Merge pull request #313113 from GitHubber17/544920-j

Freshness Pass: App Service

Author: v-regandowner

articles/app-service/environment/configure-network-settings.md

@@ -1,30 +1,48 @@
 ---
-title: Configure App Service Environment v3 network settings
-description: Configure network settings that apply to the entire Azure App Service environment. Learn how to do it with Azure Resource Manager templates.
+title: Configure App Service Environment Networking Settings
+description: Configure networking settings for an Azure App Service environment, including FTP access, private endpoint creation, and remote debugging. Use the Azure CLI, Azure Resource Manager templates, or the Azure portal.
 author: seligj95
 keywords: ASE, ASEv3, ftp, remote debug
-
-ms.topic: tutorial
+ms.topic: how-to
 ms.custom: devx-track-arm-template, devx-track-azurecli
-ms.date: 03/29/2022
+ms.date: 03/13/2026
 ms.author: jordanselig
 ms.service: azure-app-service
+#customer intent: As an App Service developer, I want to configure networking settings for my App Service environments, so I can control FTP access, private endpoint creation, and remote debugging.
 ---
 
-# Network configuration settings
+# Configure networking settings for App Service Environments
+
+App Service Environment v3 provides a fully isolated and dedicated environment for securely running App Service apps. This article describes how to configure the networking settings for an App Service Environment, including FTP access, private endpoint creation, and remote debugging. Procedures are provided to configure the settings by using the Azure CLI or an Azure Resource Manager template (ARM template), and by updating the resource directly in the Azure portal.
+
+## Prerequisites
+
+- An App Service Environment v3. To create a new environment, follow the steps in [Quickstart: Create an App Service Environment](creation.md).
+
+## Review networking settings
+
+The App Service Environment networking settings are located in a single ARM template subresource:
+
+`Microsoft.Web/hostingEnvironments/{aseName}/configurations/networking`
 
-Because App Service Environments are isolated to the individual customer, there are certain configuration settings that can be applied exclusively to App Service Environments. This article documents the various specific network customizations that are available for App Service Environment v3.
+The `networking` subresource configures three properties for the App Service Environment:
 
-If you don't have an App Service Environment, see [How to Create an App Service Environment v3](./creation.md).
+- `allowNewPrivateEndpointConnections`
+- `ftpEnabled`
+- `remoteDebugEnabled`
 
-App Service Environment network customizations are stored in a subresource of the *hostingEnvironments* Azure Resource Manager entity called networking.
+All of the properties are of type `bool` and are set to false (disabled) by default.
 
-The following abbreviated Resource Manager template snippet shows the **networking** resource:
+## Use ARM template for repeatable deployment
+
+When you configure networking settings for an App Service Environment by using an ARM template, you create a configuration that's available for repeatable deployment of the same environment or other App Service Environments.
+
+The following snippet shows an abbreviated ARM template with configurations for the networking settings:
 
 ```json
 "resources": [
 {
-    "apiVersion": "2021-03-01",
+    "apiVersion": "2023-03-01",
     "type": "Microsoft.Web/hostingEnvironments",
     "name": "[parameter('aseName')]",
     "location": ...,
@@ -50,76 +68,156 @@ The following abbreviated Resource Manager template snippet shows the **networki
 }
 ```
 
-The **networking** resource can be included in a Resource Manager template to update the App Service Environment.
+## Configure properties with the Azure CLI
 
-## Configure using Azure Resource Explorer
-Alternatively, you can update the App Service Environment by using [Azure Resource Explorer](https://resources.azure.com).  
+If you plan to use the Azure CLI to configure the networking settings, keep in mind that the `az appservice ase update` command doesn't issue a PATCH against the individual properties. Instead, the command performs a PUT-style update against the entire `networking` subresource object. If you use the `az appservice ase update` command to configure a single property, the other networking properties revert to the default setting (false, disabled).
 
-1. In Resource Explorer, go to the node for the App Service Environment (**subscriptions** > **{your Subscription}** > **resourceGroups** > **{your Resource Group}** > **providers** > **Microsoft.Web** > **hostingEnvironments** > **App Service Environment name** > **configurations** > **networking**).
-2. Select **Read/Write** in the upper toolbar to allow interactive editing in Resource Explorer.  
-3. Select the blue **Edit** button to make the Resource Manager template editable.
-4. Modify one or more of the settings ftpEnabled, remoteDebugEnabled, allowNewPrivateEndpointConnections, that you want to change.  
-5. Select the green **PUT** button that's located at the top of the right pane to commit the change to the App Service Environment.
-6. You may need to select the green **GET** button again to see the changed values.
-
-The change takes effect within a minute.
+To ensure all `networking` properties are configured as expected, specify settings for all the networking properties in a single command.
 
