How to monitor Azure App Service content changes and publishing activity

There are various ways to deploy an Azure App Service content: FTP, GitHub actions, deploy from Zip and many others. With Azure Role-Based Access Control it is possible to have many different users with contributor access who can deploy new content or modify existing files. In those situations it may be important to track who made the content changes and when. Some companies or businesses may need this capability for various compliance requirements. This blog post explains how to enable the monitoring of app service content publishing activity and content file changes.

Azure App Service is integrated with Azure Monitor which makes many app service logs available in Azure Monitor and Azure Log Analytics. The publishing activity and file change logs are also pushed to Azure Monitor and can be exported to third party services or can be used to create rule-based alerts.

Here are the configuration steps necessary to enable publishing activity and file change logging.

Continue reading “How to monitor Azure App Service content changes and publishing activity”

How to restore a deleted Azure Web App

If you happened to accidentally delete your web app in Azure App Service then up until recently you had to open a support case in order to get it restored. But now you can restore it yourself by using the commands from the Az PowerShell module. This blog post explains how to do that.

Assume you used to have a site named “undeletesiteexample” and you have deleted it accidentally. The first step to recover it is to get the details of the deleted app:

Continue reading “How to restore a deleted Azure Web App”

Using Azure Activity Log to check the progress of deployment slots swap operation

If you use Azure Web App Deployment Slots then you may have noticed that sometimes the swap action may take a while to complete. This may happen when an application that is being swapped into production has a long warmup/initialization phase. It has to be warmed up on every VM in an App Service Plan and that sometimes takes minutes (more detailed description of what happens during the swap can be found in Most common deployment slot swap failures and how to fix them). This blog post explains how to see the progress and the result of the swap operation in the Azure Activity Log.

Continue reading “Using Azure Activity Log to check the progress of deployment slots swap operation”

Most common deployment slot swap failures and how to fix them

Azure Web App Deployment Slots are used to deploy new versions of an application code into production with no interruption to the production traffic. In order to achieve this the swap process involves multiple steps that are performed to prepare the new version of the code to successfully handle the load once it is in production slot. Some of these steps may go wrong, especially when the new version of the code does not cooperate well. This in turn either causes the swap to fail or it results in swapping new code in production while it is still not ready to handle the production load. This post describes the most common reasons why this may happen and how to correct them.

Continue reading “Most common deployment slot swap failures and how to fix them”

How to buy a certificate for an Azure Web App

If you have tried to enable SSL for your Azure Web App you know that the steps to do that are:

  1. Purchase certificate and export it into a PFX file
  2. Upload PFX file to a resource group that contains your web app
  3. Bind the web app’s hostnames to the certificate

Out of those steps the step #1 is the most non-obvious. Just by looking through the instructions in this article you can see that the process is complex and error prone.

Recently the Azure team has released an improved support for buying certificates for Azure Web Apps. Now it is possible to purchase a certificate without ever leaving the Azure Portal UI experience. In this blog post I’ll show how easy it is to buy a certificate and enable SSL for a Web App. As an example I will walk through the process of buying a certificate and enabling SSL for my web site http://ruslany.net/

Continue reading “How to buy a certificate for an Azure Web App”

Azure Web App Deployment Slot Swap with Preview

Some time ago I had a blog post describing how to warm up an Azure Web App during deployment slots swap. In that post I explained the sequence of actions that happens during the swap. One important point in that explanation is that if a site has any app settings or connection strings that are marked as “Slot” then during slot swap those settings are read from target (e.g. Production) slot and applied to the site in the staging slot. That causes the restart of the site’s worker process so that those changes take effect and become visible as process environment variable.

The restart of the worker process is OK for the majority of the swaps. But sometimes it would be useful to pause right after the production settings were applied on the staging slot and before the actual swap of host names happens. Recently Azure Web Apps team has released a “Swap with Preview” feature that supports that use case. That feature will give you a chance to verify that the web site in the staging slot works fine with production settings. Also this will allow you to warm up/initialize the site in any way you want. For example you can generate some load on that site so that its cache is completely pre-populated. After you are satisfied with how the site works in staging slot you can complete the swap so that the site is moved to production slot and starts taking on production traffic. The site’s worker process will not be restarted during that step, which means that the worker process in production slot is exactly what you have tested in staging slot.

