# AZ-204: 01 - Implement Azure App Service web apps

In [2]:
import sys
sys.path.append('./../utils')
import ai

➡️ Answers generated using AI, and grounded in the learn module. Mistakes are possible. Check important info.

## Explore Azure App Service

In [3]:
%%learn 
https://learn.microsoft.com/en-us/training/modules/introduction-to-azure-app-service/

https://learn.microsoft.com/en-us/training/modules/introduction-to-azure-app-service/1-introduction
https://learn.microsoft.com/en-us/training/modules/introduction-to-azure-app-service/2-azure-app-service
https://learn.microsoft.com/en-us/training/modules/introduction-to-azure-app-service/3-azure-app-service-plans
https://learn.microsoft.com/en-us/training/modules/introduction-to-azure-app-service/4-deploy-code-to-app-service
https://learn.microsoft.com/en-us/training/modules/introduction-to-azure-app-service/5-authentication-authorization-app-service
https://learn.microsoft.com/en-us/training/modules/introduction-to-azure-app-service/6-network-features
https://learn.microsoft.com/en-us/training/modules/introduction-to-azure-app-service/7-create-html-web-app


('',
 'https://learn.microsoft.com/en-us/training/modules/introduction-to-azure-app-service/\n')

In [3]:
%%question
What is Azure App Service?

Azure **App Service** is an **HTTP-based service** for hosting **web applications**, **REST APIs**, and **mobile back ends**. It supports multiple programming languages and frameworks, and allows applications to run and scale easily on both Windows and Linux environments.

In [4]:
%%question
what are the main features?

The main features of Azure **App Service** include:

- **Auto Scale Support**: Automatically scale up/down or out/in based on app usage.
- **Container Support**: Deploy and run containerized web apps on Windows and Linux.
- **Continuous Integration/Deployment**: Integrate with Azure DevOps, GitHub, Bitbucket, etc., for automatic code deployment.
- **Deployment Slots**: Use separate deployment slots for staging and production.
- **Built-in Authentication/Authorization**: Manage user sign-ins with multiple identity providers.
- **Networking Features**: Control inbound and outbound traffic with access restrictions and virtual network integration.

In [5]:
%%question
What is an App Service Plan and how does it relate to App Service?

An **App Service Plan** defines a set of **compute resources** for a web app to run on in Azure App Service. It determines the region, number and size of VM instances, and pricing tier. The **pricing tier** affects the features and cost. Multiple apps can share the same App Service Plan, meaning they share the same compute resources. The plan is the **scale unit** for the apps, allowing you to scale them together.

In [6]:
%%question
What are the different types of App Service plans? Can you compare them in a table?
- Provide a brief description, and list the features (as a bulleted list)

Certainly! Here are the different types of **App Service Plans**:

| **Plan Type** | **Description** | **Features** |
|---------------|-----------------|--------------|
| **Shared Compute** | Basic tiers for development and testing purposes. | - **Free** and **Shared** tiers<br>- Run on same Azure VM as other apps<br>- Limited CPU quotas<br>- No scale-out |
| **Dedicated Compute** | For apps requiring dedicated resources. | - **Basic**, **Standard**, **Premium**, **PremiumV2**, **PremiumV3** tiers<br>- Dedicated Azure VMs<br>- More VM instances available for scale-out<br>- Higher tiers provide more scaling options |
| **Isolated** | Offers maximum isolation and scaling. | - **Isolated** and **IsolatedV2** tiers<br>- Dedicated VMs on dedicated Virtual Networks<br>- Network isolation<br>- Maximum scale-out capabilities |

Each plan type is designed to meet different needs, balancing **cost** and **performance** based on the required **isolation** and **scaling** capabilities.

In [7]:
%%question
Can I run multiple apps on an App Service Plan? Why should I or should I not do this?

Yes, you can run **multiple apps** on the same **App Service Plan**. Here's why you might choose to do this, and some considerations:

### **Reasons to Run Multiple Apps:**
- **Cost Efficiency**: Share the compute resources and save costs by avoiding the need for separate plans.
- **Management**: Simplifies management by having a single plan for related apps.

### **Considerations:**
- **Resource Sharing**: All apps share the same compute resources (CPU, memory), which may affect performance if one app is resource-intensive.
- **Scaling**: Scaling settings apply to all apps in the plan, which may not suit apps with different scaling needs.
- **Geographical Needs**: If apps need resources in different regions, separate plans are necessary.

Decide based on the **resource needs** and **scalability** of your apps.

In [8]:
%%question
Can I scale an app individually in an App Service Plan?

No, you cannot scale an app **individually** within a shared **App Service Plan**. All apps in the same plan share the same scaling settings, meaning they scale together. If you need individual scaling, consider moving the app to a separate **App Service Plan**.

In [9]:
%%question
What are the different deployment methods?

Azure App Service supports several **deployment methods**:

### **Automated Deployment:**
- **Azure DevOps Services**: Integrate for continuous deployment from Azure DevOps.
- **GitHub**: Automatically deploy changes from a connected GitHub repository.
- **Bitbucket**: Set up automated deployment similar to GitHub.

### **Manual Deployment:**
- **Git**: Push code to a Git URL for deployment.
- **CLI**: Use Azure CLI to package and deploy your app.
- **Zip Deploy**: Send a ZIP file of your application files to App Service.
- **FTP/S**: Use FTP or FTPS to upload and deploy your code.

These methods offer flexibility depending on your project's needs and workflow.

In [10]:
%%question
Can you provide me with an example to deploy a web app using Azure CLI?

Certainly! Here's a simple example of deploying a web app using **Azure CLI**:

1. **Open Azure Cloud Shell** in the Azure portal.

2. **Create a Resource Group** (if you don't have one):
   ```bash
   az group create --name MyResourceGroup --location EastUS
   ```

3. **Create an App Service Plan**:
   ```bash
   az appservice plan create --name MyAppServicePlan --resource-group MyResourceGroup --sku B1
   ```

4. **Create a Web App**:
   ```bash
   az webapp create --name MyUniqueAppName --resource-group MyResourceGroup --plan MyAppServicePlan
   ```

5. **Deploy Your Application**:
   - Navigate to your app's directory.
   - Deploy using Zip Deploy:
     ```bash
     az webapp deployment source config-zip --resource-group MyResourceGroup --name MyUniqueAppName --src path/to/your/app.zip
     ```

Replace `MyResourceGroup`, `MyAppServicePlan`, `MyUniqueAppName`, and `path/to/your/app.zip` with your specific resource group name, app service plan name, web app name, and path to your app's zip file, respectively.