 ## Allow new private endpoint connections
 
-For apps hosted on both ILB and External App Service Environment, you can allow creation of private endpoints. The setting is default disabled. If private endpoint has been created while the setting was enabled, they won't be deleted and will continue to work. The setting only prevents new private endpoints from being created.
+If your app is hosted on both an Internal Load Balancer (ILB) App Service Environment and an External App Service Environment, you can allow creation of private endpoints with the `allow-new-private-endpoint-connection` setting. The ability to create new private endpoint connections is disabled by default.
 
-The following Azure CLI command will enable allowNewPrivateEndpointConnections:
+If a private endpoint is created while the `allow-new-private-endpoint-connection` setting is enabled, and you then disable the setting, the existing private endpoint continues to work. When you disable the `allow-new-private-endpoint-connection` setting, you only prevent the creation of new private endpoints.
 
-```azurecli
-ASE_NAME="[myAseName]"
-RESOURCE_GROUP_NAME="[myResourceGroup]"
-az appservice ase update --name $ASE_NAME -g $RESOURCE_GROUP_NAME --allow-new-private-endpoint-connection true
+# [Azure portal](#tab/azure-portal)
 
-az appservice ase list-addresses -n --name $ASE_NAME -g $RESOURCE_GROUP_NAME --query allowNewPrivateEndpointConnections
-```
+You can enable new private endpoint connections for the App Service Environment in the Azure portal.
 
-The setting is also available for configuration through Azure portal at the App Service Environment configuration:
+1. In the [Azure portal](https://portal.azure.com), go to your **App Service Environment** resource.
 
-:::image type="content" source="./media/configure-network-settings/configure-allow-private-endpoint.png" alt-text="Screenshot from Azure portal of how to configure your App Service Environment to allow creating new private endpoints for apps.":::
+1. In the left menu, select **Settings** > **Configuration**.
 
-## FTP access
+1. Locate the **Networking settings** group, and select the **Allow new private endpoints** checkbox.
 
-This ftpEnabled setting allows you to allow or deny FTP connections are the App Service Environment level. Individual apps will still need to configure FTP access. If you enable FTP at the App Service Environment level, you may want to [enforce FTPS](../deploy-ftp.md?tabs=cli#enforce-ftps) at the individual app level. The setting is default disabled.
+   :::image type="content" source="./media/configure-network-settings/configure-allow-private-endpoint.png" alt-text="Screenshot that shows how to allow new private endpoint connections for an App Service Environment in the Azure portal.":::
 
-If you want to enable FTP access, you can run the following Azure CLI command:
+1. Select **Apply** for your changes to take effect.
 
-```azurecli
-ASE_NAME="[myAseName]"
-RESOURCE_GROUP_NAME="[myResourceGroup]"
-az appservice ase update --name $ASE_NAME -g $RESOURCE_GROUP_NAME --allow-incoming-ftp-connections true
+# [Azure CLI](#tab/azure-cli)
 
-az appservice ase list-addresses -n --name $ASE_NAME -g $RESOURCE_GROUP_NAME --query ftpEnabled
-```
-The setting is also available for configuration through Azure portal at the App Service Environment configuration:
+Run the following Azure CLI commands to enable new private endpoint connections for an App Service Environment:
 
-:::image type="content" source="./media/configure-network-settings/configure-allow-incoming-ftp-connections.png" alt-text="Screenshot from Azure portal of how to configure your App Service Environment to allow incoming ftp connections.":::
+1. Set the `<placeholder>` command parameters to the values for your App Service Environment:
 
-In addition to enabling access, you need to ensure that you have [configured DNS if you are using ILB App Service Environment](./networking.md#dns-configuration-for-ftp-access) and that the [necessary ports](./networking.md#ports-and-network-restrictions) are unblocked.
+   ```azurecli
+   ASE_NAME="<App-Service-Environment>"
+   RESOURCE_GROUP_NAME="<Resource-Group>"
+   ```
 
-## Remote debugging access
+1. Enable FTP access for the App Service Environment by using the `--allow-incoming-ftp-connections` parameter:
 
-Remote debugging is default disabled at the App Service Environment level. You can enable network level access for all apps using this configuration. You'll still have to [configure remote debugging](../configure-common.md?tabs=cli#configure-general-settings) at the individual app level.
+   ```azurecli
+   az appservice ase update --name $ASE_NAME -g $RESOURCE_GROUP_NAME --allow-new-private-endpoint-connection true
+   ```
 
-Run the following Azure CLI command to enable remote debugging access:
+1. List IP addresses for the App Service Environment that allow creation of new private endpoint connections:
 
