AZ-104 Objective 3.4: Create and Configure Azure App Service
•50 min read•Microsoft Azure Administrator
AZ-104 Exam Focus: This objective covers Azure App Service, a fully managed platform for building, deploying, and scaling web apps. Understanding App Service plans, scaling, certificates, DNS configuration, backups, networking, and deployment slots is crucial for Azure administrators managing web applications. Master these concepts for both exam success and real-world web application management in Azure.
Understanding Azure App Service
Azure App Service is a fully managed platform-as-a-service (PaaS) offering that enables you to build, deploy, and scale web applications, mobile backends, and RESTful APIs. It supports multiple programming languages and frameworks, providing built-in infrastructure management, security, and scaling capabilities. App Service can be deployed using ARM templates and Bicep and often integrates with Azure Storage for application data.
App Service Key Features
- Multiple Languages: .NET, .NET Core, Java, Node.js, PHP, Python, Ruby
- Built-in CI/CD: Integration with Azure DevOps, GitHub, Bitbucket
- Auto-scaling: Scale based on demand or schedule
- High Availability: Built-in load balancing and traffic management
- Security: Built-in authentication, SSL certificates, and compliance
- Monitoring: Application Insights integration for performance monitoring
1. Provision an App Service Plan
An App Service plan defines the compute resources (CPU, memory, storage) that your web app will use. It determines the pricing tier, scaling capabilities, and available features for your applications.
App Service Plan Tiers
| Tier | Use Case | Scaling | Features |
|---|---|---|---|
| Free | Development, testing | No scaling | Basic features, shared infrastructure |
| Shared | Development, testing | No scaling | Custom domains, SSL |
| Basic | Small production apps | Manual scaling | Dedicated VMs, custom domains |
| Standard | Production workloads | Auto-scaling | Staging slots, backups |
| Premium | High-performance apps | Auto-scaling | Premium features, VNet integration |
| Isolated | Enterprise, compliance | Auto-scaling | Dedicated environment, ASE |
Creating an App Service Plan
# Create App Service plan az appservice plan create \ --name myAppServicePlan \ --resource-group myResourceGroup \ --location eastus \ --sku B1 \ --number-of-workers 1 # Create App Service plan with specific configuration az appservice plan create \ --name myProductionPlan \ --resource-group myResourceGroup \ --location eastus \ --sku P1V2 \ --number-of-workers 3 \ --is-linux false
App Service Plan Management
# List App Service plans az appservice plan list --resource-group myResourceGroup # Get App Service plan details az appservice plan show --name myAppServicePlan --resource-group myResourceGroup # Update App Service plan SKU az appservice plan update \ --name myAppServicePlan \ --resource-group myResourceGroup \ --sku S1 # Delete App Service plan az appservice plan delete --name myAppServicePlan --resource-group myResourceGroup
2. Configure Scaling for an App Service Plan
Scaling allows your App Service to handle varying loads by automatically adjusting the number of instances. You can configure both manual and automatic scaling based on metrics or schedules.
Scaling Types
Scaling Options:
- Manual Scaling: Set fixed number of instances
- Automatic Scaling: Scale based on metrics (CPU, memory, requests)
- Scheduled Scaling: Scale based on time schedules
- Scale Out: Increase instances during high load
- Scale In: Decrease instances during low load
Configuring Auto-scaling
# Configure auto-scaling rules az monitor autoscale create \ --resource-group myResourceGroup \ --resource myAppServicePlan \ --resource-type Microsoft.Web/serverfarms \ --name myAutoscaleSetting \ --min-count 1 \ --max-count 10 \ --count 2 # Add CPU-based scale-out rule az monitor autoscale rule create \ --resource-group myResourceGroup \ --autoscale-name myAutoscaleSetting \ --condition "CpuPercentage > 70 avg 5m" \ --scale out 1 # Add CPU-based scale-in rule az monitor autoscale rule create \ --resource-group myResourceGroup \ --autoscale-name myAutoscaleSetting \ --condition "CpuPercentage < 30 avg 5m" \ --scale in 1 # Add memory-based scaling rule az monitor autoscale rule create \ --resource-group myResourceGroup \ --autoscale-name myAutoscaleSetting \ --condition "MemoryPercentage > 80 avg 5m" \ --scale out 1
Scaling Best Practices
Scaling Guidelines:
- Set appropriate minimum and maximum instance counts
- Use multiple metrics for more accurate scaling decisions
- Configure scale-out and scale-in rules separately
- Set appropriate time windows for metric evaluation
- Test scaling behavior under different load conditions
- Monitor scaling events and adjust rules as needed
3. Create an App Service
An App Service is the actual web application that runs on your App Service plan. You can create multiple App Services on the same plan, sharing the compute resources and costs.
