Merge branch 'main' into release-aio-2603

Author: v-alje

articles/app-service/configure-ssl-certificate-in-code.md

@@ -17,7 +17,7 @@ ms.custom:
 
 [!INCLUDE [app-service-managed-certificate](./includes/managed-certs/managed-certs-note.md)]
 
-In your application code, you can access both [public key certificates and certificates that contain a private key that you add to Azure App Service.](configure-ssl-certificate.md). Your app code might act as a client and access an external service that requires certificate authentication. It might also need to perform cryptographic tasks. This article shows how to use public or private certificates in your application code.
+In your application code, you can access both [public key certificates and certificates that contain a private key that you add to Azure App Service.](configure-ssl-certificate.md). Your app code might act as a client and access an external service that requires certificate authentication. It might also need to perform cryptographic tasks. This article shows how to use publicly or privately signed certificates in your application code.
 
 This approach to using certificates in your code makes use of the Transport Layer Security (TLS) functionality in App Service, which requires your app to be in the Basic tier or higher. If your app is in the Free or Shared tier, you can [include the certificate file in your app repository](#load-a-certificate-from-a-file).
 
@@ -111,7 +111,7 @@ For languages that don't support or offer insufficient support for the Windows c
 
 ## Load a certificate from a file
 
-If you need to load a certificate file that you upload manually, it's better to upload the certificate by using [File Transfer Protocol Secure (FTPS)](deploy-ftp.md) instead of [Git](deploy-local-git.md), for example. Keep sensitive data like a private certificate out of source control.
+If you need to load a certificate file that you upload manually, it's better to upload the certificate by using [File Transfer Protocol Secure (FTPS)](deploy-ftp.md) instead of [Git](deploy-local-git.md), for example. Keep sensitive data like certificate private keys out of source control.
 
 ASP.NET and ASP.NET Core on Windows must access the certificate store even if you load a certificate from a file. To load a certificate file in a Windows .NET app, load the current user profile with the following command in <a target="_blank" href="https://shell.azure.com" >Cloud Shell</a>:
 
@@ -140,7 +140,7 @@ To see how to load a TLS/SSL certificate from a file in Node.js, PHP, Python, or
 
 The `WEBSITE_LOAD_CERTIFICATES` app setting makes the specified certificates accessible to your Windows or Linux custom containers (including built-in Linux containers) as files. The files are found under the following directories:
 
-| Container platform | Public certificates | Private certificates |
+| Container platform | Public certificate files (no private key) | Certificate files that include a private key |
 | - | - | - |
 | Windows container | `C:\appservice\certificates\public` | `C:\appservice\certificates\private` |
 | Linux container | `/var/ssl/certs` | `/var/ssl/private` |

articles/app-service/environment/app-service-app-service-environment-geo-distributed-scale.md

@@ -1,30 +1,48 @@
 ---
-title: Configure App Service Environment v3 network settings
-description: Configure network settings that apply to the entire Azure App Service environment. Learn how to do it with Azure Resource Manager templates.
+title: Configure App Service Environment Networking Settings
+description: Configure networking settings for an Azure App Service environment, including FTP access, private endpoint creation, and remote debugging. Use the Azure CLI, Azure Resource Manager templates, or the Azure portal.
 author: seligj95
 keywords: ASE, ASEv3, ftp, remote debug
-
-ms.topic: tutorial
+ms.topic: how-to
 ms.custom: devx-track-arm-template, devx-track-azurecli
-ms.date: 03/29/2022
+ms.date: 03/13/2026
 ms.author: jordanselig
 ms.service: azure-app-service
+#customer intent: As an App Service developer, I want to configure networking settings for my App Service environments, so I can control FTP access, private endpoint creation, and remote debugging.
 ---
 
-# Network configuration settings
+# Configure networking settings for App Service Environments
+
+App Service Environment v3 provides a fully isolated and dedicated environment for securely running App Service apps. This article describes how to configure the networking settings for an App Service Environment, including FTP access, private endpoint creation, and remote debugging. Procedures are provided to configure the settings by using the Azure CLI or an Azure Resource Manager template (ARM template), and by updating the resource directly in the Azure portal.
+
+## Prerequisites
+
+- An App Service Environment v3. To create a new environment, follow the steps in [Quickstart: Create an App Service Environment](creation.md).
+
+## Review networking settings
+
+The App Service Environment networking settings are located in a single ARM template subresource:
+
+`Microsoft.Web/hostingEnvironments/{aseName}/configurations/networking`
 
