1.2: Create Azure App Service web apps - Configure web app settings

Question 1

Describe how app settings are passed to application code

Answer 1

App settings are variables passed as environment variables to the app code.

For Linux and custom containers they’re passed using the –env flag

Question 2

Describe how to navigate to app settings within the Azure portal

Answer 2

Application settings can be accessed by navigating to your app’s management page and selecting Configuration > Application Settings.

Question 3

Describe app setting prescedence

Answer 3

Values in App Service override the ones in web.config or appsettings.json

Question 4

Describe app setting storage storage security feature

Answer 4

App settings are always encrypted when stored (encrypted-at-rest).

Question 5

Describe how to add a new App Setting

Answer 5

To add a new app setting, click New application setting. If you are using deployment slots you can specify if your setting is swappable or not. In the dialog, you can stick the setting to the current slot.

Question 6

Describe the special requirement for nested App Setting key names

Answer 6

In default or custom Linux container nested key names need to replace : with __

Question 7

Describe how to edit App Settings in bulk

Answer 7

You can edit settings in bulk using the ‘Advanced’ option.
It opens up an editor showing all settings in a JSON format.

Question 8

Descirbe how to configure connection string

Answer 8

For ASP.NET and ASP.NET Core developers, the values you set in App Service override the ones in Web.config. For other language stacks, it’s better to use app settings instead, because connection strings require special formatting in the variable keys in order to access the values.

Question 9

Describe General settings > Stack settings

Answer 9

Stack settings: The software stack to run the app, including the language and SDK versions.
For Linux apps and custom container apps, you can also set an optional start-up command or file.

Question 10

Describe General settings > Platform settings

Answer 10

Platform settings: Lets you configure settings for the hosting platform, including:

• Bitness: 32-bit or 64-bit.
• WebSocket protocol: For ASP.NET SignalR or socket.io, for example.
• Always On: Keep the app loaded even when there’s no traffic. By default, Always On isn’t enabled and the app is unloaded after 20 minutes without any incoming requests. It’s required for continuous WebJobs or for WebJobs that are triggered using a CRON expression.
• Managed pipeline version: The IIS pipeline mode. Set it to Classic if you have a legacy app that requires an older version of IIS.
• HTTP version: Set to 2.0 to enable support for HTTPS/2 protocol.
• ARR affinity: In a multi-instance deployment, ensure that the client is routed to the same instance for the life of the session. You can set this option to Off for stateless applications.

Question 11

Describe General settings > Debugging

Answer 11

Debugging: Enable remote debugging for ASP.NET, ASP.NET Core, or Node.js apps. This option turns off automatically after 48 hours.

Question 12

Describe General settings > Incoming client certificates

Answer 12

Incoming client certificates: require client certificates in mutual authentication. TLS mutual authentication is used to restrict access to your app by enabling different types of authentication for it.

Question 13

Describe the differences between Configuration > Path mappings for Windows and Linux OS

Answer 13

Windows: you can customize the IIS handler mappings and virtual applications and directories.
Linux and containerised apps: You can add custom storage.

Question 14

Describe how to customise Windows handler mappings

Answer 14

Handler mappings let you add custom script processors to handle requests for specific file extensions. To add a custom handler, select New handler. Configure the handler as follows:

Extension: The file extension you want to handle, such as .php or handler.fcgi.
Script processor: The absolute path of the script processor. Requests to files that match the file extension are processed by the script processor. Use the path D:\home\site\wwwroot to refer to your app’s root directory.
Arguments: Optional command-line arguments for the script processor.

Question 15

Describe how to configure Windows virtual applications and directories

Answer 15

You can configure virtual applications and directories by specifying each virtual directory and its corresponding physical path relative to the website root (D:\home). To mark a virtual directory as a web application, clear the Directory check box.

