Developers need to be able to access the KUDU logs for deployment and diagnostic troubleshooting without having contributor access to the web app. Can a read-only role or resource provider operation be created in order to grant this level of access?
85 votes
Thanks for the valid suggestion. Your feedback is now open for the user community to upvote, which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature.
When an App Service is integrated into a Regional VNET, the subnet is delegated with Microsoft.Web/Server Farm, and if we delete the App Service we are unable to remove the service association link from the subnet. The subnet goes to waste and we need to raise a ticket with Microsoft. Either don't allow people to delete the Function App/App Service, forcing them to disconnect from the VNET first, or, if it gets deleted, also clean up the delegation on the subnet.
61 votes
Add support for NetworkWatcher / NSG Flow logs for App Service with Regional Vnet Integration enabled
At the moment, if one uses an App Service with Vnet Integration there is NO way to monitor the traffic that traverses this path. For organizations with requirements to monitor ALL network traffic for integrity / Security / Audit purposes - this presents a significant challenge as ALL traffic that traverses this integration is not able to be monitored. Since the App Service presents itself as on a given subnet within the Vnet - there should be NO reason that NetworkWatcher or NSG flow logs shouldn't be usable.
57 votes
Thank you for the feedback, we are reviewing this request.
Connecting WebApp Service and a DBaaS (MS SQL, MySQL, etc.) PaaS through a VNet service. We understand that there is a SNAT limitation when a web app service is connected to a PaaS service that causes errors in the application.
We need a private endpoint for DB PaaS services to overcome the SNAT limitation and also to reduce the latency while connected through a private IP address.
43 votes
Please remove the server header from the web app front end server and from API Management servers.
It does not matter if our web app removes the header; the front end server still has the header.
42 votes
There doesn't seem to be a clear and defined way to manage HTTP headers with an Azure static website. I know this feature is still in preview but my team and I are attempting to make this into a production ready web application.
When an App Service is configured with an IP Restriction, only whitelisted IPs can access the App Service URL/site. Other users can't access the URL. By default the blacklisted IPs or denied IPs will receive
Error 403 - This web app is stopped. Many SRs can be seen with this requirement to divert or return a custom error message instead of the 403 error. It would be great if we had a feature in the portal to divert with a custom message when the IP restrictions are configured for a web app.
23 votes
Currently ASE allows uploading of ILB certificates through script/portal.
Provision to autopick certificate from Azure KeyVault using thumbprint should be made possible through script/portal.
16 votes
Currently, we have a number of Azure DevOps Pipeline Service Principals (SP) belonging to different squad teams to manage different workloads and to avoid any SP being able to modify the virtual network by default.
Every App Service that connects to a subnet through VNet integration requires a permission from the Virtual Network of Write: Create or Update Virtual Network Subnet.
By just looking at the permission name, this permission can create or update the virtual network subnet. Please create an individual permission to just connect to a subnet from App Service/App Service Plan with the least privilege.
16 votes
If there are features that are not available in App Service, I want you to see why.
For example, App Service on Linux supports VNet integration.
But the Docker Compose function does not support Virtual Network integration (Sep 2020, currently).
We can't see the "VNet Integration" item in the portal when Docker Compose is selected.
I think it would be kinder to tell me why I can't see it.
13 votes
Allow multiple VNET integrations inside an app service plan as it affects the existing production loads.
12 votes
When the singleton lock is reset, the job may start in parallel, and I would like to detect this, to be able to distinguish whether the singleton lock has been reset.
11 votes
I want to configure RBAC (IAM) individually for Web App with hybrid connection, but I can only configure it per Web App.
Also, although the actual status of the hybrid connection should be Service Bus, it can not be set because it is not displayed in the list.
I would like to be able to configure RBAC (IAM) separately for Web App with hybrid connections.
11 votes
We have web apps that query Hive on HDInsight, which works fine when hosted on on-prem IIS. We need the Hive ODBC driver installed on the VM to get it to work.
But when we deploy on Azure App Service it fails due to the missing driver.
Can Microsoft® Hive ODBC Driver be installed on Azure App Service Environment & Azure Function please?
9 votes
If no access restrictions are created, a default implicit allow all rule exists. Once a rule is added, say "Deny a single IP address", an implicit "Deny all" rule is added, meaning you now need to add explicit rules for everything else. This should be ok if you include CIDR notation for all IPs, but if someone is using service endpoints they are now unable to access your service unless you have access to their network, which is not realistic or scalable in most scenarios where you are a service provider. An explicit "Allow all" would be ideal to cater for this.
6 votes
When our webjobs are running recently, we don't know why they are hung up. The status changes from running to pending restart. But I didn't get any hang up notification. I want to create a service to monitor it, and there is no corresponding API. Can webjobs provide an API to monitor the status or send a notification when the job hangs up?
6 votes
Currently, the Authentication / Authorization blade for Azure web apps does not have specific configurations for protecting virtual directories. However, many business cases need to have the main site available to the public, but some pages (like admin pages) need to be protected by Azure AD.
Therefore, it will be great to use Azure Active Directory sign-in to protect a virtual directory in a web app.
Raed Alahmad
6 votes
I’d love to see a warning - at least - in the Azure portal that connectionStrings with hyphens are a bad idea... that would prevent a lot of wasted debugging hours for others.
5 votes
Node Apps on App Service can specify the version of the Node runtime in the "engines" section of package.json,
but Function Apps (Runtime v2) cannot specify the version in package.json, so they have to specify the version of Node by setting the WEBSITE_NODE_DEFAULT_VERSION variable.
Is this behavior by design?
4 votes
Under VMScaleSet AutoScalability config, we like to set the Default applicable only during a scheduled time (Say, set to 5 instances as default count during 6am-8am from Jan till April. For rest of the time and dates we like to shrink the Default to 1).
Added a doc with snapshots and description.
4 votes