Skip to content →

Enterprise Deployment of an Internal Load Balancer with an App Service Environment v2

Infrastructure as Code (IaC) is becoming the norm for deploying all resources (IaaS and PaaS) in the Cloud. This post is part 1 of 7 of a miniseries which will take us though the process of deploying an Internal Load Balancer (ILB) with an App Service Environment (ASE) v2, all via Azure Resource Manager (ARM) Templates and PowerShell.  The miniseries will cover the following 7 topics:

  1. Deploying ILB ASE v2 with ARM Templates
  2. Uploading Certificate to Key Vault and Assigning it to the ILB ASE v2 with ARM Templates
  3. Creating an App Service Plan (ASP) with ARM Templates
  4. Creating App Service Web Apps with ARM Templates
  5. Uploading Certificates to Key Vault and Assigning to App Service Plan for Web App Usage with ARM
  6. Assigning Network Security Groups (NSGs) to the ILB ASE
  7. Resource Group Recommendations for RBAC for ILB ASE, ASP and Web Apps

Kudo’s to Natalia Konokhova who is the co-author of all the ARM templates.


I strongly recommend you read this blog post 1st to understand how the ILB ASE works before you try working with it via ARM. For an overview on the ASE, see Introduction to App Service Environments. To learn how to create an External ASE, see Create an External ASE.  Also, if you’re not familiar with Azure Resource Manger Templates  I recommend you read Azure Resource Manager overview.

All the templates we’ll be using can be found here.  This post specifically will focus on the scripts in the app-service-environment-v2 folder.


You will be working with 3 files which can be found in the repo as per screenshot below.

  1. azuredeploy.parameters.json – the parameter files that lets you customize your ASE deployment
  2. azuredeploy.json – the ARM template specifying the ILB ASE resource to deploy
  3. azuredeploy.ps1 – the PowerShell script we’ll use to submit the deployment template + parameters to Azure Resource Manager

Given most enterprises have a separation of concerns/duties from network resources and computer resources this deployment requires an existing virtual network and subnet name to be provide via the parameters.  Also, like any ARM deployment you must have an existing Resource Group to deploy the ILB ASE.


aseName – the friendly name for your ILB ASE resource

aseLocation – the location (Azure region) you want to deploy the ILB ASE into

existingVnetRG – the Resource Group where the Virtual Network for your ILB ASE resides

existingVnetName – the name of the Virtual Network for your ILB ASE

subnetName – the name of the dedicated subnet for your ILB ASE (the subnet must be empty and can only be used for your ILB ASE)

internalLoadBalancingMode – This indicates you want an ILB (do no changes this value)

dnsSuffix – the root DNS name for the ILB ASE, for example (if you create a web app called myapp under this ILB ASE its DNS name would be


The template is fairly straight forward.  It consists of the usual 3 parts.

  1. Parameter Definition – the parameters you can pass as defined in the above section
  2. Variable Definition – use this to construct the existing virtual network ID using the parameters that were supplied
  3. Resource Definition – the ILB ASE definition (see the full Microsoft.Web.hostingEnvironments template reference)


Now that the required parameters have been provided and we understand the template it’s time to submit the deployment to ARM via PowerShell.

Once you run line 25 go grab a coffee as this takes a while to complete.

This deployment took just over 90 minutes; however I’ve seen it as fast as 45 minutes.  This creation time isn’t that significant as the ASE ILB itself is usually a long-lived resource you don’t spin up and down all the time.  The App Service Plans and Web Apps is what you’d want to be able to create/scale more dynamically.

Now we have a happily running ILB ASE.  In part 2 we’ll focus on uploading a certificate to Key Vault and assigning it to the ILB ASE v2 with ARM a template.  This is the certificate that is used for all in transport communication by the ILB ASE and all the Web Apps hosted within it.

Published in ARM Azure Cloud DevOps IaC Microsoft Uncategorized


Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.