Service | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
ai-services | Models | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/concepts/models.md | See [model versions](../concepts/model-versions.md) to learn about how Azure Ope | gpt-4 (0314) | | East US <br> France Central <br> South Central US <br> UK South | | gpt-4 (0613) | Australia East <br> Canada East <br> France Central <br> Sweden Central <br> Switzerland North | East US <br> East US 2 <br> Japan East <br> UK South | | gpt-4 (1106-preview) | Australia East <br> Canada East <br> East US 2 <br> France Central <br> Norway East <br> South India <br> Sweden Central <br> UK South <br> West US | | -| gpt-4 (vision-preview) | | Sweden Central <br> Switzerland North<br>Australia East <br> West US | --> [!NOTE] -> As a temporary measure, GPT-4 Turbo with Vision is currently unavailable to new customers. +| gpt-4 (vision-preview) | Sweden Central <br> West US| Switzerland North <br> Australia East | ### GPT-3.5 models |
ai-services | Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/reference.md | POST https://{your-resource-name}.openai.azure.com/openai/deployments/{deploymen |--|--|--|--| | ```your-resource-name``` | string | Required | The name of your Azure OpenAI Resource. | | ```deployment-id``` | string | Required | The name of your model deployment. You're required to first deploy a model before you can make calls. |-| ```api-version``` | string | Required |The API version to use for this operation. This follows the YYYY-MM-DD format. | +| ```api-version``` | string | Required |The API version to use for this operation. This follows the YYYY-MM-DD or YYYY-MM-DD-preview format. | **Supported versions** curl https://YOUR_RESOURCE_NAME.openai.azure.com/openai/deployments/YOUR_DEPLOYM #### Example response ```console-{"id":"chatcmpl-6v7mkQj980V1yBec6ETrKPRqFjNw9", -"object":"chat.completion","created":1679072642, -"model":"gpt-35-turbo", -"usage":{"prompt_tokens":58, -"completion_tokens":68, -"total_tokens":126}, -"choices":[{"message":{"role":"assistant", -"content":"Yes, other Azure AI services also support customer managed keys. Azure AI services offer multiple options for customers to manage keys, such as using Azure Key Vault, customer-managed keys in Azure Key Vault or customer-managed keys through Azure Storage service. This helps customers ensure that their data is secure and access to their services is controlled."},"finish_reason":"stop","index":0}]} +{ + "id": "chatcmpl-6v7mkQj980V1yBec6ETrKPRqFjNw9", + "object": "chat.completion", + "created": 1679072642, + "model": "gpt-35-turbo", + "usage": + { + "prompt_tokens": 58, + "completion_tokens": 68, + "total_tokens": 126 + }, + "choices": + [ + { + "message": + { + "role": "assistant", + "content": "Yes, other Azure AI services also support customer managed keys. + Azure AI services offer multiple options for customers to manage keys, such as + using Azure Key Vault, customer-managed keys in Azure Key Vault or + customer-managed keys through Azure Storage service. This helps customers ensure + that their data is secure and access to their services is controlled." + }, + "finish_reason": "stop", + "index": 0 + } + ] +} ```+Output formatting adjusted for ease of reading, actual output is a single block of text without line breaks. In the example response, `finish_reason` equals `stop`. If `finish_reason` equals `content_filter` consult our [content filtering guide](./concepts/content-filter.md) to understand why this is occurring. -Output formatting adjusted for ease of reading, actual output is a single block of text without line breaks. - > [!IMPORTANT] > The `functions` and `function_call` parameters have been deprecated with the release of the [`2023-12-01-preview`](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-12-01-preview/inference.json) version of the API. The replacement for `functions` is the `tools` parameter. The replacement for `function_call` is the `tool_choice` parameter. Parallel function calling which was introduced as part of the [`2023-12-01-preview`](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-12-01-preview/inference.json) is only supported with `gpt-35-turbo` (1106) and `gpt-4` (1106-preview) also known as GPT-4 Turbo Preview. | Parameter | Type | Required? | Default | Description | |--|--|--|--|--| | ```messages``` | array | Required | | The collection of context messages associated with this chat completions request. Typical usage begins with a [chat message](#chatmessage) for the System role that provides instructions for the behavior of the assistant, followed by alternating messages between the User and Assistant roles.|-| ```temperature```| number | Optional | 1 | What sampling temperature to use, between 0 and 2. Higher values like 0.8 will make the output more random, while lower values like 0.2 will make it more focused and deterministic.\nWe generally recommend altering this or `top_p` but not both. | +| ```temperature```| number | Optional | 1 | What sampling temperature to use, between 0 and 2. Higher values like 0.8 will make the output more random, while lower values like 0.2 will make it more focused and deterministic. We generally recommend altering this or `top_p` but not both. | | ```n``` | integer | Optional | 1 | How many chat completion choices to generate for each input message. | | ```stream``` | boolean | Optional | false | If set, partial message deltas will be sent, like in ChatGPT. Tokens will be sent as data-only server-sent events as they become available, with the stream terminated by a `data: [DONE]` message." | | ```stop``` | string or array | Optional | null | Up to 4 sequences where the API will stop generating further tokens.| |
ai-studio | Prompt Flow Tools Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/how-to/prompt-flow-tools/prompt-flow-tools-overview.md | -The following table provides an index of tools in prompt flow. If existing tools don't meet your requirements, you can [develop your own custom tool and make a tool package](https://microsoft.github.io/promptflow/how-to-guides/develop-a-tool/create-and-use-tool-package.html). +The following table provides an index of tools in prompt flow. | Tool name | Description | Environment | Package name | ||--|-|--| The following table provides an index of tools in prompt flow. If existing tools To discover more custom tools developed by the open-source community, see [More custom tools](https://microsoft.github.io/promptflow/integrations/tools/https://docsupdatetracker.net/index.html). +## Remarks +- If existing tools don't meet your requirements, you can [develop your own custom tool and make a tool package](https://microsoft.github.io/promptflow/how-to-guides/develop-a-tool/create-and-use-tool-package.html). +- To install the custom tools, if you are using the automatic runtime, you can readily install the package by adding the custom tool package name into the `requirements.txt` file in the flow folder. Then select the **Save and install** button to start installation. After completion, you can see the custom tools displayed in the tool list. To learn more, see [How to create and manage a runtime](../create-manage-runtime.md). + ## Next steps - [Create a flow](../flow-develop.md) |
aks | Use Azure Ad Pod Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/use-azure-ad-pod-identity.md | Microsoft Entra pod-managed identities use Kubernetes primitives to associate [m > Kubernetes native capabilities to federate with any external identity providers on behalf of the > application. >-> The open source Microsoft Entra pod-managed identity (preview) in Azure Kubernetes Service was deprecated on 10/24/2022, and the project archived in Sept. 2023. For more information, see the [deprecation notice](https://github.com/Azure/aad-pod-identity#-announcement). The AKS Managed add-on was deprecated in Sept. 2024. +> The open source Microsoft Entra pod-managed identity (preview) in Azure Kubernetes Service was deprecated on 10/24/2022, and the project archived in Sept. 2023. For more information, see the [deprecation notice](https://github.com/Azure/aad-pod-identity#-announcement). The AKS Managed add-on begins deprecation in Sept. 2024. > > To disable the AKS Managed add-on, use the following command: `az feature unregister --namespace "Microsoft.ContainerService" --name "EnablePodIdentityPreview"`. |
aks | Use Managed Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/use-managed-identity.md | Azure Kubernetes Service (AKS) clusters require an identity to access Azure reso AKS doesn't automatically create a [service principal](kubernetes-service-principal.md), so you have to create one. Clusters that use a service principal eventually expire, and the service principal must be renewed to avoid impacting cluster authentication with the identity. Managing service principals adds complexity, so it's easier to use managed identities instead. The same permission requirements apply for both service principals and managed identities. Managed identities use certificate-based authentication. Each managed identity's credentials have an expiration of *90 days* and are rolled after *45 days*. AKS uses both system-assigned and user-assigned managed identity types, and these identities are immutable. > [!IMPORTANT]-> The open source [Microsoft Entra pod-managed identity][entra-id-pod-managed-identity] (preview) in Azure Kubernetes Service was deprecated on 10/24/2022, and the project archived in Sept. 2023. For more information, see the [deprecation notice](https://github.com/Azure/aad-pod-identity#-announcement). The AKS Managed add-on was deprecated in Sept. 2024. +> The open source [Microsoft Entra pod-managed identity][entra-id-pod-managed-identity] (preview) in Azure Kubernetes Service was deprecated on 10/24/2022, and the project archived in Sept. 2023. For more information, see the [deprecation notice](https://github.com/Azure/aad-pod-identity#-announcement). The AKS Managed add-on begins deprecation in Sept. 2024. > > We recommend you first review [Microsoft Entra Workload ID][workload-identity-overview] overview. This authentication method replaces Microsoft Entra pod-managed identity (preview) and is the recommended method. |
api-management | Rate Limit Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/rate-limit-policy.md | To understand the difference between rate limits and quotas, [see Rate limits an remaining-calls-header-name="header name" remaining-calls-variable-name="policy expression variable name" total-calls-header-name="header name">- <api name="API name" id="API id" calls="number" renewal-period="seconds" /> + <api name="API name" id="API id" calls="number" renewal-period="seconds" > <operation name="operation name" id="operation id" calls="number" renewal-period="seconds" /> </api> </rate-limit> |
api-management | Validate Client Certificate Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/validate-client-certificate-policy.md | For more information about custom CA certificates and certificate authorities, s validate-not-after="true | false" ignore-error="true | false"> <identities>- <identityΓÇ» + <identity thumbprint="certificate thumbprint" serial-number="certificate serial number" common-name="certificate common name" For more information about custom CA certificates and certificate authorities, s dns-name="certificate DNS name" issuer-subject="certificate issuer" issuer-thumbprint="certificate issuer thumbprint"- issuer-certificate-id="certificate identifier"ΓÇ»/> + issuer-certificate-id="certificate identifier"/> </identities> </validate-client-certificate> ``` The following example validates a client certificate to match the policy's defau * [API Management access restriction policies](api-management-access-restriction-policies.md) |
api-management | Validate Content Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/validate-content-policy.md | The policy validates the following content in the request or response against th ## Policy statement ```xml-<validate-content unspecified-content-type-action="ignore | prevent | detect" max-size="size in bytes" size-exceeded-action="ignore | prevent | detect" errors-variable-name="variable name"> +<validate-content unspecified-content-type-action="ignore | prevent | detect" max-size="size in bytes" size-exceeded-action="ignore | prevent | detect" errors-variable-name="variable name"> <content-type-map any-content-type-value="content type string" missing-content-type-value="content type string"> <type from | when="content type string" to="content type string" /> </content-type-map>- <content type="content type string" validate-as="json | xml | soap" schema-id="schema id" schema-ref="#/local/reference/path" action="ignore | prevent | detect" allow-additional-properties="true | false" /> + <content type="content type string" validate-as="json | xml | soap" schema-id="schema id" schema-ref="#/local/reference/path" action="ignore | prevent | detect" allow-additional-properties="true | false" /> </validate-content> ``` |
app-service | Configure Basic Auth Disable | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/configure-basic-auth-disable.md | Title: Disable basic authentication for deployment description: Learn how to secure App Service deployment by disabling basic authentication. keywords: azure app service, security, deployment, FTP, MsDeploy Previously updated : 11/05/2023 Last updated : 01/26/2024 -App Service provides basic authentication for FTP and WebDeploy clients to connect to it by using [deployment credentials](deploy-configure-credentials.md). These APIs are great for browsing your site’s file system, uploading drivers and utilities, and deploying with MsBuild. However, enterprises often require more secure deployment methods than basic authentication, such as [Microsoft Entra ID](/entr)). Entra ID uses OAuth 2.0 token-based authorization and has many benefits and improvements that help mitigate the issues in basic authentication. For example, OAuth access tokens have a limited usable lifetime, and are specific to the applications and resources for which they're issued, so they can't be reused. Entra ID also lets you deploy from other Azure services using managed identities. +App Service provides basic authentication for FTP and WebDeploy clients to connect to it by using [deployment credentials](deploy-configure-credentials.md). These APIs are great for browsing your site’s file system, uploading drivers and utilities, and deploying with MsBuild. However, enterprises often require more secure deployment methods than basic authentication, such as [Microsoft Entra ID](/entr)). Microsoft Entra uses OAuth 2.0 token-based authorization and has many benefits and improvements that help mitigate the issues in basic authentication. For example, OAuth access tokens have a limited usable lifetime, and are specific to the applications and resources for which they're issued, so they can't be reused. Microsoft Entra also lets you deploy from other Azure services using managed identities. ## Disable basic authentication To confirm that Git access is blocked, try [local Git deployment](deploy-local-g ## Deployment without basic authentication -When you disable basic authentication, deployment methods based on basic authentication stop working, such as FTP and local Git deployment. For alternate deployment methods, see [Authentication types by deployment methods in Azure App Service](deploy-authentication-types.md). --<!-- Azure Pipelines with App Service deploy task (manual config) need the newer version hosted agent that supports vs2022. -OIDC GitHub actions --> +When you disable basic authentication, deployment methods that depend on basic authentication stop working. The following table shows how various deployment methods behave when basic authentication is disabled, and if there's any fallback mechanism. For more information, see [Authentication types by deployment methods in Azure App Service](deploy-authentication-types.md). ++| Deployment method | When basic authentication is disabled | +|-|-| +| Visual Studio deployment | Doesn't work. | +| [FTP](deploy-ftp.md) | Doesn't work. | +| [Local Git](deploy-local-git.md) | Doesn't work. | +| Azure CLI | In Azure CLI 2.48.1 or higher, the following commands fall back to Microsoft Entra authentication:<br/>- [az webapp up](/cli/azure/webapp#az-webapp-up)<br/>- [az webapp deploy](/cli/azure/webapp#az-webapp-deploy)<br/>- [az webapp deployment source config-zip](/cli/azure/webapp/deployment/source#az-webapp-deployment-source-config-zip)<br/>- [az webapp log deployment show](/cli/azure/webapp/log/deployment#az-webapp-log-deployment-show)<br/>- [az webapp log deployment list](/cli/azure/webapp/log/deployment#az-webapp-log-deployment-list)<br/>- [az webapp log download](/cli/azure/webapp/log#az-webapp-log-download)<br/>- [az webapp log tail](/cli/azure/webapp/log#az-webapp-log-tail)<br/>- [az webapp browse](/cli/azure/webapp#az-webapp-browse)<br/>- [az webapp create-remote-connection](/cli/azure/webapp#az-webapp-create-remote-connection)<br/>- [az webapp ssh](/cli/azure/webapp#az-webapp-ssh)<br/>- [az functionapp deploy](/cli/azure/functionapp#az-functionapp-deploy)<br/>- [az functionapp log deployment list](/cli/azure/functionapp/log/deployment#az-functionapp-log-deployment-list)<br/>- [az functionapp log deployment show](/cli/azure/functionapp/log/deployment#az-functionapp-log-deployment-show)<br/>- [az functionapp deployment source config-zip](/cli/azure/functionapp/deployment/source#az-functionapp-deployment-source-config-zip) | +| [Maven plugin](https://github.com/microsoft/azure-maven-plugins) or [Gradle plugin](https://github.com/microsoft/azure-gradle-plugins) | Works. | +| [GitHub with App Service Build Service](deploy-continuous-deployment.md?tabs=github) | Doesn't work. | +| [GitHub Actions](deploy-continuous-deployment.md?tabs=github) | - An existing GitHub Actions workflow that uses **basic authentication** can't authenticate. In the Deployment Center, disconnect the existing GitHub configuration and create a new GitHub Actions configuration with the **user-assigned identity** option instead. <br/> - If the existing GitHub Actions deployment is [manually configured](deploy-github-actions.md), try using a service principal or OpenID Connect instead. <br/> - For new GitHub Actions configuration in the Deployment Center, use the **user-assigned identity** option. | +| Deployment in [create wizard](https://portal.azure.com/#create/Microsoft.WebSite) | When **Basic authentication** is set to **Disable** and **Continuous deployment** set to **Enable**, GitHub Actions is configured with the **user-assigned identity** option (OpenID Connect). | +| [Azure Repos with App Service Build Service](deploy-continuous-deployment.md?tabs=github) | Doesn't work. | +| [BitBucket](deploy-continuous-deployment.md?tabs=bitbucket) | Doesn't work. | +| [Azure Pipelines](deploy-azure-pipelines.md) with [AzureWebApp](/azure/devops/pipelines/tasks/reference/azure-web-app-v1) task | Works. | +| [Azure Pipelines](deploy-azure-pipelines.md) with [AzureRmWebAppDeployment](/azure/devops/pipelines/tasks/deploy/azure-rm-web-app-deployment) task | - Use the latest AzureRmWebAppDeployment task to get fallback behavior. <br/> - The **Publish Profile (`PublishProfile`)** connection type doesn't work, because it uses basic authentication. Change the connection type to **Azure Resource Manager (`AzureRM`)**. <br/> - On non-Windows Pipelines agents, authentication works. <br/> - On Windows agents, the [deployment method used by the task](/azure/devops/pipelines/tasks/reference/azure-rm-web-app-deployment-v4#deployment-methods) might need to be modified. When Web Deploy is used (`DeploymentType: 'webDeploy'`) and basic authentication is disabled, the task authenticates with a Microsoft Entra token. There are additional requirements if you're not using the `windows-latest` agent or if you're using a self-hosted agent. For more information, see [I can't Web Deploy to my Azure App Service using Microsoft Entra authentication from my Windows agent](/azure/devops/pipelines/tasks/reference/azure-rm-web-app-deployment-v4#i-cant-web-deploy-to-my-azure-app-service-using-microsoft-entra-id-authentication-from-my-windows-agent).<br/> - Other deployment methods work, such as **zip deploy** or **run from package**. | ## Create a custom role with no permissions for basic authentication The following are corresponding policies for slots: - [Remediation policy for FTP](https://ms.portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff493116f-3b7f-4ab3-bf80-0c2af35e46c2) - [Remediation policy for SCM](https://ms.portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2c034a29-2a5f-4857-b120-f800fe5549ae) +## Frequently asked questions ++#### Why do I get a warning in Visual Studio saying that basic authentication is disabled? ++Visual Studio requires basic authentication to deploy to Azure App Service. The warning reminds you that the configuration on your app changed and you can no longer deploy to it. Either you disabled basic authentication on the app yourself, or your organization policy enforces that basic authentication is disabled for App Service apps. |
app-service | Deploy Authentication Types | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/deploy-authentication-types.md | Title: Authentication types by deployment methods description: Learn the available types of authentication with Azure App Service when deploying your application code. Previously updated : 07/31/2023 Last updated : 01/26/2024 Azure App Service lets you deploy your web application code and configuration by |Deployment method|Authentication  |Reference Documents | |:-|:-|:-|-|Azure CLI |Microsoft Entra authentication | In Azure CLI, version 2.48.1 or higher, the following commands have been modified to use Microsoft Entra authentication if basic authentication is turned off for your web app or function app:<br/>- [az webapp up](/cli/azure/webapp#az-webapp-up)<br/>- [az webapp deploy](/cli/azure/webapp#az-webapp-deploy)<br/>- [az webapp deployment source config-zip](/cli/azure/webapp/deployment/source#az-webapp-deployment-source-config-zip)<br/>- [az webapp log deployment show](/cli/azure/webapp/log/deployment#az-webapp-log-deployment-show)<br/>- [az webapp log deployment list](/cli/azure/webapp/log/deployment#az-webapp-log-deployment-list)<br/>- [az webapp log download](/cli/azure/webapp/log#az-webapp-log-download)<br/>- [az webapp log tail](/cli/azure/webapp/log#az-webapp-log-tail)<br/>- [az webapp browse](/cli/azure/webapp#az-webapp-browse)<br/>- [az webapp create-remote-connection](/cli/azure/webapp#az-webapp-create-remote-connection)<br/>- [az webapp ssh](/cli/azure/webapp#az-webapp-ssh)<br/>- [az functionapp deploy](/cli/azure/functionapp#az-functionapp-deploy)<br/>- [az functionapp log deployment list](/cli/azure/functionapp/log/deployment#az-functionapp-log-deployment-list)<br/>- [az functionapp log deployment show](/cli/azure/functionapp/log/deployment#az-functionapp-log-deployment-show)<br/>- [az functionapp deployment source config-zip](/cli/azure/functionapp/deployment/source#az-functionapp-deployment-source-config-zip)<br/>For more information, see [az appservice](/cli/azure/appservice) and [az webapp](/cli/azure/webapp). | -|Azure PowerShell |Microsoft Entra authentication | In Azure PowerShell, version 9.7.1 or above, Microsoft Entra authentication is available for App Service. For more information, see [PowerShell samples for Azure App Service](samples-powershell.md). | -|SCM/Kudu/OneDeploy REST endpoint |Basic authentication, Microsoft Entra authentication |[Deploy files to App Service](deploy-zip.md) | -|Kudu UI |Basic authentication, Microsoft Entra authentication |[Deploy files to App Service](deploy-zip.md)| +|Azure CLI |Microsoft Entra ID | In Azure CLI, version 2.48.1 or higher, the following commands have been modified to use Microsoft Entra if basic authentication is turned off for your web app or function app:<br/>- [az webapp up](/cli/azure/webapp#az-webapp-up)<br/>- [az webapp deploy](/cli/azure/webapp#az-webapp-deploy)<br/>- [az webapp deployment source config-zip](/cli/azure/webapp/deployment/source#az-webapp-deployment-source-config-zip)<br/>- [az webapp log deployment show](/cli/azure/webapp/log/deployment#az-webapp-log-deployment-show)<br/>- [az webapp log deployment list](/cli/azure/webapp/log/deployment#az-webapp-log-deployment-list)<br/>- [az webapp log download](/cli/azure/webapp/log#az-webapp-log-download)<br/>- [az webapp log tail](/cli/azure/webapp/log#az-webapp-log-tail)<br/>- [az webapp browse](/cli/azure/webapp#az-webapp-browse)<br/>- [az webapp create-remote-connection](/cli/azure/webapp#az-webapp-create-remote-connection)<br/>- [az webapp ssh](/cli/azure/webapp#az-webapp-ssh)<br/>- [az functionapp deploy](/cli/azure/functionapp#az-functionapp-deploy)<br/>- [az functionapp log deployment list](/cli/azure/functionapp/log/deployment#az-functionapp-log-deployment-list)<br/>- [az functionapp log deployment show](/cli/azure/functionapp/log/deployment#az-functionapp-log-deployment-show)<br/>- [az functionapp deployment source config-zip](/cli/azure/functionapp/deployment/source#az-functionapp-deployment-source-config-zip)<br/>For more information, see [az appservice](/cli/azure/appservice) and [az webapp](/cli/azure/webapp). | +|Azure PowerShell |Microsoft Entra | In Azure PowerShell, version 9.7.1 or above, Microsoft Entra is available for App Service. For more information, see [PowerShell samples for Azure App Service](samples-powershell.md). | +|SCM/Kudu/OneDeploy REST endpoint |Basic authentication<br/>Microsoft Entra |[Deploy files to App Service](deploy-zip.md) | +|Kudu UI |Basic authentication<br/>Microsoft Entra |[Deploy files to App Service](deploy-zip.md)| |FTP\FTPS |Basic authentication |[Deploy your app to Azure App Service using FTP/S](deploy-ftp.md) | |Visual Studio |Basic authentication  |[Quickstart: Deploy an ASP.NET web app](quickstart-dotnetcore.md)<br/>[Develop and deploy WebJobs using Visual Studio](webjobs-dotnet-deploy-vs.md)<br/>[Troubleshoot an app in Azure App Service using Visual Studio](troubleshoot-dotnet-visual-studio.md)<br/>[GitHub Actions integration in Visual Studio](/visualstudio/azure/overview-github-actions)<br/>[Deploy your application to Azure using GitHub Actions workflows created by Visual Studio](/visualstudio/deployment/azure-deployment-using-github-actions) |-|Visual Studio Code|Microsoft Entra authentication |[Quickstart: Deploy an ASP.NET web app](quickstart-dotnetcore.md)<br/> [Working with GitHub in VS Code](https://code.visualstudio.com/docs/sourcecontrol/github) | -|GitHub with GitHub Actions |Publish profile, service principal, OpenID Connect |[Deploy to App Service using GitHub Actions](deploy-github-actions.md) | -|GitHub with App Service build service as build engine|Publish profile |[Continuous deployment to Azure App Service](deploy-continuous-deployment.md) | -|GitHub with Azure Pipelines as build engine|Publish profile, Azure DevOps service connection |[Deploy to App Service using Azure Pipelines](deploy-azure-pipelines.md) | -|Azure Repos with App Service build service as build engine|Publish profile |[Continuous deployment to Azure App Service](deploy-continuous-deployment.md) | -|Azure Repos with Azure Pipelines as build engine |Publish profile, Azure DevOps service connection |[Deploy to App Service using GitHub Actions](deploy-github-actions.md) | -|Bitbucket |Publish profile |[Continuous deployment to Azure App Service](deploy-continuous-deployment.md) | -|Local Git |Publish profile |[Local Git deployment to Azure App Service](deploy-local-git.md) | -|External Git repository|Publish profile |[Setting up continuous deployment using manual steps](https://github.com/projectkudu/kudu/wiki/Continuous-deployment#setting-up-continuous-deployment-using-manual-steps) | -|Run directly from an uploaded ZIP file |Microsoft Entra authentication |[Run your app in Azure App Service directly from a ZIP package](deploy-run-package.md) | -|Run directly from external URL |Storage account key, managed identity |[Run from external URL instead](deploy-run-package.md#run-from-external-url-instead) | -|Azure Web app plugin for Maven (Java) |Microsoft Entra authentication |[Quickstart: Create a Java app on Azure App Service](quickstart-java.md)| -|Azure WebApp Plugin for Gradle (Java) |Microsoft Entra authentication |[Configure a Java app for Azure App Service](configure-language-java.md)| -|Webhooks |Publish profile |[Web hooks](https://github.com/projectkudu/kudu/wiki/Web-hooks) | +|Visual Studio Code|Microsoft Entra |[Quickstart: Deploy an ASP.NET web app](quickstart-dotnetcore.md)<br/> [Working with GitHub in VS Code](https://code.visualstudio.com/docs/sourcecontrol/github) | +|GitHub with GitHub Actions |Publish profile (basic authentication)<br/>Service principal (Microsoft Entra)<br/>OpenID Connect (Microsoft Entra) |[Deploy to App Service using GitHub Actions](deploy-github-actions.md) | +|GitHub with App Service build service as build engine| Basic authentication|[Continuous deployment to Azure App Service](deploy-continuous-deployment.md) | +|GitHub with Azure Pipelines as build engine|Publish profile (basic authentication)<br/>Azure DevOps service connection |[Deploy to App Service using Azure Pipelines](deploy-azure-pipelines.md) | +|Azure Repos with App Service build service as build engine| Basic authentication |[Continuous deployment to Azure App Service](deploy-continuous-deployment.md) | +|Azure Repos with Azure Pipelines as build engine |Publish profile (basic authentication)<br/>Azure DevOps service connection |[Deploy to App Service using GitHub Actions](deploy-github-actions.md) | +|Bitbucket | Basic authentication |[Continuous deployment to Azure App Service](deploy-continuous-deployment.md) | +|Local Git | Basic authentication |[Local Git deployment to Azure App Service](deploy-local-git.md) | +|External Git repository| Basic authentication |[Setting up continuous deployment using manual steps](https://github.com/projectkudu/kudu/wiki/Continuous-deployment#setting-up-continuous-deployment-using-manual-steps) | +|Run directly from an uploaded ZIP file |Microsoft Entra |[Run your app in Azure App Service directly from a ZIP package](deploy-run-package.md) | +|Run directly from external URL |Not applicable (outbound connection) |[Run from external URL instead](deploy-run-package.md#run-from-external-url-instead) | +|Azure Web app plugin for Maven (Java) |Microsoft Entra |[Quickstart: Create a Java app on Azure App Service](quickstart-java.md)| +|Azure WebApp Plugin for Gradle (Java) |Microsoft Entra |[Configure a Java app for Azure App Service](configure-language-java.md)| +|Webhooks | Basic authentication |[Web hooks](https://github.com/projectkudu/kudu/wiki/Web-hooks) | |App Service migration assistant |Basic authentication |[Azure App Service migration tools](https://azure.microsoft.com/products/app-service/migration-tools/) | |App Service migration assistant for PowerShell scripts |Basic authentication |[Azure App Service migration tools](https://azure.microsoft.com/products/app-service/migration-tools/) |-|Azure Migrate App Service discovery/assessment/migration |Microsoft Entra authentication |[Tutorial: Assess ASP.NET web apps for migration to Azure App Service](../migrate/tutorial-assess-webapps.md)<br/>[Modernize ASP.NET web apps to Azure App Service code](../migrate/tutorial-modernize-asp-net-appservice-code.md) | +|Azure Migrate App Service discovery/assessment/migration |Microsoft Entra |[Tutorial: Assess ASP.NET web apps for migration to Azure App Service](../migrate/tutorial-assess-webapps.md)<br/>[Modernize ASP.NET web apps to Azure App Service code](../migrate/tutorial-modernize-asp-net-appservice-code.md) | |
app-service | Deploy Best Practices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/deploy-best-practices.md | Every development team has unique requirements that can make implementing an eff ### Deployment Source -A deployment source is the location of your application code. For production apps, the deployment source is usually a repository hosted by version control software such as [GitHub, BitBucket, or Azure Repos](deploy-continuous-deployment.md). For development and test scenarios, the deployment source may be [a project on your local machine](deploy-local-git.md). App Service also supports [OneDrive and Dropbox folders](deploy-content-sync.md) as deployment sources. While cloud folders can make it easy to get started with App Service, it's not typically recommended to use this source for enterprise-level production applications. +A deployment source is the location of your application code. For production apps, the deployment source is usually a repository hosted by version control software such as [GitHub, BitBucket, or Azure Repos](deploy-continuous-deployment.md). For development and test scenarios, the deployment source may be [a project on your local machine](deploy-local-git.md). ### Build Pipeline |
app-service | Deploy Configure Credentials | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/deploy-configure-credentials.md | Title: Configure deployment credentials description: Learn what types of deployment credentials are in Azure App Service and how to configure and use them. Previously updated : 02/11/2021 Last updated : 01/26/2024 and [FTP/S deployment](deploy-ftp.md). These credentials are not the same as you [!INCLUDE [app-service-deploy-credentials](../../includes/app-service-deploy-credentials.md)] > [!NOTE]-> The **Development Center (Classic)** page in the Azure portal, which is the old deployment experience, will be deprecated in March, 2021. This change will not affect any existing deployment settings in your app, and you can continue to manage app deployment in the **Deployment Center** page. +> When [basic authentication is disabled](configure-basic-auth-disable.md), you can't view or configure deployment credentials in the Deployment Center. ## <a name="userscope"></a>Configure user-scope credentials |
app-service | Deploy Content Sync | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/deploy-content-sync.md | - Title: Sync content from a cloud folder -description: Learn how to deploy your app to Azure App Service via content sync from a cloud folder, including OneDrive or Dropbox. - Previously updated : 02/25/2021-------# Sync content from a cloud folder to Azure App Service -This article shows you how to sync your content to [Azure App Service](./overview.md) from Dropbox and OneDrive. --With the content sync approach, your work with your app code and content in a designated cloud folder to make sure it's in a ready-to-deploy state, and then sync to App Service with the click of a button. --Because of underlying differences in the APIs, **OneDrive for Business** is not supported at this time. --> [!NOTE] -> The **Development Center (Classic)** page in the Azure portal, which is the old deployment experience, will be deprecated in March, 2021. This change will not affect any existing deployment settings in your app, and you can continue to manage app deployment in the **Deployment Center** page. --## Enable content sync deployment --1. In the [Azure portal](https://portal.azure.com), navigate to the management page for your App Service app. --1. From the left menu, click **Deployment Center** > **Settings**. --1. In **Source**, select **OneDrive** or **Dropbox**. --1. Click **Authorize** and follow the authorization prompts. -- ![Shows how to authorize OneDrive or Dropbox in the Deployment Center in the Azure portal.](media/app-service-deploy-content-sync/choose-source.png) -- You only need to authorize with OneDrive or Dropbox once for your Azure account. To authorize a different OneDrive or Dropbox account for an app, click **Change account**. --1. In **Folder**, select the folder to synchronize. This folder is created under the following designated content path in OneDrive or Dropbox. - - * **OneDrive**: `Apps\Azure Web Apps` - * **Dropbox**: `Apps\Azure` - -1. Click **Save**. --## Synchronize content --# [Azure portal](#tab/portal) --1. In the [Azure portal](https://portal.azure.com), navigate to the management page for your App Service app. --1. From the left menu, click **Deployment Center** > **Redeploy/Sync**. -- ![Shows how to sync your cloud folder with App Service.](media/app-service-deploy-content-sync/synchronize.png) - -1. Click **OK** to confirm the sync. --# [Azure CLI](#tab/cli) --Start a sync by running the following command and replacing \<group-name> and \<app-name>: --```azurecli-interactive -az webapp deployment source sync --resource-group <group-name> --name <app-name> -``` --# [Azure PowerShell](#tab/powershell) --Start a sync by running the following command and replacing \<group-name> and \<app-name>: --```azurepowershell-interactive -Invoke-AzureRmResourceAction -ResourceGroupName <group-name> -ResourceType Microsoft.Web/sites -ResourceName <app-name> -Action sync -ApiVersion 2019-08-01 -Force ΓÇôVerbose -``` ---## Disable content sync deployment --1. In the [Azure portal](https://portal.azure.com), navigate to the management page for your App Service app. --1. From the left menu, click **Deployment Center** > **Settings** > **Disconnect**. -- ![Shows how to disconnect your cloud folder sync with your App Service app in the Azure portal.](media/app-service-deploy-content-sync/disable.png) ---## OneDrive and Dropbox integration retirements --On September 30th, 2023 the integrations for Microsoft OneDrive and Dropbox for Azure App Service and Azure Functions will be retired. If you are using OneDrive or Dropbox, you should [disable content sync deployments](#disable-content-sync-deployment) from OneDrive and Dropbox. Then, you can set up deployments from any of the following alternatives --- [GitHub Actions](deploy-github-actions.md)-- [Azure DevOps Pipelines](/azure/devops/pipelines/targets/webapp)-- [Azure CLI](./deploy-zip.md?tabs=cli)-- [VS Code](./deploy-zip.md?tabs=cli)-- [Local Git Repository](./deploy-local-git.md?tabs=cli)--## Next steps --> [!div class="nextstepaction"] -> [Deploy from local Git repo](deploy-local-git.md) |
app-service | Deploy Continuous Deployment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/deploy-continuous-deployment.md | Title: Configure continuous deployment description: Learn how to enable CI/CD to Azure App Service from GitHub, Bitbucket, Azure Repos, or other repos. Select the build pipeline that fits your needs. ms.assetid: 6adb5c84-6cf3-424e-a336-c554f23b4000 Previously updated : 12/12/2023 Last updated : 01/26/2024 -> [!NOTE] -> The **Development Center (Classic)** page in the Azure portal, an earlier version of the deployment functionality, was deprecated in March 2021. This change doesn't affect existing deployment settings in your app, and you can continue to manage app deployment from the **Deployment Center** page in the portal. - [!INCLUDE [Prepare repository](../../includes/app-service-deploy-prepare-repo.md)] ## Configure the deployment source Select the tab that corresponds to your build provider to continue. # [GitHub](#tab/github) -4. [GitHub Actions](#how-does-the-github-actions-build-provider-work) is the default build provider. To change the provider, select **Change provider** > **App Service Build Service** (Kudu) > **OK**. -- > [!NOTE] - > To use Azure Pipelines as the build provider for your App Service app, configure CI/CD directly from Azure Pipelines. Don't configure it in App Service. The **Azure Pipelines** option just points you in the right direction. +4. [GitHub Actions](?tabs=githubactions#what-are-the-build-providers) is the default build provider. To change the provider, select **Change provider** > **App Service Build Service** > **OK**. 1. If you're deploying from GitHub for the first time, select **Authorize** and follow the authorization prompts. If you want to deploy from a different user's repository, select **Change Account**. -1. After you authorize your Azure account with GitHub, select the **Organization**, **Repository**, and **Branch** to configure CI/CD for. +1. After you authorize your Azure account with GitHub, select the **Organization**, **Repository**, and **Branch** you want. If you canΓÇÖt find an organization or repository, you might need to enable more permissions on GitHub. For more information, see [Managing access to your organization's repositories](https://docs.github.com/organizations/managing-access-to-your-organizations-repositories). -1. (Preview) Under **Authentication type**, select **User-assigned identity** for better security. For more information, see [frequently asked questions](). --1. When **GitHub Actions** is selected as the build provider, you can select the workflow file you want by using the **Runtime stack** and **Version** dropdown lists. Azure commits this workflow file into your selected GitHub repository to handle build and deploy tasks. To see the file before saving your changes, select **Preview file**. +1. Under **Authentication type**, select **User-assigned identity** for better security. For more information, see [frequently asked questions](#frequently-asked-questions). > [!NOTE]- > App Service detects the [language stack setting](configure-common.md#configure-language-stack-settings) of your app and selects the most appropriate workflow template. If you choose a different template, it might deploy an app that doesn't run properly. For more information, see [How the GitHub Actions build provider works](#how-does-the-github-actions-build-provider-work). + > If your Azure account has the [required permissions](#why-do-i-see-the-error-you-do-not-have-sufficient-permissions-on-this-app-to-assign-role-based-access-to-a-managed-identity-and-configure-federated-credentials) for the **User-assigned identity** option, Azure creates a [user-assigned managed identity](#what-does-the-user-assigned-identity-option-do-for-github-actions) for you. If you don't, work with your Azure administrator to create an [identity with the required role on your app](#why-do-i-see-the-error-this-identity-does-not-have-write-permissions-on-this-app-please-select-a-different-identity-or-work-with-your-admin-to-grant-the-website-contributor-role-to-your-identity-on-this-app), then select it here in the dropdown. ++1. (Optional) To see the file before saving your changes, select **Preview file**. App Service selects a workflow template based on the [language stack setting](configure-common.md#configure-language-stack-settings) of your app and commits it into your selected GitHub repository. 1. Select **Save**. Select the tab that corresponds to your build provider to continue. # [Bitbucket](#tab/bitbucket) -The Bitbucket integration uses the App Service Build Services (Kudu) for build automation. +The Bitbucket integration uses the App Service Build Services for build automation. 4. If you're deploying from Bitbucket for the first time, select **Authorize** and follow the authorization prompts. If you want to deploy from a different user's repository, select **Change Account**. The Bitbucket integration uses the App Service Build Services (Kudu) for build a 1. Select **Save**. New commits in the selected repository and branch now deploy continuously into your App Service app. You can track the commits and deployments on the **Logs** tab.- + # [Local Git](#tab/local) See [Local Git deployment to Azure App Service](deploy-local-git.md). # [Azure Repos](#tab/repos)- - > [!NOTE] - > Azure Repos is supported as a deployment source for Windows apps. - > -4. App Service Build Service (Kudu) is the default build provider. +4. App Service Build Service is the default build provider. > [!NOTE]- > To use Azure Pipelines as the build provider for your App Service app, configure CI/CD directly from Azure Pipelines. Don't configure it in App Service. The **Azure Pipelines** option just points you in the right direction. + > To use Azure Pipelines as the build provider for your App Service app, configure it directly from Azure Pipelines. Don't configure it in App Service. The **Azure Pipelines** option just points you in the right direction. 1. Select the **Azure DevOps Organization**, **Project**, **Repository**, and **Branch** you want to deploy continuously. If your DevOps organization isn't listed, it's not yet linked to your Azure subscription. For more information, see [Create an Azure service connection](/azure/devops/pipelines/library/connect-to-azure). +# [Other repositories](#tab/others) ++For Windows apps, you can manually configure continuous deployment from a cloud Git or Mercurial repository that the portal doesn't directly support, like [GitLab](https://gitlab.com/). You do that by selecting **External Git** in the **Source** dropdown list. For more information, see [Set up continuous deployment using manual steps](https://github.com/projectkudu/kudu/wiki/Continuous-deployment#setting-up-continuous-deployment-using-manual-steps). + -- ## Disable continuous deployment See [Local Git deployment to Azure App Service](deploy-local-git.md). 1. Select **OK**. +## What are the build providers? -## Frequently asked questions +Depending on your deployment source in the Deployment Center, you might see a few options to select for build providers. Build providers help you build a CI/CD solution with Azure App Service by automating build, test, and deployment. -- [How does the GitHub Actions build provider work?](#how-does-the-github-actions-build-provider-work)-- [How do I configure continuous deployment without basic authentication?](#how-do-i-configure-continuous-deployment-without-basic-authentication)-- [What does the user-assigned identity option do for GitHub Actions?](#what-does-the-user-assigned-identity-option-do-for-github-actions)-- [I see "You do not have sufficient permissions on this app to assign role-based access to a managed identity and configure federated credentials." when I select the user-assigned identity option with GitHub Actions.](#i-see-you-do-not-have-sufficient-permissions-on-this-app-to-assign-role-based-access-to-a-managed-identity-and-configure-federated-credentials-when-i-select-the-user-assigned-identity-option-with-github-actions)-- [How do I deploy from other repositories](#how-do-i-deploy-from-other-repositories)+You're not limited to the build provider options found in the Deployment Center, but App Service lets you set them up quickly and offers some integrated deployment logging experience. -#### How does the GitHub Actions build provider work? +# [GitHub Actions](#tab/githubactions) -The GitHub Actions build provider is an option for [CI/CD from GitHub](#configure-the-deployment-source). It completes these actions to set up CI/CD: +The GitHub Actions build provider is available only for [GitHub deployment](?tabs=github#configure-the-deployment-source). When configured from the app's Deployment Center, it completes these actions to set up CI/CD: - Deposits a GitHub Actions workflow file into your GitHub repository to handle build and deploy tasks to App Service.-- Adds the publishing profile for your app as a GitHub secret. The workflow file uses this secret to authenticate with App Service.-- Captures information from the [workflow run logs](https://docs.github.com/actions/managing-workflow-runs/using-workflow-run-logs) and displays it on the **Logs** tab in your app's Deployment Center.+- For basic authentication, adds the publish profile for your app as a GitHub secret. The workflow file uses this secret to authenticate with App Service. +- For user-assigned identity, see [What does the user-assigned identity option do for GitHub Actions?](#what-does-the-user-assigned-identity-option-do-for-github-actions) +- Captures information from the [workflow run logs](https://docs.github.com/actions/managing-workflow-runs/using-workflow-run-logs) and displays it on the **Logs** tab in the Deployment Center. You can customize the GitHub Actions build provider in these ways: - Customize the workflow file after it's generated in your GitHub repository. For more information, see [Workflow syntax for GitHub Actions](https://docs.github.com/actions/reference/workflow-syntax-for-github-actions). Just make sure that the workflow deploys to App Service with the [azure/webapps-deploy](https://github.com/Azure/webapps-deploy) action. - If the selected branch is protected, you can still preview the workflow file without saving the configuration and then manually add it into your repository. This method doesn't give you log integration with the Azure portal.-- Instead of using a user-assigned managed identity or the publishing profile, you can also deploy by using a [service principal](deploy-github-actions.md?tabs=userlevel) in Microsoft Entra ID.+- Instead of using basic authentication or a user-assigned identity, you can also deploy by using a [service principal](deploy-github-actions.md?tabs=userlevel) in Microsoft Entra ID. This can't be configured in the portal. ++# [App Service Build Service](#tab/appservice) ++> [!NOTE] +> App Service Build Service requires [basic authentication to be enabled](configure-basic-auth-disable.md) for the webhook to work. For more information, see [Deployment without basic authentication](configure-basic-auth-disable.md#deployment-without-basic-authentication). ++App Service Build Service is the deployment and build engine native to App Service, otherwise known as Kudu. When this option is selected, App Service adds a webhook into the repository you authorized. Any code push to the repository triggers the webhook, and App Service pulls the changes into its repository and performs any deployment tasks. For more information, see [Deploying from GitHub (Kudu)](https://github.com/projectkudu/kudu/wiki/Deploying-from-GitHub). ++Resources: ++* [Investigate common problems with continuous deployment](https://github.com/projectkudu/kudu/wiki/Investigating-continuous-deployment) +* [Project Kudu](https://github.com/projectkudu/kudu/wiki) -#### How do I configure continuous deployment without basic authentication? +# [Azure Pipelines](#tab/pipelines) -To configure continuous deployment [without basic authentication](configure-basic-auth-disable.md), try using GitHub Actions with the **user-assigned identity** option. +Azure Pipelines is part of Azure DevOps. You can configure a pipeline to build, test, and deploy your app to App Service from [any supported source repository](/azure/devops/pipelines/repos). ++To use Azure Pipelines as the build provider, don't configure it in App Service, but [go to Azure DevOps directly](https://go.microsoft.com/fwlink/?linkid=2245703). In the Deployment Center, the **Azure Pipelines** option just points you in the right direction. ++For more information, see [Deploy to App Service using Azure Pipelines](deploy-azure-pipelines.md). ++-- +++## Frequently asked questions ++- [Does the GitHub Actions build provider work with basic authentication if basic authentication is disabled?](#does-the-github-actions-build-provider-work-with-basic-authentication-if-basic-authentication-is-disabled) +- [What does the user-assigned identity option do for GitHub Actions?](#what-does-the-user-assigned-identity-option-do-for-github-actions) +- [Why do I see the error, "This identity does not have write permissions on this app. Please select a different identity, or work with your admin to grant the Website Contributor role to your identity on this app"?](#why-do-i-see-the-error-this-identity-does-not-have-write-permissions-on-this-app-please-select-a-different-identity-or-work-with-your-admin-to-grant-the-website-contributor-role-to-your-identity-on-this-app) +- [Why do I see the error, "This identity does not have write permissions on this app. Please select a different identity, or work with your admin to grant the Website Contributor role to your identity on this app"?](#why-do-i-see-the-error-this-identity-does-not-have-write-permissions-on-this-app-please-select-a-different-identity-or-work-with-your-admin-to-grant-the-website-contributor-role-to-your-identity-on-this-app) ++#### Does the GitHub Actions build provider work with basic authentication if basic authentication is disabled? ++No. Try using GitHub Actions with the **user-assigned identity** option. ++For more information, see [Deployment without basic authentication](configure-basic-auth-disable.md#deployment-without-basic-authentication). #### What does the user-assigned identity option do for GitHub Actions? -When you select **user-assigned identity** under the **GitHub Actions** source, Azure creates a [user-managed identity](/en-us/entra/identity/managed-identities-azure-resources/overview#managed-identity-types) for you and [federates it with GitHub as an authorized client](/entra/workload-id/workload-identity-federation-create-trust-user-assigned-managed-identity?pivots=identity-wif-mi-methods-azp). This user-managed identity isn't shown in the **Identities** page for your app. +When you select **user-assigned identity** under the **GitHub Actions** source, App Service configures all the necessary resources in Azure and in GitHub to enable the recommended OpenID Connect authentication with GitHub Actions. -This automatically created user-managed identity should be used only for the GitHub Actions deployment. Using it for other configurations isn't supported. +Specifically, App Service does the following operations: -#### I see "You do not have sufficient permissions on this app to assign role-based access to a managed identity and configure federated credentials." when I select the user-assigned identity option with GitHub Actions. +- [Creates a federated credential](/entra/workload-id/workload-identity-federation-create-trust-user-assigned-managed-identity?pivots=identity-wif-mi-methods-azp) between a user-assigned managed identity in Azure and your selected repository and branch in GitHub. +- Creates the secrets `AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, and `AZURE_SUBSCRIPTION_ID` from the federated credential in your selected GitHub repository. +- Assigns the identity to your app. -To use the **user-assigned identity** option for your GitHub Actions deployment, you need the `Microsoft.Authorization/roleAssignments/write` permission on your app. By default, the **User Access Administrator** role and **Owner** role have this permission already, but the **Contributor** role doesn't. +In a GitHub Actions workflow in your GitHub repository, you can then use the [Azure/login](https://github.com/Azure/login) action to authenticate with your app by using OpenID Connect. For examples, see [Add the workflow file to your GitHub repository](deploy-github-actions.md#3-add-the-workflow-file-to-your-github-repository). -#### How do I deploy from other repositories +If your Azure account has the [required permissions](#why-do-i-see-the-error-you-do-not-have-sufficient-permissions-on-this-app-to-assign-role-based-access-to-a-managed-identity-and-configure-federated-credentials), App Service creates a user-assigned managed identity and configures it for you. This identity isn't shown in the **Identities** page of your app. If your Azure account doesn't have the required permissions, you must select an [existing identity with the required role](#why-do-i-see-the-error-this-identity-does-not-have-write-permissions-on-this-app-please-select-a-different-identity-or-work-with-your-admin-to-grant-the-website-contributor-role-to-your-identity-on-this-app). -For Windows apps, you can manually configure continuous deployment from a cloud Git or Mercurial repository that the portal doesn't directly support, like [GitLab](https://gitlab.com/). You do that by selecting **External Git** in the **Source** dropdown list. For more information, see [Set up continuous deployment using manual steps](https://github.com/projectkudu/kudu/wiki/Continuous-deployment#setting-up-continuous-deployment-using-manual-steps). +#### Why do I see the error, "You do not have sufficient permissions on this app to assign role-based access to a managed identity and configure federated credentials"? ++The message indicates that your Azure account doesn't have the required permissions to create a user-assigned managed identity for the GitHub Actions. The required permissions (scoped to your app) are: ++- `Microsoft.Authorization/roleAssignments/write` +- `Microsoft.ManagedIdentity/userAssignedIdentities/write` ++By default, the **User Access Administrator** role and **Owner** role have these permissions already, but the **Contributor** role doesn't. If you don't have the required permissions, work with your Azure administrator to create a user-assigned managed identity with the [Website Contributor role](#why-do-i-see-the-error-this-identity-does-not-have-write-permissions-on-this-app-please-select-a-different-identity-or-work-with-your-admin-to-grant-the-website-contributor-role-to-your-identity-on-this-app). In the Deployment Center, you can then select the identity in the **GitHub** > **Identity** dropdown. ++For more information on the alternative steps, see [Deploy to App Service using GitHub Actions](deploy-github-actions.md). ++#### Why do I see the error, "This identity does not have write permissions on this app. Please select a different identity, or work with your admin to grant the Website Contributor role to your identity on this app"? ++The message indicates that the selected user-assigned managed identity doesn't have the required role [to enable OpenID Connect](#what-does-the-user-assigned-identity-option-do-for-github-actions) between the GitHub repository and the App Service app. The identity must have one of the following roles on the app: **Owner**, **Contributor**, **Websites Contributor**. The least privileged role that the identity needs is **Websites Contributor**. ## More resources -* [Deploy from Azure Pipelines to Azure App Services](/azure/devops/pipelines/apps/cd/deploy-webdeploy-webapps) -* [Investigate common problems with continuous deployment](https://github.com/projectkudu/kudu/wiki/Investigating-continuous-deployment) * [Use Azure PowerShell](/powershell/azure/)-* [Project Kudu](https://github.com/projectkudu/kudu/wiki) |
app-service | Deploy Ftp | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/deploy-ftp.md | description: Learn how to deploy your app to Azure App Service using FTP or FTPS ms.assetid: ae78b410-1bc0-4d72-8fc4-ac69801247ae Previously updated : 02/26/2021 Last updated : 01/26/2024 or API app to [Azure App Service](./overview.md). The FTP/S endpoint for your app is already active. No configuration is necessary to enable FTP/S deployment. > [!NOTE]-> The **Development Center (Classic)** page in the Azure portal, which is the old deployment experience, will be deprecated in March, 2021. This change will not affect any existing deployment settings in your app, and you can continue to manage app deployment in the **Deployment Center** page. +> When [basic authentication is disabled](configure-basic-auth-disable.md), FTP/S deployment doesn't work, and you can't view or configure FTP credentials in the app's Deployment Center. ## Get deployment credentials For enhanced security, you should allow FTP over TLS/SSL only. You can also disa 1. In your app's resource page in [Azure portal](https://portal.azure.com), select **Configuration** > **General settings** from the left navigation. -2. To disable unencrypted FTP, select **FTPS Only** in **FTP state**. To disable both FTP and FTPS entirely, select **Disabled**. When finished, click **Save**. If using **FTPS Only**, you must enforce TLS 1.2 or higher by navigating to the **TLS/SSL settings** blade of your web app. TLS 1.0 and 1.1 are not supported with **FTPS Only**. +2. To disable unencrypted FTP, select **FTPS Only** in **FTP state**. To disable both FTP and FTPS entirely, select **Disabled**. When finished, select **Save**. If using **FTPS Only**, you must enforce TLS 1.2 or higher by navigating to the **TLS/SSL settings** page of your web app. TLS 1.0 and 1.1 aren't supported with **FTPS Only**. ![Disable FTP/S](./media/app-service-deploy-ftp/disable-ftp.png) A runtime application issue typically results in the right set of files deployed To determine a deployment or runtime issue, see [Deployment vs. runtime issues](https://github.com/projectkudu/kudu/wiki/Deployment-vs-runtime-issues). #### I'm not able to FTP and publish my code. How can I resolve the issue?-Check that you've entered the correct [hostname](#get-ftps-endpoint) and [credentials](#get-deployment-credentials). Check also that the following FTP ports on your machine are not blocked by a firewall: +Check that you entered the correct [hostname](#get-ftps-endpoint) and [credentials](#get-deployment-credentials). Check also that the following FTP ports on your machine aren't blocked by a firewall: - FTP control connection port: 21, 990 - FTP data connection port: 989, 10001-10300 Azure App Service supports connecting via both Active and Passive mode. Passive #### Why is my connection failing when attempting to connect over FTPS using explicit encryption? FTPS allows establishing the TLS secure connection in either an Explicit or Implicit way. + - If you connect with Implicit encryption, the connection is established via port 990. + - If you connect with Explicit encryption, the connection is established via port 21. -One thing to be aware that can affect your connection success is the URL used, this will depend on the Client Application used. -The portal will have just the URL as "ftps://" and you might need to change this. +The URL format you use can affect your connection success, and it also depends on the client application you use. The portal shows the URL as `ftps://`, but note: - Make sure to not mix both, such as attempting to connect to "ftps://" and using port 21, as it will fail to connect, even if you wish to do Explicit encryption. - The reason for this is due to an Explicit connection starting as a plain FTP connection before the AUTH method. + - If the URL you connect with starts with `ftp://`, the connection is implied to be on port 21. + - If it starts with `ftps://`, the connection is implied to be Implicit and on port 990. ++ Make sure not to mix both, such as attempting to connect to `ftps://` and using port 21, as it will fail to connect, even if you wish to do Explicit encryption. This is due to an Explicit connection starting as a plain FTP connection before the AUTH method. #### How can I determine the method that was used to deploy my Azure App Service?-Let us say you take over owning an app and you wish to find out how the Azure App Service was deployed so you can make changes and deploy them. You can determine how an Azure App Service was deployed by checking the application settings. If the app was deployed using an external package URL, you will see the WEBSITE_RUN_FROM_PACKAGE setting in the application settings with a URL value. Or if it was deployed using zip deploy, you will see the WEBSITE_RUN_FROM_PACKAGE setting with a value of 1. If the app was deployed using Azure DevOps, you will see the deployment history in the Azure DevOps portal. If Azure Functions Core Tools was used, you will see the deployment history in the Azure portal. +You can find out how an app was deployed by checking the application settings. If the app was deployed using an external package URL, you should see the `WEBSITE_RUN_FROM_PACKAGE` setting in the application settings with a URL value. Or if it was deployed using zip deploy, you should see the `WEBSITE_RUN_FROM_PACKAGE` setting with a value of `1`. If the app was deployed using Azure DevOps, you should see the deployment history in the Azure DevOps portal. If Azure Functions Core Tools is used, you should see the deployment history in the Azure portal. ## More resources |
app-service | Deploy Github Actions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/deploy-github-actions.md | Title: Configure CI/CD with GitHub Actions description: Learn how to deploy your code to Azure App Service from a CI/CD pipeline with GitHub Actions. Customize the build tasks and execute complex deployments. Previously updated : 12/14/2023 Last updated : 01/16/2024 Get started with [GitHub Actions](https://docs.github.com/en/actions/learn-githu ## Prerequisites - An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).-- A GitHub account. If you don't have one, sign up for [free](https://github.com/join). -- A working Azure App Service app. - - .NET: [Create an ASP.NET Core web app in Azure](quickstart-dotnetcore.md) - - ASP.NET: [Create an ASP.NET Framework web app in Azure](./quickstart-dotnetcore.md?tabs=netframework48) - - JavaScript: [Create a Node.js web app in Azure App Service](quickstart-nodejs.md) - - Java: [Create a Java app on Azure App Service](quickstart-java.md) - - Python: [Create a Python app in Azure App Service](quickstart-python.md) +- A GitHub account. If you don't have one, sign up for [free](https://github.com/join). -## Workflow file overview +## Set up GitHub Actions deployment when creating the app -A workflow is defined by a YAML (.yml) file in the `/.github/workflows/` path in your repository. This definition contains the various steps and parameters that make up the workflow. +GitHub Actions deployment is integrated into the default [app creation wizard](https://portal.azure.com/#create/Microsoft.WebSite). You just need to set **Continuous deployment** to **Enable** in the Deployment tab, and configure the organization, repository, and branch you want. -The file has three sections: -|Section |Tasks | -||| -|**Authentication** | 1. Define a service principal or publish profile. <br /> 2. Create a GitHub secret. | -|**Build** | 1. Set up the environment. <br /> 2. Build the web app. | -|**Deploy** | 1. Deploy the web app. | +When you enable continuous deployment, the app creation wizard automatically picks the authentication method based on the basic authentication selection and configures your app and your GitHub repository accordingly: -## Use the Deployment Center +| Basic authentication selection | Authentication method | +|-|-| +|Disable| [User-assigned identity (OpenID Connect)](deploy-continuous-deployment.md#what-does-the-user-assigned-identity-option-do-for-github-actions) | +|Enable| [Basic authentication](configure-basic-auth-disable.md) | -You can quickly get started with GitHub Actions by using the App Service Deployment Center. This turn-key method automatically generates a workflow file based on your application stack and commits it to your GitHub repository in the correct directory. For more information, see [Continuous deployment to Azure App Service](deploy-continuous-deployment.md). +> [!NOTE] +> If you receive an error when creating your app saying that your Azure account doesn't have certain permissions, it may not have [the required permissions to create and configure the user-assigned identity](deploy-continuous-deployment.md#why-do-i-see-the-error-you-do-not-have-sufficient-permissions-on-this-app-to-assign-role-based-access-to-a-managed-identity-and-configure-federated-credentials). For an alternative, see [Set up GitHub Actions deployment from the Deployment Center](#set-up-github-actions-deployment-from-the-deployment-center). ++## Set up GitHub Actions deployment from the Deployment Center ++For an existing app, you can get started quickly with GitHub Actions by using the App Service Deployment Center. This turn-key method automatically generates a GitHub Actions workflow file based on your application stack and commits it to your GitHub repository. ++The Deployment Center also lets you easily configure the more secure OpenID Connect authentication with [the **user-assigned identity** option](deploy-continuous-deployment.md#what-does-the-user-assigned-identity-option-do-for-github-actions). ++If your Azure account has the [needed permissions](deploy-continuous-deployment.md#why-do-i-see-the-error-you-do-not-have-sufficient-permissions-on-this-app-to-assign-role-based-access-to-a-managed-identity-and-configure-federated-credentials), you can select to create a user-assigned identity. Otherwise, you can select an existing user-assigned managed identity in the **Identity** dropdown. You can work with your Azure administrator to create a user-assigned managed identity with the [Website Contributor role](deploy-continuous-deployment.md#why-do-i-see-the-error-this-identity-does-not-have-write-permissions-on-this-app-please-select-a-different-identity-or-work-with-your-admin-to-grant-the-website-contributor-role-to-your-identity-on-this-app). ++For more information, see [Continuous deployment to Azure App Service](deploy-continuous-deployment.md?tabs=github). -## Set up a workflow manually +## Set up a GitHub Actions workflow manually -You can also deploy a workflow without using the Deployment Center. To do so, you need to first generate deployment credentials. +You can also deploy a workflow without using the Deployment Center. -## Generate deployment credentials +1. [Generate deployment credentials](#1-generate-deployment-credentials) +1. [Configure the GitHub secret](#2-configure-the-github-secret) +1. [Add the workflow file to your GitHub repository](#3-add-the-workflow-file-to-your-github-repository) ++### 1. Generate deployment credentials The recommended way to authenticate with Azure App Services for GitHub Actions is with a user-defined managed identity, and the easiest way for that is by [configuring GitHub Actions deployment directly in the portal](deploy-continuous-deployment.md) instead and selecting **User-assigned managed identity**. In the previous example, replace the placeholders with your subscription ID, res # [OpenID Connect](#tab/openid) -OpenID Connect is an authentication method that uses short-lived tokens. Setting up [OpenID Connect with GitHub Actions](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect) is more complex process that offers hardened security. +OpenID Connect is an authentication method that uses short-lived tokens. Setting up [OpenID Connect with GitHub Actions](/azure/developer/github/connect-from-azure) is more complex but offers hardened security. 1. If you don't have an existing application, register a [new Active Directory application and service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md). Create the Active Directory application. To learn how to create a Create an active directory application, service princip -## Configure the GitHub secret +### 2. Configure the GitHub secret # [Publish profile](#tab/applevel) In [GitHub](https://github.com/), browse your repository. Select **Settings > Security > Secrets and variables > Actions > New repository secret**. -To use [app-level credentials](#generate-deployment-credentials), paste the contents of the downloaded publish profile file into the secret's value field. Name the secret `AZURE_WEBAPP_PUBLISH_PROFILE`. +To use [app-level credentials](#1-generate-deployment-credentials), paste the contents of the downloaded publish profile file into the secret's value field. Name the secret `AZURE_WEBAPP_PUBLISH_PROFILE`. -When you configure your GitHub workflow, you use the `AZURE_WEBAPP_PUBLISH_PROFILE` in the deploy Azure Web App action. For example: +When you configure the GitHub workflow file later, you use the `AZURE_WEBAPP_PUBLISH_PROFILE` in the deploy Azure Web App action. For example: ```yaml - uses: azure/webapps-deploy@v2 When you configure your GitHub workflow, you use the `AZURE_WEBAPP_PUBLISH_PROFI In [GitHub](https://github.com/), browse your repository. Select **Settings > Security > Secrets and variables > Actions > New repository secret**. -To use [user-level credentials](#generate-deployment-credentials), paste the entire JSON output from the Azure CLI command into the secret's value field. Give the secret the name `AZURE_CREDENTIALS`. +To use [user-level credentials](#1-generate-deployment-credentials), paste the entire JSON output from the Azure CLI command into the secret's value field. Name the secret `AZURE_CREDENTIALS`. -When you configure the workflow file later, you use the secret for the input `creds` of the Azure Login action. For example: +When you configure the GitHub workflow file later, you use the secret for the input `creds` of the [Azure/login](https://github.com/marketplace/actions/azure-login). For example: ```yaml - uses: azure/login@v1 When you configure the workflow file later, you use the secret for the input `cr # [OpenID Connect](#tab/openid) -You need to provide your application's **Client ID**, **Tenant ID** and **Subscription ID** to the login action. These values can either be provided directly in the workflow or can be stored in GitHub secrets and referenced in your workflow. Saving the values as GitHub secrets is the more secure option. +You need to provide your application's **Client ID**, **Tenant ID** and **Subscription ID** to the [Azure/login](https://github.com/marketplace/actions/azure-login) action. These values can either be provided directly in the workflow or can be stored in GitHub secrets and referenced in your workflow. Saving the values as GitHub secrets is the more secure option. 1. Open your GitHub repository and go to **Settings > Security > Secrets and variables > Actions > New repository secret**. You need to provide your application's **Client ID**, **Tenant ID** and **Subscr -## Set up the environment --Setting up the environment can be done using one of the setup actions. --|**Language** |**Setup Action** | -||| -|**.NET** | `actions/setup-dotnet` | -|**ASP.NET** | `actions/setup-dotnet` | -|**Java** | `actions/setup-java` | -|**JavaScript** | `actions/setup-node` | -|**Python** | `actions/setup-python` | --The following examples show how to set up the environment for the different supported languages: --**.NET** --```yaml - - name: Setup Dotnet 6.0.x - uses: actions/setup-dotnet@v3 - with: - dotnet-version: '6.0.x' -``` --**ASP.NET** --```yaml - - name: Install Nuget - uses: nuget/setup-nuget@v1 - with: - nuget-version: ${{ env.NUGET_VERSION}} -``` --**Java** --```yaml - - name: Setup Java 1.8.x - uses: actions/setup-java@v3 - with: - # If your pom.xml <maven.compiler.source> version is not in 1.8.x, - # change the Java version to match the version in pom.xml <maven.compiler.source> - java-version: '1.8.x' -``` --**JavaScript** +### 3. Add the workflow file to your GitHub repository -```yaml -env: - NODE_VERSION: '18.x' # set this to the node version to use --jobs: - build-and-deploy: - name: Build and Deploy - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@main - - name: Use Node.js ${{ env.NODE_VERSION }} - uses: actions/setup-node@v4 - with: - node-version: ${{ env.NODE_VERSION }} -``` -**Python** +A workflow is defined by a YAML (.yml) file in the `/.github/workflows/` path in your GitHub repository. This definition contains the various steps and parameters that make up the workflow. -```yaml - - name: Setup Python 3.x - uses: actions/setup-python@v4 - with: - python-version: 3.x -``` +At a minimum, the workflow file would have the following distinct steps: -## Build the web app +1. Authenticate with App Service using the GitHub secret you created. +1. Build the web app. +1. Deploy the web app. -The process of building a web app and deploying to Azure App Service changes depending on the language. +To deploy your code to an App Service app, you use the [azure/webapps-deploy@v3](https://github.com/Azure/webapps-deploy/tree/releases/v3) action. The action requires the name of your web app in `app-name` and, depending on your language stack, the path of a *.zip, *.war, *.jar, or folder to deploy in `package`. For a complete list of possible inputs for the `azure/webapps-deploy@v3` action, see the [action.yml](https://github.com/Azure/webapps-deploy/blob/releases/v3/action.yml) definition. The following examples show the part of the workflow that builds the web app, in different supported languages. -For all languages, you can set the web app root directory with `working-directory`. --**.NET** --The environment variable `AZURE_WEBAPP_PACKAGE_PATH` sets the path to your web app project. --```yaml -- name: dotnet build and publish- run: | - dotnet restore - dotnet build --configuration Release - dotnet publish -c Release --property:PublishDir='${{ env.AZURE_WEBAPP_PACKAGE_PATH }}/myapp' -``` -**ASP.NET** --You can restore NuGet dependencies and run msbuild with `run`. --```yaml -- name: NuGet to restore dependencies as well as project-specific tools that are specified in the project file- run: nuget restore --- name: Add msbuild to PATH- uses: microsoft/setup-msbuild@v1.0.2 --- name: Run msbuild- run: msbuild .\SampleWebApplication.sln -``` --**Java** --```yaml -- name: Build with Maven- run: mvn package --file pom.xml -``` --**JavaScript** --For Node.js, you can set `working-directory` or change for npm directory in `pushd`. --```yaml -- name: npm install, build, and test- run: | - npm install - npm run build --if-present - npm run test --if-present - working-directory: my-app-folder # set to the folder with your app if it is not the root directory -``` --**Python** --```yaml -- name: Install dependencies- run: | - python -m pip install --upgrade pip - pip install -r requirements.txt -``` ---## Deploy to App Service --To deploy your code to an App Service app, use the `azure/webapps-deploy@v2` action. This action has four parameters: --| **Parameter** | **Explanation** | -||| -| **app-name** | (Required) Name of the App Service app | -| **publish-profile** | (Optional) Publish profile file contents with Web Deploy secrets | -| **package** | (Optional) Path to package or folder. The path can include *.zip, *.war, *.jar, or a folder to deploy | -| **slot-name** | (Optional) Enter an existing slot other than the production [slot](deploy-staging-slots.md) | -- # [Publish profile](#tab/applevel) -### .NET Core --Build and deploy a .NET Core app to Azure using an Azure publish profile. The `publish-profile` input references the `AZURE_WEBAPP_PUBLISH_PROFILE` secret that you created earlier. --```yaml -name: .NET Core CI --on: [push] --env: - AZURE_WEBAPP_NAME: my-app-name # set this to your application's name - AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root - DOTNET_VERSION: '6.0.x' # set this to the dot net version to use --jobs: - build: - runs-on: ubuntu-latest -- steps: - # Checkout the repo - - uses: actions/checkout@main - - # Setup .NET Core SDK - - name: Setup .NET Core - uses: actions/setup-dotnet@v3 - with: - dotnet-version: ${{ env.DOTNET_VERSION }} - - # Run dotnet build and publish - - name: dotnet build and publish - run: | - dotnet restore - dotnet build --configuration Release - dotnet publish -c Release --property:PublishDir='${{ env.AZURE_WEBAPP_PACKAGE_PATH }}/myapp' - - # Deploy to Azure Web apps - - name: 'Run Azure webapp deploy action using publish profile credentials' - uses: azure/webapps-deploy@v2 - with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} # Replace with your app name - publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} # Define secret variable in repository settings as per action documentation - package: '${{ env.AZURE_WEBAPP_PACKAGE_PATH }}/myapp' -``` --### ASP.NET --Build and deploy an ASP.NET MVC app that uses NuGet and `publish-profile` for authentication. ---```yaml -name: Deploy ASP.NET MVC App deploy to Azure Web App --on: [push] --env: - AZURE_WEBAPP_NAME: my-app # set this to your application's name - AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root - NUGET_VERSION: '5.3.x' # set this to the dot net version to use --jobs: - build-and-deploy: - runs-on: windows-latest - steps: -- - uses: actions/checkout@main - - - name: Install Nuget - uses: nuget/setup-nuget@v1 - with: - nuget-version: ${{ env.NUGET_VERSION}} - - name: NuGet to restore dependencies as well as project-specific tools that are specified in the project file - run: nuget restore - - - name: Add msbuild to PATH - uses: microsoft/setup-msbuild@v1.0.2 -- - name: Run MSBuild - run: msbuild .\SampleWebApplication.sln - - - name: 'Run Azure webapp deploy action using publish profile credentials' - uses: azure/webapps-deploy@v2 - with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} # Replace with your app name - publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} # Define secret variable in repository settings as per action documentation - package: '${{ env.AZURE_WEBAPP_PACKAGE_PATH }}/SampleWebApplication/' -``` --### Java --Build and deploy a Java Spring app to Azure using an Azure publish profile. The `publish-profile` input references the `AZURE_WEBAPP_PUBLISH_PROFILE` secret that you created earlier. --```yaml -name: Java CI with Maven --on: [push] --jobs: - build: -- runs-on: ubuntu-latest -- steps: - - uses: actions/checkout@v4 - - name: Set up JDK 1.8 - uses: actions/setup-java@v3 - with: - java-version: 1.8 - - name: Build with Maven - run: mvn -B package --file pom.xml - working-directory: my-app-path - - name: Azure WebApp - uses: Azure/webapps-deploy@v2 - with: - app-name: my-app-name - publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - package: my/target/*.jar -``` --To deploy a `war` instead of a `jar`, change the `package` value. ---```yaml - - name: Azure WebApp - uses: Azure/webapps-deploy@v2 - with: - app-name: my-app-name - publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - package: my/target/*.war -``` --### JavaScript --Build and deploy a Node.js app to Azure using the app's publish profile. The `publish-profile` input references the `AZURE_WEBAPP_PUBLISH_PROFILE` secret that you created earlier. --```yaml -# File: .github/workflows/workflow.yml -name: JavaScript CI --on: [push] --env: - AZURE_WEBAPP_NAME: my-app-name # set this to your application's name - AZURE_WEBAPP_PACKAGE_PATH: 'my-app-path' # set this to the path to your web app project, defaults to the repository root - NODE_VERSION: '18.x' # set this to the node version to use --jobs: - build-and-deploy: - name: Build and Deploy - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@main - - name: Use Node.js ${{ env.NODE_VERSION }} - uses: actions/setup-node@v4 - with: - node-version: ${{ env.NODE_VERSION }} - - name: npm install, build, and test - run: | - # Build and test the project, then - # deploy to Azure Web App. - npm install - npm run build --if-present - npm run test --if-present - working-directory: my-app-path - - name: 'Deploy to Azure WebApp' - uses: azure/webapps-deploy@v2 - with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} - publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - package: ${{ env.AZURE_WEBAPP_PACKAGE_PATH }} -``` --### Python --Build and deploy a Python app to Azure using the app's publish profile. Note how the `publish-profile` input references the `AZURE_WEBAPP_PUBLISH_PROFILE` secret that you created earlier. --```yaml -name: Python CI --on: - [push] --env: - AZURE_WEBAPP_NAME: my-web-app # set this to your application's name - AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root --jobs: - build: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - name: Set up Python 3.x - uses: actions/setup-python@v4 - with: - python-version: 3.x - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install -r requirements.txt - - name: Building web app - uses: azure/appservice-build@v2 - - name: Deploy web App using GH Action azure/webapps-deploy - uses: azure/webapps-deploy@v2 - with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} - publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - package: ${{ env.AZURE_WEBAPP_PACKAGE_PATH }} -``` # [Service principal](#tab/userlevel) -### .NET Core --Build and deploy a .NET Core app to Azure using an Azure service principal. Note how the `creds` input references the `AZURE_CREDENTIALS` secret that you created earlier. ---```yaml -name: .NET Core --on: [push] --env: - AZURE_WEBAPP_NAME: my-app # set this to your application's name - AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root - DOTNET_VERSION: '6.0.x' # set this to the dot net version to use --jobs: - build: - runs-on: ubuntu-latest -- steps: - # Checkout the repo - - uses: actions/checkout@main - - uses: azure/login@v1 - with: - creds: ${{ secrets.AZURE_CREDENTIALS }} -- - # Setup .NET Core SDK - - name: Setup .NET Core - uses: actions/setup-dotnet@v3 - with: - dotnet-version: ${{ env.DOTNET_VERSION }} - - # Run dotnet build and publish - - name: dotnet build and publish - run: | - dotnet restore - dotnet build --configuration Release - dotnet publish -c Release --property:PublishDir='${{ env.AZURE_WEBAPP_PACKAGE_PATH }}/myapp' - - # Deploy to Azure Web apps - - name: 'Run Azure webapp deploy action using Azure Credentials' - uses: azure/webapps-deploy@v2 - with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} # Replace with your app name - package: '${{ env.AZURE_WEBAPP_PACKAGE_PATH }}/myapp' - - - name: logout - run: | - az logout -``` --### ASP.NET --Build and deploy a ASP.NET MVC app to Azure using an Azure service principal. Note how the `creds` input references the `AZURE_CREDENTIALS` secret that you created earlier. --```yaml -name: Deploy ASP.NET MVC App deploy to Azure Web App --on: [push] --env: - AZURE_WEBAPP_NAME: my-app # set this to your application's name - AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root - NUGET_VERSION: '5.3.x' # set this to the dot net version to use --jobs: - build-and-deploy: - runs-on: windows-latest - steps: -- # checkout the repo - - uses: actions/checkout@main - - - uses: azure/login@v1 - with: - creds: ${{ secrets.AZURE_CREDENTIALS }} -- - name: Install Nuget - uses: nuget/setup-nuget@v1 - with: - nuget-version: ${{ env.NUGET_VERSION}} - - name: NuGet to restore dependencies as well as project-specific tools that are specified in the project file - run: nuget restore - - - name: Add msbuild to PATH - uses: microsoft/setup-msbuild@v1.0.2 -- - name: Run MSBuild - run: msbuild .\SampleWebApplication.sln - - - name: 'Run Azure webapp deploy action using Azure Credentials' - uses: azure/webapps-deploy@v2 - with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} # Replace with your app name - package: '${{ env.AZURE_WEBAPP_PACKAGE_PATH }}/SampleWebApplication/' - - # Azure logout - - name: logout - run: | - az logout -``` --### Java --Build and deploy a Java Spring app to Azure using an Azure service principal. Note how the `creds` input references the `AZURE_CREDENTIALS` secret that you created earlier. --```yaml -name: Java CI with Maven --on: [push] --jobs: - build: -- runs-on: ubuntu-latest -- steps: - - uses: actions/checkout@v4 - - uses: azure/login@v1 - with: - creds: ${{ secrets.AZURE_CREDENTIALS }} - - name: Set up JDK 1.8 - uses: actions/setup-java@v3 - with: - java-version: 1.8 - - name: Build with Maven - run: mvn -B package --file pom.xml - working-directory: complete - - name: Azure WebApp - uses: Azure/webapps-deploy@v2 - with: - app-name: my-app-name - package: my/target/*.jar -- # Azure logout - - name: logout - run: | - az logout -``` --### JavaScript --Build and deploy a Node.js app to Azure using an Azure service principal. Note how the `creds` input references the `AZURE_CREDENTIALS` secret that you created earlier. --```yaml -name: JavaScript CI --on: [push] --name: Node.js --env: - AZURE_WEBAPP_NAME: my-app # set this to your application's name - AZURE_WEBAPP_PACKAGE_PATH: 'my-app-path' # set this to the path to your web app project, defaults to the repository root - NODE_VERSION: '18.x' # set this to the node version to use --jobs: - build-and-deploy: - runs-on: ubuntu-latest - steps: - # checkout the repo - - name: 'Checkout GitHub Action' - uses: actions/checkout@main - - - uses: azure/login@v1 - with: - creds: ${{ secrets.AZURE_CREDENTIALS }} - - - name: Setup Node ${{ env.NODE_VERSION }} - uses: actions/setup-node@v4 - with: - node-version: ${{ env.NODE_VERSION }} - - - name: 'npm install, build, and test' - run: | - npm install - npm run build --if-present - npm run test --if-present - working-directory: my-app-path - - # deploy web app using Azure credentials - - uses: azure/webapps-deploy@v2 - with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} - package: ${{ env.AZURE_WEBAPP_PACKAGE_PATH }} -- # Azure logout - - name: logout - run: | - az logout -``` --### Python --Build and deploy a Python app to Azure using an Azure service principal. Note how the `creds` input references the `AZURE_CREDENTIALS` secret that you created earlier. --```yaml -name: Python application --on: - [push] --env: - AZURE_WEBAPP_NAME: my-app # set this to your application's name - AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root --jobs: - build: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - - uses: azure/login@v1 - with: - creds: ${{ secrets.AZURE_CREDENTIALS }} -- - name: Set up Python 3.x - uses: actions/setup-python@v4 - with: - python-version: 3.x - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install -r requirements.txt - - name: Deploy web App using GH Action azure/webapps-deploy - uses: azure/webapps-deploy@v2 - with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} - package: ${{ env.AZURE_WEBAPP_PACKAGE_PATH }} - - name: logout - run: | - az logout -``` # [OpenID Connect](#tab/openid) -### .NET Core --Build and deploy a .NET Core app to Azure using an Azure service principal. The example uses GitHub secrets for the `client-id`, `tenant-id`, and `subscription-id` values. You can also pass these values directly in the login action. ---```yaml -name: .NET Core --on: [push] --permissions: - id-token: write - contents: read --env: - AZURE_WEBAPP_NAME: my-app # set this to your application's name - AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root - DOTNET_VERSION: '6.0.x' # set this to the dot net version to use --jobs: - build: - runs-on: ubuntu-latest -- steps: - # Checkout the repo - - uses: actions/checkout@main - - uses: azure/login@v1 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} -- - # Setup .NET Core SDK - - name: Setup .NET Core - uses: actions/setup-dotnet@v3 - with: - dotnet-version: ${{ env.DOTNET_VERSION }} - - # Run dotnet build and publish - - name: dotnet build and publish - run: | - dotnet restore - dotnet build --configuration Release - dotnet publish -c Release --property:PublishDir='${{ env.AZURE_WEBAPP_PACKAGE_PATH }}/myapp' - - # Deploy to Azure Web apps - - name: 'Run Azure webapp deploy action using publish profile credentials' - uses: azure/webapps-deploy@v2 - with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} # Replace with your app name - package: '${{ env.AZURE_WEBAPP_PACKAGE_PATH }}/myapp' - - - name: logout - run: | - az logout -``` --### ASP.NET --Build and deploy a ASP.NET MVC app to Azure using an Azure service principal. The example uses GitHub secrets for the `client-id`, `tenant-id`, and `subscription-id` values. You can also pass these values directly in the login action. --```yaml -name: Deploy ASP.NET MVC App deploy to Azure Web App -on: [push] --permissions: - id-token: write - contents: read --env: - AZURE_WEBAPP_NAME: my-app # set this to your application's name - AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root - NUGET_VERSION: '5.3.x' # set this to the dot net version to use --jobs: - build-and-deploy: - runs-on: windows-latest - steps: -- # checkout the repo - - uses: actions/checkout@main - - - uses: azure/login@v1 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} -- - name: Install Nuget - uses: nuget/setup-nuget@v1 - with: - nuget-version: ${{ env.NUGET_VERSION}} - - name: NuGet to restore dependencies as well as project-specific tools that are specified in the project file - run: nuget restore - - - name: Add msbuild to PATH - uses: microsoft/setup-msbuild@v1.0.2 -- - name: Run MSBuild - run: msbuild .\SampleWebApplication.sln - - - name: 'Run Azure webapp deploy action using publish profile credentials' - uses: azure/webapps-deploy@v2 - with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} # Replace with your app name - package: '${{ env.AZURE_WEBAPP_PACKAGE_PATH }}/SampleWebApplication/' - - # Azure logout - - name: logout - run: | - az logout -``` --### Java --Build and deploy a Java Spring app to Azure using an Azure service principal. The example uses GitHub secrets for the `client-id`, `tenant-id`, and `subscription-id` values. You can also pass these values directly in the login action. --```yaml -name: Java CI with Maven --on: [push] --permissions: - id-token: write - contents: read --jobs: - build: -- runs-on: ubuntu-latest -- steps: - - uses: actions/checkout@v4 - - uses: azure/login@v1 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - name: Set up JDK 1.8 - uses: actions/setup-java@v3 - with: - java-version: 1.8 - - name: Build with Maven - run: mvn -B package --file pom.xml - working-directory: complete - - name: Azure WebApp - uses: Azure/webapps-deploy@v2 - with: - app-name: my-app-name - package: my/target/*.jar -- # Azure logout - - name: logout - run: | - az logout -``` --### JavaScript --Build and deploy a Node.js app to Azure using an Azure service principal. The example uses GitHub secrets for the `client-id`, `tenant-id`, and `subscription-id` values. You can also pass these values directly in the login action. ---```yaml -name: JavaScript CI --on: [push] --permissions: - id-token: write - contents: read --name: Node.js --env: - AZURE_WEBAPP_NAME: my-app # set this to your application's name - AZURE_WEBAPP_PACKAGE_PATH: 'my-app-path' # set this to the path to your web app project, defaults to the repository root - NODE_VERSION: '18.x' # set this to the node version to use --jobs: - build-and-deploy: - runs-on: ubuntu-latest - steps: - # checkout the repo - - name: 'Checkout GitHub Action' - uses: actions/checkout@main - - - uses: azure/login@v1 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - - name: Setup Node ${{ env.NODE_VERSION }} - uses: actions/setup-node@v4 - with: - node-version: ${{ env.NODE_VERSION }} - - - name: 'npm install, build, and test' - run: | - npm install - npm run build --if-present - npm run test --if-present - working-directory: my-app-path - - # deploy web app using Azure credentials - - uses: azure/webapps-deploy@v2 - with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} - package: ${{ env.AZURE_WEBAPP_PACKAGE_PATH }} -- # Azure logout - - name: logout - run: | - az logout -``` --### Python --Build and deploy a Python app to Azure using an Azure service principal. The example uses GitHub secrets for the `client-id`, `tenant-id`, and `subscription-id` values. You can also pass these values directly in the login action. --```yaml -name: Python application --on: - [push] --permissions: - id-token: write - contents: read --env: - AZURE_WEBAPP_NAME: my-app # set this to your application's name - AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root --jobs: - build: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - - uses: azure/login@v1 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} -- - name: Set up Python 3.x - uses: actions/setup-python@v4 - with: - python-version: 3.x - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install -r requirements.txt - - name: Deploy web App using GH Action azure/webapps-deploy - uses: azure/webapps-deploy@v2 - with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} - package: ${{ env.AZURE_WEBAPP_PACKAGE_PATH }} - - name: logout - run: | - az logout -``` --+-- ## Next steps Check out references on Azure GitHub Actions and workflows: -- [Azure login](https://github.com/Azure/login)-- [Azure WebApp](https://github.com/Azure/webapps-deploy)-- [Azure WebApp for containers](https://github.com/Azure/webapps-container-deploy)-- [Docker login/logout](https://github.com/Azure/docker-login)-- [K8s deploy](https://github.com/Azure/k8s-deploy)+- [Azure/login action](https://github.com/Azure/login) +- [Azure/webapps-deploy action](https://github.com/Azure/webapps-deploy) +- [Docker/login action](https://github.com/Azure/docker-login) +- [Azure/k8s-deploy action](https://github.com/Azure/k8s-deploy) - [Actions workflows to deploy to Azure](https://github.com/Azure/actions-workflow-samples) - [Starter Workflows](https://github.com/actions/starter-workflows) - [Events that trigger workflows](https://docs.github.com/en/actions/reference/events-that-trigger-workflows) |
app-service | Deploy Local Git | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/deploy-local-git.md | Title: Deploy from local Git repo description: Learn how to enable local Git deployment to Azure App Service. One of the simplest ways to deploy code from your local machine. ms.assetid: ac50a623-c4b8-4dfd-96b2-a09420770063 Previously updated : 02/16/2021 Last updated : 01/26/2024 +> [!NOTE] +> When [basic authentication is disabled](configure-basic-auth-disable.md), Local Git deployment doesn't work, and you can't configure Local Git deployment in the app's Deployment Center. + ## Prerequisites To follow the steps in this how-to guide: In the portal, you need to create an app first, then configure deployment for it ## Configure an existing app -If you haven't created an app yet, see [Create a Git enabled app](#create-a-git-enabled-app) instead. +If you don't have an app yet, see [Create a Git enabled app](#create-a-git-enabled-app) instead. # [Azure CLI](#tab/cli) Set-AzResource -PropertyObject $PropertiesObject -ResourceGroupName <group-name> 1. In the [Azure portal](https://portal.azure.com), navigate to your app's management page. -1. From the left menu, select **Deployment Center** > **Settings**. Select **Local Git** in **Source**, then click **Save**. +1. From the left menu, select **Deployment Center** > **Settings**. Select **Local Git** in **Source**, then select **Save**. ![Shows how to enable local Git deployment for App Service in the Azure portal](./media/deploy-local-git/enable-portal.png) Set-AzResource -PropertyObject $PropertiesObject -ResourceGroupName <group-name> If your Git remote URL already contains the username and password, you won't be prompted. -1. Review the output. You may see runtime-specific automation, such as MSBuild for ASP.NET, `npm install` for Node.js, and `pip install` for Python. +1. Review the output. You might see runtime-specific automation, such as MSBuild for ASP.NET, `npm install` for Node.js, and `pip install` for Python. 1. Browse to your app in the Azure portal to verify that the content is deployed. When you push commits to your App Service repository, App Service deploys the fi git push azure main ``` - You can also change the `DEPLOYMENT_BRANCH` app setting in the Azure Portal, by selecting **Configuration** under **Settings** and adding a new Application Setting with a name of `DEPLOYMENT_BRANCH` and value of `main`. + You can also change the `DEPLOYMENT_BRANCH` app setting in the Azure portal, by selecting **Configuration** under **Settings** and adding a new Application Setting with a name of `DEPLOYMENT_BRANCH` and value of `main`. ## Troubleshoot deployment -You may see the following common error messages when you use Git to publish to an App Service app in Azure: +You might see the following common error messages when you use Git to publish to an App Service app in Azure: |Message|Cause|Resolution ||| |`Unable to access '[siteURL]': Failed to connect to [scmAddress]`|The app isn't up and running.|Start the app in the Azure portal. Git deployment isn't available when the web app is stopped.|-|`Couldn't resolve host 'hostname'`|The address information for the 'azure' remote is incorrect.|Use the `git remote -v` command to list all remotes, along with the associated URL. Verify that the URL for the 'azure' remote is correct. If needed, remove and recreate this remote using the correct URL.| +|`Couldn't resolve host 'hostname'`|The address information for the `azure` remote is incorrect.|Use the `git remote -v` command to list all remotes, along with the associated URL. Verify that the URL for the `azure` remote is correct. If needed, remove and recreate this remote using the correct URL.| |`No refs in common and none specified; doing nothing. Perhaps you should specify a branch such as 'main'.`|You didn't specify a branch during `git push`, or you haven't set the `push.default` value in `.gitconfig`.|Run `git push` again, specifying the main branch: `git push azure main`.|-|`Error - Changes committed to remote repository but deployment to website failed.`|You pushed a local branch that doesn't match the app deployment branch on 'azure'.|Verify that current branch is `master`. To change the default branch, use `DEPLOYMENT_BRANCH` application setting (see [Change deployment branch](#change-deployment-branch)). | -|`src refspec [branchname] does not match any.`|You tried to push to a branch other than main on the 'azure' remote.|Run `git push` again, specifying the main branch: `git push azure main`.| +|`Error - Changes committed to remote repository but deployment to website failed.`|You pushed a local branch that doesn't match the app deployment branch on `azure`.|Verify that current branch is `master`. To change the default branch, use `DEPLOYMENT_BRANCH` application setting (see [Change deployment branch](#change-deployment-branch)). | +|`src refspec [branchname] does not match any.`|You tried to push to a branch other than main on the `azure` remote.|Run `git push` again, specifying the main branch: `git push azure main`.| |`RPC failed; result=22, HTTP code = 5xx.`|This error can happen if you try to push a large git repository over HTTPS.|Change the git configuration on the local machine to make the `postBuffer` bigger. For example: `git config --global http.postBuffer 524288000`.| |`Error - Changes committed to remote repository but your web app not updated.`|You deployed a Node.js app with a _package.json_ file that specifies additional required modules.|Review the `npm ERR!` error messages before this error for more context on the failure. The following are the known causes of this error, and the corresponding `npm ERR!` messages:<br /><br />**Malformed package.json file**: `npm ERR! Couldn't read dependencies.`<br /><br />**Native module doesn't have a binary distribution for Windows**:<br />`npm ERR! \cmd "/c" "node-gyp rebuild"\ failed with 1` <br />or <br />`npm ERR! [modulename@version] preinstall: \make || gmake\ `| -## Additional resources +## More resources - [App Service build server (Project Kudu documentation)](https://github.com/projectkudu/kudu/wiki) - [Continuous deployment to Azure App Service](deploy-continuous-deployment.md) |
app-service | Deploy Zip | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/deploy-zip.md | Title: Deploy files to App Service description: Learn to deploy various app packages or discrete libraries, static files, or startup scripts to Azure App Service Previously updated : 07/21/2023 Last updated : 01/26/2024 This ZIP package deployment uses the same Kudu service that powers continuous in - Deployment logs. - A package size limit of 2048 MB. -For more information, see [Kudu documentation](https://github.com/projectkudu/kudu/wiki/Deploying-from-a-zip-file). - > [!NOTE]-> Files in the ZIP package are copied only if their timestamps don't match what is already deployed. Generating a zip using a build process that caches outputs can result in faster deployments. See [Deploying from a zip file or url](https://github.com/projectkudu/kudu/wiki/Deploying-from-a-zip-file-or-url), for more information. +> Files in the ZIP package are copied only if their timestamps don't match what is already deployed. ++#### With zip deploy UI in Kudu ++In the browser, navigate to `https://<app_name>.scm.azurewebsites.net/ZipDeployUI`. ++Upload the ZIP package you created in [Create a project ZIP package](#create-a-project-zip-package) by dragging it to the file explorer area on the web page. ++When deployment is in progress, an icon in the top right corner shows you the progress in percentage. The page also shows verbose messages for the operation below the explorer area. When deployment completes, the last message should say `Deployment successful`. ++The above endpoint doesn't work for Linux App Services at this time. Consider using FTP or the [ZIP deploy API](./faq-app-service-linux.yml) instead. ++#### Without zip deploy UI in Kudu # [Azure CLI](#tab/cli) az webapp deploy --resource-group <group-name> --name <app-name> --src-path <zip This command restarts the app after deploying the ZIP package. --The following example uses the `--src-url` parameter to specify the URL of an Azure Storage account that the site should pull the ZIP from. --```azurecli-interactive -az webapp deploy --resource-group <group-name> --name <app-name> --src-url "https://storagesample.blob.core.windows.net/sample-container/myapp.zip?sv=2021-10-01&sb&sig=slk22f3UrS823n4kSh8Skjpa7Naj4CG3 -``` - # [Azure PowerShell](#tab/powershell) -The following example uses [Publish-AzWebapp](/powershell/module/az.websites/publish-azwebapp) to upload the ZIP package. Replace the placeholders `<group-name>`, `<app-name>`, and `<zip-package-path>`. +The following example uses [Publish-AzWebapp](/powershell/module/az.websites/publish-azwebapp) to upload the ZIP package. Replace the placeholders `<group-name>`, `<app-name>`, and `<zip-package-path>` -```powershell +```azurepowershell-interactive Publish-AzWebApp -ResourceGroupName Default-Web-WestUS -Name MyApp -ArchivePath <zip-package-path> ``` # [Kudu API](#tab/api) -The following example uses the cURL tool to deploy a ZIP package. Replace the placeholders `<username>`, `<password>`, `<zip-package-path>`, and `<app-name>`. Use the [deployment credentials](deploy-configure-credentials.md) for authentication. +The following example uses the cURL tool to deploy a ZIP package. Replace the placeholders `<zip-package-path>` and `<app-name>`. If you choose basic authentication, supply the [deployment credentials](deploy-configure-credentials.md) in `<username>` and `<password>`. ```bash-curl -X POST \ - -H "Content-Type: application/octet-stream" \ - -u '<username>:<password>' \ - -T "<zip-package-path>" \ - "https://<app-name>.scm.azurewebsites.net/api/zipdeploy" -``` -+# Microsoft Entra authentication +TOKEN=$(az account get-access-token --query accessToken | tr -d '"') -The following example uses the `packageUri` parameter to specify the URL of an Azure Storage account that the web app should pull the ZIP from. +curl -X POST \ + -H "Authorization: Bearer $TOKEN" \ + -T @"<zip-package-path>" \ + "https://<app-name>.scm.azurewebsites.net/api/publish?type=zip" -```bash -curl -X PUT \ - -H "Content-Type: application/json" \ +# Basic authentication +curl -X POST \ -u '<username>:<password>' \- -d '{"packageUri": "https://storagesample.blob.core.windows.net/sample-container/myapp.zip?sv=2021-10-01&sb&sig=slk22f3UrS823n4kSh8Skjpa7Naj4CG3"}' \ - "https://<app-name>.scm.azurewebsites.net/api/zipdeploy" + -T "<zip-package-path>" \ + "https://<app-name>.scm.azurewebsites.net/api/publish?type=zip" ``` -# [Kudu UI](#tab/kudu-ui) +# [ARM template](#tab/arm) -In the browser, navigate to `https://<app_name>.scm.azurewebsites.net/ZipDeployUI`. --Upload the ZIP package you created in [Create a project ZIP package](#create-a-project-zip-package) by dragging it to the file explorer area on the web page. --When deployment is in progress, an icon in the top right corner shows you the progress in percentage. The page also shows verbose messages for the operation below the explorer area. When it is finished, the last deployment message should say `Deployment successful`. --The above endpoint does not work for Linux App Services at this time. Consider using FTP or the [ZIP deploy API](./faq-app-service-linux.yml) instead. +ARM templates only support [deployments from remotely hosted packages](#deploy-to-network-secured-apps). -- -> [!NOTE] -> To deploy a ZIP package in an [ARM template](), upload the ZIP package to an internet-accessible location, then add a `onedeploy` resource like the following JSON. Replace the placeholders `<app-name>` and `<zip-package-uri>`. -> -> ```ARM template -> { -> "type": "Microsoft.Web/sites/extensions", -> "apiVersion": "2021-03-01", -> "name": "onedeploy", -> "dependsOn": [ -> "[resourceId('Microsoft.Web/Sites', <app-name>')]" -> ], -> "properties": { -> "packageUri": "<zip-package-uri>", -> "type":"zip" -> } -> } -> ``` -> -> The \<zip-package-uri> can be a public endpoint, but it's best to use blob storage with a SAS key to protect it. For more information, see [Microsoft.Web sites/extensions 'onedeploy' 2021-03-01](/azure/templates/microsoft.web/2021-03-01/sites/extensions-onedeploy?pivots=deployment-language-arm-template). -> -> --## Enable build automation for ZIP deploy +## Enable build automation for zip deploy By default, the deployment engine assumes that a ZIP package is ready to run as-is and doesn't run any build automation. To enable the same build automation as in a [Git deployment](deploy-local-git.md), set the `SCM_DO_BUILD_DURING_DEPLOYMENT` app setting by running the following command in the [Cloud Shell](https://shell.azure.com): az webapp config appsettings set --resource-group <group-name> --name <app-name> For more information, see [Kudu documentation](https://github.com/projectkudu/kudu/wiki/Deploying-from-a-zip-file-or-url). - ## Deploy WAR/JAR/EAR packages You can deploy your [WAR](https://wikipedia.org/wiki/WAR_(file_format)), [JAR](https://wikipedia.org/wiki/JAR_(file_format)), or [EAR](https://wikipedia.org/wiki/EAR_(file_format)) package to App Service to run your Java web app using the Azure CLI, PowerShell, or the Kudu publish API. -The deployment process used by the steps here places the package on the app's content share with the right naming convention and directory structure (see [Kudu publish API reference](#kudu-publish-api-reference)), and it's the recommended approach. If you deploy WAR/JAR/EAR packages using [FTP](deploy-ftp.md) or WebDeploy instead, you may see unkown failures due to mistakes in the naming or structure. +The deployment process shown here puts the package on the app's content share with the right naming convention and directory structure (see [Kudu publish API reference](#kudu-publish-api-reference)), and it's the recommended approach. If you deploy WAR/JAR/EAR packages using [FTP](deploy-ftp.md) or WebDeploy instead, you might see unknown failures due to mistakes in the naming or structure. # [Azure CLI](#tab/cli) Deploy a WAR package to Tomcat or JBoss EAP by using the [az webapp deploy](/cli az webapp deploy --resource-group <group-name> --name <app-name> --src-path ./<package-name>.war ``` --The following example uses the `--src-url` parameter to specify the URL of an Azure Storage account that the web app should pull the WAR from. --```azurecli-interactive -az webapp deploy --resource-group <group-name> --name <app-name> --src-url "https://storagesample.blob.core.windows.net/sample-container/myapp.war?sv=2021-10-01&sb&sig=slk22f3UrS823n4kSh8Skjpa7Naj4CG3 --type war -``` - The CLI command uses the [Kudu publish API](#kudu-publish-api-reference) to deploy the package and can be fully customized. # [Azure PowerShell](#tab/powershell) Publish-AzWebapp -ResourceGroupName <group-name> -Name <app-name> -ArchivePath < # [Kudu API](#tab/api) -The following example uses the cURL tool to deploy a .war, .jar, or .ear file. Replace the placeholders `<username>`, `<file-path>`, `<app-name>`, and `<package-type>` (`war`, `jar`, or `ear`, accordingly). When prompted by cURL, type in the [deployment password](deploy-configure-credentials.md). +The following example uses the cURL tool to deploy a .war, .jar, or .ear file. Replace the placeholders `<file-path>`, `<app-name>`, and `<package-type>` (`war`, `jar`, or `ear`, accordingly). If you choose basic authentication, supply the [deployment credentials](deploy-configure-credentials.md) in `<username>` and `<password>`. ```bash-curl -X POST -u <username> -T @"<file-path>" https://<app-name>.scm.azurewebsites.net/api/publish?type=<package-type> -``` +# Microsoft Entra authentication +TOKEN=$(az account get-access-token --query accessToken | tr -d '"') --The following example uses the `packageUri` parameter to specify the URL of an Azure Storage account that the web app should pull the WAR from. The WAR file could also be a JAR or EAR file. +curl -X POST \ + -H "Authorization: Bearer $TOKEN" \ + -T @"<file-path>" \ + "https://<app-name>.scm.azurewebsites.net/api/publish?type=<package-type>" -```bash -curl -X POST -u <username> https://<app-name>.scm.azurewebsites.net/api/publish -d '{"packageUri": "https://storagesample.blob.core.windows.net/sample-container/myapp.war?sv=2021-10-01&sb&sig=slk22f3UrS823n4kSh8Skjpa7Naj4CG3"}' +# Basic authentication +curl -X POST \ + -u <username>:<password> \ + -T @"<file-path>" \ + "https://<app-name>.scm.azurewebsites.net/api/publish?type=<package-type>" ``` For more information, see [Kudu publish API reference](#kudu-publish-api-reference) -# [Kudu UI](#tab/kudu-ui) +# [ARM template](#tab/arm) -The Kudu UI does not support deploying JAR, WAR, or EAR applications. Please use one of the other options. +ARM templates only support [deployments from remotely hosted packages](#deploy-to-network-secured-apps). -- Not supported. See Azure CLI or Kudu API. ### Deploy a startup script -The following example uses the cURL tool to deploy a startup file for their application.Replace the placeholders `<username>`, `<startup-file-path>`, and `<app-name>`. When prompted by cURL, type in the [deployment password](deploy-configure-credentials.md). +The following example uses the cURL tool to deploy a startup file for the application. Replace the placeholders `<startup-file-path>` and `<app-name>`. If you choose basic authentication, supply the [deployment credentials](deploy-configure-credentials.md) in `<username>` and `<password>`. ```bash-curl -X POST -u <username> -T @"<startup-file-path>" https://<app-name>.scm.azurewebsites.net/api/publish?type=startup +# Microsoft Entra authentication +TOKEN=$(az account get-access-token --query accessToken | tr -d '"') ++curl -X POST \ + -H "Authorization: Bearer $TOKEN" \ + -T @"<startup-file-path>" \ + "https://<app-name>.scm.azurewebsites.net/api/publish?type=startup" ++# Basic authentication +curl -X POST \ + -u <username>:<password> \ + -T @"<startup-file-path>" \ + "https://<app-name>.scm.azurewebsites.net/api/publish?type=startup" ``` ### Deploy a library file -The following example uses the cURL tool to deploy a library file for their application. Replace the placeholders `<username>`, `<lib-file-path>`, and `<app-name>`. When prompted by cURL, type in the [deployment password](deploy-configure-credentials.md). +The following example uses the cURL tool to deploy a library file for the application. Replace the placeholders `<lib-file-path>` and `<app-name>`. If you choose basic authentication, supply the [deployment credentials](deploy-configure-credentials.md) in `<username>` and `<password>`. ```bash-curl -X POST -u <username> -T @"<lib-file-path>" "https://<app-name>.scm.azurewebsites.net/api/publish?type=lib&path=/home/site/deployments/tools/my-lib.jar" +# Microsoft Entra authentication +TOKEN=$(az account get-access-token --query accessToken | tr -d '"') ++curl -X POST \ + -H "Authorization: Bearer $TOKEN" \ + -T @"<lib-file-path>" \ + "https://<app-name>.scm.azurewebsites.net/api/publish?type=lib&path=/home/site/deployments/tools/my-lib.jar" ++# Basic authentication +curl -X POST \ + -u <username>:<password> \ + -T @"<lib-file-path>" \ + "https://<app-name>.scm.azurewebsites.net/api/publish?type=lib&path=/home/site/deployments/tools/my-lib.jar" ``` ### Deploy a static file -The following example uses the cURL tool to deploy a config file for their application. Replace the placeholders `<username>`, `<config-file-path>`, and `<app-name>`. When prompted by cURL, type in the [deployment password](deploy-configure-credentials.md). +The following example uses the cURL tool to deploy a config file for the application. Replace the placeholders `<config-file-path>` and `<app-name>`. If you choose basic authentication, supply the [deployment credentials](deploy-configure-credentials.md) in `<username>` and `<password>`. ++```bash +# Microsoft Entra authentication +TOKEN=$(az account get-access-token --query accessToken | tr -d '"') ++curl -X POST \ + -H "Authorization: Bearer $TOKEN" \ + -T @"<config-file-path>" \ + "https://<app-name>.scm.azurewebsites.net/api/publish?type=static&path=/home/site/deployments/tools/my-config.json" ++# Basic authentication +curl -X POST \ + -u <username>:<password> \ + -T @"<config-file-path>" \ + "https://<app-name>.scm.azurewebsites.net/api/publish?type=static&path=/home/site/deployments/tools/my-config.json" +``` ++# [ARM template](#tab/arm) ++ARM templates only support [deployments from remotely hosted packages](#deploy-to-network-secured-apps). ++-- ++## Deploy to network-secured apps ++Depending on your web app's networking configuration, direct access to the app from your development environment might be blocked (see [Deploying to Network-secured sites](https://azure.github.io/AppService/2021/01/04/deploying-to-network-secured-sites.html) and [Deploying to Network-secured sites, Part 2](https://azure.github.io/AppService/2021/03/01/deploying-to-network-secured-sites-2.html)). Instead of pushing the package or file to the web app directly, you can publish it to a storage system accessible from the web app and trigger the app to pull the ZIP from the storage location. ++The remote URL can be any publicly accessible location, but it's best to use a blob storage container with a SAS key to protect it. ++# [Azure CLI](#tab/cli) ++Use the `az webapp deploy` command like you would in the other sections, but use `--src-url` instead of `--src-path`. The following example uses the `--src-url` parameter to specify the URL of a ZIP file hosted in an Azure Storage account. ++```azurecli-interactive +az webapp deploy --resource-group <group-name> --name <app-name> --src-url "https://storagesample.blob.core.windows.net/sample-container/myapp.zip?sv=2021-10-01&sb&sig=slk22f3UrS823n4kSh8Skjpa7Naj4CG3 --type zip +``` ++# [Azure PowerShell](#tab/powershell) ++Not supported. See Azure CLI, Kudu API, or ARM template. ++# [Kudu API](#tab/api) ++Invoke the [Kudu publish API](#kudu-publish-api-reference) like you would in the other sections, but instead of uploading a file, pass in a JSON object with `packageUri` in the request body. The following examples use this method to specify the URL of a ZIP file hosted in an Azure Storage account. Note the type is still specified as a query string. If you choose basic authentication, supply the [deployment credentials](deploy-configure-credentials.md) in `<username>` and `<password>`. ```bash-curl -X POST -u <username> -T @"<config-file-path>" "https://<app-name>.scm.azurewebsites.net/api/publish?type=static&path=/home/site/deployments/tools/my-config.json" +# Microsoft Entra authentication +TOKEN=$(az account get-access-token --query accessToken | tr -d '"') ++curl -X POST \ + -H "Authorization: Bearer $TOKEN" \ + -H "Content-Type: application/json" \ + -d '{"packageUri": "https://storagesample.blob.core.windows.net/sample-container/myapp.zip?sv=2021-10-01&sb&sig=slk22f3UrS823n4kSh8Skjpa7Naj4CG3"}' \ + "https://<app-name>.scm.azurewebsites.net/api/publish?type=zip" ++# Basic authentication +curl -X POST \ + -u '<username>:<password>' \ + -H "Content-Type: application/json" \ + -d '{"packageUri": "https://storagesample.blob.core.windows.net/sample-container/myapp.zip?sv=2021-10-01&sb&sig=slk22f3UrS823n4kSh8Skjpa7Naj4CG3"}' \ + "https://<app-name>.scm.azurewebsites.net/api/publish?type=zip" +``` ++# [ARM template](#tab/arm) ++Add the following JSON to your ARM template. Replace the placeholder `<app-name>`. ++```json +{ + "type": "Microsoft.Web/sites/extensions", + "apiVersion": "2021-03-01", + "name": "onedeploy", + "dependsOn": [ + "[resourceId('Microsoft.Web/Sites', <app-name>')]" + ], + "properties": { + "packageUri": "<zip-package-uri>", + "type": "<type>", + "path": "<target-path>" + } +} ``` -# [Kudu UI](#tab/kudu-ui) +Use the following reference to help you configure the properties: -The Kudu UI does not support deploying individual files. Please use the Azure CLI or Kudu REST API. +|Property | Description | Required | +|-|-|-| +| `packageUri` | The URI of the package or file. For more information, see [Microsoft.Web sites/extensions 'onedeploy'](/azure/templates/microsoft.web/2021-03-01/sites/extensions-onedeploy?pivots=deployment-language-arm-template). | Yes | +| `type` | See the `type` parameter in [Kudu publish API reference](#kudu-publish-api-reference). | Yes | +| `path` | See the `target-path` parameter in [Kudu publish API reference](#kudu-publish-api-reference). | No | -- ## Kudu publish API reference -The `publish` Kudu API allows you to specify the same parameters from the CLI command as URL query parameters. To authenticate with the Kudu API, you can use basic authentication with your app's [deployment credentials](deploy-configure-credentials.md#userscope). +The `publish` Kudu API allows you to specify the same parameters from the CLI command as URL query parameters. To authenticate with the Kudu REST API, it's best to use token authentication, but you can also use basic authentication with your app's [deployment credentials](deploy-configure-credentials.md#userscope). -The table below shows the available query parameters, their allowed values, and descriptions. +The following table shows the available query parameters, their allowed values, and descriptions. | Key | Allowed values | Description | Required | Type | |-|-|-|-|-|-| `type` | `war`\|`jar`\|`ear`\|`lib`\|`startup`\|`static`\|`zip` | The type of the artifact being deployed, this sets the default target path and informs the web app how the deployment should be handled. <br/> - `type=zip`: Deploy a ZIP package by unzipping the content to `/home/site/wwwroot`. `target-path` parameter is optional. <br/> - `type=war`: Deploy a WAR package. By default, the WAR package is deployed to `/home/site/wwwroot/app.war`. The target path can be specified with `target-path`. <br/> - `type=jar`: Deploy a JAR package to `/home/site/wwwroot/app.jar`. The `target-path` parameter is ignored <br/> - `type=ear`: Deploy an EAR package to `/home/site/wwwroot/app.ear`. The `target-path` parameter is ignored <br/> - `type=lib`: Deploy a JAR library file. By default, the file is deployed to `/home/site/libs`. The target path can be specified with `target-path`. <br/> - `type=static`: Deploy a static file (e.g. a script). By default, the file is deployed to `/home/site/wwwroot`. <br/> - `type=startup`: Deploy a script that App Service automatically uses as the startup script for your app. By default, the script is deployed to `D:\home\site\scripts\<name-of-source>` for Windows and `home/site/wwwroot/startup.sh` for Linux. The target path can be specified with `target-path`. | Yes | String | +| `type` | `war`\|`jar`\|`ear`\|`lib`\|`startup`\|`static`\|`zip` | The type of the artifact being deployed, this sets the default target path and informs the web app how the deployment should be handled. <br/> - `type=zip`: Deploy a ZIP package by unzipping the content to `/home/site/wwwroot`. `target-path` parameter is optional. <br/> - `type=war`: Deploy a WAR package. By default, the WAR package is deployed to `/home/site/wwwroot/app.war`. The target path can be specified with `target-path`. <br/> - `type=jar`: Deploy a JAR package to `/home/site/wwwroot/app.jar`. The `target-path` parameter is ignored <br/> - `type=ear`: Deploy an EAR package to `/home/site/wwwroot/app.ear`. The `target-path` parameter is ignored <br/> - `type=lib`: Deploy a JAR library file. By default, the file is deployed to `/home/site/libs`. The target path can be specified with `target-path`. <br/> - `type=static`: Deploy a static file (such as a script). By default, the file is deployed to `/home/site/wwwroot`. <br/> - `type=startup`: Deploy a script that App Service automatically uses as the startup script for your app. By default, the script is deployed to `D:\home\site\scripts\<name-of-source>` for Windows and `home/site/wwwroot/startup.sh` for Linux. The target path can be specified with `target-path`. | Yes | String | | `restart` | `true`\|`false` | By default, the API restarts the app following the deployment operation (`restart=true`). To deploy multiple artifacts, prevent restarts on the all but the final deployment by setting `restart=false`. | No | Boolean | | `clean` | `true`\|`false` | Specifies whether to clean (delete) the target deployment before deploying the artifact there. | No | Boolean | | `ignorestack` | `true`\|`false` | The publish API uses the `WEBSITE_STACK` environment variable to choose safe defaults depending on your site's language stack. Setting this parameter to `false` disables any language-specific defaults. | No | Boolean |-| `target-path` | `"<absolute-path>"` | The absolute path to deploy the artifact to. For example, `"/home/site/deployments/tools/driver.jar"`, `"/home/site/scripts/helper.sh"`. | No | String | +| `target-path` | An absolute path | The absolute path to deploy the artifact to. For example, `"/home/site/deployments/tools/driver.jar"`, `"/home/site/scripts/helper.sh"`. | No | String | ## Next steps For more advanced deployment scenarios, try [deploying to Azure with Git](deploy ## More resources * [Kudu: Deploying from a zip file](https://github.com/projectkudu/kudu/wiki/Deploying-from-a-zip-file)-* [Azure App Service Deployment Credentials](deploy-ftp.md) * [Environment variables and app settings reference](reference-app-settings.md) |
app-service | Quickstart Dotnetcore | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/quickstart-dotnetcore.md | Title: "Quickstart: Deploy an ASP.NET web app" description: Learn how to run web apps in Azure App Service by deploying your first ASP.NET app. ms.assetid: b1e6bd58-48d1-4007-9d6c-53fd6db061e3 Previously updated : 05/03/2023 Last updated : 01/26/2024 zone_pivot_groups: app-service-ide adobe-target: true adobe-target-activity: DocsExpΓÇô386541ΓÇôA/BΓÇôEnhanced-Readability-QuickstartsΓÇô2.19.2021 Follow these steps to create your App Service resources and publish your project -- -1. Select the **Next: Deployment >** button at the bottom of the page. +1. Select the **Deployment** tab at the top of the page -1. In the **Deployment** tab, under **GitHub Actions settings** make sure **Continuous deployment** is *Enable*. +1. Under **GitHub Actions settings**, set **Continuous deployment** to *Enable*. 1. Under **GitHub Actions details**, authenticate with your GitHub account, and select the following options: Follow these steps to create your App Service resources and publish your project -- + > [!NOTE] + > By default, the creation wizard [disables basic authentication](configure-basic-auth-disable.md) and GitHub Actions deployment is created [using a user-assigned identity](deploy-continuous-deployment.md#what-does-the-user-assigned-identity-option-do-for-github-actions). If you get a permissions error during resource creation, your Azure account may not have [enough permissions](deploy-continuous-deployment.md#why-do-i-see-the-error-you-do-not-have-sufficient-permissions-on-this-app-to-assign-role-based-access-to-a-managed-identity-and-configure-federated-credentials). You can [configure GitHub Actions deployment later](deploy-continuous-deployment.md) with an identity generated for you by an Azure administrator, or you can also enable basic authentication instead. + 1. Select the **Review + create** button at the bottom of the page. 1. After validation runs, select the **Create** button at the bottom of the page. |
app-service | Quickstart Golang | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/quickstart-golang.md | - Title: 'Quickstart: Create a Go web app' -description: Deploy your first Go (GoLang) Hello World to Azure App Service in minutes. - Previously updated : 10/13/2022-----# Deploy a Go web app to Azure App Service --> [!IMPORTANT] -> Go on App Service on Linux is _experimental_. -> --In this quickstart, you'll deploy a Go web app to Azure App Service. Azure App Service is a fully managed web hosting service that supports Go 1.19 and higher apps hosted in a Linux server environment. --To complete this quickstart, you need: --- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs).-- [Go 1.19](https://go.dev/dl/) or higher installed locally.--## 1 - Sample application --First, create a folder for your project. --Go to the terminal window, change into the folder you created and run `go mod init <ModuleName>`. The ModuleName could just be the folder name at this point. --The `go mod init` command creates a go.mod file to track your code's dependencies. So far, the file includes only the name of your module and the Go version your code supports. But as you add dependencies, the go.mod file will list the versions your code depends on. --Create a file called main.go. We'll be doing most of our coding here. --```go -package main -import ( - "fmt" - "net/http" -) -func main() { - http.HandleFunc("/", HelloServer) - http.ListenAndServe(":8080", nil) -} -func HelloServer(w http.ResponseWriter, r *http.Request) { - fmt.Fprintf(w, "Hello, %s!", r.URL.Path[1:]) -} -``` --This program uses the `net.http` package to handle all requests to the web root with the HelloServer function. The call to `http.ListenAndServe` tells the server to listen on the TCP network address `:8080`. --Using a terminal, go to your project’s directory and run `go run main.go`. Now open a browser window and type the URL `http://localhost:8080/world`. You should see the message `Hello, world!`. --## 2 - Create a web app in Azure --To host your application in Azure, you need to create Azure App Service web app in Azure. You can create a web app using the Azure CLI. --Azure CLI commands can be run on a computer with the [Azure CLI installed](/cli/azure/install-azure-cli). --Azure CLI has a command `az webapp up` that will create the necessary resources and deploy your application in a single step. --If necessary, log in to Azure using [az login](/cli/azure/authenticate-azure-cli). --```azurecli -az login -``` --Create the webapp and other resources, then deploy your code to Azure using [az webapp up](/cli/azure/webapp#az-webapp-up). --```azurecli -az webapp up --runtime GO:1.19 --os linux --sku B1 -``` --* The `--runtime` parameter specifies what version of Go your app is running. This example uses Go 1.18. To list all available runtimes, use the command `az webapp list-runtimes --os linux --output table`. -* The `--sku` parameter defines the size (CPU, memory) and cost of the app service plan. This example uses the B1 (Basic) service plan, which will incur a small cost in your Azure subscription. For a full list of App Service plans, view the [App Service pricing](https://azure.microsoft.com/pricing/details/app-service/linux/) page. -* You can optionally specify a name with the argument `--name <app-name>`. If you don't provide one, then a name will be automatically generated. -* You can optionally include the argument `--location <location-name>` where `<location_name>` is an available Azure region. You can retrieve a list of allowable regions for your Azure account by running the [`az account list-locations`](/cli/azure/appservice#az-appservice-list-locations) command. --The command may take a few minutes to complete. While the command is running, it provides messages about creating the resource group, the App Service plan, and the app resource, configuring logging, and doing ZIP deployment. It then gives the message, "You can launch the app at http://<app-name>.azurewebsites.net", which is the app's URL on Azure. --<pre> -The webapp '<app-name>' doesn't exist -Creating Resource group '<group-name>' ... -Resource group creation complete -Creating AppServicePlan '<app-service-plan-name>' ... -Creating webapp '<app-name>' ... -Creating zip with contents of dir /home/tulika/myGoApp ... -Getting scm site credentials for zip deployment -Starting zip deployment. This operation can take a while to complete ... -Deployment endpoint responded with status code 202 -You can launch the app at http://<app-name>.azurewebsites.net -{ - "URL": "http://<app-name>.azurewebsites.net", - "appserviceplan": "<app-service-plan-name>", - "location": "centralus", - "name": "<app-name>", - "os": "<os-type>", - "resourcegroup": "<group-name>", - "runtime_version": "go|1.19", - "runtime_version_detected": "0.0", - "sku": "FREE", - "src_path": "<your-folder-location>" -} -</pre> ---## 3 - Browse to the app --Browse to the deployed application in your web browser at the URL `http://<app-name>.azurewebsites.net`. If you see a default app page, wait a minute and refresh the browser. --The Go sample code is running a Linux container in App Service using a built-in image. --**Congratulations!** You've deployed your Go app to App Service. --## 4 - Clean up resources --When no longer needed, you can use the [az group delete](/cli/azure/group#az-group-delete) command to remove the resource group, and all related resources: --```azurecli-interactive -az group delete --resource-group <resource-group-name> -``` -## Next steps --> [!div class="nextstepaction"] -> [Configure an App Service app](./configure-common.md) --> [!div class="nextstepaction"] -> [Tutorial: Deploy from Azure Container Registry](./tutorial-custom-container.md) --> [!div class="nextstepaction"] -> [Secure with custom domain and certificate](tutorial-secure-domain-certificate.md) |
app-service | Quickstart Php | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/quickstart-php.md | ms.assetid: 6feac128-c728-4491-8b79-962da9a40788 Previously updated : 03/10/2022 Last updated : 01/26/2024 ms.devlang: php zone_pivot_groups: app-service-platform-windows-linux To complete this quickstart, you need: * An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/). * [Git](https://git-scm.com/) * [PHP](https://php.net/manual/install.php)-* [Azure CLI](/cli/azure/install-azure-cli) to run commands in any shell to provision and configure Azure resources. +* [Azure CLI](/cli/azure/install-azure-cli) to run commands in any shell to create and configure Azure resources. ## 1 - Get the sample repository To complete this quickstart, you need: You can create the web app using the [Azure CLI](/cli/azure/get-started-with-azure-cli) in Cloud Shell, and you use Git to deploy sample PHP code to the web app. -1. In a terminal window, run the following commands. It will clone the sample application to your local machine, and navigate to the directory containing the sample code. +1. In a terminal window, run the following commands to clone the sample application to your local machine and navigate to the project root. ```bash git clone https://github.com/Azure-Samples/php-docs-hello-world You can create the web app using the [Azure CLI](/cli/azure/get-started-with-azu ### [Azure CLI](#tab/cli) -Azure CLI has a command [`az webapp up`](/cli/azure/webapp#az-webapp-up) that will create the necessary resources and deploy your application in a single step. +Azure CLI has a command [`az webapp up`](/cli/azure/webapp#az-webapp-up) that creates the necessary resources and deploys your application in a single step. In the terminal, deploy the code in your local folder using the [`az webapp up`](/cli/azure/webapp#az-webapp-up) command: ```azurecli-az webapp up --runtime "PHP:8.0" --os-type=linux +az webapp up --runtime "PHP:8.2" --os-type=linux ``` - If the `az` command isn't recognized, be sure you have [Azure CLI](/cli/azure/install-azure-cli) installed.-- The `--runtime "PHP:8.0"` argument creates the web app with PHP version 8.0.+- The `--runtime "PHP:8.2"` argument creates the web app with PHP version 8.2. - The `--os-type=linux` argument creates the web app on App Service on Linux.-- You can optionally specify a name with the argument `--name <app-name>`. If you don't provide one, then a name will be automatically generated.+- You can optionally specify a name with the argument `--name <app-name>`. If you don't provide one, then a name is automatically generated. - You can optionally include the argument `--location <location-name>` where `<location_name>` is an available Azure region. You can retrieve a list of allowable regions for your Azure account by running the [`az account list-locations`](/cli/azure/appservice#az_appservice_list_locations) command. - If you see the error, "Could not auto-detect the runtime stack of your app," make sure you're running the command in the code directory (See [Troubleshooting auto-detect issues with az webapp up](https://github.com/Azure/app-service-linux-docs/blob/master/AzWebAppUP/runtime_detection.md)). -The command may take a few minutes to complete. While running, it provides messages about creating the resource group, the App Service plan, and the app resource, configuring logging, and doing ZIP deployment. It then gives the message, "You can launch the app at http://<app-name>.azurewebsites.net", which is the app's URL on Azure. +The command can take a few minutes to complete. While it's running, it provides messages about creating the resource group, the App Service plan, and the app resource, configuring logging, and doing ZIP deployment. It then gives the message, "You can launch the app at http://<app-name>.azurewebsites.net", which is the app's URL on Azure. <pre> The webapp '<app-name>' doesn't exist You can launch the app at http://<app-name>.azurewebsites.net "name": "<app-name>", "os": "linux", "resourcegroup": "<group-name>",- "runtime_version": "php|8.0", + "runtime_version": "php|8.2", "runtime_version_detected": "0.0", "sku": "FREE", "src_path": "//home//msangapu//myPhpApp" Browse to the deployed application in your web browser at the URL `http://<app-n ![Screenshot of the Azure portal with 'app services' typed in the search text box. In the results, the App Services option under Services is highlighted.](media/quickstart-php/azure-portal-search-for-app-services.png) -1. On the **App Services** page, select **Create**. +1. In the **App Services** page, select **+ Create**. - ![Screenshot of the App Services page in the Azure portal. The Create button in the action bar is highlighted.](media/quickstart-php/azure-portal-create-app-service.png) +1. In the **Basics** tab: -1. Fill out the **Create Web App** page as follows. - - **Resource Group**: Create a resource group named *myResourceGroup*. - - **Name**: Type a globally unique name for your web app. - - **Publish**: Select *Code*. - - **Runtime stack**: Select *PHP 8.0*. - - **Operating system**: Select *Linux*. - - **Region**: Select an Azure region close to you. - - **App Service Plan**: Create an app service plan named *myAppServicePlan*. --1. To change to the Free tier, next to **Sku and size**, select **Change size**. - -1. In the Spec Picker, select **Dev/Test** tab, select **F1**, and select the **Apply** button at the bottom of the page. -- ![Screenshot of the Spec Picker for the App Service Plan pricing tiers in the Azure portal. Dev/Test, F1, and Apply are highlighted.](media/quickstart-php/azure-portal-create-app-service-select-free-tier.png) --1. Select the **Review + create** button at the bottom of the page. --1. After validation runs, select the **Create** button at the bottom of the page. This will create an Azure resource group, app service plan, and app service. + - Under **Resource group**, select **Create new**. Type *myResourceGroup* for the name. + - Under **Name**, type a globally unique name for your web app. + - Under **Publish**, select *Code*. + - Under **Runtime stack** select *PHP 8.2*. + - Under **Operating System**, select *Linux*. + - Under **Region**, select an Azure region close to you. + - Under **App Service Plan**, create an app service plan named *myAppServicePlan*. + - Under **Pricing plan**, select **Free F1**. + + :::image type="content" source="./media/quickstart-php/app-service-details-php.png" lightbox="./media/quickstart-php/app-service-details-php.png" alt-text="Screenshot of new App Service app configuration for PHP in the Azure portal."::: -1. After the Azure resources are created, select **Go to resource**. - -1. From the left navigation, select **Deployment Center**. +1. Select the **Deployment** tab at the top of the page. - ![Screenshot of the App Service in the Azure portal. The Deployment Center option in the Deployment section of the left navigation is highlighted.](media/quickstart-php/azure-portal-configure-app-service-deployment-center.png) +1. Under **GitHub Actions settings**, set **Continuous deployment** to *Enable*. -1. Under **Settings**, select a **Source**. For this quickstart, select *GitHub*. +1. Under **GitHub Actions details**, authenticate with your GitHub account, and select the following options: -1. In the section under **GitHub**, select the following settings: - - Organization: Select your organization. - - Repository: Select *php-docs-hello-world*. - - Branch: Select the default branch for your repository. + - For **Organization** select the organization where you forked the demo project. + - For **Repository** select the *php-docs-hello-world* project. + - For **Branch** select *master*. -1. Select **Save**. + :::image type="content" source="media/quickstart-php/app-service-deploy-php.png" lightbox="media/quickstart-php/app-service-deploy-php.png" border="true" alt-text="Screenshot of the deployment options for a PHP app."::: + + > [!NOTE] + > By default, the creation wizard [disables basic authentication](configure-basic-auth-disable.md) and GitHub Actions deployment is created [using a user-assigned identity](deploy-continuous-deployment.md#what-does-the-user-assigned-identity-option-do-for-github-actions). If you get a permissions error during resource creation, your Azure account might not have [enough permissions](deploy-continuous-deployment.md#why-do-i-see-the-error-you-do-not-have-sufficient-permissions-on-this-app-to-assign-role-based-access-to-a-managed-identity-and-configure-federated-credentials). You can [configure GitHub Actions deployment later](deploy-continuous-deployment.md) with an identity generated for you by an Azure administrator, or you can also enable basic authentication instead. - ![Screenshot of the Deployment Center for the App Service, focusing on the GitHub integration settings. The Save button in the action bar is highlighted.](media/quickstart-php/azure-portal-configure-app-service-github-integration.png) +1. Select the **Review + create** button at the bottom of the page. - > [!TIP] - > This quickstart uses GitHub. Additional continuous deployment sources include Bitbucket, Local Git, Azure Repos, and External Git. FTPS is also a supported deployment method. - -1. Once the GitHub integration is saved, from the left navigation of your app, select **Overview** > **URL**. +1. After validation runs, select the **Create** button at the bottom of the page. - ![Screenshot of the App Service resource with the URL field highlighted.](media/quickstart-php/azure-portal-app-service-url.png) +1. After deployment is completed, select **Go to resource**. + +1. Browse to the deployed application in your web browser at the URL `http://<app-name>.azurewebsites.net`. The PHP sample code is running in an Azure App Service. ![Screenshot of the sample app running in Azure, showing 'Hello World!'.](media/quickstart-php/php-8-hello-world-in-browser.png) -**Congratulations!** You've deployed your first PHP app to App Service using the Azure portal. +**Congratulations!** You deployed your first PHP app to App Service using the Azure portal. ## 3 - Update and redeploy the app The PHP sample code is running in an Azure App Service. 1. Save your changes, then redeploy the app using the [az webapp up](/cli/azure/webapp#az-webapp-up) command again with these arguments: ```azurecli- az webapp up --runtime "PHP:8.0" --os-type=linux + az webapp up --runtime "PHP:8.2" --os-type=linux ``` -1. Once deployment has completed, return to the browser window that opened during the **Browse to the app** step, and refresh the page. +1. Once deployment is completed, return to the browser window that opened during the **Browse to the app** step, and refresh the page. ![Screenshot of the updated sample app running in Azure.](media/quickstart-php/hello-azure-in-browser.png) The PHP sample code is running in an Azure App Service. 1. Browse to your GitHub fork of php-docs-hello-world. -1. On your repo page, press `.` to start Visual Studio code within your browser. +1. On your repo page, press `.` to start Visual Studio Code within your browser. -![Screenshot of the forked php-docs-hello-world repo in GitHub with instructions to press the period key on this screen.](media/quickstart-php/forked-github-repo-press-period.png) + ![Screenshot of the forked php-docs-hello-world repo in GitHub with instructions to press the period key on this screen.](media/quickstart-php/forked-github-repo-press-period.png) -> [!NOTE] -> The URL will change from GitHub.com to GitHub.dev. This feature only works with repos that have files. This does not work on empty repos. + > [!NOTE] + > The URL will change from GitHub.com to GitHub.dev. This feature only works with repos that have files. This does not work on empty repos. 1. Edit **index.php** so that it shows "Hello Azure!" instead of "Hello World!" The PHP sample code is running in an Azure App Service. ![Screenshot of Visual Studio Code in the browser, Source Control panel with a commit message of 'Hello Azure' and the Commit and Push button highlighted.](media/quickstart-php/visual-studio-code-in-browser-commit-push.png) -1. Once deployment has completed, return to the browser window that opened during the **Browse to the app** step, and refresh the page. +1. Once deployment is completed, return to the browser window that opened during the **Browse to the app** step, and refresh the page. ![Screenshot of the updated sample app running in Azure, showing 'Hello Azure!'.](media/quickstart-php/php-8-hello-azure-in-browser.png) The PHP sample code is running in an Azure App Service. ![Screenshot of the App Services list in Azure. The name of the demo app service is highlighted.](media/quickstart-php/app-service-list.png) - Your web app's **Overview** page will be displayed. Here, you can perform basic management tasks like **Browse**, **Stop**, **Restart**, and **Delete**. + Your web app's **Overview** page should be displayed. Here, you can perform basic management tasks like **Browse**, **Stop**, **Restart**, and **Delete**. ![Screenshot of the App Service overview page in Azure portal. In the action bar, the Browse, Stop, Swap (disabled), Restart, and Delete button group is highlighted.](media/quickstart-php/app-service-detail.png) The PHP sample code is running in an Azure App Service. ## 5 - Clean up resources -When you're finished with the sample app, you can remove all of the resources for the app from Azure. It will not incur extra charges and keep your Azure subscription uncluttered. Removing the resource group also removes all resources in the resource group and is the fastest way to remove all Azure resources for your app. +When you're finished with the sample app, you can remove all of the resources for the app from Azure. It helps you avoid extra charges and keeps your Azure subscription uncluttered. Removing the resource group also removes all resources in the resource group and is the fastest way to remove all Azure resources for your app. ### [Azure CLI](#tab/cli) Delete the resource group by using the [az group delete](/cli/azure/group#az-gro az group delete --name myResourceGroup ``` -This command may take a minute to run. +This command takes a minute to run. ### [Portal](#tab/portal) |
app-service | Tutorial Multi Region App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/tutorial-multi-region-app.md | -When you deploy your application to the cloud, you choose a region in that cloud where your application infrastructure is based. If your application is deployed to a single region, and the region becomes unavailable, your application will also be unavailable. This lack of availability may be unacceptable under the terms of your application's SLA. If so, deploying your application and its services across multiple regions is a good solution. +When you deploy your application to the cloud, you choose a region in that cloud where your application infrastructure is based. If your application is deployed to a single region and the region becomes unavailable, your application will also be unavailable. This lack of availability might be unacceptable under the terms of your application's SLA. If so, deploying your application and its services across multiple regions is a good solution. -In this tutorial, you'll learn how to deploy a highly available multi-region web app. This scenario will be kept simple by restricting the application components to just a web app and [Azure Front Door](../frontdoor/front-door-overview.md), but the concepts can be expanded and applied to other infrastructure patterns. For example, if your application connects to an Azure database offering or storage account, see [active geo-replication for SQL databases](/azure/azure-sql/database/active-geo-replication-overview) and [redundancy options for storage accounts](../storage/common/storage-redundancy.md). For a reference architecture for a more detailed scenario, see [Highly available multi-region web application](/azure/architecture/reference-architectures/app-service-web-app/multi-region). +In this tutorial, you learn how to deploy a highly available multi-region web app. This scenario is kept simple by restricting the application components to just a web app and [Azure Front Door](../frontdoor/front-door-overview.md), but the concepts can be expanded and applied to other infrastructure patterns. For example, if your application connects to an Azure database offering or storage account, see [active geo-replication for SQL databases](/azure/azure-sql/database/active-geo-replication-overview) and [redundancy options for storage accounts](../storage/common/storage-redundancy.md). For a reference architecture for a more detailed scenario, see [Highly available multi-region web application](/azure/architecture/reference-architectures/app-service-web-app/multi-region). -The following architecture diagram shows the infrastructure you'll be creating during this tutorial. It consists of two identical App Services in separate regions, one being the active or primary region, and the other is the standby or secondary region. Azure Front Door is used to route traffic to the App Services and access restrictions are configured so that direct access to the apps from the internet is blocked. The dotted line indicates that traffic will only be sent to the standby region if the active region goes down. +The following architecture diagram shows the infrastructure you create in this tutorial. It consists of two identical App Services in separate regions, one being the active or primary region, and the other is the standby or secondary region. Azure Front Door is used to route traffic to the App Services and access restrictions are configured so that direct access to the apps from the internet is blocked. The dotted line indicates that traffic is sent to the standby region only if the active region goes down. Azure provides various options for load balancing and traffic routing. Azure Front Door was selected for this use case because it involves internet facing web apps hosted on Azure App Service deployed in multiple regions. To help you decide what to use for your use case if it differs from this tutorial, see the [decision tree for load balancing in Azure](/azure/architecture/guide/technology-choices/load-balancing-overview). To complete this tutorial: ## Create two instances of a web app -You'll need two instances of a web app that run in different Azure regions for this tutorial. You'll use the [region pair](../availability-zones/cross-region-replication-azure.md#azure-paired-regions) East US/West US as your two regions and create two empty web apps. Feel free to choose you're own regions if needed. +You need two instances of a web app that run in different Azure regions for this tutorial. You use the [region pair](../availability-zones/cross-region-replication-azure.md#azure-paired-regions) East US/West US as your two regions and create two empty web apps. Feel free to choose your own regions if needed. -To make management and clean-up simpler, you'll use a single resource group for all resources in this tutorial. Consider using separate resource groups for each region/resource to further isolate your resources in a disaster recovery situation. +To make management and clean-up simpler, you use a single resource group for all resources in this tutorial. Consider using separate resource groups for each region/resource to further isolate your resources in a disaster recovery situation. Run the following command to create your resource group. az appservice plan create --name <app-service-plan-west-us> --resource-group myr ### Create web apps -Once the App Service plans are created, run the following commands to create the web apps. Replace the placeholders for `<web-app-east-us>` and `<web-app-west-us>` with two globally unique names (valid characters are `a-z`, `0-9`, and `-`) and be sure to pay attention to the `--plan` parameter so that you place one app in each plan (and therefore in each region). Replace the `<runtime>` parameter with the language version of your app. Run `az webapp list-runtimes` for the list of available runtimes. If you plan on using the sample Node.js app given in this tutorial in the following sections, use "NODE:18-lts" as your runtime. +Once the App Service plans are created, run the following commands to create the web apps. Replace the placeholders for `<web-app-east-us>` and `<web-app-west-us>` with two globally unique names (valid characters are `a-z`, `0-9`, and `-`) and be sure to pay attention to the `--plan` parameter so that you place one app in each plan (and therefore in each region). Replace the `<runtime>` parameter with the language version of your app. Run `az webapp list-runtimes` for the list of available runtimes. If you plan on using the sample Node.js app given in this tutorial in the following sections, use `NODE:18-lts` as your runtime. ```azurecli-interactive az webapp create --name <web-app-east-us> --resource-group myresourcegroup --plan <app-service-plan-east-us> --runtime <runtime> A multi-region deployment can use an active-active or active-passive configurati ### Create an Azure Front Door profile -You'll now create an [Azure Front Door Premium](../frontdoor/front-door-overview.md) to route traffic to your apps. +You now create an [Azure Front Door Premium](../frontdoor/front-door-overview.md) to route traffic to your apps. -Run [az afd profile create](/cli/azure/afd/profile#az-afd-profile-create) to create an Azure Front Door profile. +Run [`az afd profile create`](/cli/azure/afd/profile#az-afd-profile-create) to create an Azure Front Door profile. > [!NOTE]-> If you want to deploy Azure Front Door Standard instead of Premium, substitute the value of the `--sku` parameter with Standard_AzureFrontDoor. You won't be able to deploy managed rules with WAF Policy if you choose the Standard SKU. For a detailed comparison of the SKUs, see [Azure Front Door tier comparison](../frontdoor/standard-premium/tier-comparison.md). +> If you want to deploy Azure Front Door Standard instead of Premium, substitute the value of the `--sku` parameter with Standard_AzureFrontDoor. You can't deploy managed rules with WAF Policy if you choose the Standard tier. For a detailed comparison of the pricing tiers, see [Azure Front Door tier comparison](../frontdoor/standard-premium/tier-comparison.md). ```azurecli-interactive az afd profile create --profile-name myfrontdoorprofile --resource-group myresourcegroup --sku Premium_AzureFrontDoor az afd profile create --profile-name myfrontdoorprofile --resource-group myresou |Parameter |Value |Description | ||||-|profile-name |myfrontdoorprofile |Name for the Azure Front Door profile, which is unique within the resource group. | -|resource-group |myresourcegroup |The resource group that contains the resources from this tutorial. | -|sku |Premium_AzureFrontDoor |The pricing tier of the Azure Front Door profile. | +|`profile-name` |`myfrontdoorprofile` |Name for the Azure Front Door profile, which is unique within the resource group. | +|`resource-group` |`myresourcegroup` |The resource group that contains the resources from this tutorial. | +|`sku` |`Premium_AzureFrontDoor` |The pricing tier of the Azure Front Door profile. | ### Add an endpoint -Run [az afd endpoint create](/cli/azure/afd/endpoint#az-afd-endpoint-create) to create an endpoint in your profile. You can create multiple endpoints in your profile after finishing the create experience. +Run [`az afd endpoint create`](/cli/azure/afd/endpoint#az-afd-endpoint-create) to create an endpoint in your profile. You can create multiple endpoints in your profile after finishing the create experience. ```azurecli-interactive az afd endpoint create --resource-group myresourcegroup --endpoint-name myendpoint --profile-name myfrontdoorprofile --enabled-state Enabled az afd endpoint create --resource-group myresourcegroup --endpoint-name myendpoi |Parameter |Value |Description | ||||-|endpoint-name |myendpoint |Name of the endpoint under the profile, which is unique globally. | -|enabled-state |Enabled |Whether to enable this endpoint. | +|`endpoint-name` |`myendpoint` |Name of the endpoint under the profile, which is unique globally. | +|`enabled-state` |`Enabled` |Whether to enable this endpoint. | ### Create an origin group -Run [az afd origin-group create](/cli/azure/afd/origin-group#az-afd-origin-group-create) to create an origin group that contains your two web apps. +Run [`az afd origin-group create`](/cli/azure/afd/origin-group#az-afd-origin-group-create) to create an origin group that contains your two web apps. ```azurecli-interactive az afd origin-group create --resource-group myresourcegroup --origin-group-name myorigingroup --profile-name myfrontdoorprofile --probe-request-type GET --probe-protocol Http --probe-interval-in-seconds 60 --probe-path / --sample-size 4 --successful-samples-required 3 --additional-latency-in-milliseconds 50 az afd origin-group create --resource-group myresourcegroup --origin-group-name |Parameter |Value |Description | ||||-|origin-group-name |myorigingroup |Name of the origin group. | -|probe-request-type |GET |The type of health probe request that is made. | -|probe-protocol |Http |Protocol to use for health probe. | -|probe-interval-in-seconds |60 |The number of seconds between health probes. | -|probe-path |/ |The path relative to the origin that is used to determine the health of the origin. | -|sample-size |4 |The number of samples to consider for load balancing decisions. | -|successful-samples-required |3 |The number of samples within the sample period that must succeed. | -|additional-latency-in-milliseconds |50 |The additional latency in milliseconds for probes to fall into the lowest latency bucket. | +|`origin-group-name` |`myorigingroup` |Name of the origin group. | +|`probe-request-type` |`GET` |The type of health probe request that is made. | +|`probe-protocol` |`Http` |Protocol to use for health probe. | +|`probe-interval-in-seconds` |`60` |The number of seconds between health probes. | +|`probe-path` |`/` |The path relative to the origin that is used to determine the health of the origin. | +|`sample-size` |`4` |The number of samples to consider for load balancing decisions. | +|`successful-samples-required` |`3` |The number of samples within the sample period that must succeed. | +|`additional-latency-in-milliseconds` |`50` |The extra latency in milliseconds for probes to fall into the lowest latency bucket. | ### Add an origin to the group -Run [az afd origin create](/cli/azure/afd/origin#az-afd-origin-create) to add an origin to your origin group. For the `--host-name` parameter, replace the placeholder for `<web-app-east-us>` with your app name in that region. Notice the `--priority` parameter is set to "1", which indicates all traffic will be sent to your primary app. +Run [`az afd origin create`](/cli/azure/afd/origin#az-afd-origin-create) to add an origin to your origin group. For the `--host-name` parameter, replace the placeholder for `<web-app-east-us>` with your app name in that region. Notice the `--priority` parameter is set to `1`, which indicates all traffic is sent to your primary app. ```azurecli-interactive az afd origin create --resource-group myresourcegroup --host-name <web-app-east-us>.azurewebsites.net --profile-name myfrontdoorprofile --origin-group-name myorigingroup --origin-name primaryapp --origin-host-header <web-app-east-us>.azurewebsites.net --priority 1 --weight 1000 --enabled-state Enabled --http-port 80 --https-port 443 az afd origin create --resource-group myresourcegroup --host-name <web-app-east- |Parameter |Value |Description | ||||-|host-name |`<web-app-east-us>.azurewebsites.net` |The hostname of the primary web app. | -|origin-name |primaryapp |Name of the origin. | -|origin-host-header |`<web-app-east-us>.azurewebsites.net` |The host header to send for requests to this origin. If you leave this blank, the request hostname determines this value. Azure CDN origins, such as Web Apps, Blob Storage, and Cloud Services require this host header value to match the origin hostname by default. | -|priority |1 |Set this parameter to 1 to direct all traffic to the primary web app. | -|weight |1000 |Weight of the origin in given origin group for load balancing. Must be between 1 and 1000. | -|enabled-state |Enabled |Whether to enable this origin. | -|http-port |80 |The port used for HTTP requests to the origin. | -|https-port |443 |The port used for HTTPS requests to the origin. | +|`host-name` |`<web-app-east-us>.azurewebsites.net` |The hostname of the primary web app. | +|`origin-name` |`primaryapp` |Name of the origin. | +|`origin-host-header` |`<web-app-east-us>.azurewebsites.net` |The host header to send for requests to this origin. If you leave this blank, the request hostname determines this value. Azure CDN origins, such as Web Apps, Blob Storage, and Cloud Services require this host header value to match the origin hostname by default. | +|`priority` |`1` |Set this parameter to 1 to direct all traffic to the primary web app. | +|`weight` |`1000` |Weight of the origin in given origin group for load balancing. Must be between 1 and 1000. | +|`enabled-state` |`Enabled` |Whether to enable this origin. | +|`http-port` |`80` |The port used for HTTP requests to the origin. | +|`https-port` |`443` |The port used for HTTPS requests to the origin. | -Repeat this step to add your second origin. Pay attention to the `--priority` parameter. For this origin, it's set to "2". This priority setting tells Azure Front Door to direct all traffic to the primary origin unless the primary goes down. If you set the priority for this origin to "1", Azure Front Door will treat both origins as active and direct traffic to both regions. Be sure to replace both instances of the placeholder for `<web-app-west-us>` with the name of that web app. +Repeat this step to add your second origin. Pay attention to the `--priority` parameter. For this origin, it's set to `2`. This priority setting tells Azure Front Door to direct all traffic to the primary origin unless the primary goes down. If you set the priority for this origin to `1`, Azure Front Door treats both origins as active and direct traffic to both regions. Be sure to replace both instances of the placeholder for `<web-app-west-us>` with the name of that web app. ```azurecli-interactive az afd origin create --resource-group myresourcegroup --host-name <web-app-west-us>.azurewebsites.net --profile-name myfrontdoorprofile --origin-group-name myorigingroup --origin-name secondaryapp --origin-host-header <web-app-west-us>.azurewebsites.net --priority 2 --weight 1000 --enabled-state Enabled --http-port 80 --https-port 443 az afd origin create --resource-group myresourcegroup --host-name <web-app-west- ### Add a route -Run [az afd route create](/cli/azure/afd/route#az-afd-route-create) to map your endpoint to the origin group. This route forwards requests from the endpoint to your origin group. +Run [`az afd route create`](/cli/azure/afd/route#az-afd-route-create) to map your endpoint to the origin group. This route forwards requests from the endpoint to your origin group. ```azurecli-interactive az afd route create --resource-group myresourcegroup --profile-name myfrontdoorprofile --endpoint-name myendpoint --forwarding-protocol MatchRequest --route-name route --https-redirect Enabled --origin-group myorigingroup --supported-protocols Http Https --link-to-default-domain Enabled az afd route create --resource-group myresourcegroup --profile-name myfrontdoorp |Parameter |Value |Description | ||||-|endpoint-name |myendpoint |Name of the endpoint. | -|forwarding-protocol |MatchRequest |Protocol this rule will use when forwarding traffic to backends. | -|route-name |route |Name of the route. | -|https-redirect |Enabled |Whether to automatically redirect HTTP traffic to HTTPS traffic. | -|supported-protocols |Http Https |List of supported protocols for this route. | -|link-to-default-domain |Enabled |Whether this route will be linked to the default endpoint domain. | +|`endpoint-name` |`myendpoint` |Name of the endpoint. | +|forwarding-protocol |MatchRequest |Protocol this rule uses when forwarding traffic to backends. | +|`route-name` |`route` |Name of the route. | +|https-redirect |`Enabled` |Whether to automatically redirect HTTP traffic to HTTPS traffic. | +|`supported-protocols` |`Http Https` |List of supported protocols for this route. | +|`link-to-default-domain` |`Enabled` |Whether this route is linked to the default endpoint domain. | -Allow about 15 minutes for this step to complete as it takes some time for this change to propagate globally. After this period, your Azure Front Door will be fully functional. +Allow about 15 minutes for this step to complete as it takes some time for this change to propagate globally. After this period, your Azure Front Door is fully functional. ### Restrict access to web apps to the Azure Front Door instance -If you try to access your apps directly using their URLs at this point, you'll still be able to. To ensure traffic can only reach your apps through Azure Front Door, you'll set access restrictions on each of your apps. Front Door's features work best when traffic only flows through Front Door. You should configure your origins to block traffic that hasn't been sent through Front Door. Otherwise, traffic might bypass Front Door's web application firewall, DDoS protection, and other security features. Traffic from Azure Front Door to your applications originates from a well known set of IP ranges defined in the AzureFrontDoor.Backend service tag. By using a service tag restriction rule, you can [restrict traffic to only originate from Azure Front Door](../frontdoor/origin-security.md). +At this point, you can still access your apps directly using their URLs at this point. To ensure traffic can only reach your apps through Azure Front Door, you set access restrictions on each of your apps. Front Door's features work best when traffic only flows through Front Door. You should configure your origins to block traffic that isn't sent through Front Door yet. Otherwise, traffic might bypass Front Door's web application firewall, DDoS protection, and other security features. Traffic from Azure Front Door to your applications originates from a well known set of IP ranges defined in the `AzureFrontDoor.Backend` service tag. By using a service tag restriction rule, you can [restrict traffic to only originate from Azure Front Door](../frontdoor/origin-security.md). -Before setting up the App Service access restrictions, take note of the *Front Door ID* by running the following command. This ID will be needed to ensure traffic only originates from your specific Front Door instance. The access restriction further filters the incoming requests based on the unique HTTP header that your Azure Front Door sends. +Before setting up the App Service access restrictions, take note of the *Front Door ID* by running the following command. This ID is needed to ensure traffic only originates from your specific Front Door instance. The access restriction further filters the incoming requests based on the unique HTTP header that your Azure Front Door sends. ```azurecli-interactive az afd profile show --resource-group myresourcegroup --profile-name myfrontdoorprofile --query "frontDoorId" az webapp config access-restriction add --resource-group myresourcegroup -n <web When you create the Azure Front Door Standard/Premium profile, it takes a few minutes for the configuration to be deployed globally. Once completed, you can access the frontend host you created. -Run [az afd endpoint show](/cli/azure/afd/endpoint#az-afd-endpoint-show) to get the hostname of the Front Door endpoint. +Run [`az afd endpoint show`](/cli/azure/afd/endpoint#az-afd-endpoint-show) to get the hostname of the Front Door endpoint. ```azurecli-interactive az afd endpoint show --resource-group myresourcegroup --profile-name myfrontdoorprofile --endpoint-name myendpoint --query "hostName" ``` -In a browser, go to the endpoint hostname that the previous command returned: `<myendpoint>-<hash>.z01.azurefd.net`. Your request will automatically get routed to the primary app in East US. +In a browser, go to the endpoint hostname that the previous command returned: `<myendpoint>-<hash>.z01.azurefd.net`. Your request should automatically get routed to the primary app in East US. To test instant global failover: To test instant global failover: 1. Refresh your browser. You should see the same information page because traffic is now directed to the running app in West US. > [!TIP]- > You might need to refresh the page a couple times as failover may take a couple seconds. + > You might need to refresh the page a few times for the failover to complete. 1. Now stop the secondary app. In the preceding steps, you created Azure resources in a resource group. If you az group delete --name myresourcegroup ``` -This command may take a few minutes to run. +This command might take a few minutes to run. ## Deploy from ARM/Bicep This section contains frequently asked questions that can help you further secur ### What is the recommended method for managing and deploying application infrastructure and Azure resources? -For this tutorial, you used the Azure CLI to deploy your infrastructure resources. Consider configuring a continuous deployment mechanism to manage your application infrastructure. Since you're deploying resources in different regions, you'll need to independently manage those resources across the regions. To ensure the resources are identical across each region, infrastructure as code (IaC) such as [Azure Resource Manager templates](../azure-resource-manager/management/overview.md) or [Terraform](/azure/developer/terraform/overview) should be used with deployment pipelines such as [Azure Pipelines](/azure/devops/pipelines/get-started/what-is-azure-pipelines) or [GitHub Actions](https://docs.github.com/actions). This way, if configured appropriately, any change to resources would trigger updates across all regions you're deployed to. For more information, see [Continuous deployment to Azure App Service](deploy-continuous-deployment.md). +For this tutorial, you used the Azure CLI to deploy your infrastructure resources. Consider configuring a continuous deployment mechanism to manage your application infrastructure. Since you're deploying resources in different regions, you need to independently manage those resources across the regions. To ensure the resources are identical across each region, infrastructure as code (IaC) such as [Azure Resource Manager templates](../azure-resource-manager/management/overview.md) or [Terraform](/azure/developer/terraform/overview) should be used with deployment pipelines such as [Azure Pipelines](/azure/devops/pipelines/get-started/what-is-azure-pipelines) or [GitHub Actions](https://docs.github.com/actions). This way, if configured appropriately, any change to resources would trigger updates across all regions you're deployed to. For more information, see [Continuous deployment to Azure App Service](deploy-continuous-deployment.md). ### How can I use staging slots to practice safe deployment to production? -Deploying your application code directly to production apps/slots isn't recommended. This is because you'd want to have a safe place to test your apps and validate changes you've made before pushing to production. Use a combination of staging slots and slot swap to move code from your testing environment to production. +Deploying your application code directly to production apps/slots isn't recommended. This is because you want to have a safe place to test your apps and validate changes you make before pushing to production. Use a combination of staging slots and slot swap to move code from your testing environment to production. -You already created the baseline infrastructure for this scenario. You'll now create deployment slots for each instance of your app and configure continuous deployment to these staging slots with GitHub Actions. As with infrastructure management, configuring continuous deployment for your application source code is also recommended to ensure changes across regions are in sync. If you donΓÇÖt configure continuous deployment, youΓÇÖll need to manually update each app in each region every time there's a code change. +You already created the baseline infrastructure for this scenario. Now, you create deployment slots for each instance of your app and configure continuous deployment to these staging slots with GitHub Actions. As with infrastructure management, configuring continuous deployment for your application source code is also recommended to ensure changes across regions are in sync. If you donΓÇÖt configure continuous deployment, youΓÇÖll need to manually update each app in each region every time there's a code change. For the remaining steps in this tutorial, you should have an app ready to deploy to your App Services. If you need a sample app, you can use the [Node.js Hello World sample app](https://github.com/Azure-Samples/nodejs-docs-hello-world). Fork that repository so you have your own copy. -Be sure to set the App Service stack settings for your apps. Stack settings refer to the language or runtime used for your app. This setting can be configured using the Azure CLI with the `az webapp config set` command or in the portal with the following steps. If you use the Node.js sample, set the stack settings to "Node 18 LTS". +Be sure to set the App Service stack settings for your apps. Stack settings refer to the language or runtime used for your app. This setting can be configured using the Azure CLI with the `az webapp config set` command or in the portal with the following steps. If you use the Node.js sample, set the stack settings to **Node 18 LTS**. 1. Going to your app and selecting **Configuration** in the left-hand table of contents. 1. Select the **General settings** tab. To configure continuous deployment with GitHub Actions, complete the following s A default workflow file that uses a publish profile to authenticate to App Service is added to your GitHub repository. You can view this file by going to the `<repo-name>/.github/workflows/` directory. -### How do I disable basic auth on App Service? +### How do I disable basic authentication on App Service? -Consider [disabling basic auth on App Service](https://azure.github.io/AppService/2020/08/10/securing-data-plane-access.html), which limits access to the FTP and SCM endpoints to users that are backed by Microsoft Entra ID. If using a continuous deployment tool to deploy your application source code, disabling basic auth will require [extra steps to configure continuous deployment](deploy-github-actions.md). For example, you won't be able to use a publish profile since that authentication mechanism doesn't use Microsoft Entra backed credentials. Instead, you'll need to use either a [service principal or OpenID Connect](deploy-github-actions.md#generate-deployment-credentials). +Consider [disabling basic authentication](configure-basic-auth-disable.md), which limits access to the FTP and SCM endpoints to users that are backed by Microsoft Entra ID. If using a continuous deployment tool to deploy your application source code, disabling basic authentication requires [extra steps to configure continuous deployment](deploy-github-actions.md). For example, you can't use a publish profile since it doesn't use Microsoft Entra credentials. Instead, you need to use either a [service principal or OpenID Connect](deploy-github-actions.md#1-generate-deployment-credentials). -To disable basic auth for your App Service, run the following commands for each app and slot by replacing the placeholders for `<web-app-east-us>` and `<web-app-west-us>` with your app names. The first set of commands disables FTP access for the production sites and staging slots, and the second set of commands disables basic auth access to the WebDeploy port and SCM site for the production sites and staging slots. +To disable basic authentication for your App Service, run the following commands for each app and slot by replacing the placeholders for `<web-app-east-us>` and `<web-app-west-us>` with your app names. The first set of commands disables FTP access for the production sites and staging slots, and the second set of commands disables basic auth access to the WebDeploy port and SCM site for the production sites and staging slots. ```azurecli-interactive az resource update --resource-group myresourcegroup --name ftp --namespace Microsoft.Web --resource-type basicPublishingCredentialsPolicies --parent sites/<web-app-east-us> --set properties.allow=false az resource update --resource-group myresourcegroup --name scm --namespace Micro az resource update --resource-group myresourcegroup --name scm --namespace Microsoft.Web --resource-type basicPublishingCredentialsPolicies --parent sites/<web-app-west-us>/slots/stage --set properties.allow=false ``` -For more information on disabling basic auth including how to test and monitor logins, see [Disabling basic auth on App Service](https://azure.github.io/AppService/2020/08/10/securing-data-plane-access.html). +For more information on disabling basic auth including how to test and monitor sign-ins, see [Disable basic authentication in App Service deployments](configure-basic-auth-disable.md). ### How do I deploy my code using continuous deployment if I disabled basic auth? If you disable basic auth for your App Services, continuous deployment requires To configure continuous deployment with GitHub Actions and a service principal, use the following steps. -1. Run the following command to create the [service principal](../active-directory/develop/app-objects-and-service-principals.md#service-principal-object). Replace the placeholders with your `<subscription-id>` and app names. The output is a JSON object with the role assignment credentials that provide access to your App Service apps. Copy this JSON object for the next step. It will include your client secret, which will only be visible at this time. It's always a good practice to grant minimum access. The scope in this example is limited to just the apps, not the entire resource group. +1. Run the following command to create the [service principal](../active-directory/develop/app-objects-and-service-principals.md#service-principal-object). Replace the placeholders with your `<subscription-id>` and app names. The output is a JSON object with the role assignment credentials that provide access to your App Service apps. Copy this JSON object for the next step. It includes your client secret, which is visible only at this time. It's always a good practice to grant minimum access. The scope in this example is limited to just the apps, not the entire resource group. ```bash az ad sp create-for-rbac --name "myApp" --role contributor --scopes /subscriptions/<subscription-id>/resourceGroups/myresourcegroup/providers/Microsoft.Web/sites/<web-app-east-us> /subscriptions/<subscription-id>/resourceGroups/myresourcegroup/providers/Microsoft.Web/sites/<web-app-west-us> --sdk-auth ``` -1. You need to provide your service principal's credentials to the Azure Login action as part of the GitHub Action workflow you'll be using. These values can either be provided directly in the workflow or can be stored in GitHub secrets and referenced in your workflow. Saving the values as GitHub secrets is the more secure option. +1. You need to provide your service principal's credentials to the [Azure/login](https://github.com/Azure/login) action as part of the GitHub Action workflow you're using. These values can either be provided directly in the workflow or can be stored in GitHub secrets and referenced in your workflow. Saving the values as GitHub secrets is the more secure option. 1. Open your GitHub repository and go to **Settings** > **Security** > **Secrets and variables** > **Actions** 1. Select **New repository secret** and create a secret for each of the following values. The values can be found in the json output you copied earlier. To configure continuous deployment with GitHub Actions and a service principal, #### Create the GitHub Actions workflow -Now that you have a service principal that can access your App Service apps, edit the default workflows that were created for your apps when you configured continuous deployment. Authentication must be done using your service principal instead of the publish profile. For sample workflows, see the "Service principal" tab in [Deploy to App Service](deploy-github-actions.md#deploy-to-app-service). The following sample workflow can be used for the Node.js sample app that was provided. +Now that you have a service principal that can access your App Service apps, edit the default workflows that were created for your apps when you configured continuous deployment. Authentication must be done using your service principal instead of the publish profile. For sample workflows, see the "Service principal" tab in [Add the workflow file to your GitHub repository](deploy-github-actions.md?tabs=userlevel#3-add-the-workflow-file-to-your-github-repository). The following sample workflow can be used for the Node.js sample app that was provided. -1. Open your app's GitHub repository and go to the `<repo-name>/.github/workflows/` directory. You'll see the autogenerated workflows. -1. For each workflow file, select the "pencil" button in the top right to edit the file. Replace the contents with the following text, which assumes you created the GitHub secrets earlier for your credential. Update the placeholder for `<web-app-name>` under the "env" section, and then commit directly to the main branch. This commit will trigger the GitHub Action to run again and deploy your code, this time using the service principal to authenticate. +1. Open your app's GitHub repository and go to the `<repo-name>/.github/workflows/` directory. You should see the autogenerated workflows. +1. For each workflow file, select the "pencil" button in the top right to edit the file. Replace the contents with the following text, which assumes you created the GitHub secrets earlier for your credential. Update the placeholder for `<web-app-name>` under the "env" section, and then commit directly to the main branch. This commit triggers the GitHub Action to run again and deploy your code, this time using the service principal to authenticate. ```yml Now that you have a service principal that can access your App Service apps, edi ### How does slot traffic routing allow me to test updates that I make to my apps? -Traffic routing with slots allows you to direct a pre-defined portion of your user traffic to each slot. Initially, 100% of traffic is directed to the production site. However, you have the ability, for example, to send 10% of your traffic to your staging slot. If you configure slot traffic routing in this way, when users try to access your app, 10% of them will automatically be routed to the staging slot with no changes to your Front Door instance. To learn more about slot swaps and staging environments in App Service, see [Set up staging environments in Azure App Service](deploy-staging-slots.md). +Traffic routing with slots allows you to direct a predefined portion of your user traffic to each slot. Initially, 100% of traffic is directed to the production site. However, you have the ability, for example, to send 10% of your traffic to your staging slot. If you configure slot traffic routing in this way, when users try to access your app, 10% of them are automatically routed to the staging slot with no changes to your Front Door instance. To learn more about slot swaps and staging environments in App Service, see [Set up staging environments in Azure App Service](deploy-staging-slots.md). ### How do I move my code from my staging slot to my production slot? -Once you're done testing and validating in your staging slots, you can perform a [slot swap](deploy-staging-slots.md#swap-two-slots) from your staging slot to your production site. You'll need to do this swap for all instances of your app in each region. During a slot swap, the App Service platform [ensures the target slot doesn't experience downtime](deploy-staging-slots.md#swap-operation-steps). +Once you're done testing and validating in your staging slots, you can perform a [slot swap](deploy-staging-slots.md#swap-two-slots) from your staging slot to your production site. You need to do this swap for all instances of your app in each region. During a slot swap, the App Service platform [ensures the target slot doesn't experience downtime](deploy-staging-slots.md#swap-operation-steps). To perform the swap, run the following command for each app. Replace the placeholder for `<web-app-name>`. az webapp deployment slot swap --resource-group MyResourceGroup -name <web-app-n After a few minutes, you can navigate to your Front Door's endpoint to validate the slot swap succeeded. -At this point, your apps are up and running and any changes you make to your application source code will automatically trigger an update to both of your staging slots. You can then repeat the slot swap process when you're ready to move that code into production. +At this point, your apps are up and running and any changes you make to your application source code automatically trigger an update to both of your staging slots. You can then repeat the slot swap process when you're ready to move that code into production. ### How else can I use Azure Front Door in my multi-region deployments? -If you're concerned about potential disruptions or issues with continuity across regions, as in some customers seeing one version of your app while others see another version, or if you're making significant changes to your apps, you can temporarily remove the site that's undergoing the slot swap from your Front Door's origin group. All traffic will then be directed to the other origin. Navigate to the **Update origin group** pane and **Delete** the origin that is undergoing the change. Once you've made all of your changes and are ready to serve traffic there again, you can return to the same pane and select **+ Add an origin** to readd the origin. +If you're concerned about potential disruptions or issues with continuity across regions, as in some customers seeing one version of your app while others see another version, or if you're making significant changes to your apps, you can temporarily remove the site that's undergoing the slot swap from your Front Door's origin group. All traffic is then directed to the other origin. Navigate to the **Update origin group** pane and **Delete** the origin that is undergoing the change. Once you've made all of your changes and are ready to serve traffic there again, you can return to the same pane and select **+ Add an origin** to readd the origin. :::image type="content" source="./media/tutorial-multi-region-app/remove-origin.png" alt-text="Screenshot showing how to remove an Azure Front Door origin."::: If you'd prefer to not delete and then readd origins, you can create extra origin groups for your Front Door instance. You can then associate the route to the origin group pointing to the intended origin. For example, you can create two new origin groups, one for your primary region, and one for your secondary region. When your primary region is undergoing a change, associate the route with your secondary region and vice versa when your secondary region is undergoing a change. When all changes are complete, you can associate the route with your original origin group that contains both regions. This method works because a route can only be associated with one origin group at a time. -To demonstrate working with multiple origins, in the following screenshot, there are three origin groups. "MyOriginGroup" consists of both web apps, and the other two origin groups each consist of the web app in their respective region. In the example, the app in the primary region is undergoing a change. Before that change was started, the route was associated with "MySecondaryRegion" so all traffic would be sent to the app in the secondary region during the change period. You can update the route by selecting "Unassociated", which will bring up the **Associate routes** pane. +To demonstrate working with multiple origins, in the following screenshot, there are three origin groups. "MyOriginGroup" consists of both web apps, and the other two origin groups each consist of the web app in their respective region. In the example, the app in the primary region is undergoing a change. Before that change was started, the route was associated with "MySecondaryRegion" so all traffic would be sent to the app in the secondary region during the change period. You can update the route by selecting **Unassociated**, which brings up the **Associate routes** pane. :::image type="content" source="./media/tutorial-multi-region-app/associate-routes.png" alt-text="Screenshot showing how to associate routes with Azure Front Door."::: ### How do I restrict access to the advanced tools site? -With Azure App service, the SCM/advanced tools site is used to manage your apps and deploy application source code. Consider [locking down the SCM/advanced tools site](app-service-ip-restrictions.md#restrict-access-to-an-scm-site) since this site will most likely not need to be reached through Front Door. For example, you can set up access restrictions that only allow you to conduct your testing and enable continuous deployment from your tool of choice. If you're using deployment slots, for production slots specifically, you can deny almost all access to the SCM site since your testing and validation will be done with your staging slots. +With Azure App service, the SCM/advanced tools site is used to manage your apps and deploy application source code. Consider [locking down the SCM/advanced tools site](app-service-ip-restrictions.md#restrict-access-to-an-scm-site) since this site most likely doesn't need to be reached through Front Door. For example, you can set up access restrictions that only allow you to conduct your testing and enable continuous deployment from your tool of choice. If you're using deployment slots, for production slots specifically, you can deny almost all access to the SCM site since your testing and validation is done with your staging slots. ## Next steps |
app-service | Tutorial Secure Ntier App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/tutorial-secure-ntier-app.md | Now that the back-end SCM site is publicly accessible, you need to lock it down ## 7. Use a service principal for GitHub Actions deployment -Your Deployment Center configuration has created a default workflow file in each of your sample repositories, but it uses a publish profile by default, which uses basic auth. Since you've disabled basic auth, if you check the **Logs** tab in Deployment Center, you'll see that the automatically triggered deployment results in an error. You must modify the workflow file to use the service principal to authenticate with App Service. For sample workflows, see [Deploy to App Service](deploy-github-actions.md?tabs=userlevel#deploy-to-app-service). +Your Deployment Center configuration has created a default workflow file in each of your sample repositories, but it uses a publish profile by default, which uses basic auth. Since you've disabled basic auth, if you check the **Logs** tab in Deployment Center, you'll see that the automatically triggered deployment results in an error. You must modify the workflow file to use the service principal to authenticate with App Service. For sample workflows, see [Add the workflow file to your GitHub repository](deploy-github-actions.md?tabs=userlevel#3-add-the-workflow-file-to-your-github-repository). 1. Open one of your forked GitHub repositories and go to the `<repo-name>/.github/workflows/` directory. This command may take a few minutes to run. #### Is there an alternative to deployment using a service principal? -Since in this tutorial you've [disabled basic auth](#5-lock-down-ftp-and-scm-access), you can't authenticate with the back end SCM site with a username and password, and neither can you with a publish profile. Instead of a service principal, you can also use [OpenID Connect](deploy-github-actions.md?tabs=openid#deploy-to-app-service). +Since in this tutorial you've [disabled basic auth](#5-lock-down-ftp-and-scm-access), you can't authenticate with the back end SCM site with a username and password, and neither can you with a publish profile. Instead of a service principal, you can also use [OpenID Connect](deploy-github-actions.md?tabs=openid). #### What happens when I configure GitHub Actions deployment in App Service? |
application-gateway | Migrate V1 V2 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/migrate-v1-v2.md | This article primarily helps with the configuration migration. Client traffic mi [!INCLUDE [updated-for-az](../../includes/updated-for-az.md)] > [!IMPORTANT]->FRun the `Set-AzContext -Subscription <V1 application gateway SubscriptionId>` cmdlet every time before running the migration script. This is necessary to set the active Azure context to the correct subscription, because the migration script might clean up the existing resource group if it doesn't exist in current subscription context.This is not a mandatory step for version 1.0.11 & above of the migration script. +>Run the `Set-AzContext -Subscription <V1 application gateway SubscriptionId>` cmdlet every time before running the migration script. This is necessary to set the active Azure context to the correct subscription, because the migration script might clean up the existing resource group if it doesn't exist in current subscription context.This is not a mandatory step for version 1.0.11 & above of the migration script. > [!IMPORTANT] >A new stable version of the migration script , version 1.0.11 is available now , which contains important bug fixes and updates.Use this version to avoid potential issues. |
automation | Manage Sql Server In Automation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/manage-sql-server-in-automation.md | To allow access from the Automation system managed identity to the Azure SQL dat 1. In the **SQL server** page, under **Settings**, select **SQL Databases**. 1. Select your database to go to the SQL database page and select **Query editor (preview)** and execute the following two queries: - CREATE USER "AutomationAccount" FROM EXTERNAL PROVIDER WITH OBJECT_ID= `ObjectID`- - EXEC sp_addrolemember `dbowner`, "AutomationAccount" + - EXEC sp_addrolemember `db_owner`, "AutomationAccount" - Automation account - replace with your Automation account's name - Object ID - replace with object (principal) ID for your system managed identity principal from step 1. |
azure-functions | Dotnet Isolated Process Guide | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/dotnet-isolated-process-guide.md | The following snippet shows this configuration in the context of a project file: ```xml <ItemGroup> <FrameworkReference Include="Microsoft.AspNetCore.App" />- <PackageReference Include="Microsoft.Azure.Functions.Worker" Version="1.20.1" /> + <PackageReference Include="Microsoft.Azure.Functions.Worker" Version="1.21.0" /> <PackageReference Include="Microsoft.Azure.Functions.Worker.Sdk" Version="1.16.4" /> </ItemGroup> ``` |
azure-functions | Durable Functions Isolated Create First Csharp | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/durable/durable-functions-isolated-create-first-csharp.md | Add the following to your app project: ```xml <ItemGroup>- <PackageReference Include="Microsoft.Azure.Functions.Worker" Version="1.20.1" /> + <PackageReference Include="Microsoft.Azure.Functions.Worker" Version="1.21.0" /> <PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.DurableTask" Version="1.1.1" /> <PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.Http" Version="3.1.0" /> <PackageReference Include="Microsoft.Azure.Functions.Worker.Sdk" Version="1.16.4" OutputItemType="Analyzer" /> Add the following to your app project: ```xml <ItemGroup>- <PackageReference Include="Microsoft.Azure.Functions.Worker" Version="1.20.1" /> + <PackageReference Include="Microsoft.Azure.Functions.Worker" Version="1.21.0" /> <PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.DurableTask" Version="1.1.1" /> <PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.Http" Version="3.1.0" /> <PackageReference Include="Microsoft.Azure.Functions.Worker.Sdk" Version="1.16.4" OutputItemType="Analyzer" /> |
azure-functions | Functions Deployment Technologies | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-deployment-technologies.md | Each plan has different behaviors. Not all deployment technologies are available | [Web Deploy](#web-deploy-msdeploy) |Γ£ö|Γ£ö|Γ£ö| | | | | [Source control](#source-control) |Γ£ö|Γ£ö|Γ£ö| |Γ£ö|Γ£ö| | [Local Git](#local-git)<sup>1</sup> |Γ£ö|Γ£ö|Γ£ö| |Γ£ö|Γ£ö|-| [Cloud sync](#cloud-sync)<sup>1</sup> |Γ£ö|Γ£ö|Γ£ö| |Γ£ö|Γ£ö| | [FTPS](#ftps)<sup>1</sup> |Γ£ö|Γ£ö|Γ£ö| |Γ£ö|Γ£ö| | [In-portal editing](#portal-editing)<sup>2</sup> |Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö<sup>3</sup>|Γ£ö<sup>3</sup>| You can use local Git to push code from your local machine to Azure Functions by >__Where app content is stored:__ App content is stored on the file system, which may be backed by Azure Files from the storage account specified when the function app was created. -### Cloud sync --Use cloud sync to sync your content from Dropbox and OneDrive to Azure Functions. -->__How to use it:__ Follow the instructions in [Sync content from a cloud folder](../app-service/deploy-content-sync.md). -->__When to use it:__ To reduce the chance of errors, you should avoid using deployment methods that require the additional step of [manually syncing triggers](#trigger-syncing). Use [zip deployment](run-functions-from-deployment-package.md) when possible. -->__Where app content is stored:__ The app content is in the cloud store, but a local copy is stored on the app file system, which may be backed by Azure Files from the storage account specified when the function app was created. - ### FTP/S You can use FTP/S to directly transfer files to Azure Functions, although this deployment method isn't recommended. When you're not planning on using FTP, you should disable it. If you do choose to use FTP, you should enforce FTPS. To learn how in the Azure portal, see [Enforce FTPS](../app-service/deploy-ftp.md#enforce-ftps). |
azure-functions | Functions Reference Python | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-reference-python.md | The main project folder, *<project_root>*, can contain the following files: When you deploy your project to a function app in Azure, the entire contents of the main project folder, *<project_root>*, should be included in the package, but not the folder itself, which means that *host.json* should be in the package root. We recommend that you maintain your tests in a folder along with other functions (in this example, *tests/*). For more information, see [Unit testing](#unit-testing). +## Connect to a database ++[Azure Cosmos DB](../cosmos-db/introduction.md) is a fully managed NoSQL and relational database for modern app development including AI, digital commerce, Internet of Things, booking management, and other types of solutions. It offers single-digit millisecond response times, automatic and instant scalability, and guaranteed speed at any scale. Its various APIs can accommodate all your operational data models, including relational, document, vector, key-value, graph, and table. ++To connect to Cosmos DB, first [create an account, database, and container](../cosmos-db/nosql/quickstart-portal.md). Then you may connect Functions to Cosmos DB using [trigger and bindings](functions-bindings-cosmosdb-v2.md), like this [example](functions-add-output-binding-cosmos-db-vs-code.md). You may also use the Python library for Cosmos DB, like so: ++```python +pip install azure-cosmos ++from azure.cosmos import CosmosClient, exceptions +from azure.cosmos.partition_key import PartitionKey ++# Replace these values with your Cosmos DB connection information +endpoint = "https://azure-cosmos-nosql.documents.azure.com:443/" +key = "master_key" +database_id = "cosmicwerx" +container_id = "cosmicontainer" +partition_key = "/partition_key" ++# Set the total throughput (RU/s) for the database and container +database_throughput = 1000 ++# Initialize the Cosmos client +client = CosmosClient(endpoint, key) ++# Create or get a reference to a database +try: + database = client.create_database_if_not_exists(id=database_id) + print(f'Database "{database_id}" created or retrieved successfully.') ++except exceptions.CosmosResourceExistsError: + database = client.get_database_client(database_id) + print('Database with id \'{0}\' was found'.format(database_id)) ++# Create or get a reference to a container +try: + container = database.create_container(id=container_id, partition_key=PartitionKey(path='/partitionKey')) + print('Container with id \'{0}\' created'.format(container_id)) ++except exceptions.CosmosResourceExistsError: + container = database.get_container_client(container_id) + print('Container with id \'{0}\' was found'.format(container_id)) ++# Sample document data +sample_document = { + "id": "1", + "name": "Doe Smith", + "city": "New York", + "partition_key": "NY" +} ++# Insert a document +container.create_item(body=sample_document) ++# Query for documents +query = "SELECT * FROM c where c.id = 1" +items = list(container.query_items(query, enable_cross_partition_query=True)) +``` + ::: zone pivot="python-mode-decorators" ## Blueprints |
azure-functions | Migrate Cosmos Db Version 3 Version 4 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/migrate-cosmos-db-version-3-version-4.md | Update your `.csproj` project file to use the latest extension version for your <OutputType>Exe</OutputType> </PropertyGroup> <ItemGroup>- <PackageReference Include="Microsoft.Azure.Functions.Worker" Version="1.20.1" /> - <PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.CosmosDB" Version="4.5.1" /> + <PackageReference Include="Microsoft.Azure.Functions.Worker" Version="1.21.0" /> + <PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.CosmosDB" Version="4.6.0" /> <PackageReference Include="Microsoft.Azure.Functions.Worker.Sdk" Version="1.16.4" /> </ItemGroup> <ItemGroup> |
azure-functions | Migrate Service Bus Version 4 Version 5 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/migrate-service-bus-version-4-version-5.md | Update your `.csproj` project file to use the latest extension version for your <OutputType>Exe</OutputType> </PropertyGroup> <ItemGroup>- <PackageReference Include="Microsoft.Azure.Functions.Worker" Version="1.20.1" /> - <PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.ServiceBus" Version="5.15.0" /> + <PackageReference Include="Microsoft.Azure.Functions.Worker" Version="1.21.0" /> + <PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.ServiceBus" Version="5.16.0" /> <PackageReference Include="Microsoft.Azure.Functions.Worker.Sdk" Version="1.16.4" /> </ItemGroup> <ItemGroup> |
azure-monitor | Troubleshooter Ama Linux | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/agents/troubleshooter-ama-linux.md | Check for the existence of the AMA Agent Troubleshooter directory on the machine ***/var/lib/waagent/Microsoft.Azure.Monitor.AzureMonitorLinuxAgent-{version}*** -To verify the Azure Monitor Agent Troubleshooter is presence, copy the following command and run in Bash as root: +To verify the Azure Monitor Agent Troubleshooter is present, copy the following command and run in Bash as root: ```Bash ls -ltr /var/lib/waagent | grep "Microsoft.Azure.Monitor.AzureMonitorLinuxAgent-*" |
azure-monitor | Alerts Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-overview.md | For stateful alerts, while the alert itself is deleted after 30 days, the alert Stateful log alerts have these limitations: - they can trigger up to 300 alerts per evaluation.-- you can have a maximum of 5000 alerts with the `fired` alert condition.+- you can have a maximum of 6000 alerts with the `fired` alert condition. This table describes when a stateful alert is considered resolved: |
azure-monitor | Alerts Troubleshoot Log | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-troubleshoot-log.md | When you author an alert rule, Log Analytics creates a permission snapshot for y ### The alert rule uses a system-assigned managed identity -When you create a log alert rule with system-assigned managed identity, the identity is created without any permissions. After you create the rule, you need to assign the appropriate roles to the ruleΓÇÖs identity so that it can access the data you want to query. For example, you might need to give it a Reader role for the relevant Log Analytics workspaces, or a Reader role and a Database Viewer role for the relevant ADX cluster. See [managed identities](alerts-create-new-alert-rule.md#managed-id) for more information about using managed identities in log alerts. +When you create a log alert rule with system-assigned managed identity, the identity is created without any permissions. After you create the rule, you need to assign the appropriate roles to the ruleΓÇÖs identity so that it can access the data you want to query. For example, you might need to give it a Reader role for the relevant Log Analytics workspaces, or a Reader role and a Database Viewer role for the relevant ADX cluster. See [managed identities](https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-create-log-alert-rule#configure-the-alert-rule-details) for more information about using managed identities in log alerts. ### Metric measurement alert rule with splitting using the legacy Log Analytics API |
azure-monitor | Itsm Convert Servicenow To Webhook | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/itsm-convert-servicenow-to-webhook.md | Title: Convert ITSM actions that send events to ServiceNow to secure webhook actions description: Learn how to convert ITSM actions that send events to ServiceNow to secure webhook actions. Previously updated : 09/20/2022 Last updated : 01/30/2024 |
azure-monitor | Itsmc Definition | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/itsmc-definition.md | Title: IT Service Management Connector in Log Analytics description: This article provides an overview of IT Service Management Connector (ITSMC) and information about using it to monitor and manage ITSM work items in Log Analytics and resolve problems quickly. Previously updated : 10/03/2022 Last updated : 01/30/2022 |
azure-monitor | Container Insights Metric Alerts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/containers/container-insights-metric-alerts.md | The methods currently available for creating Prometheus alert rules are Azure Re 1. Download the template that includes the set of alert rules you want to enable. For a list of the rules for each, see [Alert rule details](#alert-rule-details). - - [Community alerts](https://aka.ms/azureprometheus-communityalerts) - - [Recommended alerts](https://aka.ms/azureprometheus-recommendedalerts) + [Recommended metric alerts](https://aka.ms/azureprometheus-recommendedmetricalerts) 2. Deploy the template by using any standard methods for installing ARM templates. For guidance, see [ARM template samples for Azure Monitor](../resource-manager-samples.md#deploy-the-sample-templates). ### [Bicep template](#tab/bicep) -1. To deploy community and recommended alerts, follow this [template](https://aka.ms/azureprometheus-alerts-bicep) and follow the README.md file in the same folder for how to deploy. +1. To deploy recommended metric alerts, follow this [template](https://aka.ms/azureprometheus-recommendedmetricalertsbicep) and follow the README.md file in the same folder for how to deploy. The configuration change can take a few minutes to finish before it takes effect ### Prerequisites You might need to enable collection of custom metrics for your cluster. See [Metrics collected by Container insights](container-insights-custom-metrics.md).- + ### Enable and configure metric alert rules #### [Azure portal](#tab/azure-portal) The following sections present information on the alert rules provided by Contai ### Community alert rules -These handpicked alerts come from the Prometheus community. Source code for these mixin alerts can be found in [GitHub](https://aka.ms/azureprometheus-communityalerts): +These handpicked alerts come from the Prometheus community. Source code for these mixin alerts can be found in [GitHub](https://aka.ms/azureprometheus-recommendedmetricalerts): | Alert name | Description | Default threshold | |:|:|:| These handpicked alerts come from the Prometheus community. Source code for thes ### Recommended alert rules The following table lists the recommended alert rules that you can enable for either Prometheus metrics or custom metrics.-Source code for the recommended alerts can be found in [GitHub](https://github.com/Azure/prometheus-collector/blob/68ab5b195a77d72b0b8e36e5565b645c3d1e2d5d/mixins/kubernetes/rules/recording_and_alerting_rules/templates/ci_recommended_alerts.json): +Source code for the recommended alerts can be found in [GitHub](https://aka.ms/azureprometheus-recommendedmetricalerts): | Prometheus alert name | Custom metric alert name | Description | Default threshold | |:|:|:|:| |
azure-monitor | Prometheus Metrics Scrape Configuration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/containers/prometheus-metrics-scrape-configuration.md | The following table has a list of all the default targets that the Azure Monitor If you want to turn on the scraping of the default targets that aren't enabled by default, edit the [configmap](https://aka.ms/azureprometheus-addon-settings-configmap) `ama-metrics-settings-configmap` to update the targets listed under `default-scrape-settings-enabled` to `true`. Apply the configmap to your cluster. +### Enable pod annotation-based scraping +To scrape application pods without needing to create a custom Prometheus config, annotations can be added to the pods. The annotation `prometheus.io/scrape: "true"` is required for the pod to be scraped. The annotations `prometheus.io/path` and `prometheus.io/port` indicate the path and port that the metrics are hosted at on the pod. The annotations for a pod that is hosting metrics at `<pod IP>:8080/metrics` would be: ++```yaml +metadata: + annotations: + prometheus.io/scrape: 'true' + prometheus.io/path: '/metrics' + prometheus.io/port: '8080' +``` ++Scraping these pods with specific annotations is disabled by default. To enable, in the `ama-metrics-settings-configmap`, add the regex for the namespace(s) of the pods with annotations you wish to scrape as the value of the field `podannotationnamespaceregex`. ++For example, the following setting scrapes pods with annotations only in the namespaces `kube-system` and `default`: ++```yaml +pod-annotation-based-scraping: |- + podannotationnamespaceregex = "kube-system|my-namespace" +``` ++To enable scraping for pods with annotations in all namespaces, use: ++```yaml +pod-annotation-based-scraping: |- + podannotationnamespaceregex = ".*" +``` ++ ### Customize metrics collected by default targets By default, for all the default targets, only minimal metrics used in the default recording rules, alerts, and Grafana dashboards are ingested as described in [minimal-ingestion-profile](prometheus-metrics-scrape-configuration-minimal.md). To collect all metrics from default targets, update the keep-lists in the settings configmap under `default-targets-metrics-keep-list`, and set `minimalingestionprofile` to `false`. metric_relabel_configs: regex: '.+' ``` -### Pod annotation-based scraping --The following scrape config uses the `__meta_*` labels added from the `kubernetes_sd_configs` for the `pod` role to filter for pods with certain annotations. --To scrape certain pods, specify the port, path, and scheme through annotations for the pod and the following job scrapes only the address specified by the annotation: --- `prometheus.io/scrape`: Enable scraping for this pod.-- `prometheus.io/scheme`: If the metrics endpoint is secured, you need to set scheme to `https` and most likely set the TLS config.-- `prometheus.io/path`: If the metrics path isn't /metrics, define it with this annotation.-- `prometheus.io/port`: Specify a single port that you want to scrape.--```yaml -scrape_configs: - - job_name: 'kubernetespods-sample' -- kubernetes_sd_configs: - - role: pod -- relabel_configs: - # Scrape only pods with the annotation: prometheus.io/scrape = true - - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape] - action: keep - regex: true -- # If prometheus.io/path is specified, scrape this path instead of /metrics - - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path] - action: replace - target_label: __metrics_path__ - regex: (.+) -- # If prometheus.io/port is specified, scrape this port instead of the default - - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] - action: replace - regex: ([^:]+)(?::\d+)?;(\d+) - replacement: $1:$2 - target_label: __address__ -- # If prometheus.io/scheme is specified, scrape with this scheme instead of http - - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scheme] - action: replace - regex: (http|https) - target_label: __scheme__ -- # Include the pod namespace as a label for each metric - - source_labels: [__meta_kubernetes_namespace] - action: replace - target_label: kubernetes_namespace -- # Include the pod name as a label for each metric - - source_labels: [__meta_kubernetes_pod_name] - action: replace - target_label: kubernetes_pod_name -- # [Optional] Include all pod labels as labels for each metric - - action: labelmap - regex: __meta_kubernetes_pod_label_(.+) -``` --See the [Apply config file](prometheus-metrics-scrape-validate.md#deploy-config-file-as-configmap) section to create a configmap from the Prometheus config. - ## Next steps [Setup Alerts on Prometheus metrics](./container-insights-metric-alerts.md)<br> |
azure-monitor | Data Collection Endpoint Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/essentials/data-collection-endpoint-overview.md | This table describes the components of a data collection endpoint, related regio :::image type="content" source="media/data-collection-endpoint-overview/data-collection-endpoint-regionality-multiple-workspaces.png" alt-text="A diagram that shows monitored resources in multiple regions sending data to multiple Log Analytics workspaces in different regions using data collection endpoints." lightbox="media/data-collection-endpoint-overview/data-collection-endpoint-regionality-multiple-workspaces.png"::: +> [!NOTE] +> By default, the Microsoft.Insights resource provider isnt registered in a Subscription. Ensure to register it successfully before trying to create a Data Collection Endpoint. + ## Create a data collection endpoint # [Azure portal](#tab/portal) -1. On the **Azure Monitor** menu in the Azure portal, select **Data Collection Endpoints** under the **Settings** section. Select **Create** to create a new DCR and assignment. +1. On the **Azure Monitor** menu in the Azure portal, select **Data Collection Endpoints** under the **Settings** section. Select **Create** to create a new Data Collection Endpoint. <!-- convertborder later --> :::image type="content" source="media/data-collection-endpoint-overview/data-collection-endpoint-overview.png" lightbox="media/data-collection-endpoint-overview/data-collection-endpoint-overview.png" alt-text="Screenshot that shows data collection endpoints." border="false"::: |
azure-monitor | Prometheus Api Promql | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/essentials/prometheus-api-promql.md | The following limitations are in addition to those detailed in the Prometheus sp For more information on Prometheus metrics limits, see [Prometheus metrics](../../azure-monitor/service-limits.md#prometheus-metrics) ## Frequently asked questions |
azure-monitor | Search Jobs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/search-jobs.md | Search jobs are intended to scan large volumes of data in a specific table. Ther - [project-keep](/azure/data-explorer/kusto/query/project-keep-operator) - [project-rename](/azure/data-explorer/kusto/query/projectrenameoperator) - [project-reorder](/azure/data-explorer/kusto/query/projectreorderoperator)-- [parse](/azure/data-explorer/kusto/query/whereoperator)-- [parse-where](/azure/data-explorer/kusto/query/whereoperator)+- [parse](/azure/data-explorer/kusto/query/parse-operator) +- [parse-where](/azure/data-explorer/kusto/query/parse-where-operator) You can use all functions and binary operators within these operators. |
azure-resource-manager | Bicep Extensibility Kubernetes Provider | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/bicep/bicep-extensibility-kubernetes-provider.md | Last updated 04/18/2023 The Kubernetes provider allows you to create Kubernetes resources directly with Bicep. Bicep can deploy anything that can be deployed with the [Kubernetes command-line client (kubectl)](https://kubernetes.io/docs/reference/kubectl/kubectl/) and a [Kubernetes manifest file](../../aks/concepts-clusters-workloads.md#deployments-and-yaml-manifests). +> [!NOTE] +> Kubernetes provider is not currently supported for private clusters: +> +> ```json +> resource AKS 'Microsoft.ContainerService/managedClusters@2023-01-02-preview' = { +> properties: { +> "apiServerAccessProfile": { +> "enablePrivateCluster": "true" +> } +> } +> } +> +> ``` +> + ## Enable the preview feature This preview feature can be enabled by configuring the [bicepconfig.json](./bicep-config.md): |
