Use Direct Line App Service extension within a virtual network

Commencing September 1, 2023, it is strongly advised to employ the Azure Service Tag method for network isolation. The utilization of DL-ASE should be limited to highly specific scenarios. Prior to implementing this solution in a production environment, we kindly recommend consulting your support team for guidance.

APPLIES TO: SDK v4

This article describes how to use the Direct Line App Service extension with an Azure Virtual Network (VNET).

Create an App Service Environment and other Azure resources

  1. The Direct Line App Service extension is available on all Azure App Services, including those hosted within an Azure App Service Environment. An Azure App Service Environment provides isolation and is ideal for working within a VNET.
  2. After you create your App Service Environment, add an App Service Plan inside of it where you can deploy your bots (and thus run Direct Line App Service extension). To do this:
    • Go to the Azure portal.
    • Create a new "App Service Plan" resource.
    • Under Region, select your App Service Environment
    • Finish creating your App Service Plan

Configure the VNET Network Security Groups (NSG)

  1. Direct Line App Service extension requires an outbound connection so that it can issue HTTP requests. This can be configured as an outbound rule in your VNET NSG that is associated with the App Service Environment's subnet. The rule that required is as follows:

    Field Value
    Source Any
    Source Port *
    Destination Service Tag
    Destination Service Tag AzureBotService
    Destination port ranges 443
    Protocol Any
    Action Allow
  2. If your bot uses OAuth for user sign in to Microsoft Entra ID, add a second outbound rule that's associated with https://login.partner.microsoftonline.cn/botframework.com:

    Field Value
    Source Any
    Source Port *
    Destination Service Tag
    Destination Service Tag AzureActiveDirectory
    Destination port ranges 443
    Protocol Any
    Action Allow