Explore Azure App Service.docx
Document Details
Uploaded by SpellbindingQuatrain
UCM
Full Transcript
[[Explore Azure App Service ]](https://learn.microsoft.com/en-us/training/modules/introduction-to-azure-app-service/) Contenido {#contenido.TtuloTDC} ========= [[Introduction] 2](#_Toc172042719) [[Learning objectives] 2](#learning-objectives) [[Examine Azure App Service] 2](#examine-azure-app-se...
[[Explore Azure App Service ]](https://learn.microsoft.com/en-us/training/modules/introduction-to-azure-app-service/) Contenido {#contenido.TtuloTDC} ========= [[Introduction] 2](#_Toc172042719) [[Learning objectives] 2](#learning-objectives) [[Examine Azure App Service] 2](#examine-azure-app-service) [[Built-in auto scale support] 2](#built-in-auto-scale-support) [[Container support] 2](#container-support) [[Continuous integration/deployment support] 3](#continuous-integrationdeployment-support) [[Deployment slots] 3](#deployment-slots) [[App Service on Linux] 3](#app-service-on-linux) [[Limitations] 3](#limitations) [[Examine Azure App Service plans] 4](#examine-azure-app-service-plans) [[How does my app run and scale?] 4](#how-does-my-app-run-and-scale) [[What if my app needs more capabilities or features?] 5](#what-if-my-app-needs-more-capabilities-or-features) [[Deploy to App Service] 5](#deploy-to-app-service) [[Automated deployment] 5](#automated-deployment) [[Manual deployment] 6](#manual-deployment) [[Use deployment slots] 6](#section-2) [[Continuously deploy code] 6](#continuously-deploy-code) [[Continuously deploy containers] 6](#continuously-deploy-containers) [[Explore authentication and authorization in App Service] 7](#explore-authentication-and-authorization-in-app-service) [[Why use the built-in authentication?] 7](#why-use-the-built-in-authentication) [[Identity providers] 7](#identity-providers) [[How it works] 8](#how-it-works) [[Authentication flow] 8](#authentication-flow) [[Authorization behavior] 9](#authorization-behavior) [[Token store] 9](#token-store) [[Logging and tracing] 10](#logging-and-tracing) [[Discover App Service networking features] 10](#discover-app-service-networking-features) [[Multi-tenant App Service networking features] 10](#multi-tenant-app-service-networking-features) [[Default networking behavior] 11](#default-networking-behavior) [[Outbound addresses] 11](#outbound-addresses) [[Find outbound IPs] 11](#find-outbound-ips) [[Exercise: Create a static HTML web app by using Azure Cloud Shell] 12](#exercise-create-a-static-html-web-app-by-using-azure-cloud-shell) [[Download the sample app] 13](#download-the-sample-app) [[Create the web app] 13](#create-the-web-app) [[Update and redeploy the app] 14](#update-and-redeploy-the-app) []{#_Toc172042719.anchor} Introduction ============ Your company is considering moving their web apps to the cloud and has asked you to evaluate Azure App Service. Learning objectives ------------------- After completing this module, you\'ll be able to: - - - - Examine Azure App Service ========================= Azure App Service is an HTTP-based service for hosting web applications, REST APIs, and mobile back ends. You can develop in your favorite programming language or framework. Applications run and scale with ease on both Windows and Linux-based environments. Built-in auto scale support --------------------------- The ability to scale up/down or scale out/in is baked into the Azure App Service. Depending on the usage of the web app, you can scale the resources of the underlying machine that is hosting your web app up/down. Resources include the number of cores or the amount of RAM available. Scaling out/in is the ability to increase, or decrease, the number of machine instances that are running your web app. Container support ----------------- With Azure App Service, you can deploy and run containerized web apps on Windows and Linux. You can pull container images from a private Azure Container Registry or Docker Hub. Azure App Service also supports multi-container apps, Windows containers, and Docker Compose for orchestrating container instances. Continuous integration/deployment support ----------------------------------------- The Azure portal provides out-of-the-box continuous integration and deployment with Azure DevOps Services, GitHub, Bitbucket, FTP, or a local Git repository on your development machine. Connect your web app with any of the above sources and App Service will do the rest for you by auto-syncing code and any future changes on the code into the web app. Continuous integration and deployment for containerized web apps is also supported using either Azure Container Registry or Docker Hub. Deployment slots ---------------- When you deploy your web app you can use a separate deployment slot instead of the default production slot when you\'re running in the Standard App Service Plan tier or better. Deployment slots are live apps with their own host names. App content and configurations elements can be swapped between two deployment slots, including the production slot. App Service on Linux -------------------- App Service can also host web apps natively on Linux for supported application stacks. It can also run custom Linux containers (also known as Web App for Containers). App Service on Linux supports many language specific built-in images. Just deploy your code. Supported languages and frameworks include: Node.js, Java (JRE 8 & JRE 11), PHP, Python,.NET, and Ruby. If the runtime