This will create and deploy your web app on Azure.

In [11]:
%%question
for the above example, does it matter what kind of framework I'm using? - does it work with .NET, Node.js, Python, etc?

No, the framework does not matter for the basic deployment process using **Azure CLI**. Azure App Service supports a variety of programming languages and frameworks, including **.NET**, **Node.js**, **Python**, **Java**, **PHP**, and **Ruby**. You just need to ensure your app is packaged correctly (e.g., in a ZIP file) and that the necessary runtime is available on Azure App Service.

In [12]:
%%question
How does the deployment actually work when I do az webapp up?

When you use the `az webapp up` command, Azure CLI handles several tasks to deploy your web app:

1. **Identify and Prepare Resources**:
   - Checks if a resource group and App Service plan already exist. If not, it creates them.
   - Determines the runtime environment based on the contents of your app directory.

2. **Create the Web App**:
   - If a web app with the specified name doesn't exist, it creates a new one in the determined runtime.

3. **Deploy the App**:
   - Packages the application files from your current working directory.
   - Deploys the package to the created or existing web app using Zip Deploy.

4. **Provide Access**:
   - Outputs the URL of the deployed web app so you can access it directly.

This command simplifies the deployment process by automatically handling setup for common scenarios.

In [13]:
%%question
Are there any other ways to deploy an app via the cli?

Yes, besides `az webapp up`, there are other ways to deploy an app via the **Azure CLI**:

1. **Zip Deploy**:
   ```bash
   az webapp deployment source config-zip --resource-group MyResourceGroup --name MyAppName --src path/to/app.zip
   ```
   Packages your app in a ZIP file and deploys it.

2. **Git Deploy**:
   - Set up a local Git repository and push your code to the App Service Git repository URL.

3. **Container Deploy**:
   - Deploy a Docker container by setting the container image:
     ```bash
     az webapp create --name MyAppName --resource-group MyResourceGroup --plan MyAppServicePlan --deployment-container-image-name myregistry.azurecr.io/myimage:tag
     ```

These methods provide flexibility depending on your preferred deployment strategy.

In [14]:
%%question
What is an Azure Static webapp and can I use az webapp up to deploy a static web app?

An **Azure Static Web App** is a service designed to automatically build and deploy full-stack web apps to Azure from a code repository. It is optimized for static content and serverless APIs, offering features like global distribution, custom domains, and integrated authentication.

You **cannot** use `az webapp up` to deploy a static web app. Instead, Azure provides a separate service called **Azure Static Web Apps** for this purpose. You typically deploy a static web app by connecting it to a GitHub repository and using GitHub Actions or by using Azure DevOps for automatic builds and deployments.

In [15]:
%%question
What is the difference between authentication and authorization?

**Authentication** is the process of verifying the identity of a user or entity, ensuring they are who they claim to be. It's about confirming identity.

**Authorization**, on the other hand, determines what an authenticated user or entity is allowed to do, such as accessing specific resources or performing certain actions. It's about granting permissions.

In summary, **authentication** answers "Who are you?" while **authorization** answers "What can you do?"

In [16]:
%%question
Why would I use the built-in authentication and authorization features in App Service?

Using the **built-in authentication and authorization** features in Azure App Service offers several advantages:

- **Simplicity**: Integrate authentication without writing extensive custom code.
- **Time-Saving**: Quickly set up authentication with federated identity providers like Microsoft Entra ID, Facebook, and Google.
- **Security**: Leverage Azure's built-in security measures without requiring deep security expertise.
- **No SDK Required**: Works across different programming languages and frameworks without needing specific SDKs.
- **Multiple Providers**: Easily support multiple sign-in options for users. 

These features allow you to focus on developing your app while handling authentication and authorization efficiently.

In [17]:
%%question
What would be the process to enable authentication and authorization for the app? Give me a high-level step-by-step overview. Do not go into details.

Certainly! Here's a high-level overview:

1. **Navigate to Azure Portal**: Open the Azure portal and select your App Service.

2. **Access Authentication/Authorization Settings**: Go to the "Authentication / Authorization" section in your App Service settings.

3. **Enable Authentication**: Turn on the authentication feature.

4. **Select Identity Provider**: Choose one or more identity providers (e.g., Microsoft Entra ID, Google, Facebook).

5. **Configure Provider**: Configure the selected identity provider(s) with necessary credentials and settings.

6. **Set Authorization Rules**: Choose authorization behavior for unauthenticated requests (e.g., require authentication, allow unauthenticated).

7. **Save Settings**: Save your configured settings to apply authentication and authorization to your app.

In [18]:
%%question
Let's use Microsoft Entra ID. How do I make sure that only authorized users (for example, members of the finance security group) can access the app?

To ensure that only authorized users, such as members of a specific security group, can access the app using **Microsoft Entra ID**, follow these steps:

1. **Configure Microsoft Entra ID** as the identity provider in your App Service's authentication settings.

2. **Create or Select a Security Group** in Microsoft Entra ID that includes the authorized users (e.g., finance group).

3. **Assign the App Role**: 
   - Create an app registration in Microsoft Entra ID for your application.
   - Define a custom role that maps to your security group.
   - Assign this role to the users or group within the app registration.

4. **Update App Configuration**:
   - Modify your app's configuration to check for this role or group membership upon authentication.
   - Implement logic in your application code to restrict access based on the role.

5. **Test Access**:
   - Verify that only users within the specified security group can access the app and that others are denied access.

These steps ensure that access is controlled based on group membership in Microsoft Entra ID.

In [19]:
%%question
Can I use entra ID app roles to control access to the app?

Yes, you can use **Microsoft Entra ID app roles** to control access to your app. Here's how it works:

1. **Define App Roles**: In the Microsoft Entra ID app registration for your application, define specific roles that correspond to different levels of access or permissions.

2. **Assign Roles**: Assign these roles to users or groups within Microsoft Entra ID.

3. **Configure App**: Update your application's configuration to recognize and enforce these roles. This typically involves checking the user's assigned roles upon authentication and authorizing actions or access based on those roles.

