AZ-204: Create Azure App Service web apps

Create a free App Service managed certificate

A private certificate that's free of charge and easy to use if you just need to secure your custom domain in App Service. What certificate option is this?

Purchase an App Service certificate

A private certificate that's managed by Azure. It combines the simplicity of automated certificate management and the flexibility of renewal and export options. What certificate option is this?

Standard App Service plan

All the apps in that plan will run on the same worker. If you scale out the worker, all the apps in that App Service plan will be replicated on a new worker for each instance in your App Service plan. What service plan is this?

Yes, known as encrypted-at-rest

Are App settings always encrypted when stored?

No, on Free and Shared tiers, an app receives CPU minutes on a shared VM instance and can't scale out

Can Free and Shared tiers scale out?

False: an app (Web Apps, API Apps, or Mobile Apps) always runs in an App Service plan.

Can an app (Web Apps, API Apps, or Mobile Apps) run in something other than an App Service plan?

Vertical scaling

Depending on the usage of the web app, you can scale the resources of the underlying machine that is hosting your web app up/down

Windows/Linux, App Service file system Helps determine why a deployment failed. Deployment logging happens automatically and there are no configurable settings for deployment logging.

Describe Deployment logging and platform and location

Windows platform, App service file system Copies of the .html error pages that would have been sent to the client browser. For security reasons, detailed error pages shouldn't be sent to clients in production, but App Service can save the error page each time an application error occurs that has HTTP code 400 or greater.

Describe Detailed error logging and the platform and location

Windows, App Service File System, Detailed tracing information on failed requests, including a trace of the IIS components used to process the request and the time taken in each component. One folder is generated for each failed request, which contains the XML log file, and the XSL stylesheet to view the log file with.

Describe Failed request tracing and the platform and location

Windows platform, App Service File system or Azure Storage Blobs Raw HTTP request data. Each log message includes data like the HTTP method, resource URI, client IP, client port, user agent, response code, and so on.

Describe Web server logging and the platform and location

Windows/Linux platform, App Service file system and/or Azure Storage blobs, Logs generated by application code. These messages can be generated by the web framework you choose. Each message is assigned one of the following categories: Critical, Error, Warning, Info, Debug, and Trace.

Describe application logging and the platform and location

You can think of a feature flag as a Boolean state variable used with an if conditional statement in your code: if (featureFlag) { // Run the following code }

Describe how a feature flag is implemented in application code

Runs in the same sandbox as your application code. When it's enabled, every incoming HTTP request passes through it before being handled by your application code. This module handles several things for your app: Authenticates users with the specified provider. Validates, stores, and refreshes tokens. Manages the authenticated session. Injects identity information into request headers.

Describe how authentication and authorization module works

Git: App Service web apps feature a Git URL that you can add as a remote repository. Pushing to the remote repository will deploy your app. CLI: webapp up is a feature of the az command-line interface that packages your app and deploys it. Unlike other deployment methods, az webapp up can create a new App Service web app for you if you haven't already created one. Zip deploy: Use curl or a similar HTTP utility to send a ZIP of your application files to App Service. FTP/S: FTP or FTPS is a traditional way of pushing your code to many hosting environments, including App Service.

Describe some of the options you can use to manually push your code to Azure?

Sign user in - Client code signs user in directly with provider's SDK and receives an authentication token. For information, see the provider's documentation. Post-authentication - Client code posts token from provider to /.auth/login/<provider> for validation. Establish authenticated session - App Service returns its own authentication token to client code. Serve authenticated content - Client code presents authentication token in X-ZUMO-AUTH header (automatically handled by Mobile Apps client SDKs).

Describe the authentication flow steps with provider SDK

Sign user in - Redirects client to /.auth/login/<provider> Post-authentication -- Provider redirects client to /.auth/login/<provider>/callback. Establish authenticated session -- App Service adds authenticated cookie to response. Serve authenticated content -- Client includes authentication cookie in subsequent requests (automatically handled by browser)

Describe the authentication flow steps without provider SDK

1) select Storage to store logs on blob storage, or File System to store logs on the App Service file system. 2) in Retention Period (Days), set the number of days the logs should be retained.