your application requires isn\'t supported in the built-in images, you can deploy it with a custom container. The languages, and their supported versions, are updated regularly. You can retrieve the current list by using the following command in the Cloud Shell. BashCopy az webapp list-runtimes \--os-type linux Limitations ----------- App Service on Linux does have some limitations: - - - Examine Azure App Service plans =============================== In App Service, an app always runs in an *App Service plan*. An App Service plan defines a set of compute resources for a web app to run. One or more apps can be configured to run on the same computing resources (or in the same App Service plan). When you create an App Service plan in a certain region (for example, West Europe), a set of compute resources is created for that plan in that region. Whatever apps you put into this App Service plan run on these compute resources as defined by your App Service plan. Each App Service plan defines: - - - - - The *pricing tier* of an App Service plan determines what App Service features you get and how much you pay for the plan. There are a few categories of pricing tiers: - - - ** Note** App Service Free and Shared (preview) hosting plans are base tiers that run on the same Azure virtual machines as other App Service apps. Some apps might belong to other customers. These tiers are intended to be used only for development and testing purposes. How does my app run and scale? ------------------------------ In the **Free** and **Shared** tiers, an app receives CPU minutes on a shared VM instance and can\'t scale out. In other tiers, an app runs and scales as follows: - - - - In this way, the App Service plan is the **scale unit** of the App Service apps. If the plan is configured to run five VM instances, then all apps in the plan run on all five instances. If the plan is configured for autoscaling, then all apps in the plan are scaled out together based on the autoscale settings. What if my app needs more capabilities or features? --------------------------------------------------- Your App Service plan can be scaled up and down at any time. It\'s as simple as changing the pricing tier of the plan. If your app is in the same App Service plan with other apps, you may want to improve the app\'s performance by isolating the compute resources. You can do it by moving the app into a separate App Service plan. You can potentially save money by putting multiple apps into one App Service plan. However, since apps in the same App Service plan all share the same compute resources you need to understand the capacity of the existing App Service plan and the expected load for the new app. Isolate your app into a new App Service plan when: - - - This way you can allocate a new set of resources for your app and gain greater control of your apps Deploy to App Service ===================== Every development team has unique requirements that can make implementing an efficient deployment pipeline difficult on any cloud service. App Service supports both automated and manual deployment. Automated deployment -------------------- Automated deployment, or continuous deployment, is a process used to push out new features and bug fixes in a fast and repetitive pattern with minimal effect on end users. Azure supports automated deployment directly from several sources. The following options are available: - - - Manual deployment ----------------- There are a few options that you can use to manually push your code to Azure: - - - - Use deployment slots -------------------- Whenever possible, use deployment slots when deploying a new production build. When using a Standard App Service Plan tier or better, you can deploy your app to a staging environment and then swap your staging and production slots. The swap operation warms up the necessary worker instances to match your production scale, thus eliminating downtime. ### Continuously deploy code If your project has designated branches for testing, QA, and staging, then each of those branches should be continuously deployed to a staging slot. This allows your stakeholders to easily assess and test the deployed branch. ### Continuously deploy containers For custom containers from Azure Container Registry or other container registries, deploy the image into a staging slot and swap into production to prevent downtime. The automation is more complex than code deployment because you must push the image to a container registry and update the image tag on the webapp. - - - Explore authentication and authorization in App Service ======================================================= Azure App Service provides built-in authentication and authorization support, so you can sign in users and access data by writing minimal, or no code in your web app, RESTful API, mobile back end, and Azure Functions. Why use the built-in authentication? ------------------------------------ You\'re not required to use App Service for authentication and authorization. Many web frameworks are bundled with security features, and you can use them if you like. If you need more flexibility than App Service provides, you can also write your own utilities. The built-in authentication feature for App Service and Azure Functions can save you time and effort by providing out-of-the-box authentication with federated identity providers, allowing you to focus on the rest of your application. - - - Identity