backup | Backup Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-overview.md | Title: What is Azure Backup? description: Provides an overview of the Azure Backup service, and how it contributes to your business continuity and disaster recovery (BCDR) strategy. Previously updated : 01/05/2024 Last updated : 01/30/2024 Azure Backup delivers these key benefits: - [Locally redundant storage (LRS)](../storage/common/storage-redundancy.md#locally-redundant-storage) replicates your data three times (it creates three copies of your data) in a storage scale unit in a datacenter. All copies of the data exist within the same region. LRS is a low-cost option for protecting your data from local hardware failures. - [Geo-redundant storage (GRS)](../storage/common/storage-redundancy.md#geo-redundant-storage) is the default and recommended replication option. GRS replicates your data to a secondary region (hundreds of miles away from the primary location of the source data). GRS costs more than LRS, but GRS provides a higher level of durability for your data, even if there's a regional outage. - [Zone-redundant storage (ZRS)](../storage/common/storage-redundancy.md#zone-redundant-storage) replicates your data in [availability zones](../availability-zones/az-overview.md#availability-zones), guaranteeing data residency and resiliency in the same region. ZRS has no downtime. So your critical workloads that require [data residency](https://azure.microsoft.com/resources/achieving-compliant-data-residency-and-security-with-azure/), and must have no downtime, can be backed up in ZRS.-- **Zone-redundancy** for Recovery Services vault and Backup Vault, as well as optional zone-redundancy for backup data. For more information on availability zone support and disaster recovery options see, [Reliability for Azure Backup](../reliability/reliability-backup.md).++ **Zone-redundancy** for Recovery Services vault and Backup vault, as well as optional zone-redundancy for backup data. Learn about [Reliability for Azure Backup](../reliability/reliability-backup.md). ## How Azure Backup protects from ransomware? |
backup | Sap Hana Backup Support Matrix | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/sap-hana-backup-support-matrix.md | Title: SAP HANA Backup support matrix description: In this article, learn about the supported scenarios and limitations when you use Azure Backup to back up SAP HANA databases on Azure VMs. Previously updated : 12/06/2023 Last updated : 01/30/2024 Azure Backup supports the backup of SAP HANA databases to Azure. This article su | -- | | | | **Topology** | SAP HANA running in Azure Linux VMs only | HANA Large Instances (HLI) | | **Regions** | **Americas** ΓÇô Central US, East US 2, East US, North Central US, South Central US, West US 2, West US 3, West Central US, West US, Canada Central, Canada East, Brazil South <br> **Asia Pacific** ΓÇô Australia Central, Australia Central 2, Australia East, Australia Southeast, Japan East, Japan West, Korea Central, Korea South, East Asia, Southeast Asia, Central India, South India, West India, China East, China East 2, China East 3, China North, China North 2, China North 3 <br> **Europe** ΓÇô West Europe, North Europe, France Central, UK South, UK West, Germany North, Germany West Central, Switzerland North, Switzerland West, Central Switzerland North, Norway East, Norway West, Sweden Central, Sweden South <br> **Africa / ME** - South Africa North, South Africa West, UAE North, UAE Central <BR> **Azure Government regions** | France South, Germany Central, Germany Northeast, US Gov IOWA |-| **OS versions** | SLES 12 with SP2, SP3, SP4 and SP5; SLES 15 with SP0, SP1, SP2, SP3, SP4, and SP5 <br><br> RHEL 7.4, 7.6, 7.7, 7.9, 8.1, 8.2, 8.4, 8.6, 8.8, and 9.0. | | +| **OS versions** | SLES 12 with SP2, SP3, SP4 and SP5; SLES 15 with SP0, SP1, SP2, SP3, SP4, and SP5 <br><br> RHEL 7.4, 7.6, 7.7, 7.9, 8.1, 8.2, 8.4, 8.6, 8.8, 9.0, and 9.2. | | | **HANA versions** | SDC on HANA 1.x, MDC on HANA 2.x SPS 04, SPS 05 Rev <= 59, SPS 06 (validated for encryption enabled scenarios as well), and SPS 07. | | | **Encryption** | SSLEnforce, HANA data encryption | | | **HANA Instances** | A single SAP HANA instance on a single Azure VM ΓÇô scale up only | Multiple SAP HANA instances on a single VM. You can protect only one of these multiple instances at a time. | Azure Backup supports the backup of SAP HANA databases to Azure. This article su | **Number of full backups per day** | One scheduled backup. <br><br> Three on-demand backups. <br><br> We recommend not to trigger more than three backups per day. However, to allow user retries in case of failed attempts, hard limit for on-demand backups is set to nine attempts. | | **HANA deployments** | HANA System Replication (HSR) | | | **Special configurations** | | SAP HANA + Dynamic Tiering <br> Cloning through LaMa |+| **Compression** | You can enable HANA Native compression via the Backup policy. [See the SAP HANA document](https://help.sap.com/docs/SAP_HANA_PLATFORM/6b94445c94ae495c83a19646e7c3fd56/86943e9f8d5343c59577755edff8296b.html). | | +| **Multi-streaming backup** | You can increase your streaming backup throughput from *420 MBps* to *1.5 GBps*. [Learn more](#support-for-multistreaming-data-backups). | | Azure Backup supports the backup of SAP HANA databases to Azure. This article su - **VM configuration applicable for multistreaming**: To utilize the benefits of multistreaming, the VM needs to have a minimum configuration of *16 vCPUs* and *128 GB* of RAM. - **Limiting factors**: Throughput of *total disk LVM striping* and *VM network*, whichever hits first. -Learn more about [SAP HANA Azure Virtual Machine storage](/azure/sap/workloads/hana-vm-operations-storage) and [SAP HANA Azure virtual machine Premium SSD storage configurations](/azure/sap/workloads/hana-vm-premium-ssd-v1) configurations. +Learn more about [SAP HANA Azure Virtual Machine storage](/azure/sap/workloads/hana-vm-operations-storage) and [SAP HANA Azure virtual machine Premium SSD storage configurations](/azure/sap/workloads/hana-vm-premium-ssd-v1) configurations. To configure multistreaming data backups, see the [SAP documentation](https://help.sap.com/docs/SAP_HANA_PLATFORM/6b94445c94ae495c83a19646e7c3fd56/18db704959a24809be8d01cc0a409681.html). |
communication-services | Get Phone Number | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/quickstarts/telephony/get-phone-number.md | -zone_pivot_groups: acs-azcli-azp-java-net-python-csharp-js +zone_pivot_groups: acs-azcli-azp-azpnew-java-net-python-csharp-js # Quickstart: Get and manage phone numbers zone_pivot_groups: acs-azcli-azp-java-net-python-csharp-js [!INCLUDE [Azure portal](./includes/phone-numbers-portal.md)] ::: zone-end + ::: zone pivot="programming-language-csharp" [!INCLUDE [Azure portal](./includes/phone-numbers-net.md)] ::: zone-end |
communication-services | Migrating To Azure Communication Services Calling | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/tutorials/migrating-to-azure-communication-services-calling.md | + + Title: Tutorial - Migrating from Twilio video to ACS ++description: In this tutorial, you learn how to migrate your calling product from Twilio to Azure Communication Services. ++++ Last updated : 01/26/2024+++++++# Migration Guide from Twilio Video to Azure Communication Services ++This article provides guidance on how to migrate your existing Twilio Video implementation to the [Azure Communication Services' Calling SDK](../concepts/voice-video-calling/calling-sdk-features.md) for WebJS. Twilio Video and Azure Communication Services' calling SDK for WebJS are both cloud-based platforms that enable developers to add voice and video calling features to their web applications. However, there are some key differences between them that may affect your choice of platform or require some changes to your existing code if you decide to migrate. In this article, we will compare the main features and functionalities of both platforms and provide some guidance on how to migrate your existing Twilio Video implementation to Azure Communication Services' Calling SDK for WebJS. ++## Key features of the Azure Communication Services calling SDK ++- Addressing - Azure Communication Services provides [identities](../concepts/identity-model.md) for authentication and addressing communication endpoints. These identities are used within Calling APIs, providing clients with a clear view of who is connected to a call (the roster). +- Encryption - The Calling SDK safeguards traffic by encrypting it and preventing tampering along the way. +- Device Management and Media - The SDK handles the management of audio and video devices, efficiently encodes content for transmission, and supports both screen and application sharing. +- PSTN - The SDK can initiate voice calls with the traditional Public Switched Telephone Network (PSTN), [using phone numbers acquired either in the Azure portal](../quickstarts/telephony/get-phone-number.md) or programmatically. +- Teams Meetings ΓÇô Azure Communication Services is equipped to [join Teams meetings](../quickstarts/voice-video-calling/get-started-teams-interop.md) and interact with Teams voice and its video calls. +- Notifications - Azure Communication Services provides APIs for notifying clients of incoming calls, allowing your application to listen to events (for example, incoming calls) even when your application is not running in the foreground. +- User Facing Diagnostics (UFD) - Azure Communication Services utilizes [events](../concepts/voice-video-calling/user-facing-diagnostics.md) designed to provide insights into underlying issues that could affect call quality, allowing developers to subscribe to triggers such as weak network signals or muted microphones for proactive issue awareness. +- Media Statics - Provides comprehensive insights into VoIP and video call [metrics](../concepts/voice-video-calling/media-quality-sdk.md), including call quality information, empowering developers to enhance communication experiences. +- Video Constraints - Azure Communication Services offers APIs that control [video quality among other parameters](../quickstarts/voice-video-calling/get-started-video-constraints.md) during video calls. By adjusting parameters like resolution and frame rate, the SDK supports different call situations for varied levels of video quality. ++**For a more detailed understanding of the capabilities of the Calling SDK for different platforms, consult** [**this document**](../concepts/voice-video-calling/calling-sdk-features.md#detailed-capabilities)**.** ++If you're embarking on a new project from the ground up, see the [Quickstarts of the Calling SDK](../quickstarts/voice-video-calling/get-started-with-video-calling.md?pivots=platform-web). ++**Prerequisites:** ++1. **Azure Account:** Confirm that you have an active subscription in your Azure account. New users can create a free Azure account [here](https://azure.microsoft.com/free/). +2. **Node.js 18:** Ensure Node.js 18 is installed on your system; download can be found right [here](https://nodejs.org/en). +3. **Communication Services Resource:** Set up a [Communication Services Resource](../quickstarts/create-communication-resource.md?tabs=windows&pivots=platform-azp) via your Azure portal and note down your connection string. +4. **Azure CLI:** You can get the Azure CLI installer from [here](/cli/azure/install-azure-cli-windows?tabs=azure-cli).. +5. **User Access Token:** Generate a user access token to instantiate the call client. You can create one using the Azure CLI as follows: +```console +az communication identity token issue --scope voip --connection-string "yourConnectionString" +``` ++For more information, see the guide on how to [Use Azure CLI to Create and Manage Access Tokens](../quickstarts/identity/access-tokens.md?pivots=platform-azcli). ++For Video Calling as a Teams user: ++- You also can use Teams identity. For instructions on how to generate an access token for a Teams User, [follow this guide](../quickstarts/manage-teams-identity.md?pivots=programming-language-javascript). +- Obtain the Teams thread ID for call operations using the [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer). Additional information on how to create a chat thread ID can be found [here](/graph/api/chat-post?preserve-view=true&tabs=javascript&view=graph-rest-1.0#example-2-create-a-group-chat). ++### UI library ++The UI Library simplifies the process of creating modern communication user interfaces using Azure Communication Services. It offers a collection of ready-to-use UI components that you can easily integrate into your application. ++This prebuilt set of controls facilitates the creation of aesthetically pleasing designs using [Fluent UI SDK](https://developer.microsoft.com/en-us/fluentui#/) components and the development of audio/video communication experiences. If you wish to explore more about the UI Library, check out the [overview page](../concepts/ui-library/ui-library-overview.md), where you find comprehensive information about both web and mobile platforms. ++### Calling support ++The Azure Communication Services Calling SDK supports the following streaming configurations: ++| Limit | Web | Windows/Android/iOS | +||-|--| +| Maximum \# of outgoing local streams that can be sent simultaneously | 1 video and 1 screen sharing | 1 video + 1 screen sharing | +| Maximum \# of incoming remote streams that can be rendered simultaneously | 9 videos + 1 screen sharing on desktop browsers\*, 4 videos + 1 screen sharing on web mobile browsers | 9 videos + 1 screen sharing | ++## Call Types in Azure Communication Services ++Azure Communication Services offers various call types. The type of call you choose impacts your signaling schema, the flow of media traffic, and your pricing model. Further details can be found [here](../concepts/voice-video-calling/about-call-types.md). ++- Voice Over IP (VoIP) - This type of call involves one user of your application calling another over an internet or data connection. Both signaling and media traffic are routed over the internet. +- Public Switched Telephone Network (PSTN) - When your users interact with a traditional telephone number, calls are facilitated via PSTN voice calling. In order to make and receive PSTN calls, you need to introduce telephony capabilities to your Azure Communication Services resource. Here, signaling and media employ a mix of IP-based and PSTN-based technologies to connect your users. +- One-to-One Call - When one of your users connects with another through our SDKs. The call can be established via either VoIP or PSTN. +- Group Call - Involved when three or more participants connect. Any combination of VoIP and PSTN-connected users can partake in a group call. A one-to-one call can evolve into a group call by adding more participants to the call, and one of these participants can be a bot. +- Rooms Call - A Room acts as a container that manages activity between end-users of Azure Communication Services. It provides application developers with enhanced control over who can join a call, when they can meet, and how they collaborate. For a more comprehensive understanding of Rooms, please refer to the [conceptual documentation](../concepts/rooms/room-concept.md). ++## Installation ++### Install the Azure Communication Services calling SDK ++Use the `npm install` command to install the Azure Communication Services Calling SDK for JavaScript. +```console +npm install @azure/communication-common npm install @azure/communication-calling +``` ++### Remove the Twilio SDK from the project ++You can remove the Twilio SDK from your project by uninstalling the package +```console +npm uninstall twilio-video +``` ++## Object model ++The following classes and interfaces handle some of the main features of the Azure Communication Services Calling SDK: ++| **Name** | **Description** | +|--|-| +| CallClient | The main entry point to the Calling SDK. | +| AzureCommunicationTokenCredential | Implements the CommunicationTokenCredential interface, which is used to instantiate the CallAgent. | +| CallAgent | Used to start and manage calls. | +| Device Manager | Used to manage media devices. | +| Call | Used for representing a Call. | +| LocalVideoStream | Used for creating a local video stream for a camera device on the local system. | +| RemoteParticipant | Used for representing a remote participant in the Call. | +| RemoteVideoStream | Used for representing a remote video stream from a Remote Participant. | +| LocalAudioStream | Represents a local audio stream for a local microphone device | +| AudioOptions | Audio options, which are provided when making an outgoing call or joining a group call | +| AudioIssue | Represents the end of call survey audio issues, example responses would be NoLocalAudio - the other participants were unable to hear me, or LowVolume - the callΓÇÖs audio volume was low | ++When using in a Teams implementation there are a few differences: ++- Instead of `CallAgent` - use `TeamsCallAgent` for starting and managing Teams calls. +- Instead of `Call` - use `TeamsCall` for representing a Teams Call. ++## Initialize the Calling SDK (CallClient/CallAgent) ++Using the `CallClient`, initialize a `CallAgent` instance. The `createCallAgent` method uses CommunicationTokenCredential as an argument. It accepts a [user access token](../quickstarts/identity/access-tokens.md?tabs=windows&pivots=programming-language-javascript). ++### Device manager ++#### Twilio ++Twilio doesn't have a Device Manager analog, tracks are being created using the systemΓÇÖs default device. For customization, you should obtain the desired source track via: +```javascript +navigator.mediaDevices.getUserMedia() +``` ++And pass it to the track creation method. ++#### Azure Communication Services +```javascript +const { CallClient } = require('@azure/communication-calling'); +const { AzureCommunicationTokenCredential} = require('@azure/communication-common'); ++const userToken = '<USER_TOKEN>'; +const tokenCredential = new AzureCommunicationTokenCredential(userToken); ++callClient = new CallClient(); +const callAgent = await callClient.createCallAgent(tokenCredential, {displayName: 'optional user name'}); +``` ++You can use the getDeviceManager method on the CallClient instance to access deviceManager. ++```javascript +const deviceManager = await callClient.getDeviceManager(); +// Get a list of available video devices for use. +const localCameras = await deviceManager.getCameras(); ++// Get a list of available microphone devices for use. +const localMicrophones = await deviceManager.getMicrophones(); ++// Get a list of available speaker devices for use. +const localSpeakers = await deviceManager.getSpeakers(); +``` ++### Get device permissions ++#### Twilio ++Twilio Video asks for device permissions on track creation. ++#### Azure Communication Services ++Prompt a user to grant camera and/or microphone permissions: +```javascript +const result = await deviceManager.askDevicePermission({audio: true, video: true}); +``` ++The output returns with an object that indicates whether audio and video permissions were granted: +```javascript +console.log(result.audio); console.log(result.video); +``` ++## Starting a call ++### Twilio ++```javascript +import * as TwilioVideo from 'twilio-video'; ++const twilioVideo = TwilioVideo; +let twilioRoom; ++twilioRoom = await twilioVideo.connect('token', { name: 'roomName', audio: false, video: false }); +``` ++### Azure Communication Services ++To create and start a call, use one of the APIs on `callAgent` and provide a user that you created through the Communication Services identity SDK. ++Call creation and start are synchronous. The `call` instance allows you to subscribe to call events - subscribe to `stateChanged` event for value changes. +```javascript +call.on('stateChanged', async () =\> { console.log(\`Call state changed: \${call.state}\`) }); +`````` ++### Azure Communication Services 1:1 Call ++To call another Communication Services user, use the `startCall` method on `callAgent` and pass the recipient's CommunicationUserIdentifier that you [created with the Communication Services administration library](../quickstarts/identity/access-tokens.md). +```javascript +const userCallee = { communicationUserId: '\<Azure_Communication_Services_USER_ID\>' }; +const oneToOneCall = callAgent.startCall([userCallee]); +``` ++### Azure Communication Services Room Call ++To join a `room` call, you can instantiate a context object with the `roomId` property as the room identifier. To join the call, use the join method and pass the context instance. +```javascript +const context = { roomId: '\<RoomId\>' }; +const call = callAgent.join(context); +``` +A **room** offers application developers better control over who can join a call, when they meet and how they collaborate. To learn more about **rooms**, you can read the [conceptual documentation](../concepts/rooms/room-concept.md) or follow the [quick start guide](../quickstarts/rooms/join-rooms-call.md). ++### Azure Communication Services group Call ++To start a new group call or join an ongoing group call, use the `join` method and pass an object with a groupId property. The `groupId` value has to be a GUID. +```javascript +const context = { groupId: '\<GUID\>'}; +const call = callAgent.join(context); +``` ++### Azure Communication Services Teams call ++Start a synchronous one-to-one or group call with `startCall` API on `teamsCallAgent`. You can provide `MicrosoftTeamsUserIdentifier` or `PhoneNumberIdentifier` as a parameter to define the target of the call. The method returns the `TeamsCall` instance that allows you to subscribe to call events. +```javascript +const userCallee = { microsoftTeamsUserId: '\<MICROSOFT_TEAMS_USER_ID\>' }; +const oneToOneCall = teamsCallAgent.startCall(userCallee); +``` ++## Accepting and joining a call ++### Twilio ++The Twilio Video SDK the Participant is being created after joining the room, and it doesn't have any information about other rooms. ++### Azure Communication Services ++Azure Communication Services has the `CallAgent` instance, which emits an `incomingCall` event when the logged-in identity receives an incoming call. +```javascript +callAgent.on('incomingCall', async (call) =\>{ + // Incoming call + }); +``` ++The `incomingCall` event includes an `incomingCall` instance that you can accept or reject. ++When starting/joining/accepting a call with video on, if the specified video camera device is being used by another process or if it's disabled in the system, the call starts with video off, and a `cameraStartFailed:` true call diagnostic will be raised. ++```javascript +const incomingCallHandler = async (args: { incomingCall: IncomingCall }) => { + const incomingCall = args.incomingCall; ++ // Get incoming call ID + var incomingCallId = incomingCall.id ++ // Get information about this Call. This API is provided as a preview for developers and may change based on feedback that we receive. Do not use this API in a production environment. To use this api please use 'beta' release of Azure Communication Services Calling Web SDK + var callInfo = incomingCall.info; ++ // Get information about caller + var callerInfo = incomingCall.callerInfo + + // Accept the call + var call = await incomingCall.accept(); ++ // Reject the call + incomingCall.reject(); ++ // Subscribe to callEnded event and get the call end reason + incomingCall.on('callEnded', args => + { console.log(args.callEndReason); + }); ++ // callEndReason is also a property of IncomingCall + var callEndReason = incomingCall.callEndReason; +}; ++callAgentInstance.on('incomingCall', incomingCallHandler); ++``` ++After starting a call, joining a call, or accepting a call, you can also use the callAgents' `callsUpdated` event to be notified of the new Call object and start subscribing to it. +```javascript +callAgent.on('callsUpdated', (event) => { + event.added.forEach((call) => { + // User joined call + }); + + event.removed.forEach((call) => { + // User left call + }); +}); +``` ++For Azure Communication Services Teams implementation, check how to [Receive a Teams Incoming Call](../how-tos/cte-calling-sdk/manage-calls.md#receive-a-teams-incoming-call). ++## Adding participants to call ++### Twilio ++Participants can't be added or removed from Twilio Room, they need to join the Room or disconnect from it themselves. ++Local Participant in Twilio Room can be accessed this way: +```javascript +let localParticipant = twilioRoom.localParticipant; +``` ++Remote Participants in Twilio Room are represented with a map that has unique Participant SID as a key: +```javascript +twilioRoom.participants; +``` ++### Azure Communication Services ++All remote participants are represented by `RemoteParticipant` type and available through `remoteParticipants` collection on a call instance. ++The `remoteParticipants` collection returns a list of remote participants in a call: +```javascript +call.remoteParticipants; // [remoteParticipant, remoteParticipant....] +``` ++**Add participant:** ++To add a participant to a call, you can use `addParticipant`. Provide one of the Identifier types. It synchronously returns the remoteParticipant instance. ++The `remoteParticipantsUpdated` event from Call is raised when a participant is successfully added to the call. +```javascript +const userIdentifier = { communicationUserId: '<Azure_Communication_Services_USER_ID>' }; +const remoteParticipant = call.addParticipant(userIdentifier); +``` ++**Remove participant:** ++To remove a participant from a call, you can invoke `removeParticipant`. You have to pass one of the Identifier types. This method resolves asynchronously after the participant is removed from the call. The participant is also removed from the `remoteParticipants` collection. +```javascript +const userIdentifier = { communicationUserId: '<Azure_Communication_Services_USER_ID>' }; +await call.removeParticipant(userIdentifier); ++``` ++Subscribe to the call's `remoteParticipantsUpdated` event to be notified when new participants are added to the call or removed from the call. ++```javascript +call.on('remoteParticipantsUpdated', e => { + e.added.forEach(remoteParticipant => { + // Subscribe to new remote participants that are added to the call + }); + + e.removed.forEach(remoteParticipant => { + // Unsubscribe from participants that are removed from the call + }) ++}); +``` ++Subscribe to remote participant's `stateChanged` event for value changes. +```javascript +remoteParticipant.on('stateChanged', () => { + console.log(`Remote participants state changed: ${remoteParticipant.state}`) +}); +``` ++## Video ++### Starting and stopping video ++#### Twilio ++```javascript +const videoTrack = await twilioVideo.createLocalVideoTrack({ constraints }); +const videoTrackPublication = await localParticipant.publishTrack(videoTrack, { options }); +``` ++Camera is enabled by default, however it can be disabled and enabled back if necessary: +```javascript +videoTrack.disable(); +``` +Or +```javascript +videoTrack.enable(); +``` ++Later created video track should be attached locally: ++```javascript +const videoElement = videoTrack.attach(); +const localVideoContainer = document.getElementById( localVideoContainerId ); +localVideoContainer.appendChild(videoElement); ++``` ++Twilio Tracks rely on default input devices and reflect the changes in defaults. However, to change an input device, the previous Video Track should be unpublished: ++```javascript +localParticipant.unpublishTrack(videoTrack); +``` ++And a new Video Track with the correct constraints should be created. ++#### Azure Communication Services +To start a video while on a call, you have to enumerate cameras using the getCameras method on the `deviceManager` object. Then create a new instance of `LocalVideoStream` with the desired camera and then pass the `LocalVideoStream` object into the `startVideo` method of an existing call object: ++```javascript +const deviceManager = await callClient.getDeviceManager(); +const cameras = await deviceManager.getCameras(); +const camera = cameras[0] +const localVideoStream = new LocalVideoStream(camera); +await call.startVideo(localVideoStream); +``` ++After you successfully start sending video, a LocalVideoStream instance of type Video is added to the localVideoStreams collection on a call instance. +```javascript +const localVideoStream = call.localVideoStreams.find( (stream) =\> { return stream.mediaStreamType === 'Video'} ); +``` ++To stop local video while on a call, pass the localVideoStream instance that's being used for video: +```javascript +await call.stopVideo(localVideoStream); +``` ++You can switch to a different camera device while a video is sending by invoking switchSource on a localVideoStream instance: ++```javascript +const cameras = await callClient.getDeviceManager().getCameras(); +const camera = cameras[1]; +localVideoStream.switchSource(camera); +``` ++If the specified video device is being used by another process, or if it's disabled in the system: ++- While in a call, if your video is off and you start video using call.startVideo(), this method throws a `SourceUnavailableError` and `cameraStartFailed` will be set to true. +- A call to the `localVideoStream.switchSource()` method causes `cameraStartFailed` to be set to true. Our [Call Diagnostics guide](../concepts/voice-video-calling/call-diagnostics.md) provides additional information on how to diagnose call related issues. ++To verify if the local video is on or off you can use `isLocalVideoStarted` API, which returns true or false: +```javascript +call.isLocalVideoStarted; +``` ++To listen for changes to the local video, you can subscribe and unsubscribe to the `isLocalVideoStartedChanged` event ++```javascript +// Subscribe to local video event +call.on('isLocalVideoStartedChanged', () => { + // Callback(); +}); +// Unsubscribe from local video event +call.off('isLocalVideoStartedChanged', () => { + // Callback(); +}); ++``` ++### Rendering a remote user video ++#### Twilio ++As soon as a Remote Participant publishes a Video Track, it needs to be attached. `trackSubscribed` event on Room or Remote Participant allows you to detect when the track can be attached: ++```javascript +twilioRoom.on('participantConneted', (participant) => { + participant.on('trackSubscribed', (track) => { + const remoteVideoElement = track.attach(); + const remoteVideoContainer = document.getElementById(remoteVideoContainerId + participant.identity); + remoteVideoContainer.appendChild(remoteVideoElement); + }); +}); +``` ++Or ++```javascript +twilioRoom..on('trackSubscribed', (track, publication, participant) => { + const remoteVideoElement = track.attach(); + const remoteVideoContainer = document.getElementById(remoteVideoContainerId + participant.identity); + remoteVideoContainer.appendChild(remoteVideoElement); + }); +}); +``` ++#### Azure Communication Services ++To list the video streams and screen sharing streams of remote participants, inspect the `videoStreams` collections: +```javascript +const remoteVideoStream: RemoteVideoStream = call.remoteParticipants[0].videoStreams[0]; +const streamType: MediaStreamType = remoteVideoStream.mediaStreamType; +``` ++To render `RemoteVideoStream`, you have to subscribe to its `isAvailableChanged` event. If the `isAvailable` property changes to true, a remote participant is sending a stream. After that happens, create a new instance of `VideoStreamRenderer`, and then create a new `VideoStreamRendererView` instance by using the asynchronous createView method. You can then attach `view.target` to any UI element. ++Whenever availability of a remote stream changes, you can destroy the whole `VideoStreamRenderer` or a specific `VideoStreamRendererView`. If you do decide to keep them it will result in displaying a blank video frame. ++```javascript +// Reference to the html's div where we would display a grid of all remote video streams from all participants. +let remoteVideosGallery = document.getElementById('remoteVideosGallery'); ++subscribeToRemoteVideoStream = async (remoteVideoStream) => { + let renderer = new VideoStreamRenderer(remoteVideoStream); + let view; + let remoteVideoContainer = document.createElement('div'); + remoteVideoContainer.className = 'remote-video-container'; ++ let loadingSpinner = document.createElement('div'); + // See the css example below for styling the loading spinner. + loadingSpinner.className = 'loading-spinner'; + remoteVideoStream.on('isReceivingChanged', () => { + try { + if (remoteVideoStream.isAvailable) { + const isReceiving = remoteVideoStream.isReceiving; + const isLoadingSpinnerActive = remoteVideoContainer.contains(loadingSpinner); + if (!isReceiving && !isLoadingSpinnerActive) { + remoteVideoContainer.appendChild(loadingSpinner); + } else if (isReceiving && isLoadingSpinnerActive) { + remoteVideoContainer.removeChild(loadingSpinner); + } + } + } catch (e) { + console.error(e); + } + }); ++ const createView = async () => { + // Create a renderer view for the remote video stream. + view = await renderer.createView(); + // Attach the renderer view to the UI. + remoteVideoContainer.appendChild(view.target); + remoteVideosGallery.appendChild(remoteVideoContainer); + } ++ // Remote participant has switched video on/off + remoteVideoStream.on('isAvailableChanged', async () => { + try { + if (remoteVideoStream.isAvailable) { + await createView(); + } else { + view.dispose(); + remoteVideosGallery.removeChild(remoteVideoContainer); + } + } catch (e) { + console.error(e); + } + }); ++ // Remote participant has video on initially. + if (remoteVideoStream.isAvailable) { + try { + await createView(); + } catch (e) { + console.error(e); + } + } + + console.log(`Initial stream size: height: ${remoteVideoStream.size.height}, width: ${remoteVideoStream.size.width}`); + remoteVideoStream.on('sizeChanged', () => { + console.log(`Remote video stream size changed: new height: ${remoteVideoStream.size.height}, new width: ${remoteVideoStream.size.width}`); + }); +} ++``` ++Subscribe to the remote participant's videoStreamsUpdated event to be notified when the remote participant adds new video streams and removes video streams. ++```javascript +remoteParticipant.on('videoStreamsUpdated', e => { + e.added.forEach(remoteVideoStream => { + // Subscribe to new remote participant's video streams + }); ++ e.removed.forEach(remoteVideoStream => { + // Unsubscribe from remote participant's video streams + }); +}); ++``` ++### Virtual background ++#### Twilio ++To use Virtual Background, Twilio helper library should be installed: +```console +npm install @twilio/video-processors +``` ++New Processor instance should be created and loaded: ++```javascript +import { GaussianBlurBackgroundProcessor } from '@twilio/video-processors'; ++const blurProcessor = new GaussianBlurBackgroundProcessor({ assetsPath: virtualBackgroundAssets }); ++await blurProcessor.loadModel(); +``` +As soon as the model is loaded the background can be added to the video track via addProcessor method: +```javascript +videoTrack.addProcessor(processor, { inputFrameBufferType: 'video', outputFrameBufferContextType: 'webgl2' }); +``` +++#### Azure Communication Services ++Use the npm install command to install the Azure Communication Services Effects SDK for JavaScript. +```console +npm install @azure/communication-calling-effects --save +``` ++> [!NOTE] +> To use video effects with the Azure Communication Calling SDK, once you've created a LocalVideoStream, you need to get the VideoEffects feature API of the LocalVideoStream to start/stop video effects: ++```javascript +import * as AzureCommunicationCallingSDK from '@azure/communication-calling'; ++import { BackgroundBlurEffect, BackgroundReplacementEffect } from '@azure/communication-calling-effects'; ++// Get the video effects feature API on the LocalVideoStream +// (here, localVideoStream is the LocalVideoStream object you created while setting up video calling) +const videoEffectsFeatureApi = localVideoStream.feature(AzureCommunicationCallingSDK.Features.VideoEffects); ++// Subscribe to useful events +videoEffectsFeatureApi.on(ΓÇÿeffectsStartedΓÇÖ, () => { + // Effects started +}); ++videoEffectsFeatureApi.on(ΓÇÿeffectsStoppedΓÇÖ, () => { + // Effects stopped +}); ++videoEffectsFeatureApi.on(ΓÇÿeffectsErrorΓÇÖ, (error) => { + // Effects error +}); +``` ++To blur the background: ++```javascript +// Create the effect instance +const backgroundBlurEffect = new BackgroundBlurEffect(); ++// Recommended: Check support +const backgroundBlurSupported = await backgroundBlurEffect.isSupported(); ++if (backgroundBlurSupported) { + // Use the video effects feature API we created to start effects + await videoEffectsFeatureApi.startEffects(backgroundBlurEffect); +} +``` ++For background replacement with an image you need to provide the URL of the image you want as the background to this effect. Currently supported image formats are: png, jpg, jpeg, tiff, bmp, and current supported aspect ratio is 16:9 ++```javascript +const backgroundImage = 'https://linkToImageFile'; ++// Create the effect instance +const backgroundReplacementEffect = new BackgroundReplacementEffect({ + backgroundImageUrl: backgroundImage +}); ++// Recommended: Check support +const backgroundReplacementSupported = await backgroundReplacementEffect.isSupported(); ++if (backgroundReplacementSupported) { + // Use the video effects feature API as before to start/stop effects + await videoEffectsFeatureApi.startEffects(backgroundReplacementEffect); +} +``` ++Changing the image for this effect can be done by passing it via the configured method: +```javascript +const newBackgroundImage = 'https://linkToNewImageFile'; ++await backgroundReplacementEffect.configure({ + backgroundImageUrl: newBackgroundImage +}); +``` ++Switching effects can be done using the same method on the video effects feature API: ++```javascript +// Switch to background blur +await videoEffectsFeatureApi.startEffects(backgroundBlurEffect); ++// Switch to background replacement +await videoEffectsFeatureApi.startEffects(backgroundReplacementEffect); +``` ++At any time if you want to check what effects are active, you can use the `activeEffects` property. The `activeEffects` property returns an array with the names of the currently active effects and returns an empty array if there are no affects active. +```javascript +// Using the video effects feature API +const currentActiveEffects = videoEffectsFeatureApi.activeEffects; +``` ++To stop effects: +```javascript +await videoEffectsFeatureApi.stopEffects(); +``` +++## Audio ++### Starting and stopping audio ++#### Twilio ++```javascript +const audioTrack = await twilioVideo.createLocalAudioTrack({ constraints }); +const audioTrackPublication = await localParticipant.publishTrack(audioTrack, { options }); +``` ++Microphone is enabled by default, however it can be disabled and enabled back if necessary: +```javascript +audioTrack.disable(); +``` ++Or +```javascript +audioTrack.enable(); +``` ++Created Audio Track should be attached by Local Participant the same way as Video Track: ++```javascript +const audioElement = audioTrack.attach(); +const localAudioContainer = document.getElementById(localAudioContainerId); +localAudioContainer.appendChild(audioElement); +``` ++And by Remote Participant: ++```javascript +twilioRoom.on('participantConneted', (participant) => { + participant.on('trackSubscribed', (track) => { + const remoteAudioElement = track.attach(); + const remoteAudioContainer = document.getElementById(remoteAudioContainerId + participant.identity); + remoteAudioContainer.appendChild(remoteAudioElement); + }); +}); +``` ++Or ++```javascript +twilioRoom..on('trackSubscribed', (track, publication, participant) => { + const remoteAudioElement = track.attach(); + const remoteAudioContainer = document.getElementById(remoteAudioContainerId + participant.identity); + remoteVideoContainer.appendChild(remoteAudioElement); + }); +}); ++``` ++It is impossible to mute incoming audio in Twilio Video SDK. ++#### Azure Communication Services ++```javascript +await call.startAudio(); +``` ++To mute or unmute the local endpoint, you can use the mute and unmute asynchronous APIs: ++```javascript +//mute local device (microphone / sent audio) +await call.mute(); ++//unmute local device (microphone / sent audio) +await call.unmute(); +``` ++Mute incoming audio sets the call volume to 0. To mute or unmute the incoming audio, use the `muteIncomingAudio` and `unmuteIncomingAudio` asynchronous APIs: ++```javascript +//mute local device (speaker) +await call.muteIncomingAudio(); ++//unmute local device (speaker) +await call.unmuteIncomingAudio(); ++``` ++### Detecting Dominant speaker ++#### Twilio ++To detect the loudest Participant in the Room, Dominant Speaker API can be used. It can be enabled in the connection options when joining the Group Room with at least 2 participants: +```javascript +twilioRoom = await twilioVideo.connect('token', { +name: 'roomName', +audio: false, +video: false, +dominantSpeaker: true +}); +``` ++When the loudest speaker in the Room will change, the dominantSpeakerChanged event is emitted: ++```javascript +twilioRoom.on('dominantSpeakerChanged', (participant) => { + // Highlighting the loudest speaker +}); +``` ++#### Azure Communication Services ++Dominant speakers for a call are an extended feature of the core Call API and allows you to obtain a list of the active speakers in the call. This is a ranked list, where the first element in the list represents the last active speaker on the call and so on. ++In order to obtain the dominant speakers in a call, you first need to obtain the call dominant speakers feature API object: +```javascript +const callDominantSpeakersApi = call.feature(Features.CallDominantSpeakers); +``` ++Next you can obtain the list of the dominant speakers by calling `dominantSpeakers`. This has a type of `DominantSpeakersInfo`, which has the following members: ++- `speakersList` contains the list of the ranked dominant speakers in the call. These are represented by their participant ID. +- `timestamp` is the latest update time for the dominant speakers in the call. +```javascript +let dominantSpeakers: DominantSpeakersInfo = callDominantSpeakersApi.dominantSpeakers; +``` ++Also, you can subscribe to the `dominantSpeakersChanged` event to know when the dominant speakers list has changed. ++```javascript +const dominantSpeakersChangedHandler = () => { + // Get the most up-to-date list of dominant speakers + let dominantSpeakers = callDominantSpeakersApi.dominantSpeakers; +}; +callDominantSpeakersApi.on('dominantSpeakersChanged', dominantSpeakersChangedHandler); ++``` ++## Enabling screen sharing +### Twilio ++To share the screen in Twilio Video, source track should be obtained via navigator.mediaDevices ++Chromium-based browsers: +```javascript +const stream = await navigator.mediaDevices.getDisplayMedia({ + audio: false, + video: true + }); +const track = stream.getTracks()[0]; +``` ++Firefox and Safari: +```javascript +const stream = await navigator.mediaDevices.getUserMedia({ mediaSource: 'screen' }); +const track = stream.getTracks()[0]; +``` ++Obtain the screen share track can then be published and managed the same way as casual Video Track (see the ΓÇ£VideoΓÇ¥ section). ++### Azure Communication Services ++To start screen sharing while on a call, you can use asynchronous API `startScreenSharing`: +```javascript +await call.startScreenSharing(); +``` ++After successfully starting to sending screen sharing, a `LocalVideoStream` instance of type `ScreenSharing` is created and is added to the `localVideoStreams` collection on the call instance. ++```javascript +const localVideoStream = call.localVideoStreams.find( (stream) => { return stream.mediaStreamType === 'ScreenSharing'} ); +``` ++To stop screen sharing while on a call, you can use asynchronous API `stopScreenSharing`: +```javascript +await call.stopScreenSharing(); +``` ++To verify if screen sharing is on or off, you can use `isScreenSharingOn` API, which returns true or false: +```javascript +call.isScreenSharingOn; +``` ++To listen for changes to the screen share, you can subscribe and unsubscribe to the `isScreenSharingOnChanged` event ++```javascript +// Subscribe to screen share event +call.on('isScreenSharingOnChanged', () => { + // Callback(); +}); +// Unsubscribe from screen share event +call.off('isScreenSharingOnChanged', () => { + // Callback(); +}); ++``` ++## Media quality statistics ++### Twilio ++To collect real-time media stats, the getStats method can be used. +```javascript +const stats = twilioRoom.getStats(); +``` ++### Azure Communication Services ++Media quality statistics is an extended feature of the core Call API. You first need to obtain the mediaStatsFeature API object: ++```javascript +const mediaStatsFeature = call.feature(Features.MediaStats); +``` +++To receive the media statistics data, you can subscribe `sampleReported` event or `summmaryReported` event: ++- `sampleReported` event triggers every second. It's suitable as a data source for UI display or your own data pipeline. +- `summmaryReported` event contains the aggregated values of the data over intervals, which is useful when you just need a summary. ++If you want control over the interval of the summmaryReported event, you need to define `mediaStatsCollectorOptions` of type `MediaStatsCollectorOptions`. Otherwise, the SDK uses default values. +```javascript +const mediaStatsCollectorOptions: SDK.MediaStatsCollectorOptions = { + aggregationInterval: 10, + dataPointsPerAggregation: 6 +}; ++const mediaStatsCollector = mediaStatsFeature.createCollector(mediaStatsSubscriptionOptions); ++mediaStatsCollector.on('sampleReported', (sample) => { + console.log('media stats sample', sample); +}); ++mediaStatsCollector.on('summaryReported', (summary) => { + console.log('media stats summary', summary); +}); +``` ++In case you don't need to use the media statistics collector, you can call dispose method of `mediaStatsCollector`. ++```javascript +mediaStatsCollector.dispose(); +``` +++It's not necessary to call the dispose method of `mediaStatsCollector` every time the call ends, as the collectors are reclaimed internally when the call ends. ++You can learn more about media quality statistics [here](../concepts/voice-video-calling/media-quality-sdk.md?pivots=platform-web). ++## Diagnostics ++### Twilio ++To test connectivity, Twilio offers Preflight API - a test call is performed to identify signaling and media connectivity issues. ++To launch the test, an access token is required: ++```javascript +const preflightTest = twilioVideo.runPreflight(token); ++// Emits when particular call step completes +preflightTest.on('progress', (progress) => { + console.log(`Preflight progress: ${progress}`); +}); ++// Emits if the test has failed and returns error and partial test results +preflightTest.on('failed', (error, report) => { + console.error(`Preflight error: ${error}`); + console.log(`Partial preflight test report: ${report}`); +}); ++// Emits when the test has been completed successfully and returns the report +preflightTest.on('completed', (report) => { + console.log(`Preflight test report: ${report}`); +}); ++``` ++Another way to identify network issues during the call is Network Quality API, which monitors Participant's network and provides quality metrics. It can be enabled in the connection options when joining the Group Room: ++```javascript +twilioRoom = await twilioVideo.connect('token', { + name: 'roomName', + audio: false, + video: false, + networkQuality: { + local: 3, // Local Participant's Network Quality verbosity + remote: 1 // Remote Participants' Network Quality verbosity + } +}); +``` ++When the network quality for Participant changes, a `networkQualityLevelChanged` event will be emitted: +```javascript +participant.on(networkQualityLevelChanged, (networkQualityLevel, networkQualityStats) => { + // Processing Network Quality stats +}); +``` ++### Azure Communication Services +Azure Communication Services provides a feature called `"User Facing Diagnostics" (UFD)` that can be used to examine various properties of a call to determine what the issue might be. User Facing Diagnostics are events that are fired off that could indicate due to some underlying issue (poor network, the user has their microphone muted) that a user might have a poor experience. ++User-facing diagnostics is an extended feature of the core Call API and allows you to diagnose an active call. +```javascript +const userFacingDiagnostics = call.feature(Features.UserFacingDiagnostics); +``` ++Subscribe to the diagnosticChanged event to monitor when any user-facing diagnostic changes: +```javascript +/** + * Each diagnostic has the following data: + * - diagnostic is the type of diagnostic, e.g. NetworkSendQuality, DeviceSpeakWhileMuted + * - value is DiagnosticQuality or DiagnosticFlag: + * - DiagnosticQuality = enum { Good = 1, Poor = 2, Bad = 3 }. + * - DiagnosticFlag = true | false. + * - valueType = 'DiagnosticQuality' | 'DiagnosticFlag' + */ +const diagnosticChangedListener = (diagnosticInfo: NetworkDiagnosticChangedEventArgs | MediaDiagnosticChangedEventArgs) => { + console.log(`Diagnostic changed: ` + + `Diagnostic: ${diagnosticInfo.diagnostic}` + + `Value: ${diagnosticInfo.value}` + + `Value type: ${diagnosticInfo.valueType}`); ++ if (diagnosticInfo.valueType === 'DiagnosticQuality') { + if (diagnosticInfo.value === DiagnosticQuality.Bad) { + console.error(`${diagnosticInfo.diagnostic} is bad quality`); ++ } else if (diagnosticInfo.value === DiagnosticQuality.Poor) { + console.error(`${diagnosticInfo.diagnostic} is poor quality`); + } ++ } else if (diagnosticInfo.valueType === 'DiagnosticFlag') { + if (diagnosticInfo.value === true) { + console.error(`${diagnosticInfo.diagnostic}`); + } + } +}; ++userFacingDiagnostics.network.on('diagnosticChanged', diagnosticChangedListener); +userFacingDiagnostics.media.on('diagnosticChanged', diagnosticChangedListener); ++``` ++You can learn more about User Facing Diagnostics and the different diagnostic values available in [this article](../concepts/voice-video-calling/user-facing-diagnostics.md?pivots=platform-web). ++ACS also provides a pre-call diagnostics API. To Access the Pre-Call API, you need to initialize a `callClient`, and provision an Azure Communication Services access token. There you can access the `PreCallDiagnostics` feature and the `startTest` method. ++```javascript +import { CallClient, Features} from "@azure/communication-calling"; +import { AzureCommunicationTokenCredential } from '@azure/communication-common'; ++const callClient = new CallClient(); +const tokenCredential = new AzureCommunicationTokenCredential("INSERT ACCESS TOKEN"); +const preCallDiagnosticsResult = await callClient.feature(Features.PreCallDiagnostics).startTest(tokenCredential); +``` ++The Pre-Call API returns a full diagnostic of the device including details like device permissions, availability and compatibility, call quality stats and in-call diagnostics. The results are returned as a PreCallDiagnosticsResult object. ++```javascript +export declare type PreCallDiagnosticsResult = { + deviceAccess: Promise<DeviceAccess>; + deviceEnumeration: Promise<DeviceEnumeration>; + inCallDiagnostics: Promise<InCallDiagnostics>; + browserSupport?: Promise<DeviceCompatibility>; + id: string; + callMediaStatistics?: Promise<MediaStatsCallFeature>; +}; +``` ++You can learn more about ensuring precall readiness [here](../concepts/voice-video-calling/pre-call-diagnostics.md). +++## Event listeners ++### Twilio ++```javascript +twilioRoom.on('participantConneted', (participant) => { +// Participant connected +}); ++twilioRoom.on('participantDisconneted', (participant) => { +// Participant Disconnected +}); ++``` ++### Azure Communication Services ++Each object in the JavaScript Calling SDK has properties and collections. Their values change throughout the lifetime of the object. Use the `on()` method to subscribe to objects' events, and use the `off()` method to unsubscribe from objects' events. ++**Properties** ++- You must inspect their initial values, and subscribe to the `'\<property\>Changed'` event for future value updates. ++**Collections** ++- You must inspect their initial values, and subscribe to the `'\<collection\>Updated'` event for future value updates. +- The `'\<collection\>Updated'` event's payload, has an `added` array that contains values that were added to the collection. +- The `'\<collection\>Updated'` event's payload also has a removed array that contains values that were removed from the collection. ++## Leaving and ending sessions ++### Twilio +```javascript +twilioVideo.disconnect(); +``` +++### Azure Communication Services +```javascript +call.hangUp(); ++// Set the 'forEveryone' property to true to end call for all participants +call.hangUp({ forEveryone: true }); ++``` ++## Cleaning Up ++If you want to [clean up and remove a Communication Services subscription](../quickstarts/create-communication-resource.md?tabs=windows&pivots=platform-azp#clean-up-resources), you can delete the resource or resource group. |
container-apps | Whats New | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/whats-new.md | This article lists significant updates and new features available in Azure Conta | - | -- | | [Generally Available: Inbound IP restrictions](./ingress-overview.md#ip-restrictions) | Enables container apps to restrict inbound HTTP or TCP traffic by allowing or denying access to a specific list of IP address ranges. | | [Generally Available: TCP support](./ingress-overview.md#tcp) | Azure Container Apps now supports using TCP-based protocols other than HTTP or HTTPS for ingress. | -| [Generally Available: Github Actions for Azure Container Apps](./github-actions.md) | Azure Container Apps allows you to use GitHub Actions to publish revisions to your container app. | +| [Generally Available: GitHub Actions for Azure Container Apps](./github-actions.md) | Azure Container Apps allows you to use GitHub Actions to publish revisions to your container app. | | [Generally Available: Azure Pipelines for Azure Container Apps](./azure-pipelines.md) | Azure Container Apps allows you to use Azure Pipelines to publish revisions to your container app. | | [Dapr: Easy component creation](./dapr-component-connection.md) | You can now configure and secure dependent Azure services to use Dapr APIs in the portal using the Service Connector feature. Learn how to [connect to Azure services via Dapr components in the Azure portal](./dapr-component-connection.md). | |
container-registry | Container Registry Tutorial Sign Build Push | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-registry/container-registry-tutorial-sign-build-push.md | Title: Sign container images with Notation and Azure Key Vault using a self-signed certificate (Preview) + Title: Sign container images with Notation and Azure Key Vault using a self-signed certificate description: In this tutorial you'll learn to create a self-signed certificate in Azure Key Vault (AKV), build and sign a container image stored in Azure Container Registry (ACR) with notation and AKV, and then verify the container image with notation. -# Sign container images with Notation and Azure Key Vault using a self-signed certificate (Preview) +# Sign container images with Notation and Azure Key Vault using a self-signed certificate Signing container images is a process that ensures their authenticity and integrity. This is achieved by adding a digital signature to the container image, which can be validated during deployment. The signature helps to verify that the image is from a trusted publisher and has not been modified. [Notation](https://github.com/notaryproject/notation) is an open source supply chain tool developed by the [Notary Project](https://notaryproject.dev/), which supports signing and verifying container images and other artifacts. The Azure Key Vault (AKV) is used to store certificates with signing keys that can be used by Notation with the Notation AKV plugin (azure-kv) to sign and verify container images and other artifacts. The Azure Container Registry (ACR) allows you to attach signatures to container images and other artifacts as well as view those signatures. -> [!IMPORTANT] -> This feature is currently in preview. Previews are made available to you on the condition that you agree to the [supplemental terms of use][terms-of-use]. Some aspects of this feature may change prior to general availability (GA). - In this tutorial: > [!div class="checklist"] |
container-registry | Container Registry Tutorial Sign Trusted Ca | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-registry/container-registry-tutorial-sign-trusted-ca.md | Title: Sign container images with Notation and Azure Key vault using a CA-issued certificate (Preview) + Title: Sign container images with Notation and Azure Key vault using a CA-issued certificate description: In this tutorial learn to create a CA-issued certificate in Azure Key Vault, build and sign a container image stored in Azure Container Registry (ACR) with notation and AKV, and then verify the container image using notation. -# Sign container images with Notation and Azure Key Vault using a CA-issued certificate (Preview) +# Sign container images with Notation and Azure Key Vault using a CA-issued certificate Signing and verifying container images with a certificate issued by a trusted Certificate Authority (CA) is a valuable security practice. This security measure will help you to responsibly identify, authorize, and validate the identity of both the publisher of the container image and the container image itself. The Trusted Certificate Authorities (CAs) such as GlobalSign, DigiCert, and others play a crucial role in the validation of a user's or organization's identity, maintaining the security of digital certificates, and revoking the certificate immediately upon any risk or misuse. Here are some essential components that help you to sign and verify container im When you verify the image, the signature is used to validate the integrity of the image and the identity of the signer. This helps to ensure that the container images are not tampered with and are from a trusted source. -> [!IMPORTANT] -> This feature is currently in preview. Previews are made available to you on the condition that you agree to the [supplemental terms of use][terms-of-use]. Some aspects of this feature may change prior to general availability (GA). - In this article: > [!div class="checklist"] |
copilot | Build Infrastructure Deploy Workloads | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/copilot/build-infrastructure-deploy-workloads.md | Microsoft Copilot for Azure (preview) can help you quickly build custom infrastr Throughout a conversation, Microsoft Copilot for Azure (preview) asks you questions to better understand your requirements and applications. Based on the provided information, it then provides several architecture options suitable for deploying that infrastructure. After you select an option, Microsoft Copilot for Azure (preview) provides detailed descriptions of the infrastructure, including how it can be configured. Finally, Microsoft Copilot for Azure provides templates and scripts using the language of your choice to deploy your infrastructure. -To get help building infrastructure and deploying workloads, start on the [More virtual machines and related solutions](https://portal.azure.com/?feature.customportal=false#view/Microsoft_Azure_SolutionCenter/SolutionGroup.ReactView/groupid/defaultLandingVmBrowse) page in the Azure portal. +To get help building infrastructure and deploying workloads, start on the [More virtual machines and related solutions](https://portal.azure.com/#view/Microsoft_Azure_SolutionCenter/SolutionGroup.ReactView/groupid/defaultLandingVmBrowse) page in the Azure portal. You can reach this page from **Virtual machines** by selecting the arrow next to **Create**, then selecting **More VMs and related solutions**. + Once you're there, start the conversation by letting Microsoft Copilot for Azure (preview) know what you want to build and deploy. The prompts you use can vary depending on the type of workload you want to deplo ## Examples -From the **More virtual machines and related solutions** page, you can tell Microsoft Copilot for Azure (preview) "**I want to deploy a website on Azure**." Microsoft Copilot for Azure (preview) responds with a series of questions to better understand your scenario. +From the **[More virtual machines and related solutions](https://portal.azure.com/#view/Microsoft_Azure_SolutionCenter/SolutionGroup.ReactView/groupid/defaultLandingVmBrowse)** page, you can tell Microsoft Copilot for Azure (preview) "**I want to deploy a website on Azure**." Microsoft Copilot for Azure (preview) responds with a series of questions to better understand your scenario. :::image type="content" source="media/build-infrastructure-deploy-workloads/workloads-deploy-website.png" lightbox="media/build-infrastructure-deploy-workloads/workloads-deploy-website.png" alt-text="Screenshot showing Microsoft Copilot for Azure (preview) providing options to deploy a website."::: |
defender-for-cloud | Agentless Vulnerability Assessment Aws | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/agentless-vulnerability-assessment-aws.md | Container vulnerability assessment powered by Microsoft Defender Vulnerability M | Recommendation | Description | Assessment Key| |--|--|--|- | [AWS registry container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management) - Microsoft Azure](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/AwsContainerRegistryRecommendationDetailsBlade/assessmentKey/c27441ae-775c-45be-8ffa-655de37362ce) | Scans your AWS registries container images for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. | c27441ae-775c-45be-8ffa-655de37362ce | - | [AWS running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management) - Microsoft Azure](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/AwsContainersRuntimeRecommendationDetailsBlade/assessmentKey/682b2595-d045-4cff-b5aa-46624eb2dd8f)ΓÇ»| Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Elastic Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. | 682b2595-d045-4cff-b5aa-46624eb2dd8f | + | [AWS registry container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management)](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/AwsContainerRegistryRecommendationDetailsBlade/assessmentKey/c27441ae-775c-45be-8ffa-655de37362ce) | Scans your AWS registries container images for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. | c27441ae-775c-45be-8ffa-655de37362ce | + | [AWS running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management)](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/AwsContainersRuntimeRecommendationDetailsBlade/assessmentKey/682b2595-d045-4cff-b5aa-46624eb2dd8f)ΓÇ»| Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Elastic Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. | 682b2595-d045-4cff-b5aa-46624eb2dd8f | - **Query vulnerability information via the Azure Resource Graph** - Ability to query vulnerability information via the [Azure Resource Graph](/azure/governance/resource-graph/overview#how-resource-graph-complements-azure-resource-manager). Learn how to [query recommendations via ARG](review-security-recommendations.md). |
defender-for-cloud | Endpoint Protection Recommendations Technical | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/endpoint-protection-recommendations-technical.md | Microsoft Antimalware extension logs are available at: ### Support -For more help, contact the Azure experts on the [MSDN Azure and Stack Overflow forums](https://azure.microsoft.com/support/forums/). Or file an Azure support incident. Go to the [Azure support site](https://azure.microsoft.com/support/options/) and select Get support. For information about using Azure Support, read the [Microsoft Azure support common questions](https://azure.microsoft.com/support/faq/). +For more help, contact the Azure experts in [Azure Community Support](https://azure.microsoft.com/support/community/). Or file an Azure support incident. Go to the [Azure support site](https://azure.microsoft.com/support/options/) and select Get support. For information about using Azure Support, read the [Microsoft Azure support common questions](https://azure.microsoft.com/support/faq/). |
defender-for-cloud | How To Test Attack Path And Security Explorer With Vulnerable Container Image | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/how-to-test-attack-path-and-security-explorer-with-vulnerable-container-image.md | If there are no entries in the list of attack paths, you can still test this fea az aks get-credentials --subscription <cluster-suid> --resource-group <your-rg> --name <your-cluster-name> ``` -1. Install [ngnix ingress Controller](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-helm/) : +1. Install the [ngnix ingress Controller](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-helm/) : ```azurecli helm install ingress-controller oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.0.1 After you completed testing the attack path, investigate the created attack path ## AWS: Testing the attack path and security explorer using a mock vulnerable container image -1. Create ECR repository named *mdc-mock-0001* +1. Create an ECR repository named *mdc-mock-0001* 1. Go to your AWS account and choose **Command line or programmatic access**. 1. Open a command line and choose **Option 1: Set AWS environment variables (Short-term credentials)**. Copy the credentials of the *AWS_ACCESS_KEY_ID*, *AWS_SECRET_ACCESS_KEY*, and *AWS_SESSION_TOKEN* environment variables. 1. Run the following command to get the authentication token for your Amazon ECR registry. Replace `<REGION>` with the region of your registry. Replace `<ACCOUNT>` with your AWS account ID. After you completed testing the attack path, investigate the created attack path kubectl get nodes ``` -1. Install [ngnix ingress Controller](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-helm/) : +1. Install the [ngnix ingress Controller](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-helm/) : ```azurecli helm install ingress-controller oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.0.1 The Helm chart deploys resources onto your cluster that can be used to infer att After you completed testing the attack path, investigate the created attack path by going to **Attack path analysis**, and search for the attack path you created. For more information, see [Identify and remediate attack paths](how-to-manage-attack-path.md). +## GCP: Testing the attack path and security explorer using a mock vulnerable container image ++1. In the GCP portal, search for **Artifact Registry**, and then create a GCP repository named *mdc-mock-0001* +1. Follow [these instructions](https://cloud.google.com/artifact-registry/docs/docker/pushing-and-pulling) to push the image to your repository. Run these commands: ++ ```docker + docker pull alpine + docker tag alpine <LOCATION>-docker.pkg.dev/<PROJECT_ID>/<REGISTRY>/<REPOSITORY>/mdc-mock-0001 + docker push <LOCATION>-docker.pkg.dev/<PROJECT_ID>/<REGISTRY>/<REPOSITORY>/mdc-mock-0001 + ``` ++1. Go to the GCP portal. Then go to **Kubernetes Engine** > **Clusters**. Select the **Connect** button. +1. Once connected, either run the command in the Cloud Shell or copy the connection command and run it on your machine: ++ ```gcloud-cli + gcloud container clusters get-credentials contra-bugbash-gcp --zone us-central1-c --project onboardingc-demo-gcp-1 + ``` ++1. Verify the configuration. You can check if `kubectl` is correctly configured by running: ++ ```gcloud-cli + kubectl get nodes + ``` ++1. To install the Helm chart, follow these steps: ++ 1. Under **Artifact registry** in the portal, go to the repository, and find the image URI under **Pull by digest**. + 1. Use the following command to install the Helm chart: ++ ```gcloud-cli + helm install dcspmcharts oci:/mcr.microsoft.com/mdc/stable/dcspmcharts --version 1.0.0 --namespace mdc-dcspm-demo --create-namespace --set image=<IMAGE_URI> --set distribution=GCP + ``` ++The Helm chart deploys resources onto your cluster that can be used to infer attack paths. It also includes the vulnerable image. ++> [!NOTE] +> After completing the above flow, it can take up to 24 hours to see results in the cloud security explorer and attack path. ++After you completed testing the attack path, investigate the created attack path by going to **Attack path analysis**, and search for the attack path you created. For more information, see [Identify and remediate attack paths](how-to-manage-attack-path.md). + ## Find container posture issues with cloud security explorer You can build queries in one of the following ways: |
defender-for-cloud | Transition To Defender Vulnerability Management | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/transition-to-defender-vulnerability-management.md | securityresources severity = properties.additionalData.vulnerabilityDetails.severity, status = properties.status.code, VulnId = properties.id, - description = properties.displayName, + description = properties.description, fixStatus = properties.additionalData.softwareDetails.fixStatus, - cve = properties.additionalData.cve, Repo = properties.additionalData.artifactDetails.repositoryName, imageUri = properties.resourceDetails.id | where status == 'Unhealthy' |
defender-for-cloud | Upcoming Changes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/upcoming-changes.md | If you're looking for the latest release notes, you can find them in the [What's | Planned change | Announcement date | Estimated date for change | |--|--|--|+| [Change in pricing for multicloud container threat detection](#change-in-pricing-for-multicloud-container-threat-detection) | January 30, 2024 | April 2024 | +| [Enforcement of Defender CSPM for Premium DevOps Security Capabilities](#enforcement-of-defender-cspm-for-premium-devops-security-value) | January 29, 2024 | March 2024 | | [Update to agentless VM scanning built-in Azure role](#update-to-agentless-vm-scanning-built-in-azure-role) |January 14, 2024 | February 2024 | | [Deprecation of two recommendations related to PCI](#deprecation-of-two-recommendations-related-to-pci) |January 14, 2024 | February 2024 | | [Four new recommendations for Azure Stack HCI resource type](#four-new-recommendations-for-azure-stack-hci-resource-type) | January 11, 2024 | February 2024 | | [Defender for Servers built-in vulnerability assessment (Qualys) retirement path](#defender-for-servers-built-in-vulnerability-assessment-qualys-retirement-path) | January 9, 2024 | May 2024 | | [Retirement of the Defender for Cloud Containers Vulnerability Assessment powered by Qualys](#retirement-of-the-defender-for-cloud-containers-vulnerability-assessment-powered-by-qualys) | January 9, 2023 | March 2024 |-| [Enforcement of Defender CSPM for Premium DevOps Security Capabilities](#enforcement-of-defender-cspm-for-premium-devops-security-value) | January 29, 2024 | March 2024 | | [New version of Defender Agent for Defender for Containers](#new-version-of-defender-agent-for-defender-for-containers) | January 4, 2024 | February 2024 | | [Upcoming change for the Defender for CloudΓÇÖs multicloud network requirements](#upcoming-change-for-the-defender-for-clouds-multicloud-network-requirements) | January 3, 2024 | May 2024 | | [Deprecation of two DevOps security recommendations](#deprecation-of-two-devops-security-recommendations) | November 30, 2023 | January 2024 | If you're looking for the latest release notes, you can find them in the [What's | [Deprecating two security incidents](#deprecating-two-security-incidents) | | November 2023 | | [Defender for Cloud plan and strategy for the Log Analytics agent deprecation](#defender-for-cloud-plan-and-strategy-for-the-log-analytics-agent-deprecation) | | August 2024 | +## Change in pricing for multicloud container threat detection ++**Announcement date: January 30, 2024** ++**Estimated date for change: April 2024** ++When [multicloud container threat detection](support-matrix-defender-for-containers.md) moves to GA, it will no longer be free of charge. For more information, see [Microsoft Defender for Cloud pricing](https://azure.microsoft.com/pricing/details/defender-for-cloud/). ++## Enforcement of Defender CSPM for Premium DevOps Security Value ++**Announcement date: January 29, 2024** ++**Estimated date for change: March 7, 2024** ++Defender for Cloud will begin enforcing the Defender CSPM plan check for premium DevOps security value beginning **March 7th, 2024**. If you have the Defender CSPM plan enabled on a cloud environment (Azure, AWS, GCP) within the same tenant your DevOps connectors are created in, you'll continue to receive premium DevOps capabilities at no additional cost. If you aren't a Defender CSPM customer, you have until **March 7th, 2024** to enable Defender CSPM before losing access to these security features. To enable Defender CSPM on a connected cloud environment before March 7, 2024, follow the enablement documentation outlined [here](tutorial-enable-cspm-plan.md#enable-the-components-of-the-defender-cspm-plan). ++For more information about which DevOps security features are available across both the Foundational CSPM and Defender CSPM plans, see [our documentation outlining feature availability](devops-support.md#feature-availability). ++For more information about DevOps Security in Defender for Cloud, see the [overview documentation](defender-for-devops-introduction.md). ++For more information on the code to cloud security capabilities in Defender CSPM, see [how to protect your resources with Defender CSPM](tutorial-enable-cspm-plan.md). + ## Update to agentless VM scanning built-in Azure role **Announcement date: January 14, 2024** **Estimated date of change: February 2024** -In Azure, agentless scanning for VMs uses a built-in role (called [VM scanner operator](/azure/defender-for-cloud/faq-permissions)) with the minimum necessary permissions required to scan and assess your VMs for security issues. To continuously provide relevant scan health and configuration recommendations for VMs with encrypted volumes, an update to this role's permissions is planned. The update includes the addition of the ```Microsoft.Compute/DiskEncryptionSets/read``` permission. This permission solely enables improved identification of encrypted disk usage in VMs. It does not provide Defender for Cloud any additional capabilities to decrypt or access the content of these encrypted volumes beyond the encryption methods [already supported](/azure/defender-for-cloud/concept-agentless-data-collection#availability) prior to this change. This change is expected to take place during February 2024 and no action is required on your end. +In Azure, agentless scanning for VMs uses a built-in role (called [VM scanner operator](/azure/defender-for-cloud/faq-permissions)) with the minimum necessary permissions required to scan and assess your VMs for security issues. To continuously provide relevant scan health and configuration recommendations for VMs with encrypted volumes, an update to this role's permissions is planned. The update includes the addition of the ```Microsoft.Compute/DiskEncryptionSets/read``` permission. This permission solely enables improved identification of encrypted disk usage in VMs. It doesn't provide Defender for Cloud any additional capabilities to decrypt or access the content of these encrypted volumes beyond the encryption methods [already supported](/azure/defender-for-cloud/concept-agentless-data-collection#availability) prior to this change. This change is expected to take place during February 2024 and no action is required on your end. ## Deprecation of two recommendations related to PCI Azure Stack HCI is set to be a new resource type that can be managed through Mic **Estimated date for change: May 2024** -The Defender for Servers built-in vulnerability assessment solution powered by Qualys is on a retirement path which is estimated to complete on **May 1st, 2024**. If you're currently using the vulnerability assessment solution powered by Qualys, you should plan your [transition to the integrated Microsoft Defender vulnerability management solution](how-to-transition-to-built-in.md). +The Defender for Servers built-in vulnerability assessment solution powered by Qualys is on a retirement path, which is estimated to complete on **May 1st, 2024**. If you're currently using the vulnerability assessment solution powered by Qualys, you should plan your [transition to the integrated Microsoft Defender vulnerability management solution](how-to-transition-to-built-in.md). For more information about our decision to unify our vulnerability assessment offering with Microsoft Defender Vulnerability Management, you can read [this blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/defender-for-cloud-unified-vulnerability-assessment-powered-by/ba-p/3990112). For more information about transitioning to our new container vulnerability asse For common questions about the transition to Microsoft Defender Vulnerability Management, see [Common questions about the Microsoft Defender Vulnerability Management solution](common-questions-microsoft-defender-vulnerability-management.md). -## Enforcement of Defender CSPM for Premium DevOps Security Value --**Announcement date: January 29, 2023** --**Estimated date for change: March 7, 2024** --Defender for Cloud will begin enforcing the Defender CSPM plan check for premium DevOps security value beginning **March 7th, 2024**. If you have the Defender CSPM plan enabled on a cloud environment (Azure, AWS, GCP) within the same tenant your DevOps connectors are created in, you will continue to receive premium DevOps capabilities at no additional cost. If you are not a Defender CSPM customer, you have until **March 7th, 2024** to enable Defender CSPM before losing access to these security features. To enable Defender CSPM on a connected cloud environment before March 7th, 2024, follow the enablement documentation outlined [here](tutorial-enable-cspm-plan.md#enable-the-components-of-the-defender-cspm-plan). --For more information about which DevOps security features are available across both the Foundational CSPM and Defender CSPM plans, see [our documentation outlining feature availability](devops-support.md#feature-availability). --For more information about DevOps Security in Defender for Cloud, see the [overview documentation](defender-for-devops-introduction.md). --For more information on the code to cloud security capabilities in Defender CSPM, see [how to protect your resources with Defender CSPM](tutorial-enable-cspm-plan.md). - ## New version of Defender Agent for Defender for Containers **Announcement date: January 4, 2024** The following table lists the alerts to be deprecated: | AlertDisplayName | AlertType | |--|--|-| Communication with suspicious random domain name (Preview) | DNS_RandomizedDomain +| Communication with suspicious random domain name (Preview) | DNS_RandomizedDomain | | Communication with suspicious domain identified by threat intelligence (Preview) | DNS_ThreatIntelSuspectDomain | | Digital currency mining activity (Preview) | DNS_CurrencyMining | | Network intrusion detection signature activation (Preview) | DNS_SuspiciousDomain | |
expressroute | Expressroute Howto Circuit Portal Resource Manager | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/expressroute-howto-circuit-portal-resource-manager.md | After you create your circuit, continue with the following next step: > [!div class="nextstepaction"] > [Create and modify routing for your ExpressRoute circuit](expressroute-howto-routing-portal-resource-manager.md)+> [Create a connection to a virtual network gateway (Preview)](expressroute-howto-linkvnet-portal-resource-manager.md?pivots=expressroute-preview) |
frontdoor | Front Door Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-overview.md | For a comparison of supported features in Azure Front Door, see [Tier comparison ## Where is the service available? -Azure Front Door Classic/Standard/Premium SKUs are available in Microsoft Azure (Commercial) and Azure Front Door Classic SKU is available in Microsoft Azure Government (US). +Azure Front Door Standard, Premium and Classic tiers are available in Microsoft Azure (Commercial) and Microsoft Azure Government (US). ## Pricing |
governance | Supported Tables Resources | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/resource-graph/reference/supported-tables-resources.md | Title: Supported Azure Resource Manager resource types description: Provide a list of the Azure Resource Manager resource types supported by Azure Resource Graph and Change History. Previously updated : 01/22/2023 Last updated : 01/29/2023 For sample queries for this table, see [Resource Graph sample queries for resour - microsoft.sqlvirtualmachine/sqlvirtualmachinegroups - microsoft.SqlVirtualMachine/SqlVirtualMachines (SQL virtual machines) - microsoft.sqlvm/dwvm-- microsoft.storage/datamovers - microsoft.Storage/StorageAccounts (Storage accounts) - Sample query: [Find storage accounts with a specific case-insensitive tag on the resource group](../samples/samples-by-category.md#find-storage-accounts-with-a-specific-case-insensitive-tag-on-the-resource-group) - Sample query: [Find storage accounts with a specific case-sensitive tag on the resource group](../samples/samples-by-category.md#find-storage-accounts-with-a-specific-case-sensitive-tag-on-the-resource-group) |
iot-hub-device-update | Device Update Error Codes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-hub-device-update/device-update-error-codes.md | There are two primary client-side components that may throw error codes: the Dev ### ResultCode and ExtendedResultCode -The Device Update for IoT Hub Core PnP interface reports `ResultCode` and `ExtendedResultCode`, which can be used to diagnose failures. For more information about the Device Update Core PnP interface, see [Device Update and Plug and Play](device-update-plug-and-play.md). For more details regarding the default meanings of Device Update agent ResultCode and ExtendedResultCodes, see the [Device Update Github repository](https://aka.ms/du-resultcodes). +The Device Update for IoT Hub Core PnP interface reports `ResultCode` and `ExtendedResultCode`, which can be used to diagnose failures. For more information about the Device Update Core PnP interface, see [Device Update and Plug and Play](device-update-plug-and-play.md). For more details regarding the default meanings of Device Update agent ResultCode and ExtendedResultCodes, see the [Device Update GitHub repository](https://aka.ms/du-resultcodes). `ResultCode` is a general status code and `ExtendedResultCode` is an integer with encoded error information. |
iot-operations | Howto Deploy Iot Operations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-operations/deploy-iot-ops/howto-deploy-iot-operations.md | Use the Azure portal to deploy Azure IoT Operations components to your Arc-enabl ``` > [!NOTE]- > If you're using Github Codespaces in a browser, `az login` returns a localhost error in the browser window after logging in. To fix, either: + > If you're using GitHub Codespaces in a browser, `az login` returns a localhost error in the browser window after logging in. To fix, either: > > * Open the codespace in VS Code desktop, and then run `az login` again in the browser terminal. > * After you get the localhost error on the browser, copy the URL from the browser and run `curl "<URL>"` in a new terminal tab. You should see a JSON response with the message "You have logged into Microsoft Azure!." |
iot-operations | Howto Configure Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-operations/process-data/howto-configure-reference.md | To add a dataset to the data store, you have two options: | Keys | See keys configuration in the following table. | | | Timestamps referenced should be in RFC3339, ISO 8601, or Unix timestamp format.-By default, the Expiration time for a dataset is set to `12h`. This default ensures that no stale data is enriched beyond 12 hours (if the data is not updated) or grow unbounded which can fill up the disk. +By default, the expiration time for a dataset is set to `24h`. This default ensures that no stale data is enriched beyond 24 hours (if the data is not updated) or grow unbounded which can fill up the disk. Each key includes: The two keys: | Field | Example | |||-| Property name | `asset` | +| Property name | `equipment name` | | Property path | `.equipment` | | Primary key | Yes | |
machine-learning | Concept Model Monitoring | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/concept-model-monitoring.md | Title: Monitoring models in production (preview) + Title: Monitoring models in production description: Monitor the performance of models deployed to production on Azure Machine Learning. --++ reviewer: msakande Previously updated : 09/15/2023 Last updated : 01/29/2024 -# Model monitoring with Azure Machine Learning (preview) +# Model monitoring with Azure Machine Learning In this article, you learn about model monitoring in Azure Machine Learning, the signals and metrics you can monitor, and the recommended practices for using model monitoring. +## The case for model monitoring -Model monitoring is the last step in the machine learning end-to-end lifecycle. This step tracks model performance in production and aims to understand it from both data science and operational perspectives. Unlike traditional software systems, the behavior of machine learning systems is governed not just by rules specified in code, but also by model behavior learned from data. Data distribution changes, training-serving skew, data quality issues, shift in environment, or consumer behavior changes can all cause models to become stale and their performance to degrade to the point that they fail to add business value or start to cause serious compliance issues in highly regulated environments. +Model monitoring is the last step in the machine learning end-to-end lifecycle. This step tracks model performance in production and aims to understand the performance from both data science and operational perspectives. -To implement monitoring, Azure Machine Learning acquires monitoring signals through data analysis on streamed production inference data and reference data. The reference data can include historical training data, validation data, or ground truth data. Each monitoring signal has one or more metrics. Users can set thresholds for these metrics in order to receive alerts via Azure Machine Learning or Azure Monitor about model or data anomalies. These alerts can prompt users to analyze or troubleshoot monitoring signals in Azure Machine Learning studio for continuous model quality improvement. +Unlike traditional software systems, the behavior of machine learning systems is governed not just by rules specified in code, but also by model behavior learned from data. Therefore, data distribution changes, training-serving skew, data quality issues, shifts in environments, or consumer behavior changes can all cause a model to become stale. When a model becomes stale, its performance can degrade to the point that it fails to add business value or starts to cause serious compliance issues in highly regulated environments. ++## How model monitoring works in Azure Machine Learning ++To implement monitoring, Azure Machine Learning acquires monitoring signals by performing statistical computations on streamed production inference data and reference data. The reference data can be historical training data, validation data, or ground truth data. On the other hand, the production inference data refers to the model's input and output data collected in production. ++Each monitoring signal has one or more metrics. Users can set thresholds for these metrics in order to receive alerts via Azure Machine Learning or Azure Event Grid about model or data anomalies. These alerts can prompt users to analyze or troubleshoot monitoring signals in Azure Machine Learning studio for continuous model quality improvement. ++The following steps describe an example of the statistical computation used to acquire a built-in monitoring signal, such as data drift, for a model that's in production. ++* For a feature in the training data, calculate the statistical distribution of its values. This distribution is the baseline distribution for the feature. +* Calculate the statistical distribution of the feature's latest values that are seen in production. +* Compare the distribution of the feature's latest values in production with the baseline distribution by performing a statistical test or calculating a distance score. +* When the test statistic or the distance score between the two distributions exceeds a user-specified threshold, Azure Machine Learning identifies the anomaly and notifies the user. ++### Model monitoring setup ++To enable and use model monitoring in Azure Machine Learning: ++1. **Enable production inference data collection.** If you deploy a model to an Azure Machine Learning online endpoint, you can enable production inference data collection by using Azure Machine Learning [model data collection](concept-data-collection.md). However, if you deploy a model outside of Azure Machine Learning or to an Azure Machine Learning batch endpoint, you're responsible for collecting production inference data. You can then use this data for Azure Machine Learning model monitoring. +1. **Set up model monitoring.** You can use Azure Machine Learning SDK/CLI 2.0 or the studio UI to easily set up model monitoring. During the setup, you can specify your preferred monitoring signals and customize metrics and thresholds for each signal. +1. **View and analyze model monitoring results.** Once model monitoring is set up, Azure Machine Learning schedules a monitoring job to run at your specified frequency. Each run computes and evaluates metrics for all selected monitoring signals and triggers alert notifications when any specified threshold is exceeded. You can follow the link in the alert notification to view and analyze monitoring results in your Azure Machine Learning workspace. ## Capabilities of model monitoring Azure Machine Learning provides the following capabilities for continuous model monitoring: -* **Built-in monitoring signals**. Model monitoring provides built-in monitoring signals for tabular data. These monitoring signals include data drift, prediction drift, data quality, and feature attribution drift. +* **Built-in monitoring signals**. Model monitoring provides built-in monitoring signals for tabular data. These monitoring signals include data drift, prediction drift, data quality, feature attribution drift, and model performance. * **Out-of-box model monitoring setup with Azure Machine Learning online endpoint**. If you deploy your model to production in an Azure Machine Learning online endpoint, Azure Machine Learning collects production inference data automatically and uses it for continuous monitoring. * **Use of multiple monitoring signals for a broad view**. You can easily include several monitoring signals in one monitoring setup. For each monitoring signal, you can select your preferred metric(s) and fine-tune an alert threshold.-* **Use of recent past production data or training data as reference data for comparison**. For monitoring signals, Azure Machine Learning lets you set reference data using recent past production data or training data. -* **Monitoring of top N features for data drift or data quality**. If you use training data as the reference data, you can define data drift or data quality signals layering over feature importance. +* **Use of training data or recent, past production data as reference data for comparison**. For monitoring signals, Azure Machine Learning lets you set reference data using training data or recent, past production data. +* **Monitoring of top N features for data drift or data quality**. If you use training data as the reference data, you can define data drift or data quality signals layered over feature importance. * **Flexibility to define your monitoring signal**. If the built-in monitoring signals aren't suitable for your business scenario, you can define your own monitoring signal with a custom monitoring signal component.-* **Flexibility to use production inference data from any source**. If you deploy models outside of Azure Machine Learning, or if you deploy models to Azure Machine Learning batch endpoints, you can collect production inference data. You can then use the inference data in Azure Machine Learning for model monitoring. -* **Flexibility to select data window**. You have the flexibility to select a data window for both the production data and the reference data. - * By default, the data window for production data is your monitoring frequency. That is, all data collected in the past monitoring period before the monitoring job is run will be analyzed. You can use the `production_data.data_window_size` property to adjust the data window for the production data, if needed. - * By default, the data window for the reference data is the full dataset. You can adjust the reference data window with the `reference_data.data_window` property. Both rolling data window and fixed data window are supported. +* **Flexibility to use production inference data from any source**. If you deploy models outside of Azure Machine Learning, or if you deploy models to Azure Machine Learning batch endpoints, you can collect production inference data to use in Azure Machine Learning for model monitoring. ++## Lookback window size and offset ++The **lookback window size** is the duration of time (in ISO 8601 format) for your production or reference data window, looking back from the date of your monitoring run. ++The **lookback window offset** is the duration of time (in ISO 8601 format) to offset the end of your data window from the date of your monitoring run. ++For example, suppose your model is in production and you have a monitor set to run on January 31 at 3:15pm UTC, if you set a production lookback window size of `P7D` (seven days) for the monitor and a production lookback window offset of `P0D` (zero days), the monitor uses data from January 24 at 3:15pm UTC up until January 31 at 3:15pm UTC (the time your monitor runs) in the data window. ++Furthermore, for the reference data, if you set the lookback window offset to `P7D` (seven days), the reference data window ends right before the production data window starts, so that there's no overlap. You can then set your reference data lookback window size to be as large as you like. For example, by setting the reference data lookback window size to `P24D` (24 days), the reference data window includes data from January 1 at 3:15pm UTC up until January 24 at 3:15pm UTC. The following figure illustrates this example. +++In some cases, you might find it useful to set the _lookback window offset_ for your production data to a number greater than zero days. For example, if your monitor is scheduled to run weekly on Mondays at 3:15pm UTC, but you don't want to use data from the weekend in your monitoring run, you can use a _lookback window size_ of `P5D` (five days) and a _lookback window offset_ of `P2D` (two days). Then, your data window starts on the prior Monday at 3:15pm UTC and ends on Friday at 3:15pm UTC. ++In practice, you should ensure that the reference data window and the production data window don't overlap. As shown in the following figure, you can ensure non-overlapping windows by making sure that the reference data lookback window offset (`P10D` or 10 days, in this example) is greater or equal to the sum of the production data's lookback window size and its lookback window offset (seven days total). +++With Azure Machine Learning model monitoring, you can use smart defaults for your lookback window size and lookback window offset, or you can customize them to meet your needs. Also, both rolling windows and fixed windows are supported. ++### Customize lookback window size ++You have the flexibility to select a lookback window size for both the production data and the reference data. ++* By default, the lookback window size for production data is your monitoring frequency. That is, all data collected in the monitoring period before the monitoring job is run will be analyzed. You can use the `production_data.data_window.lookback_window_size` property to adjust the rolling data window for the production data. ++* By default, the lookback window for the reference data is the full dataset. You can use the `reference_data.data_window.lookback_window_size` property to adjust the reference lookback window size. ++* To specify a fixed data window for the reference data, you can use the properties `reference_data.data_window.window_start_date` and `reference_data.data_window.window_end_date`. ++### Customize lookback window offset ++You have the flexibility to select a lookback window offset for your data window for both the production data and the reference data. You can use the offset for granular control over the data your monitor uses. The offset only applies to rolling data windows. ++* By default, the offset for production data is `P0D` (zero days). You can modify this offset with the `production_data.data_window.lookback_window_offset` property. ++* By default, the offset for reference data is twice the `production_data.data_window.lookback_window_size`. This setting ensures that there's enough reference data for statistically meaningful monitoring results. You can modify this offset with the `reference_data.data_window.lookback_window_offset` property. ## Monitoring signals and metrics -Azure Machine Learning model monitoring (preview) supports the following list of monitoring signals and metrics: +Azure Machine Learning model monitoring supports the following list of monitoring signals and metrics: + |Monitoring signal | Description | Metrics | Model tasks (supported data format) | Production data | Reference data | |--|--|--|--|--|--|-| Data drift | Data drift tracks changes in the distribution of a model's input data by comparing it to the model's training data or recent past production data. | Jensen-Shannon Distance, Population Stability Index, Normalized Wasserstein Distance, Two-Sample Kolmogorov-Smirnov Test, Pearson's Chi-Squared Test | Classification (tabular data), Regression (tabular data) | Production data - model inputs | Recent past production data or training data | -| Prediction drift | Prediction drift tracks changes in the distribution of a model's prediction outputs by comparing it to validation or test labeled data or recent past production data. | Jensen-Shannon Distance, Population Stability Index, Normalized Wasserstein Distance, Chebyshev Distance, Two-Sample Kolmogorov-Smirnov Test, Pearson's Chi-Squared Test | Classification (tabular data), Regression (tabular data) | Production data - model outputs | Recent past production data or validation data | -| Data quality | Data quality tracks the data integrity of a model's input by comparing it to the model's training data or recent past production data. The data quality checks include checking for null values, type mismatch, or out-of-bounds of values. | Null value rate, data type error rate, out-of-bounds rate | Classification (tabular data), Regression (tabular data) | production data - model inputs | Recent past production data or training data | -| Feature attribution drift | Feature attribution drift tracks the contribution of features to predictions (also known as feature importance) during production by comparing it with feature importance during training.| Normalized discounted cumulative gain | Classification (tabular data), Regression (tabular data) | Production data - model inputs & outputs | Training data (required) | -|[Generative AI: Generation safety and quality](./prompt-flow/how-to-monitor-generative-ai-applications.md)|Evaluates generative AI applications for safety & quality using GPT-assisted metrics.| Groundedness, relevance, fluency, similarity, coherence|text_question_answering| prompt, completion, context, and annotation template |N/A| +| Data drift | Data drift tracks changes in the distribution of a model's input data by comparing the distribution to the model's training data or recent, past production data. | Jensen-Shannon Distance, Population Stability Index, Normalized Wasserstein Distance, Two-Sample Kolmogorov-Smirnov Test, Pearson's Chi-Squared Test | Classification (tabular data), Regression (tabular data) | Production data - model inputs | Recent past production data or training data | +| Prediction drift | Prediction drift tracks changes in the distribution of a model's predicted outputs, by comparing the distribution to validation data, labeled test data, or recent past production data. | Jensen-Shannon Distance, Population Stability Index, Normalized Wasserstein Distance, Chebyshev Distance, Two-Sample Kolmogorov-Smirnov Test, Pearson's Chi-Squared Test | Classification (tabular data), Regression (tabular data) | Production data - model outputs | Recent past production data or validation data | +| Data quality | Data quality tracks the data integrity of a model's input by comparing it to the model's training data or recent, past production data. The data quality checks include checking for null values, type mismatch, or out-of-bounds values. | Null value rate, data type error rate, out-of-bounds rate | Classification (tabular data), Regression (tabular data) | production data - model inputs | Recent past production data or training data | +| Feature attribution drift (preview) | Feature attribution drift is based on the contribution of features to predictions (also known as feature importance). Feature attribution drift tracks feature importance during production by comparing it with feature importance during training.| Normalized discounted cumulative gain | Classification (tabular data), Regression (tabular data) | Production data - model inputs & outputs | Training data (required) | +| Model performance - Classification (preview) | Model performance tracks the objective performance of a model's output in production by comparing it to collected ground truth data. | Accuracy, Precision, and Recall | Classification (tabular data) | Production data - model outputs | Ground truth data (required) | +| Model performance - Regression (preview) | Model performance tracks the objective performance of a model's output in production by comparing it to collected ground truth data. | Mean Absolute Error (MAE), Mean Squared Error (MSE), Root Mean Squared Error (RMSE) | Regression (tabular data) | Production data - model outputs | Ground truth data (required) | +|[Generative AI: Generation safety and quality](./prompt-flow/how-to-monitor-generative-ai-applications.md) (preview)|Evaluates generative AI applications for safety and quality, using GPT-assisted metrics.| Groundedness, relevance, fluency, similarity, coherence| Question & Answering | prompt, completion, context, and annotation template |N/A| +### Metrics for the data quality monitoring signal - -## How model monitoring works in Azure Machine Learning +The data quality monitoring signal tracks the integrity of a model's input data by calculating the three metrics: -Azure Machine Learning acquires monitoring signals by performing statistical computations on production inference data and reference data. This reference data can include the model's training data or validation data, while the production inference data refers to the model's input and output data collected in production. +- Null value rate +- Data type error rate +- Out-of-bounds rate -The following steps describe an example of the statistical computation used to acquire a data drift signal for a model that's in production. -* For a feature in the training data, calculate the statistical distribution of its values. This distribution is the baseline distribution. -* Calculate the statistical distribution of the feature's latest values that are seen in production. -* Compare the distribution of the feature's latest values in production against the baseline distribution by performing a statistical test or calculating a distance score. -* When the test statistic or the distance score between the two distributions exceeds a user-specified threshold, Azure Machine Learning identifies the anomaly and notifies the user. +#### Null value rate -### Enabling model monitoring +The _null value rate_ is the rate of null values in the model's input for each feature. For example, if the monitoring production data window contains 100 rows and the value for a specific feature `temperature` is null for 10 of those rows, the null value rate for `temperature` is 10%. -Take the following steps to enable model monitoring in Azure Machine Learning: +- Azure Machine Learning supports calculating the **Null value rate** for all feature data types. -* **Enable production inference data collection.** If you deploy a model to an Azure Machine Learning online endpoint, you can enable production inference data collection by using Azure Machine Learning [Model Data Collection](concept-data-collection.md). However, if you deploy a model outside of Azure Machine Learning or to an Azure Machine Learning batch endpoint, you're responsible for collecting production inference data. You can then use this data for Azure Machine Learning model monitoring. -* **Set up model monitoring.** You can use SDK/CLI 2.0 or the studio UI to easily set up model monitoring. During the setup, you can specify your preferred monitoring signals and customize metrics and thresholds for each signal. -* **View and analyze model monitoring results.** Once model monitoring is set up, a monitoring job is scheduled to run at your specified frequency. Each run computes and evaluates metrics for all selected monitoring signals and triggers alert notifications when any specified threshold is exceeded. You can follow the link in the alert notification to your Azure Machine Learning workspace to view and analyze monitoring results. +#### Data type error rate ++The _data type error rate_ is the rate of data type differences between the current production data window and the reference data. During each monitoring run, Azure Machine Learning model monitoring infers the data type for each feature from the reference data. For example, if the data type for a feature `temperature` is inferred to be `IntegerType` from the reference data, but in the production data window, 10 out of 100 values for `temperature` aren't IntegerType (perhaps they're strings), then the data type error rate for `temperature` is 10%. ++- Azure Machine Learning supports calculating the data type error rate for the following data types that are available in PySpark: `ShortType`, `BooleanType`, `BinaryType`, `DoubleType`, `TimestampType`, `StringType`, `IntegerType`, `FloatType`, `ByteType`, `LongType`, and `DateType`. +- If the data type for a feature isn't contained in this list, Azure Machine Learning model monitoring still runs but won't compute the data type error rate for that specific feature. ++#### Out-of-bounds rate ++The _out-of-bounds rate_ is the rate of values for each feature, which fall outside of the appropriate range or set determined by the reference data. During each monitoring run, Azure Machine Learning model monitoring determines the acceptable range or set for each feature from the reference data. ++- For a numerical feature, the appropriate range is a numerical interval of the minimum value in the reference dataset to the maximum value, such as [0, 100]. +- For a categorical feature, such as `color`, the appropriate range is a set of all values contained in the reference dataset, such as [`red`, `yellow`, `green`]. ++For example, if you have a numerical feature `temperature` where all values fall within the range [37, 77] in the reference dataset, but in the production data window, 10 out of 100 values for `temperature` fall outside of the range [37, 77], then the out-of-bounds rate for `temperature` is 10%. ++- Azure Machine Learning supports calculating the out-of-bounds rate for these data types that are available in PySpark: `StringType`, `IntegerType`, `DoubleType`, `ByteType`, `LongType`, and `FloatType`. +- If the data type for a feature isn't contained in this list, Azure Machine Learning model monitoring still runs but won't compute the out-of-bounds rate for that specific feature. ++Azure Machine Learning model monitoring supports up to 0.00001 precision for calculations of the null value rate, data type error rate, and out-of-bounds rate. ## Recommended best practices for model monitoring Each machine learning model and its use cases are unique. Therefore, model monitoring is unique for each situation. The following is a list of recommended best practices for model monitoring:-* **Start model monitoring as soon as your model is deployed to production.** -* **Work with data scientists that are familiar with the model to set up model monitoring.** Data scientists who have insight into the model and its use cases are in the best position to recommend monitoring signals and metrics as well as set the right alert thresholds for each metric (to avoid alert fatigue). -* **Include multiple monitoring signals in your monitoring setup.** With multiple monitoring signals, you get both a broad view and granular view of monitoring. For example, you can combine both data drift and feature attribution drift signals to get an early warning about your model performance issue. +* **Start model monitoring immediately after you deploy a model to production.** +* **Work with data scientists that are familiar with the model to set up model monitoring.** Data scientists who have insight into the model and its use cases are in the best position to recommend monitoring signals and metrics and set the right alert thresholds for each metric (to avoid alert fatigue). +* **Include multiple monitoring signals in your monitoring setup.** With multiple monitoring signals, you get both a broad view and granular view of monitoring. For example, you can combine data drift and feature attribution drift signals to get an early warning about your model performance issues. * **Use model training data as the reference data.** For reference data used as the comparison baseline, Azure Machine Learning allows you to use the recent past production data or historical data (such as training data or validation data). For a meaningful comparison, we recommend that you use the training data as the comparison baseline for data drift and data quality. For prediction drift, use the validation data as the comparison baseline.-* **Specify the monitoring frequency based on how your production data will grow over time**. For example, if your production model has much traffic daily, and the daily data accumulation is sufficient for you to monitor, then you can set the monitoring frequency to daily. Otherwise, you can consider a weekly or monthly monitoring frequency, based on the growth of your production data over time. +* **Specify the monitoring frequency, based on how your production data will grow over time**. For example, if your production model has much traffic daily, and the daily data accumulation is sufficient for you to monitor, then you can set the monitoring frequency to daily. Otherwise, you can consider a weekly or monthly monitoring frequency, based on the growth of your production data over time. * **Monitor the top N important features or a subset of features.** If you use training data as the comparison baseline, you can easily configure data drift monitoring or data quality monitoring for the top N features. For models that have a large number of features, consider monitoring a subset of those features to reduce computation cost and monitoring noise.+* **Use the model performance signal when you have access to ground truth data.** If you have access to ground truth data (also known as actuals) based on the particulars of your machine learning application, we recommended that you use the model performance signal to compare the ground truth data to your model's output. This comparison provides an objective view into the performance of your model in production. ++## Model monitoring integration with Azure Event Grid ++You can use events generated by Azure Machine Learning model monitoring runs to set up event-driven applications, processes, or CI/CD workflows with [Azure Event Grid](how-to-use-event-grid.md). ++When your model monitor detects drift, data quality issues, or model performance degradation, you can track these events with Event Grid and take action programmatically. For example, if the accuracy of your classification model in production dips below a certain threshold, you can use Event Grid to begin a retraining job that uses collected ground truth data. To learn how to integrate Azure Machine Learning with Event Grid, see [Perform continuous model monitoring in Azure Machine Learning](how-to-monitor-model-performance.md). -## Next steps +## Related content -- [Perform continuous model monitoring in Azure Machine Learning](how-to-monitor-model-performance.md) - [Model data collection](concept-data-collection.md) - [Collect production inference data](how-to-collect-production-data.md) - [Model monitoring for generative AI applications](./prompt-flow/how-to-monitor-generative-ai-applications.md) |
machine-learning | How To Auto Train Forecast | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-auto-train-forecast.md | az ml job create --file automl-hts-forecasting-pipeline.yml -w <Workspace> -g <R After the job finishes, the evaluation metrics can be downloaded locally using the same procedure as in the [single training run pipeline](#orchestrating-training-inference-and-evaluation-with-components-and-pipelines). -Also see the [demand forecasting with hierarchical time series notebook](https://github.com/Azure/azureml-examples/blob/main/sdk/python/jobs/pipelines/1k_demand_forecasting_with_pipeline_components/automl-forecasting-demand-hierarchical-timeseries-in-pipeline/automl-forecasting-demand-hierarchical-timeseries-in-pipeline.ipynb) for a more detailed example. +Also see the [demand forecasting with hierarchical time series notebook](https://github.com/Azure/azureml-examples/blob/main/sdk/python/jobs/pipelines/1k_demand_forecasting_with_pipeline_components/automl-forecasting-demand-hierarchical-timeseries-in-pipeline/automl-forecasting-demand-hts.ipynb) for a more detailed example. > [!NOTE] > The HTS training and inference components conditionally partition your data according to the `hierarchy_column_names` setting so that each partition is in its own file. This process can be very slow or fail when data is very large. In this case, we recommend partitioning your data manually before running HTS training or inference. |
machine-learning | How To Collect Production Data | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-collect-production-data.md | -In this article, you'll learn how to collect production inference data from a model deployed to an Azure Machine Learning managed online endpoint or Kubernetes online endpoint. +In this article, you learn how to use Azure Machine Learning **Data collector** to collect production inference data from a model that is deployed to an Azure Machine Learning managed online endpoint or a Kubernetes online endpoint. [!INCLUDE [machine-learning-preview-generic-disclaimer](includes/machine-learning-preview-generic-disclaimer.md)] -Azure Machine Learning **Data collector** logs inference data in Azure blob storage. You can enable data collection for new or existing online endpoint deployments. +You can enable data collection for new or existing online endpoint deployments. Azure Machine Learning data collector logs inference data in Azure Blob Storage. Data collected with the Python SDK is automatically registered as a data asset in your Azure Machine Learning workspace. This data asset can be used for model monitoring. -Data collected with the provided Python SDK is automatically registered as a data asset in your Azure Machine Learning workspace. This data asset can be used for model monitoring. --If you're interested in collecting production inference data for a MLFlow model deployed to a real-time endpoint, doing so can be done with a single toggle. To learn how to do this, see [Data collection for MLFlow models](#collect-data-for-mlflow-models). +If you're interested in collecting production inference data for an MLflow model that is deployed to a real-time endpoint, see [Data collection for MLflow models](#collect-data-for-mlflow-models). ## Prerequisites If you're interested in collecting production inference data for a MLFlow model * Azure role-based access controls (Azure RBAC) are used to grant access to operations in Azure Machine Learning. To perform the steps in this article, your user account must be assigned the __owner__ or __contributor__ role for the Azure Machine Learning workspace, or a custom role allowing `Microsoft.MachineLearningServices/workspaces/onlineEndpoints/*`. For more information, see [Manage access to an Azure Machine Learning workspace](how-to-assign-roles.md). -# [Python](#tab/python) -+# [Python SDK](#tab/python) [!INCLUDE [basic prereqs sdk](includes/machine-learning-sdk-v2-prereqs.md)] If you're interested in collecting production inference data for a MLFlow model -* Have a registered model that you can use for deployment. If you haven't already registered a model, see [Register your model as an asset in Machine Learning](how-to-manage-models.md#register-your-model-as-an-asset-in-machine-learning-by-using-the-cli). +* Have a registered model that you can use for deployment. If you don't have a registered model, see [Register your model as an asset in Machine Learning](how-to-manage-models.md#register-your-model-as-an-asset-in-machine-learning-by-using-the-cli). * Create an Azure Machine Learning online endpoint. If you don't have an existing online endpoint, see [Deploy and score a machine learning model by using an online endpoint](how-to-deploy-online-endpoints.md). ## Perform custom logging for model monitoring -Data collection with custom logging allows you to log pandas DataFrames directly from your scoring script before, during, and after any data transformations. With custom logging, tabular data is logged in real-time to your workspace Blob storage or a custom Blob storage container. From storage, it can be consumed by your model monitors. +Data collection with custom logging allows you to log pandas DataFrames directly from your scoring script before, during, and after any data transformations. With custom logging, tabular data is logged in real time to your workspace Blob Storage or a custom blob storage container. Your model monitors can consume the data from storage. ### Update your scoring script with custom logging code -First, you'll need to add custom logging code to your scoring script (`score.py`). For custom logging, you'll need the `azureml-ai-monitoring` package. For more information, see the comprehensive [PyPI page for the data collector SDK](https://pypi.org/project/azureml-ai-monitoring/). +To begin, add custom logging code to your scoring script (`score.py`). For custom logging, you need the `azureml-ai-monitoring` package. For more information on this package, see the comprehensive [PyPI page for the data collector SDK](https://pypi.org/project/azureml-ai-monitoring/). 1. Import the `azureml-ai-monitoring` package by adding the following line to the top of the scoring script: First, you'll need to add custom logging code to your scoring script (`score.py` 1. Declare your data collection variables (up to five of them) in your `init()` function: > [!NOTE]- > If you use the names `model_inputs` and `model_outputs` for your `Collector` objects, the model monitoring system will automatically recognize the automatically registered data assets, which will provide for a more seamless model monitoring experience. + > If you use the names `model_inputs` and `model_outputs` for your `Collector` objects, the model monitoring system automatically recognizes the automatically registered data assets to provide for a more seamless model monitoring experience. ```python global inputs_collector, outputs_collector inputs_collector = Collector(name='model_inputs') outputs_collector = Collector(name='model_outputs')- inputs_outputs_collector = Collector(name='model_inputs_outputs') ``` By default, Azure Machine Learning raises an exception if there's a failure during data collection. Optionally, you can use the `on_error` parameter to specify a function to run if logging failure happens. For instance, using the `on_error` parameter in the following code, Azure Machine Learning logs the error rather than throwing an exception: First, you'll need to add custom logging code to your scoring script (`score.py` ``` > [!NOTE]- > Currently, only pandas DataFrames can be logged with the `collect()` API. If the data is not in a DataFrame when passed to `collect()`, it will not be logged to storage and an error will be reported. + > Currently, the `collect()` API logs only pandas DataFrames. If the data is not in a DataFrame when passed to `collect()`, it won't get logged to storage and an error will be reported. -The following code is an example of a full scoring script (`score.py`) that uses the custom logging Python SDK. In this example, a third `Collector` called `inputs_outputs_collector` logs a joined DataFrame of the `model_inputs` and the `model_outputs`. This joined DataFrame enables additional monitoring signals (feature attribution drift, etc.). If you are not interested in those monitoring signals, please feel free to remove this `Collector`. +The following code is an example of a full scoring script (`score.py`) that uses the custom logging Python SDK. In this example, a third `Collector` called `inputs_outputs_collector` logs a joined DataFrame of the `model_inputs` and the `model_outputs`. This joined DataFrame enables more monitoring signals such as feature attribution drift. If you're not interested in these monitoring signals, you can remove this `Collector`. ```python import pandas as pd def init(): # instantiate collectors with appropriate names, make sure align with deployment spec inputs_collector = Collector(name='model_inputs') outputs_collector = Collector(name='model_outputs')- inputs_outputs_collector = Collector(name='model_inputs_outputs') #note: this is used to enable Feature Attribution Drift def run(data): # json data: { "data" : { "col1": [1,2,3], "col2": [2,3,4] } } def run(data): # collect outputs data, pass in correlation_context so inputs and outputs data can be correlated later outputs_collector.collect(output_df, context)-- # create a dataframe with inputs/outputs joined - this creates a URI folder (not mltable) - # input_output_df = input_df.merge(output_df, context) - input_output_df = input_df.join(output_df) -- # collect both your inputs and output - inputs_outputs_collector.collect(input_output_df, context) return output_df.to_dict() def predict(input_df): ### Update your dependencies -Before you create your deployment with the updated scoring script, you'll create your environment with the base image `mcr.microsoft.com/azureml/openmpi4.1.0-ubuntu20.04` and the appropriate conda dependencies, then you'll build the environment using the specification in the following YAML. +Before you can create your deployment with the updated scoring script, you need to create your environment with the base image `mcr.microsoft.com/azureml/openmpi4.1.0-ubuntu20.04` and the appropriate conda dependencies. Thereafter, you can build the environment using the specification in the following YAML. ```yml channels: name: model-env ### Update your deployment YAML -Next, we'll create the deployment YAML. Include the `data_collector` attribute and enable collection for `model_inputs` and `model_outputs`, which are the names we gave our `Collector` objects earlier via the custom logging Python SDK: +Next, you create the deployment YAML. To create the deployment YAML, include the `data_collector` attribute and enable data collection for the `Collector` objects, `model_inputs` and `model_outputs`, that you instantiated earlier via the custom logging Python SDK: ```yml data_collector: data_collector: enabled: 'True' model_outputs: enabled: 'True'- model_inputs_outputs: - enabled: 'True' ``` -The following code is an example of a comprehensive deployment YAML for a managed online endpoint deployment. You should update the deployment YAML according to your scenario. For more examples on how to format your deployment YAML for inference data logging, see [https://github.com/Azure/azureml-examples/tree/main/cli/endpoints/online/data-collector](https://github.com/Azure/azureml-examples/tree/main/cli/endpoints/online/data-collector). +The following code is an example of a comprehensive deployment YAML for a managed online endpoint deployment. You should update the deployment YAML according to your scenario. For more examples on how to format your deployment YAML for inference data logging, see [Azure model data collector examples](https://github.com/Azure/azureml-examples/tree/main/cli/endpoints/online/data-collector). ```yml $schema: https://azuremlschemas.azureedge.net/latest/managedOnlineDeployment.schema.json data_collector: enabled: 'True' model_outputs: enabled: 'True'- model_inputs_outputs: - enabled: 'True' ``` -Optionally, you can adjust the following additional parameters for your `data_collector`: +Optionally, you can adjust the following extra parameters for your `data_collector`: -- `data_collector.rolling_rate`: The rate to partition the data in storage. Value can be: Minute, Hour, Day, Month, or Year.-- `data_collector.sampling_rate`: The percentage, represented as a decimal rate, of data to collect. For instance, a value of 1.0 represents collecting 100% of data.+- `data_collector.rolling_rate`: The rate to partition the data in storage. Choose from the values: `Minute`, `Hour`, `Day`, `Month`, or `Year`. +- `data_collector.sampling_rate`: The percentage, represented as a decimal rate, of data to collect. For instance, a value of `1.0` represents collecting 100% of data. - `data_collector.collections.<collection_name>.data.name`: The name of the data asset to register with the collected data. - `data_collector.collections.<collection_name>.data.path`: The full Azure Machine Learning datastore path where the collected data should be registered as a data asset. - `data_collector.collections.<collection_name>.data.version`: The version of the data asset to be registered with the collected data in blob storage. -#### Collect data to a custom Blob storage container +#### Collect data to a custom blob storage container -If you need to collect your production inference data to a custom Blob storage container, you can do so with the data collector. +You can use the data collector to collect your production inference data to a custom blob storage container by following these steps: -To use the data collector with a custom Blob storage container, connect the storage container to an Azure Machine Learning datastore. To learn how to do so, see [create datastores](how-to-datastore.md). +1. Connect the storage container to an Azure Machine Learning datastore. For more information on connecting the storage container to the Azure Machine Learning datastore, see [create datastores](how-to-datastore.md). -Next, ensure that your Azure Machine Learning endpoint has the necessary permissions to write to the datastore destination. The data collector supports both system assigned managed identities (SAMIs) and user assigned managed identities (UAMIs). Add the identity to your endpoint. Assign the role `Storage Blob Data Contributor` to this identity with the Blob storage container which will be used as the data destination. To learn how to use managed identities in Azure, see [assign Azure roles to a managed identity](/azure/role-based-access-control/role-assignments-portal-managed-identity). +1. Check that your Azure Machine Learning endpoint has the necessary permissions to write to the datastore destination. -Then, update your deployment YAML to include the `data` property within each collection. The `data.name` is a required parameter used to specify the name of the data asset to be registered with the collected data. The `data.path` is a required parameter used to specify the fully-formed Azure Machine Learning datastore path, which is connected to your Azure Blob storage container. The `data.version` is an optional parameter used to specify the version of the data asset (defaults to 1). + The data collector supports both system assigned managed identities (SAMIs) and user assigned managed identities (UAMIs). Add the identity to your endpoint. Assign the `Storage Blob Data Contributor` role to this identity with the Blob storage container to be used as the data destination. To learn how to use managed identities in Azure, see [assign Azure roles to a managed identity](/azure/role-based-access-control/role-assignments-portal-managed-identity). -Here is an example YAML configuration of how you would do so: +1. Update your deployment YAML to include the `data` property within each collection. -```yml -data_collector: - collections: - model_inputs: - enabled: 'True' - data: - name: my_model_inputs_data_asset - path: azureml://datastores/workspaceblobstore/paths/modelDataCollector/my_endpoint/blue/model_inputs - version: 1 - model_outputs: - enabled: 'True' - data: - name: my_model_outputs_data_asset - path: azureml://datastores/workspaceblobstore/paths/modelDataCollector/my_endpoint/blue/model_outputs - version: 1 -``` + - The _required_ parameter, `data.name`, specifies the name of the data asset to be registered with the collected data. + - The _required_ parameter, `data.path`, specifies the fully formed Azure Machine Learning datastore path, which is connected to your Azure Blob Storage container. + - The _optional_ parameter, `data.version`, specifies the version of the data asset (defaults to 1). ++ The following YAML configuration shows an example of how to include the `data` property within each collection. + + ```yml + data_collector: + collections: + model_inputs: + enabled: 'True' + data: + name: my_model_inputs_data_asset + path: azureml://datastores/workspaceblobstore/paths/modelDataCollector/my_endpoint/blue/model_inputs + version: 1 + model_outputs: + enabled: 'True' + data: + name: my_model_outputs_data_asset + path: azureml://datastores/workspaceblobstore/paths/modelDataCollector/my_endpoint/blue/model_outputs + version: 1 + ``` -**Note**: You can also use the `data.path` parameter to point to datastores in different Azure subscriptions. To do so, ensure your path looks like this: `azureml://subscriptions/<sub_id>/resourcegroups/<rg_name>/workspaces/<ws_name>/datastores/<datastore_name>/paths/<path>` + > [!NOTE] + > You can also use the `data.path` parameter to point to datastores in different Azure subscriptions by providing a path that follows the format: `azureml://subscriptions/<sub_id>/resourcegroups/<rg_name>/workspaces/<ws_name>/datastores/<datastore_name>/paths/<path>` ### Create your deployment with data collection Deploy the model with custom logging enabled: $ az ml online-deployment create -f deployment.YAML ``` -For more information on how to format your deployment YAML for data collection (along with default values) with kubernetes online endpoints, see the [CLI (v2) Azure Arc-enabled Kubernetes online deployment YAML schema](reference-yaml-deployment-kubernetes-online.md). For more information on how to format your deployment YAML for data collection with managed online endpoints, see [CLI (v2) managed online deployment YAML schema](reference-yaml-deployment-managed-online.md). +For more information on how to format your deployment YAML for data collection with Kubernetes online endpoints, see the [CLI (v2) Azure Arc-enabled Kubernetes online deployment YAML schema](reference-yaml-deployment-kubernetes-online.md). ++For more information on how to format your deployment YAML for data collection with managed online endpoints, see [CLI (v2) managed online deployment YAML schema](reference-yaml-deployment-managed-online.md). ### Store collected data in a blob-Blob storage output/format -By default, the collected data will be stored at the following path in your workspace Blob storage: `azureml://datastores/workspaceblobstore/paths/modelDataCollector`. The final path in Blob will be appended with `{endpoint_name}/{deployment_name}/{collection_name}/{yyyy}/{MM}/{dd}/{HH}/{instance_id}.jsonl`. Each line in the file is a JSON object representing a single inference request/response that was logged. +__Blob storage output/format__: ++- By default, the collected data is stored at the following path in your workspace Blob Storage: `azureml://datastores/workspaceblobstore/paths/modelDataCollector`. ++- The final path in the blob will be appended with `{endpoint_name}/{deployment_name}/{collection_name}/{yyyy}/{MM}/{dd}/{HH}/{instance_id}.jsonl`. ++- Each line in the file is a JSON object representing a single inference request/response that was logged. > [!NOTE]-> `collection_name` refers to the MDC data collection name (e.g., "model_inputs" or "model_outputs"). `instance_id` is a unique id identifying the grouping of data which was logged. +> `collection_name` refers to the data collection name (e.g., `model_inputs` or `model_outputs`). +> `instance_id` is a unique id identifying the grouping of data which was logged. -The collected data will follow the following json schema. The collected data is available from the `data` key and additional metadata is provided. +The collected data follows the following JSON schema. The collected data is available from the `data` key and additional metadata is provided. ```json {"specversion":"1.0", The collected data will follow the following json schema. The collected data is "contentrange":"bytes 0-116/117"} ``` -> [!NOTE] +> [!TIP] > Line breaks are shown only for readability. In your collected .jsonl files, there won't be any line breaks. #### Store large payloads -If the payload of your data is greater than 256 kb, there will be an event in the `{instance_id}.jsonl` file contained within the `{endpoint_name}/{deployment_name}/request/.../{instance_id}.jsonl` path that points to a raw file path, which should have the following path: `blob_url/{blob_container}/{blob_path}/{endpoint_name}/{deployment_name}/{rolled_time}/{instance_id}.jsonl`. The collected data will exist at this path. +If the payload of your data is greater than 256 KB, there will be an event in the `{instance_id}.jsonl` file contained within the `{endpoint_name}/{deployment_name}/request/.../{instance_id}.jsonl` path that points to a raw file path, which should have the following path: `blob_url/{blob_container}/{blob_path}/{endpoint_name}/{deployment_name}/{rolled_time}/{instance_id}.jsonl`. The collected data will exist at this path. #### Store binary data With collected binary data, we show the raw file directly, with `instance_id` as } ``` -#### Viewing the data in the studio UI +#### View the data in the studio UI -To view the collected data in Blob storage from the studio UI: +To view the collected data in Blob Storage from the studio UI: 1. Go to thee **Data** tab in your Azure Machine Learning workspace: To view the collected data in Blob storage from the studio UI: ## Log payload -In addition to custom logging with the provided Python SDK, you can collect request and response HTTP payload data directly without the need to augment your scoring script (`score.py`). To enable payload logging, in your deployment YAML, use the names `request` and `response`: +In addition to custom logging with the provided Python SDK, you can collect request and response HTTP payload data directly without the need to augment your scoring script (`score.py`). -```yml -$schema: http://azureml/sdk-2-0/OnlineDeployment.json +1. To enable payload logging, in your deployment YAML, use the names `request` and `response`: -endpoint_name: my_endpoint -name: blue -model: azureml:my-model-m1:1 -environment: azureml:env-m1:1 -data_collector: - collections: - request: - enabled: 'True' - response: - enabled: 'True' -``` + ```yml + $schema: http://azureml/sdk-2-0/OnlineDeployment.json + + endpoint_name: my_endpoint + name: blue + model: azureml:my-model-m1:1 + environment: azureml:env-m1:1 + data_collector: + collections: + request: + enabled: 'True' + response: + enabled: 'True' + ``` -Deploy the model with payload logging enabled: +1. Deploy the model with payload logging enabled: -```bash -$ az ml online-deployment create -f deployment.YAML -``` + ```bash + $ az ml online-deployment create -f deployment.YAML + ``` -> [!NOTE] -> With payload logging, the collected data is not guaranteed to be in tabular format. Because of this, if you want to use collected payload data with model monitoring, you'll be required to provide a pre-processing component to make the data tabular. If you're interested in a seamless model monitoring experience, we recommend using the [custom logging Python SDK](#perform-custom-logging-for-model-monitoring). +With payload logging, the collected data is not guaranteed to be in tabular format. Therefore, if you want to use collected payload data with model monitoring, you'll be required to provide a preprocessing component to make the data tabular. If you're interested in a seamless model monitoring experience, we recommend using the [custom logging Python SDK](#perform-custom-logging-for-model-monitoring). -As your deployment is used, the collected data will flow to your workspace Blob storage. The following code is an example of an HTTP _request_ collected JSON: +As your deployment is used, the collected data flows to your workspace Blob storage. The following JSON code is an example of an HTTP _request_ collected: ```json {"specversion":"1.0", As your deployment is used, the collected data will flow to your workspace Blob "correlationid":"f6e806c9-1a9a-446b-baa2-901373162105","xrequestid":"f6e806c9-1a9a-446b-baa2-901373162105"} ``` -And the following code is an example of an HTTP _response_ collected JSON: +And the following JSON code is another example of an HTTP _response_ collected: ```json {"specversion":"1.0", And the following code is an example of an HTTP _response_ collected JSON: "correlationid":"f6e806c9-1a9a-446b-baa2-901373162105","xrequestid":"f6e806c9-1a9a-446b-baa2-901373162105"} ``` -## Collect data for MLFlow models --If you're deploying an MLFlow model to an Azure Machine Learning online endpoint, you can enable production inference data collection with single toggle in the studio UI. If data collection is toggled on, we'll auto-instrument your scoring script with custom logging code to ensure that the production data is logged to your workspace Blob storage. The data can then be used by your model monitors to monitor the performance of your MLFlow model in production. +## Collect data for MLflow models -To enable production data collection, while you're deploying your model, under the **Deployment** tab, select **Enabled** for **Data collection (preview)**. +If you're deploying an MLflow model to an Azure Machine Learning online endpoint, you can enable production inference data collection with single toggle in the studio UI. If data collection is toggled on, Azure Machine Learning auto-instruments your scoring script with custom logging code to ensure that the production data is logged to your workspace Blob Storage. Your model monitors can then use the data to monitor the performance of your MLflow model in production. -After enabling data collection, production inference data will be logged to your Azure Machine Learning workspace blob storage and two data assets will be created with names `<endpoint_name>-<deployment_name>-model_inputs` and `<endpoint_name>-<deployment_name>-model_outputs`. These data assets will be updated in real-time as your deployment is used in production. The data assets can then be used by your model monitors to monitor the performance of your model in production. +While you're configuring the deployment of your model, you can enable production data collection. Under the **Deployment** tab, select **Enabled** for **Data collection (preview)**. -## Next steps +After you've enabled data collection, production inference data will be logged to your Azure Machine Learning workspace Blob Storage and two data assets will be created with names `<endpoint_name>-<deployment_name>-model_inputs` and `<endpoint_name>-<deployment_name>-model_outputs`. These data assets are updated in real time as you use your deployment in production. Your model monitors can then use the data assets to monitor the performance of your model in production. -To learn how to monitor the performance of your models with the collected production inference data, see the following articles: +## Related content - [What is Azure Machine Learning model monitoring?](concept-model-monitoring.md) - [Monitor performance of models deployed to production](how-to-monitor-model-performance.md) |
machine-learning | How To Devops Machine Learning | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-devops-machine-learning.md | jobs: pool: vmImage: ubuntu-latest steps:- - checkout: none - task: UsePythonVersion@0 displayName: Use Python >=3.8 inputs: jobs: pool: vmImage: ubuntu-latest steps:- - checkout: none - task: UsePythonVersion@0 displayName: Use Python >=3.8 inputs: The task has four inputs: `Service Connection`, `Azure Resource Group Name`, `Az dependsOn: SubmitAzureMLJob variables: # We are saving the name of azureMl job submitted in previous step to a variable and it will be used as an inut to the AzureML Job Wait task- azureml_job_name_from_submit_job: $[ dependencies.SubmitAzureMLJob.outputs['submit_azureml_job_task.AZUREML_JOB_NAME'] ] + azureml_job_name_from_submit_job: $[ dependencies.SubmitAzureMLJob.outputs['submit_azureml_job_task.JOB_NAME'] ] steps: - task: AzureMLJobWaitTask@1 inputs: |
machine-learning | How To Enable Preview Features | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-enable-preview-features.md | You can enable or disable preview features anytime in [Azure Machine Learning st :::image type="content" source="./media/how-to-enable-preview-features/megaphone-icon.png" alt-text="Screenshot of the megaphone icon in Azure Machine Learning studio."::: -1. Find the feature you would like to try out and select the toggle next to it to enable or disable the feature. +1. Find the feature you would like to try out and select the toggle next to it to enable or disable the feature. If you know the feature's name, use the search field. > [!TIP] > When you disable a feature, a text box will appear that can be used to provide feedback on the feature. To learn how to provide feedback without disabling a feature, see [How do I provide feedback?](#how-do-i-provide-feedback). |
machine-learning | How To Managed Network | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-managed-network.md | The following diagram shows a managed VNet configured to __allow only approved o :::image type="content" source="./media/how-to-managed-network/only-approved-outbound.svg" alt-text="Diagram of managed VNet isolation configured for allow only approved outbound." lightbox="./media/how-to-managed-network/only-approved-outbound.svg"::: > [!NOTE]-> Once a managed VNet workspace is configured to __allow only approved outbound__, the workspace cannot be reconfigured to __allow internet outbound__. Please keep this in mind when configuring managed VNet for your workspace. +> Once a managed VNet workspace is configured to __allow internet outbound__, the workspace cannot be reconfigured to __disabled__. Similarily, once a managed VNet workspace is configured to __allow only approved outbound__, the workspace cannot be reconfigured to __allow internet outbound__. Please keep this in mind when selecting the isolation mode for managed VNet in your workspace. ### Azure Machine Learning studio Before following the steps in this article, make sure you have the following pre * The Azure CLI examples in this article use `ws` to represent the name of the workspace, and `rg` to represent the name of the resource group. Change these values as needed when using the commands with your Azure subscription. +* With Azure CLI and managed VNet, SSH using public IP works, but SSH using private IP doesn't work. + # [Python SDK](#tab/python) * An Azure subscription. If you don't have an Azure subscription, create a free account before you begin. Try the [free or paid version of Azure Machine Learning](https://azure.microsoft.com/free/). If you plan to use __Visual Studio Code__ with Azure Machine Learning, add outbo * `update.code.visualstudio.com` * `*.vo.msecnd.net` * `marketplace.visualstudio.com`+* `vscode.download.prss.microsoft.com` ### Scenario: Use batch endpoints |
machine-learning | How To Monitor Model Performance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-monitor-model-performance.md | Title: Monitor performance of models deployed to production (preview) + Title: Monitor performance of models deployed to production -description: Monitor the performance of models deployed to production on Azure Machine Learning +description: Monitor the performance of models deployed to production in Azure Machine Learning --++ reviewer: msakande Previously updated : 09/15/2023 Last updated : 01/29/2024 -# Monitor performance of models deployed to production (preview) +# Monitor performance of models deployed to production -Once a machine learning model is in production, it's important to critically evaluate the inherent risks associated with it and identify blind spots that could adversely affect your business. Azure Machine Learning's model monitoring continuously tracks the performance of models in production by providing a broad view of monitoring signals and alerting you to potential issues. In this article, you learn to perform out-of box and advanced monitoring setup for models that are deployed to Azure Machine Learning online endpoints. You also learn to set up model monitoring for models that are deployed outside Azure Machine Learning or deployed to Azure Machine Learning batch endpoints. +In this article, you learn to perform out-of box and advanced monitoring setup for models that are deployed to Azure Machine Learning online endpoints. You also learn to set up monitoring for models that are deployed outside Azure Machine Learning or deployed to Azure Machine Learning batch endpoints. ++Once a machine learning model is in production, it's important to critically evaluate the inherent risks associated with it and identify blind spots that could adversely affect your business. Azure Machine Learning's model monitoring continuously tracks the performance of models in production by providing a broad view of monitoring signals and alerting you to potential issues. ## Prerequisites Once a machine learning model is in production, it's important to critically eva [!INCLUDE [basic prereqs cli](includes/machine-learning-cli-prereqs.md)] -* Azure role-based access controls (Azure RBAC) are used to grant access to operations in Azure Machine Learning. To perform the steps in this article, your user account must be assigned the __owner__ or __contributor__ role for the Azure Machine Learning workspace, or a custom role allowing `Microsoft.MachineLearningServices/workspaces/onlineEndpoints/*`. For more information, see [Manage access to an Azure Machine Learning workspace](how-to-assign-roles.md). --# [Python](#tab/python) -+# [Python SDK](#tab/python) [!INCLUDE [basic prereqs sdk](includes/machine-learning-sdk-v2-prereqs.md)] -* Azure role-based access controls (Azure RBAC) are used to grant access to operations in Azure Machine Learning. To perform the steps in this article, your user account must be assigned the __owner__ or __contributor__ role for the Azure Machine Learning workspace, or a custom role allowing `Microsoft.MachineLearningServices/workspaces/onlineEndpoints/*`. For more information, see [Manage access to an Azure Machine Learning workspace](how-to-assign-roles.md). - # [Studio](#tab/azure-studio) Before following the steps in this article, make sure you have the following prerequisites: * An Azure subscription. If you don't have an Azure subscription, create a free account before you begin. Try the [free or paid version of Azure Machine Learning](https://azure.microsoft.com/free/). -* An Azure Machine Learning workspace and a compute instance. If you don't have these, use the steps in the [Quickstart: Create workspace resources](quickstart-create-resources.md) article to create them. --* Azure role-based access controls (Azure RBAC) are used to grant access to operations in Azure Machine Learning. To perform the steps in this article, your user account must be assigned the __owner__ or __contributor__ role for the Azure Machine Learning workspace, or a custom role allowing `Microsoft.MachineLearningServices/workspaces/onlineEndpoints/*`. For more information, see [Manage access to an Azure Machine Learning workspace](how-to-assign-roles.md). +* An Azure Machine Learning workspace and a compute instance. If you don't have these resources, use the steps in the [Quickstart: Create workspace resources](quickstart-create-resources.md) article to create them. -* For monitoring a model that is deployed to an Azure Machine Learning online endpoint (Managed Online Endpoint or Kubernetes Online Endpoint): -- * A model deployed to an Azure Machine Learning online endpoint. Both Managed Online Endpoint and Kubernetes Online Endpoint are supported. If you don't have a model deployed to an Azure Machine Learning online endpoint, see [Deploy and score a machine learning model by using an online endpoint](how-to-deploy-online-endpoints.md). +* Azure role-based access controls (Azure RBAC) are used to grant access to operations in Azure Machine Learning. To perform the steps in this article, your user account must be assigned the __owner__ or __contributor__ role for the Azure Machine Learning workspace, or a custom role allowing `Microsoft.MachineLearningServices/workspaces/onlineEndpoints/*`. For more information, see [Manage access to an Azure Machine Learning workspace](how-to-assign-roles.md). - * Data collection enabled for your model deployment. You can enable data collection during the deployment step for Azure Machine Learning online endpoints. For more information, see [Collect production data from models deployed to a real-time endpoint](how-to-collect-production-data.md). +* For monitoring a model that is deployed to an Azure Machine Learning online endpoint (managed online endpoint or Kubernetes online endpoint), be sure to: -* For monitoring a model that is deployed to an Azure Machine Learning batch endpoint or deployed outside of Azure Machine Learning: + * Have a model already deployed to an Azure Machine Learning online endpoint. Both managed online endpoint and Kubernetes online endpoint are supported. If you don't have a model deployed to an Azure Machine Learning online endpoint, see [Deploy and score a machine learning model by using an online endpoint](how-to-deploy-online-endpoints.md). - * A way to collect production data and register it as an Azure Machine Learning data asset. - * The registered Azure Machine Learning data asset is continuously updated for model monitoring. - * (Recommended) The model should be registered in Azure Machine Learning workspace, for lineage tracking. + * Enable data collection for your model deployment. You can enable data collection during the deployment step for Azure Machine Learning online endpoints. For more information, see [Collect production data from models deployed to a real-time endpoint](how-to-collect-production-data.md). +* For monitoring a model that is deployed to an Azure Machine Learning batch endpoint or deployed outside of Azure Machine Learning, be sure to: + * Have a means to collect production data and register it as an Azure Machine Learning data asset. + * Update the registered data asset continuously for model monitoring. + * (Recommended) Register the model in an Azure Machine Learning workspace, for lineage tracking. > [!IMPORTANT] >-> Model monitoring jobs are scheduled to run on serverless Spark compute pool with `Standard_E4s_v3` VM instance type support only. More VM instance type support will come in the future roadmap. +> Model monitoring jobs are scheduled to run on serverless Spark compute pools with support for the following VM instance types: `Standard_E4s_v3`, `Standard_E8s_v3`, `Standard_E16s_v3`, `Standard_E32s_v3`, and `Standard_E64s_v3`. You can select the VM instance type with the `create_monitor.compute.instance_type` property in your YAML configuration or from the dropdown in the Azure Machine Learning studio. -## Set up out-of-the-box model monitoring +## Set up out-of-box model monitoring -If you deploy your model to production in an Azure Machine Learning online endpoint, Azure Machine Learning collects production inference data automatically and uses it for continuous monitoring. +Suppose you deploy your model to production in an Azure Machine Learning online endpoint and enable [data collection](how-to-collect-production-data.md) at deployment time. In this scenario, Azure Machine Learning collects production inference data, and automatically stores it in Microsoft Azure Blob Storage. You can then use Azure Machine Learning model monitoring to continuously monitor this production inference data. -You can use Azure CLI, the Python SDK, or Azure Machine Learning studio for out-of-box setup of model monitoring. The out-of-box model monitoring provides following monitoring capabilities: +You can use the Azure CLI, the Python SDK, or the studio for an out-of-box setup of model monitoring. The out-of-box model monitoring configuration provides the following monitoring capabilities: -* Azure Machine Learning will automatically detect the production inference dataset associated with a deployment to an Azure Machine Learning online endpoint and use the dataset for model monitoring. -* The recent past production inference dataset is used as the comparison baseline dataset. +* Azure Machine Learning automatically detects the production inference dataset associated with an Azure Machine Learning online deployment and uses the dataset for model monitoring. +* The comparison reference dataset is set as the recent, past production inference dataset. * Monitoring setup automatically includes and tracks the built-in monitoring signals: **data drift**, **prediction drift**, and **data quality**. For each monitoring signal, Azure Machine Learning uses:- * the recent past production inference dataset as the comparison baseline dataset. + * the recent, past production inference dataset as the comparison reference dataset. * smart defaults for metrics and thresholds.-* A monitoring job is scheduled to run daily at 3:15am (for this example) to acquire monitoring signals and evaluate each metric result against its corresponding threshold. By default, when any threshold is exceeded, an alert email is sent to the user who set up the monitoring. --## Configure feature importance --For feature importance to be enabled with any of your signals (such as data drift or data quality,) you need to provide both the 'baseline_dataset' (typically training) dataset and 'target_column_name' fields. +* A monitoring job is scheduled to run daily at 3:15am (for this example) to acquire monitoring signals and evaluate each metric result against its corresponding threshold. By default, when any threshold is exceeded, Azure Machine Learning sends an alert email to the user that set up the monitor. # [Azure CLI](#tab/azure-cli) -Azure Machine Learning model monitoring uses `az ml schedule` for model monitoring setup. You can create out-of-box model monitoring setup with the following CLI command and YAML definition: +Azure Machine Learning model monitoring uses `az ml schedule` to schedule a monitoring job. You can create the out-of-box model monitor with the following CLI command and YAML definition: ```azurecli az ml schedule create -f ./out-of-box-monitoring.yaml ``` -The following YAML contains the definition for out-of-the-box model monitoring. --```yaml -# out-of-box-monitoring.yaml -$schema: http://azureml/sdk-2-0/Schedule.json -name: fraud_detection_model_monitoring -display_name: Fraud detection model monitoring -description: Loan approval model monitoring setup with minimal configurations --trigger: - # perform model monitoring activity daily at 3:15am - type: recurrence - frequency: day #can be minute, hour, day, week, month - interval: 1 # #every day - schedule: - hours: 3 # at 3am - minutes: 15 # at 15 mins after 3am --create_monitor: - compute: # specify a spark compute for monitoring job - instance_type: standard_e4s_v3 - runtime_version: 3.2 - monitoring_target: - endpoint_deployment_id: azureml:fraud-detection-endpoint:fraud-detection-deployment -``` +The following YAML contains the definition for the out-of-box model monitoring. -# [Python](#tab/python) +# [Python SDK](#tab/python) -You can use the following code to set up out-of-the-box model monitoring: +You can use the following code to set up the out-of-box model monitoring: ```python--from azure.identity import InteractiveBrowserCredential +from azure.identity import DefaultAzureCredential from azure.ai.ml import MLClient from azure.ai.ml.entities import (+ AlertNotification, MonitoringTarget, MonitorDefinition, MonitorSchedule, RecurrencePattern, RecurrenceTrigger,- SparkResourceConfiguration, + ServerlessSparkCompute ) # get a handle to the workspace-ml_client = MLClient(InteractiveBrowserCredential(), subscription_id, resource_group, workspace) +ml_client = MLClient( + DefaultAzureCredential(), + subscription_id="subscription_id", + resource_group_name="resource_group_name", + workspace_name="workspace_name", +) +# create the compute spark_compute = ServerlessSparkCompute( instance_type="standard_e4s_v3",- runtime_version="3.2" + runtime_version="3.3" +) ++# specify your online endpoint deployment +monitoring_target = MonitoringTarget( + ml_task="classification", + endpoint_deployment_id="azureml:credit-default:main" ) -monitoring_target = MonitoringTarget(endpoint_deployment_id="azureml:fraud_detection_endpoint:fraund_detection_deployment") -monitor_definition = MonitorDefinition(compute=spark_compute, monitoring_target=monitoring_target) +# create alert notification object +alert_notification = AlertNotification( + emails=['abc@example.com', 'def@example.com'] +) ++# create the monitor definition +monitor_definition = MonitorDefinition( + compute=spark_compute, + monitoring_target=monitoring_target, + alert_notification=alert_notification +) +# specify the schedule frequency recurrence_trigger = RecurrenceTrigger( frequency="day", interval=1, schedule=RecurrencePattern(hours=3, minutes=15) ) -model_monitor = MonitorSchedule(name="fraud_detection_model_monitoring", - trigger=recurrence_trigger, - create_monitor=monitor_definition) +# create the monitor +model_monitor = MonitorSchedule( + name="credit_default_monitor_basic", + trigger=recurrence_trigger, + create_monitor=monitor_definition +) poller = ml_client.schedules.begin_create_or_update(model_monitor) created_monitor = poller.result()- ``` # [Studio](#tab/azure-studio) 1. Navigate to [Azure Machine Learning studio](https://ml.azure.com).-1. Under **Manage**, select **Monitoring**. +1. Go to your workspace. +1. Select **Monitoring** from the **Manage** section 1. Select **Add**. :::image type="content" source="media/how-to-monitor-models/add-model-monitoring.png" alt-text="Screenshot showing how to add model monitoring." lightbox="media/how-to-monitor-models/add-model-monitoring.png"::: -1. Select the model to monitor. The "Select deployment" dropdown list should be automatically populated if the model is deployed to an Azure Machine Learning online endpoint. -1. Select the deployment in the **Select deployment** box. -1. Select the training data to use as the comparison baseline in the **(Optional) Select training data** box. -1. Enter a name for the monitoring in **Monitor name**. -1. Select VM instance type for Spark pool in the **Select compute type** box. -1. Select "Spark 3.2" for the **Spark runtime version**. -1. Select your **Time zone** for monitoring the job run. -1. Select "Recurrence" or "Cron expression" scheduling. -1. For "Recurrence" scheduling, specify the repeat frequency, day, and time. For "Cron expression" scheduling, you would have to enter cron expression for monitoring run. -1. Select **Finish**. +1. On the **Basic settings** page, use **(Optional) Select model** to choose the model to monitor. +1. The **(Optional) Select deployment with data collection enabled** dropdown list should be automatically populated if the model is deployed to an Azure Machine Learning online endpoint. Select the deployment from the dropdown list. +1. Select the training data to use as the comparison reference in the **(Optional) Select training data** box. +1. Enter a name for the monitoring in **Monitor name** or keep the default name. +1. Notice that the virtual machine size is already selected for you. +1. Select your **Time zone**. +1. Select **Recurrence** or **Cron expression** scheduling. +1. For **Recurrence** scheduling, specify the repeat frequency, day, and time. For **Cron expression** scheduling, enter a cron expression for monitoring run. ++ :::image type="content" source="media/how-to-monitor-models/model-monitoring-basic-setup.png" alt-text="Screenshot of basic settings page for model monitoring." lightbox="media/how-to-monitor-models/model-monitoring-basic-setup.png"::: - :::image type="content" source="media/how-to-monitor-models/model-monitoring-basic-setup.png" alt-text="Screenshot of settings for model monitoring." lightbox="media/how-to-monitor-models/model-monitoring-basic-setup.png"::: +1. Select **Next** to go to the **Advanced settings** section. +1. Select **Next** on the **Configure data asset** page to keep the default datasets. +1. Select **Next** to go to the **Select monitoring signals** page. +1. Select **Next** to go to the **Notifications** page. Add your email to receive email notifications. +1. Review your monitoring details and select **Create** to create the monitor. ## Set up advanced model monitoring -Azure Machine Learning provides many capabilities for continuous model monitoring. See [Capabilities of model monitoring](concept-model-monitoring.md#capabilities-of-model-monitoring) for a list of these capabilities. In many cases, you need to set up model monitoring with advanced monitoring capabilities. In the following example, we set up model monitoring with these capabilities: +Azure Machine Learning provides many capabilities for continuous model monitoring. See [Capabilities of model monitoring](concept-model-monitoring.md#capabilities-of-model-monitoring) for a comprehensive list of these capabilities. In many cases, you need to set up model monitoring with advanced monitoring capabilities. In the following sections, you set up model monitoring with these capabilities: ++* Use of multiple monitoring signals for a broad view. +* Use of historical model training data or validation data as the comparison reference dataset. +* Monitoring of top N most important features and individual features. ++### Configure feature importance ++Feature importance represents the relative importance of each input feature to a model's output. For example, `temperature` might be more important to a model's prediction compared to `elevation`. Enabling feature importance can give you visibility into which features you don't want drifting or having data quality issues in production. -* Use of multiple monitoring signals for a broad view -* Use of historical model training data or validation data as the comparison baseline dataset -* Monitoring of top N features and individual features +To enable feature importance with any of your signals (such as data drift or data quality), you need to provide: -You can use Azure CLI, the Python SDK, or Azure Machine Learning studio for advanced setup of model monitoring. +- Your training dataset as the `reference_data` dataset. +- The `reference_data.data_column_names.target_column` property, which is the name of your model's output/prediction column. + +After enabling feature importance, you'll see a feature importance for each feature you're monitoring in the Azure Machine Learning model monitoring studio UI. ++You can use Azure CLI, the Python SDK, or the studio for advanced setup of model monitoring. # [Azure CLI](#tab/azure-cli) -You can create advanced model monitoring setup with the following CLI command and YAML definition: +Create advanced model monitoring setup with the following CLI command and YAML definition: ```azurecli az ml schedule create -f ./advanced-model-monitoring.yaml az ml schedule create -f ./advanced-model-monitoring.yaml The following YAML contains the definition for advanced model monitoring. -```yaml -# advanced-model-monitoring.yaml -$schema: http://azureml/sdk-2-0/Schedule.json -name: fraud_detection_model_monitoring -display_name: Fraud detection model monitoring -description: Fraud detection model monitoring with advanced configurations --trigger: - # perform model monitoring activity daily at 3:15am - type: recurrence - frequency: day #can be minute, hour, day, week, month - interval: 1 # #every day - schedule: - hours: 3 # at 3am - minutes: 15 # at 15 mins after 3am --create_monitor: - compute: - instance_type: standard_e4s_v3 - runtime_version: 3.2 - monitoring_target: - ml_task: classfiication - endpoint_deployment_id: azureml:fraud-detection-endpoint:fraud-detection-deployment - - monitoring_signals: - advanced_data_drift: # monitoring signal name, any user defined name works - type: data_drift - # target_dataset is optional. By default target dataset is the production inference data associated with Azure Machine Learning online endpoint - reference_data: - input_data: - path: azureml:my_model_training_data:1 # use training data as comparison baseline - type: mltable - data_context: training - target_column_name: fraud_detected - features: - top_n_feature_importance: 20 # monitor drift for top 20 features - metric_thresholds: - numerical: - jensen_shannon_distance: 0.01 - categorical: - pearsons_chi_squared_test: 0.02 - advanced_data_quality: - type: data_quality - # target_dataset is optional. By default target dataset is the production inference data associated with Azure Machine Learning online depoint - reference_data: - input_data: - path: azureml:my_model_training_data:1 - type: mltable - data_context: training - features: # monitor data quality for 3 individual features only - - feature_A - - feature_B - - feature_C - metric_thresholds: - numerical: - null_value_rate: 0.05 - categorical: - out_of_bounds_rate: 0.03 -- feature_attribution_drift_signal: - type: feature_attribution_drift - # production_data: is not required input here - # Please ensure Azure Machine Learning online endpoint is enabled to collected both model_inputs and model_outputs data - # Azure Machine Learning model monitoring will automatically join both model_inputs and model_outputs data and used it for computation - reference_data: - input_data: - path: azureml:my_model_training_data:1 - type: mltable - data_context: training - target_column_name: is_fraud - metric_thresholds: - normalized_discounted_cumulative_gain: 0.9 - - alert_notification: - emails: - - abc@example.com - - def@example.com -``` -# [Python](#tab/python) +# [Python SDK](#tab/python) -You can use the following code for advanced model monitoring setup: +Use the following code for advanced model monitoring setup: ```python-from azure.identity import InteractiveBrowserCredential +from azure.identity import DefaultAzureCredential from azure.ai.ml import Input, MLClient from azure.ai.ml.constants import (- MonitorFeatureType, - MonitorMetricName, MonitorDatasetContext, ) from azure.ai.ml.entities import ( AlertNotification,- FeatureAttributionDriftSignal, - FeatureAttributionDriftMetricThreshold, DataDriftSignal, DataQualitySignal,+ PredictionDriftSignal, DataDriftMetricThreshold, DataQualityMetricThreshold,+ PredictionDriftMetricThreshold, NumericalDriftMetrics, CategoricalDriftMetrics, DataQualityMetricsNumerical, DataQualityMetricsCategorical, MonitorFeatureFilter,- MonitorInputData, MonitoringTarget, MonitorDefinition, MonitorSchedule, from azure.ai.ml.entities import ( ) # get a handle to the workspace-ml_client = MLClient(InteractiveBrowserCredential(), subscription_id, resource_group, workspace) +ml_client = MLClient( + DefaultAzureCredential(), + subscription_id="subscription_id", + resource_group_name="resource_group_name", + workspace_name="workspace_name", +) +# create your compute spark_compute = ServerlessSparkCompute( instance_type="standard_e4s_v3",- runtime_version="3.2" + runtime_version="3.3" ) +# specify the online deployment (if you have one) monitoring_target = MonitoringTarget( ml_task="classification",- endpoint_deployment_id="azureml:fraud_detection_endpoint:fraund_detection_deployment" + endpoint_deployment_id="azureml:credit-default:main" ) -# training data to be used as baseline dataset +# training data to be used as reference dataset reference_data_training = ReferenceData( input_data=Input( type="mltable",- path="azureml:my_model_training_data:1" + path="azureml:credit-default-reference:1" ),- target_column_name="is_fraud", + target_column_name="DEFAULT_NEXT_MONTH", data_context=MonitorDatasetContext.TRAINING, ) # create an advanced data drift signal-features = MonitorFeatureFilter(top_n_feature_importance=20) +features = MonitorFeatureFilter(top_n_feature_importance=10) + metric_thresholds = DataDriftMetricThreshold( numerical=NumericalDriftMetrics( jensen_shannon_distance=0.01 advanced_data_drift = DataDriftSignal( metric_thresholds=metric_thresholds ) +# create an advanced prediction drift signal +metric_thresholds = PredictionDriftMetricThreshold( + categorical=CategoricalDriftMetrics( + jensen_shannon_distance=0.01 + ) +) ++advanced_prediction_drift = PredictionDriftSignal( + reference_data=reference_data_training, + metric_thresholds=metric_thresholds +) # create an advanced data quality signal-features = ['feature_A', 'feature_B', 'feature_C'] +features = ['SEX', 'EDUCATION', 'AGE'] metric_thresholds = DataQualityMetricThreshold( numerical=DataQualityMetricsNumerical( advanced_data_quality = DataQualitySignal( alert_enabled=False ) -# create feature attribution drift signal -metric_thresholds = FeatureAttributionDriftMetricThreshold(normalized_discounted_cumulative_gain=0.9) --feature_attribution_drift = FeatureAttributionDriftSignal( - reference_data=reference_data_training, - metric_thresholds=metric_thresholds, - alert_enabled=False -) - # put all monitoring signals in a dictionary monitoring_signals = { 'data_drift_advanced':advanced_data_drift,- 'data_quality_advanced':advanced_data_quality, - 'feature_attribution_drift':feature_attribution_drift + 'data_quality_advanced':advanced_data_quality } # create alert notification object alert_notification = AlertNotification( emails=['abc@example.com', 'def@example.com'] ) -# Finally monitor definition +# create the monitor definition monitor_definition = MonitorDefinition( compute=spark_compute, monitoring_target=monitoring_target, monitor_definition = MonitorDefinition( alert_notification=alert_notification ) +# specify the frequency on which to run your monitor recurrence_trigger = RecurrenceTrigger( frequency="day", interval=1, schedule=RecurrencePattern(hours=3, minutes=15) ) +# create your monitor model_monitor = MonitorSchedule(- name="fraud_detection_model_monitoring_complex", + name="credit_default_monitor_advanced", trigger=recurrence_trigger, create_monitor=monitor_definition ) poller = ml_client.schedules.begin_create_or_update(model_monitor) created_monitor = poller.result()- ``` # [Studio](#tab/azure-studio) -1. Complete the entires on the basic settings page as described in the [Set up out-of-box model monitoring](#set-up-out-of-the-box-model-monitoring) section. -1. Select **More options** to open the advanced setup wizard. +To set up advanced monitoring: -1. In the "Configure dataset" section, add a dataset to be used as the comparison baseline. We recommend using the model training data as the comparison baseline for data drift and data quality, and using the model validation data as the comparison baseline for prediction drift. --1. Select **Next**. +1. Complete the entires on the **Basic settings** page as described earlier in the [Set up out-of-box model monitoring](#set-up-out-of-box-model-monitoring) section. +1. Select **Next** to open the **Configure data asset** page of the **Advanced settings** section. +1. **Add** a dataset to be used as the reference dataset. We recommend that you use the model training data as the comparison reference dataset for data drift and data quality. Also, use the model validation data as the comparison reference dataset for prediction drift. :::image type="content" source="media/how-to-monitor-models/model-monitoring-advanced-config-data.png" alt-text="Screenshot showing how to add datasets for the monitoring signals to use." lightbox="media/how-to-monitor-models/model-monitoring-advanced-config-data.png"::: -1. In the "Select monitoring signals" section, you see three monitoring signals already added if you have selected Azure Machine Learning online deployment earlier. These signals are: data drift, prediction drift, and data quality. All these prepopulated monitoring signals use recent past production data as the comparison baseline and use smart defaults for metrics and threshold. +1. Select **Next** to go to the **Select monitoring signals** page. On this page, you see some monitoring signals already added (if you selected an Azure Machine Learning online deployment earlier). The signals (data drift, prediction drift, and data quality) use recent, past production data as the comparison reference dataset and use smart defaults for metrics and thresholds. ++ :::image type="content" source="media/how-to-monitor-models/model-monitoring-monitoring-signals.png" alt-text="Screenshot showing default monitoring signals." lightbox="media/how-to-monitor-models/model-monitoring-monitoring-signals.png"::: + 1. Select **Edit** next to the data drift signal.+1. In the data drift **Edit signal** window, configure the following: - :::image type="content" source="media/how-to-monitor-models/model-monitoring-advanced-select-signals.png" alt-text="Screenshot showing how to select monitoring signals." lightbox="media/how-to-monitor-models/model-monitoring-advanced-select-signals.png"::: + 1. For the production data asset, select your model inputs with the desired lookback window size. + 1. Select your training dataset to use as the reference dataset. + 1. Select the target (output) column. + 1. Select to monitor drift for the top N most important features, or monitor drift for a specific set of features. + 1. Select your preferred metrics and thresholds. -1. In the data drift **Edit signal** window, configure following: - 1. Change the baseline dataset to use training data. - 1. Monitor drift for top 1-20 important features, or monitor drift for specific set of features. - 1. Select your preferred metrics and set thresholds. -1. Select **Save** to return to the "Select monitoring signals" section. + :::image type="content" source="media/how-to-monitor-models/model-monitoring-configure-signals.png" alt-text="Screenshot showing how to configure selected monitoring signals." lightbox="media/how-to-monitor-models/model-monitoring-configure-signals.png"::: - :::image type="content" source="media/how-to-monitor-models/model-monitoring-advanced-config-edit-signal.png" alt-text="Screenshot showing how to edit signal settings for model monitoring." lightbox="media/how-to-monitor-models/model-monitoring-advanced-config-edit-signal.png"::: +1. Select **Save** to return to the **Select monitoring signals** page. +1. Select **Add** to open the **Edit Signal** window. +1. Select **Feature attribution drift (preview)** to configure the feature attribution drift signal as follows: -1. Select **Add** to add another signal. -1. In the "Add Signal" screen, select the **Feature Attribution Drift** panel. -1. Enter a name for Feature Attribution Drift signal. Feature attribution drift currently requires a few additional steps: -1. Configure your data assets for Feature Attribution Drift - 1. In your model creation wizard, add your custom data asset from your [custom data collection](how-to-collect-production-data.md) called 'model inputs and outputs' which combines your joined model inputs and data assets as a separate data context. - - :::image type="content" source="media/how-to-monitor-models/feature-attribution-drift-inputs-outputs.png" alt-text="Screenshot showing how to configure a custom data asset with inputs and outputs joined." lightbox="media/how-to-monitor-models/feature-attribution-drift-inputs-outputs.png"::: - - 1. Specify your training reference dataset that is used in the feature attribution drift component, and select your 'target column name' field, which is required to enable feature importance. - 1. Confirm your parameters are correct -1. Adjust the data window size according to your business case. -1. Adjust the threshold according to your need. -1. Select **Save** to return to the "Select monitoring signals" section. -1. If you're done with editing or adding signals, select **Next**. + 1. Select the production data asset with your model inputs and the desired lookback window size. + 1. Select the production data asset with your model outputs. + 1. Select the common column between these data assets to join them on. If the data was collected with the [data collector](how-to-collect-production-data.md), the common column is `correlationid`. + 1. (Optional) If you used the data collector to collect data where your model inputs and outputs are already joined, select the joined dataset as your production data asset and **Remove** step 2 in the configuration panel. + 1. Select your training dataset to use as the reference dataset. + 1. Select the target (output) column for your training dataset. + 1. Select your preferred metric and threshold. - :::image type="content" source="media/how-to-monitor-models/model-monitoring-advanced-config-add-signal.png" alt-text="Screenshot showing settings for adding signals." lightbox="media/how-to-monitor-models/model-monitoring-advanced-config-add-signal.png"::: + :::image type="content" source="media/how-to-monitor-models/model-monitoring-configure-feature-attribution-drift.png" alt-text="Screenshot showing how to configure feature attribution drift signal." lightbox="media/how-to-monitor-models/model-monitoring-configure-feature-attribution-drift.png"::: -1. In the "Notification" screen, enable alert notification for each signal. -1. Select **Next**. +1. Select **Save** to return to the **Select monitoring signals** page. - :::image type="content" source="media/how-to-monitor-models/model-monitoring-advanced-config-notification.png" alt-text="Screenshot of settings on the notification screen." lightbox="media/how-to-monitor-models/model-monitoring-advanced-config-notification.png"::: + :::image type="content" source="media/how-to-monitor-models/model-monitoring-configured-signals.png" alt-text="Screenshot showing the configured signals." lightbox="media/how-to-monitor-models/model-monitoring-configured-signals.png"::: -1. Review your settings on the "Review monitoring settings" page. -1. Select **Create** to confirm your settings for advanced model monitoring. +1. When you're finished with your monitoring signals configuration, select **Next** to go to the **Notifications** page. +1. On the **Notifications** page, enable alert notifications for each signal and select **Next**. +1. Review your settings on the **Review monitoring settings** page. :::image type="content" source="media/how-to-monitor-models/model-monitoring-advanced-config-review.png" alt-text="Screenshot showing review page of the advanced configuration for model monitoring." lightbox="media/how-to-monitor-models/model-monitoring-advanced-config-review.png"::: +1. Select **Create** to create your advanced model monitor. + -## Set up model monitoring by bringing your own production data to Azure Machine Learning +## Set up model monitoring by bringing your production data to Azure Machine Learning ++You can also set up model monitoring for models deployed to Azure Machine Learning batch endpoints or deployed outside of Azure Machine Learning. If you don't have a deployment, but you have production data, you can use the data to perform continuous model monitoring. To monitor these models, you must be able to: -You can also set up model monitoring for models deployed to Azure Machine Learning batch endpoints or deployed outside of Azure Machine Learning. If you have production data but no deployment, you can use the data to perform continuous model monitoring. To monitor these models, you must meet the following requirements: +* Collect production inference data from models deployed in production. +* Register the production inference data as an Azure Machine Learning data asset, and ensure continuous updates of the data. +* Provide a custom data preprocessing component and register it as an Azure Machine Learning component. -* You have a way to collect production inference data from models deployed in production. -* You can register the collected production inference data as an Azure Machine Learning data asset, and ensure continuous updates of the data. -* You can provide a data preprocessing component and register it as an Azure Machine Learning component. The Azure Machine Learning component must have these input and output signatures: +You must provide a custom data preprocessing component if your data isn't collected with the [data collector](how-to-collect-production-data.md). Without this custom data preprocessing component, the Azure Machine Learning model monitoring system won't know how to process your data into tabular form with support for time windowing. - | input/output | signature name | type | description | example value | +Your custom preprocessing component must have these input and output signatures: ++ | Input/Output | Signature name | Type | Description | Example value | ||||||- | input | data_window_start | literal, string | data window start-time in ISO8601 format. | 2023-05-01T04:31:57.012Z | - | input | data_window_end | literal, string | data window end-time in ISO8601 format. | 2023-05-01T04:31:57.012Z | - | input | input_data | uri_folder | The collected production inference data, which is registered as Azure Machine Learning data asset. | azureml:myproduction_inference_data:1 | - | output | preprocessed_data | mltable | A tabular dataset, which matches a subset of baseline data schema. | | + | input | `data_window_start` | literal, string | data window start-time in ISO8601 format. | 2023-05-01T04:31:57.012Z | + | input | `data_window_end` | literal, string | data window end-time in ISO8601 format. | 2023-05-01T04:31:57.012Z | + | input | `input_data` | uri_folder | The collected production inference data, which is registered as an Azure Machine Learning data asset. | azureml:myproduction_inference_data:1 | + | output | `preprocessed_data` | mltable | A tabular dataset, which matches a subset of the reference data schema. | | ++For an example of a custom data preprocessing component, see [custom_preprocessing in the azuremml-examples GitHub repo](https://github.com/Azure/azureml-examples/tree/main/cli/monitoring/components/custom_preprocessing). # [Azure CLI](#tab/azure-cli) az ml schedule create -f ./model-monitoring-with-collected-data.yaml The following YAML contains the definition for model monitoring with production inference data that you've collected. -```yaml -# model-monitoring-with-collected-data.yaml -$schema: http://azureml/sdk-2-0/Schedule.json -name: fraud_detection_model_monitoring -display_name: Fraud detection model monitoring -description: Fraud detection model monitoring with your own production data --trigger: - # perform model monitoring activity daily at 3:15am - type: recurrence - frequency: day #can be minute, hour, day, week, month - interval: 1 # #every day - schedule: - hours: 3 # at 3am - minutes: 15 # at 15 mins after 3am --create_monitor: - compute: - instance_type: standard_e4s_v3 - runtime_version: 3.2 - monitoring_target: - ml_task: classification - endpoint_deployment_id: azureml:fraud-detection-endpoint:fraud-detection-deployment - - monitoring_signals: - advanced_data_drift: # monitoring signal name, any user defined name works - type: data_drift - # define target dataset with your collected data - production_data: - input_data: - path: azureml:my_production_inference_data_model_inputs:1 # your collected data is registered as Azure Machine Learning asset - type: uri_folder - data_context: model_inputs - pre_processing_component: azureml:production_data_preprocessing:1 - reference_data: - input_data: - path: azureml:my_model_training_data:1 # use training data as comparison baseline - type: mltable - data_context: training - target_column_name: is_fraud - features: - top_n_feature_importance: 20 # monitor drift for top 20 features - metric_thresholds: - numberical: - jensen_shannon_distance: 0.01 - categorical: - pearsons_chi_squared_test: 0.02 - advanced_prediction_drift: # monitoring signal name, any user defined name works - type: prediction_drift - # define target dataset with your collected data - production_data: - input_data: - path: azureml:my_production_inference_data_model_outputs:1 # your collected data is registered as Azure Machine Learning asset - type: uri_folder - data_context: model_outputs - pre_processing_component: azureml:production_data_preprocessing:1 - reference_data: - input_data: - path: azureml:my_model_validation_data:1 # use training data as comparison baseline - type: mltable - data_context: validation - metric_thresholds: - categorical: - pearsons_chi_squared_test: 0.02 - advanced_data_quality: - type: data_quality - production_data: - input_data: - path: azureml:my_production_inference_data_model_inputs:1 # your collected data is registered as Azure Machine Learning asset - type: uri_folder - data_context: model_inputs - pre_processing_component: azureml:production_data_preprocessing:1 - reference_data: - input_data: - path: azureml:my_model_training_data:1 - type: mltable - data_context: training - metric_thresholds: - numerical: - null_value_rate: 0.03 - categorical: - out_of_bounds_rate: 0.03 - feature_attribution_drift_signal: - type: feature_attribution_drift - production_data: - # using production_data collected outside of Azure Machine Learning - - input_data: - path: azureml:my_model_inputs:1 - type: uri_folder - data_context: model_inputs - data_column_names: - correlation_id: correlation_id - pre_processing_component: azureml:model_inputs_preprocessing - data_window_size: P30D - - input_data: - path: azureml:my_model_outputs:1 - type: uri_folder - data_context: model_outputs - data_column_names: - correlation_id: correlation_id - prediction: is_fraund - prediction_probability: is_fraund_probability - pre_processing_component: azureml:model_outputs_preprocessing - data_window_size: P30D - reference_data: - input_data: - path: azureml:my_model_training_data:1 - type: mltable - data_context: training - target_column_name: is_fraud - metric_thresholds: - normalized_discounted_cumulative_gain: 0.9 - - alert_notification: - emails: - - abc@example.com - - def@example.com --``` -# [Python](#tab/python) +# [Python SDK](#tab/python) -Once you've satisfied the previous requirements, you can set up model monitoring using the following Python code: +Once you've satisfied the previous requirements, you can set up model monitoring with the following Python code: ```python from azure.identity import InteractiveBrowserCredential production_data = ProductionData( ) -# training data to be used as baseline dataset +# training data to be used as reference dataset reference_data_training = ReferenceData( input_data=Input( type="mltable", created_monitor = poller.result() # [Studio](#tab/azure-studio) -The studio currently doesn't support monitoring for models that are deployed outside of Azure Machine Learning. See the Azure CLI or Python tabs instead. +The studio currently doesn't support configuring monitoring for models that are deployed outside of Azure Machine Learning. See the Azure CLI or Python SDK tabs instead. ++Once you've configured your monitor with the CLI or SDK, you can view the monitoring results in the studio. For more information on interpreting monitoring results, see [Interpreting monitoring results](how-to-monitor-model-performance.md#interpret-monitoring-results). ## Set up model monitoring with custom signals and metrics -With Azure Machine Learning model monitoring, you have the option to define your own custom signal and implement any metric of your choice to monitor your model. You can register this signal as an Azure Machine Learning component. When your Azure Machine Learning model monitoring job runs on the specified schedule, it computes the metric(s) you have defined within your custom signal, just as it does for the prebuilt signals (data drift, prediction drift, data quality, & feature attribution drift). To get started with defining your own custom signal, you must meet the following requirement: +With Azure Machine Learning model monitoring, you can define your own custom signal and implement any metric of your choice to monitor your model. You can register this signal as an Azure Machine Learning component. When your Azure Machine Learning model monitoring job runs on the specified schedule, it computes the metric(s) you've defined within your custom signal, just as it does for the prebuilt signals (data drift, prediction drift, and data quality). -* You must define your custom signal and register it as an Azure Machine Learning component. The Azure Machine Learning component must have these input and output signatures: +To set up a custom signal to use for model monitoring, you must first define the custom signal and register it as an Azure Machine Learning component. The Azure Machine Learning component must have these input and output signatures: ### Component input signature -The component input DataFrame should contain a `mltable` with the processed data from the preprocessing component and any number of literals, each representing an implemented metric as part of the custom signal component. For example, if you have implemented one metric, `std_deviation`, then you'll need an input for `std_deviation_threshold`. Generally, there should be one input per metric with the name {metric_name}_threshold. +The component input DataFrame should contain the following items: - | signature name | type | description | example value | - ||||| - | production_data | mltable | A tabular dataset, which matches a subset of baseline data schema. | | - | std_deviation_threshold | literal, string | Respective threshold for the implemented metric. | 2 | +- An `mltable` with the processed data from the preprocessing component +- Any number of literals, each representing an implemented metric as part of the custom signal component. For example, if you've implemented the metric, `std_deviation`, then you'll need an input for `std_deviation_threshold`. Generally, there should be one input per metric with the name `<metric_name>_threshold`. ++| Signature name | Type | Description | Example value | +||||| +| production_data | mltable | A tabular dataset that matches a subset of the reference data schema. | | +| std_deviation_threshold | literal, string | Respective threshold for the implemented metric. | 2 | ### Component output signature The component output port should have the following signature. - | signature name | type | description | + | Signature name | Type | Description | ||||- | signal_metrics | mltable | The ml table that contains the computed metrics. The schema is defined in the signal_metrics schema section in the next section. | + | signal_metrics | mltable | The mltable that contains the computed metrics. The schema is defined in the next section [signal_metrics schema](#signal_metrics-schema). | #### signal_metrics schema-The component output DataFrame should contain four columns: `group`, `metric_name`, `metric_value`, and `threshold_value`: - | signature name | type | description | example value | +The component output DataFrame should contain four columns: `group`, `metric_name`, `metric_value`, and `threshold_value`. ++ | Signature name | Type | Description | Example value | |||||- | group | literal, string | Top level logical grouping to be applied to this custom metric. | TRANSACTIONAMOUNT | + | group | literal, string | Top-level logical grouping to be applied to this custom metric. | TRANSACTIONAMOUNT | | metric_name | literal, string | The name of the custom metric. | std_deviation |- | metric_value | mltable | The value of the custom metric. | 44,896.082 | - | threshold_value | | The threshold for the custom metric. | 2 | + | metric_value | numerical | The value of the custom metric. | 44,896.082 | + | threshold_value | numerical | The threshold for the custom metric. | 2 | -Here's an example output from a custom signal component computing the metric, `std_deviation`: +The following table shows an example output from a custom signal component that computes the `std_deviation` metric: | group | metric_value | metric_name | threshold_value | ||||| Here's an example output from a custom signal component computing the metric, `s | DIGITALITEMCOUNT | 7.238 | std_deviation | 2 | | PHYSICALITEMCOUNT | 5.509 | std_deviation | 2 | -An example custom signal component definition and metric computation code can be found in our GitHub repo at [https://github.com/Azure/azureml-examples/tree/main/cli/monitoring/components/custom_signal](https://github.com/Azure/azureml-examples/tree/main/cli/monitoring/components/custom_signal). +To see an example custom signal component definition and metric computation code, see [custom_signal in the azureml-examples repo](https://github.com/Azure/azureml-examples/tree/main/cli/monitoring/components/custom_signal). # [Azure CLI](#tab/azure-cli) -Once you've satisfied the previous requirements, you can set up model monitoring with the following CLI command and YAML definition: +Once you've satisfied the requirements for using custom signals and metrics, you can set up model monitoring with the following CLI command and YAML definition: ```azurecli az ml schedule create -f ./custom-monitoring.yaml ``` -The following YAML contains the definition for model monitoring with a custom signal. It's assumed that you have already created and registered your component with the custom signal definition to Azure Machine Learning. In this example, the `component_id` of the registered custom signal component is `azureml:my_custom_signal:1.0.0`: +The following YAML contains the definition for model monitoring with a custom signal. Some things to notice about the code: ++- It assumes that you've already created and registered your component with the custom signal definition in Azure Machine Learning. +- The `component_id` of the registered custom signal component is `azureml:my_custom_signal:1.0.0`. +- If you've collected your data with the [data collector](how-to-collect-production-data.md), you can omit the `pre_processing_component` property. If you wish to use a preprocessing component to preprocess production data not collected by the data collector, you can specify it. ```yaml # custom-monitoring.yaml trigger: interval: 7 # #every day create_monitor: compute:- instance_type: "standard_e8s_v3" - runtime_version: "3.2" + instance_type: "standard_e4s_v3" + runtime_version: "3.3" monitoring_signals: customSignal: type: custom create_monitor: path: azureml:my_production_data:1 data_context: test data_window:- trailing_window_size: P30D - trailing_window_offset: P7D + lookback_window_size: P30D + lookback_window_offset: P7D pre_processing_component: azureml:custom_preprocessor:1.0.0 metric_thresholds: - metric_name: std_deviation create_monitor: - abc@example.com ``` -# [Python](#tab/python) +# [Python SDK](#tab/python) The Python SDK currently doesn't support monitoring for custom signals. See the Azure CLI tab instead. The studio currently doesn't support monitoring for custom signals. See the Azur -## Next steps +## Interpret monitoring results ++After you've configured your model monitor and the first run has completed, you can navigate back to the **Monitoring** tab in Azure Machine Learning studio to view the results. ++- From the main **Monitoring** view, select the name of your model monitor to see the Monitor overview page. This page shows the corresponding model, endpoint, and deployment, along with details regarding the signals you configured. The next image shows a monitoring dashboard that includes data drift and data quality signals. Depending on the monitoring signals you configured, your dashboard might look different. ++ :::image type="content" source="media/how-to-monitor-models/monitoring-dashboard.png" alt-text="Screenshot showing a monitoring dashboard." lightbox="media/how-to-monitor-models/monitoring-dashboard.png"::: ++- Look in the **Notifications** section of the dashboard to see, for each signal, which features breached the configured threshold for their respective metrics: ++- Select the **data_drift** to go to the data drift details page. On the details page, you can see the data drift metric value for each numerical and categorical feature that you included in your monitoring configuration. When your monitor has more than one run, you'll see a trendline for each feature. ++ :::image type="content" source="media/how-to-monitor-models/data-drift-details-page.png" alt-text="Screenshot showing the details page of the data drift signal." lightbox="media/how-to-monitor-models/data-drift-details-page.png"::: ++- To view an individual feature in detail, select the name of the feature to view the production distribution compared to the reference distribution. This view also allows you to track drift over time for that specific feature. ++ :::image type="content" source="media/how-to-monitor-models/data-drift-individual-feature.png" alt-text="Screenshot showing the data drift details for an individual feature." lightbox="media/how-to-monitor-models/data-drift-individual-feature.png"::: ++- Return to the monitoring dashboard and select **data_quality** to view the data quality signal page. On this page, you can see the null value rates, out-of-bounds rates, and data type error rates for each feature you're monitoring. ++ :::image type="content" source="media/how-to-monitor-models/data-quality-details-page.png" alt-text="Screenshot showing the details page of the data quality signal." lightbox="media/how-to-monitor-models/data-quality-details-page.png"::: ++Model monitoring is a continuous process. With Azure Machine Learning model monitoring, you can configure multiple monitoring signals to obtain a broad view into the performance of your models in production. +++## Integrate Azure Machine Learning model monitoring with Azure Event Grid ++You can use events generated by Azure Machine Learning model monitoring to set up event-driven applications, processes, or CI/CD workflows with [Azure Event Grid](how-to-use-event-grid.md). You can consume events through various event handlers, such as Azure Event Hubs, Azure functions, and logic apps. Based on the drift detected by your monitors, you can take action programmatically, such as by setting up a machine learning pipeline to re-train a model and re-deploy it. ++To get started with integrating Azure Machine Learning model monitoring with Event Grid: ++1. Follow the steps in see [Set up in Azure portal](how-to-use-event-grid.md#set-up-in-azure-portal). Give your **Event Subscription** a name, such as MonitoringEvent, and select only the **Run status changed** box under **Event Types**. ++ > [!WARNING] + > + > Be sure to select **Run status changed** for the event type. Don't select **Dataset drift detected**, as it applies to data drift v1, rather than Azure Machine Learning model monitoring. ++1. Follow the steps in [Filter & subscribe to events](how-to-use-event-grid.md#filter--subscribe-to-events) to set up event filtering for your scenario. Navigate to the **Filters** tab and add the following **Key**, **Operator**, and **Value** under **Advanced Filters**: ++ - **Key**: `data.RunTags.azureml_modelmonitor_threshold_breached` + - **Value**: has failed due to one or more features violating metric thresholds + - **Operator**: String contains ++ With this filter, events are generated when the run status changes (from Completed to Failed, or from Failed to Completed) for any monitor within your Azure Machine Learning workspace. ++1. To filter at the monitoring level, use the following **Key**, **Operator**, and **Value** under **Advanced Filters**: ++ - **Key**: `data.RunTags.azureml_modelmonitor_threshold_breached` + - **Value**: `your_monitor_name_signal_name` + - **Operator**: String contains ++ Ensure that `your_monitor_name_signal_name` is the name of a signal in the specific monitor you want to filter events for. For example, `credit_card_fraud_monitor_data_drift`. For this filter to work, this string must match the name of your monitoring signal. You should name your signal with both the monitor name and the signal name for this case. ++1. When you've completed your **Event Subscription** configuration, select the desired endpoint to serve as your event handler, such as Azure Event Hubs. +1. After events have been captured, you can view them from the endpoint page: ++ :::image type="content" source="media/how-to-monitor-models/events-on-endpoint-page.png" alt-text="Screenshot showing events viewed from the endpoint page." lightbox="media/how-to-monitor-models/events-on-endpoint-page.png"::: ++You can also view events in the Azure Monitor **Metrics** tab: ++ :::image type="content" source="media/how-to-monitor-models/events-in-azure-monitor-metrics-tab.png" alt-text="Screenshot showing events viewed from the Azure monitor metrics tab." lightbox="media/how-to-monitor-models/events-in-azure-monitor-metrics-tab.png"::: ++++## Related content - [Data collection from models in production (preview)](concept-data-collection.md) - [Collect production data from models deployed for real-time inferencing](how-to-collect-production-data.md) |
machine-learning | How To R Modify Script For Production | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-r-modify-script-for-production.md | mlflow_log_param(<key-name>, <value>) ## Create an environment -To run your R script, you'll use the `ml` extension for Azure CLI, also referred to as CLI v2. The `ml` command uses a YAML job definitions file. For more information about submitting jobs with `az ml`, see [Train models with Azure Machine Learning CLI](how-to-train-model.md?tabs=azurecli#4-submit-the-training-job). +To run your R script, you'll use the `ml` extension for Azure CLI, also referred to as CLI v2. The `ml` command uses a YAML job definitions file. For more information about submitting jobs with `az ml`, see [Train models with Azure Machine Learning CLI](how-to-train-model.md?tabs=azurecli#3-submit-the-training-job). The YAML job file specifies an [environment](concept-environments.md). You'll need to create this environment in your workspace before you can run the job. |
machine-learning | How To Registry Network Isolation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-registry-network-isolation.md | If you don't have a secure workspace configuration, you can create it using the :::image type="content" source="./media/how-to-registry-network-isolation/basic-network-isolation-registry.png" alt-text="Diagram of registry connected to Virtual network containing workspace and associated resources using private endpoint."::: -+## Limitations +If you are using an Azure Machine Learning registry with network isolation, you won't be able to see the assets in Studio. You also won't be able to perform any operations on Azure Machine Learning registry or assets under it using Studio. Please use the Azure Machine Learning CLI or SDK instead. ## Scenario: workspace configuration is secure and Azure Machine Learning registry is public This section describes the scenarios and required network configuration if you have a secure workspace configuration but using a public registry. |
machine-learning | How To Train Model | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-train-model.md | When you train using the REST API, data and training scripts must be uploaded to ### 2. Create a compute resource for training > [!NOTE]-> To try [serverless compute](./how-to-use-serverless-compute.md), skip this step and proceed to [ 4. Submit the training job](#4-submit-the-training-job). +> To try [serverless compute](./how-to-use-serverless-compute.md), skip this step and proceed to [ 3. Submit the training job](#3-submit-the-training-job). An Azure Machine Learning compute cluster is a fully managed compute resource that can be used to run the training job. In the following examples, a compute cluster named `cpu-compute` is created. curl -X PUT \ -### 4. Submit the training job +### 3. Submit the training job # [Python SDK](#tab/python) |
machine-learning | How To Troubleshoot Batch Endpoints | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-troubleshoot-batch-endpoints.md | __Reason__: The access token used to invoke the REST API for the endpoint/deploy __Solution__: When generating an authentication token to be used with the Batch Endpoint REST API, ensure the `resource` parameter is set to `https://ml.azure.com`. Please notice that this resource is different from the resource you need to indicate to manage the endpoint using the REST API. All Azure resources (including batch endpoints) use the resource `https://management.azure.com` for managing them. Ensure you use the right resource URI on each case. Notice that if you want to use the management API and the job invocation API at the same time, you'll need two tokens. For details see: [Authentication on batch endpoints (REST)](how-to-authenticate-batch-endpoint.md?tabs=rest). +### No valid deployments to route to. Please check that the endpoint has at least one deployment with positive weight values or use a deployment specific header to route. ++__Reason__: Default Batch Deployment isn't set correctly. ++__Solution__: ensure the default batch deployment is set correctly. You may need to update the default batch deployment. For details see: [Update the default batch deployment](how-to-use-batch-model-deployments.md?tabs=cli&#update-the-default-batch-deployment) + ## Limitations and not supported scenarios When designing machine learning solutions that rely on batch endpoints, some configurations and scenarios may not be supported. |
machine-learning | How To Custom Tool Package Creation And Usage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/prompt-flow/how-to-custom-tool-package-creation-and-usage.md | Last updated 09/12/2023 # Custom tool package creation and usage -When developing flows, you can not only use the built-in tools provided by prompt flow, but also develop your own custom tool. In this document, we guide you through the process of developing your own tool package, offering detailed steps and advice on how to utilize your creation. +When developing flows, you can not only use the built-in tools provided by prompt flow, but also develop your own custom tool. In this document, we guide you through the process of developing your own tool package, offering detailed steps and advice on how to utilize the custom tool package. After successful installation, your custom "tool" can show up in the tool list: :::image type="content" source="./media/how-to-custom-tool-package-creation-and-usage/test-customer-tool-on-ui.png" alt-text="Screenshot of custom tools in the UI tool list."lightbox = "./media/how-to-custom-tool-package-creation-and-usage/test-customer-tool-on-ui.png"::: ## Create your own tool package -Your tool package should be a python package. To develop your custom tool, follow the steps **Create your own tool package** and **build and share the tool package** in [Create and Use Tool package](https://microsoft.github.io/promptflow/how-to-guides/develop-a-tool/create-and-use-tool-package.html). You can also [Add a tool icon](https://microsoft.github.io/promptflow/how-to-guides/develop-a-tool/add-a-tool-icon.html) and [Add Category and tags](https://microsoft.github.io/promptflow/how-to-guides/develop-a-tool/add-category-and-tags-for-tool.html) for your tool. +Your tool package should be a python package. To develop your custom tool, follow the steps **Create your own tool package** and **build and share the tool package** in [Create and Use Tool Package](https://microsoft.github.io/promptflow/how-to-guides/develop-a-tool/create-and-use-tool-package.html). You can find more advanced development guidance in [How to develop a tool](https://microsoft.github.io/promptflow/how-to-guides/develop-a-tool/https://docsupdatetracker.net/index.html). ## Prepare runtime -To add the custom tool to your tool list, it's necessary to create a runtime, which is based on a customized environment where your custom tool is preinstalled. Here we use [my-tools-package](https://pypi.org/project/my-tools-package/) as an example to prepare the runtime. +In order to add the custom tool to your tool list for use, it's necessary to prepare the runtime. Here we use [my-tools-package](https://pypi.org/project/my-tools-package/) as an example. ++**If you use the automatic runtime**, you can readily install the package by adding the custom tool package name into the `requirements.txt` file in the flow folder. Then select the 'Save and install' button to start installation. After completion, you can see the custom tools displayed in the tool list. To learn more, see [How to create and manage runtime](./how-to-create-manage-runtime.md). ++**If you use the compute instance runtime**, which should be based on a customized environment where your custom tool is preinstalled, please take the following steps: ### Create customized environment To add the custom tool to your tool list, it's necessary to create a runtime, wh 3. Change flow based on your requirements and run flow in the selected runtime. :::image type="content" source="./media/how-to-custom-tool-package-creation-and-usage/test-customer-tool-on-ui-step-2.png" alt-text="Screenshot of flow in Azure Machine Learning studio showing adding a tool."lightbox ="./media/how-to-custom-tool-package-creation-and-usage/test-customer-tool-on-ui-step-2.png"::: -## Test from VS Code extension -+## FAQ +### How to install the custom tool package in the VS Code extension? 1. Install prompt flow for VS Code extension :::image type="content" source="./media/how-to-custom-tool-package-creation-and-usage/prompt-flow-vs-code-extension.png" alt-text="Screenshot of prompt flow VS Code extension."lightbox ="./media/how-to-custom-tool-package-creation-and-usage/prompt-flow-vs-code-extension.png":::-2. Go to terminal and install your tool package in conda environment of the extension. Assume your conda env name is `prompt-flow`. +2. Go to terminal and install the tool package in conda environment of the extension. Assume your conda env name is `prompt-flow`. ```sh (local_test) PS D:\projects\promptflow\tool-package-quickstart> conda activate prompt-flow- (prompt-flow) PS D:\projects\promptflow\tool-package-quickstart> pip install .\dist\my_tools_package-0.0.1-py3-none-any.whl + (prompt-flow) PS D:\projects\promptflow\tool-package-quickstart> pip install my-tools-package==0.0.1 ``` 3. Go to the extension and open one flow folder. Select 'flow.dag.yaml' and preview the flow. Next, select `+` button and you can see your tools. You need to **reload the windows** to clean previous cache if you don't see your tool in the list. :::image type="content" source="./media/how-to-custom-tool-package-creation-and-usage/auto-list-tool-in-extension.png" alt-text="Screenshot of the VS Code showing the tools." lightbox ="./media/how-to-custom-tool-package-creation-and-usage/auto-list-tool-in-extension.png"::: -## FAQ - ### Why is my custom tool not showing up in the UI? You can test your tool package using the following script to ensure that you've packaged your tool YAML files and configured the package tool entry point correctly. |
machine-learning | How To Monitor Generative Ai Applications | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/prompt-flow/how-to-monitor-generative-ai-applications.md | -> Monitoring is currently in public preview. These previews are provided without a service-level agreement, and are not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. +> Model monitoring for generative AI applications is currently in public preview. These previews are provided without a service-level agreement, and are not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. > For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). Azure Machine Learning model monitoring for generative AI applications makes it easier for you to monitor your LLM applications in production for safety and quality on a cadence to ensure it's delivering maximum business impact. Monitoring ultimately helps maintain the quality and safety of your generative AI applications. Capabilities and integrations include: |
machine-learning | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/prompt-flow/tools-reference/overview.md | Last updated 10/24/2023 # Overview of tools in prompt flow+This page provides an overview of the tools that are available in prompt flow. It also offers instructions on how to create your own custom tool and how to install custom tools. -The following table provides an index of tools in prompt flow. If existing tools don't meet your requirements, you can [develop your own custom tool and make a tool package](https://microsoft.github.io/promptflow/how-to-guides/develop-a-tool/create-and-use-tool-package.html). ++## An index of tools +The following table shows an index of tools in prompt flow. | Tool name | Description | Environment | Package name | ||--|-|--| The following table provides an index of tools in prompt flow. If existing tools | [Vector DB Lookup](./vector-db-lookup-tool.md) | Searches a vector-based query from existing vector database. | Default | [promptflow-vectordb](https://pypi.org/project/promptflow-vectordb/) | | [Vector Index Lookup](./vector-index-lookup-tool.md) | Searches text or a vector-based query from Azure Machine Learning vector index. | Default | [promptflow-vectordb](https://pypi.org/project/promptflow-vectordb/) | -To discover more custom tools developed by the open-source community, see [More custom tools](https://microsoft.github.io/promptflow/integrations/tools/https://docsupdatetracker.net/index.html). --For the tools to use in the custom environment, see [Custom tool package creation and usage](../how-to-custom-tool-package-creation-and-usage.md#prepare-runtime) to prepare the runtime. Then the tools can be displayed in the tool list. +To discover more custom tools developed by the open-source community, see [More custom tools](https://microsoft.github.io/promptflow/integrations/tools/https://docsupdatetracker.net/index.html). + + +## Remarks +- If existing tools don't meet your requirements, you can [develop your own custom tool and make a tool package](https://microsoft.github.io/promptflow/how-to-guides/develop-a-tool/create-and-use-tool-package.html). +- To install custom tools or add more tools to the custom environment, see [Custom tool package creation and usage](../how-to-custom-tool-package-creation-and-usage.md#prepare-runtime) to prepare the runtime. Then the tools can be displayed in the tool list. |
