Web Apps
Web Apps in Azure App Service provides a scalable, reliable, and easy-to-use environment for hosting web applications. Select from a range of frameworks and templates to create a web site in seconds. Use any tool or OS to develop your site with .NET, PHP, Node.js, Python and more. Choose from a variety of source control options including TFS, GitHub, BitBucket and others to set up continuous integration and develop as a team.
More details about the services are available in the App Service documentation. If you have a technical issue, please open a post on the developer forums through Stack Overflow or MSDN.
Products that we listen to in this space include: App Service, Web Apps, API Apps and Web App for Containers.
-
Provide acceptable scale out time for instances in ASE Isolated instance types
Scaling is a core feature of App Services. We used ASE for the additional features however it means we are stuck with 40 mins scale out time to add an instance. Per support this is by design, however this is not documented anywhere in public domain.
Scaling is supposed to help us get customers on to Azure, if it takes 40 mins to add an instance, it will not meet the business needs, we abandoned ASE only due to this issue. Kindly document current scale out time in public documentation so that user know this before hand.
Ultimate goal should…79 votesThanks for the feedback!
You’re right that ASE scaling operations take longer than the common plans on multi-tenant App Service. We are looking at ways to decrease the time so it will on par with multi-tenant but this means a new infrastructure is needed with managing a pool or pre-assigned VMs to the ASEs.
This is documented here, though without a time frame mentioned as it depends on a numbers of factors: https://docs.microsoft.com/en-us/azure/app-service/environment/using-an-ase#how-scale-works.
We will update when there is more information here.
Thanks,
Oded -
Azure App Service Certificate : Add support for EV certificates (Extended Validation)
Azure App Service Certificate permit to have standard SSL and Wildcard. But need to add a new SKU for permit customers to register an EV Certificate too (Extended Validation)
75 votesYou can get EV certificates from Azure Key Vault service today or bring your own certificate from external CA and import it via “Upload Certificate”. You would then have to upload the certificate from Key Vault as documented here https://docs.microsoft.com/en-us/azure/key-vault/key-vault-use-from-web-application
We are looking into how to improve the experience in Azure portal .
-
Provide more secure TLS ciphers
Currently Chrome flags the CBC ciphers as obsolete. CBC ciphers are at the top of the cipher preference list of Azure Web Apps as you can see there: https://www.ssllabs.com/ssltest/analyze.html?d=test.azurewebsites.net
More info: https://www.chromium.org/Home/chromium-security/education/tls#TOC-Cipher-SuitesSo please provide some more secure ciphers from the ECDHE cipher suite like TLSECDHERSAWITHAES256GCMSHA384, TLSECDHERSAWITHAES128GCMSHA256, TLSECDHERSAWITHCHACHA20POLY1305SHA256.
74 votesHi there,
We are constantly reviewing cipher suites and will update more in the future.
Thanks,
Oded -
Linux Static Site on Nginx
One of the most common web techniques today is static generated web sites. Ideally, there would be an option along with Node, Php etc for Static HTML. This would allow configuration for just running Nginx web servers to host static sites.
56 votesThanks for your suggestion, we will evaluate the suggestion and post an update when we have news to share.
Ahmed
App Service Team -
55 votes
With the release of Azure App Service on Linux, we are looking in supporting Golang as a built-in runtime stack. In the meanwhile you can create a custom container that supports Go.
A link of how to use a custom docker container with Web App for Containers:
https://docs.microsoft.com/en-us/azure/app-service/containers/quickstart-custom-docker-imageThanks,
Ahmed, App Service -
Fix export of resource type 'Microsoft.Web/sites/config'
get error :"Could not get resources of the type 'Microsoft.Web/sites/config'. Resources of this type will not be exported. (Code: ExportTemplateProviderError)"
Among the obvious it would be nice to see how to set various app settings like turning off PHP and activating 'Always On' or maybe turning off 'ARR Affinity'.
54 votes -
FTP accounts tied to subscription, not user. Not enough auditing
In the current model, FTP credentials are tied to a user's azure login. Thus, we have no visibility into credentials that are set, as we cannot see other people's FTP credentials they've set. Furthermore, when an FTP account is created or deleted, nothing is logged. This makes it difficult to audit who has access. With the logins being tied to the user, when the user leaves, there is no way for us to reclaim that username unless they delete their ftp credentials first. This doesn't always work, as a user may depart abruptly or not on good terms. Although the…
50 votesHi there,
Thanks for logging this idea. It’s definitely a valid request and we’ll leave it under review to see it collects more support from users.
As a reference, take a look at the deployment credentials doc we have out: https://docs.microsoft.com/en-us/azure/app-service-web/app-service-deployment-credentials
Thanks,
Oded -
Document healthcheck URL requirement for custom containers
With Web App for Containers, it seems Azure uses a special URL "/robots933456.txt" to check when the container has started, and expects a valid HTTP response (404 is fine). This requirement for custom containers should be mentioned in the documentation! (and preferably, it should be configurable)
44 votes -
Allow AAD multi-tenant Apps using App Service Authentication and Authorization
Allow Azure Active Directory (AAD) multi-tenant Apps using App Service Authentication and Authorization.
After on-boarding a tenant with a multi tenant AAD App (Client), the tenant is not able to login to protected Web/Api Apps on App Services.
The ClientId used is the same in AAD Multitenant App.
The STS url is/can only be configured for the App/Client primary tenant GUID.There are no options to enable-multi tenant STS on App Service Authentication and authorization interface.
