MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

App Service vs App Service Environment #30821

Open mapoitras opened 5 years ago

mapoitras commented 5 years ago

In the initial diagram above you show a regular App Service; however, in the detailed architecture you discuss an App Service Environment. Is an App Service Environment required for PCI compliance? What is the difference between regular App Service and App Service Environments from a compliance perspective? Trying to determine if we require an ASE or if a regular App Service is good enough. Documentation is not clear on differences from a compliance perspective.



SaurabhSharma-MSFT commented 5 years ago

@mapoitras Thanks for your feedback! We will investigate and update as appropriate.

Meladie commented 5 years ago

Hello @mapoitras, I think people are just shortening App Service Environment to App Services. This service allows you to isolate your vnet. I would recommend looking at this article: https://docs.microsoft.com/en-us/azure/app-service/environment/intro and watching this video from Ignite: https://azure.microsoft.com/en-us/resources/videos/ignite-2018-what-is-new-in-azure-app-service-networking/

mapoitras commented 5 years ago

Hi! Thanks for the quick response. The App Service Environment is considerably more expensive and complicated to set up. My client needs to know the differences between the two environments from a compliance perspective. Are regular App Services ISO, PCI, FedRAMP compliant, or is it only the App Service Environments that are compliant? The documentation is really not clear. It would be useful to see which controls are manageable in regular App Services vs App Service Environments.

Marc-Andre

Meladie commented 5 years ago

Hi Marc-Andre, first let me better and more specifically answer the questions you have that I can answer.

  1. If you go to the first link I provided above, there is a Channel 9 video about halfway down the page, and if you go to 1:50 seconds the Product Owner of App Services provides a slide and walks through the differences in detail. So that will tell you the difference between the App Service, ASE and Azure Stack.
  2. We do not have specific controls mappings between regular App Service vs App Service Environments in this current Blueprint. We are working on a refresh of the Blueprint and associated documentation. I'm happy to reach out to you when the refresh moves to Public Preview to let you know it is available.

Thank you for your feedback.

mapoitras commented 5 years ago

Hi! Yes. I understand the technical difference between the different solutions. What I'm trying to understand is do I need to deploy an App Service Environment to have ISO, PCI, NIST or FedRAMP compliance, or are regular App Service environments compliant with these certifications as well. Or maybe it's App Service Environment for PCI 3.2 but regular App Service for PCI 3.1. Or regular App Services are compliant with FedRAMP but not with PCI. That's what I'm trying to figure out. It's quite clear for most Azure services, but for App Service it is not clear at all how these certifications apply to regular App Services vs App Service Environments.

Meladie commented 5 years ago

Have you looked at the Customer Implementation Matrix for PCI here: https://servicetrust.microsoft.com/ViewPage/PCIBlueprintv3 The services used to meet the requirements are listed there. Most of ASE is about isolating the network.

Also the official PCI site should be able to tell you the differences between 3.1 and 3.2 in the Change History.

BenMitchell1979 commented 5 years ago

Biggest reason to go with ASEv2 vs App Services with vNet integrations is that we need to white-list our outbound IP. You require the ASE to do that since normal App Services can come from a large pool of changing PIPs inside MS Datacenter.

kevinneumann commented 5 years ago

@mapoitras - Did you guys ever figure this out? I am having the same questions as I plan our architecture. There is a huge price jump from Web Apps to App Service Environment and I don't feel like we would gain a lot from the extra features of ASE for our use case.

Tirmisee commented 5 years ago

Can I use Azure Service Fabric or AKS instead of ASE?

gcakiroglu commented 4 years ago

I think it is clear that a PCI compliant architecture can be built with ASEs.

However, it is not clear if a similar compliance level can be achieved with other App Service tiers. It would be great to see a PCI compliant reference architecture built with Azure App Service Premium Tier (if possible).

If using ASEs is the only option then I think this should also be clearly stated.