machine-learning | Reference Yaml Monitor | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/reference-yaml-monitor.md | As the data used to train the model evolves in production, the distribution of t | `production_data` | Object | **Optional**. Description of production data to be analyzed for monitoring signal. | | | | `production_data.input_data` | Object | **Optional**. Description of input data source, see [job input data](./reference-yaml-job-command.md#job-inputs) specification. | | | | `production_data.data_context` | String | The context of data, it refers model production data and could be model inputs or model outputs | `model_inputs` | |-| `production_data.pre_processing_component` | String | Component ID in the format of `azureml:myPreprocessing@latest` for a registered component. This is required if `production_data.data.input_data.type` is `uri_folder`, see [preprocessing component specification](./how-to-monitor-model-performance.md#set-up-model-monitoring-by-bringing-your-own-production-data-to-azure-machine-learning). | | | +| `production_data.pre_processing_component` | String | Component ID in the format of `azureml:myPreprocessing@latest` for a registered component. This is required if `production_data.data.input_data.type` is `uri_folder`, see [preprocessing component specification](./how-to-monitor-model-performance.md#set-up-model-monitoring-by-bringing-your-production-data-to-azure-machine-learning). | | | | `production_data.data_window_size` | ISO8601 format |**Optional**. Data window size in days with ISO8601 format, for example `P7D`. This is the production data window to be computed for data drift. | By default the data window size is the last monitoring period. | | | `reference_data` | Object | **Optional**. Recent past production data is used as comparison baseline data if this isn't specified. Recommendation is to use training data as comparison baseline. | | | | `reference_data.input_data` | Object | Description of input data source, see [job input data](./reference-yaml-job-command.md#job-inputs) specification. | | | | `reference_data.data_context` | String | The context of data, it refers to the context that dataset was used before | `model_inputs`, `training`, `test`, `validation` | | | `reference_data.target_column_name` | Object | **Optional**. If the 'reference_data' is training data, this property is required for monitoring top N features for data drift. | | | | `reference_data.data_window` | Object | **Optional**. Data window of the reference data to be used as comparison baseline data. | Allow either rolling data window or fixed data window only. For using rolling data window, please specify `reference_data.data_window.trailing_window_offset` and `reference_data.data_window.trailing_window_size` properties. For using fixed data windows, please specify `reference_data.data_window.window_start` and `reference_data.data_window.window_end` properties. All property values must be in ISO8601 format | |-| `reference_data_data.pre_processing_component` | String | Component ID in the format of `azureml:myPreprocessing@latest` for a registered component. This is **required** if `reference_data.input_data.type` is `uri_folder`, see [preprocessing component specification](./how-to-monitor-model-performance.md#set-up-model-monitoring-by-bringing-your-own-production-data-to-azure-machine-learning). | | | +| `reference_data_data.pre_processing_component` | String | Component ID in the format of `azureml:myPreprocessing@latest` for a registered component. This is **required** if `reference_data.input_data.type` is `uri_folder`, see [preprocessing component specification](./how-to-monitor-model-performance.md#set-up-model-monitoring-by-bringing-your-production-data-to-azure-machine-learning). | | | | `features` | Object | **Optional**. Target features to be monitored for data drift. Some models might have hundreds or thousands of features, it's always recommended to specify interested features for monitoring. | One of following values: list of feature names, `features.top_n_feature_importance`, or `all_features` | Default `features.top_n_feature_importance = 10` if `production_data.data_context` is `training`, otherwise, default is `all_features` | | `alert_enabled` | Boolean | Turn on/off alert notification for the monitoring signal. `True` or `False` | | | | `metric_thresholds` | Object | List of metrics and thresholds properties for the monitoring signal. When threshold is exceeded and `alert_enabled` is `true`, user will receive alert notification. | | | Prediction drift tracks changes in the distribution of a model's prediction outp | `production_data` | Object | **Optional**. Description of production data to be analyzed for monitoring signal. | | | | `production_data.input_data` | Object | **Optional**. Description of input data source, see [job input data](./reference-yaml-job-command.md#job-inputs) specification.| | | | `production_data.data_context` | String | The context of data, it refers model production data and could be model inputs or model outputs | `model_outputs` | |-| `production_data.pre_processing_component` | String | Component ID in the format of `azureml:myPreprocessing@latest` for a registered component. This is required if `production_data.input_data.type` is `uri_folder`, see [preprocessing component specification](./how-to-monitor-model-performance.md#set-up-model-monitoring-by-bringing-your-own-production-data-to-azure-machine-learning). | | | +| `production_data.pre_processing_component` | String | Component ID in the format of `azureml:myPreprocessing@latest` for a registered component. This is required if `production_data.input_data.type` is `uri_folder`, see [preprocessing component specification](./how-to-monitor-model-performance.md#set-up-model-monitoring-by-bringing-your-production-data-to-azure-machine-learning). | | | | `production_data.data_window_size` | ISO8601 format |**Optional**. Data window size in days with ISO8601 format, for example `P7D`. This is the production data window to be computed for prediction drift. | By default the data window size is the last monitoring period.| | | `reference_data` | Object | **Optional**. Recent past production data is used as comparison baseline data if this isn't specified. Recommendation is to use validation or testing data as comparison baseline. | | | | `reference_data.input_data` | Object | Description of input data source, see [job input data](./reference-yaml-job-command.md#job-inputs) specification. | | | | `reference_data.data_context` | String | The context of data, it refers to the context that dataset come from. | `model_outputs`, `testing`, `validation` | | | `reference_data.target_column_name` | String | The name of target column, **Required** if the `reference_data.data_context` is `testing` or `validation` | | | | `reference_data.data_window` | Object | **Optional**. Data window of the reference data to be used as comparison baseline data. | Allow either rolling data window or fixed data window only. For using rolling data window, please specify `reference_data.data_window.trailing_window_offset` and `reference_data.data_window.trailing_window_size` properties. For using fixed data windows, please specify `reference_data.data_window.window_start` and `reference_data.data_window.window_end` properties. All property values must be in ISO8601 format | |-| `reference_data.pre_processing_component` | String | Component ID in the format of `azureml:myPreprocessing@latest` for a registered component. **Required** if `reference_data.input_data.type` is `uri_folder`, see [preprocessing component specification](./how-to-monitor-model-performance.md#set-up-model-monitoring-by-bringing-your-own-production-data-to-azure-machine-learning). | | | +| `reference_data.pre_processing_component` | String | Component ID in the format of `azureml:myPreprocessing@latest` for a registered component. **Required** if `reference_data.input_data.type` is `uri_folder`, see [preprocessing component specification](./how-to-monitor-model-performance.md#set-up-model-monitoring-by-bringing-your-production-data-to-azure-machine-learning). | | | | `alert_enabled` | Boolean | Turn on/off alert notification for the monitoring signal. `True` or `False` | | | | `metric_thresholds` | Object | List of metrics and thresholds properties for the monitoring signal. When threshold is exceeded and `alert_enabled` is `true`, user will receive alert notification. | | | | `metric_thresholds.numerical` | Object | Optional. List of metrics and thresholds in `key:value` format, `key` is the metric name, `value` is the threshold. | Allowed numerical metric names: `jensen_shannon_distance`, `normalized_wasserstein_distance`, `population_stability_index`, `two_sample_kolmogorov_smirnov_test`| | Data quality signal tracks data quality issues in production by comparing to tra | `production_data` | Object | **Optional**. Description of production data to be analyzed for monitoring signal. | | | | `production_data.input_data` | Object | **Optional**. Description of input data source, see [job input data](./reference-yaml-job-command.md#job-inputs) specification.| | | | `production_data.data_context` | String | The context of data, it refers model production data and could be model inputs or model outputs | `model_inputs`, `model_outputs` | |-| `production_data.pre_processing_component` | String | Component ID in the format of `azureml:myPreprocessing@latest` for a registered component. This is required if `production_data.input_data.type` is `uri_folder`, see [preprocessing component specification](./how-to-monitor-model-performance.md#set-up-model-monitoring-by-bringing-your-own-production-data-to-azure-machine-learning). | | | +| `production_data.pre_processing_component` | String | Component ID in the format of `azureml:myPreprocessing@latest` for a registered component. This is required if `production_data.input_data.type` is `uri_folder`, see [preprocessing component specification](./how-to-monitor-model-performance.md#set-up-model-monitoring-by-bringing-your-production-data-to-azure-machine-learning). | | | | `production_data.data_window_size` | ISO8601 format |**Optional**. Data window size in days with ISO8601 format, for example `P7D`. This is the production data window to be computed for data quality issues. | By default the data window size is the last monitoring period.| | | `reference_data` | Object | **Optional**. Recent past production data is used as comparison baseline data if this isn't specified. Recommendation is to use training data as comparison baseline. | | | | `reference_data.input_data` | Object | Description of input data source, see [job input data](./reference-yaml-job-command.md#job-inputs) specification. | | | | `reference_data.data_context` | String | The context of data, it refers to the context that dataset was used before | `model_inputs`, `model_outputs`, `training`, `test`, `validation` | | | `reference_data.target_column_name` | Object | **Optional**. If the 'reference_data' is training data, this property is required for monitoring top N features for data drift. | | | | `reference_data.data_window` | Object | **Optional**. Data window of the reference data to be used as comparison baseline data. | Allow either rolling data window or fixed data window only. For using rolling data window, please specify `reference_data.data_window.trailing_window_offset` and `reference_data.data_window.trailing_window_size` properties. For using fixed data windows, please specify `reference_data.data_window.window_start` and `reference_data.data_window.window_end` properties. All property values must be in ISO8601 format | |-| `reference_data.pre_processing_component` | String | Component ID in the format of `azureml:myPreprocessing@latest` for a registered component. This is required if `reference_data.input_data.type` is `uri_folder`, see [preprocessing component specification](./how-to-monitor-model-performance.md#set-up-model-monitoring-by-bringing-your-own-production-data-to-azure-machine-learning). | | | +| `reference_data.pre_processing_component` | String | Component ID in the format of `azureml:myPreprocessing@latest` for a registered component. This is required if `reference_data.input_data.type` is `uri_folder`, see [preprocessing component specification](./how-to-monitor-model-performance.md#set-up-model-monitoring-by-bringing-your-production-data-to-azure-machine-learning). | | | | `features` | Object | **Optional**. Target features to be monitored for data quality. Some models might have hundreds or thousands of features. It's always recommended to specify interested features for monitoring. | One of following values: list of feature names, `features.top_n_feature_importance`, or `all_features` | Default to `features.top_n_feature_importance = 10` if `reference_data.data_context` is `training`, otherwise default is `all_features` | | `alert_enabled` | Boolean | Turn on/off alert notification for the monitoring signal. `True` or `False` | | | | `metric_thresholds` | Object | List of metrics and thresholds properties for the monitoring signal. When threshold is exceeded and `alert_enabled` is `true`, user will receive alert notification. | | | The feature attribution of a model may change over time due to changes in the di | `production_data.input_data` | Object | **Optional**. Description of input data source, see [job input data](./reference-yaml-job-command.md#job-inputs) specification.| | | | `production_data.data_context` | String | The context of data. It refers to production model inputs data. | `model_inputs`, `model_outputs`, `model_inputs_outputs` | | | `production_data.data_column_names` | Object | Correlation column name and prediction column names in `key:value` format, needed for data joining. | Allowed keys are: `correlation_id`, `prediction`, `prediction_probability` |-| `production_data.pre_processing_component` | String | Component ID in the format of `azureml:myPreprocessing@latest` for a registered component. This is required if `production_data.input_data.type` is `uri_folder`, see [preprocessing component specification](./how-to-monitor-model-performance.md#set-up-model-monitoring-by-bringing-your-own-production-data-to-azure-machine-learning). | | | +| `production_data.pre_processing_component` | String | Component ID in the format of `azureml:myPreprocessing@latest` for a registered component. This is required if `production_data.input_data.type` is `uri_folder`, see [preprocessing component specification](./how-to-monitor-model-performance.md#set-up-model-monitoring-by-bringing-your-production-data-to-azure-machine-learning). | | | | `production_data.data_window_size` | String |**Optional**. Data window size in days with ISO8601 format, for example `P7D`. This is the production data window to be computed for data quality issues. | By default the data window size is the last monitoring period.| | | `reference_data` | Object | **Optional**. Recent past production data is used as comparison baseline data if this isn't specified. Recommendation is to use training data as comparison baseline. | | | | `reference_data.input_data` | Object | Description of input data source, see [job input data](./reference-yaml-job-command.md#job-inputs) specification. | | | | `reference_data.data_context` | String | The context of data, it refers to the context that dataset was used before. Fro feature attribution drift, only `training` data allowed. | `training` | | | `reference_data.target_column_name` | String | **Required**. | | |-| `reference_data.pre_processing_component` | String | Component ID in the format of `azureml:myPreprocessing@latest` for a registered component. This is required if `reference_data.input_data.type` is `uri_folder`, see [preprocessing component specification](./how-to-monitor-model-performance.md#set-up-model-monitoring-by-bringing-your-own-production-data-to-azure-machine-learning). | | | +| `reference_data.pre_processing_component` | String | Component ID in the format of `azureml:myPreprocessing@latest` for a registered component. This is required if `reference_data.input_data.type` is `uri_folder`, see [preprocessing component specification](./how-to-monitor-model-performance.md#set-up-model-monitoring-by-bringing-your-production-data-to-azure-machine-learning). | | | | `alert_enabled` | Boolean | Turn on/off alert notification for the monitoring signal. `True` or `False` | | | | `metric_thresholds` | Object | Metric name and threshold for feature attribution drift in `key:value` format, where `key` is the metric name, and `value` is the threshold. When threshold is exceeded and `alert_enabled` is on, user will receive alert notification. | Allowed metric name: `normalized_discounted_cumulative_gain` | | |
mysql | Concepts Backup Restore | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mysql/flexible-server/concepts-backup-restore.md | After a restore from either **latest restore point** or **custom restore point** ### Backup-related questions - **How do I back up my server?**-By default, Azure Database for MySQL flexible server enables automated backups of your entire server (encompassing all databases created) with a default 7-day retention period. You can also trigger a manual backup using On-Demand backup feature. The other way to manually take a backup is by using community tools such as mysqldump as documented [here](../concepts-migrate-dump-restore.md#dump-and-restore-using-mysqldump-utility) or mydumper as documented [here](../concepts-migrate-mydumper-myloader.md#create-a-backup-using-mydumper). If you wish to back up an Azure Database for MySQL flexible server instance to a Blob storage, refer to our tech community blog [Backup Azure Database for MySQL flexible server to a Blob Storage](https://techcommunity.microsoft.com/t5/azure-database-for-mysql/backup-azure-database-for-mysql-to-a-blob-storage/ba-p/803830). ++ By default, Azure Database for MySQL flexible server enables automated backups of your entire server (encompassing all databases created) with a default 7-day retention period. You can also trigger a manual backup using On-Demand backup feature. The other way to manually take a backup is by using community tools such as mysqldump as documented [here](../concepts-migrate-dump-restore.md#dump-and-restore-using-mysqldump-utility) or mydumper as documented [here](../concepts-migrate-mydumper-myloader.md#create-a-backup-using-mydumper). If you wish to back up an Azure Database for MySQL flexible server instance to a Blob storage, refer to our tech community blog [Backup Azure Database for MySQL flexible server to a Blob Storage](https://techcommunity.microsoft.com/t5/azure-database-for-mysql/backup-azure-database-for-mysql-to-a-blob-storage/ba-p/803830). + - **Can I configure automatic backups to be retained for long term?**-No, currently we only support a maximum of 35 days of automated backup retention. You can take manual backups and use that for long-term retention requirement. ++ No, currently we only support a maximum of 35 days of automated backup retention. You can take manual backups and use that for long-term retention requirement. + - **What are the backup windows for my server? Can I customize it?**-The first snapshot backup is scheduled immediately after a server is created. Snapshot backups are taken once daily. Transaction log backups occur every five minutes. Backup windows are inherently managed by Azure and can't be customized. ++ The first snapshot backup is scheduled immediately after a server is created. Snapshot backups are taken once daily. Transaction log backups occur every five minutes. Backup windows are inherently managed by Azure and can't be customized. + - **Are my backups encrypted?**-All Azure Database for MySQL flexible server data, backups, and temporary files created during query execution are encrypted using AES 256-bit encryption. The storage encryption is always on and can't be disabled. ++ All Azure Database for MySQL flexible server data, backups, and temporary files created during query execution are encrypted using AES 256-bit encryption. The storage encryption is always on and can't be disabled. + - **Can I restore a single/few database(s)?**-Restoring a single/few database(s) or tables isn't supported. In case you want to restore specific databases, perform a Point in Time Restore and then extract the table(s) or database(s) needed. + + Restoring a single/few database(s) or tables isn't supported. In case you want to restore specific databases, perform a Point in Time Restore and then extract the table(s) or database(s) needed. + - **Is my server available during the backup window?**-Yes. Backups are online operations and are snapshot-based. The snapshot operation only takes few seconds and doesn't interfere with production workloads, ensuring high availability of the server. + + Yes. Backups are online operations and are snapshot-based. The snapshot operation only takes few seconds and doesn't interfere with production workloads, ensuring high availability of the server. + - **When setting up the maintenance window for the server, do we need to account for the backup window?**-No, backups are triggered internally as part of the managed service and have no bearing on the Managed Maintenance Window. + + No, backups are triggered internally as part of the managed service and have no bearing on the Managed Maintenance Window. - **Where are my automated backups stored and how do I manage their retention?**-Azure Database for MySQL flexible server automatically creates server backups and stores them in user-configured, locally redundant storage or in geo-redundant storage. These backup files can't be exported. The default backup retention period is seven days. You can optionally configure the database backup from 1 to 35 days. + + Azure Database for MySQL flexible server automatically creates server backups and stores them in user-configured, locally redundant storage or in geo-redundant storage. These backup files can't be exported. The default backup retention period is seven days. You can optionally configure the database backup from 1 to 35 days. - **How can I validate my backups?**-The best way to validate availability of successfully completed backups is to view the full-automated backups taken within the retention period in the Backup and Restore blade. If a backup fails, it isn't listed in the available backups list, and the backup service will try every 20 minutes to take a backup until a successful backup is taken. These backup failures are due to heavy transactional production loads on the server. + + The best way to validate availability of successfully completed backups is to view the full-automated backups taken within the retention period in the Backup and Restore blade. If a backup fails, it isn't listed in the available backups list, and the backup service will try every 20 minutes to take a backup until a successful backup is taken. These backup failures are due to heavy transactional production loads on the server. + - **Where can I see the backup usage?**-In the Azure portal, under the Monitoring tab - Metrics section, you can find the [Backup Storage Used](./concepts-monitoring.md) metric, which can help you monitor the total backup usage. + + In the Azure portal, under the Monitoring tab - Metrics section, you can find the [Backup Storage Used](./concepts-monitoring.md) metric, which can help you monitor the total backup usage. + - **What happens to my backups if I delete my server?**-If you delete the server, all backups that belong to the server are also deleted and can't be recovered. To protect server resources post deployment from accidental deletion or unexpected changes, administrators can use [management locks](../../azure-resource-manager/management/lock-resources.md). ++ If you delete the server, all backups that belong to the server are also deleted and can't be recovered. To protect server resources post deployment from accidental deletion or unexpected changes, administrators can use [management locks](../../azure-resource-manager/management/lock-resources.md). - **What happens to my backups when I restore a server?**-If you restore a server, then it always results in a creation of a net new server that has been restored using original server's backups. The old backup from the original server is not copied over to the newly restored server and it remains with the original server. However, for the newly created server the first snapshot backup is scheduled immediately after a server is created and the service ensures daily automated backups are taken and stored as per configured server retention period. ++ If you restore a server, then it always results in a creation of a net new server that has been restored using original server's backups. The old backup from the original server is not copied over to the newly restored server and it remains with the original server. However, for the newly created server the first snapshot backup is scheduled immediately after a server is created and the service ensures daily automated backups are taken and stored as per configured server retention period. - **How am I charged and billed for my use of backups?**-Azure Database for MySQL flexible server provides up to 100% of your provisioned server storage as backup storage at no added cost. Any more backup storage used is charged in GB per month as per the [pricing model](https://azure.microsoft.com/pricing/details/mysql/server/). Backup storage billing is also governed by the backup retention period selected and backup redundancy option chosen, apart from the transactional activity on the server, which impacts the total backup storage used directly. ++ Azure Database for MySQL flexible server provides up to 100% of your provisioned server storage as backup storage at no added cost. Any more backup storage used is charged in GB per month as per the [pricing model](https://azure.microsoft.com/pricing/details/mysql/server/). Backup storage billing is also governed by the backup retention period selected and backup redundancy option chosen, apart from the transactional activity on the server, which impacts the total backup storage used directly. + - **How are backups retained for stopped servers?**-No new backups are performed for stopped servers. All older backups (within the retention window) at the time of stopping the server are retained until the server is restarted, post which backup retention for the active server is governed by its backup retention window. ++ No new backups are performed for stopped servers. All older backups (within the retention window) at the time of stopping the server are retained until the server is restarted, post which backup retention for the active server is governed by its backup retention window. - **How will I be billed for backups for a stopped server?**-While your server instance is stopped, you're charged for provisioned storage (including Provisioned IOPS) and backup storage (backups stored within your specified retention window). Free backup storage is limited to the size of your provisioned database and only applies to active servers. ++ While your server instance is stopped, you're charged for provisioned storage (including Provisioned IOPS) and backup storage (backups stored within your specified retention window). Free backup storage is limited to the size of your provisioned database and only applies to active servers. + - **How is my backup data protected?**-Azure database for MySQL Flexible server protects your backup data by blocking any operations that could lead to loss of recovery points for the duration of the configured retention period. Backups taken during the retention period can only be read for the purpose of restoration and are deleted post retention period. Also, all backups in Azure Database for MySQL flexible server are encrypted using AES 256-bit encryption for the data stored at rest. ++ Azure database for MySQL Flexible server protects your backup data by blocking any operations that could lead to loss of recovery points for the duration of the configured retention period. Backups taken during the retention period can only be read for the purpose of restoration and are deleted post retention period. Also, all backups in Azure Database for MySQL flexible server are encrypted using AES 256-bit encryption for the data stored at rest. ++- **How does a Point-In-Time Restore (PITR) operation affect IOPS usage?** ++ During a PITR operation in Azure Database for MySQL - Flexible Server, a new server is created and data is copied from the source serverΓÇÖs storage to the new serverΓÇÖs storage. This process results in an increased IOPS usage on the source server. This increase in IOPS usage is a normal occurrence and does not indicate any issues with the source server or the PITR operation. Once the PITR operation is complete, the IOPS usage on the source server will return to its usual levels. ### Restore-related questions Azure database for MySQL Flexible server protects your backup data by blocking a Azure portal supports Point In Time Restore for all servers, allowing users to restore to latest or custom restore points. To manually restore your server from the backups taken by mysqldump/myDumper, see [Restore your database using myLoader](../concepts-migrate-mydumper-myloader.md#restore-your-database-using-myloader). - **Why is my restore taking so much time?**-The estimated time for the recovery of the server depends on several factors: ++ The estimated time for the recovery of the server depends on several factors: - The size of the databases. As a part of the recovery process, the database needs to be hydrated from the last physical backup and hence the time taken to recover will be proportional to the size of the database. - The active portion of transaction activity that needs to be replayed to recover. Recovery can take longer depending on the added transaction activity from the last successful checkpoint. - The network bandwidth if the restore is to a different region. The estimated time for the recovery of the server depends on several factors: - The presence of primary keys in the tables in the database. For faster recovery, consider adding primary keys for all the tables in your database. - **Will modifying session level database variables impact restoration?**+ Modifying session level variables and running DML statements in a MySQL client session can impact the PITR (point in time restore) operation, as these modifications don't get recorded in the binary log that is used for backup and restore operation. For example, [foreign_key_checks](http://dev.mysql.com/doc/refman/5.5/en/server-system-variables.html#sysvar_foreign_key_checks) are one such session-level variable, which if disabled for running a DML statement which violates the foreign key constraint results in PITR (point in time restore) failure. The only workaround in such a scenario would be to select a PITR time earlier than the time at which [foreign_key_checks](http://dev.mysql.com/doc/refman/5.5/en/server-system-variables.html#sysvar_foreign_key_checks) were disabled. Our recommendation is to NOT modify any session variables for a successful PITR operation. ## Next steps |
mysql | Concepts Server Parameters | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mysql/flexible-server/concepts-server-parameters.md | Last updated 04/26/2023 This article provides considerations and guidelines for configuring server parameters in Azure Database for MySQL flexible server. +> [!NOTE] +> This article contains references to the term *slave*, a term that Microsoft no longer uses. When the term is removed from the software, we'll remove it from this article. ++ ## What are server variables? The MySQL engine provides many different [server variables/parameters](https://dev.mysql.com/doc/refman/5.7/en/server-option-variable-reference.html) that can be used to configure and tune engine behavior. Some parameters can be set dynamically during runtime while others are "static", requiring a server restart in order to apply. Refer to the following sections to learn more about the limits of the several co ### lower_case_table_names -For MySQL version 5.7, default value is 1 in Azure Database for MySQL flexible server. It is important to note that while it is possible to change the supported value to 2, reverting from 2 back to 1 is not allowed. Please contact our [support team](https://azure.microsoft.com/support/create-ticket/) for assistance in changing the default value. -For [MySQl version 8.0+](https://dev.mysql.com/doc/refman/8.0/en/identifier-case-sensitivity.html) lower_case_table_names can only be configured when initializing the server. [Learn more](https://dev.mysql.com/doc/refman/8.0/en/identifier-case-sensitivity.html). Changing the lower_case_table_names setting after the server is initialized is prohibited. For MySQL version 8.0, default value is 1 in Azure Database for MySQL flexible server. Supported value for MySQL version 8.0 are 1 and 2 in Azure Database for MySQL flexible server. Please contact our [support team](https://azure.microsoft.com/support/create-ticket/) for assistance in changing the default value during server creation. +For MySQL version 5.7, default value is 1 in Azure Database for MySQL flexible server. It's important to note that while it is possible to change the supported value to 2, reverting from 2 back to 1 isn't allowed. Contact our [support team](https://azure.microsoft.com/support/create-ticket/) for assistance in changing the default value. +For [MySQL version 8.0+](https://dev.mysql.com/doc/refman/8.0/en/identifier-case-sensitivity.html) lower_case_table_names can only be configured when initializing the server. [Learn more](https://dev.mysql.com/doc/refman/8.0/en/identifier-case-sensitivity.html). Changing the lower_case_table_names setting after the server is initialized is prohibited. For MySQL version 8.0, default value is 1 in Azure Database for MySQL flexible server. Supported value for MySQL version 8.0 are 1 and 2 in Azure Database for MySQL flexible server. Contact our [support team](https://azure.microsoft.com/support/create-ticket/) for assistance in changing the default value during server creation. +++### innodb_tmpdir ++The [innodb_tmpdir](https://dev.mysql.com/doc/refman/8.0/en/innodb-parameters.html#sysvar_innodb_tmpdir) parameter in Azure Database for MySQL Flexible Server is used to define directory for temporary sort files created during online ALTER TABLE operations that rebuild. The default value of innodb_tmpdir is `/mnt/temp`. This location corresponds to the [temporary storage SSD](./concepts-service-tiers-storage.md#service-tiers-size-and-server-types), available in GiB with each server compute size. This location is ideal for operations that donΓÇÖt require a large amount of space. +If more space is needed, you can set innodb_tmpdir to `/app/work/tmpdir`. This utilizes your storage, capacity available on your Azure Database for MySQL Flexible Server. This can be useful for larger operations that require more temporary storage. +It's important to note that utilizing `/app/work/tmpdir` results in slower performance compared to the [default temp storage (SSD)](./concepts-service-tiers-storage.md#service-tiers-size-and-server-types) `/mnt/temp`. The choice should be made based on the specific requirements of the operations. +The information provided for the `innodb_tmpdir` is applicable to the parameters [innodb_temp_tablespaces_dir](https://dev.mysql.com/doc/refman/8.0/en/innodb-parameters.html#sysvar_innodb_temp_tablespaces_dir), [tmpdir](https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_tmpdir), and [slave_load_tmpdir](https://dev.mysql.com/doc/refman/8.0/en/replication-options-replica.html#sysvar_replica_load_tmpdir) where the default value `/mnt/temp` is common, and the alternative directory `/app/work/tmpdir` is available for configuring increased temporary storage, with a trade-off in performance based on specific operational requirements. ### log_bin_trust_function_creators In Azure Database for MySQL flexible server, binary logs are always enabled (tha The binary logging format is always **ROW** and all connections to the server **ALWAYS** use row-based binary logging. With row-based binary logging, security issues don't exist and binary logging can't break, so you can safely allow [`log_bin_trust_function_creators`](https://dev.mysql.com/doc/refman/5.7/en/replication-options-binary-log.html#sysvar_log_bin_trust_function_creators) to remain **ON**. -If [`log_bin_trust_function_creators`] is set to OFF, if you try to create triggers you may get errors similar to *you do not have the SUPER privilege and binary logging is enabled (you might want to use the less safe `log_bin_trust_function_creators` variable)*. +If [`log_bin_trust_function_creators`] is set to OFF, if you try to create triggers you may get errors similar to *you don't have the SUPER privilege, and binary logging is enabled (you might want to use the less safe `log_bin_trust_function_creators` variable)*. ### innodb_buffer_pool_size The binary log contains "events" that describe database changes such as table cr ### event_scheduler -In Azure Database for MySQL flexible server, the `event_schedule` server parameter manages creating, scheduling, and running events, i.e., tasks that run according to a schedule, and they're run by a special event scheduler thread. When the `event_scheduler` parameter is set to ON, the event scheduler thread is listed as a daemon process in the output of SHOW PROCESSLIST. You can create and schedule events using the following SQL syntax: +In Azure Database for MySQL flexible server, the `event_schedule` server parameter manages creating, scheduling, and running events, that is, tasks that run according to a schedule, and they're run by a special event scheduler thread. When the `event_scheduler` parameter is set to ON, the event scheduler thread is listed as a daemon process in the output of SHOW PROCESSLIST. You can create and schedule events using the following SQL syntax: ```sql CREATE EVENT <event name> |
mysql | Concepts Service Tiers Storage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mysql/flexible-server/concepts-service-tiers-storage.md | You can create an Azure Database for MySQL flexible server instance in one of th | Storage size | 20 GiB to 16 TiB | 20 GiB to 16 TiB | 20 GiB to 16 TiB | | Database backup retention period | 1 to 35 days | 1 to 35 days | 1 to 35 days | -\** With the exception of 64,80, and 96 vCores, which has 504, 504 and 672 GiB of memory respectively. +\** With the exception of 64,80, and 96 vCores, which has 504 GiB, 504 GiB and 672 GiB of memory respectively. \* Ev5 compute provides best performance among other VM series in terms of QPS and latency. learn more about performance and region availability of Ev5 compute from [here](https://techcommunity.microsoft.com/t5/azure-database-for-mysql-blog/boost-azure-mysql-business-critical-flexible-server-performance/ba-p/3603698). The unique feature of the burstable compute tier is its ability to ΓÇ£burstΓÇ¥, However, itΓÇÖs important to note that once a burstable instance exhausts its CPU credits, it operates at its base CPU performance. For example, the base CPU performance of a Standard_B1s is 20% that is, 0.2 Vcore. If Burstable tier server is running a workload that requires more CPU performance than the base level, and it has exhausted its CPU credits, the server may experience performance limitations and eventually could affect various system operations for your server. -Therefore, while the Burstable compute tier offers significant cost and flexibility advantages for certain types of workloads, **it is not recommended for production workloads** that require consistent CPU performance. Note that the Burstable tier doesn't support functionality of creating [Read Replicas](./concepts-read-replicas.md) and [High availability](./concepts-high-availability.md) feature. For such workloads and features, other compute tiers, such as the General Purpose or Business Critical are more appropriate. +Therefore, while the Burstable compute tier offers significant cost and flexibility advantages for certain types of workloads, **it is not recommended for production workloads** that require consistent CPU performance. The Burstable tier doesn't support functionality of creating [Read Replicas](./concepts-read-replicas.md) and [High availability](./concepts-high-availability.md) feature. For such workloads and features, other compute tiers, such as the General Purpose or Business Critical are more appropriate. -For more information on the Azure's B-series CPU credit model, refer to the [B-series burstable instances](../../virtual-machines/sizes-b-series-burstable.md) and [B-series CPU credit model](../../virtual-machines/b-series-cpu-credit-model/b-series-cpu-credit-model.md#b-series-cpu-credit-model). +For more information on the Azure's B-series CPU credit model, see the [B-series burstable instances](../../virtual-machines/sizes-b-series-burstable.md) and [B-series CPU credit model](../../virtual-machines/b-series-cpu-credit-model/b-series-cpu-credit-model.md#b-series-cpu-credit-model). ### Monitoring CPU credits in burstable tier Monitoring your CPU credit balance is crucial for maintaining optimal performanc [CPU Credit Consumed](./concepts-monitoring.md): This metric indicates the number of CPU credits consumed by your instance. Monitoring this metric can help you understand your instanceΓÇÖs CPU usage patterns and manage its performance effectively. -[CPU Credit Remaining](./concepts-monitoring.md): This metric shows the number of CPU credits remaining for your instance. Keeping an eye on this metric can help you prevent your instance from degrading in performance due to exhausting its CPU credits. +[CPU Credit Remaining](./concepts-monitoring.md): This metric shows the number of CPU credits remaining for your instance. Keeping an eye on this metric can help you prevent your instance from degrading in performance due to exhausting its CPU credits. If the CPU Credit Remaining metric drops below a certain level (for example, less than 30% of the total available credits), this would indicate that the instance is at risk of exhausting its CPU credits if the current CPU load continues. For more information, on [how to setup alerts on metrics, refer to this guide](./how-to-alert-on-metric.md). |
mysql | Concepts Storage Iops | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mysql/flexible-server/concepts-storage-iops.md | Moreover, Additional IOPS with pre-provisioned refers to the flexibility of incr Autoscale IOPS offer the flexibility to scale IOPS on demand, eliminating the need to pre-provision a specific amount of IO per second. By enabling Autoscale IOPS, your server will automatically adjust IOPS based on workload requirements. With the Autoscale IOPS featured enable, you can now enjoy worry free IO management in Azure Database for MySQL flexible server because the server scales IOPs up or down automatically depending on workload needs. +**Dynamic Scaling**: Autoscale IOPS dynamically adjust the IOPS limit of your database server based on the actual demand of your workload. This ensures optimal performance without manual intervention or configuration +**Handling Workload Spikes**: Autoscale IOPS enable your database to seamlessly handle workload spikes or fluctuations without compromising the performance of your applications. This feature ensures consistent responsiveness even during peak usage periods. +**Cost Savings**: Unlike the Pre-provisioned IOPS where a fixed IOPS limit is specified and paid for regardless of usage, Autoscale IOPS lets you pay only for the number of I/O operations that you consume. With this feature, you'll only be charged for the IO your server actually utilizes, avoiding unnecessary provisioning and expenses for underutilized resources. This ensures both cost savings and optimal performance, making it a smart choice for managing your database workload efficiently. Autoscale IOPS: The Autoscale feature might not provide significant advantages i ## Frequent Asked Questions #### How to move from pre-provisioned IOPS to Autoscale IOPS?-- Access your Azure portal and locate the relevant Azure database for Azure Database for MySQL flexible server.+- Access your Azure portal and locate the relevant Azure Database for MySQL flexible server. - Go to the Settings blade and choose the Compute + Storage section. - Within the IOPS section, opt for Auto Scale IOPS and save the settings to apply the modifications. #### How soon does Autoscale IOPS take effect after making the change? Once you enable Autoscale IOPS for Azure Database for MySQL flexible server and save the settings, the changes take effect immediately after the deployment to the resource has completed successfully. This means that the Autoscale IOPS feature will be applied to your database without any delay. +#### How does a Point-In-Time Restore (PITR) operation affect IOPS usage? +During a PITR operation in Azure Database for MySQL - Flexible Server, a new server is created and data is copied from the source serverΓÇÖs storage to the new serverΓÇÖs storage. This process results in an increased IOPS usage on the source server. This increase in IOPS usage is a normal occurrence and doesn't indicate any issues with the source server or the PITR operation. Once the PITR operation is complete, the IOPS usage on the source server returns to its usual levels. For more information on PITR, you can refer to the +[Backup and Restore section](./concepts-backup-restore.md) in the Azure Database for MySQL - Flexible Server documentation. + #### How to know when IOPS have scaled up and scaled down when the server is using Autoscale IOPS feature? Or Can I monitor IOPS usage for my server? Refer to [ΓÇ£Monitor Storage performanceΓÇ¥](#monitor-storage-performance) section, which will help to identify if your server has scaled up or scaled down during specific time window. |
mysql | Create Automation Tasks | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mysql/flexible-server/create-automation-tasks.md | Creating an automation task doesn't immediately incur charges. The automation ta ||| ## Stop server task-Here's an example to configure stop tasks for a Azure Database for MySQL flexible server instance. +Here's an example to configure stop tasks for an Azure Database for MySQL flexible server instance. 1. Select **Stop MySQL Flexible server** task. |
openshift | Howto Deploy Java Jboss Enterprise Application Platform App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/openshift/howto-deploy-java-jboss-enterprise-application-platform-app.md | -This article uses the Azure Marketplace offer for JBoss EAP to accelerate your journey to ARO. The offer automatically provisions a number of resources including an ARO cluster with a built-in OpenShift Container Registry (OCR), the JBoss EAP Operator, and optionally a container image including JBoss EAP and your application using Source-to-Image (S2I). To see the offer, visit the [Azure portal](https://aka.ms/eap-aro-portal). If you prefer manual step-by-step guidance for running JBoss EAP on ARO that doesn't utilize the automation enabled by the offer, see [Deploy a Java application with Red Hat JBoss Enterprise Application Platform (JBoss EAP) on an Azure Red Hat OpenShift 4 cluster](/azure/developer/java/ee/jboss-eap-on-aro). +This article uses the Azure Marketplace offer for JBoss EAP to accelerate your journey to ARO. The offer automatically provisions resources including an ARO cluster with a built-in OpenShift Container Registry (OCR), the JBoss EAP Operator, and optionally a container image including JBoss EAP and your application using Source-to-Image (S2I). To see the offer, visit the [Azure portal](https://aka.ms/eap-aro-portal). If you prefer manual step-by-step guidance for running JBoss EAP on ARO that doesn't utilize the automation enabled by the offer, see [Deploy a Java application with Red Hat JBoss Enterprise Application Platform (JBoss EAP) on an Azure Red Hat OpenShift 4 cluster](/azure/developer/java/ee/jboss-eap-on-aro). ## Prerequisites This article uses the Azure Marketplace offer for JBoss EAP to accelerate your j - A Red Hat account with complete profile. If you don't have one, you can sign up for a free developer subscription through the [Red Hat Developer Subscription for Individuals](https://developers.redhat.com/register). -- Use [Azure Cloud Shell](/azure/cloud-shell/quickstart) using the Bash environment. Be sure the Azure CLI version is 2.43.0 or higher.+- A local developer command line with a UNIX command environment and Azure CLI installed. To learn how to install the Azure CLI, see [How to install the Azure CLI](/cli/azure/install-azure-cli). - [![Image of button to launch Cloud Shell in a new window.](../../includes/media/cloud-shell-try-it/hdi-launch-cloud-shell.png)](https://shell.azure.com) +- The `mysql` CLI. For instructions see [How To Install MySQL](https://www.digitalocean.com/community/tutorials/how-to-install-mysql-on-ubuntu-20-04). - > [!NOTE] - > You can also execute this guidance from a local developer command line with the Azure CLI installed. To learn how to install the Azure CLI, see [How to install the Azure CLI](/cli/azure/install-azure-cli). - > - > If you are using a local developer command line, you must install the `mysql` CLI. For instructions see [How To Install MySQL](https://www.digitalocean.com/community/tutorials/how-to-install-mysql-on-ubuntu-20-04). +> [!NOTE] +> You can also execute this guidance from the [Azure Cloud Shell](/azure/cloud-shell/quickstart). This approach has all the prerequisite tools pre-installed. +> +> [![Image of button to launch Cloud Shell in a new window.](../../includes/media/cloud-shell-try-it/hdi-launch-cloud-shell.png)](https://shell.azure.com) - Ensure the Azure identity you use to sign in has either the [Contributor](/azure/role-based-access-control/built-in-roles#contributor) role and the [User Access Administrator](/azure/role-based-access-control/built-in-roles#user-access-administrator) role or the [Owner](/azure/role-based-access-control/built-in-roles#owner) role in the current subscription. For an overview of Azure roles, see [What is Azure role-based access control (Azure RBAC)?](/azure/role-based-access-control/overview) This article uses the Azure Marketplace offer for JBoss EAP to accelerate your j ## Get a Red Hat pull secret -The Azure Marketplace offer you use in this article requires a Red Hat pull secret. This section shows you how to get a Red Hat pull secret for Azure Red Hat OpenShift. To learn about what a Red Hat pull secret is and why you need it, see the [Get a Red Hat pull secret](/azure/openshift/tutorial-create-cluster#get-a-red-hat-pull-secret-optional) section in [Tutorial: Create an Azure Red Hat OpenShift 4 cluster](/azure/openshift/tutorial-create-cluster). +The Azure Marketplace offer used in this article requires a Red Hat pull secret. This section shows you how to get a Red Hat pull secret for Azure Red Hat OpenShift. To learn about what a Red Hat pull secret is and why you need it, see the [Get a Red Hat pull secret](/azure/openshift/tutorial-create-cluster#get-a-red-hat-pull-secret-optional) section in [Tutorial: Create an Azure Red Hat OpenShift 4 cluster](/azure/openshift/tutorial-create-cluster). Use the following steps to get the pull secret. Use the following steps to deploy a service principal and get its Application (c 1. Provide a description of the secret and a duration. When you're done, select **Add**. 1. After the client secret is added, the value of the client secret is displayed. Copy this value because you can't retrieve it later. Be sure to copy the **Value** and not the **Secret ID**. -You've now created your Microsoft Entra application, service principal, and client secret. +You've created your Microsoft Entra application, service principal, and client secret. ## Create a Red Hat Container Registry service account Use the following steps to create a Red Hat Container Registry service account a - Note down the **username**, including the prepended string (that is, `XXXXXXX|username`). Use this username when you sign in to `registry.redhat.io`. - Note down the **password**. Use this password when you sign in to `registry.redhat.io`. -You've now created your Red Hat Container Registry service account. +You've created your Red Hat Container Registry service account. ## Deploy JBoss EAP on Azure Red Hat OpenShift While you wait, you can set up the database. The following sections show you how to set up Azure Database for MySQL - Flexible Server. -### Set environment variables in the Azure Cloud Shell +### Set environment variables in the command line shell The application is a Jakarta EE application backed by a MySQL database, and is deployed to the OpenShift cluster using Source-to-Image (S2I). For more information about S2I, see the [S2I Documentation](http://red.ht/eap-aro-s2i). -Continuing in the Azure Cloud Shell, use the following command to set up some environment variables: +Open a shell, or Cloud Shell, and set the following environment variables. Replace the substitutions as appropriate. ```azurecli-interactive RG_NAME=<resource-group-name> SERVER_NAME=<database-server-name> DB_DATABASE_NAME=testdb ADMIN_USERNAME=myadmin-ADMIN_PASSWORD=<mysql-admin-password> +ADMIN_PASSWORD=Secret123456 DB_USERNAME=testuser DB_PASSWORD=Secret123456 PROJECT_NAME=eaparo-sample Replace the placeholders with the following values, which are used throughout th - `<resource-group-name>`: The name of resource group you created previously - for example, `eaparo033123rg`. - `<database-server-name>`: The name of your MySQL server, which should be unique across Azure - for example, `eaparo033123mysql`.-- `<mysql-admin-password>`: The admin password of your MySQL database server. That password should have a minimum of eight characters. The characters should be from three of the following categories: English uppercase letters, English lowercase letters, numbers (0-9), and non-alphanumeric characters (!, $, #, %, and so on).+- `ADMIN_PASSWORD`: The admin password of your MySQL database server. This article was tested using the password shown. Consult the database documentation for password rules. - `<red-hat-container-registry-service-account-username>` and `<red-hat-container-registry-service-account-password>`: The username and password of the Red Hat Container Registry service account you created before. -It's a good idea to save the fully filled out name/value pairs in a text file, in case the Azure Cloud Shell times out before you're done executing the commands. That way, you can paste them into a new instance of the Cloud Shell and easily continue. +It's a good idea to save the fully filled out name/value pairs in a text file, in case the shell exits or the Azure Cloud Shell times out before you're done executing the commands. That way, you can paste them into a new instance of the shell or Cloud Shell and easily continue. -These name/value pairs are essentially "secrets". For a production-ready way to secure Azure Red Hat OpenShift, including secret management, see [Security for the Azure Red Hat OpenShift landing zone accelerator](/azure/cloud-adoption-framework/scenarios/app-platform/azure-red-hat-openshift/security). +These name/value pairs are essentially "secrets." For a production-ready way to secure Azure Red Hat OpenShift, including secret management, see [Security for the Azure Red Hat OpenShift landing zone accelerator](/azure/cloud-adoption-framework/scenarios/app-platform/azure-red-hat-openshift/security). ### Create and initialize the database You now have a MySQL database server running and ready to connect with your app. ## Verify the functionality of the deployment -The steps in this section show you how to verify that the deployment has successfully completed. +The steps in this section show you how to verify that the deployment completes successfully. If you navigated away from the **Deployment is in progress** page, the following steps show you how to get back to that page. If you're still on the page that shows **Your deployment is complete**, you can skip to step 5. If you navigated away from the **Deployment is in progress** page, the following 1. In the navigation pane, select **Outputs**. This list shows the output values from the deployment, which includes some useful information. -1. Open Azure Cloud Shell, paste the value from the **cmdToGetKubeadminCredentials** field, and execute it. You see the admin account and credential for signing in to the OpenShift cluster console portal. The following example shows an admin account: +1. Open the shell or Azure Cloud Shell, paste the value from the **cmdToGetKubeadminCredentials** field, and execute it. You see the admin account and credential for signing in to the OpenShift cluster console portal. The following example shows an admin account: ```azurecli az aro list-credentials --resource-group eaparo033123rg --name clusterf9e8b9 If you navigated away from the **Deployment is in progress** page, the following Next, use the following steps to connect to the OpenShift cluster using the OpenShift CLI: -1. In the Azure Cloud Shell, use the following commands to download the latest OpenShift 4 CLI for GNU/Linux. If running on an OS other than GNU/Linux, download the appropriate binary for that OS. +1. In the shell or Azure Cloud Shell, use the following commands to download the latest OpenShift 4 CLI for GNU/Linux. If running on an OS other than GNU/Linux, download the appropriate binary for that OS. ```azurecli-interactive cd ~ Next, use the following steps to connect to the OpenShift cluster using the Open echo 'export PATH=$PATH:~/openshift' >> ~/.bashrc && source ~/.bashrc ``` -1. Paste the value from the **cmdToLoginWithKubeadmin** field into the Azure Cloud Shell, and execute it. You should see the `login successful` message and the project you're using. The following content is an example of the command to connect to the OpenShift cluster using the OpenShift CLI. +1. Paste the value from the **cmdToLoginWithKubeadmin** field into the shell or Azure Cloud Shell, and execute it. You should see the `login successful` message and the project you're using. The following content is an example of the command to connect to the OpenShift cluster using the OpenShift CLI. ```azurecli-interactive oc login \ The steps in this section show you how to deploy an app on the cluster. Use the following steps to deploy the app to the cluster. The app is hosted in the GitHub repo [rhel-jboss-templates/eap-coffee-app](https://github.com/Azure/rhel-jboss-templates/tree/main/eap-coffee-app). -1. In the Azure Cloud Shell, run the following commands to create a project, apply a permission to enable S2I to work, image the pull secret, and link the secret to the relative service accounts in the project for image pulling. Disregard the git warning about "'detached HEAD' state". +1. In the shell or Azure Cloud Shell, run the following commands. The commands create a project, apply a permission to enable S2I to work, image the pull secret, and link the secret to the relative service accounts in the project to enable the image pull. Disregard the git warning about "'detached HEAD' state." ```azurecli-interactive git clone https://github.com/Azure/rhel-jboss-templates.git |
operator-insights | Concept Data Types | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/operator-insights/concept-data-types.md | A Data Product ingests data from one or more sources, digests and enriches this A data type is used to refer to an individual data source. Data types can be from outside the Data Product, such as from a network element. Data types can also be created within the Data Product itself by aggregating or enriching information from other data types. -Data Product operators can choose which data types to use and the data retention period for each data type. +Data Product operators can choose the data retention period for each data type. ## Data type contents Data types are presented as child resources of the Data Product within the Azure :::image type="content" source="media/concept-data-types/data-types.png" alt-text="Screenshot of Data Types portal page."::: -- Data Product operators can turn off individual data types to avoid incurring processing and storage costs associated with a data type that isn't valuable for their specific use cases.-- Data Product operators can configure different data retention periods for each data type as shown in the Data Retention page. For example, data types containing personal data are typically configured with a shorter retention period to comply with privacy legislation.+Data Product operators can configure different data retention periods for each data type as shown in the Data Retention page. For example, data types containing personal data are typically configured with a shorter retention period to comply with privacy legislation. :::image type="content" source="media/concept-data-types/data-types-data-retention.png" alt-text="Screenshot of Data Types Data Retention portal page."::: |
operator-nexus | Howto Credential Rotation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/operator-nexus/howto-credential-rotation.md | + + Title: Azure Operator Nexus credential rotation +description: Instructions on Credential Rotation Lifecycle Management requests. +++ Last updated : 01/29/2024+++++# Credential rotation management for on-premises devices ++This document provides an overview of the credential rotation support request that needs to be raised for requesting credential rotation on the nexus instance. ++## Prerequisites ++- Target cluster and fabric must be in running and healthy state. ++## Create support request ++Raise credential rotation request by [contacting support](https://portal.azure.com/?#blade/Microsoft_Azure_Support/HelpAndSupportBlade). Below details are required in order to perform the credential rotation on the required target instance: + - Type of credential that needs to be rotated. Specify if the request is for fabric device or BMC or Storage or Console User or for all four types. + - Provide Tenant ID. + - Provide Subscription ID. + - Provide Resource Group Name in which the target cluster or fabric resides based on type of credential that needs to be rotated. + - Provide Target Cluster or Fabric Name based on type of credential that needs to be rotated. + - Provide Target Cluster or Fabric ARM ID based on type of credential that needs to be rotated. + - Provide Customer Key Vault ID to which rotated credentials of target cluster instance needs to be updated. ++For more information about Support plans, see [Azure Support plans](https://azure.microsoft.com/support/plans/response/). |
operator-nexus | Troubleshoot Hardware Validation Failure | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/operator-nexus/troubleshoot-hardware-validation-failure.md | + + Title: Azure Operator Nexus troubleshooting hardware validation failure +description: Troubleshoot Hardware Validation Failure for Azure Operator Nexus. +++ Last updated : 01/26/2024+++++# Troubleshoot hardware validation failure in Nexus Cluster ++This article describes how to troubleshoot a failed server hardware validation. Hardware validation is run as part of cluster deploy action. ++## Prerequisites ++- Gather the following information: + - Subscription ID + - Cluster name and resource group +- The user needs access to the Cluster's Log Analytics Workspace (LAW) ++## Locating hardware validation results ++1. Navigate to cluster resource group in the subscription +2. Expand the cluster Log Analytics Workspace (LAW) resource for the cluster +3. Navigate to the Logs tab +4. Hardware validation results can be fetched with a query against the HWVal_CL table as per the following example +++## Examining hardware validation results ++The Hardware Validation result for a given server includes the following categories. ++- system_info +- drive_info +- network_info +- health_info +- boot_info ++Expanding `result_detail` for a given category shows detailed results. ++## Troubleshooting specific failures ++### System info category ++* Memory/RAM related failure (memory_capacity_GB) + * Memory specs are defined in the SKU. + * Memory below threshold value indicates missing or failed DIMM(s). Failed DIMM(s) would also be reflected in the `health_info` category. ++ ```json + { + "field_name": "memory_capacity_GB", + "comparison_result": "Fail", + "expected": "512", + "fetched": "480" + } + ``` ++* CPU Related Failure (cpu_sockets) + * CPU specs are defined in the SKU. + * Failed `cpu_sockets` check indicates a failed CPU or CPU count mismatch. ++ ```json + { + "field_name": "cpu_sockets", + "comparison_result": "Fail", + "expected": "2", + "fetched": "1" + } + ``` ++* Model Check Failure (Model) + * Failed `Model` check indicates that wrong server is racked in the slot or there's a cabling mismatch. ++ ```json + { + "field_name": "Model", + "comparison_result": "Fail", + "expected": "R750", + "fetched": "R650" + } + ``` ++### Drive info category ++* Disk Check Failure + * Drive specs are defined in the SKU + * Mismatched capacity values indicate incorrect drives or drives inserted in to incorrect slots. + * Missing capacity and type fetched values indicate drives that are failed, missing or inserted in to incorrect slots. ++ ```json + { + "field_name": "Disk_0_Capacity_GB", + "comparison_result": "Fail", + "expected": "893", + "fetched": "3576" + } + ``` ++ ```json + { + "field_name": "Disk_0_Capacity_GB", + "comparison_result": "Fail", + "expected": "893", + "fetched": "" + } + ``` ++ ```json + { + "field_name": "Disk_0_Type", + "comparison_result": "Fail", + "expected": "SSD", + "fetched": "" + } + ``` ++### Network info category ++* NIC Check Failure + * Dell server NIC specs are defined in the SKU. + * Mismatched link status indicates loose or faulty cabling or crossed cables. + * Mismatched model indicates incorrect NIC card is inserted in to slot. + * Missing link/model fetched values indicate NICs that are failed, missing or inserted in to incorrect slots. ++ ```json + { + "field_name": "NIC.Slot.3-1-1_LinkStatus", + "comparison_result": "Fail", + "expected": "Up", + "fetched": "Down" + } + ``` ++ ```json + { + "field_name": "NIC.Embedded.2-1-1_LinkStatus", + "comparison_result": "Fail", + "expected": "Down", + "fetched": "Up" + } + ``` ++ ```json + { + "field_name": "NIC.Slot.3-1-1_Model", + "comparison_result": "Fail", + "expected": "ConnectX-6", + "fetched": "BCM5720" + } + ``` ++ ```json + { + "field_name": "NIC.Slot.3-1-1_LinkStatus", + "comparison_result": "Fail", + "expected": "Up", + "fetched": "" + } + ``` ++ ```json + { + "field_name": "NIC.Slot.3-1-1_Model", + "comparison_result": "Fail", + "expected": "ConnectX-6", + "fetched": "" + } + ``` ++* NIC Check L2 Switch Information + * HW Validation reports L2 switch information for each of the server interfaces. + * The switch connection ID (switch interface MAC) and switch port connection ID (switch interface label) are informational. ++ ```json + { + "field_name": "NIC.Slot.3-1-1_SwitchConnectionID", + "expected": "unknown", + "fetched": "c0:d6:82:23:0c:7d", + "comparison_result": "Info" + } + ``` ++ ```json + { + "field_name": "NIC.Slot.3-1-1_SwitchPortConnectionID", + "expected": "unknown", + "fetched": "Ethernet10/1", + "comparison_result": "Info" + } + ``` ++* Release 3.6 introduced cable checks for bonded interfaces. + * Mismatched cabling is reported in the result_log. + * Cable check validates that that bonded NICs connect to switch ports with same Port ID. In the following example PCI 3/1 and 3/2 connect to "Ethernet1/1" and "Ethernet1/3" respectively on TOR, triggering a failure for HWV. ++ ```json + { + "network_info": { + "network_info_result": "Fail", + "result_detail": [ + { + "field_name": "NIC.Slot.3-1-1_SwitchPortConnectionID", + "fetched": "Ethernet1/1", + }, + { + "field_name": "NIC.Slot.3-2-1_SwitchPortConnectionID", + "fetched": "Ethernet1/3", + } + ], + "result_log": [ + "Cabling problem detected on PCI Slot 3" + ] + }, + } + ``` ++### Health info category ++* Health Check Sensor Failure + * Server health checks cover various hardware component sensors. + * A failed health sensor indicates a problem with the corresponding hardware component. + * The following examples indicate fan, drive and CPU failures respectively. ++ ```json + { + "field_name": "System Board Fan1A", + "comparison_result": "Fail", + "expected": "Enabled-OK", + "fetched": "Enabled-Critical" + } + ``` ++ ```json + { + "field_name": "Solid State Disk 0:1:1", + "comparison_result": "Fail", + "expected": "Enabled-OK", + "fetched": "Enabled-Critical" + } + ``` ++ ```json + { + "field_name": "CPU.Socket.1", + "comparison_result": "Fail", + "expected": "Enabled-OK", + "fetched": "Enabled-Critical" + } + ``` ++* Health Check Lifecycle Log (LC Log) Failures + * Dell server health checks fail for recent Critical LC Log Alarms. + * The hardware validation plugin logs the alarm ID, name, and timestamp. + * Recent LC Log critical alarms indicate need for further investigation. + * The following example shows a failure for a critical Backplane voltage alarm. ++ ```json + { + "field_name": "LCLog_Critical_Alarms", + "expected": "No Critical Errors", + "fetched": "53539 2023-07-22T23:44:06-05:00 The system board BP1 PG voltage is outside of range.", + "comparison_result": "Fail" + } + ``` ++* Health Check Server Power Action Failures + * Dell server health check fail for failed server power-up or failed iDRAC reset. + * A failed server control action indicates an underlying hardware issue. + * The following example shows failed power on attempt. ++ ```json + { + "field_name": "Server Control Actions", + "expected": "Success", + "fetched": "Failed", + "comparison_result": "Fail" + } + ``` ++ ```json + "result_log": [ + "Server power up failed with: server OS is powered off after successful power on attempt", + ] + ``` ++* Health Check Power Supply Failure and Redundancy Considerations + * Dell server health checks warn when one power supply is missing or failed. + * Power supply "field_name" might be displayed as 0/PS0/Power Supply 0 and 1/PS1/Power Supply 1 for the first and second power supplies respectively. + * A failure of one power supply doesn't trigger an HW validation device failure. ++ ```json + { + "field_name": "Power Supply 1", + "expected": "Enabled-OK", + "fetched": "UnavailableOffline-Critical", + "comparison_result": "Warning" + } + ``` ++ ```json + { + "field_name": "System Board PS Redundancy", + "expected": "Enabled-OK", + "fetched": "Enabled-Critical", + "comparison_result": "Warning" + } + ``` ++### Boot info category ++* Boot Device Check Considerations + * The `boot_device_name` check is currently informational. + * Mismatched boot device name shouldn't trigger a device failure. ++ ```json + { + "comparison_result": "Info", + "expected": "NIC.PxeDevice.1-1", + "fetched": "NIC.PxeDevice.1-1", + "field_name": "boot_device_name" + } + ``` ++* PXE Device Check Considerations + * This check validates the PXE device settings. + * Failed `pxe_device_1_name` or `pxe_device_1_state` checks indicate a problem with the PXE configuration. + * Failed settings need to be fixed to enable system boot during deployment. ++ ```json + { + "field_name": "pxe_device_1_name", + "expected": "NIC.Embedded.1-1-1", + "fetched": "NIC.Embedded.1-2-1", + "comparison_result": "Fail" + } + ``` ++ ```json + { + "field_name": "pxe_device_1_state", + "expected": "Enabled", + "fetched": "Disabled", + "comparison_result": "Fail" + } + ``` ++## Adding servers back into the Cluster after a repair ++After Hardware is fixed, run BMM Replace following instructions from the following page [BMM actions](howto-baremetal-functions.md). +++ |
payment-hsm | Getting Started | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/payment-hsm/getting-started.md | tags: azure-resource-manager Previously updated : 01/25/2022 Last updated : 01/25/2024 -## Availability --Azure Payment HSM is currently available in the following regions: --- East US-- West US-- South Central US-- Central US-- North Europe-- West Europe--## Prerequisites --Azure Payment HSM customers must have: --- Access to the Thales Customer Portal (Customer ID)-- Thales smart cards and card reader for payShield Manager--## Cost --The HSM devices will be charged based on the [Azure Payment HSM pricing page](https://azure.microsoft.com/pricing/details/payment-hsm/). All other Azure resources for networking and virtual machines will incur regular Azure costs too. --## payShield customization considerations --If you are using payShield on-premises today with a custom firmware, a porting exercise is required to update the firmware to a version compatible with the Azure deployment. Please contact your Thales account manager to request a quote. --Ensure that the following information is provided: --- Customization hardware platform (e.g., payShield 9000 or payShield 10K)-- Customization firmware number--## Support --For details on Azure Payment HSM prerequisites, support channels, and division of support responsibility between Microsoft, Thales, and the customer, see the [Azure Payment HSM service support guide](support-guide.md). +1. First, engage with your Microsoft account manager and get your business cases approved by Azure Payment HSM Product Manager. See [Getting started with Azure Payment HSM](getting-started.md). Ask your Microsoft account manager and CSA to send a request [via email](mailto:paymentHSMRequest@microsoft.com). +2. The Azure Payment HSM comes with payShield Manager license so you can remotely manage the HSM; you must have Thales smart cards and card readers for payShield Manager before onboarding Azure payment HSM. The minimum requirement is one compatible USB Smartcard reader with at least 5 payShield Manager Smartcards. Contact your Thales sales representative for the purchase or using existing compatible smart cards and readers. For more information, see the [Payment HSM support: Prerequisites](support-guide.md#prerequisites). ++3. Provide your contact information to the Microsoft account team and the Azure Payment HSM Product Manager [via email](mailto:paymentHSMRequest@microsoft.com), so they can set up your Thales support account. + + A Thales Customer ID will be created, so you can submit payShield 10K support issues as well as download documentation, software and firmware from Thales portal. The Thales Customer ID can be used by customer team to create individual account access to Thales support portal. ++ | Email Form | + |--| + |Trading Name:| + |Full Address:<br><br><br> + |Country:| + |Post Code:| + |Contact:| + | Address Type: Civil / Military | + | Telephone No. (with Country Code): | + | Is it state owned/governmental: Y / N + |Located in a Free trade zone: Y / N| + +4. You must next engage with the Microsoft CSAs to plan your deployment, and to understand the networking requirements and constraints/workarounds before onboarding the service. For details, see: + - [Azure Payment HSM deployment scenarios](deployment-scenarios.md) + - [Solution design for Azure Payment HSM](solution-design.md) + - [Azure Payment HSM "fastpathenabled" feature flag and tag](fastpathenabled.md) + - [Azure Payment HSM traffic inspection](inspect-traffic.md) + +5. Contact Microsoft support to get your subscription approved and receive feature registration, to access the Azure payment HSM service. See [Register the Azure Payment HSM resource providers](register-payment-hsm-resource-providers.md?tabs=azure-cli). You will not be charged at this step. +6. Follow the [Tutorials](create-payment-hsm.md) and [How-To Guides](register-payment-hsm-resource-providers.md) to create payment HSMs. Customer billing will start when the HSM resource is created. +7. Upgrade the payShield 10K firmware to their desired version. +8. Review the support process and scope here for Microsoft support and Thales's support: [Azure Payment HSM Service support guide ](support-guide.md). +9. Monitor your payShield 10K using standard SNMP V3 tools. payShield Monitor is an additional product available to provide continuous monitoring of HSMs. Contact Thales Sales rep for licensing information. ## Next steps |
payment-hsm | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/payment-hsm/overview.md | Azure Payment HSM is a "BareMetal" service delivered using [Thales payShield 10K Payment HSMs are provisioned and connected directly to users' virtual network, and HSMs are under users' sole administration control. HSMs can be easily provisioned as a pair of devices and configured for high availability. Users of the service utilize [Thales payShield Manager](https://cpl.thalesgroup.com/encryption/hardware-security-modules/payment-hsms/payshield-manager) for secure remote access to the HSMs as part of their Azure-based subscription. Multiple subscription options are available to satisfy a broad range of performance and multiple application requirements that can be upgraded quickly in line with end-user business growth. Azure payment HSM service offers highest performance level 2500 CPS. -Payment HSM devices are a variation of [Dedicated HSM](../dedicated-hsm/index.yml) devices, with more advanced cryptographic modules and features; for example, a payment HSM never decrypts the PIN value in transit. - The Azure Payment HSM solution uses hardware from [Thales](https://cpl.thalesgroup.com/encryption/hardware-security-modules/payment-hsms/payshield-10k) as a vendor. Customers have [full control and exclusive access](overview.md#customer-managed-hsm-in-azure) to the Payment HSM. > [!IMPORTANT]-> Azure Payment HSM a highly specialized service. We highly recommend that you review the [Azure Payment HSM pricing page](https://azure.microsoft.com/services/payment-hsm/) and [Getting started with Azure Payment HSM](getting-started.md#support). +> Azure Payment HSM a highly specialized service. We highly recommend that you review the [Azure Payment HSM pricing page](https://azure.microsoft.com/pricing/details/payment-hsm/#pricing) and [Getting started with Azure Payment HSM](getting-started.md). ++## Azure payment HSM high-level architecture ++After a Payment HSM is provisioned, the HSM device is connected directly to a customer's virtual network, with full remote HSM management capabilities, through Thales payShield Manager and the payShield Trusted Management Device (TMD). ++Two host network interfaces and one management network interface are created at HSM provision. + ## Why use Azure Payment HSM? |
payment-hsm | Support Guide | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/payment-hsm/support-guide.md | This article outlines the Azure Payment HSM prerequisites, support channels, and ## Prerequisites -Microsoft will work with Thales to ensure that customers meet the prerequisites before starting the onboarding process. +Microsoft works with Thales to ensure that customers meet the prerequisites before starting the onboarding process. - Customers must have access to the [Thales CPL Customer Support Portal](https://supportportal.thalesgroup.com/csm) (Customer ID).-- Customers must have Thales smart cards and card readers for payShield Manager. If a customer need to purchase smart cards or card readers they should contact their Thales representatives, or find their contacts through the [Thales contact page](https://cpl.thalesgroup.com/contact-us).+- Customers must have Thales smart cards and card readers for payShield Manager. If a customer need to purchase smart cards or card readers they should contact their Thales representatives, or find their contacts through the [Thales contact page](https://cpl.thalesgroup.com/contact-us): + - **Item**: 971-000135-001-000 + - **Description**: PS10-RMGT-KIT2 - payShield Manager Starter Kit - for software V1.4A (1.8.3) and above + - **Items Included**: 2 Thales Card Readers, 30 PayShield Manager Smartcards + + Compatible smart cards have a blue band and are labeled "payShield Manager Card". These are the only smart cards compatible with the ciphers used to enable over-network use. - If a customer need to purchase a payShield Trusted Management Device (TMD), they should contact their Thales representatives or find their contacts through the [Thales contact page](https://cpl.thalesgroup.com/contact-us).-- Customers must download and review the "Hosted HSM End User Guide", which is available through the Thales CPL Customer Support Portal. The Hosted HSM End User Guide will provide more details on the changes to payShield to this service.+- Customers must download and review the "Hosted HSM End User Guide", which is available through the Thales CPL Customer Support Portal. The Hosted HSM End User Guide provides more details on the changes to payShield to this service. - Customers must review the "Azure Payment HSM - Get Ready for payShield 10K" guide that they received from Microsoft. (Customers who do not have the guide may request it from [Microsoft Support](#microsoft-support).) - If a customer is new to payShield or the remote management option, they should take the formal training courses available from Thales and its approved partners. - If a customer is using payShield on premises today with custom firmware, they must conduct a porting exercise to update the firmware to a version compatible with the Azure deployment. Contact a Thales account manager to request a quote. ## Firmware and license support -The HSM base firmware installed is Thales payShield10K base software version 1.4a 1.8.3 with the Premium Package license. Versions below 1.4a 1.8.3. are not supported. Customers must ensure that they only upgrade to a firmware version that meets their compliance requirements. +The HSM base firmware installed is Thales payShield10K base software version 1.4a 1.8.3. Versions below 1.4a 1.8.3. are not supported. Customers must ensure that they only upgrade to a firmware version that meets their compliance requirements. ++The licenses included in Azure payment HSM: -The Premium Package license included in Azure payment HSM features: - Premium Key Management-- Magnetic Stripe Issuing +- Magnetic Stripe Issuing - Magnetic Stripe Transaction Processing-- EMV Chip, Contactless & Mobile Issuing -- EMV Transaction Processing -- Premium Data Protection +- EMV Chip, Contactless & Mobile Issuing +- EMV Transaction Processing +- User Authentication +- Data Protection +- Legacy Commands - Remote payShield Manager - Hosted HSM -Customers are responsible for applying payShield security patches and upgrading payShield firmware for their provisioned HSMs, as needed. If customers have questions or require assistance, they should work with Thales support. +Customer set up the performance level (60CPS, 250 CPS, 2500 CPS) and LMK (1 LMK, 2LMK) when HSM is created. ++Customers are responsible for applying payShield security patches and upgrading payShield firmware for their provisioned HSMs as needed. If customers have questions or require assistance, they should work with Thales support. ++Microsoft is responsible for applying payShield security patches to unallocated HSMs. ++## Availability ++Azure Payment HSM is currently available in the following regions: -Microsoft is responsible for applying payShield security patches to unallocated HSMs. +- East US +- West US +- South Central US +- Central US +- North Europe +- West Europe ## Microsoft support -Microsoft will provide support for hardware issues, networking issues, and provisioning issues. Enterprise customers should contact their CSAM to find out details of their support contract . +Microsoft provides support for hardware issues, networking issues, and provisioning issues. Enterprise customers should contact their CSAM to find out details of their support contract. Microsoft support can be contacted by creating a support ticket through the Azure portal: - From the Azure portal homepage, select the "Support + troubleshooting" icon (a question mark in a circle) in the upper-right. - Select the "Help + Support" button.-- Select "Create a support request".+- Select "Create a support request." - On the "New support request" screen, select "Technical" as your issue type, and then "Payment HSM" as the service type. ## Thales support |
postgresql | Concepts Networking Private Link | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/flexible-server/concepts-networking-private-link.md | For a list to PaaS services that support Private Link functionality, review the The same public service instance can be referenced by multiple private endpoints in different VNets/subnets, even if they belong to different users/subscriptions (including within differing Microsoft Entra ID tenants) or if they have overlapping address spaces. +> [!NOTE] +> **Important Prerequisite:** Azure Database for PostgreSQL flexible server support for Private Endpoints in Preview requires enablement of [**Azure Database for PostgreSQL flexible server Private Endpoint capability** preview feature in your subscription](../../azure-resource-manager/management/preview-features.md). +> Only **after preview feature is enabled** you can create servers which are PE capable, i.e. can be networked using Private Link. ++ ## Key Benefits of Azure Private Link **Azure Private Link** provides the following benefits: Cross Feature Availability Matrix for preview of Private Endpoint in Azure Datab | Connection pooling with PGBouncer | Yes | Works as designed | | Private Endpoint DNS | Yes | Works as designed and [documented](../../private-link/private-endpoint-dns.md) | -> [!NOTE] -> Azure Database for PostgreSQL flexible server support for Private Endpoints in Preview requires enablement of [**Azure Database for PostgreSQL flexible server Private Endpoint capability** preview feature in your subscription](../../azure-resource-manager/management/preview-features.md). -> Only **after preview feature is enabled** you can create servers which are PE capable, i.e. can be networked using Private Link. --- ### Connect from an Azure VM in Peered Virtual Network |
postgresql | Concepts Scaling Resources | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/flexible-server/concepts-scaling-resources.md | Title: Scaling resources -description: This article describes the resource scaling in Azure Database for PostgreSQL - Flexible Server. +description: This article describes the resource scaling in Azure Database for PostgreSQL flexible server. -# Scaling resources in Azure Database for PostgreSQL - Flexible Server +# Scaling resources in Azure Database for PostgreSQL flexible server [!INCLUDE [applies-to-postgresql-flexible-server](../includes/applies-to-postgresql-flexible-server.md)] -Azure Database for PostgreSQL flexible server supports both **vertical** and **horizontal** scaling options. +Azure Database for PostgreSQL flexible server supports both vertical and horizontal scaling options. -You can scale **vertically** by adding more resources to the Azure Database for PostgreSQL flexible server instance, such as increasing the instance-assigned number of CPUs and memory. Network throughput of your instance depends on the values you choose for CPU and memory. Once an Azure Database for PostgreSQL flexible server instance is created, you can independently change the CPU (vCores), the amount of storage, and the backup retention period. The number of vCores can be scaled up or down. However, the storage size however can only be increased. In addition, you can scale the backup retention period, up or down, from 7 to 35 days. The resources can be scaled using multiple tools, for instance [Azure portal](./quickstart-create-server-portal.md) or the [Azure CLI](./quickstart-create-server-cli.md). +**Vertical scaling**: You can scale vertically by adding more resources to the Azure Database for PostgreSQL flexible server instance, such as increasing the instance-assigned number of CPUs and memory. Network throughput of your instance depends on the values you choose for CPU and memory. -> [!NOTE] +After an Azure Database for PostgreSQL flexible server instance is created, you can independently change the: ++- CPU (vCores). +- Amount of storage. +- Backup retention period. ++The number of vCores can be scaled up or down, but the storage size can only be increased. You can also scale the backup retention period, up or down, from 7 to 35 days. The resources can be scaled by using multiple tools, for instance, the [Azure portal](./quickstart-create-server-portal.md) or the [Azure CLI](./quickstart-create-server-cli.md). ++> [!NOTE] > After you increase the storage size, you can't go back to a smaller storage size. -You can scale **horizontally** by creating [read replicas](./concepts-read-replicas.md). Read replicas let you scale your read workloads onto separate Azure Database for PostgreSQL flexible server instances, without affecting the performance and availability of the primary instance. +**Horizontal scaling**: You can scale horizontally by creating [read replicas](./concepts-read-replicas.md). Read replicas let you scale your read workloads onto separate Azure Database for PostgreSQL flexible server instances. They don't affect the performance and availability of the primary instance. -When you change the number of vCores or the compute tier, the instance is restarted for the new server type to take effect. During this time the system is switching over to the new server type, no new connections can be established, and all uncommitted transactions are rolled back. The overall time it takes to restart your server depends on the crash recovery process and database activity at the time of the restart. Restart typically takes a minute or less, but it can be higher and can take several minutes, depending on transactional activity at the time the restart was initiated. +When you change the number of vCores or the compute tier, the instance is restarted for the new server type to take effect. During this time, the system switches over to the new server type. No new connections can be established, and all uncommitted transactions are rolled back. -If your application is sensitive to loss of in-flight transactions that may occur during compute scaling, we recommend implementing transaction [retry pattern](../single-server/concepts-connectivity.md#handling-transient-errors). +The overall time it takes to restart your server depends on the crash recovery process and database activity at the time of the restart. Restart typically takes a minute or less, but it can be several minutes. Timing depends on the transactional activity when the restart was initiated. ++If your application is sensitive to loss of in-flight transactions that might occur during compute scaling, we recommend implementing a transaction [retry pattern](../single-server/concepts-connectivity.md#handling-transient-errors). Scaling the storage doesn't require a server restart in most cases. Similarly, backup retention period changes are an online operation. To improve the restart time, we recommend that you perform scale operations during off-peak hours. That approach reduces the time needed to restart the database server. -## Near-zero downtime scaling +## Near-zero downtime scaling ++Near-zero downtime scaling is a feature designed to minimize downtime when you modify storage and compute tiers. If you modify the number of vCores or change the compute tier, the server undergoes a restart to apply the new configuration. During this transition to the new server, no new connections can be established. -Near-zero downtime scaling is a feature designed to minimize downtime when modifying storage and compute tiers. If you modify the number of vCores or change the compute tier, the server undergoes a restart to apply the new configuration. During this transition to the new server, no new connections can be established. Typically, this process with regular scaling could take anywhere between 2 to 10 minutes. However, with the new 'Near-zero downtime' scaling feature this duration is reduced to less than 30 seconds. This significant reduction in downtime during scaling resources greatly improves the overall availability of your database instance. +Typically, this process could take anywhere between 2 to 10 minutes with regular scaling. With the new near-zero downtime scaling feature, this duration is reduced to less than 30 seconds. This reduction in downtime during scaling resources improves the overall availability of your database instance. ### How it works -When updating your Azure Database for PostgreSQL flexible server instance in scaling scenarios, we create a new copy of your server (VM) with the updated configuration, synchronize it with your current one, briefly switch to the new copy with a 30-second interruption, and retire the old server, all at no extra cost to you. This process allows for seamless updates while minimizing downtime and ensuring cost-efficiency. This scaling process is triggered when changes are made to the storage and compute tiers, and the experience remains consistent for both HA and non-HA servers. This feature is enabled in all Azure regions and there's **no customer action required** to use this capability. +When you update your Azure Database for PostgreSQL flexible server instance in scaling scenarios, we create a new copy of your server (VM) with the updated configuration. We synchronize it with your current one, and switch to the new copy with a 30-second interruption. Then we retire the old server. The process occurs all at no extra cost to you. ++This process allows for seamless updates while minimizing downtime and ensuring cost-efficiency. This scaling process is triggered when changes are made to the storage and compute tiers. The experience remains consistent for both high-availablity (HA) and non-HA servers. This feature is enabled in all Azure regions. *No customer action is required* to use this capability. > [!NOTE]-> Near-zero downtime scaling process is the _default_ operation. However, in cases where the following limitations are encountered, the system switches to regular scaling, which involves more downtime compared to the near-zero downtime scaling. +> The near-zero downtime scaling process is the _default_ operation. When the following limitations are encountered, the system switches to regular scaling, which involves more downtime compared to the near-zero downtime scaling. -### Precise Downtime Expectations +### Precise downtime expectations -* **Downtime Duration**: In most cases, the downtime ranges from 10 to 30 seconds. -* **Additional Considerations**: After a scaling event, there's an inherent DNS `Time-To-Live` (TTL) period of approximately 30 seconds. This period isn't directly controlled by the scaling process but is a standard part of DNS behavior. So, from an application perspective, the total downtime experienced during scaling could be in the range of **40 to 60 seconds**. +* **Downtime duration**: In most cases, the downtime ranges from 10 to 30 seconds. +* **Other considerations**: After a scaling event, there's an inherent DNS `Time-To-Live` (TTL) period of approximately 30 seconds. This period isn't directly controlled by the scaling process. It's a standard part of DNS behavior. From an application perspective, the total downtime experienced during scaling could be in the range of 40 to 60 seconds. -#### Considerations and limitations +#### Considerations and limitations -- In order for near-zero downtime scaling to work, you should enable all [inbound/outbound connections between the IPs in the delegated subnet when using VNET integrated networking](../flexible-server/concepts-networking-private.md#virtual-network-concepts). If these aren't enabled near zero downtime scaling process will not work and scaling will occur through the standard scaling workflow.-- Near-zero downtime scaling won't work if there are regional capacity constraints or quota limits on customer subscriptions.-- Near-zero downtime scaling doesn't work for replica server, as it is only supported on the primary server. For replica server it will automatically go through regular scaling process.-- Near-zero downtime scaling won't work if a [virtual network injected server with delegated subnet](../flexible-server/concepts-networking-private.md#virtual-network-concepts) doesn't have sufficient usable IP addresses. If you have a standalone server, one extra IP address is necessary, and for a HA-enabled server, two extra IP addresses are required.-- Replication Slots - Be aware that logical replication slots aren't preserved during near-zero downtime failover event. To maintain logical replication slots and ensure data consistency after a scale operation, it is recommended to use the [pg_failover_slot](https://github.com/EnterpriseDB/pg_failover_slots) extension. For more details, refer [Enabling extension in Flexible Server](../flexible-server/concepts-extensions.md#pg_failover_slots-preview).-- ^ For HA enabled servers, near-zero downtime scaling is currently enabled for a limited set of regions. We will be enabling this to more regions in a phased manner based upon the regional capacity.+- For near-zero downtime scaling to work, enable all [inbound/outbound connections between the IPs in the delegated subnet when you use virtual network integrated networking](../flexible-server/concepts-networking-private.md#virtual-network-concepts). If these connections aren't enabled, the near-zero downtime scaling process doesn't work and scaling occurs through the standard scaling workflow. +- Near-zero downtime scaling doesn't work if there are regional capacity constraints or quota limits on customer subscriptions. +- Near-zero downtime scaling doesn't work for a replica server because it's only supported on the primary server. For a replica server, it automatically goes through a regular scaling process. +- Near-zero downtime scaling doesn't work if a [virtual network-injected server with a delegated subnet](../flexible-server/concepts-networking-private.md#virtual-network-concepts) doesn't have sufficient usable IP addresses. If you have a standalone server, one extra IP address is necessary. For an HA-enabled server, two extra IP addresses are required. +- Logical replication slots aren't preserved during a near-zero downtime failover event. To maintain logical replication slots and ensure data consistency after a scale operation, use the [pg_failover_slot](https://github.com/EnterpriseDB/pg_failover_slots) extension. For more information, see [Enabling extension in a flexible server](../flexible-server/concepts-extensions.md#pg_failover_slots-preview). +- For HA-enabled servers, near-zero downtime scaling is currently enabled for a limited set of regions. More regions will be enabled in a phased manner based on regional capacity. ## Related content |
postgresql | Concepts Server Parameters | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/flexible-server/concepts-server-parameters.md | Title: Server parameters -description: Describes the server parameters in Azure Database for PostgreSQL - Flexible Server. --+ Title: Server parameters - Azure Database for PostgreSQL - Flexible Server +description: Describes the server parameters in Azure Database for PostgreSQL - Flexible Server ++ Previously updated : 1/25/2024 Last updated : 01/30/2024 # Server parameters in Azure Database for PostgreSQL - Flexible Server [!INCLUDE [applies-to-postgresql-flexible-server](../includes/applies-to-postgresql-flexible-server.md)] -Azure Database for PostgreSQL flexible server provides a subset of configurable parameters for each server. For more information on Postgres parameters, see the [PostgreSQL documentation](https://www.postgresql.org/docs/current/config-setting.html). +Azure Database for PostgreSQL provides a subset of configurable parameters for each server. For more information on +Postgres parameters, see the [PostgreSQL documentation](https://www.postgresql.org/docs/current/runtime-config.html). -## An overview of PostgreSQL parameters +## An overview of PostgreSQL parameters -Azure Database for PostgreSQL server is pre-configured with optimal default values for each parameter on creation. Static parameters require a server restart. Further parameters that require superuser access cannot be configured by the user. +Azure Database for PostgreSQL - Flexible Server comes preconfigured with optimal default settings for each parameter. Parameters are categorized into one of the following types: -In order to review which parameters are available to view or to modify, we recommend going into the Azure portal, and to the Server Parameters page. You can also configure parameters on a per-user or per-database basis using `ALTER DATABASE` or `ALTER ROLE` commands. +* **Static parameters**: Parameters of this type require a server restart to implement any changes. +* **Dynamic parameters**: Parameters in this category can be altered without needing to restart the server instance; + however, changes will only apply to new connections established after the modification. +* **Read-only parameters**: Parameters within this grouping aren't user-configurable due to their critical role in + maintaining the reliability, security, or other operational aspects of the service. ->[!NOTE] -> Since Azure Database for PostgreSQL is a managed database service, users are not provided host or OS access to view or modify configuration files such as `postgresql.conf`. The content of the file is automatically updated based on parameter changes in the Server Parameters page. +To determine the category to which a parameter belongs, you can check the Azure portal under the **Server parameters** blade, where they're grouped into respective tabs for easy identification. +### Modification of server parameters -Here's the list of some of the parameters: +Various methods and levels are available to customize your parameters according to your specific needs. +#### Global - server level - | Parameter Name | Description | -|-|--| -| **max_connections** | You can tune max_connections on Azure Database for PostgreSQL flexible server, where it can be set to 5000 connections. See the [limits documentation](concepts-limits.md) for more details. Although it is not the best practice to set this value higher than several hundreds. See [Postgres Wiki](https://wiki.postgresql.org/wiki/Number_Of_Database_Connections) for more details. If you are considering higher values, consider using [connection pooling](concepts-pgbouncer.md) instead. | -| **shared_buffers** | The 'shared_buffers' setting changes depending on the selected SKU (SKU determines the memory available). General Purpose servers have 2 GB shared_buffers for 2 vCores; Memory Optimized servers have 4 GB shared_buffers for 2 vCores. The shared_buffers setting scales linearly (approximately) as vCores increase in a tier. | -| **shared_preload_libraries** | This parameter is available for configuration with a predefined set of supported extensions. We always load the `azure` extension (used for maintenance tasks), and the `pg_stat_statements` extension (you can use the pg_stat_statements.track parameter to control whether the extension is active). | -| **connection_throttling** | You can enable or disable temporary connection throttling per IP for too many invalid password login failures. | - | **work_mem** | This parameter specifies the amount of memory to be used by internal sort operations and hash tables before writing to temporary disk files. Increasing this parameter value can help Azure Database for PostgreSQL flexible server perform larger in-memory scans instead of spilling to disk, which is faster. This configuration is beneficial if your workload contains few queries but with many complex sorting tasks, and you have ample available memory. Be careful however, as one complex query may have number of sort, hash operations running concurrently. Each one of those operations uses as much memory as it value allows before it starts writing to disk based temporary files. Therefore on a relatively busy system total memory usage is many times of individual work_mem parameter. If you do decide to tune this value globally, you can use formula Total RAM * 0.25 / max_connections as initial value. Azure Database for PostgreSQL flexible server supports range of 4096-2097152 kilobytes for this parameter. | -| **effective_cache_size** | The effective_cache_size parameter estimates how much memory is available for disk caching by the operating system and within the database shared_buffers itself. This parameter is just a planner "hint" and does not allocate or reserve any memory. Index scans are most likely to be used against higher values; otherwise, sequential scans are used if the value is low. Recommendations are to set effective_cache_size at 50%-75% of the machineΓÇÖs total RAM. | -| **maintenance_work_mem** | The maintenance_work_mem parameter basically provides the maximum amount of memory to be used by maintenance operations like vacuum, create index, and alter table add foreign key operations. Default value for that parameter is 64 KB. ItΓÇÖs recommended to set this value higher than work_mem. | -| **effective_io_concurrency** | Sets the number of concurrent disk I/O operations that Azure Database for PostgreSQL flexible server expects can be executed simultaneously. Raising this value increases the number of I/O operations that any individual Azure Database for PostgreSQL flexible server session attempts to initiate in parallel. The allowed range is 1 to 1000, or zero to disable issuance of asynchronous I/O requests. Currently, this setting only affects bitmap heap scans. | - |**require_secure_transport** | If your application doesn't support SSL connectivity to the server, you can optionally disable secured transport from your client by turning `OFF` this parameter value. | - |**log_connections** | This parameter may be read-only, as on Azure Database for PostgreSQL flexible server all connections are logged and intercepted to make sure connections are coming in from right sources for security reasons. | -|**log_disconnections** | This parameter may be read-only, as on Azure Database for PostgreSQL flexible server all disconnections are logged. | +For altering settings globally at the instance or server level, navigate to the **Server parameters** blade in the Azure portal, or use other available tools such as Azure CLI, REST API, ARM templates, and third-party tools. ++> [!NOTE] +> Since Azure Database for PostgreSQL is a managed database service, users are not provided host or operating system access to view or modify configuration files such as `postgresql.conf`. The content of the file is automatically updated based on parameter changes made using one of the methods described above. +++#### Granular levels ++You can adjust parameters at more granular levels, thereby overriding globally set values. The scope and duration of +these modifications depend on the level at which they're made: ++* **Database level**: Utilize the `ALTER DATABASE` command for database-specific configurations. +* **Role or user level**: Use the `ALTER USER` command for user-centric settings. +* **Function, procedure level**: When defining a function or procedure, you can specify or alter the configuration parameters that will be set when the function is called. +* **Table level**: As an example, you can modify parameters related to autovacuum at this level. +* **Session level**: For the duration of an individual database session, you can adjust specific parameters. PostgreSQL facilitates this with the following SQL commands: + * The `SET` command lets you make session-specific adjustments. These changes serve as the default settings during the current session. Access to these changes may require specific `SET` privileges, and the limitations about modifiable and read-only parameters described above do apply. The corresponding SQL function is `set_config(setting_name, new_value, is_local)`. + * The `SHOW` command allows you to examine existing parameter settings. Its SQL function equivalent is `current_setting(setting_name text)`. ++Here's the list of some of the parameters. ++## Memory ++### shared_buffers ++| Attribute | Value | +|:|-:| +| Default value | 25% of total RAM | +| Allowed value | 10-75% of total RAM | +| Type | Static | +| Level | Global | +| Azure-Specific Notes | The `shared_buffers` setting scales linearly (approximately) as vCores increase in a tier. | ++#### Description ++The `shared_buffers` configuration parameter determines the amount of system memory allocated to the PostgreSQL database for buffering data. It serves as a centralized memory pool that's accessible to all database processes. When data is needed, the database process first checks the shared buffer. If the required data is present, it's quickly retrieved, thereby bypassing a more time-consuming disk read. By serving as an intermediary between the database processes and the disk, `shared_buffers` effectively reduces the number of required I/O operations. ++### huge_pages ++| Attribute | Value | +|:|-:| +| Default value | TRY | +| Allowed value | TRY, ON, OFF | +| Type | Static | +| Level | Global | +| Azure-Specific Notes | For servers with 4 or more vCores, huge pages are automatically allocated from the underlying operating system. Feature isn't available for servers with fewer than 4 vCores. The number of huge pages is automatically adjusted if any shared memory settings are changed, including alterations to `shared_buffers`. | ++#### Description ++Huge pages are a feature that allows for memory to be managed in larger blocks - typically 2 MB, as opposed to the "classic" 4 KB pages. Utilizing huge pages can offer performance advantages in several ways: they reduce the overhead associated with memory management tasks like fewer Translation Lookaside Buffer (TLB) misses and shorten the time needed for memory management, effectively offloading the CPU. Specifically, in PostgreSQL, huge pages can only be utilized for the shared memory area, a significant part of which is allocated for shared buffers. Another advantage is that huge pages prevent the swapping of the shared memory area out to disk, further stabilizing performance. ++#### Recommendations ++* For servers with significant memory resources, it's advisable to avoid disabling huge pages, as doing so could compromise performance. +* If you start with a smaller server that doesn't support huge pages but anticipate scaling up to a server that does, keeping the `huge_pages` setting at `TRY` is recommended for seamless transition and optimal performance. ++### work_mem ++| Attribute | Value | +|:--|--:| +| Default value | 4MB | +| Allowed value | 4MB-2GB | +| Type | Dynamic | +| Level | Global and granular | ++#### Description ++The `work_mem` parameter in PostgreSQL controls the amount of memory allocated for certain internal operations, such as sorting and hashing, within each database session's private memory area. Unlike shared buffers, which are in the shared memory area, `work_mem` is allocated in a per-session or per-query private memory space. By setting an adequate `work_mem` size, you can significantly improve the efficiency of these operations, reducing the need to write temporary data to disk. ++#### Key points ++* **Private connection memory**: `work_mem` is part of the private memory used by each database session, distinct from the shared memory area used by `shared_buffers`. +* **Query-specific usage**: Not all sessions or queries use `work_mem`. Simple queries like `SELECT 1` are unlikely to require any `work_mem`. However, more complex queries involving operations like sorting or hashing can consume one or multiple chunks of `work_mem`. +* **Parallel operations**: For queries that span multiple parallel backends, each backend could potentially utilize one or multiple chunks of `work_mem`. ++#### Monitoring and adjusting `work_mem` ++It's essential to continuously monitor your system's performance and adjust `work_mem` as necessary, primarily if slow query execution times related to sorting or hashing operations occur. Here are ways you can monitor it using tools available in the Azure portal: ++* **[Query performance insight](concepts-query-performance-insight.md)**: Check the **Top queries by temporary files** tab to identify queries that are generating temporary files, suggesting a potential need to increase the `work_mem`. +* **[Troubleshooting guides](concepts-troubleshooting-guides.md)**: Utilize the **High temporary files** tab in the troubleshooting guides to identify problematic queries. ++##### Granular adjustment +While managing the `work_mem` parameter, it's often more efficient to adopt a granular adjustment approach rather than setting a global value. This approach not only ensures that you allocate memory judiciously based on the specific needs of different processes and users but also minimizes the risk of encountering out-of-memory issues. HereΓÇÖs how you can go about it: ++* **User-Level**: If a specific user is primarily involved in aggregation or reporting tasks, which are memory-intensive, consider customizing the `work_mem` value for that user using the `ALTER ROLE` command to enhance the performance of their operations. ++* **Function/Procedure Level**: In cases where specific functions or procedures are generating substantial temporary files, increasing the `work_mem` at the specific function or procedure level can be beneficial. This can be done using the `ALTER FUNCTION` or `ALTER PROCEDURE` command to specifically allocate more memory to these operations. ++* **Database Level**: Alter `work_mem` at the database level if only specific databases are generating high amounts of temporary files. ++* **Global Level**: If an analysis of your system reveals that most queries are generating small temporary files, while only a few are creating large ones, it may be prudent to globally increase the `work_mem` value. This would facilitate most queries to process in memory, thus avoiding disk-based operations and improving efficiency. However, always be cautious and monitor the memory utilization on your server to ensure it can handle the increased `work_mem`. ++##### Determining the minimum `work_mem` value for sorting operations ++To find the minimum `work_mem` value for a specific query, especially one generating temporary disk files during the sorting process, you would start by considering the temporary file size generated during the query execution. For instance, if a query is generating a 20 MB temporary file: ++1. Connect to your database using psql or your preferred PostgreSQL client. +2. Set an initial `work_mem` value slightly higher than 20 MB to account for additional headers when processing in memory, using a command such as: `SET work_mem TO '25MB'`. +3. Execute `EXPLAIN ANALYZE` on the problematic query on the same session. +4. Review the output for `ΓÇ£Sort Method: quicksort Memory: xkB"`. If it indicates `"external merge Disk: xkB"`, raise the `work_mem` value incrementally and retest until `"quicksort Memory"` appears, signaling that the query is now operating in memory. +5. After determining the value through this method, it can be applied either globally or on more granular levels as described above to suit your operational needs. +++### maintenance_work_mem ++| Attribute | Value | +|:|--:| +| Default value | 211MB | +| Allowed value | 1MB-2GB | +| Type | Dynamic | +| Level | Global and granular | +| Azure-Specific Notes | | ++#### Description +`maintenance_work_mem` is a configuration parameter in PostgreSQL that governs the amount of memory allocated for maintenance operations, such as `VACUUM`, `CREATE INDEX`, and `ALTER TABLE`. Unlike `work_mem`, which affects memory allocation for query operations, `maintenance_work_mem` is reserved for tasks that maintain and optimize the database structure. Adjusting this parameter appropriately can help enhance the efficiency and speed of database maintenance operations. ->[!NOTE] -> As you scale Azure Database for PostgreSQL flexible server SKUs up or down, affecting available memory to the server, you may wish to tune your memory global parameters, such as `work_mem` or `effective_cache_size` accordingly based on information shared in the article. - ## Next steps For information on supported PostgreSQL extensions, see [the extensions document](concepts-extensions.md). |
postgresql | How To Server Logs Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/flexible-server/how-to-server-logs-cli.md | Title: Download server logs for Azure Database for PostgreSQL - Flexible Server with Azure CLI -description: This article describes how to download server logs using Azure CLI. + Title: Download server logs for Azure Database for PostgreSQL flexible server with Azure CLI +description: This article describes how to download server logs by using the Azure CLI. -# List and download Azure Database for PostgreSQL - Flexible Server logs by using the Azure CLI +# List and download Azure Database for PostgreSQL flexible server logs by using the Azure CLI [!INCLUDE [applies-to-postgresql-flexible-server](../includes/applies-to-postgresql-flexible-server.md)] -This article shows you how to list and download Azure Database for PostgreSQL flexible server logs using Azure CLI. +This article shows you how to list and download Azure Database for PostgreSQL flexible server logs by using the Azure CLI. ## Prerequisites -This article requires that you're running the Azure CLI version 2.39.0 or later locally. To see the version installed, run the `az --version` command. If you need to install or upgrade, see [Install Azure CLI](/cli/azure/install-azure-cli). --You need to sign-in to your account using the [az login](/cli/azure/reference-index#az-login) command. Note the **id** property, which refers to **Subscription ID** for your Azure account. +- You must be running the Azure CLI version 2.39.0 or later locally. To see the version installed, run the `az --version` command. If you need to install or upgrade, see [Install Azure CLI](/cli/azure/install-azure-cli). +- Sign in to your account by using the [az login](/cli/azure/reference-index#az-login) command. The `id` property refers to the **Subscription ID** for your Azure account. ```azurecli-interactive az login ``` -Select the specific subscription under your account using [az account set](/cli/azure/account) command. Make a note of the **id** value from the **az login** output to use as the value for **subscription** argument in the command. If you have multiple subscriptions, choose the appropriate subscription in which the resource should be billed. To get all your subscription, use [az account list](/cli/azure/account#az-account-list). +Select the specific subscription under your account by using the [az account set](/cli/azure/account) command. Make a note of the `id` value from the `az login` output to use as the value for the `subscription` argument in the command. If you have multiple subscriptions, choose the appropriate subscription in which the resource should be billed. To get all your subscriptions, use [az account list](/cli/azure/account#az-account-list). ```azurecli az account set --subscription <subscription id> ``` -## List server logs using Azure CLI +## List server logs by using the Azure CLI -Once you're configured the prerequisites and connected to your required subscription. You can list the server logs from your Azure Database for PostgreSQL flexible server instance by using the following command. +After you configure the prerequisites and connect to your required subscription, you can list the server logs from your Azure Database for PostgreSQL flexible server instance by using the following command. -> [!Note] -> You can configure your server logs in the same way as above using the [Server Parameters](./howto-configure-server-parameters-using-portal.md), setting the appropriate values for these parameters: _logfiles.download_enable_ to ON to enable this feature, and _logfiles.retention_days_ to define retention in days. Initially, server logs occupy data disk space for about an hour before moving to backup storage for the set retention period. +> [!NOTE] +> You can configure your server logs in the same way as just shown by using the [server parameters](./howto-configure-server-parameters-using-portal.md). Set the appropriate values for these parameters. Set `logfiles.download_enable` to ON to enable this feature. Set `logfiles.retention_days` to define retention in days. Initially, server logs occupy data disk space for about an hour before moving to backup storage for the set retention period. ```azurecli az postgres flexible-server server-logs list --resource-group <myresourcegroup> --server-name <serverlogdemo> --out <table> ``` -Here are the details for the above command +Here are the details for the preceding command. -|**LastModifiedTime** |**Name** |**ResourceGroup**|**SizeInKb**|**TypePropertiesType**|**Url** | +|LastModifiedTime |Name |ResourceGroup|SizeInKb|TypePropertiesType|URL | |-|||--||| |2024-01-10T13:20:15+00:00|serverlogs/postgresql_2024_01_10_12_00_00.log|myresourcegroup|242 |LOG |`https://00000000000.blob.core.windows.net/serverlogs/postgresql_2024_01_10_12_00_00.log?`| |2024-01-10T14:20:37+00:00|serverlogs/postgresql_2024_01_10_13_00_00.log|myresourcegroup|237 |LOG |`https://00000000000.blob.core.windows.net/serverlogs/postgresql_2024_01_10_13_00_00.log?`| |2024-01-10T15:20:58+00:00|serverlogs/postgresql_2024_01_10_14_00_00.log|myresourcegroup|237 |LOG |`https://00000000000.blob.core.windows.net/serverlogs/postgresql_2024_01_10_14_00_00.log?`| |2024-01-10T16:21:17+00:00|serverlogs/postgresql_2024_01_10_15_00_00.log|myresourcegroup|240 |LOG |`https://00000000000.blob.core.windows.net/serverlogs/postgresql_2024_01_10_15_00_00.log?`| +The output table here lists `LastModifiedTime`, `Name`, `ResourceGroup`, `SizeInKb`, and `Download Url` of the server logs. -The output table here lists `LastModifiedTime`, `Name`, `ResourceGroup`, `SizeInKb` and `Download Url` of the Server Logs. --By default `LastModifiedTime` is set to 72 hours, for listing files older than 72 hours, use flag `--file-last-written <Time:HH>` +By default, `LastModifiedTime` is set to 72 hours. For listing files older than 72 hours, use the flag `--file-last-written <Time:HH>`. ```azurecli az postgres flexible-server server-logs list --resource-group <myresourcegroup> --server-name <serverlogdemo> --out table --file-last-written <144> ``` -## Download server logs using Azure CLI +## Download server logs by using the Azure CLI The following command downloads the preceding server logs to your current directory. az postgres flexible-server server-logs download --resource-group <myresourcegro ``` ## Next steps-- To enable and disable Server logs from portal, you can refer to the [article.](./how-to-server-logs-portal.md)-- Learn more about [Logging](./concepts-logging.md)++- To enable and disable server logs from the portal, see [Enable, list, and download server logs for Azure Database for PostgreSQL flexible server](./how-to-server-logs-portal.md). +- Learn more about [logging](./concepts-logging.md). |
postgresql | Troubleshoot Password Authentication Failed For User | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/flexible-server/troubleshoot-password-authentication-failed-for-user.md | + + Title: Password authentication failed for user - Azure Database for PostgreSQL - Flexible Server +description: Provides resolutions for a connection error - password authentication failed for user `<user-name>`. +++++ Last updated : 01/30/2024+++# Password authentication failed for user `<user-name>` +This article helps you solve a problem that might occur when connecting to Azure Database for PostgreSQL - Flexible Server. +++## Symptoms +When attempting to connect to Azure Database for PostgreSQL - Flexible Server, you may encounter the following error message: ++> psql: error: connection to server at "\<server-name\>.postgres.database.azure.com" (x.x.x.x), port 5432 failed: FATAL: password authentication failed for user "\<user-name\>" ++This error indicates that the password provided for the user `<user-name>` is incorrect. ++Following the initial password authentication error, you might see another error message indicating that the client is trying to reconnect to the server, this time without SSL encryption. The failure here's due to the server's `pg_hba.conf` configuration not permitting unencrypted connections. +++> connection to server at "\<server-name\>.postgres.database.azure.com" (x.x.x.x), port 5432 failed: FATAL: no pg_hba.conf entry for host "y.y.y.y", user "\<user-name\>", database "postgres", no encryption +++When using a `libpq` client that supports SSL, such as tools like `psql`, `pg_dump`, or `pgbench`, it's standard behavior to try connecting once with SSL and once without. The reason for this approach is that the server can have different `pg_hba` rules for SSL and non-SSL connections. +The combined error message you receive in this scenario looks like this: +++> psql: error: connection to server at "\<server-name\>.postgres.database.azure.com" (x.x.x.x), port 5432 failed: FATAL: password authentication failed for user "\<user-name\>" +connection to server at "\<server-name\>.postgres.database.azure.com" (x.x.x.x), port 5432 failed: FATAL: no pg_hba.conf entry for host "y.y.y.y", user "\<user-name\>", database "postgres", no encryption +++To avoid this dual attempt and specify the desired SSL mode, you can use the `sslmode` connection option in your client configuration. For instance, if you're using `libpq` variables in the bash shell, you can set the SSL mode by using the following command: ++```bash +export PGSSLMODE=require +``` +++## Cause +The error encountered when connecting to Azure Database for PostgreSQL - Flexible Server primarily stems from issues related to password authentication: ++* **Incorrect password** +The password authentication failed for user `<user-name>` error occurs when the password for the user is incorrect. This could happen due to a mistyped password, a recent password change that hasn't been updated in the connection settings, or other similar issues. ++* **User or role created without a password** +Another possible cause of this error is creating a user or role in PostgreSQL without specifying a password. Executing commands like `CREATE USER <user-name>` or `CREATE ROLE <role-name>` without an accompanying password statement results in a user or role with no password set. Attempting to connect with such a user or role without setting a password will lead to authentication failure with password authentication failed error. ++* **Potential security breach** +If the authentication failure is unexpected, particularly if there are multiple failed attempts recorded, it could indicate a potential security breach. Unauthorized access attempts might trigger such errors. ++## Resolution +If you're encountering the "password authentication failed for user `<user-name>`" error, follow these steps to resolve the issue. ++* **Try connecting with a different tool** ++ If the error comes from an application, attempt to connect to the database using a different tool, such as `psql` or pgAdmin, with the same username and password. This step helps determine if the issue is specific to the client or a broader authentication problem. Keep in mind any relevant firewall rules that might affect connectivity. For instructions on connecting using different tools, refer to the "Connect" blade in the Azure portal. ++* **Change the password** ++ If you still encounter password authentication issues after trying a different tool, consider changing the password for the user. For the administrator user, you can change the password directly in the Azure portal as described in this [link](how-to-manage-server-portal.md#reset-admin-password). For other users, or the administrator user under certain conditions, you can change the password from the command line. Ensure that you're logged in to the database as a user with the `CREATEROLE` attribute and the `ADMIN` option on their role. The command to change the password is: ++ ```sql + ALTER USER <user-name> PASSWORD '<new-password>'; + ``` ++* **Set password for user or role created without one** ++ If the cause of the error is the creation of a user or role without a password, log in to your PostgreSQL instance and set the password for the role. For roles created without the `LOGIN` privilege, make sure to grant this privilege along with setting the password: ++ ```sql + ALTER ROLE <role-name> LOGIN; + ALTER ROLE <role-name> PASSWORD '<new-password>'; + ``` + +* **Identify the Attacker's IP Address and Secure Your Database** ++ If you suspect a potential security breach is causing unauthorized access to your Azure Database for PostgreSQL - Flexible Server, follow these steps to address the issue: ++ 1. **Enable log capturing** + If log capturing isn't already on, get it set up now. It's key for keeping an eye on database activities and catching any odd access patterns. There are several ways to do this, including Azure Monitor Log Analytics and server logs, which help store and analyze database event logs. + * **Log Analytics**, Check out the setup instructions for Azure Monitor Log Analytics here: [Configure and access logs in Azure Database for PostgreSQL - Flexible Server](how-to-configure-and-access-logs.md). + * **Server logs**, For hands-on log management, head over to the Azure portal's server logs section here: [Enable, list and download server logs for Azure Database for PostgreSQL - Flexible Server](how-to-server-logs-portal.md). ++ 2. **Identify the attacker's IP address** + * Review the logs to find the IP address from which the unauthorized access attempts are being made. If the attacker is using a `libpq`-based tool, you'll see the IP address in the log entry associated with the failed connection attempt: + > connection to server at "\<server-name\>.postgres.database.azure.com" (x.x.x.x), port 5432 failed: FATAL: no pg_hba.conf entry for host "y.y.y.y", user "\<user-name\>", database "postgres", no encryption + + In this example, `y.y.y.y` is the IP address from which the attacker is trying to connect. ++ * **Modify the `log_line_prefix`** + To improve logging and make it easier to troubleshoot, you should modify the `log_line_prefix` parameter in your PostgreSQL configuration to include the remote host's IP address. To log the remote host name or IP address, add the `%h` escape code to your `log_line_prefix`. + + For instance, you can change your `log_line_prefix` to the following format for comprehensive logging: ++ ```bash + log_line_prefix = '%t [%p]: [%l-1] db=%d,user=%u,app=%a,client=%h ' + ``` + + This format includes: + + * `%t` for the timestamp of the event + * `%p` for the process ID + * `[%l-1]` for the session line number + * `%d` for the database name + * `%u` for the user name + * `%a` for the application name + * `%h` for the client IP address + + + By using this log line prefix, you're able to track the time, process ID, user, application, and client IP address associated with each log entry, providing valuable context for each event in the server log. ++ 3. **Block the attacker's IP address** + Dig into the logs to spot any suspicious IP addresses that keep showing up in unauthorized access attempts. Once you find these IPs, immediately block them in your firewall settings. This cuts off their access and prevent any more unauthorized attempts. Additionally, review your firewall rules to ensure they're not too permissive. Overly broad rules can expose your database to potential attacks. Limit access to only known and necessary IP ranges. + +++By following these steps, you should be able to resolve the authentication issues and successfully connect to your Azure Database for PostgreSQL - Flexible Server. +++++++ |
postgresql | Concepts Single To Flexible | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/migrate/concepts-single-to-flexible.md | description: Concepts about migrating your Single server to Azure Database for P Previously updated : 03/31/2023 Last updated : 01/25/2024 - ++ - references_regions -# Migration tool - Azure database for PostgreSQL Single Server to Flexible Server +# Migration tool - Azure Database for PostgreSQL - Single Server to Flexible Server Azure Database for PostgreSQL powered by the PostgreSQL community edition is available in two deployment modes: - Flexible Server The following table lists the different tools available for performing the migra | Tool | Mode | Pros | Cons | | : | : | : | : |-| Single to Flex Migration tool (**Recommended**) | Offline | - Managed migration service.<br />- No complex setup/pre-requisites required<br />- Simple to use portal-based migration experience<br />- Fast offline migration tool<br />- No limitations in terms of size of databases it can handle. | Downtime to applications. | +| Single to Flex Migration tool (**Recommended**) | Offline or Online* | - Managed migration service.<br />- No complex setup/pre-requisites required<br />- Simple to use portal-based migration experience<br />- Fast offline migration tool<br />- No limitations in terms of size of databases it can handle. | Downtime to applications. | | pg_dump and pg_restore | Offline | - Tried and tested tool that is in use for a long time<br />- Suited for databases of size less than 10 GB<br />| - Need prior knowledge of setting up and using this tool<br />- Slow when compared to other tools<br />Significant downtime to your application. |-| Azure DMS | Online | - Minimal downtime to your application<br />- Free of cost | - Complex setup<br />- High chances of migration failures<br />- Can't handle database of sizes > 1 TB<br />- Can't handle write-intensive workload | --The next section of the document gives an overview of the Single to Flex Migration tool, its implementation, limitations, and the experience that makes it the recommended tool to perform migrations from single to flexible server. > [!NOTE] > The Single to Flex Migration tool is available in all Azure regions and currently supports **Offline** migrations. Support for **Online** migrations is currently available in Central US, France Central, Germany West Central, North Central US, South Central US, North Europe, all West US regions, UK South, South Africa North, UAE North, and all regions across Asia and Australia. In other regions, Online migration can be enabled by the user at a subscription-level by registering for the **Online PostgreSQL migrations to Azure PostgreSQL Flexible server** preview feature as shown in the image. ++The next section of the document gives an overview of the Single to Flex Migration tool, its implementation, limitations, and the experience that makes it the recommended tool to perform migrations from single to flexible server. ## Single to Flexible Migration tool - Overview The single to flex migration tool is a hosted solution where we spin up a purpose-built docker container in the target Flexible server VM and drive the incoming migrations. This docker container spins up on-demand when a migration is initiated from a single server and gets decommissioned once the migration is completed. The migration container uses a new binary called [pgcopydb](https://github.com/dimitri/pgcopydb) that provides a fast and efficient way of copying databases from one server to another. Though pgcopydb uses the traditional pg_dump and pg_restore for schema migration, it implements its own data migration mechanism that involves multi-process streaming parts from source to target. Also, pgcopydb bypasses pg_restore way of index building and drives that internally in a way that all indexes are built concurrently. So, the data migration process is quicker with pgcopydb. Following is the process diagram of the new version of the migration tool. ## Pre-migration validations-We noticed many migrations fail due to setup issues on source and target server. Most of the issues can be categorized into the following buckets: -* Issues related to authentication/permissions for the migration user on source and target server. -* [Prerequisites](#migration-prerequisites) not being taken care of, before running the migration. -* Unsupported features/configurations between the source and target. ++We noticed many migrations fail due to setup issues on source and target server. Most of the issues can be categorized into the following buckets: +- Issues related to authentication/permissions for the migration user on source and target server. +- [Prerequisites](#migration-prerequisites) not being taken care of, before running the migration. +- Unsupported features/configurations between the source and target. Pre-migration validation helps you verify if the migration setup is intact to perform a successful migration. Checks are done against a rule set and any potential problems along with the remedial actions are shown to take corrective measures. ### How to use pre-migration validation?+ A new parameter called **Migration option** is introduced while creating a migration. You can pick any of the following options-* **Validate** - Use this option to check your server and database readiness for migration to the target. **This option will not start data migration and will not require any downtime to your servers.** -The result of the Validate option can be - - **Succeeded** - No issues were found and you can plan for the migration - - **Failed** - There were errors found during validation, which can fail the migration. Go through the list of errors along with their suggested workarounds and take corrective measures before planning the migration. - - **Warning** - Warnings are informative messages that you need to keep in mind while planning the migration. +- **Validate** - Use this option to check your server and database readiness for migration to the target. **This option will not start data migration and will not require any downtime to your servers.** +The result of the Validate option can be + - **Succeeded** - No issues were found and you can plan for the migration + - **Failed** - There were errors found during validation, which can fail the migration. Go through the list of errors along with their suggested workarounds and take corrective measures before planning the migration. + - **Warning** - Warnings are informative messages that you need to keep in mind while planning the migration. - Plan your migrations better by performing pre-migration validations in advance to know the potential issues you might encounter while performing migrations. + Plan your migrations better by performing pre-migration validations in advance to know the potential issues you might encounter while performing migrations. -* **Migrate** - Use this option to kickstart the migration without going through validation process. It's recommended to perform validation before triggering a migration to increase the chances for a successful migration. Once validation is done, you can use this option to start the migration process. +- **Migrate** - Use this option to kickstart the migration without going through validation process. It's recommended to perform validation before triggering a migration to increase the chances for a successful migration. Once validation is done, you can use this option to start the migration process. -* **Validate and Migrate** - In this option, validations are performed and then migration gets triggered if all checks are in **succeeded** or **warning** state. Validation failures don't start the migration between source and target servers. +- **Validate and Migrate** - In this option, validations are performed and then migration gets triggered if all checks are in **succeeded** or **warning** state. Validation failures don't start the migration between source and target servers. We recommend customers to use pre-migration validations in the following way: 1) Choose **Validate** option and run pre-migration validation on an advanced date of your planned migration. We recommend customers to use pre-migration validations in the following way: > Pre-migration validations is generally available in all public regions. Support for CLI will be introduced at a later point in time. ## Migration of users/roles, ownerships and privileges+ Along with data migration, the tool automatically provides the following built-in capabilities: - Migration of users/roles present on your source server to the target server. - Migration of ownership of all the database objects on your source server to the target server. - Migration of permissions of database objects on your source server such as GRANTS/REVOKES to the target server. > [!NOTE] -> This functionality is enabled by default for flexible servers in all Azure public regions. It will be enabled for flexible servers in gov clouds and China regions soon. +> This functionality is enabled by default for flexible servers in all Azure public regions. It will be enabled for flexible servers in gov clouds and China regions soon. ## Limitations - You can have only one active migration or validation to your Flexible server.-- The source and target server must be in the same Azure region. Cross region migrations are enabled only for servers in India, China and UAE as Flexible server may not be available in all regions within these geographies.+- The source and target server must be in the same Azure region. Cross region migrations are enabled only for servers in India, China and UAE as Flexible server might not be available in all regions within these geographies. - The tool takes care of the migration of data and schema. It doesn't migrate managed service features such as server parameters, connection security details and firewall rules. - The migration tool shows the number of tables copied from source to target server. You need to manually validate the data in target server post migration.-- The tool migrates only user databases. System databases like azure_sys, azure_maintenance or template databases such as template0, template1 will not be migrated. +- The tool migrates only user databases. System databases like azure_sys, azure_maintenance or template databases such as template0, template1 will not be migrated. > [!NOTE] > The following limitations are applicable only for flexible servers on which the migration of users/roles functionality is enabled. - Azure Active Directory users present on your source server are not migrated to the target server. To mitigate this limitation, manually create all Azure Active Directory users on your target server using this [link](../flexible-server/how-to-manage-azure-ad-users.md) before triggering a migration. If Azure Active Directory users aren't created on target server, migration fails with appropriate error message. - If the target flexible server uses SCRAM-SHA-256 password encryption method, connection to flexible server using the users/roles on single server fails since the passwords are encrypted using md5 algorithm. To mitigate this limitation, choose the option **MD5** for **password_encryption** server parameter on your flexible server.+ ## Experience Get started with the Single to Flex migration tool by using any of the following methods: Get started with the Single to Flex migration tool by using any of the following Here, we go through the phases of an overall database migration journey, with guidance on how to use Single to Flex migration tool in the process. -### Getting started +### Get started #### Application compatibility The following table summarizes the list of networking scenarios supported by the ##### Allowlist required extensions -The migration tool automatically allowlists all extensions used by your single server databases on your flexible server except for the ones whose libraries need to be loaded at the server start. +The migration tool automatically allowlists all extensions used by your single server databases on your flexible server except for the ones whose libraries need to be loaded at the server start. Use the following select command to list all the extensions used on your Single server databases. If yes, then follow the below steps. Go to the server parameters blade and search for **shared_preload_libraries** parameter. PG_CRON and PG_STAT_STATEMENTS extensions are selected by default. Select the list of above extensions used by your single server databases to this parameter and select Save. For the changes to take effect, server restart would be required. Use the **Save and Restart** option and wait for the flexible server to restart. Use the **Save and Restart** option and wait for the flexible server to restart. > If TIMESCALEDB, POSTGIS_TOPOLOGY, POSTGIS_TIGER_GEOCODER, POSTGRES_FDW or PG_PARTMAN extensions are used in your single server, please raise a support request since the migration tool does not handle these extensions. ##### Create Azure Active Directory users on target server+ > [!NOTE] > This pre-requisite is applicable only for flexible servers on which the migration of users/roles functionality is enabled. Execute the following query on your source server to get the list of Azure Active Directory users.+ ```sql SELECT r.rolname- FROM - pg_roles r - JOIN pg_auth_members am ON r.oid = am.member - JOIN pg_roles m ON am.roleid = m.oid - WHERE - m.rolname IN ( - 'azure_ad_admin', - 'azure_ad_user', - 'azure_ad_mfa' - ); -``` + FROM + pg_roles r + JOIN pg_auth_members am ON r.oid = am.member + JOIN pg_roles m ON am.roleid = m.oid + WHERE + m.rolname IN ( + 'azure_ad_admin', + 'azure_ad_user', + 'azure_ad_mfa' + ); +``` Create the Azure Active Directory users on your target flexible server using this [link](../flexible-server/how-to-manage-azure-ad-users.md) before creating a migration. ### Migration Trigger the migration of your production databases using the **Migrate** or **Va - Make changes to your application to point the connection strings to flexible server. - Monitor the database performance closely to see if it requires performance tuning. -## Next steps +## Related content - [Migrate to Flexible Server by using the Azure portal](../migrate/how-to-migrate-single-to-flexible-portal.md) - [Migrate to Flexible Server by using the Azure CLI](../migrate/how-to-migrate-single-to-flexible-cli.md) |
postgresql | How To Migrate Single To Flexible Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/migrate/how-to-migrate-single-to-flexible-portal.md | The migration tool comes with a simple, wizard-based experience on the Azure por :::image type="content" source="./media/concepts-single-to-flexible/flexible-overview.png" alt-text="Screenshot of the flexible Overview page." lightbox="./media/concepts-single-to-flexible/flexible-overview.png"::: -4. Select the **Migrate from Single Server** button to start a migration from Single Server to Flexible Server. If this is the first time you're using the migration tool, an empty grid appears with a prompt to begin your first migration. +4. Select the **Create** button to start a migration from Single Server to Flexible Server. If this is the first time you're using the migration tool, an empty grid appears with a prompt to begin your first migration. :::image type="content" source="./media/concepts-single-to-flexible/flexible-migration-grid.png" alt-text="Screenshot of the Migration tab in flexible." lightbox="./media/concepts-single-to-flexible/flexible-migration-grid.png"::: The first tab is **Setup**. Just in case you missed it, allowlist necessary exte **Migration name** is the unique identifier for each migration to this Flexible Server target. This field accepts only alphanumeric characters and doesn't accept any special characters except a hyphen (-). The name can't start with a hyphen and should be unique for a target server. No two migrations to the same Flexible Server target can have the same name. +**Source server type** indicates the source. In this case, it is Azure Database for PostgreSQL Single server + **Migration Option** gives you the option to perform validations before triggering a migration. You can pick any of the following options - **Validate** - Checks your server and database readiness for migration to the target. - **Migrate** - Skips validations and starts migrations. It's always a good practice to choose **Validate** or **Validate and Migrate** o If **Online** migration is selected, it requires Logical replication to be turned on in the source Single server. If it's not turned on, the migration tool automatically turns on logical replication at the source Single server. Replication can also be set up manually under **Replication** tab in the Single server side pane by setting the Azure replication support level to **Logical**. Either approach restarts the source single server. -Select the **Next** button. +Select the **Next : Connect to Source** button. ### Source tab The **Source** tab prompts you to give details related to the Single Server that is the source of the databases. - After you make the **Subscription** and **Resource Group** selections, the dropdown list for server names shows Single Servers under that resource group across regions. Select the source that you want to migrate databases from. You can migrate databases from a Single Server to a target Flexible Server in the same region. Cross region migrations are enabled only for servers in India, China and UAE. After you choose the Single Server source, the **Location**, **PostgreSQL version**, and **Server admin login name** boxes are populated automatically. The server admin login name is the admin username used to create the Single Server. In the **Password** box, enter the password for that admin user. The migration tool performs the migration of single server databases as the admin user. -After filling out all the fields, select the **Next** button. +After filling out all the fields, click the **Connect to source** link. This validates that the source server details entered are correct and source server is reachable. +++Select the **Next : Select migration target** button to continue. ### Target tab -The **Target** tab displays metadata for the Flexible Server target, like subscription name, resource group, server name, location, and PostgreSQL version. +The **Target** tab displays metadata for the Flexible Server target, such as subscription name, resource group, server name, location, and PostgreSQL version. :::image type="content" source="./media/concepts-single-to-flexible/flexible-migration-target.png" alt-text="Screenshot of target database server details." lightbox="./media/concepts-single-to-flexible/flexible-migration-target.png"::: -For **Server admin login name**, the tab displays the admin username used during the creation of the Flexible Server target. Enter the corresponding password for the admin user. +For **Server admin login name**, the tab displays the admin username used during the creation of the Flexible Server target. Enter the corresponding password for the admin user. After filling out the password, click the **Connect to target** link. This validates that the target server details entered are correct and target server is reachable. -Select the **Next** button. +Click the **Next** button to select the databases to migrate. ### Select Database(s) for Migration tab -Under this tab, there's a list of user databases inside the Single Server. You can select and migrate up to eight databases in a single migration attempt. If there are more than eight user databases, the migration process is repeated between the source and target servers for the next set of databases. +Under this tab, there's a list of user databases inside the Single Server. You can select and migrate up to eight databases in a single migration attempt. If there are more than eight user databases, the migration process is repeated between the source and target servers for the next set of databases. By default, selected databases with the same name on the target are overwritten. :::image type="content" source="./media/concepts-single-to-flexible/flexible-migration-database.png" alt-text="Screenshot of Databases to migrate." lightbox="./media/concepts-single-to-flexible/flexible-migration-database.png"::: >[!NOTE] > The tool migrates only user databases. System databases or template databases such as template0, template1 will not be migrated. -### Review +Click the **Next** button to review the details. ++### Summary -The **Review** tab summarizes all the details for creating the validation or migration. Review the details and click on the start button. +The **Summary** tab summarizes all the details for creating the validation or migration. Review the details and click on the start button. :::image type="content" source="./media/concepts-single-to-flexible/flexible-migration-review.png" alt-text="Screenshot of details to review for the migration." lightbox="./media/concepts-single-to-flexible/flexible-migration-review.png"::: After you click the start button, a notification appears in a few seconds to say :::image type="content" source="./media/concepts-single-to-flexible/flexible-migration-monitor.png" alt-text="Screenshot of recently created migration details." lightbox="./media/concepts-single-to-flexible/flexible-migration-monitor.png"::: -The grid that displays the migrations has these columns: **Name**, **Status**, **Source DB server**, **Resource group**, **Region**, **Databases**, and **Start time**. The entries are displayed in the descending order of the start time with the most recent entry on the top. +The grid that displays the migrations has these columns: **Name**, **Status**, **Migration type**, **Migration mode**, **Source server**, **Source server type**, **Databases**, **Start time** and **Duration**. The entries are displayed in the descending order of the start time with the most recent entry on the top. You can use the refresh button to refresh the status of the validation or migration. You can also select the migration name in the grid to see the associated details. The validation moves to the **Succeeded** state if all validations are either in :::image type="content" source="./media/concepts-single-to-flexible/validation-successful.png" alt-text="Screenshot of the validation grid." lightbox="./media/concepts-single-to-flexible/validation-successful.png"::: -The validation grid has the following columns -- **Finding** - Represents the validation rules that are used to check readiness for migration.-- **Finding Status** - Represents the result for each rule and can have any of the three values+The validation grid has the +- **Validation details for instance** and **Validation details for databases** sections which represent the validation rules that are used to check readiness for migration. +- **Validation Status** - Represents the result for each rule and can have any of the three values - **Succeeded** - If no errors were found. - **Failed** - If there are validation errors. - **Warning** - If there are validation warnings.-- **Impacted Object** - Represents the object name for which the errors or warnings are raised. -- **Object Type** - This can have the value **Database** for database level validations and **Instance** for server level validations.+- **Duration** - Time taken for the Validation operation. +- **Start and End time** - Start and end time of the validation operation in UTC. -The validation moves to **Validation Failed** state if there are any errors in the validation. Click on the **Finding** in the grid whose status is **Failed** and a fan-out pane gives the details and the corrective action you should take to avoid this error. +The **Validation status** moves to **Failed** state if there are any errors in the validation. Click on the **Validation name** or **Database name** validation that has failed and a fan-out pane gives the details and the corrective action you should take to avoid this error. :::image type="content" source="./media/concepts-single-to-flexible/validation-failed.png" alt-text="Screenshot of the validation grid with failed status." lightbox="./media/concepts-single-to-flexible/validation-failed.png"::: In this option, validations are performed first before migration starts. After t - If validation has errors, the migration moves into a **Failed** state. - If validation completes without any error, the migration starts and the workflow will move into the sub state of **Migrating Data**. -You can see the results of validation under the **Validation** tab and monitor the migration under the **Migration** tab. +You can see the results of **Validate and Migrate** once the operation is complete. :::image type="content" source="./media/concepts-single-to-flexible/validate-and-migrate-1.png" alt-text="Screenshot showing validations tab in details page." lightbox="./media/concepts-single-to-flexible/validate-and-migrate-1.png"::: - ### Online migration > [!NOTE] -> Support for **Online** migrations is currently available in UK South, South Africa North, UAE North, and all regions across Asia and Australia. +> Support for **Online** migrations is currently available in Central US, France Central, Germany West Central, North Central US, South Central US, North Europe, all West US regions, UK South, South Africa North, UAE North, and all regions across Asia and Australia. In other regions, Online migration can be enabled by the user at a subscription-level by registering for the **Online PostgreSQL migrations to Azure PostgreSQL Flexible server** preview feature as shown in the image. + In case of both **Migrate** as well as **Validate and Migrate**, completion of the Online migration requires another step - a Cutover action is required from the user. After the copy/clone of the base data is complete, the migration moves to `WaitingForUserAction` state and `WaitingForCutoverTrigger` substate. In this state, user can trigger cutover from the portal by selecting the migration. |
postgresql | Best Practices Migration Service Postgresql | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/migrate/migration-service/best-practices-migration-service-postgresql.md | + + Title: Best practices to migrate into Flexible Server +description: Best practices for a seamless migration into Azure database for PostgreSQL. +++ Last updated : 01/30/2024++++++# Best practices for seamless migration into Azure Database for PostgreSQL Preview +++This article explains common pitfalls encountered and best practices to ensure a smooth and successful migration to Azure Database for PostgreSQL. ++## Premigration validation ++As a first step in the migration, run the premigration validation before you perform a migration. You can use the **Validate** and **Validate and Migrate** options on the migration setup page. Premigration validation conducts thorough checks against a predefined rule set. The goal is to identify potential problems and provide actionable insights for remedial actions. Keep running premigration validation until it results in a **Succeeded** state. Select [premigration validations](concepts-premigration-migration-service.md) to know more. ++## Target Flexible server configuration ++During the initial base copy of data, multiple insert statements are executed on the target, which generates WALs (Write Ahead Logs). Until these WALs are archived, the logs consume storage at the target and the storage required by the database. ++To calculate the number, sign in to the source instance and execute this command for all the Database(s) to be migrated: ++`SELECT pg_size_pretty( pg_database_size('dbname') );` ++It's advisable to allocate sufficient storage on the Flexible server, equivalent to 1.25 times or 25% more storage than what is being used per the output to the command above. [Storage Autogrow](../../flexible-server/how-to-auto-grow-storage-portal.md) can also be used. ++> [!IMPORTANT] +> Storage size can't be reduced in manual configuration or Storage Autogrow. Each step in the Storage configuration spectrum doubles in size, so estimating the required storage beforehand is prudent. ++The quickstart to [Create an Azure Database for PostgreSQL flexible server using the portal](../../flexible-server/quickstart-create-server-portal.md) is an excellent place to begin. [Compute and storage options in Azure Database for PostgreSQL - Flexible Server](../../flexible-server/concepts-compute-storage.md) also gives detailed information about each server configuration. ++## Migration timeline ++Each migration has a maximum lifetime of seven days (168 hours) once it starts and will time out after seven days. You can complete your migration and application cutover once the data validation and all checks are complete to avoid the migration from timing out. In Online migrations, after the initial base copy is complete, the cutover window lasts three days (72 hours) before timing out. In Offline migrations, the applications should stop writing to the Database to prevent data loss. Similarly, for Online migration, keep traffic low throughout the migration. ++Most nonprod servers (dev, UAT, test, staging) are migrated using offline migrations. Since these servers have less data than the production servers, the migration completes fast. For production server migration, you need to know the time it would take to complete the migration to plan for it in advance. ++The time taken for a migration to complete depends on several factors. It includes the number of databases, size, number of tables inside each database, number of indexes, and data distribution across tables. It also depends on the SKU of the target server and the IOPS available on the source instance and target server. Given the many factors that can affect the migration time, it's hard to estimate the total time for the migration to complete. The best approach would be to perform a test migration with your workload. ++The following phases are considered for calculating the total downtime to perform production server migration. ++- **Migration of PITR** - The best way to get a good estimate on the time taken to migrate your production database server would be to take a point-in time restore of your production server and run the offline migration on this newly restored server. ++- **Migration of Buffer** - After completing the above step, you can plan for actual production migration during a time period when the application traffic is low. This migration can be planned on the same day or probably a week away. By this time, the size of the source server might have increased. Update your estimated migration time for your production server based on the amount of this increase. If the increase is significant, you can consider doing another test using the PITR server. But for most servers the size increase shouldn't be significant enough. ++- **Data Validation** ++Once the migration is completed for the production server, you need to verify if the data in the flexible server is an exact copy of the source instance. Customers can use open-source/third-party tools or can do the validation manually. Prepare the validation steps you would like to do before the actual migration. Validation can include: + +- Row count match for all the tables involved in the migration. ++- Matching counts for all the database objects (tables, sequences, extensions, procedures, indexes) ++- Comparing max or min IDs of key application-related columns ++ > [!NOTE] + > The size of databases needs to be the right metric for validation. The source instance might have bloats/dead tuples, which can bump up the size of the source instance. It's completely normal to have size differences between source instances and target servers. If there's an issue in the first three steps of validation, it indicates a problem with the migration. ++- **Migration of server settings** - Any custom server parameters, firewall rules (if applicable), tags, and alerts must be manually copied from the source instance to the target. ++- **Changing connection strings** - The application should change its connection strings to a flexible server after successful validation. This activity is coordinated with the application team to change all the references of connection strings pointing to the source instance. In the flexible server, the user parameter can be used in the **user=username** format in the connection string. ++For example: psql -h **myflexserver**.postgres.database.azure.com -u user1 -d db1 ++While a migration often runs without a hitch, it's good practice to plan for contingencies if more time is required for debugging or if a migration needs to be restarted. ++## Migration speed benchmarking ++The following table shows the time it takes to perform migrations for databases of various sizes using the migration service. The migration was performed using a flexible server with the SKU – **Standard_D4ds_v4(4 cores, 16GB Memory, 128 GB disk, and 500 iops)** ++| Database size | Approximate time taken (HH:MM) | +| : | : | +| 1 GB | 00:01 | +| 5 GB | 00:03 | +| 10 GB | 00:08 | +| 50 GB | 00:35 | +| 100 GB | 01:00 | +| 500 GB | 04:00 | +| 1,000 GB | 07:00 | ++> [!NOTE] +> The above numbers give you an approximation of the time taken to complete the migration. We strongly recommend running a test migration with your workload to get a precise value for migrating your server. ++> [!IMPORTANT] +> Pick a higher SKU for your flexible server to perform faster migrations. Azure Database for PostgreSQL Flexible server supports near zero downtime Compute & IOPS scaling so the SKU can be updated with minimal downtime. You can always change the SKU to match the application needs post-migration. ++### Improve migration speed - Parallel migration of tables ++A powerful SKU is recommended for the target, as the PostgreSQL migration service runs out of a container on the Flexible server. A powerful SKU enables more tables to be migrated in parallel. You can scale the SKU back to your preferred configuration after the migration. This section contains steps to improve the migration speed in case the data distribution among the tables needs to be more balanced and/or a more powerful SKU doesn't significantly impact the migration speed. ++If the data distribution on the source is highly skewed, with most of the data present in one table, the allocated compute for migration needs to be fully utilized, and it creates a bottleneck. So, we split large tables into smaller chunks, which are then migrated in parallel. This feature applies to tables with more than 10000000 (10 m) tuples. Splitting the table into smaller chunks is possible if one of the following conditions is satisfied. ++1. The table must have a column with a simple (not composite) primary key or unique index of type int or significant int. ++ > [!NOTE] + > In the case of approaches #2 or #3, the user must carefully evaluate the implications of adding a unique index column to the source schema. Only after confirmation that adding a unique index column will not affect the application should the user go ahead with the changes. ++1. If the table doesn't have a simple primary key or unique index of type int or significant int but has a column that meets the data type criteria, the column can be converted into a unique index using the command below. This command doesn't require a lock on the table. ++ ```sql + create unique index concurrently partkey_idx on <table name> (column name); + ``` ++1. If the table doesn't have a simple int/big int primary key or unique index or any column that meets the data type criteria, you can add such a column using [ALTER](https://www.postgresql.org/docs/current/sql-altertable.html) and drop it post-migration. Running the ALTER command requires a lock on the table. ++ ```sql + alter table <table name> add column <column name> big serial unique; + ``` ++If any of the above conditions are satisfied, the table is migrated in multiple partitions in parallel, which should provide a marked increase in the migration speed. ++#### How it works ++- The migration service looks up the maximum and minimum integer value of the table's Primary key/Unique index that must be split up and migrated in parallel. +- If the difference between the minimum and maximum value is more than 10000000 (10 m), then the table is split into multiple parts, and each part is migrated in parallel. ++In summary, the PostgreSQL migration service migrates a table in parallel threads and reduces the migration time if: ++- The table has a column with a simple primary key or unique index of type int or significant int. +- The table has at least 10000000 (10 m) rows so that the difference between the minimum and maximum value of the primary key is more than 10000000 (10 m). +- The SKU used has idle cores, which can be used for migrating the table in parallel. ++## Vacuum bloat in the PostgreSQL database ++Over time, as data is added, updated, and deleted, PostgreSQL might accumulate dead rows and wasted storage space. This bloat can lead to increased storage requirements and decreased query performance. Vacuuming is a crucial maintenance task that helps reclaim this wasted space and ensures the database operates efficiently. Vacuuming addresses issues such as dead rows and table bloat, ensuring efficient use of storage. More importantly, it helps ensure a quicker migration as the migration time taken is a function of the Database size. ++PostgreSQL provides the VACUUM command to reclaim storage occupied by dead rows. The `ANALYZE` option also gathers statistics, further optimizing query planning. For tables with heavy write activity, the `VACUUM` process can be more aggressive using `VACUUM FULL`, but it requires more time to execute. ++- Standard Vacuum ++```sql +VACUUM your_table; +``` ++- Vacuum with Analyze ++```sql +VACUUM ANALYZE your_table; +``` ++- Aggressive Vacuum for Heavy Write Tables ++```sql +VACUUM FULL your_table; +``` ++In this example, replace your_table with the actual table name. The `VACUUM` command without **FULL** reclaims space efficiently, while `VACUUM ANALYZE` optimizes query planning. The `VACUUM FULL` option should be used judiciously due to its heavier performance impact. ++Some Databases store large objects, such as images or documents, that can contribute to database bloat over time. The `VACUUMLO` command is designed for large objects in PostgreSQL. ++- Vacuum Large Objects ++```sql +VACUUMLO; +``` ++Regularly incorporating these vacuuming strategies ensures a well-maintained PostgreSQL database. ++## Special consideration ++There are special conditions that typically refer to unique circumstances, configurations, or prerequisites that learners need to be aware of before proceeding with a tutorial or module. These conditions could include specific software versions, hardware requirements, or additional tools that are necessary for successful completion of the learning content. ++### Database with postgres_fdw extension ++The [postgres_fdw module](https://www.postgresql.org/docs/current/postgres-fdw.html) provides the foreign-data wrapper postgres_fdw, which can be used to access data stored in external PostgreSQL servers. If your database uses this extension, the following steps must be performed to ensure a successful migration. ++1. Temporarily remove (unlink) Foreign data wrapper on the source instance. +1. Perform data migration of rest using the Migration service. +1. Restore the Foreign data wrapper roles, user, and Links to the target after migration. ++### Database with postGIS extension ++The Postgis extension has breaking changes/compact issues between different versions. If you migrate to a flexible server, the application should be checked against the newer postGIS version to ensure that the application isn't impacted or that the necessary changes must be made. The [postGIS news](https://postgis.net/news/) and [release notes](https://postgis.net/docs/release_notes.html#idm45191) are a good starting point to understand the breaking changes across versions. ++### Database connection cleanup ++Sometimes, you might encounter this error when starting a migration: ++`CL003:Target database cleanup failed in the pre-migration step. Reason: Unable to kill active connections on the target database created by other users. Please add the pg_signal_backend role to the migration user using the command 'GRANT pg_signal_backend to <migrationuser>' and try a new migration.` ++In this case, you can grant the `migration user` permission to close all active connections to the database or close the connections manually before retrying the migration. ++## Related content ++- [Migration service](concepts-migration-service-postgresql.md) +- [Known issues and limitations](concepts-known-issues-migration-service.md) |
postgresql | Concepts Known Issues Migration Service | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/migrate/migration-service/concepts-known-issues-migration-service.md | + + Title: "Migration service - known issues and limitations" +description: Providing the limitations of the migration service in Azure Database for PostgreSQL +++ Last updated : 01/30/2024+++++# Known issues and limitations - migration service in Azure Database for PostgreSQL Preview +++This article describes the known issues and limitations associated with the migrations service in Azure Database for PostgreSQL. ++## Common limitations ++Here are common limitations that apply to migration scenarios: ++- You can have only one active migration or validation to your Flexible server. ++- The migration service doesn't migrate users and roles. ++- The migration service shows the number of tables copied from source to target. You must manually check the data and PostgreSQL objects on the target server post-migration. ++- The migration service only migrates user databases, not system databases such as template_0 and template_1. ++- The migration service doesn't support moving POSTGIS, TIMESCALEDB, POSTGIS_TOPOLOGY, POSTGIS_TIGER_GEOCODER, PG_PARTMAN extensions from source to target. ++- You can't move extensions not supported by the Azure Database for PostgreSQL ΓÇô Flexible server. The supported extensions are in [Extensions - Azure Database for PostgreSQL](/azure/postgresql/flexible-server/concepts-extensions). ++- User-defined collations can't be migrated into Azure Database for PostgreSQL ΓÇô flexible server. ++- You can't migrate to an older version. For instance, you can't migrate from PostgreSQL 15 to Azure Database for PostgreSQL version 14. ++- The migration service only works with preferred or required SSLMODE values. ++- The migration service doesn't support superuser privileges and objects. ++- The following PostgreSQL objects can't be migrated into the PostgreSQL flexible server target: + - Create casts + - Creation of FTS parsers and FTS templates + - Users with superuser roles + - Create TYPE ++- The migration service doesn't support migration at the object level, that is, at the table level or schema level. ++- The migration service is unable to perform migration when the source database is Azure Database for PostgreSQL single server with no public access or is an on-premises/AWS using a private IP, and the target Azure Database for PostgreSQL Flexible Server is accessible only through a private endpoint. ++- Migration to burstable SKUs is not supported; databases must first be migrated to a non-burstable SKU and then scaled down if needed. ++## Related content ++- [Migration service](concepts-migration-service-postgresql.md) +- [Network setup](how-to-network-setup-migration-service.md) +- [Premigration validations](concepts-premigration-migration-service.md) |
postgresql | Concepts Migration Service Postgresql | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/migrate/migration-service/concepts-migration-service-postgresql.md | + + Title: Migration service in Azure Database for PostgreSQL +description: Concepts about migrating into Azure database for PostgreSQL - Flexible Server. +++ Last updated : 01/30/2024++++++# Migration service in Azure Database for PostgreSQL Preview +++The migration service in Azure Database for PostgreSQL simplifies the process of moving your PostgreSQL databases to Azure, offering migration options from an Azure Database for PostgreSQL single server, AWS RDS for PostgreSQL, on-premises servers, and Azure virtual machines (VMs). The migration service is designed to help you move to Azure Database for PostgreSQL - Flexible Server with ease and confidence. ++Some advantages for using the migration service include: ++- Managed migration service. +- Support for schema and data migrations. +- No complex setup. +- Simple to use portal/cli based migration experience. +- No limitations in terms of size of databases it can handle. ++For information about migration from single server to flexible server, visit [Migration tool](../concepts-single-to-flexible.md). +++## Why choose flexible server? ++Azure Database for PostgreSQL powered by the PostgreSQL community edition is available in this deployment mode: flexible server is the next-generation managed PostgreSQL service in Azure that provides maximum flexibility over your database and built-in cost-optimizations and offers several advantages over peer products. ++- **[Superior performance](../../flexible-server/overview.md)** - Flexible server runs on Linux VM that is best suited to run PostgreSQL engine. ++- **[Cost Savings](../../flexible-server/how-to-deploy-on-azure-free-account.md)** ΓÇô Flexible server allows you to stop and start an on-demand server to lower your TCO. Your compute tier billing is stopped immediately, which allows you to have significant cost savings during development and testing and for time-bound predictable production workloads. ++- **[Support for new PG versions](../../flexible-server/concepts-supported-versions.md)** - Flexible server supports all major PostgreSQL versions beginning with version 11. ++- **Minimized Latency** ΓÇô You can collocate your flexible server in the same availability zone as the application server, resulting in a minimal latency. ++- **[Connection Pooling](../../flexible-server/concepts-pgbouncer.md)** - Flexible server has a built-in connection pooling mechanism using **pgBouncer** to support thousands of active connections with low overhead. ++- **[Server Parameters](../../flexible-server/concepts-server-parameters.md)** - Flexible server offers a rich set of server parameters for configuration and tuning. ++- **[Custom Maintenance Window](../../flexible-server/concepts-maintenance.md)** - You can schedule the maintenance window of the flexible server for a specific day and time of the week. ++- **[High Availability](../../flexible-server/concepts-high-availability.md)** - Flexible server supports HA within the same availability zone and across availability zones by configuring a warm standby server in sync with the primary. ++- **[Security](../../flexible-server/concepts-security.md)** - Flexible server offers multiple layers of information protection and encryption to protect your data. ++## How to migrate to Azure Database for PostgreSQL flexible server? ++The options you can consider migrating from the source PostgreSQL instance to the Flexible server are: ++**Offline migration** ΓÇô In an offline migration, all applications connecting to your source instance are stopped, and the database(s) are copied to a flexible server. ++**Online migration** - In an online migration, applications connecting to your source instance aren't stopped while database(s) are copied to a flexible server. The initial copy of the databases is followed by replication to keep the flexible server in sync with the source instance. A cutover is performed when the flexible server completely syncs with the source instance, resulting in minimal downtime. ++The following table gives an overview of offline and online options. ++| Option | PROs | CONs | Recommended For +||||| +| Offline | - Simple, easy, and less complex to execute.<br />- Very fewer chances of failure.<br />- No restrictions regarding database objects it can handle | Downtime to applications. | - Best for scenarios where simplicity and a high success rate are essential.<br>- Ideal for scenarios where the database can be taken offline without significant impact on business operations.<br>- Suitable for databases when the migration process can be completed within a planned maintenance window. | +| Online | - Very minimal downtime to application. <br /> - Ideal for large databases and customers having limited downtime requirements. | - Replication used in online migration has multiple [restrictions](https://www.postgresql.org/docs/current/logical-replication-restrictions.html) (for example, Primary Keys needed in all tables). <br /> - Tough and more complex to execute than offline migration. <br /> - Greater chances of failure due to the complexity of migration. <br /> - There's an impact on the source instance's storage and computing if the migration runs for a long time. The impact needs to be monitored closely during migration. | - Best suited for businesses where continuity is critical and downtime must be kept to an absolute minimum.<br>- Recommended for databases when the migration process needs to occur without interrupting ongoing operations. | ++The following table lists the various sources supported by the migration service. ++| PostgreSQL Source Type | Offline Migration | Online Migration | +||-|| +| [Azure Database for PostgreSQL ΓÇô Single server](../how-to-migrate-single-to-flexible-portal.md) | Supported | Supported | +| [AWS RDS for PostgreSQL](tutorial-migration-service-offline-aws.md) | Supported | Planned for future release | +| [On-premises](tutorial-migration-service-offline-iaas.md) | Supported | Planned for future release | +| [Azure VM](tutorial-migration-service-offline-iaas.md) | Supported | Planned for future release | ++++## Advantages of the migration service in Azure Database for PostgreSQL Over Azure DMS (Classic) ++Below are the key benefits of using this service for your PostgreSQL migrations: +- **Fully Managed Service**: The migration Service in Azure Database for PostgreSQL is a fully managed service, meaning that we handle the complexities of the migration process. +- **Comprehensive Migration**: Supports both schema and data migrations, ensuring a complete and accurate transfer of your entire database environment to Azure +- **Ease of Setup**: Designed to be user-friendly, eliminating complex setup procedures that can often be a barrier to starting a migration project. +- **No Data Size Constraints**: With the ability to handle databases of any size, the service surpasses the 1TB data migration limit of Azure DMS(Classic), making it suitable for all types of database migrations. +- **Addressing DMS(Classic) Limitations**: The migration service resolves many of the issues and limitations encountered with Azure DMS (Classic), leading to a more reliable migration process. +- **Interface Options**: Users can choose between a portal-based interface for an intuitive experience or a command-line interface (CLI) for automation and scripting, accommodating various user preferences. +++## Get started ++Get started with the Single to Flexible migration tool by using any of the following methods: ++- [Offline migration from on-premises or IaaS](tutorial-migration-service-offline-iaas.md) +- [Offline migration from AWS RDS for PostgreSQL](tutorial-migration-service-offline-aws.md) ++## Additional information ++The migration service is a hosted solution where we use binary called [pgcopydb](https://github.com/dimitri/pgcopydb) that provides a fast and efficient way of copying databases from the source PostgreSQL instance to the target. ++## Related content ++- [Premigration validations](concepts-premigration-migration-service.md) +- [Migrate from on-premises and Azure VMs](tutorial-migration-service-offline-iaas.md) +- [Migrate from AWS RDS for PostgreSQL](tutorial-migration-service-offline-aws.md) +- [Network setup](how-to-network-setup-migration-service.md) +- [Known issues and limitations](concepts-known-issues-migration-service.md) |
postgresql | Concepts Premigration Migration Service | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/migrate/migration-service/concepts-premigration-migration-service.md | + + Title: "Migration service - premigration validations" +description: premigration validations to identify issues before running migrations +++ Last updated : 01/30/2024+++++# Premigration validations for the migrations service in Azure Database for PostgreSQL Preview +++Premigration validation is a set of rules that involves assessing and verifying the readiness of a source database system for migration to Azure Database for PostgreSQL. This process identifies and addresses potential issues affecting the database's migration or post-migration operation. ++## How do you use the premigration validation feature? ++To use premigration validation when migrating to Azure Database for PostgreSQL - flexible server, you can select the appropriate migration option either through the Azure portal during the setup or by specifying the `--migration-option` parameter in the Azure CLI when creating a migration. Here's how to do it in both methods: ++### Use the Azure portal ++- Navigate to the migration tab within the Azure Database for PostgreSQL. ++- Select the **Create** button ++- In the Setup page, choose the migration option that includes validation. This could be labeled as **validate**, **validate and migrate** ++ :::image type="content" source="media\concepts-premigration-migration-service\premigration-option.png" alt-text="Screenshot of premigration option to start migration." lightbox="media\concepts-premigration-migration-service\premigration-option.png"::: ++### Use Azure CLI ++- Open your command-line interface. ++- Ensure you have the Azure CLI installed and you're logged into your Azure account using az sign-in. ++- The version should be at least 2.56.0 or above to use the migration option. ++Construct your migration task creation command with the Azure CLI. ++```bash +az postgres flexible-server migration create --subscription <subscription ID> --resource-group <Resource group Name> --name <Flexible server Name> --migration-name <Unique migration ID> --migration-option ValidateAndMigrate --properties "Path of the JSON File" --migration-mode offline +``` ++Include the `--migration-option` parameter followed by the option validate to perform only the premigration **Validate**, **Migrate**, or **ValidateAndMigrate** to perform validation and then proceed with the migration if the validation is successful. ++## Pre-migration validation options ++You can pick any of the following options. ++- **Validate** - Use this option to check your server and database readiness for migration to the target. **This option will not start data migration and will not require any server downtime.** + - Plan your migrations better by performing premigration validations in advance to know the potential issues you might encounter while performing migrations. ++- **Migrate** - Use this option to kickstart the migration without going through a validation process. Perform validation before triggering a migration to increase the chances of success. Once validation is done, you can use this option to start the migration process. ++- **ValidateandMigrate** - This option performs validations, and migration gets triggered if all checks are in the **succeeded** or **warning** state. Validation failures don't start the migration between source and target servers. ++We recommend that customers use premigration validations to identify issues before running migrations. This helps you to plan your migrations better and avoid any surprises during the migration process. ++1. Choose the **Validate** option and run premigration validation on an advanced date of your planned migration. ++1. Analyze the output and take any remedial actions for any errors. ++1. Rerun Step 1 until the validation is successful. ++1. Start the migration using the **Validate and Migrate** option on the planned date and time. ++## Validation states ++The result post running the validated option can be: ++- **Succeeded** - No issues were found, and you can plan for the migration +- **Failed** - There were errors found during validation, which can cause the migration to fail. Review the list of errors and their suggested workarounds and take corrective measures before planning the migration. +- **Warning** - Warnings are informative messages you must remember while planning the migration. +++## Related content ++- [Migration service](concepts-migration-service-postgresql.md) +- [Known issues and limitations](concepts-known-issues-migration-service.md) +- [Network setup](how-to-network-setup-migration-service.md) |
postgresql | How To Network Setup Migration Service | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/migrate/migration-service/how-to-network-setup-migration-service.md | + + Title: "Migration service - networking scenarios" ++description: Network scenarios for connecting source and target +++ Last updated : 01/30/2024+++++# Network guide for migration service in Azure Database for PostgreSQL Preview +++This document outlines various scenarios for connecting a source database to an Azure Database for PostgreSQL using the migration service. Each scenario presents different networking requirements and configurations to establish a successful connection for migration. Specific details vary based on the actual network setup and requirements of the source and target environments. ++## Scenario 1: On-premises source to Azure Database for PostgreSQL with public access ++**Networking Steps:** ++- The source database server must have a public IP address. +- Configure the firewall to allow outbound connections on the PostgreSQL port (default 5432). +- Ensure the source database server is accessible over the internet. +- Verify the network configuration by testing connectivity from the target Azure Database for PostgreSQL to the source database, confirming that the migration service can access the source data. ++## Scenario 2: Private IP on-premises source to virtual network-Integrated Azure Database for PostgreSQL via Express Route/IPSec VPN +++**Networking Steps:** ++- Set up a Site-to-Site VPN or ExpressRoute for a secure, reliable connection between the on-premises network and Azure. +- Configure Azure's Virtual Network (virtual network) to allow access from the on-premises IP range. +- Set up Network Security Group (NSG) rules to allow traffic on the PostgreSQL port (default 5432) from the on-premises network. +- Verify the network configuration by testing connectivity from the target Azure Database for PostgreSQL to the source database, confirming that the migration service can access the source data. ++## Scenario 3: AWS RDS for PostgreSQL to Azure Database for PostgreSQL +++The source database in another cloud provider (AWS) must have a public IP or a direct connection to Azure. ++**Networking Steps:** ++- **Public Access:** + - If your AWS RDS instance isn't publicly accessible, you can modify the instance to allow connections from Azure. This can be done through the AWS Management Console by changing the Publicly Accessible setting to Yes. + - In the AWS RDS security group, add an inbound rule to allow traffic from the Azure Database for PostgreSQL's public IP address/domain. ++- **Private Access** + - Establish a secure connection using express route, or a VPN from AWS to Azure. + - In the AWS RDS security group, add an inbound rule to allow traffic from the Azure Database for PostgreSQL's public IP address/domain or the range of IP addresses in the Azure virtual network on the PostgreSQL port (default 5432). + - Create an Azure Virtual Network (virtual network) where your Azure Database for PostgreSQL resides. Configure the virtual network's Network Security Group (NSG) to allow outbound connections to the AWS RDS instance's IP address on the PostgreSQL port. + - Set up NSG rules in Azure to permit incoming connections from the cloud provider, AWS RDS IP range. + - Test the connectivity between AWS RDS and Azure Database for PostgreSQL to ensure no network issues. ++## Scenario 4: Azure VMs to Azure Database for PostgreSQL (different virtual networks) ++This scenario describes connectivity between an Azure VMs and an Azure Database for PostgreSQL located in different virtual networks. Virtual network peering and appropriate NSG rules are required to facilitate traffic between the VNets. +++**Networking Steps:** ++- Set up virtual network peering between the two VNets to enable direct network connectivity. +- Configure NSG rules to allow traffic between the VNets on the PostgreSQL port. ++## Scenario 5: Azure VMs to Azure PostgreSQL (same virtual network) ++When an Azure VM and Azure Database for PostgreSQL are within the same virtual network, the configuration is straightforward. NSG rules should be set to allow internal traffic on the PostgreSQL port, with no additional firewall rules necessary for the Azure Database for PostgreSQL since the traffic remains within the VNet. +++**Networking Steps:** ++- Ensure that the VM and the PostgreSQL server are in the same virtual network. +- Configure NSG rules to allow traffic within the virtual network on the PostgreSQL port. +- No other firewall rules are needed for the Azure Database for PostgreSQL since the traffic is internal to the virtual network. ++## Resources for Networking Setup ++- To establish an **ExpressRoute** connection, refer to the [Azure ExpressRoute Overview](/azure/expressroute/expressroute-introduction). +- For setting up an **IPsec VPN**, consult the guide on [Azure Point-to-Site VPN connections](/azure/vpn-gateway/point-to-site-about). +- For virtual network peering, [Azure Virtual Network peering](/azure/virtual-network/virtual-network-peering-overview) ++## Related content ++- [Migration service](concepts-migration-service-postgresql.md) +- [Known issues and limitations](concepts-known-issues-migration-service.md) +- [Premigration validations](concepts-premigration-migration-service.md) +- https://ops.microsoft.com/#/repos/b6b6fd6c-9d21-fafb-c32b-81062ab07537 |
postgresql | Tutorial Migration Service Offline Aws | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/migrate/migration-service/tutorial-migration-service-offline-aws.md | + + Title: "Tutorial: Offline migration from AWS RDS using the migration service with the Azure portal and Azure CLI" +description: "Learn to migrate seamlessly from AWS RDS to Azure Database for PostgreSQL - Flexible Server using the new migration service in Azure, simplifying the transition while ensuring data integrity and efficient deployment." +++ Last updated : 01/30/2024++++++# Tutorial: Offline migration to Azure Database for PostgreSQL from AWS RDS PostgreSQL using migration service Preview +++This tutorial guides you in migrating a PostgreSQL instance from your AWS RDS to Azure Database for a PostgreSQL flexible server using the Azure portal and Azure CLI. ++The migration service in Azure Database for PostgreSQL is a fully managed service that's integrated into the Azure portal and Azure CLI. It's designed to simplify your migration journey to Azure Database for PostgreSQL flexible server. ++In this document, you learn: +> [!div class="checklist"] +> - Prerequisites +> - Configure the migration task +> - Monitor the migration +> - Post migration +++#### [Portal](#tab/portal) ++## Configure the migration task ++The migration service comes with a simple, wizard-based experience on the Azure portal. ++1. Open your web browser and go to the [portal](https://portal.azure.com/). Enter your credentials to sign in. The default view is your service dashboard. ++1. Go to your Azure Database for the PostgreSQL flexible server. ++1. In the **Overview** tab of the flexible server, on the left menu, scroll down to **Migration** and select it. ++ :::image type="content" source="media\tutorial-migration-service-offline-iaas\offline-portal-select-migration-pane.png" alt-text="Screenshot of the migration selection." lightbox="media\tutorial-migration-service-offline-iaas\offline-portal-select-migration-pane.png"::: ++1. Select the **Create** button to migrate from AWS RDS to a flexible server. ++ > [!NOTE] + > The first time you use the migration service, an empty grid appears with a prompt to begin your first migration. ++ If migrations to your flexible server target have already been created, the grid now contains information about attempted migrations. ++1. Select the **Create** button to go through a wizard-based series of tabs to perform a migration. ++ :::image type="content" source="media\tutorial-migration-service-offline-iaas\portal-offline-create-migration.png" alt-text="Screenshot of the create migration page." lightbox="media\tutorial-migration-service-offline-iaas\portal-offline-create-migration.png"::: ++## Setup ++The first tab is the setup tab. ++The user needs to provide multiple details related to the migration like the migration name, source server type, option, and mode. ++- **Migration name** is the unique identifier for each migration to this Flexible Server target. This field accepts only alphanumeric characters and doesn't accept any special characters except a hyphen (-). The name can't start with a hyphen and should be unique for a target server. No two migrations to the same Flexible Server target can have the same name. ++- **Source Server Type** - Depending on your PostgreSQL source, you can select AWS RDS for PostgreSQL. ++- **Migration Option** - Allows you to perform validations before triggering a migration. You can pick any of the following options + - **Validate** - Checks your server and database readiness for migration to the target. + - **Migrate** - Skips validations and starts migrations. + - **Validate and Migrate** - Performs validation before triggering a migration. Migration gets triggered if there are no validation failures. + - Choosing the **Validate** or **Validate and Migrate** option is always a good practice to perform premigration validations before running the migration. ++To learn more about the premigration validation, visit [premigration](concepts-premigration-migration-service.md). ++- **Migration mode** allows you to pick the mode for the migration. **Offline** is the default option. ++Select the **Next: Connect to source** button. +++## Connect to the source ++The **Connect to Source** tab prompts you to give details related to the source selected in the **Setup Tab**, which is the source of the databases. ++- **Server Name** - Provide the Hostname or the IP address of the source PostgreSQL instance ++- **Port** - Port number of the Source server ++- **Server admin login name** - Username of the source PostgreSQL server ++- **Password** - Password of the source PostgreSQL server ++- **SSL Mode** - Supported values are preferred and required. When the SSL at the source PostgreSQL server is OFF, use the SSLMODE=prefer. If the SSL at the source server is ON, use the SSLMODE=require. SSL values can be determined in postgresql.conf file. ++- **Test Connection** - Performs the connectivity test between target and source. Once the connection is successful, users can go ahead with the next step; they need to identify the networking issues between the target and source and verify the username/password for the source. Test connection takes a few minutes to establish a connection between the target and source. ++After the successful test connection, select the **Next: Select Migration target** button. +++## Connect to the target ++The **select migration target** tab displays metadata for the Flexible Server target, like subscription name, resource group, server name, location, and PostgreSQL version. ++- **Admin username** - Admin username of the target PostgreSQL server ++- **Password** - Password of the target PostgreSQL server ++- **Test Connection** - Performs the connectivity test between target and source. Once the connection is successful, users can proceed with the next step. Otherwise, we need to identify the networking issues between the target and the source and verify the username/password for the target. Test connection takes a few minutes to establish a connection between the target and source ++After the successful test connection, select the **Next: Select Database(s) for Migration** +++## Select databases for migration ++Under the **Select database for migration** tab, you can choose a list of user databases to migrate from your source PostgreSQL server. +After selecting the databases, select the **Next:Summary** +++## Summary ++The **Summary** tab summarizes all the source and target details for creating the validation or migration. Review the details and select the **Start Validation and Migration** button. +++## Monitor the migration ++After you select the **Start Validation and Migration** button, a notification appears in a few seconds to say that the validation or migration creation is successful. You're redirected automatically to the **Migration** page of flexible server. The entry is in the **InProgress** state and **PerformingPreRequisiteSteps** substate. The workflow takes 2-3 minutes to set up the migration infrastructure and check network connections. +++The grid that displays the migrations has these columns: **Name**, **Status**, **Migration mode**, **Migration type**, **Source server**, **Source server type**, **Databases**, **Duration** and **Start time**. The entries are displayed in the descending order of the start time, with the most recent entry on the top. You can use the refresh button to refresh the status of the validation or migration run. ++## Migration details ++Select the migration name in the grid to see the associated details. ++In the **Setup** tab, we have selected the migration option as **Validate and Migrate**. In this scenario, validations are performed first before migration starts. After the **PerformingPreRequisiteSteps** substrate is completed, the workflow moves into the substrate of **Validation in Progress**. ++- If validation has errors, the migration moves into a **Failed** state. ++- If validation is complete without any error, the migration starts, and the workflow moves into the substate of **Migrating Data**. ++Validation details are available at the instance and database level. ++- **Validation at Instance level** + - Contains validation related to the connectivity check, source version, that is, PostgreSQL version >= 9.5, server parameter check, that is, if the extensions are enabled in the server parameters of the Azure Database for PostgreSQL - flexible server. ++- **Validation at Database level** + - It contains validation of the individual databases related to extensions and collations support in Azure Database for PostgreSQL, a flexible server. ++You can see the **validation** and the **migration** status under the migration details page. +++Possible migration states include: ++- **InProgress**: The migration infrastructure setup is underway, or the actual data migration is in progress. +- **Canceled**: The migration is canceled or deleted. +- **Failed**: The migration has failed. +- **Validation Failed** : The validation has failed. +- **Succeeded**: The migration has succeeded and is complete. +- **WaitingForUserAction**: Applicable only for online migration. Waiting for user action to perform cutover. ++Possible migration substates include: ++- **PerformingPreRequisiteSteps**: Infrastructure setup is underway for data migration. +- **Validation in Progress**: Validation is in progress. +- **MigratingData**: Data migration is in progress. +- **CompletingMigration**: Migration is in the final stages of completion. +- **Completed**: Migration has been completed. +- **Failed**: Migration is failed. ++Possible validation substates include: ++- **Failed**: Validation is failed. +- **Succeeded**: Validation is successful. +- **Warning**: Validation is in Warning. Warnings are informative messages that you must remember while planning the migration. ++## Cancel the migration ++You can cancel any ongoing validations or migrations. The workflow must be in the **InProgress** state to be canceled. You can't cancel a validation or migration that's in the **Succeeded** or **Failed** state. ++- Canceling a validation stops further validation activity, and the validation moves to a **Can be called** state. +- Canceling a migration stops further migration activity on your target server and moves to a **Can be called** state. It doesn't drop or roll back any changes on your target server. Be sure to drop the databases on your target server involved in a canceled migration. ++#### [CLI](#tab/cli) ++## End-to-end flow tutorial ++To begin migrating using Azure CLI, you need to install the Azure CLI on your local machine. +++## Connect to the source ++- In this tutorial, the source AWS RDS for PostgreSQL version is 13.13 ++- For this tutorial, we're going to migrate "ticketdb," "inventorydb," and "timedb" into Azure Database for PostgreSQL flexible server. +++## Perform migration using CLI ++- Open the command prompt and sign in into Azure using the `az login` command ++ :::image type="content" source="media\tutorial-migration-service-offline-iaas\success-az-login-cli.png" alt-text="Screenshot of the az success sign in." lightbox="media\tutorial-migration-service-offline-iaas\success-az-login-cli.png"::: ++- Edit the below placeholders `<< >>` in the JSON lines and store them in the local machine as `<<filename>>.json` where the CLI is being invoked. In this tutorial, we have saved the file in C:\migration-CLI\migration_body.json ++```bash +{ +"properties": { +"SourceDBServerResourceId": "<<source hostname or IP address>>:<<port>>@<<username>>", + "SecretParameters": { + "AdminCredentials": { + "SourceServerPassword": "<<Source Password>>", + "TargetServerPassword": "<<Target Password>>" + } + }, + "targetServerUserName":"<<Target username>>", + "DBsToMigrate": [ + "<<comma separated list of databases like - "ticketdb","timedb","inventorydb">>" + ], + "OverwriteDBsInTarget": "true", + "MigrationMode": "Offline", + "sourceType": "AWS", + "sslMode": "Require" + } +} +``` ++- Run the following command to check if any migrations are running. The migration name is unique across the migrations within the Azure Database for PostgreSQL flexible server target. ++ ```bash + az postgres flexible-server migration list --subscription <<subscription ID>> --resource-group <<resource group name>> --name <<Name of the Flexible Server>> --filter All + ``` ++ :::image type="content" source="media\tutorial-migration-service-offline-iaas\list-CLI.png" alt-text="Screenshot of list the migration runs in CLI." lightbox="media\tutorial-migration-service-offline-iaas\list-CLI.png"::: ++- In the above steps, there are no migrations performed so we start with the new migration by running the following command ++ ```bash + az postgres flexible-server migration create --subscription <<subscription ID>> --resource-group <<resource group name>> --name <<Name of the Flexible Server>> --migration-name <<Unique Migration Name>> --migration-option ValidateAndMigrate --properties "C:\migration-cli\migration_body.json" + ``` ++- Run the following command to initiate the migration status in the previous step. You can check the status of the migration by providing the migration name ++ ```bash + az postgres flexible-server migration show --subscription <<subscription ID>> --resource-group <<resource group name>> --name <<Name of the Flexible Server>> --migration-name <<Migration ID>> + ``` ++- The status of the migration progress is shown in the CLI. ++ :::image type="content" source="media\tutorial-migration-service-offline-iaas\status-migration-cli-aws.png" alt-text="Screenshot of status migration CLI." lightbox="media\tutorial-migration-service-offline-iaas\status-migration-cli-aws.png"::: ++- You can also see the status of the PostgreSQL flexible server portal in the Azure Database. ++ :::image type="content" source="media\tutorial-migration-service-offline-iaas\status-migration-portal-aws.png" alt-text="Screenshot of status migration portal." lightbox="media\tutorial-migration-service-offline-iaas\status-migration-portal-aws.png"::: +++## Post migration ++After completing the databases, you need to manually validate the data between source and target and verify that all the objects in the target database are successfully created. ++After migration, you can perform the following tasks: ++- Verify the data on your flexible server and ensure it's an exact copy of the source instance. ++- Post verification, enable the high availability option on your flexible server as needed. ++- Change the SKU of the flexible server to match the application needs. This change needs a database server restart. ++- If you change any server parameters from their default values in the source instance, copy those server parameter values in the flexible server. ++- Copy other server settings like tags, alerts, and firewall rules (if applicable) from the source instance to the flexible server. ++- Make changes to your application to point the connection strings to a flexible server. ++- Monitor the database performance closely to see if it requires performance tuning. ++## Related content ++- [Migration service](concepts-migration-service-postgresql.md) +- [Migrate from on-premises and Azure VMs](tutorial-migration-service-offline-iaas.md) +- [Best practices](best-practices-migration-service-postgresql.md) +- [Known Issues and limitations](concepts-known-issues-migration-service.md) +- [Network setup](how-to-network-setup-migration-service.md) +- [premigration validations](concepts-premigration-migration-service.md) + |
postgresql | Tutorial Migration Service Offline Iaas | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/migrate/migration-service/tutorial-migration-service-offline-iaas.md | + + Title: "Tutorial: Offline migration from on-premises and Azure virtual machines using the migration service with the Azure portal and CLI" +description: "Learn to migrate seamlessly from on-premises or an Azure VM to Azure Database for PostgreSQL - Flexible Server using the new migration service in Azure, simplifying the transition while ensuring data integrity and efficient deployment." +++ Last updated : 01/30/2024++++++# Tutorial: Offline migration to Azure Database for PostgreSQL from on-premises or Azure VM-hosted PostgreSQL using migration service Preview +++This tutorial guides you in migrating a PostgreSQL instance from your on-premises or Azure virtual machines (VMs) to Azure Database for PostgreSQL flexible server using the Azure portal and Azure CLI. ++The migration service in Azure Database for PostgreSQL is a fully managed service integrated into the Azure portal and Azure CLI. It's designed to simplify your migration journey to Azure Database for PostgreSQL flexible server. ++In this document, you learn: +> [!div class="checklist"] +> - Prerequisites +> - Configure the migration task +> - Monitor the migration +> - Post migration +++#### [Portal](#tab/portal) ++## Configure the migration task ++The migration service comes with a simple, wizard-based experience on the Azure portal. ++1. Open your web browser and go to the [portal](https://portal.azure.com/). Enter your credentials to sign in. The default view is your service dashboard. ++1. Go to your Azure Database for the PostgreSQL flexible server. ++1. In the **Overview** tab of the flexible server, on the left menu, scroll down to **Migration** and select it. ++ :::image type="content" source="media\tutorial-migration-service-offline-iaas\offline-portal-select-migration-pane.png" alt-text="Screenshot of the migration selection." lightbox="media\tutorial-migration-service-offline-iaas\offline-portal-select-migration-pane.png"::: ++1. Select the **Create** button to migrate to a flexible server from on-premises or Azure VMs. ++ > [!NOTE] + > The first time you use the migration service, an empty grid appears with a prompt to begin your first migration. ++ If migrations to your flexible server target have already been created, the grid now contains information about attempted migrations. ++1. Select the **Create** button to go through a wizard-based series of tabs to perform a migration. ++ :::image type="content" source="media\tutorial-migration-service-offline-iaas\portal-offline-create-migration.png" alt-text="Screenshot of the create migration page." lightbox="media\tutorial-migration-service-offline-iaas\portal-offline-create-migration.png"::: ++## Setup ++The first tab is the setup tab. ++The user needs to provide multiple details related to the migration, like the migration name, source server type, option, and mode. ++- **Migration name** is the unique identifier for each migration to this Flexible Server target. This field accepts only alphanumeric characters and doesn't accept any special characters except a hyphen (-). The name can't start with a hyphen and should be unique for a target server. No two migrations to the same Flexible Server target can have the same name. ++- **Source Server Type** - Depending on your PostgreSQL source, you can select Azure Database for PostgreSQL single server, on-premises, Azure VM. ++- **Migration Option** - Allows you to perform validations before triggering a migration. You can pick any of the following options + - **Validate** - Checks your server and database readiness for migration to the target. + - **Migrate** - Skips validations and starts migrations. + - **Validate and Migrate** - Performs validation before triggering a migration. Migration gets triggered if there are no validation failures. + - Choosing the **Validate** or **Validate and Migrate** option is always a good practice to perform premigration validations before running the migration. ++To learn more about the premigration validation, visit [premigration](concepts-premigration-migration-service.md). ++- **Migration mode** allows you to pick the mode for the migration. **Offline** is the default option. ++Select the **Next: Connect to source** button. +++## Connect to the source ++The **Connect to Source** tab prompts you to give details related to the source selected in the **Setup Tab**, which is the source of the databases. ++- **Server Name** - Provide the Hostname or the IP address of the source PostgreSQL instance ++- **Port** - Port number of the Source server ++- **Server admin login name** - Username of the source PostgreSQL server ++- **Password** - Password of the source PostgreSQL server ++- **SSL Mode** - Supported values are preferred and required. When the SSL at the source PostgreSQL server is OFF, use the SSLMODE=prefer. If the SSL at the source server is ON, use the SSLMODE=require. SSL values can be determined in postgresql.conf file. ++- **Test Connection** - Performs the connectivity test between target and source. Once the connection is successful, users can go ahead with the next step; they need to identify the networking issues between the target and source and verify the username/password for the source. Test connection takes a few minutes to establish a connection between the target and source. ++After the successful test connection, select the **Next: Select Migration target** button. +++## Connect to the target ++The **select migration target** tab displays metadata for the Flexible Server target, like subscription name, resource group, server name, location, and PostgreSQL version. ++- **Admin username** - Admin username of the target PostgreSQL server ++- **Password** - Password of the target PostgreSQL server ++- **Test Connection** - Performs the connectivity test between target and source. Once the connection is successful, users can proceed with the next step. Otherwise, we need to identify the networking issues between the target and the source and verify the username/password for the target. Test connection takes a few minutes to establish a connection between the target and source ++After the successful test connection, select the **Next: Select Database(s) for Migration** +++## Select databases for migration ++Under the **Select database for migration** tab, you can choose a list of user databases to migrate from your source PostgreSQL server. ++After selecting the databases, select the **Next: Summary**. +++## Summary ++The **Summary** tab summarizes all the source and target details for creating the validation or migration. Review the details and select the **Start Validation and Migration** button. +++## Monitor the migration ++After you select the **Start Validation and Migration** button, a notification appears in a few seconds to say that the validation or migration creation is successful. You're automatically redirected to the flexible server's **Migration** page. The entry is in the **InProgress** state and **PerformingPreRequisiteSteps** substate. The workflow takes 2-3 minutes to set up the migration infrastructure and check network connections. +++The grid that displays the migrations has these columns: **Name**, **Status**, **Migration mode**, **Migration type**, **Source server**, **Source server type**, **Databases**, **Duration** and **Start time**. The entries are displayed in the descending order of the start time, with the most recent entry on the top. You can use the refresh button to refresh the status of the validation or migration run. ++## Migration details ++Select the migration name in the grid to see the associated details. ++In the **Setup** tab, we have selected the migration option as **Validate and Migrate**. In this scenario, validations are performed first before migration starts. After the **PerformingPreRequisiteSteps** substrate is completed, the workflow moves into the substrate of **Validation in Progress**. ++- If validation has errors, the migration moves into a **Failed** state. ++- If validation is complete without any error, the migration starts, and the workflow moves into the substate of **Migrating Data**. ++Validation details are available at Instance and Database level. ++- **Validation at Instance level** + - Contains validation related to the connectivity check, source version, that is, PostgreSQL version >= 9.5, server parameter check, that is, if the extensions are enabled in the server parameters of the Azure Database for PostgreSQL - flexible server. +- **Validation at Database level** + - It contains validation of the individual databases related to extensions and collations support in Azure Database for PostgreSQL, a flexible server. ++You can see the **validation** and the **migration** status under the migration details page. ++Possible migration states include: ++- **InProgress**: The migration infrastructure setup is underway, or the actual data migration is in progress. +- **Canceled**: The migration is canceled or deleted. +- **Failed**: The migration has failed. +- **Validation Failed** : The validation has failed. +- **Succeeded**: The migration has succeeded and is complete. +- **WaitingForUserAction**: Applicable only for online migration. Waiting for user action to perform cutover. ++Possible migration substates include: ++- **PerformingPreRequisiteSteps**: Infrastructure setup is underway for data migration. +- **Validation in Progress**: Validation is in progress. +- **MigratingData**: Data migration is in progress. +- **CompletingMigration**: Migration is in the final stages of completion. +- **Completed**: Migration has been completed. +- **Failed**: Migration is failed. ++Possible validation substates include: ++- **Failed**: Validation is failed. +- **Succeeded**: Validation is successful. +- **Warning**: Validation is in Warning. Warnings are informative messages that you must remember while planning the migration. ++## Cancel the migration ++You can cancel any ongoing validations or migrations. The workflow must be in the **InProgress** state to be canceled. You can't cancel a validation or migration that's in the **Succeeded** or **Failed** state. ++- Canceling a validation stops further validation activity, and the validation moves to a **Can be called** state. ++- Canceling a migration stops further migration activity on your target server and moves to a **Can be called** state. It doesn't drop or roll back any changes on your target server. Be sure to drop the databases on your target server involved in a canceled migration. ++#### [CLI](#tab/cli) ++To begin migrating using Azure CLI, you need to install the Azure CLI on your local machine. +++## Connect to the source ++In this tutorial, the source PostgreSQL version used is 14.8, and it's installed in one of the Azure VMs with the operating system Ubuntu. ++We're going to migrate "ticketdb","inventorydb","salesdb" into Azure Database for PostgreSQL flexible server. +++## Perform migration using CLI ++- Open the command prompt and sign in to the Azure using `az login` command ++ :::image type="content" source="media\tutorial-migration-service-offline-iaas\success-az-login-CLI.png" alt-text="Screenshot of the az success sign in." lightbox="media\tutorial-migration-service-offline-iaas\success-az-login-CLI.png"::: ++- Edit the below placeholders `<< >>` in the JSON lines and store them in the local machine as `<<filename>>.json` where the CLI is being invoked. In this tutorial, we have saved the file in C:\migration-CLI\migration_body.json ++ ```bash + { + "properties": { + "SourceDBServerResourceId": "<<source hostname or IP address>>:<<port>>@<<username>>", + "SecretParameters": { + "AdminCredentials": { + "SourceServerPassword": "<<Source Password>>", + "TargetServerPassword": "<<Target Password>>" + } + }, + "targetServerUserName":"<<Target username>>", + "DBsToMigrate": [ + "<<comma separated list of databases like - "ticketdb","timedb","salesdb">>" + ], + "OverwriteDBsInTarget": "true", + "MigrationMode": "Offline", + "sourceType": "AzureVM", + "sslMode": "Prefer" + } + } + ``` ++- Run the following command to check if any migrations are running. The migration name is unique across the migrations within the Azure Database for PostgreSQL flexible server target. ++ ```bash + az postgres flexible-server migration list --subscription <<subscription ID>> --resource-group <<resource group name>> --name <<Name of the Flexible Server>> --filter All + ``` ++ :::image type="content" source="media\tutorial-migration-service-offline-iaas\list-CLI.png" alt-text="Screenshot of list the migration runs in CLI." lightbox="media\tutorial-migration-service-offline-iaas\list-CLI.png"::: ++- In the above steps, there are no migrations performed so we start with the new migration by running the following command ++ ```bash + az postgres flexible-server migration create --subscription <<subscription ID>> --resource-group <<resource group name>> --name <<Name of the Flexible Server>> --migration-name <<Unique Migration Name>> --migration-option ValidateAndMigrate --properties "C:\migration-cli\migration_body.json" + ``` ++- Run the following command to initiate the migration status in the previous step. You can check the status of the migration by providing the migration name ++ ```bash + az postgres flexible-server migration show --subscription <<subscription ID>> --resource-group <<resource group name>> --name <<Name of the Flexible Server>> --migration-name <<Migration ID>> + ``` ++- The status of the migration progress is shown in the CLI. ++ :::image type="content" source="media\tutorial-migration-service-offline-iaas\status-migration-cli.png" alt-text="Screenshot of status migration CLI." lightbox="media\tutorial-migration-service-offline-iaas\status-migration-cli.png"::: ++- You can also see the status in the Azure Database for PostgreSQL flexible server portal. ++ :::image type="content" source="media\tutorial-migration-service-offline-iaas\status-migration-portal.png" alt-text="Screenshot of status migration portal." lightbox="media\tutorial-migration-service-offline-iaas\status-migration-portal.png"::: +++## Post migration ++After completing the databases, you need to manually validate the data between source and target and verify that all the objects in the target database are successfully created. ++After migration, you can perform the following tasks: ++- Verify the data on your flexible server and ensure it's an exact copy of the source instance. ++- Post verification, enable the high availability option on your flexible server as needed. ++- Change the SKU of the flexible server to match the application needs. This change needs a database server restart. ++- If you change any server parameters from their default values in the source instance, copy those server parameter values in the flexible server. ++- Copy other server settings like tags, alerts, and firewall rules (if applicable) from the source instance to the flexible server. ++- Make changes to your application to point the connection strings to a flexible server. ++- Monitor the database performance closely to see if it requires performance tuning. ++## Related content ++- [Migration service](concepts-migration-service-postgresql.md) +- [Migrate from AWS RDS](tutorial-migration-service-offline-aws.md) +- [Best practices](best-practices-migration-service-postgresql.md) +- [Known Issues and limitations](concepts-known-issues-migration-service.md) +- [Network setup](how-to-network-setup-migration-service.md) +- [Premigration validations](concepts-premigration-migration-service.md) + |