Describe the steps to enable application logging Web server logging

1) In App Service logs set the Application logging option to File System. 2) In Quota (MB), specify the disk quota for the application logs. In Retention Period (Days), set the number of days the logs should be retained. 3) click save

Describe the steps to enable application logging for Linux/container apps in azure portal

1) Go to your app and select App Service logs 2) Select On for either Application Logging (Filesystem) or Application Logging (Blob), or both 3) The Filesystem option is for temporary debugging purposes, and turns itself off in 12 hours. The Blob option is for long-term logging, and needs a blob storage container to write logs to. 4) You can also set the Level of details included in the log 5) click save when finished

Describe the steps to enable application logging for Windows apps in azure portal

dynamically administer a feature's lifecycle on the fly

Describe what feature flags are

Azure App Service allows you to integrate a variety of auth capabilities into your web app or API without implementing them yourself. It's built directly into the platform and doesn't require any particular language, SDK, security expertise, or even any code to utilize. You can integrate with multiple login providers. For example, Azure AD, Facebook, Google, Twitter.

Describe what built-in authentication in Azure allows you to do

No, App Service supports both automated and manual deployment.

Does App Service only support automated deployment?

Yes, you can sign in users and access data by writing minimal or no code in your web app, API, and mobile back end, and also Azure Functions.

Does Azure App Service provide built-in authentication and authorization support?

With its similarities to GitHub, you can configure an automated deployment with Bitbucket.

Does Azure support automated deployment with Bitbucket?

Uses the --env flag to set the environment variable in the container

For Linux apps and custom containers, how does App Service pass app settings to the container?

ASP.NET and ASP.NET Core developers

For what kind of developers do the values you set in App Service override the ones in Web.config?

Extension: The file extension you want to handle, such as *.php or handler.fcgi. Script processor: The absolute path of the script processor. Requests to files that match the file extension are processed by the script processor. Use the path D:\home\site\wwwroot to refer to your app's root directory. Arguments: Optional command-line arguments for the script processor.

Handler mappings let you add custom script processors to handle requests for specific file extensions. To add a custom handler, select New handler. Configure the handler as follows:

You can change the pricing tier of the plan. If your app is in the same App Service plan with other apps, you may want to improve the app's performance by isolating the compute resources. You can do it by moving the app into a separate App Service plan.

How can you scale your app?

The application signs users in to the provider manually and then submits the authentication token to App Service for validation. This is typically the case with browser-less apps, which can't present the provider's sign-in page to the user. The application code manages the sign-in process, so it is also called client-directed flow or client flow. This applies to REST APIs, Azure Functions, JavaScript browser clients, and native mobile apps that sign users in using the provider's SDK.

How does authentication flow with the provider SDK?

The application delegates federated sign-in to App Service. This is typically the case with browser apps, which can present the provider's login page to the user. The server code manages the sign-in process, so it is also called server-directed flow or server flow.

How does authentication flow without the provider SDK?

Renewed continuously and automatically in six-month increments, 45 days before expiration.

How often is the free app service managed certificate renewed?

Replace the placeholders <private-key-file> and <merged-certificate-file> with the paths to your private key and your merged certificate file. openssl pkcs12 -export -out myserver.pfx -inkey <private-key-file> -in <merged-certificate-file> When prompted, define an export password. You'll use this password when uploading your TLS/SSL certificate to App Service.

How would you export a private certificate to PFX?

Navigate to your app and select Log stream.

How would you stream logs in Azure Portal?

az webapp log tail --name appname --resource-group myResourceGroup

How would you stream logs in Cloud Shell/Azure CLI?

Debugging: Enable remote debugging for ASP.NET, ASP.NET Core, or Node.js apps. This option turns off automatically after 48 hours.

If the Debugging setting is enabled this option will automatically turn off after how many hours?

Upload a private certificate

If you already have a private certificate from a third-party provider, you can upload it. What certificate option is this?

Import the certificate into App Service. Manage the certificate, such as renew, rekey, and export it.

If you already have a working App Service certificate, you can:

Linux/container apps: https://<app-name>.scm.azurewebsites.net/api/logs/docker/zip Windows apps: https://<app-name>.scm.azurewebsites.net/api/dump

If you configure the Azure Storage blobs option for a log type, you need a client tool that works with Azure Storage. For logs stored in the App Service file system, the easiest way is to download the ZIP file in the browser at:

Takes care of the purchase process from GoDaddy. Performs domain verification of the certificate. Maintains the certificate in Azure Key Vault. Manages certificate renewal. Synchronizes the certificate automatically with the imported copies in App Service apps.