By using app roles, you can effectively manage and control what different users can do within your app.

In [20]:
%%question
Let's use C# razor application. What logic would I need to implement?

To use **Microsoft Entra ID app roles** in a C# Razor application, you would typically implement the following logic:

1. **Configure Authentication Middleware**:
   - Ensure your application is set up to use Microsoft Entra ID for authentication. This typically involves configuring the middleware in `Startup.cs` with your Microsoft Entra ID credentials.

2. **Check User Roles**:
   - In your Razor pages or controllers, check if the authenticated user has the required role(s) using the `User.IsInRole("RoleName")` method.

3. **Authorize Access**:
   - Use the `[Authorize(Roles = "RoleName")]` attribute on controllers, actions, or Razor pages to restrict access to users with specific roles.

4. **Implement Conditional Logic**:
   - In your Razor views, use conditional logic to display or hide content based on the user's roles.

Here's a simple example:

```csharp
// In Startup.cs
services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
    .AddAzureAD(options => Configuration.Bind("AzureAd", options));

// In a Controller or Razor Page
[Authorize(Roles = "FinanceRole")]
public IActionResult FinanceDashboard()
{
    // Logic for authorized users
}

// In a Razor view
@if (User.IsInRole("FinanceRole"))
{
    <p>Welcome, Finance team member!</p>
}
```

This setup ensures that only users with the specified roles can access certain parts of your application.

In [21]:
%%question
How do I know which user is accessing the app? Compare this in C#, Python, and Node.js.

To determine which user is accessing an app, you'll typically check the user's identity from the authentication context. Here's how you can do it in **C#**, **Python**, and **Node.js**:

### **C# (ASP.NET Core)**
- **Access User Claims**: Use the `User` object in a controller or Razor page.
```csharp
string userName = User.Identity.Name;  // Get username
var userId = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;  // Get user ID
```

### **Python (Flask with Flask-Login)**
- **Access Current User**: Use the `current_user` object.
```python
from flask_login import current_user

user_name = current_user.name  # Assuming 'name' is a property of the user
user_id = current_user.id  # Get user ID
```

### **Node.js (Express with Passport.js)**
- **Access User Object**: Use `req.user` after authentication.
```javascript
app.get('/profile', (req, res) => {
    const userName = req.user.username;  // Assuming 'username' is a property
    const userId = req.user.id;  // Get user ID
    res.send(`User: ${userName}, ID: ${userId}`);
});
```

In each framework, the specific properties available depend on how you set up your authentication and user model. The common theme is accessing a user object provided by the authentication middleware or library.

In [22]:
%%question
Let's switch to networking. Why are there networking features in App Service?

Networking features in **App Service** are essential for:

- **Security**: Control and restrict **inbound** and **outbound** traffic to protect your app from unauthorized access.
- **Connectivity**: Enable connectivity to on-premises networks or other Azure services through virtual network integration.
- **Isolation**: Use features like **Private Endpoints** and **Service Endpoints** to ensure secure and isolated communication.
- **Access Management**: Implement access restrictions based on IP addresses or virtual network configurations.

These features help ensure your app is secure, well-connected, and efficiently managed.

In [4]:
%%question
What are the different networking features in App Service? Categorize them into groups.

In **Azure App Service**, networking features are categorized into **inbound** and **outbound** features:

### **Inbound Features:**
- **App-assigned address:** Support IP-based SSL needs and provide dedicated inbound addresses.
- **Access restrictions:** Restrict access to your app from specific addresses.
- **Service endpoints:** Connect securely to Azure services within a virtual network.
- **Private endpoints:** Access your app privately over a virtual network.

### **Outbound Features:**
- **Hybrid Connections:** Enable connections from your app to on-premises resources.
- **Gateway-required virtual network integration:** Connect apps with resources in a virtual network.
- **Virtual network integration:** Allow apps to access resources in a virtual network. 

These features help manage and secure the network traffic for your app.

In [5]:
%%question
What are App-Assigned Address and why would I use them?

An **App-assigned address** in Azure App Service provides a **dedicated IP address** for your app. This is useful for:

- **IP-based SSL needs:** Allowing you to secure your app with an SSL certificate.
- **Unshared dedicated inbound address:** Ensuring a unique IP for your app, which can be important for certain compliance or network configuration requirements.

Using an app-assigned address helps improve security and ensures consistent access to your app.

In [6]:
%%question
How do I enforce access restrictions? Can you share a real-life example?

To **enforce access restrictions** in Azure App Service, you can configure **access control rules** to allow or deny traffic based on **IP addresses** or **virtual network subnets**. Here's how you can set it up:

1. **Navigate to your App Service** in the Azure portal.
2. Under **Settings**, select **Networking**.
3. In the **Access Restrictions** section, add rules to specify which IP addresses or subnets can access your app.

### Real-life Example:

Let's say your organization wants to ensure that only employees can access the internal company portal hosted on Azure App Service. You can:

- **Allow access** only from the company's office IP range.
- **Deny access** from all other IP addresses to prevent external access.

This setup ensures that only users within the specified IP range can access the portal, enhancing security by restricting unauthorized external access.

In [7]:
%%question
Can you use this also to block certain countries?

**Azure App Service** does not directly support blocking access based on **geographic location** or **country**. However, you can achieve this by integrating with additional services or solutions, such as:

- **Azure Front Door** or **Azure Application Gateway**: Use these services to implement Web Application Firewall (WAF) rules that can block traffic based on geographic location.
- **Third-party services**: Use services that provide geo-blocking capabilities to filter traffic based on country.

These solutions can help you restrict access from specific countries by evaluating the geographic origin of incoming requests.

In [8]:
%%question
Can you share some ip ranges that I can use to block certain countries? (just examples)

Blocking IP ranges based on country can be quite complex, as IP addresses are not always perfectly aligned with geographic boundaries. However, you can refer to publicly available IP range lists that are updated regularly. Here are some example ranges you could consider for illustrative purposes:

- **China**: 36.0.0.0/8, 60.0.0.0/8
- **Russia**: 5.8.0.0/13, 37.140.128.0/17
- **India**: 14.0.0.0/8, 103.0.0.0/8

These ranges are examples and may not comprehensively cover all IPs used in these countries. It's important to use an updated and reliable source for IP ranges if you intend to implement geographical blocking. Services like MaxMind or IP2Location provide databases that can help with this task.

