Azure App Service is an HTTP-based service for hosting web applications, REST APIs, and mobile back ends. You can develop in your favorite programming language or framework. Applications run and scale with ease on both Windows and Linux-based environments.
What are the lmitations for App Service on Linux?
App Service on Linux isn't supported on Shared pricing tier.
The Azure portal shows only features that currently work for Linux apps. As features are enabled, they're activated on the portal.
When deployed to built-in images, your code and content are allocated a storage volume for web content, backed by Azure Storage. The disk latency of this volume is higher and more variable than the latency of the container filesystem. Apps that require heavy read-only access to content files may benefit from the custom container option, which places files in the container filesystem instead of on the content volume.
Which powershell commend list all supported languages for webapps?
az webapp list-runtimes
What is an app service plan?
In App Service, an app always runs in an App Service plan. An App Service plan defines a set of compute resources for a web app to run. One or more apps can be configured to run on the same computing resources (or in the same App Service plan).
Each App Service plan defines:
Operating System (Windows, Linux)
Region (West US, East US, etc.)
Number of VM instances
Size of VM instances (Small, Medium, Large)
Pricing tier (Free, Shared, Basic, Standard, Premium, PremiumV2, PremiumV3, Isolated, IsolatedV2)
What is an app service pricing tier?
The pricing tier of an App Service plan determines what App Service features you get and how much you pay for the plan. There are a few categories of pricing tiers:
Shared compute: Free and Shared, the two base tiers, runs an app on the same Azure VM as other App Service apps, including apps of other customers. These tiers allocate CPU quotas to each app that runs on the shared resources, and the resources can't scale out.
Dedicated compute: The Basic, Standard, Premium, PremiumV2, and PremiumV3 tiers run apps on dedicated Azure VMs. Only apps in the same App Service plan share the same compute resources. The higher the tier, the more VM instances are available to you for scale-out.
Isolated: The Isolated and IsolatedV2 tiers run dedicated Azure VMs on dedicated Azure Virtual Networks. It provides network isolation on top of compute isolation to your apps. It provides the maximum scale-out capabilities.
How does my app service app run and scale?
In the Free and Shared tiers, an app receives CPU minutes on a shared VM instance and can't scale out. In other tiers, an app runs and scales as follows:
An app runs on all the VM instances configured in the App Service plan.
If multiple apps are in the same App Service plan, they all share the same VM instances.
If you have multiple deployment slots for an app, all deployment slots also run on the same VM instances.
If you enable diagnostic logs, perform backups, or run WebJobs, they also use CPU cycles and memory on these VM instances.
In this way, the App Service plan is the scale unit of the App Service apps. If the plan is configured to run five VM instances, then all apps in the plan run on all five instances. If the plan is configured for autoscaling, then all apps in the plan are scaled out together based on the autoscale settings.
How can i isolate computation ressources of my apps located inside the same app service plan?
If your app is in the same App Service plan with other apps, you may want to improve the app's performance by isolating the compute resources. You can do it by moving the app into a separate App Service plan.
When should i put apps into their own app service plan instead to an already existing one?
You can potentially save money by putting multiple apps into one App Service plan. However, since apps in the same App Service plan all share the same compute resources you need to understand the capacity of the existing App Service plan and the expected load for the new app.
Isolate your app into a new App Service plan when:
The app is resource-intensive.
You want to scale the app independently from the other apps in the existing plan.
The app needs resource in a different geographical region.
How can i manual deploy app service web apps?
There are a few options that you can use to manually push your code to Azure:
Git: App Service web apps feature a Git URL that you can add as a remote repository. Pushing to the remote repository deploys your app.
CLI: webapp up is a feature of the az command-line interface that packages your app and deploys it. Unlike other deployment methods, az webapp up can create a new App Service web app for you if you haven't already created one.
webapp up
az
az webapp up
Zip deploy: Use curl or a similar HTTP utility to send a ZIP of your application files to App Service.
curl
FTP/S: FTP or FTPS is a traditional way of pushing your code to many hosting environments, including App Service.
What are app service deployment slots?
Whenever possible, use deployment slots when deploying a new production build. When using a Standard App Service Plan tier or better, you can deploy your app to a staging environment and then swap your staging and production slots. The swap operation warms up the necessary worker instances to match your production scale, thus eliminating downtime.
