Web Apps

Web Apps in Azure App Service provides a scalable, reliable, and easy-to-use environment for hosting web applications. Select from a range of frameworks and templates to create a web site in seconds. Use any tool or OS to develop your site with .NET, PHP, Node.js, Python and more. Choose from a variety of source control options including TFS, GitHub, BitBucket and others to set up continuous integration and develop as a team.

More details about the services are available in the App Service documentation. If you have a technical issue, please open a post on the developer forums through Stack Overflow or MSDN.

Products that we listen to in this space include: App Service, Web Apps, API Apps and Web App for Containers.

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Remove Weak SSL Cyphers from App Services

    App Services currently supports the following Cyphers:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002
    (Default) REG_SZ NCRYPT_SCHANNEL_INTERFACE
    Functions REG_MULTI_SZ
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256\
    0TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384\
    0TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256\
    0TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384\
    0TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256\
    0TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384\
    0TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256\
    0TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
    \0TLS_DHE_RSA_WITH_AES_256_GCM_SHA384\
    0TLS_DHE_RSA_WITH_AES_128_GCM_SHA256\
    0TLS_RSA_WITH_AES_256_GCM_SHA384\
    0TLS_RSA_WITH_AES_128_GCM_SHA256\
    0TLS_RSA_WITH_AES_256_CBC_SHA256\
    0TLS_RSA_WITH_AES_128_CBC_SHA256\
    0TLS_RSA_WITH_AES_256_CBC_SHA\
    0TLS_RSA_WITH_AES_128_CBC_SHA\
    0TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384\
    0TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256\
    0TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384\
    0TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384\
    0TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256\
    0TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384\
    0TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256\
    0TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384\
    0TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256\
    0TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384\
    0TLS_DHE_DSS_WITH_AES_256_CBC_SHA256\
    0TLS_DHE_DSS_WITH_AES_128_CBC_SHA256\
    0TLS_DHE_DSS_WITH_AES_256_CBC_SHA\
    0TLS_DHE_DSS_WITH_AES_128_CBC_SHA\
    0TLS_RSA_WITH_3DES_EDE_CBC_SHA\
    0TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA\
    0TLS_RSA_WITH_RC4_128_SHA\
    0TLS_RSA_WITH_RC4_128_MD5\
    0TLS_RSA_WITH_NULL_SHA256\
    0TLS_RSA_WITH_NULL_SHA\
    0SSL_CK_RC4_128_WITH_MD5\
    0SSL_CK_DES_192_EDE3_CBC_WITH_MD5

    All Old/Weak Cyphers should be removed to increase security of the service.

    16 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    2 comments  ·  Flag idea as inappropriate…  ·  Admin →
  2. Add alerts/notification for Auto heal application.

    Adding alerts or notification when the there is a Proactive auto healing or Mitigation rules in the application.

    16 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  API Apps  ·  Flag idea as inappropriate…  ·  Admin →
  3. Use actual endpoint testing for custom domains rather than checking CNAME value

    Our domain is “example-domain.com”. Let’s say I’m trying to set up an App Service called “booking-service”, which will be assigned the default URL of “booking-service.azurewebsites.net”. At the *end* of this whole process, I want to have an App Service in Azure responding to the hostname “booking-service.example-domain.com”, sitting behind our CDN (Cloudflare).

    The failing path:
    Step 1: I create the App Service in Azure. This generates the “booking-service.azurewebsites.net” URL.
    Step 2: I create the CNAME “booking-service.example-domain.com” on Cloudflare’s control panel pointing to “booking-service.azurewebsites.net”, leaving the proxy/CDN/IP-hiding feature *enabled*. While in their control panel, we select the “CNAME” record type, however in…

    15 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Deployment  ·  Flag idea as inappropriate…  ·  Admin →
  4. Install odbc driver in Python Stack images

    I created a new Web app with Python 3.7 runtime. I created and deployed a python script, using pyodbc.
    A query on my Azure SQL database results in an error that it can not find the drivers to connect to Microsoft Sql Server:

    2018-11-12T15:37:56.956170588Z File "/home/site/wwwroot/apps/download.py", line 7, in <module>
    2018-11-12T15:37:56.956174588Z import pyodbc
    2018-11-12T15:37:56.956178388Z ImportError: libodbc.so.2: cannot open shared object file: No such file or directory

    Is it possible to have this driver in the Python Runtime Web app?

