Top / Microsoft Azure / Azure App Service (Web Apps) / App Service

Azure App Service (Web Apps) App Service

This page shows how to write Terraform and Azure Resource Manager for App Service (Web Apps) App Service and write them securely.

terraform-logo

Review your .tf file for Azure best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

azurerm_app_service (Terraform)

The App Service in App Service (Web Apps) can be configured in Terraform with the resource name azurerm_app_service. The following sections describe 10 examples of how to use the resource and its parameters.

Example Usage from GitHub

main.tf#L42
resource "azurerm_app_service" "app_service_catalog_staging" {
  name                = "pp-catalogSta"
  location            = azurerm_resource_group.PlayPadel-Sta.location
  resource_group_name = azurerm_resource_group.PlayPadel-Sta.name
  app_service_plan_id = azurerm_app_service_plan.PlayPadelASP-Sta.id
main.tf#L30
resource "azurerm_app_service" "example" {
  name                = "Nsama-Frontend-App"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name
  app_service_plan_id = azurerm_app_service_plan.example.id
  app_settings = {
appservice-use-secure-tls-policy.tf#L3
resource "azurerm_app_service" "good_example" {
  name                = "example-app-service"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id
}
main.tf#L34
resource "azurerm_app_service" "webapp1" {
    # creating web app
    name = var.s1_name
    resource_group_name=azurerm_resource_group.main.name
    location=azurerm_resource_group.main.location
    app_service_plan_id=azurerm_app_service_plan.sp.id
webapp.tf#L14
resource "azurerm_app_service" "SPJTestWebApp" {
  name = "SPJTestWebApp"
  location = "East Us"
  resource_group_name = "POC_DevOps_RG"
  app_service_plan_id = azurerm_app_service_plan.appserviceplan.id
appservice-authentication-enabled.tf#L1
resource "azurerm_app_service" "good_example" {
  name                = "example-app-service"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id
appservice-enable-https-only.tf#L1
resource "azurerm_app_service" "good_example" {
    name                       = "example-app-service"
    location                   = azurerm_resource_group.example.location
    resource_group_name        = azurerm_resource_group.example.name
    app_service_plan_id        = azurerm_app_service_plan.example.id
    https_only                 = true
appservice-enable-http2.tf#L1
resource "azurerm_app_service" "good_example" {
  name                = "example-app-service"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id
appservice-require-client-cert.tf#L3
resource "azurerm_app_service" "good_example" {
  name                = "example-app-service"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id
  client_cert_enabled = true
main.tf#L45
    resource "azurerm_app_service" "webapp" {
    name="wamdahhassan-frontend-service"
    resource_group_name=azurerm_resource_group.rg.name
    location = azurerm_resource_group.rg.location
    app_service_plan_id = azurerm_app_service_plan.sp.id
    }

Review your Terraform file for Azure best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Security Best Practices for azurerm_app_service

There are 12 settings in azurerm_app_service that should be taken care of for security reasons. The following section explain an overview and example code.

risk-label

Ensure your App Service is accessible via HTTPS only

It is better to configure the App Service to be accessible via HTTPS only. By default, both HTTP and HTTPS are available.

risk-label

Ensure to use the latest version of TLS protocols

It is better to use the latest SSL/TLS version to protect connections for App Services.

risk-label

Ensure to enable authentication

It is better to enable authentication not to accept anonymous requests and make sure that all communications in the application are authenticated.

risk-label

Ensure to disable FTP deployment

It is better to disable FTP deployment. This is a traditional way and FTPS complies with industry standards and regulations. However, for enhanced security, both FTP and FTPS should be disabled.

risk-label

Ensure to register the app identity with AD

It is better to register the app identity with AD to avoid the utilization of a username and password. It is used by an app with the AD that allows it to interact with the other services.

risk-label

Ensure to enable to indicate the details of error messages

It is better to enable to indicate the details of error messages. App Service can save the error page when application errors such as HTTP code 400 or greater occur. It would help determine why the server returns the error code.