Which identity providers are supported by azure app service?
App Service uses federated identity, in which a third-party identity provider manages the user identities and authentication flow for you. The following identity providers are available by default:
Provider
Sign-in endpoint
How-To guidance
Microsoft identity platform
/.auth/login/aad
App Service Microsoft identity platform login
Facebook
/.auth/login/facebook
App Service Facebook login
Google
/.auth/login/google
App Service Google login
Twitter
/.auth/login/twitter
App Service Twitter login
Any OpenID Connect provider
/.auth/login/<providerName>
App Service OpenID Connect login
GitHub
/.auth/login/github
App Service GitHub login
When you enable authentication and authorization with one of these providers, its sign-in endpoint is available for user authentication and for validation of authentication tokens from the provider. You can provide your users with any number of these sign-in options.
How does the authentication and authorization process works in azure app services?
The authentication and authorization module runs in the same sandbox as your application code. When it's enabled, every incoming HTTP request passes through it before being handled by your application code. This module handles several things for your app:
Authenticates users and clients with the specified identity provider(s)
Validates, stores, and refreshes OAuth tokens issued by the configured identity provider(s)
Manages the authenticated session
Injects identity information into HTTP request headers
The module runs separately from your application code and can be configured using Azure Resource Manager settings or using a configuration file. No SDKs, specific programming languages, or changes to your application code are required.
What are the app service authentication flows?
The authentication flow is the same for all providers, but differs depending on whether you want to sign in with the provider's SDK.
Without provider SDK: The application delegates federated sign-in to App Service. This is typically the case with browser apps, which can present the provider's login page to the user. The server code manages the sign-in process, so it's also called server-directed flow or server flow.
With provider SDK: The application signs users in to the provider manually and then submits the authentication token to App Service for validation. This is typically the case with browser-less apps, which can't present the provider's sign-in page to the user. The application code manages the sign-in process, so it's also called client-directed flow or client flow. This applies to REST APIs, Azure Functions, JavaScript browser clients, and native mobile apps that sign users in using the provider's SDK.
Step
Without provider SDK
With provider SDK
Sign user in
Redirects client to /.auth/login/<provider>.
/.auth/login/<provider>
Client code signs user in directly with provider's SDK and receives an authentication token. For information, see the provider's documentation.
Post-authentication
Provider redirects client to /.auth/login/<provider>/callback.
/.auth/login/<provider>/callback
Client code posts token from provider to /.auth/login/<provider> for validation.
Establish authenticated session
App Service adds authenticated cookie to response.
App Service returns its own authentication token to client code.
Serve authenticated content
Client includes authentication cookie in subsequent requests (automatically handled by browser).
Client code presents authentication token in X-ZUMO-AUTH header (automatically handled by Mobile Apps client SDKs).
X-ZUMO-AUTH
What are the authorization behaviors in an azure app service?
Allow unauthenticated requests: This option defers authorization of unauthenticated traffic to your application code. For authenticated requests, App Service also passes along authentication information in the HTTP headers. This option provides more flexibility in handling anonymous requests. It lets you present multiple sign-in providers to your users.
Require authentication: This option rejects any unauthenticated traffic to your application. This rejection can be a redirect action to one of the configured identity providers. In these cases, a browser client is redirected to /.auth/login/<provider> for the provider you choose. If the anonymous request comes from a native mobile app, the returned response is an HTTP 401 Unauthorized. You can also configure the rejection to be an HTTP 401 Unauthorized or HTTP 403 Forbidden for all requests.
HTTP 401 Unauthorized
HTTP 403 Forbidden
What is an azure app service token store?
App Service provides a built-in token store, which is a repository of tokens that are associated with the users of your web apps, APIs, or native mobile apps. When you enable authentication with any provider, this token store is immediately available to your app.
Name the two main network deployment tpyes for azure app services.
There are two main deployment types for Azure App Service. The multitenant public service hosts App Service plans in the Free, Shared, Basic, Standard, Premium, PremiumV2, and PremiumV3 pricing SKUs. There's also the single-tenant App Service Environment (ASE) hosts Isolated SKU App Service plans directly in your Azure virtual network.