    15 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Flag idea as inappropriate…  ·  Admin →
  5. Add more native Cloud Apps to conditional base access

    Currently there is only a small set of Cloud Apps available in the Cloud App section to in- or exclude in conditional based access.

    My current configuration blocks all access to all Cloud Apps except the user is either member of a exception group or i excluded an application explicitly (e. g. Exchange Online or Sharepoint) or the device is marked as compliance (Intune) or the device is coming from a trusted location.

    My first problem is, that i cannot onboard devices outside the company without adding the users to the exception group. The Intune Webportal (https://portal.manage.microsoft.com) is…

    15 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  App Gallery  ·  Flag idea as inappropriate…  ·  Admin →
  6. Support SSH to specific container in multi-container setup (Compose or Kubernetes)

    Currently the docs (https://docs.microsoft.com/en-us/azure/app-service/containers/app-service-linux-ssh-support) only describe setting up SSH access to a single container. But what if I have a multi container setup? For example PHP-FPM with an Nginx reverse proxy.

    It seems the SSH access is only supported for the public facing container (in this case Nginx).

    It would be great if I could setup SSH access to all containers.

    15 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    2 comments  ·  Linux  ·  Flag idea as inappropriate…  ·  Admin →
  7. Enable users to isolate an App Service Plan instance in order to perform offline debug

    It’s difficult to balance root causing live fails with keeping a production application running. This feature request attempts to address this by asking for a way to isolate an ASP instance in a running application.

    By isolating a misbehaving instance you can prevent it from affecting the behavior of the application overall. It can be studied for root cause without app devs or support being pressured to do this live on a production app. When debug is complete it could be terminated.

    14 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  App Service Environment  ·  Flag idea as inappropriate…  ·  Admin →
  8. Application Security Groups (ASG) support for App Service Environments (ASE)

    As stated in the comments section of this page https://azure.microsoft.com/en-us/blog/applicationsecuritygroups/
    "It's on the roadmap, all services integrated with VNet like ASE and SQL MI will be part of ASGs groups, as of today the scope doesn't cover subnets for those services, we are exploring options in the near future."

    14 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  App Service Environment  ·  Flag idea as inappropriate…  ·  Admin →
  9. [Linux] Add support to restrict IP access for Web Apps Linux / Docker

    Don't have this functionality became unfeasible use of Linux / Docker Web Apps in production environment

    14 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Linux  ·  Flag idea as inappropriate…  ·  Admin →
  10. [Azure web app LINUX] VSTS deploy to slot

    Currently I am using VSTS for my CI/CD to azure web app linux
    However, unfortunately, there's still a pretty significant downtime for every deployment.

    I tried to create a staging slot to minimize the downtime, and swap to production. however, VSTS doesn't allow me to deploy to my staging slot.

    I created a github issues too here https://github.com/Microsoft/vsts-tasks/issues/4460

    If I can't deploy to my slot, what's the point of having slot in the first place? Please prioritize this as I think this is a pretty important feature

    14 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    2 comments  ·  Linux  ·  Flag idea as inappropriate…  ·  Admin →
  11. Support Healthcheck for Docker on App Service

    We just learned the hard way that HEALTHCHECK declarations in Docker containers stop working if the container is running in App Service, because App Service for some reason seems to alter the behavior of our containers to do some "internal" healtchecks.

    I believe that this goes very much against the spirit of containerized applications. I have to trust that my container behaves the same no matter who runs it.