risk-label

Ensure to select the latest version of the .NET framework

It is better to select the latest version of the .NET framework for the utilization of the latest security fixes.

risk-label

Ensure to enable the logging of failed request tracing

It is better to enable the logging of failed request tracing including the request and the time taken in each IIS component. It is beneficial when we face site performance issues and specific HTTP errors.

risk-label

Ensure to enable HTTP logging

It is better to enable HTTP logging. This includes the fundamental HTTP communication details such as the HTTP method, resource URI, client IP, client port, user agent, etc.

risk-label

Ensure to select the latest PHP Version

It is better to select the latest PHP version to adapt the latest security fixes.

risk-label

Ensure to select the latest Python Version

It is better to select the latest Python version to adapt the latest security fixes.

risk-label

Ensure to enable incoming certificates for clients

It is better to enable incoming certificates for clients. If this is enabled, only the authenticated clients with valid certificates are able to access the app.

Review your Azure App Service (Web Apps) settings

You can check if the azurerm_app_service setting in your .tf file is correct in 3 min with Shisho Cloud.

Parameters

>> from Terraform Registry

Explanation in Terraform Registry

Manages an App Service (within an App Service Plan). -> Note: When using Slots - the app_settings, connection_string and site_config blocks on the azurerm_app_service resource will be overwritten when promoting a Slot using the azurerm_app_service_active_slot resource.

>> from Terraform Registry

Tips: Best Practices for The Other Azure App Service (Web Apps) Resources

In addition to the azurerm_function_app, Azure App Service (Web Apps) has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

risk-label

azurerm_function_app

Ensure to enable authentication to prevent anonymous request being accepted

It is better to enable authentication to prevent anonymous requests and ensure all communications in the application are authenticated.

Review your Azure App Service (Web Apps) settings

In addition to the above, there are other security points you should be aware of making sure that your .tf files are protected in Shisho Cloud.

Microsoft.Web/sites (Azure Resource Manager)

The sites in Microsoft.Web can be configured in Azure Resource Manager with the resource name Microsoft.Web/sites. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

template.json#L101
                "ResourceType": "Microsoft.Web/sites",
                "MetricName": "Http5xx",
                "Operator": "GreaterThanOrEqual",
                "Threshold": "50",
                "TimeWindow": "PT5M",
                "Aggregation": "Total"
tests.json#L30
          "resourceType": "Microsoft.Web/sites",
          "allOf": [
              {
                  "path": "kind",
                  "regex": "api$"
              },
v1.6_Export.json#L17
      "type": "Microsoft.Web/sites",
      "apiVersion": "2018-11-01",
      "name": "[parameters('FunctionAppName')]",
      "location": "UK South",
      "kind": "functionapp",
      "properties": {
integration.json
{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "deploymentId": {
web4.json#L38
            "type": "Microsoft.Web/sites",
            "name": "[parameters('site_name')]",
            "apiVersion": "2016-08-01",
            "location": "[resourceGroup().location]",
            "scale": null,
            "properties": {
chapter4-azure-template.json#L45
            "type": "Microsoft.Web/sites",
            "apiVersion": "2018-11-01",
            "name": "[parameters('sites_chapter4_iac_dockerimage_name')]",
            "location": "Central US",
            "dependsOn": [
                "[resourceId('Microsoft.Web/serverfarms', parameters('serverfarms_ASP_Chapter4RG_ac17_name'))]"
integration.json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "infrastructure": {
integration.json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "infrastructure": {
integration.json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "infrastructure": {
integration.json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "infrastructure": {

Parameters

  • apiVersion required - string
  • extendedLocation optional
      • name optional - string

        Name of extended location.

  • identity optional
      • type optional - string

        Type of managed service identity.

      • userAssignedIdentities optional - undefined

        The list of user assigned identities associated with the resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}

  • kind optional - string

    Kind of resource.

  • location required - string

    Resource Location.

