App Service Overview

You will need to be familiar with App Service if you are taking the AZ-204 Azure Developer Associate certification exam.

These are some of the exam preparation notes I have taken for App Service.

You can check out my other exam preparation notes for other Azure services covered on the AZ-204 exam here.

Describe Azure App Service key components and value

What is App Service?

  • Azure App Service is used for hosting applications that use the HTTP protocol e.g. web applications, REST APIs and mobile back ends
  • App Service supports popular programming languages and container images
  • App Service offers Windows and Linux environments to run your applications
  • App Service supports auto scaling
    • Scale up / down support which scales a single instance
    • Scale out / in support which scales across multiple instances
  • App Service supports Continuous Integration / Deployment
  • App Service supports Deployment Slots

What are the components of App Service?

App Service is made up of an App Service Plan and a Web App

Web App

  • A Web App requires an App Service Plan and one or more Web Apps can run within an App Service Plan and share those compute resources
  • Deploy code as a Web App
  • Deploy a container image as a Web App

App Service Plan

  • App Service Plan defines the compute resources
    • Operating System (Windows, Linux)
    • Region (West US, East US, etc.)
    • Number of VM instances
    • Size of VM instances (Small, Medium, Large)
    • Pricing tier (Free, Shared, Basic, Standard, Premium, PremiumV2, PremiumV3, Isolated, IsolatedV2)

App Service Plan Pricing Tier

  • App Service Plan Pricing Tier
    • Pricing tier determines the App Service Features available to the Web Apps on that App Service Plan
    • Pricing tier also determines how much you pay for that plan
    • Pricing Tiers are grouped into Shared Compute, Dedicated Compute and Isolated Compute
      • Shared Compute
        • Includes Free and Shared Pricing Tiers
        • Your Web App will run on the same Azure VM as other Web Apps including Web Apps from other customers
        • CPU quotas are allocated to each Web App running on the App Service Plan
        • Resources can’t scale out
      • Dedicated Compute
        • Includes Basic, Standard, Premium, PremiumV2, and PremiumV3 Pricing Tiers
        • Your Web App will run on dedicated Azure VMs, only Web Apps in the same App Service plan share the same compute resources
        • Resources can scale out, the higher your tier the more you can scale out
      • Isolated Compute
        • Includes Isolated and IsolatedV2 Pricing Tiers
        • Runs on dedicated Azure VMs on dedicated Azure Virtual Networks
        • Provides Network and Compute isolation
        • Provides the maximum scale out capability

App Service Plan Auto Scaling

  • App Service Plan Auto Scaling for Dedicated and Isolated Compute
    • When one or more Apps are placed in an App Service Plan
      • Each App runs across all VM instances in the Plan
      • Each Deployment Slot for each App runs across all the VM instances in the Plan
      • Diagnostic logs, backups, and WebJobs consume the CPU cycles / memory from these VM instances
    • When the App Service Plan is scaled, all of the Apps within the same App Service Plan scale out together

Explain how Azure App Service manages authentication and authorization

  • Azure App Service provides out of the box authentication and authorization capabilities
  • Add user sign-in with minimal or no code and no additional SDKs
  • Supports federated identity providers including Microsoft Entra ID, Facebook, Google, X, GitHub, Apple, OpenID Connect Providers
  • Authentication and Authorization module
    • Runs in the same sandbox as your application code (or for Linux / containers it runs in a separate container isolated from your application code)
    • When it’s enabled, every incoming HTTP request passes through it before being handled by your application code
    • What it does
      • Authenticates users and clients with the specified identity provider(s)
      • Validates, stores, and refreshes OAuth tokens issued by the configured identity provider(s)
      • Manages the authenticated session
      • Injects identity information into HTTP request headers
  • App Service authentication settings
    • Restrict access: Require authentication or Allow unauthenticated access
    • HTTP Response Codes for Unauthenticated requests:
      • HTTP 303 Found redirect
      • HTTP 401 Unauthorized
      • HTTP 403 Forbidden
      • HTTP 404 Not found
  • Token store
    • A token store is created that contains tokens that are linked to users of your App Service
  • Logging and tracing
    • If application logging is enabled, authentication and authorization traces are collected in logs
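
The header injection step listed above, seen from the application side: an added example (not from the original notes or from Microsoft) that decodes the X-MS-CLIENT-PRINCIPAL header, which App Service fills with Base64-encoded JSON claims, and checks a role claim. The claim values, the role name and the helper names are constructed for illustration.

```python
import base64
import json

PRINCIPAL_HEADER = "x-ms-client-principal"  # compared case-insensitively


class PrincipalError(ValueError):
    """The injected principal header is missing or malformed."""


def parse_client_principal(headers):
    """Decode the Base64 JSON principal into provider, name, roles, claims."""
    raw = {k.lower(): v for k, v in headers.items()}.get(PRINCIPAL_HEADER)
    if not raw:
        raise PrincipalError("no principal header: request is anonymous")
    try:
        doc = json.loads(base64.b64decode(raw, validate=True))
    except ValueError as exc:  # bad Base64, bad UTF-8 or bad JSON
        raise PrincipalError("malformed principal header") from exc
    if not isinstance(doc, dict) or not isinstance(doc.get("claims"), list):
        raise PrincipalError("principal has no claims list")
    claims = {}
    for claim in doc["claims"]:
        if isinstance(claim, dict) and isinstance(claim.get("typ"), str):
            claims.setdefault(claim["typ"], []).append(claim.get("val"))

    def values(type_key):  # name_typ / role_typ say which claim type to read
        typ = doc.get(type_key)
        return claims.get(typ, []) if isinstance(typ, str) else []

    names = values("name_typ")
    return {"provider": doc.get("auth_typ"), "claims": claims,
            "name": names[0] if names else None, "roles": values("role_typ")}


def has_role(principal, role):
    """Authorization stays in the app: check a role claim before acting."""
    return role in principal["roles"]


def sample_header():
    """Constructed sample of an injected header value (not captured data)."""
    doc = {"auth_typ": "aad", "name_typ": "name", "role_typ": "roles",
           "claims": [{"typ": "name", "val": "alice@example.com"},
                      {"typ": "roles", "val": "Orders.Read"}]}
    return base64.b64encode(json.dumps(doc).encode()).decode()
```

App Service does not let external requests set this header, so it is only meaningful when the app is reached through the authentication module. With "Allow unauthenticated access" the header is absent for anonymous requests and the application code has to make the access decision itself.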

Identify methods to control inbound and outbound traffic to your web app

The main deployment types for App Service

  1. Multi tenant public service (for Free, Shared, Basic, Standard, Premium, PremiumV2, and PremiumV3 Plan Pricing tiers)
  2. Single tenant App Service Environment (ASE) - which is in your Azure Virtual Network (Isolated Plan Pricing tiers)

In a multi tenant environment you can’t connect the App Service network to your own network because it is shared with other tenants. Instead, App Service offers the following networking features for multi tenant environments.

Multi Tenant App Service Inbound Networking Features:

  1. App-assigned address
  2. Access restrictions
  3. Service endpoints
  4. Private endpoints

Multi Tenant App Service Outbound Networking Features:

  1. Hybrid Connections
  2. Gateway-required virtual network integration
  3. Virtual network integration

Learn more about these networking features in the App Service docs.

To get the current set of outbound IP addresses used by your App Service Web App use the following az webapp show command.

az webapp show --resource-group <group_name> --name <app_name> --query outboundIpAddresses --output tsv

To get the possible set of outbound IP addresses used by your App Service Web App use the following az webapp show command.

az webapp show --resource-group <group_name> --name <app_name> --query possibleOutboundIpAddresses --output tsv

Deploy an app to App Service using Azure CLI commands

Create application settings that are bound to deployment slots

  • In Azure Portal
    • Go into your App Service
    • Settings, App settings, Environment variables
    • Select + Add
    • If you’re using deployment slots you can specify if your setting is swappable or not. In the dialog, you can stick the setting to the current slot.

Explain the options for installing SSL/TLS certificates for your app

There are 5 options for installing Secure Sockets Layer (SSL) / Transport Layer Security (TLS) certificates for your App Service application.

  1. Create a free App Service managed certificate
  2. Purchase an App Service certificate
  3. Import a certificate from Key Vault
  4. Upload a private certificate
  5. Upload a public certificate

Read more at Add and manage TLS/SSL certificates in Azure App Service

Enable diagnostic logging for your app to aid in monitoring and debugging

Types of Logging Available for App Service:

  1. Application Logging: Windows and Linux
  2. Deployment Logging: Windows and Linux
  3. Web Server Logging: Windows only
  4. Detailed error messages: Windows only
  5. Failed request tracing: Windows only
  • Logs are written to either the App Service file system or Azure Storage Blobs
  • App Service Diagnostic logging can be enabled via the Azure Portal
    • These can be enabled on your App Service, App Service logs
  • Stream logs
    • In the Azure Portal, on your App Service, Log stream
    • Via Azure CLI using az webapp log tail --name appname --resource-group myResourceGroup
  • Log files
    • For logs stored in the App Service file system, download logs as a ZIP file
      • Linux/container apps: https://<app-name>.scm.azurewebsites.net/api/logs/docker/zip
      • Windows apps: https://<app-name>.scm.azurewebsites.net/api/dump

Create virtual app to directory mappings

  • In the Configuration > Path mappings section of Azure Portal
  • For Windows apps, you can customize the IIS handler mappings and virtual applications and directories
  • You can add custom storage for your containerized app using Path mappings

Identify scenarios for which autoscaling is an appropriate solution

  • handling of peak loads e.g. increased/reduced activity for a business app during holidays

Create autoscaling rules for a web app

  • Scaling in and out (as opposed to up and down)
  • Adds or removes web servers that are load balanced to spread the load

  • Option 1: Azure App Service autoscaling

    • this is where you define rules and thresholds for when an autoscaling scale in or out event will occur
    • scaling can be done based on rules:
      • Infra metric utilisation
        • CPU Percentage, Memory Percentage, Disk Queue Length, HTTP Queue Length, Data In, Data Out
        • Service Bus Queue Item Count etc.
        • Calculation for autoscaling based on:
          • Time grain (e.g. 1 minute)
          • Aggregation (Average, Minimum, Maximum, Sum, Last, and Count)
          • Duration
          • Comparison to a Threshold value
        • Results in actions:
          • Scale in or out by n instances
          • cool down of at least 5 minutes
        • Rules can be combined
    • scaling can be done on Schedule / time of day
    • scaling can be done on Alerts
    • Not all App Service Plan pricing tiers support autoscaling: you need at least S1 or any of the P level production tiers
  • Option 2: Azure App Service automatic scaling
    • this is where you can set the maximum burst, minimum amount of instances, and maximum amount of instances
    • scaling is done for you automatically as your App Service instances will be continuously monitored for load
    • instances can be prewarmed by requesting this using the Azure CLI, and you will be billed for these prewarmed instances
    • Web Apps using the same App Service Plan can scale differently using this approach
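
How the rule calculation listed under Option 1 plays out over time, as an added example that is not from the original notes: a simplified model that assumes a 1-minute time grain, a single metric and one shared cool down, run over constructed CPU samples. `Rule`, `simulate` and the instance limits are illustrative names, not Azure API objects.

```python
from dataclasses import dataclass
from statistics import mean

AGGREGATIONS = {"Average": mean, "Minimum": min, "Maximum": max, "Sum": sum,
                "Last": lambda xs: xs[-1], "Count": len}
COMPARE = {">": lambda a, b: a > b, "<": lambda a, b: a < b}

# Constructed sample: CPU Percentage, one value per 1-minute time grain.
SAMPLE_CPU = [40, 40, 40, 90] + [95] * 8 + [20] * 8


@dataclass
class Rule:
    aggregation: str   # key of AGGREGATIONS
    duration: int      # minutes of samples aggregated before comparing
    operator: str      # key of COMPARE
    threshold: float
    change: int        # +n scales out by n instances, -n scales in
    cooldown: int = 5  # minutes to wait after this rule scales


def simulate(samples, rules, start=1, minimum=1, maximum=10):
    """Replay the samples; return (minute, instance_count) per scale event."""
    instances, blocked_until, events = start, 0, []
    for minute in range(1, len(samples) + 1):
        if minute < blocked_until:
            continue  # still cooling down from the previous scale action
        for rule in rules:
            if minute < rule.duration:
                continue  # not enough history to fill the duration window
            window = samples[minute - rule.duration:minute]
            value = AGGREGATIONS[rule.aggregation](window)
            if not COMPARE[rule.operator](value, rule.threshold):
                continue
            target = max(minimum, min(maximum, instances + rule.change))
            if target != instances:
                instances, blocked_until = target, minute + rule.cooldown
                events.append((minute, instances))
                break  # one scale action per evaluation
    return events


CPU_RULES = [
    Rule("Average", 5, ">", 70, +1),  # scale out by 1 on sustained load
    Rule("Average", 5, "<", 30, -1),  # scale in by 1 when load drops
]

if __name__ == "__main__":
    print(simulate(SAMPLE_CPU, CPU_RULES))
```

With the Average aggregation the first scale out happens at minute 6, once the 5-minute window is mostly high samples; switching the rule to Maximum reacts one minute earlier and keeps scaling out until the last high sample has left the window.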

Monitor the effects of autoscaling

  • Run history chart in the Azure Portal
    • Shows how the number of instances varies over time, and which autoscale conditions caused each change
  • Also includes a table of autoscaling events timestamped

Describe the benefits of using deployment slots

Understand how slot swapping operates in App Service

Perform manual swaps and enable auto swap

Manual Swap

Auto Swap

  • Auto swap isn’t currently supported in web apps on Linux and Web App for Containers
  • When auto swap is enabled from a slot into production, every time you push your code changes to that slot, App Service automatically swaps the app into production after it’s warmed up in the source slot
  • Go to your app’s resource page and select the deployment slot you want to configure to auto swap. The setting is on the Configuration > General settings page.
  • Set Auto swap enabled to On. Then select the desired target slot for Auto swap deployment slot, and select Save on the command bar.
  • Execute a code push to the source slot. Auto swap happens after a short time, and the update is reflected at your target slot’s URL.

Route traffic manually and automatically

Manual Routing

  • use the x-ms-routing-name url query param e.g:
    • <webappname>.azurewebsites.net/?x-ms-routing-name=staging - opts into the changes on the staging slot
    • <webappname>.azurewebsites.net/?x-ms-routing-name=self - stays on the production slot

Automatic Routing

  • Go to your app’s resource page and select Deployment slots.
  • In the Traffic % column of the slot you want to route to, specify a percentage (between 0 and 100) to represent the amount of total traffic you want to route. Select Save.

Further Reading

This post is licensed under CC BY 4.0 by the author.