Create and configure Azure App Service
📘Microsoft Certified: Azure Administrator Associate (AZ-104)
Azure App Service allows you to run web applications and APIs without managing servers. As an Azure Administrator, you must understand how to protect an app with backups, control access with networking features, and use deployment slots for safer application updates. These topics are tested in the AZ-104 exam.
This guide explains all three areas in detail.
1. Configure Backups for Azure App Service
Backups help you restore an app if something goes wrong—such as code errors, data corruption, or accidental deletion.
1.1 Prerequisites for Backups
Before you can configure backups, make sure:
- The App Service Plan is Standard, Premium, or Isolated.
- Basic or Free tiers do not support backups.
- You have a Storage Account (Blob Storage) to store backup files.
1.2 What App Service Backup Includes
A backup can include:
- Application code and files
- App configuration (app settings and connection strings)
- Database (if configured — SQL Database or MySQL)
1.3 Configure Backup (Portal Steps)
- Go to your App Service.
- Under Settings, select Backups.
- Choose your Storage account and container.
- Select Database if you want to include it.
- Turn on Scheduled backup if desired.
- Choose a frequency, such as daily or hourly.
- Choose how many backups Azure should keep (backup retention).
1.4 Backup Scheduling and Retention
You can configure:
- Backup frequency (daily/hourly)
- Retention count (e.g., keep last 30 backups)
Backups are stored as ZIP files in Azure Storage.
1.5 Restore from Backup
Azure allows you to restore:
- To the same App Service
- To a new App Service (safe option if you want to test the restore)
The restore process replaces:
- App code
- Settings
- Connected database (if selected)
1.6 Common Exam Points
- App Service backup requires Standard tier or higher.
- Backups need a Storage Account container.
- Restoring overwrites existing content unless restored to a new app.
- Backup can include databases.
2. Configure App Service Networking
Networking controls who can access your App Service and how your app communicates with other Azure resources. Networking features help improve security, connectivity, and traffic flow.
2.1 Inbound Traffic Controls (Traffic Coming into Your App)
2.1.1 Access Restrictions
You can control which IPs or networks can access the app.
- Found under Networking > Access Restrictions
- You can allow or deny:
- IP addresses
- Azure VNets
- Service Tags (e.g., AzureFrontDoor, Internet)
Use case:
Allow traffic only from your corporate network’s public IP.
2.2 Outbound Traffic Controls (App Connecting to Other Resources)
2.2.1 VNet Integration
Allows your App Service to access internal resources inside a virtual network (VNet), such as:
- Azure SQL in a private endpoint
- Internal APIs
- File shares
- Virtual Machines
App Service Plan tier requirement:
- Standard, Premium, or better.
Two types:
- Regional VNet integration
- Common mode
- Works with Resources in same region
- Gateway-required VNet integration
- Legacy method using VPN Gateway
- Rare in modern implementations
2.2.2 Private Endpoints
A private endpoint exposes your App Service on a private IP address from your VNet.
This means:
- No traffic goes over public internet.
- Only VNet-connected resources can access the app.
Used in highly secure environments.
2.3 Hybrid Connections
Used when your app needs to connect to on-premises resources, such as:
- On-premises database
- On-premises web service
It works over port 443 outbound, making it easy for corporate networks without complex firewall rules.
2.4 App Service Environment (ASE) – Premium Option
ASE is an isolated environment running inside your own VNet.
Key points:
- Maximum security
- For high-scale, enterprise environments
- Expensive
- Not required for most AZ-104 tasks, but you should know it exists
2.5 Common Exam Points
- VNet Integration enables outbound access to VNet resources.
- Private Endpoints allow secure inbound access.
- Access Restrictions control who can access your app.
- Hybrid Connections allow access to on-premises resources.
- App Service Plan tier determines available networking features.
3. Configure Deployment Slots
Deployment slots allow you to host multiple versions of your web app under the same App Service Plan.
Slots are separate, live environments such as:
- Production (main app)
- Staging
- Testing
- Development
3.1 App Service Plan Requirements
Deployment slots are available in:
- Standard, Premium, or Isolated tiers
- Free and Basic plans do not support them
3.2 Why Deployment Slots Are Important
They allow safer and smoother deployments:
- You can deploy code to Staging first.
- Test the app without affecting users.
- When ready, swap staging and production.
This ensures:
- Zero-downtime deployment
- Lower risk
- Easy rollback (swap back if needed)
3.3 Slot Settings
Some settings can be marked as “slot-specific”, meaning they stay with the slot during swaps.
Examples of slot-specific settings:
- Database connection strings for testing vs production
- App settings used only in staging
This ensures testing does not impact production data.
3.4 Swap Operation
During a swap:
- URLs of the slots remain the same
- Content and configuration move between them
Azure performs:
- Warmup of the staging slot
- Ensures app is ready before swap
- Swaps settings and content
- Production slot now runs the staged version
3.5 Auto-Swap
Auto-swap automatically pushes code from staging to production when updated.
Useful for continuous deployment pipelines.
3.6 Common Exam Points
- Deployment slots are available only in Standard or higher tiers.
- Swap supports zero-downtime deployment.
- Slot-specific settings stay within the slot.
- You can test in a slot before going live.
- Slots share the same App Service Plan, meaning shared compute resources.
Summary Table for Exam Revision
| Feature | Required Tier | Purpose | Key Points |
|---|---|---|---|
| Backups | Standard+ | Protect app & data | Stored in Storage Account, can include DB |
| VNet Integration | Standard+ | Outbound access to VNet | Lets app access SQL, VMs, APIs |
| Private Endpoint | Premium+ | Private inbound access | App exposed via private IP |
| Access Restrictions | All tiers | Control inbound requests | Allow/deny IPs, VNets, service tags |
| Deployment Slots | Standard+ | Safer deployments | Staging/testing environments, swap |
Final Notes for AZ-104 Exam
You should understand:
- When backups are available
- How to configure and restore backups
- How App Service networking works (VNet Integration, Private Endpoints, Access Restrictions, Hybrid Connections)
- How deployment slots work, including swaps and slot-specific settings
This topic appears frequently in the exam, so knowing these concepts well is important.