  • name required - string

    Unique name of the app to create or update. To create or update a deployment slot, use the {slot} parameter.

  • properties required
      • clientAffinityEnabled optional - boolean

        <code>true</code> to enable client affinity; <code>false</code> to stop sending session affinity cookies, which route client requests in the same session to the same instance. Default is <code>true</code>.

      • clientCertEnabled optional - boolean

        <code>true</code> to enable client certificate authentication (TLS mutual authentication); otherwise, <code>false</code>. Default is <code>false</code>.

      • clientCertExclusionPaths optional - string

        client certificate authentication comma-separated exclusion paths

      • clientCertMode optional - string

        This composes with ClientCertEnabled setting.

        • ClientCertEnabled: false means ClientCert is ignored.
        • ClientCertEnabled: true and ClientCertMode: Required means ClientCert is required.
        • ClientCertEnabled: true and ClientCertMode: Optional means ClientCert is optional or accepted.
      • cloningInfo optional
          • appSettingsOverrides optional - string

            Application setting overrides for cloned app. If specified, these settings override the settings cloned from source app. Otherwise, application settings from source app are retained.

          • cloneCustomHostNames optional - boolean

            <code>true</code> to clone custom hostnames from source app; otherwise, <code>false</code>.

          • cloneSourceControl optional - boolean

            <code>true</code> to clone source control from source app; otherwise, <code>false</code>.

          • configureLoadBalancing optional - boolean

            <code>true</code> to configure load balancing for source and destination app.

          • correlationId optional - string

            Correlation ID of cloning operation. This ID ties multiple cloning operations together to use the same snapshot.

          • hostingEnvironment optional - string

            App Service Environment.

          • overwrite optional - boolean

            <code>true</code> to overwrite destination app; otherwise, <code>false</code>.

          • sourceWebAppId required - string

            ARM resource ID of the source app. App resource ID is of the form /subscriptions/{subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{siteName} for production slots and /subscriptions/{subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{siteName}/slots/{slotName} for other slots.

          • sourceWebAppLocation optional - string

            Location of source app ex: West US or North Europe

          • trafficManagerProfileId optional - string

            ARM resource ID of the Traffic Manager profile to use, if it exists. Traffic Manager resource ID is of the form /subscriptions/{subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/trafficManagerProfiles/{profileName}.

          • trafficManagerProfileName optional - string

            Name of Traffic Manager profile to create. This is only needed if Traffic Manager profile does not already exist.

      • containerSize optional - integer

        Size of the function container.

      • customDomainVerificationId optional - string

        Unique identifier that verifies the custom domains assigned to the app. Customer will add this id to a txt record for verification.

      • dailyMemoryTimeQuota optional - integer

        Maximum allowed daily memory-time quota (applicable on dynamic apps only).

      • enabled optional - boolean

        <code>true</code> if the app is enabled; otherwise, <code>false</code>. Setting this value to false disables the app (takes the app offline).

      • hostingEnvironmentProfile optional
          • id optional - string

            Resource ID of the App Service Environment.

      • hostNamesDisabled optional - boolean

        <code>true</code> to disable the public hostnames of the app; otherwise, <code>false</code>. If <code>true</code>, the app is only accessible via API management process.

      • hostNameSslStates optional array
          • hostType optional - string

            Indicates whether the hostname is a standard or repository hostname.

          • name optional - string

            Hostname.

          • sslState optional - string

            SSL type.

          • thumbprint optional - string

            SSL certificate thumbprint.

          • toUpdate optional - boolean

            Set to <code>true</code> to update existing hostname.

          • virtualIP optional - string

            Virtual IP address assigned to the hostname if IP based SSL is enabled.

      • httpsOnly optional - boolean

        HttpsOnly: configures a web site to accept only https requests. Issues redirect for http requests

      • hyperV optional - boolean

        Hyper-V sandbox.

      • isXenon optional - boolean

        Obsolete: Hyper-V sandbox.

