The seemingly impenetrable ILB ASE v2

Microsoft released their second version of the App Service Environment in June 2017 which included an Isolated SKU.

The Internal Load Balancer (ILB) App Service Environment v2 is a deployment of the Azure App Service with no public endpoints, deployed to a subnet in a customer's own Azure Virtual Network. It provides a fully managed PaaS to build, deploy and scale apps running on any platform in a secure, isolated environment.

This PaaS is pricey, starting at approx. £800 per month plus additional cost depending on the performance SKU you need, so it is targeted at big businesses and Government agencies.

Prior to working with ASE v2 I watched the Channel 9 video "Security and Horsepower with App Service".

The highlight of this video for me was the confidence the presenter, Rob Caron, had in the security of the ILB ASE v2. It's being used for highly PCI-compliant financial environments that Microsoft have secured and locked down: "I don't care how good you are, you're not getting past."

Impenetrable?

The time came for the internal pen test. After one week no high-risk vulnerabilities were found, with testing going through an Azure App Gateway (with the WAF enabled, then disabled) and from a server connected to the same virtual network as the ILB ASE. The internal pen tester was concerned: this was the first time in his pen-testing experience that nothing had been found. I referenced the Channel 9 video.

The external pen test was performed, and again nothing was found. In fact the pen test was cut short, saving the customer development time that would have gone into fixing vulnerabilities, and additional expenditure.