private-5g-core | Ue Usage Event Hub | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/private-5g-core/ue-usage-event-hub.md | You can monitor UE usage based on the monitoring data generated by Azure Event H ## Prerequisites -- You must already have an Event Hubs instance with a shared access policy. The shared access policy must have send and receive access configured.- > [!NOTE] - > Only the first shared access policy for the event hub will be used by this feature. Any additional shared access policies will be ignored. -- You must have a user assigned managed identity that has the Resource Policy Contributor or Owner role for the Event Hubs instance and is assigned to the Packet Core Control Plane for the site.+- You must have an Event Hubs instance with a shared access policy. The shared access policy must have send and receive access configured. +- You must have a user assigned managed identity that has the Contributor or Owner role for the Event Hubs instance and is assigned to the Packet Core Control Plane for the site. ++>[!TIP] +> A default shared access policy will be created automatically if the Packet Core Control Plane is configured with the required managed identity. ## Configure UE usage monitoring -UE usage monitoring can be configured during [site creation](create-a-site.md) or at a later stage by [modifying the packet core](modify-packet-core.md). +UE usage monitoring can be enabled during [site creation](create-a-site.md) or at a later stage by [modifying the packet core configuration](modify-packet-core.md). ++Once Event Hubs is receiving data from your AP5GC deployment, you can write an application using SDKs [such as .NET](/azure/event-hubs/event-hubs-dotnet-standard-getstarted-send?tabs=passwordless%2Croles-azure-portal) to consume event data and produce metrics. -Once Event Hubs is receiving data from your AP5GC deployment you can write an application, using SDKs such as [.NET](/azure/event-hubs/event-hubs-dotnet-standard-getstarted-send?tabs=passwordless%2Croles-azure-portal), to consume event data and produce useful metric data. +>[!TIP] +> If you create the managed identity after enabling UE usage monitoring, you will need to refresh the packet core configuration by making a dummy configuration change. See [Modify a packet core instance](modify-packet-core.md). ## Reported UE usage data |
route-server | About Dual Homed Network | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/route-server/about-dual-homed-network.md | Title: About dual-homed network with Azure Route Server -description: Learn how Azure Route Server works in a dual-homed network. -+description: Learn how to utilize Azure Route Server in a dual-homed network where you can connect a spoke virtual network (VNet) to more than one hub VNet. -- Previously updated : 01/27/2023 -++ Last updated : 01/30/2024+#CustomerIntent: As an Azure administrator, I want to peer spoke virtual networks (VNets) to more than one hub VNet so that the resources in the spoke VNets can communicated through either of the hub VNets. # About dual-homed network with Azure Route Server In the control plane, the NVA in the hub VNet will learn about on-premises route In the data plane, the virtual machines in the spoke VNet will send all traffic destined for the on-premises network to the NVA in the hub VNet first. Then the NVA will forward the traffic to the on-premises network through ExpressRoute. Traffic from on-premises will traverse the same data path in the reverse direction. You'll notice none of the route servers are in the data path. -## Next steps +## Related content * Learn about [Azure Route Server support for ExpressRoute and Azure VPN](expressroute-vpn-support.md) * Learn how to [configure peering between Azure Route Server and Network Virtual Appliance](tutorial-configure-route-server-with-quagga.md)- |
spring-apps | Application Observability | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/application-observability.md | - Title: Optimize application observability for Azure Spring Apps -description: Learn how to observe the application of Azure Spring Apps. ---- Previously updated : 10/02/2023----# Optimize application observability for Azure Spring Apps --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Java ❌ C# --**This article applies to:** <br> -❌ Standard consumption and dedicated (Preview) ✔️ Basic/Standard ❌ Enterprise --This article shows you how to observe your production applications deployed on Azure Spring Apps and diagnose and investigate production issues. Observability is the ability to collect insights, analytics, and actionable intelligence through the logs, metrics, traces, and alerts. --To find out if your applications meet expectations and to discover and predict issues in all applications, focus on the following areas: --- **Availability**: Check that the application is available and accessible to the user.-- **Reliability**: Check that the application is reliable and can be used normally.-- **Failure**: Understand that the application isn't working properly and further fixes are required.-- **Performance**: Understand which performance issues the application encounters that need further attention and find out the root cause of the problem.-- **Alerts**: Know the current state of the application. Proactively notify others and take necessary actions when the application isn't working properly.--This article uses the well-known [PetClinic](https://github.com/azure-samples/spring-petclinic-microservices) sample app as the production application. For more information on how to deploy PetClinic to Azure Spring Apps and use MySQL as the persistent store, see the following articles: --- [Deploy microservice applications to Azure Spring Apps](./quickstart-deploy-microservice-apps.md)-- [Integrate Azure Spring Apps with Azure Database for MySQL](./quickstart-integrate-azure-database-mysql.md)--Log Analytics and Application Insights are deeply integrated with Azure Spring Apps. You can use Log Analytics to diagnose your application with various log queries and use Application Insights to investigate production issues. For more information, see the following articles: --- [Overview of Log Analytics in Azure Monitor](../azure-monitor/logs/log-analytics-overview.md)-- [Azure Monitor Insights overview](../azure-monitor/insights/insights-overview.md)--## Prerequisites --- An Azure subscription. [!INCLUDE [quickstarts-free-trial-note](../../includes/quickstarts-free-trial-note.md)]---## Query logs to diagnose an application problem --If you encounter production issues, you need to do a root cause analysis. Finding logs is an important part of this analysis, especially for distributed applications with logs spread across multiple applications. The trace data collected by Application Insights can help you find the log information for all related links, including the exception stack information. --This section explains how to use Log Analytics to query the application logs and use Application Insights to investigate request failures. For more information, see the following articles: --- [Log Analytics tutorial](../azure-monitor/logs/log-analytics-tutorial.md)-- [Application Map: Triage distributed applications](../azure-monitor/app/app-map.md)--### Log queries --This section explains how to query application logs from the `AppPlatformLogsforSpring` table hosted by Azure Spring Apps. You can use the [Kusto Query Language](/azure/data-explorer/kusto/query/) to customize your queries for application logs. --To see the built-in example query statements or to write your own queries, open the Azure Spring Apps instance and go to the **Logs** menu. --#### Show the application logs that contain the "error" or "exception" terms --To see the application logs containing the terms "error" or "exception", select **Alerts** on the **Queries** page, and then select **Run** in the **Show the application logs which contain the "error" or "exception" terms** section. --The following query shows the application logs from the last hour that contains the terms "error" or "exception". You can customize the query with any keyword you want to search for. --```sql -AppPlatformLogsforSpring -| where TimeGenerated > ago(1h) -| where Log contains "error" or Log contains "exception" -| project TimeGenerated , ServiceName , AppName , InstanceName , Log , _ResourceId -``` ---#### Show the error and exception number of each application --To see the error and exception number of an application, select **Alerts** on the **Queries** page, and then select **Run** in the **Show the error and exception number of each application** section. --The following query shows a pie chart of the number of the logs in the last 24 hours that contain the terms "error" or "exception". To view the results in a table format, select **Result**. --```sql -AppPlatformLogsforSpring -| where TimeGenerated > ago(24h) -| where Log contains "error" or Log contains "exception" -| extend FullAppName = strcat(ServiceName, "/", AppName) -| summarize count_per_app = count() by FullAppName, ServiceName, AppName, _ResourceId -| sort by count_per_app desc -| render piechart -``` ---#### Query the customers service log with a key word --Use the following query to see a list of logs in the `customers-service` app that contain the term "root cause". Update the query to use the keyword that you're looking for. --```sql -AppPlatformLogsforSpring -| where AppName == "customers-service" -| where Log contains "root cause" -| project-keep InstanceName, Log -``` ---### Investigate request failures --Use the following steps to investigate request failures in the application cluster and to view the failed request list and specific examples of the failed requests: --1. Go to the Azure Spring Apps instance overview page. --1. On the navigation menu, select **Application Insights** to go to the Application Insights overview page. Then, select **Failures**. -- :::image type="content" source="media/application-observability/application-insights-failures.png" alt-text="Screenshot of the Azure portal that shows the Application Insights Failures page." lightbox="media/application-observability/application-insights-failures.png"::: --1. On the **Failure** page, select the `PUT` operation that has the most failed requests count, select **1 Samples** to go into the details, and then select the suggested sample. -- :::image type="content" source="media/application-observability/application-insights-failure-suggested-sample.png" alt-text="Screenshot of the Azure portal that shows the Select a sample operation pane with the suggested failure sample." lightbox="media/application-observability/application-insights-failure-suggested-sample.png"::: --1. Go to the **End-to-end transaction details** page to view the full call stack in the right panel. -- :::image type="content" source="media/application-observability/application-insights-e2e-exception.png" alt-text="Screenshot of the Azure portal that shows the End-to-end transaction details page with Application Insights failures." lightbox="media/application-observability/application-insights-e2e-exception.png"::: --## Improve the application performance using Application Insights --If there's a performance issue, the trace data collected by Application Insights can help find the log information of all relevant links, including the execution time of each link, to help find the location of the performance bottleneck. --To use Application Insights to investigate the performance issues, use the following steps: --1. Go to the Azure Spring Apps instance overview page. --1. On the navigation menu, select **Application Insights** to go to the Application Insights overview page. Then, select **Performance**. -- :::image type="content" source="media/application-observability/application-insights-performance.png" alt-text="Screenshot of the Azure portal that shows the Application Insights Performance page." lightbox="media/application-observability/application-insights-performance.png"::: --1. On the **Performance** page, select the slowest `GET /api/gateway/owners/{ownerId}` operation, select **3 Samples** to go into the details, and then select the suggested sample. -- :::image type="content" source="media/application-observability/application-insights-performance-suggested-sample.png" alt-text="Screenshot of the Azure portal that shows the Select a sample operation pane with the suggested performance sample." lightbox="media/application-observability/application-insights-performance-suggested-sample.png"::: --1. Go to the **End-to-end transaction details** page to view the full call stack in the right panel. -- :::image type="content" source="media/application-observability/application-insights-e2e-performance.png" alt-text="Screenshot of the Azure portal that shows the End-to-end transaction details page with the Application Insights performance issue." lightbox="media/application-observability/application-insights-e2e-performance.png"::: ---## Next steps --> [!div class="nextstepaction"] -> [Set up a staging environment](../spring-apps/how-to-staging-environment.md) --> [!div class="nextstepaction"] -> [Map an existing custom domain to Azure Spring Apps](./how-to-custom-domain.md) --> [!div class="nextstepaction"] -> [Use TLS/SSL certificates](./how-to-use-tls-certificate.md) |
spring-apps | Application Observability | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/basic-standard/application-observability.md | + + Title: Optimize application observability for Azure Spring Apps +description: Learn how to observe the application of Azure Spring Apps. ++++ Last updated : 10/02/2023++++# Optimize application observability for Azure Spring Apps ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Java ❌ C# ++**This article applies to:** <br> +❌ Standard consumption and dedicated (Preview) ✔️ Basic/Standard ❌ Enterprise ++This article shows you how to observe your production applications deployed on Azure Spring Apps and diagnose and investigate production issues. Observability is the ability to collect insights, analytics, and actionable intelligence through the logs, metrics, traces, and alerts. ++To find out if your applications meet expectations and to discover and predict issues in all applications, focus on the following areas: ++- **Availability**: Check that the application is available and accessible to the user. +- **Reliability**: Check that the application is reliable and can be used normally. +- **Failure**: Understand that the application isn't working properly and further fixes are required. +- **Performance**: Understand which performance issues the application encounters that need further attention and find out the root cause of the problem. +- **Alerts**: Know the current state of the application. Proactively notify others and take necessary actions when the application isn't working properly. ++This article uses the well-known [PetClinic](https://github.com/azure-samples/spring-petclinic-microservices) sample app as the production application. For more information on how to deploy PetClinic to Azure Spring Apps and use MySQL as the persistent store, see the following articles: ++- [Deploy microservice applications to Azure Spring Apps](../enterprise/quickstart-deploy-microservice-apps.md?pivots=sc-standard&toc=/azure/spring-apps/basic-standard/toc.json&bc=/azure/spring-apps/basic-standard/breadcrumb/toc.json) +- [Integrate Azure Spring Apps with Azure Database for MySQL](quickstart-integrate-azure-database-mysql.md) ++Log Analytics and Application Insights are deeply integrated with Azure Spring Apps. You can use Log Analytics to diagnose your application with various log queries and use Application Insights to investigate production issues. For more information, see the following articles: ++- [Overview of Log Analytics in Azure Monitor](../../azure-monitor/logs/log-analytics-overview.md) +- [Azure Monitor Insights overview](../../azure-monitor/insights/insights-overview.md) ++## Prerequisites ++- An Azure subscription. [!INCLUDE [quickstarts-free-trial-note](../../../includes/quickstarts-free-trial-note.md)] +++## Query logs to diagnose an application problem ++If you encounter production issues, you need to do a root cause analysis. Finding logs is an important part of this analysis, especially for distributed applications with logs spread across multiple applications. The trace data collected by Application Insights can help you find the log information for all related links, including the exception stack information. ++This section explains how to use Log Analytics to query the application logs and use Application Insights to investigate request failures. For more information, see the following articles: ++- [Log Analytics tutorial](../../azure-monitor/logs/log-analytics-tutorial.md) +- [Application Map: Triage distributed applications](../../azure-monitor/app/app-map.md) ++### Log queries ++This section explains how to query application logs from the `AppPlatformLogsforSpring` table hosted by Azure Spring Apps. You can use the [Kusto Query Language](/azure/data-explorer/kusto/query/) to customize your queries for application logs. ++To see the built-in example query statements or to write your own queries, open the Azure Spring Apps instance and go to the **Logs** menu. ++#### Show the application logs that contain the "error" or "exception" terms ++To see the application logs containing the terms "error" or "exception", select **Alerts** on the **Queries** page, and then select **Run** in the **Show the application logs which contain the "error" or "exception" terms** section. ++The following query shows the application logs from the last hour that contains the terms "error" or "exception". You can customize the query with any keyword you want to search for. ++```sql +AppPlatformLogsforSpring +| where TimeGenerated > ago(1h) +| where Log contains "error" or Log contains "exception" +| project TimeGenerated , ServiceName , AppName , InstanceName , Log , _ResourceId +``` +++#### Show the error and exception number of each application ++To see the error and exception number of an application, select **Alerts** on the **Queries** page, and then select **Run** in the **Show the error and exception number of each application** section. ++The following query shows a pie chart of the number of the logs in the last 24 hours that contain the terms "error" or "exception". To view the results in a table format, select **Result**. ++```sql +AppPlatformLogsforSpring +| where TimeGenerated > ago(24h) +| where Log contains "error" or Log contains "exception" +| extend FullAppName = strcat(ServiceName, "/", AppName) +| summarize count_per_app = count() by FullAppName, ServiceName, AppName, _ResourceId +| sort by count_per_app desc +| render piechart +``` +++#### Query the customers service log with a key word ++Use the following query to see a list of logs in the `customers-service` app that contain the term "root cause". Update the query to use the keyword that you're looking for. ++```sql +AppPlatformLogsforSpring +| where AppName == "customers-service" +| where Log contains "root cause" +| project-keep InstanceName, Log +``` +++### Investigate request failures ++Use the following steps to investigate request failures in the application cluster and to view the failed request list and specific examples of the failed requests: ++1. Go to the Azure Spring Apps instance overview page. ++1. On the navigation menu, select **Application Insights** to go to the Application Insights overview page. Then, select **Failures**. ++ :::image type="content" source="media/application-observability/application-insights-failures.png" alt-text="Screenshot of the Azure portal that shows the Application Insights Failures page." lightbox="media/application-observability/application-insights-failures.png"::: ++1. On the **Failure** page, select the `PUT` operation that has the most failed requests count, select **1 Samples** to go into the details, and then select the suggested sample. ++ :::image type="content" source="media/application-observability/application-insights-failure-suggested-sample.png" alt-text="Screenshot of the Azure portal that shows the Select a sample operation pane with the suggested failure sample." lightbox="media/application-observability/application-insights-failure-suggested-sample.png"::: ++1. Go to the **End-to-end transaction details** page to view the full call stack in the right panel. ++ :::image type="content" source="media/application-observability/application-insights-e2e-exception.png" alt-text="Screenshot of the Azure portal that shows the End-to-end transaction details page with Application Insights failures." lightbox="media/application-observability/application-insights-e2e-exception.png"::: ++## Improve the application performance using Application Insights ++If there's a performance issue, the trace data collected by Application Insights can help find the log information of all relevant links, including the execution time of each link, to help find the location of the performance bottleneck. ++To use Application Insights to investigate the performance issues, use the following steps: ++1. Go to the Azure Spring Apps instance overview page. ++1. On the navigation menu, select **Application Insights** to go to the Application Insights overview page. Then, select **Performance**. ++ :::image type="content" source="media/application-observability/application-insights-performance.png" alt-text="Screenshot of the Azure portal that shows the Application Insights Performance page." lightbox="media/application-observability/application-insights-performance.png"::: ++1. On the **Performance** page, select the slowest `GET /api/gateway/owners/{ownerId}` operation, select **3 Samples** to go into the details, and then select the suggested sample. ++ :::image type="content" source="media/application-observability/application-insights-performance-suggested-sample.png" alt-text="Screenshot of the Azure portal that shows the Select a sample operation pane with the suggested performance sample." lightbox="media/application-observability/application-insights-performance-suggested-sample.png"::: ++1. Go to the **End-to-end transaction details** page to view the full call stack in the right panel. ++ :::image type="content" source="media/application-observability/application-insights-e2e-performance.png" alt-text="Screenshot of the Azure portal that shows the End-to-end transaction details page with the Application Insights performance issue." lightbox="media/application-observability/application-insights-e2e-performance.png"::: +++## Next steps ++> [!div class="nextstepaction"] +> [Set up a staging environment](../enterprise/how-to-staging-environment.md) ++> [!div class="nextstepaction"] +> [Map an existing custom domain to Azure Spring Apps](../enterprise/how-to-custom-domain.md?toc=/azure/spring-apps/basic-standard/toc.json&bc=/azure/spring-apps/basic-standard/breadcrumb/toc.json) ++> [!div class="nextstepaction"] +> [Use TLS/SSL certificates](../enterprise/how-to-use-tls-certificate.md?toc=/azure/spring-apps/basic-standard/toc.json&bc=/azure/spring-apps/basic-standard/breadcrumb/toc.json) |
spring-apps | How To Access Data Plane Azure Ad Rbac | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/basic-standard/how-to-access-data-plane-azure-ad-rbac.md | + + Title: "Access Config Server and Service Registry" ++description: How to access Config Server and Service Registry Endpoints with Microsoft Entra role-based access control. ++++ Last updated : 08/25/2021++++# Access Config Server and Service Registry ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Basic/Standard ❌ Enterprise ++This article explains how to access the Spring Cloud Config Server and Spring Cloud Service Registry managed by Azure Spring Apps using Microsoft Entra role-based access control (RBAC). ++> [!NOTE] +> Applications deployed and running inside the Azure Spring Apps service are automatically wired up with certificate-based authentication and authorization when accessing the managed Spring Cloud Config Server and Service Registry. You don't need to follow this guidance for these applications. The related certificates are fully managed by the Azure Spring Apps platform, and are automatically injected in your application when connected to Config Server and Service Registry. ++<a name='assign-role-to-azure-ad-usergroup-msi-or-service-principal'></a> ++## Assign role to Microsoft Entra user/group, MSI, or service principal ++Assign the role to the [user | group | service-principal | managed-identity] at [management-group | subscription | resource-group | resource] scope. ++| Role name | Description | +|-|| +| Azure Spring Apps Config Server Reader | Allow read access to Azure Spring Apps Config Server. | +| Azure Spring Apps Config Server Contributor | Allow read, write, and delete access to Azure Spring Apps Config Server. | +| Azure Spring Apps Service Registry Reader | Allow read access to Azure Spring Apps Service Registry. | +| Azure Spring Apps Service Registry Contributor | Allow read, write, and delete access to Azure Spring Apps Service Registry. | ++For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md). ++## Access Config Server and Service Registry Endpoints ++After the role is assigned, the assignee can access the Spring Cloud Config Server and the Spring Cloud Service Registry endpoints using the following procedures: ++1. Get an access token. After a Microsoft Entra user is assigned the role, they can use the following commands to sign in to Azure CLI with user, service principal, or managed identity to get an access token. For details, see [Authenticate Azure CLI](/cli/azure/authenticate-azure-cli). ++ ```azurecli + az login + az account get-access-token + ``` ++1. Compose the endpoint. We support the default endpoints of the Spring Cloud Config Server and Spring Cloud Service Registry managed by Azure Spring Apps. ++ * *'https://SERVICE_NAME.svc.azuremicroservices.io/eureka/{path}'* + * *'https://SERVICE_NAME.svc.azuremicroservices.io/config/{path}'* ++ >[!NOTE] + > If you're using Microsoft Azure operated by 21Vianet, replace `*.azuremicroservices.io` with `*.microservices.azure.cn`. For more information, see the section [Check endpoints in Azure](/azure/china/resources-developer-guide#check-endpoints-in-azure) in the [Microsoft Azure operated by 21Vianet developer guide](/azure/china/resources-developer-guide). ++1. Access the composed endpoint with the access token. Put the access token in a header to provide authorization: `--header 'Authorization: Bearer {TOKEN_FROM_PREVIOUS_STEP}'`. ++ For example: ++ a. Access an endpoint like `https://SERVICE_NAME.svc.azuremicroservices.io/config/actuator/health` to see the health status of Config Server. ++ b. Access an endpoint like `https://SERVICE_NAME.svc.azuremicroservices.io/eureka/eureka/apps` to see the registered apps in Spring Cloud Service Registry (Eureka here). ++ If the response is `401 Unauthorized`, check to see if the role is successfully assigned. It will take several minutes for the role to take effect or to verify that the access token has not expired. ++For more information about actuator endpoint, see [Production ready endpoints](https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#production-ready-endpoints). ++For Eureka endpoints, see [Eureka-REST-operations](https://github.com/Netflix/eureka/wiki/Eureka-REST-operations) ++For config server endpoints and detailed path information, see [ResourceController.java](https://github.com/spring-cloud/spring-cloud-config/blob/main/spring-cloud-config-server/src/main/java/org/springframework/cloud/config/server/resource/ResourceController.java) and [EncryptionController.java](https://github.com/spring-cloud/spring-cloud-config/blob/main/spring-cloud-config-server/src/main/java/org/springframework/cloud/config/server/encryption/EncryptionController.java). ++## Register Spring Boot apps to Spring Cloud Config Server and Service Registry managed by Azure Spring Apps ++After the role is assigned, you can register Spring Boot apps to Spring Cloud Config Server and Service Registry managed by Azure Spring Apps with Microsoft Entra token authentication. Both Config Server and Service Registry support [custom REST template](https://cloud.spring.io/spring-cloud-config/reference/html/#custom-rest-template) to inject the bearer token for authentication. ++For more information, see the samples [Access Azure Spring Apps managed Config Server](https://github.com/Azure-Samples/azure-spring-apps-samples/tree/main/custom-config-server-client) and [Access Azure Spring Apps managed Service Registry](https://github.com/Azure-Samples/azure-spring-apps-samples/tree/main/custom-eureka-client). The following sections explain some important details in these samples. ++**In *AccessTokenManager.java*:** ++`AccessTokenManager` is responsible for getting an access token from Microsoft Entra ID. Configure the service principal's sign-in information in the *application.properties* file and initialize `ApplicationTokenCredentials` to get the token. You can find this file in both samples. ++```java +prop.load(in); +tokenClientId = prop.getProperty("access.token.clientId"); +String tenantId = prop.getProperty("access.token.tenantId"); +String secret = prop.getProperty("access.token.secret"); +String clientId = prop.getProperty("access.token.clientId"); +credentials = new ApplicationTokenCredentials( + clientId, tenantId, secret, AzureEnvironment.AZURE); +``` ++**In *CustomConfigServiceBootstrapConfiguration.java*:** ++`CustomConfigServiceBootstrapConfiguration` implements the custom REST template for Config Server and injects the token from Microsoft Entra ID as `Authorization` headers. You can find this file in the [Config Server sample](https://github.com/Azure-Samples/azure-spring-apps-samples/tree/main/custom-config-server-client). ++```java +public class RequestResponseHandlerInterceptor implements ClientHttpRequestInterceptor { ++ @Override + public ClientHttpResponse intercept(HttpRequest request, byte[] body, ClientHttpRequestExecution execution) throws IOException { + String accessToken = AccessTokenManager.getToken(); + request.getHeaders().remove(AUTHORIZATION); + request.getHeaders().add(AUTHORIZATION, "Bearer " + accessToken); ++ ClientHttpResponse response = execution.execute(request, body); + return response; + } ++} +``` ++**In *CustomRestTemplateTransportClientFactories.java*:** ++The previous two classes are for the implementation of the custom REST template for Spring Cloud Service Registry. The `intercept` part is the same as in the Config Server above. Be sure to add `factory.mappingJacksonHttpMessageConverter()` to the message converters. You can find this file in the [Spring Cloud Service Registry sample](https://github.com/Azure-Samples/azure-spring-apps-samples/tree/main/custom-eureka-client). ++```java +private RestTemplate customRestTemplate() { + /* + * Inject your custom rest template + */ + RestTemplate restTemplate = new RestTemplate(); + restTemplate.getInterceptors() + .add(new RequestResponseHandlerInterceptor()); + RestTemplateTransportClientFactory factory = new RestTemplateTransportClientFactory(); ++ restTemplate.getMessageConverters().add(0, factory.mappingJacksonHttpMessageConverter()); ++ return restTemplate; +} +``` ++If you're running applications on a Kubernetes cluster, we recommend that you use an IP address to register Spring Cloud Service Registry for access. ++```properties +eureka.instance.prefer-ip-address=true +``` ++## Next steps ++* [Authenticate Azure CLI](/cli/azure/authenticate-azure-cli) +* [Production ready endpoints](https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#production-ready-endpoints) +* [Create roles and permissions](../enterprise/how-to-permissions.md?toc=/azure/spring-apps/basic-standard/toc.json&bc=/azure/spring-apps/basic-standard/breadcrumb/toc.json) |
spring-apps | How To Appdynamics Java Agent Monitor | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/basic-standard/how-to-appdynamics-java-agent-monitor.md | + + Title: "How to monitor Spring Boot apps with the AppDynamics Java Agent (Preview)" ++description: How to use the AppDynamics Java agent to monitor Spring Boot applications in Azure Spring Apps. ++++ Last updated : 06/07/2022++ms.devlang: azurecli +++# How to monitor Spring Boot apps with the AppDynamics Java Agent ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Standard consumption and dedicated (Preview) ✔️ Basic/Standard ❌️ Enterprise ++This article explains how to use the AppDynamics Java Agent to monitor Spring Boot applications in Azure Spring Apps. ++With the AppDynamics Java Agent, you can: ++- Monitor applications +- Configure the AppDynamics Java Agent using environment variables +- Check all monitoring data from the AppDynamics dashboard ++The following video introduces the AppDynamics Java in-process agent. ++<br> ++> [!VIDEO https://www.youtube.com/embed/4dZuRX5bNAs] ++## Prerequisites ++* [Azure CLI](/cli/azure/install-azure-cli) +* [An AppDynamics account](https://www.appdynamics.com/) ++## Activate the AppDynamics Java in-process agent ++For the whole workflow, you need to: ++* Activate the AppDynamics Java in-process agent in Azure Spring Apps to generate application metrics data. +* Connect the AppDynamics Agent to the AppDynamics Controller to collect and visualize the data in the controller. ++![Diagram showing a Spring Boot application in 'Azure Spring Apps' box with a two-directional arrow connecting it to an 'AppDynamics Agent' box, which also has an arrow pointing to an 'AppDynamics Controller' box](media/how-to-appdynamics-java-agent-monitor/appdynamics-activation.jpg) ++### Activate an application with the AppDynamics Agent using the Azure CLI ++To activate an application through the Azure CLI, use the following steps. ++1. Create a resource group. +1. Create an instance of Azure Spring Apps. +1. Create an application using the following command. Replace the placeholders *\<...>* with your own values. ++ ```azurecli + az spring app create \ + --resource-group "<your-resource-group-name>" \ + --service "<your-Azure-Spring-Apps-instance-name>" \ + --name "<your-app-name>" \ + --is-public true + ``` ++1. Create a deployment with the AppDynamics Agent using environment variables. ++ ```azurecli + az spring app deploy \ + --resource-group "<your-resource-group-name>" \ + --service "<your-Azure-Spring-Apps-instance-name>" \ + --name "<your-app-name>" \ + --artifact-path app.jar \ + --jvm-options="-javaagent:/opt/agents/appdynamics/java/javaagent.jar" \ + --env APPDYNAMICS_AGENT_APPLICATION_NAME=<your-app-name> \ + APPDYNAMICS_AGENT_ACCOUNT_ACCESS_KEY=<your-agent-access-key> \ + APPDYNAMICS_AGENT_ACCOUNT_NAME=<your-agent-account-name> \ + APPDYNAMICS_JAVA_AGENT_REUSE_NODE_NAME=true \ + APPDYNAMICS_JAVA_AGENT_REUSE_NODE_NAME_PREFIX=<your-agent-node-name> \ + APPDYNAMICS_AGENT_TIER_NAME=<your-agent-tier-name> \ + APPDYNAMICS_CONTROLLER_HOST_NAME=<your-AppDynamics-controller-host-name> \ + APPDYNAMICS_CONTROLLER_SSL_ENABLED=true \ + APPDYNAMICS_CONTROLLER_PORT=443 + ``` ++Azure Spring Apps pre-installs the AppDynamics Java agent to the path */opt/agents/appdynamics/java/javaagent.jar*. You can activate the agent from your applications' JVM options, then configure the agent using environment variables. You can find values for these variables at [Monitor Azure Spring Apps with Java Agent](https://docs.appdynamics.com/21.11/en/application-monitoring/install-app-server-agents/java-agent/monitor-azure-spring-cloud-with-java-agent). For more information about how these variables help to view and organize reports in the AppDynamics UI, see [Tiers and Nodes](https://docs.appdynamics.com/21.9/en/application-monitoring/tiers-and-nodes). ++### Activate an application with the AppDynamics Agent using the Azure portal ++To activate an application through the Azure portal, use the following steps. ++1. Navigate to your Azure Spring Apps instance in the Azure portal. ++1. Select **Apps** in the **Settings** section of the navigation pane. ++ :::image type="content" source="media/how-to-appdynamics-java-agent-monitor/azure-spring-cloud-app-list.png" alt-text="Screenshot of the Azure portal showing the Apps page for an Azure Spring Apps instance." lightbox="media/how-to-appdynamics-java-agent-monitor/azure-spring-cloud-app-list.png"::: ++1. Select the app, and then select **Configuration** in the navigation pane. ++1. Use the **General settings** tab to update values such as the JVM options. ++ :::image type="content" source="media/how-to-appdynamics-java-agent-monitor/azure-spring-cloud-app-configuration-general.png" alt-text="Screenshot of the Azure portal showing the Configuration page for an app in an Azure Spring Apps instance, with the General settings tab selected." lightbox="media/how-to-appdynamics-java-agent-monitor/azure-spring-cloud-app-configuration-general.png"::: ++1. Select **Environment variables** to add or update the variables used by your application. ++ :::image type="content" source="media/how-to-appdynamics-java-agent-monitor/azure-spring-cloud-app-configuration-env.png" alt-text="Screenshot of the Azure portal showing the Configuration page for an app in an Azure Spring Apps instance, with the Environment variables tab selected." lightbox="media/how-to-appdynamics-java-agent-monitor/azure-spring-cloud-app-configuration-env.png"::: ++## Automate provisioning ++You can also run a provisioning automation pipeline using Terraform, Bicep, or Azure Resource Manager template (ARM template). This pipeline can provide a complete hands-off experience to instrument and monitor any new applications that you create and deploy. ++### Automate provisioning using Terraform ++To configure the environment variables in a Terraform template, add the following code to the template, replacing the *\<...>* placeholders with your own values. For more information, see [Manages an Active Azure Spring Apps Deployment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/spring_cloud_active_deployment). ++```terraform +resource "azurerm_spring_cloud_java_deployment" "example" { + ... + jvm_options = "-javaagent:/opt/agents/appdynamics/java/javaagent.jar" + ... + environment_variables = { + "APPDYNAMICS_AGENT_APPLICATION_NAME" : "<your-app-name>", + "APPDYNAMICS_AGENT_ACCOUNT_ACCESS_KEY" : "<your-agent-access-key>", + "APPDYNAMICS_AGENT_ACCOUNT_NAME" : "<your-agent-account-name>", + "APPDYNAMICS_JAVA_AGENT_REUSE_NODE_NAME" : "true", + "APPDYNAMICS_JAVA_AGENT_REUSE_NODE_NAME_PREFIX" : "<your-agent-node-name>", + "APPDYNAMICS_AGENT_TIER_NAME" : "<your-agent-tier-name>", + "APPDYNAMICS_CONTROLLER_HOST_NAME" : "<your-AppDynamics-controller-host-name>", + "APPDYNAMICS_CONTROLLER_SSL_ENABLED" : "true", + "APPDYNAMICS_CONTROLLER_PORT" : "443" + } +} +``` ++### Automate provisioning using Bicep ++To configure the environment variables in a Bicep file, add the following code to the file, replacing the *\<...>* placeholders with your own values. For more information, see [Microsoft.AppPlatform Spring/apps/deployments](/azure/templates/microsoft.appplatform/spring/apps/deployments?tabs=bicep). ++```bicep +deploymentSettings: { + environmentVariables: { + APPDYNAMICS_AGENT_APPLICATION_NAME : '<your-app-name>' + APPDYNAMICS_AGENT_ACCOUNT_ACCESS_KEY : '<your-agent-access-key>' + APPDYNAMICS_AGENT_ACCOUNT_NAME : '<your-agent-account-name>' + APPDYNAMICS_JAVA_AGENT_REUSE_NODE_NAME : 'true' + APPDYNAMICS_JAVA_AGENT_REUSE_NODE_NAME_PREFIX : '<your-agent-node-name>' + APPDYNAMICS_AGENT_TIER_NAME : '<your-agent-tier-name>' + APPDYNAMICS_CONTROLLER_HOST_NAME : '<your-AppDynamics-controller-host-name>' + APPDYNAMICS_CONTROLLER_SSL_ENABLED : 'true' + APPDYNAMICS_CONTROLLER_PORT : '443' + } + jvmOptions: '-javaagent:/opt/agents/appdynamics/java/javaagent.jar' +} +``` ++### Automate provisioning using an ARM template ++To configure the environment variables in an ARM template, add the following code to the template, replacing the *\<...>* placeholders with your own values. For more information, see [Microsoft.AppPlatform Spring/apps/deployments](/azure/templates/microsoft.appplatform/spring/apps/deployments?tabs=json). ++```JSON +"deploymentSettings": { + "environmentVariables": { + "APPDYNAMICS_AGENT_APPLICATION_NAME" : "<your-app-name>", + "APPDYNAMICS_AGENT_ACCOUNT_ACCESS_KEY" : "<your-agent-access-key>", + "APPDYNAMICS_AGENT_ACCOUNT_NAME" : "<your-agent-account-name>", + "APPDYNAMICS_JAVA_AGENT_REUSE_NODE_NAME" : "true", + "APPDYNAMICS_JAVA_AGENT_REUSE_NODE_NAME_PREFIX" : "<your-agent-node-name>", + "APPDYNAMICS_AGENT_TIER_NAME" : "<your-agent-tier-name>", + "APPDYNAMICS_CONTROLLER_HOST_NAME" : "<your-AppDynamics-controller-host-name>", + "APPDYNAMICS_CONTROLLER_SSL_ENABLED" : "true", + "APPDYNAMICS_CONTROLLER_PORT" : "443" + }, + "jvmOptions": "-javaagent:/opt/agents/appdynamics/java/javaagent.jar", + ... +} +``` ++## Review reports in the AppDynamics dashboard ++This section shows various reports in AppDynamics. ++The following screenshot shows an overview of your apps in the AppDynamics dashboard: +++The **Application Dashboard** shows the overall information for each of your apps, as shown in the following screenshots using example applications: ++- `api-gateway` ++ :::image type="content" source="media/how-to-appdynamics-java-agent-monitor/appdynamics-dashboard-api-gateway.jpg" alt-text="AppDynamics screenshot showing the Application Dashboard for the example api-gateway app." lightbox="media/how-to-appdynamics-java-agent-monitor/appdynamics-dashboard-api-gateway.jpg"::: ++- `customers-service` ++ :::image type="content" source="media/how-to-appdynamics-java-agent-monitor/appdynamics-dashboard-customers-service.jpg" alt-text="AppDynamics screenshot showing the Application Dashboard for the example customers-service app." lightbox="media/how-to-appdynamics-java-agent-monitor/appdynamics-dashboard-customers-service.jpg"::: ++The following screenshot shows how you can get basic information from the **Database Calls** dashboard. +++You can also get information about the slowest database calls, as shown in these screenshots: ++++The following screenshot shows memory usage analysis in the **Heap** section of the **Memory** page: +++You can also see the garbage collection process, as shown in this screenshot: +++The following screenshot shows the **Slow Transactions** page: +++You can define more metrics for the JVM, as shown in this screenshot of the **Metric Browser**: +++## View AppDynamics Agent logs ++By default, Azure Spring Apps will print the *info* level logs of the AppDynamics Agent to `STDOUT`. The logs will be mixed with the application logs. You can find the explicit agent version from the application logs. ++You can also get the logs of the AppDynamics Agent from the following locations: ++* Azure Spring Apps logs +* Azure Spring Apps Application Insights +* Azure Spring Apps LogStream ++## Learn about AppDynamics Agent upgrade ++The AppDynamics Agent will be upgraded regularly with JDK (quarterly). Agent upgrade may affect the following scenarios: ++* Existing applications using AppDynamics Agent before upgrade will be unchanged, but will require restart or redeploy to engage the new version of AppDynamics Agent. +* Applications created after upgrade will use the new version of AppDynamics Agent. ++## Configure virtual network injection instance outbound traffic ++For virtual network injection instances of Azure Spring Apps, make sure the outbound traffic is configured correctly for AppDynamics Agent. For details, see [SaaS Domains and IP Ranges](https://docs.appdynamics.com/display/PA?toc=/azure/spring-apps/basic-standard/toc.json&bc=/azure/spring-apps/basic-standard/breadcrumb/toc.json). ++## Understand the limitations ++To understand the limitations of the AppDynamics Agent, see [Monitor Azure Spring Apps with Java Agent](https://docs.appdynamics.com/21.11/en/application-monitoring/install-app-server-agents/java-agent/monitor-azure-spring-cloud-with-java-agent). ++## Next steps ++[Use Application Insights Java In-Process Agent in Azure Spring Apps](../enterprise/how-to-application-insights.md?pivots=sc-standard&toc=/azure/spring-apps/basic-standard/toc.json&bc=/azure/spring-apps/basic-standard/breadcrumb/toc.json) |
spring-apps | How To Built In Persistent Storage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/basic-standard/how-to-built-in-persistent-storage.md | + + Title: Use built-in persistent storage in Azure Spring Apps | Microsoft Docs +description: Learn how to use built-in persistent storage in Azure Spring Apps +++ Last updated : 10/28/2021+++++# Use built-in persistent storage in Azure Spring Apps ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Java ✔️ C# ++**This article applies to:** ✔️ Basic/Standard ❌ Enterprise ++Azure Spring Apps provides two types of built-in storage for your application: persistent and temporary. ++By default, Azure Spring Apps provides temporary storage for each application instance. Temporary storage is limited to 5 GB per instance with */tmp* as the default mount path. ++> [!WARNING] +> If you restart an application instance, the associated temporary storage is permanently deleted. ++Persistent storage is a file-share container managed by Azure and allocated per application. All instances of an application share data stored in persistent storage. An Azure Spring Apps instance can have a maximum of 10 applications with persistent storage enabled. Each application is allocated 50 GB of persistent storage. The default mount path for persistent storage is */persistent*. ++## Enable or disable built-in persistent storage ++You can enable or disable built-in persistent storage using the Azure portal or Azure CLI. ++#### [Portal](#tab/azure-portal) ++Use the following steps to enable or disable built-in persistent storage using the Azure portal. ++1. Go to your Azure Spring Apps instance in the Azure portal. ++1. Select **Apps** to view apps for your service instance, and then select an app to display the app's **Overview** page. ++ :::image type="content" source="media/how-to-built-in-persistent-storage/app-selected.png" lightbox="media/how-to-built-in-persistent-storage/app-selected.png" alt-text="Screenshot of Azure portal showing the Apps page."::: ++1. On the **Overview** page, select **Configuration**. ++ :::image type="content" source="media/how-to-built-in-persistent-storage/select-configuration.png" lightbox="media/how-to-built-in-persistent-storage/select-configuration.png" alt-text="Screenshot of Azure portal showing details for an app."::: ++1. On the **Configuration** page, select **Persistent Storage**. ++ :::image type="content" source="media/how-to-built-in-persistent-storage/select-persistent-storage.png" lightbox="media/how-to-built-in-persistent-storage/select-persistent-storage.png" alt-text="Screenshot of Azure portal showing the Configuration page."::: ++1. On the **Persistent Storage** tab, select **Enable** to enable persistent storage, or **Disable** to disable persistent storage. ++ :::image type="content" source="media/how-to-built-in-persistent-storage/enable-persistent-storage.png" lightbox="media/how-to-built-in-persistent-storage/enable-persistent-storage.png" alt-text="Screenshot of Azure portal showing the Persistent Storage tab."::: ++If persistent storage is enabled, the **Persistent Storage** tab displays the storage size and path. ++#### [Azure CLI](#tab/azure-cli) ++If necessary, install the Azure Spring Apps extension for the Azure CLI using this command: ++```azurecli +az extension add --name spring +``` ++Other operations: ++- To create an app with built-in persistent storage enabled: ++ ```azurecli + az spring app create -n <app> -g <resource-group> -s <service-name> --enable-persistent-storage true + ``` ++- To enable built-in persistent storage for an existing app: ++ ```azurecli + az spring app update -n <app> -g <resource-group> -s <service-name> --enable-persistent-storage true + ``` ++- To disable built-in persistent storage in an existing app: ++ ```azurecli + az spring app update -n <app> -g <resource-group> -s <service-name> --enable-persistent-storage false + ``` ++++> [!WARNING] +> If you disable an application's persistent storage, all of that storage is deallocated and all of the stored data is permanently lost. ++## Next steps ++- [Quotas and service plans for Azure Spring Apps](../enterprise/quotas.md?toc=/azure/spring-apps/basic-standard/toc.json&bc=/azure/spring-apps/basic-standard/breadcrumb/toc.json) +- [Scale an application in Azure Spring Apps](../enterprise/how-to-scale-manual.md?toc=/azure/spring-apps/basic-standard/toc.json&bc=/azure/spring-apps/basic-standard/breadcrumb/toc.json) |
spring-apps | How To Config Server | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/basic-standard/how-to-config-server.md | + + Title: Configure your managed Spring Cloud Config Server in Azure Spring Apps +description: Learn how to configure a managed Spring Cloud Config Server in Azure Spring Apps on the Azure portal ++++ Last updated : 12/10/2021++++# Configure a managed Spring Cloud Config Server in Azure Spring Apps ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Java ✔️ C# ++**This article applies to:** ✔️ Standard consumption and dedicated (Preview) ✔️ Basic/Standard ❌ Enterprise ++This article shows you how to configure a managed Spring Cloud Config Server in Azure Spring Apps service. ++Spring Cloud Config Server provides server and client-side support for an externalized configuration in a distributed system. The Config Server instance provides a central place to manage external properties for applications across all environments. For more information, see the [Spring Cloud Config documentation](https://spring.io/projects/spring-cloud-config). ++> [!NOTE] +> To use config server in the Standard consumption and dedicated plan, you must enable it first. For more information, see [Enable and disable Spring Cloud Config Server in Azure Spring Apps](../consumption-dedicated/quickstart-standard-consumption-config-server.md). ++## Prerequisites ++- An Azure subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. +- An already provisioned and running Azure Spring Apps service instance using the Basic or Standard plan. To set up and launch an Azure Spring Apps service, see [Quickstart: Deploy your first application to Azure Spring Apps](../enterprise/quickstart.md?pivots=sc-standard&toc=/azure/spring-apps/basic-standard/toc.json&bc=/azure/spring-apps/basic-standard/breadcrumb/toc.json). Spring Cloud Config Server isn't applicable to the Enterprise plan. +- [Git](https://git-scm.com/downloads). ++## Restriction ++There are some restrictions when you use Config Server with a Git back end. The following properties are automatically injected into your application environment to access Config Server and Service Discovery. If you also configure those properties from your Config Server files, you might experience conflicts and unexpected behavior. ++```yaml +eureka.client.service-url.defaultZone +eureka.client.tls.keystore +eureka.instance.preferIpAddress +eureka.instance.instance-id +server.port +spring.cloud.config.tls.keystore +spring.config.import +spring.application.name +spring.jmx.enabled +management.endpoints.jmx.exposure.include +``` ++> [!CAUTION] +> Don't put these properties in your Config Server application files. ++## Create your Config Server files ++Azure Spring Apps supports Azure DevOps Server, GitHub, GitLab, and Bitbucket for storing your Config Server files. When your repository is ready, you can create the configuration files and store them there. ++Some configurable properties are available only for certain types. The following sections describe the properties for each repository type. ++> [!NOTE] +> Config Server takes `master` (on Git) as the default label if you don't specify one. However, GitHub has recently changed the default branch from `master` to `main`. To avoid Azure Spring Apps Config Server failure, be sure to pay attention to the default label when setting up Config Server with GitHub, especially for newly-created repositories. ++### Public repository ++When you use a public repository, your configurable properties are more limited than with a private repository. ++The following table lists the configurable properties that you can use to set up a public Git repository. ++> [!NOTE] +> Using a hyphen (-) to separate words is the only naming convention that's currently supported. For example, you can use *default-label*, but not *defaultLabel*. ++| Property | Required | Feature | +|:-|-|| +| `uri` | Yes | The URI of the Git repository that's used as the Config Server back end. Should begin with `http://`, `https://`, `git@`, or `ssh://`. | +| `default-label` | No | The default label of the Git repository. Should be the branch name, tag name, or commit ID of the repository. | +| `search-paths` | No | An array of strings that are used to search subdirectories of the Git repository. | ++### Private repository with SSH authentication ++The following table lists the configurable properties that you can use to set up a private Git repository with SSH. ++> [!NOTE] +> Using a hyphen (-) to separate words is the only naming convention that's currently supported. For example, you can use *default-label*, but not *defaultLabel*. ++| Property | Required | Feature | +|:|-|| +| `uri` | Yes | The URI of the Git repository used as the Config Server back end. Should begin with `http://`, `https://`, `git@`, or `ssh://`. | +| `default-label` | No | The default label of the Git repository. Should be the branch name, tag name, or commit ID of the repository. | +| `search-paths` | No | An array of strings used to search subdirectories of the Git repository. | +| `private-key` | No | The SSH private key to access the Git repository. Required when the URI starts with `git@` or `ssh://`. | +| `host-key` | No | The host key of the Git repository server. Shouldn't include the algorithm prefix as covered by `host-key-algorithm`. | +| `host-key-algorithm` | No | The host key algorithm. Should be *ssh-dss*, *ssh-rsa*, *ecdsa-sha2-nistp256*, *ecdsa-sha2-nistp384*, or *ecdsa-sha2-nistp521*. Required only if `host-key` exists. | +| `strict-host-key-checking` | No | Indicates whether the Config Server instance fails to start when using the private `host-key`. Should be *true* (default value) or *false*. | ++### Private repository with basic authentication ++The following table lists the configurable properties that you can use to set up a private Git repository with basic authentication. ++> [!NOTE] +> Using a hyphen (-) to separate words is the only naming convention that's currently supported. For example, use *default-label*, not *defaultLabel*. ++| Property | Required | Feature | +|:-|-|-| +| `uri` | Yes | The URI of the Git repository that's used as the Config Server back end. Should begin with `http://`, `https://`, `git@`, or `ssh://`. | +| `default-label` | No | The default label of the Git repository. Should be the *branch name*, *tag name*, or *commit-id* of the repository. | +| `search-paths` | No | An array of strings used to search subdirectories of the Git repository. | +| `username` | No | The username that's used to access the Git repository server. Required when the Git repository server supports HTTP basic authentication. | +| `password` | No | The password or personal access token used to access the Git repository server. Required when the Git repository server supports HTTP basic authentication. | ++> [!NOTE] +> Many Git repository servers support the use of tokens rather than passwords for HTTP basic authentication. Some repositories allow tokens to persist indefinitely. However, some Git repository servers, including Azure DevOps Server, force tokens to expire in a few hours. Repositories that cause tokens to expire shouldn't use token-based authentication with Azure Spring Apps. If you use such a token, remember to update it before it expires. +> +> GitHub has removed support for password authentication, so you need to use a personal access token instead of password authentication for GitHub. For more information, see [Token authentication requirements for Git operations](https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/). ++### Other Git repositories ++The following table lists the configurable properties you can use to set up Git repositories with a pattern. ++> [!NOTE] +> Using a hyphen (-) to separate words is the only naming convention that's currently supported. For example, use *default-label*, not *defaultLabel*. ++| Property | Required | Feature | +|:--|-|| +| `repos` | No | A map consisting of the settings for a Git repository with a given name. | +| `repos."uri"` | Yes on `repos` | The URI of the Git repository that's used as the Config Server back end. Should begin with `http://`, `https://`, `git@`, or `ssh://`. | +| `repos."name"` | Yes on `repos` | A name to identify the repository; for example, *team-A* or *team-B*. Required only if `repos` exists. | +| `repos."pattern"` | No | An array of strings used to match an application name. For each pattern, use the format *{application}/{profile}* format with wildcards. | +| `repos."default-label"` | No | The default label of the Git repository. Should be the branch name, tag name, or commit IOD of the repository. | +| `repos."search-paths`" | No | An array of strings used to search subdirectories of the Git repository. | +| `repos."username"` | No | The username used to access the Git repository server. Required when the Git repository server supports HTTP basic authentication. | +| `repos."password"` | No | The password or personal access token used to access the Git repository server. Required when the Git repository server supports HTTP basic authentication. | +| `repos."private-key"` | No | The SSH private key to access Git repository. Required when the URI begins with `git@` or `ssh://`. | +| `repos."host-key"` | No | The host key of the Git repository server. Shouldn't include the algorithm prefix as covered by `host-key-algorithm`. | +| `repos."host-key-algorithm"` | No | The host key algorithm. Should be *ssh-dss*, *ssh-rsa*, *ecdsa-sha2-nistp256*, *ecdsa-sha2-nistp384*, or *ecdsa-sha2-nistp521*. Required only if `host-key` exists. | +| `repos."strict-host-key-checking"` | No | Indicates whether the Config Server instance fails to start when using the private `host-key`. Should be *true* (default value) or *false*. | ++The following table shows some examples of patterns for configuring your service with an optional extra repository. For more information, see the [Extra repositories](#extra-repositories) section and the [Pattern Matching and Multiple Repositories section](https://cloud.spring.io/spring-cloud-config/reference/html/#_pattern_matching_and_multiple_repositories) of the Spring documentation. ++| Patterns | Description | +|:--|| +| *test-config-server-app-0/\** | The pattern and repository URI matches a Spring boot application named `test-config-server-app-0` with any profile. | +| *test-config-server-app-1/dev* | The pattern and repository URI matches a Spring boot application named `test-config-server-app-1` with a dev profile. | +| *test-config-server-app-2/prod* | The pattern and repository URI matches a Spring boot application named `test-config-server-app-2` with a prod profile. | +++## Attach your Config Server repository to Azure Spring Apps ++Now that your configuration files are saved in a repository, use the following steps to connect Azure Spring Apps to the repository. ++1. Sign in to the [Azure portal](https://portal.azure.com). ++1. Go to your Azure Spring Apps **Overview** page. ++1. Select **Config Server** in the left navigation pane. ++1. In the **Default repository** section, set **URI** to `https://github.com/Azure-Samples/piggymetrics-config`. ++1. Select **Validate**. ++ :::image type="content" source="media/how-to-config-server/portal-config.png" lightbox="media/how-to-config-server/portal-config.png" alt-text="Screenshot of Azure portal showing the Config Server page."::: ++1. When validation is complete, select **Apply** to save your changes. ++ :::image type="content" source="media/how-to-config-server/validate-complete.png" lightbox="media/how-to-config-server/validate-complete.png" alt-text="Screenshot of Azure portal showing Config Server page with Apply button highlighted."::: ++Updating the configuration can take a few minutes. You should get a notification when the configuration is complete. ++### Enter repository information directly to the Azure portal ++You can enter repository information for the default repository and, optionally, for extra repositories. ++#### Default repository ++Use the steps in this section to enter repository information for a public or private repository. ++- **Public repository**: In the **Default repository** section, in the **Uri** box, paste the repository URI. Enter *config* for the **Label** setting. Ensure that the **Authentication** setting is *Public*, and then select **Apply**. ++- **Private repository**: Azure Spring Apps supports basic password/token-based authentication and SSH. ++ - **Basic Authentication**: In the **Default repository** section, in the **Uri** box, paste the repository URI, and then select the setting under **Authentication** to open the **Edit Authentication** pane. In the **Authentication type** drop-down list, select **HTTP Basic**, and then enter your username and password/token to grant access to Azure Spring Apps. Select **OK**, and then select **Apply** to finish setting up your Config Server instance. ++ :::image type="content" source="media/how-to-config-server/basic-auth.png" lightbox="media/how-to-config-server/basic-auth.png" alt-text="Screenshot of the Default repository section showing authentication settings for Basic authentication."::: ++ > [!NOTE] + > Many Git repository servers support the use of tokens rather than passwords for HTTP basic authentication. Some repositories allow tokens to persist indefinitely. However, some Git repository servers, including Azure DevOps Server, force tokens to expire in a few hours. Repositories that cause tokens to expire shouldn't use token-based authentication with Azure Spring Apps. If you use such a token, remember to update it before it expires. + > + > GitHub has removed support for password authentication, so you need to use a personal access token instead of password authentication for GitHub. For more information, see [Token authentication requirements for Git operations](https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/). ++ - **SSH**: In the **Default repository** section, in the **Uri** box, paste the repository URI, and then select the setting under **Authentication** to open the **Edit Authentication** pane. In the **Edit Authentication** pane, in the **Authentication type** drop-down list, select **SSH**, and then enter your private key. Optionally, specify your host key and host key algorithm. Include your public key in your Config Server repository. Select **OK**, and then select **Apply** to finish setting up your Config Server instance. ++ :::image type="content" source="media/how-to-config-server/ssh-auth.png" lightbox="media/how-to-config-server/ssh-auth.png" alt-text="Screenshot of the Default repository section showing authentication settings for SSH authentication."::: ++#### Extra repositories ++If you want to configure your service with an optional extra repository, specify the **Uri** and **Authentication** settings as you did for the default repository. Be sure to include a **Name** setting for your pattern, and then select **Apply** to attach it to your instance. ++### Enter repository information into a YAML file ++If you've written a YAML file with your repository settings, you can import the file directly from your local machine to Azure Spring Apps. The following example shows a simple YAML file for a private repository with basic authentication. ++```yaml +spring: + cloud: + config: + server: + git: + uri: https://github.com/azure-spring-apps-samples-pr/config-server-repository.git + username: <username> + password: <password/token> +``` ++Select the **Import settings** button, and then select the YAML file from your project directory. Select **Import**. +++Your **Notifications** displays an `async` operation. Config Server should report success after 1-2 minutes. The information from your YAML file displays in the Azure portal. Select **Apply** to finish the import. ++## Use Azure Repos for Azure Spring Apps configuration ++Azure Spring Apps can access Git repositories that are public, secured by SSH, or secured using HTTP basic authentication. HTTP basic authentication is the easiest of the options for creating and managing repositories with Azure Repos. ++### Get repo URL and credentials ++Use the following steps to get your repo URL and credentials. ++1. In the Azure Repos portal for your project, select the **Clone** button: ++1. Copy the clone URL from the textbox. This URL is typically in the following form: ++ ```text + https://<organization name>@dev.azure.com/<organization name>/<project name>/_git/<repository name> + ``` ++ Remove everything after `https://` and before `dev.azure.com`, including the `@` symbol. The resulting URL should be in the following form: ++ ```text + https://dev.azure.com/<organization name>/<project name>/_git/<repository name> + ``` ++ Save this URL for use in the next section. ++1. Select **Generate Git Credentials** to display a username and password, which should be saved for use in the following section. ++### Configure Azure Spring Apps to access the Git repository ++1. Sign in to the [Azure portal](https://portal.azure.com). ++1. Go to your Azure Spring Apps **Overview** page. ++1. Select the service to configure. ++1. In the left pane of the service page under **Settings**, select the **Config Server** tab. Configure the repository you created, as follows: ++ - Add the repository URI that you saved in the previous section. + - Select the setting under **Authentication** to open the **Edit Authentication** pane. + - For **Authentication type**, select **HTTP Basic**. + - For **Username**, specify the user name that you saved in the previous section. + - For **Password**, specify the password that you saved in the previous section. + - Select **OK**, and then wait for the operation to complete. ++ :::image type="content" source="media/how-to-config-server/config-server-azure-repos.png" lightbox="media/how-to-config-server/config-server-azure-repos.png" alt-text="Screenshot of repository configuration settings."::: ++## Delete your configuration ++Select **Reset** on the **Config Server** tab to erase your existing settings. Delete the config server settings if you want to connect your Config Server instance to another source, such as when you're moving from GitHub to Azure DevOps Server. ++## Config Server refresh ++When properties are changed, services consuming those properties must be notified before changes can be made. The default solution for Spring Cloud Config Server is to manually trigger the refresh event, which may not be feasible if there are many app instances. For more information, see [Centralized Configuration](https://spring.io/guides/gs/centralized-configuration/) ++Instead, you can automatically refresh values from Config Server by letting the config client poll for changes based on a refresh internal. Use the following steps to automatically refresh values from Config Server. ++1. Register a scheduled task to refresh the context in a given interval, as shown in the following example. ++ ```java + @ConditionalOnBean({RefreshEndpoint.class}) + @Configuration + @AutoConfigureAfter({RefreshAutoConfiguration.class, RefreshEndpointAutoConfiguration.class}) + @EnableScheduling + public class ConfigClientAutoRefreshConfiguration implements SchedulingConfigurer { + @Value("${spring.cloud.config.refresh-interval:60}") + private long refreshInterval; + @Value("${spring.cloud.config.auto-refresh:false}") + private boolean autoRefresh; + private RefreshEndpoint refreshEndpoint; + public ConfigClientAutoRefreshConfiguration(RefreshEndpoint refreshEndpoint) { + this.refreshEndpoint = refreshEndpoint; + } + @Override + public void configureTasks(ScheduledTaskRegistrar scheduledTaskRegistrar) { + if (autoRefresh) { + // set minimal refresh interval to 5 seconds + refreshInterval = Math.max(refreshInterval, 5); + scheduledTaskRegistrar.addFixedRateTask(() -> refreshEndpoint.refresh(), refreshInterval * 1000); + } + } + } + ``` ++1. Enable autorefresh and set the appropriate refresh interval in your *application.yml* file. In the following example, the client polls for configuration changes every 60 seconds, which is the minimum value you can set for a refresh interval. ++ By default, autorefresh is set to *false* and the refresh-interval is set to *60 seconds*. ++ ```yaml + spring: + cloud: + config: + auto-refresh: true + refresh-interval: 60 + management: + endpoints: + web: + exposure: + include: + - refresh + ``` ++1. Add @RefreshScope in your code. In the following example, the variable `connectTimeout` is automatically refreshed every 60 seconds. ++ ```java + @RestController + @RefreshScope + public class HelloController { + @Value("${timeout:4000}") + private String connectTimeout; + } + ``` ++For more information, see the [config-client-polling](https://github.com/Azure-Samples/azure-spring-apps-samples/tree/main/config-client-polling) sample. ++## Next steps ++In this article, you learned how to enable and configure your Spring Cloud Config Server instance. To learn more about managing your application, see [Scale an application in Azure Spring Apps](../enterprise/how-to-scale-manual.md?toc=/azure/spring-apps/basic-standard/toc.json&bc=/azure/spring-apps/basic-standard/breadcrumb/toc.json). |
spring-apps | How To Dynatrace One Agent Monitor | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/basic-standard/how-to-dynatrace-one-agent-monitor.md | + + Title: How to monitor Spring Boot apps with Dynatrace Java OneAgent +description: How to use Dynatrace Java OneAgent to monitor Spring Boot applications in Azure Spring Apps ++++ Last updated : 06/07/2022++ms.devlang: azurecli +++# How to monitor Spring Boot apps with Dynatrace Java OneAgent ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Standard consumption and dedicated (Preview) ✔️ Basic/Standard ❌️ Enterprise ++This article shows you how to use Dynatrace OneAgent to monitor Spring Boot applications in Azure Spring Apps. ++With the Dynatrace OneAgent, you can: ++* Monitor apps with the Dynatrace OneAgent. +* Configure the Dynatrace OneAgent by using environment variables. +* Check all monitoring data from Dynatrace dashboard. ++The following video introduces Dynatrace OneAgent. ++<br> ++> [!VIDEO https://www.youtube.com/embed/PF0_SxuiZ2w] ++## Prerequisites ++* [Azure CLI](/cli/azure/install-azure-cli) +* [A Dynatrace account](https://www.dynatrace.com/) +* [A Dynatrace PaaS token and tenant token](https://www.dynatrace.com/support/help/reference/dynatrace-concepts/access-tokens/) ++## Activate Dynatrace OneAgent ++The following sections describe how to activate Dynatrace OneAgent. ++### Prepare your Azure Spring Apps environment ++1. Create an instance of Azure Spring Apps. +1. Create an application that you want to report to Dynatrace by running the following command. Replace the placeholders *\<...>* with your own values. + ```azurecli + az spring app create \ + --resource-group <your-resource-group-name> \ + --service <your-Azure-Spring-Apps-name> \ + --name <your-application-name> \ + --is-public true + ``` ++### Determine the values for the required environment variables ++To activate Dynatrace OneAgent on your Azure Spring Apps instance, you need to configure four environment variables: `DT_TENANT`, `DT_TENANTTOKEN`, `DT_CONNECTION_POINT`, and `DT_CLUSTER_ID`. For more information, see [Integrate OneAgent with Azure Spring Apps](https://www.dynatrace.com/support/help/shortlink/azure-spring). ++For applications with multiple instances, Dynatrace has several ways to group them. `DT_CLUSTER_ID` is one of the ways. For more information, see [Process group detection](https://www.dynatrace.com/support/help/how-to-use-dynatrace/process-groups/configuration/pg-detection). ++### Add the environment variables to your application ++You can add the environment variable key/value pairs to your application using either the Azure portal or the Azure CLI. ++#### Option 1: Azure CLI ++To add the key/value pairs using the Azure CLI, run the following command, replacing the placeholders *\<...>* with the values determined in the previous steps. ++```azurecli +az spring app deploy \ + --resource-group <your-resource-group-name> \ + --service <your-Azure-Spring-Apps-name> \ + --name <your-application-name> \ + --artifact-path app.jar \ + --env \ + DT_TENANT=<your-environment-ID> \ + DT_TENANTTOKEN=<your-tenant-token> \ + DT_CONNECTION_POINT=<your-communication-endpoint> +``` ++#### Option 2: Azure portal ++To add the key/value pairs using the Azure portal, use the following steps: ++1. In your Azure Spring Apps instance, select **Apps** in the navigation pane. ++ :::image type="content" source="media/how-to-dynatrace-one-agent-monitor/existing-applications.png" alt-text="Screenshot of the Azure portal showing the Apps page for an Azure Spring Apps instance." lightbox="media/how-to-dynatrace-one-agent-monitor/existing-applications.png"::: ++1. Select the application from the list, and then select **Configuration** in the navigation pane. ++1. Use the **Environment variables** tab to add or update the variables used by your application. ++ :::image type="content" source="media/how-to-dynatrace-one-agent-monitor/configuration-application.png" alt-text="Screenshot of the Azure portal showing the Configuration page for an app with the Environment variables tab selected." lightbox="media/how-to-dynatrace-one-agent-monitor/configuration-application.png"::: ++## Automate provisioning ++Using Terraform, Bicep, or Azure Resource Manager template (ARM template), you can also run a provisioning automation pipeline. This pipeline can provide a complete hands-off experience to instrument and monitor any new applications that you create and deploy. ++### Automate provisioning using Terraform ++To configure the environment variables in a Terraform template, add the following code to the template, replacing the *\<...>* placeholders with your own values. For more information, see [Manages an Active Azure Spring Apps Deployment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/spring_cloud_active_deployment). ++```terraform +environment_variables = { + "DT_TENANT": "<your-environment-ID>", + "DT_TENANTTOKEN": "<your-tenant-token>", + "DT_CONNECTION_POINT": "<your-communication-endpoint>", + "DT_CLUSTER_ID": "<your-cluster-ID>" +} +``` ++### Automate provisioning using a Bicep file ++To configure the environment variables in a Bicep file, add the following code to the file, replacing the *\<...>* placeholders with your own values. For more information, see [Microsoft.AppPlatform Spring/apps/deployments](/azure/templates/microsoft.appplatform/spring/apps/deployments?tabs=bicep). ++```bicep +environmentVariables: { + DT_TENANT: '<your-environment-ID>' + DT_TENANTTOKEN: '<your-tenant-token>' + DT_CONNECTION_POINT: '<your-communication-endpoint>' + DT_CLUSTER_ID: '<your-cluster-ID>' +} +``` ++### Automate provisioning using an ARM template ++To configure the environment variables in an ARM template, add the following code to the template, replacing the *\<...>* placeholders with your own values. For more information, see [Microsoft.AppPlatform Spring/apps/deployments](/azure/templates/microsoft.appplatform/spring/apps/deployments?tabs=json). ++```json +"environmentVariables": { + "DT_TENANT": "<your-environment-ID>", + "DT_TENANTTOKEN": "<your-tenant-token>", + "DT_CONNECTION_POINT": "<your-communication-endpoint>", + "DT_CLUSTER_ID": "<your-cluster-ID>" +} +``` ++## View reports in Dynatrace ++This section describes how to find various reports in Dynatrace. ++> [!NOTE] +> The Dynatrace menu and user interface will evolve gradually. For this reason, the dashboard may be moved to other sections in the Dynatrace website, and the following screenshots may not reflect the current version of the user interface. ++After you add the environment variables to your application, Dynatrace starts collecting data. To view reports, use the [Dynatrace menu](https://www.dynatrace.com/support/help/get-started/navigation/), go to **Services**, and then select your application. ++You can find the **Service flow** from **\<your-app-name>/Details/Service flow**: +++You can find the **Method hotspots** from **\<your-app-name>/Details/Method hotspots**: +++You can find the **Database statements** from **\<your-app-name>/Details/Response time analysis**: +++Next, go to the **Multidimensional analysis** section. ++You can find the **Top database statements** from **Multidimensional analysis/Top database statements**: +++You can find the **Exceptions overview** from **Multidimensional analysis/Exceptions overview**: +++Next, go to the **Profiling and optimization** section. ++You can find the **CPU analysis** from **Profiling and optimization/CPU analysis**: +++Next, go to the **Databases** section. ++You can find **Backtrace** from **Databases/Details/Backtrace**: +++## View Dynatrace OneAgent logs ++By default, Azure Spring Apps prints the *info* level logs of the Dynatrace OneAgent to `STDOUT`. The logs are mixed with the application logs. You can find the explicit agent version from the application logs. ++You can also get the logs of the Dynatrace agent from the following locations: ++* Azure Spring Apps logs +* Azure Spring Apps Application Insights +* Azure Spring Apps LogStream ++You can apply some environment variables provided by Dynatrace to configure logging for the Dynatrace OneAgent. For example, `DT_LOGLEVELCON` controls the level of logs. The default value for `DT_LOGLEVELCON` is `info`. You can disable the logs of the agent by setting `DT_LOGLEVELCON` to `off`. If logging is disabled, Dynatrace support requests that you first enable logging to diagnose any agent issues effectively. You must then restart the app, which is necessary for the change to take effect. For other log levels, consult the Dynatrace support team. ++> [!CAUTION] +> We strongly recommend that you don't override the default logging behavior provided by Azure Spring Apps for Dynatrace. If you do, the logging scenarios previously described are blocked, and the log file(s) may be lost. For example, you shouldn't output the `DT_LOGLEVELFILE` environment variable to your applications. ++## Dynatrace OneAgent upgrade ++The Dynatrace OneAgent auto-upgrade is disabled and is upgraded quarterly with the JDK. Agent upgrade may affect the following scenarios: ++* Existing applications using Dynatrace OneAgent before upgrade are unchanged, but require restart or redeploy to engage the new version of Dynatrace OneAgent. +* Applications created after upgrade use the new version of Dynatrace OneAgent. ++## Virtual network injection instance outbound traffic configuration ++For a virtual network injection instance of Azure Spring Apps, you need to make sure the outbound traffic for Dynatrace communication endpoints is configured correctly for Dynatrace OneAgent. For information about how to get `communicationEndpoints`, see [Deployment API - GET connectivity information for OneAgent](https://www.dynatrace.com/support/help/dynatrace-api/environment-api/deployment/oneagent/get-connectivity-info/). For more information, see [Customer responsibilities for running Azure Spring Apps in a virtual network](../enterprise/vnet-customer-responsibilities.md?toc=/azure/spring-apps/basic-standard/toc.json&bc=/azure/spring-apps/basic-standard/breadcrumb/toc.json). ++## Dynatrace support model ++For information about limitations when deploying Dynatrace OneAgent in application-only mode, see the [Cloud application platforms](https://www.dynatrace.com/support/help/technology-support/oneagent-platform-and-capability-support-matrix/#cloud-application-platforms) section of [OneAgent platform and capability support matrix](https://www.dynatrace.com/support/help/technology-support/oneagent-platform-and-capability-support-matrix). ++## Next steps ++[Use Application Insights Java In-Process Agent in Azure Spring Apps](../enterprise/how-to-application-insights.md?pivots=sc-standard&toc=/azure/spring-apps/basic-standard/toc.json&bc=/azure/spring-apps/basic-standard/breadcrumb/toc.json) |
spring-apps | How To Elastic Apm Java Agent Monitor | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/basic-standard/how-to-elastic-apm-java-agent-monitor.md | + + Title: How to monitor Spring Boot apps with Elastic APM Java Agent +description: How to use Elastic APM Java Agent to monitor Spring Boot applications running in Azure Spring Apps ++++ Last updated : 06/07/2022++++# How to monitor Spring Boot apps with Elastic APM Java Agent ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Basic/Standard ❌ Enterprise ++This article explains how to use Elastic APM Agent to monitor Spring Boot applications running in Azure Spring Apps. ++With the Elastic Observability Solution, you can achieve unified observability to: ++* Monitor apps using the Elastic APM Java Agent and using persistent storage with Azure Spring Apps. +* Use diagnostic settings to ship Azure Spring Apps logs to Elastic. For more information, see [Analyze logs with Elastic (ELK) using diagnostics settings](../enterprise/how-to-elastic-diagnostic-settings.md?toc=/azure/spring-apps/basic-standard/toc.json&bc=/azure/spring-apps/basic-standard/breadcrumb/toc.json). ++The following video introduces unified observability for Spring Boot applications using Elastic. ++<br> ++> [!VIDEO https://www.youtube.com/embed/KjmQX1SxZdA] ++## Prerequisites ++* [Azure CLI](/cli/azure/install-azure-cli) +* [Deploy Elastic on Azure](https://www.elastic.co/blog/getting-started-with-the-azure-integration-enhancement) +* [Manage your APM & Fleet Server](https://www.elastic.co/guide/en/cloud-enterprise/current/ece-manage-apm-and-fleet.html) ++## Deploy the Spring Petclinic application ++This article uses the Spring Petclinic sample to walk through the required steps. Use the following steps to deploy the sample application: ++1. Follow the steps in [Deploy Spring Boot apps using Azure Spring Apps and MySQL](https://github.com/Azure-Samples/spring-petclinic-microservices#readme) until you reach the [Deploy Spring Boot applications and set environment variables](https://github.com/Azure-Samples/spring-petclinic-microservices#deploy-spring-boot-applications-and-set-environment-variables) section. ++1. Use the Azure Spring Apps extension for Azure CLI with the following command to create an application to run in Azure Spring Apps: ++ ```azurecli + az spring app create \ + --resource-group <your-resource-group-name> \ + --service <your-Azure-Spring-Apps-instance-name> \ + --name <your-app-name> \ + --is-public true + ``` ++## Enable custom persistent storage for Azure Spring Apps ++Use the following steps to enable custom persistent storage: ++1. Follow the steps in [How to enable your own persistent storage in Azure Spring Apps](../enterprise/how-to-custom-persistent-storage.md?toc=/azure/spring-apps/basic-standard/toc.json&bc=/azure/spring-apps/basic-standard/breadcrumb/toc.json). ++1. Use the following Azure CLI command to add persistent storage for your Azure Spring Apps apps. ++ ```azurecli + az spring app append-persistent-storage \ + --resource-group <your-resource-group-name> \ + --service <your-Azure-Spring-Apps-instance-name> \ + --name <your-app-name> \ + --persistent-storage-type AzureFileVolume \ + --share-name <your-Azure-file-share-name> \ + --mount-path <unique-mount-path> \ + --storage-name <your-mounted-storage-name> + ``` ++## Activate Elastic APM Java Agent ++Before proceeding, you need your Elastic APM server connectivity information handy, which assumes you've deployed Elastic on Azure. For more information, see [How to deploy and manage Elastic on Microsoft Azure](https://www.elastic.co/blog/getting-started-with-the-azure-integration-enhancement). To get this information, use the following steps: ++1. In the Azure portal, go to the **Overview** page of your Elastic deployment, then select **Manage Elastic Cloud Deployment**. ++ :::image type="content" source="media/how-to-elastic-apm-java-agent-monitor/elastic-apm-get-link-from-microsoft-azure.png" alt-text="Screenshot of Azure portal 'Elasticsearch (Elastic Cloud)' page." lightbox="media/how-to-elastic-apm-java-agent-monitor/elastic-apm-get-link-from-microsoft-azure.png"::: ++1. Under your deployment on Elastic Cloud Console, select the **APM & Fleet** section to get Elastic APM Server endpoint and secret token. ++ :::image type="content" source="media/how-to-elastic-apm-java-agent-monitor/elastic-apm-endpoint-secret.png" alt-text="Elastic screenshot 'A P M & Fleet' page." lightbox="media/how-to-elastic-apm-java-agent-monitor/elastic-apm-endpoint-secret.png"::: ++1. Download Elastic APM Java Agent from [Maven Central](https://search.maven.org/search?q=g:co.elastic.apm%20AND%20a:elastic-apm-agent). ++ :::image type="content" source="media/how-to-elastic-apm-java-agent-monitor/maven-central-repository-search.png" alt-text="Maven Central screenshot with jar download highlighted." lightbox="media/how-to-elastic-apm-java-agent-monitor/maven-central-repository-search.png"::: ++1. Upload Elastic APM Agent to the custom persistent storage you enabled earlier. Go to Azure Fileshare and select **Upload** to add the agent JAR file. ++ :::image type="content" source="media/how-to-elastic-apm-java-agent-monitor/upload-files-microsoft-azure.png" alt-text="Screenshot of Azure portal showing 'Upload files' pane of 'File share' page." lightbox="media/how-to-elastic-apm-java-agent-monitor/upload-files-microsoft-azure.png"::: ++1. After you have the Elastic APM endpoint and secret token, use the following command to activate Elastic APM Java agent when deploying applications. The placeholder *`<agent-location>`* refers to the mounted storage location of the Elastic APM Java Agent. ++ ```azurecli + az spring app deploy \ + --name <your-app-name> \ + --artifact-path <unique-path-to-your-app-jar-on-custom-storage> \ + --jvm-options='-javaagent:<elastic-agent-location>' \ + --env ELASTIC_APM_SERVICE_NAME=<your-app-name> \ + ELASTIC_APM_APPLICATION_PACKAGES='<your-app-package-name>' \ + ELASTIC_APM_SERVER_URL='<your-Elastic-APM-server-URL>' \ + ELASTIC_APM_SECRET_TOKEN='<your-Elastic-APM-secret-token>' + ``` ++## Automate provisioning ++You can also run a provisioning automation pipeline using Terraform, Bicep, or an Azure Resource Manager template (ARM template). This pipeline can provide a complete hands-off experience to instrument and monitor any new applications that you create and deploy. ++### Automate provisioning using Terraform ++To configure the environment variables in a Terraform template, add the following code to the template, replacing the *\<...>* placeholders with your own values. For more information, see [Manages an Active Azure Spring Apps Deployment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/spring_cloud_active_deployment). ++```terraform +resource "azurerm_spring_cloud_java_deployment" "example" { + ... + jvm_options = "-javaagent:<elastic-agent-location>" + ... + environment_variables = { + "ELASTIC_APM_SERVICE_NAME"="<your-app-name>", + "ELASTIC_APM_APPLICATION_PACKAGES"="<your-app-package>", + "ELASTIC_APM_SERVER_URL"="<your-Elastic-APM-server-URL>", + "ELASTIC_APM_SECRET_TOKEN"="<your-Elastic-APM-secret-token>" + } +} +``` ++### Automate provisioning using a Bicep file ++To configure the environment variables in a Bicep file, add the following code to the file, replacing the *\<...>* placeholders with your own values. For more information, see [Microsoft.AppPlatform Spring/apps/deployments](/azure/templates/microsoft.appplatform/spring/apps/deployments?tabs=bicep). ++```bicep +deploymentSettings: { + environmentVariables: { + ELASTIC_APM_SERVICE_NAME='<your-app-name>', + ELASTIC_APM_APPLICATION_PACKAGES='<your-app-package>', + ELASTIC_APM_SERVER_URL='<your-Elastic-APM-server-URL>', + ELASTIC_APM_SECRET_TOKEN='<your-Elastic-APM-secret-token>' + }, + jvmOptions: '-javaagent:<elastic-agent-location>', + ... +} +``` ++### Automate provisioning using an ARM template ++To configure the environment variables in an ARM template, add the following code to the template, replacing the *\<...>* placeholders with your own values. For more information, see [Microsoft.AppPlatform Spring/apps/deployments](/azure/templates/microsoft.appplatform/spring/apps/deployments?tabs=json). ++```json +"deploymentSettings": { + "environmentVariables": { + "ELASTIC_APM_SERVICE_NAME"="<your-app-name>", + "ELASTIC_APM_APPLICATION_PACKAGES"="<your-app-package>", + "ELASTIC_APM_SERVER_URL"="<your-Elastic-APM-server-URL>", + "ELASTIC_APM_SECRET_TOKEN"="<your-Elastic-APM-secret-token>" + }, + "jvmOptions": "-javaagent:<elastic-agent-location>", + ... +} +``` ++## Upgrade Elastic APM Java Agent ++To plan your upgrade, see [Upgrade versions](https://www.elastic.co/guide/en/cloud/current/ec-upgrade-deployment.html) for Elastic Cloud on Azure, and [Breaking Changes](https://www.elastic.co/guide/en/apm/server/current/breaking-changes.html) for APM. After you've upgraded APM Server, upload the Elastic APM Java agent JAR file in the custom persistent storage. Then, restart your apps with the updated JVM options pointing to the upgraded Elastic APM Java agent JAR. ++## Monitor applications and metrics with Elastic APM ++Use the following steps to monitor applications and metrics: ++1. In the Azure portal, go to the **Overview** page of your Elastic deployment, then select the Kibana link. ++ :::image type="content" source="media/how-to-elastic-apm-java-agent-monitor/elastic-apm-get-kibana-link.png" alt-text="Screenshot of Azure portal showing Elasticsearch page with 'Deployment U R L / Kibana' highlighted." lightbox="media/how-to-elastic-apm-java-agent-monitor/elastic-apm-get-kibana-link.png"::: ++1. After Kibana is open, search for *APM* in the search bar, then select **APM**. ++ :::image type="content" source="media/how-to-elastic-apm-java-agent-monitor/elastic-apm-kibana-search-apm.png" alt-text="Elastic / Kibana screenshot showing A P M search results." lightbox="media/how-to-elastic-apm-java-agent-monitor/elastic-apm-kibana-search-apm.png"::: ++Kibana APM is the curated application to support Application Monitoring workflows. Here you can view high-level details such as request/response times, throughput, and the transactions in a service with the most impact on the duration. +++You can drill down in a specific transaction to understand the transaction-specific details such as the distributed tracing. +++Elastic APM Java agent also captures the JVM metrics from the Azure Spring Apps apps that are available with Kibana App for users for troubleshooting. +++Using the inbuilt AI engine in the Elastic solution, you can also enable Anomaly Detection on the Azure Spring Apps Services and choose an appropriate action - such as Teams notification, creation of a JIRA issue, a webhook-based API call, and others. +++## Next steps ++* [Quickstart: Deploy your first Spring Boot app in Azure Spring Apps](../enterprise/quickstart.md?pivots=sc-standard&toc=/azure/spring-apps/basic-standard/toc.json&bc=/azure/spring-apps/basic-standard/breadcrumb/toc.json) +* [Deploy Elastic on Azure](https://www.elastic.co/blog/getting-started-with-the-azure-integration-enhancement) |
spring-apps | How To Launch From Source | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/basic-standard/how-to-launch-from-source.md | + + Title: How to Deploy Spring Boot applications from Azure CLI +description: In this quickstart, learn how to launch your application in Azure Spring Apps directly from your source code +++ Last updated : 11/12/2021+++++# How to Deploy Spring Boot applications from Azure CLI ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Java ❌ C# ++**This article applies to:** ✔️ Basic/Standard ❌️ Enterprise ++Azure Spring Apps enables Spring Boot applications on Azure. ++You can launch applications directly from Java source code or from a pre-built JAR. This article explains the deployment procedures. ++## Prerequisites ++Before you begin, ensure that your Azure subscription has the required dependencies: ++1. [Install Git](https://git-scm.com/) +2. [Install JDK 8](https://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html) +3. [Install Maven 3.0 or above](https://maven.apache.org/download.cgi) +4. [Install the Azure CLI](/cli/azure/install-azure-cli) +5. [Sign up for an Azure subscription](https://azure.microsoft.com/free/) ++> [!TIP] +> The Azure Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled, including the latest versions of Git, JDK, Maven, and the Azure CLI. If you are logged in to your Azure subscription, launch your [Azure Cloud Shell](https://shell.azure.com) from shell.azure.com. You can learn more about Azure Cloud Shell by [reading our documentation](../../cloud-shell/overview.md) ++## Install the Azure CLI extension ++Install the Azure Spring Apps extension for the Azure CLI with the following command ++```azurecli +az extension add --name spring +``` ++## Provision a service instance using the Azure CLI ++Sign in to the Azure CLI and choose your active subscription. ++```azurecli +az login +az account list -o table +az account set --subscription <subscription-id> +``` ++Create a resource group to contain your service in Azure Spring Apps. You can learn more about [Azure Resource Groups](../../azure-resource-manager/management/overview.md). ++```azurecli +az group create --location eastus --name <resource-group-name> +``` ++Run the following commands to provision an instance of Azure Spring Apps. Prepare a name for your service in Azure Spring Apps. The name must be between 4 and 32 characters and can contain only lowercase letters, numbers, and hyphens. The first character of the service name must be a letter and the last character must be either a letter or a number. ++```azurecli +az spring create --resource-group <resource-group-name> --name <resource-name> +``` ++The service instance will take about five minutes to deploy. ++Set your default resource group name and Azure Spring Apps instance name using the following commands: ++```azurecli +az config set defaults.group=<service-group-name> +az config set defaults.spring=<service-instance-name> +``` ++## Create the application in Azure Spring Apps ++The following command creates an application in Azure Spring Apps in your subscription. This creates an empty service to which you can upload your application. ++```azurecli +az spring app create --name <app-name> +``` ++## Deploy your Spring Boot application ++You can deploy your application from a pre-built JAR or from a Gradle or Maven repository. Find instructions for each case below. ++### Deploy a pre-built JAR ++To deploy from a JAR built on your local machine, ensure that your build produces a [fat-JAR](https://docs.spring.io/spring-boot/docs/current/reference/html/howto-build.html#howto-create-an-executable-jar-with-maven). ++To deploy the fat-JAR to an active deployment ++```azurecli +az spring app deploy --name <app-name> --artifact-path <path-to-fat-JAR> +``` ++To deploy the fat-JAR to a specific deployment ++```azurecli +az spring app deployment create --app <app-name> \ + --name <deployment-name> \ + --artifact-path <path-to-fat-JAR> +``` ++### Deploy from source code ++Azure Spring Apps uses [kpack](https://github.com/pivotal/kpack) to build your project. You can use Azure CLI to upload your source code, build your project using kpack, and deploy it to the target application. ++> [!WARNING] +> The project must produce only one JAR file with a `main-class` entry in the `MANIFEST.MF` in `target` (for Maven deployments) or `build/libs` (for Gradle deployments). Multiple JAR files with `main-class` entries will cause the deployment to fail. ++For single module Maven / Gradle projects: ++```azurecli +cd <path-to-maven-or-gradle-source-root> +az spring app deploy --name <app-name> --source-path +``` ++For Maven / Gradle projects with multiple modules, repeat for each module: ++```azurecli +cd <path-to-maven-or-gradle-source-root> +az spring app deploy --name <app-name> --source-path \ + --target-module <relative-path-to-module> +``` ++### Show deployment logs ++Review the kpack build logs using the following command: ++```azurecli +az spring app show-deploy-log --name <app-name> +``` ++> [!NOTE] +> The kpack logs will only show the latest deployment if that deployment was built from source using kpack. ++## Assign a public endpoint to an application ++1. Open the **Apps** pane to view apps for your service instance. +2. Select an application to view its **Overview** page. +3. Select **Assign endpoint** to assign a public endpoint to the application. This process can take a few minutes. +4. Copy the URL from the **Overview** page and paste it into your browser to view running application. ++## Next steps ++[Quickstart: Monitoring Azure Spring Apps with logs, metrics, and tracing](quickstart-logs-metrics-tracing.md) ++More samples are available on GitHub: [Azure Spring Apps Samples](https://github.com/Azure-Samples/azure-spring-apps-samples). |
spring-apps | How To New Relic Monitor | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/basic-standard/how-to-new-relic-monitor.md | + + Title: How to monitor Spring Boot apps using New Relic Java agent ++description: Learn how to monitor Spring Boot applications using the New Relic Java agent. ++++ Last updated : 06/08/2021++ms.devlang: azurecli +++# How to monitor Spring Boot apps using New Relic Java agent ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Standard consumption and dedicated (Preview) ✔️ Basic/Standard ❌ Enterprise ++This article shows you how to monitor of Spring Boot applications in Azure Spring Apps with the New Relic Java agent. ++With the New Relic Java agent, you can: ++* Consume the New Relic Java agent. +* Configure the New Relic Java agent using environment variables. +* Check all monitoring data from the New Relic dashboard. ++The following video describes how to activate and monitor Spring Boot applications in Azure Spring Apps using New Relic One. ++<br> ++> [!VIDEO https://www.youtube.com/embed/4GQPwJSP3ys?list=PLPeZXlCR7ew8LlhnSH63KcM0XhMKxT1k_] ++## Prerequisites ++* A [New Relic](https://newrelic.com/) account. +* [Azure CLI version 2.0.67 or later](/cli/azure/install-azure-cli). ++## Activate the New Relic Java in process agent ++Use the following procedure to access the agent: ++1. Create an instance of Azure Spring Apps. ++1. Create an application. ++ ```azurecli + az spring app create \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <app-name> \ + --is-public true \ + ``` ++1. Create a deployment with the New Relic agent and environment variables. ++ ```azurecli + az spring app deploy \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <app-name> \ + --artifact-path app.jar \ + --jvm-options="-javaagent:/opt/agents/newrelic/java/newrelic-agent.jar" \ + --env NEW_RELIC_APP_NAME=appName \ + NEW_RELIC_LICENSE_KEY=newRelicLicenseKey + ``` ++Azure Spring Apps preinstalls the New Relic Java agent to */opt/agents/newrelic/java/newrelic-agent.jar*. Customers can activate the agent from applications' **JVM options**, and configure the agent using the [New Relic Java agent environment variables](https://docs.newrelic.com/docs/agents/java-agent/configuration/java-agent-configuration-config-file/#Environment_Variables). ++## Azure portal ++You can also activate this agent from the Azure portal with the following procedure. ++1. In your Azure Spring Apps instance, select **Apps** in the navigation pane. ++ :::image type="content" source="media/how-to-new-relic-monitor/find-app.png" alt-text="Screenshot of the Azure portal showing the Apps page for an Azure Spring Apps instance." lightbox="media/how-to-new-relic-monitor/find-app.png"::: ++1. Select the application from the list, and then select **Configuration** in the navigation pane. ++1. Use the **General settings** tab to update values such as the JVM options. ++ :::image type="content" source="media/how-to-new-relic-monitor/update-jvm-option.png" alt-text="Screenshot of the Azure portal showing the Configuration page for an app with the General settings tab selected." lightbox="media/how-to-new-relic-monitor/update-jvm-option.png"::: ++1. Select **Environment variables** to add or update the variables used by your application. ++ :::image type="content" source="media/how-to-new-relic-monitor/configurations-update-environment.png" alt-text="Screenshot of the Azure portal showing the Configuration page for an app with the Environment variables tab selected." lightbox="media/how-to-new-relic-monitor/configurations-update-environment.png"::: ++1. View the application api/gateway **Summary** page from the New Relic dashboard. ++ :::image type="content" source="media/how-to-new-relic-monitor/app-summary-page.png" alt-text="Screenshot of the New Relic dashboard showing the API Gateway summary page." lightbox="media/how-to-new-relic-monitor/app-summary-page.png"::: ++1. View the application customers-service **Summary** page from the New Relic dashboard. ++ :::image type="content" source="media/how-to-new-relic-monitor/customers-service.png" alt-text="Screenshot of the New Relic dashboard showing the Customers Service page." lightbox="media/how-to-new-relic-monitor/customers-service.png"::: ++1. View the **Service Map** page from the New Relic dashboard. ++ :::image type="content" source="media/how-to-new-relic-monitor/service-map.png" alt-text="Screenshot of the New Relic dashboard showing the Service Map page." lightbox="media/how-to-new-relic-monitor/service-map.png"::: ++1. View the **JVMs** page of the application from the New Relic dashboard. ++ :::image type="content" source="media/how-to-new-relic-monitor/jvm-page.png" alt-text="Screenshot of the New Relic dashboard showing the JVM page." lightbox="media/how-to-new-relic-monitor/jvm-page.png"::: ++1. View the application profile from the New Relic dashboard. ++ :::image type="content" source="media/how-to-new-relic-monitor/profile-app.png" alt-text="Screenshot of the New Relic dashboard showing the Application Profile page." lightbox="media/how-to-new-relic-monitor/profile-app.png"::: ++## Automate provisioning ++You can also run a provisioning automation pipeline using Terraform, Bicep, or an Azure Resource Manager template (ARM template). This pipeline can provide a complete hands-off experience to instrument and monitor any new applications that you create and deploy. ++### Automate provisioning using Terraform ++To configure the environment variables in a Terraform template, add the following code to the template, replacing the *\<...>* placeholders with your own values. For more information, see [Manages an Active Azure Spring Apps Deployment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/spring_cloud_active_deployment). ++```terraform +resource "azurerm_spring_cloud_java_deployment" "example" { + ... + jvm_options = "-javaagent:/opt/agents/newrelic/java/newrelic-agent.jar" + ... + environment_variables = { + "NEW_RELIC_APP_NAME": "<app-name>", + "NEW_RELIC_LICENSE_KEY": "<new-relic-license-key>" + } +} +``` ++### Automate provisioning using a Bicep file ++To configure the environment variables in a Bicep file, add the following code to the template, replacing the *\<...>* placeholders with your own values. For more information, see [Microsoft.AppPlatform Spring/apps/deployments](/azure/templates/microsoft.appplatform/spring/apps/deployments?tabs=bicep). ++```bicep +deploymentSettings: { + environmentVariables: { + NEW_RELIC_APP_NAME : '<app-name>', + NEW_RELIC_LICENSE_KEY : '<new-relic-license-key>' + }, + jvmOptions: '-javaagent:/opt/agents/newrelic/java/newrelic-agent.jar', + ... +} +``` ++### Automate provisioning using an ARM template ++To configure the environment variables in an ARM template, add the following code to the template, replacing the *\<...>* placeholders with your own values. For more information, see [Microsoft.AppPlatform Spring/apps/deployments](/azure/templates/microsoft.appplatform/spring/apps/deployments?tabs=json). ++```json +"deploymentSettings": { + "environmentVariables": { + "NEW_RELIC_APP_NAME" : "<app-name>", + "NEW_RELIC_LICENSE_KEY" : "<new-relic-license-key>" + }, + "jvmOptions": "-javaagent:/opt/agents/newrelic/java/newrelic-agent.jar", + ... +} +``` ++## Forward application logs to New Relic ++The New Relic agent can collect application logs directly from your apps, and forward them to New Relic. For more information, see [Forward your logs to New Relic](https://docs.newrelic.com/docs/logs/forward-logs/enable-log-management-new-relic/) and [APM logs in context](https://docs.newrelic.com/docs/logs/logs-context/get-started-logs-context/). ++## View New Relic Java Agent logs ++By default, Azure Spring Apps prints the logs of the New Relic Java agent to `STDOUT`. The logs are mixed with the application logs. You can find the explicit agent version from the application logs. ++You can also get the logs of the New Relic agent from the following locations: ++* Azure Spring Apps logs +* Azure Spring Apps Application Insights +* Azure Spring Apps LogStream ++You can use some environment variables provided by New Relic to configure the logging of the New Agent, such as, `NEW_RELIC_LOG_LEVEL` to control the level of logs. For more information, see [New Relic logging configuration](https://docs.newrelic.com/docs/apm/agents/java-agent/configuration/java-agent-configuration-config-file/#cfg-log_level). ++> [!NOTE] +> Do not use `finer` or `finest` unless New Relic Support asks you to do that. These logging levels can generate excessive overhead. For most situations, use `info`. ++> [!CAUTION] +> We strongly recommend that you don't override the logging default behavior provided by Azure Spring Apps for New Relic. If you do, the logging scenarios previously described are blocked, and the log file(s) may be lost. For example, you shouldn't pass the following environment variables to your applications. Log file(s) may be lost after restart or redeployment of application(s). +> +> * NEW_RELIC_LOG +> * NEW_RELIC_LOG_FILE_PATH ++## New Relic Java Agent update/upgrade ++The New Relic Java agent update/upgrade the JDK regularly. The agent update/upgrade may affect following scenarios. ++* Existing applications that use the New Relic Java agent before update/upgrade are unchanged. +* Existing applications that use the New Relic Java agent before update/upgrade require restart or redeploy to engage the new version of the New Relic Java agent. +* New applications created after update/upgrade use the new version of the New Relic Java agent. ++## Vnet Injection Instance Outbound Traffic Configuration ++For a vnet injection instance of Azure Spring Apps, you need to make sure the outbound traffic is configured correctly for the New Relic Java agent. For more information, see [Networks of New Relic](https://docs.newrelic.com/docs/using-new-relic/cross-product-functions/install-configure/networks/#agents). ++## Next steps ++[Use Application Insights Java In-Process Agent in Azure Spring Apps](../enterprise/how-to-application-insights.md?pivots=sc-standard&toc=/azure/spring-apps/basic-standard/toc.json&bc=/azure/spring-apps/basic-standard/breadcrumb/toc.json) |
spring-apps | How To Service Registration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/basic-standard/how-to-service-registration.md | + + Title: Discover and register your Spring Boot applications in Azure Spring Apps +description: Discover and register your Spring Boot applications with managed Spring Cloud Service Registry (OSS) in Azure Spring Apps. ++++ Last updated : 05/09/2022++zone_pivot_groups: programming-languages-spring-apps +++# Discover and register your Spring Boot applications ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Standard consumption and dedicated (Preview) ✔️ Basic/Standard ❌ Enterprise ++This article shows you how to register your application using Spring Cloud Service Registry. ++Service registration and discovery are key requirements for maintaining a list of live app instances to call, and routing and load balancing inbound requests. Configuring each client manually takes time and introduces the possibility of human error. Azure Spring Apps provides two options for you to solve this problem: ++> [!NOTE] +> To use service registry in the Standard consumption and dedicated plan, you must enable it first. For more information, see [Enable and disable Eureka Server in Azure Spring Apps](../consumption-dedicated/quickstart-standard-consumption-eureka-server.md). ++* Use Kubernetes Service Discovery approach to invoke calls among your apps. ++ Azure Spring Apps creates a corresponding Kubernetes service for every app running in it using the app name as the Kubernetes service name. You can invoke calls from one app to another app by using the app name in an HTTP/HTTPS request such as `http(s)://{app name}/path`. This approach is also suitable for the Enterprise plan. For more information, see the [Kubernetes registry code sample](https://github.com/Azure-Samples/azure-spring-apps-samples/tree/main/k8s-service-registry). ++ > [!NOTE] + > This approach isn't suitable for Standard consumption and dedicated (Preview). ++* Use Managed Spring Cloud Service Registry (OSS) in Azure Spring Apps. ++ After configuration, a Service Registry server will control service registration and discovery for your applications. The Service Registry server maintains a registry of live app instances, enables client-side load-balancing, and decouples service providers from clients without relying on DNS. +++For information about how to set up service registration for a Steeltoe app, see [Prepare a Java Spring application for deployment in Azure Spring Apps](../enterprise/how-to-prepare-app-deployment.md?tabs=basic-standard-plan&pivots=programming-language-csharp&toc=/azure/spring-apps/basic-standard/toc.json&bc=/azure/spring-apps/basic-standard/breadcrumb/toc.json). ++++## Register your application using Spring Cloud Service Registry ++Before your application can manage service registration and discovery using Spring Cloud Service Registry, you must include the following dependency for `spring-cloud-starter-netflix-eureka-client` in your *pom.xml* file: ++```xml +<dependency> + <groupId>org.springframework.cloud</groupId> + <artifactId>spring-cloud-starter-netflix-eureka-client</artifactId> +</dependency> +``` ++## Update the top level class ++Finally, add an annotation to the top level class of your application, as shown in the following example: ++```java +package foo.bar; ++import org.springframework.boot.SpringApplication; +import org.springframework.boot.autoconfigure.SpringBootApplication; +import org.springframework.cloud.netflix.eureka.EnableEurekaClient; ++@SpringBootApplication +@EnableEurekaClient +public class DemoApplication { ++ public static void main(String[] args) { + SpringApplication.run(DemoApplication.class, args); + } +} +``` ++The Spring Cloud Service Registry server endpoint is injected as an environment variable in your application. Applications can register themselves with the Service Registry server and discover other dependent applications. ++> [!NOTE] +> It can take a few minutes for the changes to propagate from the server to all applications. ++## Next steps ++In this article, you learned how to register your application using Spring Cloud Service Registry. To learn how to access the Spring Cloud Service Registry using Microsoft Entra role-based access control (RBAC), see [Access Config Server and Service Registry](how-to-access-data-plane-azure-ad-rbac.md). |
spring-apps | Quickstart Deploy Apps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/basic-standard/quickstart-deploy-apps.md | + + Title: "Quickstart - Build and deploy apps to Azure Spring Apps" +description: Describes app deployment to Azure Spring Apps. ++++ Last updated : 11/15/2021++zone_pivot_groups: programming-languages-spring-apps +++# Quickstart: Build and deploy apps to Azure Spring Apps ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Basic/Standard ❌ Enterprise +++This quickstart explains how to build and deploy Spring applications to Azure Spring Apps using the Azure CLI. ++## Prerequisites ++- Completion of the previous quickstarts in this series: + - [Provision an Azure Spring Apps service instance](./quickstart-provision-service-instance.md). + - [Set up Azure Spring Apps Config Server](./quickstart-setup-config-server.md). ++## Download the sample app ++Use the following steps to download the sample app. If you've been using the Azure Cloud Shell, switch to a local command prompt. ++1. Create a new folder and clone the sample app repository. ++ ```console + mkdir source-code + ``` ++ ```console + cd source-code + ``` ++ ```console + git clone https://github.com/Azure-Samples/azure-spring-apps-samples + ``` ++1. Navigate to the repository directory. ++ ```console + cd azure-spring-apps-samples + ``` ++## Deploy PlanetWeatherProvider ++Use the following steps to deploy the PlanetWeatherProvider project. ++1. Create an app for the `PlanetWeatherProvider` project in your Azure Spring Apps instance. ++ ```azurecli + az spring app create --name planet-weather-provider --runtime-version NetCore_31 + ``` ++ To enable automatic service registration, you've given the app the same name as the value of `spring.application.name` in the project's *appsettings.json* file: ++ ```json + "spring": { + "application": { + "name": "planet-weather-provider" + } + } + ``` ++ This command may take several minutes to run. ++1. Change directory to the `PlanetWeatherProvider` project folder. ++ ```console + cd steeltoe-sample/src/planet-weather-provider + ``` ++1. Create the binaries and the *.zip* file to be deployed. ++ ```console + dotnet publish -c release -o ./publish + ``` ++ > [!TIP] + > The project file contains the following XML to package the binaries in a *.zip* file after writing them to the *./publish* folder: + > + > ```xml + > <Target Name="Publish-Zip" AfterTargets="Publish"> + > <ZipDirectory SourceDirectory="$(PublishDir)" DestinationFile="$(MSBuildProjectDirectory)/publish-deploy-planet.zip" Overwrite="true" /> + > </Target> + > ``` ++1. Deploy the project to Azure. ++ Make sure that the command prompt is in the project folder before running the following command. ++ ```azurecli + az spring app deploy \ + --name planet-weather-provider \ + --runtime-version NetCore_31 \ + --main-entry Microsoft.Azure.SpringCloud.Sample.PlanetWeatherProvider.dll \ + --artifact-path ./publish-deploy-planet.zip + ``` ++ The `--main-entry` option specifies the relative path from the *.zip* file's root folder to the *.dll* file that contains the application's entry point. After the service uploads the *.zip* file, it extracts all the files and folders, and then tries to execute the entry point in the specified *.dll* file. ++ This command may take several minutes to run. ++## Deploy SolarSystemWeather ++Use the following steps to deploy the SolarSystemWeather project. ++1. Create another app in your Azure Spring Apps instance for the project. ++ ```azurecli + az spring app create --name solar-system-weather --runtime-version NetCore_31 + ``` ++ `solar-system-weather` is the name that is specified in the `SolarSystemWeather` project's *appsettings.json* file. ++ This command may take several minutes to run. ++1. Change directory to the `SolarSystemWeather` project. ++ ```console + cd ../solar-system-weather + ``` ++1. Create the binaries and *.zip* file to be deployed. ++ ```console + dotnet publish -c release -o ./publish + ``` ++1. Deploy the project to Azure. ++ ```azurecli + az spring app deploy \ + --name solar-system-weather \ + --runtime-version NetCore_31 \ + --main-entry Microsoft.Azure.SpringCloud.Sample.SolarSystemWeather.dll \ + --artifact-path ./publish-deploy-solar.zip + ``` ++ This command may take several minutes to run. ++## Assign public endpoint ++Before testing the application, get a public endpoint for an HTTP GET request to the `solar-system-weather` application. ++1. Run the following command to assign the endpoint. ++ ```azurecli + az spring app update --name solar-system-weather --assign-endpoint true + ``` ++1. Run the following command to get the URL of the endpoint. ++ Windows: ++ ```azurecli + az spring app show --name solar-system-weather --output table + ``` ++ Linux: ++ ```azurecli + az spring app show --name solar-system-weather | grep url + ``` ++## Test the application ++To test the application, send a GET request to the `solar-system-weather` app. In a browser, navigate to the public URL with `/weatherforecast` appended to it. For example: `https://servicename-solar-system-weather.azuremicroservices.io/weatherforecast` ++The output is JSON: ++```json +[{"Key":"Mercury","Value":"very warm"},{"Key":"Venus","Value":"quite unpleasant"},{"Key":"Mars","Value":"very cool"},{"Key":"Saturn","Value":"a little bit sandy"}] +``` ++This response shows that both Spring apps are working. The `SolarSystemWeather` app returns data that it retrieved from the `PlanetWeatherProvider` app. ++++This article explains how to build and deploy Spring applications to Azure Spring Apps. You can use Azure CLI, the Maven plugin, or Intellij. This article describes each alternative. ++## Prerequisites ++- Completion of the previous quickstarts in this series: + - [Provision an Azure Spring Apps service instance](./quickstart-provision-service-instance.md). + - [Set up Azure Spring Apps Config Server](./quickstart-setup-config-server.md). +- [JDK 17](/azure/developer/java/fundamentals/java-jdk-install) +- [Maven 3.0 or above](https://maven.apache.org/download.cgi) +- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. +- Optionally, [Azure CLI version 2.45.0 or higher](/cli/azure/install-azure-cli). Install the Azure Spring Apps extension with the following command: `az extension add --name spring` +- Optionally, [the Azure Toolkit for IntelliJ](https://plugins.jetbrains.com/plugin/8053-azure-toolkit-for-intellij/). ++#### [CLI](#tab/Azure-CLI) ++## Build the Spring applications locally ++Use the following commands to clone the sample repository, navigate to the sample folder, and then build the project. ++```bash +git clone https://github.com/azure-samples/spring-petclinic-microservices +cd spring-petclinic-microservices +mvn clean package -DskipTests -Denv=cloud +``` ++Compiling the project takes 5-10 minutes. When the project is compiled, you should have individual JAR files for each service in their respective folders. ++## Create and deploy apps on Azure Spring Apps ++Use the following steps to create and deploys apps on Azure Spring Apps using the CLI. ++1. If you didn't run the following commands in the previous quickstarts, run them now to set the CLI defaults. ++ ```azurecli + az configure --defaults group=<resource-group-name> spring=<service-name> + ``` ++1. Create the two core Spring applications for PetClinic: `api-gateway` and `customers-service`. ++ ```azurecli + az spring app create \ + --name api-gateway \ + --runtime-version Java_17 \ + --instance-count 1 \ + --memory 2Gi \ + --assign-endpoint + az spring app create \ + --name customers-service \ + --runtime-version Java_17 \ + --instance-count 1 \ + --memory 2Gi + ``` ++1. Deploy the JAR files built in the previous step. ++ ```azurecli + az spring app deploy \ + --name api-gateway \ + --artifact-path spring-petclinic-api-gateway/target/api-gateway-3.0.1.jar \ + --jvm-options="-Xms2048m -Xmx2048m" + az spring app deploy \ + --name customers-service \ + --artifact-path spring-petclinic-customers-service/target/customers-service-3.0.1.jar \ + --jvm-options="-Xms2048m -Xmx2048m" + ``` ++1. Query the app status after deployments with the following command. ++ ```azurecli + az spring app list --output table + ``` ++ This command produces output similar to the following example: ++ ```output + Name Location ResourceGroup Production Deployment Public Url Provisioning Status CPU Memory Running Instance Registered Instance Persistent Storage + -- - -- -- -- -- + api-gateway eastus xxxxxx-sp default https://<service name>-api-gateway.azuremicroservices.io Succeeded 1 2 1/1 1/1 - + customers-service eastus <service name> default Succeeded 1 2 1/1 1/1 - + ``` ++## Verify the services ++Access `api-gateway` and `customers-service` from a browser with the **Public Url** shown previously, in the format of `https://<service name>-api-gateway.azuremicroservices.io`. +++> [!TIP] +> To troubleshot deployments, you can use the following command to get logs streaming in real time whenever the app is running `az spring app logs --name <app name> --follow`. ++## Deploy extra apps ++To get the PetClinic app functioning with all features like Admin Server, Visits, and Veterinarians, deploy the other apps with following commands: ++```azurecli +az spring app create \ + --name admin-server \ + --runtime-version Java_17 \ + --instance-count 1 \ + --memory 2Gi \ + --assign-endpoint +az spring app create \ + --name vets-service \ + --runtime-version Java_17 \ + --instance-count 1 \ + --memory 2Gi +az spring app create \ + --name visits-service \ + --runtime-version Java_17 \ + --instance-count 1 \ + --memory 2Gi +az spring app deploy \ + --name admin-server \ + --runtime-version Java_17 \ + --artifact-path spring-petclinic-admin-server/target/admin-server-3.0.1.jar \ + --jvm-options="-Xms1536m -Xmx1536m" +az spring app deploy \ + --name vets-service \ + --runtime-version Java_17 \ + --artifact-path spring-petclinic-vets-service/target/vets-service-3.0.1.jar \ + --jvm-options="-Xms1536m -Xmx1536m" +az spring app deploy \ + --name visits-service \ + --runtime-version Java_17 \ + --artifact-path spring-petclinic-visits-service/target/visits-service-3.0.1.jar \ + --jvm-options="-Xms1536m -Xmx1536m" +``` ++#### [Maven](#tab/Maven) ++## Build the Spring applications locally ++Use the following commands to clone the sample repository, navigate to the sample folder, and then build the project. ++```bash +git clone https://github.com/azure-samples/spring-petclinic-microservices +cd spring-petclinic-microservices +mvn clean package -DskipTests -Denv=cloud +``` ++Compiling the project takes 5-10 minutes. When the project is compiled, you should have individual JAR files for each service in their respective folders. ++## Generate configurations and deploy to Azure Spring Apps ++The following steps show you how to generate configurations and deploy to Azure Spring Apps: ++1. Go to the *spring-petclinic-customers-service* folder. Generate configurations by running the following command. If you've already signed-in with Azure CLI, the command automatically picks up the credentials. Otherwise, it signs you in using a prompt with instructions. For more information, see [Authentication](https://github.com/microsoft/azure-maven-plugins/wiki/Authentication) on the [azure-maven-plugins](https://github.com/microsoft/azure-maven-plugins) wiki. ++ ```bash + mvn com.microsoft.azure:azure-spring-apps-maven-plugin:1.17.0:config -DappName=customers-service + ``` ++ You're asked to provide the following values: ++ - **Subscription:** The subscription you used to create an Azure Spring Apps instance. + - **Service Instance:** The name of your Azure Spring Apps instance. + - **Public endpoint:** Whether to assign a public endpoint to the app. Select **No**. ++1. Verify that the `appName` elements in the POM files are correct: ++ ```xml + <build> + <plugins> + <plugin> + <groupId>com.microsoft.azure</groupId> + <artifactId>azure-spring-apps-maven-plugin</artifactId> + <version>1.17.0</version> + <configuration> + <subscriptionId>xxxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx</subscriptionId> + <clusterName>v-spr-cld</clusterName> + <appName>customers-service</appName> + ``` ++ The POM now contains the plugin dependencies and configurations. ++1. Deploy the apps by using the following command: ++ ```bash + mvn azure-spring-apps:deploy + ``` ++1. Go to the *spring-petclinic-api-gateway* folder. Run the following commands to generate the configuration and deploy `api-gateway`. Select **yes** for **Public endpoint**. ++ ```bash + mvn com.microsoft.azure:azure-spring-apps-maven-plugin:1.17.0:config -DappName=api-gateway + mvn azure-spring-apps:deploy + ``` ++## Verify the services ++A successful deployment command returns a URL in the form: `https://<service name>-spring-petclinic-api-gateway.azuremicroservices.io`. Use it to navigate to the running service. ++ :::image type="content" source="media/quickstart-deploy-apps/access-customers-service.png" alt-text="Screenshot of the PetClinic customers service." lightbox="media/quickstart-deploy-apps/access-customers-service.png"::: ++You can also navigate the Azure portal to find the URL. ++1. Navigate to the service. +1. Select **Apps**. +1. Select **api-gateway**. +1. Find the URL on the **api-gateway | Overview** page. ++## Deploy extra apps ++To get the PetClinic app functioning with all sections like Admin Server, Visits, and Veterinarians, you can deploy the other Spring applications. Rerun the configuration command and select the following applications. ++- admin-server +- vets-service +- visits-service ++Correct the app names in each *pom.xml* file for these modules, and then run the `deploy` command again. ++#### [IntelliJ](#tab/IntelliJ) ++## Import sample project in IntelliJ ++Use the following steps to import the sample project in IntelliJ. ++1. Download and unzip the source repository for this tutorial, or clone it using Git: `git clone https://github.com/azure-samples/spring-petclinic-microservices` ++1. Open the IntelliJ **Welcome** dialog and select **Import Project** to open the import wizard. ++1. Select the *spring-petclinic-microservices* folder. ++ :::image type="content" source="media/quickstart-deploy-apps/import-project-1-pet-clinic.png" alt-text="Screenshot of the IntelliJ import wizard showing the PetClinic sample project." lightbox="media/quickstart-deploy-apps/import-project-1-pet-clinic.png"::: ++### Deploy the api-gateway app to Azure Spring Apps ++To deploy to Azure, you must sign in with your Azure account with Azure Toolkit for IntelliJ and choose your subscription. For sign-in details, see [Create a Hello World web app for Azure App Service using IntelliJ](/azure/developer/java/toolkit-for-intellij/create-hello-world-web-app#installation-and-sign-in). ++1. Right-click your project in IntelliJ project explorer, and select **Azure** -> **Deploy to Azure Spring Apps**. ++ :::image type="content" source="media/quickstart-deploy-apps/deploy-to-azure-1-pet-clinic.png" alt-text="Screenshot of the IntelliJ project explorer showing how to deploy the PetClinic sample project." lightbox="media/quickstart-deploy-apps/deploy-to-azure-1-pet-clinic.png"::: ++1. In the **Name** field, append *:api-gateway* to the existing **Name**. +1. In the **Artifact** textbox, select *spring-petclinic-api-gateway-3.0.1*. +1. In the **Subscription** textbox, verify your subscription. +1. In the **Spring Apps** textbox, select the instance of Azure Spring Apps that you created in [Provision Azure Spring Apps instance](./quickstart-provision-service-instance.md). +1. In the **App:** textbox, select **Create app...**. +1. Enter *api-gateway*, then select **OK**. +1. Set **Public Endpoint** to *Enable*. +1. Specify the memory to 2 GB and JVM options: `-Xms2048m -Xmx2048m`. ++ :::image type="content" source="media/quickstart-deploy-apps/memory-jvm-options.png" alt-text="Screenshot of memory and JVM options." lightbox="media/quickstart-deploy-apps/memory-jvm-options.png"::: ++1. In the **Before launch** section of the dialog, double-click **Run Maven Goal**. +1. In the **Working directory** textbox, navigate to the *spring-petclinic-microservices/spring-petclinic-api-gateway* folder. +1. In the **Command line** textbox, enter *package -DskipTests*. Select **OK**. ++ :::image type="content" source="media/quickstart-deploy-apps/deploy-to-azure-spring-apps-2-pet-clinic.png" alt-text="Screenshot of the spring-petclinic-microservices/gateway page and command line textbox." lightbox="media/quickstart-deploy-apps/deploy-to-azure-spring-apps-2-pet-clinic.png"::: ++1. Start the deployment by selecting the **Run** button at the bottom of the **Deploy Azure Spring Apps app** dialog. The plug-in runs the command `mvn package` on the `api-gateway` app and deploys the JAR file generated by the `package` command. ++### Deploy customers-service and other apps to Azure Spring Apps ++Repeat the previous steps to deploy `customers-service` and other Pet Clinic apps to Azure Spring Apps: ++1. Modify the **Name** and **Artifact** to identify the `customers-service` app. +1. In the **App:** textbox, select **Create app...** to create `customers-service` app. +1. Verify that the **Public Endpoint** option is set to *Disabled*. +1. In the **Before launch** section of the dialog, switch the **Working directory** to the *petclinic/customers-service* folder. +1. Start the deployment by selecting the **Run** button at the bottom of the **Deploy Azure Spring Apps app** dialog. ++## Verify the services ++Navigate to the URL of the form: `https://<service name>-spring-petclinic-api-gateway.azuremicroservices.io` ++ :::image type="content" source="media/quickstart-deploy-apps/access-customers-service.png" alt-text="Screenshot of the PetClinic customers service." lightbox="media/quickstart-deploy-apps/access-customers-service.png"::: ++You can also navigate the Azure portal to find the URL. ++1. Navigate to the service +1. Select **Apps** +1. Select **api-gateway** +1. Find the URL on the **api-gateway | Overview** page ++## Deploy extra apps ++Other Spring applications included in this sample can be deployed similarly. ++- admin-server +- vets-service +- visits-service +++## Clean up resources ++If you plan to continue working with subsequent quickstarts and tutorials, you might want to leave these resources in place. When no longer needed, delete the resource group, which deletes the resources in the resource group. To delete the resource group by using Azure CLI, use the following commands: ++```azurecli +echo "Enter the Resource Group name:" && +read resourceGroupName && +az group delete --name $resourceGroupName && +echo "Press [ENTER] to continue ..." +``` ++## Next steps ++> [!div class="nextstepaction"] +> [Quickstart: Set up a Log Analytics workspace](quickstart-setup-log-analytics.md) |
spring-apps | Quickstart Integrate Azure Database Mysql | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/basic-standard/quickstart-integrate-azure-database-mysql.md | + + Title: "Quickstart - Integrate with Azure Database for MySQL" +description: Explains how to provision and prepare an Azure Database for MySQL instance, and then configure Pet Clinic on Azure Spring Apps to use it as a persistent database with only one command. ++++ Last updated : 08/28/2022++++# Quickstart: Integrate Azure Spring Apps with Azure Database for MySQL ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Basic/Standard ❌ Enterprise ++Pet Clinic, as deployed in the default configuration [Quickstart: Build and deploy apps to Azure Spring Apps](./quickstart-deploy-apps.md), uses an in-memory database (HSQLDB) that is populated with data at startup. This quickstart explains how to provision and prepare an Azure Database for MySQL instance and then configure Pet Clinic on Azure Spring Apps to use it as a persistent database. ++## Prerequisites ++An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free). ++## Create an Azure Database for MySQL instance ++Create an Azure Database for MySQL flexible server using the [az mysql flexible-server create](/cli/azure/mysql/flexible-server#az-mysql-flexible-server-create) command. Replace the placeholders `<database-name>`, `<resource-group-name>`, `<MySQL-flexible-server-name>`, `<admin-username>`, and `<admin-password>` with a name for your new database, the name of your resource group, a name for your new server, and an admin username and password. Use single quotes around the value for `admin-password`. ++```azurecli-interactive +az mysql flexible-server create \ + --resource-group <resource-group-name> \ + --name <MySQL-flexible-server-name> \ + --database-name <database-name> \ + --public-access 0.0.0.0 \ + --admin-user <admin-username> \ + --admin-password '<admin-password>' +``` ++> [!NOTE] +> The `Standard_B1ms` SKU is used by default. For pricing details, see [Azure Database for MySQL pricing](https://azure.microsoft.com/pricing/details/mysql/flexible-server/). ++> [!TIP] +> The password should be at least eight characters long and contain at least one English uppercase letter, one English lowercase letter, one number, and one non-alphanumeric character (!, $, #, %, and so on.). ++## Connect your application to the MySQL database ++Use [Service Connector](../../service-connector/overview.md) to connect the app hosted in Azure Spring Apps to your MySQL database. ++> [!NOTE] +> The service binding feature in Azure Spring Apps is being deprecated in favor of Service Connector. ++### [Azure CLI](#tab/azure-cli) ++1. If you're using Service Connector for the first time, start by running the command [az provider register](/cli/azure/provider#az-provider-register) to register the Service Connector resource provider. ++ ```azurecli-interactive + az provider register --namespace Microsoft.ServiceLinker + ``` ++1. Run the `az spring connection create` command to create a service connection between the `customers-service` app and the Azure MySQL database. Replace the placeholders for the following settings with your own information. Use single quotes around the value for MySQL server `secret`. ++ | Setting | Description | + ||| + | `--connection` | The name of the connection that identifies the connection between your app and target service. | + | `--resource-group` | The name of the resource group that contains the app hosted by Azure Spring Apps. | + | `--service` | The name of the Azure Spring Apps resource. | + | `--app` | The name of the application hosted by Azure Spring Apps that connects to the target service. | + | `--target-resource-group` | The name of the resource group with the storage account. | + | `--server` | The MySQL server you want to connect to | + | `--database` | The name of the database you created earlier. | + | `--secret name= secret=` | The MySQL server username and password. | ++ ```azurecli-interactive + az spring connection create mysql-flexible \ + --resource-group <Azure-Spring-Apps-resource-group-name> \ + --service <Azure-Spring-Apps-resource-name> \ + --app customers-service \ + --connection <mysql-connection-name-for-app> \ + --target-resource-group <mySQL-server-resource-group> \ + --server <server-name> \ + --database <database-name> \ + --secret name=<username> secret='<secret>' + ``` ++ > [!TIP] + > If the `az spring` command isn't recognized by the system, check that you have installed the Azure Spring Apps extension by running `az extension add --name spring`. ++### [Azure portal](#tab/azure-portal) ++1. In the Azure portal, type the name of your Azure Spring Apps instance in the search box at the top of the screen and select your instance. +1. Under **Settings**, select **Apps**, and then select the `customers-service` application from the list. +1. Select **Service Connector** from the left table of contents and select **Create**. ++ :::image type="content" source="media/quickstart-integrate-azure-database-mysql/create-service-connection.png" alt-text="Screenshot of the Azure portal, in the Azure Spring Apps instance, create a connection with Service Connector."::: ++1. Select or enter the following settings in the table. ++ | Setting | Example | Description | + ||--|-| + | **Service type** | *DB for MySQL flexible server* | Select DB for MySQL flexible server as your target service | + | **Connection name** | *mysql_9e8af* | The connection name that identifies the connection between your app and target service. Use the connection name provided by Service Connector or enter your own connection name. | + | **Subscription** | *My Subscription* | The subscription that contains your target service. The default value is the subscription that contains the app deployed to Azure Spring Apps. | + | **MySQL flexible server** | *MySQL80* | Select the MySQL flexible server you want to connect to. | + | **MySQL database** | *petclinic* | Select the database you created earlier. | + | **Client type** | *SpringBoot* | Select the application stack that works with the target service you selected. | ++ :::image type="content" source="media/quickstart-integrate-azure-database-mysql/basics-tab.png" alt-text="Screenshot of the Azure portal, filling out the basics tab in Service Connector."::: ++1. Select **Next: Authentication** to select the authentication type. Then select **Connection string > Database credentials** and enter your database username and password. ++1. Select **Next: Networking** to select the network configuration and select **Configure firewall rules to enable access to target service**. Enter your username and password so that your app can reach the database. ++1. Select **Next: Review + Create** to review the provided information. Wait a few seconds for Service Connector to validate the information and select **Create** to create the service connection. ++++Repeat these steps to create connections for the `customers-service`, `vets-service`, and `visits-service` applications. ++## Check connection to MySQL database ++### [Azure CLI](#tab/azure-cli) ++Run the `az spring connection validate` command to show the status of the connection between the `customers-service` app and the Azure MySQL database. Replace the placeholders with your own information. ++```azurecli-interactive +az spring connection validate \ + --resource-group <Azure-Spring-Apps-resource-group-name> \ + --service <Azure-Spring-Apps-resource-name> \ + --app customers-service \ + --connection <mysql-connection-name-for-app> \ + --output table +``` ++The following output is displayed: ++```Output +Name Result Description + -- - +Target resource existence validated. success +Target service firewall validated. success +Username and password validated. success +``` ++> [!TIP] +> To get more details about the connection between your services, remove `--output table` from the above command. ++### [Azure portal](#tab/azure-portal) ++Azure Spring Apps connections are displayed under **Settings > Service Connector**. Select **Validate** to check your connection status, and select **Learn more** to review the connection validation details. +++++Repeat these instructions to validate the connections for the `customers-service`, `vets-service`, and `visits-service` applications. ++## Update apps to use MySQL profile ++The following section explains how to update the apps to connect to the MySQL database. ++### [Azure CLI](#tab/azure-cli) ++Use the following command to set an environment variable to activate the `mysql` profile for the `customers-service` app: ++```azurecli +az spring app update \ + --resource-group <Azure-Spring-Apps-resource-group-name> \ + --service <Azure-Spring-Apps-resource-name> \ + --name customers-service \ + --env SPRING_PROFILES_ACTIVE=mysql +``` ++### [Azure portal](#tab/azure-portal) ++Use the following steps to set an environment variable to activate the `mysql` profile for the `customers-service` app: ++1. Go to the Azure Spring Apps instance overview page, select **Apps** from the navigation menu, and then select the **customers-service** application from the list. ++1. On the **customers-service Overview** page, select **Configuration** from the navigation menu. ++1. On the **Configuration** page, select **Environment variables**. Enter `SPRING_PROFILES_ACTIVE` for **Key**, enter `mysql` for **Value**, and then select **Save**. ++ :::image type="content" source="media/quickstart-integrate-azure-database-mysql/customers-service-app-configuration.png" alt-text="Screenshot of the Azure portal showing the configuration settings for the customers-service app." lightbox="media/quickstart-integrate-azure-database-mysql/customers-service-app-configuration.png"::: ++++Repeat these instructions to update app configuration for the `customers-service`, `vets-service`, and `visits-service` applications. ++## Validate the apps ++To validate the Pet Clinic service and to query records from the MySQL database to confirm the database connection, follow the instructions in the [Verify the services](./quickstart-deploy-apps.md?pivots=programming-language-java#verify-the-services) section of [Quickstart: Build and deploy apps to Azure Spring Apps](quickstart-deploy-apps.md). ++## Clean up resources ++If you plan to continue working with subsequent quickstarts and tutorials, you might want to leave these resources in place. When no longer needed, delete the resource group by using the [az group delete](/cli/azure/group#az-group-delete) command, which deletes the resources in the resource group. Replace `<resource-group>` with the name of your resource group. ++```azurecli +az group delete --name <resource-group> +``` ++## Next steps ++* [Bind an Azure Database for MySQL instance to your application in Azure Spring Apps](../enterprise/how-to-bind-mysql.md?toc=/azure/spring-apps/basic-standard/toc.json&bc=/azure/spring-apps/basic-standard/breadcrumb/toc.json) +* [Use a managed identity to connect Azure SQL Database to an app in Azure Spring Apps](../enterprise/connect-managed-identity-to-azure-sql.md?toc=/azure/spring-apps/basic-standard/toc.json&bc=/azure/spring-apps/basic-standard/breadcrumb/toc.json) |
spring-apps | Quickstart Logs Metrics Tracing | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/basic-standard/quickstart-logs-metrics-tracing.md | + + Title: "Quickstart - Monitoring Azure Spring Apps apps with logs, metrics, and tracing" +description: Use log streaming, log analytics, metrics, and tracing to monitor PetClinic sample apps on Azure Spring Apps. ++++ Last updated : 10/12/2021++zone_pivot_groups: programming-languages-spring-apps +++# Quickstart: Monitoring Azure Spring Apps apps with logs, metrics, and tracing ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Basic/Standard ❌ Enterprise +++With the built-in monitoring capability in Azure Spring Apps, you can debug and monitor complex issues. Azure Spring Apps integrates Steeltoe [distributed tracing](https://docs.steeltoe.io/api/v3/tracing/) with Azure's [Application Insights](../../azure-monitor/app/app-insights-overview.md). This integration provides powerful logs, metrics, and distributed tracing capability from the Azure portal. ++The following procedures explain how to use Log Streaming, Log Analytics, Metrics, and Distributed Tracing with the sample app that you deployed in the preceding quickstarts. ++## Prerequisites ++- Complete the previous quickstarts in this series: ++ - [Provision an Azure Spring Apps service instance](./quickstart-provision-service-instance.md). + - [Quickstart: Set up Spring Cloud Config Server for Azure Spring Apps](./quickstart-setup-config-server.md). + - [Build and deploy apps to Azure Spring Apps](./quickstart-deploy-apps.md). + - [Set up a Log Analytics workspace](./quickstart-setup-log-analytics.md). ++## Logs ++There are two ways to see logs on Azure Spring Apps: **Log Streaming** of real-time logs per app instance or **Log Analytics** for aggregated logs with advanced query capability. ++### Log streaming ++You can use log streaming in the Azure CLI with the following command. ++```azurecli +az spring app logs --name solar-system-weather --follow +``` ++You're shown output similar to the following example: ++```output +=> ConnectionId:0HM2HOMHT82UK => RequestPath:/weatherforecast RequestId:0HM2HOMHT82UK:00000003, SpanId:|e8c1682e-46518cc0202c5fd9., TraceId:e8c1682e-46518cc0202c5fd9, ParentId: => Microsoft.Azure.SpringCloud.Sample.SolarSystemWeather.Controllers.WeatherForecastController.Get (Microsoft.Azure.SpringCloud.Sample.SolarSystemWeather) +Executing action method Microsoft.Azure.SpringCloud.Sample.SolarSystemWeather.Controllers.WeatherForecastController.Get (Microsoft.Azure.SpringCloud.Sample.SolarSystemWeather) - Validation state: Valid +←[40m←[32minfo←[39m←[22m←[49m: Microsoft.Azure.SpringCloud.Sample.SolarSystemWeather.Controllers.WeatherForecastController[0] ++=> ConnectionId:0HM2HOMHT82UK => RequestPath:/weatherforecast RequestId:0HM2HOMHT82UK:00000003, SpanId:|e8c1682e-46518cc0202c5fd9., TraceId:e8c1682e-46518cc0202c5fd9, ParentId: => Microsoft.Azure.SpringCloud.Sample.SolarSystemWeather.Controllers.WeatherForecastController.Get (Microsoft.Azure.SpringCloud.Sample.SolarSystemWeather) +Retrieved weather data from 4 planets +←[40m←[32minfo←[39m←[22m←[49m: Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker[2] ++=> ConnectionId:0HM2HOMHT82UK => RequestPath:/weatherforecast RequestId:0HM2HOMHT82UK:00000003, SpanId:|e8c1682e-46518cc0202c5fd9., TraceId:e8c1682e-46518cc0202c5fd9, ParentId: => Microsoft.Azure.SpringCloud.Sample.SolarSystemWeather.Controllers.WeatherForecastController.Get (Microsoft.Azure.SpringCloud.Sample.SolarSystemWeather) +Executing ObjectResult, writing value of type 'System.Collections.Generic.KeyValuePair`2[[System.String, System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e],[System.String, System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e]][]'. +←[40m←[32minfo←[39m←[22m←[49m: Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker[2] +``` ++> [!TIP] +> Use `az spring app logs -h` to explore more parameters and log stream functionality. ++### Log Analytics ++1. In the Azure portal, go to the **service | Overview** page and select **Logs** in the **Monitoring** section. Select **Run** on one of the sample queries for Azure Spring Apps. ++ :::image type="content" source="media/quickstart-logs-metrics-tracing/logs-entry.png" alt-text="Screenshot of the Logs opening page." lightbox="media/quickstart-logs-metrics-tracing/logs-entry.png"::: ++1. Edit the query to remove the Where clauses that limit the display to warning and error logs. ++1. Select **Run**. You're shown logs. For more information, see [Get started with log queries in Azure Monitor](../../azure-monitor/logs/get-started-queries.md). ++ :::image type="content" source="media/quickstart-logs-metrics-tracing/logs-query-steeltoe.png" alt-text="Screenshot of a Logs Analytics query." lightbox="media/quickstart-logs-metrics-tracing/logs-query-steeltoe.png"::: ++1. To learn more about the query language that's used in Log Analytics, see [Azure Monitor log queries](/azure/data-explorer/kusto/query/). To query all your Log Analytics logs from a centralized client, check out [Azure Data Explorer](/azure/data-explorer/query-monitor-data). ++## Metrics ++1. In the Azure portal, go to the **service | Overview** page and select **Metrics** in the **Monitoring** section. Add your first metric by selecting one of the .NET metrics under **Performance (.NET)** or **Request (.NET)** in the **Metric** drop-down, and `Avg` for **Aggregation** to see the timeline for that metric. ++ :::image type="content" source="media/quickstart-logs-metrics-tracing/metrics-basic-cpu-steeltoe.png" alt-text="Screenshot of the Metrics page." lightbox="media/quickstart-logs-metrics-tracing/metrics-basic-cpu-steeltoe.png"::: ++1. Select **Add filter** in the toolbar, select `App=solar-system-weather` to see CPU usage only for the **solar-system-weather** app. ++ :::image type="content" source="media/quickstart-logs-metrics-tracing/metrics-filter-steeltoe.png" alt-text="Screenshot of adding a filter." lightbox="media/quickstart-logs-metrics-tracing/metrics-filter-steeltoe.png"::: ++1. Dismiss the filter created in the preceding step, select **Apply Splitting**, and select `App` for **Values** to see CPU usage by different apps. ++ :::image type="content" source="media/quickstart-logs-metrics-tracing/metrics-split-steeltoe.png" alt-text="Screenshot of applying splitting." lightbox="media/quickstart-logs-metrics-tracing/metrics-split-steeltoe.png"::: ++## Distributed tracing ++1. In the Azure portal, go to the **service | Overview** page and select **Distributed tracing** in the **Monitoring** section. Then select the **View application map** tab on the right. ++ :::image type="content" source="media/quickstart-logs-metrics-tracing/tracing-entry.png" alt-text="Screenshot of the Distributed tracing page." lightbox="media/quickstart-logs-metrics-tracing/tracing-entry.png"::: ++1. You can now see the status of calls between apps. ++ :::image type="content" source="media/quickstart-logs-metrics-tracing/tracing-overview-steeltoe.png" alt-text="Screenshot of the Application map page." lightbox="media/quickstart-logs-metrics-tracing/tracing-overview-steeltoe.png"::: ++1. Select the link between **solar-system-weather** and **planet-weather-provider** to see more details such as the slowest calls by HTTP methods. ++ :::image type="content" source="media/quickstart-logs-metrics-tracing/tracing-call-steeltoe.png" alt-text="Screenshot of Application map details." lightbox="media/quickstart-logs-metrics-tracing/tracing-call-steeltoe.png"::: ++1. Finally, select **Investigate Performance** to explore more powerful built-in performance analysis. ++ :::image type="content" source="media/quickstart-logs-metrics-tracing/tracing-performance-steeltoe.png" alt-text="Screenshot of Performance page." lightbox="media/quickstart-logs-metrics-tracing/tracing-performance-steeltoe.png"::: ++++With the built-in monitoring capability in Azure Spring Apps, you can debug and monitor complex issues. Azure Spring Apps integrates [Spring Cloud Sleuth](https://spring.io/projects/spring-cloud-sleuth) with Azure's [Application Insights](../../azure-monitor/app/app-insights-overview.md). This integration provides powerful logs, metrics, and distributed tracing capability from the Azure portal. The following procedures explain how to use Log Streaming, Log Analytics, Metrics, and Distributed tracing with deployed PetClinic apps. ++## Prerequisites ++- Complete the previous quickstarts in this series: ++ - [Provision an Azure Spring Apps service instance](./quickstart-provision-service-instance.md). + - [Quickstart: Set up Spring Cloud Config Server for Azure Spring Apps](./quickstart-setup-config-server.md). + - [Build and deploy apps to Azure Spring Apps](./quickstart-deploy-apps.md). + - [Set up a Log Analytics workspace](./quickstart-setup-log-analytics.md). ++## Logs ++There are two ways to see logs on Azure Spring Apps: **Log Streaming** of real-time logs per app instance or **Log Analytics** for aggregated logs with advanced query capability. ++### Log streaming ++#### [CLI](#tab/Azure-CLI) ++You can use log streaming in the Azure CLI with the following command. ++```azurecli +az spring app logs \ + --resource-group <resource-group-name> \ + --service <service-instance-name> \ + --name api-gateway \ + --follow +``` ++You're shown logs like this: +++> [!TIP] +> Use `az spring app logs -h` to explore more parameters and log stream functionalities. ++To learn more about the query language that's used in Log Analytics, see [Azure Monitor log queries](/azure/data-explorer/kusto/query/). To query all your Log Analytics logs from a centralized client, check out [Azure Data Explorer](/azure/data-explorer/query-monitor-data). ++#### [IntelliJ](#tab/IntelliJ) ++To get the logs using Azure Toolkit for IntelliJ: ++1. Select **Azure Explorer**, then **Spring Cloud**. ++1. Right-click the running app. ++1. Select **Streaming Logs** from the drop-down list. ++ ![Select streaming logs](media/quickstart-logs-metrics-tracing/streaming-logs.png) ++1. Select **Instance**. ++ ![Select instance](media/quickstart-logs-metrics-tracing/select-instance.png) ++1. The streaming log is visible in the output window. ++ ![Streaming log output](media/quickstart-logs-metrics-tracing/streaming-log-output.png) ++ To learn more about the query language that's used in Log Analytics, see [Azure Monitor log queries](/azure/data-explorer/kusto/query/). To query all your Log Analytics logs from a centralized client, check out [Azure Data Explorer](/azure/data-explorer/query-monitor-data). ++++### Log Analytics ++1. Go to the **service | Overview** page and select **Logs** in the **Monitoring** section. Select **Run** on one of the sample queries for Azure Spring Apps. ++ :::image type="content" source="media/quickstart-logs-metrics-tracing/logs-entry.png" alt-text="Screenshot of the Logs opening page." lightbox="media/quickstart-logs-metrics-tracing/logs-entry.png"::: ++1. Then you're shown filtered logs. For more information, see [Get started with log queries in Azure Monitor](../../azure-monitor/logs/get-started-queries.md). ++ :::image type="content" source="media/quickstart-logs-metrics-tracing/logs-query.png" alt-text="Screenshot of filtered logs." lightbox="media/quickstart-logs-metrics-tracing/logs-query.png"::: ++## Metrics ++Navigate to the `Application insights` blade, and then navigate to the `Metrics` blade. You can see metrics contributed by Spring Boot apps, Spring modules, and dependencies. ++The following chart shows `gateway-requests` (Spring Cloud Gateway), `hikaricp_connections` (JDBC Connections), and `http_client_requests`. +++Spring Boot registers several core metrics, including JVM, CPU, Tomcat, and Logback. The Spring Boot autoconfiguration enables the instrumentation of requests handled by Spring MVC. All three REST controllers (`OwnerResource`, `PetResource`, and `VisitResource`) are instrumented by the `@Timed` Micrometer annotation at the class level. ++The `customers-service` application has the following custom metrics enabled: ++- @Timed: `petclinic.owner` +- @Timed: `petclinic.pet` ++The `visits-service` application has the following custom metrics enabled: ++- @Timed: `petclinic.visit` ++You can see these custom metrics in the `Metrics` blade: +++You can use the Availability Test feature in Application Insights and monitor the availability of applications: +++Navigate to the `Live Metrics` blade to can see live metrics with low latencies (less than one second): +++## Tracing ++Open the Application Insights created by Azure Spring Apps and start monitoring Spring applications. ++Navigate to the `Application Map` blade: +++Navigate to the `Performance` blade: +++Navigate to the `Performance/Dependenices` blade - you can see the performance number for dependencies, particularly SQL calls: +++Select a SQL call to see the end-to-end transaction in context: +++Navigate to the `Failures/Exceptions` blade - you can see a collection of exceptions: +++Select an exception to see the end-to-end transaction and stacktrace in context: ++++## Clean up resources ++If you plan to continue working with subsequent quickstarts and tutorials, you might want to leave these resources in place. When no longer needed, delete the resource group, which deletes the resources in the resource group. To delete the resource group by using Azure CLI, use the following commands: ++```azurecli +echo "Enter the Resource Group name:" && +read resourceGroupName && +az group delete --name $resourceGroupName && +echo "Press [ENTER] to continue ..." +``` ++In an earlier quickstart, you also set the default resource group name. If you don't intend to continue to the next quickstart, clear out that default by running the following CLI command: ++```azurecli +az config set defaults.group= +``` ++## Next steps ++To explore more monitoring capabilities of Azure Spring Apps, see: ++> [!div class="nextstepaction"] +> [Analyze logs and metrics with diagnostics settings](../enterprise/diagnostic-services.md?toc=/azure/spring-apps/basic-standard/toc.json&bc=/azure/spring-apps/basic-standard/breadcrumb/toc.json) +> [Stream Azure Spring Apps app logs in real-time](../enterprise/how-to-log-streaming.md?toc=/azure/spring-apps/basic-standard/toc.json&bc=/azure/spring-apps/basic-standard/breadcrumb/toc.json) |
spring-apps | Quickstart Provision Service Instance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/basic-standard/quickstart-provision-service-instance.md | + + Title: "Quickstart - Provision an Azure Spring Apps service" +description: Describes creation of an Azure Spring Apps service instance for app deployment. ++++ Last updated : 7/28/2022++zone_pivot_groups: programming-languages-spring-apps +++# Provision an Azure Spring Apps service instance ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ❌ Standard consumption and dedicated (Preview) ✔️ Basic/Standard ❌ Enterprise ++This article shows you how to provision a Basic or Standard plan Azure Spring Apps service instance. ++Azure Spring Apps supports multiple plans. For more information, see [Quotas and service plans for Azure Spring Apps](../enterprise/quotas.md?toc=/azure/spring-apps/basic-standard/toc.json&bc=/azure/spring-apps/basic-standard/breadcrumb/toc.json). To learn how to create service instances for other plans, see the following articles: ++- [Quickstart: Provision an Azure Spring Apps Standard consumption and dedicated plan service instance](../consumption-dedicated/quickstart-provision-standard-consumption-service-instance.md) +- [Migrate an Azure Spring Apps Basic or Standard plan instance to the Enterprise plan](../enterprise/how-to-migrate-standard-tier-to-enterprise-tier.md?toc=/azure/spring-apps/basic-standard/toc.json&bc=/azure/spring-apps/basic-standard/breadcrumb/toc.json) ++## Prerequisites ++- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. +- (Optional) [Azure CLI version 2.45.0 or higher](/cli/azure/install-azure-cli). ++## Provision an instance of Azure Spring Apps ++Use the following steps to create an instance of Azure Spring Apps: ++#### [Azure portal](#tab/Azure-portal) ++1. In a new browser tab, open the [Azure portal](https://portal.azure.com/). ++1. Using the search box, search for *Azure Spring Apps*. ++1. Select **Azure Spring Apps** from the search results. ++ :::image type="content" source="media/quickstart-provision-service-instance/spring-apps-start.png" alt-text="Screenshot of Azure portal showing Azure Spring Apps service in search results." lightbox="media/quickstart-provision-service-instance/spring-apps-start.png"::: ++1. On the Azure Spring Apps page, select **Create**. ++ :::image type="content" source="media/quickstart-provision-service-instance/spring-apps-create.png" alt-text="Screenshot of Azure portal showing Azure Spring Apps resource with Create button highlighted."::: ++1. Fill out the form on the Azure Spring Apps **Create** page. Consider the following guidelines: ++ - **Subscription**: Select the subscription you want to be billed for this resource. + - **Resource group**: Creating new resource groups for new resources is a best practice. You use this value in later steps as `<resource-group-name>`. + - **Service Details/Name**: Specify the `<service-instance-name>`. The name must be between 4 and 32 characters long and can contain only lowercase letters, numbers, and hyphens. The first character of the service name must be a letter and the last character must be either a letter or a number. + - **Location**: Select the location for your service instance. + - **Zone Redundant**: Select to create your service instance with an availability zone. + - Select **Standard** for the **Pricing tier** option. ++ :::image type="content" source="media/quickstart-provision-service-instance/portal-start.png" alt-text="Screenshot of Azure portal showing the Azure Spring Apps Create page." lightbox="media/quickstart-provision-service-instance/portal-start.png"::: ++1. Select **Review and create**. ++#### [Azure CLI](#tab/Azure-CLI) ++1. Use the following command to add or update the Azure Spring Apps extension for the Azure CLI: ++ ```azurecli + az extension add --upgrade --name spring + ``` ++1. Use the following commands to sign in to the Azure CLI and choose your active subscription. If you have access to only one subscription, you can skip the `az account set` command. ++ ```azurecli + az login + az account list --output table + az account set --subscription <subscription-name-or-ID> + ``` ++1. Prepare a name for your Azure Spring Apps service. The name must be between 4 and 32 characters long and can contain only lowercase letters, numbers, and hyphens. The first character of the service name must be a letter and the last character must be either a letter or a number. ++1. use the following commands to create a resource group to contain your Azure Spring Apps service instance, and to create the service instance: ++ ```azurecli + az group create \ + --name <resource-group-name> \ + --location <resource-group-region> + az spring create \ + --resource-group <resource-group-name> \ + --name <service-instance-name> + ``` ++++## Clean up resources ++If you plan to continue working with subsequent tutorials, you might want to leave these resources in place. When no longer needed, delete the resource group, which deletes the resources in the resource group. To delete the resource group by using Azure CLI, use the following commands: ++```azurecli +az group delete --name <resource-group-name> +``` ++## Next steps ++> [!div class="nextstepaction"] +> [Quickstart: Set up Azure Spring Apps Config Server](./quickstart-setup-config-server.md) |
spring-apps | Quickstart Setup Config Server | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/basic-standard/quickstart-setup-config-server.md | + + Title: "Quickstart: Set up Spring Cloud Config Server for Azure Spring Apps" +description: Describes the setup of Azure Spring Apps Config Server for app deployment. ++++ Last updated : 7/19/2022++zone_pivot_groups: programming-languages-spring-apps +++# Quickstart: Set up Spring Cloud Config Server for Azure Spring Apps ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Basic/Standard ❌ Enterprise ++Config Server is a centralized configuration service for distributed systems. It uses a pluggable repository layer that currently supports local storage, Git, and Subversion. In this quickstart, you set up the Config Server to get data from a Git repository. +++## Prerequisites ++- Completion of the previous quickstart in this series: [Provision Azure Spring Apps service](./quickstart-provision-service-instance.md). +- Azure Spring Apps Config Server is only applicable to the Basic or Standard plan. ++## Config Server procedures ++Set up your Config Server with the location of the git repository for the project by running the following command. Replace *\<service instance name>* with the name of the service you created earlier. The default value for service instance name that you set in the preceding quickstart doesn't work with this command. ++```azurecli +az spring config-server git set -n <service instance name> --uri https://github.com/Azure-Samples/azure-spring-apps-samples --search-paths steeltoe-sample/config +``` ++This command tells Config Server to find the configuration data in the [steeltoe-sample/config](https://github.com/Azure-Samples/azure-spring-apps-samples/tree/main/steeltoe-sample/config) folder of the sample app repository. Since the name of the app that gets the configuration data is `planet-weather-provider`, the file that's used is [planet-weather-provider.yml](https://github.com/Azure-Samples/azure-spring-apps-samples/blob/main/steeltoe-sample/config/planet-weather-provider.yml). ++++## Prerequisites ++- [JDK 17](/azure/developer/java/fundamentals/java-jdk-install) +- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. +- Optionally, [Azure CLI version 2.45.0 or higher](/cli/azure/install-azure-cli). Install the Azure Spring Apps extension with the following command: `az extension add --upgrade --name spring` +- Optionally, [the Azure Toolkit for IntelliJ](https://plugins.jetbrains.com/plugin/8053-azure-toolkit-for-intellij/). ++## Config Server procedures ++#### [Azure portal](#tab/Azure-portal) ++The following procedure sets up the Config Server using the Azure portal to deploy the [PetClinic sample](https://github.com/azure-samples/spring-petclinic-microservices). ++1. Go to the service **Overview** page and select **Config Server**. ++1. In the **Default repository** section, set **URI** to `https://github.com/azure-samples/spring-petclinic-microservices-config`. ++1. Select **Validate**. Validation checks the schema and accessibility of your git repo to make sure it's correct. ++ :::image type="content" source="media/quickstart-setup-config-server/portal-config.png" alt-text="Screenshot of Azure portal showing Config Server page." lightbox="media/quickstart-setup-config-server/portal-config.png"::: ++1. When validation is complete, select **Apply** to save your changes. ++ :::image type="content" source="media/quickstart-setup-config-server/validate-complete.png" alt-text="Screenshot of Azure portal showing Config Server page with Apply button highlighted." lightbox="media/quickstart-setup-config-server/validate-complete.png"::: ++Updating the configuration can take a few minutes. You should get a notification when the configuration is complete. ++#### [Azure CLI](#tab/Azure-CLI) ++The following procedure uses the Azure CLI to set up Config Server to deploy the [Pet Clinic sample](https://github.com/azure-samples/spring-petclinic-microservices). ++Run the following command to set the Default repository. ++```azurecli +az spring config-server git set -n <service instance name> --uri https://github.com/azure-samples/spring-petclinic-microservices-config +``` +++> [!TIP] +> For information on using a private repository for Config Server, see [Configure a managed Spring Cloud Config Server in Azure Spring Apps](./how-to-config-server.md). ++## Troubleshooting of Azure Spring Apps Config Server ++The following procedure explains how to troubleshoot Config Server settings. ++1. In the Azure portal, go to the service **Overview** page and select **Logs**. ++1. In the **Queries** pane under **Show the application logs that contain the "error" or "exception" terms**, + select **Run**. ++ :::image type="content" source="media/quickstart-setup-config-server/setup-config-server-query.png" alt-text="Screenshot of Azure portal showing Azure Spring Apps query." lightbox="media/quickstart-setup-config-server/setup-config-server-query.png"::: ++ The following error in the logs indicates that the Spring Apps service can't locate properties from Config Server: `java.lang.illegalStateException` ++1. Go to the service **Overview** page. ++1. Select **Diagnose and solve problems**. ++1. Under **Availability and Performance**, select **Troubleshoot**. ++ :::image type="content" source="media/quickstart-setup-config-server/setup-config-server-diagnose.png" alt-text="Screenshot of Azure portal showing Diagnose and solve problems page." lightbox="media/quickstart-setup-config-server/setup-config-server-diagnose.png"::: ++ Azure portal displays the **Availability and Performance** page, which provides various information about Config Server health status. ++## Clean up resources ++If you plan to continue working with subsequent quickstarts and tutorials, you might want to leave these resources in place. When you no longer need it, delete the resource group, which deletes the resources in the resource group. To delete the resource group, enter the following commands in the Azure CLI: ++```azurecli +echo "Enter the Resource Group name:" && +read resourceGroupName && +az group delete --name $resourceGroupName && +echo "Press [ENTER] to continue ..." +``` ++## Next steps ++> [!div class="nextstepaction"] +> [Quickstart: Build and deploy apps to Azure Spring Apps](quickstart-deploy-apps.md) |
spring-apps | Quickstart Setup Log Analytics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/basic-standard/quickstart-setup-log-analytics.md | + + Title: "Quickstart - Set up a Log Analytics workspace in Azure Spring Apps" +description: This article describes the setup of a Log Analytics workspace for app deployment. ++++ Last updated : 12/09/2021++ms.devlang: azurecli +++# Quickstart: Set up a Log Analytics workspace ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Basic/Standard ❌ Enterprise ++This quickstart explains how to set up a Log Analytics workspace in Azure Spring Apps for application development. ++Log Analytics is a tool in the Azure portal that's used to edit and run log queries with data in Azure Monitor Logs. You can write a query that returns a set of records and then use features of Log Analytics to sort, filter, and analyze those records. You can also write a more advanced query to do statistical analysis and visualize the results in a chart to identify particular trends. Whether you work with the results of your queries interactively or use them with other Azure Monitor features, Log Analytics is the tool that you use to write and test queries. ++You can set up Azure Monitor Logs for your application in Azure Spring Apps to collect logs and run log queries via Log Analytics. ++## Prerequisites ++Complete the previous quickstart in this series: [Provision an Azure Spring Apps service](./quickstart-provision-service-instance.md). ++#### [Portal](#tab/Azure-Portal) ++## Create a Log Analytics workspace ++To create a workspace, follow the steps in [Create a Log Analytics workspace in the Azure portal](../../azure-monitor/logs/quick-create-workspace.md). ++## Set up Log Analytics for a new service ++In the wizard for creating an Azure Spring Apps service instance, you can configure the **Log Analytics workspace** field with an existing workspace or create one. +++## Set up Log Analytics for an existing service ++1. In the Azure portal, go to the **Diagnostic settings** section under **Monitoring**. ++ :::image type="content" source="media/quickstart-setup-log-analytics/diagnostic-settings-entry.png" alt-text="Screenshot that shows the location of diagnostic settings." lightbox="media/quickstart-setup-log-analytics/diagnostic-settings-entry.png"::: ++1. If no settings exist, select **Add diagnostic setting**. You can also select **Edit setting** to update existing settings. ++1. Fill out the form on the **Diagnostic setting** page: ++ - **Diagnostic setting name**: Set a unique name for the configuration. + - **Logs** > **Categories**: Select **ApplicationConsole** and **SystemLogs**. For more information on log categories and contents, see [Create diagnostic settings to send Azure Monitor platform logs and metrics to different destinations](../../azure-monitor/essentials/diagnostic-settings.md). + - **Destination details**: Select **Send to Log Analytics workspace** and specify the Log Analytics workspace that you created previously. ++ :::image type="content" source="media/quickstart-setup-log-analytics/diagnostic-settings-edit-form.png" alt-text="Screenshot that shows an example of set-up diagnostic settings." lightbox="media/quickstart-setup-log-analytics/diagnostic-settings-edit-form.png"::: ++1. Select **Save**. ++#### [CLI](#tab/Azure-CLI) ++## Create a Log Analytics workspace ++Use the following commands to create a Log Analytics workspace and get the workspace ID: ++```azurecli +az monitor log-analytics workspace create \ + --workspace-name <new-workspace-name> \ + --resource-group <your-resource-group> \ + --location <your-service-region> \ + --query id --output tsv +``` ++If you have an existing workspace, you can get the workspace ID by using the following commands: ++```azurecli +az monitor log-analytics workspace show \ + --resource-group <your-resource-group> \ + --workspace-name <workspace-name> \ + --query id --output tsv +``` ++## Set up Log Analytics for a new service ++Setting up for a new service isn't applicable when you're using the Azure CLI. ++## Set up Log Analytics for an existing service ++1. Get the instance ID for the Azure Spring Apps service: ++ ```azurecli + az spring show \ + --name <spring-cloud-service-name> \ + --resource-group <your-resource-group> \ + --query id --output tsv + ``` ++1. Configure the diagnostic settings. For more information on log categories and contents, see [Create diagnostic settings to send Azure Monitor platform logs and metrics to different destinations](../../azure-monitor/essentials/diagnostic-settings.md). ++ ```azurecli + az monitor diagnostic-settings create \ + --name "<new-name-for-settings>" \ + --resource "<service-instance-id>" \ + --workspace "<workspace-id>" \ + --logs '[ + { + "category": "ApplicationConsole", + "enabled": true, + "retentionPolicy": { + "enabled": false, + "days": 0 + } + }, + { + "category": "SystemLogs", + "enabled": true, + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ]' + ``` ++++## Clean up resources ++If you plan to continue working with subsequent quickstarts and tutorials, you might want to leave these resources in place. When no longer needed, delete the resource group, which deletes the resources in the resource group. To delete the resource group by using Azure CLI, use the following commands: ++```azurecli +echo "Enter the Resource Group name:" && +read resourceGroupName && +az group delete --name $resourceGroupName && +echo "Press [ENTER] to continue ..." +``` ++## Next steps ++> [!div class="nextstepaction"] +> [Quickstart: Monitoring Azure Spring Apps apps with logs, metrics, and tracing](./quickstart-logs-metrics-tracing.md) |
spring-apps | Concept Metrics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/concept-metrics.md | - Title: Metrics for Azure Spring Apps -description: Learn how to review metrics in Azure Spring Apps --- Previously updated : 09/08/2020-----# Metrics for Azure Spring Apps --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise --Azure Metrics explorer is a component of the Microsoft Azure portal that allows plotting charts, visually correlating trends, and investigating spikes and dips in metrics. Use the metrics explorer to investigate the health and utilization of your resources. --In an Azure Spring Apps instance, you can view metrics on the following pages: --* The application overview page, which shows quick status charts. To view this page, select **Apps** from the navigation pane, and then select an app. --* The common metrics page, which shows common metrics available to all apps in the Azure Spring Apps instance. For the Enterprise plan, it also shows common metrics for Tanzu Spring Cloud Gateway. To view this page, select **Metrics** from the navigation pane. You can build your own charts in the common metrics page and pin them to your Dashboard. ---## Application overview page --Select **Apps** in the navigation pane and then select an app from the list. The app overview page presents metrics charts that enable you to perform a quick status check of your application. ---Azure Spring Apps provides these five charts with metrics that are updated every minute: --* **Http Server Errors**: Error count for HTTP requests to your app -* **Data In**: Bytes received by your app -* **Data Out**: Bytes sent by your app -* **Requests**: Requests received by your app -* **Average Response Time**: Average response time from your app --For the chart, you can select a time range from one hour to seven days. --## Common metrics page --Select **Metrics** in the navigation pane to access common metrics. Select a metric to use from the **Metric** dropdown. ---For metric details, see the [User metric options](#user-metrics-options) section. --Next, select the aggregation type for each metric: ---The aggregation type indicates how to aggregate metric points in the chart by time. There's one raw metric point every minute, and the pre-aggregation type within a minute is pre-defined by metrics type. --* Sum: Sum all values as target output. -* Average: Use the Average value in the period as target output. -* Max/Min: Use the Max/Min value in the period as target output. --The time range can also be adjusted from last 30 minutes to last 30 days or a custom time range. ---The default view includes all of an Azure Spring Apps service's application's metrics together. Metrics of one app or instance can be filtered in the display. Select **Add filter**, set the property to **App**, and select the target application you want to monitor in the **Values** text box. --You can use two kinds of filters (properties): --* App: filter by app name -* Instance: filter by app instance -* Deployment: filter by deployment name ---You can also use the **Apply splitting** option, which draws multiple lines for one app: --->[!TIP] -> You can build your own charts on the metrics page and pin them to your **Dashboard**. Start by naming your chart. Next, select **Pin to dashboard in the top right corner**. You can now check on your application at your Portal **Dashboard**. --## User metrics options --> [!NOTE] -> For Spring Boot applications, to see metrics from Spring Boot Actuator, add the `spring-boot-starter-actuator` dependency. For more information, see the [Add actuator dependency](concept-manage-monitor-app-spring-boot-actuator.md#add-actuator-dependency) section of [Manage and monitor app with Spring Boot Actuator](concept-manage-monitor-app-spring-boot-actuator.md). --The following tables show the available metrics and details. --### Error -->[!div class="mx-tdCol2BreakAll"] ->| Name | Spring Boot Actuator metric name | Unit | Description | ->|-|-|-|| ->| `tomcat.global.error` | `tomcat.global.error` | Count | Number of errors that occurred in processed requests. | --### Performance -->[!div class="mx-tdCol2BreakAll"] ->| Name | Spring Boot Actuator metric name | Unit | Description | ->|-|-|-|| ->| `system.cpu.usage` | `system.cpu.usage` | Percent | Recent CPU usage for the whole system (Obsolete and don't suggest using it). This value is a double in the [0.0,1.0] interval. A value of 0.0 means that all CPUs were idle during the recent period of time observed, while a value of 1.0 means that all CPUs were actively running 100% of the time during the recent period being observed.| ->| `process.cpu.usage` | App CPU Usage Percentage | Percent | Recent CPU usage for the Java Virtual Machine process (Obsolete and don't suggest using it). This value is a double in the [0.0,1.0] interval. A value of 0.0 means that none of the CPUs were running threads from the JVM process during the recent period of time observed, while a value of 1.0 means that all CPUs were actively running threads from the JVM 100% of the time during the recent period being observed. Threads from the JVM include the application threads as well as the JVM internal threads.| ->| App CPU Usage | | Percent | Recent CPU usage of the JVM process against the CPU allocated to this app. This value is a double in the [0.0,1.0] interval. A value of 0.0 means that none of the CPUs were running threads from the JVM process during the recent period of time observed, while a value of 1.0 means that all CPUs were actively running threads from the JVM 100% of the time during the recent period being observed. Threads from the JVM include the application threads as well as the JVM internal threads.| ->| App CPU Usage (Deprecated) | | Percent | Deprecated metric of App CPU Usage. Use the new App CPU Usage metric instead.| ->| App Memory Usage | | Percent | Recent memory usage of the JVM process against the memory allocated to this app. This value is a double in the [0.0,1.0] interval. A value of 0.0 means that none of the memory was allocated by threads from the JVM process during the recent period of time observed, while a value of 1.0 means that all memory was allocated by threads from the JVM 100% of the time during the recent period being observed. Threads from the JVM include the application threads as well as the JVM internal threads.| ->| `jvm.memory.committed` | `jvm.memory.committed` | Bytes | Represents the amount of memory that is guaranteed to be available for use by the JVM. The JVM may release memory to the system and committed could be less than init. committed will always be greater than or equal to used. | ->| `jvm.memory.used` | `jvm.memory.used` | Bytes | Represents the amount of memory currently used in bytes. | ->| `jvm.memory.max` | `jvm.memory.max` | Bytes | Represents the maximum amount of memory that can be used for memory management. The amount of used and committed memory will always be less than or equal to max if max is defined. A memory allocation may fail if it attempts to increase the used memory such that used > committed even if used <= max would still be true (for example, when the system is low on virtual memory). | ->| `jvm.gc.max.data.size` | `jvm.gc.max.data.size` | Bytes | The peak memory usage of the old generation memory pool since the Java virtual machine was started. | ->| `jvm.gc.live.data.size` | `jvm.gc.live.data.size` | Bytes | Size of old generation memory pool after a full garbage collection (GC). | ->| `jvm.gc.memory.promoted` | `jvm.gc.memory.promoted` | Bytes | Count of positive increases in the size of the old generation memory pool before GC to after GC. | ->| `jvm.gc.memory.allocated` | `jvm.gc.memory.allocated` | Bytes | Incremented for an increase in the size of the young generation memory pool after one GC to before the next. | ->| `jvm.gc.pause.total.count` | `jvm.gc.pause` (total-count) | Count | Total GC count after this JMV started, including Young and Old GC. | ->| `jvm.gc.pause.total.time` | `jvm.gc.pause` (total-time) | Milliseconds | Total GC time consumed after this JMV started, including Young and Old GC. | --### Performance (.NET) -->[!div class="mx-tdCol2BreakAll"] ->| Name | Spring Boot Actuator metric name | Unit | Description | ->||--||| ->| CPU usage | `cpu-usage` | Percent | The percent of the process's CPU usage relative to all of the system CPU resources [0-100]. | ->| Working set | `working-set` | Megabytes | Amount of working set used by the process. | ->| GC heap size | `gc-heap-size` | Megabytes | Total heap size reported by the garbage collector. | ->| Gen 0 GC count | `gen-0-gc-count` | Count | Number of Generation 0 garbage collections per second. | ->| Gen 1 GC count | `gen-1-gc-count` | Count | Number of Generation 1 garbage collections per second. | ->| Gen 2 GC count | `gen-2-gc-count` | Count | Number of Generation 2 garbage collections per second. | ->| Time in GC | `timein-gc` | Percent | The percent of time in garbage collection since the last garbage collection. | ->| Gen 0 heap size | `gen-0-size` | Bytes | Generation 0 heap size. | ->| Gen 1 heap size | `gen-1-size` | Bytes | Generation 1 heap size. | ->| Gen 2 heap size | `gen-2-size` | Bytes | Generation 2 heap size. | ->| LOH heap size | `loh-size` | Bytes | Large Object Heap heap size. | ->| Allocation rate | `alloc-rate` | Bytes | Number of bytes allocated per second. | ->| Assembly count | `assembly-count` | Count | Number of assemblies loaded. | ->| Exception count | `exception-count` | Count | Number of exceptions per second. | ->| Thread pool thread count | `threadpool-thread-count` | Count | Number of thread pool threads. | ->| Monitor lock contention count | `monitor-lock-contention-count` | Count | The number of times per second there was contention when trying to take a monitor's lock. | ->| Thread pool queue length | `threadpool-queue-length` | Count | Thread pool work items queue length. | ->| Thread pool completed items count | `threadpool-completed-items-count` | Count | Thread pool completed work items count. | ->| Active timers count | `active-timer-count` | Count | The number of timers that are currently active. An active timer is one that is registered to tick at some point in the future, and has not yet been canceled. | --For more information, see [Investigate performance counters (dotnet-counters)](/dotnet/core/diagnostics/dotnet-counters). --### Request -->[!div class="mx-tdCol2BreakAll"] ->| Name | Spring Boot Actuator metric name | Unit | Description | ->|-|-|-|| ->| `tomcat.global.sent` | `tomcat.global.sent` | Bytes | Amount of data Tomcat web server sent. | ->| `tomcat.global.received` | `tomcat.global.received` | Bytes | Amount of data Tomcat web server received. | ->| `tomcat.global.request.total.count` | `tomcat.global.request` (total-count) | Count | Total count of Tomcat web server processed requests. | ->| `tomcat.global.request.max` | `tomcat.global.request.max` | Milliseconds | Maximum time of Tomcat web server to process a request. | --### Request (.NET) -->[!div class="mx-tdCol2BreakAll"] ->| Name | Spring Boot Actuator metric name | Unit | Description | ->||--||| ->| Requests per second | `requests-per-second` | Count | Request rate. | ->| Total requests | `total-requests` | Count | Total number of requests. | ->| Current requests | `current-requests` | Count | Number of current requests. | ->| Failed requests | `failed-requests` | Count | Number of failed requests. | --For more information, see [Investigate performance counters (dotnet-counters)](/dotnet/core/diagnostics/dotnet-counters). --### Session -->[!div class="mx-tdCol2BreakAll"] ->| Name | Spring Boot Actuator metric name | Unit | Description | ->|-|-|-|| ->| `tomcat.sessions.active.max` | `tomcat.sessions.active.max` | Count | Maximum number of sessions that have been active at the same time. | ->| `tomcat.sessions.alive.max` | `tomcat.sessions.alive.max` | Milliseconds | Longest time (in seconds) that an expired session was alive. | ->| `tomcat.sessions.created` | `tomcat.sessions.created` | Count | Number of sessions that have been created. | ->| `tomcat.sessions.expired` | `tomcat.sessions.expired` | Count | Number of sessions that have expired. | ->| `tomcat.sessions.rejected` | `tomcat.sessions.rejected` | Count | Number of sessions that were not created because the maximum number of active sessions reached. | ->| `tomcat.sessions.active.current` | `tomcat.sessions.active.current` | Count | Tomcat Session Active Count. | --### Ingress -->[!div class="mx-tdCol2BreakAll"] ->| Display name | Azure metric name | Unit | Description | ->|--|--|-|-| ->| Bytes Received | `IngressBytesReceived` | Bytes | Count of bytes received by Azure Spring Apps from the clients. | ->| Bytes Sent | `IngressBytesSent` | Bytes | Count of bytes sent by Azure Spring Apps to the clients. | ->| Requests | `IngressRequests` | Count | Count of requests by Azure Spring Apps from the clients. | ->| Failed Requests | `IngressFailedRequests` | Count | Count of failed requests by Azure Spring Apps from the clients. | ->| Response Status | `IngressResponseStatus` | Count | HTTP response status returned by Azure Spring Apps. The response status code distribution can be further categorized to show responses in 2xx, 3xx, 4xx, and 5xx categories. | ->| Response Time | `IngressResponseTime` | Seconds | Http response time return by Azure Spring Apps. | ->| Throughput In (bytes/s) | `IngressBytesReceivedRate`| BytesPerSecond | Bytes received per second by Azure Spring Apps from the clients. | ->| Throughput Out (bytes/s) | `IngressBytesSentRate` | BytesPerSecond | Bytes sent per second by Azure Spring Apps to the clients. | --### Gateway --The following table applies to the Tanzu Spring Cloud Gateway in Enterprise plan only. -->[!div class="mx-tdCol2BreakAll"] ->| Display name | Azure metric name | Unit | Description | ->| | - | | - | ->| `jvm.gc.live.data.size` | `GatewayJvmGcLiveDataSizeBytes` | Bytes | Size of old generation memory pool after a full GC. | ->| `jvm.gc.max.data.size` | `GatewayJvmGcMaxDataSizeBytes` | Bytes | Max size of old generation memory pool. | ->| `jvm.gc.memory.promoted` | `GatewayJvmGcMemoryPromotedBytesTotal` | Bytes | Count of positive increases in the size of the old generation memory pool before GC to after GC. | ->| `jvm.gc.pause.max.time` | `GatewayJvmGcPauseSecondsMax` | Seconds | GC Pause Max Time. | ->| `jvm.gc.pause.total.count` | `GatewayJvmGcPauseSecondsCount` | Count | GC Pause Count. | ->| `jvm.gc.pause.total.time` | `GatewayJvmGcPauseSecondsSum` | Seconds | GC Pause Total Time. | ->| `jvm.memory.committed` | `GatewayJvmMemoryCommittedBytes` | Bytes | Memory assigned to JVM in bytes. | ->| `jvm.memory.used` | `GatewayJvmMemoryUsedBytes` | Bytes | Memory Used in bytes. | ->| Max time of requests | `GatewayHttpServerRequestsMilliSecondsMax` | Milliseconds | The max time of requests. | ->| `process.cpu.usage` | `GatewayProcessCpuUsage` | Percent | The recent CPU usage for the JVM process. | ->| Request count | `GatewayHttpServerRequestsSecondsCount` | Count | The number of requests. | ->| `system.cpu.usage` | `GatewaySystemCpuUsage` | Percent | The recent CPU usage for the whole system. | ->| Throttled requests count | `GatewayRatelimitThrottledCount` | Count | The count of the throttled requests. | --## Next steps --* [Quickstart: Monitoring Azure Spring Apps apps with logs, metrics, and tracing](./quickstart-logs-metrics-tracing.md) -* [Analyze metrics with Azure Monitor metrics explorer](../azure-monitor/essentials/analyze-metrics.md) -* [Analyze logs and metrics with diagnostics settings](./diagnostic-services.md) -* [Tutorial: Monitor Spring app resources using alerts and action groups](./tutorial-alerts-action-groups.md) -* [Quotas and Service Plans for Azure Spring Apps](./quotas.md) |
spring-apps | Concept Security Controls | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/concept-security-controls.md | - Title: Security controls for Azure Spring Apps Service -description: Use security controls built in into Azure Spring Apps Service. ---- Previously updated : 04/23/2020----# Security controls for Azure Spring Apps Service --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise --Security controls are built into Azure Spring Apps Service. --A security control is a quality or feature of an Azure service that contributes to the service's ability to prevent, detect, and respond to security vulnerabilities. For each control, we use *Yes* or *No* to indicate whether it is currently in place for the service. We use *N/A* for a control that is not applicable to the service. --**Data protection security controls** --| Security control | Yes/No | Notes | Documentation | -|:-|:-|:-|:-| -| Server-side encryption at rest: Microsoft-managed keys | Yes | User uploaded source and artifacts, config server settings, app settings, and data in persistent storage are stored in Azure Storage, which automatically encrypts the content at rest.<br><br>Config server cache, runtime binaries built from uploaded source, and application logs during the application lifetime are saved to Azure managed disk, which automatically encrypts the content at rest.<br><br>Container images built from user uploaded source are saved in Azure Container Registry, which automatically encrypts the image content at rest. | [Azure Storage encryption for data at rest](../storage/common/storage-service-encryption.md)<br><br>[Server-side encryption of Azure managed disks](../virtual-machines/disk-encryption.md)<br><br>[Container image storage in Azure Container Registry](../container-registry/container-registry-storage.md) | -| Encryption in transient | Yes | User app public endpoints use HTTPS for inbound traffic by default. | | -| API calls encrypted | Yes | Management calls to configure Azure Spring Apps service occur via Azure Resource Manager calls over HTTPS. | [Azure Resource Manager](../azure-resource-manager/index.yml) | -| Customer Lockbox | Yes | Provide Microsoft with access to relevant customer data during support scenarios. | [Customer Lockbox for Microsoft Azure](../security/fundamentals/customer-lockbox-overview.md) --**Network access security controls** --| Security control | Yes/No | Notes | Documentation | -|:-|:-|:-|:-| -| Service Tag | Yes | Use **AzureSpringCloud** service tag to define outbound network access controls on [network security groups](../virtual-network/network-security-groups-overview.md#security-rules) or [Azure Firewall](../firewall/service-tags.md), to allow traffic to applications in Azure Spring Apps. | [Service tags](../virtual-network/service-tags-overview.md) | --## Next steps --* [Quickstart: Deploy your first Spring Boot app in Azure Spring Apps](./quickstart.md) |
spring-apps | Connect Managed Identity To Azure Sql | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/connect-managed-identity-to-azure-sql.md | - Title: Use Managed identity to connect Azure SQL Database to an app deployed to Azure Spring Apps -description: Set up managed identity to connect Azure SQL to an app deployed to Azure Spring Apps. ---- Previously updated : 09/26/2022----# Use a managed identity to connect Azure SQL Database to an app deployed to Azure Spring Apps --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Java ✔️ C# --**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise --This article shows you how to create a managed identity for an app deployed to Azure Spring Apps and use it to access Azure SQL Database. --[Azure SQL Database](https://azure.microsoft.com/services/sql-database/) is the intelligent, scalable, relational database service built for the cloud. It’s always up to date, with AI-powered and automated features that optimize performance and durability. Serverless compute and Hyperscale storage options automatically scale resources on demand, so you can focus on building new applications without worrying about storage size or resource management. --## Prerequisites --* An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). -* [Azure CLI](/cli/azure/install-azure-cli) version 2.45.0 or higher. -* Follow the [Spring Data JPA tutorial](/azure/developer/java/spring-framework/configure-spring-data-jpa-with-azure-sql-server) to provision an Azure SQL Database and get it work with a Java app locally. -* Follow the [Azure Spring Apps system-assigned managed identity tutorial](./how-to-enable-system-assigned-managed-identity.md) to provision an app in Azure Spring Apps with managed identity enabled. --## Connect to Azure SQL Database with a managed identity --You can connect your application to an Azure SQL Database with a managed identity by following manual steps or using [Service Connector](../service-connector/overview.md). --### [Manual configuration](#tab/manual) --### Grant permission to the managed identity --Connect to your SQL server and run the following SQL query: --```sql -CREATE USER [<managed-identity-name>] FROM EXTERNAL PROVIDER; -ALTER ROLE db_datareader ADD MEMBER [<managed-identity-name>]; -ALTER ROLE db_datawriter ADD MEMBER [<managed-identity-name>]; -ALTER ROLE db_ddladmin ADD MEMBER [<managed-identity-name>]; -GO -``` --The value of the `<managed-identity-name>` placeholder follows the rule `<service-instance-name>/apps/<app-name>`; for example: `myspringcloud/apps/sqldemo`. You can also use the following command to query the managed identity name with Azure CLI: --```azurecli -az ad sp show --id <identity-object-ID> --query displayName -``` --### Configure your Java app to use a managed identity --Open the *src/main/resources/application.properties* file, then add `Authentication=ActiveDirectoryMSI;` at the end of the `spring.datasource.url` line, as shown in the following example. Be sure to use the correct value for the $AZ_DATABASE_NAME variable. --```properties -spring.datasource.url=jdbc:sqlserver://$AZ_DATABASE_NAME.database.windows.net:1433;database=demo;encrypt=true;trustServerCertificate=false;hostNameInCertificate=*.database.windows.net;loginTimeout=30;Authentication=ActiveDirectoryMSI; -``` --#### [Service Connector](#tab/service-connector) --> [!NOTE] -> Service Connectors are created at the deployment level. So, if another deployment is created, you need to create the connections again. --Configure your app deployed to Azure Spring Apps to connect to an Azure SQL Database with a system-assigned managed identity using the `az spring connection create` command, as shown in the following example. --1. Use the following command to install the Service Connector passwordless extension for the Azure CLI: -- ```azurecli - az extension add --name serviceconnector-passwordless --upgrade - ``` --1. Use the following command to connect to the database: -- ```azurecli - az spring connection create sql \ - --resource-group $SPRING_APP_RESOURCE_GROUP \ - --service $SPRING_APP_SERVICE_NAME \ - --app $APP_NAME \ - --deployment $DEPLOYMENT_NAME \ - --target-resource-group $SQL_RESOURCE_GROUP \ - --server $SQL_SERVER_NAME \ - --database $DATABASE_NAME \ - --system-identity - ``` --1. Use the following command to check the creation result: -- ```azurecli - export CONNECTION_NAME=$(az spring connection list \ - --resource-group $SPRING_APP_RESOURCE_GROUP \ - --service $SPRING_APP_SERVICE_NAME \ - --app $APP_NAME \ - --query '[0].name' \ - --output tsv) - - az spring connection list-configuration \ - --resource-group $SPRING_APP_RESOURCE_GROUP \ - --service $SPRING_APP_SERVICE_NAME \ - --app $APP_NAME \ - --connection $CONNECTION_NAME - ``` ----## Build and deploy the app to Azure Spring Apps --Rebuild the app and deploy it to the Azure Spring Apps provisioned in the second bullet point under Prerequisites. You now have a Spring Boot application authenticated by a managed identity that uses JPA to store and retrieve data from an Azure SQL Database in Azure Spring Apps. --## Next steps --* [How to access Storage blob with managed identity in Azure Spring Apps](https://github.com/Azure-Samples/azure-spring-apps-samples/tree/main/managed-identity-storage-blob) -* [How to enable system-assigned managed identity for applications in Azure Spring Apps](./how-to-enable-system-assigned-managed-identity.md) -* [What are managed identities for Azure resources?](/entra/identity/managed-identities-azure-resources/overview) -* [Authenticate Azure Spring Apps with Key Vault in GitHub Actions](./github-actions-key-vault.md) |
spring-apps | How To Custom Persistent Storage With Standard Consumption | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/consumption-dedicated/how-to-custom-persistent-storage-with-standard-consumption.md | + + Title: How to enable your own persistent storage in Azure Spring Apps with the Standard consumption and dedicated plan +description: Learn how to enable your own persistent storage in Azure Spring Apps. ++++ Last updated : 03/21/2023++++# How to enable your own persistent storage in Azure Spring Apps with the Standard consumption and dedicated plan ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Standard consumption and dedicated (Preview) ❌ Basic/Standard ❌ Enterprise ++This article describes how to enable your own persistent storage in Azure Spring Apps. ++Your own storage and the built-in persistent storage in Azure Spring Apps differ in the following ways: ++- In built-in storage, artifacts generated by your application get uploaded into Azure Storage accounts. In your own storage, artifacts generated by your application get uploaded into a storage account that you control. ++- In built-in storage, Microsoft Azure controls the encryption-at-rest and the lifetime management policies for those artifacts. In your own storage, you control the encryption-at-rest policy, the lifetime management policy, and network access. ++You can also mount your own persistent storage not only to Azure Spring Apps but to other service instances in the environment such as Azure Container Apps. This capability is possible because your Azure Spring Apps instance is deployed in the Azure Container Apps environment. ++## Prerequisites ++- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. +- [Azure CLI](/cli/azure/install-azure-cli) version 2.45.0 or higher. +- An Azure Spring Apps Standard consumption and dedicated plan service instance. For more information, see [Quickstart: Provision an Azure Spring Apps Standard consumption and dedicated plan service instance](quickstart-provision-standard-consumption-service-instance.md). +- A Spring app deployed to Azure Spring Apps. ++## Set up the environment ++Use the following commands to set the following variables to the names of your resources and current region setting. ++```bash +export RESOURCE_GROUP="<resource-group-name>" +export LOCATION="eastus" +export AZURE_CONTAINER_APPS_ENVIRONMENT="<Azure-Container-Apps-environment-name>" +export AZURE_SPRING_APPS_INSTANCE="<Azure-Spring-Apps-instance-name>" +export APP_NAME="<Spring-app-name>" +``` ++## Set up a storage account ++Use the following steps to create a storage account and establish a file share to mount to the Spring app. ++1. Create an Azure Storage account by using the following commands. The `STORAGE_ACCOUNT_NAME` variable includes a randomly generated suffix to ensure uniqueness. ++ ```azurecli + export STORAGE_ACCOUNT_NAME="myasastorageaccount$RANDOM" ++ az storage account create \ + --resource-group $RESOURCE_GROUP \ + --name $STORAGE_ACCOUNT_NAME \ + --location "$LOCATION" \ + --kind StorageV2 \ + --sku Standard_LRS \ + --query provisioningState \ + --enable-large-file-share + ``` ++ This command returns a success message upon successful completion. ++1. Create the Azure Storage file share by using the following commands: ++ ```azurecli + export FILE_SHARE_NAME="<file-share-name>" ++ az storage share-rm create \ + --resource-group $RESOURCE_GROUP \ + --storage-account $STORAGE_ACCOUNT_NAME \ + --name $FILE_SHARE_NAME \ + --quota 1024 \ + --enabled-protocols SMB \ + --output table + ``` ++1. Get the Storage Account key by using the following command: ++ ```azurecli + export STORAGE_ACCOUNT_KEY=$(az storage account keys list \ + --account-name $STORAGE_ACCOUNT_NAME \ + --query "[0].value" \ + --output tsv) + ``` ++ The storage account key is required to create the storage link in your Azure Container Apps environment. ++## Link the storage to the Azure Container Apps environment ++Create the storage link in the Azure Container Apps environment by using the following commands. The `az containerapp env storage set` command creates a link between the environment and the file share created with the `az storage share-rm` command. ++```azurecli +export STORAGE_MOUNT_NAME="<storage-account-name>" ++az containerapp env storage set \ + --resource-group $RESOURCE_GROUP \ + --name $AZURE_CONTAINER_APPS_ENVIRONMENT \ + --storage-name $STORAGE_MOUNT_NAME \ + --azure-file-account-name $STORAGE_ACCOUNT_NAME \ + --azure-file-account-key $STORAGE_ACCOUNT_KEY \ + --azure-file-share-name $FILE_SHARE_NAME \ + --access-mode ReadWrite \ + --output table +``` ++Now that the storage account and environment are linked, you can use the storage mount in your Azure Spring Apps instance. ++## Add storage to an app ++Add the persistent storage to your existing app by using the following command: ++```azurecli +az spring app append-persistent-storage \ + --resource-group $RESOURCE_GROUP \ + --service $AZURE_SPRING_APPS_INSTANCE \ + --name $APP_NAME \ + --persistent-storage-type AzureFileVolume \ + --mount-path /var/log/nginx \ + --storage-name $STORAGE_MOUNT_NAME +``` ++## Clean up resources ++Be sure to delete the resources you created in this article when you no longer need them. To delete the resources, just delete the resource group that contains them. You can delete the resource group using the Azure portal. Alternatively, to delete the resource group by using Azure CLI, use the following commands: ++```azurecli +echo "Enter the Resource Group name:" && +read resourceGroupName && +az group delete --name $resourceGroupName && +echo "Press [ENTER] to continue ..." +``` ++## Next steps ++- [Customer responsibilities for Azure Spring Apps Standard consumption and dedicated plan in a virtual network](./standard-consumption-customer-responsibilities.md) |
spring-apps | Quickstart Access Standard Consumption Within Virtual Network | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/consumption-dedicated/quickstart-access-standard-consumption-within-virtual-network.md | + + Title: Quickstart - Access applications using Azure Spring Apps Standard consumption and dedicated plan in a virtual network +description: Learn how to access applications in a virtual network that are using the Azure Spring Apps Standard consumption and dedicated plan. ++++ Last updated : 06/21/2023++++# Quickstart: Access applications using Azure Spring Apps Standard consumption and dedicated plan in a virtual network ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Standard consumption and dedicated (Preview) ❌ Basic/Standard ❌ Enterprise ++This article describes how to access your application in a virtual network using Azure Spring Apps Standard consumption and dedicated plan. ++When you create an Azure Container Apps environment in an existing virtual network, you can access all the apps inside the environment only within that virtual network. In addition, when you create an instance of Azure Spring Apps inside the Azure Container Apps environment, you can access the applications in the Azure Spring Apps instance only from the virtual network. For more information, see [Provide a virtual network to an internal Azure Container Apps environments](../../container-apps/vnet-custom-internal.md?tabs=bash&pivots=azure-portal). ++## Create a private DNS zone ++Create a private DNS zone named as the default domain of the Azure Container Apps environment - `<UNIQUE_IDENTIFIER>.<REGION_NAME>.azurecontainerapps.io` - with an A record. ++Use the following command to get the default domain of Azure Container Apps environment. ++```azurecli +az containerapp env show \ + --resource-group <resource-group-name> \ + --name <Azure-Container-Apps-environment-name> \ + --query 'properties.defaultDomain' +``` ++Use the following command to create a Private DNS Zone for applications in the virtual network. ++```azurecli +az network private-dns zone create \ + --resource-group <resource-group-name> \ + --name <private-dns-zone-name> +``` ++## Create an A record ++Create an A record that contains the name `<DNS Suffix>` and the static IP address of the Azure Container Apps environment. ++Use the following command to get the static IP address for an Azure Container Apps environment. ++```azurecli +az containerapp env show \ + --resource-group <resource-group-name> \ + --name <Azure-Container-Apps-environment-name> \ + --query 'properties.staticIp' +``` ++Use the following command to create the A record: ++```azurecli +az network private-dns record-set a add-record \ + --resource-group <resource-group-name> \ + --zone-name <private-dns-zone-name> \ + --record-set-name '*' \ + --ipv4-address <static-ip> +``` ++## Link the virtual network ++Use the following command to create a virtual network link to the private DNS zone of the virtual network. ++```azurecli +az network private-dns link vnet create \ + --resource-group <resource-group-name> \ + --name <link-name> \ + --zone-name <private-dns-zone-name> \ + --virtual-network <virtual-network-name> \ + --registration-enabled false +``` ++## Access the application ++Now you can access an application in an Azure Spring Apps instance within your virtual network, using the URL of the application. ++## Clean up resources ++Be sure to delete the resources you created in this article when you no longer need them. To delete the resources, just delete the resource group that contains them. You can delete the resource group using the Azure portal. Alternatively, to delete the resource group by using Azure CLI, use the following commands: ++```azurecli +echo "Enter the Resource Group name:" && +read resourceGroupName && +az group delete --name $resourceGroupName && +echo "Press [ENTER] to continue ..." +``` ++## Next steps ++> [!div class="nextstepaction"] +> [Quickstart: Set up autoscale for applications in Azure Spring Apps Standard consumption and dedicated plan](./quickstart-apps-autoscale-standard-consumption.md) |
spring-apps | Quickstart Analyze Logs And Metrics Standard Consumption | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/consumption-dedicated/quickstart-analyze-logs-and-metrics-standard-consumption.md | + + Title: Quickstart - Analyze logs and metrics in the Azure Spring Apps Standard consumption and dedicated plan +description: Learn how to analyze logs and metrics in the Azure Spring Apps Standard consumption and dedicated plan. ++++ Last updated : 06/21/2023++++# Quickstart: Analyze logs and metrics in the Azure Spring Apps Standard consumption and dedicated plan ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Standard consumption and dedicated (Preview) ❌ Basic/Standard ❌ Enterprise ++This article shows you how to analyze logs and metrics in the Azure Spring Apps Standard consumption and dedicated plan. ++## Prerequisites ++- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin. +- An Azure Spring Apps Standard consumption and dedicated plan service instance. For more information, see [Quickstart: Provision an Azure Spring Apps Standard consumption and dedicated plan service instance](quickstart-provision-standard-consumption-service-instance.md). +- A Spring app deployed to Azure Spring Apps. ++## Analyze logs ++The following sections describe various tools in Azure that you can use to analyze your consumption and dedicated plan usage. ++### Configure logging options ++You can configure logging options in the Azure Container Apps environment where you deploy your Azure Spring Apps instance. You can choose between the following log destinations: ++- **Log Analytics** - Azure Monitor Log Analytics is the default storage and viewing option. Your logs are stored in a Log Analytics workspace where you can view and analyze them using Log Analytics queries. ++- **Azure Monitor** - Azure Monitor routes logs to one or more of the following destinations: ++ - A Log Analytics workspace for viewing and analysis. + - An Azure storage account to archive. + - An Azure event hub for data ingestion and analytic services. + - An Azure partner monitoring solution such as Datadog, Elastic, Logz.io, and others. ++- **None** - You can disable the storage of log data. ++You can enable logs in Azure Spring Apps in the following ways: ++- When you select **Log Analytics** as the logging option. +- When you select **Azure Monitor** as the logging option, with the **Spring App console logs** category selected in the **Diagnostic** setting. ++For more information, see [Log storage and monitoring options in Azure Container Apps](../../container-apps/log-options.md). ++### Query logs by using Log Analytics ++Log Analytics is a tool in the Azure portal that you can use to view and analyze log data. By using Log Analytics, you can write Kusto queries and then sort, filter, and visualize the results in charts to spot trends and identify issues. You can work interactively with the query results or use them with other features such as alerts, dashboards, and workbooks. ++The following sections describe various methods to view logs. ++#### Use logs ++Use the following steps to query log data. ++1. In the Azure portal, go to your Azure Spring Apps instance. +1. Select **Logs** from the navigation pane. +1. In the **New Query 1** settings, enter a query such as the following example: ++ ```sql + AppEnvSpringAppConsoleLogs_CL + | limit 50 + ``` ++1. Select **Run**. ++#### Use Log Analytics ++Use the following steps to perform analytics on log data. ++1. In the Azure portal, go to your Azure Spring Apps instance. +1. Select **Log Analytics** in the navigation pane. +1. Select the Log Analytics workspace where you chose to store the logs. +1. To open the **Log Search** pane, select **Logs**. +1. To view logs, in the **Tables** search box, enter a query such as the following example: ++ ```sql + AppEnvSpringAppConsoleLogs_CL + | limit 50 + ``` ++1. To view the search result, select **Run**. +1. You can search the logs of the specific application, deployment, or instance by setting a filter condition, as shown in the following example: ++ ```sql + AppEnvSpringAppConsoleLogs_CL + | where ContainerAppName_s == "YourAppName" and RevisionName_s has "YourDeploymentName" and ContainerGroupName_s == "YourInstanceName" + | limit 50 + ``` ++ > [!NOTE] + > `==` is case sensitive, but `=~` isn't. ++To learn more about the query language used in Log Analytics, see [Kusto Query Language (KQL) overview](/azure/data-explorer/kusto/query/). To query all your Log Analytics logs from a centralized client, see [Query data in Azure Monitor using Azure Data Explorer](/azure/data-explorer/query-monitor-data). ++## Analyze metrics ++Azure Monitor collects metric data from your Azure Spring Apps instance at regular intervals to help you gain insights into the performance and health of your Spring apps. ++To visualize the data, select **Metrics** in the navigation pane in your Azure Spring Apps instance. You can also retrieve raw metric data through the [Azure CLI](/cli/azure/monitor/metrics) and Azure [PowerShell cmdlets](/powershell/module/az.monitor/get-azmetric). ++### Available metrics ++Azure Spring Apps provides the metrics described in the following table: ++| Title | Description | Metric ID | Unit | +|--|--|-|--| +| CPU usage nanocores | CPU usage in nanocores (1,000,000,000 nanocores = 1 core) | `UsageNanoCores` | nanocores | +| Memory working set bytes | Working set memory used in bytes | `WorkingSetBytes` | bytes | +| Network in bytes | Network received bytes | `RxBytes` | bytes | +| Network out bytes | Network transmitted bytes | `TxBytes` | bytes | +| Requests | Requests processed | `Requests` | n/a | +| Restart count | Restart count of Spring App | `RestartCount` | n/a | ++### Use metrics explorer ++The Azure Monitor metrics explorer enables you to create charts from metric data to help you analyze your Azure Spring Apps resource and network usage over time. You can pin charts to a dashboard or in a shared workbook. ++1. Open the metrics explorer in the Azure portal by selecting **Metrics** in the navigation pane on the overview page of your Azure Spring Apps instance. To learn more about metrics explorer, see [Getting started with metrics explorer](../../azure-monitor/essentials/metrics-getting-started.md). ++1. Create a chart by selecting a metric in the **Metric** dropdown menu. You can modify the chart by changing the aggregation, adding more metrics, changing time ranges and intervals, adding filters, and applying splitting. ++#### Add filters ++Optionally, you can create filters to limit the data shown based on application name and instance name. Use the following steps to create a filter: ++1. Select **Add filter**. +1. Select **App** or **Instance** from the **Property** list. +1. Select values from the **Value** list. ++## Next steps ++> [!div class="nextstepaction"] +> [How to enable your own persistent storage in Azure Spring Apps with the Standard consumption and dedicated plan](./how-to-custom-persistent-storage-with-standard-consumption.md) |