providers ------------------ App Service uses federated identity, in which a third-party identity provider manages the user identities and authentication flow for you. The following identity providers are available by default: Expand table **Provider** **Sign-in endpoint** **How-To guidance** ----------------------------- ------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------- Microsoft identity platform /.auth/login/aad [[App Service Microsoft identity platform login]](https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad) Facebook /.auth/login/facebook [[App Service Facebook login]](https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-facebook) Google /.auth/login/google [[App Service Google login]](https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-google) Twitter /.auth/login/twitter [[App Service Twitter login]](https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-twitter) Any OpenID Connect provider /.auth/login/\ [[App Service OpenID Connect login]](https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-openid-connect) GitHub /.auth/login/github [[App Service GitHub login]](https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-github) When you enable authentication and authorization with one of these providers, its sign-in endpoint is available for user authentication and for validation of authentication tokens from the provider. You can provide your users with any number of these sign-in options. How it works ------------ The authentication and authorization module runs in the same sandbox as your application code. When it\'s enabled, every incoming HTTP request passes through it before being handled by your application code. This module handles several things for your app: - - - - The module runs separately from your application code and can be configured using Azure Resource Manager settings or using a configuration file. No SDKs, specific programming languages, or changes to your application code are required. ** Note** In Linux and containers the authentication and authorization module runs in a separate container, isolated from your application code. Because it does not run in-process, no direct integration with specific language frameworks is possible. Authentication flow ------------------- The authentication flow is the same for all providers, but differs depending on whether you want to sign in with the provider\'s SDK. - - The following table shows the steps of the authentication flow. Expand table +-----------------------+-----------------------+-----------------------+ | **Step** | **Without provider | **With provider SDK** | | | SDK** | | +=======================+=======================+=======================+ | Sign user in | Redirects client | Client code signs | | | to /.auth/login/\. | provider\'s SDK and | | | | | | | | receives an | | | | authentication token. | | | | For information, see | | | | the provider\'s | | | | documentation. | +-----------------------+-----------------------+-----------------------+ | Post-authentication | Provider redirects | Client code posts | | | client | token from provider | | | to /.auth/login/\ for | | | | validation. | +-----------------------+-----------------------+-----------------------+ | Establish | App Service adds | App Service returns | | authenticated session | authenticated cookie | its own | | | to response. | authentication token | | | | to client | | | | | | | | code. | +-----------------------+-----------------------+-----------------------+ | Serve authenticated | Client includes | Client code presents | | content | authentication cookie | authentication token | | | in subsequent | in X-ZUMO-AUTH | | | requests | | | | (automatically | header | | | handled by browser). | (automatically | | | | handled by Mobile | | | | Apps client | | | | | | | | SDKs). | +-----------------------+-----------------------+-----------------------+ For client browsers, App Service can automatically direct all unauthenticated users to /.auth/login/\. You can also present users with one or more /.auth/login/\ links to sign in to your app using their provider of choice. ### Authorization behavior In the Azure portal, you can configure App Service with many behaviors when an incoming request isn\'t authenticated. - - ### Token store App Service provides a built-in token store, which is a repository of tokens that are associated with the users of your web apps, APIs, or native mobile apps. When you enable authentication with any provider, this token store is immediately available to your app. ### Logging and tracing If you enable application logging, authentication and authorization traces are collected directly in your log files. If you see an authentication error that you didn\'t expect, you can conveniently find all the details by looking in your existing application logs. Discover App Service networking features ======================================== By default, apps hosted in App Service are accessible directly through the internet and can reach only internet-hosted endpoints. But for many applications, you need to control the inbound and outbound network traffic. There are two main deployment types for Azure App Service. The multitenant public service hosts App Service plans in the Free, Shared, Basic, Standard, Premium, PremiumV2, and PremiumV3 pricing SKUs. There\'s also the single-tenant App Service Environment (ASE) hosts Isolated SKU App Service