front-ends).

Since we are using the ASE DevOps template, you can set up a CI/CD pipeline from VSTS (or TFS). It is beyond the scope of this blog post to walk through all the steps, but a quick way to create a .NET Core Web App is using the dotnet command line tool:

cd C:\temp
mkdir dotnet-mag
cd .\dotnet-mag\
dotnet new mvc

Add the git repository of a VSTS/TFS project and push code:

git init .
git add .
git commit -m "Initial commit"
git remote add origin
git push origin master

You can then set up a standard .NET Core build configuration and for the build, you can use the Hosted VS2017 build agents (in VSTS). For the deployment configuration, you should pick the build agent deployed in the virtual network:

And if you are using a self-signed certificate, it is also necessary to use the "-allowUntrusted" configuration setting for the deployment:

After deployment, you should be able to hit the ASE web site again from the jump box and see that the .NET Core application has deployed:

And that's it. You now have an isolated App Service Environment (ASE) running in Azure Government with VSTS CI/CD pipeline. I will be posting more about ASE for Government applications, but this demonstrates that the basic pieces are in place. Let me know if you have question/comments/suggestions.

Comments (7)
  1. Phydeauxman says:

    Nice write up. Looking MAG this morning (3/1), I could not find ASEs exposed in the portal like they are in Commercial. Are ASEs in MAG only accessible programmatically?

    1. As far as I know, it is not available in the portal yet. You will have to create the ASE with a template, but some configuration steps can be done in the portal after that.

      1. Phydeauxman says:

        What method are you using to deploy them with the template? I deployed one from a template today via Visual Studio and since they take so long to provision, the access token timed out before the deployment was complete. It did not kill the deployment…just stopped any feedback from coming into Visual Studio. I have seen where other people have had similar issues from a PowerShell window. We use Terraform and will have to insert our template into our Terraform config file…not sure how that will react.

        1. Yes, I use a template to deploy. There is a link to it in the blog post. It does take a long time, but you don’t have to wait for it. An alternative is the “Deploy to Azure Gov” button on the GitHub page with the template. That will start the deployment through the portal and you don’t need a command line to wait for it.

  2. Hi,

    Can you please clarify if this refers to ASE v1 or v2? Also, is there any official MS documentation about this release?

    I ask as I am currently working with a client and we are eagerly waiting ASE v2 in MAG.


    1. It is v2. There is no v1 in MAG as far as I know. The documentation will be updated once the roll-out is complete.

      1. Thank you so much Michael. This is indeed very good news.

Comments are closed.

Skip to main content