I have an ASP .Net Core 2.2 Web API which connects to a MySQL Database.
It is hosted on Azure App Service.
Currently I am storing the connection strings in the appsettings.json file:
"ConnectionStrings": {
"MyDataContext": "Server=server1.mysql.database.azure.com;user id=username;Pwd=password;persistsecurityinfo=True;database=db1;"
}
And I read the connection strings in Startup.cs (in the ConfigureServices method) like this:
services.AddDbContext<MyContext>(options => options.UseMySql(Configuration.GetConnectionString("MyDataContext")));
I read that I can store these connection strings in the Azure App Service Settings instead, as it offers some advantages. I've been trying to do this, but am struggling to get it to work.
My first question is, when adding the connection string to Azure App Service Settings (under the Connection Strings section), what do I put in for Name in the Name/Value pairs? Do I just put "MyDataContext" or do I put in "ConnectionStrings:MyDataContext"? (I'm trying to keep the same structure as I have in the appsettings.json file).
My second question is, can I still read the connections string in my Startup.ConfigureServices method the same way I am doing now? From what I understand, Azure App Service will automatically inject the connection string store in Settings into the Configuration object in the API? I'm not sure if I'm missing something, but it's not working...
Yes and yes.
Yes, you can name the connection string as almost anything you want, though I've discovered recently that certain characters aren't allowed, but Azure doesn't tell you this, it will just strip them out and not tell you, so to be safe I'd only use alphanumeric characters, you can use CamelCasing if you need to. You don't need to prefix with anything like ConnectionStrings: as this is done automatically by Azure, and the syntax has changed in the most recent version anyway.
And yes, if you haven't specified your own ConfigurationBuilder, your web app should call CreateDefaultBuilder which will add environment variables at runtime. The code you've written will stay the same and you can delete the connection string from your appsettings.json file, if you keep it in there it will get overridden anyway.
It is a good idea to remove connection strings from the appsettings.json file if you are able to store them in Azure instead for security reasons, so that you are not storing either database server address nor connection credentials in your source code. One step up from this is using Managed Identity in conjunction with Active Directory, where you specify an AD username in the connection string but no password, then assign that user (or the user's group) as the server admin.
It looks like there's a slight delay (a couple of seconds at least) when changing the Settings of an Azure App Service - I was too quick...
Related
I have an application hosted in Azure PAAS. The connection string for the application is stored under 'Configuration' -> 'Connection strings'
My application has a PowerShell instance. I want to iterate through all the Connection strings present under 'Configuration' -> 'Connection strings'
I have seen the Azure document. As my application itself is the app, can there be a way to skip the details like 'subscriptionId', 'resourceGroupName' and 'name'?
This will help to make the code more generic.
As my application itself is the app, can there be a way to skip the
details like 'subscriptionId', 'resourceGroupName' and 'name'?
AFAIK, Its not possible to acquire the connection strings using Rest API, or PowerShell of an Azure web application without providing Resource group name or subscription.
The MS DOCUMENT you have followed is to list the connection strings which is correct but we need to pass those credentials to achieve the same.
If my understanding is correct as its your own application and if its publicly hosted then anyone will not be able to get the resource group name, application name(If you are using custom domain) or subscription details.
Alternatively, we can use the Az cli by providing the resource group only :-
For more information please refer the below links:-
SO THREAD|Get the list of azure web app settings to be swapped using PowerShell
If you are going to use the REST API calls for your code, then the simple answer is just: No.
I think in all cases the answer is going to be no honestly..
You can't drop those unique IDs, because those are required parameters to retrieve the correct data.
If you want to make the code more generic, then you should write the code to retrieve the values for those parameters. Instead of hardcoding the values.
Your powershell code will always need to authenticate, or use a Managed Identity, and the identity used to authenticate will always have the subscriptionid as value in its object. As for the rest, well i think you get the gist of what im suggesting.
I'm trying to use the Get-AzWebApp PowerShell command to get a list of azure app services and then read the configuration/connection strings from each one. Does this still work if the web.config of each app service has the connection strings stored in a separate file, so e.g. in web.config we have
<connectionStrings configSource="App_Config\ConnectionStrings.config" />
Would we expect this to work still?