-```azurecli
-ASE_NAME="[myAseName]"
-RESOURCE_GROUP_NAME="[myResourceGroup]"
-az appservice ase update --name $ASE_NAME -g $RESOURCE_GROUP_NAME --allow-remote-debugging true
+   ```azurecli
+   az appservice ase list-addresses --name $ASE_NAME -g $RESOURCE_GROUP_NAME --query allowNewPrivateEndpointConnections
+   ```
 
-az appservice ase list-addresses -n --name $ASE_NAME -g $RESOURCE_GROUP_NAME --query remoteDebugEnabled
-```
+---
+
+## Allow incoming FTP connections
+
+Use the `ftpEnabled` setting to allow or deny FTP connections for an App Service Environment. FTP access is disabled by default.
+
+You still need to configure FTP access for each individual app. If you enable FTP at the App Service Environment level, you might want to [enforce FTPS](../deploy-ftp.md?tabs=cli#enforce-ftps) at the individual app level. 
+
+# [Azure portal](#tab/azure-portal)
+
+You can configure FTP access for the App Service Environment in the Azure portal.
+
+1. In the [Azure portal](https://portal.azure.com), go to your **App Service Environment** resource.
+
+1. In the left menu, select **Settings** > **Configuration**.
+
+1. Locate the **Networking settings** group, and select the **Allow incoming FTP connections** checkbox.
+
+   :::image type="content" source="./media/configure-network-settings/configure-allow-incoming-ftp-connections.png" alt-text="Screenshot that shows how to enable FTP access for an App Service Environment in the Azure portal.":::
+
+1. Select **Apply** for your changes to take effect.
+
+# [Azure CLI](#tab/azure-cli)
+
+Run the following Azure CLI commands to enable FTP access for an App Service Environment:
+
+1. Set the `<placeholder>` command parameters to the values for your App Service Environment:
+
+   ```azurecli
+   ASE_NAME="<App-Service-Environment>"
+   RESOURCE_GROUP_NAME="<Resource-Group>"
+   ```
 
-The setting is also available for configuration through Azure portal at the App Service Environment configuration:
+1. Enable FTP access for the App Service Environment by using the `--allow-incoming-ftp-connections` parameter:
 
-:::image type="content" source="./media/configure-network-settings/configure-allow-remote-debugging.png" alt-text="Screenshot from Azure portal of how to configure your App Service Environment to allow remote debugging.":::
+   ```azurecli
+   az appservice ase update --name $ASE_NAME -g $RESOURCE_GROUP_NAME --allow-incoming-ftp-connections true
+   ```
+
+1. List IP addresses for the App Service Environment that allow incoming FTP connections:
+
+   ```azurecli
+   az appservice ase list-addresses --name $ASE_NAME -g $RESOURCE_GROUP_NAME --query ftpEnabled
+   ```
+
+---
+
+### Configure DNS and unblock ports
+
+When you enable FTP access for an App Service Environment, prepare your configuration to receive FTP connections:
+
+- If you're using an ILB App Service Environment, verify your [DNS configuration for FTP access](./networking.md#dns-configuration-for-ftp-access).
+
+- Unblock the [necessary ports](./networking.md#ports-and-network-restrictions) and address any restrictions.
+
+## Enable remote debugging
+
+Use the `remoteDebugEnabled` setting to allow or deny incoming FTP connections for an App Service Environment. Remote debugging is disabled by default. 
+
+You can enable network-level access for all apps associated with the App Service Environment. However, you still need to [configure remote debugging](../configure-common.md?tabs=cli#configure-general-settings) for each individual app.
+
+# [Azure portal](#tab/azure-portal)
+
+You can configure remote debugging for the App Service Environment in the Azure portal.
+
+1. In the [Azure portal](https://portal.azure.com), go to your **App Service Environment** resource.
+
+1. In the left menu, select **Settings** > **Configuration**.
+
+1. Locate the **Networking settings** group, and select the **Allow remote debugging** checkbox.
+
+   :::image type="content" source="./media/configure-network-settings/configure-allow-remote-debugging.png" alt-text="Screenshot that shows how to enable remote debugging for an App Service Environment in the Azure portal.":::
+
+1. Select **Apply** for your changes to take effect.
+
+# [Azure CLI](#tab/azure-cli)
+
+Run the following Azure CLI commands to enable remote debugging access for an App Service Environment:
+
+1. Set the `<placeholder>` command parameters to the values for your App Service Environment:
+
+   ```azurecli
+   ASE_NAME="<App-Service-Environment>"
+   RESOURCE_GROUP_NAME="<Resource-Group>"
+   ```
+
+1. Enable remote debugging for the App Service Environment by using the `--allow-remote-debugging` parameter:
+
+   ```azurecli
+   az appservice ase update --name $ASE_NAME -g $RESOURCE_GROUP_NAME --allow-remote-debugging true
+   ```
+
+1. List IP addresses for the App Service Environment that allow remote debugging:
+
+   ```azurecli
+   az appservice ase list-addresses --name $ASE_NAME -g $RESOURCE_GROUP_NAME --query remoteDebugEnabled
+   ```
+
+---
 