    14 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  App Service Environment  ·  Flag idea as inappropriate…  ·  Admin →
  12. Hybrid Connection settings lost on slot creation but included in slot swap

    Summary:
    When creating a new slot for an existing Web App, the Hybrid Connections are not copied to the created slot despite 'Configuration Source' being set to the production app, which has Hybrid Connections configured.

    This is a problem because slot swap operations DO include the Hybrid Connection configurations. Therefore in order to deploy using a new staging slot, one must reconfigure the Hybrid Connections each time before doing the final swap into production.

    Our particular use-case is that we are setting up an automated deployment process and would like the process to first recreate the staging slot by deleting…

    14 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Bugs  ·  Flag idea as inappropriate…  ·  Admin →
  13. Azure App Service Environment ILB - Support for Internal Certificate Authorities

    Currently the documentation for Azure App Service Environment with ILB claims it supports internal certificate authorities.

    Per - https://docs.microsoft.com/en-us/azure/app-service/environment/create-ilb-ase#post-ilb-ase-creation-validation

    As part of the documentation it is recommended that a user bundles their server auth certificate with the full certificate chain - thus producing a PFX file or base64 encoding it and uploading through powershell.

    However when testing with OpenSSL or on an iOS device, the first request never sees the full certificate chain and fails with "invalid server certificate". It is on a subsequent request the full chain is delivered - leaving users to hit refresh once in their browser…

    13 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  App Service Environment  ·  Flag idea as inappropriate…  ·  Admin →
  14. Support KeyVault out of box in App Services Environment

    Currently ASE allows uploading of ILB certificates through script/portal.

    Provision to autopick certificate from Azure KeyVault using thumbprint should be made possible through script/portal

    13 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Supportability  ·  Flag idea as inappropriate…  ·  Admin →
  15. Enable Azure Resource Move for App Service Environment

    Simply allow Azure Resource Move in between RGs and Subscriptions for App Service Environments

    13 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    3 comments  ·  App Service Environment  ·  Flag idea as inappropriate…  ·  Admin →
  16. Outbound ip addresses as an environment variable

    We can get web app outbound ip addresses as a environment variable. It s too much simplier to get ip adresses from application.

    Environment.GetVariable("OUTBOUND_IP_ADDRESS")

    13 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    planned  ·  1 comment  ·  App Service Environment  ·  Flag idea as inappropriate…  ·  Admin →
  17. 12 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Deployment  ·  Flag idea as inappropriate…  ·  Admin →
  18. Offer higher memory / RAM app service plans

    I can see this has been raised before but we would really like to see plan options with higher memory. We could host about twice as many applications on the same plan if memory was increased to something like 32gb. Our apps aren't CPU intensive but need more memory, nor any more up.

    Thanks!

    12 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  App Service Environment  ·  Flag idea as inappropriate…  ·  Admin →
  19. The *.azurewebsites root certificate needs a stronger signature algorithm (SHA2 or SHA3)

    Our *********** testing has revealed that the root certificate in the *.azurewebsites.net SSL certificate chain uses a weak SSL certificate signature algorithm (SHA1 with RSA). Can you please update the SSL certificate so that the full chain uses signature algorithms of at least SHA2? It would also be nice if App Service supported the ability to block SSL connections that do not provide server name indication (SNI) for one of the custom domain names. This would prevent the default *azurewebsites.net certificate from being returned when the *********** testing tool establishes an SSL connection just using the IP address without SNI.

    12 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  20. ARM Template be able to retrieve the ILB private IP address as output

    Using Terraform azurerm_template_deployment to deploy ILB ASE v2 and trying to retrieve IP address as output param so we can populate DNS. Unfortunately, this functionality appears to be broken:

    For more info see:

    https://social.msdn.microsoft.com/Forums/en-US/fc4a78c1-c887-413f-ab19-ffcfa2188ba8/obtain-internal-ip-of-ilb-ase?forum=windowsazurewebsitespreview

    12 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    2 comments  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

Feedback and Knowledge Base