Does this still work if the web.config of each app service has the connection strings stored in a separate file, so e.g. in web.config we have
<connectionStrings configSource="App_Config\ConnectionStrings.config" / >
Would we expect this to work still?
Currently it is not possible. Fetch the connection strings from files is not possible in an app service.
In a PowerShell we cannot edit or add bulk connection strings and app settings using files.
We can add the connection String/ App Settings it will be added like key value. So, whatever we add in an App Settings we can get that as string value.
I have WebJobs running under my Azure Web App. For Web App you can set that the Web App will use remote connection strings (that you setup on Azure portal).
Is it possible to do the same for WebJobs?
So they would be looking for remote connection string instead of using a connections string from (for example) "app.config".
Could you add the connection string as Web Config value that can be accessed by either the site or webjob?
Further more details you could refer to this blog:Configuring Azure Web Jobs.
The main steps are as follows:
Install CloudConfigurationManager package Microsoft.WindowsAzure.ConfigurationManager
Set your connection strings to the app setting.
Retrieve connection string using the CloudConfigurationManager:
var myConnectionString = CloudConfigurationManager.GetSetting("MyConnectionString");
I found out that a connection string setup on Azure Portal overwrites connection string with the same name in .config files. Which means that no additional setup is required.
Azure Portal Connection string takes priority over local *.config connection string.
I successfully tested this.
I developed a cron trigger azure fuction who needs to search for soe data in my database.
Localy i can connect whit sql server, so i change the connection string in loca.settings.json to connect in azure sql and published the function, but the function cant connect with database.
I need to do something more than configure the local.settings.json?
The local.settings.json is only used for local testing. It's not even exported to azure.
You need to create a connection string in your application settings.
In Azure Functions - click Platform features and then Configuration.
Set the connection string
A function app hosts the execution of your functions in Azure. As a best security practice, store connection strings and other secrets in your function app settings. Using application settings prevents accidental disclosure of the connection string with your code. You can access app settings for your function app right from Visual Studio.
You must have previously published your app to Azure. If you haven't already done so, Publish your function app to Azure.
In Solution Explorer, right-click the function app project and choose Publish > Manage application settings.... Select Add setting, in New app setting name, type sqldb_connection, and select OK.
Application settings for the function app.
In the new sqldb_connection setting, paste the connection string you copied in the previous section into the Local field and replace {your_username} and {your_password} placeholders with real values. Select Insert value from local to copy the updated value into the Remote field, and then select OK.
Add SQL connection string setting.
The connection strings are stored encrypted in Azure (Remote). To prevent leaking secrets, the local.settings.json project file (Local) should be excluded from source control, such as by using a .gitignore file.
https://learn.microsoft.com/en-us/azure/azure-functions/functions-scenario-database-table-cleanup
If you are using entity framework core to make a connection, Other Way of connection to SQL is by using dependency injection from .netcore library.
You can keep the connection string in Azure Key-vault or the config file from there you can read the same using azure function startup class. which need below code setup in your function app.
using Microsoft.Azure.Functions.Extensions.DependencyInjection;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
[assembly: FunctionsStartup(typeof( TEST.Startup))]
namespace TEST
{
internal class Startup : FunctionsStartup
{
public override void Configure(IFunctionsHostBuilder builder)
{
Contract.Requires(builder != null);
builder.Services.AddHttpClient();
var configBuilder = new ConfigurationBuilder()
.SetBasePath(Directory.GetCurrentDirectory())
.AddJsonFile("local.settings.json", optional: true, reloadOnChange: true)
.AddAzureKeyVault($"https://XYZkv.vault.azure.net/");
var configuration = configBuilder.Build();
var conn = configuration["connectionString"];
builder.Services.AddDbContext<yourDBContext>(
options => options.UseSqlServer(configuration["connectionString"]));
}
}
}
after that where ever you are injecting this dbcontext, with context object you can do all CRUD operations by following microsoft's entity framework core library documentation.
Having just dealt with this beast (using a custom handler with Linux), I believe the simple way is to upgrade your App to premium-plan, allowing you to access the "Networking" page from "App Service plans". This should allow you to put both sql-server and app in the same virtual network, which probably makes it easier. (but what do I know?)