If you purchase an App Service Certificate from Azure, Azure manages the following tasks:

Keep the app loaded even when there's no traffic. By default, Always On is not enabled and the app is unloaded after 20 minutes without any incoming requests. It's required for continuous WebJobs or for WebJobs that are triggered using a CRON expression.

In App service platform settings, describe the Always On setting

Managed pipeline version

In the general settings tab of app services the platform setting is described as the IIS pipeline mode. Set it to Classic if you have a legacy app that requires an older version of IIS.

WebSocket protocol: For ASP.NET SignalR or socket.io, for example.

In the general settings tab of app services the platform setting that sets WebSockets?

Bitness: 32-bit or 64-bit

In the general settings tab of app services the platform setting that sets the Bits?

Stack settings

In the general settings tab of app services what setting is described as The software stack to run the app, including the language and SDK versions. For Linux apps and custom container apps, you can also set an optional start-up command or file.

Yes, if the plan is configured for auto scaling then all apps in the plan are scaled out together based on the auto scaling settings.

In the non-free/shared tiers, the App Service plan is the scale unit of the App Service apps. If the plan is configured to run five VM instances, then all apps in the plan run all five instances. Is this correct?

An app runs on all the VM instances configured in the App Service plan. If multiple apps are in the same App Service plan, they all share the same VM instances. If you have multiple deployment slots for an app, all deployment slots also run on the same VM instances. If you enable diagnostic logs, perform backups, or run WebJobs, they also use CPU cycles and memory on these VM instances.

In tiers other than Free and Shared how does an app run and scale?

App-assigned address Access restrictions Service endpoints Private endpoints

List the Inbound Features request to your app

Hybrid Connections Gateway-required virtual network integration Virtual network integration

List the Outbound Features request from your app

Upload a public certificate

Public certificates are not used to secure custom domains, but you can load them into your code if you need them to access remote resources. What certificate option is this?

Horizontal scaling

Resources include the number of cores or the amount of RAM available. Scaling out/in is the ability to increase, or decrease, the number of machine instances that are running your web app.

HTTP version

Set this app service platform setting to 2.0 to enable support for HTTPS/2 protocol.

Dedicated compute

The Basic, Standard, Premium, PremiumV2, and PremiumV3 tiers run apps on dedicated Azure VMs. Only apps in the same App Service plan share the same compute resources. The higher the tier, the more VM instances are available to you for scale-out.

Front Ends

What are the roles called that handle incoming HTTP or HTTPS requests?

Workers

What are the roles called that host the customer workload?

Exported as a password-protected PFX file, encrypted using triple DES. Contains private key at least 2048 bits long. Contains all intermediate certificates in the certificate chain.

The free App Service managed certificate and the App Service certificate already satisfy the requirements of App Service. If you want to use a private certificate in App Service, your certificate must meet the following requirements:

Does not support wildcard certificates. Does not support usage as a client certificate by certificate thumbprint. Is not exportable. Is not supported on App Service Environment (ASE). Is not supported with root domains that are integrated with Traffic Manager. If a certificate is for a CNAME-mapped domain, the CNAME must be mapped directly to <app-name>.azurewebsites.net.

The free certificate comes with the following limitations:

az webapp list-runtimes --os-type linux

The languages, and their supported versions, are updated on a regular basis. You can retrieve the current Linux list by using the following command in the Cloud Shell.

Filter

This is a rule for evaluating the state of a feature flag. A user group, a device or browser type, a geographic location, and a time window are all examples of what a filter can represent.

Feature flag

This is a variable with a binary state of on or off. This also has an associated code block. The state of this triggers whether the code block runs or not.

Feature manager

This is an application package that handles the lifecycle of all the feature flags in an application. The feature manager typically provides additional functionality, such as caching feature flags and updating their states.

Allow unauthenticated requests

This option defers authorization of unauthenticated traffic to your application code. For authenticated requests, App Service also passes along authentication information in the HTTP headers. This option provides more flexibility in handling anonymous requests. It lets you present multiple sign-in providers to your users.

Require authentication

This option will reject any unauthenticated traffic to your application. This rejection can be a redirect action to one of the configured identity providers. In these cases, a browser client is redirected to /.auth/login/<provider> for the provider you choose. If the anonymous request comes from a native mobile app, the returned response is an HTTP 401 Unauthorized. You can also configure the rejection to be an HTTP 401 Unauthorized or HTTP 403 Forbidden for all requests.