Creating an App Service
# Create App Service az webapp create \ --name myWebApp \ --resource-group myResourceGroup \ --plan myAppServicePlan # Create App Service with specific runtime az webapp create \ --name myWebApp \ --resource-group myResourceGroup \ --plan myAppServicePlan \ --runtime "DOTNET|6.0" # Create Linux App Service az webapp create \ --name myLinuxWebApp \ --resource-group myResourceGroup \ --plan myAppServicePlan \ --runtime "NODE|18-lts"
App Service Configuration
# Configure app settings az webapp config appsettings set \ --name myWebApp \ --resource-group myResourceGroup \ --settings "APP_ENV=production" "DB_CONNECTION=connection_string" # Configure connection strings az webapp config connection-string set \ --name myWebApp \ --resource-group myResourceGroup \ --connection-string-type SQLServer \ --settings "DefaultConnection=Server=server;Database=db;User=user;Password=pass" # Configure general settings az webapp config set \ --name myWebApp \ --resource-group myResourceGroup \ --always-on true \ --use-32bit-worker-process false
4. Configure Certificates and Transport Layer Security (TLS)
SSL/TLS certificates are essential for securing web applications and enabling HTTPS communication. Azure App Service provides multiple options for certificate management.
Certificate Types
Certificate Options:
- App Service Managed Certificate: Free, automatically managed certificates
- Key Vault Certificate: Import certificates from Azure Key Vault
- Upload Certificate: Upload your own certificates
- Wildcard Certificates: Cover multiple subdomains
- SNI SSL: Multiple certificates on same IP
- IP SSL: Dedicated IP address for certificate
Configuring SSL/TLS
# Create App Service managed certificate az webapp config ssl create \ --name myWebApp \ --resource-group myResourceGroup \ --hostname mydomain.com # Upload custom certificate az webapp config ssl upload \ --name myWebApp \ --resource-group myResourceGroup \ --certificate-file certificate.pfx \ --certificate-password password # Bind certificate to custom domain az webapp config ssl bind \ --name myWebApp \ --resource-group myResourceGroup \ --certificate-thumbprint thumbprint \ --ssl-type SNI # Configure TLS version az webapp config set \ --name myWebApp \ --resource-group myResourceGroup \ --min-tls-version 1.2
TLS Configuration Best Practices
Security Guidelines:
- Use TLS 1.2 or higher for all connections
- Enable HTTPS-only redirect for all traffic
- Use App Service managed certificates for simplicity
- Implement HSTS (HTTP Strict Transport Security)
- Regularly renew certificates before expiration
- Use Key Vault for certificate management in production
5. Map an Existing Custom DNS Name to an App Service
Custom domain configuration allows you to use your own domain name instead of the default Azure domain. This involves DNS configuration and domain verification.
