2.Dev & Ops

Runtime Management

• OS:
  • OS is updated monthly
  • Physical server are updated monthly
  • 0day and critical updates are handled on a case by case basis
  • Get https://<appname>.scm.azurewebsites.net/Env.cshtml to get the Windows version
• Process & Memory:
  • Application Pool Identity:
    • Each app in App Service runs as a random unique low-privileged worker process identity called the "application pool identity"
  • Application code has access to the memory space associated with the worker process
    • as well as any child processes that may be spawned by CGI processes or other applications
    • an app cannot access the memory or data of another app even if it is on the same virtual machine
• Runtimes:
  • Provided as an extension of IIS
  • App Service doesn't configure any web framework settings to more restricted modes
  • Runtime updates:
    • New stable versions are periodically added to App Service instances
    • 2 modes: side by side or overwriting
      • overwriting: nothing to do, the app use the latest version
      • side by side: require migration of the app to the new version
    • Deprecation:
      • Removal date is announced through:
        • https://azure.microsoft.com/updates/?product=app-service
        • https://github.com/Azure/app-service-announcements/issues
    • Major & minor versions are installed side by side
    • Patch versions are install side by side or overwriting depending on the runtime
    • Use https://<appname>.scm.azurewebsites.net/DebugConsole to get the runtime version
  • ASP.NET
  • ASP
  • Node.JS
  • PHP
  • Python
• Web App Hosting Platform:
  • Windows or Linux
  • Within the same resource group, you can't mix Windows and Linux apps in the same region.
  • Web App on Windows:
  • Web App on Linux:
    • Workload wrapped into Container, made by Web App
• Network:
  • Apps can make TCP or UDP outbound connections
  • App Service doesn't provide RDP access to the VM instances
• IPC:
  • Named pipes are supported between different process that runs an app
• Registry:
  • Keys that allow read-only access to the local Users group are accessible by apps
  • HKEY_CURRENT_USER is not accessible at all
  • Write-access to the registry is blocked

Deployment

• Directory:
  • Deployed app: /home/site/wwwroot
  • Is a UNC Share shared by all instances of the app
  • When files are updated, instances received notification to sync the new file
• Deployment type:
  • Kudu:
    • Runs as a separate process on Windows App Service
    • Runs as a second container on Containers App Service
    • Provide HTTP endpoint for deployment
      • ZipDeploy
  • FTP
  • WebDeploy
  • 3rd parties: use one of the 3 mechanisms
• Languages & deployment:
  • Java: ZipDeploy, WARdeploy
  • Node.js: AppSvc runs npm install, set SCM_DO_BUILD_DURING_DEPLOYMENT to false to avoid it
  • .Net: AppSvc runs dotnet build, set SCM_DO_BUILD_DURING_DEPLOYMENT to false to avoid it
• Deployment slot:
  • Swap prod and staging
    • Far better than deploy to prod directly
    • The swap warm up the required worker instances, eliminating downtime

Monitoring & Diagnostics

• Metrics:
• Logs:
  • Stored on the log directory
  • Can be stored directly on a storage account to avoid local storage limits
  • For containers: https://<app-name>.scm.azurewebsites.net/api/logs/docker
  • Windows ETW events and common Windows event logs (for example, System, Application, and Security event logs) are not accessible from the app
    • App Service is "faking" the API calls to these services so that they appear to succeed
• Testing Network connectivity:
  • Ping, nslookup, and tracert won't work through the Kudu console because of security constraints
  • Possible to use them from Windows containers deployed on the app service
  • DNS functionality:
    • Use nameresolver.exe <hostname>
    • Display WEBSITE_DNS_SERVER env var value to check it
    • Display WEBSITE_DNS_ALT_SERVER env var value to check it
  • TCP connectivity:
    • Use tcpping.exe <hostname> [<port>]