      • keyVaultReferenceIdentity optional - string

        Identity to use for Key Vault Reference authentication.

      • redundancyMode optional - string

        Site redundancy mode.

      • reserved optional - boolean

        <code>true</code> if reserved; otherwise, <code>false</code>.

      • scmSiteAlsoStopped optional - boolean

        <code>true</code> to stop SCM (KUDU) site when the app is stopped; otherwise, <code>false</code>. The default is <code>false</code>.

      • serverFarmId optional - string

        Resource ID of the associated App Service plan, formatted as: "/subscriptions/{subscriptionID}/resourceGroups/{groupName}/providers/Microsoft.Web/serverfarms/{appServicePlanName}".

      • siteConfig optional
          • acrUseManagedIdentityCreds optional - boolean

            Flag to use Managed Identity Creds for ACR pull

          • acrUserManagedIdentityID optional - string

            If using user managed identity, the user managed identity ClientId

          • alwaysOn optional - boolean

            <code>true</code> if Always On is enabled; otherwise, <code>false</code>.

          • apiDefinition optional
              • url optional - string

                The URL of the API definition.

          • apiManagementConfig optional
              • id optional - string

                APIM-Api Identifier.

          • appCommandLine optional - string

            App command line to launch.

          • appSettings optional array
              • name optional - string

                Pair name.

              • value optional - string

                Pair value.

          • autoHealEnabled optional - boolean

            <code>true</code> if Auto Heal is enabled; otherwise, <code>false</code>.

          • autoHealRules optional
              • actions optional
                  • actionType optional - string

                    Predefined action to be taken.

                  • customAction optional
                      • exe optional - string

                        Executable to be run.

                      • parameters optional - string

                        Parameters for the executable.

                  • minProcessExecutionTime optional - string

                    Minimum time the process must execute before taking the action

              • triggers optional
                  • privateBytesInKB optional - integer

                    A rule based on private bytes.

                  • requests optional
                      • count optional - integer

                        Request Count.

                      • timeInterval optional - string

                        Time interval.

                  • slowRequests optional
                      • count optional - integer

                        Request Count.

                      • path optional - string

                        Request Path.

                      • timeInterval optional - string

                        Time interval.

                      • timeTaken optional - string

                        Time taken.

                  • slowRequestsWithPath optional array
                      • count optional - integer

                        Request Count.

                      • path optional - string

                        Request Path.

                      • timeInterval optional - string

                        Time interval.

                      • timeTaken optional - string

                        Time taken.

                  • statusCodes optional array
                      • count optional - integer

                        Request Count.

                      • path optional - string

                        Request Path

                      • status optional - integer

                        HTTP status code.

                      • subStatus optional - integer

                        Request Sub Status.

                      • timeInterval optional - string

                        Time interval.

                      • win32Status optional - integer

                        Win32 error code.

                  • statusCodesRange optional array
                      • count optional - integer

                        Request Count.

                      • path optional - string
                      • statusCodes optional - string

                        HTTP status code.

                      • timeInterval optional - string

                        Time interval.

          • autoSwapSlotName optional - string

            Auto-swap slot name.

          • azureStorageAccounts optional - undefined

            List of Azure Storage Accounts.

          • connectionStrings optional array
              • connectionString optional - string

                Connection string value.

              • name optional - string

                Name of connection string.

              • type optional - string

                Type of database.

          • cors optional
          • defaultDocuments optional - array

            Default documents.

          • detailedErrorLoggingEnabled optional - boolean

            <code>true</code> if detailed error logging is enabled; otherwise, <code>false</code>.

          • documentRoot optional - string

            Document root.

          • experiments optional
              • rampUpRules optional array
                  • actionHostName optional - string

                    Hostname of a slot to which the traffic will be redirected if decided to. E.g. myapp-stage.azurewebsites.net.