41 votesLeaving this under review for now to see if there is more user support for development.
Thanks,
Oded -
A method to allow folks to access the FTP transfer logs when ftp is used to deploy code changes to their azure web apps.
Allow site admins to access the ftp transfer logs when ftp is the selected method used to make web site deployment updates. We use ftp to allow site updates, and we've had an incident where having access to those logs would be very helpful.
35 votesWe’re looking into to see what is currently supported here.
Thanks
Oded -
Disaster Recovery for Azure WebApp
Currently, we have to deploy the Azure WebApp twice, one in West Europe and other in North Europe to support Disaster Recovery.
It means that we need to update the both WebApps if we want to deploy new artifacts in WebApp.
It is very difficult to sync artifacts in both WebApps.
It would be great if Azure provides the RA-GRS(Read-access geo-redundant storage) feature for WebApp like Azure SQL Database.
With this feature the synching of artifacts between both WebApps done by RA-GRS feature.
So we will not deploy the new artifacts in both web app, when we deploy the artifacts…34 votesThanks fort the feature request! We have work on the backlog for disaster recovery, but we don’t have a timeline to share at the moment.
Thanks,
Oded -
PowerShell and CLI support for the management of App Service Environments
Azure PowerShell and Azure CLI commands to support the management of an App Service Environments (at least v2). Hopefully this could include the ability to get management IP information, do scaling, and if it is an ILB ASE update the ILB Certificate.
33 votesCLI and Poweshell for scaling is available in ASE v2 through the same App Service commands.
We are expanding CLI and PowerShell support more down the road.
Thanks,
Oded -
Option to hide/anonymize IPs in webserver logs to be GDPR compliant
It would be very helpfull if there would be an option to hide/anonymize IPs in webapps webserver logs. Right now you have to disable webserver logs completely to be GDPR compliant which might be not best practice.
33 votesHi all,
Thank you for the feedback and recommendations on this important topic!
We will look at adding this to our feature roadmap though we don’t have any timing to share right now.
For additional guidance please refer to “Azure Data Subject Request GDPR Documentation” under the Service Trust Portal: https://servicetrust.microsoft.com/ViewPage/GDPRDSR. Specifically read through, Part 1 – Step 5, which discusses the removal of personal data and timing in which you can leverage retention period settings for the logs.
Thanks,
Oded -
Auto-scale up and down not just out, for web apps
Hi
Can you expand the auto-scaling feature to include up and down scaling as well as in / out?
so for example, scale the web app up a tier in peak and down a tier i off hours. Or something to that effect.
Thanks
31 votesThis is an interesting idea, though not feasible at the moment. We will leave this on the roadmap to review later on.
Thanks,
Oded -
Provide access to HTTPERR logs
Currently, enabling "Web Server Logging" appears to archive only the W3C request logs. The HTTPERR logs are the only way to see any requests that failed or were rejected by the server due to TCP timeouts, idle connections, filled request queues, and similar circumstances.
30 votesJust an update that we still have this on our backlog. If it gains more user support, we will look to prioritize this and add the view to our internal support center.
Thanks,
Oded -
Better inform users of when their App Service Certificates are about to expire or have not auto renewed (7 days?)
This week another of our customer's sites went down due to an Azure App Service certificate expiring without us being notified of its pending expiry - we mark all App Service Certificates to Auto Renew and some of them do infact renew and rebind without our intervention, others certificates have got stuck on the domain validation phase (which we validated 1st time we bought the certificate ofcourse) and the latest certificate is now expired and the Manual Renew button is disabled as it seems to think its outside the 60 day renewal window.
A simple email to us (we receive…
30 votesWe are currently investigating options on improving renewal of certs and notifying customers.
-
Enable application logging in ILB ASE
Currently there is no way to access our applications trace logs in an ILB ASE environment. I understand the Log Stream button is greyed out in the portal, but even using Kudu, FTP, blob, or streaming in VS, none of these are working in ILB ASE, and support tells us this is a known issue. This is a huge downside for us because we depend on our customized application log messages for troubleshooting.
29 votesThanks for the request. This is under review and we will discuss internally how to support.
Thanks,
Oded -
Add feedback on the Portal on Automatic Swaps
When we configure a staging slot with Continuous Deployment and Auto-Swap we need some sort of visual feedback to know when the swap was done. Right now what we see is that the Active Deployment of the staging slot changes to the previous deploy checkpoint and that's how we know it swapped.
It would be great if on the production slot we could get at least some sort of message saying the current Active Deployment that was swapped or at least some sort of visual aid.26 votesThank you Matias, we are reviewing this idea.
Daria, App Service
-
[Linux] - Set Docker Image Tag as a slot setting in Application Settings of a Web App for Containers
When swapping between staging and production slots of a Web App for Containers, it would be really handy to have the option of keeping the tag of each image in its respective slot (e.g. image:latest for production, image:dev for staging) and not get them to swap after each slot swap.
Imagine you setup Continuous Deployment through Dockerhub. You push code changes on GitHub, and image build is triggered and then an image pull request from Azure to Dockerhub. If a swap has preceded the above flow, then newly build images would end up in the opposite from desired deployment slots. …26 votesThank you for the feature request. We will be taking a look.
Oded
-
Strict-Transport-Security
With the ability now to force HTTPS, it would be nice if Strict-Transport-Security HTTP Header should also be set and knock another finding off of the security report:
Details on The Header:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security25 votesWe’ll be taking a look.
Thanks,
Oded
- Don't see your idea?