In [9]:
%%question
What are service endpoints and private endpoints?
What are the differences between them - and output this in a table.

Sure! Here's a table highlighting the differences between **service endpoints** and **private endpoints** in Azure:

| Feature              | **Service Endpoints**                     | **Private Endpoints**                     |
|----------------------|-------------------------------------------|-------------------------------------------|
| **Purpose**          | Extends a virtual network to Azure services. | Connects privately to services over a private IP address. |
| **Traffic**          | Routes traffic through the public IP but restricts it to the VNet. | Ensures traffic stays within the Azure backbone network. |
| **Security**         | Adds a layer of access control to Azure services. | Provides enhanced security by private connectivity. |
| **Access**           | Limited to the configured virtual network. | Can access services securely from on-premises via VPN or ExpressRoute. |
| **IP Address**       | Uses the public IP of the service.        | Uses a private IP from your VNet.         |
| **Use Case**         | Simplifying network architecture for Azure services. | Securely accessing resources without exposing them to the internet. |

These features help in securely integrating Azure services with your network architecture.

In [10]:
%%question
Why would I use a service endpoint or a private endpoint with Azure App Service?

Using **service endpoints** or **private endpoints** with Azure App Service provides enhanced network security and connectivity:

### **Service Endpoints:**
- **Security:** Restrict access to Azure services to only your virtual network, adding a layer of security.
- **Simplified Network Architecture:** Helps integrate Azure services like Azure Storage and SQL Database seamlessly with your virtual network.
- **Performance:** Traffic flows directly between your VNet and the service, potentially improving performance.

### **Private Endpoints:**
- **Private Connectivity:** Access services privately over a virtual network, ensuring all traffic stays within the Azure backbone.
- **Enhanced Security:** Keeps your services isolated from the public internet, reducing exposure to security threats.
- **Use Cases:** Ideal for scenarios requiring secure connections to services from on-premises networks via VPN or ExpressRoute.

Overall, these features help secure your Azure App Service and improve the integration with other Azure resources.

In [11]:
%%question
What would be possible with private endpoints, that you can't do with service endpoints - or would be rather limited?

Using **private endpoints** offers capabilities that **service endpoints** cannot provide or are limited in:

1. **Private Connectivity:**
   - **Private Endpoints** allow services to be accessed entirely through a private IP address within your virtual network, eliminating exposure to the public internet.
   - **Service Endpoints** still use the service's public IP, though access is limited to your VNet.

2. **On-Premises Access:**
   - **Private Endpoints** enable secure access to Azure services from on-premises environments via VPN or ExpressRoute.
   - **Service Endpoints** do not extend to on-premises networks.

3. **Network Isolation:**
   - **Private Endpoints** provide complete network isolation, making it easier to meet stringent security and compliance requirements.
   - **Service Endpoints** offer less isolation, as traffic traverses the public internet, albeit restricted to specific VNets.

4. **Resource Accessibility:**
   - **Private Endpoints** can be used to access services from different subscriptions or tenants securely.
   - **Service Endpoints** are generally restricted to the same subscription and require additional configuration for cross-subscription access.

These distinctions make private endpoints particularly beneficial for scenarios requiring high security and network isolation.

In [12]:
%%question
What about the risk of data exfiltration?

**Private Endpoints** significantly reduce the **risk of data exfiltration** by ensuring that all traffic between your resources and Azure services remains within the Azure backbone network, preventing exposure to the public internet. This setup minimizes the potential for unauthorized data access or leakage.

In contrast, while **Service Endpoints** enhance security by restricting access to your virtual network, they still allow traffic over public network paths, which could pose a higher risk of data exfiltration compared to private endpoints. 

By using private endpoints, you can enforce strict network access controls and ensure that data does not leave the secure Azure environment, thereby enhancing your data protection strategy.

In [13]:
%%question
What are hybrid connections and why would I use them?

**Hybrid Connections** in Azure App Service allow your web apps to securely access resources in other networks, such as on-premises servers or other cloud environments, without requiring complex network setup like VPNs.

### Why Use Hybrid Connections?

1. **Secure Access:** Establishes a secure connection between your Azure App Service and on-premises or other networked resources, without exposing them to the public internet.

2. **Ease of Setup:** Simple to configure compared to traditional VPN solutions, as it uses Azure Relay for connectivity.

3. **Portability:** Works across any network resource that uses TCP/IP, making it versatile for accessing databases, APIs, and other services.

4. **Minimal Changes:** Requires minimal changes to your network infrastructure, as it doesn't require inbound firewall rules.

Hybrid Connections are ideal for scenarios where you need reliable and secure access to on-premises resources from your cloud-based applications.

In [14]:
%%question
What would be the process to set up a hybrid connection? (provide a high level overview, do not go into details)

To set up a **Hybrid Connection** in Azure App Service, follow these high-level steps:

1. **Create Hybrid Connection:**
   - In the Azure portal, create a new Hybrid Connection under your App Service.

2. **Install and Configure Hybrid Connection Manager:**
   - Download and install the Hybrid Connection Manager (HCM) on a server in your network that can reach the desired resource.
   - Register the HCM with your Azure subscription and configure it to connect to the specific endpoint.

3. **Configure App Service:**
   - Link the Hybrid Connection to your Azure App Service, specifying the endpoint details (hostname and port) you wish to connect to.

4. **Test Connectivity:**
   - Verify that the Azure App Service can successfully connect to the on-premises resource using the Hybrid Connection.

This setup allows your app to securely access resources across network boundaries with minimal configuration.

In [15]:
%%question
What ports should I then open (inbound and outbound) in my firewall?

For **Hybrid Connections**, you generally need to configure your firewall as follows:

### **Outbound Ports:**
- **Port 443:** The Hybrid Connection Manager (HCM) communicates with Azure Relay over HTTPS, so ensure outbound traffic on port 443 is allowed.

### **Inbound Ports:**
- **No inbound ports** need to be opened for Hybrid Connections, as the connection is initiated from the Hybrid Connection Manager to Azure Relay, maintaining the security of your network.

This setup minimizes firewall changes, focusing on secure, outbound-only connections.