-Because App Service Environments are isolated to the individual customer, there are certain configuration settings that can be applied exclusively to App Service Environments. This article documents the various specific network customizations that are available for App Service Environment v3.
+The `networking` subresource configures three properties for the App Service Environment:
 
-If you don't have an App Service Environment, see [How to Create an App Service Environment v3](./creation.md).
+- `allowNewPrivateEndpointConnections`
+- `ftpEnabled`
+- `remoteDebugEnabled`
 
-App Service Environment network customizations are stored in a subresource of the *hostingEnvironments* Azure Resource Manager entity called networking.
+All of the properties are of type `bool` and are set to false (disabled) by default.
 
-The following abbreviated Resource Manager template snippet shows the **networking** resource:
+## Use ARM template for repeatable deployment
+
+When you configure networking settings for an App Service Environment by using an ARM template, you create a configuration that's available for repeatable deployment of the same environment or other App Service Environments.
+
+The following snippet shows an abbreviated ARM template with configurations for the networking settings:
 
 ```json
 "resources": [
 {
-    "apiVersion": "2021-03-01",
+    "apiVersion": "2023-03-01",
     "type": "Microsoft.Web/hostingEnvironments",
     "name": "[parameter('aseName')]",
     "location": ...,
@@ -50,76 +68,156 @@ The following abbreviated Resource Manager template snippet shows the **networki
 }
 ```
 
-The **networking** resource can be included in a Resource Manager template to update the App Service Environment.
+## Configure properties with the Azure CLI
 
-## Configure using Azure Resource Explorer
-Alternatively, you can update the App Service Environment by using [Azure Resource Explorer](https://resources.azure.com).  
+If you plan to use the Azure CLI to configure the networking settings, keep in mind that the `az appservice ase update` command doesn't issue a PATCH against the individual properties. Instead, the command performs a PUT-style update against the entire `networking` subresource object. If you use the `az appservice ase update` command to configure a single property, the other networking properties revert to the default setting (false, disabled).
 
-1. In Resource Explorer, go to the node for the App Service Environment (**subscriptions** > **{your Subscription}** > **resourceGroups** > **{your Resource Group}** > **providers** > **Microsoft.Web** > **hostingEnvironments** > **App Service Environment name** > **configurations** > **networking**).
-2. Select **Read/Write** in the upper toolbar to allow interactive editing in Resource Explorer.  
-3. Select the blue **Edit** button to make the Resource Manager template editable.
-4. Modify one or more of the settings ftpEnabled, remoteDebugEnabled, allowNewPrivateEndpointConnections, that you want to change.  
-5. Select the green **PUT** button that's located at the top of the right pane to commit the change to the App Service Environment.
-6. You may need to select the green **GET** button again to see the changed values.
-
-The change takes effect within a minute.
+To ensure all `networking` properties are configured as expected, specify settings for all the networking properties in a single command.
 
 ## Allow new private endpoint connections
 
-For apps hosted on both ILB and External App Service Environment, you can allow creation of private endpoints. The setting is default disabled. If private endpoint has been created while the setting was enabled, they won't be deleted and will continue to work. The setting only prevents new private endpoints from being created.
+If your app is hosted on both an Internal Load Balancer (ILB) App Service Environment and an External App Service Environment, you can allow creation of private endpoints with the `allow-new-private-endpoint-connection` setting. The ability to create new private endpoint connections is disabled by default.
 
-The following Azure CLI command will enable allowNewPrivateEndpointConnections:
+If a private endpoint is created while the `allow-new-private-endpoint-connection` setting is enabled, and you then disable the setting, the existing private endpoint continues to work. When you disable the `allow-new-private-endpoint-connection` setting, you only prevent the creation of new private endpoints.
 
-```azurecli
-ASE_NAME="[myAseName]"
-RESOURCE_GROUP_NAME="[myResourceGroup]"
-az appservice ase update --name $ASE_NAME -g $RESOURCE_GROUP_NAME --allow-new-private-endpoint-connection true
+# [Azure portal](#tab/azure-portal)
 
-az appservice ase list-addresses -n --name $ASE_NAME -g $RESOURCE_GROUP_NAME --query allowNewPrivateEndpointConnections
-```
+You can enable new private endpoint connections for the App Service Environment in the Azure portal.
 
