Explore Azure App Service Flashcards
What is Azure App Service (AAS)?
Used for hosting web apps or mobile backends
What does AAS contain support for?
- auto scaling with vertical and horizontal scaling
- CI with DevOps, GitHub and Bitbucket
- deployment slots
- Linux (with some limitations)
What is an App Service plan (ASP)?
- Defines a set of compute resources for a web app to run
- 1 or more apps can be configured to run on the same plan
What does an app service plan define?
OS
Region
Number of VMs
Size of VMs
Pricing tier
Describe the Shared compute pricing tiers
- Free and Standard Tiers
- Run an app on the same VM as other AAS apps, including apps of other customers
- Can't scale out
Describe the dedicated compute pricing tiers
- Basic, Standard, Premium, Premium V2, Premium V3
- Run on dedicated Azure VMs
- Only apps in the same service plan share the same resources
- higher tiers have more VM instances available to you for scale out
Describe the isolated compute pricing tier
- Isolated and IsolatedV2
- Provides max scale out capabilities
How can I improve app performance with app service plans?
Isolate the compute resource by moving the app into a separate app service plan so it isn’t sharing resources with other apps in the original plan
What are the two methods of deploying app services?
- Automated Deployment; CI is a repetitive process to push out new features and bug fixes in a fast and repetitive pattern with minimal effect on end users. Can use DevOps, GitHub and Bitbucket
- Manual Deployment; can use Git, CLI, Zip Deploy or FTP/S
What are deployment slots (briefly in relation to App Service Plan)?
- Recommended way to deploy app services
- apps are deployed to a slot and can then be swapped over
- the swap operation warms up the necessary worker instances to match production scale, eliminating downtime
Briefly describe App Service's built-in auth
- Allows you to integrate various auth capabilities into your web app or API without implementing them yourself
- Built directly into the platform
- Can integrate with multiple login providers (Microsoft Entra ID, Facebook, Google, Twitter)
What is the authentication and authorisation module?
- Runs in same sandbox as your app code
- when it's enabled, every incoming HTTP request passes through it before being handled by app code
- runs separately from the app code and can be configured with ARM or config file, no SDK or programming changes to app code are required
What does the authentication and authorisation module do?
- Authenticates users and clients with the specified identity providers (Facebook, Google, Twitter etc)
- validates, stores and refreshes OAuth tokens issued by the configured identity providers
- manages authenticated session
- injects ID information into HTTP request headers
- signs user in -> post authentication -> establish authenticated session -> serve authenticated code
How does authentication flow work with the provider's SDK?
- app delegates sign-in to App Service
- typically used in browser apps which can present the provider's login page to the user
- server code manages the sign-in process
How does authentication flow work without the provider's SDK?
- app signs users in to the provider manually and then submits the auth token to App Service for validation
- browserless apps use this as they can't present the provider's sign-in page to the user
- app code manages the sign-in process
- Applies to REST APIs, Azure Functions and native mobile apps
How can I configure app service to behave when an incoming request isn’t authenticated?
- allow unauthenticated requests; defers authorisation of traffic to your app code
- require authentication; rejects all traffic. Could be a redirect to one of the identity providers
What is the token store?
- built in token store which is a repo of tokens associated with the users of your web apps, APIs or mobile apps
What is the default app hosting behaviour?
Apps hosted in App Service are accessible through the internet and can reach only internet-hosted endpoints
What are the two main deployment types for azure app service?
- Multi-tenant app service networking; hosts app plans in all tiers bar the isolated ones
- Single-tenant App Service Environment (ASE); hosts app service plans directly in your virtual network
Describe multi-tenant app service networking
- Because many customers share the same app service scale unit, you can't connect the app service network directly to your network
- Instead of connecting the networks you need features to handle the various aspects of application communication
- These features vary between calls from and to the app
What are front-ends and workers?
- Used in multi-tenant app service networking
- roles that handle incoming HTTP/S requests are called front-ends
- roles that host the customer workload are called workers
What are inbound features?
- One of the two multi-tenant app service networking solutions
- app assigned addresses, access restrictions, service endpoints, private endpoints
What are outbound features?
- One of the two multi-tenant app service networking solutions
- hybrid connection, gateway related vnet integration, vnet integration
How do app service scale units support multiple customers?
- Free and shared plans host customer workloads on multi-tenant workers
- basic and higher plans host customer workloads that are dedicated to only one app service plan
- in standard, all apps in that plan run on the same worker; if you scale out the worker, all apps in that plan are replicated on a new worker for each instance in your plan
How are worker VMs broken down by plans?
- premium v2 and V3 use separate VMs to the other tiers
- when you change the VM family you get a different set of outbound addresses
- there are many addresses that are used for outbound calls
- these addresses are shared by all apps running on the same worker VM family in the AAS deployment