spring-apps | Quickstart Apps Autoscale Standard Consumption | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/consumption-dedicated/quickstart-apps-autoscale-standard-consumption.md | + + Title: Quickstart - Set up autoscale for applications in Azure Spring Apps Standard consumption and dedicated plan +description: Learn how to set up autoscale for applications in Azure Spring Apps Standard consumption and dedicated plan. ++++ Last updated : 06/21/2023++++# Quickstart: Set up autoscale for applications in the Azure Spring Apps Standard consumption and dedicated plan ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Standard consumption and dedicated (Preview) ❌ Basic/Standard ❌ Enterprise ++This article describes how to set up autoscale rules for your applications in Azure Spring Apps Standard consumption and dedicated plan. The plan uses an Azure Container Apps environment to host your Spring applications, and provides the following management and support: ++- Manages automatic horizontal scaling through a set of declarative scaling rules. +- Supports all the scaling rules that Azure Container Apps supports. ++For more information, see [Azure Container Apps documentation](../../container-apps/index.yml). ++## Prerequisites ++- An Azure subscription. If you don't have an Azure subscription, see [Azure free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. +- An Azure Spring Apps Standard consumption and dedicated plan service instance. For more information, see [Quickstart: Provision an Azure Spring Apps Standard consumption and dedicated plan service instance](quickstart-provision-standard-consumption-service-instance.md). +- A Spring app deployed to Azure Spring Apps. ++## Scale definition ++Scaling is defined by the combination of limits and rules. ++- Limits are the minimum and maximum number of instances that your Spring allows. ++ | Scale limit | Default value | Min value | Max value | + |--||--|--| + | Minimum number of instances per deployment | 1 | 0 | 30 | + | Maximum number of instances per deployment | 10 | 1 | 30 | ++ By default, the minimum instance count of your Spring application is set to 1 to ensure that your deployment is always running. If you want to scale in to zero, you can set the minimum instance count to zero. ++- Rules are the criteria that the autoscaling abides by to add or remove instances. The scale rules include HTTP, TCP, and Custom rules as described in the [Scale rules](../../container-apps/scale-app.md#scale-rules) section of [Set scaling rules in Azure Container Apps](../../container-apps/scale-app.md). ++ If you define more than one scale rule, the autoscaling begins when the first condition of any rule is met. ++- The *polling interval* and *cooldown period* are two time spans that occur during autoscaling. + - The polling interval defines the time span between each polling action of real time data as defined by your rules. The polling interval is set to 30 seconds by default. + - The cooldown period applies only when scaling to zero - for example, to wait five minutes after the last time autoscaling checked the message queue and it was empty. ++## Set up autoscale settings ++You can set up autoscale settings for your application by using the Azure portal or Azure CLI. ++### [Azure portal](#tab/azure-portal) ++Use the following steps to define autoscale settings and rules. ++1. Sign in to the Azure portal. +1. Select **Azure Spring Apps** under **Azure services**. +1. In the **Name** column, select the Azure Spring Apps instance that you want to autoscale. +1. On the overview page for your Azure Spring Apps instance, select **Apps** in the navigation pane. +1. Select the application that you want to autoscale. +1. On the overview page for the selected app, select **Scale out** in the navigation pane. +1. On the **Scale out (Preview)** page, select the deployment you want to autoscale. +1. Set up the instance limits of your deployment. +1. Select **Add** to add your scale rules. +++### [Azure CLI](#tab/azure-cli) ++Use the following commands to create an application in Azure Spring Apps with an autoscaling rule, based on [Keda Azure Service Bus Scaler](https://keda.sh/docs/2.8/scalers/azure-service-bus/). ++```azurecli-interactive +az spring app create \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> \ + --name <app-name> \ + --secrets "connection-string-secret=<service-bus-connection-string>" \ + --scale-rule-name azure-servicebus-queue-rule \ + --scale-rule-type azure-servicebus \ + --scale-rule-metadata "queueName=my-queue" \ + "namespace=service-bus-namespace" \ + "messageCount=5" \ + --scale-rule-auth "connection=connection-string-secret" \ + --min-replicas 0 \ + --max-replicas 5 +``` ++The replicas count is adjusted automatically according to the count of messages in Azure Service Bus Queue. When there are no messages in the queue, your application is scaled to 0 replica. When there are messages in the queue, the application is scaled out according to the message count. ++++## Custom scaling rules ++For information on defining custom rules, see [Keda scalers](https://keda.sh/docs/2.9/scalers/). The following sections show two examples of setting scale rules on MySQL and Cron. ++### Set up auto scaling rules on MySQL database ++The following CLI commands show you how to autoscale your Spring application based on [Keda MySQL Scaler](https://keda.sh/docs/2.8/scalers/mysql/). First, create a secret to store your SQL connection string. This secret is used for your scale rule authentication. Then, set up a rule which scales the app based on the rows count of a table. ++```azurecli-interactive +az spring app update \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> \ + --name <app-name> \ + --secrets mysqlconnectionstring="<username>:<pwd>@tcp(<server name>:3306)/<database name>" ++az spring app scale \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> \ + --name <app-name> \ + --scale-rule-type mysql \ + --scale-rule-name <your rule name> \ + --scale-rule-auth "connectionString=mysqlconnectionstring" \ + --scale-rule-metadata queryValue=4 query="SELECT count(*) FROM mytable" \ + --min-replicas 0 \ + --max-replicas 3 +``` ++### Create a rule based on Linux cron ++The following commands show you how to set up a rule based on [Keda Cron Scaler](https://keda.sh/docs/2.8/scalers/cron/). The replicas are scaled to the desired number during the cron time interval. ++```azurecli-interactive +az spring app scale \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> \ + --name <app-name> \ + --scale-rule-type cron \ + --scale-rule-name testscalerule \ + --scale-rule-metadata timezone="Asia/Shanghai" \ + start="10 * * * *" \ + end="15 * * * *" \ + desiredReplicas="3" \ + --min-replicas 0 \ + --max-replicas 3 +``` ++## Scaling events ++You can find the scaling events from the system logs of your underlying container app, and filter the EventSource by using `KEDA`, as shown in the following example: ++```sql +ContainerAppSystemLogs_CL +| where ContainerAppName_s == 'YourAppName' and EventSource_s == 'KEDA' +``` ++## Clean up resources ++Be sure to delete the resources you created in this article when you no longer need them. To delete the resources, just delete the resource group that contains them. You can delete the resource group using the Azure portal. Alternately, to delete the resource group by using Azure CLI, use the following commands: ++```azurecli +echo "Enter the Resource Group name:" && +read resourceGroupName && +az group delete --name $resourceGroupName && +echo "Press [ENTER] to continue ..." +``` ++## Next steps ++> [!div class="nextstepaction"] +> [Map a custom domain to Azure Spring Apps with the Standard consumption and dedicated plan](./quickstart-standard-consumption-custom-domain.md) |
spring-apps | Quickstart Provision Standard Consumption App Environment With Virtual Network | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/consumption-dedicated/quickstart-provision-standard-consumption-app-environment-with-virtual-network.md | + + Title: Quickstart - Create an Azure Spring Apps Standard consumption and dedicated plan instance in an Azure Container Apps environment with a virtual network +description: Learn how to create an Azure Spring Apps instance in an Azure Container Apps environment with a virtual network. ++++ Last updated : 06/21/2023++++# Quickstart: Create an Azure Spring Apps Standard consumption and dedicated plan instance in an Azure Container Apps environment with a virtual network ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Standard consumption and dedicated (Preview) ❌ Basic/Standard ❌ Enterprise ++This article describes how create an Azure Spring Apps instance in an Azure Container Apps environment with a virtual network. An Azure Container Apps environment creates a secure boundary around a group of applications. Applications deployed to the same environment are deployed in the same virtual network and write logs to the same Log Analytics workspace. ++When you create an Azure Spring Apps instance in an Azure Container Apps environment, it shares the same virtual network with other services and resources in the same Azure Container Apps environment. ++All apps are in the same Azure Container Apps environment in the following scenarios: ++- When you deploy frontend apps as containers in Azure Container Apps. +- When you deploy Spring apps in the Azure Spring Apps Standard consumption and dedicated plan. ++You can also deploy your Azure Container Apps environment to an existing virtual network created by your IT team. This scenario simplifies the virtual network experience for running polyglot apps. ++> [!NOTE] +> You can use an existing virtual network that has a dedicated subnet with a CIDR range of `/23` or higher. ++## Prerequisites ++- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin. +- (Optional) [Azure CLI](/cli/azure/install-azure-cli) version 2.45.0 or higher. Use the following command to install the Azure Spring Apps extension: `az extension add --name spring` ++## Create an Azure Spring Apps instance in an Azure Container Apps environment ++Use the following steps to create an Azure Spring Apps instance in an Azure Container Apps environment with a virtual network. ++> [!IMPORTANT] +> The Consumption workload profile has a pay-as-you-go billing model, with no starting cost. You're billed for the dedicated workload profile based on the provisioned resources. For more information, see [Workload profiles in Consumption + Dedicated plan structure environments in Azure Container Apps (preview)](../../container-apps/workload-profiles-overview.md) and [Azure Spring Apps pricing](https://azure.microsoft.com/pricing/details/spring-apps/). ++### [Azure portal](#tab/Azure-portal) ++1. Open the [Azure portal](https://portal.azure.com/). ++1. In the search box, search for *Azure Spring Apps*, and then select **Azure Spring Apps** in the results. ++ :::image type="content" source="media/quickstart-provision-standard-consumption-app-environment-with-virtual-network/azure-spring-apps-start.png" alt-text="Screenshot of the Azure portal showing Azure Spring Apps in search results, with Azure Spring Apps highlighted in the search bar and in the results." lightbox="media/quickstart-provision-standard-consumption-app-environment-with-virtual-network/azure-spring-apps-start.png"::: ++1. On the Azure Spring Apps page, select **Create**. ++ :::image type="content" source="media/quickstart-provision-standard-consumption-app-environment-with-virtual-network/azure-spring-apps-create.png" alt-text="Screenshot of the Azure portal showing the Azure Spring Apps page with the Create button highlighted." lightbox="media/quickstart-provision-standard-consumption-app-environment-with-virtual-network/azure-spring-apps-create.png"::: ++1. Fill out the **Basics** form on the Azure Spring Apps **Create** page using the following guidelines: ++ - **Project Details**: ++ - **Subscription**: Select the subscription you want to be billed for this resource. + - **Resource group**: Select an existing resource group or create a new one. ++ - **Service Details**: ++ - **Name**: Create the name for the Azure Spring Apps instance. The name must be between 4 and 32 characters long and can contain only lowercase letters, numbers, and hyphens. The first character of the service name must be a letter and the last character must be either a letter or a number. + - **Location**: Currently, only the following regions are supported: Australia East, Central US, East US, East US 2, West Europe, East Asia, North Europe, South Central US, UK South, West US 3. ++ - **Plan**: Select **Standard Consumption and dedicated** for the **Pricing tier** option. ++ - **App Environment**: ++ - Select **Create new** to create a new Azure Container Apps environment or select an existing environment from the dropdown menu. ++ :::image type="content" source="media/quickstart-provision-standard-consumption-app-environment-with-virtual-network/select-azure-container-apps-environment.png" alt-text="Screenshot of the Azure portal showing the Create Container Apps environment page with Consumption and Dedicated workload profiles selected for the plan." lightbox="media/quickstart-provision-standard-consumption-app-environment-with-virtual-network/select-azure-container-apps-environment.png"::: ++1. Fill out the **Basics** form on the **Create Container Apps environment** page. Use the default value `asa-standard-consumption-app-env` for the **Environment name** and choose **Consumption and Dedicated workload profiles** for the **Plan**. ++ :::image type="content" source="media/quickstart-provision-standard-consumption-app-environment-with-virtual-network/create-azure-container-apps-environment.png" alt-text="Screenshot of the Azure portal showing the Create Container Apps environment page with the Basics tab selected." lightbox="media/quickstart-provision-standard-consumption-app-environment-with-virtual-network/create-azure-container-apps-environment.png"::: ++1. At this point, you've created an Azure Container Apps environment with a default standard consumption workload profile. If you wish to add a dedicated workload profile to the same Azure Container Apps environment, you can select the **Workload profiles** tab and then select **Add workload profile**. ++ :::image type="content" source="media/quickstart-provision-standard-consumption-app-environment-with-virtual-network/create-workload-profiles.png" alt-text="Screenshot of the Azure portal showing the Create Workload Profiles tab." lightbox="media/quickstart-provision-standard-consumption-app-environment-with-virtual-network/create-workload-profiles.png"::: ++1. Select **Networking** and then specify the settings using the following guidelines: ++ - For **Use your own virtual network**, select **Yes**. + - Select the names for **Virtual network** and for **Infrastructure subnet** from the dropdown menus or use **Create new** as needed. + - Set **Virtual IP** to **External**. You can set the value to **Internal** if you prefer to use only internal IP addresses available in the virtual network instead of a public static IP. ++ :::image type="content" source="media/quickstart-provision-standard-consumption-app-environment-with-virtual-network/create-azure-container-apps-environment-virtual-network.png" alt-text="Screenshot of the Azure portal showing the Create Container Apps environment page with the Networking tab selected." lightbox="media/quickstart-provision-standard-consumption-app-environment-with-virtual-network/create-azure-container-apps-environment-virtual-network.png"::: ++ >[!NOTE] + > The subnet associated with an Azure Container Apps environment requires a CIDR prefix of `/23` or higher. ++1. Select **Create**. ++1. On the Azure Spring Apps **Create** page, select **Review and Create** to finish creating the Azure Spring Apps instance. ++### [Azure CLI](#tab/Azure-CLI) ++1. Use the following command to sign in to Azure: ++ ```azurecli + az login + ``` ++1. Use the following command to install the Azure Container Apps extension for the Azure CLI: ++ ```azurecli + az extension add --name containerapp --upgrade + ``` ++1. Use the following command to register the `Microsoft.App` namespace: ++ ```azurecli + az provider register --namespace Microsoft.App + ``` ++1. If you haven't previously used the Azure Monitor Log Analytics workspace, register the `Microsoft.OperationalInsights` provider by using the following command: ++ ```azurecli + az provider register --namespace Microsoft.OperationalInsights + ``` ++1. Use the following commands to create variables to store various values. If you're using an existing virtual network, specify the name of that network and its resource group. Otherwise, specify the name of a new virtual network and resource group to create. ++ ```bash + export RESOURCE_GROUP="<resource-group-name>" + export LOCATION="eastus" + export AZURE_CONTAINER_APPS_ENVIRONMENT="<Azure-Container-Apps-environment-name>" + export VNET_NAME="<virtual-network-name>" + ``` ++1. If you aren't using an existing virtual network, use the following commands to create an Azure virtual network and subnet to associate with the Azure Container Apps environment. The virtual network must have a subnet available for the environment deployment. ++ ```azurecli + az network vnet create \ + --resource-group $RESOURCE_GROUP \ + --name $VNET_NAME \ + --location $LOCATION \ + --address-prefix 10.0.0.0/16 ++ az network vnet subnet create \ + --resource-group $RESOURCE_GROUP \ + --vnet-name $VNET_NAME \ + --name $INFRASTRUCTURE_SUBNET \ + --address-prefixes 10.0.0.0/23 + ``` ++1. Use the following command to get the ID for the infrastructure subnet and store it in a variable: ++ ```azurecli + export INFRASTRUCTURE_SUBNET=$(az network vnet subnet show \ + --resource-group $RESOURCE_GROUP \ + --vnet-name $VNET_NAME \ + --name infrastructure-subnet \ + --query "id" \ + --output tsv \ + | tr -d '[:space:]') + ``` ++1. Use the following command to create the Azure Container Apps environment using the infrastructure subnet ID: ++ ```azurecli + az containerapp env create \ + --resource-group $RESOURCE_GROUP \ + --name $AZURE_CONTAINER_APPS_ENVIRONMENT \ + --location $LOCATION \ + --infrastructure-subnet-resource-id $INFRASTRUCTURE_SUBNET \ + --enable-workload-profiles + ``` ++ > [!NOTE] + > You can create an internal Azure Container Apps environment that doesn't use a public static IP, but instead uses only internal IP addresses available in the custom virtual network. For more information, see the [Create an environment](../../container-apps/vnet-custom-internal.md?tabs=bash&pivots=azure-cli#create-an-environment) section of [Provide a virtual network to an internal Azure Container Apps environment](../../container-apps/vnet-custom-internal.md?tabs=bash&pivots=azure-cli). ++ The following table describes the parameters used in the `containerapp env create` command. ++ | Parameter | Description | + |-|--| + | `name` | The name of the Azure Container Apps environment. | + | `resource-group` | The name of the resource group. | + | `location` | The Azure location where the environment is to deploy. | + | `infrastructure-subnet-resource-id` | The Resource ID of a subnet for infrastructure components and user application containers. | + | `internal-only` | (Optional) Sets the environment to use only internal IP addresses available in the custom virtual network instead of a public static IP. (Requires the infrastructure subnet resource ID.) | ++1. At this point, you've created an Azure Container Apps environment with a default standard consumption workload profile. You can also add a dedicated workload profile to the same Azure Container Apps environment with the following command: ++ ```azurecli + az containerapp env workload-profile set \ + --resource-group $RESOURCE_GROUP \ + --name $AZURE_CONTAINER_APPS_ENVIRONMENT + --workload-profile-name my-wlp \ + --workload-profile-type D4 \ + --min-nodes 1 \ + --max-nodes 2 + ``` ++++## Clean up resources ++Be sure to delete the resources you created in this article when you no longer need them. To delete the resources, just delete the resource group that contains them. You can delete the resource group using the Azure portal. Alternatively, to delete the resource group by using Azure CLI, use the following commands: ++```azurecli +echo "Enter the Resource Group name:" && +read resourceGroupName && +az group delete --name $resourceGroupName && +echo "Press [ENTER] to continue ..." +``` ++## Next steps ++> [!div class="nextstepaction"] +> [Access applications using Azure Spring Apps Standard consumption and dedicated plan in a virtual network](./quickstart-access-standard-consumption-within-virtual-network.md) |
spring-apps | Quickstart Provision Standard Consumption Service Instance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/consumption-dedicated/quickstart-provision-standard-consumption-service-instance.md | + + Title: Quickstart - Provision an Azure Spring Apps Standard consumption and dedicated plan service instance +description: Learn how to create a Standard consumption and dedicated plan in Azure Spring Apps for app deployment. ++++ Last updated : 06/21/2023++++# Quickstart: Provision an Azure Spring Apps Standard consumption and dedicated plan service instance ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Standard consumption and dedicated (Preview) ❌ Basic/Standard ❌ Enterprise ++This article describes how to create a Standard consumption and dedicated plan in Azure Spring Apps for application deployment. ++## Prerequisites ++- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin. +- (Optional) [Azure CLI](/cli/azure/install-azure-cli) version 2.45.0 or higher. Use the following command to install the Azure Spring Apps extension: `az extension add --name spring` ++## Provision a Standard consumption and dedicated plan instance ++You can use either the Azure portal or the Azure CLI to create a Standard consumption and dedicated plan. ++> [!IMPORTANT] +> The Consumption workload profile has a pay-as-you-go billing model, with no starting cost. You're billed for the dedicated workload profile based on the provisioned resources. For more information, see [Workload profiles in Consumption + Dedicated plan structure environments in Azure Container Apps (preview)](../../container-apps/workload-profiles-overview.md) and [Azure Spring Apps pricing](https://azure.microsoft.com/pricing/details/spring-apps/). ++### [Azure portal](#tab/Azure-portal) ++Use the following steps to create an instance of Azure Spring Apps using the Azure portal. ++1. Open the [Azure portal](https://portal.azure.com/). ++1. In the search box, search for *Azure Spring Apps*, and then select **Azure Spring Apps** from the results. ++ :::image type="content" source="media/quickstart-provision-standard-consumption-service-instance/azure-spring-apps-start.png" alt-text="Screenshot of the Azure portal showing the Azure Spring Apps service highlighted in the search results." lightbox="media/quickstart-provision-standard-consumption-service-instance/azure-spring-apps-start.png"::: ++1. On the Azure Spring Apps page, select **Create**. ++ :::image type="content" source="media/quickstart-provision-standard-consumption-service-instance/azure-spring-apps-create.png" alt-text="Screenshot of the Azure portal showing the Azure Spring Apps resource with the Create button highlighted." lightbox="media/quickstart-provision-standard-consumption-service-instance/azure-spring-apps-create.png"::: ++1. Fill out the **Basics** form on the Azure Spring Apps **Create** page using the following guidelines: ++ - **Project Details** ++ - **Subscription**: Select the subscription you want to be billed for this resource. + - **Resource group**: Select an existing resource group or create a new one. ++ - **Service Details** ++ - **Name**: Create the name for the Azure Spring Apps service instance. The name must be between 4 and 32 characters long and can contain only lowercase letters, numbers, and hyphens. The first character of the service name must be a letter and the last character must be either a letter or a number. + - **Location**: Currently, only the following regions are supported: Australia East, Central US, East US, East US 2, West Europe, East Asia, North Europe, South Central US, UK South, West US 3. + - **Plan**: Select **Standard Consumption and dedicated** for the **Pricing tier** option. ++ - **App Environment** ++ - Select **Create new** to create a new Azure Container Apps environment, or select an existing environment from the dropdown menu. ++ :::image type="content" source="media/quickstart-provision-standard-consumption-service-instance/select-azure-container-apps-environment.png" alt-text="Screenshot of the Azure portal showing the Azure Spring Apps Create page." lightbox="media/quickstart-provision-standard-consumption-service-instance/select-azure-container-apps-environment.png"::: ++1. Fill out the **Basics** form on the **Create Container Apps environment** page. Use the default value `asa-standard-consumption-app-env` for the **Environment name** and choose **Consumption and Dedicated workload profiles** for the **Plan**. ++ :::image type="content" source="media/quickstart-provision-standard-consumption-service-instance/create-azure-container-apps-environment.png" alt-text="Screenshot of the Azure portal showing the Create Container Apps environment page with the Consumption and Dedicated workload profiles selected for the plan." lightbox="media/quickstart-provision-standard-consumption-service-instance/create-azure-container-apps-environment.png"::: ++1. At this point, you've created an Azure Container Apps environment with a default standard consumption workload profile. If you wish to add a dedicated workload profile to the same Azure Container Apps environment, you can select the **Workload profiles** tab and select **Add workload profile**. ++ :::image type="content" source="media/quickstart-provision-standard-consumption-service-instance/create-workload-profiles.png" alt-text="Screenshot of the Azure portal showing the Create Workload Profiles tab." lightbox="media/quickstart-provision-standard-consumption-service-instance/create-workload-profiles.png"::: ++1. Select **Review and create**. ++1. On the Azure Spring Apps **Create** page, select **Review and Create** to finish creating the Azure Spring Apps instance. ++>[!NOTE] +> Optionally, you can also create an Azure Container Apps environment with your own virtual network. For more information, see [Quickstart: Create an Azure Spring Apps instance in an Azure Container Apps environment with a virtual network](quickstart-provision-standard-consumption-app-environment-with-virtual-network.md). ++### [Azure CLI](#tab/Azure-CLI) ++The following sections show you how to create an instance of Azure Spring Apps using the Azure CLI. ++## Create an Azure Container Apps environment ++An Azure Container Apps environment creates a secure boundary around a group of applications. Apps deployed to the same environment are deployed in the same virtual network and write logs to the same Log Analytics workspace. ++You can create the Azure Container Apps environment in one of two ways: ++- Using your own virtual network. For more information, see [Quickstart: Create an Azure Spring Apps instance in an Azure Container Apps environment with a virtual network](quickstart-provision-standard-consumption-app-environment-with-virtual-network.md). ++- Using a system assigned virtual network, as described in the following procedure. ++1. Use the following command to sign in to Azure: ++ ```azurecli + az login + ``` ++1. Use the following command to install the Azure Container Apps extension for the Azure CLI: ++ ```azurecli + az extension add --name containerapp --upgrade + ``` ++1. Use the following command to register the `Microsoft.App` namespace: ++ ```azurecli + az provider register --namespace Microsoft.App + ``` ++1. If you haven't previously used the Azure Monitor Log Analytics workspace, register the `Microsoft.OperationalInsights` provider by using the following command: ++ ```azurecli + az provider register --namespace Microsoft.OperationalInsights + ``` ++1. Use the following commands to create variables to store name and location information. Be sure to replace the placeholder values with your own values. ++ ```bash + export RESOURCE_GROUP="<resource-group-name>" + export LOCATION="eastus" + export AZURE_CONTAINER_APPS_ENVIRONMENT="<Azure-Container-Apps-environment-name>" + ``` ++1. Use the following command to create a resource group: ++ ```azurecli + az group create \ + --name $RESOURCE_GROUP \ + --location $LOCATION + ``` ++1. Use the following command to create the Azure Container Apps environment: ++ ```azurecli + az containerapp env create \ + --resource-group $RESOURCE_GROUP \ + --name $AZURE_CONTAINER_APPS_ENVIRONMENT \ + --location $LOCATION \ + --enable-workload-profiles + ``` ++1. At this point, you've created an Azure Container Apps environment with a default standard consumption workload profile. You can also add a dedicated workload profile to the same Azure Container Apps environment by using the following command: ++ ```azurecli + az containerapp env workload-profile set \ + --resource-group $RESOURCE_GROUP \ + --name $AZURE_CONTAINER_APPS_ENVIRONMENT \ + --workload-profile-name my-wlp \ + --workload-profile-type D4 \ + --min-nodes 1 \ + --max-nodes 2 + ``` ++## Deploy an Azure Spring Apps instance ++Use the following steps to deploy the service instance: ++1. Use the following command to install the latest Azure CLI extension for Azure Spring Apps: ++ ```azurecli + az extension remove --name spring && \ + az extension add --name spring + ``` ++1. Use the following command to register the `Microsoft.AppPlatform` provider for the Azure Spring Apps: ++ ```azurecli + az provider register --namespace Microsoft.AppPlatform + ``` ++1. Use the following commands to create variables to store name and location information. You can skip the first three variables if you set them in the previous section. Be sure to replace the placeholder values with your own values. ++ ```azurecli + export RESOURCE_GROUP="<resource-group-name>" + export LOCATION="eastus" + export AZURE_CONTAINER_APPS_ENVIRONMENT="<Azure-Container-Apps-environment-name>" ++ export AZURE_SPRING_APPS_INSTANCE="<Azure-Spring-Apps-instance-name>" + export MANAGED_ENV_RESOURCE_ID=$(az containerapp env show \ + --resource-group $RESOURCE_GROUP \ + --name $AZURE_CONTAINER_APPS_ENVIRONMENT \ + --query id \ + --output tsv) + ``` ++1. Use the following command to deploy a Standard consumption and dedicated plan for an Azure Spring Apps instance on top of the container environment. Create your Azure Spring Apps instance by specifying the resource of the Azure Container Apps environment you created. ++ ```azurecli + az spring create \ + --resource-group $RESOURCE_GROUP \ + --name $AZURE_SPRING_APPS_INSTANCE \ + --managed-environment $MANAGED_ENV_RESOURCE_ID \ + --sku StandardGen2 \ + --location $LOCATION + ``` ++1. After the deployment, an infrastructure resource group is created in your subscription to host the underlying resources for the Azure Spring Apps Standard consumption and dedicated plan instance. The resource group is named `{AZURE_CONTAINER_APPS_ENVIRONMENT}_SpringApps_{SPRING_APPS_SERVICE_ID}`, as shown with the following command: ++ ```azurecli + export SERVICE_ID=$(az spring show \ + --resource-group $RESOURCE_GROUP \ + --name $AZURE_SPRING_APPS_INSTANCE \ + --query properties.serviceId \ + --output tsv) + export INFRA_RESOURCE_GROUP=${AZURE_CONTAINER_APPS_ENVIRONMENT}_SpringApps_${SERVICE_ID} + echo ${INFRA_RESOURCE_GROUP} + ``` ++++## Clean up resources ++Be sure to delete the resources you created in this article when you no longer need them. To delete the resources, just delete the resource group that contains them. You can delete the resource group using the Azure portal. Alternatively, to delete the resource group by using Azure CLI, use the following commands: ++```azurecli +echo "Enter the Resource Group name:" && +read resourceGroupName && +az group delete --name $resourceGroupName && +echo "Press [ENTER] to continue ..." +``` ++## Next steps ++> [!div class="nextstepaction"] +> [Create an Azure Spring Apps Standard consumption and dedicated plan instance in an Azure Container Apps environment with a virtual network](./quickstart-provision-standard-consumption-app-environment-with-virtual-network.md) |
spring-apps | Quickstart Standard Consumption Config Server | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/consumption-dedicated/quickstart-standard-consumption-config-server.md | + + Title: Quickstart - Enable and disable Cloud Config Server in Azure Spring Apps +description: Learn how to enable and disable Spring Cloud Config Server in Azure Spring Apps. ++++ Last updated : 06/21/2023++++# Quickstart: Enable and disable Spring Cloud Config Server in Azure Spring Apps ++**This article applies to:** ✔️ Standard consumption and dedicated (Preview) ❌ Basic/Standard ❌ Enterprise ++This article describes how to enable and disable Spring Cloud Config Server for service registration and discovery in Azure Spring Apps. +Spring Cloud Config Server is a centralized configuration service for distributed systems. Config Server uses a pluggable repository layer that currently supports local storage, Git, and Subversion. In this quickstart, you set up the Config Server to get data from a Git repository. ++## Prerequisites ++- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin. +- [Azure CLI](/cli/azure/install-azure-cli). Use the following command to install the Azure Spring Apps extension: `az extension add --name spring`. +- [Git](https://git-scm.com/downloads). +- The completion of [Quickstart: Provision an Azure Spring Apps Standard consumption and dedicated plan service instance](./quickstart-provision-standard-consumption-service-instance.md). ++## Set up Config Server ++Use the following command to set up Config Server with the project specified by the `--uri` parameter. This example uses the Git repository for Azure Spring Apps as an example project. ++```azurecli +az spring config-server git set \ + --name <Azure-Spring-Apps-instance-name> \ + --uri https://github.com/Azure-Samples/azure-spring-apps-samples \ + --search-paths steeltoe-sample/config +``` ++> [!TIP] +> For information on using a private repository for Config Server, see [Configure a managed Spring Cloud Config Server in Azure Spring Apps](../basic-standard/how-to-config-server.md?toc=/azure/spring-apps/consumption-dedicated/toc.json&bc=/azure/spring-apps/consumption-dedicated/breadcrumb/toc.json). ++## Enable Config Server ++Use the following command to enable Config Server: ++```azurecli +az spring config-server enable \ + --resource-group <resource-group-name> \ + --name <Azure-Spring-Apps-instance-name> +``` ++## Disable Config Server ++Use the following command to disable Config Server: ++```azurecli +az spring config-server disable \ + --resource-group <resource-group-name> \ + --name <Azure-Spring-Apps-instance-name> +``` ++## Next steps ++- [Enable and disable Eureka Server in Azure Spring Apps](quickstart-standard-consumption-eureka-server.md) |
spring-apps | Quickstart Standard Consumption Custom Domain | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/consumption-dedicated/quickstart-standard-consumption-custom-domain.md | + + Title: Quickstart - Map a custom domain to Azure Spring Apps with the Standard consumption and dedicated plan +description: Learn how to map a web domain to apps in Azure Spring Apps. ++++ Last updated : 06/21/2023++++# Quickstart: Map a custom domain to Azure Spring Apps with the Standard consumption and dedicated plan ++**This article applies to:** ✔️ Standard consumption and dedicated (Preview) ❌ Basic/Standard ❌ Enterprise ++ This article shows you how to map a custom web site domain, such as `https://www.contoso.com`, to your app in Azure Spring Apps. This mapping is accomplished by using a `CNAME` record that the Domain Name Service (DNS) uses to store node names throughout the network. ++The mapping secures the custom domain with a certificate and enforces Transport Layer Security (TLS), also known as the Secure Sockets Layer (SSL). ++## Prerequisites ++- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin. +- [Azure CLI](/cli/azure/install-azure-cli) +- An Azure Spring Apps Standard consumption and dedicated plan service instance. For more information, see [Quickstart: Provision an Azure Spring Apps Standard consumption and dedicated plan service instance](quickstart-provision-standard-consumption-service-instance.md). +- A Spring app deployed to Azure Spring Apps. +- A domain name registered in the DNS registry as provided by a web hosting or domain provider. +- A certificate resource created under an Azure Container Apps environment. For more information, see [Add certificate in Container App](../../container-apps/custom-domains-certificates.md). ++## Map a custom domain ++To map the custom domain, you create the CNAME record and then use the Azure CLI to bind the domain to an app in Azure Spring Apps. ++First, use the following steps to create the `CNAME` record: ++1. Contact your DNS provider to request a `CNAME` record to map your domain to the Full Qualified Domain Name (FQDN) of your Spring app. ++1. Add a `TXT` record with the name `asuid.{subdomain}` with the value being the verification ID of your Azure Container Apps environment. You can obtain this value by using the following command. ++ ```azurecli + az containerapp env show \ + --resource-group <resource-group-name> \ + --name <Azure-Container-Apps-environment-name> \ + --query 'properties.customDomainConfiguration.customDomainVerificationId' + ``` ++ After you add the `CNAME` and `TXT` record, the DNS records page will resemble the following table. ++ | Name | Type | Value | + |||--| + | `{subdomain}` | `CNAME` | `testapp.agreeablewater-4c8480b3.eastus.azurecontainerapps.io` | + | `asuid.{subdomain}` | `A` | `6K861CL04CATKUCFF604024064D57PB52F5DF7B67BC3033BA9808BDA8998U270` | ++1. Next, bind the custom domain to your app by using the following command. ++ ```azurecli + az spring app custom-domain bind \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> \ + --app <app-name> \ + --domain-name <your-custom-domain-name> \ + --certificate <name-of-your-certificate-under-Azure-Container-Apps-environment> + ``` ++## Clean up resources ++Be sure to delete the resources you created in this article when you no longer need them. To delete the resources, just delete the resource group that contains them. You can delete the resource group using the Azure portal. Alternatively, to delete the resource group by using Azure CLI, use the following commands: ++```azurecli +echo "Enter the Resource Group name:" && +read resourceGroupName && +az group delete --name $resourceGroupName && +echo "Press [ENTER] to continue ..." +``` ++## Next steps ++> [!div class="nextstepaction"] +> [Analyze logs and metrics in the Azure Spring Apps Standard consumption and dedicated plan](./quickstart-analyze-logs-and-metrics-standard-consumption.md) |
spring-apps | Quickstart Standard Consumption Eureka Server | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/consumption-dedicated/quickstart-standard-consumption-eureka-server.md | + + Title: Quickstart - Enable and disable Eureka Server in Azure Spring Apps +description: Learn how to enable and disable Eureka Server in Azure Spring Apps. ++++ Last updated : 06/21/2023++++# Quickstart: Enable and disable Eureka Server in Azure Spring Apps ++**This article applies to:** ✔️ Standard consumption and dedicated (Preview) ❌ Basic/Standard ❌ Enterprise ++This article describes how to enable and disable Eureka Server for service registration and discovery in Azure Spring Apps. Service registration and discovery are key requirements for maintaining a list of live app instances to call, and for routing and load balancing inbound requests. Configuring each client manually takes time and introduces the possibility of human error. ++## Prerequisites ++- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin. +- [Azure CLI](/cli/azure/install-azure-cli). Use the following command to install the Azure Spring Apps extension: `az extension add --name spring`. +- [Git](https://git-scm.com/downloads). +- The completion of [Quickstart: Provision an Azure Spring Apps Standard consumption and dedicated plan service instance](./quickstart-provision-standard-consumption-service-instance.md). ++## Enable the Eureka Server ++Use the following command to enable Eureka server: ++```azurecli +az spring eureka-server enable \ + --resource-group <resource-group-name> \ + --name <Azure-Spring-Apps-instance-name> +``` ++## Disable the Eureka Server ++Use the following command to disable Eureka server: ++```azurecli +az spring eureka-server disable + --resource-group <resource-group-name> \ + --name <Azure-Spring-Apps-instance-name> +``` ++## Next steps ++> [!div class="nextstepaction"] +> [Discover and register your Spring Boot applications in Azure Spring Apps](../basic-standard/how-to-service-registration.md?toc=/azure/spring-apps/consumption-dedicated/toc.json&bc=/azure/spring-apps/consumption-dedicated/breadcrumb/toc.json) |
spring-apps | Standard Consumption Customer Responsibilities | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/consumption-dedicated/standard-consumption-customer-responsibilities.md | + + Title: Customer responsibilities for Azure Spring Apps Standard consumption and dedicated plan in a virtual network +description: Learn about the customer responsibilities for running an Azure Spring Apps Standard consumption and dedicated plan service instance in a virtual network. ++++ Last updated : 03/21/2023++++# Customer responsibilities for Azure Spring Apps Standard consumption and dedicated plan in a virtual network ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Standard consumption and dedicated (Preview) ❌ Basic/Standard ❌ Enterprise ++This article describes the customer responsibilities for running an Azure Spring Apps Standard consumption and dedicated plan service instance in a virtual network. ++Use Network Security Groups (NSGs) to configure virtual networks to conform to the settings required by Kubernetes. ++To control all inbound and outbound traffic for the Azure Container Apps environment, you can use NSGs to lock down a network with more restrictive rules than the default NSG rules. ++## NSG allow rules ++The following tables describe how to configure a collection of NSG allow rules. ++> [!NOTE] +> The subnet associated with a Azure Container Apps environment requires a CIDR prefix of `/23` or larger. ++### Outbound with ServiceTags ++| Protocol | Port | ServiceTag | Description | +|-|--|--|-| +| UDP | `1194` | `AzureCloud.<region>` | Required for internal Azure Kubernetes Service (AKS) secure connection between underlying nodes and the control plane. Replace `<region>` with the region where your container app is deployed. | +| TCP | `9000` | `AzureCloud.<region>` | Required for internal AKS secure connection between underlying nodes and the control plane. Replace `<region>` with the region where your container app is deployed. | +| TCP | `443` | `AzureMonitor` | Allows outbound calls to Azure Monitor. | +| TCP | `443` | `Azure Container Registry` | Enables the Azure Container Registry as described in [Virtual network service endpoints](../../virtual-network/virtual-network-service-endpoints-overview.md). | +| TCP | `443` | `MicrosoftContainerRegistry`| The service tag for container registry for Microsoft containers. | +| TCP | `443` | `AzureFrontDoor.FirstParty` | A dependency of the `MicrosoftContainerRegistry` service tag. | +| TCP | `443`, `445` | `Azure Files` | Enables Azure Storage as described in [Virtual network service endpoints](../../virtual-network/virtual-network-service-endpoints-overview.md). | ++### Outbound with wild card IP rules ++| Protocol | Port | IP | Description | +|-|--|-|| +| TCP | `443` | \* | Set all outbound traffic on port `443` to allow all fully qualified domain name (FQDN) based outbound dependencies that don't have a static IP. | +| UDP | `123` | \* | NTP server. | +| TCP | `5671` | \* | Container Apps control plane. | +| TCP | `5672` | \* | Container Apps control plane. | +| Any | \* | Infrastructure subnet address space | Allow communication between IPs in the infrastructure subnet. This address is passed as a parameter when you create an environment - for example, `10.0.0.0/21`. | ++### Outbound with FQDN requirements/application rules ++| Protocol | Port | FQDN | Description | +|-|-|-|--| +| TCP | `443` | `mcr.microsoft.com` | Microsoft Container Registry (MCR). | +| TCP | `443` | `*.cdn.mscr.io` | MCR storage backed by the Azure Content Delivery Network (CDN). | +| TCP | `443` | `*.data.mcr.microsoft.com` | MCR storage backed by the Azure CDN. | ++### Outbound with FQDN for third-party application performance management (optional) ++| Protocol | Port | FQDN | Description | +|-|-|-|-| +| TCP | `443/80` | `collector*.newrelic.com` | The required networks of New Relic application and performance monitoring (APM) agents from the US region. See APM Agents Networks. | +| TCP | `443/80` | `collector*.eu01.nr-data.net` | The required networks of New Relic APM agents from the EU region. See APM Agents Networks. | +| TCP | `443` | `*.live.dynatrace.com` | The required network of Dynatrace APM agents. | +| TCP | `443` | `*.live.ruxit.com` | The required network of Dynatrace APM agents. | +| TCP | `443/80` | `*.saas.appdynamics.com` | The required network of AppDynamics APM agents. See SaaS Domains and IP Ranges. | ++#### Considerations ++- If you're running HTTP servers, you might need to add ports `80` and `443`. +- Adding deny rules for some ports and protocols with lower priority than `65000` may cause service interruption and unexpected behavior. ++## Next steps ++- [Azure Spring Apps documentation](./index.yml) |
spring-apps | Cost Management | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/cost-management.md | - Title: Manage costs for Azure Spring Apps -description: Learn about how to manage costs in Azure Spring Apps. --- Previously updated : 03/28/2023-----# Manage costs for Azure Spring Apps --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Standard consumption and dedicated (Preview) ✔️ Basic/Standard ✔️ Enterprise --This article describes the cost-saving options and capabilities that Azure Spring Apps provides. --## Save more on the Enterprise plan --For the Enterprise plan, we now offer further discounts for longer commitments on both the Microsoft and VMware (by Broadcom) parts of the pricing. For more information, see [Azure Spring Apps pricing](https://azure.microsoft.com/pricing/details/spring-apps/). --For the Microsoft part of the pricing, the Enterprise plan currently has yearly discounted pricing options available. For more information, see [Maximizing Value: Streamlined Cloud Solutions with Prime Cost Savings for Spring Apps](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/maximizing-value-streamlined-cloud-solutions-with-prime-cost/ba-p/3904599). --For the VMware (by Broadcom) part of the pricing, the negotiable discount varies based on the number of years you sign up for. For more information, reach out to your sales representative. --## Monthly free grants --The first 50 vCPU hours and 100-GB hours of memory are free each month. For more information, see [Price Reduction - Azure Spring Apps does more, costs less!](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/price-reduction-azure-spring-apps-does-more-costs-less/ba-p/3614058) on the [Apps on Azure Blog](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/bg-p/AppsonAzureBlog). --## Start and stop instances --If you have Azure Spring Apps instances that don't need to run continuously, you can save costs by reducing the number of running instances. For more information, see [Start or stop your Azure Spring Apps service instance](how-to-start-stop-service.md). --## Scale and autoscale --You can manually scale computing capacities to accommodate a changing environment. For more information, see [Scale an application in Azure Spring Apps](how-to-scale-manual.md). --Autoscale reduces operating costs by terminating redundant resources when they're no longer needed. For more information, see [Set up autoscale for applications](how-to-setup-autoscale.md). --You can also set up autoscale rules for your applications in the Azure Spring Apps Standard consumption and dedicated plan. For more information, see [Quickstart: Set up autoscale for applications in the Azure Spring Apps Standard consumption and dedicated plan](quickstart-apps-autoscale-standard-consumption.md). --## Stop maintaining unused environments --If you set up several environments while developing a product, it's important to remove the environments that are no longer in use once the product is live. --## Remove unnecessary deployments --If you use strategies like blue-green deployment to reduce downtime, it can result in many idle deployments on staging slots, especially multiple app instances that aren't needed once newer versions are deployed to production. --## Avoid over allocating resources --Java users often reserve more processing power and memory than they really need. While it's fine to use large app instances during the initial months in production, you should adjust resource allocation based on usage data. --## Avoid unnecessary scaling --If you use more app instances than you need, you should adjust the number of instances based on real usage data. --## Streamline monitoring data collection --If you collect more logs, metrics, and traces than you can use or afford, you must determine what's necessary for troubleshooting, capacity planning, and monitoring production. For example, you can reduce the frequency of application performance monitoring or be more selective about which logs, metrics, and traces you send to data aggregation tools. --## Deactivate debug mode --If you forget to switch off debug mode for apps, a large amount of data is collected and sent to monitoring platforms. Forgetting to deactivate debug mode could be unnecessary and costly. --## Next steps --[Quickstart: Provision an Azure Spring Apps Standard consumption and dedicated plan service instance](quickstart-provision-standard-consumption-service-instance.md) |
spring-apps | Diagnostic Services | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/diagnostic-services.md | - Title: Analyze logs and metrics in Azure Spring Apps | Microsoft Docs -description: Learn how to analyze diagnostics data in Azure Spring Apps --- Previously updated : 01/06/2020-----# Analyze logs and metrics with diagnostics settings --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Java ✔️ C# --**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise --This article shows you how to analyze diagnostics data in Azure Spring Apps. --Using the diagnostics functionality of Azure Spring Apps, you can analyze logs and metrics with any of the following --* Use Azure Log Analytics. There is a delay when exporting logs to Log Analytics. -* Save logs to a storage account for auditing or manual inspection. You can specify the retention time (in days). -* Stream logs to your event hub for ingestion by a third-party service or custom analytics solution. --Choose the log category and metric category you want to monitor. --> [!TIP] -> If you just want to stream your logs, you can use the Azure CLI command [az spring app logs](/cli/azure/spring/app#az-spring-app-logs). --## Logs --| Log | Description | -||-| -| **ApplicationConsole** | Console log of all customer applications. | -| **SystemLogs** | The available `LogType` values are `ConfigServer`(Basic/Standard only), `ServiceRegistry`(all plans), `ApiPortal`(Enterprise plan only), `ApplicationConfigurationService`(Enterprise plan only), `SpringCloudGateway` (Enterprise plan only), and `SpringCloudGatewayOperator` (Enterprise plan only) | -| **IngressLogs** | [Ingress logs](#show-ingress-log-entries-containing-a-specific-host) of all customer's applications, only access logs. | -| **BuildLogs** | [Build logs](#show-build-log-entries-for-a-specific-app) of all customer's applications for each build stage. | --## Metrics --For a complete list of metrics, see the [User metrics options](./concept-metrics.md#user-metrics-options) section of [Metrics for Azure Spring Apps](concept-metrics.md). --To get started, enable one of these services to receive the data. To learn about configuring Log Analytics, see [Get started with Log Analytics in Azure Monitor](../azure-monitor/logs/log-analytics-tutorial.md). --## Configure diagnostics settings --1. In the Azure portal, go to your Azure Spring Apps instance. -1. Select **diagnostics settings** option, and then select **Add diagnostics setting**. -1. Enter a name for the setting, and then choose where you want to send the logs. You can select any combination of the following three options: - * **Archive to a storage account** - * **Stream to an event hub** - * **Send to Log Analytics** - * **Send to partner solution** --1. Choose which log category and metric category you want to monitor, and then specify the retention time (in days). The retention time applies only to the storage account. -1. Select **Save**. --> [!NOTE] -> There might be a gap of up to 15 minutes between when logs or metrics are emitted and when they appear in your storage account, your event hub, or Log Analytics. -> If the Azure Spring Apps instance is deleted or moved, the operation won't cascade to the **diagnostics settings** resources. The **diagnostics settings** resources have to be deleted manually before the operation against its parent, the Azure Spring Apps instance. Otherwise, if a new Azure Spring Apps instance is provisioned with the same resource ID as the deleted one, or if the Azure Spring Apps instance is moved back, the previous **diagnostics settings** resources continue extending it. --## View the logs and metrics --There are various methods to view logs and metrics as described under the following headings. --### Use the Logs blade --1. In the Azure portal, go to your Azure Spring Apps instance. -1. To open the **Log Search** pane, select **Logs**. -1. In the **Tables** search box - * To view logs, enter a simple query such as: -- ```sql - AppPlatformLogsforSpring - | limit 50 - ``` -- * To view metrics, enter a simple query such as: -- ```sql - AzureMetrics - | limit 50 - ``` --1. To view the search result, select **Run**. --### Use Log Analytics --1. In the Azure portal, in the left pane, select **Log Analytics**. -1. Select the Log Analytics workspace that you chose when you added your diagnostics settings. -1. To open the **Log Search** pane, select **Logs**. -1. In the **Tables** search box, - * to view logs, enter a simple query such as: -- ```sql - AppPlatformLogsforSpring - | limit 50 - ``` -- * to view metrics, enter a simple query such as: -- ```sql - AzureMetrics - | limit 50 - ``` --1. To view the search result, select **Run**. -1. You can search the logs of the specific application or instance by setting a filter condition: -- ```sql - AppPlatformLogsforSpring - | where ServiceName == "YourServiceName" and AppName == "YourAppName" and InstanceName == "YourInstanceName" - | limit 50 - ``` -- > [!NOTE] - > `==` is case sensitive, but `=~` is not. --To learn more about the query language that's used in Log Analytics, see [Azure Monitor log queries](/azure/data-explorer/kusto/query/). To query all your Log Analytics logs from a centralized client, check out [Azure Data Explorer](/azure/data-explorer/query-monitor-data). --### Use your storage account --1. In the Azure portal, find **Storage accounts** in left navigation panel or search box. -1. Select the storage account that you chose when you added your diagnostics settings. -1. To open the **Blob Container** pane, select **Blobs**. -1. To review application logs, search for a container called **insights-logs-applicationconsole**. -1. To review application metrics, search for a container called **insights-metrics-pt1m**. --To learn more about sending diagnostics information to a storage account, see [Store and view diagnostics data in Azure Storage](../storage/common/storage-introduction.md). --### Use your event hub --1. In the Azure portal, find **Event Hubs** in left navigation panel or search box. --1. Search for and select the event hub that you chose when you added your diagnostics settings. -1. To open the **Event Hub List** pane, select **Event Hubs**. -1. To review application logs, search for an event hub called **insights-logs-applicationconsole**. -1. To review application metrics, search for an event hub called **insights-metrics-pt1m**. --To learn more about sending diagnostics information to an event hub, see [Streaming Azure Diagnostics data in the hot path by using Event Hubs](../azure-monitor/agents/diagnostics-extension-stream-event-hubs.md). --## Analyze the logs --Azure Log Analytics is running with a Kusto engine so you can query your logs for analysis. For a quick introduction to querying logs by using Kusto, review the [Log Analytics tutorial](../azure-monitor/logs/log-analytics-tutorial.md). --Application logs provide critical information and verbose logs about your application's health, performance, and more. In the next sections are some simple queries to help you understand your application's current and past states. --### Show application logs from Azure Spring Apps --To review a list of application logs from Azure Spring Apps, sorted by time with the most recent logs shown first, run the following query: --```sql -AppPlatformLogsforSpring -| project TimeGenerated , ServiceName , AppName , InstanceName , Log -| sort by TimeGenerated desc -``` --### Show logs entries containing errors or exceptions --To review unsorted log entries that mention an error or exception, run the following query: --```sql -AppPlatformLogsforSpring -| project TimeGenerated , ServiceName , AppName , InstanceName , Log -| where Log contains "error" or Log contains "exception" -``` --Use this query to find errors, or modify the query terms to find specific error codes or exceptions. --### Show the number of errors and exceptions reported by your application over the last hour --To create a pie chart that displays the number of errors and exceptions logged by your application in the last hour, run the following query: --```sql -AppPlatformLogsforSpring -| where TimeGenerated > ago(1h) -| where Log contains "error" or Log contains "exception" -| summarize count_per_app = count() by AppName -| sort by count_per_app desc -| render piechart -``` --### Show ingress log entries containing a specific host --To review log entries that are generated by a specific host, run the following query: --```sql -AppPlatformIngressLogs -| where TimeGenerated > ago(1h) and Host == "ingress-asc.test.azuremicroservices.io" -| project TimeGenerated, RemoteIP, Host, Request, Status, BodyBytesSent, RequestTime, ReqId, RequestHeaders -| sort by TimeGenerated -``` --Use this query to find response `Status`, `RequestTime`, and other properties of this specific host's ingress logs. --### Show ingress log entries for a specific requestId --To review log entries for a specific `requestId` value *\<request_ID>*, run the following query: --```sql -AppPlatformIngressLogs -| where TimeGenerated > ago(1h) and ReqId == "<request_ID>" -| project TimeGenerated, RemoteIP, Host, Request, Status, BodyBytesSent, RequestTime, ReqId, RequestHeaders -| sort by TimeGenerated -``` --### Show build log entries for a specific app --To review log entries for a specific app during the build process, run the following query: --```sql -AppPlatformBuildLogs -| where TimeGenerated > ago(1h) and PodName contains "<app-name>" -| sort by TimeGenerated -``` --### Show build log entries for a specific app in a specific build stage --To review log entries for a specific app in a specific build stage, run the following query. Replace the *`<app-name>`* placeholder with your application name. Replace the *`<build-stage>`* placeholder with one of the following values, which represent the stages of the build process: `prepare`, `detect`, `restore`, `analyze`, `build`, `export`, or `completion`. --```sql -AppPlatformBuildLogs -| where TimeGenerated > ago(1h) and PodName contains "<app-name>" and ContainerName == "<build-stage>" -| sort by TimeGenerated -``` --### Show VMware Spring Cloud Gateway logs in the Enterprise plan --To review log entries for VMware Spring Cloud Gateway logs in the Enterprise plan, run the following query: --```sql -AppPlatformSystemLogs  -| where LogType == "SpringCloudGateway" -| project TimeGenerated , LogType, Level , ServiceName , Thread , Stack , Log , _ResourceId  -| limit 100 -``` --Another component, named Spring Cloud Gateway Operator, controls the lifecycle of Spring Cloud Gateway and routes. If you encounter any issues with the route not taking effect, check the logs for this component. To review log entries for VMware Spring Cloud Gateway Operator in the Enterprise plan, run the following query: --```sql -AppPlatformSystemLogs  -| where LogType == "SpringCloudGatewayOperator" -| project TimeGenerated , LogType, Level , ServiceName , Thread , Stack , Log , _ResourceId  -| limit 100 -``` --### Show Application Configuration Service for Tanzu logs in the Enterprise plan --To review log entries for Application Configuration Service for Tanzu logs in the Enterprise plan, run the following query: --```sql -AppPlatformSystemLogs  -| where LogType == "ApplicationConfigurationService" -| project TimeGenerated , LogType, Level , ServiceName , Thread , Stack , Log , _ResourceId  -| limit 100 -``` --### Show Tanzu Service Registry logs in the Enterprise plan --To review log entries for Tanzu Service Registry logs in the Enterprise plan, run the following query: --```sql -AppPlatformSystemLogs  -| where LogType == "ServiceRegistry" -| project TimeGenerated , LogType, Level , ServiceName , Thread , Stack , Log , _ResourceId  -| limit 100 -``` --### Show API portal for VMware Tanzu logs in the Enterprise plan --To review log entries for API portal for VMware Tanzu logs in the Enterprise plan, run the following query: --```sql -AppPlatformSystemLogs  -| where LogType == "ApiPortal" -| project TimeGenerated , LogType, Level , ServiceName , Thread , Stack , Log , _ResourceId  -| limit 100 -``` --### Learn more about querying application logs --Azure Monitor provides extensive support for querying application logs by using Log Analytics. To learn more about this service, see [Get started with log queries in Azure Monitor](../azure-monitor/logs/get-started-queries.md). For more information about building queries to analyze your application logs, see [Overview of log queries in Azure Monitor](../azure-monitor/logs/log-query-overview.md). --## Frequently asked questions (FAQ) --### How do I convert multi-line Java stack traces into a single line? --There is a workaround to convert your multi-line stack traces into a single line. You can modify the Java log output to reformat stack trace messages, replacing newline characters with a token. If you use Java Logback library, you can reformat stack trace messages by adding `%replace(%ex){'[\r\n]+', '\\n'}%nopex` as follows: --```xml -<configuration> - <appender name="CONSOLE" class="ch.qos.logback.core.ConsoleAppender"> - <encoder> - <pattern> - level: %level, message: "%logger{36}: %msg", exceptions: "%replace(%ex){'[\r\n]+', '\\n'}%nopex"%n - </pattern> - </encoder> - </appender> - <root level="INFO"> - <appender-ref ref="CONSOLE"/> - </root> -</configuration> -``` --You can then replace the token with newline characters in Log Analytics as below: --```sql -AppPlatformLogsforSpring -| extend Log = array_strcat(split(Log, '\\n'), '\n') -``` --You may be able to use the same strategy for other Java log libraries. --## Next steps --* [Quickstart: Deploy your first Spring Boot app in Azure Spring Apps](./quickstart.md) |
spring-apps | Access App Virtual Network | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/access-app-virtual-network.md | + + Title: Access an app in Azure Spring Apps in a virtual network +description: Shows how to access an app in Azure Spring Apps in a virtual network. ++++ Last updated : 11/30/2021++ms.devlang: azurecli +++# Access an app in Azure Spring Apps in a virtual network ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article explains how to access an endpoint for your application in a private network. ++When you assign an endpoint on an application in an Azure Spring Apps service instance deployed in your virtual network, the endpoint uses a private fully qualified domain name (FQDN). The domain is only accessible in the private network. Apps and services use the application endpoint. They include the *Test Endpoint* described in the [View apps and deployments](./how-to-staging-environment.md#view-apps-and-deployments) section of [Set up a staging environment in Azure Spring Apps](./how-to-staging-environment.md). *Log streaming*, described in [Stream Azure Spring Apps app logs in real-time](./how-to-log-streaming.md), also works only within the private network. ++## Prerequisites ++- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin. +- (Optional) [Azure CLI](/cli/azure/install-azure-cli) version 2.45.0 or higher. +- An existing application in an Azure Spring Apps service instance deployed to a virtual network. For more information, see [Deploy Azure Spring Apps in a virtual network](./how-to-deploy-in-azure-virtual-network.md). ++## Find the IP for your application ++### [Azure portal](#tab/azure-portal) ++Use the following steps to find the IP address for your application. ++1. Go to the Azure Spring Apps service **Networking** page. ++1. Select the **Vnet injection** tab. ++1. In the **General info** section, find **Endpoint** and copy the **IP Address** value. The example in the following screenshot uses the IP address `10.0.1.6`: ++ :::image type="content" source="media/access-app-virtual-network/find-ip-address.png" alt-text="Screenshot of the Azure portal that shows the Vnet injection Endpoint information." lightbox="media/access-app-virtual-network/find-ip-address.png"::: ++### [Azure CLI](#tab/azure-CLI) ++Use the following steps to initialize the local environment and find the IP address for your application. ++1. Use the following commands to define various environment variables. Be sure to replace the placeholders with your actual values. ++ ```azurecli + export SUBSCRIPTION='<subscription-ID>' + export RESOURCE_GROUP='<resource-group-name>' + export AZURE_SPRING_APPS_INSTANCE_NAME='<Azure-Spring-Apps-instance-name>' + export VIRTUAL_NETWORK_NAME='<Azure-Spring-Apps-virtual-network-name>' + export APP_NAME='<application-name>' + ``` ++1. Use the following commands to sign in to the Azure CLI and choose your active subscription: ++ ```azurecli + az login + az account set --subscription ${SUBSCRIPTION} + ``` ++1. Use the following commands to find the IP address for your application. ++ ```azurecli + export SERVICE_RUNTIME_RG=$(az spring show \ + --resource-group $RESOURCE_GROUP \ + --name $AZURE_SPRING_APPS_INSTANCE_NAME \ + --query "properties.networkProfile.serviceRuntimeNetworkResourceGroup" \ + --output tsv) + export IP_ADDRESS=$(az network lb frontend-ip list \ + --lb-name kubernetes-internal \ + --resource-group $SERVICE_RUNTIME_RG \ + --query "[0].privateIPAddress" \ + --output tsv) + echo $IP_ADDRESS + ``` ++++## Add a DNS for the IP ++If you have your own DNS solution for your virtual network, like Active Directory Domain Controller, Infoblox, or another, you need to point the domain `*.private.azuremicroservices.io` to the [IP address](#find-the-ip-for-your-application). Otherwise, use the following instructions to create an **Azure Private DNS Zone** in your subscription to translate/resolve the private fully qualified domain name (FQDN) to its IP address. ++> [!NOTE] +> If you're using Microsoft Azure operated by 21Vianet, be sure to replace `private.azuremicroservices.io` with `private.microservices.azure.cn` in this article. For more information, see the [Check Endpoints in Azure](/azure/china/resources-developer-guide#check-endpoints-in-azure) section of the [Azure China developer guide](/azure/china/resources-developer-guide). ++## Create a private DNS zone ++### [Azure portal](#tab/azure-portal) ++Use the following steps to create a private DNS zone for an application in the private network: ++1. Open the Azure portal. Using the search box, search for *Private DNS zones*. Select **Private DNS zones** from the search results. ++1. On the **Private DNS zones** page, select **Add**. ++1. Fill out the form on the **Create Private DNS zone** page. Enter *private.azuremicroservices.io* as the **Name** of the zone. ++1. Select **Review + Create**. ++1. Select **Create**. ++### [Azure CLI](#tab/azure-CLI) ++Use the following command to create the private DNS zone: ++```azurecli +az network private-dns zone create \ + --resource-group $RESOURCE_GROUP \ + --name private.azuremicroservices.io +``` ++++It might take a few minutes to create the zone. ++## Link the virtual network ++To link the private DNS zone to the virtual network, you need to create a virtual network link. ++### [Azure portal](#tab/azure-portal) ++Use the following steps to link the private DNS zone you created to the virtual network holding your Azure Spring Apps service: ++1. Select the private DNS zone resource you created - for example, **private.azuremicroservices.io**. ++1. Select **Virtual network links**, and then select **Add**. ++1. For **Link name**, enter *azure-spring-apps-dns-link*. ++1. For **Virtual network**, select the virtual network you created previously. ++ :::image type="content" source="media/access-app-virtual-network/add-virtual-network-link.png" alt-text="Screenshot of the Azure portal that shows the Add virtual network link page." lightbox="media/access-app-virtual-network/add-virtual-network-link.png"::: ++1. Select **OK**. ++### [Azure CLI](#tab/azure-CLI) ++Use the following command to link the private DNS zone you created to the virtual network holding your Azure Spring Apps service: ++```azurecli +az network private-dns link vnet create \ + --resource-group $RESOURCE_GROUP \ + --name azure-spring-apps-dns-link \ + --zone-name private.azuremicroservices.io \ + --virtual-network $VIRTUAL_NETWORK_NAME \ + --registration-enabled false +``` ++++## Create DNS record ++You must create an "A" type record in the private DNS zone. ++### [Azure portal](#tab/azure-portal) ++Use the following steps to use the private DNS zone to translate/resolve DNS. ++1. Select the private DNS zone resource you created - for example, **private.azuremicroservices.io**. ++1. Select **Record set**. ++1. In **Add record set**, enter or select the following information: ++ | Setting | Value | + ||| + | Name | Enter *\**. | + | Type | Select **A**. | + | TTL | Enter *1*. | + | TTL unit | Select **Hours**. | + | IP address | Enter the [IP address](#find-the-ip-for-your-application). The following screenshot uses the IP address *10.1.0.7*. | ++ :::image type="content" source="media/access-app-virtual-network/private-dns-zone-add-record.png" alt-text="Screenshot of the Azure portal that shows the Add record set page." lightbox="media/access-app-virtual-network/private-dns-zone-add-record.png"::: ++1. Select **OK**. ++### [Azure CLI](#tab/azure-CLI) ++Use the following commands to create the A record in your DNS zone: ++```azurecli +az network private-dns record-set a add-record \ + --resource-group $RESOURCE_GROUP \ + --zone-name private.azuremicroservices.io \ + --record-set-name '*' \ + --ipv4-address $IP_ADDRESS +``` ++++## Assign a private FQDN for your application ++You can assign a private FQDN for your application after you deploy Azure Spring Apps in a virtual network. For more information, see [Deploy Azure Spring Apps in a virtual network](./how-to-deploy-in-azure-virtual-network.md). ++### [Azure portal](#tab/azure-portal) ++Use the following steps to assign a private FQDN: ++1. Select the Azure Spring Apps service instance deployed in your virtual network, and open the **Apps** tab. ++1. Select the application to open the **Overview** page. ++1. Select **Assign Endpoint** to assign a private FQDN to your application. Assigning an FQDN can take a few minutes. ++ :::image type="content" source="media/access-app-virtual-network/assign-private-endpoint.png" alt-text="Screenshot of the Azure portal that shows the Overview page with Assign endpoint highlighted." lightbox="media/access-app-virtual-network/assign-private-endpoint.png"::: ++1. The assigned private FQDN (labeled **URL**) is now available. You can only access the URL within the private network, but not on the internet. ++### [Azure CLI](#tab/azure-CLI) ++Use the following command to assign an endpoint to your application: ++```azurecli +az spring app update \ + --resource-group $RESOURCE_GROUP \ + --name $APP_NAME \ + --service $AZURE_SPRING_APPS_INSTANCE_NAME \ + --assign-endpoint true +``` ++++## Access the application's private FQDN ++After the assignment, you can access the application's private FQDN in the private network. For example, you can create a jumpbox machine in the same virtual network or in a peered virtual network. Then, on that jumpbox or virtual machine, you can access the private FQDN. +++## Clean up resources ++If you plan to continue working with subsequent articles, you might want to leave these resources in place. When you no longer need them, delete the resource group, which deletes the resources in the resource group. To delete the resource group by using the Azure CLI, use the following command: ++```azurecli +az group delete --name $RESOURCE_GROUP +``` ++## Next steps ++- [Expose applications with end-to-end TLS in a virtual network](./expose-apps-gateway-end-to-end-tls.md) +- [Troubleshooting Azure Spring Apps in virtual networks](./troubleshooting-vnet.md) +- [Customer responsibilities for running Azure Spring Apps in a virtual network](./vnet-customer-responsibilities.md) |
spring-apps | Breaking Changes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/breaking-changes.md | + + Title: Azure Spring Apps API breaking changes +description: Describes the breaking changes introduced by the latest Azure Spring Apps stable API version. ++++ Last updated : 05/25/2022++++# Azure Spring Apps API breaking changes ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article describes breaking changes introduced into the Azure Spring Apps API. ++The Azure Spring Apps service releases the new stable API version 2022-04-01. The new API version introduces breaking changes based on the previous stable API version 2020-07-01. We suggest that you update your API calls to the new API version. ++## Previous API deprecation date ++The previous API version 2020-07-01 will not be supported starting April, 2025. ++## API breaking changes from 2020-07-01 to 2022-04-01 ++### Deprecate number value CPU and MemoryInGB in Deployments ++Deprecate field `properties.deploymentSettings.cpu` and `properties.deploymentSettings.memoryInGB` in the `Spring/Apps/Deployments` resource. Use `properties.deploymentSettings.resourceRequests.cpu` and `properties.deploymentSettings.resourceRequests.memory` instead. ++### RBAC role change for blue-green deployment ++Deprecate field `properties.activeDeploymentName` in the `Spring/Apps` resource. Use `POST/SUBSCRIPTIONS/RESOURCEGROUPS/PROVIDERS/MICROSOFT.APPPLATFORM/SPRING/APPS/SETACTIVEDEPLOYMENTS` for blue-green deployment. This action needs a separate RBAC role `spring/apps/setActiveDeployments/action` to perform. ++### Move options from different property bags for the Spring/Apps/Deployments resource ++- Deprecate `properties.createdTime`. Use `systemData.createdAt`. +- Deprecate `properties.deploymentSettings.jvmOptions`. Use `properties.source.jvmOptions`. +- Deprecate `properties.deploymentSettings.jvmOptions`. Use `properties.source.runtimeVersion`. +- Deprecate `properties.deploymentSettings.netCoreMainEntryPath`. Use `properties.source.netCoreMainEntryPath`. +- Deprecate `properties.appName`, which you can extract from `id`. ++## Updates in the Azure CLI extension ++### Add new RBAC role for blue-green deployment ++You need to add RBAC role `spring/apps/setActiveDeployments/action` to perform the following Azure CLI commands: ++```azurecli +az spring app set-deployment \ + --resource-group <resource-group-name> \ + --service <service-instance-name> \ + --name <app-name> \ + --deployment <deployment-name> +az spring app unset-deployment \ + --resource-group <resource-group-name> \ + --service <service-instance-name> \ + --name <app-name> +``` ++### Output updates ++If you're using the Azure CLI `spring-cloud` extension with a version lower than 3.0.0, and you want to upgrade the extension version or migrate to the `spring` extension, then you should take care of the following output updates. ++- `az spring app` command output: Remove `properties.activeDeploymentName`. Use `properties.activeDeployment.name` instead. +- `az spring app` command output: Remove `properties.createdTime`. Use `systemData.createdAt` instead. +- `az spring app` command output: Remove `properties.activeDeployment.properties.deploymentSettings.cpu`. Use `properties.activeDeployment.properties.deploymentSettings.resourceRequests.cpu` instead. +- `az spring app` command output: Remove `properties.activeDeployment.properties.deploymentSettings.memoryInGB`. Use `properties.activeDeployment.properties.deploymentSettings.resourceRequests.memory` instead. +- `az spring app` command output: Remove `properties.activeDeployment.properties.deploymentSettings.jvmOptions`. Use `properties.activeDeployment.properties.source.jvmOptions` instead. +- `az spring app` command output: Remove `properties.activeDeployment.properties.deploymentSettings.runtimeVersion`. Use `properties.activeDeployment.properties.source.runtimeVersion` instead. +- `az spring app` command output: Remove `properties.activeDeployment.properties.deploymentSettings.netCoreMainEntryPath`. Use `properties.activeDeployment.properties.source.netCoreMainEntryPath` instead. |
spring-apps | Concept App Customer Responsibilities | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/concept-app-customer-responsibilities.md | + + Title: Version support for Java, Spring Boot, and more ++description: This article describes the version support for Java, Spring Boot, and Spring Cloud, and the customer responsibilities when developing Azure Spring Apps. +++++ Last updated : 08/10/2023+++# Version support for Java, Spring Boot, and more ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Standard consumption and dedicated (Preview) ✔️ Basic/Standard ✔️ Enterprise ++This article describes the support policy for Java, Spring Boot, and Spring Cloud versions for all Azure Spring Apps plans, and versions of other SDKs and OS images for the Enterprise plan. ++Azure Spring Apps provides and maintains the SDKs and base OS images necessary to run your apps. To make sure your applications are compatible with such managed components, follow the version support policy for the components described in this article. ++## Version support for all plans ++The following sections describe the version support that applies to all plans. ++### Java runtime version ++You can choose any LTS Java version as the major version that's officially supported and receives regular updates. ++For more information, see [Java long-term support for Azure and Azure Stack](/azure/developer/java/fundamentals/java-support-on-azure). ++### Spring Boot and Spring Cloud versions ++You can choose any version of Spring Boot or Spring Cloud that's compatible with the Java version you installed. ++For new versions, Azure Spring Apps supports the latest Spring Boot or Spring Cloud major version starting 30 days after its release. The latest minor version is supported as soon as it's released. ++For old versions, Azure Spring Apps doesn't require you to upgrade Spring Boot or Spring Cloud to receive support. However, with the officially supported new versions, you can get the best experience with some of the managed components - for example, Config Server and Eureka Server for the Standard consumption and dedicated plan and the Standard plan, [Tanzu components](vmware-tanzu-components.md) for the Enterprise plan, and metric collection for all plans. ++For more information, see the official support timeline of [Spring Boot](https://spring.io/projects/spring-boot#support) and [Spring Cloud](https://spring.io/projects/spring-cloud#overview). The Enterprise plan provides commercial support for Spring Boot, while the other plans provide OSS support. ++## Version support for the Enterprise plan ++The following sections describe the version support that applies to the Enterprise plan. ++### Polyglot SDKs ++You can deploy polyglot applications to the Enterprise plan with source code. To enjoy the best stability, use SDKs with LTS versions that are officially supported. ++When you deploy your polyglot applications to the Enterprise plan, assign specific LTS versions for the SDKs. Otherwise, the default SDK version might change during the regular upgrades for builder components. For more information about deploying polyglot apps, see [How to deploy polyglot apps in the Azure Spring Apps Enterprise plan](how-to-enterprise-deploy-polyglot-apps.md). ++| Type | Support policy | +|--|-| +| Java | [Java support on Azure](/azure/developer/java/fundamentals/java-support-on-azure) | +| Tomcat | [Tomcat versions](https://tomcat.apache.org/whichversion.html) | +| .NET | [.NET and .NET core support policy](https://dotnet.microsoft.com/platform/support/policy/dotnet-core) | +| Python | [Status of Python versions](https://devguide.python.org/versions/) | +| Go | [Go release history](https://go.dev/doc/devel/release) | +| NodeJS | [Nodejs releases](https://nodejs.org/en/about/previous-releases/) | +| PHP | [PHP supported versions](https://www.php.net/supported-versions.php) | ++### Stack image support ++You can choose any stack image during builder configuration. We recommend using an LTS image that's officially supported. For more information, see [The Ubuntu lifecycle and release cadence](https://ubuntu.com/about/release-cycle#ubuntu). ++## Keep track of version upgrade ++Prepare early for the deprecation of any major component LTS version that your applications rely on. You'll receive notification from Microsoft one month prior to the end of support on Azure Spring Apps. ++For regular upgrades, you can find specific information in your activity log after the upgrade is complete. |
spring-apps | Concept App Status | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/concept-app-status.md | + + Title: App status in Azure Spring Apps +description: Learn the app status categories in Azure Spring Apps +++ Last updated : 03/30/2022+++++# App status in Azure Spring Apps ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Java ✔️ C# ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article shows you how to view app status for Azure Spring Apps. ++The Azure Spring Apps UI delivers information about the status of running applications. There's an **Apps** option for each resource group in a subscription that displays general status of application types. For each application type, there's a display of **Application instances**. ++## Apps status ++To view general status of an application type, select **Apps** in the left navigation pane of a resource group to display the following status information of the deployed app: ++* **Provisioning state**: Shows the deployment’s provisioning state. +* **Running instance**: Shows how many app instances are running and how many app instances you desire. If you stop the app, this column shows **stopped**. +* **Registered status**: Shows how many app instances are registered to Eureka and how many app instances you desire. If you stop the app, this column shows **stopped**. Eureka isn't applicable to the Enterprise plan. For more information if you're using the Enterprise plan, see [Use Service Registry](how-to-enterprise-service-registry.md). +++## Deployment status ++The deployment status shows the running state of the deployment. The status is reported as one of the following values: ++| Value | Definition | +||--| +| Running | The deployment SHOULD be running. | +| Stopped | The deployment SHOULD be stopped. | ++## Provisioning status ++The *deployment provisioning* status describes the state of operations of the deployment resource. This status shows the comparison between the functionality and the deployment definition. ++The provisioning state is accessible only from the CLI. It's reported as one of the following values: ++| Value | Definition | +|--|| +| Creating | The resource is creating and isn't ready. | +| Updating | The resource is updating and the functionality may be different from the deployment definition until the update is complete. | +| Succeeded | Successfully supplied resources and deploys the binary. The deployment's functionality is the same as the definition and all app instances are working. | +| Failed | Failed to achieve the *Succeeded* goal. | +| Deleting | The resource is being deleted which prevents operation, and the resource isn't available in this status. | ++## App instances status ++The *app instance* status represents every instance of the app. To view the status of a specific instance of a deployed app, select the **App instance** pane and then select the **App Instance Name** value for the app. The following status values will appear: ++* **Status**: Whether the instance is running or its current state +* **Discovery Status**: The registered status of the app instance in the Eureka server +++### App instance status ++The instance status is reported as one of the following values: ++| Value | Definition | +|-|| +| Starting | The binary is successfully deployed to the given instance. The instance booting the jar file may fail because the jar can't run properly. Azure Spring Apps will restart the app instance in 60 seconds if it detects that the app instance is still in the *Starting* state. | +| Running | The instance works. The instance can serve requests from inside Azure Spring Apps. | +| Failed | The app instance failed to start the user’s binary after several retries. The app instance may be in one of the following states:<br/>- The app may stay in the *Starting* status and never be ready for serving requests.<br/>- The app may boot up but crashed in a few seconds. | +| Terminating | The app instance is shutting down. The app may not serve requests and the app instance will be removed. | ++### App discovery status ++The discovery status of the instance is reported as one of the following values: ++| Value | Definition | +|-|| +| UP | The app instance is registered to Eureka and ready to receive traffic | +| OUT_OF_SERVICE | The app instance is registered to Eureka and able to receive traffic. but shuts down for traffic intentionally. | +| DOWN | The app instance is registered but not able to receive traffic. | +| UNREGISTERED | The app instance isn't registered to Eureka. | +| N/A | The app instance is running with custom container or service discovery is not enabled. | ++## App registration status ++The app registration status shows the state in service discovery. Azure Spring Apps uses Eureka for service discovery. For more information on how the Eureka client calculates the state, see [Eureka's health checks](https://cloud.spring.io/spring-cloud-static/Greenwich.RELEASE/multi/multi__service_discovery_eureka_clients.html#_eureka_s_health_checks). +## Next steps ++* [Prepare a Spring or Steeltoe application for deployment in Azure Spring Apps](how-to-prepare-app-deployment.md) |
spring-apps | Concept Manage Monitor App Spring Boot Actuator | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/concept-manage-monitor-app-spring-boot-actuator.md | + + Title: "Manage and monitor app with Spring Boot Actuator" +description: Learn how to manage and monitor app with Spring Boot Actuator. ++++ Last updated : 05/06/2022++++# Manage and monitor app with Spring Boot Actuator ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Java ❌ C# ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++After deploying new binary to your app, you may want to check the functionality and see information about your running application. This article explains how to access the API from a test endpoint provided by Azure Spring Apps and expose the production-ready features for your app. ++## Prerequisites ++This article assumes that you have a Spring Boot 2.x application that can be successfully deployed and booted on Azure Spring Apps service. See [Quickstart: Launch an existing application in Azure Spring Apps using the Azure portal](./quickstart.md) ++## Verify app through test endpoint ++1. Go to **Application dashboard** and select your app to enter the app overview page. ++1. In the **Overview** pane, you should see **Test Endpoint**. Access this endpoint from command line or browser and observe the API response. ++1. Note the **Test endpoint** URI that will be used in the coming section. ++>[!TIP] +> * If the app returns a front-end page and references other files through relative path, confirm that your test endpoint ends with a slash (/). This will ensure that the CSS file is loaded correctly. +> * If you view your API from a brower and your browser requires you to enter login credentials to view the page, use [URL decode](https://www.urldecoder.org/) to decode your test endpoint. URL decode returns a URL in the form "https://\<username>:\<password>@\<cluster-name>.test.azuremicroservices.io/\<app-name>/\<deployment-name>". Use this form to access your endpoint. ++## Add actuator dependency ++To add the actuator to a Maven-based project, add the 'Starter' dependency: ++```xml +<dependencies> + <dependency> + <groupId>org.springframework.boot</groupId> + <artifactId>spring-boot-starter-actuator</artifactId> + </dependency> +</dependencies> +``` ++Compile the new binary and deploy it to your app. ++## Enable production-ready features ++Actuator endpoints let you monitor and interact with your application. By default, Spring Boot application exposes `health` and `info` endpoints to show arbitrary application info and health information. ++To observe the configuration and configurable environment, we need to enable `env` and `configgrops` endpoints as well. ++1. Go to app **Overview** pane, select **Configuration** in the setting menu, go to the **Environment variables** configuration page. +1. Add the following properties as in the "key:value" form. This environment will open the Spring Actuator endpoint "health". ++ ```properties + management.endpoints.web.exposure.include: health + ``` ++1. Select the **Save** button, your application will restart automatically and load the new environment variables. ++You can now go back to the app overview pane and wait until the Provisioning Status changes to "Succeeded". There will be more than one running instance. ++> [!NOTE] +> Once you expose the app to public, these actuator endpoints are exposed to public as well. You can hide all endpoints by deleting the environment variables `management.endpoints.web.exposure.include`, and set `management.endpoints.web.exposure.exclude=*` ++## View the actuator endpoint to view application information ++1. You can now access the url `"<test-endpoint>/actuator/"` to see all endpoints exposed by Spring Boot Actuator. +1. Access url `"<test-endpoint>/actuator/env"`, you can see active profiles used by the app, and all environment variables loaded. +1. If you want to search a specific environment, you can access url `"<test-endpoint>/actuator/env/{toMatch}"` to view it. ++To view all the endpoints built-in, see [Exposing Endpoints](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints) ++## Next steps ++* [Understand metrics for Azure Spring Apps](./concept-metrics.md) +* [Understanding app status in Azure Spring Apps](./concept-app-status.md) |
spring-apps | Concept Metrics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/concept-metrics.md | + + Title: Metrics for Azure Spring Apps +description: Learn how to review metrics in Azure Spring Apps +++ Last updated : 09/08/2020+++++# Metrics for Azure Spring Apps ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++Azure Metrics explorer is a component of the Microsoft Azure portal that allows plotting charts, visually correlating trends, and investigating spikes and dips in metrics. Use the metrics explorer to investigate the health and utilization of your resources. ++In an Azure Spring Apps instance, you can view metrics on the following pages: ++* The application overview page, which shows quick status charts. To view this page, select **Apps** from the navigation pane, and then select an app. ++* The common metrics page, which shows common metrics available to all apps in the Azure Spring Apps instance. For the Enterprise plan, it also shows common metrics for Tanzu Spring Cloud Gateway. To view this page, select **Metrics** from the navigation pane. You can build your own charts in the common metrics page and pin them to your Dashboard. +++## Application overview page ++Select **Apps** in the navigation pane and then select an app from the list. The app overview page presents metrics charts that enable you to perform a quick status check of your application. +++Azure Spring Apps provides these five charts with metrics that are updated every minute: ++* **Http Server Errors**: Error count for HTTP requests to your app +* **Data In**: Bytes received by your app +* **Data Out**: Bytes sent by your app +* **Requests**: Requests received by your app +* **Average Response Time**: Average response time from your app ++For the chart, you can select a time range from one hour to seven days. ++## Common metrics page ++Select **Metrics** in the navigation pane to access common metrics. Select a metric to use from the **Metric** dropdown. +++For metric details, see the [User metric options](#user-metrics-options) section. ++Next, select the aggregation type for each metric: +++The aggregation type indicates how to aggregate metric points in the chart by time. There's one raw metric point every minute, and the pre-aggregation type within a minute is pre-defined by metrics type. ++* Sum: Sum all values as target output. +* Average: Use the Average value in the period as target output. +* Max/Min: Use the Max/Min value in the period as target output. ++The time range can also be adjusted from last 30 minutes to last 30 days or a custom time range. +++The default view includes all of an Azure Spring Apps service's application's metrics together. Metrics of one app or instance can be filtered in the display. Select **Add filter**, set the property to **App**, and select the target application you want to monitor in the **Values** text box. ++You can use two kinds of filters (properties): ++* App: filter by app name +* Instance: filter by app instance +* Deployment: filter by deployment name +++You can also use the **Apply splitting** option, which draws multiple lines for one app: +++>[!TIP] +> You can build your own charts on the metrics page and pin them to your **Dashboard**. Start by naming your chart. Next, select **Pin to dashboard in the top right corner**. You can now check on your application at your Portal **Dashboard**. ++## User metrics options ++> [!NOTE] +> For Spring Boot applications, to see metrics from Spring Boot Actuator, add the `spring-boot-starter-actuator` dependency. For more information, see the [Add actuator dependency](concept-manage-monitor-app-spring-boot-actuator.md#add-actuator-dependency) section of [Manage and monitor app with Spring Boot Actuator](concept-manage-monitor-app-spring-boot-actuator.md). ++The following tables show the available metrics and details. ++### Error ++>[!div class="mx-tdCol2BreakAll"] +>| Name | Spring Boot Actuator metric name | Unit | Description | +>|-|-|-|| +>| `tomcat.global.error` | `tomcat.global.error` | Count | Number of errors that occurred in processed requests. | ++### Performance ++>[!div class="mx-tdCol2BreakAll"] +>| Name | Spring Boot Actuator metric name | Unit | Description | +>|-|-|-|| +>| `system.cpu.usage` | `system.cpu.usage` | Percent | Recent CPU usage for the whole system (Obsolete and don't suggest using it). This value is a double in the [0.0,1.0] interval. A value of 0.0 means that all CPUs were idle during the recent period of time observed, while a value of 1.0 means that all CPUs were actively running 100% of the time during the recent period being observed.| +>| `process.cpu.usage` | App CPU Usage Percentage | Percent | Recent CPU usage for the Java Virtual Machine process (Obsolete and don't suggest using it). This value is a double in the [0.0,1.0] interval. A value of 0.0 means that none of the CPUs were running threads from the JVM process during the recent period of time observed, while a value of 1.0 means that all CPUs were actively running threads from the JVM 100% of the time during the recent period being observed. Threads from the JVM include the application threads as well as the JVM internal threads.| +>| App CPU Usage | | Percent | Recent CPU usage of the JVM process against the CPU allocated to this app. This value is a double in the [0.0,1.0] interval. A value of 0.0 means that none of the CPUs were running threads from the JVM process during the recent period of time observed, while a value of 1.0 means that all CPUs were actively running threads from the JVM 100% of the time during the recent period being observed. Threads from the JVM include the application threads as well as the JVM internal threads.| +>| App CPU Usage (Deprecated) | | Percent | Deprecated metric of App CPU Usage. Use the new App CPU Usage metric instead.| +>| App Memory Usage | | Percent | Recent memory usage of the JVM process against the memory allocated to this app. This value is a double in the [0.0,1.0] interval. A value of 0.0 means that none of the memory was allocated by threads from the JVM process during the recent period of time observed, while a value of 1.0 means that all memory was allocated by threads from the JVM 100% of the time during the recent period being observed. Threads from the JVM include the application threads as well as the JVM internal threads.| +>| `jvm.memory.committed` | `jvm.memory.committed` | Bytes | Represents the amount of memory that is guaranteed to be available for use by the JVM. The JVM may release memory to the system and committed could be less than init. committed will always be greater than or equal to used. | +>| `jvm.memory.used` | `jvm.memory.used` | Bytes | Represents the amount of memory currently used in bytes. | +>| `jvm.memory.max` | `jvm.memory.max` | Bytes | Represents the maximum amount of memory that can be used for memory management. The amount of used and committed memory will always be less than or equal to max if max is defined. A memory allocation may fail if it attempts to increase the used memory such that used > committed even if used <= max would still be true (for example, when the system is low on virtual memory). | +>| `jvm.gc.max.data.size` | `jvm.gc.max.data.size` | Bytes | The peak memory usage of the old generation memory pool since the Java virtual machine was started. | +>| `jvm.gc.live.data.size` | `jvm.gc.live.data.size` | Bytes | Size of old generation memory pool after a full garbage collection (GC). | +>| `jvm.gc.memory.promoted` | `jvm.gc.memory.promoted` | Bytes | Count of positive increases in the size of the old generation memory pool before GC to after GC. | +>| `jvm.gc.memory.allocated` | `jvm.gc.memory.allocated` | Bytes | Incremented for an increase in the size of the young generation memory pool after one GC to before the next. | +>| `jvm.gc.pause.total.count` | `jvm.gc.pause` (total-count) | Count | Total GC count after this JMV started, including Young and Old GC. | +>| `jvm.gc.pause.total.time` | `jvm.gc.pause` (total-time) | Milliseconds | Total GC time consumed after this JMV started, including Young and Old GC. | ++### Performance (.NET) ++>[!div class="mx-tdCol2BreakAll"] +>| Name | Spring Boot Actuator metric name | Unit | Description | +>||--||| +>| CPU usage | `cpu-usage` | Percent | The percent of the process's CPU usage relative to all of the system CPU resources [0-100]. | +>| Working set | `working-set` | Megabytes | Amount of working set used by the process. | +>| GC heap size | `gc-heap-size` | Megabytes | Total heap size reported by the garbage collector. | +>| Gen 0 GC count | `gen-0-gc-count` | Count | Number of Generation 0 garbage collections per second. | +>| Gen 1 GC count | `gen-1-gc-count` | Count | Number of Generation 1 garbage collections per second. | +>| Gen 2 GC count | `gen-2-gc-count` | Count | Number of Generation 2 garbage collections per second. | +>| Time in GC | `timein-gc` | Percent | The percent of time in garbage collection since the last garbage collection. | +>| Gen 0 heap size | `gen-0-size` | Bytes | Generation 0 heap size. | +>| Gen 1 heap size | `gen-1-size` | Bytes | Generation 1 heap size. | +>| Gen 2 heap size | `gen-2-size` | Bytes | Generation 2 heap size. | +>| LOH heap size | `loh-size` | Bytes | Large Object Heap heap size. | +>| Allocation rate | `alloc-rate` | Bytes | Number of bytes allocated per second. | +>| Assembly count | `assembly-count` | Count | Number of assemblies loaded. | +>| Exception count | `exception-count` | Count | Number of exceptions per second. | +>| Thread pool thread count | `threadpool-thread-count` | Count | Number of thread pool threads. | +>| Monitor lock contention count | `monitor-lock-contention-count` | Count | The number of times per second there was contention when trying to take a monitor's lock. | +>| Thread pool queue length | `threadpool-queue-length` | Count | Thread pool work items queue length. | +>| Thread pool completed items count | `threadpool-completed-items-count` | Count | Thread pool completed work items count. | +>| Active timers count | `active-timer-count` | Count | The number of timers that are currently active. An active timer is one that is registered to tick at some point in the future, and has not yet been canceled. | ++For more information, see [Investigate performance counters (dotnet-counters)](/dotnet/core/diagnostics/dotnet-counters). ++### Request ++>[!div class="mx-tdCol2BreakAll"] +>| Name | Spring Boot Actuator metric name | Unit | Description | +>|-|-|-|| +>| `tomcat.global.sent` | `tomcat.global.sent` | Bytes | Amount of data Tomcat web server sent. | +>| `tomcat.global.received` | `tomcat.global.received` | Bytes | Amount of data Tomcat web server received. | +>| `tomcat.global.request.total.count` | `tomcat.global.request` (total-count) | Count | Total count of Tomcat web server processed requests. | +>| `tomcat.global.request.max` | `tomcat.global.request.max` | Milliseconds | Maximum time of Tomcat web server to process a request. | ++### Request (.NET) ++>[!div class="mx-tdCol2BreakAll"] +>| Name | Spring Boot Actuator metric name | Unit | Description | +>||--||| +>| Requests per second | `requests-per-second` | Count | Request rate. | +>| Total requests | `total-requests` | Count | Total number of requests. | +>| Current requests | `current-requests` | Count | Number of current requests. | +>| Failed requests | `failed-requests` | Count | Number of failed requests. | ++For more information, see [Investigate performance counters (dotnet-counters)](/dotnet/core/diagnostics/dotnet-counters). ++### Session ++>[!div class="mx-tdCol2BreakAll"] +>| Name | Spring Boot Actuator metric name | Unit | Description | +>|-|-|-|| +>| `tomcat.sessions.active.max` | `tomcat.sessions.active.max` | Count | Maximum number of sessions that have been active at the same time. | +>| `tomcat.sessions.alive.max` | `tomcat.sessions.alive.max` | Milliseconds | Longest time (in seconds) that an expired session was alive. | +>| `tomcat.sessions.created` | `tomcat.sessions.created` | Count | Number of sessions that have been created. | +>| `tomcat.sessions.expired` | `tomcat.sessions.expired` | Count | Number of sessions that have expired. | +>| `tomcat.sessions.rejected` | `tomcat.sessions.rejected` | Count | Number of sessions that were not created because the maximum number of active sessions reached. | +>| `tomcat.sessions.active.current` | `tomcat.sessions.active.current` | Count | Tomcat Session Active Count. | ++### Ingress ++>[!div class="mx-tdCol2BreakAll"] +>| Display name | Azure metric name | Unit | Description | +>|--|--|-|-| +>| Bytes Received | `IngressBytesReceived` | Bytes | Count of bytes received by Azure Spring Apps from the clients. | +>| Bytes Sent | `IngressBytesSent` | Bytes | Count of bytes sent by Azure Spring Apps to the clients. | +>| Requests | `IngressRequests` | Count | Count of requests by Azure Spring Apps from the clients. | +>| Failed Requests | `IngressFailedRequests` | Count | Count of failed requests by Azure Spring Apps from the clients. | +>| Response Status | `IngressResponseStatus` | Count | HTTP response status returned by Azure Spring Apps. The response status code distribution can be further categorized to show responses in 2xx, 3xx, 4xx, and 5xx categories. | +>| Response Time | `IngressResponseTime` | Seconds | Http response time return by Azure Spring Apps. | +>| Throughput In (bytes/s) | `IngressBytesReceivedRate`| BytesPerSecond | Bytes received per second by Azure Spring Apps from the clients. | +>| Throughput Out (bytes/s) | `IngressBytesSentRate` | BytesPerSecond | Bytes sent per second by Azure Spring Apps to the clients. | ++### Gateway ++The following table applies to the Tanzu Spring Cloud Gateway in Enterprise plan only. ++>[!div class="mx-tdCol2BreakAll"] +>| Display name | Azure metric name | Unit | Description | +>| | - | | - | +>| `jvm.gc.live.data.size` | `GatewayJvmGcLiveDataSizeBytes` | Bytes | Size of old generation memory pool after a full GC. | +>| `jvm.gc.max.data.size` | `GatewayJvmGcMaxDataSizeBytes` | Bytes | Max size of old generation memory pool. | +>| `jvm.gc.memory.promoted` | `GatewayJvmGcMemoryPromotedBytesTotal` | Bytes | Count of positive increases in the size of the old generation memory pool before GC to after GC. | +>| `jvm.gc.pause.max.time` | `GatewayJvmGcPauseSecondsMax` | Seconds | GC Pause Max Time. | +>| `jvm.gc.pause.total.count` | `GatewayJvmGcPauseSecondsCount` | Count | GC Pause Count. | +>| `jvm.gc.pause.total.time` | `GatewayJvmGcPauseSecondsSum` | Seconds | GC Pause Total Time. | +>| `jvm.memory.committed` | `GatewayJvmMemoryCommittedBytes` | Bytes | Memory assigned to JVM in bytes. | +>| `jvm.memory.used` | `GatewayJvmMemoryUsedBytes` | Bytes | Memory Used in bytes. | +>| Max time of requests | `GatewayHttpServerRequestsMilliSecondsMax` | Milliseconds | The max time of requests. | +>| `process.cpu.usage` | `GatewayProcessCpuUsage` | Percent | The recent CPU usage for the JVM process. | +>| Request count | `GatewayHttpServerRequestsSecondsCount` | Count | The number of requests. | +>| `system.cpu.usage` | `GatewaySystemCpuUsage` | Percent | The recent CPU usage for the whole system. | +>| Throttled requests count | `GatewayRatelimitThrottledCount` | Count | The count of the throttled requests. | ++## Next steps ++* [Quickstart: Monitoring Azure Spring Apps apps with logs, metrics, and tracing](../basic-standard/quickstart-logs-metrics-tracing.md) +* [Analyze metrics with Azure Monitor metrics explorer](../../azure-monitor/essentials/analyze-metrics.md) +* [Analyze logs and metrics with diagnostics settings](./diagnostic-services.md) +* [Tutorial: Monitor Spring app resources using alerts and action groups](./tutorial-alerts-action-groups.md) +* [Quotas and Service Plans for Azure Spring Apps](./quotas.md) |
spring-apps | Concept Outbound Type | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/concept-outbound-type.md | + + Title: Customize Azure Spring Apps egress with a user-defined route +description: Learn how to customize Azure Spring Apps egress with a user-defined route. ++++ Last updated : 10/20/2022++++# Customize Azure Spring Apps egress with a user-defined route ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Java ✔️ C# ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article describes how to customize an instance's egress route to support custom network scenarios. For example, you might want to customize an instance's egress route for networks that disallow public IPs and require the instance to sit behind a network virtual appliance (NVA). ++By default, Azure Spring Apps provisions a Standard SKU Load Balancer that you can set up and use for egress. However, the default setup may not meet the requirements of all scenarios. For example, public IPs may not be allowed, or more hops may be required for egress. When you use this feature to customize egress, Azure Spring Apps doesn't create public IP resources. ++## Prerequisites ++- All prerequisites for deploying Azure Spring Apps in a virtual network. For more information, see [Deploy Azure Spring Apps in a virtual network](how-to-deploy-in-azure-virtual-network.md). +- An API version of `2022-09-01 preview` or greater. +- [Azure CLI version 1.1.7 or later](/cli/azure/install-azure-cli). ++## Limitations ++- You can only define `OutboundType` when you create a new Azure Spring Apps service instance, and you can't updated it afterwards. `OutboundType` works only with a virtual network. +- Setting `outboundType` to `UserDefinedRouting` requires a user-defined route with valid outbound connectivity for your instance. +- Setting `outboundType` to `UserDefinedRouting` implies that the ingress source IP routed to the load-balancer may not match the instance's outgoing egress destination address. ++## Overview of outbound types in Azure Spring Apps ++You can customize an Azure Spring Apps instance with a unique `outboundType` of type `loadBalancer` or `userDefinedRouting`. ++### Outbound type loadBalancer ++The default `outboundType` value is `loadBalancer`. If `outboundType` is set to `loadBalancer`, Azure Spring Apps automatically configures egress paths and expects egress from the load balancers created by the Azure Spring Apps resource provider. Two load balancers are recreated: one for the service runtime and another for the user app. A public IP address is provisioned for each load balancer. The load balancer is used for egress traffic for the generated public IP. ++### Outbound type userDefinedRouting ++> [!NOTE] +> Using an outbound type is an advanced networking scenario and requires proper network configuration. ++If `outboundType` is set to `userDefinedRouting`, Azure Spring Apps doesn't automatically configure egress paths. You must set up egress paths yourself. You could still find two load balancers in your resource group. They're only used for internal traffic and don't expose any public IP. You must prepare two route tables associated with two subnets: one to service the runtime and another for the user app. ++> [!IMPORTANT] +> An `outboundType` of `userDefinedRouting` requires a route for `0.0.0.0/0` and the next hop destination of a network virtual appliance in the route table. For more information, see [Customer responsibilities for running Azure Spring Apps in a virtual network](vnet-customer-responsibilities.md). ++## See also ++- [Control egress traffic for an Azure Spring Apps instance](how-to-create-user-defined-route-instance.md) |
spring-apps | Concept Security Controls | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/concept-security-controls.md | + + Title: Security controls for Azure Spring Apps Service +description: Use security controls built in into Azure Spring Apps Service. ++++ Last updated : 04/23/2020++++# Security controls for Azure Spring Apps Service ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++Security controls are built into Azure Spring Apps Service. ++A security control is a quality or feature of an Azure service that contributes to the service's ability to prevent, detect, and respond to security vulnerabilities. For each control, we use *Yes* or *No* to indicate whether it is currently in place for the service. We use *N/A* for a control that is not applicable to the service. ++**Data protection security controls** ++| Security control | Yes/No | Notes | Documentation | +|:-|:-|:-|:-| +| Server-side encryption at rest: Microsoft-managed keys | Yes | User uploaded source and artifacts, config server settings, app settings, and data in persistent storage are stored in Azure Storage, which automatically encrypts the content at rest.<br><br>Config server cache, runtime binaries built from uploaded source, and application logs during the application lifetime are saved to Azure managed disk, which automatically encrypts the content at rest.<br><br>Container images built from user uploaded source are saved in Azure Container Registry, which automatically encrypts the image content at rest. | [Azure Storage encryption for data at rest](../../storage/common/storage-service-encryption.md)<br><br>[Server-side encryption of Azure managed disks](../../virtual-machines/disk-encryption.md)<br><br>[Container image storage in Azure Container Registry](../../container-registry/container-registry-storage.md) | +| Encryption in transient | Yes | User app public endpoints use HTTPS for inbound traffic by default. | | +| API calls encrypted | Yes | Management calls to configure Azure Spring Apps service occur via Azure Resource Manager calls over HTTPS. | [Azure Resource Manager](../../azure-resource-manager/index.yml) | +| Customer Lockbox | Yes | Provide Microsoft with access to relevant customer data during support scenarios. | [Customer Lockbox for Microsoft Azure](../../security/fundamentals/customer-lockbox-overview.md) ++**Network access security controls** ++| Security control | Yes/No | Notes | Documentation | +|:-|:-|:-|:-| +| Service Tag | Yes | Use **AzureSpringCloud** service tag to define outbound network access controls on [network security groups](../../virtual-network/network-security-groups-overview.md#security-rules) or [Azure Firewall](../../firewall/service-tags.md), to allow traffic to applications in Azure Spring Apps. | [Service tags](../../virtual-network/service-tags-overview.md) | ++## Next steps ++* [Quickstart: Deploy your first Spring Boot app in Azure Spring Apps](./quickstart.md) |
spring-apps | Concept Understand App And Deployment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/concept-understand-app-and-deployment.md | + + Title: "App and deployment in Azure Spring Apps" +description: Explains the distinction between application and deployment in Azure Spring Apps. ++++ Last updated : 07/23/2020++++# App and deployment in Azure Spring Apps ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Java ✔️ C# ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++*App* and *Deployment* are the two key concepts in the resource model of Azure Spring Apps. In Azure Spring Apps, an *App* is an abstraction of one business app. One version of code or binary deployed as the *App* runs in a *Deployment*. Apps run in an *Azure Spring Apps service instance*, or simply *service instance*, as shown next. +++You can have multiple service instances within a single Azure subscription, but the Azure Spring Apps Service is easiest to use when all of the Apps that make up a business app reside within a single service instance. One reason is that the Apps are likely to communicate with each other. They can easily do that by using Eureka service registry in the service instance. ++The Azure Spring Apps Standard plan allows one App to have one production deployment and one staging deployment, so that you can do blue/green deployment on it easily. ++## App ++The following features/properties are defined on app level. ++| Features | Description | +|:--|:--| +| Public</br>Endpoint | The URL to access the app. | +| Custom</br>Domain | The `CNAME` record that secures the custom domain. | +| Service</br>Binding | The out-of-box connection with other Azure services. | +| Managed</br>Identity | The managed identity by Microsoft Entra ID allows your app to easily access other Microsoft Entra protected resources such as Azure Key Vault. | +| Persistent</br>Storage | The setting that enables data to persist beyond app restart. | ++## Deployment ++The following features/properties are defined on the deployment level, and are exchanged when swapping the production and staging deployment. ++| Features | Description | +|:--|:--| +| CPU | The number of vcores per app instance. | +| Memory | The GB of memory per app instance. | +| Instance</br>Count | The number of app instances, set manually or automatically. | +| Auto-Scale | The scale instance count automatically based on predefined rules and schedules. | +| JVM</br>Options | The JVM options to set. | +| Environment</br>Variables | The environment variables to set. | +| Runtime</br>Version | Either *Java 8* or *Java 11*. | ++## Environment ++Azure Spring Apps mounts some read-only YAML files to your deployed apps. These files contain the Azure context of a deployment. The following list shows the paths and contents of these YAML files: ++- */etc/azure-spring-cloud/context/azure-spring-apps.yml* ++ ```yaml + AZURE_SPRING_APPS: + SUBSCRIPTION_ID: <your-azure-subscription-id> + RESOURCE_GROUP: <your-resource-group-name> + NAME: <your-azure-spring-apps-name> + ``` ++- */etc/azure-spring-cloud/context/azure-spring-apps-deployment.yml* ++ ```yaml + AZURE_SPRING_APPS: + APP: + NAME: <your-app-name> + DEPLOYMENT: + NAME: <your-deployment-name> + ACTIVE: true # true if the deployment is in production, false if in staging + ``` ++If your app is a Spring Boot app, these two file paths are added to the `SPRING_CONFIG_ADDITIONAL_LOCATION` environment variable. This way, your app can load these properties as configurations and use them in your code. For example, you can use the `@ConfigurationProperties` annotation to bind the YAML properties to a Java class. The following code snippet shows how to create a `@Configuration` class that represents the Azure context: ++```java +import lombok.Data; +import org.springframework.boot.context.properties.ConfigurationProperties; +import org.springframework.context.annotation.Configuration; ++@Configuration +@ConfigurationProperties(prefix = "azure-spring-apps") +@Data +public class AzureSpringAppsContext { ++ private String subscriptionId; + private String resourceGroup; + private String name; ++ private AppContext app; + private DeploymentContext deployment; ++ @Data + public static class AppContext { + private String name; + } ++ @Data + public static class DeploymentContext { + private String name; + private boolean active; + } +} +``` ++For any other polyglot apps, you may need to read and access corresponding properties by using the corresponding file read/write libraries in your apps. ++## Restrictions ++- An app must have one production deployment. The API blocks the deletion of a production deployment. You should swap a deployment to staging before deleting it. +- An app can have at most two deployments. The API blocks the creation of more than two deployments. Deploy your new binary to either the existing production or staging deployment. +- Deployment management isn't available in the Basic plan. Use the Standard or Enterprise plan for blue-green deployment capability. ++## Next steps ++- [Set up a staging environment in Azure Spring Apps](./how-to-staging-environment.md) |
spring-apps | Concept Zero Downtime Deployment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/concept-zero-downtime-deployment.md | + + Title: Zero downtime deployment in Azure Spring Apps +description: Learn about zero downtime deployment with blue-green deployment strategies in Azure Spring Apps. +++ Last updated : 06/01/2023+++++# Zero downtime deployment in Azure Spring Apps ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Java ✔️ C# ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article describes the zero downtime deployment support in Azure Spring Apps. ++Achieving zero downtime deployments is a fundamental goal for mission-critical applications. Your application needs to be available even when new releases are rolled out during business hours. With zero downtime deployment support in Azure Spring Apps, you can complete the deployment process from start to finish without any workload interruptions. ++## Zero downtime with blue-green deployment strategy ++You can achieve zero downtime with [blue-green deployment strategies](concepts-blue-green-deployment-strategies.md) in Azure Spring Apps. +A blue-green deployment eliminates downtime by running two deployment versions, with only one of the deployments serving production traffic at any time. A blue-green deployment provides zero downtime by allowing you to switch to the other deployment version if something disrupts the live deployment. ++When you perform a blue-green switch, Azure Spring Apps performs the following underlying operations: ++- If the Eureka client is enabled for the deployment, overrides and sets the Eureka registry status to `UP` for instances in the `production` deployment. +- If the Eureka client is enabled for the deployment, overrides and sets the Eureka registry status to `OUT_OF_SERVICE` for instances in the `staging` deployment. +- If a public endpoint is enabled for the app, updates ingress rules to route public traffic to instances in the `production` deployment. ++> [!NOTE] +> For a blue-green deployment, you can achieve zero down time even for single-replica deployment. ++## Zero downtime with rolling update strategy ++For a deployment with a replica number of two or higher, you can achieve zero downtime with a rolling update strategy from Azure Spring Apps. When you deploy a new version to an existing deployment, or restart a deployment, Azure Spring Apps uses underlying Kubernetes rolling updates to perform the update. ++Rolling updates enable deployment updates to take place with zero downtime by incrementally updating instances with new instances. Your application continues to serve production traffic when performing a rolling update if the deployment replica number is two or higher. For more information, see [Performing a Rolling Update](https://kubernetes.io/docs/tutorials/kubernetes-basics/update/update-intro/). ++> [!WARNING] +> For single-replica deployment, you might see downtime during the deployment update. To ensure application availability, we recommend that you deploy with at least two replicas for your production workload. ++> [!NOTE] +> To gracefully start or shutdown your application, you must configure health probes for your deployments. For more information, see [How to configure health probes and graceful termination periods for apps hosted in Azure Spring Apps](./how-to-configure-health-probes-graceful-termination.md). Kubernetes checks these probes during the rolling update process, and the Nginx ingress controller routes traffic to instances with a succeeded readiness probe. ++When you scale in your application instances, Azure Spring Apps uses underlying Kubernetes [Container Lifecycle Hooks](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/) to gracefully shut down the pods. ++In the hook, Azure Spring Apps performs the following operations for a shutting down an application container: ++- If the Eureka client is enabled, overrides and sets the instance's Eureka registry status to `OUT_OF_SERVICE`. +- Waits a few seconds to continue to serve any traffic from Nginx or other applications before Kubernetes shuts down the application container. ++## Next steps ++- [Blue-green deployment strategies in Azure Spring Apps](concepts-blue-green-deployment-strategies.md) +- [How to configure health probes and graceful termination periods for apps hosted in Azure Spring Apps](how-to-configure-health-probes-graceful-termination.md) |
spring-apps | Concepts Blue Green Deployment Strategies | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/concepts-blue-green-deployment-strategies.md | + + Title: "Blue-green deployment strategies in Azure Spring Apps" +description: This topic explains two approaches to blue-green deployments in Azure Spring Apps. ++++ Last updated : 11/12/2021++++# Blue-green deployment strategies in Azure Spring Apps ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article describes the blue-green deployment support in Azure Spring Apps. ++Azure Spring Apps (Standard plan and higher) permits two deployments for every app, only one of which receives production traffic. This pattern is commonly known as blue-green deployment. Azure Spring Apps's support for blue-green deployment, together with a [Continuous Delivery (CD)](/devops/deliver/what-is-continuous-delivery) pipeline and rigorous automated testing, allows agile application deployments with high confidence. ++## Alternating deployments ++The simplest way to implement blue-green deployment with Azure Spring Apps is to create two fixed deployments and always deploy to the deployment that isn't receiving production traffic. With the [Azure Spring Apps task for Azure Pipelines](/azure/devops/pipelines/tasks/deploy/azure-spring-cloud), you can deploy this way just by setting the `UseStagingDeployment` flag to `true`. ++Here's how the alternating deployments approach works in practice: ++Suppose your application has two deployments: `deployment1` and `deployment2`. Currently, `deployment1` is set as the production deployment, and is running version `v3` of the application. ++This makes `deployment2` the staging deployment. Thus, when the Continuous Delivery (CD) pipeline is ready to run, it deploys the next version of the app, version `v4`, onto the staging deployment `deployment2`. ++![Two deployments: deployment1 receives production traffic](media/concepts-blue-green-deployment-strategies/alternating-deployments-1.png) ++After `v4` has started up on `deployment2`, you can run automated and manual tests against it through a private test endpoint to ensure `v4` meets all expectations. ++![V4 is now deployed on deployment2 and undergoes testing](media/concepts-blue-green-deployment-strategies/alternating-deployments-2.png) ++When you have confidence in `v4`, you can set `deployment2` as the production deployment so that it receives all production traffic. `v3` will remain running on `deployment1` in case you discover a critical issue that requires rolling back. ++![V4 on deployment2 now receives production traffic](media/concepts-blue-green-deployment-strategies/alternating-deployments-3.png) ++Now, `deployment1` is the staging deployment. So the next run of the deployment pipeline deploys onto `deployment1`. ++![V5 deployed on deployment1](media/concepts-blue-green-deployment-strategies/alternating-deployments-4.png) ++You can now test `V5` on `deployment1`'s private test endpoint. ++![V5 tested on deployment1](media/concepts-blue-green-deployment-strategies/alternating-deployments-5.png) ++Finally, after `v5` meets all your expectations, you set `deployment1` as the production deployment once again, so that `v5` receives all production traffic. ++![V5 receives traffic on deployment1](media/concepts-blue-green-deployment-strategies/alternating-deployments-6.png) ++### Tradeoffs of the alternating deployments approach ++The alternating deployments approach is simple and fast, as it doesn't require the creation of new deployments. However, it does present several disadvantages, as described in the following sections. ++#### Persistent staging deployment ++The staging deployment always remains running, and thus consuming resources of the Azure Spring Apps instance. This effectively doubles the resource requirements of each application on Azure Spring Apps. ++#### The approval race condition ++Suppose in the above application, the release pipeline requires manual approval before each new version of the application can receive production traffic. This creates the risk that while one version (`v6`) awaits manual approval on the staging deployment, the deployment pipeline will run again and overwrite it with a newer version (`v7`). Then, when the approval for `v6` is granted, the pipeline that deployed `v6` will set the staging deployment as production. But now it will be the unapproved `v7`, not the approved `v6`, that is deployed on that deployment and receives traffic. ++![The approval race condition](media/concepts-blue-green-deployment-strategies/alternating-deployments-race-condition.png) ++You may be able to prevent the race condition by ensuring that the deployment flow for one version can't begin until the deployment flow for all previous versions is complete or aborted. Another way to prevent the approval race condition is to use the Named Deployments approach described below. ++## Named deployments ++In the named deployments approach, a new deployment is created for each new version of the application being deployed. After the application is tested on its bespoke deployment, that deployment is set as the production deployment. The deployment containing the previous version can be allowed to persist just long enough to be confident that a rollback won't be needed. ++In the illustration below, version `v5` is running on the deployment `deployment-v5`. The deployment name now contains the version because the deployment was created specifically for this version. There's no other deployment at the outset. Now, to deploy version `v6`, the deployment pipeline creates a new deployment `deployment-v6` and deploys app version `v6` there. ++![Deploying new version on a named deployment](media/concepts-blue-green-deployment-strategies/named-deployment-1.png) ++There's no risk of another version being deployed in parallel. First, Azure Spring Apps doesn't allow the creation of a third deployment while two deployments already exist. Second, even if it was possible to have more than two deployments, each deployment is identified by the version of the application it contains. Thus, the pipeline orchestrating the deployment of `v6` would only attempt to set `deployment-v6` as the production deployment. ++![New version receives production traffic named deployment](media/concepts-blue-green-deployment-strategies/named-deployment-2.png) ++After the deployment created for the new version receives production traffic, you'll need to remove the deployment containing the previous version to make room for future deployments. You may wish to postpone by some number of minutes or hours so you can roll back to the previous version if you discover a critical issue in the new version. ++![After a fallback period, deleting the previous deployment](media/concepts-blue-green-deployment-strategies/named-deployment-3.png) ++### Tradeoffs of the named deployments approach ++The named deployments approach has the following benefits: ++* It prevents the approval race condition. +* It reduces resource consumption by deleting the staging deployment when it's not in use. ++However, there are drawbacks as well, as described in the following section. ++#### Deployment pipeline failures ++Between the time a deployment starts and the time the staging deployment is deleted, any additional attempts to run the deployment pipeline will fail. The pipeline will attempt to create a new deployment, which will result in an error because only two deployments are permitted per application in Azure Spring Apps. ++Therefore, the deployment orchestration must either have the means to retry a failed deployment process at a later time, or the means to ensure that the deployment flows for each version will remain queued until the flow is completed for all previous versions. ++## Next steps ++* [Automate application deployments to Azure Spring Apps](./how-to-cicd.md) |
spring-apps | Concepts For Java Memory Management | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/concepts-for-java-memory-management.md | + + Title: Java memory management ++description: Introduces concepts for Java memory management to help you understand Java applications in Azure Spring Apps. ++++ Last updated : 07/15/2022++++# Java memory management ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article describes various concepts related to Java memory management to help you understand the behavior of Java applications hosted in Azure Spring Apps. ++## Java memory model ++A Java application's memory has several parts, and there are different ways to divide the parts. This article discusses Java memory as divided into heap memory, non-heap memory, and direct memory. ++### Heap memory ++Heap memory stores all class instances and arrays. Each Java virtual machine (JVM) has only one heap area, which is shared among threads. ++Spring Boot Actuator can observe the value of heap memory. Spring Boot Actuator takes the heap value as part of `jvm.memory.used/committed/max`. For more information, see the [jvm.memory.used/committed/max](tools-to-troubleshoot-memory-issues.md#jvmmemoryusedcommittedmax) section in [Tools to troubleshoot memory issues](tools-to-troubleshoot-memory-issues.md). ++Heap memory is divided into *young generation* and *old generation*. These terms are described in the following list, along with related terms. ++- *Young generation*: all new objects are allocated and aged in young generation. ++ - *Eden space*: new objects are allocated in Eden space. + - *Survivor space*: objects will be moved from Eden to survivor space after surviving one garbage collection cycle. Survivor space can be divided to two parts: s1 and s2. ++- *Old generation*: also called *tenured space*. Objects that have remained in the survivor spaces for a long time will be moved to old generation. ++Before Java 8, another section called *permanent generation* was also part of the heap. Starting with Java 8, permanent generation was replaced by metaspace in non-heap memory. ++### Non-heap memory ++Non-heap memory is divided into the following parts: ++- The part of non-heap memory that replaced the permanent generation (or *permGen*) starting with Java 8. Spring Boot Actuator observes this section and takes it as part of `jvm.memory.used/committed/max`. In other words, `jvm.memory.used/committed/max` is the sum of heap memory and the former permGen part of non-heap memory. The former permanent generation is composed of the following parts: ++ - *Metaspace*, which stores the class definitions loaded by class loaders. + - *Compressed class space*, which is for compressed class pointers. + - *Code cache*, which stores native code compiled by JIT. ++- Other memory such as the thread stack, which isn't observed by Spring Boot Actuator. ++### Direct memory ++Direct memory is native memory allocated by `java.nio.DirectByteBuffer`, which is used in third party libraries like nio and gzip. ++Spring Boot Actuator doesn't observe the value of direct memory. ++The following diagram summarizes the Java memory model described in the previous section. +++## Java garbage collection ++There are three terms regarding of Java Garbage Collection (GC): "Minor GC", "Major GC", and "Full GC". These terms aren't clearly defined in the JVM specification. Here, we consider "Major GC" and "Full GC" to be equivalent. ++Minor GC performs when Eden space is full. It removes all dead objects in young generation and moves live objects to from Eden space to s1 of survivor space, or from s1 to s2. ++Full GC or major GC does garbage collection in the entire heap. Full GC can also collect parts like metaspace and direct memory, which can be cleaned only by full GC. ++The maximum heap size influences the frequency of minor GC and full GC. The maximum metaspace and maximum direct memory size influence full GC. ++When you set the maximum heap size to a lower value, garbage collections occur more frequently, which slow the app a little, but better limits the memory usage. When you set the maximum heap size to a higher value, garbage collections occur less frequently, which may create more out-of-memory (OOM) risk. For more information, see the [Types of out-of-memory issues](how-to-fix-app-restart-issues-caused-by-out-of-memory.md#types-of-out-of-memory-issues) section of [App restart issues caused by out-of-memory issues](how-to-fix-app-restart-issues-caused-by-out-of-memory.md). ++Metaspace and direct memory can be collected only by full GC. When metaspace or direct memory is full, full GC will occur. ++## Java memory configurations ++The following sections describe important aspects of Java memory configuration. ++### Java containerization ++Applications in Azure Spring Apps run in container environments. For more information, see [Containerize your Java applications](/azure/developer/java/containers/overview?toc=/azure/spring-cloud/toc.json&bc=/azure/spring-cloud/breadcrumb/toc.json). ++### Important JVM options ++You can configure the maximum size of each part of memory by using JVM options. You can set JVM options by using Azure CLI commands or through the Azure portal. For more information, see the [Modify configurations to fix problems](tools-to-troubleshoot-memory-issues.md#modify-configurations-to-fix-problems) section of [Tools to troubleshoot memory issues](tools-to-troubleshoot-memory-issues.md). ++The following list describes the JVM options: ++- Heap size configuration ++ - `-Xms` sets the initial heap size by absolute value. + - `-Xmx` sets the maximum heap size by absolute value. + - `-XX:InitialRAMPercentage` sets the initial heap size by the percentage of heap size / app memory size. + - `-XX:MaxRAMPercentage` sets the maximum heap size by the percentage of heap size / app memory size. ++- Direct memory size configuration ++ - `-XX:MaxDirectMemorySize` sets the maximum direct memory size by absolute value. For more information, see [MaxDirectMemorySize](https://docs.oracle.com/en/java/javase/11/tools/java.html#GUID-3B1CE181-CD30-4178-9602-230B800D4FAE__GUID-2E02B495-5C36-4C93-8597-0020EFDC9A9C) in the Oracle documentation. ++- Metaspace size configuration ++ - `-XX:MaxMetaspaceSize` sets the maximum metaspace size by absolute value. ++### Default maximum memory size ++The following sections describe how default maximum memory sizes are set. ++#### Default maximum heap size ++Azure Spring Apps sets the default maximum heap memory size to about 50%-80% of app memory for Java apps. Specifically, Azure Spring Apps uses the following settings: ++- If the app memory < 1 GB, the default maximum heap size will be 50% of app memory. +- If 1 GB <= the app memory < 2 GB, the default maximum heap size will be 60% of app memory. +- If 2 GB <= the app memory < 3 GB, the default maximum heap size will be 70% of app memory. +- If 3 GB <= the app memory, the default maximum heap size will be 80% of app memory. ++#### Default maximum direct memory size ++When the maximum direct memory size isn't set using JVM options, the JVM automatically sets the maximum direct memory size to the value returned by [Runtime.getRuntime.maxMemory()](https://docs.oracle.com/javase/8/docs/api/java/lang/Runtime.html#maxMemory--). This value is approximately equal to the maximum heap memory size. For more information, see the [JDK 8 VM.java file](http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/file/a71d26266469/src/share/classes/sun/misc/VM.java#l282>%20jdk8). ++### Memory usage layout ++Heap size is influenced by your throughput. Basically, when configuring, you can keep the default maximum heap size, which leaves reasonable memory for other parts. ++The metaspace size depends on the complexity of your code, such as the number of classes. ++The direct memory size depends on your throughput and your use of third party libraries like nio and gzip. ++The following list describes a typical memory layout sample for 2-GB apps. You can refer to this list to configure your memory size settings. ++- Total Memory (2048M) +- Heap memory: Xmx is 1433.6M (70% of total memory). The reference value of daily memory usage is 1200M. + - Young generation + - Survivor space (S0, S1) + - Eden space + - Old generation +- Non-heap memory + - Observed part (observed by Spring Boot Actuator) + - Metaspace: the daily usage reference value is 50M-256M + - Code cache + - Compressed class space + - Not observed part (not observed by Spring Boot Actuator): the daily usage reference value is 150M-250M. + - Thread stack + - GC, internal symbol and other +- Direct memory: the daily usage reference value is 10M-200M. ++The following diagram shows the same information. Numbers in grey are the reference values of daily memory usage. +++Overall, when configuring maximum memory sizes, you should consider the usage of each part in memory, and the sum of all maximum sizes shouldn't exceed total available memory. ++## Java OOM ++OOM means the application is out of memory. There are two different concepts: container OOM and JVM OOM. For more information, see [App restart issues caused by out-of-memory issues](how-to-fix-app-restart-issues-caused-by-out-of-memory.md). ++## See also ++- [App restart issues caused by out-of-memory issues](how-to-fix-app-restart-issues-caused-by-out-of-memory.md) +- [Tools to troubleshoot memory issues](tools-to-troubleshoot-memory-issues.md) |
spring-apps | Connect Managed Identity To Azure Sql | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/connect-managed-identity-to-azure-sql.md | + + Title: Use Managed identity to connect Azure SQL Database to an app deployed to Azure Spring Apps +description: Set up managed identity to connect Azure SQL to an app deployed to Azure Spring Apps. ++++ Last updated : 09/26/2022++++# Use a managed identity to connect Azure SQL Database to an app deployed to Azure Spring Apps ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Java ✔️ C# ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article shows you how to create a managed identity for an app deployed to Azure Spring Apps and use it to access Azure SQL Database. ++[Azure SQL Database](https://azure.microsoft.com/services/sql-database/) is the intelligent, scalable, relational database service built for the cloud. It’s always up to date, with AI-powered and automated features that optimize performance and durability. Serverless compute and Hyperscale storage options automatically scale resources on demand, so you can focus on building new applications without worrying about storage size or resource management. ++## Prerequisites ++* An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). +* [Azure CLI](/cli/azure/install-azure-cli) version 2.45.0 or higher. +* Follow the [Spring Data JPA tutorial](/azure/developer/java/spring-framework/configure-spring-data-jpa-with-azure-sql-server) to provision an Azure SQL Database and get it work with a Java app locally. +* Follow the [Azure Spring Apps system-assigned managed identity tutorial](./how-to-enable-system-assigned-managed-identity.md) to provision an app in Azure Spring Apps with managed identity enabled. ++## Connect to Azure SQL Database with a managed identity ++You can connect your application to an Azure SQL Database with a managed identity by following manual steps or using [Service Connector](../../service-connector/overview.md). ++### [Manual configuration](#tab/manual) ++### Grant permission to the managed identity ++Connect to your SQL server and run the following SQL query: ++```sql +CREATE USER [<managed-identity-name>] FROM EXTERNAL PROVIDER; +ALTER ROLE db_datareader ADD MEMBER [<managed-identity-name>]; +ALTER ROLE db_datawriter ADD MEMBER [<managed-identity-name>]; +ALTER ROLE db_ddladmin ADD MEMBER [<managed-identity-name>]; +GO +``` ++The value of the `<managed-identity-name>` placeholder follows the rule `<service-instance-name>/apps/<app-name>`; for example: `myspringcloud/apps/sqldemo`. You can also use the following command to query the managed identity name with Azure CLI: ++```azurecli +az ad sp show --id <identity-object-ID> --query displayName +``` ++### Configure your Java app to use a managed identity ++Open the *src/main/resources/application.properties* file, then add `Authentication=ActiveDirectoryMSI;` at the end of the `spring.datasource.url` line, as shown in the following example. Be sure to use the correct value for the $AZ_DATABASE_NAME variable. ++```properties +spring.datasource.url=jdbc:sqlserver://$AZ_DATABASE_NAME.database.windows.net:1433;database=demo;encrypt=true;trustServerCertificate=false;hostNameInCertificate=*.database.windows.net;loginTimeout=30;Authentication=ActiveDirectoryMSI; +``` ++#### [Service Connector](#tab/service-connector) ++> [!NOTE] +> Service Connectors are created at the deployment level. So, if another deployment is created, you need to create the connections again. ++Configure your app deployed to Azure Spring Apps to connect to an Azure SQL Database with a system-assigned managed identity using the `az spring connection create` command, as shown in the following example. ++1. Use the following command to install the Service Connector passwordless extension for the Azure CLI: ++ ```azurecli + az extension add --name serviceconnector-passwordless --upgrade + ``` ++1. Use the following command to connect to the database: ++ ```azurecli + az spring connection create sql \ + --resource-group $SPRING_APP_RESOURCE_GROUP \ + --service $SPRING_APP_SERVICE_NAME \ + --app $APP_NAME \ + --deployment $DEPLOYMENT_NAME \ + --target-resource-group $SQL_RESOURCE_GROUP \ + --server $SQL_SERVER_NAME \ + --database $DATABASE_NAME \ + --system-identity + ``` ++1. Use the following command to check the creation result: ++ ```azurecli + export CONNECTION_NAME=$(az spring connection list \ + --resource-group $SPRING_APP_RESOURCE_GROUP \ + --service $SPRING_APP_SERVICE_NAME \ + --app $APP_NAME \ + --query '[0].name' \ + --output tsv) + + az spring connection list-configuration \ + --resource-group $SPRING_APP_RESOURCE_GROUP \ + --service $SPRING_APP_SERVICE_NAME \ + --app $APP_NAME \ + --connection $CONNECTION_NAME + ``` ++++## Build and deploy the app to Azure Spring Apps ++Rebuild the app and deploy it to the Azure Spring Apps provisioned in the second bullet point under Prerequisites. You now have a Spring Boot application authenticated by a managed identity that uses JPA to store and retrieve data from an Azure SQL Database in Azure Spring Apps. ++## Next steps ++* [How to access Storage blob with managed identity in Azure Spring Apps](https://github.com/Azure-Samples/azure-spring-apps-samples/tree/main/managed-identity-storage-blob) +* [How to enable system-assigned managed identity for applications in Azure Spring Apps](./how-to-enable-system-assigned-managed-identity.md) +* [What are managed identities for Azure resources?](/entra/identity/managed-identities-azure-resources/overview) +* [Authenticate Azure Spring Apps with Key Vault in GitHub Actions](./github-actions-key-vault.md) |
spring-apps | Cost Management | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/cost-management.md | + + Title: Manage costs for Azure Spring Apps +description: Learn about how to manage costs in Azure Spring Apps. +++ Last updated : 03/28/2023+++++# Manage costs for Azure Spring Apps ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Standard consumption and dedicated (Preview) ✔️ Basic/Standard ✔️ Enterprise ++This article describes the cost-saving options and capabilities that Azure Spring Apps provides. ++## Save more on the Enterprise plan ++For the Enterprise plan, we now offer further discounts for longer commitments on both the Microsoft and VMware (by Broadcom) parts of the pricing. For more information, see [Azure Spring Apps pricing](https://azure.microsoft.com/pricing/details/spring-apps/). ++For the Microsoft part of the pricing, the Enterprise plan currently has yearly discounted pricing options available. For more information, see [Maximizing Value: Streamlined Cloud Solutions with Prime Cost Savings for Spring Apps](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/maximizing-value-streamlined-cloud-solutions-with-prime-cost/ba-p/3904599). ++For the VMware (by Broadcom) part of the pricing, the negotiable discount varies based on the number of years you sign up for. For more information, reach out to your sales representative. ++## Monthly free grants ++The first 50 vCPU hours and 100-GB hours of memory are free each month. For more information, see [Price Reduction - Azure Spring Apps does more, costs less!](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/price-reduction-azure-spring-apps-does-more-costs-less/ba-p/3614058) on the [Apps on Azure Blog](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/bg-p/AppsonAzureBlog). ++## Start and stop instances ++If you have Azure Spring Apps instances that don't need to run continuously, you can save costs by reducing the number of running instances. For more information, see [Start or stop your Azure Spring Apps service instance](how-to-start-stop-service.md). ++## Scale and autoscale ++You can manually scale computing capacities to accommodate a changing environment. For more information, see [Scale an application in Azure Spring Apps](how-to-scale-manual.md). ++Autoscale reduces operating costs by terminating redundant resources when they're no longer needed. For more information, see [Set up autoscale for applications](how-to-setup-autoscale.md). ++You can also set up autoscale rules for your applications in the Azure Spring Apps Standard consumption and dedicated plan. For more information, see [Quickstart: Set up autoscale for applications in the Azure Spring Apps Standard consumption and dedicated plan](../consumption-dedicated/quickstart-apps-autoscale-standard-consumption.md). ++## Stop maintaining unused environments ++If you set up several environments while developing a product, it's important to remove the environments that are no longer in use once the product is live. ++## Remove unnecessary deployments ++If you use strategies like blue-green deployment to reduce downtime, it can result in many idle deployments on staging slots, especially multiple app instances that aren't needed once newer versions are deployed to production. ++## Avoid over allocating resources ++Java users often reserve more processing power and memory than they really need. While it's fine to use large app instances during the initial months in production, you should adjust resource allocation based on usage data. ++## Avoid unnecessary scaling ++If you use more app instances than you need, you should adjust the number of instances based on real usage data. ++## Streamline monitoring data collection ++If you collect more logs, metrics, and traces than you can use or afford, you must determine what's necessary for troubleshooting, capacity planning, and monitoring production. For example, you can reduce the frequency of application performance monitoring or be more selective about which logs, metrics, and traces you send to data aggregation tools. ++## Deactivate debug mode ++If you forget to switch off debug mode for apps, a large amount of data is collected and sent to monitoring platforms. Forgetting to deactivate debug mode could be unnecessary and costly. ++## Next steps ++[Quickstart: Provision an Azure Spring Apps Standard consumption and dedicated plan service instance](../consumption-dedicated/quickstart-provision-standard-consumption-service-instance.md) |
spring-apps | Diagnostic Services | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/diagnostic-services.md | + + Title: Analyze logs and metrics in Azure Spring Apps | Microsoft Docs +description: Learn how to analyze diagnostics data in Azure Spring Apps +++ Last updated : 01/06/2020+++++# Analyze logs and metrics with diagnostics settings ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Java ✔️ C# ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article shows you how to analyze diagnostics data in Azure Spring Apps. ++Using the diagnostics functionality of Azure Spring Apps, you can analyze logs and metrics with any of the following ++* Use Azure Log Analytics. There is a delay when exporting logs to Log Analytics. +* Save logs to a storage account for auditing or manual inspection. You can specify the retention time (in days). +* Stream logs to your event hub for ingestion by a third-party service or custom analytics solution. ++Choose the log category and metric category you want to monitor. ++> [!TIP] +> If you just want to stream your logs, you can use the Azure CLI command [az spring app logs](/cli/azure/spring/app#az-spring-app-logs). ++## Logs ++| Log | Description | +||-| +| **ApplicationConsole** | Console log of all customer applications. | +| **SystemLogs** | The available `LogType` values are `ConfigServer`(Basic/Standard only), `ServiceRegistry`(all plans), `ApiPortal`(Enterprise plan only), `ApplicationConfigurationService`(Enterprise plan only), `SpringCloudGateway` (Enterprise plan only), and `SpringCloudGatewayOperator` (Enterprise plan only) | +| **IngressLogs** | [Ingress logs](#show-ingress-log-entries-containing-a-specific-host) of all customer's applications, only access logs. | +| **BuildLogs** | [Build logs](#show-build-log-entries-for-a-specific-app) of all customer's applications for each build stage. | ++## Metrics ++For a complete list of metrics, see the [User metrics options](./concept-metrics.md#user-metrics-options) section of [Metrics for Azure Spring Apps](concept-metrics.md). ++To get started, enable one of these services to receive the data. To learn about configuring Log Analytics, see [Get started with Log Analytics in Azure Monitor](../../azure-monitor/logs/log-analytics-tutorial.md). ++## Configure diagnostics settings ++1. In the Azure portal, go to your Azure Spring Apps instance. +1. Select **diagnostics settings** option, and then select **Add diagnostics setting**. +1. Enter a name for the setting, and then choose where you want to send the logs. You can select any combination of the following three options: + * **Archive to a storage account** + * **Stream to an event hub** + * **Send to Log Analytics** + * **Send to partner solution** ++1. Choose which log category and metric category you want to monitor, and then specify the retention time (in days). The retention time applies only to the storage account. +1. Select **Save**. ++> [!NOTE] +> There might be a gap of up to 15 minutes between when logs or metrics are emitted and when they appear in your storage account, your event hub, or Log Analytics. +> If the Azure Spring Apps instance is deleted or moved, the operation won't cascade to the **diagnostics settings** resources. The **diagnostics settings** resources have to be deleted manually before the operation against its parent, the Azure Spring Apps instance. Otherwise, if a new Azure Spring Apps instance is provisioned with the same resource ID as the deleted one, or if the Azure Spring Apps instance is moved back, the previous **diagnostics settings** resources continue extending it. ++## View the logs and metrics ++There are various methods to view logs and metrics as described under the following headings. ++### Use the Logs blade ++1. In the Azure portal, go to your Azure Spring Apps instance. +1. To open the **Log Search** pane, select **Logs**. +1. In the **Tables** search box + * To view logs, enter a simple query such as: ++ ```sql + AppPlatformLogsforSpring + | limit 50 + ``` ++ * To view metrics, enter a simple query such as: ++ ```sql + AzureMetrics + | limit 50 + ``` ++1. To view the search result, select **Run**. ++### Use Log Analytics ++1. In the Azure portal, in the left pane, select **Log Analytics**. +1. Select the Log Analytics workspace that you chose when you added your diagnostics settings. +1. To open the **Log Search** pane, select **Logs**. +1. In the **Tables** search box, + * to view logs, enter a simple query such as: ++ ```sql + AppPlatformLogsforSpring + | limit 50 + ``` ++ * to view metrics, enter a simple query such as: ++ ```sql + AzureMetrics + | limit 50 + ``` ++1. To view the search result, select **Run**. +1. You can search the logs of the specific application or instance by setting a filter condition: ++ ```sql + AppPlatformLogsforSpring + | where ServiceName == "YourServiceName" and AppName == "YourAppName" and InstanceName == "YourInstanceName" + | limit 50 + ``` ++ > [!NOTE] + > `==` is case sensitive, but `=~` is not. ++To learn more about the query language that's used in Log Analytics, see [Azure Monitor log queries](/azure/data-explorer/kusto/query/). To query all your Log Analytics logs from a centralized client, check out [Azure Data Explorer](/azure/data-explorer/query-monitor-data). ++### Use your storage account ++1. In the Azure portal, find **Storage accounts** in left navigation panel or search box. +1. Select the storage account that you chose when you added your diagnostics settings. +1. To open the **Blob Container** pane, select **Blobs**. +1. To review application logs, search for a container called **insights-logs-applicationconsole**. +1. To review application metrics, search for a container called **insights-metrics-pt1m**. ++To learn more about sending diagnostics information to a storage account, see [Store and view diagnostics data in Azure Storage](../../storage/common/storage-introduction.md). ++### Use your event hub ++1. In the Azure portal, find **Event Hubs** in left navigation panel or search box. ++1. Search for and select the event hub that you chose when you added your diagnostics settings. +1. To open the **Event Hub List** pane, select **Event Hubs**. +1. To review application logs, search for an event hub called **insights-logs-applicationconsole**. +1. To review application metrics, search for an event hub called **insights-metrics-pt1m**. ++To learn more about sending diagnostics information to an event hub, see [Streaming Azure Diagnostics data in the hot path by using Event Hubs](../../azure-monitor/agents/diagnostics-extension-stream-event-hubs.md). ++## Analyze the logs ++Azure Log Analytics is running with a Kusto engine so you can query your logs for analysis. For a quick introduction to querying logs by using Kusto, review the [Log Analytics tutorial](../../azure-monitor/logs/log-analytics-tutorial.md). ++Application logs provide critical information and verbose logs about your application's health, performance, and more. In the next sections are some simple queries to help you understand your application's current and past states. ++### Show application logs from Azure Spring Apps ++To review a list of application logs from Azure Spring Apps, sorted by time with the most recent logs shown first, run the following query: ++```sql +AppPlatformLogsforSpring +| project TimeGenerated , ServiceName , AppName , InstanceName , Log +| sort by TimeGenerated desc +``` ++### Show logs entries containing errors or exceptions ++To review unsorted log entries that mention an error or exception, run the following query: ++```sql +AppPlatformLogsforSpring +| project TimeGenerated , ServiceName , AppName , InstanceName , Log +| where Log contains "error" or Log contains "exception" +``` ++Use this query to find errors, or modify the query terms to find specific error codes or exceptions. ++### Show the number of errors and exceptions reported by your application over the last hour ++To create a pie chart that displays the number of errors and exceptions logged by your application in the last hour, run the following query: ++```sql +AppPlatformLogsforSpring +| where TimeGenerated > ago(1h) +| where Log contains "error" or Log contains "exception" +| summarize count_per_app = count() by AppName +| sort by count_per_app desc +| render piechart +``` ++### Show ingress log entries containing a specific host ++To review log entries that are generated by a specific host, run the following query: ++```sql +AppPlatformIngressLogs +| where TimeGenerated > ago(1h) and Host == "ingress-asc.test.azuremicroservices.io" +| project TimeGenerated, RemoteIP, Host, Request, Status, BodyBytesSent, RequestTime, ReqId, RequestHeaders +| sort by TimeGenerated +``` ++Use this query to find response `Status`, `RequestTime`, and other properties of this specific host's ingress logs. ++### Show ingress log entries for a specific requestId ++To review log entries for a specific `requestId` value *\<request_ID>*, run the following query: ++```sql +AppPlatformIngressLogs +| where TimeGenerated > ago(1h) and ReqId == "<request_ID>" +| project TimeGenerated, RemoteIP, Host, Request, Status, BodyBytesSent, RequestTime, ReqId, RequestHeaders +| sort by TimeGenerated +``` ++### Show build log entries for a specific app ++To review log entries for a specific app during the build process, run the following query: ++```sql +AppPlatformBuildLogs +| where TimeGenerated > ago(1h) and PodName contains "<app-name>" +| sort by TimeGenerated +``` ++### Show build log entries for a specific app in a specific build stage ++To review log entries for a specific app in a specific build stage, run the following query. Replace the *`<app-name>`* placeholder with your application name. Replace the *`<build-stage>`* placeholder with one of the following values, which represent the stages of the build process: `prepare`, `detect`, `restore`, `analyze`, `build`, `export`, or `completion`. ++```sql +AppPlatformBuildLogs +| where TimeGenerated > ago(1h) and PodName contains "<app-name>" and ContainerName == "<build-stage>" +| sort by TimeGenerated +``` ++### Show VMware Spring Cloud Gateway logs in the Enterprise plan ++To review log entries for VMware Spring Cloud Gateway logs in the Enterprise plan, run the following query: ++```sql +AppPlatformSystemLogs  +| where LogType == "SpringCloudGateway" +| project TimeGenerated , LogType, Level , ServiceName , Thread , Stack , Log , _ResourceId  +| limit 100 +``` ++Another component, named Spring Cloud Gateway Operator, controls the lifecycle of Spring Cloud Gateway and routes. If you encounter any issues with the route not taking effect, check the logs for this component. To review log entries for VMware Spring Cloud Gateway Operator in the Enterprise plan, run the following query: ++```sql +AppPlatformSystemLogs  +| where LogType == "SpringCloudGatewayOperator" +| project TimeGenerated , LogType, Level , ServiceName , Thread , Stack , Log , _ResourceId  +| limit 100 +``` ++### Show Application Configuration Service for Tanzu logs in the Enterprise plan ++To review log entries for Application Configuration Service for Tanzu logs in the Enterprise plan, run the following query: ++```sql +AppPlatformSystemLogs  +| where LogType == "ApplicationConfigurationService" +| project TimeGenerated , LogType, Level , ServiceName , Thread , Stack , Log , _ResourceId  +| limit 100 +``` ++### Show Tanzu Service Registry logs in the Enterprise plan ++To review log entries for Tanzu Service Registry logs in the Enterprise plan, run the following query: ++```sql +AppPlatformSystemLogs  +| where LogType == "ServiceRegistry" +| project TimeGenerated , LogType, Level , ServiceName , Thread , Stack , Log , _ResourceId  +| limit 100 +``` ++### Show API portal for VMware Tanzu logs in the Enterprise plan ++To review log entries for API portal for VMware Tanzu logs in the Enterprise plan, run the following query: ++```sql +AppPlatformSystemLogs  +| where LogType == "ApiPortal" +| project TimeGenerated , LogType, Level , ServiceName , Thread , Stack , Log , _ResourceId  +| limit 100 +``` ++### Learn more about querying application logs ++Azure Monitor provides extensive support for querying application logs by using Log Analytics. To learn more about this service, see [Get started with log queries in Azure Monitor](../../azure-monitor/logs/get-started-queries.md). For more information about building queries to analyze your application logs, see [Overview of log queries in Azure Monitor](../../azure-monitor/logs/log-query-overview.md). ++## Frequently asked questions (FAQ) ++### How do I convert multi-line Java stack traces into a single line? ++There is a workaround to convert your multi-line stack traces into a single line. You can modify the Java log output to reformat stack trace messages, replacing newline characters with a token. If you use Java Logback library, you can reformat stack trace messages by adding `%replace(%ex){'[\r\n]+', '\\n'}%nopex` as follows: ++```xml +<configuration> + <appender name="CONSOLE" class="ch.qos.logback.core.ConsoleAppender"> + <encoder> + <pattern> + level: %level, message: "%logger{36}: %msg", exceptions: "%replace(%ex){'[\r\n]+', '\\n'}%nopex"%n + </pattern> + </encoder> + </appender> + <root level="INFO"> + <appender-ref ref="CONSOLE"/> + </root> +</configuration> +``` ++You can then replace the token with newline characters in Log Analytics as below: ++```sql +AppPlatformLogsforSpring +| extend Log = array_strcat(split(Log, '\\n'), '\n') +``` ++You may be able to use the same strategy for other Java log libraries. ++## Next steps ++* [Quickstart: Deploy your first Spring Boot app in Azure Spring Apps](./quickstart.md) |
spring-apps | Expose Apps Gateway End To End Tls | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/expose-apps-gateway-end-to-end-tls.md | + + Title: Expose applications with end-to-end TLS in a virtual network using Application Gateway ++description: How to expose applications to the internet using Application Gateway ++++ Last updated : 02/28/2022++ms.devlang: java +# ms.devlang: java, azurecli +++# Expose applications with end-to-end TLS in a virtual network ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article explains how to expose applications to the internet using Application Gateway. When an Azure Spring Apps service instance is deployed in your virtual network, applications on the service instance are only accessible in the private network. To make the applications accessible on the Internet, you need to integrate with Azure Application Gateway. ++## Prerequisites ++- [Azure CLI version 2.0.4 or later](/cli/azure/install-azure-cli). +- An Azure Spring Apps service instance deployed in a virtual network with an application accessible over the private network using the default `.private.azuremicroservices.io` domain suffix. For more information, see [Deploy Azure Spring Apps in a virtual network](./how-to-deploy-in-azure-virtual-network.md) +- A custom domain to be used to access the application. +- A certificate, stored in Key Vault, which matches the custom domain to be used to establish the HTTPS listener. For more information, see [Tutorial: Import a certificate in Azure Key Vault](../../key-vault/certificates/tutorial-import-certificate.md). ++## Configure Application Gateway for Azure Spring Apps ++We recommend that the domain name, as seen by the browser, is the same as the host name which Application Gateway uses to direct traffic to the Azure Spring Apps back end. This recommendation provides the best experience when using Application Gateway to expose applications hosted in Azure Spring Apps and residing in a virtual network. If the domain exposed by Application Gateway is different from the domain accepted by Azure Spring Apps, cookies and generated redirect URLs (for example) can be broken. For more information, see [Host name preservation](/azure/architecture/best-practices/host-name-preservation). ++To configure Application Gateway in front of Azure Spring Apps, use the following steps. ++1. Follow the instructions in [Deploy Azure Spring Apps in a virtual network](./how-to-deploy-in-azure-virtual-network.md). +1. Follow the instructions in [Access your application in a private network](./access-app-virtual-network.md). +1. Acquire a certificate for your domain of choice and store that in Key Vault. For more information, see [Tutorial: Import a certificate in Azure Key Vault](../../key-vault/certificates/tutorial-import-certificate.md). +1. Configure a custom domain and corresponding certificate from Key Vault on an app deployed onto Azure Spring Apps. For more information, see [Tutorial: Map an existing custom domain to Azure Spring Apps](./how-to-custom-domain.md). +1. Deploy Application Gateway in a virtual network configured according to the following list: + - Use Azure Spring Apps in the backend pool, referenced by the domain suffixed with `private.azuremicroservices.io`. + - Include an HTTPS listener using the same certificate from Key Vault. + - Configure the virtual network with HTTP settings that use the custom domain name configured on Azure Spring Apps instead of the domain suffixed with `private.azuremicroservices.io`. +1. Configure your public DNS to point to Application Gateway. ++## Define variables ++Next, use the following commands to define variables for the resource group and virtual network you created as directed in [Deploy Azure Spring Apps in a virtual network](./how-to-deploy-in-azure-virtual-network.md). Customize the values based on your real environment. When you define `SPRING_APP_PRIVATE_FQDN`, remove `https://` from the URI. ++```bash +export SUBSCRIPTION='subscription-id' +export RESOURCE_GROUP='my-resource-group' +export LOCATION='eastus' +export SPRING_CLOUD_NAME='name-of-spring-cloud-instance' +export APPNAME='name-of-app-in-azure-spring-apps' +export SPRING_APP_PRIVATE_FQDN='$APPNAME.private.azuremicroservices.io' +export VIRTUAL_NETWORK_NAME='azure-spring-apps-vnet' +export APPLICATION_GATEWAY_SUBNET_NAME='app-gw-subnet' +export APPLICATION_GATEWAY_SUBNET_CIDR='10.1.2.0/24' +``` ++## Sign in to Azure ++Use the following command to sign in to the Azure CLI and choose your active subscription. ++```azurecli +az login +az account set --subscription $SUBSCRIPTION +``` ++## Acquire a certificate ++### [Use a publicly signed certificate](#tab/public-cert) ++For production deployments, you'll most likely use a publicly signed certificate. In this case, import the certificate in Azure Key Vault. For more information, see [Tutorial: Import a certificate in Azure Key Vault](../../key-vault/certificates/tutorial-import-certificate.md). Make sure the certificate includes the entire certificate chain. ++### [Use a self-signed certificate](#tab/self-signed-cert) ++When you need a self-signed certificate for testing or development, you need to create it. You'll also need to ensure that the list of "Subject Alternative Names" in the certificate contains the domain name on which you'll expose the application. When creating a self-signed certificate through Azure Key Vault, you can do so through the Azure portal. Alternatively, when using the Azure CLI, you'll need a policy JSON file. ++To request the default policy, use the following command: ++```azurecli +az keyvault certificate get-default-policy +``` ++Next, adapt the policy JSON as shown in the following example, indicating the `subject` and `SubjectAlternativeNames`: ++```json +{ + // ... + "subject": "C=US, ST=WA, L=Redmond, O=Contoso, OU=Contoso HR, CN=myapp.mydomain.com", + "subjectAlternativeNames": { + "dnsNames": [ + "myapp.mydomain.com", + "*.myapp.mydomain.com" + ], + "emails": [ + "hello@contoso.com" + ], + "upns": [] + } + // ... +} +``` ++After you've finished updating the policy JSON (see [Update Certificate Policy](/rest/api/keyvault/certificates/update-certificate-policy/update-certificate-policy)), you can create a self-signed certificate in Key Vault by using the following commands: ++```azurecli +export KV_NAME='name-of-key-vault' +export CERT_NAME_IN_KEY_VAULT='name-of-certificate-in-key-vault' ++az keyvault certificate create \ + --vault-name $KV_NAME \ + --name $CERT_NAME_IN_KEY_VAULT \ + --policy "$KV_CERT_POLICY" +``` ++++## Configure the public domain name on Azure Spring Apps ++Traffic will enter the application deployed on Azure Spring Apps using the public domain name. To configure your application to listen to this host name and do so over HTTPS, use the following commands to add a custom domain to your app: ++```azurecli +export KV_NAME='name-of-key-vault' +export KV_RG='resource-group-name-of-key-vault' +export CERT_NAME_IN_AZURE_SPRING_APPS='name-of-certificate-in-Azure-Spring-Apps' +export CERT_NAME_IN_KEY_VAULT='name-of-certificate-with-intermediaries-in-key-vault' +export DOMAIN_NAME=myapp.mydomain.com ++# provide permissions to Azure Spring Apps to read the certificate from Key Vault: +export VAULTURI=$(az keyvault show \ + --resource-group $KV_RG \ + --name $KV_NAME \ + --query properties.vaultUri \ + --output tsv) ++# get the object id for the Azure Spring Apps Domain-Management Service Principal: +export ASADM_OID=$(az ad sp show \ + --id 03b39d0f-4213-4864-a245-b1476ec03169 \ + --query objectId \ + --output tsv) ++# allow this Service Principal to read and list certificates and secrets from Key Vault: +az keyvault set-policy \ + --resource-group $KV_RG \ + --name $KV_NAME \ + --object-id $ASADM_OID \ + --certificate-permissions get list \ + --secret-permissions get list ++# add custom domain name and configure TLS using the certificate: +az spring certificate add \ + --resource-group $RESOURCE_GROUP \ + --service $SPRING_CLOUD_NAME \ + --name $CERT_NAME_IN_AZURE_SPRING_APPS \ + --vault-certificate-name $CERT_NAME_IN_KEY_VAULT \ + --vault-uri $VAULTURI +az spring app custom-domain bind \ + --resource-group $RESOURCE_GROUP \ + --service $SPRING_CLOUD_NAME \ + --domain-name $DOMAIN_NAME \ + --certificate $CERT_NAME_IN_AZURE_SPRING_APPS \ + --app $APPNAME +``` +## Create network resources ++The Azure Application Gateway to be created will join the same virtual network as--or peered virtual network to--the Azure Spring Apps service instance. First create a new subnet for the Application Gateway in the virtual network using `az network vnet subnet create`, and also create a Public IP address as the Frontend of the Application Gateway using `az network public-ip create`. ++```azurecli +export APPLICATION_GATEWAY_PUBLIC_IP_NAME='app-gw-public-ip' +az network vnet subnet create \ + --name $APPLICATION_GATEWAY_SUBNET_NAME \ + --resource-group $RESOURCE_GROUP \ + --vnet-name $VIRTUAL_NETWORK_NAME \ + --address-prefix $APPLICATION_GATEWAY_SUBNET_CIDR +az network public-ip create \ + --resource-group $RESOURCE_GROUP \ + --location $LOCATION \ + --name $APPLICATION_GATEWAY_PUBLIC_IP_NAME \ + --allocation-method Static \ + --sku Standard +``` ++## Create a managed identity for Application Gateway ++Application Gateway will need to be able to access Key Vault to read the certificate. To do so, it will use a user-assigned [managed identity](/entra/identity/managed-identities-azure-resources/overview). Create the managed identity by using the following command: ++```azurecli +export APPGW_IDENTITY_NAME='name-for-appgw-managed-identity' +az identity create \ + --resource-group $RESOURCE_GROUP \ + --name $APPGW_IDENTITY_NAME +``` ++Then fetch the objectId for the managed identity as it will be used later on to give rights to access the certificate in Key Vault: ++```azurecli +export APPGW_IDENTITY_CLIENTID=$(az identity show \ + --resource-group $RESOURCE_GROUP \ + --name $APPGW_IDENTITY_NAME \ + --query clientId \ + --output tsv) +export APPGW_IDENTITY_OID=$(az ad sp show \ + --id $APPGW_IDENTITY_CLIENTID \ + --query objectId \ + --output tsv) +``` ++## Set policy on Key Vault ++Configure Key Vault using the following command so that the managed identity for Application Gateway is allowed to access the certificate stored in Key Vault: ++```azurecli +az keyvault set-policy \ + --name $KV_NAME \ + --resource-group $KV_RG \ + --object-id $APPGW_IDENTITY_OID \ + --secret-permissions get list \ + --certificate-permissions get list +``` ++## Create Application Gateway ++Create an application gateway using `az network application-gateway create` and specify your application's private fully qualified domain name (FQDN) as servers in the backend pool. Make sure to use the user-assigned managed identity and to point to the certificate in Key Vault using the certificate's Secret ID. Then update the HTTP setting using `az network application-gateway http-settings update` to use the public host name. ++```azurecli +export APPGW_NAME='name-for-application-gateway' ++export KEYVAULT_SECRET_ID_FOR_CERT=$(az keyvault certificate show \ + --name $CERT_NAME_IN_KEY_VAULT \ + --vault-name $KV_NAME \ + --query sid \ + --output tsv) ++az network application-gateway create \ + --name $APPGW_NAME \ + --resource-group $RESOURCE_GROUP \ + --location $LOCATION \ + --capacity 2 \ + --sku Standard_v2 \ + --frontend-port 443 \ + --http-settings-cookie-based-affinity Disabled \ + --http-settings-port 443 \ + --http-settings-protocol Https \ + --public-ip-address $APPLICATION_GATEWAY_PUBLIC_IP_NAME \ + --vnet-name $VIRTUAL_NETWORK_NAME \ + --subnet $APPLICATION_GATEWAY_SUBNET_NAME \ + --servers $SPRING_APP_PRIVATE_FQDN \ + --key-vault-secret-id $KEYVAULT_SECRET_ID_FOR_CERT \ + --identity $APPGW_IDENTITY_NAME +``` ++It can take up to 30 minutes for Azure to create the application gateway. ++### Update HTTP Settings to use the domain name towards the backend ++#### [Use a publicly signed certificate](#tab/public-cert-2) ++Update the HTTP settings to use the public domain name as the hostname instead of the domain suffixed with ".private.azuremicroservices.io" to send traffic to Azure Spring Apps with. ++```azurecli +az network application-gateway http-settings update \ + --resource-group $RESOURCE_GROUP \ + --gateway-name $APPGW_NAME \ + --host-name-from-backend-pool false \ + --host-name $DOMAIN_NAME \ + --name appGatewayBackendHttpSettings +``` ++#### [Use a self-signed certificate](#tab/self-signed-cert-2) ++Update the HTTP settings to use the public domain name as the hostname instead of the domain suffixed with ".private.azuremicroservices.io" to send traffic to Azure Spring Apps with. Given that a self-signed certificate is used, it will need to be allow-listed on the HTTP Settings of Application Gateway. ++To allowlist the certificate, first fetch the public portion of it from Key Vault by using the following command: ++```azurecli +az keyvault certificate download \ + --vault-name $KV_NAME \ + --name $CERT_NAME_IN_KEY_VAULT \ + --file ./selfsignedcert.crt \ + --encoding DER +``` ++Then upload it to Application Gateway using this command: ++```azurecli +az network application-gateway root-cert create \ + --resource-group $RG \ + --cert-file ./selfsignedcert.crt \ + --gateway-name $APPGW_NAME \ + --name MySelfSignedTrustedRootCert +``` ++Now you can update the HTTP Settings to trust the new (self-signed) root certificate by using this command: ++```azurecli +az network application-gateway http-settings update \ + --resource-group $RG \ + --gateway-name $APPGW_NAME \ + --host-name-from-backend-pool false \ + --host-name $DOMAIN_NAME \ + --name appGatewayBackendHttpSettings \ + --root-certs MySelfSignedTrustedRootCert +``` ++++### Check the deployment of Application Gateway ++After it's created, check the backend health by using the following command. The output of this command enables you to determine whether the application gateway reaches your application through its private FQDN. ++```azurecli +az network application-gateway show-backend-health \ + --name $APPGW_NAME \ + --resource-group $RESOURCE_GROUP +``` ++The output indicates the healthy status of backend pool, as shown in the following example: ++```output +{ + "backendAddressPools": [ + { + "backendHttpSettingsCollection": [ + { + "servers": [ + { + "address": "my-azure-spring-apps-hello-vnet.private.azuremicroservices.io", + "health": "Healthy", + "healthProbeLog": "Success. Received 200 status code", + "ipConfiguration": null + } + ] + } + ] + } + ] +} +``` ++## Configure DNS and access the application ++Now configure the public DNS to point to Application Gateway using a CNAME or A-record. You can find the public address for Application Gateway by using the following command: ++```azurecli +az network public-ip show \ + --resource-group $RESOURCE_GROUP \ + --name $APPLICATION_GATEWAY_PUBLIC_IP_NAME \ + --query [ipAddress] \ + --output tsv +``` ++You can now access the application using the public domain name. ++## Next steps ++- [Troubleshooting Azure Spring Apps in VNET](./troubleshooting-vnet.md) +- [Customer Responsibilities for Running Azure Spring Apps in VNET](./vnet-customer-responsibilities.md) |
spring-apps | Expose Apps Gateway Tls Termination | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/expose-apps-gateway-tls-termination.md | + + Title: "Expose applications to the internet using Application Gateway with TLS termination" ++description: How to expose applications to internet using Application Gateway with TLS termination ++++ Last updated : 11/09/2021++++# Expose applications to the internet with TLS Termination at Application Gateway ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++This article explains how to expose applications to the internet using Application Gateway. ++When an Azure Spring Apps service instance is deployed in your virtual network (VNET), applications on the service instance are only accessible in the private network. To make the applications accessible on the Internet, you need to integrate with Azure Application Gateway. The incoming encrypted traffic can be decrypted at the application gateway or it can be passed to Azure Spring Apps encrypted to achieve end-to-end TLS/SSL. For dev and test purposes, you can start with SSL termination at the application gateway, which is covered in this guide. For production, we recommend end-to-end TLS/SSL with private certificate, as described in [Expose applications with end-to-end TLS in a virtual network](expose-apps-gateway-end-to-end-tls.md). ++## Prerequisites ++- [Azure CLI version 2.0.4 or later](/cli/azure/install-azure-cli). +- An Azure Spring Apps service instance deployed in a virtual network with an application accessible over the private network using the default `.private.azuremicroservices.io` domain suffix. For more information, see [Deploy Azure Spring Apps in a virtual network](how-to-deploy-in-azure-virtual-network.md) +- A custom domain to be used to access the application. +- A certificate, stored in Key Vault, which matches the custom domain to be used to establish the HTTPS listener. For more information, see [Tutorial: Import a certificate in Azure Key Vault](../../key-vault/certificates/tutorial-import-certificate.md). ++## Configure Application Gateway for Azure Spring Apps ++We recommend that the domain name, as seen by the browser, is the same as the host name which Application Gateway uses to direct traffic to the Azure Spring Apps back end. This recommendation provides the best experience when using Application Gateway to expose applications hosted in Azure Spring Apps and residing in a virtual network. If the domain exposed by Application Gateway is different from the domain accepted by Azure Spring Apps, cookies and generated redirect URLs (for example) can be broken. For more information, see [Host name preservation](/azure/architecture/best-practices/host-name-preservation). ++To configure Application Gateway in front of Azure Spring Apps in a private VNET, use the following steps. ++1. Follow the instructions in [Deploy Azure Spring Apps in a virtual network](how-to-deploy-in-azure-virtual-network.md). +1. Follow the instructions in [Access your application in a private network](access-app-virtual-network.md). +1. Acquire a certificate for your domain of choice and store that in Key Vault. For more information, see [Tutorial: Import a certificate in Azure Key Vault](../../key-vault/certificates/tutorial-import-certificate.md). +1. Configure a custom domain and corresponding certificate from Key Vault on an app deployed onto Azure Spring Apps. For more information, see [Tutorial: Map an existing custom domain to Azure Spring Apps](how-to-custom-domain.md). +1. Deploy Application Gateway in a virtual network configured according to the following list: + - Use Azure Spring Apps in the backend pool, referenced by the domain suffixed with `private.azuremicroservices.io`. + - Include an HTTPS listener using the same certificate from Key Vault. + - Configure the virtual network with HTTP settings that use the custom domain name configured on Azure Spring Apps instead of the domain suffixed with `private.azuremicroservices.io`. +1. Configure your public DNS to point to the application gateway. ++## Define variables ++Next, use the following commands to define variables for the resource group and virtual network you created as directed in [Deploy Azure Spring Apps in a virtual network](how-to-deploy-in-azure-virtual-network.md). Replace the *\<...>* placeholders with real values based on your actual environment. When you define `SPRING_APP_PRIVATE_FQDN`, remove `https://` from the URI. ++```bash +export SUBSCRIPTION='<subscription-id>' +export RESOURCE_GROUP='<resource-group-name>' +export LOCATION='eastus' +export SPRING_CLOUD_NAME='<name-of-Azure-Spring-Apps-instance>' +export APPNAME='<name-of-app-in-Azure-Spring-Apps>' +export SPRING_APP_PRIVATE_FQDN='$APPNAME.private.azuremicroservices.io' +export VIRTUAL_NETWORK_NAME='azure-spring-apps-vnet' +export APPLICATION_GATEWAY_SUBNET_NAME='app-gw-subnet' +export APPLICATION_GATEWAY_SUBNET_CIDR='10.1.2.0/24' +``` ++## Sign in to Azure ++Use the following command to sign in to the Azure CLI and choose your active subscription. ++```azurecli +az login +az account set --subscription $SUBSCRIPTION +``` ++## Configure the public domain name on Azure Spring Apps ++Traffic will enter the application deployed on Azure Spring Apps using the public domain name. To configure your application to listen to this host name over HTTP, use the following commands to add a custom domain to your app, replacing the *\<...>* placeholders with real values: ++```azurecli +export KV_NAME='<name-of-key-vault>' +export KV_RG='<resource-group-name-of-key-vault>' +export CERT_NAME_IN_KV='<name-of-certificate-with-intermediaries-in-key-vault>' +export DOMAIN_NAME=myapp.mydomain.com ++az spring app custom-domain bind \ + --resource-group $RESOURCE_GROUP \ + --service $SPRING_CLOUD_NAME \ + --domain-name $DOMAIN_NAME \ + --app $APPNAME +``` ++## Create network resources ++The application gateway to be created will join the same virtual network as the Azure Spring Apps service instance. First, create a new subnet for the application gateway in the virtual network, then create a public IP address as the frontend of the application gateway, as shown in the following example. ++```azurecli +export APPLICATION_GATEWAY_PUBLIC_IP_NAME='app-gw-public-ip' +az network vnet subnet create \ + --name $APPLICATION_GATEWAY_SUBNET_NAME \ + --resource-group $RESOURCE_GROUP \ + --vnet-name $VIRTUAL_NETWORK_NAME \ + --address-prefix $APPLICATION_GATEWAY_SUBNET_CIDR +az network public-ip create \ + --resource-group $RESOURCE_GROUP \ + --location $LOCATION \ + --name $APPLICATION_GATEWAY_PUBLIC_IP_NAME \ + --allocation-method Static \ + --sku Standard +``` ++### Create a managed identity for the application gateway ++Your application gateway will need to be able to access Key Vault to read the certificate. To do this, the application gateway will use a user-assigned managed identity. For more information, see [What are managed identities for Azure resources?](/entra/identity/managed-identities-azure-resources/overview) Create the managed identity by using the following command, replacing the *\<...>* placeholder: ++```azurecli +export APPGW_IDENTITY_NAME='<name-for-appgw-managed-identity>' +az identity create \ + --resource-group $RESOURCE_GROUP \ + --name $APPGW_IDENTITY_NAME +``` ++Then, use the following command to fetch the `objectId` for the managed identity. This value will be used later on to give rights to access the certificate in Key Vault. ++```azurecli +export APPGW_IDENTITY_CLIENTID=$(az identity show \ + --resource-group $RESOURCE_GROUP \ + --name $APPGW_IDENTITY_NAME \ + --query clientId \ + --output tsv) +export APPGW_IDENTITY_OID=$(az ad sp show \ + --id $APPGW_IDENTITY_CLIENTID \ + --query objectId \ + --output tsv) +``` ++### Set policy on Key Vault ++Configure Key Vault using the following command so that the managed identity for the application gateway is allowed to access the certificate stored in Key Vault: ++```azurecli +az keyvault set-policy \ + --resource-group $KV_RG \ + --name $KV_NAME \ + --object-id $APPGW_IDENTITY_OID \ + --secret-permissions get list \ + --certificate-permissions get list +``` ++## Create an application gateway ++### [CLI](#tab/azure-cli) ++Create an application gateway using `az network application-gateway create` and specify your application's private fully qualified domain name (FQDN) as servers in the backend pool. Be sure to use the user-assigned managed identity and point to the certificate in Key Vault using the certificate's secret ID. ++```azurecli +export APPGW_NAME='<name-for-application-gateway>' +export CERT_NAME_IN_KV='<name-of-certificate-in-key-vault>' +export KEYVAULT_SECRET_ID_FOR_CERT=$(az keyvault certificate show \ + --name $CERT_NAME_IN_KV \ + --vault-name $KV_NAME \ + --query sid \ + --output tsv) ++az network application-gateway create \ + --name $APPGW_NAME \ + --resource-group $RESOURCE_GROUP \ + --location $LOCATION \ + --capacity 2 \ + --sku Standard_v2 \ + --frontend-port 443 \ + --http-settings-cookie-based-affinity Disabled \ + --http-settings-port 80 \ + --http-settings-protocol Http \ + --public-ip-address $APPLICATION_GATEWAY_PUBLIC_IP_NAME \ + --vnet-name $VIRTUAL_NETWORK_NAME \ + --subnet $APPLICATION_GATEWAY_SUBNET_NAME \ + --servers $SPRING_APP_PRIVATE_FQDN \ + --key-vault-secret-id $KEYVAULT_SECRET_ID_FOR_CERT \ + --identity $APPGW_IDENTITY_NAME +``` ++It can take up to 30 minutes for Azure to create the application gateway. ++### [Azure portal](#tab/azure-portal) ++Create an application gateway using the following steps to enable SSL termination at the application gateway. ++1. Sign in to the Azure portal and create a new Application Gateway resource. +1. Fill in the required fields for creating the application gateway. Leave the default values as they are. +1. After you provide a value for the **Virtual network** field, the **Subnet** field appears. Create a separate subnet for the application gateway in the VNET, as shown in the following screenshot. ++ :::image type="content" source="media/expose-apps-gateway-tls-termination/create-application-gateway-basics.png" alt-text="Screenshot of Azure portal 'Create application gateway' page."::: ++1. Create a public IP address and assign it to the frontend of the application gateway, as shown in the following screenshot. ++ :::image type="content" source="media/expose-apps-gateway-tls-termination/create-frontend-ip.png" alt-text="Screenshot of Azure portal showing Frontends tab of 'Create application gateway' page."::: ++1. Create a backend pool for the application gateway. Select **Target** as your FQDN of the application deployed in Azure Spring Apps. ++ :::image type="content" source="media/expose-apps-gateway-tls-termination/create-backend-pool.png" alt-text="Screenshot of Azure portal 'Add a backend pool' page."::: ++1. Create a routing rule with HTTP listener. + 1. Select the public IP that you created earlier. + 1. Select **HTTPS** as protocol and **443** as port. + 1. Choose a certificate from Key Vault. + 1. Select the managed identity you created earlier. + 1. Select the right key vault and certificate, which were added to the key vault earlier. ++ :::image type="content" source="media/expose-apps-gateway-tls-termination/create-routingrule-with-http-listener.png" alt-text="Screenshot of Azure portal 'Add a routing rule' page."::: ++ 1. Select the **Backend targets** tab. ++ :::image type="content" source="media/expose-apps-gateway-tls-termination/create-backend-http-settings.png" alt-text="Screenshot of Azure portal 'Add a H T T P setting' page."::: ++1. Select **Review and Create** to create the application gateway. ++It can take up to 30 minutes for Azure to create the application gateway. ++++### Update HTTP settings to use the domain name towards the backend ++Update the HTTP settings to use the public domain name as the hostname instead of the domain suffixed with `.private.azuremicroservices.io` to send traffic to Azure Spring Apps with. ++```azurecli +az network application-gateway http-settings update \ + --resource-group $RESOURCE_GROUP \ + --gateway-name $APPGW_NAME \ + --host-name-from-backend-pool false \ + --host-name $DOMAIN_NAME \ + --name appGatewayBackendHttpSettings +``` ++### Check the deployment of the application gateway ++After it's created, check the backend health by using the following command. The output of this command enables you to determine whether the application gateway reaches your application through its private fully qualified domain name (FQDN). ++```azurecli +az network application-gateway show-backend-health \ + --name $APPGW_NAME \ + --resource-group $RESOURCE_GROUP +``` ++The output indicates the healthy status of backend pool, as shown in the following example: ++```output +{ + "backendAddressPools": [ + { + "backendHttpSettingsCollection": [ + { + "servers": [ + { + "address": "my-azure-spring-apps-hello-vnet.private.azuremicroservices.io", + "health": "Healthy", + "healthProbeLog": "Success. Received 200 status code", + "ipConfiguration": null + } + ] + } + ] + } + ] +} +``` ++## Configure DNS and access the application ++Configure the public DNS to point to the application gateway using a CNAME or A-record. You can find the public address for the application gateway by using the following command: ++```azurecli +az network public-ip show \ + --resource-group $RESOURCE_GROUP \ + --name $APPLICATION_GATEWAY_PUBLIC_IP_NAME \ + --query [ipAddress] \ + --output tsv +``` ++You can now access the application using the public domain name. ++## Clean up resources ++If you plan to continue working with subsequent articles, you might want to leave these resources in place. When no longer needed, delete the resource group, which deletes the resources in the resource group. To delete the resource group by using Azure CLI, use the following command: ++```azurecli +az group delete --name $RESOURCE_GROUP +``` ++## Next steps ++- [Exposing applications with end-to-end TLS in a virtual network](./expose-apps-gateway-end-to-end-tls.md) +- [Troubleshooting Azure Spring Apps in VNET](./troubleshooting-vnet.md) +- [Customer Responsibilities for Running Azure Spring Apps in VNET](./vnet-customer-responsibilities.md) |
spring-apps | Faq | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/faq.md | + + Title: Frequently asked questions about Azure Spring Apps | Microsoft Docs +description: This article answers frequently asked questions about Azure Spring Apps. +++ Last updated : 09/08/2020+++zone_pivot_groups: programming-languages-spring-apps +++# Azure Spring Apps FAQ ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article answers frequently asked questions about Azure Spring Apps. ++## General ++### Why Azure Spring Apps? ++Azure Spring Apps provides a platform as a service (PaaS) for Spring developers. Azure Spring Apps manages your application infrastructure so that you can focus on application code and business logic. Core features built into Azure Spring Apps include Eureka, Config Server, Service Registry Server, VMware Tanzu Build Service, Blue-green deployment, and more. This service also enables developers to bind their applications with other Azure services, such as Azure Cosmos DB, Azure Database for MySQL, and Azure Cache for Redis. ++Azure Spring Apps enhances the application diagnostics experience for developers and operators by integrating Azure Monitor, Application Insights, and Log Analytics. ++### How secure is Azure Spring Apps? ++Security and privacy are among the top priorities for Azure and Azure Spring Apps customers. Azure helps ensure that only customers have access to application data, logs, or configurations by securely encrypting all of this data. ++* The service instances in Azure Spring Apps are isolated from each other. +* Azure Spring Apps provides complete TLS/SSL and certificate management. +* Critical security patches for OpenJDK and Spring runtimes are applied to Azure Spring Apps as soon as possible. ++### How does Azure Spring Apps host my applications? ++Each service instance in Azure Spring Apps is backed by Azure Kubernetes Service with multiple worker nodes. Azure Spring Apps manages the underlying Kubernetes cluster for you, including high availability, scalability, Kubernetes version upgrade, and so on. ++Azure Spring Apps intelligently schedules your applications on the underlying Kubernetes worker nodes. To provide high availability, Azure Spring Apps distributes applications with two or more instances on different nodes. ++### In which regions is the Azure Spring Apps Basic/Standard plan available? ++See [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=spring-apps). ++### In which regions is the Azure Spring Apps Enterprise plan available? ++While the Azure Spring Apps Basic/Standard plan is available in regions of China, the Enterprise plan is not available in all regions on Azure China. ++### Is any customer data stored outside of the specified region? ++Azure Spring Apps is a regional service. All customer data in Azure Spring Apps is stored to a single, specified region. To learn more about geo and region, see [Data residency in Azure](https://azure.microsoft.com/global-infrastructure/data-residency/). ++### What are the known limitations of Azure Spring Apps? ++Azure Spring Apps has the following known limitations: ++* `spring.application.name` is overridden by the application name that's used to create each application. +* `server.port` defaults to port `1025` in the Basic/Standard plan and to port `8080` in the Enterprise plan. If you apply any other value, the default value overrides the one that you specify, so avoid specifying a server port in your code. If your code sets the server port explicitly rather than using `server.port`, ensure that the port is either `1025` or `8080` depending on the pricing plan of your Azure Spring Apps service instance. +* The Azure portal, Azure Resource Manager templates, and Terraform don't support uploading application packages. You can upload application packages by deploying the application using the Azure CLI, Azure DevOps, Maven Plugin for Azure Spring Apps, Azure Toolkit for IntelliJ, and the Visual Studio Code extension for Azure Spring Apps. ++### What pricing plans are available? ++Which one should I use and what are the limits within each plan? ++* Azure Spring Apps offers three pricing plans: Basic, Standard, and Enterprise. The Basic plan is targeted for Dev/Test and trying out Azure Spring Apps. The Standard plan is optimized to run general purpose production traffic. The Enterprise plan is for production workloads with VMware Tanzu components. See [Azure Spring Apps pricing details](https://azure.microsoft.com/pricing/details/spring-apps/) for limits and feature level comparison. ++### What's the difference between Service Binding and Service Connector? ++We're not actively developing more capabilities for Service Binding. Instead, there's a new Azure-wise solution named [Service Connector](../../service-connector/overview.md). On the one hand, the new solution brings you consistent integration experience across App hosting services on Azure like App Service. On the other hand, it covers your needs better by starting with supporting 10+ most used target Azure services including MySQL, SQL DB, Azure Cosmos DB, Postgres DB, Redis, Storage and more. Service Connector is currently in Public Preview, we invite you to try out the new experience. ++### How can I provide feedback and report issues? ++If you encounter any issues with Azure Spring Apps, create an [Azure Support Request](../../azure-portal/supportability/how-to-create-azure-support-request.md). To submit a feature request or provide feedback, go to [Azure Feedback](https://feedback.azure.com/d365community/forum/79b1327d-d925-ec11-b6e6-000d3a4f06a4). ++### How do I get VMware Spring Runtime support (Enterprise plan only) ++The Enterprise plan has built-in VMware Spring Runtime Support, so you can open support tickets to [VMware](https://aka.ms/ascevsrsupport) if you think your issue is in the scope of VMware Spring Runtime Support. To better understand VMware Spring Runtime Support itself, see the [VMware Spring Runtime](https://tanzu.vmware.com/spring-runtime). To understand the details about how to register and use this support service, see the Support section in the [Enterprise plan FAQ from VMware](https://aka.ms/EnterpriseTierFAQ). For any other issues, open support tickets with Microsoft. ++> [!IMPORTANT] +> After you create an Enterprise plan instance, your entitlement is ready within ten business days. If you encounter any exceptions, raise a support ticket with Microsoft to get help with it. ++## Development ++### I'm a Spring developer but new to Azure. What's the quickest way for me to learn how to develop an application in Azure Spring Apps? ++For the quickest way to get started with Azure Spring Apps, follow the instructions in [Quickstart: Launch an application in Azure Spring Apps by using the Azure portal](./quickstart.md). ++### Where can I view my Spring application logs and metrics? ++Find metrics in the App Overview tab and the [Azure Monitor](../../azure-monitor/essentials/data-platform-metrics.md#metrics-explorer) tab. ++Azure Spring Apps supports exporting Spring application logs and metrics to Azure Storage, Event Hubs, and [Log Analytics](../../azure-monitor/logs/data-platform-logs.md). The table name in Log Analytics is *AppPlatformLogsforSpring*. To learn how to enable it, see [Diagnostic services](diagnostic-services.md). ++### Does Azure Spring Apps support distributed tracing? ++Yes. For more information, see [Use Application Insights Java In-Process Agent in Azure Spring Apps](./how-to-application-insights.md). +++### What resource types does Service Binding support? ++Three services are currently supported: ++* Azure Cosmos DB +* Azure Database for MySQL +* Azure Cache for Redis. ++### Can I view, add, or move persistent volumes from inside my applications? ++Yes. ++### How many outbound public IP addresses does an Azure Spring Apps instance have? ++The number of outbound public IP addresses varies according to the plans and other factors. ++| Azure Spring Apps instance type | Default number of outbound public IP addresses | +||| +| Basic plan instances | 1 | +| Standard/Enterprise plan instances | 2 | +| VNet injection instances | 1 | ++### Can I increase the number of outbound public IP addresses? ++Yes, you can open a [support ticket](https://azure.microsoft.com/support/faq/) to request for more outbound public IP addresses. ++### When I delete/move an Azure Spring Apps service instance, are its extension resources deleted/moved as well? ++It depends on the logic of resource providers that own the extension resources. The extension resources of a `Microsoft.AppPlatform` instance don't belong to the same namespace, so the behavior varies by resource provider. For example, the delete/move operation won't cascade to the **diagnostics settings** resources. If a new Azure Spring Apps instance is provisioned with the same resource ID as the deleted one, or if the previous Azure Spring Apps instance is moved back, the previous **diagnostics settings** resources continue extending it. ++You can delete the Azure Spring Apps diagnostic settings by using Azure CLI: ++```azurecli + az monitor diagnostic-settings delete --name $DIAGNOSTIC_SETTINGS_NAME --resource $AZURE_SPRING_APPS_RESOURCE_ID +``` +++## Java runtime and OS versions ++### Which versions of Java runtime are supported in Azure Spring Apps? ++Azure Spring Apps supports Java LTS versions with the most recent builds, currently Java 8, Java 11, and Java 17 are supported. ++### How long are Java 8, Java 11, and Java 17 LTS versions supported? ++See [Java long-term support for Azure and Azure Stack](/azure/developer/java/fundamentals/java-support-on-azure). ++### What is the retire policy for older Java runtimes? ++Public notice is sent out at 12 months before any old runtime version is retired. You have 12 months to migrate to a later version. ++* Subscription admins get email notification when we retire a Java version. +* The retirement information is published in the documentation. ++### How can I get support for issues at the Java runtime level? ++See [Java long-term support for Azure and Azure Stack](/azure/developer/java/fundamentals/java-support-on-azure). ++### What is the operation system to run my apps? ++The most recent Ubuntu LTS version is used, currently [Ubuntu 20.04 LTS (Focal Fossa)](https://releases.ubuntu.com/focal/) is the default OS. ++### How often are OS security patches applied? ++Security patches applicable to Azure Spring Apps are rolled out to production on a monthly basis. +Critical security patches (CVE score >= 9) applicable to Azure Spring Apps are rolled out as soon as possible. ++## Deployment ++### Does Azure Spring Apps support blue-green deployment? ++Yes. For more information, see [Set up a staging environment](./how-to-staging-environment.md). ++### Can I access Kubernetes to manipulate my application containers? ++No. Azure Spring Apps abstracts the developer from the underlying architecture, allowing you to concentrate on application code and business logic. ++### Does Azure Spring Apps support building containers from source? ++Yes. For more information, see [Quickstart: Deploy your first application to Azure Spring Apps](./quickstart.md). ++### Does Azure Spring Apps support autoscaling in app instances? ++Yes. For more information, see [Set up autoscale for applications](./how-to-setup-autoscale.md). ++### How does Azure Spring Apps monitor the health status of my application? ++Azure Spring Apps continuously probes port `1025` for customer's applications with the Basic/Standard pricing plan, or port `8080` with the Enterprise plan. These probes determine whether the application container is ready to start accepting traffic and whether Azure Spring Apps needs to restart the application container. Internally, Azure Spring Apps uses Kubernetes liveness and readiness probes to achieve the status monitoring. ++>[!NOTE] +> Because of these probes, you currently can't launch applications in Azure Spring Apps without exposing port `1025` or `8080`. ++### Whether and when is my application restarted? ++Yes. For more information, see [Monitor app lifecycle events using Azure Activity log and Azure Service Health](./monitor-app-lifecycle-events.md). ++### What are the best practices for migrating existing Spring applications to Azure Spring Apps? ++For more information, see [Migrate Spring applications to Azure Spring Apps](/azure/developer/java/migration/migrate-spring-cloud-to-azure-spring-apps). +++## .NET Core versions ++### Which .NET Core versions are supported? ++.NET Core 3.1 and later versions. ++### How long is .NET Core 3.1 supported? ++Until December 3, 2022. See [.NET Core Support Policy](https://dotnet.microsoft.com/platform/support/policy/dotnet-core). ++## Troubleshooting ++### What are the impacts of service registry rarely unavailable? ++In some rare scenarios, you can see errors from your application logs similar to the following example: ++```output +RetryableEurekaHttpClient: Request execution failure with status code 401; retrying on another server if available +``` ++The Spring framework raises this issue at a low rate due to network instability or other network issues. There should be no impacts to the user experience. The Eureka client has both heartbeat and retry policy to take care of this problem. You can consider it a transient error and skip it safely. ++## Next steps ++If you have further questions, see the [Azure Spring Apps troubleshooting guide](./troubleshoot.md). |
spring-apps | Github Actions Key Vault | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/github-actions-key-vault.md | + + Title: Authenticate Azure Spring Apps with Key Vault in GitHub Actions +description: How to use Azure Key Vault with a CI/CD workflow for Azure Spring Apps with GitHub Actions ++++ Last updated : 09/08/2020++++# Authenticate Azure Spring Apps with Azure Key Vault in GitHub Actions ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Java ✔️ C# ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article shows you how to use Key Vault with a CI/CD workflow for Azure Spring Apps with GitHub Actions. ++Key vault is a secure place to store keys. Enterprise users need to store credentials for CI/CD environments in scope that they control. The key to get credentials in the key vault should be limited to resource scope. It has access to only the key vault scope, not the entire Azure scope. It's like a key that can only open a strong box not a master key that can open all doors in a building. It's a way to get a key with another key, which is useful in a CICD workflow. ++## Generate Credential ++To generate a key to access the key vault, execute command below on your local machine: ++```azurecli +az ad sp create-for-rbac --role contributor --scopes /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.KeyVault/vaults/<KEY_VAULT> --json-auth +``` ++The scope specified by the `--scopes` parameter limits the key access to the resource. It can only access the strong box. ++With results: ++```output +{ + "clientId": "<GUID>", + "clientSecret": "<GUID>", + "subscriptionId": "<GUID>", + "tenantId": "<GUID>", + "activeDirectoryEndpointUrl": "https://login.microsoftonline.com", + "resourceManagerEndpointUrl": "https://management.azure.com/", + "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/", + "galleryEndpointUrl": "https://gallery.azure.com/", + "managementEndpointUrl": "https://management.core.windows.net/" +} +``` ++Then save the results to GitHub **secrets** as described in [Set up your GitHub repository and authenticate with Azure](./how-to-github-actions.md#set-up-github-repository-and-authenticate). ++## Add Access Policies for the Credential ++The credential you created above can get only general information about the Key Vault, not the contents it stores. To get secrets stored in the Key Vault, you need set access policies for the credential. ++Go to the **Key Vault** dashboard in Azure portal, select the **Access control** menu, then open the **Role assignments** tab. Select **Apps** for **Type** and `This resource` for **scope**. You should see the credential you created in previous step: ++![Set access policy](media/github-actions-key-vault/key-vault1.png) ++Copy the credential name, for example, `azure-cli-2020-01-19-04-39-02`. Open the **Access policies** menu, then select the **Add Access Policy** link. Select `Secret Management` for **Template**, then select **Principal**. Paste the credential name in **Principal**/**Select** input box: ++![Select](media/github-actions-key-vault/key-vault2.png) ++Select the **Add** button in the **Add access policy** dialog, then select **Save**. ++## Generate full-scope Azure Credential ++This is the master key to open all doors in the building. The procedure is similar to the previous step, but here we change the scope to generate the master key: ++```azurecli +az ad sp create-for-rbac --role contributor --scopes /subscriptions/<SUBSCRIPTION_ID> --json-auth +``` ++Again, results: ++```output +{ + "clientId": "<GUID>", + "clientSecret": "<GUID>", + "subscriptionId": "<GUID>", + "tenantId": "<GUID>", + "activeDirectoryEndpointUrl": "https://login.microsoftonline.com", + "resourceManagerEndpointUrl": "https://management.azure.com/", + "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/", + "galleryEndpointUrl": "https://gallery.azure.com/", + "managementEndpointUrl": "https://management.core.windows.net/" +} +``` ++Copy the entire JSON string. Go back to **Key Vault** dashboard. Open the **Secrets** menu, then select the **Generate/Import** button. Input the secret name, such as `AZURE-CREDENTIALS-FOR-SPRING`. Paste the JSON credential string to the **Value** input box. You may notice the value input box is a one-line text field, rather than a multi-line text area. You can paste the complete JSON string there. ++![Full scope credential](media/github-actions-key-vault/key-vault3.png) ++## Combine credentials in GitHub Actions ++Set the credentials used when the CICD pipeline executes: ++```console +on: [push] ++jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: azure/login@v1 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} # Strong box key you generated in the first step + - uses: Azure/get-keyvault-secrets@v1.0 + with: + keyvault: "<Your Key Vault Name>" + secrets: "AZURE-CREDENTIALS-FOR-SPRING" # Master key to open all doors in the building + id: keyvaultaction + - uses: azure/login@v1 + with: + creds: ${{ steps.keyvaultaction.outputs.AZURE-CREDENTIALS-FOR-SPRING }} + - name: Azure CLI script + uses: azure/CLI@v1 + with: + azcliversion: 2.0.75 + inlineScript: | + az extension add --name spring # Spring CLI commands from here + az spring list ++``` ++## Next steps ++* [Use Azure Spring Apps CI/CD with GitHub Actions](./how-to-github-actions.md) |
spring-apps | How To Access App From Internet Virtual Network | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-access-app-from-internet-virtual-network.md | + + Title: Expose applications on Azure Spring Apps to the internet from a public network +description: Describes how to expose applications on Azure Spring Apps to the internet from a public network. ++++ Last updated : 08/09/2022++ms.devlang: azurecli +++# Expose applications on Azure Spring Apps to the internet from a public network ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++This article describes how to expose applications on Azure Spring Apps to the internet from a public network. ++You can expose applications to the internet with TLS Termination or end-to-end TLS using Application Gateway. These approaches are described in [Expose applications to the internet with TLS Termination at Application Gateway](./expose-apps-gateway-tls-termination.md) and [Expose applications with end-to-end TLS in a virtual network](./expose-apps-gateway-end-to-end-tls.md). These approaches work well, but Application Gateway can involve a complicated setup and extra expense. ++If you don't want to use Application Gateway for advanced operations, you can expose your applications to the internet with one click using the Azure portal or one command using the Azure CLI. The only extra expense is a standard public IP for one Azure Spring Apps service instance, regardless of how many apps you want to expose. ++## Prerequisites ++- An Azure Spring Apps service instance deployed in a virtual network and an app created in it. For more information, see [Deploy Azure Spring Apps in a virtual network](./how-to-deploy-in-azure-virtual-network.md). ++## Assign a public fully qualified domain name (FQDN) for your application in a virtual network injection instance +++### [Azure portal](#tab/azure-portal) ++Use the following steps to assign a public FQDN for your application. ++1. Select the Azure Spring Apps service instance deployed in your virtual network, and then open the **Apps** tab in the menu on the left. ++1. Select the application to show the **Overview** page. ++1. Select **Assign Public Endpoint** to assign a public FQDN to your application. Assigning an FQDN can take a few minutes. ++ :::image type="content" source="media/how-to-access-app-from-internet-virtual-network/assign-public-endpoint.png" alt-text="Screenshot of Azure portal showing how to assign a public FQDN to your application." lightbox="media/how-to-access-app-from-internet-virtual-network/assign-public-endpoint.png"::: ++The assigned public FQDN (labeled **URL**) is now available. It can only be accessed within the public network. ++### [Azure CLI](#tab/azure-CLI) ++Use the following command to assign a public endpoint to your app. Be sure to replace the placeholders with your actual values. ++```azurecli +az spring app update \ + --resource-group <resource-group-name> \ + --name <app-name> \ + --service <service-instance-name> \ + --assign-public-endpoint true +``` ++++## Use a public URL to access your application from both inside and outside the virtual network ++You can use a public URL to access your application both inside and outside the virtual network. Follow the steps in [Access your application in a private network](./access-app-virtual-network.md) to bind the domain `.private.azuremicroservices.io` to the service runtime Subnet private IP address in your private DNS zone while keeping the **Assign Endpoint** in a disable state. You can then access the app using the **public URL** from both inside and outside the virtual network. ++## Secure traffic to the public endpoint ++To ensure the security of your applications when you expose a public endpoint for them, secure the endpoint by filtering network traffic to your service with a network security group. For more information, see [Tutorial: Filter network traffic with a network security group using the Azure portal](../../virtual-network/tutorial-filter-network-traffic.md). A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol. ++> [!NOTE] +> If you couldn't access your application in a virtual network injection instance from internet after you have assigned a public FQDN, check your network security group first to see whether you have allowed such inbound traffic. ++## Next steps ++- [Expose applications with end-to-end TLS in a virtual network](./expose-apps-gateway-end-to-end-tls.md) +- [Troubleshooting Azure Spring Apps in virtual networks](./troubleshooting-vnet.md) +- [Customer responsibilities for running Azure Spring Apps in a virtual network](./vnet-customer-responsibilities.md) |
