Azure AI Bot Service
An Azure service that provides an integrated environment for bot development.
925 questions
Recommended way to network isolate with an Azure Bot Service
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 56.00000000000001%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESL%3C/text%3E%3C/svg%3E)
Sam Lee
0
Reputation points
Hi,
We're building a teams app (nodejs) based on the bot service. We want it to be network isolated and only exposed through something like a front door, but the documentation is unclear on the best way to do this.
Here it mentions "Commencing September 1, 2023, it is strongly advised to employ the Azure Service Tag method for network isolation. The utilization of DL-ASE should be limited to highly specific scenarios. Prior to implementing this solution in a production environment, we kindly recommend consulting your support team for guidance." but it provides no guidance on how to actually implement this solution using service tags or give context on how it is supposed to work with a teams app deployed to app service.
I've also followed this guide: https://learn.microsoft.com/en-us/azure/architecture/example-scenario/teams/securing-bot-teams-channel
However, I wasn't able to get it working previously (could very well be user error on my part). It's a bit complicated and lacking in explanations and detail. The concept sounds like it could work but it isn't a realistic scenario and difficult to test.
Could someone please point me in the right direction? Is there some documentation I'm missing? Otherwise, I think adapting the concepts in the 2nd guide might be the solution, just want to see if I can get a more standardised approach before I go off and try and retrofit it to my solution.
Thanks.
Azure AI Bot Service
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 17%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPP%3C/text%3E%3C/svg%3E)
Pavankumar Purilla 6,940 Reputation points Microsoft External Staff2025-04-02T06:07:24.09+00:00 Hi Sam Lee,
DL-ASE is a premium service in Azure that provides a fully isolated and dedicated environment for securely running App Service apps, including web apps, mobile app backends, and API apps. It offers enhanced security, scalability, and performance.
The Gist for secured workspace scenario is we create private endpoints for azure resources and modify our network security group, firewall rules and DNS records in host server (custom DNS scenario) accordingly. Here is the step-by-step process.
Create a Virtual Network and Subnets:
Set up a VNet and create subnets for your bot service and other resources.
Configure Private Endpoints:
Create private endpoints for your bot service and other necessary Azure services.
Set Up Network Security Groups:
Define NSG rules to allow traffic only from authorized sources and block all other traffic.
Deploy the Direct Line App Service Extension:
Ensure the extension is co-located with your bot's app service within the VNet.
Allowlist Token Endpoints:
Use service tags to allowlist the token endpoints required for user authentication. AzureActiveDirectory or AzureFrontDoor.Backend in inbound and outbound rules of NSG
Configure Outbound HTTPS Requests:
Ensure that your bot service can make outbound HTTPS requests to Bot Framework services through the private endpoint.
For more information, please check below document URLs.
Configure network isolation - Bot Service | Microsoft Learn
Secure workspace resources using virtual networks (VNets) - Azure Machine Learning | Microsoft Learn (for architectural workflow of virtual network isolation)
Azure service tags overview | Microsoft Learn
Create, change, or delete an Azure network security group | Microsoft Learn (configuring Inbound and outbound rules)
Azure service tags overview | Microsoft Learn
I hope this information helps.
Thank you
-
Sam Lee 0 Reputation points
2025-04-03T04:21:50.9033333+00:00 Hi Pavankumar,
Is Direct Line App Service Extension the only way to network isolate the bot service? What about the 2nd guide from the Architecture Center?
-
Pavankumar Purilla 6,940 Reputation points Microsoft External Staff
2025-04-03T08:31:58.0233333+00:00 Hi Sam Lee,
A working Direct Line App Service extension bot - It is needed as part of pre-requisites. -
Pavankumar Purilla 6,940 Reputation points Microsoft External Staff
2025-04-04T01:41:56.33+00:00 Hi Sam Lee,
Did you get any chance to check the response. Thank you! -
Pavankumar Purilla 6,940 Reputation points Microsoft External Staff
2025-04-07T02:04:54.42+00:00 Hi Sam Lee,
Just following up to see if you had a chance to review the above response. Thank you! -
Sam Lee 0 Reputation points
2025-04-07T02:07:28.7866667+00:00 Yes, thank you. There's a lot of misinformation out there on this topic.
-
Pavankumar Purilla 6,940 Reputation points Microsoft External Staff
2025-04-07T13:43:43.45+00:00 Hi Sam Lee,
At this time, there is no fully standardized or simplified approach available in official documentation for achieving this using service tags alone in conjunction with Azure Front Door and Teams integration. We understand how important this is, and we are actively tracking this internally.We’ll be sure to update you as soon as we have more detailed guidance or any updated resources from the product team that better outline the recommended practices for this scenario.
Thank you!
-
Sam Lee 0 Reputation points
2025-04-09T02:19:41.5+00:00 Would it be correct to say that using DL-ASE would mean that the app service hosting the bot app wouldn't need to be exposed to the public via something like front door? Since the bot service would be integrated into our network thereby being able to call the app service private endpoint securely?
-
Pavankumar Purilla 6,940 Reputation points Microsoft External Staff
2025-04-09T16:31:38.4+00:00 Hi Sam Lee,
Using a Dedicated Logical App Service Environment (DL-ASE) allows your app service hosting the bot app to be securely integrated into your network. This setup eliminates the need to expose the app service to the public internet via services like Azure Front Door. Dedicated App Service Environment (DL-ASE) and configure private endpoints, your app can be completely network isolated and not exposed publicly. The Bot Framework can communicate with it securely via those private endpoints inside your virtual network.
Sign in to comment
Sign in to answer