-## Next steps
+## Related content
 
-> [!div class="nextstepaction"]
-> [Deploy your app to Azure App Service using FTP](../deploy-ftp.md)
+- [Deploy your app to Azure App Service by using FTP or FTPS](../deploy-ftp.md)
+- ['az appservice ase update' command reference](/cli/azure/appservice/ase)

articles/app-service/environment/how-to-create-from-template.md

@@ -84,8 +84,8 @@ The following table describes the core properties and other options you can use
 | `upgradePreference` | No | Specify your preference for automatic upgrades. There are four possible values:<br> - `None`: (Default) Upgrade automatically during the upgrade process for the region.<br> - `Early`: Upgrade automatically with a high prioritization compared with other resources in the region.<br> - `Late`: Upgrade automatically with a low prioritization compared with other resources in the region.<br> - `Manual`: Receive a notification when an upgrade is available, and start the process within 15 days. After 15 days, the upgrade occurs with other automatic upgrades in the region.<br> For more information, see [Upgrade preference for App Service Environment planned maintenance](how-to-upgrade-preference.md). |
 | `clusterSettings` | No | Customize the behavior of the App Service Environment. For more information, see [Custom configuration settings for App Service Environments](app-service-app-service-environment-custom-settings.md). |
 | `networkingConfiguration` -> `allowNewPrivateEndpointConnections` | No | Specify whether to allow creation of a new private endpoint connection for an ILB App Service Environment or External App Service Environment. By default, the option is disabled. For more information, see [Network configuration settings > Allow new private endpoint connections](configure-network-settings.md#allow-new-private-endpoint-connections). |
-| `networkingConfiguration` -> `remoteDebugEnabled` | No | Specify whether to enable remote debugging for the App Service Environment. By default, the option is disabled. For more information, see [Network configuration settings > Remote debugging access](configure-network-settings.md#remote-debugging-access). |
-| `networkingConfiguration` -> `ftpEnabled` | No | Specify whether to allow FTP connections to the App Service Environment. By default, the option is disabled. For more information, see [Network configuration settings > FTP access](configure-network-settings.md#ftp-access). |
+| `networkingConfiguration` -> `remoteDebugEnabled` | No | Specify whether to enable remote debugging for the App Service Environment. By default, the option is disabled. For more information, see [Configure networking settings > Enable remote debugging](configure-network-settings.md#enable-remote-debugging). |
+| `networkingConfiguration` -> `ftpEnabled` | No | Specify whether to allow FTP connections to the App Service Environment. By default, the option is disabled. For more information, see [Configure networking settings > Allow incoming FTP connections](configure-network-settings.md#allow-incoming-ftp-connections). |
 | `networkingConfiguration` -> `inboundIpAddressOverride` |  No | Use this setting to create an App Service Environment with your own Azure Public IP address (specify the resource ID) or define a static IP for ILB deployments. This setting can't be changed after the App Service Environment is created. |
 | `customDnsSuffixConfiguration` | No | Use this setting to specify a custom domain suffix for the App Service Environment. For more information about the specific parameters, see [Custom domain suffix for App Service Environments](how-to-custom-domain-suffix.md).<br> **Important**: To set this option, you must have an existing key vault, a valid certificate secret from Azure Key Vault, and access with a managed identity for Azure resources through Microsoft Entra ID. |
 

articles/app-service/environment/media/configure-network-settings/configure-allow-incoming-ftp-connections.png

@@ -228,7 +228,7 @@ For FTP access to Internal Load balancer (ILB) App Service Environment v3 specif
 1. Create an Azure DNS private zone named `ftp.appserviceenvironment.net`.
 1. Create an A record in that zone that points `<App Service Environment-name>` to the inbound IP address.
 
-In addition to setting up DNS, you also need to enable it in the [App Service Environment configuration](./configure-network-settings.md#ftp-access) and at the [app level](../deploy-ftp.md?tabs=cli#enforce-ftps).
+In addition to setting up DNS, you also need to enable it in the [App Service Environment - Configure networking settings](./configure-network-settings.md#allow-incoming-ftp-connections) and at the [app level](../deploy-ftp.md?tabs=cli#enforce-ftps).
 
 ### DNS configuration from your App Service Environment