Question 16

Describe how to configre custom storage for Linux and containerised apps

Answer 16

• Name: The display name.
• Configuration options: Basic or Advanced.
• Storage accounts: The storage account with the container you want.
• Storage type: Azure Blobs or Azure Files. Windows container apps only support Azure Files.
• Storage container: For basic configuration, the container you want.
• Share name: For advanced configuration, the file share name.
• Access key: For advanced configuration, the access key.
• Mount path: The absolute path in your container to mount the custom storage.

Question 17

Describe Application logging

Answer 17

Platform: Windows/Linux
Location: App Service file system and/or Azure Storage blobs
Description: Logs messages generated by your application code

Question 18

Describe Application logging categories

Answer 18

• Critical
• Error
• Warning
• Info
• Debug
• Trace

Question 19

Describe Web Server logging

Answer 19

Platform: Windows
Location: App Service file system or Azure Storage blobs
Description: Raw HTTP request data in the W3C extended log file format

Question 20

Describe Detailed Error logging

Answer 20

Platform: Windows
Location: App Service file system
Description: Copies of the .html error pages that would have been sent to the client browser

Question 21

Describe Failed Request logging

Answer 21

Platform: Windows
Location: App Service file system
Description: Detailed tracing information on failed requests, including a trace of the IIS components used to process the request and the time taken in each component. One folder is generated for each failed request, which contains the XML log file, and the XSL stylesheet to view the log file with.

Question 22

Decribe Deployment logging

Answer 22

Platform: Windows/Linux
Location: App Service file system
Description: Helps determine why a deployment failed. Deployment logging happens automatically and there are no configurable settings for deployment logging.

Question 23

Describe how to enable application logging for Windows

Answer 23

1. Navigate to the app and select ‘App service logs’
2. Select ‘On’ and choose type:
   A - File system logging turns off automatically after 12 hours - useful for temporary debugging
   B - Blob storage logging provide long term logging solutions
3. Select level (like Log4Net levels)
   * Disabled (all off)
   * Verbose: Trace, Debug,
   * Info: Werbose + Info,
   * Warning: Info + Warning,
   * Error: Warning + Error, Critical

Question 24

Describe how to enable application logging for Linux

Answer 24

1. Navigate to the app and select ‘App service log’
2. Select ‘File system’
3. Set quota and retention

Question 25

Describe how to enable Web Server logging

Answer 25

1. For Web server logging, select Storage to store logs on blob storage, or File System to store logs on the App Service file system.
2. In Retention Period (Days), set the number of days the logs should be retained.
3. When finished, select Save.

Question 26

Describe how to add log messages in code

Answer 26

ASP.NET - System.Diagnostics.Trace

ASP.NET Core - Microsoft.Extensions.Logging.AzureAppServices

Question 27

Describe how to stream logs

Answer 27

Before you stream logs in real time, enable the log type that you want.

Any information written to files ending in .txt, .log, or .htm that are stored in the /LogFiles directory (d:/home/logfiles) is streamed by App Service.

Question 28

Describe where you can stream logs to

Answer 28

Azure portal - To stream logs in the Azure portal, navigate to your app and select Log stream.

Azure CLI - To stream logs live in Cloud Shell, use the following command:
` az webapp log tail –name appname –resource-group myResourceGroup`

Local console - To stream logs in the local console, install Azure CLI and sign in to your account. Once signed in, follow the instructions for Azure CLI above.

Question 29

Describe the options you have for adding certificates in App Service

Answer 29

Create a free App Service managed certificate - A private certificate that’s free of charge and easy to use if you just need to secure your custom domain in App Service.
Purchase an App Service certificate - A private certificate that’s managed by Azure. It combines the simplicity of automated certificate management and the flexibility of renewal and export options.
Import a certificate from Key Vault - Useful if you use Azure Key Vault to manage your certificates.
Upload a private certificate - If you already have a private certificate from a third-party provider, you can upload it.
Upload a public certificate - Public certificates aren’t used to secure custom domains, but you can load them into your code if you need them to access remote resources.

