Sometimes it’s difficult too understand for the first time readers what is the difference between Azure App Service plan ASP and App Service Environment
Azure App Service plan is the “Actual package which consists of specific hardware resources and features” , Normally its run on shared resources and Azure global network. ASP plans are like Basic,Standard,Premium etc
App Service Environment (ASE) is describes more about environment . Its pure isolated resources and runs on your vnet . When you choose ASE as environment you can buy only “Isolated Plan” not regular app service plan like premium,standard etc.
Detailed comparison to run application in normal ASP and ASE :
Normal ASP | App Service Environment - ASE |
|---|---|
| Compute resources are hosted on a multitenant environment. | All compute resources are fully isolated and dedicated exclusively to a single subscription |
| There is no out-of-the-box compute resource layer specialization | Compute resources on an ASE are grouped in 2 different layers: Front-End Pool and Worker Pools (up to 3). The Front-End Pool is in charge of SSL termination and load balancing of app requests for the corresponding Worker Pools. Once the SSL has been off-loaded and the load balanced, the Worker Pool is in charge of processing all the logic of the App Services. The Front-End Pool is shared by all Worker Pools. |
| A Virtual Network can be created and App Services can be integrated to it. | An ASE is always deployed in a regional Virtual Network. This provides the ability to have access to resources in a VNET without any additional configuration required. |
| App Services are accessible via public Internet. | ASEs support an Internal Load Balancer (ILB) which allows you to host your intranet or LOB applications on Azure and access them only via a Site-to-Site or ExpressRoute VPN. |
| Inbound and outbound traffic control is not currently supported. | An ASE is always deployed in a regional Virtual Network, thus inbound and outbound network traffic can be controlled using a network security group. ASEs can be deployed into VNETs which use private address ranges. |
| Azure App Service Virtual Network integration provides the capability to access on-prem resources via a VPN over public Internet. | In addition to Azure App Service Virtual Network integration, the ASE provides the ability to connect to on-prem resources via ExpressRoute, which provides a faster and more reliable and secure connectivity without going over public Internet. |
| A Web Application Firewall (WAF) service is available to App Services through Application Gateway. | ASEs provide the ability to configure a Web Application Firewall for inspecting inbound web traffic which can block SQL injections, cross-site scripting, malware uploads, application DDoS, and other attacks. |
| By default, Azure App Services get assigned virtual IP addresses. However, these are shared with other App Services in that region. There is a way to give an Azure Web App a dedicated inbound static IP address. Nevertheless, there is no way to get a dedicated static outbound IP. Thus, an Azure App Service outbound IP cannot be securely whitelisted on on-prem or third-party firewalls. | ASEs provides a static Inbound and Outbound IP Address for all resources contained within it. App Services (Web App, Azure Web Jobs, API Apps, Mobile Apps and Logic Apps) can connect to third party application using a dedicated static outbound IP which can be whitelisted on on-prem or third-party firewalls. |
| App Services can be scaled-out automatically. | App Services deployed on an ASE can be scaled-out automatically. |
| Basic-F1 or B1 , and Premium-P1V1,P2V2,and P3V3 ,Standard- S1,S2 and S3consists of different CPU and memory and other features | Not applicable . You have to create app service environment.(Isolated ) |