3. Agenda
• Compute Options
• From cPanel and Plesk
• Azure App Service Architecture
• Application Deployment and Configurations
• Revisit deployment slots
• Authentication and Authorization
• Demo for Custom Domain and SSL
• Azure App Service Static IP Restrictions
• Backup and Restore
• Scale App Service
• WebJobs
• Monitor
• App Service Environments
5. App Service overview
Multiple languages and frameworks
ASP.NET, ASP.NET Core, Java, Ruby, Node.js, PHP, or Python. You can also run PowerShell and other scripts or executables as background services.
DevOps optimization
Set up continuous integration and deployment with Azure DevOps, GitHub, BitBucket, Docker Hub, or Azure Container Registry.
Global scale with high availability
Scale up or out manually or automatically.
Connections to SaaS platforms and on-premises data
Choose from more than 50 connectors for enterprise systems (such as SAP) and SaaS services (such as Salesforce).
Security and compliance
App Service is ISO, SOC, and PCI compliant. Authenticate users with Azure Active Directory or with social login (Google, Facebook, Twitter, and Microsoft). Create IP address restrictions and manage service identities.
6. Application templates
Choose from an extensive list of application templates in the Azure Marketplace, such as WordPress, Joomla, and Drupal.
Visual Studio integration
Dedicated tools in Visual Studio streamline the work of creating, deploying, and debugging.
API and mobile features
App Service provides turn-key CORS support for RESTful API scenarios, and simplifies mobile app scenarios by enabling authentication, offline data sync, push notifications, and more.
Serverless code
Run a code snippet or script on-demand without having to explicitly provision or manage infrastructure, and pay only for the compute time your code actually uses.
7. Compute Options – Selection Factors
Hosting model. How is the service hosted? What requirements and limitations are imposed by this hosting environment?
DevOps. Is there built-in support for application upgrades? What is the deployment model?
Scalability. How does the service handle adding or removing instances? Can it auto-scale based on load and other metrics?
Availability. What is the service SLA?
Cost. In addition to the cost of the service itself, consider the operations cost for managing a solution built on that service. For example, IaaS solutions might have a higher operations cost.
What are the overall limitations of each service?
What kind of application architectures are appropriate for this service?
12. Azure Service Plans (Tiers)
Plan       | Storage (GB) | RAM (GB)                 | Cores               | Custom Domain | Max instances | Auto Scale | SSL | Traffic Manager | No of Apps | Price ($)
Free       | 1            | 1                        | 60 CPU minutes/day  | No            | -             | -          | -   | -               | 10         | Free
Shared     | 1            | 1                        | 240 CPU minutes/day | Yes           | -             | -          | -   | -               | 100        | ~9.49
Basic      | 10           | S = 1.75, M = 3.5, L = 7 | S = 1, M = 2, L = 4 | Yes           | 3             | No         | Yes | No              | Unlimited  | 54.75 / 109.50 / 219
Standard   | 50           | S = 1.75, M = 3.5, L = 7 | S = 1, M = 2, L = 4 | Yes           | 10            | Yes        | Yes | Yes             | Unlimited  | 73 / 146 / 292
Premium V2 | 250          | S = 3.5, M = 7, L = 14   | S = 1, M = 2, L = 4 | Yes           | 20            | Yes        | Yes | Yes             | Unlimited  | 146 / 292 / 584
Isolated   | 1000         | S = 3.5, M = 7, L = 14   | S = 1, M = 2, L = 4 | Yes           | 100           | Yes        | Yes | Yes             | Unlimited  | 219 / 438 / 876
(For Basic and above, RAM, Cores and Price are given per instance size S / M / L.)
13. From cPanel and Plesk
• Cost-effective
• Scalable
• Elastic
• Current
• Reliable
• Global
• Secure
15. Global & Geo-Distributed Architecture
In every Azure-supported region, you’ll find App Service scale units running customers’ workloads (applications) and sets of regional control units.
Control units are transparent to the customer (until they malfunction) and considered part of the platform.
There’s one special control unit that’s being used as a gateway for all management API calls.
17. App Service Scale Unit
Collection of servers that host and run your applications.
A typical scale unit can have more than 1,000 servers.
The clustering of servers enables economy of scale and reuse of shared infrastructure.
18. Scale Unit Main Building Blocks
Front End
• Layer-seven load balancer (simple round robin).
• Acting as a proxy, distributing incoming HTTP requests between different applications and their respective Workers.
Web Workers
• Workers are the backbone of the App Service scale unit. They run your applications.
File Servers
• A file server mounts Azure Storage blobs and exposes them as network drives to the Worker. A Worker
API Controllers
• Can be viewed as an extension to App Service Geo-Master.
• Geo-Master delegates API fulfilment to a given scale unit via the API controllers.
Publishers
• The Publisher role lets customers use FTP to access their application content and logs.
SQL Azure
• Persists application metadata.
Data Role
• Can be described as a cache layer between SQL Database and all other roles in a given unit of scale.
19. Revisit Deployment Slots
• Deployment slots are actually live apps with their own hostnames.
• App content and configuration elements can be swapped between two deployment slots, including the production slot.
Settings that are swapped
• General settings - such as framework version, 32/64-bit, Web sockets
• App settings (can be configured to stick to a slot)
• Connection strings (can be configured to stick to a slot)
• Handler mappings
• Monitoring and diagnostic settings
• Public certificates
• WebJobs content
• Hybrid connections
Settings that are not swapped
• Publishing endpoints
• Custom Domain Names
• Private certificates and SSL bindings
• Scale settings
• WebJobs schedulers
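To make the swapped / not-swapped distinction above concrete, here is an added Python model of a slot swap (illustrative code, not from the deck or from App Service itself): it shows how a staging connection string lands in production unless the key is marked slot-sticky. The category names, slot contents, hostnames and connection strings are constructed.

```python
from __future__ import annotations
from copy import deepcopy

# Categories the slide lists as staying with the slot; everything else travels with the app content.
NOT_SWAPPED = {"publishing_endpoints", "custom_domains", "ssl_bindings", "scale", "webjobs_schedulers"}


def _restore_sticky(target: dict, original: dict, sticky: set) -> None:
    """Put slot-sticky keys back to the values the slot had before the swap."""
    for key in sticky:
        if key in original:
            target[key] = original[key]
        else:
            target.pop(key, None)


def swap(production: dict, staging: dict, sticky_app_settings: set = frozenset(),
         sticky_connection_strings: set = frozenset()) -> tuple[dict, dict]:
    """Return (new_production, new_staging) after swapping staging into production."""
    new_prod, new_stg = deepcopy(staging), deepcopy(production)   # everything swaps by default
    for cat in NOT_SWAPPED:                                       # slot-bound categories do not move
        new_prod[cat], new_stg[cat] = deepcopy(production.get(cat)), deepcopy(staging.get(cat))
    for cat, sticky in (("app_settings", sticky_app_settings),
                        ("connection_strings", sticky_connection_strings)):
        _restore_sticky(new_prod.setdefault(cat, {}), production.get(cat, {}), sticky)
        _restore_sticky(new_stg.setdefault(cat, {}), staging.get(cat, {}), sticky)
    return new_prod, new_stg


# Constructed sample slots (not real hostnames or connection strings).
PRODUCTION = {
    "app_settings": {"FEATURE_FLAG": "v1", "SLOT_NAME": "production"},
    "connection_strings": {"Db": "Server=prod-sql.example;Database=shop"},
    "custom_domains": ["www.contoso.example"],
    "scale": {"instances": 3},
}
STAGING = {
    "app_settings": {"FEATURE_FLAG": "v2", "SLOT_NAME": "staging"},
    "connection_strings": {"Db": "Server=staging-sql.example;Database=shop_test"},
    "custom_domains": [],
    "scale": {"instances": 1},
}

if __name__ == "__main__":
    prod, _ = swap(PRODUCTION, STAGING)
    print("no sticky settings -> production DB:", prod["connection_strings"]["Db"])  # the staging DB
    prod, _ = swap(PRODUCTION, STAGING, {"SLOT_NAME"}, {"Db"})
    print("sticky Db/SLOT_NAME -> production DB:", prod["connection_strings"]["Db"])
```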
21. Demo for Custom Domain and SSL
Custom Domain
Map a CNAME record
Map an A record
Map a wildcard domain
Redirect to a custom directory
SSL Certificates
Bind SSL certificate
Enforce HTTPS
Enforce TLS versions
Public certificates
23. Backup and Restore
Backup
• What gets backed up
• App configuration
• File content
• Database connected to your app
• Configure Partial Backups
• Create a _backup.filter file in the D:\home\site\wwwroot folder
Restore
• Restore from app backup.
• Restore from storage.
• Restore from snapshot.
24. Scale App Service
• Auto scale settings
• Scale based on metrics
• Scale to a specific instance count
• Specific start/end dates
• Repeat specific days
• View the scale history of your resource
25. Autoscale concepts
A resource can have only one autoscale setting.
An autoscale setting can have one or more profiles, and each profile can have one or more autoscale rules.
An autoscale setting scales instances horizontally: scaling out increases the number of instances and scaling in decreases it.
An autoscale job always reads the associated metric to scale by, checking whether it has crossed the configured threshold for scale-out or scale-in.
All thresholds are calculated at an instance level.
All autoscale failures are logged to the Activity Log. Similarly, all successful scale actions are posted to the Activity Log.
26. High density hosting on Azure App Service using per-app scaling
• Per-app scaling is available only for Standard, Premium, Premium V2 and Isolated pricing tiers.
28. Monitor apps in Azure App Service
Quotas for Free or Shared apps are:
Quota       | Description
CPU (Short) | The amount of CPU allowed for this app in a 5-minute interval. This quota resets every five minutes.
CPU (Day)   | The total amount of CPU allowed for this app in a day. This quota resets every 24 hours at midnight UTC.
Memory      | The total amount of memory allowed for this app.
Bandwidth   | The total amount of outgoing bandwidth allowed for this app in a day. This quota resets every 24 hours at midnight UTC.
Filesystem  | The total amount of storage allowed.
29. Quota enforcement
• If an app exceeds the CPU (Short), CPU (Day), or bandwidth quota, the app is stopped until the quota resets. During this time, all incoming requests result in an HTTP 403 error.
31. Enable diagnostics logging for apps in Azure App Service
• Web server diagnostics
• Detailed Error Logging
• Failed Request Tracing
• Web Server Logging
• Application diagnostics
• Using the Trace class in .NET.
32. App Service Environments
The ASE is a deployment of the Azure App Service into a subnet of a customer’s Azure Virtual Network.
The ASE provides:
• Network isolation for apps
• Larger scale than multi-tenant
• More powerful hosts
• Ability to work with all VPN types
33. ASE is a dedicated environment
• An ASE is dedicated exclusively to a single subscription and can host 100 App Service Plan instances.
• An ASE is composed of front ends and workers. Front ends are responsible for HTTP/HTTPS termination and automatic load balancing of app requests within an ASE. Front ends are automatically added as the App Service plans in the ASE are scaled out.
• Workers are roles that host customer apps. Workers are available in three fixed sizes:
• One vCPU/3.5 GB RAM
• Two vCPU/7 GB RAM
• Four vCPU/14 GB RAM
34. Types of App Service Environments
External ASE:
• All app inbound and outbound traffic flows through the VIP
• Large scale internet accessible app hosting
• Higher memory workers
• Internet accessible but network restricted apps
ILB ASE:
• Internal Load Balancer (ILB) on a VNet IP is used for app access. Outbound from VNet flows through an external VIP
• Internal app hosting
• WAF fronted apps
• Internet isolated app hosting for 2 tier systems
36. External ASE – The one ASE 2 tier application
[Diagram: an App Service Environment (Front Ends, Workers) in a subnet of an Azure Virtual Network behind a VIP; one app is open to the internet, the other is locked down to the ASE]
IP SSL
• Assign an IP SSL address to a single app.
• Use NSGs to lock down access to that app.
• Enables things like hosting a public app that calls an API app that only apps in the ASE can reach.
37. External ASE + ILB ASE 2 tier application
[Diagram: Internet traffic reaches the VIP of an External ASE hosting web apps; the web apps call API apps on an ILB ASE behind an ILB, both ASEs inside one Azure Virtual Network]
38. External ASE + ILB ASE 2 tier with geo distribution
[Diagram: two Azure Virtual Networks, East US and West US, connected by a Site to Site VPN; one holds the External ASE (web apps, behind a VIP) + ILB ASE (API apps, behind an ILB) pair, the other a second External ASE hosting web apps behind its own VIP]
39. ILB ASE + VNET Integration 2 tier application
[Diagram: an App Service Worker connected over a Point to Site VPN (VNET Integration) into an Azure Virtual Network whose subnet holds an ILB ASE behind an ILB]
40. ILB ASE inbound connections with WAF
[Diagram: Internet traffic passes a WAF, then the ILB, to reach the App Service Environment inside an Azure Virtual Network]
Configure your apps with a Web Application Firewall virtual device for extreme application security.
41. ILB ASE with WAF 2 tier application
[Diagram: Internet, WAF and ILB in front of an App Service Environment hosting web apps and API apps inside an Azure Virtual Network]
Leverage the benefits of the WAF with a web app that calls back to an API app on the same ILB ASE. The traffic between the web and API apps stays in the VNet.
43. ASE high level network
[Diagram: an App Service Environment in a subnet of an Azure Virtual Network, exposed to the Internet through a VIP (or reachable through an ILB); the VNet is connected to On Premises over a Site to Site or ExpressRoute VPN]
• An ASE is a deployment of the Azure App Service into a subnet in a customer’s Azure Virtual Network.
• The apps in an ASE are exposed to the internet through a VIP.
• Because the apps are in the ASE inside the customer’s VNet, they can access resources that are also in the VNet.
• If the VNet is connected to an on premises network via a Site to Site or ExpressRoute VPN then they can access resources on premises.
• If you want private site access then create an ASE that uses an Internal Load Balancer instead of one with an external VIP.
44. Routes and security groups
Route selection is based on the route’s origin, in the following order:
1. User defined route
2. BGP route (with ExpressRoute)
3. System route
ASE management traffic must source from the VNet.
• If you have ER with forced tunneling, define a UDR on the ASE subnet sending 0.0.0.0/0 to Internet.
Network security groups
• Must allow (for now) inbound to the ASE subnet from any IP on ports 454/455.
• Must allow outbound from the ASE subnet to any IP.
• Must allow the ASE subnet to talk to the ASE subnet on any port.
45. ASE dependencies (all required)
[Diagram: the ASE (Multirole VIP, Workers) in a subnet of an Azure Virtual Network and its dependencies: Azure Files, Azure SQL, Azure DNS, Cert authority, Management]
Traffic to the dependencies MUST originate with the ASE VIP.
It CANNOT be force tunneled on premises and sent out a SNAT.
46. ASE inbound connections
[Diagram: inbound connections arriving at the Multirole VIP of an ASE (Workers behind it) in a subnet of an Azure Virtual Network]
• HTTP/HTTPS
• FTP
• Remote Debug
• Management (REQUIRED)
Apps are at <appname>.<asename>.p.azurewebsites.net
47. ILB ASE inbound connections
[Diagram: inbound connections arriving through an ILB at the Multirole VIP of an ASE (Workers behind it) in a subnet of an Azure Virtual Network]
• HTTP/HTTPS
• FTP
• Remote Debug
• Management (REQUIRED)
Apps are at <appname>.<customer managed domain>
Internet isolated unless the customer sets up a WAF or proxy with public DNS names.
48. App Service feature access
[Diagram: feature-access paths between the Customer browser, Portal Controller, ARM, Management, Geomaster, Stamp controller, Front end and the Scm site; one path to the Scm site is labelled “Old stuff”]
Some scm site features include:
• Functions
• Kudu
• Web jobs
• Logstream
• Deployment
• Extensions
• Process Explorer
• Console
49. External ASE feature access
[Diagram: Customer browser, Portal Controller, ARM and Management reaching an External ASE (Multirole VIP, Workers, Scm site) in a subnet of an Azure Virtual Network]
Normal feature access goes through the VIP on either port 454 or port 443.
• Scm site: port 443
• Management: port 454
50. External ASE feature access – 443 NSG
[Diagram: the same layout as the previous slide, with an NSG restricting port 443 in front of the ASE]
If you try to control app https access and lock down 443, you can break feature access.
• Scm site: port 443
• Management: ports 454/455
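An added Python check, not part of the deck, that evaluates an NSG rule set against the requirements of slide 44 (inbound 454/455 from any IP, ASE subnet to ASE subnet on any port, outbound to any IP) and the port 443 feature-access caveat on this slide. The subnet prefix, the probe addresses and both rule sets are constructed, and Azure’s default rules are approximated (VNet-internal and outbound traffic allowed, other inbound denied).

```python
from collections import namedtuple
from ipaddress import ip_network

# An NSG rule with Azure's fields; ports is "*", a single port like "443" or a range like "454-455".
Rule = namedtuple("Rule", "priority direction access source destination ports")
ASE_SUBNET = "10.0.1.0/24"        # constructed example prefix for the ASE subnet


def _addr_matches(selector: str, addr: str) -> bool:
    return selector == "*" or ip_network(addr).subnet_of(ip_network(selector))


def _port_matches(ports: str, port: int) -> bool:
    if ports == "*":
        return True
    lo, _, hi = ports.partition("-")
    return int(lo) <= port <= int(hi or lo)


def allowed(rules: list, direction: str, src: str, dst: str, port: int) -> bool:
    """Lowest priority number wins; fall back to an approximation of Azure's default rules."""
    for r in sorted(rules, key=lambda rule: rule.priority):
        if (r.direction == direction and _addr_matches(r.source, src)
                and _addr_matches(r.destination, dst) and _port_matches(r.ports, port)):
            return r.access == "Allow"
    if direction == "Outbound":                                 # AllowVnetOutBound / AllowInternetOutBound
        return True
    return ip_network(src).subnet_of(ip_network(ASE_SUBNET))   # AllowVnetInBound, otherwise DenyAllInBound


def check_ase_nsg(rules: list) -> list:
    """Report every flow the slides require that this rule set would block."""
    internet, worker = "203.0.113.10/32", "10.0.1.5/32"        # constructed probe addresses
    required = [
        ("Inbound", internet, worker, 454, "management inbound on 454 from any IP"),
        ("Inbound", internet, worker, 455, "management inbound on 455 from any IP"),
        ("Inbound", internet, worker, 443, "feature access (scm site / portal) on 443"),
        ("Inbound", worker, worker, 9999, "ASE subnet to ASE subnet on any port"),
        ("Outbound", worker, internet, 443, "outbound from ASE subnet to any IP"),
    ]
    return [f"blocked: {why}" for d, s, t, p, why in required if not allowed(rules, d, s, t, p)]


# Constructed sample: an NSG that "locks down" the ASE to HTTPS from one office range only.
LOCKED_DOWN = [
    Rule(100, "Inbound", "Allow", "198.51.100.0/24", ASE_SUBNET, "443"),
    Rule(200, "Inbound", "Deny", "*", ASE_SUBNET, "*"),
]
# Same intent, but the platform ports and intra-subnet traffic stay open as slide 44 requires.
ASE_SAFE = [
    Rule(100, "Inbound", "Allow", "*", ASE_SUBNET, "454-455"),
    Rule(110, "Inbound", "Allow", ASE_SUBNET, ASE_SUBNET, "*"),
    Rule(120, "Inbound", "Allow", "*", ASE_SUBNET, "443"),
    Rule(200, "Inbound", "Deny", "*", ASE_SUBNET, "*"),
]
```

Running `check_ase_nsg(LOCKED_DOWN)` reports the 454/455 management ports, the 443 feature-access path and the intra-subnet traffic as blocked, while `ASE_SAFE` passes cleanly.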
51. ILB ASE feature access
[Diagram: Customer browser, Portal Controller, ARM and Management in relation to an ILB ASE (Multirole VIP, Workers, Scm site) behind an ILB in a subnet of an Azure Virtual Network]
<appname>.scm.<customer managed domain> is not in public DNS and is not internet accessible.
Features that depend on such access do not work when the customer is outside of the VNET.
52. ILB ASE feature access, part 2
[Diagram: the same layout as the previous slide, with the Customer browser placed inside the VNET]
If the customer browser is in the VNET then they can hit the scm site from their browser. The portal controller still cannot hit the scm site as it is outside the VNET.
There is ongoing work to change how this behaves so that there is no communication from the Portal Controller to the scm site.
53. Forced tunnel challenges
[Diagram: the ASE (Multirole VIP, Workers) in a subnet of an Azure Virtual Network with its dependencies (Azure Files, Azure SQL, Azure DNS, Cert authority, Management), and an ER VPN to an On Premises network]
Today this model won’t work. The traffic must originate from the VIP. To avoid this you currently need to set UDRs to send everything to the internet.
App Service clusters bunches of servers into a single unit called a “scale unit” (or a “stamp”).
There are many such scale units across the globe in Azure datacenters.
If your app needs to access remote resources as a client, and the remote resource requires certificate authentication, you can upload public certificates to your app. Public certificates are not required for SSL bindings of your app.
Public Certificate: https://docs.microsoft.com/en-us/azure/app-service/app-service-web-ssl-cert-load
Ensure the maximum and minimum values are different and have an adequate margin between them.
Manual scaling is reset by autoscale min and max.
Always use a scale-out and scale-in rule combination that performs an increase and decrease.
Choose the appropriate statistic for your diagnostics metric.
Choose the thresholds carefully for all metric types.
Considerations for scaling threshold values for special metrics.
Considerations for scaling when multiple profiles are configured in an autoscale setting
Always select a safe default instance count
Configure autoscale notifications
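The autoscale practices listed above, turned into an added Python validator (example code, not Microsoft’s): field names follow the ARM Microsoft.Insights/autoscalesettings layout (profiles, capacity, metricTrigger, scaleAction, notifications), the “adequate margin” is a parameter you choose, and the two sample settings are constructed.

```python
from __future__ import annotations


def _rule(metric: str, operator: str, threshold: float, direction: str) -> dict:
    """Build one autoscale rule in the shape of the ARM autoscalesettings schema."""
    return {"metricTrigger": {"metricName": metric, "operator": operator, "threshold": threshold,
                              "statistic": "Average", "timeAggregation": "Average",
                              "timeGrain": "PT1M", "timeWindow": "PT10M"},
            "scaleAction": {"direction": direction, "type": "ChangeCount", "value": "1", "cooldown": "PT5M"}}


def validate_autoscale(setting: dict, min_margin: int = 2) -> list[str]:
    """Return the practices from the notes that this setting violates (empty list = clean)."""
    findings = []
    profiles = setting.get("profiles", [])
    if not profiles:
        findings.append("setting has no profile; each profile needs at least one rule")
    for p in profiles:
        name, cap = p.get("name", "?"), p["capacity"]
        lo, hi, default = int(cap["minimum"]), int(cap["maximum"]), int(cap["default"])
        if hi - lo < min_margin:                      # min and max must differ with an adequate margin
            findings.append(f"{name}: minimum {lo} and maximum {hi} leave no margin to scale")
        if not lo <= default <= hi:                   # always select a safe default instance count
            findings.append(f"{name}: default {default} is outside [{lo}, {hi}]")
        rules = p.get("rules", [])
        directions = {r["scaleAction"]["direction"] for r in rules}
        if directions != {"Increase", "Decrease"}:    # always pair a scale-out rule with a scale-in rule
            findings.append(f"{name}: needs both an Increase and a Decrease rule, has {sorted(directions)}")
        out_thresholds = {r["metricTrigger"]["metricName"]: float(r["metricTrigger"]["threshold"])
                          for r in rules if r["scaleAction"]["direction"] == "Increase"}
        for r in rules:                               # scale-in threshold must sit below scale-out
            trig = r["metricTrigger"]
            if (r["scaleAction"]["direction"] == "Decrease" and trig["metricName"] in out_thresholds
                    and float(trig["threshold"]) >= out_thresholds[trig["metricName"]]):
                findings.append(f"{name}: {trig['metricName']} scale-in threshold {trig['threshold']} "
                                f"is not below the scale-out threshold (flapping risk)")
    if not setting.get("notifications"):              # configure autoscale notifications
        findings.append("no notifications configured for scale actions and failures")
    return findings


# Constructed samples. WEAK breaks four of the listed practices; GOOD follows them.
WEAK = {"profiles": [{"name": "default", "capacity": {"minimum": "2", "maximum": "2", "default": "3"},
                      "rules": [_rule("CpuPercentage", "GreaterThan", 70, "Increase")]}]}
GOOD = {"profiles": [{"name": "default", "capacity": {"minimum": "2", "maximum": "10", "default": "2"},
                      "rules": [_rule("CpuPercentage", "GreaterThan", 70, "Increase"),
                                _rule("CpuPercentage", "LessThan", 40, "Decrease")]}],
        "notifications": [{"operation": "Scale", "email": {"sendToSubscriptionAdministrator": True}}]}
```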
CPU time vs CPU percentage
CPU Time: Useful for apps hosted in Free or Shared plans, because one of their quotas is defined in CPU minutes used by the app.
CPU percentage: Useful for apps hosted in Basic, Standard, and Premium plans, because they can be scaled out. CPU percentage is a good indication of the overall usage across all instances.