spring-apps | How To Application Insights | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-application-insights.md | + + Title: How to use Application Insights Java In-Process Agent in Azure Spring Apps +description: How to monitor apps using Application Insights Java In-Process Agent in Azure Spring Apps. ++++ Last updated : 06/20/2022++zone_pivot_groups: spring-apps-tier-selection +++# Use Application Insights Java In-Process Agent in Azure Spring Apps ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. +> +> With Spring Boot Native Image applications, use the [Azure Monitor OpenTelemetry Distro / Application Insights in Spring Boot native image Java application](https://aka.ms/AzMonSpringNative) project instead of the Application Insights Java agent. +++**This article applies to:** ✔️ Standard consumption and dedicated (Preview) ✔️ Basic/Standard ❌️ Enterprise ++This article explains how to monitor applications by using the Application Insights Java agent in Azure Spring Apps. ++With this feature you can: ++* Search tracing data with different filters. +* View a dependency map of Spring applications. +* Check request performance. +* Monitor real-time live metrics. +* Check request failures. +* Check application metrics. +* Check application logs. ++Application Insights can provide many observable perspectives, including: ++* Application map +* Performance +* Failures +* Metrics +* Live Metrics +* Availability +* Logs ++## Using the Application Insights feature ++When the **Application Insights** feature is enabled, you can: ++* In the navigation pane, select **Application Insights** to view the **Overview** page of Application Insights. The **Overview** page shows you an overview of all running applications. +* Select **Application Map** to see the status of calls between applications. ++ :::image type="content" source="media/how-to-application-insights/insights-process-agent-map.png" alt-text="Screenshot of Azure portal Application Insights with Application map page showing." lightbox="media/how-to-application-insights/insights-process-agent-map.png"::: ++* Select the link between customers-service and `petclinic` to see more details such as a query from SQL. +* Select an endpoint to see all the applications making requests to the endpoint. ++* In the navigation pane, select **Performance** to see the performance data of all applications' operations, dependencies, and roles. ++ :::image type="content" source="media/how-to-application-insights/insights-process-agent-performance.png" alt-text="Screenshot of Azure portal Application Insights with Performance page showing." lightbox="media/how-to-application-insights/insights-process-agent-performance.png"::: ++* In the navigation pane, select **Failures** to see any unexpected failures or exceptions from your applications. ++ :::image type="content" source="media/how-to-application-insights/insights-process-agent-failures.png" alt-text="Screenshot of Azure portal Application Insights with Failures page showing." lightbox="media/how-to-application-insights/insights-process-agent-failures.png"::: ++* In the navigation pane, select **Metrics** and select the namespace to see both Spring Boot metrics and custom metrics, if any. ++ :::image type="content" source="media/how-to-application-insights/insights-process-agent-metrics.png" alt-text="Screenshot of Azure portal Application Insights with Metrics page showing." lightbox="media/how-to-application-insights/insights-process-agent-metrics.png"::: ++* In the navigation pane, select **Live Metrics** to see the real-time metrics for different dimensions. ++ :::image type="content" source="media/how-to-application-insights/petclinic-microservices-live-metrics.png" alt-text="Screenshot of Azure portal Application Insights with Live Metrics page showing." lightbox="media/how-to-application-insights/petclinic-microservices-live-metrics.png"::: ++* In the navigation pane, select **Availability** to monitor the availability and responsiveness of Web apps by creating [Availability tests in Application Insights](/previous-versions/azure/azure-monitor/app/monitor-web-app-availability). ++ :::image type="content" source="media/how-to-application-insights/petclinic-microservices-availability.png" alt-text="Screenshot of Azure portal Application Insights with Availability page showing." lightbox="media/how-to-application-insights/petclinic-microservices-availability.png"::: ++* In the navigation pane, select **Logs** to view all applications' logs, or one application's logs when filtering by `cloud_RoleName`. ++ :::image type="content" source="media/how-to-application-insights/application-insights-application-logs.png" alt-text="Screenshot of Azure portal Application Insights with Logs page showing." lightbox="media/how-to-application-insights/application-insights-application-logs.png"::: ++## Manage Application Insights using the Azure portal +++Enable the Java In-Process Agent by using the following procedure. ++1. Go to the **service | Overview** page of your service instance, then select **Application Insights** in the **Monitoring** section. +1. Select **Enable Application Insights** to enable Application Insights in Azure Spring Apps. +1. Select an existing instance of Application Insights or create a new one. +1. When **Application Insights** is enabled, you can configure one optional sampling rate (default 10.0%). ++ :::image type="content" source="media/how-to-application-insights/insights-process-agent.png" alt-text="Screenshot of Azure portal Azure Spring Apps instance with Application Insights page showing and 'Enable Application Insights' checkbox highlighted." lightbox="media/how-to-application-insights/insights-process-agent.png"::: ++1. Select **Save** to save the change. ++> [!NOTE] +> Don't use the same Application Insights instance in different Azure Spring Apps instances, or you're shown mixed data. ++++You can use the Portal to check or update the current settings in Application Insights. ++### Enable Application Insights using the Azure portal ++1. Select **Application Insights**. +1. Enable Application Insights by selecting **Edit binding**, or the **Unbound** hyperlink. ++ :::image type="content" source="media/how-to-application-insights/application-insights-binding-enable.png" alt-text="Screenshot of Azure portal Azure Spring Apps instance with Application Insights page showing and drop-down menu visible with 'Edit binding' option."::: ++1. Edit **Application Insights** or **Sampling rate**, then select **Save**. ++### Disable Application Insights ++1. Select **Application Insights**. +1. Select **Unbind binding** to disable Application Insights. ++ :::image type="content" source="media/how-to-application-insights/application-insights-unbind-binding.png" alt-text="Screenshot of Azure portal Azure Spring Apps instance with Application Insights page showing and drop-down menu visible with 'Unbind binding' option."::: ++### Change Application Insights Settings ++Select the name under the *Application Insights* column to open the Application Insights section. +++### Edit Application Insights buildpack bindings in Build Service ++To check and update the current settings for the Application Insights buildpack bindings in Build Service, follow these steps: ++1. Select **Build Service**. +1. Choose your builder. +1. Select **Edit** under the Bindings column. ++Application Insights settings are found in the *ApplicationInsights* item listed under the *Binding type* column. ++1. Select the **Bound** hyperlink, or select **Edit Binding** under the ellipse, to open and edit the Application Insights buildpack bindings. ++ :::image type="content" source="media/how-to-application-insights/application-insights-builder-settings.png" alt-text="Screenshot of Azure portal 'Edit bindings for default builder' pane."::: ++1. Edit the binding settings, then select **Save**. ++ :::image type="content" source="media/how-to-application-insights/application-insights-edit-binding.png" alt-text="Screenshot of Azure portal 'Edit binding' pane."::: +++## Manage Application Insights using Azure CLI ++You can manage Application Insights using Azure CLI commands. In the following commands, be sure to replace the *\<placeholder>* text with the values described. The *\<service-instance-name>* placeholder refers to the name of your Azure Spring Apps instance. ++### Enable Application Insights ++To configure Application Insights when creating an Azure Spring Apps instance, use the following command. For the `app-insights` argument, you can specify an Application Insights name or resource ID. +++```azurecli +az spring create \ + --resource-group <resource-group-name> \ + --name "service-instance-name" \ + --app-insights <name-or-resource-ID> \ + --sampling-rate <sampling-rate> +``` ++++```azurecli +az spring create \ + --resource-group <resource-group-name> \ + --name "service-instance-name" \ + --app-insights <name-or-resource-ID> \ + --sampling-rate <sampling-rate> + --sku Enterprise +``` +++You can also use an Application Insights connection string (preferred) or instrumentation key, as shown in the following example. +++```azurecli +az spring create \ + --resource-group <resource-group-name> \ + --name <service-instance-name> \ + --app-insights-key <connection-string-or-instrumentation-key> \ + --sampling-rate <sampling-rate> +``` ++++```azurecli +az spring create \ + --resource-group <resource-group-name> \ + --name <service-instance-name> \ + --app-insights-key <connection-string-or-instrumentation-key> \ + --sampling-rate <sampling-rate> + --sku Enterprise +``` +++### Disable Application Insights ++To disable Application Insights when creating an Azure Spring Apps instance, use the following command: +++```azurecli +az spring create \ + --resource-group <resource-group-name> \ + --name <service-instance-name> \ + --disable-app-insights +``` ++++```azurecli +az spring create \ + --resource-group <resource-group-name> \ + --name <service-instance-name> \ + --disable-app-insights + --sku Enterprise +``` ++++### Check Application Insights settings ++To check the Application Insights settings of an existing Azure Spring Apps instance, use the following command: ++```azurecli +az spring app-insights show \ + --resource-group <resource-group-name> \ + --name <service-instance-name> +``` ++### Update Application Insights ++To update Application Insights to use a connection string (preferred) or instrumentation key, use the following command: ++```azurecli +az spring app-insights update \ + --resource-group <resource-group-name> \ + --name <service-instance-name> \ + --app-insights-key <connection-string-or-instrumentation-key> \ + --sampling-rate <sampling-rate> +``` ++To update Application Insights to use the resource name or ID, use the following command: ++```azurecli +az spring app-insights update \ + --resource-group <resource-group-name> \ + --name <service-instance-name> \ + --app-insights <name-or-resource-ID> \ + --sampling-rate <sampling-rate> +``` ++### Disable Application Insights with the update command ++To disable Application Insights on an existing Azure Spring Apps instance, use the following command: ++```azurecli +az spring app-insights update \ + --resource-group <resource-group-name> \ + --name <service-instance-name> \ + --disable +``` ++++### Manage Application Insights buildpack bindings ++This section applies to the Enterprise plan only, and provides instructions that supplement the previous section. ++The Azure Spring Apps Enterprise plan uses buildpack bindings to integrate [Azure Application Insights](../../azure-monitor/app/app-insights-overview.md) with the type `ApplicationInsights`. For more information, see [How to configure APM integration and CA certificates](how-to-enterprise-configure-apm-integration-and-ca-certificates.md). ++To create an Application Insights buildpack binding, use the following command: ++```azurecli +az spring build-service builder buildpack-binding create \ + --resource-group <your-resource-group-name> \ + --service <your-service-instance-name> \ + --name <your-binding-name> \ + --builder-name <your-builder-name> \ + --type ApplicationInsights \ + --properties sampling-percentage=<your-sampling-percentage> \ + connection-string=<your-connection-string> +``` ++To list all buildpack bindings, and find Application Insights bindings the type `ApplicationInsights`, use the following command: ++```azurecli +az spring build-service builder buildpack-binding list \ + --resource-group <your-resource-group-name> \ + --service <your-service-resource-name> \ + --builder-name <your-builder-name> +``` ++To replace an Application Insights buildpack binding, use the following command: ++```azurecli +az spring build-service builder buildpack-binding set \ + --resource-group <your-resource-group-name> \ + --service <your-service-instance-name> \ + --name <your-binding-name> \ + --builder-name <your-builder-name> \ + --type ApplicationInsights \ + --properties sampling-percentage=<your-sampling-percentage> \ + connection-string=<your-connection-string> +``` ++To get an Application Insights buildpack binding, use the following command: ++```azurecli +az spring build-service builder buildpack-binding show \ + --resource-group <your-resource-group-name> \ + --service <your-service-instance-name> \ + --name <your-binding-name> \ + --builder-name <your-builder-name> \ +``` ++To delete an Application Insights buildpack binding, use the following command: ++```azurecli +az spring build-service builder buildpack-binding delete \ + --resource-group <your-resource-group-name> \ + --service <your-service-instance-name> \ + --name <your-binding-name> \ + --builder-name <your-builder-name> \ +``` +++## Automation +++The following sections describe how to automate your deployment using Bicep, Azure Resource Manager templates (ARM templates) or Terraform. ++### Bicep ++To deploy using a Bicep file, copy the following content into a *main.bicep* file. For more information, see [Microsoft.AppPlatform Spring/monitoringSettings](/azure/templates/microsoft.appplatform/spring/monitoringsettings). ++```bicep +param springName string +param location string = resourceGroup().location ++resource spring 'Microsoft.AppPlatform/Spring@2020-07-01' = { + name: springName + location: location + properties: {} +} ++resource monitorSetting 'Microsoft.AppPlatform/Spring/monitoringSettings@2020-11-01-preview' = { + parent: spring + name: 'default' + properties: { + appInsightsInstrumentationKey: '00000000-0000-0000-0000-000000000000' + appInsightsSamplingRate: 88 + } +} +``` ++### ARM templates ++To deploy using an ARM template, copy the following content into an *azuredeploy.json* file. For more information, see [Microsoft.AppPlatform Spring/monitoringSettings](/azure/templates/microsoft.appplatform/spring/monitoringsettings). ++```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "springName": { + "type": "string" + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]" + } + }, + "resources": [ + { + "type": "Microsoft.AppPlatform/Spring", + "apiVersion": "2020-07-01", + "name": "[parameters('springName')]", + "location": "[parameters('location')]", + "properties": {} + }, + { + "type": "Microsoft.AppPlatform/Spring/monitoringSettings", + "apiVersion": "2020-11-01-preview", + "name": "[format('{0}/{1}', parameters('springName'), 'default')]", + "properties": { + "appInsightsInstrumentationKey": "00000000-0000-0000-0000-000000000000", + "appInsightsSamplingRate": 88 + }, + "dependsOn": [ + "[resourceId('Microsoft.AppPlatform/Spring', parameters('springName'))]" + ] + } + ] +} +``` ++### Terraform ++For a Terraform deployment, use the following template. For more information, see [azurerm_spring_cloud_service](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/spring_cloud_service). ++```terraform +provider "azurerm" { + features {} +} ++resource "azurerm_resource_group" "example" { + name = "example-resources" + location = "West Europe" +} ++resource "azurerm_application_insights" "example" { + name = "tf-test-appinsights" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + application_type = "web" +} ++resource "azurerm_spring_cloud_service" "example" { + name = "example-springcloud" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + sku_name = "S0" ++ config_server_git_setting { + uri = "https://github.com/Azure-Samples/piggymetrics" + label = "config" + search_paths = ["dir1", "dir2"] + } ++ trace { + connection_string = azurerm_application_insights.example.connection_string + sample_rate = 10.0 + } ++ tags = { + Env = "staging" + } +} +``` ++++Automation in the Enterprise plan is pending support. Documentation is added as soon as it's available. +++## Java agent update/upgrade +++The Java agent is updated/upgraded regularly with the JDK, which may affect the following scenarios. ++> [!NOTE] +> The JDK version is updated/upgraded quarterly per year. ++* Existing applications that use the Java agent before updating/upgrading aren't affected. +* Applications created after updating/upgrading use the new version of the Java agent. +* Existing applications that didn't previously use the Java agent require restart or redeployment to use the new version of the Java agent. ++++The Java agent is updated/upgraded when the buildpack is updated. ++++## Java agent configuration hot-loading ++Azure Spring Apps has enabled a hot-loading mechanism to adjust the settings of agent configuration without restart of applications. ++> [!NOTE] +> The hot-loading mechanism has a delay in minutes. ++* When the Java agent has been previously enabled, changes to the Application Insights instance and/or SamplingRate do NOT require applications to be restarted. +* If you enable the Java agent, then you must restart applications. +* When you disable the Java agent, applications stop sending all monitoring data after a delay in minutes. You can restart applications to remove the agent from the Java runtime environment. +++## Concept matching between Azure Spring Apps and Application Insights ++| Azure Spring Apps | Application Insights | +| | | +| `App` | * __Application Map__/Role<br />* __Live Metrics__/Role<br />* __Failures__/Roles/Cloud Role<br />* __Performance__/Roles/Could Role | +| `App Instance` | * __Application Map__/Role Instance<br />* __Live Metrics__/Service Name<br />* __Failures__/Roles/Cloud Instance<br />* __Performance__/Roles/Could Instance | ++The name `App Instance` from Azure Spring Apps is changed or generated in the following scenarios: ++* You create a new application. +* You deploy a JAR file or source code to an existing application. +* You initiate a blue/green deployment. +* You restart the application. +* You stop the deployment of an application, and then restart it. ++When data is stored in Application Insights, it contains the history of Azure Spring Apps app instances created or deployed since the Java agent was enabled. For example, in the Application Insights portal, you can see application data created yesterday, but then deleted within a specific time range, like the last 24 hours. The following scenarios show how this works: ++* You created an application around 8:00 AM today from Azure Spring Apps with the Java agent enabled, and then you deployed a JAR file to this application around 8:10 AM today. After some testing, you change the code and deploy a new JAR file to this application at 8:30 AM today. Then, you take a break, and when you come back around 11:00 AM, you check some data from Application Insights. You see: + * Three instances in Application Map with time ranges in the last 24 hours, and Failures, Performance, and Metrics. + * One instance in Application Map with a time range in the last hour, and Failures, Performance, and Metrics. + * One instance in Live Metrics. +* You created an application around 8:00 AM today from Azure Spring Apps with the Java agent enabled, and then you deployed a JAR file to this application around 8:10 AM today. Around 8:30 AM today, you try a blue/green deployment with another JAR file. Currently, you have two deployments for this application. After a break around 11:00 AM today, you want to check some data from Application Insights. You see: + * Three instances in Application Map with time ranges in the last 24 hours, and Failures, Performance, and Metrics. + * Two instances in Application Map with time ranges in last hour, and Failures, Performance, and Metrics. + * Two instances in Live Metrics. ++## Next steps ++* [Use Application Insights Java In-Process Agent in Azure Spring Apps](./how-to-application-insights.md) +* [Analyze logs and metrics](diagnostic-services.md) +* [Stream logs in real time](./how-to-log-streaming.md) +* [Application Map](../../azure-monitor/app/app-map.md) +* [Live Metrics](../../azure-monitor/app/live-stream.md) +* [Performance](../../azure-monitor/app/tutorial-performance.md) +* [Failures](../../azure-monitor/app/tutorial-runtime-exceptions.md) +* [Metrics](../../azure-monitor/essentials/tutorial-metrics.md) +* [Logs](../../azure-monitor/logs/data-platform-logs.md) |
spring-apps | How To Bind Cosmos | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-bind-cosmos.md | + + Title: Connect an Azure Cosmos DB to your application in Azure Spring Apps +description: Learn how to connect Azure Cosmos DB to your application in Azure Spring Apps +++ Last updated : 11/09/2022+++++# Connect an Azure Cosmos DB database to your application in Azure Spring Apps ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Java ✔️ C# ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++Instead of manually configuring your Spring Boot applications, you can automatically connect selected Azure services to your applications by using Azure Spring Apps. This article demonstrates how to connect your application to an Azure Cosmos DB database. ++## Prerequisites ++* An application deployed to Azure Spring Apps. For more information, see [Quickstart: Deploy your first application to Azure Spring Apps](./quickstart.md). +* An Azure Cosmos DB database instance. +* [Azure CLI](/cli/azure/install-azure-cli) version 2.45.0 or higher. ++## Prepare your project ++### [Java](#tab/Java) ++1. Add one of the following dependencies to your application's *pom.xml* file. Choose the dependency that is appropriate for your API type. ++ * API type: NoSQL ++ ```xml + <dependency> + <groupId>com.azure.spring</groupId> + <artifactId>spring-cloud-azure-starter-data-cosmos</artifactId> + </dependency> + ``` ++ * API type: MongoDB ++ ```xml + <dependency> + <groupId>org.springframework.boot</groupId> + <artifactId>spring-boot-starter-data-mongodb</artifactId> + </dependency> + ``` ++ * API type: Cassandra ++ ```xml + <dependency> + <groupId>org.springframework.boot</groupId> + <artifactId>spring-boot-starter-data-cassandra</artifactId> + </dependency> + ``` ++1. Update the current app by running `az spring app deploy`, or create a new deployment for this change by running `az spring app deployment create`. ++### [Polyglot](#tab/Polyglot) ++All the connection strings and credentials are injected as environment variables, which you can reference in your application code. ++For the default environment variable names, see the following articles: ++* [Azure Cosmos DB for Table](../../service-connector/how-to-integrate-cosmos-table.md?tabs=spring-apps#default-environment-variable-names-or-application-properties-and-sample-code) +* [Azure Cosmos DB for NoSQL](../../service-connector/how-to-integrate-cosmos-sql.md?tabs=spring-apps#default-environment-variable-names-or-application-properties-and-sample-code) +* [Azure Cosmos DB for MongoDB](../../service-connector/how-to-integrate-cosmos-db.md?tabs=spring-apps#default-environment-variable-names-or-application-properties-and-sample-code) +* [Azure Cosmos DB for Gremlin](../../service-connector/how-to-integrate-cosmos-gremlin.md?tabs=spring-apps#default-environment-variable-names-or-application-properties-and-sample-code) +* [Azure Cosmos DB for Cassandra](../../service-connector/how-to-integrate-cosmos-cassandra.md?tabs=spring-apps#default-environment-variable-names-or-application-properties-and-sample-code) ++++## Connect your app to the Azure Cosmos DB ++### [Service Connector](#tab/Service-Connector) ++> [!NOTE] +> By default, Service Connectors are created at the application level. To override the connections, you can create other connections again in the deployments. ++#### Use the Azure CLI ++Use the Azure CLI to configure your Spring app to connect to a Cosmos NoSQL Database by using the `az spring connection create` command, as shown in the following example. Be sure to replace the variables in the example with actual values. ++> [!NOTE] +> Updating Azure Cosmos DB database settings can take a few minutes to complete. ++> [!NOTE] +> If you're using Cosmos Cassandra, use `--key_space` instead of `--database`. If you're using Cosmos Table, use `--table` instead of `--database`. For more information, see [Quickstart: Create a service connection in Azure Spring Apps with the Azure CLI](../../service-connector/quickstart-cli-spring-cloud-connection.md). ++```azurecli +az spring connection create cosmos-sql \ + --resource-group $AZURE_SPRING_APPS_RESOURCE_GROUP \ + --service $AZURE_SPRING_APPS_SERVICE_INSTANCE_NAME \ + --app $APP_NAME \ + --target-resource-group $COSMOSDB_RESOURCE_GROUP \ + --account $COSMOSDB_ACCOUNT_NAME \ + --database $DATABASE_NAME \ + --secret +``` ++> [!NOTE] +> If you're using [Service Connector](../../service-connector/overview.md) for the first time, start by running the command `az provider register --namespace Microsoft.ServiceLinker` to register the Service Connector resource provider. ++> [!TIP] +> Run the command `az spring connection list-support-types --output table` to get a list of supported target services and authentication methods for Azure Spring Apps. If the `az spring` command isn't recognized by the system, check that you have installed the required extension by running `az extension add --name spring`. ++#### Use the Azure portal ++Alternatively, you can use the Azure portal to configure this connection by completing the following steps. The Azure portal provides the same capabilities as the Azure CLI and provides an interactive experience. ++1. Select your Azure Spring Apps instance in the Azure portal and select **Apps** from the navigation menu. Choose the app you want to connect and select **Service Connector** on the navigation menu. ++1. Select **Create**. ++1. On the **Basics** tab, for service type, select Cosmos DB, then choose a subscription. For API type, select Core (SQL), choose a Cosmos DB account, and a database. For client type, select Java, then select **Next: Authentication**. If you haven't created your database yet, see [Quickstart: Create an Azure Cosmos DB account, database, container, and items from the Azure portal](../../cosmos-db/nosql/quickstart-portal.md). ++1. On the **Authentication** tab, choose **Connection string**. Service Connector automatically retrieves the access key from your Cosmos DB account. Select **Next: Networking**. ++1. On the **Networking** tab, select **Configure firewall rules to enable access to target service**, then select **Next: Review + Create**. ++1. On the **Review + Create** tab, wait for the validation to pass and then select **Create**. The creation can take a few minutes to complete. ++1. Once the connection between your Spring apps and your Cosmos DB database has been generated, you can see it in the Service Connector page and select the unfold button to view the configured connection variables. ++### [Terraform](#tab/Terraform) ++The following Terraform script shows how to set up an app deployed to Azure Spring Apps with an Azure Cosmos DB account. ++```terraform +provider "azurerm" { + features {} +} ++variable "application_name" { + type = string + description = "The name of your application" + default = "demo-cosmosdb" +} ++resource "azurerm_resource_group" "example" { + name = "example-resources" + location = "West Europe" +} ++resource "azurerm_cosmosdb_account" "cosmosdb" { + name = "cosmosacct-${var.application_name}-001" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + offer_type = "Standard" + kind = "GlobalDocumentDB" ++ consistency_policy { + consistency_level = "Session" + } ++ geo_location { + failover_priority = 0 + location = azurerm_resource_group.example.location + } +} ++resource "azurerm_cosmosdb_sql_database" "cosmosdb" { + name = "cosmos-${var.application_name}-001" + resource_group_name = azurerm_cosmosdb_account.cosmosdb.resource_group_name + account_name = azurerm_cosmosdb_account.cosmosdb.name +} ++resource "azurerm_spring_cloud_service" "example" { + name = "${var.application_name}" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location +} ++resource "azurerm_spring_cloud_app" "example" { + name = "${var.application_name}-app" + resource_group_name = azurerm_resource_group.example.name + service_name = azurerm_spring_cloud_service.example.name + is_public = true + https_only = true +} ++resource "azurerm_spring_cloud_java_deployment" "example" { + name = "default" + spring_cloud_app_id = azurerm_spring_cloud_app.example.id + quota { + cpu = "2" + memory = "4Gi" + } + instance_count = 1 + jvm_options = "-XX:+PrintGC" + runtime_version = "Java_11" ++ environment_variables = { + "spring.cloud.azure.cosmos.endpoint" : azurerm_cosmosdb_account.cosmosdb.endpoint + "spring.cloud.azure.cosmos.key" : azurerm_cosmosdb_account.cosmosdb.primary_key + "spring.cloud.azure.cosmos.database" : azurerm_cosmosdb_sql_database.cosmosdb.name + } +} ++resource "azurerm_spring_cloud_active_deployment" "example" { + spring_cloud_app_id = azurerm_spring_cloud_app.example.id + deployment_name = azurerm_spring_cloud_java_deployment.example.name +} +``` ++++## Next steps ++In this article, you learned how to connect your application in Azure Spring Apps to an Azure Cosmos DB database. To learn more about connecting services to your application, see [Connect to an Azure Cache for Redis cache](./how-to-bind-redis.md). |
spring-apps | How To Bind Mysql | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-bind-mysql.md | + + Title: How to connect an Azure Database for MySQL instance to your application in Azure Spring Apps +description: Learn how to connect an Azure Database for MySQL instance to your application in Azure Spring Apps +++ Last updated : 11/09/2022+++++# Connect an Azure Database for MySQL instance to your application in Azure Spring Apps ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Java ✔️ C# ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++With Azure Spring Apps, you can connect selected Azure services to your applications automatically, instead of having to configure your Spring Boot application manually. This article shows you how to connect your application to your Azure Database for MySQL instance. ++## Prerequisites ++* An application deployed to Azure Spring Apps. For more information, see [Quickstart: Deploy your first application to Azure Spring Apps](./quickstart.md). +* An Azure Database for MySQL Flexible Server instance. +* [Azure CLI](/cli/azure/install-azure-cli) version 2.45.0 or higher. ++## Prepare your project ++### [Java](#tab/Java) ++1. In your project's *pom.xml* file, add the following dependency: ++ ```xml + <dependency> + <groupId>org.springframework.boot</groupId> + <artifactId>spring-boot-starter-data-jpa</artifactId> + </dependency> + <dependency> + <groupId>com.azure.spring</groupId> + <artifactId>spring-cloud-azure-starter-jdbc-mysql</artifactId> + </dependency> + ``` ++1. In the *application.properties* file, remove any `spring.datasource.*` properties. ++1. Update the current app by running `az spring app deploy`, or create a new deployment for this change by running `az spring app deployment create`. ++### [Polyglot](#tab/Polyglot) ++All the connection strings and credentials are injected as environment variables, which you can reference in your application code. ++For the default environment variable names, see [Integrate Azure Database for MySQL with Service Connector](../../service-connector/how-to-integrate-mysql.md#default-environment-variable-names-or-application-properties-and-sample-code). ++++## Connect your app to the Azure Database for MySQL instance ++### [Service Connector](#tab/Service-Connector) ++> [!NOTE] +> By default, Service Connectors are created at the application level. To override the connections, you can create other connections again in the deployments. ++Follow these steps to configure your Spring app to connect to an Azure Database for MySQL Flexible Server with a system-assigned managed identity. ++1. Use the following command to install the Service Connector passwordless extension for the Azure CLI. ++ ```azurecli + az extension add --name serviceconnector-passwordless --upgrade + ``` ++1. Then, use the following command to create a user-assigned managed identity for Microsoft Entra authentication. Be sure to replace the variables in the example with actual values. For more information, see [Set up Microsoft Entra authentication for Azure Database for MySQL - Flexible Server](../../mysql/flexible-server/how-to-azure-ad.md). ++ ```azurecli + export AZ_IDENTITY_RESOURCE_ID=$(az identity create \ + --name $AZURE_USER_IDENTITY_NAME \ + --resource-group $AZURE_IDENTITY_RESOURCE_GROUP \ + --query id \ + --output tsv) + ``` ++1. Run the `az spring connection create` command, as shown in the following example. Be sure to replace the variables in the example with actual values. ++ ```azurecli + az spring connection create mysql-flexible \ + --resource-group $AZURE_SPRING_APPS_RESOURCE_GROUP \ + --service $AZURE_SPRING_APPS_SERVICE_INSTANCE_NAME \ + --app $APP_NAME \ + --target-resource-group $MYSQL_RESOURCE_GROUP \ + --server $MYSQL_SERVER_NAME \ + --database $DATABASE_NAME \ + --system-identity mysql-identity-id=$AZ_IDENTITY_RESOURCE_ID + ``` ++### [Terraform](#tab/Terraform) ++The following Terraform script shows how to set up an Azure Spring Apps app with Azure Database for MySQL. ++```terraform +provider "azurerm" { + features {} +} ++variable "application_name" { + type = string + description = "The name of your application" + default = "demo-abc" +} ++variable "administrator_login" { + type = string + description = "The MySQL administrator login" + default = "myadmin" +} ++resource "azurerm_resource_group" "example" { + name = "example-resources" + location = "West Europe" +} ++resource "random_password" "password" { + length = 32 + special = true + override_special = "_%@" +} ++resource "azurerm_mysql_server" "database" { + name = "mysql-${var.application_name}-001" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location ++ administrator_login = var.administrator_login + administrator_login_password = random_password.password.result ++ sku_name = "B_Gen5_1" + storage_mb = 5120 + version = "5.7" + auto_grow_enabled = true + backup_retention_days = 7 + geo_redundant_backup_enabled = false + infrastructure_encryption_enabled = false + public_network_access_enabled = true + ssl_enforcement_enabled = true + ssl_minimal_tls_version_enforced = "TLS1_2" +} ++resource "azurerm_mysql_database" "database" { + name = "mysqldb-${var.application_name}-001" + resource_group_name = azurerm_resource_group.example.name + server_name = azurerm_mysql_server.database.name + charset = "utf8" + collation = "utf8_unicode_ci" +} ++# This rule is to enable the 'Allow access to Azure services' checkbox +resource "azurerm_mysql_firewall_rule" "database" { + name = "mysqlfw-${var.application_name}-001" + resource_group_name = azurerm_resource_group.example.name + server_name = azurerm_mysql_server.database.name + start_ip_address = "0.0.0.0" + end_ip_address = "0.0.0.0" +} ++resource "azurerm_spring_cloud_service" "example" { + name = "example-springcloud" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location +} ++resource "azurerm_spring_cloud_app" "example" { + name = "example-springcloudapp" + resource_group_name = azurerm_resource_group.example.name + service_name = azurerm_spring_cloud_service.example.name + is_public = true + https_only = true +} ++resource "azurerm_spring_cloud_java_deployment" "example" { + name = "default" + spring_cloud_app_id = azurerm_spring_cloud_app.example.id + quota { + cpu = "2" + memory = "4Gi" + } + instance_count = 2 + jvm_options = "-XX:+PrintGC" + runtime_version = "Java_11" ++ environment_variables = { + "spring.datasource.url" : "jdbc:mysql://${azurerm_mysql_server.database.fqdn}:3306/${azurerm_mysql_database.database.name}?useSSL=true&requireSSL=false&useLegacyDatetimeCode=false&serverTimezone=UTC" + "spring.datasource.username" : "${var.administrator_login}@${azurerm_mysql_server.database.name}" + "spring.datasource.password" : random_password.password.result + "spring.jpa.properties.hibernate.dialect" : "org.hibernate.dialect.MySQL5InnoDBDialect" + } +} ++resource "azurerm_spring_cloud_active_deployment" "example" { + spring_cloud_app_id = azurerm_spring_cloud_app.example.id + deployment_name = azurerm_spring_cloud_java_deployment.example.name +} +``` ++++## Next steps ++In this article, you learned how to connect an application in Azure Spring Apps to an Azure Database for MySQL instance. To learn more about connecting services to an application, see [Connect an Azure Cosmos DB database to an application in Azure Spring Apps](./how-to-bind-cosmos.md). |
spring-apps | How To Bind Postgres | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-bind-postgres.md | + + Title: How to bind an Azure Database for PostgreSQL to your application in Azure Spring Apps +description: Learn how to bind an Azure Database for PostgreSQL instance to your application in Azure Spring Apps. +++ Last updated : 09/26/2022+++zone_pivot_group_filename: spring-apps/postgresql-zone-pivot-groups.json +zone_pivot_groups: passwordless-postgresql +++# Bind an Azure Database for PostgreSQL to your application in Azure Spring Apps ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Java ✔️ C# ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++With Azure Spring Apps, you can bind select Azure services to your applications automatically, instead of having to configure your Spring Boot application manually. This article shows you how to bind your application to your Azure Database for PostgreSQL instance. ++In this article, we include two authentication methods: Microsoft Entra authentication and PostgreSQL authentication. The Passwordless tab shows the Microsoft Entra authentication and the Password tab shows the PostgreSQL authentication. ++Microsoft Entra authentication is a mechanism for connecting to Azure Database for PostgreSQL using identities defined in Microsoft Entra ID. With Microsoft Entra authentication, you can manage database user identities and other Microsoft services in a central location, which simplifies permission management. ++PostgreSQL authentication uses accounts stored in PostgreSQL. If you choose to use passwords as credentials for the accounts, these credentials are stored in the user table. Because these passwords are stored in PostgreSQL, you need to manage the rotation of the passwords by yourself. +++## Prerequisites ++* An application deployed to Azure Spring Apps. For more information, see [Quickstart: Deploy your first application to Azure Spring Apps](./quickstart.md). +* An Azure Database for PostgreSQL Flexible Server instance. +* [Azure CLI](/cli/azure/install-azure-cli) version 2.45.0 or higher. ++## Prepare your project ++### [Java](#tab/JavaFlex) ++Use the following steps to prepare your project. ++1. In your project's *pom.xml* file, add the following dependency: ++ ```xml + <dependency> + <groupId>org.springframework.boot</groupId> + <artifactId>spring-boot-starter-data-jpa</artifactId> + </dependency> + <dependency> + <groupId>com.azure.spring</groupId> + <artifactId>spring-cloud-azure-starter-jdbc-postgresql</artifactId> + </dependency> + ``` ++1. In the *application.properties* file, remove any `spring.datasource.*` properties. ++1. Update the current app by running `az spring app deploy`, or create a new deployment for this change by running `az spring app deployment create`. ++### [Polyglot](#tab/PolyglotFlex) ++All the connection strings and credentials are injected as environment variables, which you can reference in your application code. ++For the default environment variable names, see [Integrate Azure Database for PostgreSQL with Service Connector](../../service-connector/how-to-integrate-postgres.md#default-environment-variable-names-or-application-properties-and-sample-code). ++++## Bind your app to the Azure Database for PostgreSQL instance ++> [!NOTE] +> Be sure to select only one of the following approaches to create a connection. If you've already created tables with one connection, other users can't access or modify the tables. When you try the other approach, the application will throw errors such as "Permission denied". To fix this issue, connect to a new database or delete and recreate an existing one. ++> [!NOTE] +> By default, Service Connectors are created at the application level. To override the connections, you can create other connections again in the deployments. ++### [Passwordless (Recommended)](#tab/Passwordlessflex) ++1. Install the [Service Connector](../../service-connector/overview.md) passwordless extension for the Azure CLI: ++ ```azurecli + az extension add --name serviceconnector-passwordless --upgrade + ``` ++1. Configure Azure Spring Apps to connect to the PostgreSQL Database with a system-assigned managed identity using the `az spring connection create` command. ++ ```azurecli + az spring connection create postgres-flexible \ + --resource-group $AZ_SPRING_APPS_RESOURCE_GROUP \ + --service $AZ_SPRING_APPS_SERVICE_INSTANCE_NAME \ + --app $APP_NAME \ + --deployment $DEPLOYMENT_NAME \ + --target-resource-group $POSTGRES_RESOURCE_GROUP \ + --server $POSTGRES_SERVER_NAME \ + --database $DATABASE_NAME \ + --system-identity + ``` ++### [Password](#tab/Secretsflex) ++Use the following steps to bind your app using a secret. ++1. Note the admin username and password of your Azure Database for PostgreSQL account. ++1. Connect to the server, create a database named **testdb** from a PostgreSQL client, and then create a new non-admin account. ++1. Run the following command to connect to the database with admin username and password. ++ ```azurecli + az spring connection create postgres-flexible \ + --resource-group $AZ_SPRING_APPS_RESOURCE_GROUP \ + --service $AZ_SPRING_APPS_SERVICE_INSTANCE_NAME \ + --app $APP_NAME \ + --deployment $DEPLOYMENT_NAME \ + --target-resource-group $POSTGRES_RESOURCE_GROUP \ + --server $POSTGRES_SERVER_NAME \ + --database $DATABASE_NAME \ + --secret name=$USERNAME secret=$PASSWORD + ``` ++++++## Prerequisites ++* An application deployed to Azure Spring Apps. For more information, see [Quickstart: Deploy your first application to Azure Spring Apps](./quickstart.md). +* An Azure Database for PostgreSQL Single Server instance. +* [Azure CLI](/cli/azure/install-azure-cli) version 2.45.0 or higher. ++## Prepare your project ++### [Java](#tab/JavaSingle) ++Use the following steps to prepare your project. ++1. In your project's *pom.xml* file, add the following dependency: ++ ```xml + <dependency> + <groupId>org.springframework.boot</groupId> + <artifactId>spring-boot-starter-data-jpa</artifactId> + </dependency> + <dependency> + <groupId>com.azure.spring</groupId> + <artifactId>spring-cloud-azure-starter-jdbc-postgresql</artifactId> + </dependency> + ``` ++1. In the *application.properties* file, remove any `spring.datasource.*` properties. ++1. Update the current app by running `az spring app deploy`, or create a new deployment for this change by running `az spring app deployment create`. ++### [Polyglot](#tab/PolyglotSingle) ++All the connection strings and credentials will be injected as the environment variables, which can be referenced in your application codes. ++You can find the default environment variable names in this doc: [Integrate Azure Database for PostgreSQL with Service Connector](../../service-connector/how-to-integrate-postgres.md#default-environment-variable-names-or-application-properties-and-sample-code) ++++## Bind your app to the Azure Database for PostgreSQL instance ++> [!NOTE] +> Service Connectors are created at the deployment level. So if another deployment is created, you need to create the connections again. ++### [Passwordless](#tab/PasswordlessSingle) ++1. Install the [Service Connector](../../service-connector/overview.md) passwordless extension for the Azure CLI: ++ ```azurecli + az extension add --name serviceconnector-passwordless --upgrade + ``` ++1. Configure Azure Spring Apps to connect to the PostgreSQL Database with a system-assigned managed identity using the `az spring connection create` command. ++ ```azurecli + az spring connection create postgres \ + --resource-group $AZ_SPRING_APPS_RESOURCE_GROUP \ + --service $AZ_SPRING_APPS_SERVICE_INSTANCE_NAME \ + --app $APP_NAME \ + --deployment $DEPLOYMENT_NAME \ + --target-resource-group $POSTGRES_RESOURCE_GROUP \ + --server $POSTGRES_SERVER_NAME \ + --database $DATABASE_NAME \ + --system-identity + ``` ++### [Password](#tab/SecretsSingle) ++Use the following steps to bind your app using a secret. ++1. Note the admin username and password of your Azure Database for PostgreSQL account. ++1. Connect to the server, create a database named **testdb** from a PostgreSQL client, and then create a new non-admin account. ++1. Run the following command to connect to the database with admin username and password. ++ ```azurecli + az spring connection create postgres \ + --resource-group $AZ_SPRING_APPS_RESOURCE_GROUP \ + --service $AZ_SPRING_APPS_SERVICE_INSTANCE_NAME \ + --app $APP_NAME \ + --deployment $DEPLOYMENT_NAME \ + --target-resource-group $POSTGRES_RESOURCE_GROUP \ + --server $POSTGRES_SERVER_NAME \ + --database $DATABASE_NAME \ + --secret name=$USERNAME secret=$PASSWORD + ``` +++++## Next steps ++In this article, you learned how to bind an application in Azure Spring Apps to an Azure Database for PostgreSQL instance. To learn more about binding services to an application, see [Bind an Azure Cosmos DB database to an application in Azure Spring Apps](./how-to-bind-cosmos.md). |
spring-apps | How To Bind Redis | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-bind-redis.md | + + Title: Connect Azure Cache for Redis to your application in Azure Spring Apps +description: Learn how to connect Azure Cache for Redis to your application in Azure Spring Apps +++ Last updated : 10/31/2019+++++# Connect Azure Cache for Redis to your application in Azure Spring Apps ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Java ✔️ C# ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++Instead of manually configuring your Spring Boot applications, you can automatically connect selected Azure services to your applications by using Azure Spring Apps. This article shows how to connect your application to Azure Cache for Redis. ++## Prerequisites ++* A deployed Azure Spring Apps instance +* An Azure Cache for Redis service instance +* The Azure Spring Apps extension for the Azure CLI ++If you don't have a deployed Azure Spring Apps instance, follow the steps in the [Quickstart: Deploy your first application to Azure Spring Apps](./quickstart.md). ++## Prepare your project ++### [Java](#tab/Java) ++1. Add the following dependency to your project's *pom.xml* file: ++ ```xml + <dependency> + <groupId>org.springframework.boot</groupId> + <artifactId>spring-boot-starter-data-redis-reactive</artifactId> + </dependency> + ``` ++1. Remove any `spring.redis.*` properties from the *application.properties* file ++1. Update the current deployment using `az spring app update` or create a new deployment using `az spring app deployment create`. ++### [Polyglot](#tab/Polyglot) ++All the connection strings and credentials are injected as environment variables, which you can reference in your application code. ++For the default environment variable names, see [Integrate Azure Cache for Redis with Service Connector](../../service-connector/how-to-integrate-redis-cache.md#default-environment-variable-names-or-application-properties-and-sample-code). ++++## Connect your app to the Azure Cache for Redis ++### [Service Connector](#tab/Service-Connector) ++> [!NOTE] +> By default, Service Connectors are created at the application level. To override the connections, you can create other connections again in the deployments. ++1. Use the Azure CLI to configure your Spring app to connect to a Redis database with an access key using the `az spring connection create` command, as shown in the following example. ++ ```azurecli + az spring connection create redis \ + --resource-group $AZURE_SPRING_APPS_RESOURCE_GROUP \ + --service $AZURE_SPRING_APPS_SERVICE_INSTANCE_NAME \ + --app $APP_NAME \ + --deployment $DEPLOYMENT_NAME \ + --target-resource-group $REDIS_RESOURCE_GROUP \ + --server $REDIS_SERVER_NAME\ + --database $REDIS_DATABASE_NAME \ + --secret + ``` ++ > [!NOTE] + > If you're using [Service Connector](../../service-connector/overview.md) for the first time, start by running the command `az provider register --namespace Microsoft.ServiceLinker` to register the Service Connector resource provider. + > + > If you're using Redis Enterprise, use the `az spring connection create redis-enterprise` command instead. ++ > [!TIP] + > Run the command `az spring connection list-support-types --output table` to get a list of supported target services and authentication methods for Azure Spring Apps. If the `az spring` command isn't recognized by the system, check that you have installed the required extension by running `az extension add --name spring`. ++1. Alternatively, you can use the Azure portal to configure this connection by completing the following steps. The Azure portal provides the same capabilities as the Azure CLI and provides an interactive experience. ++ 1. Select your Azure Spring Apps instance in the Azure portal and then select **Apps** from the navigation menu. Choose the app you want to connect and then select **Service Connector** on the navigation menu. ++ 1. Select **Create**. ++ 1. On the **Basics** tab, for service type, select Cache for Redis. Choose a subscription and a Redis cache server. Fill in the Redis database name ("0" in this example) and under client type, select Java. Select **Next: Authentication**. ++ 1. On the **Authentication** tab, choose **Connection string**. Service Connector automatically retrieves the access key from your Redis database account. Select **Next: Networking**. ++ 1. On the **Networking** tab, select **Configure firewall rules to enable access to target service**, then select **Review + Create**. ++ 1. On the **Review + Create** tab, wait for the validation to pass and then select **Create**. The creation can take a few minutes to complete. ++ 1. Once the connection between your Spring app your Redis database has been generated, you can see it in the Service Connector page and select the unfold button to view the configured connection variables. ++### [Terraform](#tab/Terraform) ++The following Terraform script shows how to set up an Azure Spring Apps app with Azure Cache for Redis. ++```terraform +provider "azurerm" { + features {} +} ++variable "application_name" { + type = string + description = "The name of your application" + default = "demo-abc" +} ++resource "azurerm_resource_group" "example" { + name = "example-resources" + location = "West Europe" +} ++resource "azurerm_redis_cache" "redis" { + name = "redis-${var.application_name}-001" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + capacity = 0 + family = "C" + sku_name = "Standard" + enable_non_ssl_port = false + minimum_tls_version = "1.2" +} ++resource "azurerm_spring_cloud_service" "example" { + name = "${var.application_name}" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location +} ++resource "azurerm_spring_cloud_app" "example" { + name = "${var.application_name}-app" + resource_group_name = azurerm_resource_group.example.name + service_name = azurerm_spring_cloud_service.example.name + is_public = true + https_only = true +} ++resource "azurerm_spring_cloud_java_deployment" "example" { + name = "default" + spring_cloud_app_id = azurerm_spring_cloud_app.example.id + quota { + cpu = "2" + memory = "4Gi" + } + instance_count = 2 + jvm_options = "-XX:+PrintGC" + runtime_version = "Java_11" ++ environment_variables = { + "spring.redis.host" = azurerm_redis_cache.redis.hostname + "spring.redis.password" = azurerm_redis_cache.redis.primary_access_key + "spring.redis.port" = "6380" + "spring.redis.ssl" = "true" + } +} ++resource "azurerm_spring_cloud_active_deployment" "example" { + spring_cloud_app_id = azurerm_spring_cloud_app.example.id + deployment_name = azurerm_spring_cloud_java_deployment.example.name +} +``` ++++## Next steps ++In this article, you learned how to connect your application in Azure Spring Apps to Azure Cache for Redis. To learn more about connecting services to your application, see [Connect to an Azure Database for MySQL instance](./how-to-bind-mysql.md). |
spring-apps | How To Capture Dumps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-capture-dumps.md | + + Title: Capture heap dump and thread dump manually and use Java Flight Recorder in Azure Spring Apps +description: Learn how to manually capture a heap dump, a thread dump, or start Java Flight Recorder. ++++ Last updated : 01/21/2022++++# Capture heap dump and thread dump manually and use Java Flight Recorder in Azure Spring Apps ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Java ❌ C# ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article describes how to manually generate a heap dump or thread dump, and how to start Java Flight Recorder (JFR). ++Effective troubleshooting is critical to ensure you can fix issues in production environments and keep your business online. Azure Spring Apps provides application log streaming and query, rich metrics emitting, alerts, distributed tracing, and so forth. However, when you get alerts about requests with high latency, JVM heap leak, or high CPU usage, there's no last-mile solution. For this reason, we've enabled you to manually generate a heap dump, generate a thread dump, and start JFR. ++## Prerequisites ++* A deployed Azure Spring Apps service instance. To get started, see [Quickstart: Deploy your first application to Azure Spring Apps](quickstart.md). +* At least one application already created in your service instance. +* Your own persistent storage as described in [How to enable your own persistent storage in Azure Spring Apps](how-to-custom-persistent-storage.md). This storage is used to save generated diagnostic files. The paths you provide in the parameter values below should be under the mount path of the persistent storage bound to your app. If you want to use a path under the mount path, be sure to create the subpath beforehand. ++## Generate a heap dump ++Use the following command to generate a heap dump of your app in Azure Spring Apps. ++```azurecli +az spring app deployment generate-heap-dump \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --app <app-name> \ + --deployment <deployment-name> \ + --app-instance <app-instance name> \ + --file-path <your-target-file-path-in-your-persistent-storage-mount-path> +``` ++## Generate a thread dump ++Use the following command to generate a thread dump of your app in Azure Spring Apps. ++```azurecli +az spring app deployment generate-thread-dump \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --app <app-name> \ + --deployment <deployment-name> \ + --app-instance <app-instance name> \ + --file-path <your-target-file-path-in-your-persistent-storage-mount-path> +``` ++## Start JFR ++Use the following command to start JFR for your app in Azure Spring Apps. ++```azurecli +az spring app deployment start-jfr \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --app <app-name> \ + --deployment <deployment-name> \ + --app-instance <app-instance name> \ + --file-path <your-target-file-path-in-your-persistent-storage-mount-path> \ + --duration <duration-of-JFR> +``` ++The default value for `duration` is 60 seconds. ++## Generate a dump using the Azure portal ++Use the following steps to generate a heap or thread dump of your app in Azure Spring Apps. ++1. In the Azure portal, navigate to your target app, then select **Troubleshooting**. ++ :::image type="content" source="media/how-to-capture-dumps/app-troubleshooting.png" alt-text="Screenshot of the Azure portal showing the app Overview page with the Troubleshooting button highlighted." lightbox="media/how-to-capture-dumps/app-troubleshooting.png"::: ++1. In the **Troubleshooting** pane, select the app instance and the type of dump you'd like to collect. ++ :::image type="content" source="media/how-to-capture-dumps/heap-dump.png" alt-text="Screenshot of the Azure portal Troubleshooting pane." lightbox="media/how-to-capture-dumps/heap-dump.png"::: ++1. In the **File path** field, specify the mount path of your persistent storage. +1. Select **Collect**. ++## Get your diagnostic files ++Navigate to the target file path in your persistent storage and find your dump/JFR. From there, you can download them to your local machine. The name of the generated file will be similar to *`<app-instance>_heapdump_<time-stamp>.hprof`* for the heap dump, *`<app-instance>_threaddump_<time-stamp>.txt`* for the thread dump, and *`<app-instance>_JFR_<time-stamp>.jfr`* for the JFR file. ++## Next steps ++* [Use the diagnostic settings of JVM options for advanced troubleshooting in Azure Spring Apps](how-to-dump-jvm-options.md) |
spring-apps | How To Cicd | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-cicd.md | + + Title: Automate application deployments to Azure Spring Apps +description: Describes how to use the Azure Spring Apps task for Azure Pipelines. +++ Last updated : 09/13/2021+++zone_pivot_groups: programming-languages-spring-apps +++# Automate application deployments to Azure Spring Apps ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article shows you how to use the [Azure Spring Apps task for Azure Pipelines](/azure/devops/pipelines/tasks/deploy/azure-spring-cloud) to deploy applications. ++Continuous integration and continuous delivery tools let you quickly deploy updates to existing applications with minimal effort and risk. Azure DevOps helps you organize and control these key jobs. ++The following video describes end-to-end automation using tools of your choice, including Azure Pipelines. ++<br> ++> [!VIDEO https://www.youtube.com/embed/D2cfXAbUwDc?list=PLPeZXlCR7ew8LlhnSH63KcM0XhMKxT1k_] +++## Create an Azure Resource Manager service connection ++First, create an Azure Resource Manager service connection to your Azure DevOps project. For instructions, see [Connect to Microsoft Azure](/azure/devops/pipelines/library/connect-to-azure). Be sure to select the same subscription you're using for your Azure Spring Apps service instance. ++## Build and deploy apps ++You can now build and deploy your projects using a series of tasks. The following Azure Pipelines template defines variables, a .NET Core task to build the application, and an Azure Spring Apps task to deploy the application. ++```yaml +variables: + workingDirectory: './steeltoe-sample' + planetMainEntry: 'Microsoft.Azure.SpringCloud.Sample.PlanetWeatherProvider.dll' + solarMainEntry: 'Microsoft.Azure.SpringCloud.Sample.SolarSystemWeather.dll' + planetAppName: 'planet-weather-provider' + solarAppName: 'solar-system-weather' + serviceName: '<your service name>' ++steps: +# Restore, build, publish and package the zipped planet app +- task: DotNetCoreCLI@2 + inputs: + command: 'publish' + publishWebProjects: false + arguments: '--configuration Release' + zipAfterPublish: false + modifyOutputPath: false + workingDirectory: $(workingDirectory) ++# Deploy the planet app +- task: AzureSpringCloud@0 + inputs: + azureSubscription: '<Service Connection Name>' + Action: 'Deploy' + AzureSpringCloud: $(serviceName) + AppName: 'testapp' + DeploymentType: 'Artifacts' + UseStagingDeployment: false + DeploymentName: 'default' + Package: $(workingDirectory)/src/$(planetAppName)/publish-deploy-planet.zip + RuntimeVersion: 'NetCore_31' + DotNetCoreMainEntryPath: $(planetMainEntry) ++# Deploy the solar app +- task: AzureSpringCloud@0 + inputs: + azureSubscription: '<Service Connection Name>' + Action: 'Deploy' + AzureSpringCloud: $(serviceName) + AppName: 'testapp' + DeploymentType: 'Artifacts' + UseStagingDeployment: false + DeploymentName: 'default' + Package: $(workingDirectory)/src/$(solarAppName)/publish-deploy-solar.zip + RuntimeVersion: 'NetCore_31' + DotNetCoreMainEntryPath: $(solarMainEntry) +``` +++## Set up an Azure Spring Apps instance and an Azure DevOps project ++First, use the following steps to set up an existing Azure Spring Apps instance for use with Azure DevOps. ++1. Go to your Azure Spring Apps instance, then create a new app. +1. Go to the Azure DevOps portal, then create a new project under your chosen organization. If you don't have an Azure DevOps organization, you can create one for free. +1. Select **Repos**, then import the [Spring Boot demo code](https://github.com/spring-guides/gs-spring-boot) to the repository. ++## Create an Azure Resource Manager service connection ++Next, create an Azure Resource Manager service connection to your Azure DevOps project. For instructions, see [Connect to Microsoft Azure](/azure/devops/pipelines/library/connect-to-azure). Be sure to select the same subscription you're using for your Azure Spring Apps service instance. ++## Build and deploy apps ++You can now build and deploy your projects using a series of tasks. The following sections show you various options for deploying your app using Azure DevOps. ++### Deploy using a pipeline ++To deploy using a pipeline, follow these steps: ++1. Select **Pipelines**, then create a new pipeline with a Maven template. +1. Edit the *azure-pipelines.yml* file to set the `mavenPomFile` field to *'complete/pom.xml'*. +1. Select **Show assistant** on the right side, then select the **Azure Spring Apps** template. +1. Select the service connection you created for your Azure Subscription, then select your Azure Spring Apps instance and app instance. +1. Disable **Use Staging Deployment**. +1. Set **Package or folder** to *complete/target/spring-boot-complete-0.0.1-SNAPSHOT.jar*. +1. Select **Add** to add this task to your pipeline. + + Your pipeline settings should match the following image. ++ :::image type="content" source="media/how-to-cicd/pipeline-task-setting.jpg" alt-text="Screenshot of pipeline settings." lightbox="media/how-to-cicd/pipeline-task-setting.jpg"::: ++ You can also build and deploy your projects using following pipeline template. This example first defines a Maven task to build the application, followed by a second task that deploys the JAR file using the Azure Spring Apps task for Azure Pipelines. ++ ```yaml + steps: + - task: Maven@3 + inputs: + mavenPomFile: 'complete/pom.xml' + - task: AzureSpringCloud@0 + inputs: + azureSubscription: '<your service connection name>' + Action: 'Deploy' + AzureSpringCloud: <your Azure Spring Apps service> + AppName: <app-name> + DeploymentType: 'Artifacts' + UseStagingDeployment: false + DeploymentName: 'default' + Package: ./target/your-result-jar.jar + ``` ++3. Select **Save and run**, then wait for job to finish. ++### Blue-green deployments ++The deployment shown in the previous section receives application traffic immediately upon deployment. This enables you to test the application in the production environment before it receives any customer traffic. ++#### Edit the pipeline file ++To build the application the same way as shown previously and deploy it to a staging deployment, use the following template. In this example, the staging deployment must already exist. For an alternative approach, see [Blue-green deployment strategies](concepts-blue-green-deployment-strategies.md). ++```yaml +steps: +- task: Maven@3 + inputs: + mavenPomFile: 'pom.xml' +- task: AzureSpringCloud@0 + inputs: + azureSubscription: '<your service connection name>' + Action: 'Deploy' + AzureSpringCloud: <your Azure Spring Apps service> + AppName: <app-name> + DeploymentType: 'Artifacts' + UseStagingDeployment: true + Package: ./target/your-result-jar.jar +- task: AzureSpringCloud@0 + inputs: + azureSubscription: '<your service connection name>' + Action: 'Set Production' + AzureSpringCloud: <your Azure Spring Apps service> + AppName: <app-name> + UseStagingDeployment: true +``` ++#### Use the Releases section ++The following steps show you how to enable a blue-green deployment from the **Releases** section. ++1. Select **Pipelines** and create a new pipeline for your Maven build and publish artifact. + 1. Select **Azure Repos Git** for your code location. + 1. Select a repository where your code is located. + 1. Select the **Maven** template and modify the file to set the `mavenPomFile` field to *`complete/pom.xml`*. + 1. Select **Show assistant** on the right side and select the **Publish build artifacts** template. + 1. Set **Path to publish** to *complete/target/spring-boot-complete-0.0.1-SNAPSHOT.jar*. + 1. Select **Save and run**. ++1. Select **Releases**, then **Create release**. +1. Add a new pipeline, and select **Empty job** to create a job. +1. Under **Stages** select the line **1 job, 0 task** ++ :::image type="content" source="media/how-to-cicd/create-new-job.jpg" alt-text="Screenshot of where to select to add a task to a job." lightbox="media/how-to-cicd/create-new-job.jpg"::: ++ 1. Select the **+** to add a task to the job. + 1. Search for the **Azure Spring Apps** template, then select **Add** to add the task to the job. + 1. Select **Azure Spring Apps Deploy:** to edit the task. + 1. Fill this task with your app's information, then disable **Use Staging Deployment**. + 1. Enable **Create a new staging deployment if one does not exist**, then enter a name in **Deployment**. + 1. Select **Save** to save this task. + 1. Select **OK**. +1. Select **Pipeline**, then select **Add an artifact**. + 1. Under **Source (build pipeline)** select the pipeline created previously. + 1. Select **Add**, then **Save**. +1. Select **1 job, 1 task** under **Stages**. +1. Navigate to the **Azure Spring Apps Deploy** task in **Stage 1**, then select the ellipsis next to **Package or folder**. +1. Select *spring-boot-complete-0.0.1-SNAPSHOT.jar* in the dialog, then select **OK**. ++ :::image type="content" source="media/how-to-cicd/change-artifact-path.jpg" alt-text="Screenshot of the 'Select a file or folder' dialog box." lightbox="media/how-to-cicd/change-artifact-path.jpg"::: ++1. Select the **+** to add another **Azure Spring Apps** task to the job. +1. Change the action to **Set Production Deployment**. +1. Select **Save**, then **Create release** to automatically start the deployment. ++To verify your app's current release status, select **View release**. After this task is finished, visit the Azure portal to verify your app status. ++### Deploy from source ++To deploy directly to Azure without a separate build step, use the following pipeline template. ++```yaml +- task: AzureSpringCloud@0 + inputs: + azureSubscription: '<your service connection name>' + Action: 'Deploy' + AzureSpringCloud: <your Azure Spring Apps service> + AppName: <app-name> + DeploymentType: 'Artifacts' + UseStagingDeployment: false + DeploymentName: 'default' + Package: $(Build.SourcesDirectory) +``` ++### Deploy from custom image ++To deploy directly from an existing container image, use the following pipeline template. ++```yaml +- task: AzureSpringCloud@0 + inputs: + azureSubscription: '<your service connection name>' + Action: 'Deploy' + AzureSpringCloud: '<your Azure Spring Apps service>' + AppName: '<app-name>' + DeploymentType: 'CustomContainer' + UseStagingDeployment: false + DeploymentName: 'default' + ContainerRegistry: 'docker.io' # or your Azure Container Registry, e.g: 'contoso.azurecr.io' + RegistryUsername: '$(username)' + RegistryPassword: '$(password)' + ContainerImage: '<your image tag>' +``` ++### Deploy and specify a builder (Enterprise plan only) ++If you're using the Azure Spring Apps Enterprise plan, you can also specify which builder to use for deploy actions using the `builder` option, as shown in the following example. For more information, see [Use Tanzu Build Service](how-to-enterprise-build-service.md). ++```yaml +- task: AzureSpringCloud@0 + inputs: + azureSubscription: '<your-service-connection-name>' + Action: 'Deploy' + AzureSpringCloud: '<your-Azure-Spring-Apps-service-instance-name>' + AppName: '<app-name>' + UseStagingDeployment: false + DeploymentName: 'default' + Package: './target/your-result-jar.jar' + Builder: '<your-Tanzu-Build-Service-Builder-resource>' +``` +++## Next steps ++* [Quickstart: Deploy your first Spring Boot app in Azure Spring Apps](./quickstart.md) |
spring-apps | How To Circuit Breaker Metrics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-circuit-breaker-metrics.md | + + Title: Collect Spring Cloud Resilience4J Circuit Breaker Metrics with Micrometer +description: How to collect Spring Cloud Resilience4J Circuit Breaker Metrics with Micrometer in Azure Spring Apps. ++++ Last updated : 12/15/2020++++# Collect Spring Cloud Resilience4J Circuit Breaker Metrics with Micrometer (Preview) ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article shows you how to collect Spring Cloud Resilience4j Circuit Breaker Metrics with Application Insights Java in-process agent. With this feature, you can monitor the metrics of Resilience4j circuit breaker from Application Insights with Micrometer. ++The demo [spring-cloud-circuit-breaker-demo](https://github.com/spring-cloud-samples/spring-cloud-circuitbreaker-demo) shows how the monitoring works. ++## Prerequisites ++* Enable Java In-Process agent from the [Java In-Process Agent for Application Insights guide](./how-to-application-insights.md#manage-application-insights-using-the-azure-portal). +* Enable dimension collection for resilience4j metrics from the [Application Insights guide](../../azure-monitor/app/pre-aggregated-metrics-log-metrics.md#custom-metrics-dimensions-and-pre-aggregation). +* Install Git, Maven, and Java, if not already installed on the development computer. ++## Build and deploy apps ++Use the following steps to build and deploy the sample applications. ++1. Clone and build the demo repository. ++ ```bash + git clone https://github.com/spring-cloud-samples/spring-cloud-circuitbreaker-demo.git + cd spring-cloud-circuitbreaker-demo && mvn clean package -DskipTests + ``` ++1. Create applications with endpoints. ++ ```azurecli + az spring app create \ + --resource-group ${resource-group-name} \ + --service ${Azure-Spring-Apps-instance-name} \ + --name resilience4j \ + --assign-endpoint + az spring app create \ + --resource-group ${resource-group-name} \ + --service ${Azure-Spring-Apps-instance-name} \ + --name reactive-resilience4j \ + --assign-endpoint + ``` ++1. Deploy applications. ++ ```azurecli + az spring app deploy \ + --resource-group ${resource-group-name} \ + --service ${Azure-Spring-Apps-instance-name} \ + --name resilience4j \ + --artifact-path ./spring-cloud-circuitbreaker-demo-resilience4j/target/spring-cloud-circuitbreaker-demo-resilience4j-0.0.1-SNAPSHOT.jar + az spring app deploy \ + --resource-group ${resource-group-name} \ + --service ${Azure-Spring-Apps-instance-name} \ + --name reactive-resilience4j \ + --artifact-path ./spring-cloud-circuitbreaker-demo-reactive-resilience4j/target/spring-cloud-circuitbreaker-demo-reactive-resilience4j-0.0.1-SNAPSHOT.jar + ``` ++> [!NOTE] +> +> * Include the required dependency for Resilience4j: +> +> ```xml +> <dependency> +> <groupId>io.github.resilience4j</groupId> +> <artifactId>resilience4j-micrometer</artifactId> +> </dependency> +> <dependency> +> <groupId>org.springframework.cloud</groupId> +> <artifactId>spring-cloud-starter-circuitbreaker-resilience4j</artifactId> +> </dependency> +> ``` +> +> * Your code must use the `CircuitBreakerFactory` API, which is implemented as a `bean` automatically created when you include a Spring Cloud Circuit Breaker starter. For more information, see [Spring Cloud Circuit Breaker](https://spring.io/projects/spring-cloud-circuitbreaker#overview). +> +> * The following two dependencies have conflicts with Resilient4j packages. Be sure you don't include them. +> +> ```xml +> <dependency> +> <groupId>org.springframework.cloud</groupId> +> <artifactId>spring-cloud-starter-sleuth</artifactId> +> </dependency> +> <dependency> +> <groupId>org.springframework.cloud</groupId> +> <artifactId>spring-cloud-starter-zipkin</artifactId> +> </dependency> +> ``` +> +> +> Navigate to the URL provided by gateway applications, and access the endpoint from [spring-cloud-circuit-breaker-demo](https://github.com/spring-cloud-samples/spring-cloud-circuitbreaker-demo) as follows: +> +> ```console +> /get +> /delay/{seconds} +> /fluxdelay/{seconds} +> ``` ++## Locate Resilence4j Metrics on the Azure portal ++1. In your Azure Spring Apps instance, select **Application Insights** in the navigation pane and then select **Application Insights** on the page. ++ :::image type="content" source="media/how-to-circuit-breaker-metrics/application-insights.png" alt-text="Screenshot of the Azure portal showing the Azure Spring Apps Application Insights page with the Application Insights on the button bar highlighted." lightbox="media/how-to-circuit-breaker-metrics/application-insights.png"::: ++1. Select **Metrics** in the navigation pane. The **Metrics** page provides dropdown menus and options to define the charts in this procedure. For all charts, set **Metric Namespace** to **azure.applicationinsights**. ++ :::image type="content" source="media/how-to-circuit-breaker-metrics/chart-menus.png" alt-text="Screenshot of the Azure portal Application Insights Metrics page, with Metrics highlighted in the navigation pane, and with azure-applicationinsights highlighted in the Metric Namespace dropdown menu." lightbox="media/how-to-circuit-breaker-metrics/chart-menus.png"::: ++1. Set **Metric** to **resilience4j_circuitbreaker_buffered_calls**, and then set **Aggregation** to **Avg**. ++ :::image type="content" source="media/how-to-circuit-breaker-metrics/buffered-calls.png" alt-text="Screenshot of the Azure portal Application Insights Metrics page showing a chart with Metric set to circuit breaker buffered calls and Aggregation set to Average." lightbox="media/how-to-circuit-breaker-metrics/buffered-calls.png"::: ++1. Set **Metric** to **resilience4j_circuitbreaker_calls**, and then set **Aggregation** to **Avg**. ++ :::image type="content" source="media/how-to-circuit-breaker-metrics/calls.png" alt-text="Screenshot of the Azure portal Application Insights Metrics page showing a chart with Metric set to circuit breaker calls and Aggregation set to Average." lightbox="media/how-to-circuit-breaker-metrics/calls.png"::: ++1. Set **Metric** to **resilience4j_circuitbreaker_calls**, and then set **Aggregation** to **Avg**. Select **Add filter** and set **Name** to **Delay**. ++ :::image type="content" source="media/how-to-circuit-breaker-metrics/calls-filter.png" alt-text="Screenshot of the Azure portal Application Insights Metrics page showing a chart with Metric set to circuit breaker calls and Aggregation set to Average, and with Filter set to the name Delay." lightbox="media/how-to-circuit-breaker-metrics/calls-filter.png"::: ++1. Set **Metric** to **resilience4j_circuitbreaker_calls**, and then set **Aggregation** to **Avg**. Select **Apply splitting** and set **Split by** to **kind**. ++ :::image type="content" source="media/how-to-circuit-breaker-metrics/calls-splitting.png" alt-text="Screenshot of the Azure portal Application Insights Metrics page showing a chart with Metric set to circuit breaker calls and Aggregation set to Average, and with Apply splitting selected with Split by set to kind." lightbox="media/how-to-circuit-breaker-metrics/calls-splitting.png"::: ++1. Set **Metric** to **resilience4j_circuitbreaker_calls**, and then set **Aggregation** to **Avg**. Select **Add metric** and set **Metric** to **resilience4j_circuitbreaker_buffered_calls**, and then set **Aggregation** to **Avg**. Select **Add metric** again and set **Metric** to **resilience4j_circuitbreaker_slow_calls**, and then set **Aggregation** set to **Avg**. ++ :::image type="content" source="media/how-to-circuit-breaker-metrics/slow-calls.png" alt-text="Screenshot of the Azure portal Application Insights Metrics page showing three charts: A chart with Metric set to circuit breaker calls and Aggregation set to Average. A chart with Metric set to circuit breaker calls buffered and Aggregation set to Average. A chart with Metric set to circuit breaker slow calls and Aggregation set to Average." lightbox="media/how-to-circuit-breaker-metrics/slow-calls.png"::: ++## Next steps ++* [Application insights](./how-to-application-insights.md) +* [Circuit breaker dashboard](./tutorial-circuit-breaker.md) |
spring-apps | How To Configure Enterprise Spring Cloud Gateway Filters | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-configure-enterprise-spring-cloud-gateway-filters.md | + + Title: How to use VMware Spring Cloud Gateway route filters with the Azure Spring Apps Enterprise plan +description: Shows you how to use VMware Spring Cloud Gateway route filters with the Azure Spring Apps Enterprise plan to route requests to your applications. +++ Last updated : 07/12/2023+++++# How to use VMware Spring Cloud Gateway route filters with the Azure Spring Apps Enterprise plan ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ❌ Basic/Standard ✔️ Enterprise ++This article explains how to use VMware Spring Cloud Gateway route filters with the Azure Spring Apps Enterprise plan to route requests to your applications. ++[VMware Spring Cloud Gateway](https://docs.vmware.com/en/VMware-Spring-Cloud-Gateway-for-Kubernetes/https://docsupdatetracker.net/index.html) is a commercial VMware Tanzu component based on the open-source Spring Cloud Gateway project. Spring Cloud Gateway handles cross-cutting concerns for API development teams, such as single sign-on (SSO), access control, rate-limiting, resiliency, security, and more. You can accelerate API delivery using modern cloud native patterns, and any programming language you choose for API development. ++VMware Spring Cloud Gateway includes the following features: ++- Dynamic routing configuration, independent of individual applications that can be applied and changed without recompilation. +- Commercial API route filters for transporting authorized JSON Web Token (JWT) claim to application services. +- Client certificate authorization. +- Rate-limiting approaches. +- Circuit breaker configuration. +- Support for accessing application services via HTTP Basic Authentication credentials. ++To integrate with API Portal for VMware Tanzu, VMware Spring Cloud Gateway automatically generates OpenAPI version 3 documentation after any route configuration additions or changes. For more information, see [Use API Portal for VMware Tanzu](./how-to-use-enterprise-api-portal.md). ++## Prerequisites ++- An already provisioned Azure Spring Apps Enterprise plan service instance with Spring Cloud Gateway enabled. For more information, see [Quickstart: Build and deploy apps to Azure Spring Apps using the Enterprise plan](quickstart-deploy-apps-enterprise.md). +- [Azure CLI](/cli/azure/install-azure-cli) version 2.0.67 or later. Use the following command to install the Azure Spring Apps extension: `az extension add --name spring`. ++## Use filters ++You use filters in your Spring Cloud Gateway configuration to act on the incoming request or outgoing response to a route configuration. ++For example, you can use a filter to add an HTTP header or to deny access based on an authorization token. ++## Use open source filters ++Spring Cloud Gateway OSS includes several `GatewayFilter` factories used to create filters for routes. The following sections describe these factories. ++### AddRequestHeader ++The `AddRequestHeader` factory adds a header to the downstream request's headers for all matching requests. ++This factory accepts the following configuration parameters: ++- `name` +- `value` ++The following example configures an `AddRequestHeader` factory that adds the header `X-Request-red:blue` to the downstream request's headers for all matching requests: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "AddRequestHeader=X-Request-red, blue" + ] + } +] +``` ++The `AddRequestHeader` factory has access to the URI variables used to match a path or host. You can use URI variables in the value, and the variables are expanded at runtime. ++The following example configures an `AddRequestHeader` factory that uses a variable: ++```json +[ + { + "predicates": [ + "Path=/api/{segment}" + ], + "filters": [ + "AddRequestHeader=X-Request-red, blue-{segment}" + ] + } +] +``` ++### AddRequestHeadersIfNotPresent ++The `AddRequestHeadersIfNotPresent` factory adds headers if they aren't present in the original request. ++This factory accepts the following configuration parameter: ++- `headers`: A comma-separated list of key-value pairs (header name, header value). ++The following example configures an `AddRequestHeadersIfNotPresent` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "AddRequestHeadersIfNotPresent=Content-Type:application/json,Connection:keep-alive" + ] + } +] +``` ++### AddRequestParameter ++The `AddRequestParameter` factory adds a parameter to the downstream request's query string for all matching requests. ++This factory accepts the following configuration parameters: ++- `name` +- `value` ++The following example configures an `AddRequestParameter` factory that adds a `red=blue` parameter to the downstream request's query string for all matching requests: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "AddRequestParameter=red, blue" + ] + } +] +``` ++The `AddRequestParameter` factory has access to the URI variables used to match a path or host. You can use URI variables in the value, and the variables are expanded at runtime. ++The following example configures an `AddRequestParameter` factory that uses a variable: ++```json +[ + { + "predicates": [ + "Path=/api/{segment}" + ], + "filters": [ + "AddRequestParameter=foo, bar-{segment}" + ] + } +] +``` ++### AddResponseHeader ++The `AddResponseHeader` factory adds a header to the downstream response's headers for all matching requests. ++This factory accepts the following configuration parameters: ++- `name` +- `value` ++The following example configures an `AddResponseHeader` factory that adds a `X-Response-Red:Blue` header to the downstream response's headers for all matching requests: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "AddResponseHeader=X-Response-Red, Blue" + ] + } +] +``` ++The `AddResponseHeader` factory has access to the URI variables used to match a path or host. You can use URI variables in the value, and the variables are expanded at runtime. ++The following example configures an `AddResponseHeader` factory that uses a variable: ++```json +[ + { + "predicates": [ + "Path=/api/{segment}" + ], + "filters": [ + "AddResponseHeader=foo, bar-{segment}" + ] + } +] +``` ++### CircuitBreaker ++The `CircuitBreaker` factory wraps routes in a circuit breaker. ++This factory accepts the following configuration parameters: ++- `name`: The circuit breaker name. +- `fallbackUri`: The reroute URI, which can be a local route or external handler. +- `status codes` (optional): The colon-separated list of status codes to match, in number or text format. +- `failure rate` (optional): The threshold above which the circuit breaker opens. The default value is 50%. +- `duration` (optional): The time to wait before closing again. The default value is 60 seconds. ++The following example configures a `CircuitBreaker` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "CircuitBreaker=myCircuitBreaker,forward:/inCaseOfFailureUseThis,401:NOT_FOUND:500,10,30s" + ] + } +] +``` ++### DeDupeResponseHeader ++The `DeDupeResponseHeader` factory removes duplicate values of response headers. ++This factory accepts the following configuration parameters: ++- `name`: A space-separated list of header names. +- `strategy` (optional): The accepted values are `RETAIN_FIRST`, `RETAIN_LAST`, and `RETAIN_UNIQUE`. The default value is `RETAIN_FIRST`. ++The following example configures a `DeDupeResponseHeader` factory that removes duplicate values of `Access-Control-Allow-Credentials` and `Access-Control-Allow-Origin` response headers when both values are added by the gateway CORS logic and the downstream logic: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "DeDupeResponseHeader=Access-Control-Allow-Credentials Access-Control-Allow-Origin" + ] + } +] +``` ++### FallbackHeaders ++The `FallbackHeaders` factory adds any circuit breaker exception to a header. This filter requires the use of the `CircuitBreaker` filter in another route. ++There are no parameters for this factory. ++The following example configures a `FallbackHeaders` factory with the exception type, message, and (if available) root cause exception type and message that the `FallbackHeaders` filter adds to the request: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "CircuitBreaker=myCircuitBreaker,forward:/inCaseOfFailureUseThis,401:NOT_FOUND:500,10,30s" + ] + }, + { + "predicates": [ + "Path=/inCaseOfFailureUseThis" + ], + "filters": [ + "FallbackHeaders" + ] + } +] +``` ++You can overwrite the names of the headers in the configuration by setting the values of the following parameters (mentioned with their default values): ++- `executionExceptionTypeHeaderName` ("Execution-Exception-Type") +- `executionExceptionMessageHeaderName` ("Execution-Exception-Message") +- `rootCauseExceptionTypeHeaderName` ("Root-Cause-Exception-Type") +- `rootCauseExceptionMessageHeaderName` ("Root-Cause-Exception-Message") ++### JSONToGRPC ++The `JSONToGRPCFilter` factory converts a JSON payload to a gRPC request. ++This factory accepts the following configuration parameter: ++- `protoDescriptor`: A proto descriptor file. ++You can generate this file by using `protoc` and specifying the `--descriptor_set_out` flag, as shown in the following example: ++```bash +protoc --proto_path=src/main/resources/proto/ \ + --descriptor_set_out=src/main/resources/proto/hello.pb \ + src/main/resources/proto/hello.proto +``` ++> [!NOTE] +> The `streaming` parameter isn't supported. ++The following example configures a `JSONToGRPCFilter` factory using the output from `protoc`: ++```json +[ + { + "predicates": [ + "Path=/json/**" + ], + "filters": [ + "JsonToGrpc=file:proto/hello.pb,file:proto/hello.proto,HelloService,hello" + ] + } +] +``` ++### LocalResponseCache ++The `LocalResponseCache` factory overrides the local response cache configuration for specific routes when the global cache is activated. ++This factory accepts the following configuration parameters: ++- `size`: The maximum allowed size of the cache entries for this route before cache eviction begins (in KB, MB, and GB). +- `timeToLive`: The allowed lifespan of a cache entry before expiration. Use the duration suffix `s` for seconds, `m` for minutes, or `h` for hours. ++The following example configures a `LocalResponseCache` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "LocalResponseCache=3m,1MB" + ] + } +] +``` ++### MapRequestHeader ++The `MapRequestHeader` factory adds a header to the downstream request with updated values from the incoming HTTP request's header. ++This factory accepts the following configuration parameters: ++- `fromHeader` +- `toHeader` ++This factory creates a new named header (`toHeader`), and the value is extracted out of an existing named header (`fromHeader`) from the incoming HTTP request. If the input header doesn't exist, the filter has no effect. If the new named header already exists, its values are augmented with the new values. ++The following example configures a `MapRequestHeader` factory that adds the `X-Request-Red:<values>` header to the downstream request with updated values from the incoming HTTP request's `Blue` header: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "MapRequestHeader=Blue, X-Request-Red" + ] + } +] +``` ++### PrefixPath ++The `PrefixPath` factory adds a prefix to the path of all requests. ++This factory accepts the following configuration parameter: ++- `prefix` ++The following example configures a `PrefixPath` factory that adds the prefix `/api` to the path of all requests, so that a request to `/catalog` is sent to `/api/catalog`: ++```json +[ + { + "predicates": [ + "Path=/catalog/**" + ], + "filters": [ + "PrefixPath=/api" + ] + } +] +``` ++### PreserveHostHeader ++The `PreserveHostHeader` factory sets a request attribute that the routing filter inspects to determine whether to send the original host header or the host header determined by the HTTP client. ++There are no parameters for this factory. ++The following example configures a `PreserveHostHeader` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "PreserveHostHeader" + ] + } +] +``` ++### RedirectTo ++The `RedirectTo` factory adds a redirect to the original URL. ++This factory accepts the following configuration parameters: ++- `status`: A 300 series redirect HTTP code, such as `301`. +- `url`: The value of the `Location` header. Must be a valid URI. For relative redirects, you should use `uri: no://op` as the URI of your route definition. ++The following example configures a `RedirectTo` factory that sends a status `302` with a `Location:https://acme.org` header to perform a redirect: ++```json +[ + { + "uri": "https://example.org", + "filters": [ + "RedirectTo=302, https://acme.org" + ] + } +] +``` ++### RemoveJsonAttributesResponseBody ++The `RemoveJsonAttributesResponseBody` factory removes the JSON attributes and their values from JSON response bodies. ++This factory accepts the following configuration parameters: ++- `attribute names`: A comma-separated list of the names of attributes to remove from a JSON response. +- `delete recursively` (optional, boolean): A configuration that removes the attributes only at root level (`false`), or recursively (`true`). The default value is `false`. ++The following example configures a `RemoveJsonAttributesResponseBody` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "RemoveJsonAttributesResponseBody=origin,foo,true" + ] + } +] +``` ++### RemoveRequestHeader ++The `RemoveRequestHeader` factory removes a header from the downstream request. ++This factory accepts the following configuration parameter: ++- `name`: The name of the header to be removed. ++The following listing configures a `RemoveRequestHeader` factory that removes the `X-Request-Foo` header before it's sent downstream: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "RemoveRequestHeader=X-Request-Foo" + ] + } +] +``` ++### RemoveRequestParameter ++The `RemoveRequestParameter` factory removes a parameter before it's sent downstream. ++This factory accepts the following configuration parameter: ++- `name`: The name of the query parameter to be removed. ++The following example configures a `RemoveRequestParameter` factory that removes the `red` parameter before it's sent downstream: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "RemoveRequestParameter=red" + ] + } +] +``` ++### RemoveResponseHeader ++The `RemoveResponseHeader` factory removes a header from the response before it's returned to the gateway client. ++This factory accepts the following configuration parameter: ++- `name`: The name of the header to be removed. ++The following listing configures a `RemoveResponseHeader` factory that removes the `X-Response-Foo` header from the response before it's returned to the gateway client: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "RemoveResponseHeader=X-Response-Foo" + ] + } +] +``` ++### RequestHeaderSize ++The `RequestHeaderSize` factory determines the size of the request header. ++This factory accepts the following configuration parameters: ++- `maxSize`: The maximum data size allowed by the request header, including key and value. +- `errorHeaderName`: The name of the response header containing an error message. By default, the name of the response header is `errorMessage`. ++The following listing configures a `RequestHeaderSize` factory that sends a status `431` if the size of any request header is greater than 1000 bytes: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "RequestHeaderSize=1000B" + ] + } +] +``` ++### RewriteLocationResponseHeader ++The `RewriteLocationResponseHeader` factory modifies the value of the `Location` response header, usually to get rid of backend-specific details. ++This factory accepts the following configuration parameters: ++- `stripVersionMode`: This parameter has the following possible values: `NEVER_STRIP`, `AS_IN_REQUEST`, and `ALWAYS_STRIP`. The default value is `AS_IN_REQUEST`. ++ - `NEVER_STRIP`: The version isn't stripped, even if the original request path contains no version. + - `AS_IN_REQUEST`: The version is stripped only if the original request path contains no version. + - `ALWAYS_STRIP`: The version is always stripped, even if the original request path contains version. ++- `hostValue`: This parameter is used to replace the `host:port` portion of the response `Location` header when provided. If it isn't provided, the value of the `Host` request header is used. +- `protocolsRegex`: A valid regex `String`, against which the protocol name is matched. If it isn't matched, the filter doesn't work. The default value is `http|https|ftp|ftps`. +- `locationHeaderName` ++The following listing configures a `RewriteLocationResponseHeader` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "RewriteLocationResponseHeader=AS_IN_REQUEST, Location, ," + ] + } +] +``` ++In this example, for a request value of `POST` `api.example.com/some/object/name`, the `Location` response header value of `object-service.prod.example.net/v2/some/object/id` is rewritten as `api.example.com/some/object/id`. ++### RewritePath ++The `RewritePath` factory uses Java regular expressions for a flexible way to rewrite the request path. ++This factory accepts the following configuration parameters: ++- `regexp` +- `replacement` ++The following listing configures a `RewritePath` factory: ++```json +[ + { + "predicates": [ + "Path=/red/**" + ], + "filters": [ + "RewritePath=/red/?(?<segment>.*), /$\\{segment}" + ] + } +] +``` ++In this example, for a request path of `/red/blue`, this configuration sets the path to `/blue` before making the downstream request. ++### RewriteResponseHeader ++The `RewriteResponseHeader` factory uses Java regular expressions for a flexible way to rewrite the response header value. ++This factory accepts the following configuration parameters: ++- `name` +- `regexp` +- `replacement` ++The following example configures a `RewriteResponseHeader` factory: ++```json +[ + { + "predicates": [ + "Path=/red/**" + ], + "filters": [ + "RewriteResponseHeader=X-Response-Red, , password=[^&]+, password=***" + ] + } +] +``` ++In this example, for a header value of `/42?user=ford&password=omg!what&flag=true`, the configuration is set to `/42?user=ford&password=***&flag=true` after making the downstream request. ++### SetPath ++The `SetPath` factory offers a simple way to manipulate the request path by allowing templated segments of the path. This filter uses the URI templates from Spring Framework and allows multiple matching segments. ++This factory accepts the following configuration parameter: ++- `template` ++The following example configures a `SetPath` factory: ++```json +[ + { + "predicates": [ + "Path=/red/{segment}" + ], + "filters": [ + "SetPath=/{segment}" + ] + } +] +``` ++In this example, for a request path of `/red/blue`, this configuration sets the path to `/blue` before making the downstream request. ++### SetRequestHeader ++The `SetRequestHeader` factory replaces (rather than adding) all headers with the given name. ++This factory accepts the following configuration parameters: ++- `name` +- `value` ++The following listing configures a `SetRequestHeader` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "SetRequestHeader=X-Request-Red, Blue" + ] + } +] +``` ++In this example, the downstream server responded with `X-Request-Red:1234`, and it's replaced with `X-Request-Red:Blue`. ++The `SetRequestHeader` factory has access to the URI variables used to match a path or host. You can use URI variables in the value, and the variables are expanded at runtime. ++The following example configures an `SetRequestHeader` factory that uses a variable: ++```json +[ + { + "predicates": [ + "Path=/api/{segment}" + ], + "filters": [ + "SetRequestHeader=foo, bar-{segment}" + ] + } +] +``` ++### SetResponseHeader ++The `SetResponseHeader` factory replaces (rather than adding) all headers with the given name. ++This factory accepts the following configuration parameters: ++- `name` +- `value` ++The following listing configures a `SetResponseHeader` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "SetResponseHeader=X-Response-Red, Blue" + ] + } +] +``` ++In this example, the downstream server responded with `X-Response-Red:1234`, and it's replaced with `X-Response-Red:Blue`. ++The `SetResponseHeader` factory has access to the URI variables used to match a path or host. You can use URI variables in the value, and the variables are expanded at runtime. ++The following example configures an `SetResponseHeader` factory that uses a variable: ++```json +[ + { + "predicates": [ + "Path=/api/{segment}" + ], + "filters": [ + "SetResponseHeader=foo, bar-{segment}" + ] + } +] +``` ++### SetStatus ++The `SetStatus` factory configures the response status of the server request. ++This factory accepts the following configuration parameter: ++- `status`: A valid Spring `HttpStatus` value, which can an integer value such as `404`, or the string representation of the enumeration, such as `NOT_FOUND`. ++The following listing configures a `SetStatus` factory: ++```json +[ + { + "predicates": [ + "Path=/experimental/**" + ], + "filters": [ + "SetStatus=UNAUTHORIZED" + ] + }, + { + "predicates": [ + "Path=/unknown/**" + ], + "filters": [ + "SetStatus=401" + ] + } +] +``` ++### StripPrefix ++The `StripPrefix` factory removes the prefix from the request before sending it downstream. ++This factory accepts the following configuration parameter: ++- `parts`: The number of parts in the path to strip from the request before sending it downstream. The default value is 1. ++The following example configures a `StripPrefix` factory: ++```json +[ + { + "predicates": [ + "Path=/name/**" + ], + "filters": [ + "StripPrefix=2" + ] + } +] +``` ++In this example, a request is made through the gateway to `/name/blue/red`. The request made to `nameservice` appears as `nameservice/red`. ++### Retry ++The `Retry` factory determines the number of retries attempted. ++This factory accepts the following configuration parameters: ++- `retries`: The number of retries that should be attempted. +- `statuses`: The HTTP status codes that should be retried, represented by using `org.springframework.http.HttpStatus`. +- `methods`: The HTTP methods that should be retried, represented by using `org.springframework.http.HttpMethod`. +- `series`: The series of status codes to be retried, represented by using `org.springframework.http.HttpStatus.Series`. +- `exceptions`: The list of thrown exceptions that should be retried. +- `backoff`: The configured exponential backoff for the retries. Retries are performed after a backoff interval of `firstBackoff * (factor ^ n)`, where `n` is the iteration. If `maxBackoff` is configured, the maximum backoff applied is limited to `maxBackoff`. If `basedOnPreviousValue` is true, the `backoff` is calculated by using `prevBackoff * factor`. ++The following defaults are configured for the `Retry` filter, when enabled: ++- `retries`: three times. +- `series`: 5XX series. +- `methods`: GET method. +- `exceptions`: `IOException` and `TimeoutException`. +- `backoff`: disabled. ++The following example configures a `Retry` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "Retry=3,INTERNAL_SERVER_ERROR,GET,10ms,50ms,2,false" + ] + } +] +``` ++### RequestSize ++The `RequestSize` factory can restrict a request from reaching the downstream service when the request size is greater than the permissible limit. ++This factory accepts the following configuration parameter: ++- `maxSize`: A `DataSize` type where values are defined as a number followed by an optional `DataUnit` suffix such as `KB` or `MB`. The default suffix value is `B` for bytes. It's the permissible size limit of the request defined in bytes. ++The following example configures a `RequestSize` factory: ++```json +[ + { + "predicates": [ + "Path=/upload" + ], + "filters": [ + "RequestSize=5000000" + ] + } +] +``` ++In this example, when the request is rejected due to size, the `RequestSize` factory sets the response status to `413 Payload Too Large` with another header `errorMessage`. ++The following example shows an `errorMessage`: ++```output +errorMessage : Request size is larger than permissible limit. Request size is 6.0 MB where permissible limit is 5.0 MB +``` ++### TokenRelay ++The `TokenRelay` factory forwards an `OAuth2` access token to downstream resources. This filter is configured as a `boolean` value in the route definition rather than an explicit filter. ++The following example configures a `TokenRelay` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "tokenRelay": true + } +] +``` ++## Use commercial filters ++Spring Cloud Gateway for Kubernetes also provides many custom `GatewayFilter` factories. The following sections describe these factories. ++### AllowedRequestCookieCount ++The `AllowedRequestCookieCount` factory determines whether a matching request is allowed to proceed based on the number of cookies. ++This factory accepts the following configuration parameter: ++- `amount`: The number of allowed cookies. ++The following example configures a `AllowedRequestCookieCount` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "AllowedRequestCookieCount=2" + ] + } +] +``` ++### AllowedRequestHeadersCount ++The `AllowedRequestHeadersCount` factory determines whether a matching request is allowed to proceed based on the number of headers. ++This factory accepts the following configuration parameter: ++- `amount`: The number of allowed headers. ++The following example configures a `AllowedRequestHeadersCount` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "AllowedRequestHeadersCount=4" + ] + } +] +``` ++### AllowedRequestQueryParamsCount ++The `AllowedRequestQueryParamsCount` factory determines whether a matching request is allowed to proceed based on the number query parameters. ++This factory accepts the following configuration parameter: ++- `amount`: The number of allowed parameters. ++The following example configures a `AllowedRequestQueryParamsCount` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "AllowedRequestQueryParamsCount=3" + ] + } +] +``` ++### BasicAuth ++The `BasicAuth` factory adds a `BasicAuth` `Authorization` header to requests. ++There are no parameters for this factory. ++The following example configures a `BasicAuth` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "BasicAuth" + ] + } +] +``` ++### ClaimHeader ++The `ClaimHeader` factory copies data from a JWT claim into an HTTP header. ++This factory accepts the following configuration parameters: ++- `Claim name`: The case sensitive name of the claim to pass. +- `Header name`: The name of the HTTP header. ++The following example configures a `ClaimHeader` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "ClaimHeader=sub,X-Claim-Sub" + ] + } +] +``` ++### ClientCertificateHeader ++The `ClientCertificateHeader` factory validates the `X-Forwarded-Client-Cert` header certificate. ++This factory accepts the following configuration parameters: ++- `domain pattern`: The `X-Forwarded-Client-Cert` value according to Kubernetes's ability to recognize the client certificate's CA. +- `certificate fingerprint`(optional): The TLS/SSL certificate fingerprint. ++The following example configures a `ClientCertificateHeader` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "ClientCertificateHeader=*.example.com,sha-1:aa:bb:00:99" + ] + } +] +``` ++### Cors ++The `Cors` factory activates the CORS validations on a route. ++This factory accepts the following configuration parameters that are organized as key-value pairs for CORS options: ++- `allowedOrigins` +- `allowedMethods` +- `allowedHeaders` +- `maxAge` +- `allowCredentials` +- `allowedOriginPatterns` ++The following example configures a `Cors` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "Cors=[allowedOrigins:https://origin-1,allowedMethods:GET;POST;DELETE,allowedHeaders:*,maxAge:400,allowCredentials:true,allowedOriginPatterns:https://*.test.com:8080]" + ] + } +] +``` ++### JsonToXml ++The `JsonToXml` factory transforms JSON response body into XML response body. ++This factory accepts the following configuration parameter: ++- `wrapper`: The root tag name for the XML response if another root tag is required to generate valid XML. The default value is `response`. ++The following example configures a `JsonToXml` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "JsonToXml=custom-response" + ] + } +] +``` ++### RateLimit ++The `RateLimit` factory determines whether a matching request is allowed to proceed based on request volume. ++This factory accepts the following configuration parameters: ++- `request limit`: The maximum number of requests accepted during the window. +- `window duration`: The window duration in milliseconds. Alternatively, you can use the `s`, `m` or `h` suffixes to specify the duration in seconds, minutes, or hours. +- `partition source` (optional): The location of the partition key (`claim`, `header`, or `IPs`). +- `partition key` (optional): The value used to partition request counters. ++The following example configures a `RateLimit` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "RateLimit=1,10s" + ] + } +] +``` ++The following examples show other `RateLimit` configurations: ++``` +RateLimit=1,10s +RateLimit=1,10s,{claim:client_id} +RateLimit=1,10s,{header:client_id} +RateLimit=2,10s,{IPs:2;127.0.0.1;192.168.0.1} +``` ++### RestrictRequestHeaders ++The `RestrictRequestHeaders` factory determines whether a matching request is allowed to proceed based on the headers. ++If there are any HTTP headers that aren't in the case-insensitive `headerList` configuration, then a response of `431 Forbidden error` is returned to the client. ++This factory accepts the following configuration parameter: ++- `headerList`: The case-insensitive list of names of allowed headers. ++The following example configures a `RestrictRequestHeaders` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "RestrictRequestHeaders=Content-Type,x-request-temp" + ] + } +] +``` ++### RewriteAllResponseHeaders ++The `RewriteAllResponseHeaders` factory rewrites multiple response headers at once. ++This factory accepts the following configuration parameters: ++- `pattern to match`: The regular expression to match against header values. +- `replacement`: The replacement value. ++The following example configures a `RewriteAllResponseHeaders` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "RewriteAllResponseHeaders=\\d,0" + ] + } +] +``` ++### RewriteResponseBody ++The `RewriteResponseBody` factory modifies the body of a response. ++This factory accepts the following configuration parameters that are organized as a comma-separated list of key-value pairs, where each pair accepts the form `pattern to match:replacement`: ++- `pattern to match`: The regular expression to match against text in the response body. +- `replacement`: The replacement value. ++The following example configures a `RewriteResponseBody` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "RewriteResponseBody=foo:bar,/path-one/:/path-two/" + ] + } +] +``` ++### RewriteJsonAttributesResponseBody ++The `RewriteJsonAttributesResponseBody` factory rewrites JSON attributes using `JSONPath` notation. ++This factory accepts the following configuration parameters that are organized as a comma-separated list of key-value pairs, where each pair accepts the form `jsonpath:replacement`: ++- `jsonpath`: The `JSONPath` expression to match against the response body. +- `replacement`: The replacement value. ++The following example configures a `RewriteJsonAttributesResponseBody` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "RewriteJsonAttributesResponseBody=slides[1]. Title: Welcome,date:11-11-2022" + ] + } +] +``` ++### Roles ++The `Roles` factory authorizes requests that contain one of the configured roles. ++This factory accepts the following configuration parameter: ++- `roles`: A comma-separated list of authorized roles. ++The following example configures a `Roles` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "Roles=role_01,role_02" + ] + } +] +``` ++### Scopes ++The `Scopes` factory authorizes requests that contain one of the configured `OAuth` scopes. ++This factory accepts the following configuration parameter: ++- `scopes`: A comma-separated list of authorized `OAuth` scopes. ++The following example configures a `Scopes` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "Scopes=api.read,api.write,user" + ] + } +] +``` ++### StoreIpAddress ++The `StoreIPAddress` factory is used for extension development only and in the context of the application. ++This factory accepts the following configuration parameter: ++- `attribute name`: The name used to store the IP as an exchange attribute. ++The following example configures a `StoreIPAddress` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "StoreIpAddress=ip" + ] + } +] +``` ++### SSO login ++The `SSO login` factory redirects to authenticate if there's no valid authorization token. This factory is configured as a `boolean` value in the route definition rather than an explicit filter. ++The following example configures a `SSO login` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "ssoEnabled": true + } +] +``` ++### StoreHeader ++The `StoreHeader` factory stores a header value in the context of the application. This filter is used for extension development only. ++This factory accepts the following configuration parameters: ++- `headers`: A list of headers to check. The first one found is used. +- `attribute name`: The name used to store the header value as an exchange attribute. ++The following example configures a `StoreHeader` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "StoreHeader=x-tracing-header,custom-id,x-custom-id,tracingParam" + ] + } +] +``` ++### XmlToJson ++The `XmlToJson` factory transforms XML response body into JSON response body. ++There are no parameters for this factory. ++The following example configures a `XmlToJson` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "XmlToJson" + ] + } +] +``` ++## Next steps ++- [Azure Spring Apps](index.yml) +- [Quickstart: Build and deploy apps to Azure Spring Apps using the Enterprise plan](./quickstart-deploy-apps-enterprise.md) |
spring-apps | How To Configure Enterprise Spring Cloud Gateway | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-configure-enterprise-spring-cloud-gateway.md | + + Title: Configure VMware Spring Cloud Gateway +description: Learn how to configure VMware Spring Cloud Gateway with the Azure Spring Apps Enterprise plan. ++++ Last updated : 11/04/2022++++# Configure VMware Spring Cloud Gateway ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ❌ Basic/Standard ✔️ Enterprise ++This article shows you how to configure VMware Spring Cloud Gateway for VMware Tanzu with the Azure Spring Apps Enterprise plan. ++[VMware Spring Cloud Gateway](https://docs.vmware.com/en/VMware-Spring-Cloud-Gateway-for-Kubernetes/https://docsupdatetracker.net/index.html) is a commercial VMware Tanzu component based on the open-source Spring Cloud Gateway project. VMware Spring Cloud Gateway for Tanzu handles the cross-cutting concerns for API development teams, such as single sign-on (SSO), access control, rate limiting, resiliency, and security. You can accelerate API delivery by using modern cloud-native patterns in your choice of programming language for API development. ++A VMware Spring Cloud Gateway instance routes traffic according to rules. It supports scaling *in/out* and *up/down* to meet a dynamic traffic load. ++VMware Spring Cloud Gateway includes the following features: ++- Dynamic routing configuration, independent of individual applications, that you can apply and change without recompiling +- Commercial API route filters for transporting authorized JSON Web Token (JWT) claims to application services +- Client certificate authorization +- Rate-limiting approaches +- Circuit breaker configuration +- Support for accessing application services via HTTP Basic Authentication credentials ++To integrate with API portal for VMware Tanzu, VMware Spring Cloud Gateway automatically generates OpenAPI version 3 documentation after any additions or changes to route configuration. For more information, see [Use API portal for VMware Tanzu](./how-to-use-enterprise-api-portal.md). ++## Prerequisites ++- An already provisioned Azure Spring Apps Enterprise plan service instance with VMware Spring Cloud Gateway enabled. For more information, see [Quickstart: Build and deploy apps to Azure Spring Apps using the Enterprise plan](quickstart-deploy-apps-enterprise.md). +- [Azure CLI](/cli/azure/install-azure-cli) version 2.0.67 or later. Use the following command to install the Azure Spring Apps extension: `az extension add --name spring`. ++## Enable or disable VMware Spring Cloud Gateway ++You can enable or disable VMware Spring Cloud Gateway after creation of the service instance by using the Azure portal or the Azure CLI. Before you disable VMware Spring Cloud Gateway, you must unassign its endpoint and remove all route configurations. ++### [Azure portal](#tab/Azure-portal) ++Use the following steps to enable or disable VMware Spring Cloud Gateway by using the Azure portal: ++1. Go to your service resource, and then select **Spring Cloud Gateway**. +1. Select **Manage**. +1. Select or clear the **Enable Spring Cloud Gateway** checkbox, and then select **Save**. ++You can now view the state of the Spring Cloud Gateway on the **Spring Cloud Gateway** page. +++### [Azure CLI](#tab/Azure-CLI) ++Use the following Azure CLI commands to enable or disable VMware Spring Cloud Gateway: ++```azurecli +az spring gateway create \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> +``` ++```azurecli +az spring gateway delete \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> +``` ++++## Restart VMware Spring Cloud Gateway ++After you complete the restart action, VMware Spring Cloud Gateway instances are restarted on a rolling basis. ++### [Azure portal](#tab/Azure-portal) ++Use the following steps to restart VMware Spring Cloud Gateway by using the Azure portal: ++1. Go to your service resource, and then select **Spring Cloud Gateway**. +1. Select **Restart**. +1. Select **OK** to confirm the restart. +++### [Azure CLI](#tab/Azure-CLI) ++Use the following Azure CLI command to restart the gateway: ++```azurecli +az spring gateway restart \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> +``` ++++## Assign a public endpoint to VMware Spring Cloud Gateway ++This section describes how to assign a public endpoint to VMware Spring Cloud Gateway and configure its properties. ++#### [Azure portal](#tab/Azure-portal) ++To assign an endpoint in the Azure portal, use the following steps: ++1. Open your Azure Spring Apps instance. +1. Select **Spring Cloud Gateway** on the navigation pane, and then select **Overview**. +1. Set **Assign endpoint** to **Yes**. ++After a few minutes, **URL** shows the configured endpoint URL. Save the URL to use later. +++#### [Azure CLI](#tab/Azure-CLI) ++Use the following command to assign the endpoint: ++```azurecli +az spring gateway update \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --assign-endpoint true +``` ++++## Configure VMware Spring Cloud Gateway metadata ++VMware Spring Cloud Gateway metadata automatically generates OpenAPI version 3 documentation. You can configure VMware Spring Cloud Gateway metadata to display route groups in API portal for VMware Tanzu. For more information, see [Use API portal for VMware Tanzu](./how-to-use-enterprise-api-portal.md). ++The following table describes the available metadata options: ++| Property | Description | +|--|-| +| `title` | A title that describes the context of the APIs available on the VMware Spring Cloud Gateway instance. The default value is `Spring Cloud Gateway for K8S`. | +| `description` | A detailed description of the APIs available on the VMware Spring Cloud Gateway instance. The default value is `Generated OpenAPI 3 document that describes the API routes configured for '[Gateway instance name]' Spring Cloud Gateway instance deployed under '[namespace]' namespace.*.` | +| `documentation` | The location of API documentation that's available on the VMware Spring Cloud Gateway instance. | +| `version` | The version of APIs available on this VMware Spring Cloud Gateway instance. The default value is `unspecified`. | +| `serverUrl` | The base URL to access APIs on the VMware Spring Cloud Gateway instance. This property is mandatory if you want to integrate with the [API portal](./how-to-use-enterprise-api-portal.md). | ++You can use the Azure portal or the Azure CLI to edit metadata properties. ++#### [Azure portal](#tab/Azure-portal) ++To edit metadata in the Azure portal, use the following steps: ++1. Open your Azure Spring Apps instance. +1. Select **Spring Cloud Gateway** on the navigation pane, and then select **Configuration**. +1. Specify values for the properties listed for **API**. +1. Select **Save**. +++#### [Azure CLI](#tab/Azure-CLI) ++Use the following command to configure metadata properties for VMware Spring Cloud Gateway. You need the endpoint URL that you obtained when you completed the [Assign a public endpoint to VMware Spring Cloud Gateway](#assign-a-public-endpoint-to-vmware-spring-cloud-gateway) section. ++```azurecli +az spring gateway update \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --api-description "<api-description>" \ + --api-title "<api-title>" \ + --api-version "v0.1" \ + --server-url "<gateway-endpoint-URL>" \ + --allowed-origins "*" +``` ++++## Configure single sign-on ++VMware Spring Cloud Gateway supports authentication and authorization through single sign-on (SSO) with an OpenID identity provider. The provider supports the OpenID Connect Discovery protocol. The following table describes the SSO properties: ++| Property | Required? | Description | +|-|--|-| +| `issuerUri` | Yes | The URI that is asserted as its issuer identifier. For example, if `issuerUri` is `https://example.com`, an OpenID Provider Configuration Request is made to `https://example.com/.well-known/openid-configuration`. The result is expected to be an OpenID Provider Configuration Response. | +| `clientId` | Yes | The OpenID Connect client ID from your identity provider. | +| `clientSecret` | Yes | The OpenID Connect client secret from your identity provider. | +| `scope` | Yes | A list of scopes to include in JWT identity tokens. This list should be based on the scopes that your identity provider allows. | ++To set up SSO with Microsoft Entra ID, see [Set up single sign-on using Microsoft Entra ID for Spring Cloud Gateway and API Portal](./how-to-set-up-sso-with-azure-ad.md). ++You can use the Azure portal or the Azure CLI to edit SSO properties. ++#### [Azure portal](#tab/Azure-portal) ++To edit SSO properties in the Azure portal, use the following steps: ++1. Open your Azure Spring Apps instance. +1. Select **Spring Cloud Gateway** on the navigation pane, and then select **Configuration**. +1. Specify values for the properties listed for **SSO**. +1. Select **Save**. +++#### [Azure CLI](#tab/Azure-CLI) ++Use the following command to configure SSO properties for VMware Spring Cloud Gateway: ++```azurecli +az spring gateway update \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --client-id <client-id> \ + --client-secret <client-secret> \ + --issuer-uri <issuer-uri> \ + --scope <scope> +``` ++++VMware Spring Cloud Gateway supports only the authorization servers that support the OpenID Connect Discovery protocol. Also, be sure to configure the external authorization server to allow redirects back to the gateway. Refer to your authorization server's documentation and add `https://<gateway-external-url>/login/oauth2/code/sso` to the list of allowed redirect URIs. ++If you configure the wrong SSO property, such as the wrong password, you should remove the entire SSO property and then add the correct configuration. ++After you configure SSO, remember to set `ssoEnabled: true` for the VMware Spring Cloud Gateway routes. ++## Configure SSO logout ++VMware Spring Cloud Gateway service instances provide a default API endpoint to log out of the current SSO session. The path to this endpoint is `/scg-logout`. The logout results in one of the following outcomes, depending on how you call the logout endpoint: ++- Log out of the session and redirect to the identity provider (IdP) logout. +- Log out of the service instance session. ++### Log out of the IdP and SSO session ++If you send a `GET` request to the `/scg-logout` endpoint, the endpoint sends a `302` redirect response to the IdP logout URL. To get the endpoint to return the user to a path on the gateway service instance, add a redirect parameter to the `GET` request with the `/scg-logout` endpoint. For example, you can use `${server-url}/scg-logout?redirect=/home`. ++The value of the redirect parameter must be a valid path on the VMware Spring Cloud Gateway service instance. You can't redirect to an external URL. ++The following steps describe an example of how to implement the function in your micro ++1. Get a route configuration to route the logout request to your application. For an example, see the route configuration in the [animal-rescue](https://github.com/Azure-Samples/animal-rescue/blob/0e343a27f44cc4a4bfbf699280476b0517854d7b/frontend/azure/api-route-config.json#L32) repository on GitHub. ++1. Add whatever logout logic you need to the application. At the end, you need a `GET` request to the gateway's `/scg-logout` endpoint, as shown in the `return` value for the `getActionButton` method in the [animal-rescue](https://github.com/Azure-Samples/animal-rescue/blob/0e343a27f44cc4a4bfbf699280476b0517854d7b/frontend/src/App.js#L84) repository. ++### Log out of just the SSO session ++If you send the `GET` request to the `/scg-logout` endpoint by using `XMLHttpRequest`, the `302` redirect could be swallowed and not handled in the response handler. In this case, the user would only be logged out of the SSO session on the VMware Spring Cloud Gateway service instance. The user would still have a valid IdP session. Typically, if the user tries to log in again, they're automatically sent back to the gateway as authenticated from IdP. ++You need to have a route configuration to route the logout request to your application, as shown in the following example. This code makes a gateway-only logout SSO session. ++```java +const req = new XMLHttpRequest(); +req.open("GET", "/scg-logout); +req.send(); +``` ++## Configure cross-origin resource sharing ++Cross-origin resource sharing (CORS) allows restricted resources on a webpage to be requested from another domain outside the domain from which the first resource was served. The following table describes the available CORS configuration options. ++| Property | Description | +|-|| +| `allowedOrigins` | Allowed origins to make cross-site requests | +| `allowedOriginPatterns` | Allowed origin patterns to make cross-site requests | +| `allowedMethods` | Allowed HTTP methods on cross-site requests | +| `allowedHeaders` | Allowed headers in cross-site requests | +| `maxAge` | How long, in seconds, clients cache the response from a preflight request | +| `allowCredentials` | Whether user credentials are supported on cross-site requests | +| `exposedHeaders` | HTTP response headers to expose for cross-site requests | ++Be sure that you have the correct CORS configuration if you want to integrate with the API portal. For more information, see the [Assign a public endpoint to VMware Spring Cloud Gateway](#assign-a-public-endpoint-to-vmware-spring-cloud-gateway) section. ++## Use service scaling ++You can customize resource allocation for VMware Spring Cloud Gateway instances, including vCPU, memory, and instance count. ++For high availability, we don't recommend using a single replica. ++The following table describes the default resource usage. ++| Component name | Instance count | vCPU per instance | Memory per instance | +|-|-|-|| +| VMware Spring Cloud Gateway | 2 | 1 core | 2 GiB | +| VMware Spring Cloud Gateway operator | 2 | 1 core | 2 GiB | ++## Configure TLS between the gateway and applications ++To enhance security and help protect sensitive information from interception by unauthorized parties, you can enable Transport Layer Security (TLS) between VMware Spring Cloud Gateway and your applications. ++Before you configure TLS, you need to have a TLS-enabled application and a TLS certificate. To prepare a TLS certificate, generate a certificate from a trusted certificate authority (CA). The certificate verifies the identity of the server and establishes a secure connection. ++After you have a TLS-enabled application running in Azure Spring Apps, upload the certificate to Azure Spring Apps. For more information, see the [Import a certificate](how-to-use-tls-certificate.md#import-a-certificate) section of [Use TLS/SSL certificates in your application in Azure Spring Apps](how-to-use-tls-certificate.md). ++With the certificate updated to Azure Spring Apps, you can configure the TLS certificate for the gateway and enable certificate verification. You can configure the certificate in the Azure portal or by using the Azure CLI. ++#### [Azure portal](#tab/Azure-portal) ++Use the following steps to configure the certificate in the Azure portal: ++1. In your Azure Spring Apps instance, select **Spring Cloud Gateway** on the navigation pane. +1. On the **Spring Cloud Gateway** page, select **Certificate management**. +1. Select **Enable cert verification**. +1. Select the TLS certificate in **Certificates**. +1. Select **Save**. ++Updating the configuration can take a few minutes. You should get a notification when the configuration is complete. ++#### [Azure CLI](#tab/Azure-CLI) ++Use the following command to enable or disable certificate verification by using the Azure CLI. Replace the `<value>` placeholder with `true` to enable or `false` to disable verification. ++```azurecli +az spring gateway update \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --enable-cert-verify <value> \ + --certificate-names <certificate-name-in-Azure-Spring-Apps> +``` ++++### Prepare the route configuration ++You must specify the protocol as HTTPS in the route configuration. The following JSON object instructs VMware Spring Cloud Gateway to use the HTTPS protocol for all traffic between the gateway and the app. ++1. Create a file named *test-tls-route.json* with the following content: ++ ```json + { + "routes": [ + { + "title": "Test TLS app", + "predicates": [ + "Path=/path/to/your/app", + "Method=GET" + ] + } + ], + "uri": "https://<app-custom-domain-name>" + } + ``` ++1. Use the following command to apply the rule to the application: ++ ```azurecli + az spring gateway route-config create \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name test-tls-app \ + --routes-file test-tls-route.json + ``` ++You can now test whether the application is TLS enabled with the endpoint of the gateway. For more information, see the [Configure routes](how-to-use-enterprise-spring-cloud-gateway.md#configure-routes) section of [Use Spring Cloud Gateway](how-to-use-enterprise-spring-cloud-gateway.md). ++### Rotate certificates ++As certificates expire, you need to rotate certificates in VMware Spring Cloud Gateway by using the following steps: ++1. Generate new certificates from a trusted CA. +1. Import the certificates into Azure Spring Apps. For more information, see the [Import a certificate](how-to-use-tls-certificate.md#import-a-certificate) section of [Use TLS/SSL certificates in your application in Azure Spring Apps](how-to-use-tls-certificate.md). +1. Synchronize the certificates by using the Azure portal or the Azure CLI. ++VMware Spring Cloud Gateway restarts to ensure that the gateway uses the new certificate for all connections. ++#### [Azure portal](#tab/Azure-portal) ++Use the following steps to synchronize certificates: ++1. In your Azure Spring Apps instance, select **Spring Cloud Gateway** on the navigation pane. +1. On the **Spring Cloud Gateway** page, select **Restart**, and then confirm the operation. ++#### [Azure CLI](#tab/Azure-CLI) ++Use the following restart command to synchronize a certificate for VMware Spring Cloud Gateway: ++```azurecli +az spring gateway restart \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> +``` ++++### Set up autoscale settings ++You can set autoscale modes for VMware Spring Cloud Gateway. ++#### [Azure portal](#tab/Azure-portal) ++The following list shows the options available for Autoscale demand management: ++* The **Manual scale** option maintains a fixed instance count. You can scale out to a maximum of 10 instances. This value changes the number of separate running instances of the Spring Cloud Gateway. +* The **Custom autoscale** option scales on any schedule, based on any metrics. ++On the Azure portal, choose how you want to scale. The following screenshot shows the **Custom autoscale** option and mode settings: +++#### [Azure CLI](#tab/Azure-CLI) ++Use the following command to create an autoscale setting: ++```azurecli +az monitor autoscale create \ + --resource-group <resource-group-name> \ + --name <autoscale-setting-name> \ + --resource /subscriptions/<subscription-id>/resourcegroups/<resource-group-name>/providers/Microsoft.AppPlatform/Spring/<service-instance-name>/gateways/default \ + --min-count 1 \ + --max-count 5 \ + --count 1 +``` ++Use the following command to create an autoscale rule: ++```azurecli +az monitor autoscale rule create \ + --resource-group <resource-group-name> \ + --autoscale-name <autoscale-setting-name> \ + --scale out 1 \ + --cooldown 1 \ + --condition "GatewayHttpServerRequestsSecondsCount > 100 avg 1m" +``` ++++For more information on the available metrics, see the [User metrics options](./concept-metrics.md#user-metrics-options) section of [Metrics for Azure Spring Apps](./concept-metrics.md). ++## Configure the response cache ++Response cache configuration provides a way to define an HTTP response cache that you can apply globally or at the route level. ++### Enable the response cache globally ++After you enable the response cache globally, the response cache is automatically enabled for all applicable routes. ++#### [Azure portal](#tab/Azure-portal) ++Use the following steps to enable the response cache globally: ++1. In your Azure Spring Apps instance, select **Spring Cloud Gateway** on the navigation pane. +1. On the **Spring Cloud Gateway** page, select **Configuration**. +1. In the **Response Cache** section, select **Enable response cache** and then set **Scope** to **Instance**. +1. Set **Size** and **Time to live** for the response cache. +1. Select **Save**. ++Use the following steps to disable the response cache: ++1. In your Azure Spring Apps instance, select **Spring Cloud Gateway** on the navigation pane. +1. On the **Spring Cloud Gateway** page, select **Configuration**. +1. In the **Response Cache** section, clear **Enable response cache**. +1. Select **Save**. ++#### [Azure CLI](#tab/Azure-CLI) ++Use the following command to enable the response cache globally: ++```azurecli +az spring gateway update \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> + --enable-response-cache \ + --response-cache-scope Instance \ + --response-cache-size {Examples are 1GB, 100MB, 100KB} \ + --response-cache-ttl {Examples are 1h, 30m, 50s} +``` ++Use the following command to disable the response cache: ++```azurecli +az spring gateway update \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --enable-response-cache false +``` ++++### Enable the response cache at the route level ++To enable the response cache for any route, use the `LocalResponseCache` filter. The following example shows you how to use the `LocalResponseCache` filter in the routing rule configuration: ++```json +{ + "filters": [ + "<other-app-level-filter-of-route>", + ], + "routes": [ + { + "predicates": [ + "Path=/api/**", + "Method=GET" + ], + "filters": [ + "<other-filter-of-route>", + "LocalResponseCache=3m, 1MB" + ], + } + ] +} +``` ++For more information, see the [LocalResponseCache](./how-to-configure-enterprise-spring-cloud-gateway-filters.md#localresponsecache) section of [How to use VMware Spring Cloud Gateway route filters with the Azure Spring Apps Enterprise plan](./how-to-configure-enterprise-spring-cloud-gateway-filters.md) and [LocalResponseCache](https://aka.ms/vmware/scg/filters/localresponsecache) in the VMware documentation. ++Instead of configuring `size` and `timeToLive` for each `LocalResponseCache` filter individually, you can set these parameters at the Spring Cloud Gateway level. This option enables you to use the `LocalResponseCache` filter without specifying these values initially, while retaining the flexibility to override them later. ++#### [Azure portal](#tab/Azure-portal) ++Use the following steps to enable the response cache at the route level and set `size` and `timeToLive`: ++1. In your Azure Spring Apps instance, select **Spring Cloud Gateway** on the navigation pane. +1. On the **Spring Cloud Gateway** page, select **Configuration**. +1. In the **Response Cache** section, select **Enable response cache** and then set **Scope** to **Route**. +1. Set **Size** and **Time to live** for the response cache. +1. Select **Save**. ++Use the following steps to disable the response cache at the route level, which clears `size` and `timeToLive`: ++1. In your Azure Spring Apps instance, select **Spring Cloud Gateway** on the navigation pane. +1. On the **Spring Cloud Gateway** page, select **Configuration**. +1. In the **Response Cache** section, clear **Enable response cache**. +1. Select **Save**. ++#### [Azure CLI](#tab/Azure-CLI) ++Use the following command to enable the response cache at the route level and set `size` and `timeToLive`: ++```azurecli +az spring gateway update \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --enable-response-cache \ + --response-cache-scope Route \ + --response-cache-size {Examples are 1GB, 100MB, 100KB} \ + --response-cache-ttl {Examples are 1h, 30m, 50s} +``` ++Use the following command to disable the response cache at the route level, which clears `size` and `timeToLive`: ++```azurecli +az spring gateway update \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --enable-response-cache false +``` ++++The following example shows you how to use the `LocalResponseCache` filter when `size` and `timeToLive` are set at the Spring Cloud Gateway level: ++```json +{ + "filters": [ + "<other-app-level-filter-of-route>", + ], + "routes": [ + { + "predicates": [ + "Path=/api/path1/**", + "Method=GET" + ], + "filters": [ + "<other-filter-of-route>", + "LocalResponseCache" + ], + }, + { + "predicates": [ + "Path=/api/path2/**", + "Method=GET" + ], + "filters": [ + "<other-filter-of-route>", + "LocalResponseCache=3m, 1MB" + ], + } + ] +} +``` ++## Configure environment variables ++The Azure Spring Apps service manages and tunes VMware Spring Cloud Gateway. Except for the use cases that configure application performance monitoring (APM) and the log level, you don't normally need to configure VMware Spring Cloud Gateway with environment variables. ++If you have requirements that you can't fulfill by other configurations described in this article, you can try to configure the environment variables shown in the [Common application properties](https://cloud.spring.io/spring-cloud-gateway/reference/html/appendix.html#common-application-properties) list. Be sure to verify your configuration in your test environment before applying it to your production environment. ++#### [Azure portal](#tab/Azure-portal) ++To configure environment variables in the Azure portal, use the following steps: ++1. In your Azure Spring Apps instance, select **Spring Cloud Gateway** on the navigation pane, and then select **Configuration**. +1. Fill in the key/value pairs for the environment variables in the **Properties** and **Secrets** sections. You can include variables with sensitive information in the **Secrets** section. +1. Select **Save** to save your changes. ++#### [Azure CLI](#tab/Azure-CLI) ++Use the following command to configure environment variables by using the Azure CLI. You can include variables with sensitive information by using the `--secrets` parameter. ++```azurecli +az spring gateway update \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --properties <key=value> \ + --secrets <key=value> +``` ++++After you update environment variables, VMware Spring Cloud Gateway restarts. ++### Configure application performance monitoring ++To monitor VMware Spring Cloud Gateway, you can configure APM. The following table lists the five types of APM Java agents that VMware Spring Cloud Gateway provides, along with their required environment variables. ++| Java agent | Required environment variables | +|-|| +| Application Insights | `APPLICATIONINSIGHTS_CONNECTION_STRING` | +| Dynatrace | `DT_TENANT`<br>`DT_TENANTTOKEN`<br>`DT_CONNECTION_POINT` | +| New Relic | `NEW_RELIC_LICENSE_KEY`<br>`NEW_RELIC_APP_NAME` | +| AppDynamics | `APPDYNAMICS_AGENT_APPLICATION_NAME`<br>`APPDYNAMICS_AGENT_TIER_NAME`<br>`APPDYNAMICS_AGENT_NODE_NAME`<br> `APPDYNAMICS_AGENT_ACCOUNT_NAME`<br>`APPDYNAMICS_AGENT_ACCOUNT_ACCESS_KEY`<br>`APPDYNAMICS_CONTROLLER_HOST_NAME`<br>`APPDYNAMICS_CONTROLLER_SSL_ENABLED`<br>`APPDYNAMICS_CONTROLLER_PORT` | +| Elastic APM | `ELASTIC_APM_SERVICE_NAME`<br>`ELASTIC_APM_APPLICATION_PACKAGES`<br>`ELASTIC_APM_SERVER_URL` | ++For other supported environment variables, see the following sources: ++- [Application Insights overview](../../azure-monitor/app/app-insights-overview.md?tabs=net) +- [Dynatrace environment variables](https://www.dynatrace.com/support/help/setup-and-configuration/setup-on-cloud-platforms/microsoft-azure-services/azure-integrations/azure-spring#envvar) +- [New Relic environment variables](https://docs.newrelic.com/docs/apm/agents/java-agent/configuration/java-agent-configuration-config-file/#Environment_Variables) +- [AppDynamics environment variables](https://docs.appdynamics.com/21.11/en/application-monitoring/install-app-server-agents/java-agent/monitor-azure-spring-cloud-with-java-agent#MonitorAzureSpringCloudwithJavaAgent-ConfigureUsingtheEnvironmentVariablesorSystemProperties) +- [Elastic environment variables](https://www.elastic.co/guide/en/apm/agent/java/master/configuration.html) ++#### Configure APM integration on the service instance level (recommended) ++To enable APM monitoring in your VMware Spring Cloud Gateway, you can create APM configuration on the service instance level and bind it to Spring Cloud Gateway. In this way, you can conveniently configure the APM only once and bind the same APM to Spring Cloud Gateway and to your apps. ++##### [Azure portal](#tab/Azure-portal) ++Use the following steps to set up APM by using the Azure portal: ++1. Configure APM on the service instance level with the APM name, type, and properties. For more information, see the [Manage APMs on the service instance level (recommended)](./how-to-enterprise-configure-apm-integration-and-ca-certificates.md#manage-apms-on-the-service-instance-level-recommended) section of [How to configure APM integration and CA certificates](./how-to-enterprise-configure-apm-integration-and-ca-certificates.md). ++ :::image type="content" source="media/how-to-configure-enterprise-spring-cloud-gateway/service-level-apm-configure.png" alt-text="Screenshot of Azure portal that shows the Azure Spring Apps APM editor page." lightbox="media/how-to-configure-enterprise-spring-cloud-gateway/service-level-apm-configure.png"::: ++1. Select **Spring Cloud Gateway** on the navigation pane, then select **APM**. ++1. Choose the APM name in the **APM reference names** list. The list includes all the APM names configured in step 1. ++1. Select **Save** to bind APM reference names to Spring Cloud Gateway. Your gateway restarts to enable APM monitoring. ++##### [Azure CLI](#tab/Azure-CLI) ++Use the following steps to set up APM in Spring Cloud Gateway by using the Azure CLI: ++1. Configure APM on the service instance level with the APM name, type, and properties. For more information, see the [Manage APMs on the service instance level (recommended)](./how-to-enterprise-configure-apm-integration-and-ca-certificates.md#manage-apms-on-the-service-instance-level-recommended) section of [How to configure APM integration and CA certificates](./how-to-enterprise-configure-apm-integration-and-ca-certificates.md). ++1. Use the following command to update gateway with APM reference names: ++ ```azurecli + az spring gateway update \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --apms <APM-reference-name> + ``` ++ The value for `--apms` is a space-separated list of APM reference names, which you created in step 1. ++ > [!NOTE] + > Spring Cloud Gateway is deprecating APM types. Use APM reference names to configure APM in a gateway. ++++#### Manage APM in VMware Spring Cloud Gateway (deprecated) ++You can use the Azure portal or the Azure CLI to set up APM in VMware Spring Cloud Gateway. You can also specify the types of APM Java agents to use and the corresponding APM environment variables that they support. ++##### [Azure portal](#tab/Azure-portal) ++Use the following steps to set up APM by using the Azure portal: ++1. In your Azure Spring Apps instance, select **Spring Cloud Gateway** on the navigation pane, and then select **Configuration**. +1. Choose the APM type in the **APM** list to monitor a gateway. +1. Fill in the key/value pairs for the APM environment variables in the **Properties** and **Secrets** sections. You can put variables with sensitive information in **Secrets**. +1. Select **Save** to save your changes. ++Updating the configuration can take a few minutes. You should get a notification when the configuration is complete. ++##### [Azure CLI](#tab/Azure-CLI) ++Use the following command to set up APM by using the Azure CLI: ++```azurecli +az spring gateway update \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --apm-types <APM-type> \ + --properties <key=value> \ + --secrets <key=value> +``` ++The allowed values for `--apm-types` are `ApplicationInsights`, `AppDynamics`, `Dynatrace`, `NewRelic`, and `ElasticAPM`. The following command shows the usage for Application Insights as an example: ++```azurecli +az spring gateway update \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --apm-types ApplicationInsights \ + --properties APPLICATIONINSIGHTS_CONNECTION_STRING=<your-Application-Insights-connection-string> APPLICATIONINSIGHTS_SAMPLE_RATE=10 +``` ++You can also put environment variables in the `--secrets` parameter instead of `--properties`. It makes the environment variable more secure in network transmission and data storage in the back end. ++++> [!NOTE] +> Azure Spring Apps upgrades the APM agent and deployed apps with the same cadence to keep compatibility of agents between VMware Spring Cloud Gateway and Azure Spring Apps. +> +> By default, Azure Spring Apps prints the logs of the APM Java agent to `STDOUT`. These logs are included with the VMware Spring Cloud Gateway logs. You can check the version of the APM agent used in the logs. You can query these logs in Log Analytics to troubleshoot. +> +> To make the APM agents work correctly, increase the CPU and memory of VMware Spring Cloud Gateway. ++### Configure log levels ++You can configure the log levels of VMware Spring Cloud Gateway in the following ways to get more details or to reduce logs: ++- You can set log levels to `TRACE`, `DEBUG`, `INFO`, `WARN`, `ERROR`, or `OFF`. The default log level for VMware Spring Cloud Gateway is `INFO`. +- You can turn off logs by setting log levels to `OFF`. +- When the log level is set to `WARN`, `ERROR`, or `OFF`, you might be required to adjust it to `INFO` when requesting support from the Azure Spring Apps team. This change causes a restart of VMware Spring Cloud Gateway. +- When the log level is set to `TRACE` or `DEBUG`, it might affect the performance of VMware Spring Cloud Gateway. Try avoid these settings in your production environment. +- You can set log levels for the `root` logger or for specific loggers like `io.pivotal.spring.cloud.gateway`. ++The following loggers might contain valuable troubleshooting information at the `TRACE` and `DEBUG` levels: ++| Logger | Description | +|-|--| +| `io.pivotal.spring.cloud.gateway` | Filters and predicates, including custom extensions | +| `org.springframework.cloud.gateway` | API gateway | +| `org.springframework.http.server.reactive` | HTTP server interactions | +| `org.springframework.web.reactive` | API gateway reactive flows | +| `org.springframework.boot.autoconfigure.web` | API gateway autoconfiguration | +| `org.springframework.security.web` | Authentication and authorization information | +| `reactor.netty` | Reactor Netty | ++To get environment variable keys, add the `logging.level.` prefix, and then set the log level by configuring environment `logging.level.{loggerName}={logLevel}`. The following examples show the steps for the Azure portal and the Azure CLI. ++#### [Azure portal](#tab/Azure-portal) ++To configure log levels in the Azure portal, use the following steps: ++1. In your Azure Spring Apps instance, select **Spring Cloud Gateway** on the navigation pane, and then select **Configuration**. +1. Fill in the key/value pairs for the log levels' environment variables in the **Properties** and **Secrets** sections. If the log level is sensitive information in your case, you can include it by using the **Secrets** section. +1. Select **Save** to save your changes. +++#### [Azure CLI](#tab/Azure-CLI) ++For a general CLI command for specifying environment variables, see the [Configure environment variables](#configure-environment-variables) section. The following example shows you how to configure log levels by using the Azure CLI: ++```azurecli +az spring gateway update \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --properties \ + logging.level.root=INFO \ + logging.level.io.pivotal.spring.cloud.gateway=DEBUG \ + logging.level.org.springframework.cloud.gateway=DEBUG \ + logging.level.org.springframework.boot.autoconfigure.web=TRACE \ + logging.level.org.springframework.security.web=ERROR +``` ++If the log level is sensitive information in your case, you can include it by using the `--secrets` parameter. ++++## Update add-on configuration ++The add-on configuration feature enables you to customize certain properties of VMware Spring Cloud Gateway by using a JSON format string. The feature is useful when you need to configure properties that aren't exposed through the REST API. ++The add-on configuration is a JSON object with key/value pairs that represent the desired configuration. The following example shows the structure of the JSON format: ++```json +{ + "<addon-key-name>": { + "<addon-key-name>": "<addon-value>" + ... + }, + "<addon-key-name>": "<addon-value>", + ... +} +``` ++The following list shows the supported add-on configurations for the add-on key names and value types. This list is subject to change as we upgrade the VMware Spring Cloud Gateway version. ++- SSO configuration: + - Key name: `sso` + - Value type: Object + - Properties: + - `RolesAttributeName` (String): Specifies the name of the attribute that contains the roles associated with the SSO session. + - `InactiveSessionExpirationInMinutes` (Integer): Specifies the expiration time, in minutes, for inactive SSO sessions. A value of `0` means the session never expires. + - Example: + + ```json + { + "sso": { + "rolesAttributeName": "roles", + "inactiveSessionExpirationInMinutes": 1 + } + } + ``` ++- Metadata configuration: + - Key name: `api` + - Value type: Object + - Properties + - `groupId` (String): A unique identifier for the group of APIs available on the VMware Spring Cloud Gateway instance. The value can contain only lowercase letters and numbers. + - Example: ++ ```json + { + "api": { + "groupId": "id1" + } + } + ``` ++Use the following steps to update the add-on configuration. ++### [Azure portal](#tab/Azure-portal) ++1. In your Azure Spring Apps instance, select **Spring Cloud Gateway** on the navigation pane, and then select **Configuration**. +1. Specify the JSON value for **Addon Configs**. +1. Select **Save**. ++### [Azure CLI](#tab/Azure-CLI) ++1. Prepare the JSON file for add-on configurations (*\<file-name-of-addon-configs-json\>.json*) with the following content: ++ ```json + { + "sso": { + "rolesAttributeName": "roles", + "inactiveSessionExpirationInMinutes": 1 + }, + "api": { + "groupId": "id1" + } + } + ``` ++1. Use the following command to update the add-on configurations for VMware Spring Cloud Gateway: ++ ```azurecli + az spring gateway update \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --addon-configs-file <file-name-of-addon-configs-json>.json + ``` ++++## Next steps ++- [Use Spring Cloud Gateway](how-to-use-enterprise-spring-cloud-gateway.md) |
spring-apps | How To Configure Health Probes Graceful Termination | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-configure-health-probes-graceful-termination.md | + + Title: How to configure health probes and graceful termination period for apps hosted in Azure Spring Apps +description: Learn how to customize apps running in Azure Spring Apps with health probes and graceful termination period. +++ Last updated : 07/02/2022+++++# How to configure health probes and graceful termination periods for apps hosted in Azure Spring Apps ++**This article applies to:** ✔️ Java ✔️ C# ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article shows you how to customize apps running in Azure Spring Apps with health probes and graceful termination periods. ++A probe is a diagnostic activity performed periodically by Azure Spring Apps on an app instance. To perform a diagnostic, Azure Spring Apps takes one of the following actions: ++- Executes an arbitrary command of your choice within the app instance. +- Establishes a TCP socket connection. +- Makes an HTTP request. ++Azure Spring Apps offers default health probe rules for every application. This article shows you how to customize your application with three kinds of health probes: ++- *Liveness probes* determine when to restart an application. For example, liveness probes can identify a deadlock, such as when an application is running but unable to make progress. Restarting the application in a deadlock state can make the application available despite errors. ++- *Readiness probes* determine when an app instance is ready to start accepting traffic. For example, readiness probes can control which app instances are used as backends for the application. When an app instance isn't ready, it's removed from Kubernetes service discovery. For more information, see [Discover and register your Spring Boot applications](../basic-standard/how-to-service-registration.md). For more information about service discovery with the Enterprise plan, see [Use Tanzu Service Registry](how-to-enterprise-service-registry.md). ++- *Startup probes* determine when an application has started. A startup probe disables liveness and readiness checks until startup succeeds, ensuring that liveness and readiness probes don't interfere with application startup. You can use startup probes to perform liveness checks on slow starting applications, preventing the app from terminating before it's up and running. ++## Prerequisites ++- [Azure CLI](/cli/azure/install-azure-cli) with the Azure Spring Apps extension. Use the following command to remove previous versions and install the latest extension. If you previously installed the spring-cloud extension, uninstall it to avoid configuration and version mismatches. ++ ```azurecli + az extension remove --name spring + az extension add --name spring + az extension remove --name spring-cloud + ``` ++## Configure health probes and graceful termination for applications ++The following sections describe how to configure health probes and graceful termination using the Azure CLI. ++### Graceful termination ++The following table describes the `terminationGracePeriodSeconds` property, which you can use to configure graceful termination. ++| Property name | Description | +|-|| +| `terminationGracePeriodSeconds` | The duration in seconds after processes running in the app instance are sent a termination signal before they're forcibly halted. Set this value longer than the expected cleanup time for your process. The value must be a non-negative integer. Setting the grace period to *0* stops the app instance immediately via the kill signal, with no opportunity to shut down. If the value is *nil*, Azure Spring Apps uses the default grace period. The default value is *90*. | ++### Health probe properties ++The following table describes the properties you can use to configure health probes. ++| Property name | Description | +||--| +| `initialDelaySeconds` | The number of seconds after the app instance has started before probes are initiated. The default value is *0*, the minimum value. | +| `periodSeconds` | The frequency in seconds to perform the probe. The default value is *10*. The minimum value is *1*. | +| `timeoutSeconds` | The number of seconds until the probe times out. The default value is *1*, the minimum value. | +| `failureThreshold` | The minimum number of consecutive failures for the probe to be considered failed after having succeeded. The default value is *3*. The minimum value is *1*. | +| `successThreshold` | The minimum number of consecutive successes for the probe to be considered successful after having failed. The default value is *1*. The value must be *1* for liveness and startup. The minimum value is *1*. | ++### Probe action properties ++There are three ways you can check an app instance using a probe. Each probe must define one of the following probe actions: ++- `HTTPGetAction` ++ Performs an HTTP GET request against the app instance on a specified path. The diagnostic is considered successful if the response has a status code greater than or equal to 200 and less than 400. ++ | Property name | Description | + |-|| + | `scheme` | The scheme to use for connecting to the host. The default is *HTTP*. | + | `path` | The path to access on the HTTP server of the app instance, such as */healthz*. | ++- `ExecAction` ++ Executes a specified command inside the app instance. The diagnostic is considered successful if the command exits with a status code of 0. ++ | Property name | Description | + |-|--| + | `command` | The command to execute inside the app instance. The working directory for the command is the root directory (*/*) in the app instance's file system. Because the command is run using `exec` rather than inside a shell, shell instructions won't work. To use a shell, explicitly call out to the shell. An exit status of *0* is treated as live/healthy, and non-zero is unhealthy. | ++- `TCPSocketAction` ++ Performs a TCP check against the app instance. ++ There are no available properties for the `TCPSocketAction` action. ++### Customize your application ++#### [Azure portal](#tab/azure-portal) ++Use the following steps to customize your application using Azure portal. ++1. Under **Settings**, select **Apps**, and then select the application from the list. ++ :::image type="content" source="media/how-to-configure-health-probes-graceful-termination/select-app.jpg" lightbox="media/how-to-configure-health-probes-graceful-termination/select-app.jpg" alt-text="Screenshot of Azure portal showing the Apps page."::: ++1. Select **Configuration** in the left navigation pane, select **Health probes**, and then specify Health probe properties. ++ :::image type="content" source="media/how-to-configure-health-probes-graceful-termination/probe-config.jpg" lightbox="media/how-to-configure-health-probes-graceful-termination/probe-config.jpg" alt-text="Screenshot of the Azure portal Configuration page showing the Health probes tab."::: ++1. To set the termination grace period, select **General settings**, and specify a value in the **Termination grace period** box. ++ :::image type="content" source="media/how-to-configure-health-probes-graceful-termination/termination-grace-period-config.jpg" lightbox="media/how-to-configure-health-probes-graceful-termination/termination-grace-period-config.jpg" alt-text="Screenshot of the Azure portal Configuration page showing the General settings tab."::: ++#### [Azure CLI](#tab/azure-cli) ++Use the following steps to customize your application using Azure CLI. ++1. Use the following command to create an application with a liveness probe and readiness probe: ++ ```azurecli + az spring app create \ + --resource-group <resource-group-name> \ + --service <service-instance-name> \ + --name <application-name> \ + --enable-liveness-probe true \ + --liveness-probe-config <path-to-liveness-probe-json-file> \ + --enable-readiness-probe true \ + --readiness-probe-config <path-to-readiness-probe-json-file> + ``` ++ The following example shows the contents of a sample JSON file passed to the `--liveness-probe-config` parameter in the create command: ++ ```json + { + "probe": { + "initialDelaySeconds": 30, + "periodSeconds": 10, + "timeoutSeconds": 1, + "failureThreshold": 30, + "successThreshold": 1, + "probeAction": { + "type": "TCPSocketAction", + } + } + } + ``` ++ The following example shows an `HTTPGetAction` action: ++ ```json + "probeAction": { + "type": "HTTPGetAction", + "scheme": "HTTP", + "path": "/anyPath" + } + ``` ++ The following example shows an `ExecAction` action: ++ ```json + "probeAction": { + "type": "ExecAction", + "command": ["cat", "/tmp/healthy"] + } + ``` ++1. Optionally, use the following command to protect slow starting containers with a startup probe: ++ ```azurecli + az spring app update \ + --resource-group <resource-group-name> \ + --service <service-instance-name> \ + --name <application-name> \ + --enable-startup-probe true \ + --startup-probe-config <path-to-startup-probe-json-file> + ``` ++1. Optionally, use the following command to disable a health probe: ++ ```azurecli + az spring app update \ + --resource-group <resource-group-name> \ + --service <service-instance-name> \ + --name <application-name> \ + --enable-liveness-probe false + ``` ++1. Optionally, use the following command to set the termination grace period: ++ ```azurecli + az spring app update \ + --resource-group <resource-group-name> \ + --service <service-instance-name> \ + --name <application-name> \ + --grace-period <termination-grace-period-seconds> + ``` ++++## Best practices ++Use the following best practices when adding health probes to Azure Spring Apps: ++- Use liveness and readiness probes together. Azure Spring Apps provides two approaches for service discovery at the same time. When the readiness probe fails, the app instance is removed only from Kubernetes service discovery. A properly configured liveness probe can remove the issued app instance from Eureka service discovery to avoid unexpected cases. For more information about service discovery, see [Discover and register your Spring Boot applications](../basic-standard/how-to-service-registration.md). For more information about service discovery with the Enterprise plan, see [Use Tanzu Service Registry](how-to-enterprise-service-registry.md). ++- When an app instance starts, the first check occurs after the delay specified by `initialDelaySeconds`. Subsequent checks occur periodically, according to the period length specified by `periodSeconds`. If the app fails to respond to the requests for several times as specified by `failureThreshold`, the app instance is restarted. Make sure your application can start fast enough, or update these parameters, so that the total timeout `initialDelaySeconds + periodSeconds * failureThreshold` is longer than the start time of your application. ++- For Spring Boot applications, Spring Boot is shipped with the [Health Groups](https://docs.spring.io/spring-boot/docs/3.0.x/reference/html/actuator.html#actuator.endpoints.health.groups) support, allowing developers to select a subset of health indicators and group them under a single, correlated health status. For more information, see [Liveness and Readiness Probes with Spring Boot](https://spring.io/blog/2020/03/25/liveness-and-readiness-probes-with-spring-boot) on the Spring Blog. ++ The following example shows a liveness probe with Spring Boot: ++ ```json + "probe": { + "initialDelaySeconds": 30, + "periodSeconds": 10, + "timeoutSeconds": 1, + "failureThreshold": 30, + "successThreshold": 1, + "probeAction": { + "type": "HTTPGetAction", + "scheme": "HTTP", + "path": "/actuator/health/liveness" + } + } + ``` ++ The following example shows a readiness probe with Spring Boot: ++ ```json + "probe": { + "initialDelaySeconds": 0, + "periodSeconds": 10, + "timeoutSeconds": 1, + "failureThreshold": 3, + "successThreshold": 1, + "probeAction": { + "type": "HTTPGetAction", + "scheme": "HTTP", + "path": "/actuator/health/readiness" + } + } + ``` ++## Frequently asked questions ++This section provides answers to frequently asked questions about using health probes with Azure Spring Apps. ++- I received a 400 response when I created applications with customized health probes. What does this mean? ++ *The error message points out which probe is responsible for the provision failure. Make sure that the health probe rules are correct and that the timeout is long enough for the application to be in the running state.* ++- What are the default probe settings for an existing application? ++ *The following example shows the default settings:* ++ ```json + "startupProbe": null, + "livenessProbe": { + "disableProbe": false, + "failureThreshold": 3, + "initialDelaySeconds": 300, + "periodSeconds": 10, + "probeAction": { + "type": "TCPSocketAction" + }, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "readinessProbe": { + "disableProbe": false, + "failureThreshold": 3, + "initialDelaySeconds": 0, + "periodSeconds": 5, + "probeAction": { + "type": "TCPSocketAction" + }, + "successThreshold": 1, + "timeoutSeconds": 3 + } + ``` ++## Next steps ++- [Scale an application in Azure Spring Apps](how-to-scale-manual.md). |
spring-apps | How To Configure Ingress | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-configure-ingress.md | + + Title: Customize the ingress configuration in Azure Spring Apps +description: Learn how to customize the ingress configuration in Azure Spring Apps. ++++ Last updated : 09/29/2022++++# Customize the ingress configuration in Azure Spring Apps ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article shows you how to set and update an application's ingress settings in Azure Spring Apps by using the Azure portal and Azure CLI. ++The Azure Spring Apps service uses an underlying ingress controller to handle application traffic management. The following ingress settings are supported for customization. ++| Name | Ingress setting | Default value | Valid range | Description | +|-|||-|--| +| `ingress-read-timeout` | `proxy-read-timeout` | 300 | \[1,1800\] | The timeout in seconds for reading a response from a proxied server. | +| `ingress-send-timeout` | `proxy-send-timeout` | 60 | \[1,1800\] | The timeout in seconds for transmitting a request to the proxied server. | +| `session-affinity` | `affinity` | None | Session, None | The type of the affinity that will make the request come to the same pod replica that was responding to the previous request. Set `session-affinity` to Cookie to enable session affinity. In the portal only, you must choose the enable session affinity box. | +| `session-max-age` | `session-cookie-max-age` | 0 | \[0, 604800\] | The time in seconds until the cookie expires, corresponding to the `Max-Age` cookie directive. If you set `session-max-age` to 0, the expiration period is equal to the browser session period. | +| `backend-protocol` | `backend-protocol` | Default | Default, GRPC | Sets the backend protocol to indicate how NGINX should communicate with the backend service. Default means HTTP/HTTPS/WebSocket. The `backend-protocol` setting only applies to client-to-app traffic. For app-to-app traffic within the same service instance, choose any protocol for app-to-app traffic without modifying the `backend-protocol` setting. The protocol doesn't restrict your choice of protocol for app-to-app traffic within the same service instance. | ++## Prerequisites ++- An Azure subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. +- [Azure CLI](/cli/azure/install-azure-cli) with the Azure Spring Apps extension. Use the following command to remove previous versions and install the latest extension. If you previously installed the spring-cloud extension, uninstall it to avoid configuration and version mismatches. ++ ```azurecli + az extension remove --name spring + az extension add --name spring + az extension remove --name spring-cloud + ``` ++## Set the ingress configuration ++Use the following Azure CLI command to set the ingress configuration when you create. ++```azurecli +az spring app create \ + --resource-group <resource-group-name> \ + --service <service-name> \ + --name <service-name> \ + --ingress-read-timeout 300 \ + --ingress-send-timeout 60 \ + --session-affinity Cookie \ + --session-max-age 1800 \ + --backend-protocol Default \ +``` ++This command creates an app with the following settings: ++- Ingress read timeout: 300 seconds +- Ingress send timeout: 60 seconds +- Session affinity: Cookie +- Session cookie max age: 1800 seconds +- Backend protocol: Default ++## Update the ingress settings for an existing app ++### [Azure portal](#tab/azure-portal) ++Use the following steps to update the ingress settings for an application hosted by an existing service instance. ++1. Sign in to the portal using an account associated with the Azure subscription that contains the Azure Spring Apps instance. +1. Navigate to the **Apps** pane, and then select the app you want to configure. +1. Navigate to the **Configuration** pane, and then select the **Ingress settings** tab. +1. Update the ingress settings, and then select **Save**. ++ :::image type="content" source="media/how-to-configure-ingress/ingress-settings.jpg" lightbox="media/how-to-configure-ingress/ingress-settings.jpg" alt-text="Screenshot of Azure portal Configuration page showing the Ingress settings tab."::: ++### [Azure CLI](#tab/azure-cli) ++Use the following command to update the ingress settings for an existing app. ++```azurecli +az spring app update \ + --resource-group <resource-group-name> \ + --service <service-name> \ + --name <service-name> \ + --ingress-read-timeout 600 \ + --ingress-send-timeout 600 \ + --session-affinity None \ + --session-max-age 0 \ + --backend-protocol GRPC \ +``` ++This command updates the app with the following settings: ++- Ingress read timeout: 600 seconds +- Ingress send timeout: 600 seconds +- Session affinity: None +- Session cookie max age: 0 +- Backend protocol: GRPC ++++## FAQ ++- How do you enable gRPC? ++ Set the backend protocol to *GRPC*. ++- How do you enable WebSocket? ++ WebSocket is enabled by default if you set the backend protocol to *Default*. The WebSocket connection limit is 20000. When you reach that limit, the connection will fail. ++ You can also use RSocket based on WebSocket. ++- What is the difference between ingress config and ingress settings? ++ Ingress config can still be used in the Azure CLI and SDK, and that setting will apply to all apps within the service instance. Once an app has been configured by ingress settings, the Ingress config won't affect it. We don't recommend that new scripts use ingress config since we plan to stop supporting it in the future. ++- When ingress settings are used together with App Gateway/APIM, what happens when you set the timeout in both Azure Spring Apps ingress and the App Gateway/APIM? ++ The shorter timeout is used. ++- Do you need extra config in App Gateway/APIM if you need to have end-to-end support for gRPC or WebSocket? ++ You don't need extra config as long as the App Gateway supports gRPC. ++- Is configurable port supported? ++ Configurable port isn't currently supported (80/443). ++## Next steps ++- [Ingress controllers](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers) +- [NGINX ingress controller](https://kubernetes.github.io/ingress-nginx) |
spring-apps | How To Configure Palo Alto | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-configure-palo-alto.md | + + Title: How to configure Palo Alto for Azure Spring Apps +description: How to configure Palo Alto for Azure Spring Apps ++++ Last updated : 09/17/2021++++# How to configure Palo Alto for Azure Spring Apps ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Java ✔️ C# ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article describes how to use Azure Spring Apps with a Palo Alto firewall. ++If your current deployments include a Palo Alto firewall, you can omit the Azure Firewall from the Azure Spring Apps deployment and use Palo Alto instead, as described in this article. ++You should keep configuration information, such as rules and address wildcards, in CSV files in a Git repository. This article shows you how to use automation to apply these files to Palo Alto. To understand the configuration to be applied to Palo Alto, see [Customer responsibilities for running Azure Spring Apps in a virtual network](./vnet-customer-responsibilities.md). ++> [!NOTE] +> In describing the use of REST APIs, this article uses the PowerShell variable syntax to indicate names and values that are left to your discretion. Be sure to use the same values in all the steps. +> +> After you've configured the TLS/SSL certificate in Palo Alto, remove the `-SkipCertificateCheck` argument from all Palo Alto REST API calls in the examples below. +> +> You should not use this article as a reference for Palo Alto REST APIs. All examples are for demonstration purposes only. For authoritative API details, see [PAN-OS REST API](https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/get-started-with-the-pan-os-rest-api/pan-os-rest-api.html) in the Palo Alto documentation. ++## Prerequisites ++* An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. +* A Palo Alto deployment. If you don't have a deployment, you can provision [Palo Alto from Azure Marketplace](https://portal.azure.com/#create/paloaltonetworks.vmseries-ngfwbundle2). +* [PowerShell](/powershell/scripting/install/installing-powershell) +* [Azure CLI](/cli/azure/install-azure-cli) ++## Configure Palo Alto ++First, configure the Palo Alto VM-Series Firewall. For detailed instructions, see [Deploy the VM-Series Firewall from the Azure Marketplace (Solution Template)](https://docs.paloaltonetworks.com/vm-series/9-1/vm-series-deployment/set-up-the-vm-series-firewall-on-azure/deploy-the-vm-series-firewall-on-azure-solution-template.html). These instructions will help you provision a VM-Series Firewall and configure both the `Trust` and `UnTrust` subnets and the associated network interface cards. To stay consistent, you should create this firewall in the address space of the `Hub` virtual network in the reference architecture. ++The [Reference Architecture Guide for Azure](https://www.paloaltonetworks.com/resources/guides/azure-architecture-guide) explores several technical design models for deploying the Firewall on Azure. ++The rest of this article assumes you have the following two pre-configured network zones: ++* `Trust`, containing the interface connected to a virtual network peered with the Azure Spring Apps virtual network. +* `UnTrust`, containing the interface to the public internet created earlier in the VM-Series deployment guide. ++## Prepare CSV files ++Next, create three CSV files. ++Name the first file *AzureSpringAppsServices.csv*. This file should contain ingress ports for Azure Spring Apps. The values in the following example are for demonstration purposes only. For all of the required values, see the [Azure Global required network rules](./vnet-customer-responsibilities.md#azure-global-required-network-rules) section of [Customer responsibilities for running Azure Spring Apps in a virtual network](./vnet-customer-responsibilities.md). ++```CSV +name,protocol,port,tag +ASC_1194,udp,1194,AzureSpringApps +ASC_443,tcp,443,AzureSpringApps +ASC_9000,tcp,9000,AzureSpringApps +ASC_445,tcp,445,AzureSpringApps +ASC_123,udp,123,AzureSpringApps +``` ++Name the second file *AzureSpringAppsUrlCategories.csv*. This file should contain the addresses (with wildcards) that should be available for egress from Azure Spring Apps. The values in the following example are for demonstration purposes only. For up-to-date values, see the [Azure Global required FQDN / application rules](./vnet-customer-responsibilities.md#azure-global-required-fqdn--application-rules) section of [Customer responsibilities for running Azure Spring Apps in a virtual network](./vnet-customer-responsibilities.md). ++```CSV +name,description +*.azmk8s.io, +mcr.microsoft.com, +*.cdn.mscr.io, +*.data.mcr.microsoft.com, +management.azure.com, +*.microsoftonline.com, +*.microsoft.com, +packages.microsoft.com, +acs-mirror.azureedge.net, +mscrl.microsoft.com, +crl.microsoft.com, +crl3.digicert.com +``` ++Name the third file *AzureMonitorAddresses.csv*. This file should contain all addresses and IP ranges to be made available for metrics and monitoring via Azure Monitor, if you're using Azure monitor. The values in the following example are for demonstration purposes only. For up-to-date values, see [IP addresses used by Azure Monitor](../../azure-monitor/ip-addresses.md). ++```CSV +name,type,address,tag +40.114.241.141,ip-netmask,40.114.241.141/32,AzureMonitor +104.45.136.42,ip-netmask,104.45.136.42/32,AzureMonitor +40.84.189.107,ip-netmask,40.84.189.107/32,AzureMonitor +168.63.242.221,ip-netmask,168.63.242.221/32,AzureMonitor +52.167.221.184,ip-netmask,52.167.221.184/32,AzureMonitor +live.applicationinsights.azure.com,fqdn,live.applicationinsights.azure.com,AzureMonitor +rt.applicationinsights.microsoft.com,fqdn,rt.applicationinsights.microsoft.com,AzureMonitor +rt.services.visualstudio.com,fqdn,rt.services.visualstudio.com,AzureMonitor ++``` ++## Authenticate into Palo Alto ++Next you'll need to authenticate into Palo Alto and obtain an API key. For more information, see [Get Your API Key](https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/get-your-api-key.html) in the Palo Alto documentation. ++The following example uses PowerShell to authenticate and generate request headers that will be used later in this article: ++```powershell +$username=<username for PaloAlto> +$password=<password for PaloAlto> +$authResponse = irm "https://${PaloAltoIpAddress}/api/?type=keygen&user=${username}&password=${password}" -SkipCertificateCheck +$paloAltoHeaders = @{'X-PAN-KEY' = $authResponse.response.result.key; 'Content-Type' = 'application/json' } +``` ++## Delete existing service group ++If you've made prior configuration attempts, you should reset these configurations and delete any security rule and service group. ++Delete the security rule using the [Security Rule REST API](https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/get-started-with-the-pan-os-rest-api/create-security-policy-rule-rest-api.html), as shown in the following example: ++```powershell +$url = "https://${PaloAltoIpAddress}/restapi/v9.1/Policies/SecurityRules?location=vsys&vsys=vsys1&name=${paloAltoSecurityPolicyName}" +Invoke-RestMethod -Method Delete -Uri $url -Headers $paloAltoHeaders -SkipCertificateCheck +``` ++Delete the service group as shown in the following example: ++```powershell +$url = "https://${PaloAltoIpAddress}/restapi/v9.1/Objects/ServiceGroups?location=vsys&vsys=vsys1&name=${paloAltoServiceGroupName}" +Invoke-RestMethod -Method Delete -Uri $url -Headers $paloAltoHeaders -SkipCertificateCheck +``` ++Delete each Palo Alto service (as defined in *AzureSpringAppsServices.csv*) as shown in the following example: ++```powershell +Get-Content .\AzureSpringAppsServices.csv | ConvertFrom-Csv | select name | ForEach-Object { + $url = "https://${PaloAltoIpAddress}/restapi/v9.1/Objects/Services?location=vsys&vsys=vsys1&name=${_}" + Invoke-RestMethod -Method Delete -Uri $url -Headers $paloAltoHeaders -SkipCertificateCheck +} +``` ++## Create a service and service group ++To automate the creation of services based on the *AzureSpringAppsServices.csv* file you created earlier, use the following example. ++```powershell +# Define a function to create and submit a Palo Alto service creation request +function New-PaloAltoService { + [CmdletBinding()] + param ( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [PSCustomObject] + $ServiceObject + ) + PROCESS { + $requestBody = @{ + 'entry' = @{ + '@name' = $ServiceObject.name + 'protocol' = @{ + $ServiceObject.protocol = @{ + 'port' = $ServiceObject.port + 'override' = @{ + 'no' = @{} + } ++ } + } + 'tag' = @{ + 'member' = @($ServiceObject.tag) + } + } + } ++ # Some rules in the CSV may need to conain source ports or descriptions. If these are present, populate them in the request + if ($ServiceObject.description) { + $requestBody.entry.description = $ServiceObject.description + } + if ($ServiceObject.'source-port') { + $requestBody.entry.protocol."$($ServiceObject.protocol)".'source-port' = $ServiceObject.'source-port' + } ++ # Send the request + $name = $requestBody.entry.'@name' + $url = "https://${PaloAltoIpAddress}/restapi/v9.1/Objects/Services?location=vsys&vsys=vsys1&name=${name}" + Invoke-RestMethod -Method Post -Uri $url -SkipCertificateCheck -Headers $paloAltoHeaders -Body (ConvertTo-Json -WarningAction Ignore $requestBody -Depth 9) -Verbose + } +} ++# Now invoke that function for every row in AzureSpringAppsServices.csv +Get-Content ./AzureSpringAppsServices.csv | ConvertFrom-Csv | New-PaloAltoService +``` ++Next, create a Service Group for these services, as shown in the following example: ++```powershell +# Create a function to consume service definitions and submit a service group creation request +function New-PaloAltoServiceGroup { + [CmdletBinding()] + param ( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [PSCustomObject[]] + $RuleData, ++ [Parameter(Mandatory = $true)] + [string] + $ServiceGroupName + ) + begin { + [array] $names = @() + } ++ process { + $names += $RuleData.name + } ++ end { + $requestBody = @{ 'entry' = [ordered] @{ + '@name' = $ServiceGroupName + 'members' = @{ 'member' = $names } + 'tag' = @{ 'member' = 'AzureSpringApps' } + } + } ++ $url = "https://${PaloAltoIpAddress}/restapi/v9.1/Objects/ServiceGroups?location=vsys&vsys=vsys1&name=${ServiceGroupName}" ++ Invoke-RestMethod -Method Post -Uri $url -SkipCertificateCheck -Headers $paloAltoHeaders -Body (ConvertTo-Json $requestBody) -Verbose + } +} ++# Run that function for all services in AzureSpringAppsServices.csv. +Get-Content ./AzureSpringAppsServices.csv | ConvertFrom-Csv | New-PaloAltoServiceGroup -ServiceGroupName 'AzureSpringApps_SG' +``` ++## Create custom URL categories ++Next, define custom URL categories for the service group to enable egress from Azure Spring Apps, as shown in the following example. ++```powershell +# Read Service entries from CSV to enter into Palo Alto +$csvImport = Get-Content ${PSScriptRoot}/AzureSpringAppsUrls.csv | ConvertFrom-Csv ++# Convert name column of CSV to add to the Custom URL Group in Palo Alto +$requestBody = @{ 'entry' = [ordered] @{ + '@name' = 'AzureSpringApps_SG' + 'list' = @{ 'member' = $csvImport.name } + 'type' = 'URL List' + } +} | ConvertTo-Json -Depth 9 ++$url = "https://${PaloAltoIpAddress}/restapi/v9.1/Objects/CustomURLCategories?location=vsys&vsys=vsys1&name=AzureSpringApps_SG" ++try { + $existingObject = Invoke-RestMethod -Method Get -Uri $url -SkipCertificateCheck -Headers $paloAltoHeaders + Invoke-RestMethod -Method Delete -Uri $url -SkipCertificateCheck -Headers $paloAltoHeaders +} +catch { +} ++Invoke-RestMethod -Method Post -Uri $url -SkipCertificateCheck -Headers $paloAltoHeaders -Body $requestBody -Verbose +``` ++## Create a security rule ++Next, create a JSON file to contain a security rule. Name the file *SecurityRule.json* and add the following content. The names of the two zones `Trust` and `UnTrust` match the zone names described earlier in the [Configure Palo Alto](#configure-palo-alto) section. The `service/member` entry contains the name of the service group created in the previous steps. ++```json +{ + "entry": [ + { + "@name": "AzureSpringAppsRule", + "@location": "vsys", + "@vsys": "vsys1", + "to": { + "member": [ + "UnTrust" + ] + }, + "from": { + "member": [ + "Trust" + ] + }, + "source-user": { + "member": [ + "any" + ] + }, + "application": { + "member": [ + "any" + ] + }, + "service": { + "member": [ + "AzureSpringApps_SG" + ] + }, + "hip-profiles": { + "member": [ + "any" + ] + }, + "action": "allow", + "category": { + "member": [ + "any" + ] + }, + "source": { + "member": [ + "any" + ] + }, + "destination": { + "member": [ + "any" + ] + } + } + ] +} +``` ++Now, apply this rule to Palo Alto, as shown in the following example. ++```powershell +$url = "https://${PaloAltoIpAddress}/restapi/v9.1/Policies/SecurityRules?location=vsys&vsys=vsys1&name=AzureSpringAppsRule" ++# Delete the rule if it already exists +try { + $getResult = Invoke-RestMethod -Headers $paloAltoHeaders -Method Get -SkipCertificateCheck -Uri $url -Verbose + if ($getResult.'@status' -eq 'success') { + Invoke-RestMethod -Method Delete -Headers $paloAltoHeaders -SkipCertificateCheck -Uri $url + } +} +catch {} ++# Create the rule from the JSON file +Invoke-WebRequest -Uri $url -Method Post -Headers $paloAltoHeaders -Body (Get-Content SecurityRule.json) -SkipCertificateCheck +``` ++## Create Azure Monitor addresses ++Next, use the *AzureMonitorAddresses.csv* file to define Address objects in Palo Alto. The following example code shows you how to automate this task. ++```powershell +Get-Content ./AzureMonitorAddresses.csv | ConvertFrom-Csv | ForEach-Object { + $requestBody = @{ 'entry' = [ordered]@{ + '@name' = $_.name + $_.type = $_.address + 'tag' = @{ 'member' = @($_.tag) } + } + } ++ $name = $requestBody.entry.'@name' + $url = "https://${PaloAltoIpAddress}/restapi/v9.1/Objects/Addresses?location=vsys&vsys=vsys1&name=${name}" ++ # Delete the address if it already exists + try { + Invoke-RestMethod -Method Delete -Uri $url -SkipCertificateCheck -Headers $paloAltoHeaders + } + catch { + } ++ # Create the address + Invoke-RestMethod -Method Post -Uri $url -SkipCertificateCheck -Headers $paloAltoHeaders -Body (ConvertTo-Json -WarningAction Ignore $requestBody -Depth 3) -Verbose +} +``` ++## Commit changes to Palo Alto ++You must commit some of the changes above so they'll become active. You can do this with the following REST API call. ++```powershell +$url = "https://${PaloAltoIpAddress}/api/?type=commit&cmd=<commit></commit>" +Invoke-RestMethod -Method Get -Uri $url -SkipCertificateCheck -Headers $paloAltoHeaders +``` ++## Configure the Security Rules for Azure Spring Apps subnets ++Next, add network security rules to enable traffic from Palo Alto to access Azure Spring Apps. The following examples reference the spoke Network Security Groups (NSGs) created by the Reference Architecture: `nsg-spokeapp` and `nsg-spokeruntime`. ++Run the following Azure CLI commands in a PowerShell window to create the necessary network security rule for each of these NSGs, where `$PaloAltoAddressPrefix` is the Classless Inter-Domain Routing (CIDR) address of Palo Alto's private IPs. ++```azurecli +az network nsg rule create ` + --resource-group $ResourceGroupName ` + --name 'allow-palo-alto' ` + --nsg-name 'nsg-spokeapp' ` + --access Allow ` + --source-address-prefixes $PaloAltoAddressPrefix ` + --priority 1000 +az network nsg rule create ` + --resource-group $ResourceGroupName ` + --name 'allow-palo-alto' ` + --nsg-name 'nsg-spokeruntime' ` + --access Allow ` + --source-address-prefixes $PaloAltoAddressPrefix ` + --priority 1000 +``` ++## Configure the next hop ++After you've configured Palo Alto, configure Azure Spring Apps to have Palo Alto as its next hop for outbound internet access. You can use the following Azure CLI commands in a PowerShell window for this configuration. Be sure to provide values for the following variables: ++* `$AppResourceGroupName`: The name of the resource group containing your Azure Spring Apps. +* `$AzureSpringAppsServiceSubnetRouteTableName`: The name of the Azure Spring Apps service/runtime subnet route table. In the reference architecture, this is set to `rt-spokeruntime`. +* `$AzureSpringAppsAppSubnetRouteTableName`: The name of the Azure Spring Apps app subnet route table. In the reference architecture, this is set to `rt-spokeapp`. ++```azurecli +az network route-table route create ` + --resource-group ${AppResourceGroupName} ` + --name default ` + --route-table-name ${AzureSpringAppsServiceSubnetRouteTableName} ` + --address-prefix 0.0.0.0/0 ` + --next-hop-type VirtualAppliance ` + --next-hop-ip-address ${PaloAltoIpAddress} ` + --verbose ++az network route-table route create ` + --resource-group ${AppResourceGroupName} ` + --name default ` + --route-table-name ${AzureSpringAppsAppSubnetRouteTableName} ` + --address-prefix 0.0.0.0/0 ` + --next-hop-type VirtualAppliance ` + --next-hop-ip-address ${PaloAltoIpAddress} ` + --verbose +``` ++Your configuration is now complete. ++## Next steps ++* [Stream Azure Spring Apps app logs in real-time](./how-to-log-streaming.md) +* [Application Insights Java In-Process Agent in Azure Spring Apps](./how-to-application-insights.md) +* [Automate application deployments to Azure Spring Apps](./how-to-cicd.md) |
spring-apps | How To Configure Planned Maintenance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-configure-planned-maintenance.md | + + Title: How to configure planned maintenance for Azure Spring Apps +description: Describes how to configure planned maintenance for Azure Spring Apps. ++++ Last updated : 11/07/2023+++# How to configure planned maintenance (preview) ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ❌ Standard consumption and dedicated (Preview) ✔️ Basic/Standard ✔️ Enterprise ++This article describes how to configure planned maintenance in Azure Spring Apps. ++Routine maintenance is necessary to keep the Azure Spring Apps platform up-to-date and secure. The maintenance, also called auto patching, includes security updates, bug fixes, new features, or performance improvements. Auto patching can be performed on components managed by Azure Spring Apps to support your Java applications, including JDK, APM, base OS image, managed middleware, and runtime infrastructure. For the maintenance to take effect, your applications restart within the maintenance window you specify, but the service quality and uptime guarantees continue to apply during this time. ++## Configure maintenance for Azure Spring Apps ++### [Azure portal](#tab/Azure-portal) ++Use the following steps to configure planned maintenance in Azure Spring Apps: ++1. Go to the service **Overview** page and select **Planned Maintenance**. ++ :::image type="content" source="media/how-to-configure-planned-maintenance/maintenance-section.png" alt-text="Screenshot of Azure portal that shows the Azure Spring Apps sidebar with Planned Maintenance highlighted."::: ++1. Select **Choose your preferred time** to specify detailed configuration for the maintenance window. ++ :::image type="content" source="media/how-to-configure-planned-maintenance/maintenance-checkbox.png" alt-text="Screenshot of the Azure portal that shows the Planned maintenance page with the Choose your preferred time checkbox highlighted."::: ++1. Select **Day of the week** to schedule the maintenance. ++ :::image type="content" source="media/how-to-configure-planned-maintenance/maintenance-week.png" alt-text="Screenshot of Azure portal that shows the Planned maintenance page with the Day of week option highlighted."::: ++1. Select **Start time of upgrade**. ++ :::image type="content" source="media/how-to-configure-planned-maintenance/maintenance-time.png" alt-text="Screenshot of Azure portal that shows the Planned maintenance page with the Start time of upgrade option highlighted."::: ++1. Select **Apply** to submit your configuration for planned maintenance. ++### [Azure CLI](#tab/azure-cli) ++Use the following command to configure planned maintenance: ++```azurecli +az spring update \ + --resource-group <resource-group-name> \ + --name <Azure-Spring-Apps-instance-name> \ + --enable-planned-maintenance \ + --planned-maintenance-day $DAY_OF_WEEK \ + --planned-maintenance-start-hour $START_HOUR +``` ++++Updating the configuration can take a few minutes. You get a notification when the configuration is complete. ++> [!NOTE] +> If you don't configure planned maintenance, the maintenance takes place at a time chosen by the service team, with the best effort to minimize business risks for most customers. ++## Manage maintenance notification ++Notifications and messages are sent out before and during the maintenance. The following table describes the message types and time details: ++| Sequence number | Message type | Channel | Time the message is sent out | +|--|--||--| +| 1 | Release note | Activity Log | At the end of the release rollout. | +| 2 | Maintenance announcement | Planned Maintenance | Two weeks before the first available maintenance window. | +| 3 | Start of maintenance window | Activity Log | At the start of the execution of the entire maintenance. | +| 4 | Changelog of components | Activity Log | At the end of upgrade for each managed component. | +| 5 | End of maintenance window | Activity Log | At the end of the execution of the entire maintenance. | +| 6 | Feature update | What's New article | After the new feature becomes available to the customers. | ++## Manage maintenance frequency ++Currently, Azure Spring Apps performs one regular planned maintenance to upgrade the underlying infrastructure every three months. For a detailed maintenance timeline, check the notifications on the [Azure Service Health](https://azure.microsoft.com/get-started/azure-portal/service-health) page. ++## Best practices ++- When you configure planned maintenance for multiple service instances in the same region, the maintenance takes place within the same week. For example, if maintenance for cluster A is set on Monday and cluster B on Sunday, then cluster A is maintained before cluster B, in the same week. +- If you have two service instances that span across [Azure paired regions](../../availability-zones/cross-region-replication-azure.md#azure-paired-regions), the maintenance takes place in different weeks for such service instances, but there's no guarantee which region is maintained first. Follow each maintenance announcement for the exact information. +- The length of the time window for the planned maintenance is fixed to 8 hours. For example, if the start time is set to 10:00, then the maintenance job is executed at any time between 10:00 and 18:00. The service team tries its best to finish the maintenance within this time window, but sometimes it might take longer. +- You can't exempt a maintenance job regardless of how or whether planned maintenance is configured. If you have special requests for a maintenance time that can't be met with this feature, open a support ticket. ++## Next steps ++- [Analyze logs and metrics with diagnostics settings](./diagnostic-services.md) |
spring-apps | How To Connect To App Instance For Troubleshooting | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-connect-to-app-instance-for-troubleshooting.md | + + Title: Connect to an app instance for troubleshooting +description: Learn how to connect to an app instance in Azure Spring Apps for troubleshooting. ++++ Last updated : 12/06/2022++++# Connect to an app instance for troubleshooting ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article describes how to access the shell environment inside your application instances to do advanced troubleshooting. ++Although Azure Spring Apps offers various managed troubleshooting approaches, you may want to do advanced troubleshooting using the shell environment. For example, you may want to accomplish the following troubleshooting tasks: ++- Directly use Java Development Kit (JDK) tools. +- Diagnose against an app’s back-end services for network connection and API call latency for both virtual-network and non-virtual-network instances. +- Diagnose storage capacity, performance, and CPU/memory issues. ++## Prerequisites ++- [Azure CLI](/cli/azure/install-azure-cli) with the Azure Spring Apps extension. Use the following command to remove previous versions and install the latest extension. If you previously installed the `spring-cloud` extension, uninstall it to avoid configuration and version mismatches. ++ ```azurecli + az extension remove --name spring + az extension add --name spring + az extension remove --name spring-cloud + ``` ++- A deployed application in Azure Spring Apps. +- If you've deployed a custom container, a shell program. The default is `/bin/sh`. ++## Assign an Azure role ++Before connecting to an app instance, you must be granted the role *Azure Spring Apps Connect Role*. Connecting to an app instance requires the data action permission `Microsoft.AppPlatform/Spring/apps/deployments/connect/action`. ++You can assign an Azure role using the Azure portal or Azure CLI. ++### [Azure portal](#tab/azure-portal) ++Use the following steps to assign an Azure role using the Azure portal. ++1. Open the [Azure portal](https://portal.azure.com). +1. Open your existing Azure Spring Apps service instance. +1. Select **Access Control (IAM)** from the left menu. +1. Select **Add** in the command bar, and then select **Add role assignment**. ++ :::image type="content" source="media/how-to-connect-to-app-instance-for-troubleshooting/add-role-assignment.png" alt-text="Screenshot of the Access Control(IAM) page showing the Add role assignment command." lightbox="media/how-to-connect-to-app-instance-for-troubleshooting/add-role-assignment.png"::: ++1. Search for **Azure Spring Apps Connect Role** in the list, and then select **Next**. ++ :::image type="content" source="media/how-to-connect-to-app-instance-for-troubleshooting/connect-role.png" alt-text="Screenshot of the Add role assignment page showing the Azure Spring Apps Connect Role." lightbox="media/how-to-connect-to-app-instance-for-troubleshooting/connect-role.png"::: ++1. Select **Select members**, and then search for your username. ++1. Select **Review + assign**. ++### [Azure CLI](#tab/azure-cli) ++Use the following command to assign the *Azure Spring Apps Connect Role* role using the Azure CLI: ++```azurecli +az role assignment create \ + --role 'Azure Spring Apps Connect Role' \ + --scope '<service-instance-resource-id>' \ + --assignee '<your-identity>' +``` ++> [!NOTE] +> The role assignment may take several minutes. ++++## Connect to an app instance ++You can connect to an app instance using the Azure portal or Azure CLI. ++### [Azure portal](#tab/azure-portal) ++Use the following steps to connect to an app instance using the Azure portal. ++1. Open the [Azure portal](https://portal.azure.com). +1. Open your existing Azure Spring Apps service instance. +1. Select **Apps** from left the menu, then select one of your apps. +1. Select **Console** from the left menu. +1. Select an application instance. ++ :::image type="content" source="media/how-to-connect-to-app-instance-for-troubleshooting/console-instance.png" alt-text="Screenshot of the Azure portal Console page showing an app instance." lightbox="media/how-to-connect-to-app-instance-for-troubleshooting/console-instance.png"::: ++1. Select or input a shell to run in the container. ++ :::image type="content" source="media/how-to-connect-to-app-instance-for-troubleshooting/console-shell.png" alt-text="Screenshot of the Azure portal Console page showing a Custom Shell entry." lightbox="media/how-to-connect-to-app-instance-for-troubleshooting/console-shell.png"::: ++1. Select **Connect**. ++ :::image type="content" source="media/how-to-connect-to-app-instance-for-troubleshooting/console-connect.png" alt-text="Screenshot of the Azure portal Console page showing the Connect command." lightbox="media/how-to-connect-to-app-instance-for-troubleshooting/console-connect.png"::: ++### [Azure CLI](#tab/azure-cli) ++If your app contains only one instance, use the following command to connect to the instance using the Azure CLI: ++```azurecli +az spring app connect \ + --service <your-service-instance> \ + --resource-group <your-resource-group> \ + --name <app-name> +``` ++Otherwise, use the following command to specify the instance: ++```azurecli +az spring app connect \ + --service <your-service-instance> \ + --resource-group <your-resource-group> \ + --name <app-name> \ + --instance <instance_name> +``` ++Use the following command to specify another deployment of the app: ++```azurecli +az spring app connect \ + --service <your-service-instance> \ + --resource-group <your-resource-group> \ + --name <app-name> \ + --deployment green +``` ++By default, Azure Spring Apps launches the app instance with `/bin/sh` bundled in the base image of the container. Use the following command to switch to another bundled shell such as `/bin/bash`: ++```azurecli +az spring app connect \ + --service <your-service-instance> \ + --resource-group <your-resource-group> \ + --name <app-name> \ + --shell-cmd /bin/bash +``` ++If your app is deployed with a custom image and shell, you can also use the `--shell-cmd` parameter to specify your shell. ++++## Troubleshoot your app instance ++After you connect to an app instance, you can check the status of the heap memory. ++Use the following command to find the Java process ID, which is usually `1`: ++```azurecli +jps +``` ++The output should look like the following example: +++Then use the following command to run the JDK tool to check the result: ++```azurecli +jstat -gc 1 +``` ++The output should look like the following example: +++## Disconnect from your app instance ++When you're done troubleshooting, use the `exit` command to disconnect from the app instance, or press `Ctrl+d`. ++## Troubleshooting tools ++The following list describes some of the pre-installed tools that you can use for troubleshooting: ++- `lsof` - Lists open files. +- `top` - Displays system summary information and current utilization. +- `ps` - Gets a snapshot of the running process. +- `netstat` - Prints network connections and interface statistics. +- `nslookup` - Queries internet name servers interactively. +- `ping` - Tests whether a network host can be reached. +- `nc` - Reads from and writes to network connections using TCP or UDP. +- `wget` - Lets you download files and interact with REST APIs. +- `df` - Displays the amount of available disk space. ++You can also use JDK-bundled tools such as `jps`, `jcmd`, and `jstat`. ++The following list shows the tools available, which depend on your service plan and type of app deployment: ++- Source Code, JAR, and artifacts deployment: + - Basic, Standard, and Standard Consumption & Dedicated Plan: + - Common tools - Yes + - JDK tools - Yes, for Java workloads only. + - Enterprise Plan: + - Common tools - Depends on which OS Stack you've chosen in your [builder](./how-to-enterprise-build-service.md#builders). Yes, for full OS Stack. No, for base OS Stack. + - JDK tools - Yes, for Java workloads only. +- Custom image deployment: Depends on the installed tool set in your image. ++> [!NOTE] +> JDK tools aren't included in the path for the *source code* deployment type. Run `export PATH="$PATH:/layers/tanzu-buildpacks_microsoft-openjdk/jdk/bin"` before running any JDK commands. ++## Limitations ++Using the shell environment inside your application instances has the following limitations: ++- Because the app is running as a non-root user, you can't execute some actions requiring root permission. For example, you can't install new tools by using the system package manager `apt / yum`. ++- Because some Linux capabilities are prohibited, tools that require special privileges, such as `tcpdump`, don't work. ++## Next steps ++- [Self-diagnose and solve problems in Azure Spring Apps](./how-to-self-diagnose-solve.md) |
spring-apps | How To Create User Defined Route Instance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-create-user-defined-route-instance.md | + + Title: Control egress traffic for an Azure Spring Apps instance +description: Learn how to control egress traffic for an Azure Spring Apps instance. ++++ Last updated : 01/17/2023++++# Control egress traffic for an Azure Spring Apps instance ++**This article applies to:** ✔️ Java ✔️ C# ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article describes how to secure outbound traffic from your applications hosted in Azure Spring Apps. The article provides an example of a user-defined route. A user-defined route is an advanced feature that lets you fully control egress traffic. You can use a user-defined route in scenarios such as disallowing an Azure Spring Apps autogenerated public IP address. ++## Prerequisites ++- All prerequisites for [deploying Azure Spring Apps in a virtual network](how-to-deploy-in-azure-virtual-network.md) +- An API version of `2022-09-01 preview` or later +- [Azure CLI version 1.1.7 or later](/cli/azure/install-azure-cli) +- Familiarity with information in the following articles: + - [Deploy Azure Spring Apps in a virtual network](how-to-deploy-in-azure-virtual-network.md) + - [Customer responsibilities for running Azure Spring Apps in a virtual network](vnet-customer-responsibilities.md) + - [Customize Azure Spring Apps egress with a user-defined route](concept-outbound-type.md) ++## Create a virtual network by using a user-defined route ++The following illustration shows an example of an Azure Spring Apps virtual network that uses a user-defined route (UDR). +++This diagram illustrates the following features of the architecture: ++- Public ingress traffic must flow through firewall filters. +- Each Azure Spring Apps instance is isolated within a dedicated subnet. +- Customers own and manage the firewall. +- This structure ensures that the firewall enables a healthy environment for all the functions you need. +- Azure Spring Apps doesn't automatically generate public IP resources. ++### Define environment variables ++The following example shows how to define a set of environment variables to be used in resource creation: ++```bash +export PREFIX="asa-egress" +export RG="${PREFIX}-rg" +export LOC="eastus" +export ASANAME="${PREFIX}" +export VNET_NAME="${PREFIX}-vnet" +export ASA_APP_SUBNET_NAME="asa-app-subnet" +export ASA_SERVICE_RUNTIME_SUBNET_NAME="asa-service-runtime-subnet" +# Do not change FWSUBNET_NAME. This is currently a requirement for Azure Firewall. +export FWSUBNET_NAME="AzureFirewallSubnet" +export FWNAME="${PREFIX}-fw" +export FWPUBLICIP_NAME="${PREFIX}-fwpublicip" +export FWIPCONFIG_NAME="${PREFIX}-fwconfig" +export APP_ROUTE_TABLE_NAME="${PREFIX}-app-rt" +export SERVICE_RUNTIME_ROUTE_TABLE_NAME="${PREFIX}-service-runtime-rt" +export FWROUTE_NAME="${PREFIX}-fwrn" +export ASA_NAME="${PREFIX}-instance" +``` ++### Create a virtual network with multiple subnets ++This section shows you how to provision a virtual network with three separate subnets: one for the user apps, one for the service runtime, and one for the firewall. ++First create a resource group, as shown in the following example: ++```azurecli +# Create a resource group. ++az group create --name $RG --location $LOC +``` ++Then create a virtual network with three subnets to host the Azure Spring Apps and Azure Firewall instances, as shown in the following example: ++```azurecli +# Dedicated virtual network with an Azure Spring Apps app subnet. ++az network vnet create \ + --resource-group $RG \ + --name $VNET_NAME \ + --location $LOC \ + --address-prefixes 10.42.0.0/16 \ + --subnet-name $ASA_APP_SUBNET_NAME \ + --subnet-prefix 10.42.1.0/24 ++# Dedicated subnet for the Azure Spring Apps service runtime subnet. ++az network vnet subnet create \ + --resource-group $RG \ + --vnet-name $VNET_NAME \ + --name $ASA_SERVICE_RUNTIME_SUBNET_NAME\ + --address-prefix 10.42.2.0/24 ++# Dedicated subnet for Azure Firewall. (Firewall name can't be changed.) ++az network vnet subnet create \ + --resource-group $RG \ + --vnet-name $VNET_NAME \ + --name $FWSUBNET_NAME \ + --address-prefix 10.42.3.0/24 +``` ++### Set up an Azure Firewall instance with a user-defined route ++Use the following command to create and set up an Azure Firewall instance with a user-defined route, and to configure Azure Firewall outbound rules. The firewall lets you configure granular egress traffic rules from Azure Spring Apps. ++> [!IMPORTANT] +> If your cluster or application creates a large number of outbound connections directed to the same destination or to a small subset of destinations, you might require more firewall front-end IP addresses to avoid reaching the maximum ports per front-end IP address. For more information on how to create an Azure Firewall instance with multiple IP addresses, see [Quickstart: Create an Azure Firewall instance with multiple public IP addresses - ARM template](../../firewall/quick-create-multiple-ip-template.md). Create a Standard SKU public IP resource for use as the Azure Firewall front-end address. ++```azurecli +az network public-ip create \ + --resource-group $RG \ + --name $FWPUBLICIP_NAME -l $LOC \ + --sku "Standard" +``` ++The following example shows how to install the Azure Firewall preview CLI extension and deploy Azure Firewall: ++```azurecli +# Install the Azure Firewall preview CLI extension. ++az extension add --name azure-firewall ++# Deploy Azure Firewall. ++az network firewall create \ + --resource-group $RG \ + --name $FWNAME -l $LOC \ + --enable-dns-proxy true +``` ++The following example shows how to assign the IP address that you created to the firewall front end. ++> [!NOTE] +> Setting up the public IP address to the Azure Firewall instance might take a few minutes. To use a fully qualified domain name (FQDN) on network rules, enable a DNS proxy. After you enable the proxy, the firewall listens on port 53 and forwards DNS requests to the specified DNS server. The firewall can then translate the FQDN automatically. ++```azurecli +# Configure the firewall IP address. ++az network firewall ip-config create \ + --resource-group $RG \ + --firewall-name $FWNAME \ + --name $FWIPCONFIG_NAME \ + --public-ip-address $FWPUBLICIP_NAME \ + --vnet-name $VNET_NAME +``` ++When the operation is finished, save the firewall's front-end IP address for configuration later, as shown in the following example: ++```azurecli +# Capture the firewall IP address for later use. ++export FWPUBLIC_IP=$(az network public-ip show \ + --resource-group $RG \ + --name $FWPUBLICIP_NAME \ + --query "ipAddress" \ + --output tsv) +export FWPRIVATE_IP=$(az network firewall show \ + --resource-group $RG \ + --name $FWNAME \ + --query "ipConfigurations[0].privateIPAddress" \ + --output tsv | tr -d '[:space:]') +``` ++### Create a user-defined route with a hop to Azure Firewall ++Azure automatically routes traffic between Azure subnets, virtual networks, and on-premises networks. If you want to change the default routing in Azure, create a route table. ++The following example shows how to create a route table to be associated with a specified subnet. The route table defines the next hop, as in the Azure Firewall instance that you created. Each subnet can have one route table associated with it, or it might have no associated route table. ++```azurecli +# Create a user-defined route and add a route for Azure Firewall. ++az network route-table create \ + --resource-group $RG -l $LOC \ + --name $APP_ROUTE_TABLE_NAME +az network route-table route create \ + --resource-group $RG \ + --name $FWROUTE_NAME \ + --route-table-name $APP_ROUTE_TABLE_NAME \ + --address-prefix 0.0.0.0/0 \ + --next-hop-type VirtualAppliance \ + --next-hop-ip-address $FWPRIVATE_IP +az network route-table create \ + --resource-group $RG -l $LOC \ + --name $SERVICE_RUNTIME_ROUTE_TABLE_NAME +az network route-table route create \ + --resource-group $RG \ + --name $FWROUTE_NAME \ + --route-table-name $SERVICE_RUNTIME_ROUTE_TABLE_NAME \ + --address-prefix 0.0.0.0/0 \ + --next-hop-type VirtualAppliance \ + --next-hop-ip-address $FWPRIVATE_IP +``` ++### Add firewall rules ++The following example shows how to add rules to your firewall. For more information, see [Customer responsibilities for running Azure Spring Apps in a virtual network](vnet-customer-responsibilities.md). ++```azurecli +# Add firewall network rules. ++az network firewall network-rule create \ + --resource-group $RG \ + --firewall-name $FWNAME \ + --collection-name 'asafwnr' \ + --name 'springcloudtcp' \ + --protocols 'TCP' \ + --source-addresses '*' \ + --destination-addresses "AzureCloud" \ + --destination-ports 443 445 \ + --action allow \ + --priority 100 ++# Add firewall application rules. ++az network firewall application-rule create \ + --resource-group $RG \ + --firewall-name $FWNAME \ + --collection-name 'aksfwar'\ + --name 'fqdn' \ + --source-addresses '*' \ + --protocols 'https=443' \ + --fqdn-tags "AzureKubernetesService" \ + --action allow \ + --priority 100 +``` ++### Associate route tables with subnets ++To associate the cluster with the firewall, make sure that the dedicated subnet for the cluster references the route table that you created. App and service runtime subnets must be associated with corresponding route tables. The following example shows how to associate a route table with a subnet: ++```azurecli +# Associate the route table with a next hop to the firewall for the Azure Spring Apps subnet. ++az network vnet subnet update \ + --resource-group $RG \ + --vnet-name $VNET_NAME \ + --name $ASA_APP_SUBNET_NAME \ + --route-table $APP_ROUTE_TABLE_NAME ++az network vnet subnet update + --resource-group $RG \ + --vnet-name $VNET_NAME \ + --name $ASA_SERVICE_RUNTIME_SUBNET_NAME \ + --route-table $SERVICE_RUNTIME_ROUTE_TABLE_NAME +``` ++### Add a role for an Azure Spring Apps resource provider ++The following example shows how to add a role for the Azure Spring Apps resource provider. The role is assigned to all users identified by the string `e8de9221-a19c-4c81-b814-fd37c6caf9d2`: ++```azurecli +export VIRTUAL_NETWORK_RESOURCE_ID=$(az network vnet show \ + --name $VNET_NAME \ + --resource-group $RG \ + --query "id" \ + --output tsv) ++az role assignment create \ + --role "Owner" \ + --scope ${VIRTUAL_NETWORK_RESOURCE_ID} \ + --assignee e8de9221-a19c-4c81-b814-fd37c6caf9d2 ++export APP_ROUTE_TABLE_RESOURCE_ID=$(az network route-table show \ + --name $APP_ROUTE_TABLE_NAME \ + --resource-group $RG \ + --query "id" \ + --output tsv) + +az role assignment create \ + --role "Owner" \ + --scope ${APP_ROUTE_TABLE_RESOURCE_ID} \ + --assignee e8de9221-a19c-4c81-b814-fd37c6caf9d2 + +export SERVICE_RUNTIME_ROUTE_TABLE_RESOURCE_ID=$(az network route-table show \ + --name $SERVICE_RUNTIME_ROUTE_TABLE_NAME \ + --resource-group $RG \ + --query "id" \ + --output tsv) + +az role assignment create \ + --role "Owner" \ + --scope ${SERVICE_RUNTIME_ROUTE_TABLE_RESOURCE_ID} \ + --assignee e8de9221-a19c-4c81-b814-fd37c6caf9d2 +``` ++### Create an Azure Spring Apps instance with user-defined routing ++The following example shows how to create an Azure Spring Apps instance with user-defined routing: ++```azurecli +az spring create \ + --name $ASA_NAME \ + --resource-group $RG \ + --vnet $VNET_NAME \ + --app-subnet $ASA_APP_SUBNET_NAME \ + --service-runtime-subnet $ASA_SERVICE_RUNTIME_SUBNET_NAME \ + --outbound-type userDefinedRouting +``` ++You can now access the public IP address of the firewall from the internet. The firewall routes traffic into Azure Spring Apps subnets according to your routing rules. ++## Next steps ++- [Troubleshooting Azure Spring Apps in virtual networks](troubleshooting-vnet.md) +- [Customer responsibilities for running Azure Spring Apps in a virtual network](vnet-customer-responsibilities.md) |