                  • changeDecisionCallbackUrl optional - string

                    Custom decision algorithm can be provided in TiPCallback site extension which URL can be specified. See TiPCallback site extension for the scaffold and contracts. https://www.siteextensions.net/packages/TiPCallback/

                  • changeIntervalInMinutes optional - integer

                    Specifies interval in minutes to reevaluate ReroutePercentage.

                  • changeStep optional - number

                    In auto ramp up scenario this is the step to add/remove from <code>ReroutePercentage</code> until it reaches \n<code>MinReroutePercentage</code> or <code>MaxReroutePercentage</code>. Site metrics are checked every N minutes specified in <code>ChangeIntervalInMinutes</code>.\nCustom decision algorithm can be provided in TiPCallback site extension which URL can be specified in <code>ChangeDecisionCallbackUrl</code>.

                  • maxReroutePercentage optional - number

                    Specifies upper boundary below which ReroutePercentage will stay.

                  • minReroutePercentage optional - number

                    Specifies lower boundary above which ReroutePercentage will stay.

                  • name optional - string

                    Name of the routing rule. The recommended name would be to point to the slot which will receive the traffic in the experiment.

                  • reroutePercentage optional - number

                    Percentage of the traffic which will be redirected to <code>ActionHostName</code>.

          • ftpsState optional - string

            State of FTP / FTPS service.

          • functionAppScaleLimit optional - integer

            Maximum number of workers that a site can scale out to. This setting only applies to the Consumption and Elastic Premium Plans

          • functionsRuntimeScaleMonitoringEnabled optional - boolean

            Gets or sets a value indicating whether functions runtime scale monitoring is enabled. When enabled, the ScaleController will not monitor event sources directly, but will instead call to the runtime to get scale status.

          • handlerMappings optional array
              • arguments optional - string

                Command-line arguments to be passed to the script processor.

              • extension optional - string

                Requests with this extension will be handled using the specified FastCGI application.

              • scriptProcessor optional - string

                The absolute path to the FastCGI application.

          • healthCheckPath optional - string

            Health check path

          • http20Enabled optional - boolean

            Http20Enabled: configures a web site to allow clients to connect over http2.0

          • httpLoggingEnabled optional - boolean

            <code>true</code> if HTTP logging is enabled; otherwise, <code>false</code>.

          • ipSecurityRestrictions optional array
              • action optional - string

                Allow or Deny access for this IP range.

              • description optional - string

                IP restriction rule description.

              • headers optional - array

                IP restriction rule headers. X-Forwarded-Host (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host#Examples). The matching logic is ..

                • If the property is null or empty (default), all hosts(or lack of) are allowed.
                • A value is compared using ordinal-ignore-case (excluding port number).
                • Subdomain wildcards are permitted but don't match the root domain. For example, *.contoso.com matches the subdomain foo.contoso.com but not the root domain contoso.com or multi-level foo.bar.contoso.com
                • Unicode host names are allowed but are converted to Punycode for matching. X-Forwarded-For (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For#Examples). The matching logic is ..
                • If the property is null or empty (default), any forwarded-for chains (or lack of) are allowed.
                • If any address (excluding port number) in the chain (comma separated) matches the CIDR defined by the property. X-Azure-FDID and X-FD-HealthProbe. The matching logic is exact match.
              • ipAddress optional - string

                IP address the security restriction is valid for. It can be in form of pure ipv4 address (required SubnetMask property) or CIDR notation such as ipv4/mask (leading bit match). For CIDR, SubnetMask property must not be specified.

              • name optional - string

                IP restriction rule name.

              • priority optional - integer

                Priority of IP restriction rule.

              • subnetMask optional - string

                Subnet mask for the range of IP addresses the restriction is valid for.

              • subnetTrafficTag optional - integer

                (internal) Subnet traffic tag

              • tag optional - string

                Defines what this IP filter will be used for. This is to support IP filtering on proxies.

              • vnetSubnetResourceId optional - string

                Virtual network resource id

              • vnetTrafficTag optional - integer

                (internal) Vnet traffic tag

          • javaContainer optional - string

            Java container.

