Azure App Service provides PaaS hosting for several kinds of applications:
- Web Apps, which serve HTML pages and other web content from applications built on ASP.NET, Node.js, PHP, Ruby, Python, or Java, or from static websites
- API Apps, which serve REST APIs
- Mobile Apps, which serve REST APIs and data access over the OData protocol, together with push notification and additional mobile-user authentication capabilities
- Function Apps, which host event-driven code in a serverless manner
- Custom Containerized Apps, which run a single Docker container from a configured registry or a multi-container application defined with Docker Compose
Azure requires an App Service Plan to be configured in order to reserve dedicated compute resources for our applications.
An App Service Plan defines:
- Location (Azure region) of the application
- OS (Linux or Windows)
- Vertical scaling
- Horizontal scaling
- Networking configuration
Vertical scaling options are defined by pricing tiers, grouped into the Free, Shared, Basic, Standard, Premium, and Isolated classes. Each tier has an Azure Compute Unit (ACU) count that indicates its performance objective, plus its own set of capabilities and limits. The Free and Shared tiers share compute resources with other Azure customers, so they are not recommended for production environments.
An App Service Plan runs applications on a set of VMs that are hidden from the engineer. At least one VM instance is always up once the plan is provisioned, which means the plan consumes budget even when no application is deployed to it.
The service can be configured for horizontal autoscaling, which adds or removes instances based on performance metrics.
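As an added example (not part of the original notes), the plan and autoscale setup described above expressed with the Azure CLI. The resource group, region, plan name, tier and CPU thresholds are assumptions; the script prints the commands instead of running them when DRY_RUN=1, so the change can be reviewed first:

```shell
#!/bin/sh
# Added example, not part of the original notes: create a dedicated Linux
# App Service Plan and attach a CPU-based horizontal autoscale setting.
# All resource names are constructed placeholders.
set -eu

RG="${RG:-rg-appsvc-demo}"
LOCATION="${LOCATION:-westeurope}"
PLAN="${PLAN:-asp-demo-linux}"

# Every az call goes through run(). With DRY_RUN=1 the command line is
# printed instead of executed, so the change can be reviewed before apply.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Dedicated tier (PremiumV3). Free and Shared tiers run on compute shared
# with other tenants, which is why they are kept out of production.
create_plan() {
  run az appservice plan create \
    --resource-group "$RG" \
    --name "$PLAN" \
    --location "$LOCATION" \
    --is-linux \
    --sku P1v3 \
    --number-of-workers 2
}

# Horizontal autoscale on the plan: never below 2 instances (one instance
# can fail without downtime), never above 5 (bounds the bill); scale out
# when average CPU exceeds 70% for 10 minutes, back in below 30%.
configure_autoscale() {
  run az monitor autoscale create \
    --resource-group "$RG" \
    --resource "$PLAN" \
    --resource-type Microsoft.Web/serverfarms \
    --name "${PLAN}-autoscale" \
    --min-count 2 --max-count 5 --count 2
  run az monitor autoscale rule create \
    --resource-group "$RG" \
    --autoscale-name "${PLAN}-autoscale" \
    --condition "CpuPercentage > 70 avg 10m" \
    --scale out 1
  run az monitor autoscale rule create \
    --resource-group "$RG" \
    --autoscale-name "${PLAN}-autoscale" \
    --condition "CpuPercentage < 30 avg 10m" \
    --scale in 1
}

# Usage: DRY_RUN=1 APPLY=1 sh plan.sh  (review)   then   APPLY=1 sh plan.sh
if [ "${APPLY:-0}" = "1" ]; then
  create_plan
  configure_autoscale
fi
```

The minimum of two instances is the part worth keeping even when the thresholds change: with a single instance the plan is still billed, as the notes say, but a restart or platform upgrade means downtime.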
The engineer needs to take into account that there are two separate interfaces for inbound and outbound network traffic: the IP address used to reach the application is not the one its outgoing connections come from.
By default, the outbound IP address is dynamic. To make it static, different techniques can be applied:
- VNet Integration: associate an Azure Virtual Network subnet with the App Service Plan, which limits the variation of outbound IP addresses to the subnet's IP range. In this case the App Service's traffic can additionally be routed to Azure Firewall or a NAT Gateway.
- Hybrid Connections make it possible to pass all outbound traffic over the Azure Relay agent. This requires configuring and maintaining at least one Windows VM or server. The advantage of this approach lies not only in making the application's outbound IP deterministic but also in providing access to private networks behind highly restrictive firewall rules: the agent uses a pull (outbound) connection and can establish it even through an HTTP proxy.
IP address filtering for inbound connections can be done with Access Restrictions. If only private access is required, a Private Endpoint can be configured to give the application a private IP.
Inbound connections can be protected with Azure Front Door or Azure Application Gateway.
Azure Traffic Manager can be used for sophisticated multi-region load balancing.
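As an added example (not part of the original notes), the VNet Integration, Access Restrictions and Front Door protection described above applied to an existing Web App with the Azure CLI. Resource names, the 203.0.113.0/24 office range (TEST-NET-3) and the Front Door id are constructed placeholders; the last function shows how to read the app's possible outbound addresses, which are the ones a downstream firewall would need, not the inbound address:

```shell
#!/bin/sh
# Added example, not part of the original notes: lock down a Web App's
# outbound and inbound network paths with the Azure CLI.
# All names and addresses are constructed placeholders.
set -eu

RG="${RG:-rg-appsvc-demo}"
APP="${APP:-app-demo-web}"
VNET="${VNET:-vnet-demo}"
SUBNET="${SUBNET:-snet-appsvc-integration}"
OFFICE_CIDR="${OFFICE_CIDR:-203.0.113.0/24}"
FRONTDOOR_ID="${FRONTDOOR_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder

# With DRY_RUN=1 the command line is printed instead of executed.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Outbound: integrate with a delegated subnet and route *all* traffic
# through it, so egress leaves from the subnet range (where it can be
# NATed or sent to Azure Firewall). Without --vnet-route-all-enabled only
# RFC 1918 destinations go into the VNet and Internet traffic keeps the
# dynamic platform addresses.
configure_outbound() {
  run az webapp vnet-integration add \
    --resource-group "$RG" --name "$APP" \
    --vnet "$VNET" --subnet "$SUBNET"
  run az webapp config set \
    --resource-group "$RG" --name "$APP" \
    --vnet-route-all-enabled true
}

# Inbound: allow the office range and Front Door's backend service tag.
# The X-Azure-FDID header check is the important part: the service tag
# covers every Front Door profile in Azure, the header pins it to ours.
# Once any rule exists, unmatched traffic is denied.
configure_inbound() {
  run az webapp config access-restriction add \
    --resource-group "$RG" --name "$APP" \
    --rule-name office --action Allow --priority 100 \
    --ip-address "$OFFICE_CIDR"
  run az webapp config access-restriction add \
    --resource-group "$RG" --name "$APP" \
    --rule-name frontdoor --action Allow --priority 200 \
    --service-tag AzureFrontDoor.Backend \
    --http-header "x-azure-fdid=$FRONTDOOR_ID"
}

# The set of addresses the app may use for egress. Before VNet
# integration this list can change when the app is moved or scaled.
show_outbound_ips() {
  run az webapp show \
    --resource-group "$RG" --name "$APP" \
    --query possibleOutboundIpAddresses --output tsv
}

# Usage: DRY_RUN=1 APPLY=1 sh network.sh  (review)  then  APPLY=1 sh network.sh
if [ "${APPLY:-0}" = "1" ]; then
  configure_outbound
  configure_inbound
  show_outbound_ips
fi
```

Access Restrictions apply to the main site only; the SCM (Kudu) endpoint has its own rule set and is easy to forget, so check it with `az webapp config access-restriction show` after applying the rules.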
Each application has:
- Application code or binaries
- Application settings, including secrets, which can reference Azure Key Vault secrets
- Deployment slots to support the blue/green deployment model. Each deployment slot can be associated with its own code/binaries source (Git pull, Git push, ZIP/WAR archives, FTPS, or cloud sync, e.g. OneDrive)
- Backup & restore capabilities, including backup of the application database
- Monitoring with Azure Monitor
- Quotas to restrict user access based on performance metrics
- Authentication integration capabilities
- SSL certificate & custom domain
- Managed Identity to provide secure passwordless access to databases, Key Vault, and other Azure services deployed in the same tenant
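As an added example (not part of the original notes), three of the items above wired together with the Azure CLI: a system-assigned Managed Identity, an application setting that references a Key Vault secret instead of holding its value, and a staging deployment slot for a blue/green swap. Names, the vault, the secret and the subscription id are constructed placeholders:

```shell
#!/bin/sh
# Added example, not part of the original notes: managed identity,
# Key Vault reference in app settings, and a staging slot for blue/green.
# Names and the subscription id are constructed placeholders.
set -eu

RG="${RG:-rg-appsvc-demo}"
APP="${APP:-app-demo-web}"
KV="${KV:-kv-demo}"
SECRET="${SECRET:-DbPassword}"
SLOT="${SLOT:-staging}"
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
KV_SCOPE="/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RG/providers/Microsoft.KeyVault/vaults/$KV"

# With DRY_RUN=1 the command line is printed instead of executed.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# 1. Identity: the app gets tokens issued to this identity, so no credential
#    is stored anywhere. Prints the principalId the next step needs.
assign_identity() {
  run az webapp identity assign \
    --resource-group "$RG" --name "$APP" \
    --query principalId --output tsv
}

# 2. Least privilege: "Key Vault Secrets User" only reads secret values,
#    and the assignment is scoped to this one vault, not the resource group.
grant_secret_read() {
  principal_id="$1"
  run az role assignment create \
    --assignee-object-id "$principal_id" \
    --assignee-principal-type ServicePrincipal \
    --role "Key Vault Secrets User" \
    --scope "$KV_SCOPE"
}

# 3. The setting holds a Key Vault *reference*; App Service resolves it at
#    startup with the identity from step 1. The value never sits in config.
set_secret_reference() {
  run az webapp config appsettings set \
    --resource-group "$RG" --name "$APP" \
    --settings "DB_PASSWORD=@Microsoft.KeyVault(VaultName=$KV;SecretName=$SECRET)"
}

# 4. Staging slot cloned from production configuration. ENVIRONMENT is a
#    slot setting (--slot-settings): it sticks to the slot and is not
#    carried into production by the swap.
create_staging_slot() {
  run az webapp deployment slot create \
    --resource-group "$RG" --name "$APP" \
    --slot "$SLOT" --configuration-source "$APP"
  run az webapp config appsettings set \
    --resource-group "$RG" --name "$APP" --slot "$SLOT" \
    --slot-settings "ENVIRONMENT=$SLOT"
}

# 5. Blue/green cut-over. The previous production code stays in the slot,
#    so rolling back is a second swap.
swap_to_production() {
  run az webapp deployment slot swap \
    --resource-group "$RG" --name "$APP" \
    --slot "$SLOT" --target-slot production
}

# Usage: DRY_RUN=1 APPLY=1 sh app.sh  (review)  then  APPLY=1 sh app.sh
if [ "${APPLY:-0}" = "1" ]; then
  pid=$(assign_identity)
  grant_secret_read "$pid"
  set_secret_reference
  create_staging_slot
fi
```

One caveat a swap will surface: each deployment slot has its own managed identity, so the staging slot needs steps 1 and 2 repeated with `--slot "$SLOT"` before its Key Vault references resolve; otherwise the app in staging starts with an unresolved DB_PASSWORD setting.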
App Service can be integrated with additional Azure services such as:
- Azure CDN to speed up content delivery to end users
- Azure Storage Accounts for log export or for persistent Docker container storage
- Azure Application Insights to monitor and debug application state
- Azure API Management to aggregate APIs and publish API offerings