Question 30

Describe the requirements for using a private certificate

Answer 30

• Be exported as a password-protected PFX file, encrypted using triple DES.
• Contain a private key at least 2048 bits long
• Contain all intermediate certificates in the certificate chain

Question 31

Describe the additional requirements when using a private certificate to secure a custom domain in a TLS binding

Answer 31

• Contain an Extended Key Usage for server authentication (OID = 1.3.6.1.5.5.7.3.1)
• Be signed by a trusted certificate authority

Question 32

Describe the requirements for enableding custom TLS/SSL bindings or client certificates for you App Service

Answer 32

To create custom TLS/SSL bindings or enable client certificates for your App Service app, your App Service plan must be in the Basic, Standard, Premium, or Isolated tier.

Question 33

Describe the free App Service managed certificate

Answer 33

The free App Service managed certificate is a turn-key solution for securing your custom DNS name in App Service. It’s a TLS/SSL server certificate that’s fully managed by App Service and renewed continuously and automatically in six-month increments, 45 days before expiration. You create the certificate and bind it to a custom domain, and let App Service do the rest.

The free certificate comes with the following limitations:

• Doesn’t support wildcard certificates.
• Doesn’t support usage as a client certificate by certificate thumbprint.
• Isn’t exportable.
• Isn’t supported on App Service Environment (ASE).
• Isn’t supported with root domains that are integrated with Traffic Manager.
• If a certificate is for a CNAME-mapped domain, the CNAME must be mapped directly to: <app-name>.azurewebsites.net.

Question 34

Describe how you can import an App Service certificate

Answer 34

If you purchase an App Service Certificate from Azure, Azure manages the following tasks:
* Takes care of the purchase process from certificate provider.
* Performs domain verification of the certificate.
* Maintains the certificate in Azure Key Vault.
* Manages certificate renewal.
* Synchronize the certificate automatically with the imported copies in App Service apps.

If you already have a working App Service certificate, you can:
* Import the certificate into App Service.
* Manage the certificate, such as renew, rekey, and export it.

Question 35

Describe how you can upload a private certificate

Answer 35

If your certificate authority gives you multiple certificates in the certificate chain, you need to merge the certificates in order. Then you can Export your merged TLS/SSL certificate with the private key that your certificate request was generated with.

If you generated your certificate request using OpenSSL, then you’ve created a private key file. To export your certificate to PFX, run the following command. Replace the placeholders <private-key-file> and <merged-certificate-file> with the paths to your private key and your merged certificate file.

In Bash:
~~~
openssl pkcs12 -export -out myserver.pfx -inkey <private-key-file> -in <merged-certificate-file>
~~~</merged-certificate-file></private-key-file>

Question 36

Describe how you can enforce HTTPS

Answer 36

You can redirect all HTTP requests to the HTTPS port by navigating to your app page and, in the left navigation, select TLS/SSL settings. Then, in HTTPS Only, select On.

Question 37

Describe feature management

Answer 37

1. Decouples feature release from code deployment
2. Enables quick changes to feature availability on demand.
3. It uses a technique called feature flags (also known as feature toggles, feature switches, and so on) to dynamically administer a feature’s lifecycle.

Question 38

Describe what a feature flag is

Answer 38

Feature flag: a variable with a binary state of on or off. The feature flag also has an associated code block. The state of the feature flag triggers whether the code block runs or not.

Question 39

Describe what a feature manager is

Answer 39

Feature manager: A feature manager is an application package that handles the lifecycle of all the feature flags in an application. The feature manager typically provides additional functionality, such as caching feature flags and updating their states.

Question 40

Desccribe what a feature filter is

Answer 40

Filter: a rule for evaluating the state of a feature flag. A user group, a device or browser type, a geographic location, and a time window are all examples of what a filter can represent.

Question 41

Describe the two aspects required for feature flag implementation

Answer 41

1. An application that uses feature flags
2. A repository that stores the flags and their states

Question 42

Describe the parts of a feature flag

Answer 42

A feature flag has 2 parts:

1. A name
2. One or more filters - used to evaluate if the feature is on

Where multie filters exists the filter list is traversed in order until one of the filters determines the feature should be enabled. (Think of it as ‘OR’ logic)