azure-app-service-best-practices

📁 seligj95/azure-app-service-skills 📅 9 days ago

总安装量

周安装量

#51017

全站排名

安装命令

npx skills add https://github.com/seligj95/azure-app-service-skills --skill azure-app-service-best-practices

Agent 安装分布

github-copilot 1

Skill 文档

When to Apply

Reference these guidelines when:

Deploying new App Service web apps to production
Reviewing existing configurations for optimization
Setting up CI/CD pipelines and deployment strategies
Implementing security and authentication
Troubleshooting performance issues
Planning cost optimization
Migrating to App Service from other platforms

Rule Categories by Priority

Priority	Category	Impact	Prefix
1	Security	CRITICAL	`security-`
2	Reliability	CRITICAL	`reliability-`
3	Performance	HIGH	`perf-`
4	Deployment	HIGH	`deploy-`
5	Configuration	MEDIUM	`config-`
6	Cost Optimization	MEDIUM	`cost-`
7	Monitoring	MEDIUM	`monitor-`

Quick Reference

1. Security (CRITICAL)

Rule	Description
`security-managed-identity`	Use Managed Identity instead of credentials in app settings
`security-https-only`	Enforce HTTPS-only connections
`security-keyvault-refs`	Store secrets in Key Vault with app setting references
`security-min-tls`	Require TLS 1.2 minimum
`security-disable-ftp`	Disable FTP/FTPS deployments
`security-auth-provider`	Use built-in authentication (Easy Auth) when applicable
`security-vnet-integration`	Use VNet integration for backend service access
`security-private-endpoints`	Use private endpoints for sensitive workloads

2. Reliability (CRITICAL)

Rule	Description
`reliability-always-on`	Enable Always On (Basic+ tier) to prevent cold starts
`reliability-health-check`	Configure health check endpoint for load balancer probing
`reliability-deployment-slots`	Use staging slots for zero-downtime deployments
`reliability-auto-heal`	Enable auto-heal rules for automatic recovery
`reliability-zone-redundancy`	Enable zone redundancy for production (Premium v3)
`reliability-backup`	Configure automated backups for stateful apps
`reliability-multi-region`	Use Traffic Manager or Front Door for multi-region HA

3. Performance (HIGH)

Rule	Description
`perf-right-size-sku`	Choose appropriate SKU for workload (don’t over/under provision)
`perf-linux-plans`	Prefer Linux plans for better performance and lower cost
`perf-local-cache`	Enable local cache for read-heavy file access
`perf-http2`	Enable HTTP/2 for multiplexed connections
`perf-arr-affinity`	Disable ARR affinity for stateless apps
`perf-connection-pooling`	Use connection pooling for database connections
`perf-async-patterns`	Use async patterns to maximize throughput
`perf-cdn-static`	Use CDN for static content delivery

4. Deployment (HIGH)

Rule	Description
`deploy-slots-swap`	Deploy to staging slot, then swap to production
`deploy-ci-cd`	Use GitHub Actions or Azure Pipelines for automated deployments
`deploy-run-from-package`	Use Run From Package for faster, atomic deployments
`deploy-warm-up`	Configure slot warm-up rules before swap
`deploy-rollback-plan`	Maintain ability to swap back for quick rollbacks
`deploy-slot-settings`	Mark slot-specific settings (connection strings, feature flags)

5. Configuration (MEDIUM)

Rule	Description
`config-startup-command`	Set explicit startup command for Linux apps
`config-64bit`	Use 64-bit platform for memory-intensive workloads
`config-timezone`	Set WEBSITE_TIME_ZONE for scheduled tasks
`config-env-separation`	Use slot settings to separate dev/staging/prod configs
`config-cors`	Configure CORS explicitly (avoid wildcard in production)
`config-websockets`	Enable WebSockets only if needed

6. Cost Optimization (MEDIUM)

Rule	Description
`cost-reserved-instances`	Use reserved instances for predictable workloads (1-3 year)
`cost-dev-test-pricing`	Use Dev/Test pricing for non-production
`cost-right-tier`	Start with lower SKU, scale up based on metrics
`cost-shared-plan`	Share App Service plans across low-traffic apps
`cost-auto-scale`	Configure autoscale instead of over-provisioning
`cost-stop-dev`	Stop/deallocate dev apps when not in use