In [16]:
%%question
Are there any limitations with hybrid connections?

Yes, there are some **limitations** with Hybrid Connections:

1. **Protocol Support:** Hybrid Connections support only **TCP-based** protocols, not UDP.

2. **Port Limitation:** Each Hybrid Connection is limited to a **specific port** on the target resource.

3. **Performance:** There may be **latency** due to the additional network hops through Azure Relay.

4. **Scaling:** Hybrid Connections are not designed for **high-throughput** scenarios. They are suitable for small to medium-scale applications.

5. **Network Dependencies:** Hybrid Connections rely on the availability and reliability of both Azure Relay and your network infrastructure.

These limitations mean Hybrid Connections are best suited for scenarios requiring secure, low-volume access to on-premises resources.

In [17]:
%%question
If I use this, do I need to change my app code? Let's imagine I'm using a .NET Core app  and need to connect to a SQL Server database on a VM in my on-premises network.

No, you generally **do not need to change your app code** when using Hybrid Connections. For a **.NET Core app** connecting to a **SQL Server database** on an on-premises VM:

1. **Connection String:** Use the same connection string format you would normally use for accessing SQL Server. The Hybrid Connection will transparently handle the network routing.

2. **Network Configuration:** Ensure that the Hybrid Connection is properly configured to route traffic to the SQL Server's hostname and port.

This allows your app to connect to on-premises resources without needing code changes, making integration straightforward.

In [18]:
%%question
What is the difference between VNET Integration and Gateway-required VNET Integration?

**VNET Integration** and **Gateway-required VNET Integration** are both features to connect Azure App Service to a virtual network, but they differ in their capabilities and requirements:

| Feature                            | **VNET Integration**                                             | **Gateway-required VNET Integration**                          |
|------------------------------------|------------------------------------------------------------------|----------------------------------------------------------------|
| **Purpose**                        | Connects App Service to a virtual network for outbound traffic.  | Connects App Service to a virtual network using a VPN gateway. |
| **Network Access**                 | Allows access to resources in the same region's virtual network. | Allows access to resources across regions via VPN gateway.     |
| **Setup Complexity**               | Simple setup, no gateway needed.                                 | Requires a VPN gateway, more complex setup.                    |
| **Use Case**                       | Access resources in the same region.                             | Access cross-region resources or on-premises via VPN.          |
| **Performance**                    | Lower latency, as it's direct within the same region.            | May have higher latency due to gateway traversal.              |

**VNET Integration** is ideal for regional resource access, while **Gateway-required VNET Integration** is used when cross-region or on-premises connectivity is needed.

In [19]:
%%question
What would be the cost for each of these VNET integrations?

The cost for **VNET Integration** and **Gateway-required VNET Integration** can vary based on several factors:

### **VNET Integration:**
- **Cost:** Typically included in the App Service pricing tier, but there might be additional costs for the virtual network resources used, such as network security groups or additional IP addresses.

### **Gateway-required VNET Integration:**
- **Cost:** Involves additional costs due to the use of a VPN gateway. The cost is based on the gateway's SKU, amount of data transferred, and the number of connections.

For specific pricing details, it's best to refer to the official Azure pricing page or the Azure Pricing Calculator, as costs can vary based on region, usage, and service tier.

In [20]:
%%question
Why would I go for a ASE (App Service Environment) instead of VNET Integration?

Choosing an **App Service Environment (ASE)** over **VNET Integration** offers several benefits, particularly for scenarios requiring enhanced security and performance:

1. **Isolation:** ASE provides a fully isolated and dedicated environment for your applications, which can enhance security and compliance.

2. **Scale and Performance:** ASE can scale to higher numbers of instances and provides more predictable performance since resources are not shared with other customers.

3. **Network Integration:** ASE integrates directly with your virtual network, allowing both inbound and outbound traffic control, including full control over incoming IP addresses and the ability to use private IP addresses.

4. **Customization:** Greater control over network configurations, including the ability to use network security groups for granular access control.

5. **High Availability:** ASE can be configured across multiple availability zones for increased resilience.

These features make ASE a suitable choice for mission-critical applications requiring stringent security and performance requirements.

## Configure web app settings

In [21]:
%%learn
https://learn.microsoft.com/en-us/training/modules/configure-web-app-settings/

https://learn.microsoft.com/en-us/training/modules/configure-web-app-settings/1-introduction
https://learn.microsoft.com/en-us/training/modules/configure-web-app-settings/2-configure-application-settings
https://learn.microsoft.com/en-us/training/modules/configure-web-app-settings/3-configure-general-settings
https://learn.microsoft.com/en-us/training/modules/configure-web-app-settings/4-configure-path-mappings
https://learn.microsoft.com/en-us/training/modules/configure-web-app-settings/5-enable-diagnostic-logging
https://learn.microsoft.com/en-us/training/modules/configure-web-app-settings/6-configure-security-certificates


('',
 'https://learn.microsoft.com/en-us/training/modules/configure-web-app-settings/\n')

In [22]:
%%question
How are app settings used in an App Service?

**App settings** in an **App Service** are used as **environment variables** for the application code. They allow you to store configuration values, such as secrets or connection strings, securely and separately from the code base. These settings can override values in files like *Web.config* or *appsettings.json*, ensuring that production secrets are used in the cloud without altering the development environment. They are encrypted at rest and can be configured through the Azure portal.

In [24]:
%%question
Can these app settings be used in infrastructure as code for example Bicep or ARM templates? Share an example

Certainly! Here's a simple example of how to define **app settings** in an **ARM template**:

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Web/sites",
      "apiVersion": "2021-02-01",
      "name": "[parameters('appName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "siteConfig": {
          "appSettings": [
            {
              "name": "APP_SETTING_KEY",
              "value": "YourValue"
            },
            {
              "name": "ANOTHER_SETTING",
              "value": "AnotherValue"
            }
          ]
        }
      }
    }
  ],
  "parameters": {
    "appName": {
      "type": "string"
    }
  }
}
```

For **Bicep**, the syntax is more streamlined:

