SmartIQ KnowledgeHub

Azure Components for PaaS

All components required to run SmartIQ as PaaS in Azure are deployed in a single Azure Resource Group, which groups the components logically. Consider the geographical location where your application will be deployed in order to minimize latency. It is also recommended that both the App Service and the SQL Database are deployed in the same Azure Datacentre.

Here is an overview of the components that must be deployed to host SmartIQ as PaaS in Azure.

Azure Components for deploying SmartIQ

App Service Plan

Represents the collection of physical resources used to host your apps, where Region, Scale Count, Instance Size and SKU are defined.

SmartIQ has two main applications (Produce and Manage) that are deployed as Virtual Applications in Azure PaaS.

A Web Job is used to deploy the Scheduler, which runs as a service and triggers tasks scheduled within Manage.

App Service

PaaS offering of Microsoft Azure that allows creating web and mobile apps for any platform or device. Azure runs deployed apps on Microsoft-managed virtual machines (VMs).

This is the Azure component used to deploy Produce and Manage, where SSL is configured to secure data in transit (HTTPS).

Azure SQL Server and Database

Relational database as a service using the Microsoft SQL Server Engine. SQL Database is a high-performance, reliable, and secure database, without needing to manage infrastructure.

Transparent Data Encryption is always enabled to secure data at rest.
The firewall is configured to accept requests only from the Produce and Manage applications.

Azure Key Vault

Azure Key Vault can be used as the wrapper/unwrapper for SmartIQ's Data Encryption Key (DEK). The application calls into the vault any time a new DEK is created and stored in the database, as well as when a previous DEK is needed by the application.

Key Vault is not used to encrypt any data at this time. It is only used for DEK wrapping/unwrapping.

If Key Vault is not configured for the site, SmartIQ will use its static KEK as before. Once Key Vault has been configured and a DEK has been wrapped by it, Key Vault will always be required to unwrap that DEK. If Key Vault is later disabled, new DEKs will be wrapped by the static KEK. If SmartIQ is no longer able to contact Key Vault, there will be no way to unwrap the DEK and therefore no way to decrypt the data that was encrypted by the DEK.

If the key ID is ever deleted from Azure, the data in SmartIQ can be considered lost.

There is one Key Vault configuration per site - Manage, Produce, and the Scheduler require the same settings.

Only one Key Vault key ID is supported at a time but it can be changed at any time. Each DEK records what key ID was used to wrap it and will always use that ID and version to unwrap it. The key ID in configuration is only used when wrapping newly created DEKs.

The web server requires access to call out to Azure APIs, which it should already have if the site is running on Azure.

Key Vault Configuration

To enable Key Vault, add the following block to AppSettings (changing the KeyUri as appropriate):

  "Azure": {
    "KeyVault": {
      "Enabled": "True",
      "KeyUri": ""
    }
  }

"Enabled": Controls whether SmartIQ will use Key Vault to wrap newly created DEKs. Existing DEKs wrapped by Key Vault will always use Key Vault.
"KeyUri": Unique path to a Key Vault key. Do not include the version number after the key ID.
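
The check below is an added example, not SmartIQ code: it validates a KeyUri against the no-version rule above and lists the Key Vault key IDs that existing DEKs still depend on, so that a key is not deleted while data still needs it. The vault name, key names, the `static-kek` marker and the DEK record fields are constructed placeholders and assumptions.

```python
import json
from urllib.parse import urlparse

# Constructed sample: the AppSettings block from this page with a placeholder KeyUri.
APPSETTINGS = json.loads("""{"Azure": {"KeyVault": {"Enabled": "True",
  "KeyUri": "https://example-vault.vault.azure.net/keys/example-kek"}}}""")

# Hypothetical DEK records. The page says each DEK records the key ID and version
# that wrapped it; the field names and the "static-kek" marker are assumptions.
DEKS = [
    {"dek": 1, "wrapped_by": "static-kek"},
    {"dek": 2, "wrapped_by": "https://example-vault.vault.azure.net/keys/old-kek/1111"},
    {"dek": 3, "wrapped_by": "https://example-vault.vault.azure.net/keys/example-kek/2222"},
]

def _path_parts(uri):
    return [p for p in urlparse(uri).path.split("/") if p]

def check_key_uri(uri):
    """Return the problems found in a configured KeyUri (empty list means OK)."""
    problems = []
    parts = _path_parts(uri)
    if urlparse(uri).scheme != "https":
        problems.append("KeyUri must use https")
    if len(parts) < 2 or parts[0] != "keys":
        problems.append("KeyUri path must be /keys/<key-name>")
    elif len(parts) > 2:
        problems.append("KeyUri must not include the key version")
    return problems

def key_id(wrapped_by):
    """Drop the version segment so a DEK record can be matched to its key ID."""
    u = urlparse(wrapped_by)
    return f"{u.scheme}://{u.netloc}/keys/{_path_parts(wrapped_by)[1]}"

def keys_still_required(deks):
    """Key IDs that existing DEKs need for unwrapping; deleting one loses that data."""
    return sorted({key_id(d["wrapped_by"]) for d in deks
                   if d["wrapped_by"].startswith("https://")})

def wrapper_for_new_dek(settings):
    """Per the page: the configured key ID is used only for newly created DEKs."""
    kv = settings.get("Azure", {}).get("KeyVault", {})
    enabled = str(kv.get("Enabled", "")).lower() == "true"
    return kv.get("KeyUri", "") if enabled else "static-kek"

if __name__ == "__main__":
    print(check_key_uri(APPSETTINGS["Azure"]["KeyVault"]["KeyUri"]))
    print(keys_still_required(DEKS))
    print(wrapper_for_new_dek(APPSETTINGS))
```

Changing the configured KeyUri leaves `old-kek` in the required list until no DEK record references it, which is the point at which that key is no longer needed for unwrapping.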

Updated 5 months ago