To demonstrate how Swap with Preview works I’ve created a site and added a “Slot” setting to it with name “SlotName” and value “Production“. Also I added a “Slot” connection string with value “ProductionConnectionString“.

Continue reading “Azure Web App Deployment Slot Swap with Preview”

How to warm up Azure Web App during deployment slots swap

Azure Web App deployment slots are used to help roll out new versions of an app without downtime or cold start activation. New version is typically deployed to a staging slot, then after testing and final verification it gets swapped into a production slot. During the swap operation the Web App’s worker process may get restarted in order for some settings to take effect. Even though the swap does not proceed until the restarted worker process comes back online on every VM instance, it may still not be enough for application to be completely ready to take on production traffic. This post explains how you can use the recently enabled Application Initialization Module to completely warm up your application prior to swapping it into production.

Continue reading “How to warm up Azure Web App during deployment slots swap”

How to find out outbound IP addresses used by Azure Web App

When an Azure Web App makes an outbound network call it uses a set of predefined IP addresses. Usually the Web App developer needs to know those IP addresses in order to configure firewalls of external services to allow requests from that Web App. In the past it was not easy to discover the IP address of a Web App. There is an article with the list of known IP addresses for each Azure scale unit, but that is not updated as fast as the new Azure scale units brought up online.

Fortunately now it is much easier to discover the outbound IP addresses of an Azure Web App. The list of outbound IP addresses is now included in the REST API Site object and can be accessed by using Azure Resource Explorer. Just select the Web App in the Resource Explorer tree view and then look for the “outboundIpAddresses” property, which will contain a comma separated list of IP addresses. For example the following screenshot shows outbound IP addresses used by my site https://ruslany.net:

Continue reading “How to find out outbound IP addresses used by Azure Web App”

Using Azure Web Site as a reverse proxy

IIS has been supporting reverse proxy configuration since URL Rewrite and Application Request Routing modules were released a few years ago. It is possible to configure an IIS hosted web site to act as a reverse proxy and forward web request to other URL’s based on the incoming request URL path. This is described in details in Reverse Proxy with URL Rewrite v2 and Application Request Routing.

Not too many people know however that the same kind of configuration can be achieved with a web site hosted in Azure Web Sites. This blog post explains the configurations steps to enable that.

For example if I want to forward all the requests that come to https://ruslany.net/proxy/ to some other URL I’ll need to do two things:

  1. Enable proxy functionality in ARR
  2. Add a proxy rewrite rule

Any site hosted in Azure Web Sites has URL Rewrite and ARR enabled. However the proxy functionality is disabled by default in ARR. To enable that we will use the Azure Site Extension XDT transform which will modify the applicationHost.config file for our site and will enable proxy features.

Continue reading “Using Azure Web Site as a reverse proxy”

Azure Web Sites – block web access to non-production deployment slots

Windows Azure Web Sites supports Staged Publishing functionality, which allows you to create a staging site slot where you can publish a new version of the website and then test it before swapping to the production environment. By default the non-production deployment slot has its own hostname that you use to test the bits deployed there. Sometimes, however you may want to prevent users from browsing to your non-production deployment slot while you are testing it.

It is relatively easy to configure your site to block the http request if it is deployed to any non-production slot. For example let’s say I have a site ruslany.azurewebsites.net and I created a deployment slot for it and name the slot as ‘staging‘ (it is possible to give custom names to deployment slots now). The hostname for that deployment slot will be ‘ruslany-staging.azurewebsites.net‘. So to prevent access to the deployment slot from anybody except a few allowed IP addresses I can add the following rewrite rule to my site’s web.config file:

Continue reading “Azure Web Sites – block web access to non-production deployment slots”