What is the difference between Azure Function App Settings and Application Settings - azure

When setting up an Azure function you have the option to add 'Function App Settings' and also 'Application Settings' and I am confused about when you would use one over the other - can anybody explain the correct use-cases for each of the Setting types?

We could get the answer from How to manage a function app in the Azure portal.
Function app settings: where you can update the Functions runtime version used by your function app. It is also where you manage the host keys used to restrict HTTP access to all functions hosted by the function app.
Application settings blade is where you configure and manage framework versions, remote debugging, app settings, and connection strings. When you integrate your function app with other Azure and third-party services, you can modify those settings here.

Related

App Insights is only applicable to Static Web Apps with at least one function

I have the following TWO independent projects deployed at Azure from GitHub:
an Angular UI project as Static Web App (SWA)
a Node API project as Azure Function (AF)
AF can talk to local-run UI and Postman no problem.
When UI is deployed to Azure and talks to the same AF, it gets 405. To troubleshoot, I did
Query AF logs: FunctionAppLogs | where Level contains "error" returns zero records. FunctionAppLogs | order by TimeGenerated desc | limit 100 returns all Information for Level.
Thinking to get SWA's IP to AF's firewall rule, but it doesn't have networking tab for an IP.
When trying to enable Application Insights for SWA log, it says SWA must have at least one function
I followed this to deploy my Angular SWA. Only difference is his API AF are integrated into the project, mine is an independent project outside of the Angular.
Update, this is how I set up the SWA:
Add a Static Web App
Choose GitHub for publish source, and log in
Choose repository and branch
Complete a new Pull and Merge, project is auto-build and deployed
According to this document, you can enable Azure App Insights for Static Web Apps that use Azure Functions.
Firstly, to enable Application Insights we need an Application Insights resource.
Copy the instrumentation key for the SWA to which you want your JavaScript telemetry to be sent. The same needs to be added to the instrumentationKey or connectionString setting of the Application Insights JavaScript SDK.
You can add the Application Insights JavaScript SDK to your resource following one of the following two options:
npm Setup
JavaScript Snippet
Here is a sample project that you can refer to, and for remote debugging you can check this document.
REFERENCES:
Deeper analytics for Azure Static Web Apps
Add an API to Azure Static Web Apps with Azure Functions | Microsoft Docs
Study shows Static Web Apps (SWA) have an integrated API when one is needed, and this MS Doc has a note that an SWA must have an API to use App Insights.
Another reason SWA must have an Azure Function is because it's backend running at AZ.

App insights settings in azure function app are not working

I am able to configure app insight directly from app insight tab, by either creating new one or selecting the existing one. In this case, it is updating APPINSIGHTS_INSTRUMENTATIONKEY and APPINSIGHTS_CONNECTION_STRING in app settings.
But when I tried to configure app insights through app settings directly, it's not working. I have configured APPINSIGHTS_INSTRUMENTATIONKEY and APPINSIGHTS_CONNECTION_STRING in the app settings of an Azure function app directly. But the related app insight is not integrated with the function app.
Can anyone suggest why it is not working?
Looking at the release notes for SDK Version 2.0.12998:
App Insights configuration will use the APPLICATIONINSIGHTS_CONNECTION_STRING app setting if it is set (APPINSIGHTS_INSTRUMENTATIONKEY is the fallback and continues to work as-is).
Furthermore, if you read the documentation for App Insights Connection String, you will notice that when you use a connection string, you can specify custom endpoints. This is not possible if you just specify the instrumentation key. In that case, the SDK will connect to default endpoints.
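The precedence quoted from the release notes, applied to a set of app settings, as an added example (not code from the original answer or from the Functions SDK). The `Key=Value;...` connection-string layout, the function names and the sample values are assumptions made for illustration; settings whose names merely resemble the two in the release note are reported as ignored.

```python
# Setting names taken from the release note quoted above.
CONNECTION_STRING = "APPLICATIONINSIGHTS_CONNECTION_STRING"
INSTRUMENTATION_KEY = "APPINSIGHTS_INSTRUMENTATIONKEY"
KNOWN = (CONNECTION_STRING, INSTRUMENTATION_KEY)


def parse_connection_string(value):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    parts = {}
    for item in filter(str.strip, value.split(";")):
        key, sep, val = item.partition("=")
        if not sep or not val.strip():
            raise ValueError(f"malformed segment: {item!r}")
        parts[key.strip().lower()] = val.strip()
    if "instrumentationkey" not in parts:
        raise ValueError("connection string has no InstrumentationKey")
    return parts


def lookalike(name):
    """True for a name that resembles, but is not, one of the two settings."""
    upper = name.upper()
    return (name not in KNOWN and "INSIGHTS" in upper
            and upper.endswith(("CONNECTION_STRING", "INSTRUMENTATIONKEY")))


def resolve_app_insights(settings):
    """Return (source, key, ingestion_endpoint, ignored_names) for app settings."""
    ignored = sorted(n for n in settings if lookalike(n))
    if settings.get(CONNECTION_STRING):
        parts = parse_connection_string(settings[CONNECTION_STRING])
        return (CONNECTION_STRING, parts["instrumentationkey"],
                parts.get("ingestionendpoint"), ignored)
    if settings.get(INSTRUMENTATION_KEY):
        # Key only: no endpoint can be given, so the SDK uses its defaults.
        return INSTRUMENTATION_KEY, settings[INSTRUMENTATION_KEY], None, ignored
    return None, None, None, ignored


# Constructed app settings: the connection string sits under a name the
# release note does not list, so only the instrumentation key is picked up.
SAMPLE_SETTINGS = {
    "APPINSIGHTS_CONNECTION_STRING":
        "InstrumentationKey=00000000-0000-0000-0000-000000000000;"
        "IngestionEndpoint=https://ingest.example.invalid/",
    "APPINSIGHTS_INSTRUMENTATIONKEY": "00000000-0000-0000-0000-000000000000",
}

if __name__ == "__main__":
    print(resolve_app_insights(SAMPLE_SETTINGS))
```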

How to share application settings between app services in Azure?

I have several App Services in Azure: development, test, and production. I would like to share some application settings between them like variable sets in Octopus.
Let's say I have a key A which should be the same in all App Services. I would like to set its value in one place, but it seems that I have to configure it for each App Service. When A is changed, I have to change it everywhere instead of having one common place to change it. Is there some way to do this?
No built-in way, app settings are part of the App Service resource.
You will need to put the settings in a common database or file.
Azure Key Vault can be used for sensitive settings and table storage/blob storage works well for other settings. Azure SQL is also an option.
Your app will then need to load these settings at startup.
This is also a documented cloud design pattern: https://learn.microsoft.com/en-us/azure/architecture/patterns/external-configuration-store

Azure Traffic Manager support with Azure Function Apps

I am trying to use Azure Traffic Manager (GTM) to geographically distribute load to function apps in each region.
I have tried adding an 'app service endpoint' and an 'external endpoint' (including adding the GTM name as a custom CNAME to the function app), but both result in "Error 404 - Web app not found.". The custom CNAME also never adds correctly.
According to the last comment on this post, the ability to do this should now be supported:
Setting up a custom domain with an Azure Function app
I am unable to comment back on the post as I am a new user.
I have tried adding an 'app service endpoint' and an 'external endpoint' (including adding the GTM name as a custom CNAME to the function app)
Azure Traffic Manager is only eligible for use with App Services at the 'Standard' level or above as mentioned here. If your function isn't hosted in an app plan at the 'Standard' level or above, Azure Traffic Manager will not work.
If you are not using a 'Standard' or higher level app plan, Azure Functions Proxies would be a workaround for you. Please check the following thread, which discusses a similar problem.
Azure Functions Traffic Manager
Here is the quick reference from the answer provided by Dakota Kincer.
So the answer I arrived to after Traffic manager didn't support Azure functions was to overall build 3 Azure functions. I built an East and a West that has my azure function code on it. Then I built a main Azure Function that has 0 code. It only has Azure proxies on it that route to my 2 other Azure Functions. The route is controlled by a variable in the proxy string that is held in the main API app settings. Using %myvariable% you can set part of the url. When I need to publish I switch the variable to the secondary URL location. Update the Primary and then switch the URL to its original primary location. This will have to work for now till traffic manager is integrated into functions or a better solution arises.
I am unable to comment back on the post as I am a new user.
You could modify your post if you want to provide more information.
Traffic Manager supports Azure functions monitoring. You can enable this by going to TM settings -> endpoints -> add endpoint -> choose Azure endpoint type -> App Service for Target resource type -> under Target Resource choose Function app which you want to monitor.
Most likely you want to be able to access function apps under a specific domain, for example my-domain.com. For that, under Custom Header Settings specify host:my-domain.com. You'll need to set up a custom domain in the function app's configuration too.

How can I use AAD for an Azure version of "Windows Authentication" from a Web App to a Web API App?

I have two applications:
MVC Site (User-facing Web App secured via OAuth -> Google)
Web API Site ("Private" Web Services)
These are hosted in an App Service Plan in Azure. These web services will only be consumed by my own applications - I don't need to worry about outside consumption. In fact, I specifically don't want outside consumption. My Web App is using OAuth to Google - that shouldn't matter here.
So to get to the heart of my question: My web services currently have no authentication/authorization model in the code but I don't want it just publicly available to anybody. On prem, we just lock this down via IIS using Windows Auth and set the service account for the consuming web app to run as a user that Windows Auth allows access to. I'd like to do the equivalent in Azure.
I understand Azure isn't exactly the same but I have to believe this is possible. I have even gotten my web services locked down the way I want using the settings in the Authentication/Authorization tab (I can try to navigate to it but I only get my Swagger UI once I login with a valid organizational account). So half of my battle is solved but I cannot figure out how to do the other half - the equivalent of setting the service account for my consuming MVC application to run as.
Can I do this via the portal without having to code specifically to this scenario? I'd really like a PaaS-level or IaaS-level solution for the security portion of consuming the above locked-down services. I'm also open to other avenues if I'm going down the wrong path in having a PaaS or IaaS security solution to this problem. I'm not against making code changes - we did have a one-liner in our RestSharp code to engage Windows Authentication, but the bulk of the work/configuration was outside of code and that's what I'm going for here.
If going the IaaS path you can host the application inside of a VM in the exact same way as you did before when running it directly on top of IIS. The benefit is that you can get running the same way as before but you will still need to manage the VM; i.e. install updates and take care of its security.
However, if you want to have a PaaS solution, then you need to modify the code of your front-end application to pass on the authentication token to the back-end API, assuming the back-end accepts the same authentication as the front-end. See https://azure.microsoft.com/en-us/documentation/articles/app-service-api-dotnet-get-started/ as an example on how to pass on authentication information from one app to another.
Alternatively you can use the app identity to make calls to your back-end API. This way the calls are not related to any user but are instead done in the context of the app. See https://github.com/Azure-Samples/active-directory-dotnet-daemon for more details on how to set it up, both configuration and needed code.
If you want to allow your users to sign in using their Google accounts then you could handle authorization to your API using the app identity (second alternative above), assuming the API is independent of the requesting user's identity.
Enabling authentication for an Azure Web App directly through the menus in the Azure Portal adds Azure AD authentication in front of your application and requires you to pass an access token generated by Azure AD to your API for it to work.
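The app-identity option above, seen from the API side, as an added example (not code from the original answer or the linked samples): after the portal's Authentication/Authorization feature has validated the Azure AD token, the API still narrows access to the one consuming web app by checking which application the token was issued to. It assumes the platform forwards the validated claims as base64 JSON in the `X-MS-CLIENT-PRINCIPAL` header and that the claims appear under the names `appid`/`azp` and `roles`; the client ID, role name and function names are hypothetical.

```python
import base64
import binascii
import json

# Assumptions: placeholder client ID of the consuming MVC web app, and a
# hypothetical app role on the API registration granted only to that app.
ALLOWED_CLIENT_IDS = {"11111111-2222-3333-4444-555555555555"}
REQUIRED_ROLE = "Api.Call"
PRINCIPAL_HEADER = "X-MS-CLIENT-PRINCIPAL"


def parse_client_principal(header_value):
    """Decode the base64 JSON principal into {claim type: [values]}."""
    try:
        doc = json.loads(base64.b64decode(header_value, validate=True))
        claims = {}
        for claim in doc["claims"]:
            claims.setdefault(claim["typ"], []).append(str(claim["val"]))
    except (binascii.Error, ValueError, KeyError, TypeError):
        return None  # missing or malformed header: treat as unauthenticated
    return claims


def authorize_caller(headers):
    """Return (allowed, reason); headers is a dict keyed by exact header name."""
    claims = parse_client_principal(headers.get(PRINCIPAL_HEADER))
    if claims is None:
        return False, "no usable client principal"
    # v1.0 access tokens name the calling app in 'appid', v2.0 tokens in 'azp'.
    caller_ids = set(claims.get("appid", []) + claims.get("azp", []))
    if not caller_ids or not caller_ids <= ALLOWED_CLIENT_IDS:
        return False, "caller application not on the allow-list"
    if REQUIRED_ROLE not in claims.get("roles", []):
        return False, "required app role missing"
    return True, "ok"


def sample_header(claims):
    """Build a constructed header value from (type, value) pairs for the demo."""
    doc = {"auth_typ": "aad", "claims": [{"typ": t, "val": v} for t, v in claims]}
    return base64.b64encode(json.dumps(doc).encode()).decode()


if __name__ == "__main__":
    web_app = sample_header([("appid", "11111111-2222-3333-4444-555555555555"),
                             ("roles", REQUIRED_ROLE)])
    user = sample_header([("name", "someone@example.invalid")])
    for value in (web_app, user, "not-base64!"):
        print(authorize_caller({PRINCIPAL_HEADER: value}))
```

The header is only meaningful when every request reaches the API through the platform's authentication layer; signature, issuer and audience validation are assumed to have happened there.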