Instead, if you don't have the extra cash laying around, you can try what I did, and set up a private endpoint, and use the proxy connection setting for your database:
Create a virtual network
I used Address space: 10.1.0.0/16 (default I think)
Add subnet 10.1.0.0/24 with any name (adding a subnet is required)
Go to "Private link center" and create a private endpoint.
any name, resource-group you fancy
use resource type "Microsoft.Sql/Server" and you should be able to select your sql-server (which I assume you have created already) and also set target sub-resource to "sqlServer" (the only option)
In the next step your virtual network and submask should be auto-selected
set Private DNS integration to yes (or suffer later).
Update your firewall by going to Sql Databases, select your database and click "Set Server Firewall" from the overview tab.
Set Connection Policy to proxy. (You either do this, or upgrade to premium!)
Add existing virtual network (rule with any name)
Whitelist IPs
There probably is some other way, but the azure-cli makes it easy to get all possible IP's your app might use: az functionapp show --resource-group <group_name> --name <app_name> --query possibleOutboundIpAddresses
https://learn.microsoft.com/en-us/azure/app-service/overview-inbound-outbound-ips
whitelist them all! (copy paste exercise)
Find your FQDN from Private link center > Private Endpoints > DNS Configuration. It's probably something like yourdb.privatelink.database.windows.net
Update your app to use this url. You just update your sql server connection string and replace the domain, for example as ADO string: Server=tcp:yourdb.privatelink.database.windows.net,1433;Initial Catalog=somedbname;Persist Security Info=False;User ID=someuser;Password=abc123;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=True;Connection Timeout=30;
Also note that I at some point during all of this I switched to TrustServerCertificate=True and now I can't bother to figure out if it does a difference or not. So I left it as an exercise to the reader to find out.
So what we have done here...?
We have forced your function app to go outside the "azure-sphere" by connecting to the private endpoint. I think that if you bounce between azure-services directly, then you'll need some sort of authentication (like logging in to your DB using AD), and in my case, using custom handler and linux base for my app, I think that means you need some trust negotiation (kerberos perhaps?). I couldn't figure that out, so I came up with this instead.
I have tried adding DefaultConnection from my appsettings.json file to Azure's Application Settings but Azure will not override the connection string.
Any article or blog I can find states that all I should need to do is add the connection string name as it states in the appsettings.json file and Azure should do the rest (e.g. https://tehremo.wordpress.com/2016/10/07/override-connection-strings-app-settings-in-asp-net-core-and-azure-app-service/) however when the application is published it is using my local connection string.
My Startup.cs file looks like the following:
NOTE: I am publishing using VSTS continuous delivery with "Deploy Azure App Service" release task.
I just had a similar problem (the problem was with PostgreSQL connection string type, I had to change it to custom) and now it works for me, so these are the pieces:
This is my appsettings.json file. I have a value for 'Psql' set in my appsettings.Development.json, but in the appsettings.json it is left empty.
These are the settings which are set in the Azure portal. Please note, that there are two ways to override the connection string.
This is the part of my Startup.cs file. Pay attention to the order of how the settings are applied in the Startup constructor and the way I get the connection string in the ConfigureServices method (GetConnectionString is a standard extension method).
Additional info from my comments below:
Azure GUI (Connection strings, Application settings) uses environment variables internally, so the appsettings.json will stay the same.
If there is a need for an appsettings.json's value to be overwritten during VSTS release activity (before it will be published to Azure), Colin's ALM Corner Build & Release Tools can be used. Here are the links to Colin's ALM Corner Build & Release Tools and tutorial.
Thanks #pasul, your help was much appreciated and helped me find an alternative solution. In order to deploy using VSTS task and replace application settings, you will need to add variables to the release task and pass into the task the json file in question for variable substitution.
When in "Deploy Azure App Service" release task you should see a "File Transforms and Variable Substitution" section. In here you will supply the path to the json file you want to swap variable values.
Then you will need to click on the options button on the release environment. You will see an option to configure variables in the pop out menu.
From here you can add the json property you want to modify as a variable. In my case the connection string. Which will look like the following:
"ConnectionStrings.DefaultConnection"
Then just put in your connection string value. VSTS will then swap out these values for you when deploying.