```bicep
resource webApp 'Microsoft.Web/sites@2021-02-01' = {
  name: appName
  location: resourceGroup().location
  properties: {
    siteConfig: {
      appSettings: [
        {
          name: 'APP_SETTING_KEY'
          value: 'YourValue'
        }
        {
          name: 'ANOTHER_SETTING'
          value: 'AnotherValue'
        }
      ]
    }
  }
}
```

In both examples, replace `"YourValue"` and `"AnotherValue"` with the actual values you want to set for your application settings. These templates can be deployed to configure your App Service with the desired settings.

In [25]:
%%question
What is the Always On setting? How does it work?

The **Always On** setting in Azure App Service ensures that your app remains loaded, even when there is no traffic, preventing it from being unloaded due to inactivity. When **Always On** is enabled, the front-end load balancer sends a **GET** request to the application root every five minutes to keep it active. This is particularly useful for apps that require quick response times or for those running **continuous WebJobs**, ensuring they remain responsive without the delay of warming up after being idle.

In [26]:
%%question
What is ARR affinity?

**ARR affinity** (Application Request Routing affinity) is a feature in Azure App Service that ensures a client's requests are consistently routed to the same **instance** of a web app during a session. This is achieved by setting a session cookie on the client's browser, which helps maintain session state across multiple requests. ARR affinity is useful for stateful applications where maintaining user session consistency is important. However, for stateless applications, it can be set to **Off** to optimize load distribution across instances.

In [27]:
%%question
What is the disadvantage of using ARR affinity?

The **disadvantage** of using **ARR affinity** is that it can lead to **uneven load distribution** across instances. Since each user's requests are routed to the same instance, some instances may become overloaded while others remain underutilized. This can impact the overall performance and scalability of your application. Additionally, it limits the app's ability to leverage the full benefits of a cloud environment, such as automatic load balancing.

In [28]:
%%question
Can my code write data to a disk in Azure App Service? How?

Yes, your code can write data to a **disk** in Azure App Service, specifically to the **App Service file system**. This capability allows temporary storage of files. However, it's important to note that this storage is **ephemeral** and not intended for permanent data storage, as files may be lost during app restarts or scaling operations.

To write data:

1. **Use the `/home` directory**: For Linux-based App Services, the writable directory is `/home`. For Windows-based App Services, you can use the `D:\home` directory.
   
2. **Code Example**:
   - In **C#**:
     ```csharp
     System.IO.File.WriteAllText(@"/home/myfile.txt", "Hello, Azure!");
     ```
   - In **Python**:
     ```python
     with open("/home/myfile.txt", "w") as file:
         file.write("Hello, Azure!")
     ```

For persistent storage, consider using Azure Storage options like **Azure Blob Storage** or **Azure SQL Database**.

In [29]:
%%question
Can I mount storage to my app? How?

Yes, you can mount external storage to your Azure App Service app using **Azure Storage**. You can mount **Azure Blobs** or **Azure Files** to your app, allowing it to access shared storage. Here's how you can do it:

1. **Navigate to Azure Portal**: Go to your App Service instance.

2. **Configuration**: Under the **Settings** section, select **Configuration**.

3. **Path Mappings**: Go to the **Path mappings** tab.

4. **Add Storage Mount**: Click on **New Azure Storage Mount**.

5. **Configure Storage**:
   - **Name**: Set the display name for the mount.
   - **Storage Account**: Choose or enter the storage account name.
   - **Storage Type**: Select either **Azure Files** or **Azure Blobs**.
   - **Container/Share Name**: Specify the container or file share.
   - **Access Key**: Provide the access key for the storage account.
   - **Mount Path**: Define the path where the storage will be mounted in your app.

6. **Save**: Apply the changes to mount the storage.

This setup allows your app to read from and write to the mounted storage as if it were part of the local file system.

In [30]:
%%question
What would my code look like to write data to a mounted storage?

To write data to a mounted storage in Azure App Service, you'll treat the mounted path like any other directory in your file system. Here's an example in **C#** and **Python**:

### C# Example

Assuming your mounted path is `/mnt/storage`:

```csharp
using System.IO;

string path = "/mnt/storage/myfile.txt";
string content = "Hello, Azure Mounted Storage!";
File.WriteAllText(path, content);
```

### Python Example

Assuming your mounted path is `/mnt/storage`:

```python
path = "/mnt/storage/myfile.txt"
content = "Hello, Azure Mounted Storage!"

