
Unable to access Webapp or Kudu site hosted in ILB ASE

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Community Hub.

The Azure App Service Environment is a deployment of Azure App Service into a subnet in an Azure virtual network (VNet). There are two ways to deploy an App Service Environment (ASE):

You can read more about the ILB App Service Environment here: v2, v3.

 

When accessing a site or Kudu site hosted in an ILB ASE, you might encounter an error where the site is unreachable. Multiple factors can make the site inaccessible:

 

 

Below are troubleshooting steps:

Your machine must be able to resolve both the App Service / Function App hostname and the SCM site hostname. If the site doesn't resolve, you will see an error similar to the one below:

 

 

1. To check whether name resolution returns the correct ILB ASE IP, run the commands below from the machine you are using to connect to the site:

 

nslookup <AppName>.<ASEName>.appserviceenvironment.net

Run this command from a VM / machine that is in the virtual network or a connected network.

Resolve-DnsName <AppName>.<ASEName>.appserviceenvironment.net

PowerShell command to check name resolution.

 

The commands should return the ILB IP mapped to this domain if the DNS records are configured properly. If they do not, update the DNS configuration accordingly. You can refer to this document for DNS configuration.

 

2. Run the commands below to check connectivity to the apps in the ILB ASE:

 

curl -v https://<AppName>.<ASEName>.appserviceenvironment.net -k

Run this command from a VM / machine that is in the virtual network or a connected network. The -k option skips certificate validation, so use it only for this connectivity test.

Test-NetConnection <AppName>.<ASEName>.appserviceenvironment.net -Port 443

PowerShell command to check connectivity.

 

3. Install PsPing on the virtual machine from which you are trying to access the app service; it lets you make a TCP call to the ILB IP to check connectivity.

PsPing implements ping functionality, TCP ping, and latency and bandwidth measurement. To download the PsPing utility, click here.

psping <URL>:<Port>

     

Note: If the connectivity fails, check whether any Network Security Groups (NSGs) associated with the ASE subnet or with the virtual machine / NIC could be blocking the traffic.

 

 

 

| Source / Destination Port(s) | Direction | Source | Destination |
| --- | --- | --- | --- |
| * / 80 | Inbound | AzureLoadBalancer | App Service Environment subnet range |
| * / 80,443 | Inbound | VirtualNetwork | App Service Environment subnet range |

 

4. For testing purposes (not recommended for production workloads), you can choose to update the hosts file:

 

| ILB IP | Host File Entry | Purpose |
| --- | --- | --- |
| <ILB IP> | *.<asename>.appserviceenvironment.net | This record is used for resolving the site URL. |
| <ILB IP> | *.scm.<asename>.appserviceenvironment.net | This record is used for resolving the Kudu site URL. |
| <ILB IP> | <asename>.appserviceenvironment.net | This record is used for SSO to the Kudu/scm site. |

 

5. In the Azure Portal, go to Diagnose and Solve Problems and view the detector: Vnet Verifier.

This detector helps verify whether the NSG requirements for the ASE are being met.
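
Steps 1 and 2 above can be run as a single check that separates a DNS problem from a blocked port. This is an added example, not part of the original post; the function name Test-IlbAseAccess, its parameter names and the sample values are assumptions, and it must be run from a machine in the virtual network or a connected network.

```powershell
# Added example: combines the name-resolution and connectivity checks (steps 1 and 2).
# Test-IlbAseAccess and its parameters are hypothetical names; the values passed at
# the bottom are constructed placeholders, replace them with your own.
function Test-IlbAseAccess {
    param(
        [Parameter(Mandatory)] [string] $AppName,
        [Parameter(Mandatory)] [string] $AseName,
        [Parameter(Mandatory)] [string] $IlbIp,   # expected ILB address of the ASE
        [int] $Port = 443
    )

    # Both the app hostname and its SCM (Kudu) hostname must resolve to the ILB IP.
    $hostNames = @(
        "$AppName.$AseName.appserviceenvironment.net",
        "$AppName.scm.$AseName.appserviceenvironment.net"
    )

    foreach ($name in $hostNames) {
        # Step 1: collect the A records; an empty result means the name did not resolve.
        $addresses = @(Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'A' } |
            Select-Object -ExpandProperty IPAddress)

        $resolvesToIlb = $addresses -contains $IlbIp

        # Step 2: probe the port only when DNS points at the ILB, so a failure here
        # indicates a network block (for example an NSG) rather than a DNS problem.
        $tcpOpen = $false
        if ($resolvesToIlb) {
            $tcpOpen = (Test-NetConnection -ComputerName $name -Port $Port `
                -WarningAction SilentlyContinue).TcpTestSucceeded
        }

        [pscustomobject]@{
            HostName      = $name
            Resolved      = ($addresses -join ', ')
            ResolvesToIlb = $resolvesToIlb
            TcpPortOpen   = $tcpOpen
        }
    }
}

# Constructed sample values.
Test-IlbAseAccess -AppName 'myapp' -AseName 'myase' -IlbIp '10.0.1.11' | Format-Table -AutoSize
```

A row with ResolvesToIlb set to False points to the DNS configuration in step 1; a row with ResolvesToIlb True and TcpPortOpen False points to the NSG rules listed in step 3.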

 

 

More Information:

 

ASE v3: App Service Environment networking - Azure App Service Environment | Microsoft Learn

ASE v2: Networking considerations - Azure App Service Environment | Microsoft Learn

 

If you have any other questions, feel free to comment below!