Name the Inbound and Outbound network features for an azure app service
Azure App Service is a distributed system. The roles that handle incoming HTTP or HTTPS requests are called front ends. The roles that host the customer workload are called workers. All the roles in an App Service deployment exist in a multi-tenant network. Because there are many different customers in the same App Service scale unit, you can't connect the App Service network directly to your network.
Instead of connecting the networks, you need features to handle the various aspects of application communication. The features that handle requests to your app can't be used to solve problems when you're making calls from your app. Likewise, the features that solve problems for calls from your app can't be used to solve problems to your app.
Inbound features
Outbound features
App-assigned address
Hybrid Connections
Access restrictions
Gateway-required virtual network integration
Service endpoints
Virtual network integration
Private endpoints
Name some inbound network use cases and their related app service feature(s)
you can mix the features to solve your problems with a few exceptions. The following inbound use cases are examples of how to use App Service networking features to control traffic inbound to your app.
Inbound use case
Feature
Support IP-based SSL needs for your app
Support unshared dedicated inbound address for your app
Restrict access to your app from a set of well-defined addresses
What does SKU mean?
In Azure, “SKU” stands for “Stock Keeping Unit.” SKU refers to a specific version or offering of a resource within Azure. It defines the characteristics, capabilities, features, performance levels, and pricing of various Azure resources and services like virtual machines, storage accounts, databases, and more.
What are Outbound addresses in azure app services?
The worker VMs are broken down in large part by the App Service plans. The Free, Shared, Basic, Standard, and Premium plans all use the same worker VM type. The PremiumV2 plan uses another VM type. PremiumV3 uses yet another VM type. When you change the VM family, you get a different set of outbound addresses.
There are many addresses that are used for outbound calls. The outbound addresses used by your app for making outbound calls are listed in the properties for your app. These addresses are shared by all the apps running on the same worker VM family in the App Service deployment. If you want to see all the addresses that your app might use in a scale unit, there's a property called possibleOutboundIpAddresses that lists them.
possibleOutboundIpAddresses
How can i get all outbound IP addresses currently used by an azure app service app via powershell?
you can find the same information by running the following Azure CLI command in the Cloud Shell. They're listed in the Additional Outbound IP Addresses field.
az webapp show \
--resource-group <group_name> \
--name <app_name> \
--query outboundIpAddresses \
--output tsv
Note we could also use query possibleOutboundIpAddresses
query possibleOutboundIpAddresses
How does the overall app service auth architecture look like?
which configuration categories exist for app services?
What can be adjusted inside the app service configure path mappings section for windows related workloads?
For Windows apps, you can customize the IIS handler mappings and virtual applications and directories.
Handler mappings let you add custom script processors to handle requests for specific file extensions. To add a custom handler, select New handler. Configure the handler as follows:
Extension: The file extension you want to handle, such as *.php or handler.fcgi.
Script processor: The absolute path of the script processor. Requests to files that match the file extension are processed by the script processor. Use the path D:\home\site\wwwroot to refer to your app's root directory.
D:\home\site\wwwroot
Arguments: Optional command-line arguments for the script processor.
Each app has the default root path (/) mapped to D:\home\site\wwwroot, where your code is deployed by default. If your app root is in a different folder, or if your repository has more than one application, you can edit or add virtual applications and directories.
/
You can configure virtual applications and directories by specifying each virtual directory and its corresponding physical path relative to the website root (D:\home). To mark a virtual directory as a web application, clear the Directory check box.
D:\home
What can be adjusted inside the app service configure path mappings section for linux related workloads?
You can add custom storage for your containerized app. Containerized apps include all Linux apps and also the Windows and Linux custom containers running on App Service. Select New Azure Storage Mount and configure your custom storage as follows:
Name: The display name.
Configuration options: Basic or Advanced.
Storage accounts: The storage account with the container you want.
Storage type: Azure Blobs or Azure Files. Windows container apps only support Azure Files.
Storage container: For basic configuration, the container you want.
Share name: For advanced configuration, the file share name.
Access key: For advanced configuration, the access key.
Mount path: The absolute path in your container to mount the custom storage.
Last changed9 months ago