with open(path, "w") as file:
    file.write(content)
```

In both examples, replace `/mnt/storage/myfile.txt` with the actual mount path you configured in the Azure Portal. This path should correspond to the **Mount Path** you specified during the storage mount setup.

In [31]:
%%question
What is an IIS handler mapping and why would I use it?

An **IIS handler mapping** is a configuration in Internet Information Services (IIS) that specifies how certain types of requests are processed by the web server. It maps specific file extensions or request paths to the appropriate **script processor** or **module** that handles the request. 

### Why Use IIS Handler Mappings?

- **Custom Processing**: Allows you to define custom processing for specific file types or URLs, enabling you to use different programming languages or frameworks for different parts of your application.
  
- **Extend Functionality**: You can integrate additional modules or script processors (like PHP, Python, or custom scripts) into your web application.

- **Flexibility**: Provides the ability to handle requests dynamically and route them to the appropriate handler based on the request type.

For example, if you have a custom script that should handle requests for `.xyz` files, you would set up a handler mapping to route those requests to the appropriate script processor.

In [32]:
%%question
Why would I configure certifcates in App Service?

You would configure **certificates** in Azure App Service to ensure **secure communication** and **data protection** for your web applications. Here are some reasons:

- **TLS/SSL Encryption**: Certificates enable **TLS/SSL encryption**, ensuring that data transmitted between your app and its users is secure and protected from interception.

- **Custom Domain Security**: To secure custom domains with HTTPS, you need to bind a certificate to your domain, enhancing trust and security for your users.

- **Mutual Authentication**: You can use client certificates to enable **mutual authentication**, adding an extra layer of security by verifying both the server and the client.

- **Compliance**: Many industries require secure communication channels as part of compliance with standards such as PCI-DSS, HIPAA, and GDPR.

- **Trust**: Certificates from trusted Certificate Authorities (CAs) help validate your app's authenticity, increasing user trust.

## Scale apps in Azure App Service

In [33]:
%%learn
https://learn.microsoft.com/en-us/training/modules/scale-apps-app-service/

https://learn.microsoft.com/en-us/training/modules/scale-apps-app-service/1-introduction
https://learn.microsoft.com/en-us/training/modules/scale-apps-app-service/2-autoscale-factors
https://learn.microsoft.com/en-us/training/modules/scale-apps-app-service/3-app-service-autoscale-conditions-rules
https://learn.microsoft.com/en-us/training/modules/scale-apps-app-service/4-autoscale-app-service
https://learn.microsoft.com/en-us/training/modules/scale-apps-app-service/5-autoscale-best-practices


('',
 'https://learn.microsoft.com/en-us/training/modules/scale-apps-app-service/\n')

In [34]:
%%question
Do I need to implement a load balancer?

**No**, Azure App Service automatically handles load balancing for you. When you scale out your app by adding more instances, Azure distributes incoming requests across all available instances to ensure efficient resource utilization and optimal performance.

In [35]:
%%question
What is the difference between scaling out and scaling up?

**Scaling out** refers to adding more instances to your application, increasing the number of machines handling requests. This is also known as horizontal scaling. 

**Scaling up** involves increasing the resources (like CPU, memory) of the existing instance, enhancing the capacity of a single machine. This is known as vertical scaling.

In [36]:
%%question
I need to scale out my app. What are the different ways to do this?

To **scale out** your app in Azure App Service, you can use the following methods:

1. **Azure Autoscale**: Define custom autoscale rules based on metrics such as CPU usage or HTTP request count. Configure conditions to automatically add or remove instances based on demand.

2. **Automatic Scaling**: Let Azure handle scaling decisions for you. It prewarms instances to ensure smooth performance and avoids cold starts.

3. **Manual Scaling**: Manually increase the number of instances directly through the Azure portal by setting a specific instance count.

4. **Scheduled Scaling**: Define schedules to automatically scale out at specific times or dates when you anticipate higher demand.

These methods allow flexibility in managing your app's scalability based on your specific requirements.

In [37]:
%%question
What metrics can I use to autoscale my app? Share an example for each of them.

Here are some metrics you can use to **autoscale** your app, along with examples:

1. **CPU Percentage**: 
   - **Example**: Scale out by one instance if the average CPU utilization exceeds 70% across all instances for more than 10 minutes.

2. **Memory Percentage**:
   - **Example**: Scale out by one instance if memory usage exceeds 80% for more than 5 minutes.

3. **Disk Queue Length**:
   - **Example**: Scale out if the disk queue length exceeds 20 for more than 10 minutes.

4. **HTTP Queue Length**:
   - **Example**: Scale out by one instance if the HTTP queue length is greater than 10 for more than 5 minutes.

5. **Data In**:
   - **Example**: Scale out by one instance if data received exceeds 500 MB over a period of 15 minutes.

6. **Data Out**:
   - **Example**: Scale out by one instance if data sent exceeds 1 GB over a period of 30 minutes.

These metrics help ensure your app has sufficient resources to handle varying loads effectively.

In [38]:
%%question
Why is important to also configure scale down rules?

Configuring **scale down** rules is important because it helps:

1. **Cost Efficiency**: Reduces unnecessary resource usage, saving costs by scaling back when demand decreases.
   
2. **Resource Optimization**: Frees up resources for other applications or services that might need them.

3. **System Stability**: Prevents over-provisioning, which could lead to increased maintenance and potential system inefficiencies.

4. **Environmental Impact**: Minimizes energy consumption and carbon footprint by using only the necessary resources.

Overall, scaling down ensures a balanced approach to resource management in both high and low demand situations.

In [39]:
%%question
Is autoscaling supported with every pricing tier?

**No**, autoscaling is not supported with every pricing tier. It is available in the **Standard (S1)** and higher tiers, such as **Premium (P1)** and **Isolated** tiers. Lower tiers like **Free (F1)** and **Basic (B1)** either limit you to a single instance or only support manual scaling.

In [40]:
%%question
Can I get notified when autoscaling is happening? How?

Yes, you can get notified when **autoscaling** occurs by setting up **Activity Log alerts** in Azure. The alerts can notify you via **email**, **SMS**, or **webhooks** whenever:

- Autoscale issues a scale operation.
- Autoscale successfully completes a scale action.
- Autoscale fails to take a scale action.
- Metrics aren't available for autoscale decisions.
- Metrics become available again for decision-making.

These notifications help you stay informed about the scaling activities of your app.

In [51]:
%%question
Can you share an example of a autoscale JSON configuration? Can this be used in infrastructure as code?

Certainly! Here's an example of an **autoscale JSON configuration** using an Azure Resource Manager (ARM) template. This configuration can indeed be used as part of your **Infrastructure as Code** strategy:

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Insights/autoscalesettings",
      "apiVersion": "2015-04-01",
      "name": "[parameters('autoscaleSettingName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "profiles": [
          {
            "name": "DefaultProfile",
            "capacity": {
              "minimum": "1",
              "maximum": "5",
              "default": "1"
            },
            "rules": [
              {
                "metricTrigger": {
                  "metricName": "Percentage CPU",
                  "metricNamespace": "",
                  "metricResourceUri": "[resourceId('Microsoft.Web/sites', parameters('appServiceName'))]",
                  "timeGrain": "PT1M",
                  "statistic": "Average",
                  "timeWindow": "PT5M",
                  "timeAggregation": "Average",
                  "operator": "GreaterThan",
                  "threshold": 75
                },
                "scaleAction": {
                  "direction": "Increase",
                  "type": "ChangeCount",
                  "value": "1",
                  "cooldown": "PT5M"
                }
              },
              {
                "metricTrigger": {
                  "metricName": "Percentage CPU",
                  "metricNamespace": "",
                  "metricResourceUri": "[resourceId('Microsoft.Web/sites', parameters('appServiceName'))]",
                  "timeGrain": "PT1M",
                  "statistic": "Average",
                  "timeWindow": "PT5M",
                  "timeAggregation": "Average",
                  "operator": "LessThan",
                  "threshold": 25
                },
                "scaleAction": {
                  "direction": "Decrease",
                  "type": "ChangeCount",
                  "value": "1",
                  "cooldown": "PT5M"
                }
              }
            ]
          }
        ],
        "enabled": true,
        "targetResourceUri": "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]"
      }
    }
  ],
  "parameters": {
    "autoscaleSettingName": {
      "type": "string"
    },
    "appServiceName": {
      "type": "string"
    },
    "appServicePlanName": {
      "type": "string"
    }
  }
}
```

### Explanation:
- **Profiles**: Define the scaling conditions, including minimum, maximum, and default instance counts.
- **Rules**: Specify conditions that trigger autoscaling actions based on metrics like CPU usage.
- **ScaleAction**: Define the action (increase or decrease) when the rule's condition is met.