Domain Configuration Process
Configuration Steps:
- Add custom domain to App Service
- Configure DNS records (A, CNAME, or ALIAS)
- Verify domain ownership
- Bind SSL certificate to domain
- Test domain resolution and SSL
DNS Configuration
# Add custom domain az webapp config hostname add \ --webapp-name myWebApp \ --resource-group myResourceGroup \ --hostname mydomain.com # Add subdomain az webapp config hostname add \ --webapp-name myWebApp \ --resource-group myResourceGroup \ --hostname www.mydomain.com # List custom domains az webapp config hostname list \ --webapp-name myWebApp \ --resource-group myResourceGroup # Remove custom domain az webapp config hostname remove \ --webapp-name myWebApp \ --resource-group myResourceGroup \ --hostname mydomain.com
DNS Record Types
| Record Type | Use Case | Value | Notes |
|---|---|---|---|
| A Record | Root domain | App Service IP | Requires IP SSL certificate |
| CNAME | Subdomains | myapp.azurewebsites.net | Most common option |
| ALIAS | Root domain (Azure DNS) | myapp.azurewebsites.net | Azure DNS only |
6. Configure Backup for an App Service
Regular backups are essential for data protection and disaster recovery. Azure App Service provides built-in backup capabilities for your applications and databases.
Backup Configuration
# Configure backup az webapp config backup create \ --resource-group myResourceGroup \ --webapp-name myWebApp \ --backup-name myBackup \ --storage-account-url "https://mystorageaccount.blob.core.windows.net/backups" \ --frequency 1d \ --retention 30 \ --databases @databases.json # Create backup now az webapp config backup create \ --resource-group myResourceGroup \ --webapp-name myWebApp \ --backup-name myBackupNow \ --storage-account-url "https://mystorageaccount.blob.core.windows.net/backups" # List backups az webapp config backup list \ --resource-group myResourceGroup \ --webapp-name myWebApp # Restore from backup az webapp config backup restore \ --resource-group myResourceGroup \ --webapp-name myWebApp \ --backup-name myBackup \ --target-name myRestoredApp
Backup Best Practices
Backup Guidelines:
- Configure automated daily backups for production apps
- Include connected databases in backup configuration
- Store backups in different regions for disaster recovery
- Test backup restoration procedures regularly
- Implement backup retention policies
- Monitor backup success and failure notifications
7. Configure Networking Settings for an App Service
Network configuration allows you to control how your App Service communicates with other resources and how external traffic reaches your application.
Networking Features
Network Options:
- VNet Integration: Connect to Azure Virtual Networks
- Private Endpoints: Secure access via private IP
- Access Restrictions: Control inbound traffic
- Hybrid Connections: Connect to on-premises resources
- Service Endpoints: Secure access to Azure services
- App Service Environment: Isolated network environment
VNet Integration
# Configure VNet integration az webapp vnet-integration add \ --name myWebApp \ --resource-group myResourceGroup \ --subnet mySubnet \ --vnet myVNet # List VNet integrations az webapp vnet-integration list \ --name myWebApp \ --resource-group myResourceGroup # Remove VNet integration az webapp vnet-integration remove \ --name myWebApp \ --resource-group myResourceGroup
Access Restrictions
# Add IP access restriction az webapp config access-restriction add \ --name myWebApp \ --resource-group myResourceGroup \ --rule-name "Allow Office IP" \ --action Allow \ --ip-address 203.0.113.0/24 \ --priority 100 # Add service endpoint restriction az webapp config access-restriction add \ --name myWebApp \ --resource-group myResourceGroup \ --rule-name "Allow VNet" \ --action Allow \ --subnet mySubnet \ --vnet-name myVNet \ --priority 200 # List access restrictions az webapp config access-restriction show \ --name myWebApp \ --resource-group myResourceGroup
8. Configure Deployment Slots for an App Service
Deployment slots allow you to deploy different versions of your application to different environments (staging, production) and swap them without downtime.
