Best Practice for Azure App Service
The following configurations are recommended for the Azure App Service which is utilised for SmartIQ PaaS deployment in Azure.
Monitoring
Configuring Alerts:
Azure allows you to create alerts on the different metrics at App Service (web app) and App Service plan level. These alerts are activated when the system crosses the threshold level configured for each alert. The recommended alerts which must be configured are as follows:
- Average Response Time: The average time spent for the app to service requests in ms.
- Average memory working set: The average amount of memory in MiBs used by the app.
- HTTP Server Errors: Count of requests resulting in an HTTP status code >=400 but <500
- CPU Percentage: The average CPU used across all instances of the plan. It’s recommended to configure this alert at 80 percent.
- Memory Percentage: The average memory used in all instances of the plan. It’s recommended to configure this alert at 80 percent.
Availability
Configure Scale Out in App Service plan
In the Azure Portal, you can manually set the instance count of your service, or you can set parameters to have it scale automatically based on demand. This is typically referred to as Scale out or Scale in.
Before scaling based on instance count, you should consider that scaling is affected by Pricing tier in addition to instance count. Different pricing tiers can have different numbers of cores and amounts of memory, so a higher tier will have better performance for the same number of instances (changing the tier is referred to as Scale up or Scale down).
It is recommended that you configure a scale-out rule for CPU Percentage and Memory Percentage greater than 80 percent and a scale-in rule for CPU and Memory Percentage less than 30 percent.
For more details on configuring a scale-out rule, refer to the following link:
https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/insights-how-to-scale
Security
Enforce HTTPS
You should redirect all HTTP requests to the HTTPS port for your web app. To do this, go to your web app page and select Custom domains in the left navigation. Then, in HTTPS Only, select On.
Configure SSL Certificate
When a web application is created using Azure App Service, it is assigned to a subdomain of azurewebsites.net. For example, if the app name is Demo, the URL is demo.azurewebsites.net. By default, Azure enables HTTPS with a wildcard certificate assigned to the *.azurewebsites.net domain.
Best Practice
If you are going to map a custom domain to your web app, you must apply an SSL certificate to the web app; otherwise your site will not be secure.
Refer to the following URLs, which list the steps for mapping a custom domain and binding an SSL certificate to your web app.
Map Custom Domain:
https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-domain
Bind SSL Certificate:
https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl
IP Restrictions
IP Restrictions allow you to define a list of IP addresses that are allowed to access your app. The allow list can include individual IP addresses or a range of IP addresses defined by a subnet mask.
When a request to the app is generated from a client, the IP address is evaluated against the allow list. If the IP address is not on the list, the app replies with an HTTP 403 status code.
Best Practice
If your website is not client facing, consider configuring the list of IP addresses that should be allowed to access the site.
Refer to the following URL to configure app service IP restrictions:
https://docs.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions
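The allow-list evaluation described in this section, modelled locally as an added example (not SmartIQ or Azure code) so that a proposed list can be checked before it is applied. The addresses are constructed documentation-range values, and the function names, the fail-closed handling of unparseable addresses and the IPv4-mapped handling are assumptions of this model.

```python
# Added example: local model of allow-list evaluation, not Azure's implementation.
import ipaddress

# Constructed sample allow list: one single address and two ranges
# (CIDR and dotted subnet-mask notation). Documentation-range addresses only.
SAMPLE_ALLOW_LIST = [
    "203.0.113.10",
    "198.51.100.0/24",
    "192.0.2.64/255.255.255.192",
]


def parse_allow_list(entries):
    """Turn allow-list strings into network objects, rejecting risky entries."""
    networks = []
    for entry in entries:
        # strict=True refuses entries with host bits set (e.g. 10.0.0.5/24),
        # which usually means the range is not the one the author intended.
        net = ipaddress.ip_network(entry.strip(), strict=True)
        if net.prefixlen == 0:
            raise ValueError(f"{entry!r} matches every address; not an allow list")
        networks.append(net)
    return networks


def evaluate_request(client_ip, networks):
    """Return the status described above: 403 unless the IP is on the list."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return 403  # unparseable source address: fail closed (assumption)
    # Modelling choice: an IPv4 client seen as ::ffff:a.b.c.d is compared as IPv4.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    for net in networks:
        if addr.version == net.version and addr in net:
            return 200
    return 403


def audit(clients, entries=SAMPLE_ALLOW_LIST):
    """Map each test client IP to the status it would receive."""
    networks = parse_allow_list(entries)
    return {ip: evaluate_request(ip, networks) for ip in clients}


if __name__ == "__main__":
    print(audit(["203.0.113.10", "198.51.100.77", "192.0.2.130"]))
```

Running `audit` with the addresses of known administrators and of a host that must be blocked confirms the list does what is intended before it is entered in the portal.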
Backup
Continuous Deployment
You should consider configuring a continuous deployment workflow for your Azure Web Apps. App Service integration with BitBucket, GitHub, and Visual Studio Team Services (VSTS) enables a continuous deployment workflow where Azure pulls in the most recent updates from your project published to one of these services.
By using tools such as GitHub and VSTS you can use features such as collaboration, tracking commits, rollback, backup, etc.
Refer to the following URL to configure continuous deployment:
https://docs.microsoft.com/en-us/azure/app-service/app-service-continuous-deployment