You can use this configuration in your ARM templates to automate the setup of autoscaling policies for your Azure resources.

## Explore Azure App Service deployment slots

In [41]:
%%learn
https://learn.microsoft.com/en-us/training/modules/understand-app-service-deployment-slots/

https://learn.microsoft.com/en-us/training/modules/understand-app-service-deployment-slots/1-introduction
https://learn.microsoft.com/en-us/training/modules/understand-app-service-deployment-slots/2-app-service-staging-environments
https://learn.microsoft.com/en-us/training/modules/understand-app-service-deployment-slots/3-app-service-slot-swapping
https://learn.microsoft.com/en-us/training/modules/understand-app-service-deployment-slots/4-swap-deployment-slots
https://learn.microsoft.com/en-us/training/modules/understand-app-service-deployment-slots/5-route-traffic-app-service


('',
 'https://learn.microsoft.com/en-us/training/modules/understand-app-service-deployment-slots/\n')

In [42]:
%%question
I need to deploy my application into DEV/TEST/PRODUCTION environments. What possible ways do I have to do this?

To deploy your application into **DEV**, **TEST**, and **PRODUCTION** environments, you can use several methods:

1. **Deployment Slots**: Use Azure App Service **deployment slots** to manage different environments. Deploy your app to a **staging slot** (like DEV or TEST) and then swap it with the **production slot** when ready.

2. **Azure DevOps Pipelines**: Create **CI/CD pipelines** to automate the deployment process to different environments. Define separate stages for DEV, TEST, and PRODUCTION.

3. **Infrastructure as Code (IaC)**: Use tools like **Azure Resource Manager (ARM) templates**, **Terraform**, or **Bicep** to define and deploy infrastructure across different environments.

4. **Separate App Service Instances**: Set up distinct Azure App Service instances for each environment and deploy your application separately to each.

5. **Branch-based Deployment**: Use different branches in your version control system (e.g., Git) for each environment and configure deployments to target specific branches.

Choose the method that best fits your deployment strategy and team workflow.

In [43]:
%%question
OK, let's use deploment slots 😊. Is this available in every app service tier?

**Deployment slots** are available in the **Standard**, **Premium**, and **Isolated** App Service plan tiers. They are not available in the **Free** or **Basic** tiers. Each of the supported tiers offers a different number of deployment slots, allowing you to manage multiple environments like DEV, TEST, and PRODUCTION efficiently.

In [45]:
%%question
Do I need to pay extra for deployment slots?

No, there is no extra charge for using **deployment slots**. They are included in the pricing of the **Standard**, **Premium**, and **Isolated** App Service plan tiers that support them.

In [46]:
%%question
Since deployments slots are essentially apps, running on the same app service plan, can I scale them individually? In the end, they take away resources from my production app.

No, you cannot scale **deployment slots** individually. All slots under the same **App Service Plan** share the resources allocated to that plan. This means that any slot, whether it's staging, development, or production, utilizes the shared resources. Therefore, if non-production slots are heavily used, they may impact the performance of your production app. To mitigate this, ensure that the App Service Plan has sufficient capacity, or consider limiting the load on non-production slots.

In [44]:
%%question
What happens during a swap?

During a **swap** between deployment slots in Azure App Service, the following steps occur:

1. **Apply Settings**: The settings from the target slot (e.g., production) are applied to the source slot (e.g., staging). This includes **slot-specific app settings** and **connection strings**.

2. **Restart Instances**: Instances in the source slot are restarted to apply these settings. 

3. **Warm-up**: If configured, the source slot is warmed up by making HTTP requests to ensure it's ready for production traffic.

4. **Switch Routing**: The routing rules for the two slots are switched, meaning the source slot now serves traffic as the target slot.

5. **Finalize Swap**: The previous content and configuration of the target slot are now in the source slot.

Throughout this process, the target slot remains **online**, ensuring no downtime during the swap.

In [47]:
%%question
What is a deployment slot setting?

A **deployment slot setting** is a configuration in Azure App Service that determines whether certain app settings or connection strings should remain specific to a particular deployment slot. When marked as a deployment slot setting, these configurations do not change or swap when you swap slots, allowing you to maintain environment-specific settings such as database connection strings or API keys for each slot. This ensures that each slot can have its unique configuration while sharing the same application code.

In [48]:
%%question
When swapping, what settings/configuration will not be swapped?

When swapping deployment slots, the following **settings/configurations** are **not swapped**:

- **Publishing endpoints**
- **Custom domain names**
- **Non-public certificates and TLS/SSL settings**
- **Scale settings**
- **WebJobs schedulers**
- **IP restrictions**
- **Always On**
- **Diagnostic log settings**
- **Cross-origin resource sharing (CORS)**
- **Virtual network integration**
- **Managed identities**

These settings remain specific to their respective slots and do not change during a swap.

In [49]:
%%question
How can I route traffic to a specific slot?

To **route traffic** to a specific deployment slot in Azure App Service, you can use:

1. **Traffic Routing by Percentage**:
   - Go to your app's resource page.
   - Select **Deployment slots**.
   - In the **Traffic %** column of the desired slot, specify the percentage of traffic you want to route to that slot.
   - Click **Save** to apply the changes.

2. **Manual Traffic Routing**:
   - Use query parameters in your app's URL to route traffic manually.
   - For example, appending `?slot=<slot_name>` to your URL can direct users to a specific slot.

By default, traffic is pinned to a slot for the duration of a session, ensuring consistent user experience.

In [50]:
%%question
What is the x-ms-routing-name parameter used for?

The **x-ms-routing-name** parameter is used in Azure App Service to route requests to a specific **deployment slot**. It acts as a query parameter that helps manually direct traffic to a particular slot. When you append `?x-ms-routing-name=<slot_name>` to your app's URL, it ensures that the request is routed to the specified slot. This is useful for testing or allowing users to opt into a beta version of your app without affecting the main production traffic.