Deployment Slot Types
Slot Features:
- Production Slot: The main slot serving live traffic
- Staging Slots: Additional slots for testing and validation
- Blue-Green Deployment: Instant swap between versions
- Warm-up: Pre-load applications before swap
- Traffic Routing: Route percentage of traffic to slots
- Slot Settings: Configuration that stays with slots
Creating and Managing Deployment Slots
# Create deployment slot az webapp deployment slot create \ --name myWebApp \ --resource-group myResourceGroup \ --slot staging # Deploy to slot az webapp deployment source config \ --name myWebApp \ --resource-group myResourceGroup \ --slot staging \ --repo-url https://github.com/user/repo.git \ --branch staging # Swap slots az webapp deployment slot swap \ --name myWebApp \ --resource-group myResourceGroup \ --slot staging \ --target-slot production # Configure slot settings az webapp config appsettings set \ --name myWebApp \ --resource-group myResourceGroup \ --slot staging \ --settings "APP_ENV=staging" \ --slot-settings # List deployment slots az webapp deployment slot list \ --name myWebApp \ --resource-group myResourceGroup
Deployment Slot Best Practices
Deployment Guidelines:
- Use staging slots for testing before production deployment
- Configure slot-specific settings for different environments
- Test slot swaps during low-traffic periods
- Use warm-up to ensure applications are ready before swap
- Implement automated testing in staging slots
- Monitor application health after slot swaps
App Service Monitoring and Diagnostics
# Enable application logging az webapp log config \ --name myWebApp \ --resource-group myResourceGroup \ --application-logging filesystem \ --level information # Enable web server logging az webapp log config \ --name myWebApp \ --resource-group myResourceGroup \ --web-server-logging filesystem # Download logs az webapp log download \ --name myWebApp \ --resource-group myResourceGroup \ --log-file logs.zip # Configure Application Insights az webapp config appsettings set \ --name myWebApp \ --resource-group myResourceGroup \ --settings "APPINSIGHTS_INSTRUMENTATIONKEY=your-key"
Exam Tips and Key Points
Critical Exam Knowledge:
- App Service Plans: Understand tiers, pricing, and scaling capabilities
- Scaling: Know manual vs automatic scaling and configuration options
- SSL/TLS: Understand certificate types and TLS configuration
- Custom Domains: Know DNS configuration and domain verification
- Backups: Understand backup configuration and restoration
- Networking: Know VNet integration, access restrictions, and private endpoints
- Deployment Slots: Understand slot creation, swapping, and configuration
Common Scenarios and Solutions
Real-World Scenarios:
- High-Traffic Web App: Use Standard/Premium plans with auto-scaling
- Secure Application: Implement SSL certificates and access restrictions
- Custom Domain: Configure DNS and SSL for professional appearance
- Zero-Downtime Deployment: Use deployment slots for blue-green deployment
- Hybrid Connectivity: Use VNet integration for on-premises access
- Disaster Recovery: Configure automated backups and cross-region replication
Summary
Azure App Service provides a comprehensive platform for hosting web applications with built-in management, security, and scaling capabilities. This objective covers the essential aspects of App Service management:
- App Service plan provisioning and tier selection
- Scaling configuration for performance and cost optimization
- App Service creation and configuration
- SSL/TLS certificate management and security
- Custom domain configuration and DNS management
- Backup configuration for data protection
- Networking settings for security and connectivity
- Deployment slots for zero-downtime deployments
Understanding these App Service features is essential for Azure administrators to effectively deploy, manage, and secure web applications in Azure environments.
Next Steps: Practice creating App Service plans and web apps in the Azure portal. Experiment with scaling, SSL configuration, custom domains, and deployment slots to understand the complete App Service lifecycle and capabilities.
Related Topics
Continue your Azure administration learning journey with these related topics:
- Automate Deployment with ARM Templates and Bicep - Deploy App Service resources with IaC
- Configure and Manage Storage Accounts - Set up storage for App Service applications
- Provision and Manage Containers - Compare App Service with container solutions
- Configure and Manage Virtual Networks - Integrate App Service with VNets
- Configure Name Resolution and Load Balancing - Set up custom domains and load balancing
- Monitor Resources in Azure - Monitor App Service performance and health
- Manage Microsoft Entra ID Users and Groups - Configure authentication for App Service