          • javaContainerVersion optional - string

            Java container version.

          • javaVersion optional - string

            Java version.

          • keyVaultReferenceIdentity optional - string

            Identity to use for Key Vault Reference authentication.

          • limits optional
              • maxDiskSizeInMb optional - integer

                Maximum allowed disk size usage in MB.

              • maxMemoryInMb optional - integer

                Maximum allowed memory usage in MB.

              • maxPercentageCpu optional - number

                Maximum allowed CPU usage percentage.

          • linuxFxVersion optional - string

            Linux App Framework and version

          • loadBalancing optional - string

            Site load balancing.

          • localMySqlEnabled optional - boolean

            <code>true</code> to enable local MySQL; otherwise, <code>false</code>.

          • logsDirectorySizeLimit optional - integer

            HTTP logs directory size limit.

          • managedPipelineMode optional - string

            Managed pipeline mode.

          • managedServiceIdentityId optional - integer

            Managed Service Identity Id

          • minimumElasticInstanceCount optional - integer

            Number of minimum instance count for a site This setting only applies to the Elastic Plans

          • minTlsVersion optional - string

            MinTlsVersion: configures the minimum version of TLS required for SSL requests.

          • netFrameworkVersion optional - string

            .NET Framework version.

          • nodeVersion optional - string

            Version of Node.js.

          • numberOfWorkers optional - integer

            Number of workers.

          • phpVersion optional - string

            Version of PHP.

          • powerShellVersion optional - string

            Version of PowerShell.

          • preWarmedInstanceCount optional - integer

            Number of preWarmed instances. This setting only applies to the Consumption and Elastic Plans

          • publicNetworkAccess optional - string

            Property to allow or block all public traffic.

          • publishingUsername optional - string

            Publishing user name.

          • push optional
              • kind optional - string

                Kind of resource.

              • properties optional
                  • dynamicTagsJson optional - string

                    Gets or sets a JSON string containing a list of dynamic tags that will be evaluated from user claims in the push registration endpoint.

                  • isPushEnabled required - boolean

                    Gets or sets a flag indicating whether the Push endpoint is enabled.

                  • tagsRequiringAuth optional - string

                    Gets or sets a JSON string containing a list of tags that require user authentication to be used in the push registration endpoint. Tags can consist of alphanumeric characters and the following: '_', '@', '#', '.', ':', '-'. Validation should be performed at the PushRequestHandler.

                  • tagWhitelistJson optional - string

                    Gets or sets a JSON string containing a list of tags that are whitelisted for use by the push registration endpoint.

          • pythonVersion optional - string

            Version of Python.

          • remoteDebuggingEnabled optional - boolean

            <code>true</code> if remote debugging is enabled; otherwise, <code>false</code>.

          • remoteDebuggingVersion optional - string

            Remote debugging version.

          • requestTracingEnabled optional - boolean

            <code>true</code> if request tracing is enabled; otherwise, <code>false</code>.

          • requestTracingExpirationTime optional - string

            Request tracing expiration time.

          • scmIpSecurityRestrictions optional array
              • action optional - string

                Allow or Deny access for this IP range.

              • description optional - string

                IP restriction rule description.

              • headers optional - array

                IP restriction rule headers. X-Forwarded-Host (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host#Examples). The matching logic is ..

                • If the property is null or empty (default), all hosts(or lack of) are allowed.
                • A value is compared using ordinal-ignore-case (excluding port number).
                • Subdomain wildcards are permitted but don't match the root domain. For example, *.contoso.com matches the subdomain foo.contoso.com but not the root domain contoso.com or multi-level foo.bar.contoso.com
                • Unicode host names are allowed but are converted to Punycode for matching. X-Forwarded-For (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For#Examples). The matching logic is ..
                • If the property is null or empty (default), any forwarded-for chains (or lack of) are allowed.
                • If any address (excluding port number) in the chain (comma separated) matches the CIDR defined by the property. X-Azure-FDID and X-FD-HealthProbe. The matching logic is exact match.
              • ipAddress optional - string

                IP address the security restriction is valid for. It can be in form of pure ipv4 address (required SubnetMask property) or CIDR notation such as ipv4/mask (leading bit match). For CIDR, SubnetMask property must not be specified.

