Coach Beard Jr. Boring Notes

Azure-App-Services

Azure App Service

Azure App Service is an HTTP-based service for hosting web apps, REST APIs, and mobile backends.

Features

  1. Built-in auto scale support

  2. Continuous Integration/Deployment Support

    • The Azure portal provides out-of-the-box continuous integration and deployment with Azure DevOps Services, GitHub, Bitbucket, FTP, or a local Git repository on your deployment machine.

    • It also provides a feature that auto-syncs the commits and updates of the repository on your behalf.

  3. Deployment Slots

    • When you deploy your web app, you can use a separate deployment slot instead of the default production slot when you are running in the Standard App Service plan tier or better.

  4. App Service on Linux

    • App Service can also host web apps natively on Linux for supported application stacks. It can also run custom Linux containers.

    • If the runtime your application requires isn't supported in the built-in images, you can deploy it with a custom container.

    • The languages and their supported versions are updated regularly. You can retrieve the current list by using the command az webapp list-runtimes --os-type linux

Limitations

App Service on Linux has some limitations:

  • App Service on Linux isn't supported on the Shared pricing tier.

  • The Azure portal shows only features that currently work for Linux apps. As features are enabled, they are activated on the portal.

  • When deployed to built-in images, your code and content are allocated a storage volume for web content, backed by Azure Storage.

  • The disk latency of this volume is higher and more variable than the latency of a container filesystem.

  • Apps that require heavy read-only access to content files may benefit from the custom container option, which places files in the container filesystem instead of on the content volume.

Azure App Service Plans

One or more apps can be configured to run on the same computing resources (or in the same App Service plan).

If you have multiple apps in the same App Service plan, they all share the same VM instance.

Deploy to App Service

App Service supports both automated and manual deployments

Automated Deployments

Azure supports automated deployment directly from several sources:

  1. Azure DevOps Services

  2. GitHub

  3. Bitbucket

Manual Deployment

There are a few options that you can use to manually push your code to Azure:

  1. Git

    • App Service web apps feature a Git URL that you can add as a remote repository.

    • Pushing to the remote repository deploys your app.

  2. CLI

    • webapp up is a feature of the az CLI that packages your app and deploys it. az webapp up can also create a new App Service web app for you if you haven't already created one.

  3. Zip deploy

    • Use curl or a similar HTTP utility to send a zip of your application files to App Service.

  4. FTP/S

    • FTP/FTPS is a traditional way of pushing your code to many hosting environments, including App Service.

Use deployment slots

You can deploy your app to a staging environment and then swap your staging and production slots. The swap operation warms up the necessary worker instances to match your production scale, thus eliminating downtime.

Authentication and Authorization in App Service

App Service provides built-in authentication and authorization support.

Azure App Service allows you to integrate various auth capabilities into your web app or API without implementing them yourself.

It's built directly into the platform and doesn't require any particular language.

Identity providers

Authentication through third-party identity providers is also supported by the platform. The supported providers and their sign-in endpoints are:

  1. Microsoft Identity platform -> /.auth/login/aad

  2. Facebook -> /.auth/login/facebook

  3. Google -> /.auth/login/google

  4. Twitter -> /.auth/login/twitter

  5. Any OpenID Connect provider -> /.auth/login/<providerName>

  6. GitHub -> /.auth/login/github

When you enable authentication and authorization with one of these providers, its sign-in endpoint is available for user authentication and for validation of authentication tokens from the provider.

How it works

The authentication and authorization module runs in the same sandbox as your application code. When it's enabled, every incoming HTTP request passes through it before being handled by your application code.

This module handles several things for your app:

  1. Authenticates users and clients with the specified identity providers

  2. Validates, stores and refreshes OAuth tokens issued by the configured identity providers

  3. Manages the authenticated session

  4. Injects identity information into HTTP request headers

The module runs separately from your application code, and can be configured using Azure Resource Manager settings or using a configuration file. No SDKs, specific programming languages, or changes to your application code are required.

On Linux and in containers, the authentication and authorization module runs in a separate container, isolated from your application code. Because it does not run in-process, no direct integration with specific language frameworks is possible.

Authentication Flow

The authentication flow is the same for all providers, but differs depending on whether you want to sign in with the provider's SDK.

  1. Without provider SDK

    • The application delegates federated sign-in to App Service. This is typically the case with browser apps, which can present the provider's login page to the user. The server code manages the sign-in process, so it's also called server-directed flow or server flow.

  2. With provider SDK

    • The application signs users in to the provider manually and then submits the authentication token to App Service for validation.

    • The application code manages the sign-in process, so it's also called client-directed flow or client flow.

    • This applies to REST APIs, Azure Functions, JavaScript browser clients, and native mobile apps that sign users in using the provider's SDK.

Authentication flow steps

| Step | Without provider SDK | With provider SDK |
| --- | --- | --- |
| Sign user in | Redirects client to /.auth/login/<provider> | Client code signs user in directly with provider's SDK and receives an authentication token |
| Post-authentication | Provider redirects client to /.auth/login/<provider>/callback | Client code posts token from provider to /.auth/login/<provider> for validation |
| Establish authenticated session | App Service adds authenticated cookie to response | App Service returns its own authentication token to client code |
| Serve authenticated content | Client includes authentication cookie in subsequent requests (automatically handled by browser) | Client code presents authentication token in X-ZUMO-AUTH header (automatically handled by Mobile Apps client SDKs) |

For client browsers, App Service can automatically direct all unauthenticated users to /.auth/login/<provider>.

Authorization behavior

In the Azure portal, you can configure App Service with a number of behaviors for when an incoming request isn't authenticated:

  1. Allow unauthenticated requests

    • This option defers authorization of unauthenticated traffic to your application code.

    • For authenticated requests, App Service also passes along authentication information in the HTTP headers.

    • This option provides more flexibility in handling anonymous requests. It lets you present multiple sign-in providers to your users.

  2. Require authentication

    • This option rejects any unauthenticated traffic to your application.

    • This rejection can be a redirect action to one of the configured identity providers.

    • In these cases, a browser client is redirected to /.auth/login/<provider> for the provider you choose.

    • If the anonymous request comes from a native mobile app, the returned response is an HTTP 401 Unauthorized.

Restricting access in this way applies to all calls to your app.
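An added example, not part of the original notes: with "Allow unauthenticated requests", the application has to make the authorization decision itself from the identity headers that App Service injects. The sketch assumes the X-MS-CLIENT-PRINCIPAL header (base64-encoded JSON carrying auth_typ and a claims list); the route policy, role name, and sample identities are hypothetical.

```python
import base64
import json

# Header App Service adds to authenticated requests (base64-encoded JSON).
PRINCIPAL_HEADER = "x-ms-client-principal"

# Hypothetical policy for this example: default-deny, with explicit public
# routes and a required role per protected path prefix.
PUBLIC_PATHS = {"/", "/health"}
ROLE_RULES = {"/admin": "Admin"}


def decode_principal(headers):
    """Return {'idp', 'role_typ', 'claims'} or None when the request is anonymous."""
    raw = next((v for k, v in headers.items() if k.lower() == PRINCIPAL_HEADER), None)
    if not raw:
        return None
    try:
        doc = json.loads(base64.b64decode(raw, validate=True))
        claims = {}
        for claim in doc["claims"]:
            # A claim type can repeat (one entry per role), so collect lists.
            claims.setdefault(claim["typ"], []).append(str(claim["val"]))
        return {"idp": doc["auth_typ"],
                "role_typ": str(doc.get("role_typ", "roles")),
                "claims": claims}
    except (ValueError, KeyError, TypeError) as exc:
        raise ValueError("malformed client principal header") from exc


def authorize(headers, path):
    """Return 200 (allow), 400 (bad header), 401 (sign-in needed) or 403 (role missing)."""
    if path in PUBLIC_PATHS:
        return 200
    try:
        principal = decode_principal(headers)
    except ValueError:
        return 400
    if principal is None:
        return 401
    claims = principal["claims"]
    # Assumption: roles arrive under the type named by role_typ or under "roles".
    roles = set(claims.get(principal["role_typ"], [])) | set(claims.get("roles", []))
    for prefix, required in ROLE_RULES.items():
        # Match whole path segments so "/administrator" is not treated as "/admin".
        if (path == prefix or path.startswith(prefix + "/")) and required not in roles:
            return 403
    return 200


def make_header(idp, claims):
    """Build a constructed sample header value in the shape described above."""
    doc = {"auth_typ": idp, "name_typ": "name", "role_typ": "roles",
           "claims": [{"typ": t, "val": v} for t, v in claims]}
    return base64.b64encode(json.dumps(doc).encode()).decode()


# Constructed sample identities (not real users).
USER = {"X-MS-CLIENT-PRINCIPAL": make_header("aad", [("name", "user@example.com")])}
ADMIN = {"X-MS-CLIENT-PRINCIPAL": make_header(
    "aad", [("name", "admin@example.com"), ("roles", "Admin"), ("roles", "Reader")])}

if __name__ == "__main__":
    for label, hdrs, path in [("anonymous", {}, "/"), ("anonymous", {}, "/account"),
                              ("user", USER, "/account"), ("user", USER, "/admin/users"),
                              ("admin", ADMIN, "/admin/users")]:
        print(label, path, authorize(hdrs, path))
```

The header is only trustworthy when the request reached the code through App Service; the same code run behind another proxy or on a developer machine would accept a header set by any caller.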

Token store

App service provides a built-in token store, which is a repository of tokens that are associated with the users of your web apps, APIs or native mobile apps. When you enable authentication with any provider, this token store is immediately available to your app.

Logging and tracing

If you enable application logging, authentication and authorization traces are collected directly in your log files. If you see an authentication error that you didn't expect, you can conveniently find all the details by looking in your existing application logs.

App Service Networking features

By default, apps hosted in app service are accessible directly through the internet and can reach only internet-hosted endpoints.

There are two main deployment types for Azure App Service. The multitenant public service hosts App Service plans in the Free, Shared, Basic, Standard, Premium, PremiumV2, and PremiumV3 pricing SKUs. There's also the single-tenant App Service Environment (ASE), which hosts Isolated SKU App Service plans directly in your Azure virtual network.

Multi-tenant App Service networking features

Azure App Service is a distributed system. The roles that handle incoming HTTP or HTTPS requests are called front ends. The roles that host the customer workload are called workers. All the roles in an App Service deployment exist in a multi-tenant network.

Instead of connecting the networks, you need features to handle various aspects of application communication.

Inbound features that App Service offers

  1. App-assigned address

  2. Access restrictions

  3. Service endpoints

  4. Private endpoints

Outbound features that App Service offers

  1. Hybrid Connections

  2. Gateway-required virtual network integration

  3. Virtual network integration

The following inbound use case examples show how to use App Service networking features to control traffic inbound to your app:

| Inbound use case | Feature |
| --- | --- |
| Support IP-based SSL needs for your app | App-assigned address |
| Support unshared dedicated inbound address for your app | App-assigned address |
| Restrict access to your app from a set of well-defined addresses | Access restrictions |

Default networking behavior

The free and shared SKU plans host customer workloads on multitenant workers. The basic and higher plans host customer workloads that are dedicated to only one app service plan.

Outbound addresses

The worker VMs are broken down in large part by the app service plans.

The outbound addresses used by your app for making outbound calls are listed in the properties of your app. These addresses are shared by all the apps running on the same worker VM family in the app service deployment. If you want to see all the addresses that your app might use in a scale unit, there is a property called possibleOutboundIpAddresses that lists them.

Find outbound IPs

To find the outbound IP addresses currently used by your app in Azure portal, select Properties in your app's left-hand navigation.

You can also find the same information by running the following CLI command:

az webapp show --resource-group <groupName> --name <appName> --query outboundIpAddresses --output tsv

To find all possible outbound IP addresses for your app, regardless of pricing tiers, run the following command:

az webapp show --resource-group <groupName> --name <appName> --query possibleOutboundIpAddresses --output tsv
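An added example, not part of the original notes: a downstream firewall that allowlists only outboundIpAddresses starts rejecting the app once it moves to another address from possibleOutboundIpAddresses. The check below takes the comma-separated output of the two commands above and a firewall allowlist; all addresses and rules are constructed sample values.

```python
import ipaddress


def parse_ip_list(tsv_output):
    """Parse the comma-separated value printed for either property with --output tsv."""
    return {ipaddress.ip_address(p.strip()) for p in tsv_output.split(",") if p.strip()}


def audit_allowlist(current_tsv, possible_tsv, allowlist):
    """Compare a downstream firewall allowlist with the app's outbound addresses."""
    current = parse_ip_list(current_tsv)
    possible = parse_ip_list(possible_tsv)
    nets = [ipaddress.ip_network(entry, strict=False) for entry in allowlist]

    def covered(ip):
        return any(ip in net for net in nets)

    return {
        # Calls from these addresses are being rejected today.
        "blocked_now": [str(ip) for ip in sorted(current) if not covered(ip)],
        # Calls will start failing once the app uses one of these addresses.
        "blocked_after_change": [str(ip) for ip in sorted(possible - current)
                                 if not covered(ip)],
        # Rules that match no address the app can use: candidates for removal.
        "stale_rules": [str(net) for net in nets
                        if not any(ip in net for ip in possible | current)],
    }


# Constructed sample values (documentation address ranges, not real app IPs).
CURRENT = "192.0.2.10,192.0.2.11"
POSSIBLE = "192.0.2.10,192.0.2.11,198.51.100.7,198.51.100.8"
ALLOWLIST = ["192.0.2.10/32", "192.0.2.11", "198.51.100.7", "203.0.113.0/24"]

if __name__ == "__main__":
    for finding, values in audit_allowlist(CURRENT, POSSIBLE, ALLOWLIST).items():
        print(finding, values)
```

Because these addresses are shared by all apps on the same worker VM family, an allowlist built from them limits traffic to that shared pool and does not identify a single app.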

Last updated 1 year ago