-The setting is also available for configuration through Azure portal at the App Service Environment configuration:
+1. In the [Azure portal](https://portal.azure.com), go to your **App Service Environment** resource.
 
-:::image type="content" source="./media/configure-network-settings/configure-allow-private-endpoint.png" alt-text="Screenshot from Azure portal of how to configure your App Service Environment to allow creating new private endpoints for apps.":::
+1. In the left menu, select **Settings** > **Configuration**.
 
-## FTP access
+1. Locate the **Networking settings** group, and select the **Allow new private endpoints** checkbox.
 
-This ftpEnabled setting allows you to allow or deny FTP connections are the App Service Environment level. Individual apps will still need to configure FTP access. If you enable FTP at the App Service Environment level, you may want to [enforce FTPS](../deploy-ftp.md?tabs=cli#enforce-ftps) at the individual app level. The setting is default disabled.
+   :::image type="content" source="./media/configure-network-settings/configure-allow-private-endpoint.png" alt-text="Screenshot that shows how to allow new private endpoint connections for an App Service Environment in the Azure portal.":::
 
-If you want to enable FTP access, you can run the following Azure CLI command:
+1. Select **Apply** for your changes to take effect.
 
-```azurecli
-ASE_NAME="[myAseName]"
-RESOURCE_GROUP_NAME="[myResourceGroup]"
-az appservice ase update --name $ASE_NAME -g $RESOURCE_GROUP_NAME --allow-incoming-ftp-connections true
+# [Azure CLI](#tab/azure-cli)
 
-az appservice ase list-addresses -n --name $ASE_NAME -g $RESOURCE_GROUP_NAME --query ftpEnabled
-```
-The setting is also available for configuration through Azure portal at the App Service Environment configuration:
+Run the following Azure CLI commands to enable new private endpoint connections for an App Service Environment:
 
-:::image type="content" source="./media/configure-network-settings/configure-allow-incoming-ftp-connections.png" alt-text="Screenshot from Azure portal of how to configure your App Service Environment to allow incoming ftp connections.":::
+1. Set the `<placeholder>` command parameters to the values for your App Service Environment:
 
-In addition to enabling access, you need to ensure that you have [configured DNS if you are using ILB App Service Environment](./networking.md#dns-configuration-for-ftp-access) and that the [necessary ports](./networking.md#ports-and-network-restrictions) are unblocked.
+   ```azurecli
+   ASE_NAME="<App-Service-Environment>"
+   RESOURCE_GROUP_NAME="<Resource-Group>"
+   ```
 
-## Remote debugging access
+1. Enable FTP access for the App Service Environment by using the `--allow-incoming-ftp-connections` parameter:
 
-Remote debugging is default disabled at the App Service Environment level. You can enable network level access for all apps using this configuration. You'll still have to [configure remote debugging](../configure-common.md?tabs=cli#configure-general-settings) at the individual app level.
+   ```azurecli
+   az appservice ase update --name $ASE_NAME -g $RESOURCE_GROUP_NAME --allow-new-private-endpoint-connection true
+   ```
 
-Run the following Azure CLI command to enable remote debugging access:
+1. List IP addresses for the App Service Environment that allow creation of new private endpoint connections:
 
-```azurecli
-ASE_NAME="[myAseName]"
-RESOURCE_GROUP_NAME="[myResourceGroup]"
-az appservice ase update --name $ASE_NAME -g $RESOURCE_GROUP_NAME --allow-remote-debugging true
+   ```azurecli
+   az appservice ase list-addresses --name $ASE_NAME -g $RESOURCE_GROUP_NAME --query allowNewPrivateEndpointConnections
+   ```
 