              • name optional - string

                IP restriction rule name.

              • priority optional - integer

                Priority of IP restriction rule.

              • subnetMask optional - string

                Subnet mask for the range of IP addresses the restriction is valid for.

              • subnetTrafficTag optional - integer

                (internal) Subnet traffic tag

              • tag optional - string

                Defines what this IP filter will be used for. This is to support IP filtering on proxies.

              • vnetSubnetResourceId optional - string

                Virtual network resource id

              • vnetTrafficTag optional - integer

                (internal) Vnet traffic tag

          • scmIpSecurityRestrictionsUseMain optional - boolean

            IP security restrictions for scm to use main.

          • scmMinTlsVersion optional - string

            ScmMinTlsVersion: configures the minimum version of TLS required for SSL requests for SCM site.

          • scmType optional - string

            SCM type.

          • tracingOptions optional - string

            Tracing options.

          • use32BitWorkerProcess optional - boolean

            <code>true</code> to use 32-bit worker process; otherwise, <code>false</code>.

          • virtualApplications optional array
              • physicalPath optional - string

                Physical path.

              • preloadEnabled optional - boolean

                <code>true</code> if preloading is enabled; otherwise, <code>false</code>.

              • virtualDirectories optional array
                  • physicalPath optional - string

                    Physical path.

                  • virtualPath optional - string

                    Path to virtual application.

              • virtualPath optional - string

                Virtual path.

          • vnetName optional - string

            Virtual Network name.

          • vnetPrivatePortsCount optional - integer

            The number of private ports assigned to this app. These will be assigned dynamically on runtime.

          • vnetRouteAllEnabled optional - boolean

            Virtual Network Route All enabled. This causes all outbound traffic to have Virtual Network Security Groups and User Defined Routes applied.

          • websiteTimeZone optional - string

            Sets the time zone a site uses for generating timestamps. Compatible with Linux and Windows App Service. Setting the WEBSITE_TIME_ZONE app setting takes precedence over this config. For Linux, expects tz database values https://www.iana.org/time-zones (for a quick reference see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones). For Windows, expects one of the time zones listed under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones

          • webSocketsEnabled optional - boolean

            <code>true</code> if WebSocket is enabled; otherwise, <code>false</code>.

          • windowsFxVersion optional - string

            Xenon App Framework and version

          • xManagedServiceIdentityId optional - integer

            Explicit Managed Service Identity Id

      • storageAccountRequired optional - boolean

        Checks if Customer provided storage account is required

      • virtualNetworkSubnetId optional - string

        Azure Resource Manager ID of the Virtual network and subnet to be joined by Regional VNET Integration. This must be of the form /subscriptions/{subscriptionName}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}

  • tags optional - string

    Resource tags.

  • type required - string

>> from Azure Resource Manager Documentation

The Other Related Azure App Service (Web Apps) Resources

Frequently asked questions

What is Azure App Service (Web Apps) App Service?

Azure App Service (Web Apps) App Service is a resource for App Service (Web Apps) of Microsoft Azure. Settings can be wrote in Terraform.

Where can I find the example code for the Azure App Service (Web Apps) App Service?

For Terraform, the miguelsierramartin/PlayPadel, NsamaChibulu/Project2Services and returntocorp/semgrep-rules source code examples are useful. See the Terraform Example section for further details.

For Azure Resource Manager, the SkillsFundingAgency/dfc-providerportal-monitoring, ajf214/personal-arm-templates and mrpaulandrew/procfwk source code examples are useful. See the Azure Resource Manager Example section for further details.

security-icon

Automate config file reviews on your commits

Fix issues in your infrastructure as code with auto-generated patches.

Table of Contents