No guidance for how to deal with Azure PaaS management traffic

[Phydeauxman]

When an App Service Environment (ASE) is provisioned, regardless if it is an external or internal variety it gets a Public IP. This Public IP is used by the ASE to communicate with the Azure management plane in order to function properly. Without connectivity to the management plane, you can't even deploy an ASE. There needs to be guidance in this document about this traffic and how to incorporate it into an architecture that maintains TIC compliance. Treating this traffic as any other Internet bound traffic will force the traffic to come from the cloud, to on-prem (via VPN or ER), out the TIC and back out to the cloud.

---

Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

• ID: 39ac9071-91dd-9bf1-b5c0-5da2f01340df
• Version Independent ID: e3aa0a01-2a1e-d91c-e8c9-85d3a1fd132e
• Content: Trusted Internet Connections guidance for Azure
• Content Source: articles/security/compliance/compliance-tic.md
• Service: security
• GitHub Login: @dlapiduz
• Microsoft Alias: dlap

[MarileeTurscak-MSFT]

@Phydeauxman Thanks for your feedback! We will investigate and update as appropriate.

[SaurabhSharma-MSFT]

@Phydeauxman Thanks for the feedback ! I have assigned this issue to content author to investigate and update the document as appropriate.