Azure Proactive Resiliency Library v2

sites

Summary

| Recommendation | Impact | Category | Automation Available | In Azure Advisor |
|---|---|---|---|---|
| Enable diagnostics logging | Low | Monitoring and Alerting | No | No |
| Monitor Performance | High | Monitoring and Alerting | No | No |
| Separate web apps from web APIs | Low | Scalability | No | No |
| Create a separate storage account for logs | Medium | Scalability | No | No |
| Deploy to a staging slot | Low | Governance | Yes | Yes |
| Store configuration as app settings | Medium | Other Best Practices | Yes | No |
| Enable Health check for App Services | High | Other Best Practices | Yes | No |
| Configure network access restrictions | Medium | Governance | Yes | No |
| Set minimum instance count to 2 for app service | High | Scalability | Yes | No |
| Enable auto heal for Functions App | Low | High Availability | Yes | No |
| No warmup trigger added to Function App | Medium | Monitoring and Alerting | No | No |
| Ensure unique hostid set for Function App | Low | Governance | No | No |
| Ensure Function App runs a supported version | Medium | Governance | No | No |
| Ensure FUNCTIONS_WORKER_RUNTIME is set properly | Medium | Governance | No | No |

Details


Enable diagnostics logging

Impact:  Low Category:  Monitoring and Alerting

APRL GUID:  493f6079-3bb6-4a56-96ba-ab3248474cb1

Description:

Enabling diagnostics logging for your Azure App Service is crucial for monitoring and diagnostics, including both application logging and web server logging.

Potential Benefits:

Monitoring and Alerting
Learn More:
Enable diagnostics logging for apps in Azure App Service

ARG Query:


// cannot-be-validated-with-arg




Monitor Performance

Impact:  High Category:  Monitoring and Alerting

APRL GUID:  a7e8bb3d-8ceb-442d-b26f-007cd63f9ffc

Description:

Use Application Insights to monitor app performance and load behavior, offering real-time insights, issue diagnosis, and root-cause analysis. It supports ASP.NET, ASP.NET Core, Java, and Node.js on Azure App Service, now with built-in monitoring.

Potential Benefits:

Real-time insights and issue diagnosis
Learn More:
Application Insights
Application monitoring for Azure App Service

ARG Query:


// cannot-be-validated-with-arg




Separate web apps from web APIs

Impact:  Low Category:  Scalability

APRL GUID:  78a5c033-ff51-4332-8a71-83464c34494b

Description:

If your solution includes both a web front end and a web API, splitting them into separate App Service apps decomposes the solution by workload and lets each part scale independently. Initially, you can deploy both in the same plan and separate them for independent scaling when necessary.

Potential Benefits:

Independent scaling, easier management
Learn More:
Resiliency checklist for specific Azure services

ARG Query:


// cannot-be-validated-with-arg



Create a separate storage account for logs

Impact:  Medium Category:  Scalability

APRL GUID:  3f9ddb59-0bb3-4acb-9c9b-99aa1776f0ab

Description:

Creating a separate storage account for logs and not using the same one for application data prevents logging activities from reducing application performance by ensuring that the resources dedicated to handling application data are not burdened by logging processes.

Potential Benefits:

Improves app performance
Learn More:
Resiliency checklist

ARG Query:


// cannot-be-validated-with-arg



Deploy to a staging slot

Impact:  Low Category:  Governance

APRL GUID:  a1d91661-32d4-430b-b3b6-5adeb0975df7

Description:

Create a deployment slot for staging to deploy updates, verify them, and ensure all instances are warmed up before the production swap, reducing the chance of a bad update. A last-known-good (LKG) slot allows easy rollback to a previous good deployment if issues arise later, enhancing reliability.

Potential Benefits:

Safer updates and easy rollback
Learn More:
Set up staging environments in Azure App Service

ARG Query:


// Azure Resource Graph Query
// Display App Service with the count of deployment slots for Apps under eligible App service plans and it shows if deployment slot is enabled or not

resources
| where type =~ 'microsoft.web/sites' or type =~ 'microsoft.web/sites/slots'
| extend isSlot = iff(type =~ 'microsoft.web/sites/slots', 1, 0)
| extend AspName = iff(isSlot == 1, tostring(split(name, '/')[0]), name)
| extend Sku = tostring(properties.sku)
| where tolower(Sku) contains "standard" or tolower(Sku) contains "premium" or tolower(Sku) contains "isolatedv2"
| project id, name, AspName, isSlot, Sku
| summarize Slots = countif(isSlot == 1) by id, name, AspName, Sku
| extend DeploymentSlotEnabled = iff(Slots > 1, true, false)
| where DeploymentSlotEnabled == false
| project recommendationId="a1d91661-32d4-430b-b3b6-5adeb0975df7", name, id, tags="", param1=Sku, param2=Slots, param3="DeploymentSlotEnabled=false"



Store configuration as app settings

Impact:  Medium Category:  Other Best Practices

APRL GUID:  0b80b67c-afbe-4988-ad58-a85a146b681e

Description:

Use app settings for configuration and define them in Resource Manager templates or via PowerShell, so that they can be applied as part of an automated deployment/update process for improved reliability.

Potential Benefits:

Enhanced reliability via automation
Learn More:
Configure web apps in Azure App Service

ARG Query:


// Azure Resource Graph Query
// Provides a list of Azure App Service resources that don't have App Settings configured

appserviceresources
| where type == "microsoft.web/sites/config"
| extend AppSettingsMissing = iif(isempty(properties.AppSettings), true, false)
| where AppSettingsMissing == true
| project  recommendationId="0b80b67c-afbe-4988-ad58-a85a146b681e", id, name, tags="", param1="AppSettings is not configured"



Enable Health check for App Services

Impact:  High Category:  Other Best Practices

APRL GUID:  fd049c28-ae6d-48f0-a641-cc3ba1a3fe1d

Description:

Use Health Check for production workloads. Health check increases your application's availability by rerouting requests away from unhealthy instances, and replacing instances if they remain unhealthy. The Health check path should check critical components of your application.

Potential Benefits:

Enhanced reliability via automation
Learn More:
Monitor the health of App Service instances

ARG Query:


// Azure Resource Graph Query
// Check if Health Check is enabled for App Service

resources
| where type =~ 'microsoft.web/sites'
| where properties.kind has 'app'
| join kind = inner
    (
    appserviceresources
    | where isnull(properties.HealthCheckPath) == true
    | project  name
    ) on name
| project recommendationId = "fd049c28-ae6d-48f0-a641-cc3ba1a3fe1d", name, id, tags, param1 = "Healthcheckpath = not set"


Configure network access restrictions

Impact:  Medium Category:  Governance

APRL GUID:  aab6b4a4-9981-43a4-8728-35c7ecbb746d

Description:

Use network access restrictions to define a priority-ordered allow/deny list that controls network access to your app. Web application firewalls, such as the one available in Application Gateway, are recommended for protection of public-facing web applications.

Potential Benefits:

Enhanced security
Learn More:
Set up Azure App Service access restrictions

ARG Query:


// Azure Resource Graph Query
// Check if Network access restrictions defined for App service

resources
| where type =~ 'microsoft.web/sites'
| where properties.kind has 'app'
| join kind = inner
    (
    appserviceresources
    | mv-expand IpSecurityRestrictions = properties.IpSecurityRestrictions
    | where isnotnull(IpSecurityRestrictions) == true
    | project name
    ) on name
| project recommendationId = "aab6b4a4-9981-43a4-8728-35c7ecbb746d", name, id, tags, param1 = "No network restrictions set"
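An added example (not part of the APRL page or the project's code) of how a priority-ordered allow/deny list is evaluated, and how to flag a list that still lets everything through. The rule fields (`name`, `ipAddress`, `action`, `priority`) follow the ARM `ipSecurityRestrictions` shape; the function names and sample rule sets are constructed for illustration, only IP-based rules are handled, and the deny for traffic that matches no rule is modelled as an assumption.

```python
import ipaddress

def _matches(rule, ip):
    """True if the rule's ipAddress ("Any" or a CIDR block) covers ip."""
    addr = rule["ipAddress"]
    if addr.lower() == "any":
        return True
    return ip in ipaddress.ip_network(addr, strict=False)

def evaluate(rules, client_ip):
    """Return (action, rule name); the lowest priority number is checked first."""
    if not rules:
        return ("Allow", "<no rules>")
    ip = ipaddress.ip_address(client_ip)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if _matches(rule, ip):
            return (rule["action"], rule["name"])
    # Assumption: once any rule exists, traffic matching no rule is denied.
    return ("Deny", "<implicit deny>")

def is_unrestricted(rules):
    """True if an allow-everything rule is reached before any Deny rule."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["action"] == "Deny":
            return False
        if rule["ipAddress"].lower() in ("any", "0.0.0.0/0"):
            return True
    return not rules

# Constructed sample rule sets (not taken from a real app).
DEFAULT_OPEN = [
    {"name": "Allow all", "ipAddress": "Any", "action": "Allow", "priority": 2147483647},
]
LOCKED_DOWN = [
    {"name": "office", "ipAddress": "203.0.113.0/24", "action": "Allow", "priority": 100},
    {"name": "blocked-host", "ipAddress": "203.0.113.50/32", "action": "Deny", "priority": 50},
]
SHADOWED = [  # a broad low-number rule makes the narrower rule below it irrelevant
    {"name": "temp-debug", "ipAddress": "0.0.0.0/0", "action": "Allow", "priority": 10},
    {"name": "office", "ipAddress": "203.0.113.0/24", "action": "Allow", "priority": 100},
]

if __name__ == "__main__":
    for label, rules in (("default", DEFAULT_OPEN), ("locked", LOCKED_DOWN), ("shadowed", SHADOWED)):
        print(label, "unrestricted:", is_unrestricted(rules), evaluate(rules, "198.51.100.7"))
```

The `SHADOWED` set shows why the mere presence of rules is not enough to audit: a list can be non-empty and still admit every address.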


Set minimum instance count to 2 for app service

Impact:  High Category:  Scalability

APRL GUID:  9e6682ac-31bc-4635-9959-ab74b52454e6

Description:

App Service should be configured with a minimum of two instances for production workloads. If apps have a longer warmup time, a minimum of three instances should be used.

Potential Benefits:

Improves app performance
Learn More:
Ultimate guide to running healthy apps in the cloud

ARG Query:


// Azure Resource Graph Query
// Provides a list of App services that do not have minimum instance count of 2

resources
| where type =~ 'microsoft.web/sites'
| where properties.kind has 'app'
| join kind = inner
    (
    appserviceresources
    | where properties.PreWarmedInstanceCount < 2
    | project name
    ) on name
| project recommendationId = "9e6682ac-31bc-4635-9959-ab74b52454e6", name, id, tags, param1 = "PreWarmedInstanceCount is less than 2"


Enable auto heal for Functions App

Impact:  Low Category:  High Availability

APRL GUID:  c6c4b962-5af4-447a-9d74-7b9c53a5dff5

Description:

Auto Heal allows you to mitigate your apps when they run into unexpected situations such as HTTP server errors or resource exhaustion. You can configure different triggers based on your needs and choose to recycle the app to recover it from a bad state.

Potential Benefits:

Improved app availability
Learn More:
Announcing the New Auto Healing Experience in App Service Diagnostics - Azure App Service

ARG Query:


// Azure Resource Graph Query
// Provides a list of Azure Function App resources that do not have auto heal enabled

Resources
| where type =~ 'microsoft.web/sites'
| where properties.kind contains 'functionapp'
| join kind=inner
    (appserviceresources
    | where type == "microsoft.web/sites/config"
    | where tostring(properties.AutoHealEnabled) =~ 'false'
    | project id, name, tenantId, location, resourceGroup, properties.AutoHealEnabled
    ) on name
| project recommendationId = "c6c4b962-5af4-447a-9d74-7b9c53a5dff5", name, id, type, kind, param1="AutoHealEnabled =false"


No warmup trigger added to Function App

Impact:  Medium Category:  Monitoring and Alerting

APRL GUID:  52f368ee-1d77-4b34-92db-64be269642d0

Description:

Add a warmup trigger to pre-load custom dependencies during the pre-warming process so that your functions are ready to start processing requests immediately.

Potential Benefits:

Improved app availability
Learn More:
Azure Functions Warmup Trigger

ARG Query:


// cannot-be-validated-with-arg


Ensure unique hostid set for Function App

Impact:  Low Category:  Governance

APRL GUID:  0b06a688-0dd6-4d73-9f72-6666ff853ca9

Description:

A host ID must be between 1 and 32 characters, contain only lowercase letters, numbers, and dashes, not start or end with a dash, and not contain consecutive dashes. The host ID value should be unique for all apps/slots you're running.

Potential Benefits:

Easier management
Learn More:
Resource naming restrictions - Azure Resource Manager

ARG Query:


// cannot-be-validated-with-arg


Ensure Function App runs a supported version

Impact:  Medium Category:  Governance

APRL GUID:  c9a278b7-024b-454b-bd54-41587c512b74

Description:

As of December 13, 2022, function apps running on versions 2.x and 3.x of the Azure Functions runtime have reached the end of life (EOL) of extended support. We highly recommend migrating your function apps to version 4.x of the Functions runtime.

Potential Benefits:

Better governance
Learn More:
Migrate version 3.x to 4.x

ARG Query:


// cannot-be-validated-with-arg


Ensure FUNCTIONS_WORKER_RUNTIME is set properly

Impact:  Medium Category:  Governance

APRL GUID:  7c608f46-46b2-4cc0-bbd6-1d457c16671c

Description:

The FUNCTIONS_WORKER_RUNTIME setting in the Function App configuration should be set to the appropriate value based on the language you are using. This setting is used to determine the language worker that will be used to execute your functions.

Potential Benefits:

Better governance
Learn More:
FUNCTIONS_WORKER_RUNTIME

ARG Query:


// cannot-be-validated-with-arg