Shared compute

In this pricing tier, both Free and Shared share the resource pools of your apps with the apps of other customers. These tiers allocate CPU quotas to each app that runs on the shared resources, and the resources can't scale out.

Consumption

This tier is only available to function apps. It scales the functions dynamically depending on workload.

Isolated

This tier runs dedicated Azure VMs on dedicated Azure Virtual Networks. It provides network isolation on top of compute isolation to your apps. It provides the maximum scale-out capabilities.

Basic, Standard, Premium, or Isolated tier. Custom SSL is not supported in the F1 or D1 tier.

To create TLS/SSL bindings or enable client certificates for your App Service app, your App Service plan must be in what tiers?

Contains an Extended Key Usage for server authentication (OID = 1.3.6.1.5.5.7.3.1). Signed by a trusted certificate authority.

To secure a custom domain in a TLS binding, the certificate has additional requirements:

Import a certificate from Key Vault

Useful if you use Azure Key Vault to manage your certificates. What certificate option is this?

ARR affinity

What app service platform setting is described as "In a multi-instance deployment, ensure that the client is routed to the same instance for the life of the session. You can set this option to Off for stateless applications."

Incoming client certificates

What app service settings require client certificates in mutual authentication. TLS mutual authentication is used to restrict access to your app by enabling different types of authentication for it.

Name: The display name. Configuration options: Basic or Advanced. Storage accounts: The storage account with the container you want. Storage type: Azure Blobs or Azure Files. Windows container apps only support Azure Files. Storage container: For basic configuration, the container you want. Share name: For advanced configuration, the file share name. Access key: For advanced configuration, the access key. Mount path: The absolute path in your container to mount the custom storage.

What are the custom Storage configuration options in app service?

1) Multi-tenant App Service 2) Single-tenant App Service Environment

What are the two main deployment types for Azure App Service?

You can configure handler mappings, and virtual application and directory mappings. The Path mappings page will display different options based on the OS type.

What can you configure in the Path mappings section in app service?

App Service plan

What defines a set of compute resources for a web app to run. One or more apps can be configured to run on the same computing resources or same plan. In addition, Azure Functions also has this option

The pricing tier of an App Service plan

What determines what App Service features you get and how much you pay for the plan?

You can push your code to Azure DevOps, build your code in the cloud, run the tests, generate a release from the code, and finally, push your code to an Azure Web App.

What is Azure DevOps?

Azure supports automated deployment directly from GitHub. When you connect your GitHub repository to Azure for automated deployment, any changes you push to your production branch on GitHub will be automatically deployed for you.

What is GitHub?

Automated deployment or continuous deployment

What is a process used to push out new features and bug fixes in a fast and repetitive pattern with minimal impact on end users?

Azure App Service

What is an HTTP-based service for hosting web applications, REST APIs, and mobile back ends. You can develop in your favorite programming language, be it .NET, .NET Core, Java, Ruby, Node.js, PHP, or Python. Applications run and scale with ease on both Windows and Linux-based environments.

Basic and higher plans

What plans host customer workloads that are dedicated to only one App Service plan?

Azure portal

What provides out-of-the-box continuous integration and deployment with Azure DevOps, GitHub, Bitbucket, FTP, or a local Git repository on your development machine. Connect your web app with any of the above sources and App Service will do the rest for you by auto-syncing code and any future changes on the code into the web app.

Free and Shared SKU plans

What service plans host customer workloads on multitenant workers?

Region (West US, East US, etc.) Number of VM instances Size of VM instances (Small, Medium, Large) Pricing tier (Free, Shared, Basic, Standard, Premium, PremiumV2, PremiumV3, Isolated)

Whatever apps you put into this App Service plan run on these compute resources as defined by your App Service plan. Each App Service plan defines:

The app is resource-intensive. You want to scale the app independently from the other apps in the existing plan. The app needs resources in a different geographical region. This way you can allocate a new set of resources for your app and gain greater control of your apps.

When would you isolate your app into a new App Service plan?

Azure App Configuration

Where can you go to access feature flags and manipulate their states quickly?

Support IP-based SSL needs for your app - App-assigned address Support unshared dedicated inbound address for your app - App-assigned address Restrict access to your app from a set of well-defined addresses - Access restrictions

You can mix the features to solve your problems with a few exceptions. What are some example use cases of how to use App Service networking features to control traffic inbound to your app.

Deployment slots

What are live apps with their own host names? App content and configuration elements can be swapped between two deployment slots, including the production slot.

