Upgrade HTTP endpoints to HTTPS in Azure App Service#16060
Merged
Conversation
HTTP endpoints are now upgraded to HTTPS:443 by default in App Service, matching the existing behavior in Azure Container Apps. App Service already redirects HTTP to HTTPS at the platform level, so this ensures connection strings reflect the actual serving scheme. - Add PreserveHttpEndpoints property to AzureAppServiceEnvironmentResource - Add WithHttpsUpgrade() extension method to opt out - Upgrade HTTP->HTTPS in ProcessEndpoints with consolidated logging - Add CanPreserveHttpSchemeUsingWithHttpsUpgrade test Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
|
🚀 Dogfood this PR with:
curl -fsSL https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 16060Or
iex "& { $(irm https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 16060" |
Contributor
There was a problem hiding this comment.
Pull request overview
Updates Azure App Service publishing to automatically upgrade HTTP endpoint references to HTTPS:443 (matching the existing Azure Container Apps behavior), with an environment-level opt-out via WithHttpsUpgrade(false) and consolidated logging.
Changes:
- Upgrade App Service HTTP endpoint mappings to
https://+ port 443 by default, with an environment opt-out (WithHttpsUpgrade(false)). - Add environment-scoped aggregation + single log message listing upgraded endpoints.
- Update/extend Azure App Service publishing snapshot tests to reflect the new endpoint scheme behavior.
Show a summary per file
| File | Description |
|---|---|
| src/Aspire.Hosting.Azure.AppService/AzureAppServiceWebsiteContext.cs | Applies HTTPS upgrade (unless opted out) when building endpoint mappings used for endpoint references. |
| src/Aspire.Hosting.Azure.AppService/AzureAppServiceEnvironmentResource.cs | Adds environment flag (PreserveHttpEndpoints) to control upgrade behavior. |
| src/Aspire.Hosting.Azure.AppService/AzureAppServiceEnvironmentExtensions.cs | Introduces WithHttpsUpgrade(bool upgrade = true) public API to toggle upgrade behavior. |
| src/Aspire.Hosting.Azure.AppService/AzureAppServiceEnvironmentContext.cs | Aggregates upgraded endpoints and logs once per environment. |
| src/Aspire.Hosting.Azure.AppService/AzureAppServiceInfrastructure.cs | Invokes the consolidated HTTPS-upgrade log after processing resources. |
| tests/Aspire.Hosting.Azure.Tests/AzureAppServiceTests.cs | Adds a new test intended to cover opt-out behavior. |
| tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureAppServiceTests.EndpointReferencesAreResolvedAcrossProjects.verified.bicep | Updates expected connection string scheme to https:// for App Service. |
| tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureAppServiceTests.AddAppServiceWithTargetPort.verified.bicep | Updates expected connection string scheme to https://. |
| tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureAppServiceTests.AddAppServiceWithArgs.verified.bicep | Updates expected connection string scheme to https://. |
| tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureAppServiceTests.AddAppServiceToEnvironmentWithoutDashboard.verified.bicep | Updates expected connection string scheme to https://. |
| tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureAppServiceTests.CanPreserveHttpSchemeUsingWithHttpsUpgrade.verified.json | Adds snapshot output for the new opt-out test. |
| tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureAppServiceTests.CanPreserveHttpSchemeUsingWithHttpsUpgrade.verified.bicep | Adds snapshot output for the new opt-out test. |
Copilot's findings
- Files reviewed: 12/12 changed files
- Comments generated: 3
Mirror the ACA WithHttpsUpgrade documentation pattern with remarks explaining opt-out behavior and a usage example. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
|
Re-running the failed jobs in the CI workflow for this pull request because 1 job was identified as retry-safe transient failures in the CI run attempt.
|
Contributor
Author
|
/deployment-test |
Contributor
|
🚀 Deployment tests starting on PR #16060... This will deploy to real Azure infrastructure. Results will be posted here when complete. |
Contributor
|
❌ Deployment E2E Tests failed — 23 passed, 7 failed, 0 cancelled View test results and recordings
|
mitchdenny
approved these changes
Apr 12, 2026
Member
mitchdenny
left a comment
mitchdenny
left a comment
There was a problem hiding this comment.
Clean implementation that mirrors the ACA HTTPS upgrade behavior 1:1. Scheme upgrade logic, port assignment, logging consolidation, and public API surface all look correct. No issues found.
…t URLs Add a second project that references project1 so the snapshot captures the resolved endpoint URLs (services__project1__http__0). This proves WithHttpsUpgrade(false) actually preserves http:// scheme instead of upgrading to https://. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
|
🎬 CLI E2E Test Recordings — 68 recordings uploaded (commit View recordings
📹 Recordings uploaded automatically from CI run #24298642695 |
radical
pushed a commit
that referenced
this pull request
Apr 14, 2026
* Upgrade HTTP endpoints to HTTPS in Azure App Service HTTP endpoints are now upgraded to HTTPS:443 by default in App Service, matching the existing behavior in Azure Container Apps. App Service already redirects HTTP to HTTPS at the platform level, so this ensures connection strings reflect the actual serving scheme. - Add PreserveHttpEndpoints property to AzureAppServiceEnvironmentResource - Add WithHttpsUpgrade() extension method to opt out - Upgrade HTTP->HTTPS in ProcessEndpoints with consolidated logging - Add CanPreserveHttpSchemeUsingWithHttpsUpgrade test Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Add remarks and example to WithHttpsUpgrade XML docs Mirror the ACA WithHttpsUpgrade documentation pattern with remarks explaining opt-out behavior and a usage example. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Fix CanPreserveHttpSchemeUsingWithHttpsUpgrade test to verify endpoint URLs Add a second project that references project1 so the snapshot captures the resolved endpoint URLs (services__project1__http__0). This proves WithHttpsUpgrade(false) actually preserves http:// scheme instead of upgrading to https://. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This was referenced Apr 25, 2026
Closed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Upgrade HTTP endpoints to HTTPS in Azure App Service, mirroring the existing behavior in Azure Container Apps (added in #14267).
Azure App Service already forces HTTP to HTTPS redirect at the platform level (docs), so connection strings should use
https://to match the actual serving scheme. Previously, HTTP endpoints kepthttp://in their connection strings, which was inconsistent with reality.Changes:
WithHttpsUpgrade(false)to opt out at the environment levelThis matches the ACA implementation 1:1 in API shape, naming, and behavior.
Checklist
<remarks />and<code />elements on your triple slash comments?aspire.devissue: