Azure Proactive Resiliency Library v2
Tools Glossary GitHub GitHub Issues Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Back to homepage

sites

Summary

RecommendationImpactCategoryAutomation AvailablePG Verified
Enable diagnostics loggingLowMonitoring and AlertingNoPreview
Monitor PerformanceMediumMonitoring and AlertingNoPreview
Separate web apps from web APIsLowScalabilityNoPreview
Create a separate storage account for logsMediumScalabilityNoPreview
Deploy to a staging slotLowGovernanceYesPreview
Store configuration as app settingsMediumOther Best PracticesYesPreview
Enable Health check for App ServicesMediumOther Best PracticesYesPreview
Configure network access restrictionsMediumGovernanceYesPreview
Set minimum instance count to 2 for app serviceMediumScalabilityYesPreview
Enable auto heal for Functions AppLowHigh AvailabilityYesPreview
No warmup trigger added to Function AppMediumMonitoring and AlertingNoPreview
Ensure unique hostid set for Function AppLowGovernanceNoPreview
Ensure Function App runs a supported versionMediumGovernanceNoPreview
Ensure FUNCTIONS_WORKER_RUNTIME is set properlyMediumGovernanceNoPreview

Details


Enable diagnostics logging

Impact:  Low Category:  Monitoring and Alerting PG Verified:  Preview

APRL GUID:  493f6079-3bb6-4a56-96ba-ab3248474cb1

Description:

Enabling diagnostics logging for your Azure App Service is crucial for monitoring and diagnostics, including both application logging and web server logging.

Potential Benefits:

Monitoring and Alerting
Learn More:
Enable diagnostics logging for apps in Azure App Service

ARG Query:

Click the Azure Resource Graph tab to view the query

// cannot-be-validated-with-arg




Monitor Performance

Impact:  Medium Category:  Monitoring and Alerting PG Verified:  Preview

APRL GUID:  a7e8bb3d-8ceb-442d-b26f-007cd63f9ffc

Description:

Use Application Insights to monitor app performance and load behavior, offering real-time insights, issue diagnosis, and root-cause analysis. It supports ASP.NET, ASP.NET Core, Java, and Node.js on Azure App Service, now with built-in monitoring.

Potential Benefits:

Real-time insights and issue diagnosis
Learn More:
Application Insights
Application monitoring for Azure App Service

ARG Query:

Click the Azure Resource Graph tab to view the query

// cannot-be-validated-with-arg




Separate web apps from web APIs

Impact:  Low Category:  Scalability PG Verified:  Preview

APRL GUID:  78a5c033-ff51-4332-8a71-83464c34494b

Description:

If your solution includes both a web front end and a web API, decomposing them into separate App Service apps facilitates solution decomposition by workload, allowing for independent scaling. Initially, you can deploy both in the same plan and separate them for independent scaling when necessary.

Potential Benefits:

Independent scaling, easier management
Learn More:
Resiliency checklist for specific Azure services

ARG Query:

Click the Azure Resource Graph tab to view the query

// cannot-be-validated-with-arg



Create a separate storage account for logs

Impact:  Medium Category:  Scalability PG Verified:  Preview

APRL GUID:  3f9ddb59-0bb3-4acb-9c9b-99aa1776f0ab

Description:

Creating a separate storage account for logs and not using the same one for application data prevents logging activities from reducing application performance by ensuring that the resources dedicated to handling application data are not burdened by logging processes.

Potential Benefits:

Improves app performance
Learn More:
Resiliency checklist

ARG Query:

Click the Azure Resource Graph tab to view the query

// cannot-be-validated-with-arg



Deploy to a staging slot

Impact:  Low Category:  Governance PG Verified:  Preview

APRL GUID:  a1d91661-32d4-430b-b3b6-5adeb0975df7

Description:

Create a deployment slot for staging to deploy updates, verify them, and ensure all instances are warmed up before production swap, reducing bad update chances. An LKG slot allows easy rollback to a previous good deployment if issues arise later, enhancing reliability.

Potential Benefits:

Safer updates and easy rollback
Learn More:
Set up staging environments in Azure App Service

ARG Query:

Click the Azure Resource Graph tab to view the query

// Azure Resource Graph Query
// Display App Service with the count of deployment slots for Apps under eligible App service plans and it shows if deployment slot is enabled or not

resources
| where type =~ 'microsoft.web/sites' or type =~ 'microsoft.web/sites/slots'
| extend isSlot = iff(type =~ 'microsoft.web/sites/slots', 1, 0)
| extend AspName = iff(isSlot == 1, split(name, '/')[0], name)
| extend Sku = tostring(properties.sku)
| where tolower(Sku) contains "standard" or tolower(Sku) contains "premium" or tolower(Sku) contains "isolatedv2"
| project id, name, AspName, isSlot, Sku
| summarize Slots = countif(isSlot == 1) by id, name, AspName, Sku
| extend DeploymentSlotEnabled = iff(Slots > 1, true, false)
| where DeploymentSlotEnabled = false
| project recommendationId="a1d91661-32d4-430b-b3b6-5adeb0975df7", name, id, tags="", param1=Sku, param2=Slots, param3="DeploymentSlotEnabled=false"



Store configuration as app settings

Impact:  Medium Category:  Other Best Practices PG Verified:  Preview

APRL GUID:  0b80b67c-afbe-4988-ad58-a85a146b681e

Description:

Use app settings for configuration and define them in Resource Manager templates or via PowerShell to facilitate part of an automated deployment/update process for improved reliability.

Potential Benefits:

Enhanced reliability via automation
Learn More:
Configure web apps in Azure App Service

ARG Query:

Click the Azure Resource Graph tab to view the query

// Azure Resource Graph Query
// Provides a list of Azure App Service resources that don't have App Settings configured

appserviceresources
| where type == "microsoft.web/sites/config"
| extend AppSettings = iif(isempty(properties.AppSettings), true, false)
| where AppSettings == false
| project  recommendationId="0b80b67c-afbe-4988-ad58-a85a146b681e", id, name, tags="", param1="AppSettings is not configured"



Enable Health check for App Services

Impact:  Medium Category:  Other Best Practices PG Verified:  Preview

APRL GUID:  fd049c28-ae6d-48f0-a641-cc3ba1a3fe1d

Description:

Use Health Check for production workloads. Health check increases your application's availability by rerouting requests away from unhealthy instances, and replacing instances if they remain unhealthy. The Health check path should check critical components of your application.

Potential Benefits:

Enhanced reliability via automation
Learn More:
Monitor the health of App Service instances

ARG Query:

Click the Azure Resource Graph tab to view the query

// Azure Resource Graph Query
// Check if Health Check is enabled for App Service

resources
| where type =~ 'microsoft.web/sites'
| where properties.kind has 'app'
| join kind = inner
    (
    appserviceresources
    | where isnull(properties.HealthCheckPath) == true
    | project  name
    ) on name
| project recommendationId = "fd049c28-ae6d-48f0-a641-cc3ba1a3fe1d", name, id, tags, param1 = "Healthcheckpath = not set"


Configure network access restrictions

Impact:  Medium Category:  Governance PG Verified:  Preview

APRL GUID:  aab6b4a4-9981-43a4-8728-35c7ecbb746d

Description:

Use network access restrictions to define a priority-ordered allow/deny list that controls network access to your app. Web application firewalls, such as the one available in Application Gateway, are recommended for protection of public-facing web applications.

Potential Benefits:

Enhanced security
Learn More:
Set up Azure App Service access restrictions

ARG Query:

Click the Azure Resource Graph tab to view the query

// Azure Resource Graph Query
// Check if Network access restrictions defined for App service

resources
| where type =~ 'microsoft.web/sites'
| where properties.kind has 'app'
| join kind = inner
    (
    appserviceresources
    | mv-expand IpSecurityRestrictions = properties.IpSecurityRestrictions
    | where isnotnull(IpSecurityRestrictions) == true
    | project name
    ) on name
| project recommendationId = "aab6b4a4-9981-43a4-8728-35c7ecbb746d", name, id, tags, param1 = "No network restrictions set"


Set minimum instance count to 2 for app service

Impact:  Medium Category:  Scalability PG Verified:  Preview

APRL GUID:  9e6682ac-31bc-4635-9959-ab74b52454e6

Description:

App Service should be configured with a minimum of two instances for production workloads. If apps have a longer warmup time a minimum of three instances should be used.

Potential Benefits:

Improves app performace
Learn More:
Ultimate guide to running healthy apps in the cloud

ARG Query:

Click the Azure Resource Graph tab to view the query

// Azure Resource Graph Query
// Provides a list of App services that do not have minimum instance count of 2

resources
| where type =~ 'microsoft.web/sites'
| where properties.kind has 'app'
| join kind = inner
    (
    appserviceresources
    | where properties.PreWarmedInstanceCount < 2
    | project name
    ) on name
| project recommendationId = "9e6682ac-31bc-4635-9959-ab74b52454e6", name, id, tags, param1 = "PreWarmedInstanceCount is less than 2"


Enable auto heal for Functions App

Impact:  Low Category:  High Availability PG Verified:  Preview

APRL GUID:  c6c4b962-5af4-447a-9d74-7b9c53a5dff5

Description:

Auto Heal allows you to mitigate your apps when it runs into unexpected situations like HTTP server errors, resource exhaustion, etc. You can configure different triggers based on your need and choose to recycle the app to recover it from a bad state.

Potential Benefits:

Improved app availability
Learn More:
Announcing the New Auto Healing Experience in App Service Diagnostics - Azure App Service

ARG Query:

Click the Azure Resource Graph tab to view the query

// Azure Resource Graph Query
// Provides a list of Azure Function App resources that do not have auto heal enabled

Resources
| where type =~ 'microsoft.web/sites'
| where properties.kind contains 'functionapp'
| join kind=inner
    (appserviceresources
    | where type == "microsoft.web/sites/config"
    | where properties.AutoHealEnabled == 'false'
    | project id, name, tenantId, location, resourceGroup, properties.AutoHealEnabled
    ) on name
| project recommendationID = "c6c4b962-5af4-447a-9d74-7b9c53a5dff5", name, id, type, kind, param1="AutoHealEnabled =false"


No warmup trigger added to Function App

Impact:  Medium Category:  Monitoring and Alerting PG Verified:  Preview

APRL GUID:  52f368ee-1d77-4b34-92db-64be269642d0

Description:

Add a warmup trigger to pre-load custom dependencies during the pre-warming process so that your functions are ready to start processing requests immediately.

Potential Benefits:

Improved app availability
Learn More:
Azure Functions Warmup Trigger

ARG Query:

Click the Azure Resource Graph tab to view the query

// cannot-be-validated-with-arg


Ensure unique hostid set for Function App

Impact:  Low Category:  Governance PG Verified:  Preview

APRL GUID:  0b06a688-0dd6-4d73-9f72-6666ff853ca9

Description:

A host ID must be between 1 and 32 characters, contain only lowercase letters, numbers, and dashes, not start or end with a dash, and not contain consecutive dashes. The host ID value should be unique for all apps/slots you're running.

Potential Benefits:

Easier management
Learn More:
Resource naming restrictions - Azure Resource Manager

ARG Query:

Click the Azure Resource Graph tab to view the query

// cannot-be-validated-with-arg


Ensure Function App runs a supported version

Impact:  Medium Category:  Governance PG Verified:  Preview

APRL GUID:  c9a278b7-024b-454b-bd54-41587c512b74

Description:

Beginning on December 13, 2022, function apps running on versions 2.x and 3.x of the Azure Functions runtime have reached the end of life (EOL) of extended support. We highly recommend you migrating your function apps to version 4.x of the Functions runtime.

Potential Benefits:

Better governance
Learn More:
Migrate version 3.x to 4.x

ARG Query:

Click the Azure Resource Graph tab to view the query

// cannot-be-validated-with-arg


Ensure FUNCTIONS_WORKER_RUNTIME is set properly

Impact:  Medium Category:  Governance PG Verified:  Preview

APRL GUID:  7c608f46-46b2-4cc0-bbd6-1d457c16671c

Description:

The FUNCTIONS_WORKER_RUNTIME setting in the Function App configuration should be set to the appropriate value based on the language you are using. This setting is used to determine the language worker that will be used to execute your functions.

Potential Benefits:

Better governance
Learn More:
FUNCTIONS_WORKER_RUNTIME

ARG Query:

Click the Azure Resource Graph tab to view the query

// cannot-be-validated-with-arg