plans directly in your Azure virtual network. Multi-tenant App Service networking features -------------------------------------------- Azure App Service is a distributed system. The roles that handle incoming HTTP or HTTPS requests are called *front ends*. The roles that host the customer workload are called *workers*. All the roles in an App Service deployment exist in a multi-tenant network. Because there are many different customers in the same App Service scale unit, you can\'t connect the App Service network directly to your network. Instead of connecting the networks, you need features to handle the various aspects of application communication. The features that handle requests to your app can\'t be used to solve problems when you\'re making calls from your app. Likewise, the features that solve problems for calls from your app can\'t be used to solve problems to your app. Expand table **Inbound features** **Outbound features** ---------------------- ---------------------------------------------- App-assigned address Hybrid Connections Access restrictions Gateway-required virtual network integration Service endpoints Virtual network integration Private endpoints You can mix the features to solve your problems with a few exceptions. The following inbound use cases are examples of how to use App Service networking features to control traffic inbound to your app. Expand table **Inbound use case** **Feature** ------------------------------------------------------------------ ---------------------- Support IP-based SSL needs for your app App-assigned address Support unshared dedicated inbound address for your app App-assigned address Restrict access to your app from a set of well-defined addresses Access restrictions Default networking behavior --------------------------- Azure App Service scale units support many customers in each deployment. The Free and Shared SKU plans host customer workloads on multitenant workers. The Basic and higher plans host customer workloads that are dedicated to only one App Service plan. If you have a Standard App Service plan, all the apps in that plan run on the same worker. If you scale out the worker, all the apps in that App Service plan are replicated on a new worker for each instance in your App Service plan. ### Outbound addresses The worker VMs are broken down in large part by the App Service plans. The Free, Shared, Basic, Standard, and Premium plans all use the same worker VM type. The PremiumV2 plan uses another VM type. PremiumV3 uses yet another VM type. When you change the VM family, you get a different set of outbound addresses. There are many addresses that are used for outbound calls. The outbound addresses used by your app for making outbound calls are listed in the properties for your app. These addresses are shared by all the apps running on the same worker VM family in the App Service deployment. If you want to see all the addresses that your app might use in a scale unit, there\'s a property called possibleOutboundIpAddresses that lists them. ### Find outbound IPs To find the outbound IP addresses currently used by your app in the Azure portal, select **Properties** in your app\'s left-hand navigation. You can find the same information by running the following Azure CLI command in the Cloud Shell. They\'re listed in the **Additional Outbound IP Addresses** field. BashCopy az webapp show \\ \--resource-group \ \\ \--name \ \\ \--query outboundIpAddresses \\ \--output tsv To find all possible outbound IP addresses for your app, regardless of pricing tiers, run the following command in the Cloud Shell. BashCopy az webapp show \\ \--resource-group \ \\ \--name \ \\ \--query possibleOutboundIpAddresses \\ \--output tsv Exercise: Create a static HTML web app by using Azure Cloud Shell ================================================================= This module requires a sandbox to complete. A [**[sandbox]**](https://learn.microsoft.com/en-us/training/support/faq?pivots=sandbox) gives you access to free resources. Your personal subscription will not be charged. The sandbox may only be used to complete training on Microsoft Learn. Use for any other reason is prohibited, and may result in permanent loss of access to the sandbox. Microsoft provides this lab experience and related content for educational purposes. All presented information is owned by Microsoft and intended solely for learning about the covered products and services in this Microsoft Learn module. [**[Sign in to activate sandbox]**](https://learn.microsoft.com/en-us/training/modules/introduction-to-azure-app-service/7-create-html-web-app?activate-azure-sandbox=true) The free sandbox allows you to create resources in a subset of the Azure global regions. Select a region from the following list when you create resources: - - - - - - - - - - In this exercise, you\'ll deploy a basic HTML+CSS site to Azure App Service by using the Azure CLI az webapp up command. You\'ll then update the code and redeploy it by using the same command. The az webapp up command makes it easy to create and update web apps. When executed it performs the following actions: - - - - Download the sample app ----------------------- In this section you\'ll use the sandbox to download the sample app and set variables to make some of the commands easier to enter. 1. 2. 3. Create the web app ------------------ 1. 2. Update and redeploy the app --------------------------- 1. 2. 3. 4.