7. Monitoring (MEDIUM)

Rule	Description
`monitor-app-insights`	Enable Application Insights for APM
`monitor-diagnostic-settings`	Configure diagnostic settings to Log Analytics
`monitor-alerts`	Set up alerts for HTTP errors, response time, CPU
`monitor-availability`	Configure availability tests for uptime monitoring
`monitor-log-streaming`	Enable application logging for troubleshooting

Anti-Patterns to Avoid

Anti-Pattern	Problem	Solution
Storing secrets in app settings	Credentials exposed in portal/APIs	Use Key Vault references
Deploying directly to production	Downtime risk, no rollback	Use deployment slots
Using Free/Shared for production	No SLA, shared resources	Use Basic+ with Always On
Polling-based scaling	Slow reaction, resource waste	Use metric-based autoscale
Synchronous blocking calls	Thread starvation	Use async/await patterns
Large app packages	Slow cold starts	Optimize dependencies, use Run From Package
Hardcoded connection strings	Difficult rotation, env coupling	Use app settings + Key Vault
Ignoring health checks	Bad instances receive traffic	Configure health check path

Implementation Examples

Enable Security Essentials

# Managed Identity
az webapp identity assign --name <app> --resource-group <rg>

# HTTPS Only + TLS 1.2
az webapp update --name <app> --resource-group <rg> --https-only true
az webapp config set --name <app> --resource-group <rg> --min-tls-version 1.2

# Disable FTP
az webapp config set --name <app> --resource-group <rg> --ftps-state Disabled

Enable Reliability Essentials

# Always On
az webapp config set --name <app> --resource-group <rg> --always-on true

# Health Check
az webapp config set --name <app> --resource-group <rg> \
  --generic-configurations '{"healthCheckPath": "/health"}'

# Create staging slot
az webapp deployment slot create --name <app> --resource-group <rg> --slot staging

Enable Performance Essentials

# HTTP/2
az webapp config set --name <app> --resource-group <rg> --http20-enabled true

# Disable ARR affinity (stateless apps)
az webapp update --name <app> --resource-group <rg> --client-affinity-enabled false

# Run From Package
az webapp config appsettings set --name <app> --resource-group <rg> \
  --settings WEBSITE_RUN_FROM_PACKAGE=1

Configure Autoscaling

az monitor autoscale create \
  --resource-group <rg> \
  --resource <plan-name> \
  --resource-type Microsoft.Web/serverfarms \
  --min-count 2 --max-count 10 --count 2

az monitor autoscale rule create \
  --resource-group <rg> \
  --autoscale-name <rule-name> \
  --condition "CpuPercentage > 70 avg 5m" \
  --scale out 1

SKU Selection Guide

Workload	Recommended SKU	Why
Dev/Test	F1, B1	Low cost, sufficient for testing
Low-traffic production	B1, S1	Always On, custom domains, SLA
Standard production	S1-S3	Autoscale, slots, backups
High-performance	P1V2-P3V2	More memory/CPU, faster storage
Mission-critical	P1V3-P3V3	Zone redundancy, best performance

References

Security Rules: See references/rules/security.md for detailed security rule explanations
CLI Reference: See references/cli-reference.md for command documentation
Troubleshooting: See references/troubleshooting.md for diagnostics

Scripts

scripts/audit.sh – Audit App Service configuration against best practices
scripts/health-check.sh – App health check and diagnostics

Related Skills

Install complementary App Service skills for specialized guidance:

# Install all App Service skills
npx skills add seligj95/azure-app-service-skills

Skill	Focus
`azure-app-service-deployment`	GitHub Actions CI/CD, deployment slots, Run From Package
`azure-app-service-monitoring`	Application Insights, KQL queries, alerts, availability tests
`azure-app-service-security`	Managed Identity, Key Vault integration, Easy Auth, access restrictions
`azure-app-service-networking`	VNet integration, private endpoints, Front Door, Traffic Manager
`azure-app-service-environment`	App Service Environment v3 for isolated, dedicated deployments
`azure-app-service-troubleshooting`	HTTP error diagnosis, startup failures, Kudu tools, auto-heal

GitHub 仓库 ↗ ← 返回陌讯 Skills 聚合平台