-az appservice ase list-addresses -n --name $ASE_NAME -g $RESOURCE_GROUP_NAME --query remoteDebugEnabled
-```
+---
+
+## Allow incoming FTP connections
+
+Use the `ftpEnabled` setting to allow or deny FTP connections for an App Service Environment. FTP access is disabled by default.
+
+You still need to configure FTP access for each individual app. If you enable FTP at the App Service Environment level, you might want to [enforce FTPS](../deploy-ftp.md?tabs=cli#enforce-ftps) at the individual app level. 
+
+# [Azure portal](#tab/azure-portal)
+
+You can configure FTP access for the App Service Environment in the Azure portal.
+
+1. In the [Azure portal](https://portal.azure.com), go to your **App Service Environment** resource.
+
+1. In the left menu, select **Settings** > **Configuration**.
+
+1. Locate the **Networking settings** group, and select the **Allow incoming FTP connections** checkbox.
+
+   :::image type="content" source="./media/configure-network-settings/configure-allow-incoming-ftp-connections.png" alt-text="Screenshot that shows how to enable FTP access for an App Service Environment in the Azure portal.":::
+
+1. Select **Apply** for your changes to take effect.
+
+# [Azure CLI](#tab/azure-cli)
+
+Run the following Azure CLI commands to enable FTP access for an App Service Environment:
+
+1. Set the `<placeholder>` command parameters to the values for your App Service Environment:
+
+   ```azurecli
+   ASE_NAME="<App-Service-Environment>"
+   RESOURCE_GROUP_NAME="<Resource-Group>"
+   ```
 
-The setting is also available for configuration through Azure portal at the App Service Environment configuration:
+1. Enable FTP access for the App Service Environment by using the `--allow-incoming-ftp-connections` parameter:
 
-:::image type="content" source="./media/configure-network-settings/configure-allow-remote-debugging.png" alt-text="Screenshot from Azure portal of how to configure your App Service Environment to allow remote debugging.":::
+   ```azurecli
+   az appservice ase update --name $ASE_NAME -g $RESOURCE_GROUP_NAME --allow-incoming-ftp-connections true
+   ```
+
+1. List IP addresses for the App Service Environment that allow incoming FTP connections:
+
+   ```azurecli
+   az appservice ase list-addresses --name $ASE_NAME -g $RESOURCE_GROUP_NAME --query ftpEnabled
+   ```
+
+---
+
+### Configure DNS and unblock ports
+
+When you enable FTP access for an App Service Environment, prepare your configuration to receive FTP connections:
+
+- If you're using an ILB App Service Environment, verify your [DNS configuration for FTP access](./networking.md#dns-configuration-for-ftp-access).
+
+- Unblock the [necessary ports](./networking.md#ports-and-network-restrictions) and address any restrictions.
+
+## Enable remote debugging
+
+Use the `remoteDebugEnabled` setting to allow or deny incoming FTP connections for an App Service Environment. Remote debugging is disabled by default. 
+
+You can enable network-level access for all apps associated with the App Service Environment. However, you still need to [configure remote debugging](../configure-common.md?tabs=cli#configure-general-settings) for each individual app.
+
+# [Azure portal](#tab/azure-portal)
+
+You can configure remote debugging for the App Service Environment in the Azure portal.
+
+1. In the [Azure portal](https://portal.azure.com), go to your **App Service Environment** resource.
+
+1. In the left menu, select **Settings** > **Configuration**.
+
+1. Locate the **Networking settings** group, and select the **Allow remote debugging** checkbox.
+
+   :::image type="content" source="./media/configure-network-settings/configure-allow-remote-debugging.png" alt-text="Screenshot that shows how to enable remote debugging for an App Service Environment in the Azure portal.":::
+
+1. Select **Apply** for your changes to take effect.
+
+# [Azure CLI](#tab/azure-cli)
+
+Run the following Azure CLI commands to enable remote debugging access for an App Service Environment:
+
+1. Set the `<placeholder>` command parameters to the values for your App Service Environment:
+
+   ```azurecli
+   ASE_NAME="<App-Service-Environment>"
+   RESOURCE_GROUP_NAME="<Resource-Group>"
+   ```
+
+1. Enable remote debugging for the App Service Environment by using the `--allow-remote-debugging` parameter:
+
+   ```azurecli
+   az appservice ase update --name $ASE_NAME -g $RESOURCE_GROUP_NAME --allow-remote-debugging true
+   ```
+
+1. List IP addresses for the App Service Environment that allow remote debugging:
+
+   ```azurecli
+   az appservice ase list-addresses --name $ASE_NAME -g $RESOURCE_GROUP_NAME --query remoteDebugEnabled
+   ```
+
+---
 
-## Next steps
+## Related content
 
-> [!div class="nextstepaction"]
-> [Deploy your app to Azure App Service using FTP](../deploy-ftp.md)
+- [Deploy your app to Azure App Service by using FTP or FTPS](../deploy-ftp.md)
+- ['az appservice ase update' command reference](/cli/azure/appservice/ase)