spring-apps | How To Custom Domain | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-custom-domain.md | + + Title: Map an existing custom domain to Azure Spring Apps +description: Learn how to map an existing custom Distributed Name Service (DNS) name to Azure Spring Apps +++ Last updated : 03/19/2020+++++# Map an existing custom domain to Azure Spring Apps ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Java ✔️ C# ++**This article applies to:** ✔️ Standard ✔️ Enterprise ++Domain Name Service (DNS) is a technique for storing network node names throughout a network. This article maps a domain, such as `www.contoso.com`, using a CNAME record. It secures the custom domain with a certificate and shows how to enforce Transport Layer Security (TLS), also known as Secure Sockets Layer (SSL). ++Certificates encrypt web traffic. These TLS/SSL certificates can be stored in Azure Key Vault. ++## Prerequisites ++- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin. +- (Optional) [Azure CLI](/cli/azure/install-azure-cli) version 2.45.0 or higher. Use the following command to install the Azure Spring Apps extension: `az extension add --name spring` +- An application deployed to Azure Spring Apps (see [Quickstart: Launch an existing application in Azure Spring Apps using the Azure portal](./quickstart.md), or use an existing app). If your application is deployed using the Basic plan, be sure to upgrade to the Standard plan. +- A domain name with access to the DNS registry for a domain provider, such as GoDaddy. +- A private certificate (that is, your self-signed certificate) from a third-party provider. The certificate must match the domain. +- A deployed instance of Azure Key Vault. For more information, see [About Azure Key Vault](../../key-vault/general/overview.md). ++## Key Vault private link considerations ++The IP addresses for Azure Spring Apps management aren't yet part of the Azure Trusted Microsoft services. Therefore, to enable Azure Spring Apps to load certificates from a Key Vault protected with private endpoint connections, you must add the following IP addresses to Azure Key Vault firewall: ++- `20.99.204.111` +- `20.201.9.97` +- `20.74.97.5` +- `52.235.25.35` +- `20.194.10.0` +- `20.59.204.46` +- `104.214.186.86` +- `52.153.221.222` +- `52.160.137.39` +- `20.39.142.56` +- `20.199.190.222` +- `20.79.64.6` +- `20.211.128.96` +- `52.149.104.144` +- `20.197.121.209` +- `40.119.175.77` +- `20.108.108.22` +- `102.133.143.38` +- `52.226.244.150` +- `20.84.171.169` +- `20.93.48.108` +- `20.75.4.46` +- `20.78.29.213` +- `20.106.86.34` +- `20.193.151.132` ++## Import certificate ++### Prepare your certificate file in PFX (optional) ++Azure Key Vault supports importing private certificate in PEM and PFX format. If the PEM file you obtained from your certificate provider doesn't work in the [Save certificate in Key Vault](#save-certificate-in-key-vault) section, follow the steps here to generate a PFX for Azure Key Vault. ++#### Merge intermediate certificates ++If your certificate authority gives you multiple certificates in the certificate chain, you need to merge the certificates in order. ++To do this task, open each certificate you received in a text editor. ++Create a file for the merged certificate, called _mergedcertificate.crt_. In a text editor, copy the content of each certificate into this file. The order of your certificates should follow the order in the certificate chain, beginning with your certificate and ending with the root certificate. It looks like the following example: ++```crt +--BEGIN CERTIFICATE-- +<your entire Base64 encoded SSL certificate> +--END CERTIFICATE-- ++--BEGIN CERTIFICATE-- +<The entire Base64 encoded intermediate certificate 1> +--END CERTIFICATE-- ++--BEGIN CERTIFICATE-- +<The entire Base64 encoded intermediate certificate 2> +--END CERTIFICATE-- ++--BEGIN CERTIFICATE-- +<The entire Base64 encoded root certificate> +--END CERTIFICATE-- +``` ++#### Export certificate to PFX ++Export your merged TLS/SSL certificate with the private key that your certificate request was generated with. ++If you generated your certificate request using OpenSSL, then you have created a private key file. To export your certificate to PFX, run the following command. Replace the placeholders _<private-key-file>_ and _<merged-certificate-file>_ with the paths to your private key and your merged certificate file. ++```bash +openssl pkcs12 -export -out myserver.pfx -inkey <private-key-file> -in <merged-certificate-file> +``` ++When prompted, define an export password. Use this password when uploading your TLS/SSL certificate to Azure Key Vault later. ++If you used IIS or _Certreq.exe_ to generate your certificate request, install the certificate to your local machine, and then [export the certificate to PFX](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754329(v=ws.11)). ++### Save certificate in Key Vault ++The procedure to import a certificate requires the PEM or PFX encoded file to be on disk and you must have the private key. ++#### [Azure portal](#tab/Azure-portal) ++Use the following steps to upload your certificate to key vault: ++1. Go to your key vault instance. +1. In the navigation pane, select **Certificates**. +1. On the upper menu, select **Generate/import**. +1. On the **Create a certificate** page, select **Import** for **Method of Certificate Creation**, and then provide a value for **Certificate Name**. +1. Under **Upload Certificate File**, navigate to certificate location and select it. +1. Under **Password**, if you're uploading a password protected certificate file, provide that password here. Otherwise, leave it blank. Once the certificate file is successfully imported, key vault removes that password. +1. Select **Create**. ++ :::image type="content" source="./media/how-to-custom-domain/import-certificate-a.png" alt-text="Screenshot of the Create a certificate pane." lightbox="./media/how-to-custom-domain/import-certificate-a.png"::: ++#### [Azure CLI](#tab/Azure-CLI) ++Use the following command to import a certificate: ++```azurecli +az keyvault certificate import \ + --file <path-to-pfx-or-pem-file> \ + --name <certificate-name> \ + --vault-name <key-vault-name> \ + --password <password-if-needed> +``` ++++### Grant Azure Spring Apps access to your key vault ++You need to grant Azure Spring Apps access to your key vault before you import the certificate. ++#### [Azure portal](#tab/Azure-portal) ++use the following steps to grant access using the Azure portal: ++1. Go to your key vault instance. +1. In the navigation pane, select **Access policies**. +1. On the upper menu, select **Create**. +1. Fill in the info, and select **Add** button, then **Create** access police. ++| Secret permission | Certificate permission | Select principal | +|-||--| +| Get, List | Get, List | Azure Spring Apps Domain-Management | ++ > [!NOTE] + > If you don't find the "Azure Spring Apps Domain-Management", search for "Azure Spring Cloud Domain-Management". ++ :::image type="content" source="./media/how-to-custom-domain/import-certificate-b.png" alt-text="Screenshot of the Azure portal showing the Add Access Policy page for a key vault with Get and List selected from Secret permissions and from Certificate permissions." lightbox="./media/how-to-custom-domain/import-certificate-b.png"::: ++ :::image type="content" source="./media/how-to-custom-domain/import-certificate-c.png" alt-text="Screenshot of the Azure portal showing the Create Access Policy page for a key vault with Azure Spring Apps Domain-management selected from the Select a principal dropdown." lightbox="./media/how-to-custom-domain/import-certificate-c.png"::: ++#### [Azure CLI](#tab/Azure-CLI) ++Use the following command to grant Azure Spring Apps read access to key vault: ++```azurecli +az keyvault set-policy \ + --resource-group <key-vault-resource-group-name> \ + --name <key-vault-name> \ + --object-id 938df8e2-2b9d-40b1-940c-c75c33494239 \ + --certificate-permissions get list \ + --secret-permissions get list +``` ++++### Import certificate to Azure Spring Apps ++#### [Azure portal](#tab/Azure-portal) ++1. Go to your Azure Spring Apps instance. +1. From the navigation pane, select **TLS/SSL settings**. +1. Select **Import key vault certificate**. ++ :::image type="content" source="./media/how-to-custom-domain/import-certificate.png" alt-text="Screenshot of the Azure portal showing the TLS/SSL settings page for an Azure Spring Apps instance, with the Import key vault certificate button highlighted." lightbox="./media/how-to-custom-domain/import-certificate.png"::: ++1. On the **Select certificate from Azure** page, select the **Subscription**, **Key Vault**, and **Certificate** from the drop-down options, and then choose **Select**. ++ :::image type="content" source="./media/how-to-custom-domain/select-certificate-from-key-vault.png" alt-text="Screenshot of the Azure portal showing the Select certificate from Azure page." lightbox="./media/how-to-custom-domain/select-certificate-from-key-vault.png"::: ++1. On the opened **Set certificate name** page, enter your certificate name, select **Enable auto sync** if needed, and then select **Apply**. For more information, see the [Auto sync certificate](#auto-sync-certificate) section. ++ :::image type="content" source="./media/how-to-custom-domain/set-certificate-name.png" alt-text="Screenshot of the Set certificate name dialog box."::: ++1. When you have successfully imported your certificate, it displays in the list of **Private Key Certificates**. ++ :::image type="content" source="./media/how-to-custom-domain/key-certificates.png" alt-text="Screenshot of a private key certificate."::: ++#### [Azure CLI](#tab/Azure-CLI) ++Use the following command to add a certificate: ++```azurecli +az spring certificate add \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <cert-name> \ + --vault-uri <key-vault-uri> \ + --vault-certificate-name <key-vault-cert-name> \ + --enable-auto-sync false +``` ++To enable certificate auto sync, include the `--enable-auto-sync true` setting when you add the certificate, as shown in the following example. For more information, see the [Auto sync certificate](#auto-sync-certificate) section. ++```azurecli +az spring certificate add \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <cert-name> \ + --vault-uri <key-vault-uri> \ + --vault-certificate-name <key-vault-cert-name> \ + --enable-auto-sync true +``` ++Use the following command to show a list of imported certificates: ++```azurecli +az spring certificate list \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> +``` ++++> [!IMPORTANT] +> To secure a custom domain with this certificate, be sure to bind the certificate to the specific domain. For more information, see the [Add SSL binding](#add-ssl-binding) section. ++### Auto sync certificate ++A certificate stored in Azure Key Vault sometimes gets renewed before it expires. Similarly, your organization's security policies for certificate management might require your DevOps team to replace certificates with new ones regularly. After you enable auto sync for a certificate, Azure Spring Apps starts to sync your key vault for a new version regularly - usually every 24 hours. If a new version is available, Azure Spring Apps imports it, and then reloads it for various components using the certificate without causing any downtime. The following list shows the affected components and relevant scenarios: ++- App + - Custom domain +- [VMware Spring Cloud Gateway](./how-to-configure-enterprise-spring-cloud-gateway.md) + - Custom domain +- [API portal for VMware Tanzu](./how-to-use-enterprise-api-portal.md) + - Custom domain +- [VMware Tanzu Application Accelerator](./how-to-use-accelerator.md) + - Connecting to a Git repository with a self-signed certificate. +- [Application Configuration Service for Tanzu](./how-to-enterprise-application-configuration-service.md) + - Connecting to a Git repository with a self-signed certificate. ++When Azure Spring Apps imports or reloads a certificate, an activity log is generated. To see the activity logs, navigate to your Azure Spring Apps instance in the Azure portal and select **Activity log** in the navigation pane. ++> [!NOTE] +> The certificate auto sync feature works with private certificates and public certificates imported from Azure Key Vault. This feature is unavailable for content certificates, which the customer uploads. ++You can enable or disable the certificate auto sync feature when you import a certificate from your key vault to Azure Spring Apps. For more information, see the [Import certificate to Azure Spring Apps](#import-certificate-to-azure-spring-apps) section. ++You can also enable or disable this feature for a certificate that has already been imported to Azure Spring Apps. ++#### [Azure portal](#tab/Azure-portal) ++Use the following steps to enable or disable auto sync for an imported certificate: ++1. Go to the list of **Private Key Certificates** or **Public Key Certificates**. ++1. Select the ellipsis (**...**) button after the **Auto sync** column, and then select either **Enable auto sync** or **Disable auto sync**. ++ :::image type="content" source="./media/how-to-custom-domain/edit-auto-sync.png" alt-text="Screenshot of the Azure portal that shows a certificate list with the ellipsis button menu open and the Enable auto sync option selected." lightbox="./media/how-to-custom-domain/edit-auto-sync.png"::: ++#### [Azure CLI](#tab/Azure-CLI) ++Use the following command to enable auto sync for an imported certificate: ++```azurecli +az spring certificate update \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <cert-name> \ + --enable-auto-sync true +``` ++Use the following command to disable auto sync for an imported certificate: ++```azurecli +az spring certificate update \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <cert-name> \ + --enable-auto-sync false +``` ++++## Add Custom Domain ++You can use a CNAME record to map a custom DNS name to Azure Spring Apps. ++> [!NOTE] +> The A record isn't supported. ++### Create the CNAME record ++Go to your DNS provider and add a CNAME record to map your domain to the `<service-name>.azuremicroservices.io`. Here, `<service-name>` is the name of your Azure Spring Apps instance. We support wildcard domain and sub domain. +After you add the CNAME, the DNS records page resembles the following example: +++## Map your custom domain to Azure Spring Apps app ++If you don't have an application in Azure Spring Apps, follow the instructions in [Quickstart: Deploy your first application to Azure Spring Apps](./quickstart.md). ++#### [Azure portal](#tab/Azure-portal) ++Go to application page. ++1. Select **Custom Domain**. +2. Then **Add Custom Domain**. ++ :::image type="content" source="./media/how-to-custom-domain/custom-domain.png" alt-text="Screenshot of a custom domain page." lightbox="./media/how-to-custom-domain/custom-domain.png"::: ++3. Type the fully qualified domain name for which you added a CNAME record, such as www.contoso.com. Make sure that Hostname record type is set to CNAME (`<service-name>.azuremicroservices.io`) +4. Select **Validate** to enable the **Add** button. +5. Select **Add**. ++ :::image type="content" source="./media/how-to-custom-domain/add-custom-domain.png" alt-text="Screenshot of the Add custom domain pane."::: ++One app can have multiple domains, but one domain can only map to one app. When you successfully mapped your custom domain to the app, it displays on the custom domain table. +++#### [Azure CLI](#tab/Azure-CLI) ++Use the following command to bind a custom domain with the app: ++```azurecli +az spring app custom-domain bind \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --domain-name <domain-name> \ + --app <app-name> ++``` ++Use the following command to show the list of custom domains: ++```azurecli +az spring app custom-domain list \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --app <app-name> +``` ++++> [!NOTE] +> A **Not Secure** label for your custom domain means that it's not yet bound to an SSL certificate. Any HTTPS request from a browser to your custom domain receives an error or warning. ++## Add SSL binding ++#### [Azure portal](#tab/Azure-portal) ++In the custom domain table, select **Add ssl binding** as shown in the previous figure. ++1. Select your **Certificate** or import it. +1. Select **Save**. ++ :::image type="content" source="./media/how-to-custom-domain/add-ssl-binding.png" alt-text="Screenshot of the SSL Binding pane."::: ++#### [Azure CLI](#tab/Azure-CLI) ++Use the following command to update a custom domain of the app. ++```azurecli +az spring app custom-domain update \ + --resource-group <resource-group-name> \ + --service <service-name> \ + --domain-name <domain-name> \ + --certificate <cert-name> \ + --app <app-name> ++``` ++++After you successfully add SSL binding, the domain state is secure: **Healthy**. +++## Enforce HTTPS ++By default, anyone can still access your app using HTTP, but you can redirect all HTTP requests to the HTTPS port. ++#### [Azure portal](#tab/Azure-portal) ++In your app page, in the navigation, select **Custom Domain**. Then, set **HTTPS Only** to `Yes`. +++#### [Azure CLI](#tab/Azure-CLI) ++Use the following command to update the configurations of an app. ++```azurecli +az spring app update \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <app-name> \ + --https-only +``` ++++When the operation is complete, navigate to any of the HTTPS URLs that point to your app. Note that HTTP URLs don't work. ++## Next steps ++- [What is Azure Key Vault?](../../key-vault/general/overview.md) +- [Import a certificate](../../key-vault/certificates/certificate-scenarios.md#import-a-certificate) +- [Use TLS/SSL certificates](./how-to-use-tls-certificate.md) |
spring-apps | How To Custom Persistent Storage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-custom-persistent-storage.md | + + Title: How to enable your own persistent storage in Azure Spring Apps | Microsoft Docs +description: Learn how to bring your own storage as persistent storages in Azure Spring Apps +++ Last updated : 2/18/2022+++++# How to enable your own persistent storage in Azure Spring Apps ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Java ✔️ C# ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article shows you how to enable your own persistent storage in Azure Spring Apps. ++When you use the built-in persistent storage in Azure Spring Apps, artifacts generated by your application are uploaded into Azure Storage Accounts. Microsoft controls the encryption-at-rest and lifetime management policies for those artifacts. ++When you use your own persistent storage, artifacts generated by your application are uploaded into a storage account that you control. You control the encryption-at-rest policy, the lifetime management policy, and network access. You're responsible for the costs associated with that storage account. ++## Prerequisites ++- An existing Azure Storage Account and an existing Azure File Share. If you need to create a storage account and file share in Azure, see [Create an SMB Azure file share](../../storage/files/storage-how-to-create-file-share.md). +- [Azure CLI](/cli/azure/install-azure-cli), version 2.45.0 or higher. ++> [!IMPORTANT] +> If you deployed your Azure Spring Apps in your own virtual network and you want the storage account to be accessed only from the virtual network, see [Use private endpoints for Azure Storage](../../storage/common/storage-private-endpoints.md) and the [Grant access from a virtual network](../../storage/common/storage-network-security.md#grant-access-from-a-virtual-network) section of [Configure Azure Storage firewalls and virtual networks](../../storage/common/storage-network-security.md). ++## Mount your own extra persistent storage to applications ++> [!NOTE] +> Updating persistent storage restarts your applications. +> +> When you use virtual network integration, ensure that ports 80 and 445 are open. ++### [Azure portal](#tab/Azure-portal) ++Use the following steps to bind an Azure Storage account as a storage resource in your Azure Spring Apps and create an app with your own persistent storage. ++1. Go to the service **Overview** page, and then select **Storage** in the left-hand navigation pane. ++1. On the **Storage** page, select **Add storage**. ++ :::image type="content" source="media/how-to-custom-persistent-storage/add-storage.png" alt-text="Screenshot of Azure portal showing the Storage page." lightbox="media/how-to-custom-persistent-storage/add-storage.png"::: ++1. Enter the following information on the **Add storage** page, and then select **Apply**. ++ | Setting | Value | + |--|--| + | Storage name | The name of the storage resource, which is a service-level resource in Azure Spring Apps. | + | Account name | The name of the storage account. | + | Account key | The storage account key. | ++ :::image type="content" source="media/how-to-custom-persistent-storage/add-storage-resource.png" alt-text="Screenshot of Azure portal showing the Add storage page." lightbox="media/how-to-custom-persistent-storage/add-storage-resource.png"::: ++1. Go to the **Apps** page, and then select an application to mount the persistent storage. ++ :::image type="content" source="media/how-to-custom-persistent-storage/select-app-mount-persistent-storage.png" alt-text="Screenshot of Azure portal Apps page." lightbox="media/how-to-custom-persistent-storage/select-app-mount-persistent-storage.png"::: ++1. Select **Configuration**, and then select **Persistent Storage**. ++1. Select **Add persistent storage**. Add the values in the following table, and then select **Apply**. ++ | Setting | Value | + |-|-| + | Storage name | The name of the storage resource that you entered earlier. | + | Persistent storage type | **AzureFileVolume** | + | Share name | The name of the Azure File share in the Azure Storage account. | + | Mount path | A unique mount path. | + | Mount options | Optional | + | Read only | Optional | ++ :::image type="content" source="media/how-to-custom-persistent-storage/add-persistent-storage.png" alt-text="Screenshot of Azure portal showing the Add persistent storage page." lightbox="media/how-to-custom-persistent-storage/add-persistent-storage.png"::: ++1. Select **Save** to apply the configuration changes. ++ :::image type="content" source="media/how-to-custom-persistent-storage/save-persistent-storage-changes.png" alt-text="Screenshot of Azure portal showing the Persistent Storage tab of the Configuration page." lightbox="media/how-to-custom-persistent-storage/save-persistent-storage-changes.png"::: ++### [Azure CLI](#tab/Azure-CLI) ++Use the following steps to enable your own storage with the Azure CLI. ++1. Use the following command to bind your Azure Storage account as a storage resource in your Azure Spring Apps instance. ++ ```azurecli + az spring storage add \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <storage-resource-name> \ + --storage-type StorageAccount \ + --account-name <account-name> \ + --account-key <account-key> + ``` ++1. Use the following command to create an app with your own persistent storage. ++ ```azurecli + az spring app create \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <app-name> \ + --persistent-storage <path-to-JSON-file> + ``` ++ The following example shows a JSON file that is passed to the `--persistent-storage` parameter. ++ ```json + { + "customPersistentDisks": [ + { + "storageName": "<storage-resource-name>", + "customPersistentDiskProperties": { + "type": "AzureFileVolume", + "shareName": "<Azure-file-share-name>", + "mountPath": "<unique-mount-path>", + "mountOptions": [ + "uid=0", + "gid=0" + ], + "readOnly": false + } + }, + { + "storageName": "<storage-resource-name>", + "customPersistentDiskProperties": { + "type": "AzureFileVolume", + "shareName": "<Azure-file-share-name>", + "mountPath": "<unique-mount-path>", + "readOnly": true + } + } + ] + } + ``` ++1. Optionally, use the following command to add extra persistent storage to an existing app. ++ ```azurecli + az spring app append-persistent-storage \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <app-name> \ + --persistent-storage-type AzureFileVolume \ + --share-name <Azure-file-share-name> \ + --mount-path <unique-mount-path> \ + --storage-name <storage-resource-name> + ``` ++1. Optionally, use the following command to list the existing persistent storage of a specific storage resource. ++ ```azurecli + az spring storage list-persistent-storage \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <storage-resource-name> + ``` ++++## Best practices ++Use the following best practices when you add your own persistent storage to Azure Spring Apps. ++- To avoid potential latency issues, place the Azure Spring Apps instance and the Azure Storage Account in the same Azure region. ++- In the Azure Storage Account, avoid regenerating the account key that you're using. The storage account contains two different keys. Use a step-by-step approach to ensure that the persistent storage remains available to applications during key regeneration. ++ For example, use the following steps to ensure that the persistent storage remains available if you used *key1* to bind a storage account to Azure Spring Apps. ++ 1. Regenerate *key2*. + 1. Update the account key of the storage resource to use the regenerated *key2*. + 1. Restart the applications that mount the persistent storage from this storage resource. Use the `az spring storage list-persistent-storage` command to list all related applications. + 1. Regenerate *key1*. ++- If you delete an Azure Storage account or Azure file share, avoid possible errors by removing the corresponding storage resource or persistent storage in the applications. ++- If you'd like to write files to the same path for every individual application instance, but keep them in separate subdirectories from the perspective of the file share, you could use the *SubPath* option. Note that the *SubPath* option is incompatible with *Read only* because *SubPath* is used for writing new files and *Read only* is used for reading existing files. ++## FAQ ++This section addresses frequently asked questions about using your own persistent storage with Azure Spring Apps. ++- If I have built-in persistent storage enabled, and then I enabled my own storage as extra persistent storage, is my data migrated into my Azure Storage account? ++ *No. But we're going to provide a document to help you do the migration yourself soon.* ++- What are the reserved mount paths? ++ *Azure Spring Apps reserves the following mount paths:* ++ - */tmp* + - */persistent* + - */secrets* + - */app-insights/agents* + - */etc/azure-spring-cloud/certs* + - */app-insights/agents/settings* + - */app-lifecycle/settings* ++- What are the available mount options? ++ *We currently support the following mount options:* ++ - `uid` + - `gid` + - `file_mode` + - `dir_mode` ++ *The `mountOptions` property is optional. The default values for these mount options are: ["uid=0", "gid=0", "file_mode=0777", "dir_mode=0777"]* ++- I'm using the service endpoint to configure the storage account to allow access only from my own virtual network. Why did I receive a *Permission Denied* error when I tried to mount custom persistent storage to my applications? ++ *A service endpoint provides network access on a subnet level only. Make sure you've added both subnets used by the Azure Spring Apps instance to the scope of the service endpoint.* ++## Next steps ++- [How to use Logback to write logs to custom persistent storage](how-to-write-log-to-custom-persistent-storage.md). +- [Scale an application in Azure Spring Apps](how-to-scale-manual.md). |
spring-apps | How To Deploy In Azure Virtual Network | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-deploy-in-azure-virtual-network.md | + + Title: "Deploy Azure Spring Apps in a virtual network" +description: Deploy Azure Spring Apps in a virtual network (VNet injection). ++++ Last updated : 07/21/2020++++# Deploy Azure Spring Apps in a virtual network ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Java ✔️ C# ++**This article applies to:** ❌ Basic ✔️ Standard ✔️ Enterprise ++This tutorial explains how to deploy an Azure Spring Apps instance in your virtual network. This deployment is sometimes called VNet injection. ++The deployment enables: ++* Isolation of Azure Spring Apps apps and service runtime from the internet on your corporate network. +* Azure Spring Apps interaction with systems in on-premises data centers or Azure services in other virtual networks. +* Empowerment of customers to control inbound and outbound network communications for Azure Spring Apps. ++The following video describes how to secure Spring Boot applications using managed virtual networks. ++<br> ++> [!VIDEO https://www.youtube.com/embed/LbHD0jd8DTQ?list=PLPeZXlCR7ew8LlhnSH63KcM0XhMKxT1k_] ++> [!NOTE] +> You can select your Azure virtual network only when you create a new Azure Spring Apps service instance. You can't change to use another virtual network after Azure Spring Apps has been created. ++## Prerequisites ++Register the Azure Spring Apps resource provider `Microsoft.AppPlatform` and `Microsoft.ContainerService` according to the instructions in [Register resource provider on Azure portal](../../azure-resource-manager/management/resource-providers-and-types.md#azure-portal) or by running the following Azure CLI command: ++```azurecli +az provider register --namespace Microsoft.AppPlatform +az provider register --namespace Microsoft.ContainerService +``` ++## Virtual network requirements ++The virtual network to which you deploy your Azure Spring Apps instance must meet the following requirements: ++* Location: The virtual network must reside in the same location as the Azure Spring Apps instance. +* Subscription: The virtual network must be in the same subscription as the Azure Spring Apps instance. +* Subnets: The virtual network must include two subnets dedicated to an Azure Spring Apps instance: + * One for the service runtime. + * One for your Spring applications. + * There's a one-to-one relationship between these subnets and an Azure Spring Apps instance. Use a new subnet for each service instance you deploy. Each subnet can only include a single service instance. +* Address space: CIDR blocks up to */28* for both the service runtime subnet and the Spring applications subnet. +* Route table: By default the subnets don't need existing route tables associated. You can [bring your own route table](#bring-your-own-route-table). ++Use the following steps to set up the virtual network to contain the Azure Spring Apps instance. ++## Create a virtual network ++### [Azure portal](#tab/azure-portal) ++If you already have a virtual network to host an Azure Spring Apps instance, skip steps 1, 2, and 3. You can start from step 4 to prepare subnets for the virtual network. ++1. On the Azure portal menu, select **Create a resource**. From Azure Marketplace, select **Networking** > **Virtual network**. ++1. In the **Create virtual network** dialog box, enter or select the following information: ++ | Setting | Value | + |--|--| + | Subscription | Select your subscription. | + | Resource group | Select your resource group, or create a new one. | + | Name | Enter *azure-spring-apps-vnet*. | + | Location | Select **East US**. | ++1. Select **Next: IP Addresses**. ++1. For the IPv4 address space, enter *10.1.0.0/16*. ++1. Select **Add subnet**. Then enter *service-runtime-subnet* for **Subnet name** and enter *10.1.0.0/24* for **Subnet address range**. Then select **Add**. ++1. Select **Add subnet** again, and then enter the subnet name and subnet address range. For example, enter *apps-subnet* and *10.1.1.0/24*. Then select **Add**. ++1. Select **Review + create**. Leave the rest as defaults, and select **Create**. ++### [Azure CLI](#tab/azure-CLI) ++If you already have a virtual network to host an Azure Spring Apps instance, skip steps 1, 2, 3 and 4. You can start from step 5 to prepare subnets for the virtual network. ++1. Use the following command to define variables for your subscription, resource group, and Azure Spring Apps instance. Customize the values based on your real environment. ++ ```azurecli + export SUBSCRIPTION='<subscription-id>' + export RESOURCE_GROUP='<resource-group-name>' + export LOCATION='eastus' + export AZURE_SPRING_APPS_INSTANCE_NAME='<Azure-Spring-Apps-Instance-name>' + export VIRTUAL_NETWORK_NAME='azure-spring-apps-vnet' + ``` ++1. Use the following command to sign in to the Azure CLI and choose your active subscription. ++ ```azurecli + az login + az account set --subscription ${SUBSCRIPTION} + ``` ++1. Use the following command to create a resource group for your resources: ++ ```azurecli + az group create --name $RESOURCE_GROUP --location $LOCATION + ``` ++1. Use the following command to create the virtual network: ++ ```azurecli + az network vnet create \ + --resource-group $RESOURCE_GROUP \ + --name $VIRTUAL_NETWORK_NAME \ + --location $LOCATION \ + --address-prefix 10.1.0.0/16 + ``` ++1. Use the following command to create two subnets in this virtual network: ++ ```azurecli + az network vnet subnet create \ + --resource-group $RESOURCE_GROUP \ + --vnet-name $VIRTUAL_NETWORK_NAME \ + --address-prefixes 10.1.0.0/24 \ + --name service-runtime-subnet + az network vnet subnet create \ + --resource-group $RESOURCE_GROUP \ + --vnet-name $VIRTUAL_NETWORK_NAME \ + --address-prefixes 10.1.1.0/24 \ + --name apps-subnet + ``` ++++## Grant service permission to the virtual network ++This section shows you to grant Azure Spring Apps the [Owner](../../role-based-access-control/built-in-roles.md#owner) permission on your virtual network. This permission enables you to grant a dedicated and dynamic service principal on the virtual network for further deployment and maintenance. ++> [!NOTE] +> The minimal required permissions are [User Access Administrator](../../role-based-access-control/built-in-roles.md#user-access-administrator) and [Network Contributor](../../role-based-access-control/built-in-roles.md#network-contributor). You can grant role assignments to both of them if you can't grant `Owner` permission. +> +> If you're using your own route table or a user defined route feature, you also need to grant Azure Spring Apps the same role assignments to your route tables. For more information, see the [Bring your own route table](#bring-your-own-route-table) section and [Control egress traffic for an Azure Spring Apps instance](how-to-create-user-defined-route-instance.md). ++### [Azure portal](#tab/azure-portal) ++Use the following steps to grant permission: ++1. Select the virtual network `azure-spring-apps-vnet` you previously created. ++1. Select **Access control (IAM)**, and then select **Add** > **Add role assignment**. ++ :::image type="content" source="media/how-to-deploy-in-azure-virtual-network/access-control.png" alt-text="Screenshot of the Azure portal Access Control (IAM) page showing the Check access tab with the Add role assignment button highlighted." lightbox="media/how-to-deploy-in-azure-virtual-network/access-control.png"::: ++1. Assign the `Owner` role to the Azure Spring Apps Resource Provider. For more information, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md). ++ > [!NOTE] + > If you don't find Azure Spring Apps Resource Provider, search for *Azure Spring Cloud Resource Provider*. ++ :::image type="content" source="./media/how-to-deploy-in-azure-virtual-network/assign-owner-resource-provider.png" alt-text="Screenshot of the Azure portal showing the Access Control (IAM) page, with the Add Role Assignment pane open and search results displaying the Azure Spring Apps Resource Provider." lightbox="./media/how-to-deploy-in-azure-virtual-network/assign-owner-resource-provider.png"::: ++### [Azure CLI](#tab/azure-CLI) ++Use the following commands to grant permission: ++```azurecli +export VIRTUAL_NETWORK_RESOURCE_ID=$(az network vnet show \ + --resource-group $RESOURCE_GROUP \ + --name $VIRTUAL_NETWORK_NAME \ + --query "id" \ + --output tsv) ++az role assignment create \ + --role "Owner" \ + --scope ${VIRTUAL_NETWORK_RESOURCE_ID} \ + --assignee e8de9221-a19c-4c81-b814-fd37c6caf9d2 +``` ++The `--assignee` argument represents the service principal Azure Spring Apps uses to interact with the customer's virtual network. ++++## Deploy an Azure Spring Apps instance ++### [Azure portal](#tab/azure-portal) ++Use the following steps to deploy an Azure Spring Apps instance in the virtual network: ++1. Open the [Azure portal](https://portal.azure.com). ++1. In the top search box, search for **Azure Spring Apps**. Select **Azure Spring Apps** from the result. ++1. On the **Azure Spring Apps** page, select **Add**. ++1. Fill out the form on the Azure Spring Apps **Create** page. ++1. Select the same resource group and region as the virtual network. ++1. For **Name** under **Service Details**, select **azure-spring-apps-vnet**. ++1. Select the **Networking** tab, and select the following values: ++ | Setting | Value | + |--|-| + | Deploy in your own virtual network | Select **Yes**. | + | Virtual network | Select **azure-spring-apps-vnet**. | + | Service runtime subnet | Select **service-runtime-subnet**. | + | Spring Boot microservice apps subnet | Select **apps-subnet**. | ++ :::image type="content" source="./media/how-to-deploy-in-azure-virtual-network/creation-blade-networking-tab.png" alt-text="Screenshot of the Azure portal Azure Spring Apps Create page showing the Networking tab."::: ++1. Select **Review and create**. ++1. Verify your specifications, and select **Create**. ++ :::image type="content" source="./media/how-to-deploy-in-azure-virtual-network/verify-specifications.png" alt-text="Screenshot of the Azure portal Azure Spring Apps Create page showing the Networking section of the Review and create tab."::: ++### [Azure CLI](#tab/azure-CLI) ++To deploy an Azure Spring Apps instance in the virtual network: ++Use the following command to create your Azure Spring Apps instance, specifying the virtual network and subnets you created previously: ++```azurecli +az spring create \ + --resource-group "$RESOURCE_GROUP" \ + --name "$AZURE_SPRING_APPS_INSTANCE_NAME" \ + --vnet $VIRTUAL_NETWORK_NAME \ + --service-runtime-subnet service-runtime-subnet \ + --app-subnet apps-subnet \ + --enable-java-agent \ + --sku standard \ + --location $LOCATION +``` ++++After the deployment, two more resource groups are created in your subscription to host the network resources for the Azure Spring Apps instance. Go to **Home**, and then select **Resource groups** from the top menu items to find the following new resource groups. ++The resource group named as `ap-svc-rt_{service instance name}_{service instance region}` contains network resources for the service runtime of the service instance. +++The resource group named as `ap-app_{service instance name}_{service instance region}` contains network resources for your Spring applications of the service instance. +++Those network resources are connected to your virtual network created in the preceding image. +++> [!IMPORTANT] +> The resource groups are fully managed by the Azure Spring Apps service. Do *not* manually delete or modify any resource inside. ++## Using smaller subnet ranges ++This table shows the maximum number of app instances Azure Spring Apps supports using smaller subnet ranges. ++| App subnet CIDR | Total IPs | Available IPs | Maximum app instances | +|--|--||--| +| /28 | 16 | 8 | <p>App with 0.5 core: 192 <br/> App with one core: 96 <br/> App with two cores: 48<br/> App with three cores: 32<br/> App with four cores: 24</p> | +| /27 | 32 | 24 | <p>App with 0.5 core: 456 <br/> App with one core: 228<br/> App with two cores: 144<br/> App with three cores: 96<br/> App with four cores: 72</p> | +| /26 | 64 | 56 | <p>App with 0.5 core: 500 <br/> App with one core: 500<br/> App with two cores: 336<br/> App with three cores: 224<br/> App with four cores: 168</p> | +| /25 | 128 | 120 | <p>App with 0.5 core: 500 <br/> App with one core: 500<br/> App with two cores: 500<br/> App with three cores: 480<br> App with four cores: 360</p> | +| /24 | 256 | 248 | <p>App with 0.5 core: 500 <br/> App with one core: 500<br/> App with two cores: 500<br/> App with three cores: 500<br/> App with four cores: 500</p> | ++For subnets, Azure reserves five IP addresses, and Azure Spring Apps requires at least three IP addresses. At least eight IP addresses are required, so /29 and /30 are nonoperational. ++For a service runtime subnet, the minimum size is /28. ++> [!NOTE] +> A small subnet range impacts the underlying resource you can use for system components like ingress controller. Azure Spring Apps uses an underlying ingress controller to handle application traffic management. The number of ingress controller instances automatically increases as application traffic increases. Reserve a larger virtual network subnet IP range if application traffic could increase in the future. You typically reserve one IP addresses for traffic of 10000 requests per second. ++## Bring your own route table ++Azure Spring Apps supports using existing subnets and route tables. ++If your custom subnets don't contain route tables, Azure Spring Apps creates them for each of the subnets and adds rules to them throughout the instance lifecycle. If your custom subnets contain route tables, Azure Spring Apps acknowledges the existing route tables during instance operations and adds/updates and/or rules accordingly for operations. ++> [!WARNING] +> Custom rules can be added to the custom route tables and updated. However, rules are added by Azure Spring Apps and these must not be updated or removed. Rules such as 0.0.0.0/0 must always exist on a given route table and map to the target of your internet gateway, such as an NVA or other egress gateway. Use caution when updating rules when only your custom rules are being modified. ++### Route table requirements ++The route tables to which your custom vnet is associated must meet the following requirements: ++* You can associate your Azure route tables with your vnet only when you create a new Azure Spring Apps service instance. You can't change to use another route table after Azure Spring Apps has been created. +* Both the Spring application subnet and the service runtime subnet must associate with different route tables or neither of them. +* Permissions must be assigned before instance creation. Be sure to grant Azure Spring Apps Resource Provider the `Owner` permission (or `User Access Administrator` and `Network Contributor` permissions) on your route tables. +* You can't update the associated route table resource after cluster creation. While you can't update the route table resource, you can modify custom rules on the route table. +* You can't reuse a route table with multiple instances due to potential conflicting routing rules. ++## Using Custom DNS Servers ++Azure Spring Apps supports using custom DNS servers in your virtual network. ++If you don't specify custom DNS servers in your DNS Server Virtual Network setting, Azure Spring Apps will, by default, use the Azure DNS to resolve IP addresses. If your virtual network is configured with custom DNS settings, add Azure DNS IP `168.63.129.16` as the upstream DNS server in the custom DNS server. Azure DNS can resolve IP addresses for all the public FQDNs mentioned in [Customer responsibilities running Azure Spring Apps in a virtual network](vnet-customer-responsibilities.md). It can also resolve IP address for `*.svc.private.azuremicroservices.io` in your virtual network. ++If your custom DNS server can't add Azure DNS IP `168.63.129.16` as the upstream DNS server, use the following steps: ++* Ensure that your custom DNS server can resolve IP addresses for all the public FQDNs. For more information, see [Customer responsibilities running Azure Spring Apps in a virtual network](vnet-customer-responsibilities.md). +* Add the DNS record `*.svc.private.azuremicroservices.io` to the IP of your application. For more information, see the [Find the IP for your application](access-app-virtual-network.md#find-the-ip-for-your-application) section of [Access an app in Azure Spring Apps in a virtual network](access-app-virtual-network.md). ++## Next steps ++* [Troubleshooting Azure Spring Apps in VNET](troubleshooting-vnet.md) +* [Customer Responsibilities for Running Azure Spring Apps in VNET](vnet-customer-responsibilities.md) |
spring-apps | How To Deploy Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-deploy-powershell.md | + + Title: Create and deploy applications in Azure Spring Apps by using PowerShell +description: How to create and deploy applications in Azure Spring Apps by using PowerShell +++++ms.devlang: azurepowershell Last updated : 2/15/2022++++# Create and deploy applications by using PowerShell ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article describes how you can create an instance of Azure Spring Apps by using the [Az.SpringCloud](/powershell/module/Az.SpringCloud) PowerShell module. ++## Requirements ++The requirements for completing the steps in this article depend on your Azure subscription: ++* If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/) before you begin. +++ > [!IMPORTANT] + > While the **Az.SpringCloud** PowerShell module is in preview, you must install it by using + > the `Install-Module` cmdlet. See the following command. After this PowerShell module becomes generally available, it will be part of future Az PowerShell releases and available by default from within Azure Cloud Shell. ++ ```azurepowershell-interactive + Install-Module -Name Az.SpringCloud + ``` ++* If you have multiple Azure subscriptions, choose the appropriate subscription in which the + resources should be billed. Select a specific subscription by using the [Set-AzContext](/powershell/module/az.accounts/set-azcontext) cmdlet: ++ ```azurepowershell-interactive + Set-AzContext -SubscriptionId 00000000-0000-0000-0000-000000000000 + ``` ++## Create a resource group ++A resource group is a logical container in which Azure resources are deployed and managed as +a group. Create an [Azure resource group](../../azure-resource-manager/management/overview.md) +by using the [New-AzResourceGroup](/powershell/module/az.resources/new-azresourcegroup) +cmdlet. The following example creates a resource group with a specified name and location. ++```azurepowershell-interactive +New-AzResourceGroup -Name <resource group name> -Location eastus +``` ++## Provision a new instance ++To create a new instance of Azure Spring Apps, you use the +[New-AzSpringCloud](/powershell/module/az.springcloud/new-azspringcloud) cmdlet. The following +example creates an Azure Spring Apps service, with the name that you specified in the resource group you created previously. ++```azurepowershell-interactive +New-AzSpringCloud -ResourceGroupName <resource group name> -name <service instance name> -Location eastus +``` ++## Create a new application ++To create a new app, you use the +[New-AzSpringCloudApp](/powershell/module/az.springcloud/new-azspringcloudapp) cmdlet. The following example creates an app in Azure Spring Apps named `gateway`. ++```azurepowershell-interactive +New-AzSpringCloudApp -ResourceGroupName <resource group name> -ServiceName <service instance name> -AppName gateway +``` ++## Create a new app deployment ++To create a new app Deployment, you use the +[New-AzSpringCloudAppDeployment](/powershell/module/az.springcloud/new-azspringcloudappdeployment) +cmdlet. The following example creates an app deployment in Azure Spring Apps named `default` with an empty welcome application, for the `gateway` app. ++```azurepowershell-interactive +$welcomeApplication = New-AzSpringCloudAppDeploymentJarUploadedObject -RuntimeVersion "Java_11" +New-AzSpringCloudAppDeployment -ResourceGroupName <resource group name> -ServiceName <service instance name> -AppName gateway -Name default -Source $welcomeApplication +``` ++## Get a service and its properties ++To get an Azure Spring Apps service and its properties, you use the +[Get-AzSpringCloud](/powershell/module/az.springcloud/get-azspringcloud) cmdlet. The following +example retrieves information about the specified Azure Spring Apps service. ++```azurepowershell-interactive +Get-AzSpringCloud -ResourceGroupName <resource group name> -ServiceName <service instance name> +``` ++## Get an application ++To get an app and its properties in Azure Spring Apps, you use the +[Get-AzSpringCloudApp](/powershell/module/az.springcloud/get-azspringcloudapp) cmdlet. The following example retrieves information about the app `gateway`. ++```azurepowershell-interactive +Get-AzSpringCloudApp -ResourceGroupName <resource group name> -ServiceName <service instance name> -AppName gateway +``` ++## Get an app deployment ++To get an app deployment and its properties in Azure Spring Apps, you use the +[Get-AzSpringCloudAppDeployment](/powershell/module/az.springcloud/get-azspringcloudappdeployment) cmdlet. The following example retrieves information about the `default` Azure Spring Apps deployment. ++```azurepowershell-interactive +Get-AzSpringCloudAppDeployment -ResourceGroupName <resource group name> -ServiceName <service instance name> -AppName gateway -DeploymentName default +``` ++## Clean up resources ++If the resources created in this article aren't needed, you can delete them by running the examples shown in the following sections. ++### Delete an app deployment ++To remove an app deployment in Azure Spring Apps, you use the +[Remove-AzSpringCloudAppDeployment](/powershell/module/az.springcloud/remove-azspringcloudappdeployment) cmdlet. The following example deletes an app deployed in Azure Spring Apps named `default`, for the specified service and app. ++```azurepowershell-interactive +Remove-AzSpringCloudAppDeployment -ResourceGroupName <resource group name> -ServiceName <service instance name> -AppName gateway -DeploymentName default +``` ++### Delete an app ++To remove an app in Azure Spring Apps, you use the +[Remove-AzSpringCloudApp](/powershell/module/Az.SpringCloud/remove-azspringcloudapp) cmdlet. The following example deletes the `gateway` app in the specified service and resource group. ++```azurepowershell +Remove-AzSpringCloudApp -ResourceGroupName <resource group name> -ServiceName <service instance name> -AppName gateway +``` ++### Delete a service ++To remove an Azure Spring Apps service, you use the +[Remove-AzSpringCloud](/powershell/module/Az.SpringCloud/remove-azspringcloud) cmdlet. The following example deletes the specified Azure Spring Apps service. ++```azurepowershell +Remove-AzSpringCloud -ResourceGroupName <resource group name> -ServiceName <service instance name> +``` ++### Delete the resource group ++> [!CAUTION] +> The following example deletes the specified resource group and all resources contained within it. If resources outside the scope of this article exist in the specified resource group, they will also be deleted. ++```azurepowershell-interactive +Remove-AzResourceGroup -Name <resource group name> +``` ++## Next steps ++[Azure Spring Apps developer resources](./resources.md) |
spring-apps | How To Deploy With Custom Container Image | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-deploy-with-custom-container-image.md | + + Title: How to deploy applications in Azure Spring Apps with a custom container image +description: How to deploy applications in Azure Spring Apps with a custom container image +++++ Last updated : 4/28/2022+++# Deploy an application with a custom container image ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Standard ✔️ Enterprise ++This article explains how to deploy Spring Boot applications in Azure Spring Apps using a custom container image. Deploying an application with a custom container supports most features as when deploying a JAR application. Other Java and non-Java applications can also be deployed with the container image. ++## Prerequisites ++* A container image containing the application. +* The image is pushed to an image registry. For more information, see [Azure Container Registry](../../container-instances/container-instances-tutorial-prepare-acr.md). ++> [!NOTE] +> The web application must listen on port `1025` for the Standard plan and on port `8080` for the Enterprise plan. The way to change the port depends on the framework of the application. For example, specify `SERVER_PORT=1025` for Spring Boot applications or `ASPNETCORE_URLS=http://+:1025/` for ASP.NET Core applications. You can disable the probe for applications that don't listen on any port. For more information, see [How to configure health probes and graceful termination periods for apps hosted in Azure Spring Apps](how-to-configure-health-probes-graceful-termination.md). ++## Deploy your application ++To deploy an application to a custom container image, use the following steps: ++### [Azure CLI](#tab/azure-cli) ++To deploy a container image, use one of the following commands: ++* To deploy a container image to the public Docker Hub to an app, use the following command: ++ ```azurecli + az spring app deploy \ + --resource-group <your-resource-group> \ + --name <your-app-name> \ + --container-image <your-container-image> \ + --service <your-service-name> + ``` ++* To deploy a container image from ACR to an app, or from another private registry to an app, use the following command: ++ ```azurecli + az spring app deploy \ + --resource-group <your-resource-group> \ + --name <your-app-name> \ + --container-image <your-container-image> \ + --service <your-service-name> + --container-registry <your-container-registry> \ + --registry-password <your-password> | + --registry-username <your-username> + ``` ++To overwrite the entry point of the image, add the following two arguments to any of the above commands: ++```azurecli + --container-command "java" \ + --container-args "-jar /app.jar -Dkey=value" +``` ++To disable listening on a port for images that aren't web applications, add the following argument to the above commands: ++```azurecli + --disable-probe true +``` ++### [Portal](#tab/azure-portal) ++1. Open the [Azure portal](https://portal.azure.com). +1. Open your existing Azure Spring Apps service instance. +1. Select **Apps** from left the menu, then select **Create App**. +1. Name your app, and in the **Runtime platform** pulldown list, select **Custom Container**. ++ :::image type="content" source="media/how-to-deploy-with-custom-container-image/create-app-custom-container.png" alt-text="Screenshot of Azure portal Create App page with Runtime platform dropdown showing and Custom Container selected." lightbox="media/how-to-deploy-with-custom-container-image/create-app-custom-container.png"::: ++1. Select **Edit** under *Image*, then fill in the fields as shown in the following image: ++ :::image type="content" source="media/how-to-deploy-with-custom-container-image/custom-image-settings.png" alt-text="Screenshot of Azure portal showing the Custom Image Settings pane." lightbox="media/how-to-deploy-with-custom-container-image/custom-image-settings.png"::: ++ > [!NOTE] + > The **Commands** and **Arguments** field are optional, which are used to overwrite the `cmd` and `entrypoint` of the image. + > + > You need to also specify the **Language Framework**, which is the web framework of the container image used. Currently, only **Spring Boot** is supported. For other Java applications or non-Java (polyglot) applications, select **Polyglot**. ++1. Select **Save**, then select **Create** to deploy your application. ++++## Feature Support matrix ++The following matrix shows what features are supported in each application type. ++| Feature | Spring Boot Apps - container deployment | Polyglot Apps - container deployment | Notes | +|--|--|--|--| +| App lifecycle management | ✔️ | ✔️ | | +| Support for container registries | ✔️ | ✔️ | | +| Assign endpoint | ✔️ | ✔️ | | +| Azure Monitor | ✔️ | ✔️ | | +| APM integration | ✔️ | ✔️ | Supported by [manual installation](#install-an-apm-into-the-image-manually). | +| Blue/green deployment | ✔️ | ✔️ | | +| Custom domain | ✔️ | ✔️ | | +| Scaling - auto scaling | ✔️ | ✔️ | | +| Scaling - manual scaling (in/out, up/down) | ✔️ | ✔️ | | +| Managed identity | ✔️ | ✔️ | | +| Spring Cloud Eureka & Config Server | ✔️ | ❌ | | +| API portal for VMware Tanzu | ✔️ | ✔️ | Enterprise plan only. | +| Spring Cloud Gateway for VMware Tanzu | ✔️ | ✔️ | Enterprise plan only. | +| Application Configuration Service for VMware Tanzu | ✔️ | ❌ | Enterprise plan only. +| Application Live View for VMware Tanzu | ✔️ | ❌ | Enterprise plan only. | +| VMware Tanzu Service Registry | ✔️ | ❌ | Enterprise plan only. | +| VNET | ✔️ | ✔️ | Add registry to [allowlist in NSG or Azure Firewall](#avoid-not-being-able-to-connect-to-the-container-registry-in-a-vnet). | +| Outgoing IP Address | ✔️ | ✔️ | | +| E2E TLS | ✔️ | ✔️ | [Trust a self-signed CA](#trust-a-certificate-authority). | +| Liveness and readiness settings | ✔️ | ✔️ | | +| Advanced troubleshooting - thread/heap/JFR dump | ✔️ | ❌ | The image must include Bash and the JDK with `PATH` specified. | +| Bring your own storage | ✔️ | ✔️ | | +| Integrate service binding with Resource Connector | ✔️ | ❌ | | +| Availability Zone | ✔️ | ✔️ | | +| App Lifecycle events | ✔️ | ✔️ | | +| Reduced app size - 0.5 vCPU and 512 MB | ✔️ | ✔️ | | +| Automate app deployments with Terraform | ✔️ | ✔️ | | +| Soft Deletion | ✔️ | ✔️ | | +| Interactive diagnostic experience (AppLens-based) | ✔️ | ✔️ | | +| SLA | ✔️ | ✔️ | | ++> [!NOTE] +> Polyglot apps include non-Spring Boot Java, NodeJS, AngularJS, Python, and .NET apps. ++## Common points to be aware of when deploying with a custom container ++The following points will help you address common situations when deploying with a custom image. ++### Trust a Certificate Authority ++There are two options to trust a Certificate Authority: ++**Option 1: Upload via Azure Spring Apps** ++To load the CA certs into your apps, see [Use TLS/SSL certificates in your application in Azure Spring Apps](how-to-use-tls-certificate.md). Then the certs will be mounted into the location */etc/azure-spring-cloud/certs/public/*. ++**Option 2: Manual installation in the image** ++To trust a CA in the image, set the following variables depending on your environment: ++* You must import Java applications into the trust store by adding the following lines into your *Dockerfile*: ++ ```dockerfile + ADD EnterpriseRootCA.crt /opt/ + RUN keytool -keystore /etc/ssl/certs/java/cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias EnterpriseRootCA -file /opt/EnterpriseRootCA.crt + ``` ++* For Node.js applications, set the `NODE_EXTRA_CA_CERTS` environment variable: ++ ```dockerfile + ADD EnterpriseRootCA.crt /opt/ + ENV NODE_EXTRA_CA_CERTS="/opt/EnterpriseRootCA.crt" + ``` ++* For Python, or other languages relying on the system CA store, on Debian or Ubuntu images, add the following environment variables: ++ ```dockerfile + ADD EnterpriseRootCA.crt /usr/local/share/ca-certificates/ + RUN /usr/sbin/update-ca-certificates + ``` ++* For Python, or other languages relying on the system CA store, on CentOS or Fedora based images, add the following environment variables: ++ ```dockerfile + ADD EnterpriseRootCA.crt /etc/pki/ca-trust/source/anchors/ + RUN /usr/bin/update-ca-trust + ``` ++### Avoid unexpected behavior when images change ++When your application is restarted or scaled out, the latest image will always be pulled. If the image has been changed, the newly started application instances will use the new image while the old instances will continue to use the old image. ++> [!NOTE] +> Avoid using the `latest` tag or overwrite the image without a tag change to avoid unexpected application behavior. ++### Avoid not being able to connect to the container registry in a VNet ++If you deployed the instance to a VNet, make sure you allow the network traffic to your container registry in the NSG or Azure Firewall (if used). For more information, see [Customer responsibilities for running in VNet](./vnet-customer-responsibilities.md) to add the needed security rules. ++### Install an APM into the image manually ++The installation steps vary on different application performance monitors (APMs) and languages. The following steps are for New Relic with Java applications. You must modify the *Dockerfile* using the following steps: ++1. Download and install the agent file into the image by adding the following to the *Dockerfile*: ++ ```dockerfile + ADD newrelic-agent.jar /opt/agents/newrelic/java/newrelic-agent.jar + ``` ++1. Add the environment variables required by the APM: ++ ```dockerfile + ENV NEW_RELIC_APP_NAME=appName + ENV NEW_RELIC_LICENSE_KEY=newRelicLicenseKey + ``` ++1. Modify the image entry point by adding: `java -javaagent:/opt/agents/newrelic/java/newrelic-agent.jar` ++To install the agents for other languages, refer to the official documentation for the other agents: ++New Relic: ++* Python: [Standard Python agent install](https://docs.newrelic.com/docs/apm/agents/python-agent/installation/standard-python-agent-install/) +* Node.js: [Install the Node.js agent](https://docs.newrelic.com/docs/apm/agents/nodejs-agent/installation-configuration/install-nodejs-agent/) ++Dynatrace: ++* Python: [Instrument Python applications with OpenTelemetry](https://www.dynatrace.com/support/help/extend-dynatrace/opentelemetry/opentelemetry-traces/opentelemetry-ingest/opent-python) +* Node.js: [Instrument Node.js applications with OpenTelemetry](https://www.dynatrace.com/support/help/extend-dynatrace/opentelemetry/opentelemetry-traces/opentelemetry-ingest/opent-nodejs) ++AppDynamics: ++* Python: [Install the Python Agent](https://docs.appdynamics.com/appd/21.x/21.12/en/application-monitoring/install-app-server-agents/python-agent/install-the-python-agent) +* Node.js: [Installing the Node.js Agent](https://docs.appdynamics.com/appd/21.x/21.12/en/application-monitoring/install-app-server-agents/node-js-agent/install-the-node-js-agent#InstalltheNode.jsAgent-install_nodejsInstallingtheNode.jsAgent) ++### View the container logs ++To view the console logs of your container application, the following CLI command can be used: ++```azurecli +az spring app logs \ + --resource-group <your-resource-group> \ + --name <your-app-name> \ + --service <your-service-name> \ + --instance <your-instance-name> +``` ++To view the container events logs from the Azure Monitor, enter the query: ++```query +AppPlatformContainerEventLogs +| where App == "hw-20220317-1b" +``` +++### Scan your image for vulnerabilities ++We recommend that you use Microsoft Defender for Cloud with ACR to prevent your images from being vulnerable. For more information, see [Microsoft Defender for Cloud](../../defender-for-cloud/defender-for-containers-introduction.md?tabs=defender-for-container-arch-aks) ++### Switch between JAR deployment and container deployment ++You can switch the deployment type from JAR deployment to container deployment directly by redeploying using the following command: ++```azurecli +az spring app deploy \ + --resource-group <your-resource-group> \ + --name <your-app-name> \ + --container-image <your-container-image> \ + --service <your-service-name> +``` ++Or reversely: ++```azurecli +az spring app deploy \ + --resource-group <your-resource-group> \ + --name <your-app-name> \ + --artifact-path <your-jar-file> \ + --service <your-service-name> +``` ++### Create another deployment with an existing JAR deployment ++You can create another deployment using an existing JAR deployment using the following command: ++```azurecli +az spring app deployment create \ + --resource-group <your-resource-group> \ + --name <your-deployment-name> \ + --app <your-app-name> \ + --container-image <your-container-image> \ + --service <your-service-name> +``` ++### CI/CD ++Automating deployments using Azure Pipelines Tasks or GitHub Actions are supported now. For more information, see [Automate application deployments to Azure Spring Apps](how-to-cicd.md) and [Use Azure Spring Apps CI/CD with GitHub Actions](./how-to-github-actions.md) ++## Next steps ++* [How to capture dumps](./how-to-capture-dumps.md) |
spring-apps | How To Dump Jvm Options | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-dump-jvm-options.md | + + Title: Use the diagnostic settings of JVM options for advanced troubleshooting in Azure Spring Apps +description: Describes several best practices with JVM configuration to set heap dump, JFR, and GC logs. ++++ Last updated : 01/21/2022++++# Use the diagnostic settings of JVM options for advanced troubleshooting in Azure Spring Apps ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Java ❌ C# ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article shows you how to use diagnostic settings through JVM options to conduct advanced troubleshooting in Azure Spring Apps. ++There are several JVM-based application startup parameters related to heap dump, Java Flight Recorder (JFR), and garbage collection (GC) logs. In Azure Spring Apps, we support JVM configuration using JVM options. ++For more information on configuring JVM-based application startup parameters, see [az spring app deployment](/cli/azure/spring/app/deployment) in the Azure CLI reference documentation. The following sections provide several examples of useful values for the `--jvm-options` parameter. ++## Prerequisites ++* A deployed Azure Spring Apps service instance. Follow our [quickstart on deploying an app via the Azure CLI](./quickstart.md) to get started. +* At least one application already created in your service instance. +* Your own persistent storage as described in [How to enable your own persistent storage in Azure Spring Apps](how-to-custom-persistent-storage.md). This storage is used to save generated diagnostic files. The paths you provide in the parameter values below should be under the mount path of the persistent storage bound to your app. If you want to use a path under the mount path, be sure to create the subpath beforehand. ++## Generate a heap dump when out of memory ++Use the following `--jvm-options` parameter to generate a heap dump when you encounter an out-of-memory error. ++```azurecli +--jvm-options="-XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=<path-to-heap-dump-folder>" +``` ++As alternative to specifying the path to the heap dump folder, you can provide a specific file name. However, we highly recommend that you provide a folder path instead. If you provide a file name, the command will generate a heap dump for the first out-of-memory error only, due to the limitations of the HPROF file format. If you provide a folder path, you'll get a heap dump in a file with an autogenerated name for each out-of-memory error. ++## Generate GC logs ++Use the following `--jvm-options` parameter to generate GC logs. For more information, see the official JVM documentation. ++```azurecli +--jvm-options="-XX:+PrintGCDetails -Xloggc:<path-to-GC-log-file>" +``` ++## Generate a JFR file on exit ++Use the following `--jvm-options` parameter to generate a JFR file. For more information, see the official JVM documentation. ++```azurecli +--jvm-options="-XX:StartFlightRecording=dumponexit=true,filename=<path-to-JFR-file>" +``` ++## Configure the path for generated files ++To ensure that you can access your files, be sure that the target path of your generated file is in the persistent storage bound to your app. For example, you can use JSON similar to the following example when you create your persistent storage in Azure Spring Apps. ++```json + { + "customPersistentDisks": [ + { + "storageName": "<storage-resource-name>", + "customPersistentDiskProperties": { + "type": "AzureFileVolume", + "shareName": "<azure-file-share-name>", + "mountPath": "<unique-mount-path>", + "mountOptions": [ + "uid=0", + "gid=0" + ], + "readOnly": false + } + }, + { + "storageName": "<storage-resource-name>", + "customPersistentDiskProperties": { + "type": "AzureFileVolume", + "shareName": "<azure-file-share-name>", + "mountPath": "<unique-mount-path>", + "readOnly": true + } + } + ] + } +``` ++Alternatively, you can use the following command to append to persistent storage. ++```azurecli +az spring app append-persistent-storage \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <app-name> \ + --persistent-storage-type AzureFileVolume \ + --storage-name <storage-resource-name> \ + --share-name <azure-file-share-name> \ + --mount-path <unique-mount-path> +``` ++## Next steps ++* [Capture heap dump and thread dump manually and use Java Flight Recorder in Azure Spring Apps](how-to-capture-dumps.md) |
spring-apps | How To Elastic Diagnostic Settings | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-elastic-diagnostic-settings.md | + + Title: Analyze logs with Elastic Cloud from Azure Spring Apps +description: Learn how to analyze diagnostics logs in Azure Spring Apps using Elastic +++ Last updated : 12/07/2021+++++# Analyze logs with Elastic (ELK) using diagnostics settings ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Java ✔️ C# ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article shows you how to use the diagnostics functionality of Azure Spring Apps to analyze logs with Elastic (ELK). ++The following video introduces unified observability for Spring Boot applications using Elastic. ++<br> ++> [!VIDEO https://www.youtube.com/embed/KjmQX1SxZdA] ++## Configure diagnostics settings ++To configure diagnostics settings, use the following steps: ++1. In the Azure portal, go to your Azure Spring Apps instance. +1. Select **diagnostics settings** option, then select **Add diagnostics setting**. +1. Enter a name for the setting, choose **Send to partner solution**, then select **Elastic** and an Elastic deployment where you want to send the logs. +1. Select **Save**. +++> [!NOTE] +> There might be a gap of up to 15 minutes between when logs are emitted and when they appear in your Elastic deployment. +> If the Azure Spring Apps instance is deleted or moved, the operation won't cascade to the diagnostics settings resources. You have to manually delete the diagnostics settings resources before you perform the operation against its parent, the Azure Spring Apps instance. Otherwise, if you provision a new Azure Spring Apps instance with the same resource ID as the deleted one, or if you move the Azure Spring Apps instance back, the previous diagnostics settings resources will continue to extend it. ++## Analyze the logs with Elastic ++To learn more about deploying Elastic on Azure, see [How to deploy and manage Elastic on Microsoft Azure](https://www.elastic.co/blog/getting-started-with-the-azure-integration-enhancement). ++Use the following steps to analyze the logs: ++1. From the Elastic deployment overview page in the Azure portal, open **Kibana**. ++ :::image type="content" source="media/how-to-elastic-diagnostic-settings/elastic-on-azure-native-microsoft-azure.png" alt-text="Screenshot of Azure portal showing 'Elasticsearch (Elastic Cloud)' page with Deployment U R L / Kibana highlighted." lightbox="media/how-to-elastic-diagnostic-settings/elastic-on-azure-native-microsoft-azure.png"::: ++1. In Kibana, in the **Search** bar at top, type *Spring Cloud type:dashboard*. ++ :::image type="content" source="media/how-to-elastic-diagnostic-settings/elastic-kibana-spring-cloud-dashboard.png" alt-text="Elastic / Kibana screenshot showing 'Spring Cloud type:dashboard' search results." lightbox="media/how-to-elastic-diagnostic-settings/elastic-kibana-spring-cloud-dashboard.png"::: ++1. Select **[Logs Azure] Azure Spring Apps logs Overview** from the results. ++ :::image type="content" source="media/how-to-elastic-diagnostic-settings/elastic-kibana-asc-dashboard-full.png" alt-text="Elastic / Kibana screenshot showing Azure Spring Apps Application Console Logs." lightbox="media/how-to-elastic-diagnostic-settings/elastic-kibana-asc-dashboard-full.png"::: ++1. Search on out-of-the-box Azure Spring Apps dashboards by using the queries such as the following: ++ ```query + azure.springcloudlogs.properties.app_name : "visits-service" + ``` ++## Analyze the logs with Kibana Query Language in Discover ++Application logs provide critical information and verbose logs about your application's health, performance, and more. Use the following steps to analyze the logs: ++1. In Kibana, in the **Search** bar at top, type *Discover*, then select the result. ++ :::image type="content" source="media/how-to-elastic-diagnostic-settings/elastic-kibana-go-discover.png" alt-text="Elastic / Kibana screenshot showing 'Discover' search results." lightbox="media/how-to-elastic-diagnostic-settings/elastic-kibana-go-discover.png"::: ++1. In the **Discover** app, select the **logs-** index pattern if it's not already selected. ++ :::image type="content" source="media/how-to-elastic-diagnostic-settings/elastic-kibana-index-pattern.png" alt-text="Elastic / Kibana screenshot showing logs in the Discover app." lightbox="media/how-to-elastic-diagnostic-settings/elastic-kibana-index-pattern.png"::: ++1. Use queries such as the ones in the following sections to help you understand your application's current and past states. ++For more information about different queries, see [Guide to Kibana Query Language](https://www.elastic.co/guide/en/kibana/current/kuery-query.html). ++### Show all logs from Azure Spring Apps ++To review a list of application logs from Azure Spring Apps, sorted by time with the most recent logs shown first, run the following query in the **Search** box: ++```query +azure_log_forwarder.resource_type : "Microsoft.AppPlatform/Spring" +``` +++### Show specific log types from Azure Spring Apps ++To review a list of application logs from Azure Spring Apps, sorted by time with the most recent logs shown first, run the following query in the **Search** box: ++```query +azure.springcloudlogs.category : "ApplicationConsole" +``` +++### Show log entries containing errors or exceptions ++To review unsorted log entries that mention an error or exception, run the following query: ++```query +azure_log_forwarder.resource_type : "Microsoft.AppPlatform/Spring" and (log.level : "ERROR" or log.level : "EXCEPTION") +``` +++The Kibana Query Language helps you form queries by providing autocomplete and suggestions to help you gain insights from the logs. Use your query to find errors, or modify the query terms to find specific error codes or exceptions. ++### Show log entries from a specific service ++To review log entries that are generated by a specific service, run the following query: ++```query +azure.springcloudlogs.properties.service_name : "sa-petclinic-service" +``` +++### Show Config Server logs containing warnings or errors ++To review logs from Config Server, run the following query: ++```query +azure.springcloudlogs.properties.type : "ConfigServer" and (log.level : "ERROR" or log.level : "WARN") +``` +++### Show Service Registry logs ++To review logs from Service Registry, run the following query: ++```query +azure.springcloudlogs.properties.type : "ServiceRegistry" +``` +++## Visualizing logs from Azure Spring Apps with Elastic ++Kibana allows you to visualize data with Dashboards and a rich ecosystem of visualizations. For more information, see [Dashboard and Visualization](https://www.elastic.co/guide/en/kibana/current/dashboard.html). ++Use the following steps to show the various log levels in your logs so you can assess the overall health of the services. ++1. From the available fields list on left in **Discover**, search for *log.level* in the search box under the **logs-** index pattern. ++1. Select the **log.level** field. From the floating informational panel about **log.level**, select **Visualize**. ++ :::image type="content" source="media/how-to-elastic-diagnostic-settings/elastic-kibana-asc-visualize.png" alt-text="Elastic / Kibana screenshot showing Discover app showing log levels." lightbox="media/how-to-elastic-diagnostic-settings/elastic-kibana-asc-visualize.png"::: ++1. From here, you can choose to add more data from the left pane, or choose from multiple suggestions how you would like to visualize your data. ++ :::image type="content" source="media/how-to-elastic-diagnostic-settings/elastic-kibana-visualize-lens.png" alt-text="Elastic / Kibana screenshot showing Discover app showing visualization options." lightbox="media/how-to-elastic-diagnostic-settings/elastic-kibana-visualize-lens.png"::: ++## Next steps ++* [Quickstart: Deploy your first Spring Boot app in Azure Spring Apps](quickstart.md) +* [Deploy Elastic on Azure](https://www.elastic.co/blog/getting-started-with-the-azure-integration-enhancement) |
spring-apps | How To Enable Ingress To App Tls | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-enable-ingress-to-app-tls.md | + + Title: Enable ingress-to-app Transport Layer Security in Azure Spring Apps ++description: How to enable ingress-to-app Transport Layer Security for an application. ++++ Last updated : 04/12/2022+++# Enable ingress-to-app TLS for an application ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ❌ Basic ✔️ Standard ✔️ Enterprise ++> [!NOTE] +> This feature is not available in the Basic plan. ++This article describes secure communications in Azure Spring Apps. The article also explains how to enable ingress-to-app SSL/TLS to secure traffic from an ingress controller to applications that support HTTPS. ++The following picture shows the overall secure communication support in Azure Spring Apps. +++## Secure communication model within Azure Spring Apps ++This section explains the secure communication model shown in the overview diagram above. ++1. The client request from the client to the application in Azure Spring Apps comes into the ingress controller. The request can be either HTTP or HTTPS. The TLS certificate returned by the ingress controller is issued by the Microsoft Azure TLS issuing CA. ++ If the app has been mapped to an existing custom domain and is configured as HTTPS only, the request to the ingress controller can only be HTTPS. The TLS certificate returned by the ingress controller is the SSL binding certificate for that custom domain. The server side SSL/TLS verification for the custom domain is done in the ingress controller. ++1. The secure communication between the ingress controller and the applications in Azure Spring Apps are controlled by the ingress-to-app TLS. You can also control the communication through the portal or CLI, which will be explained later in this article. If ingress-to-app TLS is disabled, the communication between the ingress controller and the apps in Azure Spring Apps is HTTP. If ingress-to-app TLS is enabled, the communication will be HTTPS and has no relation to the communication between the clients and the ingress controller. The ingress controller won't verify the certificate returned from the apps because the ingress-to-app TLS encrypts the communication. ++1. Communication between the apps and the Azure Spring Apps services is always HTTPS and handled by Azure Spring Apps. Such services include config server, service registry, and Eureka server. ++1. You manage the communication between the applications. You can also take advantage of Azure Spring Apps features to load certificates into the application's trust store. For more information, see [Use TLS/SSL certificates in an application](./how-to-use-tls-certificate.md). ++1. You manage the communication between applications and external services. To reduce your development effort, Azure Spring Apps helps you manage your public certificates and loads them into your application's trust store. For more information, see [Use TLS/SSL certificates in an application](./how-to-use-tls-certificate.md). ++## Enable ingress-to-app TLS for an application ++The following section shows you how to enable ingress-to-app SSL/TLS to secure traffic from an ingress controller to applications that support HTTPS. ++### Prerequisites ++- A deployed Azure Spring Apps instance. Follow our [quickstart on deploying via the Azure CLI](./quickstart.md) to get started. +- If you're unfamiliar with ingress-to-app TLS, see the [end-to-end TLS sample](https://github.com/Azure-Samples/spring-boot-secure-communications-using-end-to-end-tls-ssl). +- To securely load the required certificates into Spring Boot apps, you can use [spring-cloud-azure-starter-keyvault-certificates](https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/spring/spring-cloud-azure-starter-keyvault-certificates). ++### Enable ingress-to-app TLS on an existing app ++Use the command `az spring app update --enable-ingress-to-app-tls` to enable or disable ingress-to-app TLS for an app. ++```azurecli +az spring app update --enable-ingress-to-app-tls -n app_name -s service_name -g resource_group_name +az spring app update --enable-ingress-to-app-tls false -n app_name -s service_name -g resource_group_name +``` ++### Enable ingress-to-app TLS when you bind a custom domain ++Use the command `az spring app custom-domain update --enable-ingress-to-app-tls` or `az spring app custom-domain bind --enable-ingress-to-app-tls` to enable or disable ingress-to-app TLS for an app. ++```azurecli +az spring app custom-domain update --enable-ingress-to-app-tls -n app_name -s service_name -g resource_group_name +az spring app custom-domain bind --enable-ingress-to-app-tls -n app_name -s service_name -g resource_group_name +``` ++### Enable ingress-to-app TLS using the Azure portal ++To enable ingress-to-app TLS in the [Azure portal](https://portal.azure.com/), first create an app, and then enable the feature. ++1. Create an app in the portal as you normally would. Navigate to it in the portal. +2. Scroll down to the **Settings** group in the left navigation pane. +3. Select **Ingress-to-app TLS**. +4. Switch **Ingress-to-app TLS** to *Yes*. +++### Verify ingress-to-app TLS status ++Use the command `az spring app show` to check the value of `enableEndToEndTls`. ++```azurecli +az spring app show -n app_name -s service_name -g resource_group_name +``` ++## Next steps ++[Access Config Server and Service Registry](../basic-standard/how-to-access-data-plane-azure-ad-rbac.md) |
spring-apps | How To Enable System Assigned Managed Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-enable-system-assigned-managed-identity.md | + + Title: Enable system-assigned managed identity for applications in Azure Spring Apps ++description: How to enable system-assigned managed identity for applications. ++++ Last updated : 04/15/2022++zone_pivot_groups: spring-apps-tier-selection +++# Enable system-assigned managed identity for an application in Azure Spring Apps ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article shows you how to enable and disable system-assigned managed identities for an application in Azure Spring Apps, using the Azure portal and CLI. ++Managed identities for Azure resources provide an automatically managed identity in Microsoft Entra ID to an Azure resource such as your application in Azure Spring Apps. You can use this identity to authenticate to any service that supports Microsoft Entra authentication, without having credentials in your code. ++## Prerequisites ++If you're unfamiliar with managed identities for Azure resources, see [What are managed identities for Azure resources?](/entra/identity/managed-identities-azure-resources/overview) +++- An already provisioned Azure Spring Apps Enterprise plan instance. For more information, see [Quickstart: Build and deploy apps to Azure Spring Apps using the Enterprise plan](quickstart-deploy-apps-enterprise.md). +- [Azure CLI version 2.45.0 or higher](/cli/azure/install-azure-cli). +- [!INCLUDE [install-app-user-identity-extension](includes/install-app-user-identity-extension.md)] ++++- An already provisioned Azure Spring Apps instance. For more information, see [Quickstart: Deploy your first application to Azure Spring Apps](./quickstart.md). +- [Azure CLI version 2.45.0 or higher](/cli/azure/install-azure-cli). +- [!INCLUDE [install-app-user-identity-extension](includes/install-app-user-identity-extension.md)] +++## Add a system-assigned identity ++Creating an app with a system-assigned identity requires setting another property on the application. ++### [Portal](#tab/azure-portal) ++To set up a managed identity in the portal, first create an app, and then enable the feature. ++1. Create an app in the portal as you normally would. Navigate to it in the portal. +2. Scroll down to the **Settings** group in the left navigation pane. +3. Select **Identity**. +4. Within the **System assigned** tab, switch **Status** to *On*. Select **Save**. +++### [Azure CLI](#tab/azure-cli) ++You can enable system-assigned managed identity during app creation or on an existing app. ++### Enable system-assigned managed identity during creation of an app ++The following example creates an app named *app_name* with a system-assigned managed identity, as requested by the `--assign-identity` parameter. ++```azurecli +az spring app create \ + --resource-group <resource-group-name> \ + --name <app-name> \ + --service <service-instance-name> \ + --system-assigned +``` ++### Enable system-assigned managed identity on an existing app** ++Use `az spring app identity assign` command to enable the system-assigned identity on an existing app. ++```azurecli +az spring app identity assign \ + --resource-group <resource-group-name> \ + --name <app-name> \ + --service <service-instance-name> \ + --system-assigned +``` ++++## Obtain tokens for Azure resources ++An app can use its managed identity to get tokens to access other resources protected by Microsoft Entra ID, such as Azure Key Vault. These tokens represent the application accessing the resource, not any specific user of the application. ++You may need to [configure the target resource to allow access from your application](/entra/identity/managed-identities-azure-resources/howto-assign-access-portal). For example, if you request a token to access Key Vault, make sure you have added an access policy that includes your application's identity. Otherwise, your calls to Key Vault are rejected, even if they include the token. To learn more about which resources support Microsoft Entra tokens, see [Azure services that can use managed identities to access other services](/entra/identity/managed-identities-azure-resources/managed-identities-status). ++Azure Spring Apps shares the same endpoint for token acquisition with Azure Virtual Machine. We recommend using Java SDK or spring boot starters to acquire a token. For various code and script examples and guidance on important topics such as handling token expiration and HTTP errors, see [How to use managed identities for Azure resources on an Azure VM to acquire an access token](/entra/identity/managed-identities-azure-resources/how-to-use-vm-token). ++## Disable system-assigned identity from an app ++Removing a system-assigned identity also deletes it from Microsoft Entra ID. Deleting the app resource automatically removes system-assigned identities from Microsoft Entra ID. ++### [Portal](#tab/azure-portal) ++Use the following steps to remove system-assigned managed identity from an app that no longer needs it: ++1. Sign in to the portal using an account associated with the Azure subscription that contains the Azure Spring Apps instance. +1. Navigate to the desired application and select **Identity**. +1. Under **System assigned**/**Status**, select **Off** and then select **Save**: +++### [Azure CLI](#tab/azure-cli) ++To remove system-assigned managed identity from an app that no longer needs it, use the following command: ++```azurecli +az spring app identity remove \ + --resource-group <resource-group-name> \ + --name <app-name> \ + --service <service-instance-name> \ + --system-assigned +``` ++++## Get the client ID from the object ID (principal ID) ++Use the following command to get the client ID from the object/principal ID value: ++```azurecli +az ad sp show --id <object-ID> --query appId +``` ++++## Next steps ++* [What are managed identities for Azure resources?](/entra/identity/managed-identities-azure-resources/overview) +* [How to use managed identities with Java SDK](https://github.com/Azure-Samples/azure-spring-apps-samples) |
spring-apps | How To Enterprise Application Configuration Service | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-enterprise-application-configuration-service.md | + + Title: Use Application Configuration Service for Tanzu with the Azure Spring Apps Enterprise plan ++description: Learn how to use Application Configuration Service for Tanzu with the Azure Spring Apps Enterprise plan. ++++ Last updated : 02/09/2022++++# Use Application Configuration Service for Tanzu ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ❌ Basic/Standard ✔️ Enterprise ++This article shows you how to use Application Configuration Service for VMware Tanzu with the Azure Spring Apps Enterprise plan. ++[Application Configuration Service for VMware Tanzu](https://docs.vmware.com/en/Application-Configuration-Service-for-VMware-Tanzu/2.0/acs/GUID-overview.html) is one of the commercial VMware Tanzu components. It enables the management of Kubernetes-native `ConfigMap` resources that are populated from properties defined in one or more Git repositories. ++With Application Configuration Service, you have a central place to manage external properties for applications across all environments. To understand the differences from Spring Cloud Config Server in the Basic and Standard plans, see the [Use Application Configuration Service for external configuration](./how-to-migrate-standard-tier-to-enterprise-tier.md#use-application-configuration-service-for-external-configuration) section of [Migrate an Azure Spring Apps Basic or Standard plan instance to the Enterprise plan](./how-to-migrate-standard-tier-to-enterprise-tier.md). ++Application Configuration Service is offered in two versions: Gen1 and Gen2. The Gen1 version mainly serves existing customers for backward compatibility purposes, and is supported only until April 30, 2024. New service instances should use Gen2. The Gen2 version uses [flux](https://fluxcd.io/) as the backend to communicate with Git repositories, and provides better performance compared to Gen1. ++The following table shows the subcomponent relationships: ++| Application Configuration Service generation | Subcomponents | +| -- | | +| Gen1 | `application-configuration-service` | +| Gen2 | `application-configuration-service` <br/> `flux-source-controller` | ++The following table shows some benchmark data for your reference. However, the Git repository size is a key factor with significant impact on the performance data. We recommend that you store only the necessary configuration files in the Git repository in order to keep it small. ++| Application Configuration Service generation | Duration to refresh under 100 patterns | Duration to refresh under 250 patterns | Duration to refresh under 500 patterns | +|-|-|-|-| +| Gen1 | 330 s | 840 s | 1500 s | +| Gen2 | 13 s | 100 s | 378 s | ++Gen2 also provides more security verifications when you connect to a remote Git repository. Gen2 requires a secure connection if you're using HTTPS, and verifies the correct host key and host algorithm when using an SSH connection. ++You can choose the version of Application Configuration Service when you create an Azure Spring Apps Enterprise service instance. The default version is Gen1. You can also upgrade to Gen2 after the instance is created, but downgrade isn't supported. The upgrade is zero downtime, but we still recommend that you to test in a staging environment before moving to a production environment. ++## Prerequisites ++- An already provisioned Azure Spring Apps Enterprise plan instance with Application Configuration Service enabled. For more information, see [Quickstart: Build and deploy apps to Azure Spring Apps using the Enterprise plan](quickstart-deploy-apps-enterprise.md). ++## Manage Application Configuration Service settings ++Application Configuration Service supports Azure DevOps, GitHub, GitLab, and Bitbucket for storing your configuration files. ++To manage the service settings, open the **Settings** section and add a new entry under the **Repositories** section. +++The following table describes the properties for each entry. ++| Property | Required? | Description | +||--|-| +| `Name` | Yes | A unique name to label each Git repository. | +| `Patterns` | Yes | Patterns to search in Git repositories. For each pattern, use a format such as *{application}* or *{application}/{profile}* rather than *{application}-{profile}.yml*. Separate the patterns with commas. For more information, see the [Pattern](./how-to-enterprise-application-configuration-service.md#pattern) section of this article. | +| `URI` | Yes | A Git URI (for example, `https://github.com/Azure-Samples/piggymetrics-config` or `git@github.com:Azure-Samples/piggymetrics-config`) | +| `Label` | Yes | The branch name to search in the Git repository. | +| `Search path` | No | Optional search paths, separated by commas, for searching subdirectories of the Git repository. | ++### Pattern ++Configuration is pulled from Git backends using what you define in a pattern. A pattern is a combination of *{application}/{profile}* as described in the following guidelines. ++- *{application}* - The name of an application whose configuration you're retrieving. The value `application` is considered the default application and includes configuration information shared across multiple applications. Any other value refers to a specific application and includes properties for both the specific application and shared properties for the default application. +- *{profile}* - Optional. The name of a profile whose properties you may be retrieving. An empty value, or the value `default`, includes properties that are shared across profiles. Non-default values include properties for the specified profile and properties for the default profile. ++### Authentication ++The following screenshot shows the three types of repository authentication supported by Application Configuration Service. +++The following list describes the three authentication types: ++- Public repository. ++ You don't need any extra authentication configuration when you use a public repository. Select **Public** in the **Authentication** form. ++ The following table shows the configurable property you can use to set up a public Git repository: ++ | Property | Required? | Description | + ||--|| + | `CA certificate` | No | Required only when a self-signed cert is used for the Git repo URL. | ++- Private repository with basic authentication. ++ The following table shows the configurable properties you can use to set up a private Git repository with basic authentication: ++ | Property | Required? | Description | + ||--|| + | `username` | Yes | The username used to access the repository. | + | `password` | Yes | The password used to access the repository. | + | `CA certificate` | No | Required only when a self-signed cert is used for the Git repo URL. | ++- Private repository with SSH authentication. ++ The following table shows the configurable properties you can use to set up a private Git repository with SSH: ++ | Property | Required? | Description | + |-|-|-| + | `Private key` | Yes | The private key that identifies the Git user. Passphrase-encrypted private keys aren't supported. | + | `Host key` | No for Gen1 <br> Yes for Gen2 | The host key of the Git server. If you connect to the server via Git on the command line, the host key is in your *.ssh/known_hosts* file. Don't include the algorithm prefix, because it's specified in `Host key algorithm`. | + | `Host key algorithm` | No for Gen1 <br> Yes for Gen2 | The algorithm for `hostKey`: one of `ssh-dss`, `ssh-rsa`, `ecdsa-sha2-nistp256`, `ecdsa-sha2-nistp384`, and `ecdsa-sha2-nistp521`. (Required if supplying `Host key`). | + | `Strict host key checking` | No | Optional value that indicates whether the backend should be ignored if it encounters an error when using the provided `Host key`. Valid values are `true` and `false`. The default value is `true`. | ++To validate access to the target URI, select **Validate**. After validation completes successfully, select **Apply** to update the configuration settings. ++## Upgrade from Gen1 to Gen2 ++Application Configuration Service Gen2 provides better performance compared to Gen1, especially when you have a large number of configuration files. We recommend using Gen2, especially because Gen1 is being retired soon. The upgrade from Gen1 to Gen2 is zero downtime, but we still recommend that you test in a staging environment before moving to a production environment. ++Gen2 requires more configuration properties than Gen1 when using SSH authentication. You need to update the configuration properties in your application to make it work with Gen2. The following table shows the required properties for Gen2 when using SSH authentication: ++| Property | Description | +|-|-| +| `Host key` | The host key of the Git server. If you connect to the server via Git on the command line, the host key is in your *.ssh/known_hosts* file. Don't include the algorithm prefix, because it's specified in `Host key algorithm`. | +| `Host key algorithm` | The algorithm for `hostKey`: one of `ssh-dss`, `ssh-rsa`, `ecdsa-sha2-nistp256`, `ecdsa-sha2-nistp384`, or `ecdsa-sha2-nistp521`. | ++Use the following steps to upgrade from Gen1 to Gen2: ++1. In the Azure portal, navigate to the Application Configuration Service page for your Azure Spring Apps service instance. ++1. Select the **Settings** section and then select **Gen 2** in the **Generation** dropdown menu. ++ :::image type="content" source="media/how-to-enterprise-application-configuration-service/configuration-server-upgrade-gen2.png" alt-text="Screenshot of the Azure portal that shows the Application Configuration Service page with the Settings tab showing and the Generation menu open." lightbox="media/how-to-enterprise-application-configuration-service/configuration-server-upgrade-gen2.png"::: ++1. Select **Validate** to validate access to the target URI. After validation completes successfully, select **Apply** to update the configuration settings. ++ :::image type="content" source="media/how-to-enterprise-application-configuration-service/configuration-server-upgrade-gen2-settings.png" alt-text="Screenshot of the Azure portal that shows the Application Configuration Service page with the Settings tab showing and the Validate button highlighted." lightbox="media/how-to-enterprise-application-configuration-service/configuration-server-upgrade-gen2-settings.png"::: ++## Polyglot support ++The Application Configuration Service works seamlessly with Spring Boot applications. The properties generated by the service are imported as external configurations by Spring Boot and injected into the beans. You don't need to write extra code. You can consume the values by using the `@Value` annotation, accessed through Spring's Environment abstraction, or you can bind them to structured objects by using the `@ConfigurationProperties` annotation. ++The Application Configuration Service also supports polyglot apps like dotNET, Go, Python, and so on. To access config files that you specify to load during polyglot app deployment in the apps, try to access a file path that you can retrieve through an environment variable with a name such as `AZURE_SPRING_APPS_CONFIG_FILE_PATH`. You can access all your intended config files under that path. To access the property values in the config files, use the existing read/write file libraries for your app. ++## Refresh strategies ++Use the following steps to refresh your Java Spring Boot application configuration after you update the configuration file in the Git repository. ++1. Load the configuration to Application Configuration Service. ++ Azure Spring Apps manages the refresh frequency, which is set to 60 seconds. ++1. Load the configuration to your application. ++A Spring application holds the properties as the beans of the Spring Application Context via the Environment interface. The following list shows several ways to load the new configurations: ++- Restart the application. Restarting the application always loads the new configuration. ++- Call the `/actuator/refresh` endpoint exposed on the config client via the Spring Actuator. ++ To use this method, add the following dependency to your configuration client’s *pom.xml* file. ++ ``` xml + <dependency> + <groupId>org.springframework.boot</groupId> + <artifactId>spring-boot-starter-actuator</artifactId> + </dependency> + ``` ++ You can also enable the actuator endpoint by adding the following configurations: ++ ```properties + management.endpoints.web.exposure.include=refresh, bus-refresh, beans, env + ``` ++ After you reload the property sources by calling the `/actuator/refresh` endpoint, the attributes bound with `@Value` in the beans having the annotation `@RefreshScope` are refreshed. ++ ``` java + @Service + @Getter @Setter + @RefreshScope + public class MyService { + @Value + private Boolean activated; + } + ``` ++ Use curl with the application endpoint to refresh the new configuration. ++ ``` bash + curl -X POST http://{app-endpoint}/actuator/refresh + ``` ++## Configure Application Configuration Service settings ++### [Azure portal](#tab/Portal) ++Use the following steps to configure Application Configuration Service: ++1. Select **Application Configuration Service**. +1. Select **Overview** to view the running state and resources allocated to Application Configuration Service. ++ :::image type="content" source="media/how-to-enterprise-application-configuration-service/configuration-service-overview.png" alt-text="Screenshot of the Azure portal that shows the Application Configuration Service page with Overview tab highlighted." lightbox="media/how-to-enterprise-application-configuration-service/configuration-service-overview.png"::: ++1. Select **Settings** and add a new entry in the **Repositories** section with the Git backend information. ++1. Select **Validate** to validate access to the target URI. After validation completes successfully, select **Apply** to update the configuration settings. ++ :::image type="content" source="media/how-to-enterprise-application-configuration-service/configuration-service-settings-validate.png" alt-text="Screenshot of the Azure portal that shows the Application Configuration Service page with the Settings tab and Validate button highlighted." lightbox="media/how-to-enterprise-application-configuration-service/configuration-service-settings-validate.png"::: ++### [Azure CLI](#tab/Azure-CLI) ++Use the following command to configure Application Configuration Service: ++```azurecli +az spring application-configuration-service git repo add \ + --name <entry-name> \ + --patterns <patterns> \ + --uri <git-backend-uri> \ + --label <git-branch-name> +``` ++++## Configure the TLS certificate to access the Git backend with a self-signed certificate for Gen2 ++This step is optional. If you use a self-signed certificate for the Git backend, you must configure the TLS certificate to access the Git backend. ++You need to upload the certificate to Azure Spring Apps first. For more information, see the [Import a certificate](how-to-use-tls-certificate.md#import-a-certificate) section of [Use TLS/SSL certificates in your application in Azure Spring Apps](how-to-use-tls-certificate.md). ++### [Azure portal](#tab/Portal) ++Use the following steps to configure the TLS certificate: ++1. Navigate to your service resource and then select **Application Configuration Service**. +1. Select **Settings** and add or update a new entry in the **Repositories** section with the Git backend information. ++ :::image type="content" source="media/how-to-enterprise-application-configuration-service/ca-certificate.png" alt-text="Screenshot of the Azure portal that shows the Application Configuration Service page with the Settings tab showing." lightbox="media/how-to-enterprise-application-configuration-service/ca-certificate.png"::: ++### [Azure CLI](#tab/Azure-CLI) ++Use the following command to configure the TLS certificate: ++```azurecli +az spring application-configuration-service git repo add \ + --name <entry-name> \ + --patterns <patterns> \ + --uri <git-backend-uri> \ + --label <git-branch-name> \ + --ca-cert-name <ca-certificate-name> +``` ++++## Use Application Configuration Service with applications ++When you use Application Configuration Service with a Git back end and use the centralized configurations, you must bind the app to Application Configuration Service. ++### [Azure portal](#tab/Portal) ++Use the following steps to use Application Configuration Service with applications: ++1. Open the **App binding** tab. ++1. Select **Bind app** and choose one app in the dropdown. Select **Apply** to bind. ++ :::image type="content" source="media/how-to-enterprise-application-configuration-service/configuration-service-app-bind-dropdown.png" alt-text="Screenshot of the Azure portal that shows the Application Configuration Service page with the App binding tab highlighted." lightbox="media/how-to-enterprise-application-configuration-service/configuration-service-app-bind-dropdown.png"::: ++ > [!NOTE] + > When you change the bind/unbind status, you must restart or redeploy the app to for the binding to take effect. ++1. In the navigation menu, select **Apps** to view the list all the apps. ++1. Select the target app to configure patterns for from the `name` column. ++1. In the navigation pane, select **Configuration** and then select **General settings**. ++1. In the **Config file patterns** dropdown, choose one or more patterns from the list. For more information, see the [Pattern](./how-to-enterprise-application-configuration-service.md#pattern) section. ++ :::image type="content" source="media/how-to-enterprise-application-configuration-service/configuration-service-pattern.png" alt-text="Screenshot of the Azure portal that shows the App Configuration page with the General settings tab and api-gateway options highlighted." lightbox="media/how-to-enterprise-application-configuration-service/configuration-service-pattern.png"::: ++1. Select **Save** ++### [Azure CLI](#tab/Azure-CLI) ++Use the following command to use Application Configuration Service with applications: ++```azurecli +az spring application-configuration-service bind --app <app-name> +az spring app deploy \ + --name <app-name> \ + --artifact-path <path-to-your-JAR-file> \ + --config-file-pattern <config-file-pattern> +``` ++++## Enable/disable Application Configuration Service after service creation ++You can enable and disable Application Configuration Service after service creation using the Azure portal or the Azure CLI. Before disabling Application Configuration Service, you're required to unbind all of your apps from it. ++### [Azure portal](#tab/Portal) ++Use the following steps to enable or disable Application Configuration Service: ++1. Navigate to your service resource and then select **Application Configuration Service**. +1. Select **Manage**. +1. Select or unselect **Enable Application Configuration Service** and then select **Save**. +1. You can now view the state of Application Configuration Service on the **Application Configuration Service** page. ++### [Azure CLI](#tab/Azure-CLI) ++Use the following commands to enable or disable Application Configuration Service: ++```azurecli +az spring application-configuration-service create \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> +``` ++```azurecli +az spring application-configuration-service delete \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> +``` ++++## Check logs ++The following sections show you how to view application logs by using either the Azure CLI or the Azure portal. ++### Use real-time log streaming ++You can stream logs in real time with the Azure CLI. For more information, see [Stream Azure Spring Apps managed component logs in real time](./how-to-managed-component-log-streaming.md). The following examples show how you can use Azure CLI commands to continuously stream new logs for `application-configuration-service` and `flux-source-controller` subcomponents. ++Use the following command to stream logs for `application-configuration-service`: ++```azurecli +az spring component logs \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name application-configuration-service \ + --all-instances \ + --follow +``` ++Use the following command to stream logs for `flux-source-controller`: ++```azurecli +az spring component logs \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name flux-source-controller \ + --all-instances \ + --follow +``` ++### Use Log Analytics ++The following sections show you how to turn on and view System Logs using Log Analytics. ++#### Diagnostic settings for Log Analytics ++You must turn on System Logs and send the logs to your Log Analytics instance before you query the logs for Application Configuration Service. To enable System Logs in the Azure portal, use the following steps: ++1. Open your Azure Spring Apps instance. ++1. In the navigation pane, select **Diagnostics settings**. ++1. Select **Add diagnostic setting** or select **Edit setting** for an existing setting. ++1. In the **Logs** section, select the **System Logs** category. ++1. In the **Destination details** section, select **Send to Log Analytics workspace** and then select your workspace. ++1. Select **Save** to update the setting. ++#### Check logs in Log Analytics ++To check the logs of `application-configuration-service` and `flux-source-controller` using the Azure portal, use the following steps: ++1. Make sure you turned on **System Logs**. For more information, see the [Diagnostic settings for Log Analytics](#diagnostic-settings-for-log-analytics) section. ++1. Open your Azure Spring Apps instance. ++1. In the navigation menu, select **Logs** and then select **Overview**. ++1. Use the following sample queries in the query edit pane. Adjust the time range then select **Run** to search for logs. ++ - To view the logs for `application-configuration-service`, use the following query: ++ ```kusto + AppPlatformSystemLogs + | where LogType in ("ApplicationConfigurationService") + | project TimeGenerated , ServiceName , LogType, Log , _ResourceId + | limit 100 + ``` ++ :::image type="content" source="media/how-to-enterprise-application-configuration-service/query-logs-application-configuration-service.png" alt-text="Screenshot of the Azure portal that shows the query result of logs for application-configuration-service." lightbox="media/how-to-enterprise-application-configuration-service/query-logs-application-configuration-service.png"::: ++ - To view the logs for `flux-source-controller`, use the following query: ++ ```kusto + AppPlatformSystemLogs + | where LogType in ("Flux") + | project TimeGenerated , ServiceName , LogType, Log , _ResourceId + | limit 100 + ``` ++ :::image type="content" source="media/how-to-enterprise-application-configuration-service/query-logs-flux-source-controller.png" alt-text="Screenshot of the Azure portal that shows the query result of logs for flux-source-controller." lightbox="media/how-to-enterprise-application-configuration-service/query-logs-flux-source-controller.png"::: ++> [!NOTE] +> There could be a few minutes delay before the logs are available in Log Analytics. ++## Next steps ++- [Azure Spring Apps](index.yml) |
spring-apps | How To Enterprise Build Service | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-enterprise-build-service.md | + + Title: How to use Tanzu Build Service in the Azure Spring Apps Enterprise plan +description: Learn how to use Tanzu Build Service in the Azure Spring Apps Enterprise plan. ++++ Last updated : 05/25/2023++++# Use Tanzu Build Service ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ❌ Basic/Standard ✔️ Enterprise ++This article shows you how to use VMware Tanzu Build Service with the Azure Spring Apps Enterprise plan. ++VMware Tanzu Build Service automates container creation, management, and governance at enterprise scale. Tanzu Build Service uses the open-source [Cloud Native Buildpacks](https://buildpacks.io/) project to turn application source code into container images. It executes reproducible builds aligned with modern container standards and keeps images up to date. ++## Buildpacks ++VMware Tanzu Buildpacks provide framework and runtime support for applications. Buildpacks typically examine your applications to determine what dependencies to download and how to configure applications to communicate with bound services. ++The [language family buildpacks](https://docs.vmware.com/en/VMware-Tanzu-Buildpacks/services/tanzu-buildpacks/GUID-https://docsupdatetracker.net/index.html) are [composite buildpacks](https://paketo.io/docs/concepts/buildpacks/#composite-buildpacks) that provide easy out-of-the-box support for the most popular language runtimes and app configurations. These buildpacks combine multiple component buildpacks into ordered groupings. The groupings satisfy each buildpack's requirements. ++## Builders ++A [Builder](https://docs.vmware.com/en/Tanzu-Build-Service/1.6/vmware-tanzu-build-service/GUID-https://docsupdatetracker.net/index.html#builder) is a Tanzu Build Service resource. A Builder contains a set of buildpacks and a [stack](https://docs.vmware.com/en/VMware-Tanzu-Buildpacks/services/tanzu-buildpacks/GUID-stacks.html) used in the process of building source code. ++## Build agent pool ++Tanzu Build Service in the Enterprise plan is the entry point to containerize user applications from both source code and artifacts. There's a dedicated build agent pool that reserves compute resources for a given number of concurrent build tasks. The build agent pool prevents resource contention with your running apps. ++The following table shows the sizes available for build agent pool scale sets: ++| Scale set | CPU/Gi | +|--|--| +| S1 | 2 vCPU, 4 Gi | +| S2 | 3 vCPU, 6 Gi | +| S3 | 4 vCPU, 8 Gi | +| S4 | 5 vCPU, 10 Gi | +| S5 | 6 vCPU, 12 Gi | +| S6 | 8 vCPU, 16 Gi | +| S7 | 16 vCPU, 32 Gi | +| S8 | 32 vCPU, 64 Gi | +| S9 | 64 vCPU, 128 Gi | ++Tanzu Build Service allows at most one pool-sized build task to build and twice the pool-sized build tasks to queue. If the quota of the agent pool is insufficient for the build task, the request for this build gets the following error: `The usage of build results in Building or Queuing status are (cpu: xxx, memory: xxxMi) and the remained quota is insufficient for this build. please retry with smaller size of build resourceRequests, retry after the previous build process completed or increased your build agent pool size`. ++## Configure the build agent pool ++When you create a new Azure Spring Apps Enterprise service instance using the Azure portal, you can use the **VMware Tanzu settings** tab to configure the number of resources given to the build agent pool. +++The following image shows the resources given to the Tanzu Build Service Agent Pool after you successfully provision the service instance. You can also update the configured agent pool size here after you create the service instance. +++## Build service on demand ++You can enable or disable the build service when you create an Azure Spring Apps Enterprise plan instance. ++### Build and deployment characteristics ++By default, Tanzu Build Service is enabled so that you can use a container registry. If you disable the build service, you can deploy an application only with a custom container image. You have the following options: ++- Enable the build service and use the Azure Spring Apps managed container registry. ++ Azure Spring Apps provides a managed Azure Container Registry to store built images for your applications. You can execute build and deployment together only as one command, but not separately. You can use the built container images to deploy applications in the same service instance only. The images aren't accessible by other Azure Spring Apps Enterprise service instances. ++- Enable the build service and use your own container registry. ++ This scenario separates build from deployment. You can execute builds from an application's source code or artifacts to a container image separately from the application deployment. You can deploy the container images stored in your own container registry to multiple Azure Spring Apps Enterprise service instances. ++- Disable the build service. ++ When you disable the build service, you can deploy applications only with container images, which you can build from any Azure Spring Apps Enterprise service instance. ++### Configure build service settings ++You can configure Tanzu Build Service and container registry settings using the Azure portal or the Azure CLI. ++#### [Azure portal](#tab/azure-portal) ++Use the following steps to enable Tanzu Build Service when provisioning an Azure Spring Apps service instance: ++1. Open the [Azure portal](https://portal.azure.com). +1. On the **Basics** tab, select **Enterprise tier** in the **Pricing** section, and then specify the required information. +1. Select **Next: VMware Tanzu settings**. +1. On the **VMware Tanzu settings** tab, select **Enable Build Service**. For **Container registry**, the default setting is **Use a managed Azure Container Registry to store built images**. ++ :::image type="content" source="media/how-to-enterprise-build-service/enable-build-service-with-default-acr.png" alt-text="Screenshot of the Azure portal that shows the V M ware Tanzu Settings for the Azure Spring Apps Create page with default Build Service settings highlighted." lightbox="media/how-to-enterprise-build-service/enable-build-service-with-default-acr.png"::: ++1. If you select **Use your own container registry to store built images (preview)** for **Container registry**, provide your container registry's server, username, and password. ++ :::image type="content" source="media/how-to-enterprise-build-service/enable-build-service-with-user-acr.png" alt-text="Screenshot of the Azure portal that shows V M ware Tanzu Settings for the Azure Spring Apps Create page with use your own container registry highlighted." lightbox="media/how-to-enterprise-build-service/enable-build-service-with-user-acr.png"::: ++1. If you disable **Enable Build Service**, the container registry options aren't provided but you can deploy applications with container images. ++ :::image type="content" source="media/how-to-enterprise-build-service/disable-build-service.png" alt-text="Screenshot of the Azure portal that shows V M ware Tanzu Settings for the Azure Spring Apps Create page with the Enable Build Service not selected." lightbox="media/how-to-enterprise-build-service/disable-build-service.png"::: ++1. Select **Review and create**. ++#### [Azure CLI](#tab/azure-cli) ++Use the following steps to enable Tanzu Build Service when provisioning an Azure Spring Apps service instance: ++1. Use the following commands to sign in to the Azure CLI, list available subscriptions, and set your active subscription: ++ ```azurecli + az login + az account list --output table + az account set --subscription <subscription-id> + ``` ++1. Use the following command to register the `Microsoft.Saas` namespace. ++ ```azurecli + az provider register --namespace Microsoft.SaaS + ``` ++1. Use the following command to accept the legal terms and privacy statements for the Azure Spring Apps Enterprise plan. This step is necessary only if you never used your subscription to create an Enterprise plan instance. ++ ```azurecli + az term accept \ + --plan asa-ent-hr-mtr \ + --product azure-spring-cloud-vmware-tanzu-2 \ + --publisher vmware-inc + ``` ++1. Select a location. The location must support the Azure Spring Apps Enterprise plan. For more information, see [Azure Spring Apps FAQ](faq.md). ++1. Use the following command to create a resource group: ++ ```azurecli + az group create \ + --name <resource-group-name> \ + --location <location> + ``` ++ For more information about resource groups, see [What is Azure Resource Manager?](../../azure-resource-manager/management/overview.md) ++1. Prepare a name for your Azure Spring Apps service instance. The name must be between 4 and 32 characters long and can contain only lowercase letters, numbers, and hyphens. The first character of the service name must be a letter and the last character must be either a letter or a number. ++1. Use one of the following commands to create an Azure Spring Apps service instance: ++ - Use the following command to create an Azure Spring Apps service instance with the build service enabled and using a managed Azure Container Registry. The build service is enabled by default. ++ ```azurecli + az spring create \ + --resource-group <resource-group-name> \ + --name <Azure-Spring-Apps-service-instance-name> \ + --sku enterprise + ``` ++ - Use the following command to create an Azure Spring Apps service instance with the build service enabled and using your own container registry. The build service is enabled by default. ++ ```azurecli + az spring create \ + --resource-group <resource-group-name> \ + --name <Azure-Spring-Apps-service-instance-name> \ + --sku enterprise \ + --registry-server <your-container-registry-login-server> \ + --registry-username <your-container-registry-username> \ + --registry-password <your-container-registry-password> + ``` ++ - Use the following command to create an Azure Spring Apps service instance with the build service disabled. ++ ```azurecli + az spring create \ + --resource-group <resource-group-name> \ + --name <Azure-Spring-Apps-service-instance-name> \ + --sku enterprise \ + --disable-build-service + ``` ++++## Deploy polyglot applications ++You can deploy polyglot applications in an Azure Spring Apps Enterprise service instance with Tanzu Build Service either enabled or disabled. For more information, see [How to deploy polyglot apps in Azure Spring Apps Enterprise](how-to-enterprise-deploy-polyglot-apps.md). ++## Configure APM integration and CA certificates ++By using Tanzu Partner Buildpacks and CA Certificates Buildpack, the Azure Spring Apps Enterprise plan provides a simplified configuration experience to support application performance monitor (APM) integration. This integration includes certificate authority (CA) certificates integration scenarios for polyglot applications. For more information, see [How to configure APM integration and CA certificates](how-to-enterprise-configure-apm-integration-and-ca-certificates.md). ++## Real-time build logs ++A build task is triggered when an application is deployed from an Azure CLI command. Build logs are streamed in real time as part of the CLI command output. For information about using build logs to diagnose problems, see [Analyze logs and metrics with diagnostics settings](./diagnostic-services.md). ++## Build history ++You can see all the build resources in the **Builds** section of the Azure Spring Apps Build Service page. +++The table in the **Builds** section contains the following columns: ++- **Build Name**: The name of the build. +- **Provisioning State**: The provisioning state of the build. The values are `Succeeded`, `Failed`, `Updating`, and `Creating`. Provisioning states `Updating` and `Creating` mean the build can't be updated until the current build finishes. Provisioning state `Failed` means your latest source code build has failed to generate a new build result. +- **Resource Quota**: The resource quota in build pod of the build. +- **Builder**: The builder used in the build. +- **Latest Build Result**: The latest build result image tag of the build. +- **Latest Build Result Provisioning State**: The latest build result provisioning state of the build. The values are `Queuing`, `Building`, `Succeeded`, and `Failed`. +- **Latest Build Result Last Transition Time**: The last transition time for the latest build result of the build. +- **Latest Build Result Last Transition Reason**: The last transition reason for the latest build result of the build. The values are `CONFIG`, `STACK`, and `BUILDPACK`. `CONFIG` means the build result is changed by builder updates or by a new source code deploy operation. `STACK` means the build result is changed by a stack upgrade. `BUILDPACK` means the build result is changed by a buildpack upgrade. +- **Latest Build Result Last Transition Status**: The last transition status for the latest build result of the build. The values are `True` and `False`. ++For **Provisioning State**, when the value is `Failed`, deploy the source code again. If the error persists, create a support ticket. ++For **Latest Build Result Provisioning State**, when the value is `Failed`, check the build logs. For more information, see [Troubleshoot common build issues in Azure Spring Apps](troubleshoot-build-exit-code.md). ++For **Latest Build Result Last Transition Status**, when the value is `Failed`, see the **Latest Build Result Last Transition Reason** column. If the reason is `BUILDPACK` or `STACK`, no action is necessary. If the reason is `CONFIG`, deploy the source code again. If the error persists, create a support ticket. ++## Next steps ++- [How to configure APM integration and CA certificates](how-to-enterprise-configure-apm-integration-and-ca-certificates.md) |
spring-apps | How To Enterprise Configure Apm Integration And Ca Certificates | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-enterprise-configure-apm-integration-and-ca-certificates.md | + + Title: How to configure APM integration and CA certificates ++description: Shows you how to configure APM integration and CA certificates in the Azure Spring Apps Enterprise plan. ++++ Last updated : 05/25/2023++++# How to configure APM integration and CA certificates ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ❌ Basic/Standard ✔️ Enterprise ++This article shows you how to configure application performance monitor (APM) integration and certificate authority (CA) certificates in the Azure Spring Apps Enterprise plan. ++You can enable or disable Tanzu Build Service on an Azure Springs Apps Enterprise plan instance. For more information, see the [Build service on demand](how-to-enterprise-build-service.md#build-service-on-demand) section of [Use Tanzu Build Service](how-to-enterprise-build-service.md). ++## Prerequisites ++- An already provisioned Azure Spring Apps Enterprise plan instance. For more information, see [Quickstart: Build and deploy apps to Azure Spring Apps using the Enterprise plan](quickstart-deploy-apps-enterprise.md). +- [Azure CLI](/cli/azure/install-azure-cli) version 2.49.0 or higher. Use the following command to install the Azure Spring Apps extension: `az extension add --name spring` ++## Supported scenarios - APM and CA certificates integration ++Tanzu Build Service uses buildpack binding to integrate with [Tanzu Partner Buildpacks](https://docs.vmware.com/en/VMware-Tanzu-Buildpacks/services/tanzu-buildpacks/GUID-partner-integrations-partner-integration-buildpacks.html) and other cloud native buildpacks such as the [ca-certificates](https://github.com/paketo-buildpacks/ca-certificates) buildpack on GitHub. ++Currently, Azure Spring Apps supports the following APM types: ++- ApplicationInsights +- Dynatrace +- AppDynamics +- New Relic +- ElasticAPM ++Azure Spring Apps supports CA certificates for all language family buildpacks, but not all supported APMs. The following table shows the binding types supported by Tanzu language family buildpacks. ++| Buildpack | ApplicationInsights | New Relic | AppDynamics | Dynatrace | ElasticAPM | +|-||--|-|--|| +| Java | ✔ | ✔ | ✔ | ✔ | ✔ | +| .NET | | ✔ | | ✔ | | +| Go | | | | ✔ | | +| Python | | | | | | +| NodeJS | | ✔ | ✔ | ✔ | ✔ | +| Web servers | | | | ✔ | | +| Java Native Image | | | | | | +| PHP | | ✔ | ✔ | ✔ | | ++For information about using Web servers, see [Deploy web static files](how-to-enterprise-deploy-static-file.md). ++Tanzu Build Service is enabled by default in Azure Spring Apps Enterprise. If you choose to disable the build service, you can deploy applications but only by using a custom container image. This section provides guidance for both build service enabled and disabled scenarios. ++### Supported APM types ++This section lists the supported languages and required environment variables for the APMs that you can use for your integrations. ++- **Application Insights** ++ Supported languages: + - Java ++ Environment variables required for buildpack binding: + - `connection-string` ++ For other supported environment variables, see [Application Insights Overview](../../azure-monitor/app/app-insights-overview.md?tabs=java). ++- **DynaTrace** ++ Supported languages: + - Java + - .NET + - Go + - Node.js + - WebServers + - PHP ++ Environment variables required for buildpack binding: + - `api-url` or `environment-id` (used in build step) + - `api-token` (used in build step) + - `TENANT` + - `TENANTTOKEN` + - `CONNECTION_POINT` ++ For other supported environment variables, see [Dynatrace](https://www.dynatrace.com/support/help/shortlink/azure-spring#envvar) ++- **New Relic** ++ Supported languages: + - Java + - .NET + - Node.js + - PHP ++ Environment variables required for buildpack binding: + - `license_key` + - `app_name` ++ For other supported environment variables, see [New Relic](https://docs.newrelic.com/docs/apm/agents/java-agent/configuration/java-agent-configuration-config-file/#Environment_Variables) ++- **Elastic** ++ Supported languages: + - Java + - Node.js + - PHP ++ Environment variables required for buildpack binding: + - `service_name` + - `application_packages` + - `server_url` ++ For other supported environment variables, see [Elastic](https://www.elastic.co/guide/en/apm/agent/java/master/configuration.html) ++- **AppDynamics** ++ Supported languages: + - Java + - Node.js ++ Environment variables required for buildpack binding: + - `agent_application_name` + - `agent_tier_name` + - `agent_node_name` + - `agent_account_name` + - `agent_account_access_key` + - `controller_host_name` + - `controller_ssl_enabled` + - `controller_port` ++ For other supported environment variables, see [AppDynamics](https://docs.appdynamics.com/21.11/en/application-monitoring/install-app-server-agents/java-agent/monitor-azure-spring-cloud-with-java-agent#MonitorAzureSpringCloudwithJavaAgent-ConfigureUsingtheEnvironmentVariablesorSystemProperties) ++## Bindings in builder is deprecated ++> [!NOTE] +> Previously, you would manage APM integration and CA certificates via bindings in the builder. The bindings in builder feature is deprecated and is being removed in the future. We recommend that you migrate the APM configured in bindings. For more information, see the [Migrate the APM configured in bindings](#migrate-the-apm-configured-in-bindings) section. +> +> When you use your own container registry for the build service or disable the build service, the bindings feature in builder is not available. +> +> When you use a managed Azure Container Registry for the build service, the registry is still available for backward compatibility, but is being removed in the future. ++When you use the Azure CLI to create a service instance, you might get the error message `Buildpack bindings feature is deprecated, it's not available when your own container registry is used for build service or build service is disabled`. This message indicates that you're using an old version of the Azure CLI. To fix this issue, upgrade the Azure CLI. For more information, see [How to update the Azure CLI](/cli/azure/update-azure-cli). ++## Configure APM integration for app builds and deployments ++You can configure APM in Azure Spring Apps in the following two ways: ++- Manage APM configurations on the service instance level and bind to app builds and deployments by referring to them. This approach is the recommended way to configure APM. ++- Manage APM configurations via bindings in the builder and bind to app builds and deployments by referring to the builder. ++> [!NOTE] +> This approach is the old way to configure APM, and it's now deprecated. We recommend that you migrate the APM configured in bindings. For more information, see the [Migrate the APM configured in bindings](#migrate-the-apm-configured-in-bindings) section. ++You can now configure APM in Azure Spring Apps by managing APM configurations on the service instance level and bind to app builds and deployments by referring to them. This approach is the recommended way to configure APM. ++The following sections provide guidance for both of these approaches. ++### Manage APMs on the service instance level (recommended) ++You can create an APM configuration and bind to app builds and deployments, as explained in the following sections. ++#### Manage APM configuration in Azure Spring Apps ++You can manage APM integration by configuring properties or secrets in the APM configuration using the Azure portal or the Azure CLI. ++> [!NOTE] +> When configuring properties or secrets via APM configurations, use key names without the APM name as prefix. For example, don't use a `DT_` prefix for Dynatrace or `APPLICATIONINSIGHTS_` for Application Insights. Tanzu APM buildpacks transform the key name to the original environment variable name with a prefix. +> +> If you intend to override or configure some properties or secrets, such as app name or app level, you need to set environment variables when deploying an app with the original environment variables with the APM name as prefix. ++##### [Azure portal](#tab/azure-portal) ++Use the following steps to show, add, edit, or delete an APM configuration: ++1. Open the [Azure portal](https://portal.azure.com). +1. In the navigation pane, select **APM**. +1. To create an APM configuration, select **Add**. If you want to enable the APM configuration globally, select **Enable globally**. All the subsequent builds and deployments use the APM configuration automatically. ++ :::image type="content" source="media/how-to-enterprise-configure-apm-integration-and-ca-certificates/add-apm.png" alt-text="Screenshot of the Azure portal showing the APM configuration page with the Add button highlighted." lightbox="media/how-to-enterprise-configure-apm-integration-and-ca-certificates/add-apm.png"::: ++1. To view or edit an APM configuration, select the ellipsis (**...**) button for the configuration, then select **Edit APM**. ++ :::image type="content" source="media/how-to-enterprise-configure-apm-integration-and-ca-certificates/show-apm.png" alt-text="Screenshot of the Azure portal showing the APM configuration page with the Edit APM option selected." lightbox="media/how-to-enterprise-configure-apm-integration-and-ca-certificates/show-apm.png"::: ++1. To delete an APM configuration, select the ellipsis (**...**) button for the configuration and then select **Delete**. If the APM configuration is used by any build or deployment, you aren't able to delete it. ++ :::image type="content" source="media/how-to-enterprise-configure-apm-integration-and-ca-certificates/delete-apm.png" alt-text="Screenshot of the Azure portal showing the APM configuration page with the Delete button highlighted." lightbox="media/how-to-enterprise-configure-apm-integration-and-ca-certificates/delete-apm.png"::: ++Use the following steps to view the APM configurations bound to the build: ++1. Navigate to the **Build Service** page for your Azure Spring Apps instance. ++ :::image type="content" source="media/how-to-enterprise-configure-apm-integration-and-ca-certificates/build-service-build.png" alt-text="Screenshot of the Azure portal showing the build service page with the current build in the list." lightbox="media/how-to-enterprise-configure-apm-integration-and-ca-certificates/build-service-build.png"::: ++1. On the navigation pane, in the **Settings** section, select **APM bindings**. ++1. On the **APM bindings** page, view the APM configurations bound to the build. ++ :::image type="content" source="media/how-to-enterprise-configure-apm-integration-and-ca-certificates/build-apm-bindings.png" alt-text="Screenshot of the APM bindings page showing the APM configurations bound to the build." lightbox="media/how-to-enterprise-configure-apm-integration-and-ca-certificates/build-apm-bindings.png"::: ++Use the following steps to view the APM configurations bound to the deployment: ++1. Navigate to your application page. ++1. On the navigation pane, in the **Settings** section, select **APM bindings**. ++1. On the **APM bindings** page, view the APM configurations bound to the deployment. ++ :::image type="content" source="media/how-to-enterprise-configure-apm-integration-and-ca-certificates/deployment-apm-bindings.png" alt-text="Screenshot of the APM bindings page showing the APM configurations bound to the deployment." lightbox="media/how-to-enterprise-configure-apm-integration-and-ca-certificates/deployment-apm-bindings.png"::: ++##### [Azure CLI](#tab/azure-cli) ++The following list shows you the Azure CLI commands you can use to manage APM configuration: ++- Use the following command to list all the APM configurations: ++ ```azurecli + az spring apm list \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> + ``` ++- Use the following command to list all the supported APM types: ++ ```azurecli + az spring apm list-support-types \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> + ``` ++- Use the following command to create an APM configuration: ++ ```azurecli + az spring apm create \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <your-APM-name> \ + --type <your-APM-type> \ + --properties a=b c=d \ + --secrets e=f g=h + ``` ++- Use the following command to view the details of an APM configuration: ++ ```azurecli + az spring apm show \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <your-APM-name> + ``` ++- Use the following command to change an APM's properties: ++ ```azurecli + az spring apm update \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <your-APM-name> \ + --type <your-APM-type> \ + --properties a=b c=d \ + --secrets e=f2 g=h + ``` ++- Use the following command to enable an APM configuration globally. When you enable an APM configuration globally, all the subsequent builds and deployments use it automatically. ++ ```azurecli + az spring apm enable-globally \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <your-APM-name> \ + ``` ++- Use the following command to disable an APM configuration globally. When you disable an APM configuration globally, all the subsequent builds and deployments don't use it. ++ ```azurecli + az spring apm disable-globally \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <your-APM-name> \ + ``` ++- Use the following command to list all the APM configurations enabled globally: ++ ```azurecli + az spring apm list-enabled-globally \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> + ``` ++- Use the following command to delete an APM configuration. ++ ```azurecli + az spring apm delete \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <your-APM-name> \ + ``` ++++For more information on the `properties` and `secrets` parameters for your buildpack, see the [Supported Scenarios - APM and CA Certificates Integration](#supported-scenariosapm-and-ca-certificates-integration) section. ++#### Bind to app builds and deployments ++For a build service that uses a managed Azure Container Registry, use the following command to integrate APM into your deployments: ++```azurecli +az spring app deploy \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <app-name> \ + --builder <builder-name> \ + --apms <APM-name> \ + --artifact-path <path-to-your-JAR-file> +``` ++When you enable an APM configuration globally, all the subsequent builds and deployments use it automatically, and it's unnecessary to specify the `--apms` parameter. If you want to override the APM configuration enabled globally for a deployment, specify the APM configurations via `--apms` parameter. ++For a build service that uses your own container registry, you can build an application into a container image and deploy the image to the current or other Azure Spring Apps Enterprise service instances. ++Providing your own container registry separates building from deployment. You can use the build command to create or update a build with a builder, then use the deploy command to deploy the container image to the service. ++Use the following command to build an image and configure APM: ++```azurecli +az spring build-service build <create|update> \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <app-name> \ + --builder <builder-name> \ + --apms <APM-name> \ + --artifact-path <path-to-your-JAR-file> +``` ++When you enable an APM configuration globally, all the subsequent builds and deployments use it automatically, and it's unnecessary to specify the `--apms` parameter. If you want to override the APM configuration enabled globally for a build, specify the APM configurations via the `--apms` parameter. ++Use the following command to deploy the application with the container image built previously and configure APM. You can use the APM configuration enabled globally or use the `--apms` parameter to specify APM configuration. ++```azurecli +az spring app deploy \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <app-name> \ + --container-image <your-container-image> \ + --container-registry <your-container-registry> \ + --registry-password <your-password> \ + --registry-username <your-username> \ + --apms <your-APM> +``` ++When you disable the build service, you can only deploy an application with a container image. For more information, see [Deploy an application with a custom container image](how-to-deploy-with-custom-container-image.md). ++You can use multiple instances of Azure Spring Apps Enterprise, where some instances build and deploy images and others only deploy images. Consider the following scenario: ++For one instance, you enable the build service with a user container registry. Then, you build from an artifact file or source code with APM or a CA certificate into a container image. You can then deploy to the current Azure Spring Apps instance or other service instances. For more information, see the [Build and deploy polyglot applications](how-to-enterprise-deploy-polyglot-apps.md#build-and-deploy-polyglot-applications) section of [How to deploy polyglot apps in Azure Spring Apps Enterprise](How-to-enterprise-deploy-polyglot-apps.md). ++In another instance with the build service disabled, you deploy an application with the container image in your registry and also make use of APM. ++In this scenario, you can use the APM configuration enabled globally or use the `--apms` parameter to specify the APM configuration, as shown in the following example: ++```azurecli +az spring app deploy \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <app-name> \ + --container-image <your-container-image> \ + --container-registry <your-container-registry> \ + --registry-password <your-password> \ + --registry-username <your-username> \ + --apms <your-APM> +``` ++### Manage APMs via bindings in builder (deprecated) ++When the build service uses the Azure Spring Apps managed container registry, you can build an application to an image and then deploy it, but only within the current Azure Spring Apps service instance. ++#### Manage APM configurations via bindings in builder ++You can manage APM configurations via bindings in builder. For more information, see the [Manage bindings in builder in Azure Spring Apps (deprecated)](#manage-bindings-in-builder-in-azure-spring-apps-deprecated) section. ++#### Bind to app builds and deployments ++Use the following command to integrate APM into your deployments. The APM is configured via bindings in the builder: ++```azurecli +az spring app deploy \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <app-name> \ + --builder <builder-name> \ + --artifact-path <path-to-your-JAR-file> +``` ++### Enable Application Insights when creating the service instance ++If you enable Application Insights when creating a service instance, the following conditions apply: ++- If you use a managed Azure Container Registry for the build service, Application Insights is bound to bindings in the default builder. +- If you use your own container registry for the build service or you disable the build service, a default APM configuration is created for Application Insights. The default APM is enabled globally and all the subsequent builds and deployments use it automatically. ++## Configure CA certificates for app builds and deployments ++You can configure CA certificates in Azure Spring Apps in the following two ways: ++- You can manage public certificates in the TLS/SSL settings and bind to app builds and deployments by referring to them. This approach is the recommended way to configure CA certificates. +- You can manage public certificates in the TLS/SSL settings and bind CA certificates via bindings in the builder. For more information, see the [Manage bindings in builder in Azure Spring Apps (deprecated)](#manage-bindings-in-builder-in-azure-spring-apps-deprecated) section. ++> [!NOTE] +> This approach is the old way to configure CA certificates and it has been deprecated. We recommend that you migrate the CA certificate configured in bindings. For more information, see the [Migrate CA certificate configured in bindings](#migrate-ca-certificate-configured-in-bindings) section. ++You can now manage public certificates in the TLS/SSL settings and bind to app builds and deployments by referring to them. This approach is the recommended way to configure CA certificates. ++To manage public certificates on the service instance level, see the [Import a certificate](how-to-use-tls-certificate.md#import-a-certificate) section of [Use TLS/SSL certificates in your application in Azure Spring Apps](how-to-use-tls-certificate.md). then, follow one of the approaches described in the following sections to bind CA certificates to app builds and deployments. ++### Bind CA certificates to app builds and deployments ++For information on how to bind CA certificates to deployments, see the [Load a certificate](how-to-use-tls-certificate.md#load-a-certificate) section of [Use TLS/SSL certificates in your application in Azure Spring Apps](how-to-use-tls-certificate.md). Then, use the following instructions to bind to app builds. ++When you enable the build service and use a managed Azure Container Registry, use the following command to integrate CA certificates into your deployment: ++```azurecli +az spring app deploy \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <app-name> \ + --builder <builder-name> \ + --build-certificates <CA certificate-name> \ + --artifact-path <path-to-your-JAR-file> + ``` ++When you use your own container registry for the build service or disable the build service, use the following command to integrate CA certificates into your build: ++```azurecli +az spring build-service build <create|update> \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <app-name> \ + --builder <builder-name> \ + --certificates <CA certificate-name> \ + --artifact-path <path-to-your-JAR-file> +``` ++### View CA certificates bound to app builds ++Use the following steps to view the CA certificates bound to the build: ++1. Navigate to your build page. ++ :::image type="content" source="media/how-to-enterprise-configure-apm-integration-and-ca-certificates/build-service-build.png" alt-text="Screenshot of the Azure portal showing the build service page with the current build in the list." lightbox="media/how-to-enterprise-configure-apm-integration-and-ca-certificates/build-service-build.png"::: ++1. On the navigation pane, in the **Settings** section, select **Certificate bindings**. ++1. On the **Certificate bindings** page, view the CA certificates bound to the build. ++ :::image type="content" source="media/how-to-enterprise-configure-apm-integration-and-ca-certificates/build-certificate-bindings.png" alt-text="Screenshot of the certificate bindings page showing CA certificates bound to the build." lightbox="media/how-to-enterprise-configure-apm-integration-and-ca-certificates/build-certificate-bindings.png"::: ++### Bind CA certificates via bindings in builder (deprecated) ++CA certificates use the [ca-certificates](https://github.com/paketo-buildpacks/ca-certificates) buildpack to support providing CA certificates to the system trust store at build and runtime. ++In the Azure Spring Apps Enterprise plan, the CA certificates use the **Public Key Certificates** tab on the **TLS/SSL settings** page in the Azure portal, as shown in the following screenshot: +++You can configure the CA certificates on the **Edit binding** page. The `succeeded` certificates are shown in the **CA Certificates** list. +++## Manage bindings in builder in Azure Spring Apps (deprecated) ++This section applies only to an Azure Spring Apps Enterprise service instance with the build service enabled. With the build service enabled, one buildpack binding means either credential configuration against one APM type, or CA certificates configuration against the CA certificates type. For APM integration, follow the earlier instructions to configure the necessary environment variables or secrets for your APM. ++> [!NOTE] +> When configuring environment variables for APM bindings, use key names without a prefix. For example, do not use a `DT_` prefix for a Dynatrace binding or `APPLICATIONINSIGHTS_` for Application Insights. Tanzu APM buildpacks transform the key name to the original environment variable name with a prefix. ++You can manage buildpack bindings with the Azure portal or the Azure CLI. ++### [Azure portal](#tab/azure-portal) ++Use the following steps to view the buildpack bindings: ++1. In the Azure portal, go to your Azure Spring Apps Enterprise service instance. +1. In the navigation pane, select **Build Service**. +1. Select **Edit** under the **Bindings** column to view the bindings configured for a builder. ++ :::image type="content" source="media/how-to-enterprise-configure-apm-integration-and-ca-certificates/edit-binding.png" alt-text="Screenshot of Azure portal showing the Build Service page with the Bindings Edit link highlighted for a selected builder." lightbox="media/how-to-enterprise-configure-apm-integration-and-ca-certificates/edit-binding.png"::: ++1. Review the bindings on the **Edit binding for default builder** page. ++ :::image type="content" source="media/how-to-enterprise-configure-apm-integration-and-ca-certificates/show-service-binding.png" alt-text="Screenshot of Azure portal showing the Edit bindings for default builder page with the binding types and their status listed."::: ++### Create a buildpack binding ++To create a buildpack binding, select **Unbound** on the **Edit Bindings** page, specify the binding properties, and then select **Save**. ++### Unbind a buildpack binding ++You can unbind a buildpack binding by using the **Unbind binding** command, or by editing the binding properties. ++To use the **Unbind binding** command, select the **Bound** hyperlink, and then select **Unbind binding**. +++To unbind a buildpack binding by editing binding properties, select **Edit Binding**, and then select **Unbind**. +++When you unbind a binding, the bind status changes from **Bound** to **Unbound**. ++### [Azure CLI](#tab/azure-cli) ++### View buildpack bindings using the Azure CLI ++View the current buildpack bindings by using the following command: ++```azurecli +az spring build-service builder buildpack-binding list \ + --resource-group <your-resource-group-name> \ + --service <your-service-instance-name> \ + --builder-name <your-builder-name> +``` ++### Create a binding ++Use this command to change the binding from *Unbound* to *Bound* status: ++```azurecli +az spring build-service builder buildpack-binding create \ + --resource-group <your-resource-group-name> \ + --service <your-service-instance-name> \ + --name <your-buildpack-binding-name> \ + --builder-name <your-builder-name> \ + --type <your-binding-type> \ + --properties a=b c=d \ + --secrets e=f g=h +``` ++For information on the `properties` and `secrets` parameters for your buildpack, see the [Supported Scenarios - APM and CA Certificates Integration](#supported-scenariosapm-and-ca-certificates-integration) section. ++### Show the details for a specific binding ++You can view the details of a specific binding by using the following command: ++```azurecli +az spring build-service builder buildpack-binding show \ + --resource-group <your-resource-group-name> \ + --service <your-service-instance-name> \ + --name <your-buildpack-binding-name> \ + --builder-name <your-builder-name> +``` ++### Edit the properties of a binding ++You can change a binding's properties by using the following command: ++```azurecli +az spring build-service builder buildpack-binding set \ + --resource-group <your-resource-group-name> \ + --service <your-service-instance-name> \ + --name <your-buildpack-binding-name> \ + --builder-name <your-builder-name> \ + --type <your-binding-type> \ + --properties a=b c=d \ + --secrets e=f2 g=h +``` ++For more information on the `properties` and `secrets` parameters for your buildpack, see the [Supported Scenarios - APM and CA Certificates Integration](#supported-scenariosapm-and-ca-certificates-integration) section. ++### Delete a binding ++Use the following command to change the binding status from *Bound* to *Unbound*. ++```azurecli +az spring build-service builder buildpack-binding delete \ + --resource-group <your-resource-group-name> \ + --service <your-service-instance-name> \ + --name <your-buildpack-binding-name> \ + --builder-name <your-builder-name> +``` ++++## Migrate APM and CA certificates from bindings in builder ++The bindings feature in builder is deprecated and is being removed in the future. We recommend that you migrate bindings in builder. ++You can configure APM and CA certificates in bindings and you can migrate them by using the following sections. ++### Migrate the APM configured in bindings ++In most use cases, there's only one APM configured in bindings in the default builder. You can create a new APM configuration with the same configuration in bindings and enable this APM configuration globally. All the subsequent builds and deployments use this configuration automatically. Use the following steps to migrate: ++1. Use the following command to create an APM configuration: ++ ```azurecli + az spring apm create \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <your-APM-name> \ + --type <your-APM-type> \ + --properties a=b c=d \ + --secrets e=f g=h + ``` ++1. Use the following command to enable the APM configuration globally: ++ ```azurecli + az spring apm enable-globally \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <your-APM-name> \ + ``` ++1. Use the following command to redeploy all the applications to use the new APM configuration enabled globally: ++ ```azurecli + az spring app deploy \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <app-name> \ + --builder <builder-name> \ + --artifact-path <path-to-your-JAR-file> + ``` ++1. Verify that the new APM configuration works for all the applications. If everything works fine, use the following command to remove the APM bindings in builder: ++ ```azurecli + az spring build-service builder buildpack-binding delete \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <your-APM-buildpack-binding-name> \ + --builder-name <your-builder-name> + ``` ++If there are several APMs configured in bindings, you can create several APM configurations with the same configuration in bindings and enable the APM configuration globally if it's applicable. Use the `--apms` parameter to specify an APM configuration for a deployment if you want to override the APM enabled globally, as shown in the following command: ++```azurecli +az spring app deploy \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <app-name> \ + --builder <builder-name> \ + --apms <APM-name> \ + --artifact-path <path-to-your-JAR-file> +``` ++During the migration process, APM is configured in both bindings and APM configuration. In this case, the APM configuration takes effect and the binding is ignored. ++### Migrate CA certificate configured in bindings ++Use the following steps to migrate a CA certificate: ++1. For a CA certificate configured in binding, if it's used in runtime, you can load the certificate into your application. For more information, see [Load a certificate](how-to-use-tls-certificate.md#load-a-certificate) section of [Use TLS/SSL certificates in your application in Azure Spring Apps](how-to-use-tls-certificate.md). ++1. Use the following command to redeploy all the applications using the CA certificate. If you use the certificate at build time, use the `--build-certificates` parameter to specify the CA certificate to use at build time for a deployment: ++ ```azurecli + az spring app deploy \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <app-name> \ + --builder <builder-name> \ + --build-certificates <CA certificate-name> \ + --artifact-path <path-to-your-JAR-file> + ``` ++1. Verify if the CA certificate works for all the applications using it. If everything works fine, use the following command to remove the CA certificate bindings in the builder: ++ ```azurecli + az spring build-service builder buildpack-binding delete \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <your-CA-certificate-buildpack-binding-name> \ + --builder-name <your-builder-name> + ``` ++## Next steps ++- [How to deploy polyglot apps in Azure Spring Apps Enterprise](how-to-enterprise-deploy-polyglot-apps.md) |
spring-apps | How To Enterprise Deploy App At Scale | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-enterprise-deploy-app-at-scale.md | + + Title: Scale out to deploy over 500 and up to 1000 application instances using Azure Spring Apps Enterprise +description: Learn how to deploy applications at scale in the Enterprise plan for Azure Spring Apps and learn about the restrictions. ++++ Last updated : 07/05/2023+++# Scale out to deploy over 500 and up to 1000 application instances using Azure Spring Apps Enterprise ++This article applies to ❌ Basic/Standard ✔️ Enterprise ++This article guides you on deploying up to 1000 application instances in Azure Spring Apps Enterprise. The feature supporting deployment of more than 500 instances is currently in Preview. This article outlines the limitations during the Preview stage. The Enterprise plan, crafted for handling substantial production workloads, supports a maximum of 1000 application instances per service. However, we recommend using a maximum of 500 instances in your production environment. ++## Definition ++The Azure Spring Apps Enterprise plan supports up to 1000 application instances per service instance. The number of application instances is the sum of all the application instances in the service instance. For example, if you have 100 applications in the service instance and each application has 10 replicas, then the total number of application instances is 1000. ++## Configure proper subnet ranges ++When you deploy Azure Spring Apps in an Azure virtual network, you need to configure the proper subnet ranges for your apps and services. The subnet ranges determine how many IP addresses are available for your apps and services to use. If the subnet ranges are too small, you might run out of IP addresses and encounter errors or failures. ++To avoid this problem, you should reserve subnet ranges that are large enough to support the number of application instances. For subnets, Azure reserves five IP addresses, and Azure Spring Apps requires at least three IP addresses. We recommend that you reserve at least the `/24` subnet ranges for the apps subnet. ++For more information about how to deploy an Azure Spring Apps instance in your virtual network, see [Deploy Azure Spring Apps in a virtual network](how-to-deploy-in-azure-virtual-network.md). ++## Restrictions ++Support for 1000 app instances is currently in the preview stage. The following sections describe the restrictions that you should understand when you try this feature. ++### VMware Tanzu Build Service ++VMware Tanzu Build Service automates container creation, management, and governance at enterprise scale. Tanzu Build Service uses the buildpacks project to turn application source code into container images. ++The builder is a Tanzu Build Service resource, which contains a set of buildpacks and a stack used in the process of building source code. The build number using the same builder should be less than 200. Otherwise, it's hard to reconcile all builds when the builder updates. ++The builds are generated when you deploy apps. We recommend that you create multiple customized builders to deploy apps when you have more than 200 apps or deployments. ++### Application Configuration Service for Tanzu ++Application Configuration Service for Tanzu is a central place to manage external properties for applications across all environments. This service is offered in two versions: Gen1 and Gen2. The Gen1 version mainly serves existing customers for backward compatibility purpose. Gen2 uses flux as the back end to communicate with Git repositories. Gen2 provides better performance compared to Gen1. ++The following table shows the benchmark for refresh times under different numbers of patterns. Be sure to carefully control the configuration pattern number based on these values to avoid unacceptable refresh performance. ++| Application Configuration Service generation | Duration to refresh under 100 patterns | Duration to refresh under 250 patterns | Duration to refresh under 500 patterns | +|-|-|-|-| +| Gen1 | 330s | 840s | 1500s | +| Gen2 | 13s | 100s | 378s | ++### Spring Cloud Gateway for VMware Tanzu ++Spring Cloud Gateway for VMware Tanzu handles the cross-cutting concerns for API development teams, such as single sign-on (SSO), access control, rate-limiting, resiliency, security, and more. You can accelerate API delivery using modern cloud native patterns using your choice of programming language for API development. Spring Cloud Gateway is a critical component for a microservices architecture. ++The performance of the gateway is closely related to the number of routes. In general, we recommend that you don't exceed 500 routes. When the gateway can't handle some requests with reasonably low latency or without errors, it can stress a gateway instance's performance. ++Spring Cloud Gateway is able to handle a high volume of traffic. To support the traffic, you should consider increasing the memory requested for API gateway instances so that each pod can handle more requests per second. To configure autoscale rules for the gateway to perform best when demand changes, see the [Set up autoscale settings for VMware Spring Cloud Gateway](how-to-configure-enterprise-spring-cloud-gateway.md#set-up-autoscale-settings) section in [Configure VMware Spring Cloud Gateway](how-to-configure-enterprise-spring-cloud-gateway.md). ++Spring Cloud Gateway supports rolling restarts to ensure zero downtime and disruption. However, the current version of the gateway has a limitation that when it's rolling restarted, it may take longer to synchronize a large number of routes. This situation can cause incomplete route updates during the process. We're actively working on fixing this limitation and will provide an update through our documentation. ++## Next steps ++- [Scale an application in Azure Spring Apps](how-to-scale-manual.md) |
spring-apps | How To Enterprise Deploy Polyglot Apps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-enterprise-deploy-polyglot-apps.md | + + Title: How to deploy polyglot apps in the Azure Spring Apps Enterprise plan +description: Shows you how to deploy polyglot apps in the Azure Spring Apps Enterprise plan. ++++ Last updated : 07/05/2023++++# How to deploy polyglot apps in the Azure Spring Apps Enterprise plan ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ❌ Basic/Standard ✔️ Enterprise ++This article shows you how to deploy polyglot apps in the Azure Spring Apps Enterprise plan, and how these polyglot apps can use the build service features provided by buildpacks. ++## Prerequisites ++- An already provisioned Azure Spring Apps Enterprise plan instance. For more information, see [Quickstart: Build and deploy apps to Azure Spring Apps using the Enterprise plan](quickstart-deploy-apps-enterprise.md). +- [Azure CLI](/cli/azure/install-azure-cli) version 2.45.0 or higher. Use the following command to install the Azure Spring Apps extension: `az extension add --name spring` ++## Deploy polyglot applications in a service instance ++This section applies to building and deploying polyglot applications when the build service is enabled. If you disable the build service, you can deploy applications only with a custom container image. You can create your own image or use one built by an Azure Spring Apps Enterprise instance. For more information, see [Deploy an application with a custom container image](how-to-deploy-with-custom-container-image.md). ++### Manage builders ++When you create an instance of Azure Spring Apps Enterprise, you must choose a default builder from one of the following supported language family buildpacks: ++- [Java Azure Buildpack for VMware Tanzu](https://network.tanzu.vmware.com/products/tanzu-java-azure-buildpack) +- [.NET Core Buildpack for VMware Tanzu](https://network.tanzu.vmware.com/products/tanzu-dotnet-core-buildpack) +- [Go Buildpack for VMware Tanzu](https://network.tanzu.vmware.com/products/tanzu-go-buildpack) +- [Web Servers Buildpack for VMware Tanzu](https://network.tanzu.vmware.com/products/tanzu-web-servers-buildpack/) +- [Node.js Buildpack for VMware Tanzu](https://network.tanzu.vmware.com/products/tanzu-nodejs-buildpack) +- [Python Buildpack for VMware Tanzu](https://network.tanzu.vmware.com/products/tanzu-python-buildpack/) +- [Java Native Image Buildpack for VMware Tanzu](https://network.tanzu.vmware.com/products/tanzu-java-native-image-buildpack/) +- [PHP Buildpack for VMware Tanzu](https://network.tanzu.vmware.com/products/tbs-dependencies/#/releases/1335849/artifact_references) ++For more information, see [Language Family Buildpacks for VMware Tanzu](https://docs.vmware.com/en/VMware-Tanzu-Buildpacks/services/tanzu-buildpacks/GUID-https://docsupdatetracker.net/index.html). ++These buildpacks support building with source code or artifacts for Java, .NET Core, Go, web static files, Node.js, and Python apps. You can also create a custom builder by specifying buildpacks and a stack. ++All the builders configured in an Azure Spring Apps service instance are listed on the **Build Service** page, as shown in the following screenshot: +++Select **Add** to create a new builder. The following screenshot shows the resources you should use to create the custom builder. The [OS Stack](https://docs.vmware.com/en/VMware-Tanzu-Buildpacks/services/tanzu-buildpacks/GUID-stacks.html) includes `Bionic Base`, `Bionic Full`, `Jammy Tiny`, `Jammy Base`, and `Jammy Full`. Bionic is based on `Ubuntu 18.04 (Bionic Beaver)` and Jammy is based on `Ubuntu 22.04 (Jammy Jellyfish)`. For more information, see the [OS stack recommendations](#os-stack-recommendations) section. ++We recommend using `Jammy OS Stack` to create your builder because VMware is deprecating `Bionic OS Stack`. +++You can also edit a custom builder when the builder isn't used in a deployment. You can update the buildpacks or the OS Stack, but the builder name is read only. +++The builder is a resource that continuously contributes to your deployments. It provides the latest runtime images and latest buildpacks. ++You can't delete a builder when existing active deployments are being built with the builder. To delete a builder in this state, use the following steps: ++1. Save the configuration as a new builder. +1. Deploy apps with the new builder. The deployments are linked to the new builder. +1. Migrate the deployments under the previous builder to the new builder. +1. Delete the original builder. ++#### OS stack recommendations ++In Azure Spring Apps, we recommend using `Jammy OS Stack` to create your builder because `Bioinic OS Stack` is in line for deprecation by VMware. The following list describes the options available: ++- Jammy Tiny: Suitable for building a minimal image for the smallest possible size and security footprint. Like building a Java Native Image, it can make the final container image smaller. The integrated libraries are limited. For example, you can't [connect to an app instance for troubleshooting](how-to-connect-to-app-instance-for-troubleshooting.md) because there's no `shell` library. + - Most Go apps. + - Java apps. Some Apache Tomcat configuration options, such as setting *bin/setenv.sh*, aren't available because Tiny has no shell. ++- Jammy Base: Suitable for most apps without native extensions. + - Java apps and .NET Core apps. + - Go apps that require some C libraries. + - Node.js, Python, or Web Servers apps without native extensions. ++- Jammy Full: Includes most libraries, and is suitable for apps with native extensions. For example, it includes a more complete library of fonts. If your app relies on the native extension, then use the `Full` stack. + - Node.js or Python apps with native extensions. ++For more information, see [Ubuntu Stacks](https://docs.vmware.com/en/VMware-Tanzu-Buildpacks/services/tanzu-buildpacks/GUID-stacks.html#ubuntu-stacks) in the VMware documentation. ++### Manage the container registry ++This section shows you how to manage the container registry used by the build service if you enable the build service with your own container registry. If you enable the build service with an Azure Spring Apps managed container registry, you can skip this section. ++After you enable a user container registry with the build service, you can show and configure the registry using the Azure portal or the Azure CLI. ++#### [Azure portal](#tab/Portal) ++Use the following steps to show, add, edit, and delete the container registry: ++1. Open the [Azure portal](https://portal.azure.com/?AppPlatformExtension=entdf#home). +1. Select **Container registry** in the navigation pane. +1. Select **Add** to create a container registry. ++ :::image type="content" source="media/how-to-enterprise-deploy-polyglot-apps/add-container-registry.png" alt-text="Screenshot of Azure portal that shows the Container registry page with Add container registry button." lightbox="media/how-to-enterprise-deploy-polyglot-apps/add-container-registry.png"::: ++1. For a container registry, select the ellipsis (**...**) button, then select **Edit** to view the registry configuration. ++ :::image type="content" source="media/how-to-enterprise-deploy-polyglot-apps/show-container-registry.png" alt-text="Screenshot of the Azure portal that shows the Container registry page." lightbox="media/how-to-enterprise-deploy-polyglot-apps/show-container-registry.png"::: ++1. Review the values on the **Edit container registry** page. ++ :::image type="content" source="media/how-to-enterprise-deploy-polyglot-apps/edit-container-registry.png" alt-text="Screenshot of the Azure portal that shows the Container registry page with Edit container registry pane open for the current container registry in the list." lightbox="media/how-to-enterprise-deploy-polyglot-apps/edit-container-registry.png"::: ++1. To delete a container registry, select the ellipsis (**...**) button, then select **Delete** to delete the registry. If the container registry is used by build service, it can't be deleted. ++ :::image type="content" source="media/how-to-enterprise-deploy-polyglot-apps/delete-container-registry.png" alt-text="Screenshot of Azure portal that shows the Container registry page with Delete container registry pane open for the current container registry in the list." lightbox="media/how-to-enterprise-deploy-polyglot-apps/delete-container-registry.png"::: ++#### [Azure CLI](#tab/Azure-CLI) ++Use the following command to list all container registries for the service instance: ++```azurecli +az spring container-registry list \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> +``` ++Use the following command to show the container registry: ++```azurecli +az spring container-registry show \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <your-container-registry-name> +``` ++Use the following command to update the container registry: ++```azurecli +az spring container-registry update \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <your-container-registry-name> \ + --server <your-container-registry-login-server> \ + --username <your-container-registry-username> \ + --password <your-container-registry-password> +``` ++Use the following command to delete the container registry: ++```azurecli +az spring container-registry delete \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <your-container-registry-name> +``` ++If the build service is using the container registry, then you can't delete it. ++++The build service can use a container registry, and can also change the associated container registry. This process is time consuming. When the change happens, all the builder and build resources under the build service rebuild, and then the final container images get pushed to the new container registry. ++#### [Azure portal](#tab/Portal) ++Use the following steps to switch the container registry associated with the build service: ++1. Open the [Azure portal](https://portal.azure.com/?AppPlatformExtension=entdf#home). +1. Select **Build Service** in the navigation pane. +1. Select **Referenced container registry** to update the container registry for the build service. ++ :::image type="content" source="media/how-to-enterprise-deploy-polyglot-apps/switch-build-service-container-registry.png" alt-text="Screenshot of the Azure portal that shows the Build Service page with referenced container registry highlighted." lightbox="media/how-to-enterprise-deploy-polyglot-apps/switch-build-service-container-registry.png"::: ++#### [Azure CLI](#tab/Azure-CLI) ++Use the following command to show the build service: ++```azurecli +az spring build-service show \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> +``` ++Use the following command to update the build service with a specific container registry: ++```azurecli +az spring build-service update \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --registry-name <your-container-registry-name> +``` ++++### Build and deploy polyglot applications ++You can build and deploy polyglot applications in the following ways using the container registry: ++- For the build service using the Azure Spring Apps managed container registry, you can build an application to an image and then deploy it to the current Azure Spring Apps service instance. The build and deployment are executed together by using the `az spring app deploy` command. ++- For the build service using a user-managed container registry, you can build an application into a container image and then deploy the image to the current Azure Spring Apps Enterprise instance and other instances. The build and deploy commands are separate. You can use the build command to create or update a build, then use the deploy command to deploy the container image to the service instance. ++For more information, see the [Build service on demand](how-to-enterprise-build-service.md#build-service-on-demand) section of [Use Tanzu Build Service](how-to-enterprise-build-service.md). ++The following examples show some helpful build commands to use. ++```azurecli +az configure --defaults group=<resource-group-name> spring=<service-name> ++az spring build-service build list +az spring build-service build show --name <build-name> +az spring build-service build create --name <build-name> --artifact-path <artifact-path> +az spring build-service build update --name <build-name> --artifact-path <artifact-path> +az spring build-service build delete --name <build-name> +``` ++The following Azure CLI examples show building and deploying an artifact file for two container registry scenarios: ++- Azure Spring Apps managed container registry. +- User-managed container registry. ++#### [Azure Spring Apps managed container registry](#tab/asa-managed-container-registry) ++This example builds and deploys in one command. The following command specifies a builder to build an application to a container image, and then deploys the application directly into the Azure Springs Apps Enterprise service instance. ++If you don't specify the builder, a `default` builder is used. ++```azurecli +az spring app deploy \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <app-name> \ + --builder <builder-name> \ + --artifact-path <path-to-your-JAR-file> +``` ++#### [User-managed container registry](#tab/user-managed-container-registry) ++This example builds or updates an application and deploys it using two commands. With a user-managed container registry, you can deploy an application only from a custom container image. For more information, see [Deploy an application with a custom container image](how-to-deploy-with-custom-container-image.md). ++The following command builds an application: ++```azurecli +az spring build-service build create \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <build-name> \ + --builder <builder-name> \ + --artifact-path <path-to-your-JAR-file> +``` ++The following command updates an existing build: ++```azurecli +az spring build-service build update \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <build-name> \ + --builder <builder-name> \ + --artifact-path <path-to-your-JAR-file> +``` ++The following command deploys an application. ++```azurecli +az spring app deploy \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <app-name> \ + --container-image <your-container-image> \ + --container-registry <your-container-registry> \ + --registry-password <your-password> \ + --registry-username <your-username> +``` ++++If you deploy the app with an artifact file, use `--artifact-path` to specify the file path. Both JAR and WAR files are acceptable. ++If the Azure CLI detects the WAR package as a thin JAR, use `--disable-validation` to disable validation. ++The following example deploys the source code folder to an active deployment by using the `--source-path` parameter to specify the folder. ++#### [Azure Spring Apps managed container registry](#tab/asa-managed-container-registry) ++```azurecli +az spring app deploy \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <app-name> \ + --builder <builder-name> \ + --source-path <path-to-source-code> +``` ++#### [User-managed container registry](#tab/user-managed-container-registry) ++The following command builds an application: ++```azurecli +az spring build-service build create \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <build-name> \ + --builder <builder-name> \ + --source-path <path-to-source-code> +``` ++The following command updates an existing build: ++```azurecli +az spring build-service build update \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <build-name> \ + --builder <builder-name> \ + --source-path <path-to-source-code> +``` ++To deploy the application, see [Deploy an application with a custom container image](how-to-deploy-with-custom-container-image.md). ++++You can also configure the build environment to build the app. For example, in a Java application, you can specify the JDK version using the `BP_JVM_VERSION` build environment. ++To specify build environments, use `--build-env`, as shown in the following example. The available build environment variables are described later in this article. ++#### [Azure Spring Apps managed container registry](#tab/asa-managed-container-registry) ++The following command deploys an application: ++```azurecli +az spring app deploy \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <app-name> \ + --build-env <key1=value1> <key2=value2> \ + --builder <builder-name> \ + --artifact-path <path-to-your-JAR-file> +``` ++#### [User-managed container registry](#tab/user-managed-container-registry) ++The following command builds an application: ++```azurecli +az spring build-service build create \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <build-name> \ + --build-env <key1=value1> <key2=value2> \ + --builder <builder-name> \ + --artifact-path <path-to-your-JAR-file> +``` ++The following command updates an existing build: ++```azurecli +az spring build-service build update \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <build-name> \ + --build-env <key1=value1> <key2=value2> \ + --builder <builder-name> \ + --artifact-path <path-to-your-JAR-file> +``` ++To deploy the application, see [Deploy an application with a custom container image](how-to-deploy-with-custom-container-image.md). ++++For each build, you can also specify the build resources, as shown in the following example. ++#### [Azure Spring Apps managed container registry](#tab/asa-managed-container-registry) ++The following command deploys an application: ++```azurecli +az spring app deploy \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <app-name> \ + --build-env <key1=value1> <key2=value2> \ + --build-cpu <build-cpu-size> \ + --build-memory <build-memory-size> \ + --builder <builder-name> \ + --artifact-path <path-to-your-JAR-file> +``` ++#### [User-managed container registry](#tab/user-managed-container-registry) ++The following command builds an application: ++```azurecli +az spring build-service build create \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <build-name> \ + --build-env <key1=value1> <key2=value2> \ + --build-cpu <build-cpu-size> \ + --build-memory <build-memory-size> \ + --builder <builder-name> \ + --artifact-path <path-to-your-JAR-file> + ``` ++The following command updates an existing build: ++```azurecli +az spring build-service build update \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <build-name> \ + --build-env <key1=value1> <key2=value2> \ + --build-cpu <build-cpu-size> \ + --build-memory <build-memory-size> \ + --builder <builder-name> \ + --artifact-path <path-to-your-JAR-file> +``` ++To deploy the application, see [Deploy an application with a custom container image](how-to-deploy-with-custom-container-image.md). ++++The default build CPU/memory resource is `1 vCPU, 2 Gi`. If your application needs a smaller or larger amount of memory, then use `--build-memory` to specify the memory resources - for example, `500Mi`, `1Gi`, `2Gi`, and so on. If your application needs a smaller or larger amount of CPU resources, then use `--build-cpu` to specify the CPU resources - for example, `500m`, `1`, `2`, and so on. The maximum CPU/memory resource limit for a build is `8 vCPU, 16Gi`. ++The CPU and memory resources are limited by the build service agent pool size. For more information, see the [Build agent pool](how-to-enterprise-build-service.md#build-agent-pool) section of [Use Tanzu Build Service](how-to-enterprise-build-service.md). The sum of the processing build resource quota can't exceed the agent pool size. ++The parallel number of build tasks depends on the agent pool size and each build resource. For example, if the build resource is the default `1 vCPU, 2 Gi` and the agent pool size is `6 vCPU, 12 Gi`, then the parallel build number is 6. ++Other build tasks are blocked for a while because of resource quota limitations. ++Your application must listen on port 8080. Spring Boot applications override the `SERVER_PORT` to use 8080 automatically. ++## Supported languages for deployments ++The following table indicates the features supported for each language. ++| Feature | Java | Python | Node | .NET Core | Go | [Static Files](how-to-enterprise-deploy-static-file.md) | Java Native Image | PHP | +|--||--||--|-||-|--| +| App lifecycle management | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | +| Assign endpoint | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | +| Azure Monitor | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | | ✔️ | +| Out of box APM integration | ✔️ | | | | | | | | +| Blue/green deployment | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | +| Custom domain | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | +| Scaling - auto scaling | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | | ✔️ | +| Scaling - manual scaling (in/out, up/down) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | +| Managed identity | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ️ | ✔️ | +| API portal for VMware Tanzu | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | +| Spring Cloud Gateway for VMware Tanzu | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | +| Application Configuration Service for VMware Tanzu | ✔️ | | | | | | ✔️ | | +| VMware Tanzu Service Registry | ✔️ | | | | | | ✔️ | | +| App Live View for VMware Tanzu | ✔️ | | | | | | ✔️ | | +| Virtual network | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | +| Outgoing IP Address | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | +| E2E TLS | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | +| Advanced troubleshooting - thread/heap/JFR dump | ✔️ | | | | | | | | +| Bring your own storage | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | +| Integrate service binding with Resource Connector | ✔️ | | | | | | ✔️ | | +| Availability Zone | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | +| App Lifecycle events | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | +| Reduced app size - 0.5 vCPU and 512 MB | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | +| Automate app deployments with Terraform and Azure Pipeline Task | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | +| Soft Deletion | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | +| Interactive diagnostic experience (AppLens-based) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | +| SLA | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | +| Customize health probes | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | +| Web shell connect for troubleshooting | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ️ ✔️ | ✔️ | +| Remote debugging | ✔️ | | | | ️ | ️ | ️ | | ++For more information about the supported configurations for different language apps, see the corresponding section later in this article. ++### Java Native Image limitations ++[Native Image](https://www.graalvm.org/latest/reference-manual/native-image/) is a technology to compile Java code ahead of time to a native executable. Native images provide various advantages, like an instant startup and reduced memory consumption. You can package native images into a lightweight container image for faster and more efficient deployment. Because of the Closed World Optimization, the following [limitations](https://www.graalvm.org/22.1/reference-manual/native-image/Limitations/) apply: ++- The following Java features require configuration at executable build time: + - Dynamic Class Loading + - Reflection + - Dynamic Proxy + - JNI (Java Native Interface) + - Serialization +- Bytecode isn't available at runtime anymore, so debugging and monitoring with tools targeted to the JVMTI isn't possible. ++The following features aren't supported in Azure Spring Apps due to the limitation of Java Native Image. Azure Spring Apps will support them when the Java Native Image and the community overcomes the limitation. ++| Feature | Why it isn't supported | +||-| +| Azure Monitor | GraalVM built native images doesn't support JVM metrics. | +| Scaling – autoscaling | GraalVM built native images doesn't support JVM metrics. | +| Out-of-box APM integration | APM Vendor & Buildpack doesn't support native image. | +| Managed identity | Azure SDKs doesn't support native image. | +| Advanced troubleshooting – thread/heap/JFR dump | GraalVM built native images doesn't support thread/heap/JFR dump. | +| Remote debugging | GraalVM Native Image doesn't support Remote Debugging. | +| Passwordless connection using Service Connector | Azure Java SDK doesn't support native image. | ++> [!NOTE] +> In the following different language build and deploy configuration sections, `--build-env` means the environment is used in the build phase. `--env` means the environment is used in the runtime phase. +> +> We recommend that you specify the language version in case the default version changes. For example, use `--build-env BP_JVM_VERSION=11.*` to specify Java 11 as the JDK version. For other languages, you can get the environment variable name in the following descriptions for each language. ++### Deploy Java applications ++The buildpack for deploying Java applications is [tanzu-buildpacks/java-azure](https://network.tanzu.vmware.com/products/tanzu-java-azure-buildpack). ++The following table lists the features supported in Azure Spring Apps: ++| Feature description | Comment | Environment variable | Usage | +|--|--|--|-| +| Provides the Microsoft OpenJDK. | Configures the JVM version. The default JDK version is 11. Currently supported: JDK 8, 11, 17, and 21. | `BP_JVM_VERSION` | `--build-env BP_JVM_VERSION=11.*` | +| | Runtime env. Configures whether Java Native Memory Tracking (NMT) is enabled. The default value is *true*. Not supported in JDK 8. | `BPL_JAVA_NMT_ENABLED` | `--env BPL_JAVA_NMT_ENABLED=true` | +| | Configures the level of detail for Java Native Memory Tracking (NMT) output. The default value is *summary*. Set to *detail* for detailed NMT output. | `BPL_JAVA_NMT_LEVEL` | `--env BPL_JAVA_NMT_ENABLED=summary` | +| Add CA certificates to the system trust store at build and runtime. | See the [Configure CA certificates for app builds and deployments](./how-to-enterprise-configure-apm-integration-and-ca-certificates.md#configure-ca-certificates-for-app-builds-and-deployments) section of [How to configure APM integration and CA certificates](./how-to-enterprise-configure-apm-integration-and-ca-certificates.md). | N/A | N/A | +| Integrate with Application Insights, Dynatrace, Elastic, New Relic, App Dynamic APM agent. | See [How to configure APM integration and CA certificates](./how-to-enterprise-configure-apm-integration-and-ca-certificates.md). | N/A | N/A | +| Deploy WAR package with Apache Tomcat or TomEE. | Set the application server to use. Set to *tomcat* to use Tomcat and *tomee* to use TomEE. The default value is *tomcat*. | `BP_JAVA_APP_SERVER` | `--build-env BP_JAVA_APP_SERVER=tomee` | +| Support Spring Boot applications. | Indicates whether to contribute Spring Cloud Bindings support for the image at build time. The default value is *false*. | `BP_SPRING_CLOUD_BINDINGS_DISABLED` | `--build-env BP_SPRING_CLOUD_BINDINGS_DISABLED=false` | +| | Indicates whether to autoconfigure Spring Boot environment properties from bindings at runtime. This feature requires Spring Cloud Bindings to have already been installed at build time or it does nothing. The default value is *false*. | `BPL_SPRING_CLOUD_BINDINGS_DISABLED` | `--env BPL_SPRING_CLOUD_BINDINGS_DISABLED=false` | +| Support building Maven-based applications from source. | Used for a multi-module project. Indicates the module to find the application artifact in. Defaults to the root module (empty). | `BP_MAVEN_BUILT_MODULE` | `--build-env BP_MAVEN_BUILT_MODULE=./gateway` | +| Support building Gradle-based applications from source. | Used for a multi-module project. Indicates the module to find the application artifact in. Defaults to the root module (empty). | `BP_GRADLE_BUILT_MODULE` | `--build-env BP_GRADLE_BUILT_MODULE=./gateway` | +| Enable configuration of labels on the created image. | Configures both OCI-specified labels with short environment variable names and arbitrary labels using a space-delimited syntax in a single environment variable. | `BP_IMAGE_LABELS` <br> `BP_OCI_AUTHORS` <br> See more environment variables [here](https://github.com/paketo-buildpacks/image-labels). | `--build-env BP_OCI_AUTHORS=<value>` | +| Integrate JProfiler agent. | Indicates whether to integrate JProfiler support. The default value is *false*. | `BP_JPROFILER_ENABLED` | build phase: <br>`--build-env BP_JPROFILER_ENABLED=true` <br> runtime phase: <br> `--env BPL_JPROFILER_ENABLED=true` <br> `BPL_JPROFILER_PORT=<port>` (optional, defaults to *8849*) <br> `BPL_JPROFILER_NOWAIT=true` (optional. Indicates whether the JVM executes before JProfiler gets attached. The default value is *true*.) | +| | Indicates whether to enable JProfiler support at runtime. The default value is *false*. | `BPL_JPROFILER_ENABLED` | `--env BPL_JPROFILER_ENABLED=false` | +| | Indicates which port the JProfiler agent listens on. The default value is *8849*. | `BPL_JPROFILER_PORT` | `--env BPL_JPROFILER_PORT=8849` | +| | Indicates whether the JVM executes before JProfiler gets attached. The default value is *true*. | `BPL_JPROFILER_NOWAIT` | `--env BPL_JPROFILER_NOWAIT=true` | +| Integrate [JRebel](https://www.jrebel.com/) agent. | The application should contain a *rebel-remote.xml* file. | N/A | N/A | +| AES encrypts an application at build time and then decrypts it at launch time. | The AES key to use at build time. | `BP_EAR_KEY` | `--build-env BP_EAR_KEY=<value>` | +| | The AES key to use at run time. | `BPL_EAR_KEY` | `--env BPL_EAR_KEY=<value>` | +| Integrate [AspectJ Weaver](https://www.eclipse.org/aspectj/) agent. | `<APPLICATION_ROOT>`/*aop.xml* exists and *aspectj-weaver.\*.jar* exists. | N/A | N/A | ++### Deploy .NET applications ++The buildpack for deploying .NET applications is [tanzu-buildpacks/dotnet-core](https://network.tanzu.vmware.com/products/tanzu-dotnet-core-buildpack). ++The following table lists the features supported in Azure Spring Apps: ++| Feature description | Comment | Environment variable | Usage | +||--|--|--| +| Configure the .NET Core runtime version. | Supports *Net6.0*, *Net7.0*, and *Net8.0*. <br> You can configure through a *runtimeconfig.json* or MSBuild Project file. <br> The default runtime is *6.0.\**. | N/A | N/A | +| Add CA certificates to the system trust store at build and runtime. | See the [Configure CA certificates for app builds and deployments](./how-to-enterprise-configure-apm-integration-and-ca-certificates.md#configure-ca-certificates-for-app-builds-and-deployments) section of [How to configure APM integration and CA certificates](./how-to-enterprise-configure-apm-integration-and-ca-certificates.md). | N/A | N/A | +| Integrate with the Dynatrace and New Relic APM agents. | See [How to configure APM integration and CA certificates](./how-to-enterprise-configure-apm-integration-and-ca-certificates.md). | N/A | N/A | +| Enable configuration of labels on the created image. | Configures both OCI-specified labels with short environment variable names and arbitrary labels using a space-delimited syntax in a single environment variable. | `BP_IMAGE_LABELS` <br> `BP_OCI_AUTHORS` <br> See more environment variables [here](https://github.com/paketo-buildpacks/image-labels). | `--build-env BP_OCI_AUTHORS=<value>` | ++### Deploy Python applications ++The buildpack for deploying Python applications is [tanzu-buildpacks/python](https://network.tanzu.vmware.com/products/tanzu-python-buildpack/). ++The following table lists the features supported in Azure Spring Apps: ++| Feature description | Comment | Environment variable | Usage | +||--|--|-| +| Specify a Python version. | Supports *3.8.\**, *3.9.\**, *3.10.\**, *3.11.\**, *3.12.\**. The default value is *3.10.\**<br> You can specify the version via the `BP_CPYTHON_VERSION` environment variable during build. | `BP_CPYTHON_VERSION` | `--build-env BP_CPYTHON_VERSION=3.8.*` | +| Add CA certificates to the system trust store at build and runtime. | See the [Configure CA certificates for app builds and deployments](./how-to-enterprise-configure-apm-integration-and-ca-certificates.md#configure-ca-certificates-for-app-builds-and-deployments) section of [How to configure APM integration and CA certificates](./how-to-enterprise-configure-apm-integration-and-ca-certificates.md). | N/A | N/A | +| Enable configuration of labels on the created image. | Configures both OCI-specified labels with short environment variable names and arbitrary labels using a space-delimited syntax in a single environment variable. | `BP_IMAGE_LABELS` <br> `BP_OCI_AUTHORS` <br> See more environment variables [here](https://github.com/paketo-buildpacks/image-labels). | `--build-env BP_OCI_AUTHORS=<value>` | ++### Deploy Go applications ++The buildpack for deploying Go applications is [tanzu-buildpacks/go](https://network.tanzu.vmware.com/products/tanzu-go-buildpack). ++The following table lists the features supported in Azure Spring Apps: ++| Feature description | Comment | Environment variable | Usage | +||--|--|-| +| Specify a Go version. | Supports *1.20.\**, *1.21.\**. The default value is *1.20.\**.<br> The Go version is automatically detected from the app’s *go.mod* file. You can override this version by setting the `BP_GO_VERSION` environment variable at build time. | `BP_GO_VERSION` | `--build-env BP_GO_VERSION=1.20.*` | +| Configure multiple targets. | Specifies multiple targets for a Go build. | `BP_GO_TARGETS` | `--build-env BP_GO_TARGETS=./some-target:./other-target` | +| Add CA certificates to the system trust store at build and runtime. | See the [Configure CA certificates for app builds and deployments](./how-to-enterprise-configure-apm-integration-and-ca-certificates.md#configure-ca-certificates-for-app-builds-and-deployments) section of [How to configure APM integration and CA certificates](./how-to-enterprise-configure-apm-integration-and-ca-certificates.md). | N/A | N/A | +| Integrate with Dynatrace APM agent. | See [How to configure APM integration and CA certificates](./how-to-enterprise-configure-apm-integration-and-ca-certificates.md). | N/A | N/A | +| Enable configuration of labels on the created image. | Configures both OCI-specified labels with short environment variable names and arbitrary labels using a space-delimited syntax in a single environment variable. | `BP_IMAGE_LABELS` <br> `BP_OCI_AUTHORS` <br> See more environment variables [here](https://github.com/paketo-buildpacks/image-labels). | `--build-env BP_OCI_AUTHORS=<value>` | ++### Deploy Node.js applications ++The buildpack for deploying Node.js applications is [tanzu-buildpacks/nodejs](https://network.tanzu.vmware.com/products/tanzu-nodejs-buildpack). ++The following table lists the features supported in Azure Spring Apps: ++| Feature description | Comment | Environment variable | Usage | +|-|--|--|--| +| Specify a Node version. | Supports *16.\**, *18.\**, *19.\**, *20.\**. The default value is *20.\**. <br>You can specify the Node version via an *.nvmrc* or *.node-version* file at the application directory root. `BP_NODE_VERSION` overrides the settings. | `BP_NODE_VERSION` | `--build-env BP_NODE_VERSION=19.*` | +| Add CA certificates to the system trust store at build and runtime. | See the [Configure CA certificates for app builds and deployments](./how-to-enterprise-configure-apm-integration-and-ca-certificates.md#configure-ca-certificates-for-app-builds-and-deployments) section of [How to configure APM integration and CA certificates](./how-to-enterprise-configure-apm-integration-and-ca-certificates.md). | N/A | N/A | +| Integrate with Dynatrace, Elastic, New Relic, App Dynamic APM agent. | See [How to configure APM integration and CA certificates](./how-to-enterprise-configure-apm-integration-and-ca-certificates.md). | N/A | N/A | +| Enable configuration of labels on the created image. | Configures both OCI-specified labels with short environment variable names and arbitrary labels using a space-delimited syntax in a single environment variable. | `BP_IMAGE_LABELS` <br> `BP_OCI_AUTHORS` <br> See more environment variables [here](https://github.com/paketo-buildpacks/image-labels). | `--build-env BP_OCI_AUTHORS=<value>` | +| Deploy an Angular application with Angular Live Development Server. | Specify the host before running `ng serve` in the [package.json](https://github.com/paketo-buildpacks/samples/blob/main/nodejs/angular-npm/package.json): `ng serve --host 0.0.0.0 --port 8080 --public-host <your application domain name>`. The domain name of the application is available in the application **Overview** page, in the **URL** section. Remove the protocol `https://` before proceeding. | `BP_NODE_RUN_SCRIPTS` <br> `NODE_ENV` | `--build-env BP_NODE_RUN_SCRIPTS=build NODE_ENV=development` | ++### Deploy WebServer applications ++The buildpack for deploying WebServer applications is [tanzu-buildpacks/web-servers](https://network.tanzu.vmware.com/products/tanzu-web-servers-buildpack/). ++For more information, see [Deploy web static files](how-to-enterprise-deploy-static-file.md). ++### Deploy Java Native Image applications (preview) ++The buildpack for deploying Java Native Image applications is [tanzu-buildpacks/java-native-image](https://network.tanzu.vmware.com/products/tanzu-java-native-image-buildpack/). ++You can deploy Spring Boot native image applications using the `tanzu-buildpacks/java-native-image` buildpack. [Spring Native](https://docs.spring.io/spring-boot/docs/current/reference/html/native-image.html) provides support for compiling Spring Boot applications into native executables. The buildpack uses [Liberica Native Image Kit (NIK)](https://tanzu.vmware.com/content/blog/vmware-tanzu-enterprise-support-spring-boot-native-applications-bellsoft-liberica-nik) to create native images of Spring Boot applications and these applications are fully supported. ++When you build a Java Native Image, you must set the build environment `BP_NATIVE_IMAGE` to `true` and the build memory resource shouldn't be less than 8Gi. The build service agent pool size shouldn't be less than `4 vCPU, 8 Gi`. For more information, see the [Build agent pool](how-to-enterprise-build-service.md#build-agent-pool) section of [Use Tanzu Build Service](how-to-enterprise-build-service.md). ++If you want to build the native image into a smaller size container image, then we recommend using a builder with the `Jammy Tiny` OS stack. For more information, see the [OS stack recommendations](#os-stack-recommendations) section. ++The following table lists the features supported in Azure Spring Apps: ++| Feature description | Comment | Environment variable | Usage | +|||-|| +| Integrate with Bellsoft OpenJDK. | Configures the JDK version. Currently supported: JDK 8, 11, 17, and 20. | `BP_JVM_VERSION` | `--build-env BP_JVM_VERSION=17` | +| Configure arguments for the `native-image` command. | Arguments to pass directly to the native-image command. These arguments must be valid and correctly formed or the native-image command fails. | `BP_NATIVE_IMAGE_BUILD_ARGUMENTS` | `--build-env BP_NATIVE_IMAGE_BUILD_ARGUMENTS="--no-fallback"` | +| Add CA certificates to the system trust store at build and runtime. | See [How to configure APM integration and CA certificates](./how-to-enterprise-configure-apm-integration-and-ca-certificates.md). | Not applicable. | Not applicable. | +| Enable configuration of labels on the created image | Configures both OCI-specified labels with short environment variable names and arbitrary labels using a space-delimited syntax in a single environment variable. | `BP_IMAGE_LABELS` <br> `BP_OCI_AUTHORS` <br> See more environment variables [here](https://github.com/paketo-buildpacks/image-labels). | `--build-env BP_OCI_AUTHORS=<value>` | +| Support building Maven-based applications from source. | Used for a multi-module project. Indicates the module to find the application artifact in. Defaults to the root module (empty). | `BP_MAVEN_BUILT_MODULE` | `--build-env BP_MAVEN_BUILT_MODULE=./gateway` | ++There are some limitations for Java Native Image. For more information, see the [Java Native Image limitations](#java-native-image-limitations) section. ++### Deploy PHP applications ++The buildpack for deploying PHP applications is [tanzu-buildpacks/php](https://network.tanzu.vmware.com/products/tbs-dependencies/#/releases/1335849/artifact_references). ++The Tanzu PHP buildpack is only compatible with the Full OS Stack. We recommend using a builder with the `Jammy Full` OS stack. For more information, see the [OS stack recommendations](#os-stack-recommendations) section. ++The following table lists the features supported in Azure Spring Apps: ++| Feature description | Comment | Environment variable | Usage | +||--|-|-| +| Specify the PHP version. | Configures the PHP version. Currently supported: PHP *8.0.\**, *8.1.\**, and *8.2.\**. The default value is *8.1.\** | `BP_PHP_VERSION` | `--build-env BP_PHP_VERSION=8.0.*` | +| Add CA certificates to the system trust store at build and runtime. | See the [Configure CA certificates for app builds and deployments](./how-to-enterprise-configure-apm-integration-and-ca-certificates.md#configure-ca-certificates-for-app-builds-and-deployments) section of [How to configure APM integration and CA certificates](./how-to-enterprise-configure-apm-integration-and-ca-certificates.md). | N/A | N/A | +| Integrate with Dynatrace, New Relic, App Dynamic APM agent. | See [How to configure APM integration and CA certificates](./how-to-enterprise-configure-apm-integration-and-ca-certificates.md). | N/A | N/A | +| Select a Web Server. | The setting options are *php-server*, *httpd*, and *nginx*. The default value is *php-server*. | `BP_PHP_SERVER` | `--build-env BP_PHP_SERVER=httpd` | +| Configure Web Directory. | When the web server is HTTPD or NGINX, the web directory defaults to *htdocs*. When the web server is the PHP built-in server, the web directory defaults to */workspace*. | `BP_PHP_WEB_DIR` | `--build-env BP_PHP_WEB_DIR=htdocs` | ++## Next steps ++- [Deploy web static files](how-to-enterprise-deploy-static-file.md) |
spring-apps | How To Enterprise Deploy Static File | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-enterprise-deploy-static-file.md | + + Title: Deploy web static files ++description: Learn how to deploy web static files. ++++ Last updated : 5/25/2023++++# Deploy web static files ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ❌ Basic/Standard ✔️ Enterprise ++This article shows you how to deploy your static files to an Azure Spring Apps Enterprise plan instance using the Tanzu Web Servers buildpack. This approach is useful if you have applications that are purely for holding static files like HTML, CSS, or front-end applications built with the JavaScript framework of your choice. You can directly deploy these applications with an automatically configured web server (HTTPD and NGINX) to serve those assets. ++## Prerequisites ++- An already provisioned Azure Spring Apps Enterprise plan instance. For more information, see [Quickstart: Build and deploy apps to Azure Spring Apps using the Enterprise plan](quickstart-deploy-apps-enterprise.md). +- One or more applications running in Azure Spring Apps. +- [Azure CLI](/cli/azure/install-azure-cli), version 2.45.0 or higher. +- Your static files or dynamic front-end application - for example, a React app. ++## Deploy your static files ++> [!NOTE] +> This article focuses on describing deployment configurations and troubleshooting specific to web static file deployment. To understand the general build and deployment scenarios for the Azure Springs Apps Enterprise plan, see the [Build service on demand](how-to-enterprise-build-service.md#build-service-on-demand) section of [Use Tanzu Build Service](how-to-enterprise-build-service.md) and [How to deploy polyglot apps](how-to-enterprise-deploy-polyglot-apps.md). ++You can deploy static files to Azure Spring Apps using NGINX or HTTPD web servers in the following ways: ++- You can deploy static files directly. Azure Spring Apps automatically configures the specified web server to serve the static files. +- You can create your front-end application in the JavaScript framework of your choice, and then deploy your dynamic front-end application from source code. Azure Spring Apps builds your app into static content and uses your configured web server to serve the static files. ++You can also create a server configuration file to customize the web server. ++## Deployment examples ++The Azure CLI examples in this section show building and deploying static files for two container registry scenarios: ++- Azure Spring Apps managed container registry. +- User managed container registry. ++### Build and deploy static files directly ++This example deploys static files directly using an autogenerated default server configuration file. ++#### [Azure Spring Apps managed container registry](#tab/asa-managed-container-registry1) ++The following command deploys a static file: ++```azurecli +az spring app deploy + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <app-name> \ + --source-path <path-to-source-code> \ + --build-env BP_WEB_SERVER=nginx +``` ++#### [User managed container registry](#tab/user-managed-container-registry1) ++In this example, build and deploy are separate commands. A user managed container registry supports deployment only with a custom image. For more information, see [Deploy an application with a custom container image](how-to-deploy-with-custom-container-image.md). ++The following command creates a new build: ++```azurecli +az spring build-service build create \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <build-name> \ + --source-path <path-to-source-code> \ + --build-env BP_WEB_SERVER=nginx +``` ++The following command updates an existing build: ++```azurecli +az spring build-service build update \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <build-name> \ + --source-path <path-to-source-code> \ + --build-env BP_WEB_SERVER=nginx +``` ++The following command deploys an application. ++```azurecli +az spring app deploy \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> + --name <app-name> \ + --container-image <your-container-image> \ + --container-registry <your-container-registry> \ + --registry-password <your-password> \ + --registry-username <your-username> +``` ++++For information about using environment variables, see the [Configure an autogenerated server configuration file](#configure-an-autogenerated-server-configuration-file) section. ++### Build and deploy your front-end application as static content ++This example deploys a dynamic front-end application from source code. ++#### [Azure Spring Apps managed container registry](#tab/asa-managed-container-registry2) ++The following command deploys an application: ++```azurecli +az spring app deploy \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <app-name> \ + --source-path <path-to-source-code> \ + --build-env BP_WEB_SERVER=nginx BP_NODE_RUN_SCRIPTS=build BP_WEB_SERVER_ROOT=build +``` ++#### [User managed container registry](#tab/user-managed-container-registry2) ++In this example, build and deploy are separate commands. A user managed container registry supports deployment only with a custom image. For more information, see [Deploy an application with a custom container image](how-to-deploy-with-custom-container-image.md). ++The following command creates a new build: ++```azurecli +az spring build-service build create \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <app-name> \ + --source-path <path-to-source-code> \ + --build-env BP_WEB_SERVER=nginx BP_NODE_RUN_SCRIPTS=build BP_WEB_SERVER_ROOT=build +``` ++The following command updates an existing build: ++```azurecli +az spring build-service build update \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <app-name> \ + --source-path <path-to-source-code> \ + --build-env BP_WEB_SERVER=nginx BP_NODE_RUN_SCRIPTS=build BP_WEB_SERVER_ROOT=build +``` ++The following command deploys the application: ++```azurecli +az spring app deploy \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <app-name> \ + --container-image <your-container-image> \ + --container-registry <your-container-registry> \ + --registry-password <your-password> \ + --registry-username <your-username> +``` ++++### Build and deploy static files using a customized configuration file ++This example deploys static files using a customized server configuration file. ++#### [Azure Spring Apps managed container registry](#tab/asa-managed-container-registry3) ++The following command deploys an application: ++```azurecli +az spring app deploy \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <app-name> \ + --source-path <path-to-source-code> +``` ++#### [User managed container registry](#tab/user-managed-container-registry3) ++In this example, build and deploy are separate commands. A user managed container registry supports deployment only with a custom image. For more information, see [Deploy an application with a custom container image](how-to-deploy-with-custom-container-image.md). ++The following command creates a new build: ++```azurecli +az spring build-service build create \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <app-name> \ + --source-path <path-to-source-code> +``` ++The following command updates an existing build: ++```azurecli +az spring build-service build update \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <app-name> \ + --source-path <path-to-source-code> +``` ++The following command deploys an application: ++```azurecli +az spring app deploy \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <app-name> \ + --container-image <your-container-image> \ + --container-registry <your-container-registry> \ + --registry-password <your-password> \ + --registry-username <your-username> +``` ++++For more information, see the [Use a customized server configuration file](#use-a-customized-server-configuration-file) section of this article. ++## Sample code ++> [!NOTE] +> The sample code is maintained by the Paketo open source community. ++The [Paketo buildpacks samples](https://github.com/paketo-buildpacks/samples/tree/main/web-servers) demonstrate common use cases for several different application types, including the following use cases: ++- Serving static files with a default server configuration file using `BP_WEB_SERVER` to select either [HTTPD](https://github.com/paketo-buildpacks/samples/blob/main/web-servers/no-config-file-sample/HTTPD.md) or [NGINX](https://github.com/paketo-buildpacks/samples/blob/main/web-servers/no-config-file-sample/NGINX.md). +- Using Node Package Manager to build a [React app](https://github.com/paketo-buildpacks/samples/tree/main/web-servers/react-frontend-sample) into static files that a web server can serve. Use the following steps: + 1. Define a script under the `scripts` property of the *package.json* file that builds your production-ready static assets. For React, it's `build`. + 1. Find out where static assets are stored after the build script runs. For React, static assets are stored in `./build` by default. + 1. Set `BP_NODE_RUN_SCRIPTS` to the name of the build script. + 1. Set `BP_WEB_SERVER_ROOT` to the build output directory. +- Serving static files with your own server configuration file, using either [HTTPD](https://github.com/paketo-buildpacks/samples/tree/main/web-servers/httpd-sample) or [NGINX](https://github.com/paketo-buildpacks/samples/tree/main/web-servers/nginx-sample). ++## Configure an autogenerated server configuration file ++You can use environment variables to modify the autogenerated server configuration file. The following table shows supported environment variables. ++| Environment Variable | Supported Value | Description | +|--|-|| +| `BP_WEB_SERVER` | *nginx* or *httpd* | Specifies the web server type, either *nginx* for Nginx or *httpd* for Apache HTTP server. Required when using the autogenerated server configuration file. | +| `BP_WEB_SERVER_ROOT` | An absolute file path or a file path relative to */workspace*. | Sets the root directory for the static files. The default is `public`. | +| `BP_WEB_SERVER_ENABLE_PUSH_STATE` | *true* or *false* | Enables push state routing for your application. Regardless of the route that is requested, *https://docsupdatetracker.net/index.html* is always served. Useful for single-page web applications. | +| `BP_WEB_SERVER_FORCE_HTTPS` | *true* or *false* | Enforces HTTPS for server connections by redirecting all requests to use the HTTPS protocol. | ++The following environment variables aren't supported. ++- `BP_LIVE_RELOAD_ENABLED` +- `BP_NGINX_VERSION` +- `BP_HTTPD_VERSION` ++## Use a customized server configuration file ++You can configure web server by using a customized server configuration file. The following table shows the configuration file path: ++| Web server | Default configuration file path | How to customize server configuration file path | +|-|--|| +| nginx | *nginx.conf* under the root path of your source code. | Use environment variable `BP_NGINX_CONF_LOCATION` to specify the configuration file name. Place the file under the root path of your source code. | +| httpd | *httpd.conf* under the root path of your source code. | Not supported. | +++Your configuration file must conform to the restrictions described in the following table. ++| Configuration | Description | Nginx Configuration | Httpd Configuration | +|-|-||--| +| Listening port | Web server must listen on port 8080. The service checks the port on TCP for readiness and whether it's live. You must use the templated variable `PORT` in the configuration file. The appropriate port number is injected when the web server is launched. | `listen {{PORT}}` | `Listen "${PORT}"` | +| Log path | Config log path to the console. | `access_log /dev/stdout`, `error_log stderr` | `ErrorLog /proc/self/fd/2` | +| File path with write permission | Web server is granted write permission to the */tmp* directory. Configuring the full path requires write permission under the */tmp* directory. | For example: *client_body_temp_path /tmp/client_body_temp* | | +| Maximum accepted body size of client request | Web server is behind the gateway. The maximum accepted body size of the client request is set to 500 m in the gateway and the value for web server must be less than 500 m. | `client_max_body_size` should be less than 500 m. | `LimitRequestBody` should be less than 500 m. | ++## Buildpack bindings ++Deploying static files to the Azure Spring Apps Enterprise plan supports the Dynatrace buildpack binding. The `htpasswd` buildpack binding isn't supported. ++For more information, see [How to configure APM integration and CA certificates](how-to-enterprise-configure-apm-integration-and-ca-certificates.md). ++## Common build and deployment errors ++Your deployment of static files to an Azure Spring Apps Enterprise instance may generate the following common build errors: ++- `ERROR: No buildpack groups passed detection.` +- `ERROR: Please check that you're running against the correct path.` +- `ERROR: failed to detect: no buildpacks participating` ++The root cause of these errors is that the web server type isn't specified. To resolve these errors, set the environment variable `BP_WEB_SERVER` to *nginx* or *httpd*. ++The following table describes common deployment errors when you deploy static files to Azure Spring Apps Enterprise. ++| Error message | Root cause | Solution | +|--||--| +| `112404: Exit code 0: purposely stopped, please refer to https://aka.ms/exitcode` | The web server failed to start. | Validate your server configuration file to see if there's a configuration error. Then, check whether your configuration file conforms to the restrictions described in the [Use a customized server configuration file](#use-a-customized-server-configuration-file) section. | +| `mkdir() "/var/client_body_temp" failed (13: Permission denied)` | The web server doesn't have write permission to the specified path. | Configure the path under the directory */tmp*; for example: */tmp/client_body_temp*. | ++## Next steps ++- [Use Tanzu Build Service](how-to-enterprise-build-service.md) |
spring-apps | How To Enterprise Large Cpu Memory Applications | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-enterprise-large-cpu-memory-applications.md | + + Title: How to deploy large CPU and memory applications in Azure Spring Apps in the Enterprise plan +description: Learn how to deploy large CPU and memory applications in the Enterprise plan for Azure Spring Apps. ++++ Last updated : 03/17/2023++++# Deploy large CPU and memory applications in Azure Spring Apps in the Enterprise plan ++**This article applies to:** ❌ Basic/Standard ✔️ Enterprise ++This article shows how to deploy large CPU and memory applications in Azure Spring Apps to support CPU intensive or memory intensive workloads. Support for large applications is currently available only in the Enterprise plan, which supports the CPU and memory combinations as shown in the following table. ++| CPU (cores) | Memory (GB) | +| -- | -- | +| 4 | 16 | +| 6 | 24 | +| 8 | 32 | ++## Prerequisites ++- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin. +- An Azure Spring Apps service instance. +- The [Azure CLI](/cli/azure/install-azure-cli). Install the Azure Spring Apps extension with the following command: `az extension add --name spring`. ++## Create a large CPU and memory application ++You can use the Azure portal or the Azure CLI to create applications. ++### [Azure portal](#tab/azure-portal) ++Use the following steps to create a large CPU and memory application using the Azure portal. ++1. Go to your Azure Spring Apps service instance. ++1. In the navigation pane, select **Apps**, and then select **Create app**. ++1. On the **Create App** page, provide a name for **App name** and select the desired **vCpu** and **Memory** values for your application. ++1. Select **Create**. ++ :::image type="content" source="media/how-to-enterprise-large-cpu-memory-applications/create-large-application.png" lightbox="media/how-to-enterprise-large-cpu-memory-applications/create-large-application.png" alt-text="Screenshot of the Azure portal Create App page in Azure Spring Apps showing configuration settings for a new app."::: ++### [Azure CLI](#tab/azure-cli) ++The following command creates an application with the CPU set to eight core processors and memory set to 32 gigabytes. ++```azurecli +az spring app create \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> \ + --name <Spring-app-name> \ + --cpu 8 \ + --memory 32Gi +``` ++++## Scale up and down for large CPU and memory applications ++To adjust your application's CPU and memory settings, you can use the Azure portal or Azure CLI commands. ++### [Azure portal](#tab/azure-portal) ++Use the following steps to scale up or down a large CPU and memory application. ++1. On the overview page of your app, select **Scale up** in the navigation pane. ++1. Select the preferred **vCpu** and **Memory** values. ++ :::image type="content" source="media/how-to-enterprise-large-cpu-memory-applications/scale-large-application.png" lightbox="media/how-to-enterprise-large-cpu-memory-applications/scale-large-application.png" alt-text="Screenshot of Azure portal Configuration page showing how to scale large app."::: ++1. Select **Save**. ++### [Azure CLI](#tab/azure-cli) ++The following command scales up an app to have high CPU and memory values. ++```azurecli +az spring app scale \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> \ + --name <Spring-app-name> \ + --cpu 8 \ + --memory 32Gi +``` ++The following command scales down an app to have low CPU and memory values. ++```azurecli +az spring app scale \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> \ + --name <Spring-app-name> \ + --cpu 1 \ + --memory 2Gi +``` ++++## Next steps ++- [Scale an application in Azure Spring Apps](how-to-scale-manual.md) |
spring-apps | How To Enterprise Marketplace Offer | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-enterprise-marketplace-offer.md | + + Title: Enterprise plan in Azure Marketplace +description: Learn about the Azure Spring Apps Enterprise plan offering available in Azure Marketplace. ++++ Last updated : 03/24/2023++++# Enterprise plan in Azure Marketplace ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ❌ Basic/Standard ✔️ Enterprise ++This article describes the Azure Marketplace offer and license requirements for the VMware Taznu components in the Enterprise plan in Azure Spring Apps. ++## Enterprise plan and VMware Tanzu components ++The Azure Spring Apps Enterprise plan is optimized for the needs of enterprise Spring developers and provides advanced configurability, flexibility, and portability. Azure Spring Apps also provides the enterprise-ready VMware Spring Runtime with 24/7 support in a strong partnership with VMware. You can learn more about the plan's value propositions in the [Enterprise plan](overview.md#enterprise-plan) section of [What is Azure Spring Apps?](overview.md) ++Because the Enterprise plan provides feature parity with the Standard plan, it provides a rich set of features that include app lifecycle management, monitoring, and troubleshooting. ++The Enterprise plan provides the following managed [VMware Tanzu components](./vmware-tanzu-components.md) that empower enterprises to ship faster: ++- Tanzu Build Service +- Application Configuration Service for Tanzu +- Tanzu Service Registry +- Spring Cloud Gateway for Tanzu +- API portal for VMware Tanzu +- Application Live View for VMware Tanzu +- Application Accelerator for VMware Tanzu ++The pricing for Azure Spring Apps Enterprise plan is composed of the following two parts: ++- Infrastructure pricing, set by Microsoft, based on vCPU and memory usage of apps and managed Tanzu components. +- Tanzu component licensing pricing, set by VMware, based on vCPU usage of apps. ++For more information about pricing, see [Azure Spring Apps pricing](https://azure.microsoft.com/pricing/details/spring-apps/). ++To provide the best customer experience to manage the Tanzu component license purchasing and metering, VMware creates an [Azure Spring Apps Enterprise](https://aka.ms/ascmpoffer) offer in Azure Marketplace. This offer represents a Tanzu component license that's automatically purchased on behalf of customers during the creation of an Azure Spring Apps Enterprise plan instance. ++Under this implicit Azure Marketplace third-party offer purchase from VMware, your personal data and application vCPU usage data is shared with VMware. You agree to this data sharing when you agree to the marketplace terms upon creating the service instance. ++To purchase the Tanzu component license successfully, the [billing account](../../cost-management-billing/manage/view-all-accounts.md) of your subscription must be included in one of the locations listed in the [Supported geographic locations of billing account](#supported-geographic-locations-of-billing-account) section. Because of tax management restrictions from VMware in some countries/regions, not all countries/regions are supported. ++The extra license fees apply only to the Enterprise plan. In the Azure Spring Apps Standard plan, there are no extra license fees because the managed Spring components use the OSS config server and Eureka server. No other third-party license fees are required. ++On the [Azure Spring Apps Enterprise](https://aka.ms/ascmpoffer) offer page in Azure Marketplace, you can review the Tanzu component license pricing. ++You can use the Azure portal or the Azure CLI to provision an Azure Spring Apps Enterprise plan service instance. You can also select **Subscribe** on the Azure Marketplace offer page to create the service instance. Azure Marketplace redirects you to the Azure Spring Apps creation page. ++## Requirements ++You must understand and fulfill the following requirements to successfully create an instance of the Azure Spring Apps Enterprise plan when purchasing the Azure Marketplace offer. ++- Your Azure subscription must be registered to the `Microsoft.SaaS` resource provider. For more information, see the [Register resource provider](../../azure-resource-manager/management/resource-providers-and-types.md#register-resource-provider) section of [Azure resource providers and types](../../azure-resource-manager/management/resource-providers-and-types.md). ++- Your Azure subscription must have an associated payment method. Azure credits or free MSDN subscriptions aren't supported. For more information, see the [Purchasing requirements](/marketplace/azure-marketplace-overview#purchasing-requirements) section of [What is Azure Marketplace?](/marketplace/azure-marketplace-overview) ++- Your Azure subscription must belong to a [billing account](../../cost-management-billing/manage/view-all-accounts.md) in a supported geographic location defined in the [Azure Spring Apps Enterprise](https://aka.ms/ascmpoffer) offer in Azure Marketplace. For more information, see the [Supported geographic locations of billing account](#supported-geographic-locations-of-billing-account) section. ++- Your region must be available. Choose an Azure region currently available. For more information, see [In which regions is the Azure Spring Apps Enterprise plan available?](./faq.md#in-which-regions-is-the-azure-spring-apps-enterprise-plan-available) in the [Azure Spring Apps FAQ](faq.md). ++- Your organization must allow Azure Marketplace purchases. For more information, see the [Enabling Azure Marketplace purchases](../../cost-management-billing/manage/ea-azure-marketplace.md#enabling-azure-marketplace-purchases) section of [Azure Marketplace](../../cost-management-billing/manage/ea-azure-marketplace.md). ++- Your organization must allow acquisition of any Azure Marketplace software application as described in the [Purchase policy management](/marketplace/azure-purchasing-invoicing#purchase-policy-management) section of [Azure Marketplace purchasing](/marketplace/azure-purchasing-invoicing). ++- You must accept the marketplace legal terms and privacy statements while provisioning the plan on the Azure portal, or you can use the following commands to do so in advance. ++ ```azurecli + az term accept \ + --publisher vmware-inc \ + --product azure-spring-cloud-vmware-tanzu-2 \ + --plan asa-ent-hr-mtr + ``` ++## Supported geographic locations of billing account ++To successfully purchase the [Azure Spring Apps Enterprise](https://aka.ms/ascmpoffer) offer on Azure Marketplace, your Azure subscription must belong to a [billing account](../../cost-management-billing/manage/view-all-accounts.md) in a supported geographic location defined in the offer. ++The following table lists each supported geographic location and its [ISO 3166 two-digit alpha code](https://en.wikipedia.org/wiki/List_of_ISO_3166_country_codes). ++| Country/Region Name |ISO-2| +|-|--| +| Argentina | AR | +| Armenia | AM | +| Australia | AU | +| Austria | AT | +| Belarus | BY | +| Belgium | BE | +| Brazil | BR | +| Bulgaria | BG | +| Canada | CA | +| Chile | CL | +| Colombia | CO | +| Croatia | HR | +| Cyprus | CY | +| Czechia | CZ | +| Denmark | DK | +| Estonia | EE | +| Finland | FI | +| France | FR | +| Germany | DE | +| Greece | GR | +| Hong Kong SAR | HK | +| Hungary | HU | +| Iceland | IS | +| India | IN | +| Indonesia | ID | +| Ireland | IE | +| Israel<sup>1</sup> | IL | +| Italy | IT | +| Korea | KE | +| Latvia | LV | +| Liechtenstein | LI | +| Lithuania | LT | +| Luxembourg | LU | +| Malaysia | MY | +| Malta | MT | +| Mexico | MX | +| Monaco | MC | +| Netherlands | NL | +| New Zealand | NZ | +| Nigeria | NG | +| Norway | NO | +| Poland | PL | +| Portugal | PT | +| Puerto Rico | PR | +| Qatar | QA | +| Romania | RO | +| Saudi Arabia | SA | +| Serbia | RS | +| Singapore | SG | +| Slovakia | SK | +| Slovenia | SI | +| South Africa | ZA | +| Spain | ES | +| Sweden | SE | +| Switzerland | CH | +| Taiwan | TW | +| Thailand | TH | +| Türkiye | TR | +| United Arab Emirates | AE | +| United Kingdom | GB | +| United States | US | ++<sup>1</sup> Israel requires reaching out to asa-e-contact@vmware.com with Tax ID (TIN) information to unlock. ++## Troubleshoot errors ++The following list shows the errors you might encounter when you create an Azure Spring Apps Enterprise plan instance, and the actions to take to resolve the errors: ++- `Failed to purchase on Azure Marketplace because the Microsoft.SaaS RP is not registered on the Azure subscription.` ++ Register your Azure subscription with the `Microsoft.SaaS` resource provider. For more information, see the [Register resource provider](../../azure-resource-manager/management/resource-providers-and-types.md#register-resource-provider) section of [Azure resource providers and types](../../azure-resource-manager/management/resource-providers-and-types.md). ++- `Failed to load catalog product vmware-inc.azure-spring-cloud-vmware-tanzu-2 in the Azure subscription market.` ++ The billing account for your subscription doesn't contain a valid billing address in the scope of the supported geographic locations. Use the following steps to fix this problem: ++ 1. Find the billing address of the billing account for your subscription by following the steps in the [Check the type of your account](../../cost-management-billing/manage/view-all-accounts.md#check-the-type-of-your-account) section of [Billing accounts and scopes in the Azure portal](../../cost-management-billing/manage/view-all-accounts.md). If you can't view or manage billing accounts, you probably don't have permission to access them. Ask your billing account administrator for help. ++ 1. Determine whether the billing address is in the scope of the [supported geographic locations](#supported-geographic-locations-of-billing-account). If it isn't, try one of the following approaches: ++ - If possible, use another billing account with a supported billing address and then try again. ++ - If you want to use the current subscription, raise a support ticket with us with the subject "Unsupported market in billing address when creating Azure Spring Apps enterprise". ++- `Failed to purchase on Azure Marketplace due to signature verification on Marketplace legal agreement.` ++ You haven't accepted the marketplace legal terms and privacy statements while provisioning the plan. Use the following command to accept the terms: ++ ```azurecli + az term accept \ + --publisher vmware-inc \ + --product azure-spring-cloud-vmware-tanzu-2 \ + --plan asa-ent-hr-mtr + ``` ++- `Purchase has failed because we couldn't find a valid credit card nor a payment method associated with your Azure subscription.` ++ Your Azure subscription doesn't have an associated payment method. Azure credits or free MSDN subscriptions aren't supported. For more information, see the [Purchasing requirements](/marketplace/azure-marketplace-overview#purchasing-requirements) section of [What is Azure Marketplace?](/marketplace/azure-marketplace-overview) ++- `Plan can not be purchased on a free subscription.` ++ Your Azure subscription doesn't have an associated payment method. Azure credits or free MSDN subscriptions aren't supported. For more information, see the [Purchasing requirements](/marketplace/azure-marketplace-overview#purchasing-requirements) section of [What is Azure Marketplace?](/marketplace/azure-marketplace-overview) ++- `Your Azure subscription which is associated with a deleted organization. The billing account is not valid to purchase the SaaS.` ++ Your Azure subscription doesn't have an associated payment method. Azure credits or free MSDN subscriptions aren't supported. For more information, see the [Purchasing requirements](/marketplace/azure-marketplace-overview#purchasing-requirements) section of [What is Azure Marketplace?](/marketplace/azure-marketplace-overview) ++- `Failed to check if marketplace is enabled for your Azure subscription.` ++ Your organization doesn't allow Azure Marketplace purchases. To allow the purchase, see the [Enabling Azure Marketplace purchases](../../cost-management-billing/manage/ea-azure-marketplace.md#enabling-azure-marketplace-purchases) section of [Azure Marketplace](../../cost-management-billing/manage/ea-azure-marketplace.md). ++- `Purchase for Azure product azure-spring-cloud-vmware-tanzu-2 and plan Azure Spring Apps Enterprise (Public) is not allowed.` ++ Your organization doesn't allow Azure Marketplace purchases. To allow the purchase, see the [Enabling Azure Marketplace purchases](../../cost-management-billing/manage/ea-azure-marketplace.md#enabling-azure-marketplace-purchases) section of [Azure Marketplace](../../cost-management-billing/manage/ea-azure-marketplace.md). ++- `Failed to process eligibility check with error Plan 'Azure Spring Apps Enterprise (Public)' of offer 'Azure Spring Apps Enterprise' by publisher 'VMware Inc.' is not available to you for purchase due to private marketplace settings made by your tenant's IT admin.` ++ Your organization doesn't allow Azure Marketplace purchases or acquisition of any Azure Marketplace software application. To allow the purchase, see the [Enabling Azure Marketplace purchases](../../cost-management-billing/manage/ea-azure-marketplace.md#enabling-azure-marketplace-purchases) section of [Azure Marketplace](../../cost-management-billing/manage/ea-azure-marketplace.md) and the [Purchase policy management](/marketplace/azure-purchasing-invoicing#purchase-policy-management) section of [Azure Marketplace purchasing](/marketplace/azure-purchasing-invoicing). ++- `This offer 'vmware-inc.azure-spring-cloud-vmware-tanzu-2' is not available for purchasing by subscriptions belonging to Microsoft Azure Cloud Solution Providers.` ++ There's currently no support for Azure Cloud Solution Providers to purchase Azure Spring Apps Enterprise yet. We're working on enabling this support. ++## Next steps ++- [Launch your first app](./quickstart.md) |
spring-apps | How To Enterprise Service Registry | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-enterprise-service-registry.md | + + Title: How to Use Tanzu Service Registry with the Azure Spring Apps Enterprise plan +description: How to use Tanzu Service Registry with the Azure Spring Apps Enterprise plan. ++++ Last updated : 06/17/2022++++# Use Tanzu Service Registry ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ❌ Basic/Standard ✔️ Enterprise ++This article shows you how to use VMware Tanzu Service Registry with the Azure Spring Apps Enterprise plan. ++Tanzu Service Registry is one of the commercial VMware Tanzu components. This component helps you apply the *service discovery* design pattern to your applications. ++Service discovery is one of the main ideas of the microservices architecture. Without service discovery, you'd have to hand-configure each client of a service or adopt some form of access convention. This process can be difficult, and the configurations and conventions can be brittle in production. Instead, you can use the Tanzu Service Registry to dynamically discover and invoke registered services in your application. ++with the Azure Spring Apps Enterprise plan, you don't have to create or start the Service Registry yourself. You can use the Tanzu Service Registry by selecting it when you create your Azure Spring Apps Enterprise plan instance. ++## Prerequisites ++- An already provisioned Azure Spring Apps Enterprise plan instance with Tanzu Service Registry enabled. For more information, see [Quickstart: Build and deploy apps to Azure Spring Apps using the Enterprise plan](quickstart-deploy-apps-enterprise.md). +- [!INCLUDE [install-enterprise-extension](includes/install-enterprise-extension.md)] ++## Create applications that use Service Registry ++In this article, you'll create two services and register them with Azure Spring Apps Service Registry. After registration, one service will be able to use Service Registry to discover and invoke the other service. The following diagram summarizes the required steps: +++These steps are described in more detail in the following sections. ++1. Create Service A. +2. Deploy Service A to Azure Spring Apps and register it with Service Registry. +3. Create Service B and implement it to call Service A. +4. Deploy Service B and register it with Service Registry. +5. Invoke Service A through Service B. ++## Create environment variables ++This article uses the following environment variables. Set these variables to the values you used when you created your Azure Spring Apps Enterprise plan instance. ++| Variable | Description | +|--|--| +| $RESOURCE_GROUP | Resource group name. | +| $AZURE_SPRING_APPS_NAME | Azure Spring Apps instance name. | ++## Create Service A with Spring Boot ++Navigate to [Spring Initializr](https://start.spring.io/#!type=maven-project&language=java&packaging=jar&groupId=com.example&artifactId=Sample%20Service%20A&name=Sample%20Service%20A&description=Demo%20project%20for%20Spring%20Boot&packageName=com.example.Sample%20Service%20A&dependencies=web,cloud-eureka) to create sample Service A. This link uses the following URL to initialize the settings. ++```URL +https://start.spring.io/#!type=maven-project&language=java&packaging=jar&groupId=com.example&artifactId=Sample%20Service%20A&name=Sample%20Service%20A&description=Demo%20project%20for%20Spring%20Boot&packageName=com.example.Sample%20Service%20A&dependencies=web,cloud-eureka +``` ++The following screenshot shows Spring Initializr with the required settings. +++Next, select **GENERATE** to get a sample project for Spring Boot with the following directory structure. ++```text +├── HELP.md +├── mvnw +├── mvnw.cmd +├── pom.xml +└── src + ├── main + │   ├── java + │   │   └── com + │   │   └── example + │   │   └── Sample + │   │   └── Service + │   │   └── A + │   │   └── SampleServiceAApplication.java + │   └── resources + │   ├── application.properties + │   ├── static + │   └── templates + └── test + └── java + └── com + └── example + └── Sample + └── Service + └── A + └── SampleServiceAApplicationTests.java +``` ++### Confirm the configuration of dependent libraries for the Service Registry client (Eureka client) ++Next, confirm that the *pom.xml* file for the project contains the following dependency. Add the dependency if it's missing. ++```xml +<dependency> + <groupId>org.springframework.cloud</groupId> + <artifactId>spring-cloud-starter-netflix-eureka-client</artifactId> +</dependency> +``` ++### Implement the Service Registry client ++Add an `@EnableEurekaClient` annotation to the *SampleServiceAApplication.java* file to configure it as a Eureka Client. ++```java +package com.example.Sample.Service.A; ++import org.springframework.boot.SpringApplication; +import org.springframework.boot.autoconfigure.SpringBootApplication; +import org.springframework.cloud.netflix.eureka.EnableEurekaClient; ++@SpringBootApplication +@EnableEurekaClient +public class SampleServiceAApplication { ++ public static void main(String[] args) { + SpringApplication.run(SampleServiceAApplication.class, args); + } +} +``` ++### Create a REST endpoint for testing ++You can now register the service to Service Registry, but you can't verify it until you implement a service endpoint. To create RESTful endpoints that external services can call, add a *ServiceAEndpoint.java* file to your project with the following code. ++```java +package com.example.Sample.Service.A; +import java.util.Map; ++import org.springframework.web.bind.annotation.GetMapping; +import org.springframework.web.bind.annotation.RestController; ++@RestController +public class ServiceAEndpoint { ++ @GetMapping("/serviceA") + public String getServiceA(){ + return "This is a result of Service A"; + } ++ @GetMapping("/env") + public Map<String, String> getEnv(){ + Map<String, String> env = System.getenv(); + return env; + } +} +``` ++### Build a Spring Boot application ++Now that you have a simple service, compile and build the source code by running the following command: ++```bash +mvn clean package +``` ++## Deploy Service A and register with Service Registry ++This section explains how to deploy Service A to an Azure Spring Apps Enterprise plan instance and register it with Service Registry. ++### Create an Azure Spring Apps application ++First, create an application in Azure Spring Apps by using the following command: ++```azurecli +az spring app create \ + --resource-group $RESOURCE_GROUP \ + --service $AZURE_SPRING_APPS_NAME \ + --name serviceA \ + --instance-count 1 \ + --memory 2Gi \ + --assign-endpoint +``` ++The `--assign-endpoint` argument grants a public IP for validation and enables access from the external network. ++### Connect to the Service Registry from the app ++You've now created a service with Spring Boot and created an application in Azure Spring Apps. The next task is to deploy the application and confirm the operation. Before that, however, you must bind your application to the Service Registry so that it can get connection information from the registry. ++Typically, a Eureka client needs to write the following connection information settings in the *application.properties* configuration file of a Spring Boot application so that you can connect to the server: ++```properties +eureka.client.service-url.defaultZone=http://eureka:8761/eureka/ +``` ++However, if you write these settings directly in your application, you'll need to re-edit and rebuild the project again each time the Service Registry server changes. To avoid this effort, Azure Spring Apps enables your applications to get connection information from the service registry by binding to it. Specifically, after binding the application to the Service Registry, you can get the service registry connection information (`eureka.client.service-url.defaultZone`) from the Java environment variable. In this way, you can connect to the Service Registry by loading the contents of the environment variables when the application starts. ++In practice, the following environment variables are added to the `JAVA_TOOL_OPTIONS` variable: ++```options +-Deureka.client.service-url.defaultZone=https://$AZURE_SPRING_APPS_NAME.svc.azuremicroservices.io/eureka/default/eureka +``` ++### Bind a service to the Service Registry ++Use the following command to bind the service to Azure Service Registry, enabling it to connect to the server. ++```azurecli +az spring service-registry bind \ + --resource-group $RESOURCE_GROUP \ + --service $AZURE_SPRING_APPS_NAME \ + --app serviceA +``` ++You can also set up the application bindings from the Azure portal, as shown in the following screenshot. +++> [!NOTE] +> These changes will take a few minutes to propagate to all applications when the service registry status changes. +> +> If you change the binding/unbinding status, you'll need to restart or redeploy the application. ++### Deploy an application to Azure Spring Apps ++Now that you've bound your application, you'll deploy the Spring Boot artifact file *Sample-Service-A-A-0.0.1-SNAPSHOT.jar* to Azure Spring Apps. To deploy, use the following command: ++```azurecli +az spring app deploy \ + --resource-group $RESOURCE_GROUP \ + --service $AZURE_SPRING_APPS_NAME \ + --name serviceA \ + --artifact-path ./target/Sample-Service-A-0.0.1-SNAPSHOT.jar \ + --jvm-options="-Xms1024m -Xmx1024m" +``` ++Use the following command to see if your deployment is successful. ++```azurecli +az spring app list \ + --resource-group $RESOURCE_GROUP \ + --service $AZURE_SPRING_APPS_NAME \ + --output table +``` ++This command produces output similar to the following example. ++```output +Name Location ResourceGroup Public Url Production Deployment Provisioning State CPU Memory Running Instance Registered Instance Persistent Storage Bind Service Registry Bind Application Configuration Service + - - - -- -- -- -- -- -- - +servicea southeastasia $RESOURCE_GROUP https://$AZURE_SPRING_APPS_NAME-servicea.azuremicroservices.io default Succeeded 1 2Gi 1/1 N/A - default - +``` ++### Confirm that the Service A application is running ++The output of the previous command includes the public URL for the service. To access the RESTful endpoint, append `/serviceA` to the URL, as shown in the following command: ++```bash +curl https://$AZURE_SPRING_APPS_NAME-servicea.azuremicroservices.io/serviceA +``` ++This command produces the following output. ++```output +This is a result of Service A +``` ++Service A includes a RESTful endpoint that displays a list of environment variables. Access the endpoint with `/env` to see the environment variables, as shown in the following command: ++```bash +curl https://$AZURE_SPRING_APPS_NAME-servicea.azuremicroservices.io/env +``` ++This command produces the following output. ++```output +"JAVA_TOOL_OPTIONS":"-Deureka.client.service-url.defaultZone=https://$AZURE_SPRING_APPS_NAME.svc.azuremicroservices.io/eureka/default/eureka +``` ++As you can see, `eureka.client.service-url.defaultZone` has been added to `JAVA_TOOL_OPTIONS`. In this way, the application can register the service to the Service Registry and make it available from other services. ++You can now register the service to the Service Registry (Eureka Server) in Azure Spring Apps. Other services can now access the service by using service registry. ++## Implement a new Service B that accesses Service A through Service Registry ++### Implement Service B with Spring Boot ++Navigate to [Spring Initializr](https://start.spring.io/#!type=maven-project&language=java&packaging=jar&groupId=com.example&artifactId=Sample%20Service%20B&name=Sample%20Service%20B&description=Demo%20project%20for%20Spring%20Boot&packageName=com.example.Sample%20Service%20B&dependencies=web,cloud-eureka) to create a new project for Service B. This link uses the following URL to initialize the settings: ++```URL +https://start.spring.io/#!type=maven-project&language=java&packaging=jar&groupId=com.example&artifactId=Sample%20Service%20B&name=Sample%20Service%20B&description=Demo%20project%20for%20Spring%20Boot&packageName=com.example.Sample%20Service%20B&dependencies=web,cloud-eureka +``` ++Then, select **GENERATE** to get the new project. ++### Implement Service B as a Service Registry client (Eureka client) ++Like Service A, add the `@EnableEurekaClient` annotation to Service B to configure it as a Eureka client. ++```java +package com.example.Sample.Service.B; ++import org.springframework.boot.SpringApplication; +import org.springframework.boot.autoconfigure.SpringBootApplication; +import org.springframework.cloud.netflix.eureka.EnableEurekaClient; ++@SpringBootApplication +@EnableEurekaClient +public class SampleServiceBApplication { ++ public static void main(String[] args) { + SpringApplication.run(SampleServiceBApplication.class, args); + } +} +``` ++### Implement service endpoints in Service B ++Next, implement a new service endpoint (`/invoke-serviceA`) that invokes Service A. Add a *ServiceBEndpoint.java* file to your project with the following code. ++```java +package com.example.Sample.Service.B; +import java.util.List; +import java.util.stream.Collectors; +import com.netflix.discovery.EurekaClient; +import com.netflix.discovery.shared.Application; +import com.netflix.discovery.shared.Applications; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.web.bind.annotation.GetMapping; +import org.springframework.web.bind.annotation.RestController; +import org.springframework.web.client.RestTemplate; ++@RestController +public class ServiceBEndpoint { + @Autowired + private EurekaClient discoveryClient; ++ @GetMapping(value = "/invoke-serviceA") + public String invokeServiceA() + { + RestTemplate restTemplate = new RestTemplate(); + String response = restTemplate.getForObject("http://servicea/serviceA",String.class); + return "INVOKE SERVICE A FROM SERVICE B: " + response; + } ++ @GetMapping(value = "/list-all") + public List<String> listsAllServices() { + Applications applications = discoveryClient.getApplications(); + List<Application> registeredApplications = applications.getRegisteredApplications(); + List<String> appNames = registeredApplications.stream().map(app -> app.getName()).collect(Collectors.toList()); + return appNames; + } +} +``` ++This example uses `RestTemplate` for simplicity. The endpoint returns the response string with another string (`INVOKE SERVICE A FROM SERVICE B: "`) to indicate that it was called by Service B. ++This example also implements another endpoint (`/list-all`) for validation. This implementation ensures that the service is communicating correctly with the Service Registry. You can call this endpoint to get the list of applications registered in the Service Registry. ++This example invokes Service A as `http://servicea`. The service name is the name that you specified during the creation of the Azure Spring Apps application. (For example: `az spring app create --name ServiceA`.) The application name matches the service name you registered with the service registry, making it easier to manage the service name. ++### Build Service B ++Use the following command to build your project. ++```bash +mvn clean package +``` ++## Deploy Service B to Azure Spring Apps ++Use the following command to create an application in Azure Spring Apps to deploy Service B. ++```azurecli +az spring app create \ + --resource-group $RESOURCE_GROUP \ + --service $AZURE_SPRING_APPS_NAME \ + --name serviceB \ + --instance-count 1 \ + --memory 2Gi \ + --assign-endpoint +``` ++Next, use the following command to bind the application to the Service Registry. ++```azurecli +az spring service-registry bind \ + --resource-group $RESOURCE_GROUP \ + --service $AZURE_SPRING_APPS_NAME \ + --app serviceB +``` ++Next, use the following command to deploy the service. ++```azurecli +az spring app deploy \ + --resource-group $RESOURCE_GROUP \ + --service $AZURE_SPRING_APPS_NAME \ + --name serviceB \ + --artifact-path ./target/Sample-Service-B-0.0.1-SNAPSHOT.jar \ + --jvm-options="-Xms1024m -Xmx1024m" +``` ++Next, use the following command to check the status of the application. ++```azurecli +az spring app list \ + --resource-group $RESOURCE_GROUP \ + --service $AZURE_SPRING_APPS_NAME \ + --output table +``` ++If Service A and Service B are deployed correctly, this command will produce output similar to the following example. ++```output +Name Location ResourceGroup Public Url Production Deployment Provisioning State CPU Memory Running Instance Registered Instance Persistent Storage Bind Service Registry Bind Application Configuration Service +-- - - -- -- -- -- -- -- - +servicea southeastasia SpringCloud-Enterprise https://$AZURE_SPRING_APPS_NAME-servicea.azuremicroservices.io default Succeeded 1 2Gi 1/1 1/1 - default - +serviceb southeastasia SpringCloud-Enterprise https://$AZURE_SPRING_APPS_NAME-serviceb.azuremicroservices.io default Succeeded 1 2Gi 1/1 1/1 - default - +``` ++## Invoke Service A from Service B ++The output of the previous command includes the public URL for the service. To access the RESTful endpoint, append `/invoke-serviceA` to the URL, as shown in the following command: ++```bash +curl https://$AZURE_SPRING_APPS_NAME-serviceb.azuremicroservices.io/invoke-serviceA +``` ++This command produces the following output: ++```output +INVOKE SERVICE A FROM SERVICE B: This is a result of Service A +``` ++### Get some information from Service Registry ++Finally, access the `/list-all` endpoint and retrieve some information from the Service Registry. The following command retrieves a list of services registered in the Service Registry. ++```bash +curl https://$AZURE_SPRING_APPS_NAME-serviceb.azuremicroservices.io/list-all +``` ++This command produces the following output. ++```output +["SERVICEA","EUREKA-SERVER","SERVICEB"] +``` ++In this way, you can obtain detailed information from the program as needed. ++## Enable/disable Service Registry after service creation ++You can enable and disable Service Registry after service creation using the Azure portal or Azure CLI. Before disabling Service Registry, you're required to unbind all of your apps from it. ++### [Azure portal](#tab/Portal) ++Use the following steps to enable or disable Service Registry using the Azure portal: ++1. Navigate to your service resource, and then select **Service Registry**. +1. Select **Manage**. +1. Select or unselect the **Enable Service Registry**, and then select **Save**. +1. You can now view the state of Service Registry on the **Service Registry** page. ++### [Azure CLI](#tab/Azure-CLI) ++Use the following Azure CLI commands to enable or disable Service Registry: ++```azurecli +az spring service-registry create \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> +``` ++```azurecli +az spring service-registry delete \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> +``` ++++## Next steps ++- [Create Roles and Permissions](./how-to-permissions.md) |
spring-apps | How To Fix App Restart Issues Caused By Out Of Memory | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-fix-app-restart-issues-caused-by-out-of-memory.md | + + Title: App restart issues caused by out-of-memory issues ++description: Explains how to understand out-of-memory (OOM) issues for Java applications in Azure Spring Apps. ++++ Last updated : 07/15/2022++++# App restart issues caused by out-of-memory issues ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article describes out-of-memory (OOM) issues for Java applications in Azure Spring Apps. ++## Types of out-of-memory issues ++There are two types of out-of-memory issues: container OOM and JVM OOM. ++- Container OOM, also called *system OOM*, occurs when the available app memory has run out. Container OOM issue causes app restart events, which are reported in the **Resource Health** section of the Azure portal. Normally, container OOM is caused by incorrect memory size configurations. ++- JVM OOM occurs when the amount of used memory has reached the maximum size set in JVM options. JVM OOM won't cause an app to restart. Normally, JVM OOM is a result of bad code, which you can find by looking for `java.lang.OutOfMemoryError` exceptions in the application log. JVM OOM has a negative effect on application and Java Profiling tools, such as Java Flight Recorder. ++This article focuses on how to fix container OOM issues. To fix JVM OOM issues, check tools such as heap dump, thread dump, and Java Flight Recorder. For more information, see [Capture heap dump and thread dump manually and use Java Flight Recorder in Azure Spring Apps](how-to-capture-dumps.md). ++## Fix app restart issues due to OOM ++The following sections describe the tools, metrics, and JVM options that you can use to diagnose and fix container OOM issues. ++### View alerts on the Resource health page ++The **Resource health** page on the Azure portal shows app restart events due to container OOM, as shown in the following screenshot: +++### Configure memory size ++The metrics *App memory Usage*, `jvm.memory.used`, and `jvm.memory.committed` provide a view of memory usage. For more information, see the [Metrics](tools-to-troubleshoot-memory-issues.md#metrics) section of [Tools to troubleshoot memory issues](tools-to-troubleshoot-memory-issues.md). Configure the maximum memory sizes in JVM options to ensure that memory is under the limit. ++The sum of the maximum memory sizes of all the parts in the [Java memory model](concepts-for-java-memory-management.md#java-memory-model) should be less than the real available app memory. To set your maximum memory sizes, see the typical memory layout described in the [Memory usage layout](concepts-for-java-memory-management.md#memory-usage-layout) section of [Java memory management](concepts-for-java-memory-management.md). ++Find a balance when you set the maximum memory size. When you set the maximum memory size too high, there's a risk of container OOM. When you set the maximum memory size too low, there's a risk of JVM OOM, and garbage collection will be of and will slow down the app. ++#### Control heap memory ++You can set the maximum heap size by using the `-Xms`, `-Xmx`, `-XX:InitialRAMPercentage`, and `-XX:MaxRAMPercentage` JVM options. ++You may need to adjust the maximum heap size settings when the value of `jvm.memory.used` is too high in the metrics. For more information, see the [jvm.memory.used/committed/max](tools-to-troubleshoot-memory-issues.md#jvmmemoryusedcommittedmax) section of [Tools to troubleshoot memory issues](tools-to-troubleshoot-memory-issues.md). ++#### Control direct memory ++It's important to set the `-XX:MaxDirectMemorySize` JVM option for the following reasons: ++- You may not notice when frameworks such as nio and gzip use direct memory. +- Garbage collection of direct memory is only handled during full garbage collection, and full garbage collection occurs only when the heap is near full. ++Normally, you can set `MaxDirectMemorySize` to a value less than the app memory size minus the heap memory minus the non-heap memory. ++#### Control metaspace ++You can set the maximum metaspace size by setting the `-XX:MaxMetaspaceSize` JVM option. The `-XX:MetaspaceSize` option sets the threshold value to trigger full garbage collection. ++Metaspace memory is usually stable. ++## See also ++- [Java memory management](concepts-for-java-memory-management.md) +- [Tools to troubleshoot memory issues](tools-to-troubleshoot-memory-issues.md) |
spring-apps | How To Github Actions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-github-actions.md | + + Title: Use Azure Spring Apps CI/CD with GitHub Actions +description: How to build up a CI/CD workflow for Azure Spring Apps with GitHub Actions ++++ Last updated : 09/08/2020++zone_pivot_groups: programming-languages-spring-apps +++# Use Azure Spring Apps CI/CD with GitHub Actions ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article shows you how to build up a CI/CD workflow for Azure Spring Apps with GitHub Actions. ++GitHub Actions support an automated software development lifecycle workflow. With GitHub Actions for Azure Spring Apps you can create workflows in your repository to build, test, package, release, and deploy to Azure. ++## Prerequisites ++This example requires the [Azure CLI](/cli/azure/install-azure-cli). +++## Set up GitHub repository and authenticate ++You need an Azure service principal credential to authorize Azure login action. To get an Azure credential, execute the following commands on your local machine: ++```azurecli +az login +az ad sp create-for-rbac \ + --role contributor \ + --scopes /subscriptions/<SUBSCRIPTION_ID> \ + --json-auth +``` ++To access to a specific resource group, you can reduce the scope: ++```azurecli +az ad sp create-for-rbac \ + --role contributor \ + --scopes /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP> \ + --json-auth +``` ++The command should output a JSON object: ++```json +{ + "clientId": "<GUID>", + "clientSecret": "<GUID>", + "subscriptionId": "<GUID>", + "tenantId": "<GUID>", + ... +} +``` ++This example uses the [steeltoe sample on GitHub](https://github.com/Azure-Samples/azure-spring-apps-samples/tree/main/steeltoe-sample). Fork the repository, open the GitHub repository page for the fork, and select the **Settings** tab. Open the **Secrets** menu, and select **New secret**: +++Set the secret name to `AZURE_CREDENTIALS` and its value to the JSON string that you found under the heading *Set up your GitHub repository and authenticate*. +++You can also get the Azure login credential from Key Vault in GitHub Actions as explained in [Authenticate Azure Spring with Key Vault in GitHub Actions](./github-actions-key-vault.md). ++## Provision service instance ++To provision your Azure Spring Apps service instance, run the following commands using the Azure CLI. ++```azurecli +az extension add --name spring +az group create \ + --name <resource-group-name> \ + --location eastus +az spring create \ + --resource-group <resource-group-name> \ + --name <service-instance-name> +az spring config-server git set \ + --name <service-instance-name> \ + --uri https://github.com/Azure-Samples/azure-spring-apps-samples \ + --label main \ + --search-paths steeltoe-sample/config +``` ++## Build the workflow ++The workflow is defined using the following options. ++### Prepare for deployment with Azure CLI ++The command `az spring app create` is currently not idempotent. After you run it once, you get an error if you run the same command again. We recommend this workflow on existing Azure Spring Apps apps and instances. ++Use the following Azure CLI commands for preparation: ++```azurecli +az config set defaults.group=<service-group-name> +az config set defaults.spring=<service-instance-name> +az spring app create --name planet-weather-provider +az spring app create --name solar-system-weather +``` ++### Deploy with Azure CLI directly ++Create the *.github/workflows/main.yml* file in the repository with the following content. Replace *\<your resource group name>* and *\<your service name>* with the correct values. ++```yaml +name: Steeltoe-CD ++# Controls when the action runs. Triggers the workflow on push or pull request +# events but only for the main branch +on: + push: + branches: [ main] ++# A workflow run is made up of one or more jobs that can run sequentially or in parallel +jobs: + # This workflow contains a single job called "build" + build: + # The type of runner that the job runs on + runs-on: ubuntu-latest + env: + working-directory: ./steeltoe-sample + resource-group-name: <your resource group name> + service-name: <your service name> ++ # Supported .NET Core version matrix. + strategy: + matrix: + dotnet: [ '3.1.x' ] ++ # Steps represent a sequence of tasks that is executed as part of the job + steps: + # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it + - uses: actions/checkout@v2 ++ # Set up .NET Core 3.1 SDK + - uses: actions/setup-dotnet@v1 + with: + dotnet-version: ${{ matrix.dotnet }} ++ # Set credential for az login + - uses: azure/login@v1.1 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} ++ - name: install Azure CLI extension + run: | + az extension add --name spring --yes ++ - name: Build and package planet-weather-provider app + working-directory: ${{env.working-directory}}/src/planet-weather-provider + run: | + dotnet publish + az spring app deploy -n planet-weather-provider --runtime-version NetCore_31 --main-entry Microsoft.Azure.SpringCloud.Sample.PlanetWeatherProvider.dll --artifact-path ./publish-deploy-planet.zip -s ${{ env.service-name }} -g ${{ env.resource-group-name }} + - name: Build solar-system-weather app + working-directory: ${{env.working-directory}}/src/solar-system-weather + run: | + dotnet publish + az spring app deploy -n solar-system-weather --runtime-version NetCore_31 --main-entry Microsoft.Azure.SpringCloud.Sample.SolarSystemWeather.dll --artifact-path ./publish-deploy-solar.zip -s ${{ env.service-name }} -g ${{ env.resource-group-name }} +``` ++++## Set up GitHub repository and authenticate ++You need an Azure service principal credential to authorize Azure login action. To get an Azure credential, execute the following commands on your local machine: ++```azurecli +az login +az ad sp create-for-rbac \ + --role contributor \ + --scopes /subscriptions/<SUBSCRIPTION_ID> \ + --json-auth +``` ++To access to a specific resource group, you can reduce the scope: ++```azurecli +az ad sp create-for-rbac \ + --role contributor \ + --scopes /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP> \ + --json-auth +``` ++The command should output a JSON object: ++```JSON +{ + "clientId": "<GUID>", + "clientSecret": "<GUID>", + "subscriptionId": "<GUID>", + "tenantId": "<GUID>", + ... +} +``` ++This example uses the [PiggyMetrics](https://github.com/Azure-Samples/piggymetrics) sample on GitHub. Fork the sample, uncheck **Copy the Azure branch only**, open the GitHub repository page, and select the **Settings** tab. Open **Secrets** menu, and select **Add a new secret**: +++Set the secret name to `AZURE_CREDENTIALS` and its value to the JSON string that you found under the heading *Set up your GitHub repository and authenticate*. +++You can also get the Azure login credential from Key Vault in GitHub Actions as explained in [Authenticate Azure Spring with Key Vault in GitHub Actions](./github-actions-key-vault.md). ++## Provision service instance ++To provision your Azure Spring Apps service instance, run the following commands using the Azure CLI. ++```azurecli +az extension add --name spring +az group create --location eastus --name <resource group name> +az spring create -n <service instance name> -g <resource group name> +az spring config-server git set -n <service instance name> --uri https://github.com/xxx/piggymetrics --label config +``` ++## End-to-end sample workflows ++The following examples demonstrate common usage scenarios. ++### Deploying ++The following sections show you various options for deploying your app. ++#### To production ++Azure Spring Apps supports deploying to deployments with built artifacts (for example, JAR or .NET Core ZIP) or source code archive. ++The following example deploys to the default production deployment in Azure Spring Apps using JAR file built by Maven. This example is the only possible deployment scenario when using the Basic SKU: ++> [!NOTE] +> The package search pattern should only return exactly one package. If the build task produces multiple JAR packages such as *sources.jar* and *javadoc.jar*, you need to refine the search pattern so that it only matches the application binary artifact. ++```yml +name: AzureSpringApps +on: push +env: + ASC_PACKAGE_PATH: ${{ github.workspace }} + AZURE_SUBSCRIPTION: <azure subscription name> ++jobs: + deploy_to_production: + runs-on: ubuntu-latest + name: deploy to production with artifact + steps: + - name: Checkout GitHub Action + uses: actions/checkout@v2 + + - name: Set up Java 11 + uses: actions/setup-java@v3 + with: + distribution: 'temurin' + java-version: '11' ++ - name: maven build, clean + run: | + mvn clean package ++ - name: Login via Azure CLI + uses: azure/login@v1 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} ++ - name: deploy to production with artifact + uses: azure/spring-apps-deploy@v1 + with: + azure-subscription: ${{ env.AZURE_SUBSCRIPTION }} + action: Deploy + service-name: <service instance name> + app-name: <app name> + use-staging-deployment: false + package: ${{ env.ASC_PACKAGE_PATH }}/**/*.jar +``` ++The following example deploys to the default production deployment in Azure Spring Apps using source code. ++```yml +name: AzureSpringApps +on: push +env: + ASC_PACKAGE_PATH: ${{ github.workspace }} + AZURE_SUBSCRIPTION: <azure subscription name> ++jobs: + deploy_to_production: + runs-on: ubuntu-latest + name: deploy to production with source code + steps: + - name: Checkout GitHub Action + uses: actions/checkout@v2 ++ - name: Login via Azure CLI + uses: azure/login@v1 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} ++ - name: deploy to production step with source code + uses: azure/spring-apps-deploy@v1 + with: + azure-subscription: ${{ env.AZURE_SUBSCRIPTION }} + action: deploy + service-name: <service instance name> + app-name: <app name> + use-staging-deployment: false + package: ${{ env.ASC_PACKAGE_PATH }} +``` ++The following example deploys to the default production deployment in Azure Spring Apps using source code in the Enterprise plan. You can specify which builder to use for deploy actions using the `builder` option. ++```yml +name: AzureSpringApps +on: push +env: + ASC_PACKAGE_PATH: ${{ github.workspace }} + AZURE_SUBSCRIPTION: <azure subscription name> ++jobs: + deploy_to_production: + runs-on: ubuntu-latest + name: deploy to production with source code + steps: + - name: Checkout GitHub Action + uses: actions/checkout@v2 ++ - name: Login via Azure CLI + uses: azure/login@v1 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} ++ - name: deploy to production step with source code in the Enterprise plan + uses: azure/spring-apps-deploy@v1 + with: + azure-subscription: ${{ env.AZURE_SUBSCRIPTION }} + action: deploy + service-name: <service instance name> + app-name: <app name> + use-staging-deployment: false + package: ${{ env.ASC_PACKAGE_PATH }} + builder: <builder> +``` ++The following example deploys to the default production deployment in Azure Spring Apps with an existing container image. ++```yml +name: AzureSpringApps +on: push +env: + ASC_PACKAGE_PATH: ${{ github.workspace }} + AZURE_SUBSCRIPTION: <azure subscription name> ++jobs: + deploy_to_production: + runs-on: ubuntu-latest + name: deploy to production with source code + steps: + - name: Checkout GitHub Action + uses: actions/checkout@v2 ++ - name: Login via Azure CLI + uses: azure/login@v1 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} ++ - name: Deploy Custom Image + uses: Azure/spring-apps-deploy@v1 + with: + azure-subscription: ${{ env.AZURE_SUBSCRIPTION }} + action: deploy + service-name: <service instance name> + app-name: <app name> + deployment-name: <deployment name> + container-registry: <your container image registry> + registry-username: ${{ env.REGISTRY_USERNAME }} + registry-password: ${{ secrets.REGISTRY_PASSWORD }} + container-image: <your image tag> +``` ++During deployment, you can achieve more functionality by using more arguments. For more information, see the [Arguments](https://github.com/Azure/spring-apps-deploy#arguments) section of [GitHub Action for deploying to Azure Spring Apps](https://github.com/Azure/spring-apps-deploy). ++#### Blue-green ++The following examples deploy to an existing staging deployment. This deployment doesn't receive production traffic until it's set as a production deployment. You can set use-staging-deployment true to find the staging deployment automatically or just allocate specific deployment-name. We only focus on the `spring-apps-deploy` action and leave out the preparatory jobs in the rest of the article. ++```yml +# environment preparation configurations omitted + steps: + - name: blue green deploy step use-staging-deployment + uses: azure/spring-apps-deploy@v1 + with: + azure-subscription: ${{ env.AZURE_SUBSCRIPTION }} + action: deploy + service-name: <service instance name> + app-name: <app name> + use-staging-deployment: true + package: ${{ env.ASC_PACKAGE_PATH }}/**/*.jar +``` ++```yml +# environment preparation configurations omitted + steps: + - name: blue green deploy step with deployment-name + uses: azure/spring-apps-deploy@v1 + with: + azure-subscription: ${{ env.AZURE_SUBSCRIPTION }} + action: deploy + service-name: <service instance name> + app-name: <app name> + deployment-name: staging + package: ${{ env.ASC_PACKAGE_PATH }}/**/*.jar +``` ++For more information on blue-green deployments, including an alternative approach, see [Blue-green deployment strategies](./concepts-blue-green-deployment-strategies.md). ++### Setting production deployment ++The following example sets the current staging deployment as production, effectively swapping which deployment receives production traffic. ++```yml +# environment preparation configurations omitted + steps: + - name: set production deployment step + uses: azure/spring-apps-deploy@v1 + with: + azure-subscription: ${{ env.AZURE_SUBSCRIPTION }} + action: set-production + service-name: <service instance name> + app-name: <app name> + use-staging-deployment: true +``` ++### Deleting a staging deployment ++The `Delete Staging Deployment` action allows you to delete the deployment not receiving production traffic. This deletion frees up resources used by that deployment and makes room for a new staging deployment: ++```yml +# environment preparation configurations omitted + steps: + - name: Delete staging deployment step + uses: azure/spring-apps-deploy@v1 + with: + azure-subscription: ${{ env.AZURE_SUBSCRIPTION }} + action: delete-staging-deployment + service-name: <service instance name> + app-name: <app name> +``` ++### Create or update build (Enterprise plan only) ++The following example creates or updates a build resource in the Enterprise plan: ++```yml +# environment preparation configurations omitted + steps: + - name: Create or update build + uses: azure/spring-apps-deploy@v1 + with: + azure-subscription: ${{ env.AZURE_SUBSCRIPTION }} + action: build + service-name: <service instance name> + build-name: <build name> + package: ${{ env.ASC_PACKAGE_PATH }} + builder: <builder> +``` ++### Delete build (Enterprise plan only) ++The following example deletes a build resource in the Enterprise plan: ++```yml +# environment preparation configurations omitted + steps: + - name: Delete build + uses: azure/spring-apps-deploy@v1 + with: + azure-subscription: ${{ env.AZURE_SUBSCRIPTION }} + action: delete-build + service-name: <service instance name> + build-name: <build name> +``` ++## Deploy with Maven Plugin ++Another option is to use the [Maven Plugin](./how-to-maven-deploy-apps.md) for deploying the Jar and updating App settings. The command `mvn azure-spring-apps:deploy` is idempotent and automatically creates Apps if needed. You don't need to create corresponding apps in advance. ++```yaml +name: AzureSpringApps +on: push ++jobs: + build-and-deploy: + runs-on: ubuntu-latest + steps: ++ - uses: actions/checkout@main ++ - name: Set up Java 11 + uses: actions/setup-java@v3 + with: + distribution: 'temurin' + java-version: '11' ++ - name: maven build, clean + run: | + mvn clean package -DskipTests ++ # Maven plugin can cosume this authentication method automatically + - name: Azure Login + uses: azure/login@v1 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} ++ # Maven deploy, make sure you have correct configurations in your pom.xml + - name: deploy to Azure Spring Apps using Maven + run: | + mvn azure-spring-apps:deploy +``` +++## Run the workflow ++GitHub **Actions** should be enabled automatically after you push *.github/workflow/main.yml* to GitHub. The action is triggered when you push a new commit. If you create this file in the browser, your action should have already run. ++To verify that the action has been enabled, select the **Actions** tab on the GitHub repository page: +++If your action runs in error, for example, if you haven't set the Azure credential, you can rerun checks after fixing the error. On the GitHub repository page, select **Actions**, select the specific workflow task, and then select the **Rerun checks** button to rerun checks: +++## Next steps ++* [Authenticate Azure Spring Apps with Azure Key Vault in GitHub Actions](./github-actions-key-vault.md) +* [Microsoft Entra service principals](/cli/azure/ad/sp#az-ad-sp-create-for-rbac) +* [GitHub Actions for Azure](https://github.com/Azure/actions/) +* [GitHub Action for deploying to Azure Spring Apps](https://github.com/Azure/spring-apps-deploy) |
spring-apps | How To Integrate Azure Load Balancers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-integrate-azure-load-balancers.md | + + Title: Tutorial - Integrate Azure Spring Apps with Azure Load Balance Solutions +description: How to integrate Azure Spring Apps with Azure Load Balance Solutions ++++ Last updated : 04/20/2020++++# Integrate Azure Spring Apps with Azure Load Balance Solutions ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Java ✔️ C# ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++Azure Spring Apps supports Spring applications on Azure. Increasing business can require multiple data centers with management of multiple instances of Azure Spring Apps. ++Azure already provides [different load-balance solutions](/azure/architecture/guide/technology-choices/load-balancing-overview). There are three common options to integrate Azure Spring Apps with Azure load-balance solutions: ++1. Integrate Azure Spring Apps with Azure Traffic Manager +1. Integrate Azure Spring Apps with Azure App Gateway +1. Integrate Azure Spring Apps with Azure Front Door ++In the examples below, we will load balance requests for a custom domain of `www.contoso.com` towards two deployments of Azure Spring Apps in two different regions: `eastus.azuremicroservices.io` and `westus.azuremicroservices.io`. ++We recommend that the domain name, as seen by the browser, is the same as the host name which the load balancer uses to direct traffic to the Azure Spring Apps back end. This recommendation provides the best experience when using a load balancer to expose applications hosted in Azure Spring Apps. If the domain exposed by the load balancer is different from the domain accepted by Azure Spring Apps, cookies and generated redirect URLs (for example) can be broken. For more information, see [Host name preservation](/azure/architecture/best-practices/host-name-preservation). ++## Prerequisites ++* A custom domain to be used to access the application: [Tutorial: Map an existing custom domain to Azure Spring Apps](./how-to-custom-domain.md) +* Azure Spring Apps: [How to create an Azure Spring Apps service](./quickstart.md) +* Azure Traffic +* Azure App Gateway: [How to create an application gateway](../../application-gateway/quick-create-portal.md) +* Azure Front Door: [How to create a front door](../../frontdoor/quickstart-create-front-door.md) ++## Integrate Azure Spring Apps with Azure Traffic Manager ++To integrate Azure Spring Apps with Traffic Manager, add its public endpoints as traffic manager’s endpoints and then configure custom domain for both traffic manager and Azure Spring Apps. ++### Add Endpoint in Traffic Manager ++Add endpoints in traffic ++1. Specify **Type** to be *External endpoint*. +1. Input fully qualified domain name (FQDN) of each Azure Spring Apps public endpoint. +1. Select **OK**. ++ :::image type="content" source="media/how-to-integrate-azure-load-balancers/traffic-manager-1.png" alt-text="Screenshot of the Azure portal that shows the Add endpoint page with an eastus FQDN with Priority 1." lightbox="media/how-to-integrate-azure-load-balancers/traffic-manager-1.png"::: ++ :::image type="content" source="media/how-to-integrate-azure-load-balancers/traffic-manager-2.png" alt-text="Screenshot of the Azure portal that shows the Add endpoint page with a westus FQDN with Priority 2." lightbox="media/how-to-integrate-azure-load-balancers/traffic-manager-2.png"::: ++### Configure Custom Domain ++To finish the configuration: ++1. Sign in to the website of your domain provider, and create a CNAME record mapping from your custom domain to traffic manager’s Azure default domain name. ++## Integrate Azure Spring Apps with Azure App Gateway ++To integrate with Azure Spring Apps service, complete the following configurations: ++### Configure Backend Pool ++1. Specify **Target type** as *IP address* or *FQDN*. +1. Enter your Azure Spring Apps public endpoints. ++ :::image type="content" source="media/how-to-integrate-azure-load-balancers/app-gateway-1.png" alt-text="Screenshot of the Azure portal that shows the Add backend pool page with the Backend targets values highlighted." lightbox="media/how-to-integrate-azure-load-balancers/app-gateway-1.png"::: ++### Add Custom Probe ++1. Select **Health Probes** then **Add** to open custom **Probe** dialog. +1. The key point is to select **No** for **Pick host name from backend HTTP settings** option and explicitly specify the host name. For more information, see [Application Gateway configuration for host name preservation](/azure/architecture/best-practices/host-name-preservation#application-gateway). ++ :::image type="content" source="media/how-to-integrate-azure-load-balancers/app-gateway-2.png" alt-text="Screenshot of the Azure portal that shows the probe page." lightbox="media/how-to-integrate-azure-load-balancers/app-gateway-2.png"::: ++### Configure Backend Setting ++1. Select **Backend settings** then **Add** to add a backend setting. +1. **Override with new host name:** select **No**. +1. **Use custom probe**: select **Yes** and pick the custom probe created above. ++ :::image type="content" source="media/how-to-integrate-azure-load-balancers/app-gateway-3.png" alt-text="Screenshot of the Azure portal that shows the Add Backend setting page." lightbox="media/how-to-integrate-azure-load-balancers/app-gateway-3.png"::: ++## Integrate Azure Spring Apps with Azure Front Door ++To integrate with Azure Spring Apps service and configure an origin group, use the following steps: ++1. **Add origin group**. +1. Specify the backend endpoints by adding origins for the different Azure Spring Apps instances. ++ :::image type="content" source="media/how-to-integrate-azure-load-balancers/front-door-1.png" alt-text="Screenshot of the Azure portal that shows the Add an origin group page with the Add an origin button highlighted." lightbox="media/how-to-integrate-azure-load-balancers/front-door-1.png"::: ++1. Specify **origin type** as *Azure Spring Apps*. +1. Select your Azure Spring Apps instance for the **host name**. +1. Keep the **origin host header** empty, so that the incoming host header will be used towards the backend. For more information, see [Azure Front Door configuration for host name preservation](/azure/architecture/best-practices/host-name-preservation#azure-front-door). ++ :::image type="content" source="media/how-to-integrate-azure-load-balancers/front-door-2.png" alt-text="Screenshot of the Azure portal that shows the Add an origin page." lightbox="media/how-to-integrate-azure-load-balancers/front-door-2.png"::: ++## Next steps ++* [How to create a traffic manager](../../traffic-manager/quickstart-create-traffic-manager-profile.md) +* [How to create an application gateway](../../application-gateway/quick-create-portal.md) +* [How to create a front door](../../frontdoor/quickstart-create-front-door.md) |
spring-apps | How To Intellij Deploy Apps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-intellij-deploy-apps.md | + + Title: "Tutorial: Deploy Spring Boot applications using IntelliJ" ++description: Use IntelliJ to deploy applications to Azure Spring Apps. ++++ Last updated : 06/24/2022++++# Deploy Spring Boot applications using IntelliJ ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Java ❌ C# ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++The IntelliJ plug-in for Azure Spring Apps supports application deployment from IntelliJ IDEA. ++Before running this example, you can try the [basic quickstart](./quickstart.md). ++## Prerequisites ++* [IntelliJ IDEA, Community/Ultimate Edition, version 2020.x or higher](https://www.jetbrains.com/idea/download/#section=windows) ++## Install the plug-in ++You can add the Azure Toolkit for IntelliJ IDEA 3.51.0 from the IntelliJ **Plugins** UI. ++1. Start IntelliJ. If you have opened a project previously, close the project to show the welcome dialog. Select **Configure** from link lower right, and then select **Plugins** to open the plug-in configuration dialog, and select **Install Plugins from disk**. ++ :::image type="content" source="media/how-to-intellij-deploy-apps/configure-plugin.png" alt-text="Screenshot of IntelliJ IDEA Welcome dialog box with Configure element highlighted."::: ++1. Search for Azure Toolkit for IntelliJ. Select **Install**. ++ :::image type="content" source="media/how-to-intellij-deploy-apps/install-plugin.png" alt-text="Screenshot of IntelliJ IDEA Plugins dialog box with Install button highlighted."::: ++1. Select **Restart IDE**. ++## Tutorial procedures ++The following procedures deploy a Hello World application using IntelliJ IDEA. ++* Open the gs-spring-boot project +* Deploy to Azure Spring Apps +* Show streaming logs ++## Open gs-spring-boot project ++1. Download and unzip the source repository for this tutorial, or clone it using the following Git command: `git clone https://github.com/spring-guides/gs-spring-boot.git` +1. Navigate to the *gs-spring-boot\complete* folder. +1. Open IntelliJ **Welcome** dialog, select **Import Project** to open the import wizard. +1. Select the *gs-spring-boot\complete* folder. ++ :::image type="content" source="media/how-to-intellij-deploy-apps/import-project.png" alt-text="Screenshot of IntelliJ IDEA Open File or Project dialog box with complete folder highlighted." lightbox="media/how-to-intellij-deploy-apps/import-project.png"::: ++## Deploy to Azure Spring Apps ++In order to deploy to Azure you must sign-in with your Azure account, and choose your subscription. For sign-in details, see [Install and sign-in](/azure/developer/java/toolkit-for-intellij/create-hello-world-web-app#install-and-sign-in). ++1. Right-click your project in IntelliJ project explorer, and select **Azure** -> **Deploy to Azure Spring Apps**. ++ :::image type="content" source="media/how-to-intellij-deploy-apps/deploy-to-azure-menu-option.png" alt-text="Screenshot of IntelliJ IDEA context menu with Deploy to Azure Spring Apps option highlighted." lightbox="media/how-to-intellij-deploy-apps/deploy-to-azure-menu-option.png"::: ++1. Accept the name for app in the **Name** field. **Name** refers to the configuration, not app name. Users don't usually need to change it. +1. Accept the identifier from the project for the **Artifact**. +1. Select **App:** then click **+** to create an Azure Spring Apps instance. ++ :::image type="content" source="media/how-to-intellij-deploy-apps/deploy-to-azure-dialog-box.png" alt-text="Screenshot of IntelliJ IDEA Deploy Azure Spring app dialog box with plus button highlighted." lightbox="media/how-to-intellij-deploy-apps/deploy-to-azure-dialog-box.png"::: ++1. Enter **App name**, then select **OK**. ++ :::image type="content" source="media/how-to-intellij-deploy-apps/create-azure-spring-app-dialog-box.png" alt-text="Screenshot of IntelliJ IDEA Create Azure Spring App dialog box with App name field in focus."::: ++1. Start the deployment by selecting the **Run** button. ++ :::image type="content" source="media/how-to-intellij-deploy-apps/run-button.png" alt-text="Screenshot of IntelliJ IDEA showing Run button." lightbox="media/how-to-intellij-deploy-apps/run-button.png"::: ++1. The plug-in will run the command `mvn package` on the project and then create the new app and deploy the jar generated by the `package` command. ++1. If the app URL is not shown in the output window, get it from the Azure portal. Navigate from your resource group to the instance of Azure Spring Apps. Then select **Apps**. The running app will be listed. Select the app, then copy the **URL** or **Test Endpoint**. ++ :::image type="content" source="media/how-to-intellij-deploy-apps/get-test-url.png" alt-text="Screenshot of Azure portal showing the app overview page with the URL and Test Endpoint fields highlighted." lightbox="media/how-to-intellij-deploy-apps/get-test-url.png"::: ++1. Navigate to the URL or Test Endpoint in the browser. ++ :::image type="content" source="media/how-to-intellij-deploy-apps/navigate-in-browser.png" alt-text="Screenshot of the app running in a browser displaying the message Greetings from Spring Boot."::: ++## Show streaming logs ++To get the logs: ++1. Select **Azure Explorer**, then **Spring Apps**. +1. Right-click the running app. +1. Select **Streaming Log** from the drop-down list. ++ :::image type="content" source="media/how-to-intellij-deploy-apps/streaming-logs.png" alt-text="Screenshot of IntelliJ IDEA context menu with the Streaming Log option highlighted."::: ++1. Select instance. ++ :::image type="content" source="media/how-to-intellij-deploy-apps/select-instance.png" alt-text="Screenshot of the IntelliJ IDEA Select Instance dialog box."::: ++1. The streaming log will be visible in the output window. ++ :::image type="content" source="media/how-to-intellij-deploy-apps/streaming-log-output.png" alt-text="Screenshot of the IntelliJ IDEA showing the streaming log in the output window." lightbox="media/how-to-intellij-deploy-apps/streaming-log-output.png"::: ++## Next steps ++* [Prepare Spring application for Azure Spring Apps](how-to-prepare-app-deployment.md) +* [Learn more about Azure Toolkit for IntelliJ](/azure/developer/java/toolkit-for-intellij/) |
spring-apps | How To Log Streaming | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-log-streaming.md | + + Title: Stream Azure Spring Apps application console logs in real time +description: Describes how to use log streaming to view application logs in real time ++++ Last updated : 08/10/2022++++# Stream Azure Spring Apps application console logs in real time ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Java ✔️ C# ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article describes how to enable log streaming in the Azure CLI to get real-time application console logs for troubleshooting. You can also use diagnostics settings to analyze diagnostics data in Azure Spring Apps. For more information, see [Analyze logs and metrics with diagnostics settings](./diagnostic-services.md). ++For streaming logs of managed components in Azure Spring Apps, see [Stream Azure Spring Apps managed component logs in real time](./how-to-managed-component-log-streaming.md). ++## Prerequisites ++- [Azure CLI](/cli/azure/install-azure-cli) with the Azure Spring Apps extension, version 1.0.0 or higher. You can install the extension by using the following command: `az extension add --name spring` +- An instance of Azure Spring Apps with a running application. For more information, see [Quickstart: Deploy your first application to Azure Spring Apps](./quickstart.md). ++## Use the Azure CLI to produce tail logs ++This section provides examples of using the Azure CLI to produce tail logs. To avoid repeatedly specifying your resource group and service instance name, use the following commands to set your default resource group name and cluster name: ++```azurecli +az config set defaults.group=<service-group-name> +az config set defaults.spring=<service-instance-name> +``` ++The resource group and service name are omitted in the following examples. ++### View the tail log for an app with a single instance ++If an app named `auth-service` has only one instance, you can view the log of the app instance with the following command: ++```azurecli +az spring app logs --name <application-name> +``` ++The command returns logs similar to the following examples, where `auth-service` is the application name. ++```output +... +2020-01-15 01:54:40.481 INFO [auth-service,,,] 1 [main] o.apache.catalina.core.StandardService : Starting service [Tomcat] +2020-01-15 01:54:40.482 INFO [auth-service,,,] 1 [main] org.apache.catalina.core.StandardEngine : Starting Servlet engine: [Apache Tomcat/9.0.22] +2020-01-15 01:54:40.760 INFO [auth-service,,,] 1 [main] o.a.c.c.C.[Tomcat].[localhost].[/uaa] : Initializing Spring embedded WebApplicationContext +2020-01-15 01:54:40.760 INFO [auth-service,,,] 1 [main] o.s.web.context.ContextLoader : Root WebApplicationContext: initialization completed in 7203 ms ++... +``` ++### View the tail log for an app with multiple instances ++If multiple instances exist for the app named `auth-service`, you can view the instance log by using the `-i/--instance` option. ++First, run the following command to get the app instance names: ++```azurecli +az spring app show --name auth-service --query properties.activeDeployment.properties.instances --output table +``` ++The command produces results similar to the following output: ++```output +Name Status DiscoveryStatus +- -- -- +auth-service-default-12-75cc4577fc-pw7hb Running UP +auth-service-default-12-75cc4577fc-8nt4m Running UP +auth-service-default-12-75cc4577fc-n25mh Running UP +``` ++Then, you can stream logs of an app instance using the `-i/--instance` option, as follows: ++```azurecli +az spring app logs --name auth-service --instance auth-service-default-12-75cc4577fc-pw7hb +``` ++You can also get details of app instances from the Azure portal. After selecting **Apps** in the left navigation pane of your Azure Spring Apps service, select **App Instances**. ++### Continuously stream new logs ++By default, `az spring app logs` prints only existing logs streamed to the app console and then exits. If you want to stream new logs, add the `-f/--follow` argument, as shown in the following example: ++```azurecli +az spring app logs --name auth-service --follow +``` ++When you use the `--follow` argument to tail instant logs, the Azure Spring Apps log streaming service sends heartbeat logs to the client every minute unless your application is writing logs constantly. Heartbeat log messages use the following format: `2020-01-15 04:27:13.473: No log from server`. ++Use the following command to check all the logging options that are supported: ++```azurecli +az spring app logs --help +``` ++### Format JSON structured logs ++> [!NOTE] +> Formatting JSON structured logs requires spring extension version 2.4.0 or later. ++Structured application logs are displayed in JSON format, which can be difficult to read. You can use the `--format-json` argument to format logs in JSON format into a more readable format. For more information, see [Structured application log for Azure Spring Apps](./structured-app-log.md). ++The following example shows how to use the `--format-json` argument: ++```azurecli +# Raw JSON log +$ az spring app logs --name auth-service +{"timestamp":"2021-05-26T03:35:27.533Z","logger":"com.netflix.discovery.DiscoveryClient","level":"INFO","thread":"main","mdc":{},"message":"Disable delta property : false"} +{"timestamp":"2021-05-26T03:35:27.533Z","logger":"com.netflix.discovery.DiscoveryClient","level":"INFO","thread":"main","mdc":{},"message":"Single vip registry refresh property : null"} ++# Formatted JSON log +$ az spring app logs --name auth-service --format-json +2021-05-26T03:35:27.533Z INFO [ main] com.netflix.discovery.DiscoveryClient : Disable delta property : false +2021-05-26T03:35:27.533Z INFO [ main] com.netflix.discovery.DiscoveryClient : Single vip registry refresh property : null +``` ++The `--format-json` argument also accepts an optional customized format using format string syntax. For more information, see [Format String Syntax](https://docs.python.org/3/library/string.html#format-string-syntax). ++The following example shows how to use format string syntax: ++```azurecli +# Custom format +$ az spring app logs --name auth-service --format-json="{message}{n}" +Disable delta property : false +Single vip registry refresh property : null +``` ++> The default format being used is: +> +> ```format +> {timestamp} {level:>5} [{thread:>15.15}] {logger{39}:<40.40}: {message}{n}{stackTrace} +> ``` ++## Stream an Azure Spring Apps app log in a virtual network injection instance ++For an Azure Spring Apps instance deployed in a custom virtual network, you can access log streaming by default from a private network. For more information, see [Deploy Azure Spring Apps in a virtual network](./how-to-deploy-in-azure-virtual-network.md) ++Azure Spring Apps also enables you to access real-time app logs from a public network using Azure portal or the Azure CLI. ++> [!NOTE] +> Enabling the log streaming endpoint on the public network adds a public inbound IP to your virtual network. Be sure to use caution if this is a concern for you. ++### [Azure portal](#tab/azure-portal) ++Use the following steps to enable a log streaming endpoint on the public network: ++1. Select the Azure Spring Apps service instance deployed in your virtual network and then select **Networking** in the navigation menu. ++1. Select the **Vnet injection** tab. ++1. Switch the status of **Dataplane resources on public network** to **enable** to enable a log streaming endpoint on the public network. This process takes a few minutes. ++ :::image type="content" source="media/how-to-log-streaming/dataplane-public-endpoint.png" alt-text="Screenshot of the Azure portal that shows the Networking page with the Vnet injection tab selected and the Troubleshooting section highlighted." lightbox="media/how-to-log-streaming/dataplane-public-endpoint.png"::: ++#### [Azure CLI](#tab/azure-CLI) ++Use the following command to enable the log stream public endpoint: ++```azurecli +az spring update \ + --resource-group <resource-group-name> \ + --service <service-instance-name> \ + --enable-dataplane-public-endpoint true +``` ++++After you enable the log stream public endpoint, you can access the app log from a public network just like you would access a normal instance. ++## Secure traffic to the log streaming public endpoint ++Log streaming uses the same key as the test endpoint described in [Set up a staging environment in Azure Spring Apps](./how-to-staging-environment.md) to authenticate the connections to your deployments. As a result, only users who have read access to the test keys can access log streaming. ++To ensure the security of your applications when you expose a public endpoint for them, secure the endpoint by filtering network traffic to your service with a network security group. For more information, see [Tutorial: Filter network traffic with a network security group using the Azure portal](../../virtual-network/tutorial-filter-network-traffic.md). A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol. ++> [!NOTE] +> If you can't access app logs in the virtual network injection instance from the internet after you enable a log stream public endpoint, check your network security group to see whether you allowed such inbound traffic. ++The following table shows an example of a basic rule that we recommend. You can use commands like `nslookup` with the endpoint `<service-name>.private.azuremicroservices.io` to get the target IP address of a service. ++| Priority | Name | Port | Protocol | Source | Destination | Action | +|-|--||-|-|--|--| +| 100 | Rule name | 80 | TCP | Internet | Service IP address | Allow | +| 110 | Rule name | 443 | TCP | Internet | Service IP address | Allow | ++## Next steps ++- [Quickstart: Monitoring Azure Spring Apps apps with logs, metrics, and tracing](../basic-standard/quickstart-logs-metrics-tracing.md) +- [Analyze logs and metrics with diagnostics settings](./diagnostic-services.md) +- [Stream Azure Spring Apps managed component logs in real time](./how-to-managed-component-log-streaming.md) |
spring-apps | How To Manage User Assigned Managed Identities | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-manage-user-assigned-managed-identities.md | + + Title: Manage user-assigned managed identities for an application in Azure Spring Apps +description: How to manage user-assigned managed identities for applications. ++++ Last updated : 03/31/2022++zone_pivot_groups: spring-apps-tier-selection +++# Manage user-assigned managed identities for an application in Azure Spring Apps ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article shows you how to assign or remove user-assigned managed identities for an application in Azure Spring Apps, using the Azure portal and Azure CLI. ++Managed identities for Azure resources provide an automatically managed identity in Microsoft Entra ID to an Azure resource such as your application in Azure Spring Apps. You can use this identity to authenticate to any service that supports Microsoft Entra authentication, without having credentials in your code. ++## Prerequisites ++- If you're unfamiliar with managed identities for Azure resources, see [What are managed identities for Azure resources?](/entra/identity/managed-identities-azure-resources/overview) +++- An already provisioned Azure Spring Apps Enterprise plan instance. For more information, see [Quickstart: Build and deploy apps to Azure Spring Apps using the Enterprise plan](quickstart-deploy-apps-enterprise.md). +- [Azure CLI version 2.45.0 or higher](/cli/azure/install-azure-cli). +- [!INCLUDE [install-app-user-identity-extension](includes/install-app-user-identity-extension.md)] +- At least one already provisioned user-assigned managed identity. For more information, see [Manage user-assigned managed identities](/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities). ++++- An already provisioned Azure Spring Apps instance. For more information, see [Quickstart: Deploy your first application to Azure Spring Apps](./quickstart.md). +- [Azure CLI version 2.45.0 or higher](/cli/azure/install-azure-cli). +- [!INCLUDE [install-app-user-identity-extension](includes/install-app-user-identity-extension.md)] +- At least one already provisioned user-assigned managed identity. For more information, see [Manage user-assigned managed identities](/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities). +++## Assign user-assigned managed identities when creating an application ++Create an application and assign user-assigned managed identity at the same time by using the following command: ++```azurecli +az spring app create \ + --resource-group <resource-group-name> \ + --name <app-name> \ + --service <service-instance-name> \ + --user-assigned <space-separated user identity resource IDs to assign> +``` ++## Assign user-assigned managed identities to an existing application ++Assigning user-assigned managed identity requires setting another property on the application. ++### [Azure portal](#tab/azure-portal) ++To assign user-assigned managed identity to an existing application in the Azure portal, follow these steps: ++1. Navigate to an application in the Azure portal as you normally would. +2. Scroll down to the **Settings** group in the left navigation pane. +3. Select **Identity**. +4. Within the **User assigned** tab, select **Add**. +5. Choose one or more user-assigned managed identities from right panel and then select **Add** from this panel. ++### [Azure CLI](#tab/azure-cli) ++Use the following command to assign one or more user-assigned managed identities on an existing app: ++```azurecli +az spring app identity assign \ + --resource-group <resource-group-name> \ + --name <app-name> \ + --service <service-instance-name> \ + --user-assigned <space-separated user identity resource IDs to assign> +``` ++++## Obtain tokens for Azure resources ++An application can use its managed identity to get tokens to access other resources protected by Microsoft Entra ID, such as Azure Key Vault. These tokens represent the application accessing the resource, not any specific user of the application. ++You may need to configure the target resource to allow access from your application. For more information, see [Assign a managed identity access to a resource by using the Azure portal](/entra/identity/managed-identities-azure-resources/howto-assign-access-portal). For example, if you request a token to access Key Vault, be sure you've added an access policy that includes your application's identity. Otherwise, your calls to Key Vault are rejected, even if they include the token. To learn more about which resources support Microsoft Entra tokens, see [Azure services that support Microsoft Entra authentication](/entra/identity/managed-identities-azure-resources/services-id-authentication-support) ++Azure Spring Apps shares the same endpoint for token acquisition with Azure Virtual Machines. We recommend using Java SDK or Spring Boot starters to acquire a token. For various code and script examples, and guidance on important topics such as handling token expiration and HTTP errors, see [How to use managed identities for Azure resources on an Azure VM to acquire an access token](/entra/identity/managed-identities-azure-resources/how-to-use-vm-token). ++## Remove user-assigned managed identities from an existing app ++Removing user-assigned managed identities removes the assignment between the identities and the application, and doesn't delete the identities themselves. ++### [Azure portal](#tab/azure-portal) ++To remove user-assigned managed identities from an application that no longer needs it, follow these steps: ++1. Sign in to the Azure portal using an account associated with the Azure subscription that contains the Azure Spring Apps instance. +1. Navigate to the desired application and select **Identity**. +1. Under **User assigned**, select target identities and then select **Remove**. ++### [Azure CLI](#tab/azure-cli) ++To remove user-assigned managed identities from an application that no longer needs it, use the following command: ++```azurecli +az spring app identity remove \ + --resource-group <resource-group-name> \ + --name <app-name> \ + --service <service-instance-name> \ + --user-assigned <space-separated user identity resource IDs to remove> +``` ++++## Limitations ++For user-assigned managed identity limitations, see [Quotas and service plans for Azure Spring Apps](./quotas.md). ++## Next steps ++- [What are managed identities for Azure resources?](/entra/identity/managed-identities-azure-resources/overview) +- [How to use managed identities with Java SDK](https://github.com/Azure-Samples/azure-spring-apps-samples) |
spring-apps | How To Managed Component Log Streaming | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-managed-component-log-streaming.md | + + Title: Stream Azure Spring Apps managed component logs in real time +description: Learn how to use log streaming to view managed component logs in real time. ++++ Last updated : 01/10/2024++++# Stream Azure Spring Apps managed component logs in real time ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ❌ Basic/Standard ✔️ Enterprise ++This article describes how to use the Azure CLI to get real-time logs of managed components for troubleshooting. You can also use diagnostics settings to analyze diagnostics data in Azure Spring Apps. For more information, see [Analyze logs and metrics with diagnostics settings](./diagnostic-services.md). ++For streaming logs of applications in Azure Spring Apps, see [Stream Azure Spring Apps application console logs in real time](./how-to-log-streaming.md). ++## Prerequisites ++- [Azure CLI](/cli/azure/install-azure-cli) with the Azure Spring Apps extension, version 1.19.0 or higher. You can install the extension by using the following command: `az extension add --name spring`. ++## Supported managed components ++The following table lists the managed components that are currently supported, along with their subcomponents: ++| Managed component | Subcomponents | +|--|-| +| Application Configuration Service | `application-configuration-service` <br/> `flux-source-controller` (Supported in ACS Gen2 version) | +| Spring Cloud Gateway | `spring-cloud-gateway` <br/> `spring-cloud-gateway-operator` | ++You can use the following command to list all subcomponents: ++```azurecli +az spring component list + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> +``` ++## Assign an Azure role ++To stream logs of managed components, you must have the relevant Azure roles assigned to you. The following table lists the required roles and the operations for which these roles are granted permissions: ++| Managed component | Required role | Operations | +|--||| +| Application Configuration Service | Azure Spring Apps Application Configuration Service Log Reader Role | `Microsoft.AppPlatform/Spring/ApplicationConfigurationService/logstream/action` | +| Spring Cloud Gateway | Azure Spring Apps Spring Cloud Gateway Log Reader Role | `Microsoft.AppPlatform/Spring/SpringCloudGateway/logstream/action` | ++### [Azure portal](#tab/azure-Portal) ++Use the following steps to assign an Azure role using the Azure portal: ++1. Open the [Azure portal](https://portal.azure.com). ++1. Open your Azure Spring Apps service instance. ++1. In the navigation pane, select **Access Control (IAM)**. ++1. On the **Access Control (IAM)** page, select **Add** and then select **Add role assignment**. ++ :::image type="content" source="media/how-to-managed-component-log-streaming/add-role-assignment.png" alt-text="Screenshot of the Azure portal that shows the Access Control (IAM) page for an Azure Spring Apps instance with the Add role assignment option highlighted." lightbox="media/how-to-managed-component-log-streaming/add-role-assignment.png"::: ++1. On the **Add role assignment** page, in the **Name** list, search for and select the target role and then select **Next**. ++ :::image type="content" source="media/how-to-managed-component-log-streaming/application-configuration-service-log-reader-role.png" alt-text="Screenshot of the Azure portal that shows the Add role assignment page for an Azure Spring Apps instance with the Azure Spring Apps Application Configuration Service Log Reader Role name highlighted." lightbox="media/how-to-managed-component-log-streaming/application-configuration-service-log-reader-role.png"::: ++1. Select **Members** and then search for and select your username. ++1. Select **Review + assign**. ++### [Azure CLI](#tab/azure-CLI) ++Use the following command to assign an Azure role: ++ ```azurecli + az role assignment create \ + --role "<Log-reader-role-for-managed-component>" \ + --scope "<service-instance-resource-id>" \ + --assignee "<your-identity>" + ``` ++++## List all instances in a component ++Use the following command to list all instances in a component: ++```azurecli +az spring component instance list \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --component <component-name> +``` ++For example, to list all instances for `flux-source-controller` in ACS Gen2 version, use the following command: ++```azurecli +az spring component instance list \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --component flux-source-controller +``` ++## View tail logs ++This section provides examples of using the Azure CLI to produce tail logs. ++### View tail logs for a specific instance ++To view the tail logs for a specific instance, use the `az spring component logs` command with the `-i/--instance` argument, as shown in the next section. ++#### View tail logs for an instance of application-configuration-service ++Use the following command to view the tail logs for `application-configuration-service`: ++```azurecli +az spring component logs \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name application-configuration-service \ + --instance <instance-name> +``` ++For ACS Gen2, the command returns logs similar to the following example: ++```output +... +2023-12-18T07:09:54.020Z INFO 16715 [main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat initialized with port(s): 8090 (https) +2023-12-18T07:09:54.116Z INFO 16715 [main] org.apache.juli.logging.DirectJDKLog : Starting service [Tomcat] +2023-12-18T07:09:54.117Z INFO 16715 [main] org.apache.juli.logging.DirectJDKLog : Starting Servlet engine: [Apache Tomcat/10.1.12] +2023-12-18T07:09:54.522Z INFO 16715 [main] org.apache.juli.logging.DirectJDKLog : Initializing Spring embedded WebApplicationContext +2023-12-18T07:09:54.524Z INFO 16715 [main] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 14100 ms +2023-12-18T07:09:56.920Z INFO 16715 [main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat started on port(s): 8090 (https) with context path '' +2023-12-18T07:09:57.528Z INFO 16715 [main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat initialized with port(s): 8081 (http) +2023-12-18T07:09:57.529Z INFO 16715 [main] org.apache.juli.logging.DirectJDKLog : Starting service [Tomcat] +2023-12-18T07:09:57.529Z INFO 16715 [main] org.apache.juli.logging.DirectJDKLog : Starting Servlet engine: [Apache Tomcat/10.1.12] +2023-12-18T07:09:57.629Z INFO 16715 [main] org.apache.juli.logging.DirectJDKLog : Initializing Spring embedded WebApplicationContext +2023-12-18T07:09:57.629Z INFO 16715 [main] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 603 ms +2023-12-18T07:09:57.824Z INFO 16715 [main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat started on port(s): 8081 (http) with context path '' +2023-12-18T07:09:58.127Z INFO 16715 [main] o.springframework.boot.StartupInfoLogger : Started ReconcilerApplication in 21.005 seconds (process running for 22.875) +... +``` ++#### View tail logs for an instance of flux-source-controller ++Use the following command to view the tail logs for `flux-source-controller`: ++```azurecli +az spring component logs \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name flux-source-controller \ + --instance <instance-name> +``` ++The command returns logs similar to the following example: ++```output +... +{"level":"info","ts":"2023-12-18T07:07:54.615Z","logger":"controller-runtime.metrics","msg":"Metrics server is starting to listen","addr":":8080"} +{"level":"info","ts":"2023-12-18T07:07:54.615Z","logger":"setup","msg":"starting manager"} +{"level":"info","ts":"2023-12-18T07:07:54.615Z","msg":"Starting server","path":"/metrics","kind":"metrics","addr":"[::]:8080"} +{"level":"info","ts":"2023-12-18T07:07:54.615Z","msg":"Starting server","kind":"health probe","addr":"[::]:9440"} +{"level":"info","ts":"2023-12-18T07:07:54.817Z","logger":"runtime","msg":"attempting to acquire leader lease flux-system/source-controller-leader-election...\n"} +{"level":"info","ts":"2023-12-18T07:07:54.830Z","logger":"runtime","msg":"successfully acquired lease flux-system/source-controller-leader-election\n"} +... +``` ++#### View tail logs for an instance of spring-cloud-gateway ++Use the following command to view the tail logs for `spring-cloud-gateway`: ++```azurecli +az spring component logs \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name spring-cloud-gateway \ + --instance <instance-name> +``` ++The command returns logs similar to the following example: ++```output +... +2023-12-11T14:13:40.310Z INFO 1 [ main] i.p.s.c.g.s.SsoDeactivatedConfiguration : SSO is deactivated, setting up default security filters +2023-12-11T14:13:40.506Z INFO 1 [ main] .h.HazelcastReactiveSessionConfiguration : Configuring Hazelcast as a session management storage +2023-12-11T14:13:51.008Z INFO 1 [ main] o.s.b.web.embedded.netty.NettyWebServer : Netty started on port 8443 +2023-12-11T14:13:51.810Z INFO 1 [ main] o.s.b.a.e.web.EndpointLinksResolver : Exposing 7 endpoint(s) beneath base path '/actuator' +2023-12-11T14:13:52.410Z INFO 1 [ main] o.s.b.web.embedded.netty.NettyWebServer : Netty started on port 8090 +2023-12-11T14:13:52.907Z INFO 1 [ main] i.p.s.c.g.r.h.HazelcastRateLimitsRemover : Removing Hazelcast map 'GLOBAL_RATE_LIMIT' with rate limit information +2023-12-11T14:13:52.912Z INFO 1 [ main] i.p.s.cloud.gateway.GatewayApplication : Started GatewayApplication in 36.084 seconds (process running for 38.651) +... +``` ++#### View tail logs for an instance of spring-cloud-gateway-operator ++Use the following command to view the tail logs for `spring-cloud-gateway-operator`: ++```azurecli +az spring component logs \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name spring-cloud-gateway-operator \ + --instance <instance-name> +``` ++The command returns logs similar to the following example: ++```output +... +2023-12-01T08:37:05.080Z INFO 1 [ main] c.v.t.s.OperatorApplication : Starting OperatorApplication v2.0.6 using Java 17.0.7 with PID 1 (/workspace/BOOT-INF/classes started by cnb in /workspace) +2023-12-01T08:37:05.157Z INFO 1 [ main] c.v.t.s.OperatorApplication : No active profile set, falling back to 1 default profile: "default" +2023-12-01T08:37:14.379Z INFO 1 [ main] o.s.b.a.e.web.EndpointLinksResolver : Exposing 1 endpoint(s) beneath base path '/actuator' +2023-12-01T08:37:15.274Z INFO 1 [ main] o.s.b.web.embedded.netty.NettyWebServer : Netty started on port 8080 +2023-12-01T08:37:15.366Z INFO 1 [ main] c.v.t.s.OperatorApplication : Started OperatorApplication in 11.489 seconds (process running for 12.467) +... +``` ++++### View tail logs for all instances in one command ++To view the tail logs for all instances, use the `--all-instances` argument, as shown in the following command. The instance name is the prefix of each log line. When there are multiple instances, logs are printed in batch for each instance, so logs of one instance aren't interleaved with the logs of another instance. ++```azurecli +az spring component logs \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <component-name> \ + --all-instances +``` ++## Stream new logs continuously ++By default, `az spring component logs` prints only existing logs streamed to the console and then exits. If you want to stream new logs, add the `-f/--follow` argument. ++When you use the `-f/--follow` option to tail instant logs, the Azure Spring Apps log streaming service sends heartbeat logs to the client every minute unless the component is writing logs constantly. Heartbeat log messages use the following format: `2023-12-18 09:12:17.745: No log from server`. ++### Stream logs for a specific instance ++Use the following command to stream logs for a specific instance: ++```azurecli +az spring component logs \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <component-name> \ + --instance <instance-name> \ + --follow +``` ++### Stream logs for all instances ++Use the following command to stream logs for all instances: ++```azurecli +az spring component logs \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <component-name> \ + --all-instances \ + --follow +``` ++When you stream logs for multiple instances in a component, the logs of one instance interleave with logs of others. ++## Stream logs in a virtual network injection instance ++For an Azure Spring Apps instance deployed in a custom virtual network, you can access log streaming by default from a private network. For more information, see [Deploy Azure Spring Apps in a virtual network](./how-to-deploy-in-azure-virtual-network.md) ++Azure Spring Apps also enables you to access real-time managed component logs from a public network. ++> [!NOTE] +> Enabling the log streaming endpoint on the public network adds a public inbound IP to your virtual network. Be sure to use caution if this is a concern for you. ++### [Azure portal](#tab/azure-Portal) ++Use the following steps to enable a log streaming endpoint on the public network: ++1. Select the Azure Spring Apps service instance deployed in your virtual network and then select **Networking** in the navigation menu. ++1. Select the **Vnet injection** tab. ++1. Switch the status of **Dataplane resources on public network** to **Enable** to enable a log streaming endpoint on the public network. This process takes a few minutes. ++ :::image type="content" source="media/how-to-managed-component-log-streaming/dataplane-public-endpoint.png" alt-text="Screenshot of the Azure portal that shows the Networking page with the Vnet injection tab selected and the Troubleshooting section highlighted." lightbox="media/how-to-log-streaming/dataplane-public-endpoint.png"::: ++#### [Azure CLI](#tab/azure-CLI) ++Use the following command to enable the log stream public endpoint. ++```azurecli +az spring update \ + --resource-group <resource-group-name> \ + --service <service-instance-name> \ + --enable-dataplane-public-endpoint true +``` ++++After you enable the log stream public endpoint, you can access the managed component logs from a public network just like you would access a normal instance. ++## Secure traffic to the log streaming public endpoint ++Log streaming for managed components uses Azure RBAC to authenticate the connections to the components. As a result, only users who have the proper roles can access the logs. ++To ensure the security of your managed components when you expose a public endpoint for them, secure the endpoint by filtering network traffic to your service with a network security group. For more information, see [Tutorial: Filter network traffic with a network security group using the Azure portal](../../virtual-network/tutorial-filter-network-traffic.md). A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol. ++> [!NOTE] +> If you can't access managed component logs in the virtual network injection instance from the internet after you enable a log stream public endpoint, check your network security group to see whether you've allowed such inbound traffic. ++The following table shows an example of a basic rule that we recommend. You can use commands like `nslookup` with the endpoint `<service-name>.private.azuremicroservices.io` to get the target IP address of a service. ++| Priority | Name | Port | Protocol | Source | Destination | Action | +|-|--||-|-|--|--| +| 100 | Rule name | 80 | TCP | Internet | Service IP address | Allow | +| 110 | Rule name | 443 | TCP | Internet | Service IP address | Allow | ++## Next steps ++- [Troubleshoot VMware Spring Cloud Gateway](./how-to-troubleshoot-enterprise-spring-cloud-gateway.md) +- [Use Application Configuration Service](./how-to-enterprise-application-configuration-service.md) +- [Stream Azure Spring Apps application console logs in real time](./how-to-log-streaming.md) |
spring-apps | How To Map Dns Virtual Network | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-map-dns-virtual-network.md | + + Title: Map DNS names to applications in multiple Azure Spring Apps service instances in the same virtual network +description: Learn how to map DNS names to applications in multiple Azure Spring Apps service instances in the same virtual network. ++++ Last updated : 6/29/2023++++# Map DNS names to applications in multiple Azure Spring Apps service instances in the same virtual network ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article shows how to map Domain Name System (DNS) names to applications to access multiple Azure Spring Apps service instances in the same virtual network. ++## Prerequisites ++- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin. +- [Azure CLI](/cli/azure/install-azure-cli) version 2.45.0 or higher. Use the following command to install the Azure Spring Apps extension: `az extension add --name spring` +- A virtual network deployed in an instance of Azure Spring Apps. For more information, see [Deploy Azure Spring Apps in your Azure virtual network (VNet injection)](./how-to-deploy-in-azure-virtual-network.md). ++## Overview ++This article describes the following two approaches for mapping DNS names to applications: ++- Using the Microsoft-provided fully qualified domain name (FQDN). ++ This approach is a relatively simple and lightweight way to map DNS names compared to the custom domain approach. This approach is recommended if you don't need a wildcard approach in your DNS zone. ++ This approach requires a DNS record for each application. ++- Using a custom domain. ++ If you already have a custom domain or you want a wildcard approach to work in a multi-instance scenario, use this approach. ++ This approach requires a DNS record for each Azure Spring Apps service instance, and a custom domain configured for each application. ++As an example, this article uses `azure-spring-apps-1` and `azure-spring-apps-2` as the names of two Azure Spring Apps instances in the same virtual network. ++Begin with the [Preliminary steps for DNS mapping](#preliminary-steps-for-dns-mapping) section and then proceed with your preferred approach: ++- [DNS mapping with Microsoft-provided FQDN](#dns-mapping-with-a-microsoft-provided-fqdn) +- [DNS mapping with a custom domain](#dns-mapping-with-a-custom-domain) ++End by testing the mapping as described in the [Access private FQDN URLs for private applications](#access-private-fqdn-for-applications) section. ++## Preliminary steps for DNS mapping ++Complete the steps in this section for both the FQDN and the custom domain approaches to mapping DNS names. ++### Find application IP addresses ++Both approaches require the IP address for each application in the Azure Spring Apps instance you want to map. Use the following steps to find the IP addresses: ++#### [Azure portal](#tab/azure-portal) ++1. Navigate to the virtual network you created for an Azure Spring Apps instance, and then select **Connected devices** in the navigation pane. ++1. On the **Connected devices** page, search for *kubernetes-internal*. ++1. In the search results, find each **Device** connected to a service runtime **Subnet** of an Azure Spring Apps service instance, and copy its **IP Address**. In the following screenshot example, the IP address of `azure-spring-apps-1` is `10.1.0.6`, and the IP address of `azure-spring-apps-2` is `10.1.2.6`. ++ :::image type="content" source="media/how-to-map-dns-virtual-network/create-dns-record.png" alt-text="Screenshot of the Azure portal showing the Connected devices page for a virtual network, highlighting the devices with a service runtime subnet." lightbox="media/how-to-map-dns-virtual-network/create-dns-record.png"::: ++#### [Azure CLI](#tab/azure-CLI) ++1. Use the following commands to define variables for your subscription, resource group, Azure Spring Apps instance, and virtual network. Customize the values based on your environment. ++ ```azurecli + export SUBSCRIPTION='<subscription-ID>' + export RESOURCE_GROUP='<resource-group-name>' + export AZURE_SPRING_APPS_NAME='<Azure-Spring-Apps-instance-name>' + export VIRTUAL_NETWORK_NAME='<Azure-Spring-Apps-VNET-name>' + ``` ++1. Use the following commands to set the variables for the service runtime network resource group and the IP address: ++ ```azurecli + export SERVICE_RUNTIME_RG=$(az spring show \ + --resource-group $RESOURCE_GROUP \ + --name $AZURE_SPRING_APPS_NAME \ + --query "properties.networkProfile.serviceRuntimeNetworkResourceGroup" \ + --output tsv) + export IP_ADDRESS=$(az network lb frontend-ip list \ + --lb-name kubernetes-internal \ + --resource-group $SERVICE_RUNTIME_RG \ + --query "[0].privateIpAddress" \ + --output tsv) + ``` ++++### Create a private DNS zone ++Use the following steps to create a private DNS zone for an application in the private network. ++> [!NOTE] +> If you're using Microsoft Azure operated by 21Vianet, replace `private.azuremicroservices.io` with `private.microservices.azure.cn` in this article. For more information, see [Check Endpoints in Azure](/azure/china/resources-developer-guide#check-endpoints-in-azure). ++#### [Azure portal](#tab/azure-portal) ++1. On the Azure Home page, search for *Private DNS zones*. ++1. On the **Private DNS zones** page, select **Create**. ++1. Fill out the form on the **Create Private DNS zone** page. In **Instance details** for **Name**, specify `private.azuremicroservices.io` as the name of the private DNS zone. ++1. Select **Review create**. ++1. Select **Create**. ++#### [Azure CLI](#tab/azure-CLI) ++1. Use the following commands to sign in to the Azure CLI and set your active subscription: ++ ```azurecli + az login + az account set --subscription ${SUBSCRIPTION} + ``` ++1. Use the following command to create the private DNS zone. ++ ```azurecli + az network private-dns zone create \ + --resource-group $RESOURCE_GROUP \ + --name private.azuremicroservices.io + ``` ++++It may take a few minutes to create the zone. ++### Link the virtual network ++To link the private DNS zone you created to the virtual network, you must create a virtual network link. ++#### [Azure portal](#tab/azure-portal) ++Use the following steps to create this link: ++1. Navigate to the private DNS zone you created named `private.azuremicroservices.io`. There might be several with that name, so determine the correct one by its resource group and subscription. ++1. On the navigation pane, select **Virtual network links**, then select **Add**. ++1. For the **Link name**, enter *azure-spring-apps-dns-link*. ++1. For **Virtual network**, select the virtual network you created for [Prerequisites](#prerequisites). ++ :::image type="content" source="media/how-to-map-dns-virtual-network/add-virtual-network-link.png" alt-text="Screenshot of the Azure portal showing the Add virtual network link page for a private DNS zone." lightbox="media/how-to-map-dns-virtual-network/add-virtual-network-link.png"::: ++1. Select **OK**. ++#### [Azure CLI](#tab/azure-CLI) ++Use the following command to create this link: ++ ```azurecli + az network private-dns link vnet create \ + --resource-group $RESOURCE_GROUP \ + --name azure-spring-apps-dns-link \ + --zone-name private.azuremicroservices.io \ + --virtual-network $VIRTUAL_NETWORK_NAME \ + --registration-enabled false + ``` ++++### Assign a private FQDN for your applications ++Assign a private FQDN for your application. ++#### [Azure portal](#tab/azure-portal) ++Use the following steps to update your app with an assigned endpoint: ++1. Navigate to the Azure Spring Apps instance deployed in your virtual network, and then select **Apps** in the navigation pane. ++1. Select an application. ++1. Select **Assign Endpoint** to assign a private FQDN to your application. Assigning an FQDN can take a few minutes. ++ :::image type="content" source="media/how-to-map-dns-virtual-network/assign-private-endpoint.png" alt-text="Screenshot of the Azure portal showing the Overview page for an app with Assign endpoint highlighted." lightbox="media/how-to-map-dns-virtual-network/assign-private-endpoint.png"::: ++1. Repeat these steps for each application you want to map. ++#### [Azure CLI](#tab/azure-CLI) ++Use the following command to update your app with an assigned endpoint. Customize the value of your app name based on your real environment. ++```azurecli +export SPRING_CLOUD_APP='<app-name>' +az spring app update \ + --resource-group $RESOURCE_GROUP \ + --name $SPRING_CLOUD_APP \ + --service $SPRING_CLOUD_NAME \ + --assign-endpoint true +``` ++++## DNS mapping with a Microsoft-provided FQDN ++Using this approach, you must create a DNS record for each application as a requirement when using the Microsoft-provided fully qualified domain name (FQDN). For a core understanding of this process, see [Access your application in a private network](access-app-virtual-network.md). ++When an application in an Azure Spring Apps service instance with assigned endpoint is deployed in the virtual network, the endpoint is a private FQDN. By default, the fully qualified domain name is unique for each app across service instances. The FQDN format is `<service-name>-<app-name>.private.azuremicroservices.io`. ++### Create DNS records for all the applications ++To use the private DNS zone to translate and resolve DNS names, you must create an "A" type record in the zone for each of your applications. In this example, the app name is `hello-vnet` and the Azure Springs Apps service instance name is `azure-spring-apps-1`. ++You need the IP address for each application. Copy it as described in the [Find the IP for your application](access-app-virtual-network.md#find-the-ip-for-your-application) section of [Access your application in a private network](access-app-virtual-network.md). In this example, the IP address is `10.1.0.6`. ++#### [Azure portal](#tab/azure-portal) ++Use the following steps to create a DNS record: ++1. Navigate to the private DNS zone you created earlier: `private.azuremicroservices.io` ++1. Select **Record set**. ++1. In the **Add record set** pane, enter the values from the following table. ++ | Setting | Value | + ||-| + | Name | *azure-spring-apps-1-hello-vnet* | + | Type | **A** | + | TTL | 1 | + | TTL unit | **Hours** | + | IP address | (paste from the clipboard) | ++1. Select **OK**. ++ :::image type="content" source="media/how-to-map-dns-virtual-network/private-dns-zone-add-record-fqdn.png" alt-text="Screenshot of the Azure portal showing the Add record set pane in a Private DNS zone." lightbox="media/how-to-map-dns-virtual-network/private-dns-zone-add-record-fqdn.png"::: ++#### [Azure CLI](#tab/azure-CLI) ++Use the following command to create a DNS record: ++```azurecli +az network private-dns record-set a add-record \ + --resource-group $RESOURCE_GROUP \ + --zone-name private.azuremicroservices.io \ + --record-set-name 'azure-spring-apps-1-hello-vnet' \ + --ipv4-address $IP_ADDRESS +``` ++++Repeat these steps as needed to add a DNS record for other applications. ++## DNS mapping with a custom domain ++Using this approach, you only need to add a DNS record for each Azure Spring Apps instance, but you must configure the custom domain for each application. For a core understanding of this process, see [Map an existing custom domain to Azure Spring Apps](how-to-custom-domain.md). ++This example reuses the private DNS zone `private.azuremicroservices.io` to add a custom domain related DNS record. The private FQDN has the format `<app-name>.<service-name>.private.azuremicroservices.io`. ++Technically, you can use any private fully qualified domain name you want. In that case, you have to create a new private DNS zone corresponding to the fully qualified domain name you choose. ++### Map your custom domain to an app in an Azure Spring Apps instance ++Use the following steps to map your custom domain to each of the applications in the Azure Spring Apps instance: ++#### [Azure portal](#tab/Azure-portal) ++1. Open the Azure Spring Apps instance and select **Apps** in the navigation pane. +1. On the **Apps** page, select an application. +1. Select **Custom domain** in the navigation pane. +1. Select **Add Custom domain**. +1. On the **Add custom domain** pane, enter the FQDN you want to use and make sure it corresponds to the certificate to use for TLS/SSL binding later. This example uses `hello-vnet.azure-spring-apps-1.private.azuremicroservices.io`. You can disregard the CNAME part. +1. Select **Validate**. +1. If validated, select **Add**. ++ :::image type="content" source="./media/how-to-map-dns-virtual-network/add-custom-domain.png" alt-text="Screenshot of the Azure portal showing the Add custom domain pane for an app in an Azure Spring Apps instance." lightbox="./media/how-to-map-dns-virtual-network/add-custom-domain.png"::: ++When the custom domain is successfully mapped to the app, it appears in the custom domain table. ++ :::image type="content" source="./media/how-to-map-dns-virtual-network/custom-domain-table.png" alt-text="Screenshot of the Azure portal showing the custom domain table in the Custom domain page for an app." lightbox="./media/how-to-map-dns-virtual-network/custom-domain-table.png"::: ++#### [Azure CLI](#tab/Azure-CLI) ++1. Use the following command to bind a custom domain to an app: ++ ```azurecli + az spring app custom-domain bind \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --domain-name <fqdn-domain-name> \ + --app <app-name> + ``` ++1. Use the following command to list all custom domains of an app: ++ ```azurecli + az spring app custom-domain list \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --app <app-name> \ + ``` ++++> [!NOTE] +> A **TLS/SSL state** value of **Not Secure** for your custom domain means that it's not yet bound to a TLS/SSL certificate. Any HTTPS request from a browser to your custom domain will receive an error or warning. ++### Add TLS/SSL binding ++Before doing this step, make sure you've prepared your certificates and imported them into Azure Spring Apps. For more information, see [Map an existing custom domain to Azure Spring Apps](how-to-custom-domain.md). ++#### [Azure portal](#tab/Azure-portal) ++Use the following steps to update the custom domain of an app with a certificate: ++1. Open the Azure Spring Apps instance and select **Apps** in the navigation pane. +1. On the **Apps** page, select an application. +1. Select **Custom domain** in the navigation pane. +1. Select the ellipsis (**...**) button for a custom domain and then select **Bind TLS/SSL**. +1. On the **TLS/SSL binding pane**, select **Certificate** and then select or import the certificate. +1. Select **Save**. ++ :::image type="content" source="./media/how-to-map-dns-virtual-network/add-ssl-binding.png" alt-text="Screenshot of the Azure portal showing the TLS/SSL binding pane on the Custom domain page for an app." lightbox="./media/how-to-map-dns-virtual-network/add-ssl-binding.png"::: ++After you successfully add TLS/SSL binding, the domain state will be secure, as shown by a **TLS/SSL state** value of **Healthy**. +++#### [Azure CLI](#tab/Azure-CLI) ++Use the following command to update the custom domain of an app with a certificate: ++```azurecli +az spring app custom-domain update \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --domain-name <domain-name> \ + --certificate <cert-name> \ + --app <app-name> +``` ++++### Configure the custom domain for all applications ++To use the private DNS zone to translate and resolve DNS names, you must create an "A" type record in the zone for each of your Azure Spring Apps service instances. In this example, the app name is `hello-vnet` and the Azure Springs Apps service instance name is `azure-spring-apps-1`. ++You need the IP address for each application. Copy it as described in the [Find the IP for your application](access-app-virtual-network.md#find-the-ip-for-your-application) section of [Access your application in a private network](access-app-virtual-network.md). In this example, the IP address is `10.1.0.6`. ++#### [Azure portal](#tab/azure-portal) ++Use the following steps to create the A record in your DNS zone: ++1. Navigate to the private DNS zone you created earlier: `private.azuremicroservices.io` ++1. Select **Record set**. ++1. In the **Add record set** pane, enter the values from the following table. ++ | Setting | Value | + ||-| + | Name | *\*.azure-spring-apps-1* | + | Type | **A** | + | TTL | 1 | + | TTL unit | **Hours** | + | IP address | (paste from the clipboard) | ++1. Select **OK**. ++ :::image type="content" source="media/how-to-map-dns-virtual-network/private-dns-zone-add-record-custom-domain.png" alt-text="Screenshot of the Azure portal showing Overview page for a private DNS zone with the add record set pane open." lightbox="media/how-to-map-dns-virtual-network/private-dns-zone-add-record-custom-domain.png"::: ++#### [Azure CLI](#tab/azure-CLI) ++Use the following command to create the A record in your DNS zone: ++```azurecli +az network private-dns record-set a add-record \ + --resource-group $RESOURCE_GROUP \ + --zone-name private.azuremicroservices.io \ + --record-set-name '*.azure-spring-apps-1' \ + --ipv4-address $IP_ADDRESS +``` ++++Repeat as needed to configure the custom domain for other applications. ++## Access private FQDN for applications ++After the FQDN assignments and DNS mappings for both approaches, you can access all the applications' private FQDN in the private network. For example, you can create a jumpbox or virtual machine in the same virtual network or in a peered virtual network and have access to all the private FQDNs of the applications. ++The following examples show the FQDN approach: ++- `https://hello-vnet.azure-spring-apps-1.private.azuremicroservices.io` +- `https://hello-vnet.azure-spring-apps-2.private.azuremicroservices.io` ++The following examples show the custom domain approach: ++- `https://azure-spring-apps-1-hello-vnet.private.azuremicroservices.io` +- `https://azure-spring-apps-2-hello-vnet.private.azuremicroservices.io` ++The following screenshot shows the URL for a Spring application using an FQDN: +++The following screenshot shows the URL for a Spring application using a custom domain: +++## Clean up resources ++If you plan to continue working with subsequent articles, you might want to leave these resources in place. When no longer needed, delete the resource group, which deletes the resources in the resource group. To delete the resource group by using Azure CLI, use the following command: ++```azurecli +az group delete --name $RESOURCE_GROUP +``` ++## Next steps ++- [Deploy Azure Spring Apps in your Azure virtual network (VNet injection)](./how-to-deploy-in-azure-virtual-network.md) +- [Access your application in a private network](access-app-virtual-network.md) |
spring-apps | How To Maven Deploy Apps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-maven-deploy-apps.md | + + Title: "Tutorial: Deploy Spring Boot applications using Maven" ++description: Use Maven to deploy applications to Azure Spring Apps. ++++ Last updated : 04/07/2022++++# Deploy Spring Boot applications using Maven ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Java ❌ C# ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article shows you how to use the Azure Spring Apps Maven plugin to configure and deploy applications to Azure Spring Apps. ++## Prerequisites ++* An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). +* An already provisioned Azure Spring Apps instance. +* [JDK 8 or JDK 11](/azure/developer/java/fundamentals/java-jdk-install) +* [Apache Maven](https://maven.apache.org/download.cgi) +* [Azure CLI version 2.45.0 or higher](/cli/azure/install-azure-cli) with the Azure Spring Apps extension. You can install the extension by using the following command: `az extension add --name spring` ++## Generate a Spring project ++To create a Spring project for use in this article, use the following steps: ++1. Navigate to [Spring Initializr](https://start.spring.io/#!type=maven-project&language=java&platformVersion=2.5.7&packaging=jar&jvmVersion=1.8&groupId=com.example&artifactId=hellospring&name=hellospring&description=Demo%20project%20for%20Spring%20Boot&packageName=com.example.hellospring&dependencies=web,cloud-eureka,actuator,cloud-config-client) to generate a sample project with the recommended dependencies for Azure Spring Apps. This link uses the following URL to provide default settings for you. ++ ```url + https://start.spring.io/#!type=maven-project&language=java&platformVersion=2.5.7&packaging=jar&jvmVersion=1.8&groupId=com.example&artifactId=hellospring&name=hellospring&description=Demo%20project%20for%20Spring%20Boot&packageName=com.example.hellospring&dependencies=web,cloud-eureka,actuator,cloud-config-client + ``` ++ The following image shows the recommended Spring Initializr setup for this sample project. ++ :::image type="content" source="media/how-to-maven-deploy-apps/initializr-page.png" alt-text="Screenshot of Spring Initializr."::: ++ This example uses Java version 8. If you want to use Java version 11, change the option under **Project Metadata**. ++1. Select **Generate** when all the dependencies are set. +1. Download and unpack the package, then create a web controller for a web application. Add the file *src/main/java/com/example/hellospring/HelloController.java* with the following contents: ++ ```java + package com.example.hellospring; ++ import org.springframework.web.bind.annotation.RestController; + import org.springframework.web.bind.annotation.RequestMapping; ++ @RestController + public class HelloController { ++ @RequestMapping("/") + public String index() { + return "Greetings from Azure Spring Apps!"; + } ++ } + ``` ++## Build the Spring applications locally ++To build the project by using Maven, run the following commands: ++```azurecli +cd hellospring +mvn clean package -DskipTests -Denv=cloud +``` ++Compiling the project takes several minutes. After it's completed, you should have individual JAR files for each service in their respective folders. ++## Provision an instance of Azure Spring Apps ++The following procedure creates an instance of Azure Spring Apps using the Azure portal. ++1. In a new tab, open the [Azure portal](https://portal.azure.com/). ++1. From the top search box, search for **Azure Spring Apps**. ++1. Select **Azure Spring Apps** from the results. ++ :::image type="content" source="media/how-to-maven-deploy-apps/spring-apps-start.png" alt-text="Screenshot of Azure portal showing Azure Spring Apps service in search results." lightbox="media/how-to-maven-deploy-apps/spring-apps-start.png"::: ++1. On the Azure Spring Apps page, select **Create**. ++ :::image type="content" source="media/how-to-maven-deploy-apps/spring-apps-create.png" alt-text="Screenshot of Azure portal showing Azure Spring Apps resource with Create button highlighted." lightbox="media/how-to-maven-deploy-apps/spring-apps-start.png"::: ++1. Fill out the form on the Azure Spring Apps **Create** page. Consider the following guidelines: ++ - **Subscription**: Select the subscription you want to be billed for this resource. + - **Resource group**: Creating new resource groups for new resources is a best practice. You will use this resource group in later steps as **\<resource group name\>**. + - **Service Details/Name**: Specify the **\<service instance name\>**. The name must be between 4 and 32 characters long and can contain only lowercase letters, numbers, and hyphens. The first character of the service name must be a letter and the last character must be either a letter or a number. + - **Location**: Select the region for your service instance. ++ :::image type="content" source="media/how-to-maven-deploy-apps/portal-start.png" alt-text="Screenshot of Azure portal showing Azure Spring Apps Create page." lightbox="media/how-to-maven-deploy-apps/portal-start.png"::: ++1. Select **Review and create**. +++## Generate configurations and deploy to the Azure Spring Apps ++To generate configurations and deploy the app, follow these steps: ++1. Run the following command from the *hellospring* root folder, which contains the POM file. If you've already signed-in with Azure CLI, the command will automatically pick up the credentials. Otherwise, the command will prompt you with sign-in instructions. For more information, see [Authentication](https://github.com/microsoft/azure-maven-plugins/wiki/Authentication) in the [azure-maven-plugins](https://github.com/microsoft/azure-maven-plugins) repository on GitHub. ++ ```azurecli + mvn com.microsoft.azure:azure-spring-apps-maven-plugin:1.10.0:config + ``` ++ You'll be asked to select: ++ * **Subscription ID** - the subscription you used to create an Azure Spring Apps instance. + * **Service instance** - the name of your Azure Spring Apps instance. + * **App name** - an app name of your choice, or use the default value `artifactId`. + * **Public endpoint** - *true* to expose the app to public access; otherwise, *false*. ++1. Verify that the `appName` element in the POM file has the correct value. The relevant portion of the POM file should look similar to the following example. ++ ```xml + <build> + <plugins> + <plugin> + <groupId>com.microsoft.azure</groupId> + <artifactId>azure-spring-apps-maven-plugin</artifactId> + <version>1.10.0</version> + <configuration> + <subscriptionId>xxxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx</subscriptionId> + <clusterName>v-spr-cld</clusterName> + <appName>hellospring</appName> + ``` ++ The POM file now contains the plugin dependencies and configurations. ++1. Deploy the app using the following command. ++ ```azurecli + mvn azure-spring-apps:deploy + ``` ++## Verify the services ++After deployment has completed, you can access the app at `https://<service instance name>-hellospring.azuremicroservices.io/`. +++## Clean up resources ++If you plan to continue working with the example application, you might want to leave the resources in place. When no longer needed, delete the resource group containing your Azure Spring Apps instance. To delete the resource group by using Azure CLI, use the following commands: ++```azurecli +echo "Enter the Resource Group name:" && +read resourceGroupName && +az group delete --name $resourceGroupName && +echo "Press [ENTER] to continue ..." +``` ++## Next steps ++* [Prepare Spring application for Azure Spring Apps](how-to-prepare-app-deployment.md) +* [Learn more about Azure Spring Apps Maven Plugin](https://github.com/microsoft/azure-maven-plugins/wiki/Azure-Spring-Apps) |
spring-apps | How To Migrate Standard Tier To Enterprise Tier | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-migrate-standard-tier-to-enterprise-tier.md | + + Title: How to migrate an Azure Spring Apps Basic or Standard plan instance to the Enterprise plan ++description: Shows you how to migrate an Azure Spring Apps Basic or Standard plan instance to Enterprise plan. ++++ Last updated : 6/20/2023++++# Migrate an Azure Spring Apps Basic or Standard plan instance to the Enterprise plan ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article shows you how to migrate an existing application in the Basic or Standard plan to the Enterprise plan. When you migrate from the Basic or Standard plan to the Enterprise plan, VMware Tanzu components replace the open-source software (OSS) Spring Cloud components to provide more feature support. ++This article uses the Pet Clinic sample apps as examples of how to migrate. ++## Prerequisites ++- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin. +- [Azure CLI](/cli/azure/install-azure-cli) version 2.45.0 or higher. +- [!INCLUDE [install-enterprise-extension](includes/install-enterprise-extension.md)] +- [Git](https://git-scm.com/downloads). ++## Provision a service instance ++In the Azure Spring Apps Enterprise plan, VMware Tanzu components replace the OSS Spring Cloud components to provide more feature support. Tanzu components are enabled on demand according to your needs. You must enable the components you need before creating the Azure Spring Apps service instance. ++> [!NOTE] +> To use Tanzu Components, you must enable them when you provision your Azure Spring Apps service instance. You can't enable them after provisioning at this time. ++Use the following steps to provision an Azure Spring Apps service instance: ++### [Azure portal](#tab/azure-portal) ++1. Open the [Azure portal](https://portal.azure.com/). +1. In the top search box, search for *Azure Spring Apps*. +1. Select **Azure Spring Apps** from the results and then select **Create**. +1. On the **Create Azure Spring Apps** page, set your **Subscription**, **Resource group**, and **Name** for the instance. +1. For **Plan** in **Service Details**, select **Change**. ++ :::image type="content" source="media/how-to-migrate-standard-tier-to-enterprise-tier/change-plan.png" alt-text="Screenshot of the Azure portal Azure Spring Apps creation page with the Change button highlighted in the plan section." lightbox="media/how-to-migrate-standard-tier-to-enterprise-tier/change-plan.png"::: ++1. On the **Choose your plan** page, select the **Enterprise** row in the table, and then select **Select**. ++ :::image type="content" source="media/how-to-migrate-standard-tier-to-enterprise-tier/choose-enterprise-tier.png" alt-text="Screenshot of the Azure portal Azure Spring Apps creation page with Basics section and 'Choose your pricing tier' pane showing." lightbox="media/how-to-migrate-standard-tier-to-enterprise-tier/choose-enterprise-tier.png"::: ++1. Back on the **Create Azure Spring Apps** page, select **Terms** to agree to the legal terms and privacy statements of the Enterprise plan offering in the Azure Marketplace. ++1. Select **Next: VMware Tanzu settings**. ++1. On the **VMWare Tanzu settings** tab, scroll through the list to review the Tanzu components. All components are enabled by default. ++ :::image type="content" source="media/how-to-migrate-standard-tier-to-enterprise-tier/create-instance-tanzu-settings-public-preview.png" alt-text="Screenshot of the Azure portal Azure Spring Apps creation page with V M ware Tanzu Settings section showing." lightbox="media/how-to-migrate-standard-tier-to-enterprise-tier/create-instance-tanzu-settings-public-preview.png"::: ++ > [!NOTE] + > Carefully consider which Tanzu components you want to use or enable during the provisioning phase. After provisioning the Azure Spring Apps instance, you can't enable or disable Tanzu components. ++1. Select the **Application Insights** tab and then select **Enable Application Insights**. Review the following settings: ++ - **Enable Application Insights** should be selected. + - Choose an existing Application Insights instance or create a new Application Insights instance. + - Enter a **Sampling rate** in the range of 0-100, or use the default value 10. ++ You can also enable Application Insights after you provision the Azure Spring Apps instance. For more information about Application Insights pricing, see the [Application Insights billing](../../azure-monitor/logs/cost-logs.md#application-insights-billing) section of [Azure Monitor Logs cost calculations and options](../../azure-monitor/logs/cost-logs.md). ++ > [!NOTE] + > You'll pay for the usage of Application Insights when integrated with Azure Spring Apps. ++1. Select **Review and create** and wait for validation to complete, then select **Create** to start provisioning the service instance. ++It takes about 5 minutes to finish the resource provisioning. ++### [Azure CLI](#tab/azure-cli) ++1. Use the following command to update Azure CLI with the Azure Spring Apps extension: ++ ```azurecli + az extension add --upgrade --name spring + ``` ++1. Use the following commands to sign in to the Azure CLI and choose your active subscription: ++ ```azurecli + az login + az account list --output table + az account set --subscription <subscription-ID> + ``` ++1. Use the following command to accept the legal terms and privacy statements for the Enterprise plan. This step is required only the first time you create an Azure Spring Apps instance on the Enterprise plan. ++ ```azurecli + az provider register --namespace Microsoft.SaaS + az term accept --publisher vmware-inc --product azure-spring-cloud-vmware-tanzu-2 --plan asa-ent-hr-mtr + ``` ++1. Create a name for your Azure Spring Apps service instance. The name must be between 4 and 32 characters long and can only contain lowercase letters, numbers, and hyphens. The first character of the service name must be a letter and the last character must be either a letter or a number. ++1. Use the following command to create a resource group and an Azure Spring Apps service instance: ++ ```azurecli + az spring create \ + --resource-group <resource-group-name> \ + --name <Azure-Spring-Apps-service-instance-name> \ + --sku enterprise + ``` ++ For more information about resource groups, see [What is Azure Resource Manager?](../../azure-resource-manager/management/overview.md). ++++## Create and configure apps ++The app creation steps are the same as Standard plan. ++1. Use the following command to set Azure CLI defaults. Be sure to replace the placeholders with your own values. ++ ```azurecli + az config set defaults.group=<resource-group-name> + az config set defaults.spring=<Azure-Spring-Apps-service-instance-name> + ``` ++1. Use the following commands to create the two core applications for PetClinic, `api-gateway` and `customers-service`: ++ ```azurecli + az spring app create --name api-gateway --instance-count 1 --memory 2Gi --assign-endpoint + az spring app create --name customers-service --instance-count 1 --memory 2Gi + ``` ++## Use Application Configuration Service for external configuration ++For externalized configuration in a distributed system, managed Spring Cloud Config Server (OSS) is available only in the Basic and Standard plans. In the Enterprise plan, Application Configuration Service for Tanzu provides similar functions for your apps. The following table describes some differences in usage between the OSS config server and Application Configuration Service. ++| Component | Support plans | Enabled | Bind to app | Profile | +||-|-|-|--| +| Spring Cloud Config Server | Basic/Standard | Always enabled. | Auto bound | Configured in app's source code. | +| Application Configuration Service for Tanzu | Enterprise | Enable on demand. | Manual bind | Provided as `config-file-pattern` in an Azure Spring Apps deployment. | ++Unlike the client-server mode in the OSS config server, Application Configuration Service manages configuration by using the Kubernetes-native `ConfigMap`, which is populated from properties defined in backend Git repositories. Application Configuration Service can't get the active profile configured in the app's source code to match the right configuration, so the explicit configuration `config-file-pattern` should be specified at the Azure Spring Apps deployment level. ++## Configure Application Configuration Service for Tanzu ++Follow these steps to use Application Configuration Service for Tanzu as a centralized configuration service. ++### [Azure portal](#tab/azure-portal) ++1. In your Azure Spring Apps Enterprise instance, select **Application Configuration Service** in the navigation pane. View the running state and resources allocated to Application Configuration Service for Tanzu. ++ :::image type="content" source="./media/how-to-migrate-standard-tier-to-enterprise-tier/config-service-overview.png" alt-text="Screenshot of the Azure portal showing the Overview tab of the Application Configuration Service page." lightbox="./media/how-to-migrate-standard-tier-to-enterprise-tier/config-service-overview.png"::: ++1. Select **Settings** and complete the form in **Repositories** to add a new entry with the following information: ++ - Name: `default` + - Patterns: `api-gateway,customers-service` + - URI: `https://github.com/Azure-Samples/spring-petclinic-microservices-config` + - Label: `master` ++ :::image type="content" source="./media/how-to-migrate-standard-tier-to-enterprise-tier/config-service-settings.png" alt-text="Screenshot of the Azure portal showing the Settings tab of the Application Configuration Service page." lightbox="./media/how-to-migrate-standard-tier-to-enterprise-tier/config-service-settings.png"::: ++1. Select **Validate** to validate access to the target URI. ++1. After validation completes successfully, select **Apply** to update the configuration settings. ++### [Azure CLI](#tab/azure-cli) ++Use the following command to set the default repository: ++```azurecli +az spring application-configuration-service git repo add \ + --name default \ + --patterns api-gateway,customers-service \ + --uri https://github.com/Azure-Samples/spring-petclinic-microservices-config.git \ + --label master +``` ++++## Bind applications to Application Configuration Service for Tanzu ++When you use Application Configuration Service for Tanzu with a Git backend, you must bind the app to Application Configuration Service for Tanzu. After binding the app, you'll need to configure which pattern is used by the app. Use the following steps to bind and configure the pattern for the app. ++### [Azure portal](#tab/azure-portal) ++Use the following steps to bind apps to Application Configuration Service for VMware Tanzu. ++1. In your Azure Spring Apps Enterprise instance, select **Application Configuration Service** in the navigation pane. ++1. Select **App binding** and then select **Bind app**. ++ :::image type="content" source="./media/how-to-migrate-standard-tier-to-enterprise-tier/config-bind-app.png" alt-text="Screenshot of the Azure portal showing the App binding tab of the Application Configuration Service page and the Bind app dropdown menu showing." lightbox="./media/how-to-migrate-standard-tier-to-enterprise-tier/config-bind-app.png"::: ++1. Select an app in the dropdown menu and then select **Apply** to bind the application to Application Configuration Service for Tanzu. ++### [Azure CLI](#tab/azure-cli) ++Use the following commands to bind apps to Application Configuration Service for VMware Tanzu and VMware Tanzu Service Registry: ++```azurecli +az spring application-configuration-service bind --app api-gateway +az spring application-configuration-service bind --app customers-service +``` ++++For more information, see [Use Application Configuration Service for Tanzu](./how-to-enterprise-application-configuration-service.md). ++## Using Service Registry for Tanzu ++[Service Registry](https://docs.vmware.com/en/Spring-Cloud-Services-for-VMware-Tanzu/3.1/spring-cloud-services/GUID-service-registry-https://docsupdatetracker.net/index.html) is one of the proprietary VMware Tanzu components. It provides your apps with an implementation of the Service Discovery pattern, one of the key concepts of a microservice-based architecture. In the Enterprise plan, Service Registry for Tanzu provides service registry and discover support for your apps. Managed Spring Cloud Eureka is available only in the Basic and Standard plan and isn't available in the Enterprise plan. ++| Component | Standard plan | Enterprise plan | +||-|--| +| Service Registry | OSS eureka <br> Auto bound (always injection) <br>Always provisioned | Service Registry for Tanzu <br> Needs manual binding to app <br> Enable on demand | ++## Bind an application to Tanzu Service Registry ++To bind apps to Application Configuration Service for VMware Tanzu, follow these steps. ++### [Azure portal](#tab/azure-portal) ++1. In your Azure Spring Apps Enterprise instance, select **Service Registry**. ++1. Select **App binding**. Currently bound apps appear under **App name**. ++1. Select **Bind app**. ++1. Select an app in the dropdown menu and then select **Apply** to bind the application to Tanzu Service Registry. ++ :::image type="content" source="media/how-to-migrate-standard-tier-to-enterprise-tier/service-reg-app-bind-dropdown.png" alt-text="Screenshot of the Azure portal Azure Spring Apps with Service Registry page and 'Bind app' dialog showing." lightbox="media/how-to-migrate-standard-tier-to-enterprise-tier/service-reg-app-bind-dropdown.png"::: ++### [Azure CLI](#tab/azure-cli) ++Use the following commands to bind apps to Application Configuration Service for VMware Tanzu and VMware Tanzu Service Registry: ++```azurecli +az spring service-registry bind --app api-gateway +az spring service-registry bind --app customers-service +``` ++++> [!NOTE] +> When you change the bind/unbind status, you must restart or redeploy the app to make the change take effect. ++For more information, see [Use Tanzu Service Registry](./how-to-enterprise-service-registry.md). ++## Build and deploy applications ++In the Enterprise plan, Tanzu Build Service is used to build apps. It provides more features like polyglot apps to deploy from artifacts such as source code and zip files. ++To use Tanzu Build Service, you need to specify a resource for build task and builder to use. You can also specify the `--build-env` parameter to set build environments. ++If the app binds with Application Configuration Service for Tanzu, you need specify an extra argument `—config-file-pattern`. ++For more information, see [Use Tanzu Build Service](how-to-enterprise-build-service.md). ++## Build applications locally ++Use the following steps to build locally: ++1. Use the following commands to clone the sample app repository in your Azure account, change the directory, and build the project: ++ ```bash + git clone -b enterprise https://github.com/azure-samples/spring-petclinic-microservices + cd spring-petclinic-microservices + mvn clean package -DskipTests + ``` ++ Compiling the project can take several minutes. When complete, you have individual JAR files for each service in its respective folder. ++1. Use the following commands to deploy the JAR files built in the previous step: ++ ```azurecli + az spring app deploy \ + --name api-gateway \ + --artifact-path spring-petclinic-api-gateway/target/spring-petclinic-api-gateway-2.3.6.jar \ + --config-file-patterns api-gateway + az spring app deploy \ + --name customers-service \ + --artifact-path spring-petclinic-customers-service/target/spring-petclinic-customers-service-2.3.6.jar \ + --config-file-patterns customers-service + ``` ++1. Use the following command to query the application status after deployment: ++ ```azurecli + az spring app list --output table + ``` ++ This command produces output similar to the following example: ++ ```output + Name Location ResourceGroup Public Url Production Deployment Provisioning State CPU Memory Running Instance Registered Instance Persistent Storage Bind Service Registry Bind Application Configuration Service + -- - -- -- -- -- -- -- - + api-gateway eastus <resource group> https://<service_name>-api-gateway.asc-test.net default Succeeded 1 2Gi 1/1 1/1 - True True + customers-service eastus <resource group> default Succeeded 1 2Gi 1/1 1/1 - True True + ``` ++## Use Application Insights ++The Azure Spring Apps Enterprise plan uses buildpack bindings to integrate [Application Insights](../../azure-monitor/app/app-insights-overview.md) with the type `ApplicationInsights` instead of In-Process Agent. For more information, see [How to configure APM integration and CA certificates](how-to-enterprise-configure-apm-integration-and-ca-certificates.md). ++The following table lists the APM providers available the plans. ++| Standard plan | Enterprise plan | +|--|| +| Application insight <br> New Relic <br> Dynatrace <br> AppDynamics | Application insight <br> New Relic <br> Dynatrace <br> AppDynamics <br> ElasticAPM | ++### [Azure portal](#tab/azure-portal) ++To check or update the current settings in Application Insights, use the following steps: ++1. In your Azure Spring Apps Enterprise instance, select **Application Insights**. +1. Enable or disable Application Insights by selecting **Edit binding** or **Unbind binding**. ++ :::image type="content" source="media/how-to-migrate-standard-tier-to-enterprise-tier/application-insights-binding-enable.png" alt-text="Screenshot of the Azure portal Application Insights page with the Edit binding option dropdown menu showing." lightbox="media/how-to-migrate-standard-tier-to-enterprise-tier/application-insights-binding-enable.png"::: ++1. Select **Edit binding**. Edit the binding settings and then select **Save**. ++ :::image type="content" source="media/how-to-migrate-standard-tier-to-enterprise-tier/application-insights-edit-binding.png" alt-text="Screenshot of the Azure portal 'Edit binding' pane." lightbox="media/how-to-migrate-standard-tier-to-enterprise-tier/application-insights-edit-binding.png"::: ++### [Azure CLI](#tab/azure-cli) ++The following commands show you how to check or update the current settings in Application Insights. ++Use the following command to create an Application Insights buildpack binding: ++```azurecli +az spring build-service builder buildpack-binding create \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <your-binding-name> \ + --builder-name <your-builder-name> \ + --type ApplicationInsights \ + --properties sampling-percentage=<your-sampling-percentage> \ + connection-string=<your-connection-string> +``` ++Use the following command to list all buildpack bindings, and find Application Insights bindings for the type `ApplicationInsights`: ++```azurecli +az spring build-service builder buildpack-binding list \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --builder-name <your-builder-name> +``` ++Use the following command to replace an Application Insights buildpack binding: ++```azurecli +az spring build-service builder buildpack-binding set \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <your-binding-name> \ + --builder-name <your-builder-name> \ + --type ApplicationInsights \ + --properties sampling-percentage=<your-sampling-percentage> \ + connection-string=<your-connection-string> +``` ++Use the following command to get an Application Insights buildpack binding: ++```azurecli +az spring build-service builder buildpack-binding show \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <your-binding-name> \ + --builder-name <your-builder-name> \ +``` ++Use the following command to delete an Application Insights buildpack binding: ++```azurecli +az spring build-service builder buildpack-binding delete \ + --resource-group <your-resource-group-name> \ + --service <your-service-instance-name> \ + --name <your-binding-name> \ + --builder-name <your-builder-name> \ +``` ++For more information, see [Use Application Insights Java In-Process Agent in Azure Spring Apps](./how-to-application-insights.md). ++++## Next steps ++- [Azure Spring Apps](index.yml) +- [Use API portal for VMware Tanzu](./how-to-use-enterprise-api-portal.md) +- [Use Spring Cloud Gateway](./how-to-use-enterprise-spring-cloud-gateway.md) |
spring-apps | How To Move Across Regions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-move-across-regions.md | + + Title: Move an Azure Spring Apps service instance to another region +description: Learn how to move an Azure Spring Apps service instance to another region. ++++ Last updated : 01/27/2022++++# Move an Azure Spring Apps service instance to another region ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article shows you how to move your Azure Spring Apps service instance to another region. Moving your instance is useful, for example, as part of a disaster recovery plan or to create a duplicate testing environment. ++You can't move an Azure Spring Apps instance from one region to another directly, but you can use an Azure Resource Manager template (ARM template) to deploy your instance to a new region. For more information about using Azure Resource Manager and templates, see [Quickstart: Create and deploy ARM templates by using the Azure portal](../../azure-resource-manager/templates/quickstart-create-templates-use-the-portal.md). ++Before you move your service instance, consider the following limitations: ++- Different feature sets are supported by different pricing plans (SKUs). If you change the SKU, you may need to change the template to include only features supported by the target SKU. +- You might not be able to move all subresources in Azure Spring Apps using the template. Your move may require extra setup after the template is deployed. For more information, see the [Configure the new Azure Spring Apps service instance](#configure-the-new-azure-spring-apps-service-instance) section of this article. +- When you move a virtual network (VNet) instance, you must create new network resources. For more information, see [Deploy Azure Spring Apps in a virtual network](how-to-deploy-in-azure-virtual-network.md). ++## Prerequisites ++- An existing Azure Spring Apps service instance. To create a new service instance, see [Quickstart: Deploy your first application in Azure Spring Apps](./quickstart.md). +- (Optional) [Azure CLI](/cli/azure/install-azure-cli) version 2.11.2 or later. ++## Export the template ++### [Portal](#tab/azure-portal) ++Use the following steps to export the template: ++1. Sign in to the [Azure portal](https://portal.azure.com). +1. Select **All resources** in the left menu, and then select your Azure Spring Apps instance. +1. Under **Automation**, select **Export template**. +1. Select **Download** on the **Export template** pane. +1. Locate the *.zip* file, unzip it, and get the *template.json* file. This file contains the resource template. ++### [Azure CLI](#tab/azure-cli) ++Use the following command to export the template: ++```azurecli +az login +az account set --subscription <resource-subscription-id> +az group export \ + --resource-group <resource-group> \ + --resource-ids <resource-id> +``` ++++## Modify the template ++Use the following steps to modify the *template.json* file. In the following examples, the new Azure Spring Apps instance name is *new-service-name*. The previous instance name is *old-service-name*. ++1. The following example shows how to change all `name` instances in the template from *old-service-name* to *new-service-name*: ++ ```json + { + "type": "Microsoft.AppPlatform/Spring", + "apiVersion": "{api-version}", + "_comment": "the following line was changed from 'old-service-name'", + "name": "[parameters('new-service-name')]", + …. + } + ``` ++1. The following example shows how to change the `location` instances in the template to the new target location: ++ ```json + { + "type": "Microsoft.AppPlatform/Spring", + "apiVersion": "{api-version}", + "name": "[parameters('new_service_name')]", + "_comment": "the following line was changed from 'old-region'", + "location": "{new-region}", + ….. + } + ``` ++1. If the instance you're moving is a virtual network instance, the following example shows how to update the target virtual network resource `parameters` instances in the template: ++ ```json + "parameters": { + … + "virtualNetworks_service_vnet_externalid": { + "_comment": "the following line was changed from 'old-vnet-resource-id'", + "defaultValue": "{new-vnet-resource-id}", + "type": "String" + } + }, + ``` ++ The following example shows how to make sure the `serviceRuntimeSubnetId` and `appSubnetId` subnets exist. The subnets are defined in the `networkProfile` service: ++ ```json + { + "type": "Microsoft.AppPlatform/Spring", + "apiVersion": "{api-version}", + "name": "[parameters('Spring_new_service_name')]", + … + "properties": { + "networkProfile": { + "serviceRuntimeSubnetId": "[concat(parameters('virtualNetworks_service_vnet_externalid'), '/subnets/apps-subnet')]", + "appSubnetId": "[concat(parameters('virtualNetworks_service_vnet_externalid'), '/subnets/service-runtime-subnet')]", + } + } + } + ``` ++1. If any custom domain resources are configured, create the CNAME records as described in [Tutorial: Map an existing custom domain to Azure Spring Apps](how-to-custom-domain.md). Make sure the record name is expected for the new service name. ++1. The following example shows how to change all `relativePath` instances in the template `properties` for all app resources to `<default>`: ++ ```json + { + "type": "Microsoft.AppPlatform/Spring/apps/deployments", + "apiVersion": "{api-version}", + "name": "[concat(parameters('Spring_new_service_name'), '/api-gateway/default')]", + … + "properties": { + "active": true, + "source": { + "type": "Jar", + "_comment": "the following line was changed to 'default'", + "relativePath": "<default>" + }, + … + } + } + ``` ++ After the app is created, it uses a default banner application. Deploy the JAR files again using the Azure CLI. For more information, see the [Configure the new Azure Spring Apps service instance](#configure-the-new-azure-spring-apps-service-instance) section of this article. ++1. If service binding was used and you want to import it to the new service instance, add the `key` property for the target bound resource. In the following example, a bound MySQL database is included: ++ ```json + { + "type": "Microsoft.AppPlatform/Spring/apps/bindings", + "apiVersion": "{api-version}", + "name": "[concat(parameters('Spring_new_service_name'), '/api-gateway/mysql')]", + … + "_comment": "the following line imports a mysql binding", + "properties": { + "resourceId": "[parameters('servers_test_mysql_name_externalid')]", + "key": "{mysql-password}", + "bindingParameters": { + "databaseName": "mysql", + "username": "{mysql-user-name}" + } + } + } + ``` ++## Deploy the template ++### [Portal](#tab/azure-portal) ++After you modify the template, use the following steps to deploy the template and create the new resource. ++1. Sign in to the [Azure portal](https://portal.azure.com). +1. In the top search box, search for *Deploy a custom template*. ++ :::image type="content" source="media/how-to-move-across-regions/search-deploy-template.png" alt-text="Screenshot of Azure portal showing search results." lightbox="media/how-to-move-across-regions/search-deploy-template.png" border="true"::: ++1. Under **Services**, select **Deploy a custom template**. +1. Go to the **Select a template** tab, and then select **Build your own template in the editor**. +1. In the template editor, paste in the *template.json* file you modified earlier, and then select **Save**. +1. In the **Basics** tab, fill in the following information: ++ - The target subscription. + - The target resource group. + - The target region. + - Any other parameters required for the template. ++ :::image type="content" source="media/how-to-move-across-regions/deploy-template.png" alt-text="Screenshot of Azure portal showing the Custom deployment pane." lightbox="media/how-to-move-across-regions/deploy-template.png" ::: ++1. Select **Review + create** to create the target service instance. +1. Wait until the template has deployed successfully. If the deployment fails, select **Deployment details** to view the reason it failed, and then update the template or configurations accordingly. ++### [Azure CLI](#tab/azure-cli) ++After you modify the template, use the following command to deploy the custom template and create the new resource: ++```azurecli +az login +az account set --subscription <resource-subscription-id> +az deployment group create \ + --name <custom-deployment-name> \ + --resource-group <resource-group> \ + --template-file <path-to-template> \ + --parameters <param-name-1>=<param-value-1> +``` ++Wait until the template has deployed successfully. If the deployment fails, view the deployment details with the command `az deployment group list`, and then update the template or configurations accordingly. ++++## Configure the new Azure Spring Apps service instance ++Some features aren't exported to the template, or can't be imported with a template. You must manually set up some Azure Spring Apps items on the new instance after the template deployment completes successfully. The following guidelines describe these requirements: ++- The JAR files for the previous service aren't deployed directly to the new service instance. To deploy all apps, follow the instructions in [Quickstart: Build and deploy apps to Azure Spring Apps](../basic-standard/quickstart-deploy-apps.md). If there's no active deployment configured automatically, you must configure a production deployment. For more information, see [Set up a staging environment in Azure Spring Apps](how-to-staging-environment.md). +- Config Server won't be imported automatically. To set up Config Server on your new instance, see [Configure a managed Spring Cloud Config Server in Azure Spring Apps](../basic-standard/how-to-config-server.md). +- Managed identity is created automatically for the new service instance, but the object ID will be different from the previous instance. For managed identity to work in the new service instance, follow the instructions in [Enable system-assigned managed identity for an application in Azure Spring Apps](how-to-enable-system-assigned-managed-identity.md). +- For Monitoring -> Metrics, see [Metrics for Azure Spring Apps](concept-metrics.md). To avoid mixing the data, create a new Log Analytics instance to collect the new data. You should also create a new instance for other monitoring configurations. +- For Monitoring -> Diagnostic settings and logs, see [Analyze logs and metrics with diagnostics settings](diagnostic-services.md). +- For Monitoring -> Application Insights, see [Use Application Insights Java In-Process Agent in Azure Spring Apps](how-to-application-insights.md). ++## Next steps ++- [Quickstart: Build and deploy apps to Azure Spring Apps](../basic-standard/quickstart-deploy-apps.md) +- [Quickstart: Set up Azure Spring Apps Config Server](../basic-standard/quickstart-setup-config-server.md) +- [Quickstart: Set up a Log Analytics workspace](../basic-standard/quickstart-setup-log-analytics.md) |
spring-apps | How To Outbound Public Ip | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-outbound-public-ip.md | + + Title: How - to identify outbound public IP addresses in Azure Spring Apps +description: How to view the static outbound public IP addresses to communicate with external resources, such as Database, Storage, Key Vault, etc. ++++ Last updated : 09/17/2020++++# How to identify outbound public IP addresses in Azure Spring Apps ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article explains how to view static outbound public IP addresses of applications in Azure Spring Apps. Public IPs are used to communicate with external resources, such as databases, storage, and key vaults. ++> [!IMPORTANT] +> If the Azure Spring Apps instance is deployed in your own virtual network, you can leverage either Network Security Group or Azure Firewall to fully control the egress traffic. ++## How IP addresses work in Azure Spring Apps ++An Azure Spring Apps service has one or more outbound public IP addresses. The number of outbound public IP addresses may vary according to the plan and other factors. ++The outbound public IP addresses are usually constant and remain the same, but there are exceptions. ++> [!IMPORTANT] +> If the Azure Spring Apps instance is deployed in your own virtual network, the static outbound IP might be changed after the Start/Stop Azure Spring Apps service instance operation. ++## When outbound IPs change ++Each Azure Spring Apps instance has a set number of outbound public IP addresses at any given time. Any outbound connection from the applications, such as to a back-end database, uses one of the outbound public IP addresses as the origin IP address. The IP address is selected randomly at runtime, so your back-end service must open its firewall to all the outbound IP addresses. ++The number of outbound public IPs changes when you perform one of the following actions: ++- Upgrade your Azure Spring Apps instance between plans. +- Raise a support ticket for more outbound public IPs for business needs. ++## Find outbound IPs ++To find the outbound public IP addresses currently used by your service instance in the Azure portal, select **Networking** in your instance's left-hand navigation pane. They are listed in the **Outbound IP addresses** field. ++You can find the same information by running the following command in the Cloud Shell ++```azurecli +az spring show --resource-group <group_name> --name <service_name> --query properties.networkProfile.outboundIPs.publicIPs --output tsv +``` ++## Next steps ++* [What are managed identities for Azure resources?](/entra/identity/managed-identities-azure-resources/overview) +* [Learn more about key vault in Azure Spring Apps](./tutorial-managed-identities-key-vault.md) |
spring-apps | How To Permissions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-permissions.md | + + Title: "Use permissions in Azure Spring Apps" +description: This article shows you how to create custom roles that delegate permissions to Azure Spring Apps resources. ++++ Last updated : 09/04/2020++++# How to use permissions in Azure Spring Apps ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article shows you how to create custom roles that delegate permissions to Azure Spring Apps resources. Custom roles extend [Azure built-in roles](../../role-based-access-control/built-in-roles.md) with various stock permissions. ++We'll implement the following custom roles. ++* **Developer role**: ++ * Deploy + * Test + * Restart apps + * Apply and make changes to app configurations in the Git repository + * Get log streams ++* **DevOps Engineer role**: ++ * Create, read, update, and delete everything in Azure Spring Apps ++* **Ops - Site Reliability Engineering role**: ++ * Restart apps + * Get log streams + * Can't make changes to apps or configurations ++* **Azure Pipelines / Jenkins / GitHub Actions role**: ++ * Perform create, read, update, and delete operations + * Use Terraform or ARM templates to create and configure everything in Azure Spring Apps and apps within a service instance: Azure Pipelines, Jenkins, and GitHub Actions ++## Define the Developer role ++The Developer role includes permissions to restart apps and see their log streams. This role can't make changes to apps or configurations. ++### [Portal](#tab/Azure-portal) ++1. In the Azure portal, open the subscription where you want to assign the custom role. ++1. Open **Access control (IAM)**. ++1. Select **Add**. ++1. Select **Add custom role**. ++1. Select **Next**: ++ :::image type="content" source="media/how-to-permissions/create-custom-role.png" alt-text="Screenshot that shows the Basics tab of the Create a custom role window." lightbox="media/how-to-permissions/create-custom-role.png"::: ++1. Select **Add permissions**: ++ :::image type="content" source="media/how-to-permissions/add-permissions.png" alt-text="Screenshot that shows the Add permissions button." lightbox="media/how-to-permissions/add-permissions.png"::: ++1. In the search box, search for **Microsoft.app**. Select **Microsoft Azure Spring Apps**: ++ :::image type="content" source="media/how-to-permissions/permissions.png" alt-text="Screenshot that shows the results of searching for Microsoft.app." lightbox="media/how-to-permissions/permissions.png"::: ++1. Select the permissions for the Developer role. ++ Under **Microsoft.AppPlatform/Spring**, select: ++ * **Write : Create or Update Azure Spring Apps service instance** + * **Read : Get Azure Spring Apps service instance** + * **Other : List Azure Spring Apps service instance test keys** ++ (For Enterprise plan only) Under **Microsoft.AppPlatform/Spring/buildServices**, select: ++ * **Read : Read Microsoft Azure Spring Apps Build Services** + * **Other : Get an Upload URL in Azure Spring Apps** ++ (For Enterprise plan only) Under **Microsoft.AppPlatform/Spring/buildServices/builds**, select: ++ * **Read : Read Microsoft Azure Spring Apps Builds** + * **Write : Write Microsoft Azure Spring Apps Builds** ++ (For Enterprise plan only) Under **Microsoft.AppPlatform/Spring/buildServices/builds/results**, select: ++ * **Read : Read Microsoft Azure Spring Apps Build Results** + * **Other : Get an Log File URL in Azure Spring Apps** ++ (For Enterprise plan only) Under **Microsoft.AppPlatform/Spring/buildServices/builders**, select: ++ * **Read : Read Microsoft Azure Spring Apps Builders** + * **Write : Write Microsoft Azure Spring Apps Builders** + * **Delete : Delete Microsoft Azure Spring Apps Builders** ++ (For Enterprise plan only) Under **Microsoft.AppPlatform/Spring/buildServices/builders/buildpackBindings**, select: ++ * **Read : Read Microsoft Azure Spring Apps Builder BuildpackBinding** + * **Write : Write Microsoft Azure Spring Apps Builder BuildpackBinding** + * **Delete : Delete Microsoft Azure Spring Apps Builder BuildpackBinding** ++ (For Enterprise plan only) Under **Microsoft.AppPlatform/Spring/buildServices/supportedBuildpacks**, select: ++ * **Read : Read Microsoft Azure Spring Apps Supported Buildpacks** ++ (For Enterprise plan only) Under **Microsoft.AppPlatform/Spring/buildServices/supportedStacks**, select: ++ * **Read : Read Microsoft Azure Spring Apps Supported Stacks** ++ Under **Microsoft.AppPlatform/Spring/apps**, select: ++ * **Read : Read Microsoft Azure Spring Apps application** + * **Other : Get Microsoft Azure Spring Apps application resource upload URL** ++ Under **Microsoft.AppPlatform/Spring/apps/bindings**, select: ++ * **Read : Read Microsoft Azure Spring Apps application binding** ++ Under **Microsoft.AppPlatform/Spring/apps/deployments**, select: ++ * **Write : Write Microsoft Azure Spring Apps application deployment** + * **Read : Read Microsoft Azure Spring Apps application deployment** + * **Other : Start Microsoft Azure Spring Apps application deployment** + * **Other : Stop Microsoft Azure Spring Apps application deployment** + * **Other : Restart Microsoft Azure Spring Apps application deployment** + * **Other : Get Microsoft Azure Spring Apps application deployment log file URL** ++ Under **Microsoft.AppPlatform/Spring/apps/domains**, select: ++ * **Read : Read Microsoft Azure Spring Apps application custom domain** ++ Under **Microsoft.AppPlatform/Spring/certificates**, select: ++ * **Read : Read Microsoft Azure Spring Apps certificate** ++ Under **Microsoft.AppPlatform/locations/operationResults/Spring**, select: ++ * **Read : Read operation result** ++ Under **Microsoft.AppPlatform/locations/operationStatus/operationId**, select: ++ * **Read : Read operation status** ++ :::image type="content" source="media/how-to-permissions/developer-permissions-box.png" alt-text="Screenshot of Azure portal that shows the selections for Developer permissions." lightbox="media/how-to-permissions/developer-permissions-box.png"::: ++1. Select **Add**. ++1. Review the permissions. ++1. Select **Review and create**. ++### [JSON](#tab/JSON) ++1. In the Azure portal, open the subscription where you want to assign the custom role. ++1. Open **Access control (IAM)**. ++1. Select **Add**. ++1. Select **Add custom role**. ++1. Select **Next**. ++1. Select the **JSON** tab. ++1. Select **Edit**, and then delete the default text: ++ :::image type="content" source="media/how-to-permissions/create-custom-role-edit-json.png" alt-text="Screenshot that shows the default JSON text." lightbox="media/how-to-permissions/create-custom-role-edit-json.png"::: ++1. Paste in the following JSON to define the Developer role: ++ * Basic/Standard plan ++ ```json + { + "properties": { + "roleName": "Developer", + "description": "", + "assignableScopes": [ + "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + ], + "permissions": [ + { + "actions": [ + "Microsoft.AppPlatform/Spring/write", + "Microsoft.AppPlatform/Spring/read", + "Microsoft.AppPlatform/Spring/listTestKeys/action", + "Microsoft.AppPlatform/Spring/apps/read", + "Microsoft.AppPlatform/Spring/apps/getResourceUploadUrl/action", + "Microsoft.AppPlatform/Spring/apps/bindings/read", + "Microsoft.AppPlatform/Spring/apps/domains/read", + "Microsoft.AppPlatform/Spring/apps/deployments/write", + "Microsoft.AppPlatform/Spring/apps/deployments/read", + "Microsoft.AppPlatform/Spring/apps/deployments/start/action", + "Microsoft.AppPlatform/Spring/apps/deployments/stop/action", + "Microsoft.AppPlatform/Spring/apps/deployments/restart/action", + "Microsoft.AppPlatform/Spring/apps/deployments/getLogFileUrl/action", + "Microsoft.AppPlatform/Spring/certificates/read", + "Microsoft.AppPlatform/locations/operationResults/Spring/read", + "Microsoft.AppPlatform/locations/operationStatus/operationId/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ] + } + } + ``` ++ * Enterprise plan ++ ```json + { + "properties": { + "roleName": "Developer", + "description": "", + "assignableScopes": [ + "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + ], + "permissions": [ + { + "actions": [ + "Microsoft.AppPlatform/Spring/write", + "Microsoft.AppPlatform/Spring/read", + "Microsoft.AppPlatform/Spring/listTestKeys/action", + "Microsoft.AppPlatform/Spring/buildServices/read", + "Microsoft.AppPlatform/Spring/buildServices/getResourceUploadUrl/action", + "Microsoft.AppPlatform/Spring/buildServices/builds/read", + "Microsoft.AppPlatform/Spring/buildServices/builds/write", + "Microsoft.AppPlatform/Spring/buildServices/builds/results/read", + "Microsoft.AppPlatform/Spring/buildServices/builds/results/getLogFileUrl/action", + "Microsoft.AppPlatform/Spring/buildServices/builders/read", + "Microsoft.AppPlatform/Spring/buildServices/builders/write", + "Microsoft.AppPlatform/Spring/buildServices/builders/delete", + "Microsoft.AppPlatform/Spring/buildServices/builders/buildpackBindings/read", + "Microsoft.AppPlatform/Spring/buildServices/builders/buildpackBindings/write", + "Microsoft.AppPlatform/Spring/buildServices/builders/buildpackBindings/delete", + "Microsoft.AppPlatform/Spring/buildServices/supportedBuildpacks/read", + "Microsoft.AppPlatform/Spring/buildServices/supportedStacks/read", + "Microsoft.AppPlatform/Spring/apps/read", + "Microsoft.AppPlatform/Spring/apps/getResourceUploadUrl/action", + "Microsoft.AppPlatform/Spring/apps/bindings/read", + "Microsoft.AppPlatform/Spring/apps/domains/read", + "Microsoft.AppPlatform/Spring/apps/deployments/write", + "Microsoft.AppPlatform/Spring/apps/deployments/read", + "Microsoft.AppPlatform/Spring/apps/deployments/start/action", + "Microsoft.AppPlatform/Spring/apps/deployments/stop/action", + "Microsoft.AppPlatform/Spring/apps/deployments/restart/action", + "Microsoft.AppPlatform/Spring/apps/deployments/getLogFileUrl/action", + "Microsoft.AppPlatform/Spring/certificates/read", + "Microsoft.AppPlatform/locations/operationResults/Spring/read", + "Microsoft.AppPlatform/locations/operationStatus/operationId/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ] + } + } + ``` ++ :::image type="content" source="media/how-to-permissions/create-custom-role-json.png" alt-text="Screenshot that shows the JSON for the Developer role." lightbox="media/how-to-permissions/create-custom-role-json.png"::: ++1. Select **Save**. ++1. Review the permissions. ++1. Select **Review and create**. ++++## Define the DevOps Engineer role ++This procedure defines a role that has permissions to deploy, test, and restart Azure Spring Apps apps. ++### [Portal](#tab/Azure-portal) ++1. Repeat steps 1 through 4 in the procedure for adding the Developer role. ++1. Select the permissions for the DevOps Engineer role: ++ Under **Microsoft.AppPlatform/Spring**, select: ++ * **Write : Create or Update Azure Spring Apps service instance** + * **Delete : Delete Azure Spring Apps service instance** + * **Read : Get Azure Spring Apps service instance** + * **Other : Enable Azure Spring Apps service instance test endpoint** + * **Other : Disable Azure Spring Apps service instance test endpoint** + * **Other : List Azure Spring Apps service instance test keys** + * **Other : Regenerate Azure Spring Apps service instance test key** ++ (For Enterprise plan only) Under **Microsoft.AppPlatform/Spring/buildServices**, select: ++ * **Read : Read Microsoft Azure Spring Apps Build Services** + * **Other : Get an Upload URL in Azure Spring Apps** + + (For Enterprise plan only) Under **Microsoft.AppPlatform/Spring/buildServices/agentPools**, select: ++ * **Read : Read Microsoft Azure Spring Apps Agent Pools** + * **Write : Write Microsoft Azure Spring Apps Agent Pools** ++ (For Enterprise plan only) Under **Microsoft.AppPlatform/Spring/buildServices/builds**, select: ++ * **Read : Read Microsoft Azure Spring Apps Builds** + * **Write : Write Microsoft Azure Spring Apps Builds** ++ (For Enterprise plan only) Under **Microsoft.AppPlatform/Spring/buildServices/builds/results**, select: ++ * **Read : Read Microsoft Azure Spring Apps Build Results** + * **Other : Get an Log File URL in Azure Spring Apps** ++ (For Enterprise plan only) Under **Microsoft.AppPlatform/Spring/buildServices/builders**, select: ++ * **Read : Read Microsoft Azure Spring Apps Builders** + * **Write : Write Microsoft Azure Spring Apps Builders** + * **Delete : Delete Microsoft Azure Spring Apps Builders** ++ (For Enterprise plan only) Under **Microsoft.AppPlatform/Spring/buildServices/builders/buildpackBindings**, select: ++ * **Read : Read Microsoft Azure Spring Apps Builder BuildpackBinding** + * **Write : Write Microsoft Azure Spring Apps Builder BuildpackBinding** + * **Delete : Delete Microsoft Azure Spring Apps Builder BuildpackBinding** ++ (For Enterprise plan only) Under **Microsoft.AppPlatform/Spring/buildServices/supportedBuildpacks**, select: ++ * **Read : Read Microsoft Azure Spring Apps Supported Buildpacks** ++ (For Enterprise plan only) Under **Microsoft.AppPlatform/Spring/buildServices/supportedStacks**, select: ++ * **Read : Read Microsoft Azure Spring Apps Supported Stacks** ++ Under **Microsoft.AppPlatform/Spring/apps**, select: ++ * **Write : Write Microsoft Azure Spring Apps application** + * **Delete : Delete Microsoft Azure Spring Apps application** + * **Read : Read Microsoft Azure Spring Apps application** + * **Other : Get Microsoft Azure Spring Apps application resource upload URL** + * **Other : Validate Microsoft Azure Spring Apps application custom domain** ++ Under **Microsoft.AppPlatform/Spring/apps/bindings**, select: ++ * **Write : Write Microsoft Azure Spring Apps application binding** + * **Delete : Delete Microsoft Azure Spring Apps application binding** + * **Read : Read Microsoft Azure Spring Apps application binding** ++ Under **Microsoft.AppPlatform/Spring/apps/deployments**, select: ++ * **Write : Write Microsoft Azure Spring Apps application deployment** + * **Delete : Delete Azure Spring Apps application deployment** + * **Read : Read Microsoft Azure Spring Apps application deployment** + * **Other : Start Microsoft Azure Spring Apps application deployment** + * **Other : Stop Microsoft Azure Spring Apps application deployment** + * **Other : Restart Microsoft Azure Spring Apps application deployment** + * **Other : Get Microsoft Azure Spring Apps application deployment log file URL** ++ Under **Microsoft.AppPlatform/Spring/apps/deployments/skus**, select: ++ * **Read : List application deployment available skus** ++ Under **Microsoft.AppPlatform/locations**, select: ++ * **Other : Check name availability** ++ Under **Microsoft.AppPlatform/locations/operationResults/Spring** select: ++ * **Read : Read operation result** ++ Under **Microsoft.AppPlatform/locations/operationStatus/operationId**, select: ++ * **Read : Read operation status** ++ Under **Microsoft.AppPlatform/skus**, select: ++ * **Read : List available skus** ++ :::image type="content" source="media/how-to-permissions/dev-ops-permissions.png" alt-text="Screenshot of Azure portal that shows the selections for DevOps permissions." lightbox="media/how-to-permissions/dev-ops-permissions.png"::: ++1. Select **Add**. ++1. Review the permissions. ++1. Select **Review and create**. ++### [JSON](#tab/JSON) ++1. Repeat steps 1 through 4 from the procedure for adding the Developer role. ++1. Select **Next**. ++1. Select the **JSON** tab. ++1. Select **Edit**, and then delete the default text: ++ :::image type="content" source="media/how-to-permissions/create-custom-role-edit-json.png" alt-text="Screenshot that shows the default JSON text." lightbox="media/how-to-permissions/create-custom-role-edit-json.png"::: ++1. Paste in the following JSON to define the DevOps Engineer role: ++ * Basic/Standard plan ++ ```json + { + "properties": { + "roleName": "DevOps engineer", + "description": "", + "assignableScopes": [ + "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + ], + "permissions": [ + { + "actions": [ + "Microsoft.AppPlatform/Spring/write", + "Microsoft.AppPlatform/Spring/delete", + "Microsoft.AppPlatform/Spring/read", + "Microsoft.AppPlatform/Spring/enableTestEndpoint/action", + "Microsoft.AppPlatform/Spring/disableTestEndpoint/action", + "Microsoft.AppPlatform/Spring/listTestKeys/action", + "Microsoft.AppPlatform/Spring/regenerateTestKey/action", + "Microsoft.AppPlatform/Spring/apps/write", + "Microsoft.AppPlatform/Spring/apps/delete", + "Microsoft.AppPlatform/Spring/apps/read", + "Microsoft.AppPlatform/Spring/apps/getResourceUploadUrl/action", + "Microsoft.AppPlatform/Spring/apps/validateDomain/action", + "Microsoft.AppPlatform/Spring/apps/bindings/write", + "Microsoft.AppPlatform/Spring/apps/bindings/delete", + "Microsoft.AppPlatform/Spring/apps/bindings/read", + "Microsoft.AppPlatform/Spring/apps/deployments/write", + "Microsoft.AppPlatform/Spring/apps/deployments/delete", + "Microsoft.AppPlatform/Spring/apps/deployments/read", + "Microsoft.AppPlatform/Spring/apps/deployments/start/action", + "Microsoft.AppPlatform/Spring/apps/deployments/stop/action", + "Microsoft.AppPlatform/Spring/apps/deployments/restart/action", + "Microsoft.AppPlatform/Spring/apps/deployments/getLogFileUrl/action", + "Microsoft.AppPlatform/Spring/apps/deployments/skus/read", + "Microsoft.AppPlatform/locations/checkNameAvailability/action", + "Microsoft.AppPlatform/locations/operationResults/Spring/read", + "Microsoft.AppPlatform/locations/operationStatus/operationId/read", + "Microsoft.AppPlatform/skus/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ] + } + } + ``` ++ * Enterprise plan ++ ```json + { + "properties": { + "roleName": "DevOps engineer", + "description": "", + "assignableScopes": [ + "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + ], + "permissions": [ + { + "actions": [ + "Microsoft.AppPlatform/Spring/write", + "Microsoft.AppPlatform/Spring/delete", + "Microsoft.AppPlatform/Spring/read", + "Microsoft.AppPlatform/Spring/enableTestEndpoint/action", + "Microsoft.AppPlatform/Spring/disableTestEndpoint/action", + "Microsoft.AppPlatform/Spring/listTestKeys/action", + "Microsoft.AppPlatform/Spring/regenerateTestKey/action", + "Microsoft.AppPlatform/Spring/buildServices/read", + "Microsoft.AppPlatform/Spring/buildServices/getResourceUploadUrl/action", + "Microsoft.AppPlatform/Spring/buildServices/agentPools/read", + "Microsoft.AppPlatform/Spring/buildServices/agentPools/write", + "Microsoft.AppPlatform/Spring/buildServices/builds/read", + "Microsoft.AppPlatform/Spring/buildServices/builds/write", + "Microsoft.AppPlatform/Spring/buildServices/builds/results/read", + "Microsoft.AppPlatform/Spring/buildServices/builds/results/getLogFileUrl/action", + "Microsoft.AppPlatform/Spring/buildServices/builders/read", + "Microsoft.AppPlatform/Spring/buildServices/builders/write", + "Microsoft.AppPlatform/Spring/buildServices/builders/delete", + "Microsoft.AppPlatform/Spring/buildServices/builders/buildpackBindings/read", + "Microsoft.AppPlatform/Spring/buildServices/builders/buildpackBindings/write", + "Microsoft.AppPlatform/Spring/buildServices/builders/buildpackBindings/delete", + "Microsoft.AppPlatform/Spring/buildServices/supportedBuildpacks/read", + "Microsoft.AppPlatform/Spring/buildServices/supportedStacks/read", + "Microsoft.AppPlatform/Spring/apps/write", + "Microsoft.AppPlatform/Spring/apps/delete", + "Microsoft.AppPlatform/Spring/apps/read", + "Microsoft.AppPlatform/Spring/apps/getResourceUploadUrl/action", + "Microsoft.AppPlatform/Spring/apps/validateDomain/action", + "Microsoft.AppPlatform/Spring/apps/bindings/write", + "Microsoft.AppPlatform/Spring/apps/bindings/delete", + "Microsoft.AppPlatform/Spring/apps/bindings/read", + "Microsoft.AppPlatform/Spring/apps/deployments/write", + "Microsoft.AppPlatform/Spring/apps/deployments/delete", + "Microsoft.AppPlatform/Spring/apps/deployments/read", + "Microsoft.AppPlatform/Spring/apps/deployments/start/action", + "Microsoft.AppPlatform/Spring/apps/deployments/stop/action", + "Microsoft.AppPlatform/Spring/apps/deployments/restart/action", + "Microsoft.AppPlatform/Spring/apps/deployments/getLogFileUrl/action", + "Microsoft.AppPlatform/Spring/apps/deployments/skus/read", + "Microsoft.AppPlatform/locations/checkNameAvailability/action", + "Microsoft.AppPlatform/locations/operationResults/Spring/read", + "Microsoft.AppPlatform/locations/operationStatus/operationId/read", + "Microsoft.AppPlatform/skus/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ] + } + } + ``` ++1. Review the permissions. ++1. Select **Review and create**. ++++## Define the Ops - Site Reliability Engineering role ++This procedure defines a role that has permissions to deploy, test, and restart Azure Spring Apps apps. ++### [Portal](#tab/Azure-portal) ++1. Repeat steps 1 through 4 from the procedure for adding the Developer role. ++1. Select the permissions for the Ops - Site Reliability Engineering role: ++ Under **Microsoft.AppPlatform/Spring**, select: ++ * **Read : Get Azure Spring Apps service instance** + * **Other : List Azure Spring Apps service instance test keys** ++ Under **Microsoft.AppPlatform/Spring/apps**, select: ++ * **Read : Read Microsoft Azure Spring Apps application** ++ Under **Microsoft.AppPlatform/apps/deployments**, select: ++ * **Read : Read Microsoft Azure Spring Apps application deployment** + * **Other : Start Microsoft Azure Spring Apps application deployment** + * **Other : Stop Microsoft Azure Spring Apps application deployment** + * **Other : Restart Microsoft Azure Spring Apps application deployment** ++ Under **Microsoft.AppPlatform/locations/operationResults/Spring**, select: ++ * **Read : Read operation result** ++ Under **Microsoft.AppPlatform/locations/operationStatus/operationId**, select: ++ * **Read : Read operation status** ++ :::image type="content" source="media/how-to-permissions/ops-sre-permissions.png" alt-text="Screenshot of Azure portal that shows the selections for Ops - Site Reliability Engineering permissions." lightbox="media/how-to-permissions/ops-sre-permissions.png"::: ++1. Select **Add**. ++1. Review the permissions. ++1. Select **Review and create**. ++### [JSON](#tab/JSON) ++1. Repeat steps 1 through 4 from the procedure for adding the Developer role. ++1. Select **Next**. ++1. Select the **JSON** tab. ++1. Select **Edit**, and then delete the default text: ++ :::image type="content" source="media/how-to-permissions/create-custom-role-edit-json.png" alt-text="Screenshot that shows the default JSON text." lightbox="media/how-to-permissions/create-custom-role-edit-json.png"::: ++1. Paste in the following JSON to define the Ops - Site Reliability Engineering role: ++ * Enterprise/Basic/Standard plan ++ ```json + { + "properties": { + "roleName": "Ops - Site Reliability Engineering", + "description": "", + "assignableScopes": [ + "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + ], + "permissions": [ + { + "actions": [ + "Microsoft.AppPlatform/Spring/read", + "Microsoft.AppPlatform/Spring/listTestKeys/action", + "Microsoft.AppPlatform/Spring/apps/read", + "Microsoft.AppPlatform/Spring/apps/deployments/read", + "Microsoft.AppPlatform/Spring/apps/deployments/start/action", + "Microsoft.AppPlatform/Spring/apps/deployments/stop/action", + "Microsoft.AppPlatform/Spring/apps/deployments/restart/action", + "Microsoft.AppPlatform/Spring/apps/deployments/getLogFileUrl/action", + "Microsoft.AppPlatform/locations/operationResults/Spring/read", + "Microsoft.AppPlatform/locations/operationStatus/operationId/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ] + } + } + ``` ++1. Review the permissions. ++1. Select **Review and create**. ++++## Define the Azure Pipelines / Jenkins / GitHub Actions role ++This role can create and configure everything in Azure Spring Apps and apps with a service instance. This role is for releasing or deploying code. ++### [Portal](#tab/Azure-portal) ++1. Repeat steps 1 through 4 from the procedure for adding the Developer role. ++1. Open the **Permissions** options. ++1. Select the permissions for the Azure Pipelines / Jenkins / GitHub Actions role: ++ Under **Microsoft.AppPlatform/Spring**, select: ++ * **Write : Create or Update Azure Spring Apps service instance** + * **Delete : Delete Azure Spring Apps service instance** + * **Read : Get Azure Spring Apps service instance** + * **Other : Enable Azure Spring Apps service instance test endpoint** + * **Other : Disable Azure Spring Apps service instance test endpoint** + * **Other : List Azure Spring Apps service instance test keys** + * **Other : Regenerate Azure Spring Apps service instance test key** ++ (For Enterprise plan only) Under **Microsoft.AppPlatform/Spring/buildServices**, select: ++ * **Read : Read Microsoft Azure Spring Apps Build Services** + * **Other : Get an Upload URL in Azure Spring Apps** ++ (For Enterprise plan only) Under **Microsoft.AppPlatform/Spring/buildServices/builds**, select: ++ * **Read : Read Microsoft Azure Spring Apps Builds** + * **Write : Write Microsoft Azure Spring Apps Builds** ++ (For Enterprise plan only) Under **Microsoft.AppPlatform/Spring/buildServices/builds/results**, select: ++ * **Read : Read Microsoft Azure Spring Apps Build Results** + * **Other : Get an Log File URL in Azure Spring Apps** ++ (For Enterprise plan only) Under **Microsoft.AppPlatform/Spring/buildServices/builders**, select: ++ * **Read : Read Microsoft Azure Spring Apps Builders** + * **Write : Write Microsoft Azure Spring Apps Builders** + * **Delete : Delete Microsoft Azure Spring Apps Builders** ++ (For Enterprise plan only) Under **Microsoft.AppPlatform/Spring/buildServices/builders/buildpackBindings**, select: ++ * **Read : Read Microsoft Azure Spring Apps Builder BuildpackBinding** + * **Write : Write Microsoft Azure Spring Apps Builder BuildpackBinding** + * **Delete : Delete Microsoft Azure Spring Apps Builder BuildpackBinding** ++ (For Enterprise plan only) Under **Microsoft.AppPlatform/Spring/buildServices/supportedBuildpacks**, select: ++ * **Read : Read Microsoft Azure Spring Apps Supported Buildpacks** ++ (For Enterprise plan only) Under **Microsoft.AppPlatform/Spring/buildServices/supportedStacks**, select: ++ * **Read : Read Microsoft Azure Spring Apps Supported Stacks** ++ Under **Microsoft.AppPlatform/Spring/apps**, select: ++ * **Write : Write Microsoft Azure Spring Apps application** + * **Delete : Delete Microsoft Azure Spring Apps application** + * **Read : Read Microsoft Azure Spring Apps application** + * **Other : Get Microsoft Azure Spring Apps application resource upload URL** + * **Other : Validate Microsoft Azure Spring Apps application custom domain** ++ Under **Microsoft.AppPlatform/Spring/apps/bindings**, select: ++ * **Write : Write Microsoft Azure Spring Apps application binding** + * **Delete : Delete Microsoft Azure Spring Apps application binding** + * **Read : Read Microsoft Azure Spring Apps application binding** ++ Under **Microsoft.AppPlatform/Spring/apps/deployments**, select: ++ * **Write : Write Microsoft Azure Spring Apps application deployment** + * **Delete : Delete Azure Spring Apps application deployment** + * **Read : Read Microsoft Azure Spring Apps application deployment** + * **Other : Start Microsoft Azure Spring Apps application deployment** + * **Other : Stop Microsoft Azure Spring Apps application deployment** + * **Other : Restart Microsoft Azure Spring Apps application deployment** + * **Other : Get Microsoft Azure Spring Apps application deployment log file URL** ++ Under **Microsoft.AppPlatform/Spring/apps/deployments/skus**, select: ++ * **Read : List application deployment available skus** ++ Under **Microsoft.AppPlatform/locations**, select: ++ * **Other : Check name availability** ++ Under **Microsoft.AppPlatform/locations/operationResults/Spring**, select: ++ * **Read : Read operation result** ++ Under **Microsoft.AppPlatform/locations/operationStatus/operationId**, select: ++ * **Read : Read operation status** ++ Under **Microsoft.AppPlatform/skus**, select: ++ * **Read : List available skus** ++ :::image type="content" source="media/how-to-permissions/pipelines-permissions-box.png" alt-text="Screenshot of Azure portal that shows the selections for Azure Pipelines / Jenkins / GitHub Actions permissions." lightbox="media/how-to-permissions/pipelines-permissions-box.png"::: ++1. Select **Add**. ++1. Review the permissions. ++1. Select **Review and create**. ++### [JSON](#tab/JSON) ++1. Repeat steps 1 through 4 from the procedure for adding the Developer role. ++1. Select **Next**. ++1. Select the **JSON** tab. ++1. Select **Edit**, and then delete the default text: ++ :::image type="content" source="media/how-to-permissions/create-custom-role-edit-json.png" alt-text="Screenshot that shows the default JSON text." lightbox="media/how-to-permissions/create-custom-role-edit-json.png"::: ++1. Paste in the following JSON to define the Azure Pipelines / Jenkins / GitHub Actions role: ++ * Basic/Standard plan ++ ```json + { + "properties": { + "roleName": "Azure Pipelines/Provisioning", + "description": "", + "assignableScopes": [ + "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + ], + "permissions": [ + { + "actions": [ + "Microsoft.AppPlatform/Spring/write", + "Microsoft.AppPlatform/Spring/delete", + "Microsoft.AppPlatform/Spring/read", + "Microsoft.AppPlatform/Spring/enableTestEndpoint/action", + "Microsoft.AppPlatform/Spring/disableTestEndpoint/action", + "Microsoft.AppPlatform/Spring/listTestKeys/action", + "Microsoft.AppPlatform/Spring/regenerateTestKey/action", + "Microsoft.AppPlatform/Spring/apps/write", + "Microsoft.AppPlatform/Spring/apps/delete", + "Microsoft.AppPlatform/Spring/apps/read", + "Microsoft.AppPlatform/Spring/apps/getResourceUploadUrl/action", + "Microsoft.AppPlatform/Spring/apps/validateDomain/action", + "Microsoft.AppPlatform/Spring/apps/bindings/write", + "Microsoft.AppPlatform/Spring/apps/bindings/delete", + "Microsoft.AppPlatform/Spring/apps/bindings/read", + "Microsoft.AppPlatform/Spring/apps/deployments/write", + "Microsoft.AppPlatform/Spring/apps/deployments/delete", + "Microsoft.AppPlatform/Spring/apps/deployments/read", + "Microsoft.AppPlatform/Spring/apps/deployments/start/action", + "Microsoft.AppPlatform/Spring/apps/deployments/stop/action", + "Microsoft.AppPlatform/Spring/apps/deployments/restart/action", + "Microsoft.AppPlatform/Spring/apps/deployments/getLogFileUrl/action", + "Microsoft.AppPlatform/skus/read", + "Microsoft.AppPlatform/locations/checkNameAvailability/action", + "Microsoft.AppPlatform/locations/operationResults/Spring/read", + "Microsoft.AppPlatform/locations/operationStatus/operationId/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ] + } + } + ``` ++ * Enterprise plan ++ ```json + { + "properties": { + "roleName": "Azure Pipelines/Provisioning", + "description": "", + "assignableScopes": [ + "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + ], + "permissions": [ + { + "actions": [ + "Microsoft.AppPlatform/Spring/write", + "Microsoft.AppPlatform/Spring/delete", + "Microsoft.AppPlatform/Spring/read", + "Microsoft.AppPlatform/Spring/enableTestEndpoint/action", + "Microsoft.AppPlatform/Spring/disableTestEndpoint/action", + "Microsoft.AppPlatform/Spring/listTestKeys/action", + "Microsoft.AppPlatform/Spring/regenerateTestKey/action", + "Microsoft.AppPlatform/Spring/buildServices/read", + "Microsoft.AppPlatform/Spring/buildServices/getResourceUploadUrl/action", + "Microsoft.AppPlatform/Spring/buildServices/builds/read", + "Microsoft.AppPlatform/Spring/buildServices/builds/write", + "Microsoft.AppPlatform/Spring/buildServices/builds/results/read", + "Microsoft.AppPlatform/Spring/buildServices/builds/results/getLogFileUrl/action", + "Microsoft.AppPlatform/Spring/buildServices/builders/read", + "Microsoft.AppPlatform/Spring/buildServices/builders/write", + "Microsoft.AppPlatform/Spring/buildServices/builders/delete", + "Microsoft.AppPlatform/Spring/buildServices/builders/buildpackBindings/read", + "Microsoft.AppPlatform/Spring/buildServices/builders/buildpackBindings/write", + "Microsoft.AppPlatform/Spring/buildServices/builders/buildpackBindings/delete", + "Microsoft.AppPlatform/Spring/buildServices/supportedBuildpacks/read", + "Microsoft.AppPlatform/Spring/buildServices/supportedStacks/read", + "Microsoft.AppPlatform/Spring/apps/write", + "Microsoft.AppPlatform/Spring/apps/delete", + "Microsoft.AppPlatform/Spring/apps/read", + "Microsoft.AppPlatform/Spring/apps/getResourceUploadUrl/action", + "Microsoft.AppPlatform/Spring/apps/validateDomain/action", + "Microsoft.AppPlatform/Spring/apps/bindings/write", + "Microsoft.AppPlatform/Spring/apps/bindings/delete", + "Microsoft.AppPlatform/Spring/apps/bindings/read", + "Microsoft.AppPlatform/Spring/apps/deployments/write", + "Microsoft.AppPlatform/Spring/apps/deployments/delete", + "Microsoft.AppPlatform/Spring/apps/deployments/read", + "Microsoft.AppPlatform/Spring/apps/deployments/start/action", + "Microsoft.AppPlatform/Spring/apps/deployments/stop/action", + "Microsoft.AppPlatform/Spring/apps/deployments/restart/action", + "Microsoft.AppPlatform/Spring/apps/deployments/getLogFileUrl/action", + "Microsoft.AppPlatform/skus/read", + "Microsoft.AppPlatform/locations/checkNameAvailability/action", + "Microsoft.AppPlatform/locations/operationResults/Spring/read", + "Microsoft.AppPlatform/locations/operationStatus/operationId/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ] + } + } + ``` ++1. Select **Add**. ++1. Review the permissions. ++++## Next steps ++* [Create or update Azure custom roles using the Azure portal](../../role-based-access-control/custom-roles-portal.md) ++For more information about three methods that define custom permissions, see: ++* [Clone a role](../../role-based-access-control/custom-roles-portal.md#clone-a-role) +* [Start from scratch](../../role-based-access-control/custom-roles-portal.md#start-from-scratch) +* [Start from JSON](../../role-based-access-control/custom-roles-portal.md#start-from-json) |
spring-apps | How To Prepare App Deployment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-prepare-app-deployment.md | + + Title: How to prepare an application for deployment in Azure Spring Apps +description: Learn how to prepare an application for deployment to Azure Spring Apps. +++ Last updated : 07/06/2021+++zone_pivot_groups: programming-languages-spring-apps +++# Prepare an application for deployment in Azure Spring Apps ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article shows how to prepare an existing Steeltoe application for deployment to Azure Spring Apps. Azure Spring Apps provides robust services to host, monitor, scale, and update a Steeltoe app. ++This article explains the dependencies, configuration, and code that are required to run a .NET Core Steeltoe app in Azure Spring Apps. For information about how to deploy an application to Azure Spring Apps, see [Deploy your first Spring Boot app in Azure Spring Apps](./quickstart.md). ++> [!NOTE] +> Steeltoe support for Azure Spring Apps is currently offered as a public preview. Public preview offerings allow customers to experiment with new features prior to their official release. Public preview features and services are not meant for production use. For more information about support during previews, see the [FAQ](https://azure.microsoft.com/support/faq/) or file a [Support request](../../azure-portal/supportability/how-to-create-azure-support-request.md). ++## Supported versions ++Azure Spring Apps supports: ++* .NET Core 3.1 +* Steeltoe 2.4 and 3.0 ++## Dependencies ++For Steeltoe 2.4, add the latest [Microsoft.Azure.SpringCloud.Client 1.x.x](https://www.nuget.org/packages/Microsoft.Azure.SpringCloud.Client/) package to the project file: ++```xml +<ItemGroup> + <PackageReference Include="Microsoft.Azure.SpringCloud.Client" Version="1.0.0-preview.1" /> + <PackageReference Include="Steeltoe.Discovery.ClientCore" Version="2.4.4" /> + <PackageReference Include="Steeltoe.Extensions.Configuration.ConfigServerCore" Version="2.4.4" /> + <PackageReference Include="Steeltoe.Management.TracingCore" Version="2.4.4" /> + <PackageReference Include="Steeltoe.Management.ExporterCore" Version="2.4.4" /> +</ItemGroup> +``` ++For Steeltoe 3.0, add the latest [Microsoft.Azure.SpringCloud.Client 2.x.x](https://www.nuget.org/packages/Microsoft.Azure.SpringCloud.Client/) package to the project file: ++```xml +<ItemGroup> + <PackageReference Include="Microsoft.Azure.SpringCloud.Client" Version="2.0.0-preview.1" /> + <PackageReference Include="Steeltoe.Discovery.ClientCore" Version="3.0.0" /> + <PackageReference Include="Steeltoe.Extensions.Configuration.ConfigServerCore" Version="3.0.0" /> + <PackageReference Include="Steeltoe.Management.TracingCore" Version="3.0.0" /> +</ItemGroup> +``` ++## Update Program.cs ++In the `Program.Main` method, call the `UseAzureSpringCloudService` method. ++For Steeltoe 2.4.4, call `UseAzureSpringCloudService` after `ConfigureWebHostDefaults` and after `AddConfigServer` if it's called: ++```csharp +public static IHostBuilder CreateHostBuilder(string[] args) => + Host.CreateDefaultBuilder(args) + .ConfigureWebHostDefaults(webBuilder => + { + webBuilder.UseStartup<Startup>(); + }) + .AddConfigServer() + .UseAzureSpringCloudService(); +``` ++For Steeltoe 3.0.0, call `UseAzureSpringCloudService` before `ConfigureWebHostDefaults` and before any Steeltoe configuration code: ++```csharp +public static IHostBuilder CreateHostBuilder(string[] args) => + Host.CreateDefaultBuilder(args) + .UseAzureSpringCloudService() + .ConfigureWebHostDefaults(webBuilder => + { + webBuilder.UseStartup<Startup>(); + }) + .AddConfigServer(); +``` ++## Enable Eureka Server service discovery ++> [!NOTE] +> Eureka is not applicable to the Enterprise plan. If you're using the Enterprise plan, see [Use Service Registry](how-to-enterprise-service-registry.md). ++In the configuration source that's used when the app runs in Azure Spring Apps, set `spring.application.name` to the same name as the Azure Spring Apps app to which the project is deployed. ++For example, if you deploy a .NET project named `EurekaDataProvider` to an Azure Spring Apps app named `planet-weather-provider` the *appSettings.json* file should include the following JSON: ++```json +"spring": { + "application": { + "name": "planet-weather-provider" + } +} +``` ++## Use service discovery ++To call a service by using the Eureka Server service discovery, make HTTP requests to `http://<app_name>` where `app_name` is the value of `spring.application.name` of the target app. For example, the following code calls the `planet-weather-provider` service: ++```csharp +using (var client = new HttpClient(discoveryHandler, false)) +{ + var responses = await Task.WhenAll( + client.GetAsync("http://planet-weather-provider/weatherforecast/mercury"), + client.GetAsync("http://planet-weather-provider/weatherforecast/saturn")); + var weathers = await Task.WhenAll(from res in responses select res.Content.ReadAsStringAsync()); + return new[] + { + new KeyValuePair<string, string>("Mercury", weathers[0]), + new KeyValuePair<string, string>("Saturn", weathers[1]), + }; +} +``` +++This article shows how to prepare an existing Java Spring application for deployment to Azure Spring Apps. If configured properly, Azure Spring Apps provides robust services to monitor, scale, and update your Java Spring application. ++Before running this example, you can try the [basic quickstart](./quickstart.md). ++Other examples explain how to deploy an application to Azure Spring Apps when the POM file is configured. ++* [Launch your first App](./quickstart.md) +* [Introduction to the sample app](./quickstart-sample-app-introduction.md) ++This article explains the required dependencies and how to add them to the POM file. ++## Java Runtime version ++For details, see the [Java runtime and OS versions](./faq.md?pivots=programming-language-java#java-runtime-and-os-versions) section of the [Azure Spring Apps FAQ](./faq.md). ++## Spring Boot and Spring Cloud versions ++To prepare an existing Spring Boot application for deployment to Azure Spring Apps, include the Spring Boot and Spring Cloud dependencies in the application POM file as shown in the following sections. ++Azure Spring Apps supports the latest Spring Boot or Spring Cloud major version starting from 30 days after its release. Azure Spring Apps supports the latest minor version as soon as it's released. You can get supported Spring Boot versions from [Spring Boot Releases](https://github.com/spring-projects/spring-boot/wiki/Supported-Versions#releases) and Spring Cloud versions from [Spring Cloud Releases](https://github.com/spring-cloud/spring-cloud-release/wiki). ++The following table lists the supported Spring Boot and Spring Cloud combinations: ++### [Enterprise plan](#tab/enterprise-plan) ++| Spring Boot version | Spring Cloud version | End of commercial support | +|||| +| 3.2.x | 2022.0.3+ also known as Kilburn | 2026-02-23 | +| 3.1.x | 2022.0.3+ also known as Kilburn | 2025-08-18 | +| 3.0.x | 2022.0.3+ also known as Kilburn | 2025-02-24 | +| 2.7.x | 2021.0.3+ also known as Jubilee | 2025-08-24 | +| 2.6.x | 2021.0.3+ also known as Jubilee | 2024-02-24 | ++### [Basic/Standard plan](#tab/basic-standard-plan) ++| Spring Boot version | Spring Cloud version | End of support | +|||-| +| 3.2.x | 2022.0.3+ also known as Kilburn | 2024-11-23 | +| 3.1.x | 2022.0.3+ also known as Kilburn | 2024-05-18 | +| 3.0.x | 2022.0.3+ also known as Kilburn | 2023-11-24 | +| 2.7.x | 2021.0.3+ also known as Jubilee | 2023-11-24 | ++++For more information, see the following pages: ++* [Spring Boot support](https://spring.io/projects/spring-boot#support) +* [Spring Cloud Config support](https://spring.io/projects/spring-cloud-config#support) +* [Spring Cloud Netflix support](https://spring.io/projects/spring-cloud-netflix#support) +* [Adding Spring Cloud To An Existing Spring Boot Application](https://spring.io/projects/spring-cloud#overview:~:text=Adding%20Spring%20Cloud%20To%20An%20Existing%20Spring%20Boot%20Application) ++## Other recommended dependencies to enable Azure Spring Apps features ++To enable the built-in features of Azure Spring Apps from service registry to distributed tracing, you need to also include the following dependencies in your application. You can drop some of these dependencies if you don't need corresponding features for the specific apps. ++### Service Registry ++To use the managed Azure Service Registry service, include the `spring-cloud-starter-netflix-eureka-client` dependency in the *pom.xml* file as shown here: ++```xml +<dependency> + <groupId>org.springframework.cloud</groupId> + <artifactId>spring-cloud-starter-netflix-eureka-client</artifactId> +</dependency> +``` ++The endpoint of the Service Registry server is automatically injected as environment variables with your app. Applications can register themselves with the Service Registry server and discover other dependent applications. ++#### EnableDiscoveryClient annotation ++Add the following annotation to the application source code. ++```java +@EnableDiscoveryClient +``` ++For example, see the piggymetrics application from earlier examples: ++```java +package com.piggymetrics.gateway; ++import org.springframework.boot.SpringApplication; +import org.springframework.boot.autoconfigure.SpringBootApplication; +import org.springframework.cloud.client.discovery.EnableDiscoveryClient; +import org.springframework.cloud.netflix.zuul.EnableZuulProxy; ++@SpringBootApplication +@EnableDiscoveryClient +@EnableZuulProxy ++public class GatewayApplication { + public static void main(String[] args) { + SpringApplication.run(GatewayApplication.class, args); + } +} +``` ++### Distributed configuration ++#### [Enterprise plan](#tab/enterprise-plan) ++To enable distributed configuration in the Enterprise plan, use [Application Configuration Service for VMware Tanzu](https://docs.vmware.com/en/Application-Configuration-Service-for-VMware-Tanzu/2.0/acs/GUID-overview.html), which is one of the proprietary VMware Tanzu components. Application Configuration Service for Tanzu is Kubernetes-native, and different from Spring Cloud Config Server. Application Configuration Service for Tanzu enables the management of Kubernetes-native ConfigMap resources that are populated from properties defined in one or more Git repositories. ++In the Enterprise plan, there's no Spring Cloud Config Server, but you can use Application Configuration Service for Tanzu to manage centralized configurations. For more information, see [Use Application Configuration Service for Tanzu](how-to-enterprise-application-configuration-service.md) ++To use Application Configuration Service for Tanzu, do the following steps for each of your apps: ++1. Add an explicit app binding to declare that your app needs to use Application Configuration Service for Tanzu. ++ > [!NOTE] + > When you change the bind/unbind status, you must restart or redeploy the app to make the change take effect. ++1. Set config file patterns. Config file patterns enable you to choose which application and profile the app uses. For more information, see the [Pattern](how-to-enterprise-application-configuration-service.md#pattern) section of [Use Application Configuration Service for Tanzu](how-to-enterprise-application-configuration-service.md). ++ Another option is to set the config file patterns at the same time as your app deployment, as shown in the following example: ++ ```azurecli + az spring app deploy \ + --name <app-name> \ + --artifact-path <path-to-your-JAR-file> \ + --config-file-pattern <config-file-pattern> + ``` ++#### [Basic/Standard plan](#tab/basic-standard-plan) ++To enable distributed configuration, include the following `spring-cloud-config-client` dependency in the dependencies section of your *pom.xml* file: ++```xml +<dependency> + <groupId>org.springframework.cloud</groupId> + <artifactId>spring-cloud-config-client</artifactId> +</dependency> +<dependency> + <groupId>org.springframework.cloud</groupId> + <artifactId>spring-cloud-starter-bootstrap</artifactId> +</dependency> +``` ++> [!WARNING] +> Don't specify `spring.cloud.config.enabled=false` in your bootstrap configuration. Otherwise, your application stops working with Config Server. ++++### Metrics ++Include the `spring-boot-starter-actuator` dependency in the dependencies section of your *pom.xml* file as shown here: ++```xml +<dependency> + <groupId>org.springframework.boot</groupId> + <artifactId>spring-boot-starter-actuator</artifactId> +</dependency> +``` ++ Metrics are periodically pulled from the JMX endpoints. You can visualize the metrics by using the Azure portal. ++ > [!WARNING] + > You must specify `spring.jmx.enabled=true` in your configuration property. Otherwise, metrics can't be visualized in the Azure portal. ++## See also ++* [Analyze application logs and metrics](./diagnostic-services.md) +* [Set up your Config Server](../basic-standard/how-to-config-server.md) +* [Spring Quickstart Guide](https://spring.io/quickstart) +* [Spring Boot documentation](https://spring.io/projects/spring-boot) ++## Next steps ++In this article, you learned how to configure your Java Spring application for deployment to Azure Spring Apps. To learn how to set up a Config Server instance, see [Set up a Config Server instance](../basic-standard/how-to-config-server.md). ++More samples are available on GitHub: [Azure Spring Apps Samples](https://github.com/Azure-Samples/azure-spring-apps-samples). |
spring-apps | How To Remote Debugging App Instance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-remote-debugging-app-instance.md | + + Title: Debug your apps remotely in Azure Spring Apps +description: Learn how to debug your apps remotely in Azure Spring Apps. ++++ Last updated : 4/18/2023++++# Debug your apps remotely in Azure Spring Apps ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This feature describes how to enable remote debugging of your applications in Azure Spring Apps. ++## Prerequisites ++- [Azure CLI](/cli/azure/install-azure-cli) with the Azure Spring Apps extension. Use the following command to remove previous versions and install the latest extension. If you previously installed the spring-cloud extension, uninstall it to avoid configuration and version mismatches. ++ ```azurecli + az extension remove --name spring + az extension add --name spring + az extension remove --name spring-cloud + ``` ++- A deployed application in Azure Spring Apps. ++## Enable or disable remote debugging ++For security reasons, Azure Spring Apps disables remote debugging by default. Based on your company policy, you can enable remote debugging for your app yourself or see an admin to enable it for you. You can enable or disable remote debugging using Azure CLI, Azure portal, or the VS Code extension. ++### [Azure portal](#tab/portal) ++Use the following steps to enable remote debugging for your application using the Azure portal: ++1. Navigate to your application page. +1. Under **Settings** in the left navigation pane, select **Remote debugging**. +1. On the **Remote debugging** page, enable remote debugging and specify the debugging port. ++ :::image type="content" source="media/how-to-remote-debugging-app-instance/portal-enable-remote-debugging.png" alt-text="Screenshot of the Remote debugging page showing the Remote debugging option selected." lightbox="media/how-to-remote-debugging-app-instance/portal-enable-remote-debugging.png"::: ++### [Azure CLI](#tab/cli) ++Use the following command to enable remote debugging for your application using the Azure CLI: ++```azurecli +az spring app enable-remote-debugging \ + --name <application-name> \ + --deployment <deployment-name> \ + --resource-group <resource-group-name> \ + --service <service-name> \ + --port <port> +``` ++Use the following command to disable remote debugging for your application: ++```azurecli +az spring app disable-remote-debugging \ + --name <application-name> \ + --deployment <deployment-name> \ + --resource-group <resource-group-name> \ + --service <service-name> \ +``` ++Use the following command to display the remote debugging configuration: ++```azurecli +az spring app get-remote-debugging-config \ + --name <application-name> \ + --deployment <deployment-name> \ + --resource-group <resource-group-name> \ + --service <service-name> \ +``` ++++## Assign an Azure role ++To remotely debug an app instance, you must be granted the role `Azure Spring Apps Remote Debugging Role`, which includes the `Microsoft.AppPlatform/Spring/apps/deployments/remotedebugging/action` data action permission. ++You can assign an Azure role using the Azure portal or Azure CLI. ++### [Azure portal](#tab/azure-portal) ++Use the following steps to assign an Azure role using the Azure portal. ++1. Open the [Azure portal](https://portal.azure.com). +1. Open your Azure Spring Apps service instance. +1. In the navigation pane, select **Access Control (IAM)**. +1. On the **Access Control (IAM)** page, select **Add**, and then select **Add role assignment**. ++ :::image type="content" source="media/how-to-remote-debugging-app-instance/add-role-assignment.png" alt-text="Screenshot of the Azure portal showing the Access Control (IAM) page for an Azure Spring Apps instance with the Add role assignment option highlighted." lightbox="media/how-to-remote-debugging-app-instance/add-role-assignment.png"::: ++1. On the **Add role assignment** page, in the **Name** list, search for and select *Azure Spring Apps Remote Debugging Role*, and then select **Next**. ++ :::image type="content" source="media/how-to-remote-debugging-app-instance/remote-debugging-role.png" alt-text="Screenshot of the Azure portal showing the Add role assignment page for an Azure Spring Apps instance with the Azure Spring Apps Remote Debugging Role name highlighted." lightbox="media/how-to-remote-debugging-app-instance/remote-debugging-role.png"::: ++1. Select **Members**, and then search for and select your username. ++1. Select **Review + assign**. ++### [Azure CLI](#tab/azure-cli) ++Use the following command to obtain the Azure Spring Apps Remote Debugging Role. ++ ```azurecli + az role assignment create \ + --role "Azure Spring Apps Remote Debugging Role" \ + --scope "<service-instance-resource-id>" \ + --assignee "<your-identity>" + ``` ++++## Debug an app instance remotely ++You can debug an app instance remotely using the Azure Toolkit for IntelliJ or the Azure Spring Apps for VS Code extension. ++### [Azure Toolkit for IntelliJ](#tab/Intellij-extension) ++This section describes how to debug an app instance remotely using the Azure Toolkit for IntelliJ. ++### Prerequisites ++- [Azure Toolkit for IntelliJ](/azure/developer/java/toolkit-for-intellij/install-toolkit). +- [IntelliJ IDEA](https://www.jetbrains.com/idea/download), Ultimate or Community edition. ++### Enable or disable remote debugging ++Use the following steps to enable or disable remote debugging: ++1. Sign in to your Azure account in Azure Explorer. +1. Select an app instance, and then select **Enable Remote Debugging**. ++ :::image type="content" source="media/how-to-remote-debugging-app-instance/intellij-enable-remote.png" alt-text="Screenshot showing the Enable Remote Debugging option." lightbox="media/how-to-remote-debugging-app-instance/intellij-enable-remote.png"::: ++### Attach debugger ++Use the following steps to attach debugger. ++1. Select an app instance, and then select **Attach Debugger**. IntelliJ connects to the app instance and starts remote debugging. ++ :::image type="content" source="media/how-to-remote-debugging-app-instance/intellij-remote-debugging-instance.png" alt-text="Screenshot showing the Attach Debugger option." lightbox="media/how-to-remote-debugging-app-instance/intellij-remote-debugging-instance.png"::: ++1. Azure Toolkit for IntelliJ creates the remote debugging configuration. You can find it under **Remote Jvm Debug"** Configure the module class path to the source code that you use for remote debugging. ++ :::image type="content" source="media/how-to-remote-debugging-app-instance/intellij-remote-debugging-configuration.png" alt-text="Screenshot of the Run/Debug Configurations page." lightbox="media/how-to-remote-debugging-app-instance/intellij-remote-debugging-configuration.png"::: ++### Troubleshooting ++This section provides troubleshooting information. ++- Take the following actions if you fail to attach debugger and receive an error similar to `java.net.SocketException, connection reset` or `Failed to attach to remote debugger, ClosedConnectionException`: ++ - Check the RBAC role to make sure that you're authorized to remotely debug an app instance. + - Make sure that you're connecting to a valid instance. Refresh the deployment to get the latest instances. ++ :::image type="content" source="media/how-to-remote-debugging-app-instance/refresh-instance.png" alt-text="Screenshot showing the Refresh command." lightbox="media/how-to-remote-debugging-app-instance/refresh-instance.png"::: ++- Take the following actions if you successfully attach debugger but can't remotely debug the app instance: ++ - Make sure that your IDE contains the source code you want to debug. + - Make sure that the debug configuration has the correct module class path. ++### [VS Code extension](#tab/Vscode-extension) ++This section describes how to debug an app instance remotely using the VS Code extension. ++### Prerequisites ++- [Azure Spring Apps for VS Code Plugin](https://marketplace.visualstudio.com/items?itemName=vscjava.vscode-azurespringcloud). +- [Visual Studio Code](https://code.visualstudio.com). ++### Enable or disable remote debugging ++Use the following steps to enable or disable remote debugging: ++1. Sign in to your Azure subscription. +1. Select an app instance, and then select **Enable Remote Debugging**. ++ :::image type="content" source="media/how-to-remote-debugging-app-instance/visual-studio-code-enable-remote-debugging.png" alt-text="Screenshot showing the Enable Remote Debugging option." lightbox="media/how-to-remote-debugging-app-instance/visual-studio-code-enable-remote-debugging.png"::: ++### Attach debugger ++Use the following steps to attach debugger. ++1. Select an app instance, and then select **Attach Debugger**. VS Code connects to the app instance and starts remote debugging. ++ :::image type="content" source="media/how-to-remote-debugging-app-instance/visual-studio-code-remote-debugging-instance.png" alt-text="Screenshot showing the Attach Debugger option." lightbox="media/how-to-remote-debugging-app-instance/visual-studio-code-remote-debugging-instance.png"::: ++### Troubleshooting ++This section provides troubleshooting information. ++- Take the following actions if you fail to attach debugger and receive an error similar to `java.net.SocketException, connection reset` or `Failed to attach to remote debugger, ClosedConnectionException`: ++ - Check the RBAC role to make sure that you're authorized to remotely debug an app instance. + - Make sure that you're connecting to a valid instance. Refresh the deployment to get the latest instances. ++ :::image type="content" source="media/how-to-remote-debugging-app-instance/refresh-instance.png" alt-text="Screenshot showing the Refresh command." lightbox="media/how-to-remote-debugging-app-instance/refresh-instance.png"::: ++- Take the following action if you successfully attach debugger but can't remotely debug the app instance: ++ - Make sure that your IDE contains the source code you want to debug. ++++## Limitations ++Remote debugging is only supported for Java applications. ++| Plan | Deployment type | Supported | +|-|-|--| +| Standard and basic plan | Jar | Yes | +| Standard and basic plan | Source code(Java) | Yes | +| Standard and basic plan | Custom Image | No | +| Enterprise plan | Java Application | Yes | +| Enterprise plan | Source code(Java) | Yes | +| Enterprise plan | Custom Image | No | ++## Tips ++- Java remote debugging is dangerous because it allows remote code execution. Azure Spring Apps helps you secure the communication between your client IDE and the remote application. However, you should disable remote debugging and remove the RBAC role after you're finished. +- You should scale in the app instance to one to ensure that traffic can go to the instance. ++## Next steps ++- [Azure Spring Apps](index.yml) |
spring-apps | How To Scale Manual | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-scale-manual.md | + + Title: "Scale an application in Azure Spring Apps | Microsoft Docs" +description: Learn how to scale an application with Azure Spring Apps in the Azure portal ++++ Last updated : 10/06/2019++++# Scale an application in Azure Spring Apps ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Java ✔️ C# ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article demonstrates how to scale a Spring application using Azure Spring Apps in the Azure portal. ++You can scale your app up and down by modifying its number of virtual CPUs (vCPUs) and amount of memory. Scale your app in and out by modifying the number of application instances. ++After you finish, you'll know how to make quick manual changes to each application in your service. Scaling takes effect within seconds and doesn't require any code changes or redeployment. ++## Prerequisites ++* An Azure subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. +* A deployed Azure Spring Apps service instance. For more information, see [Quickstart: Deploy your first application to Azure Spring Apps](./quickstart.md) to get started. +* At least one application already created in your service instance. ++## Navigate to the Scale page in the Azure portal ++1. Sign in to the [Azure portal](https://portal.azure.com). ++1. Go to your Azure Spring Apps instance. ++1. Select **Apps** under **Settings** in the navigation pane. ++1. Select the app you want to scale and then select **Scale up** in the navigation pane. Specify the **vCPU** and **Memory** settings using the guidelines as described in the following section. ++1. Select **Scale out** in the navigation pane. Specify the **instance count** setting as described in the following section. ++## Scale your application ++As you modify the scaling attributes, keep the following notes in mind: ++* **vCPU**: The total number of CPUs for an application is the value set here multiplied by the number of application instances. ++* **Memory**: The total amount of memory for an application is the value set here multiplied by the number of application instances. ++* **instance count**: This value changes the number of separate running instances of the Spring application. ++Be sure to select **Save** to apply your scaling settings. +++After a few seconds, the scaling changes you make are reflected on the **Overview** page of the app. Select **App instance** in the navigation pane for details about the instance of the app. ++> [!NOTE] +> For more information about the maximum number of CPUs, the amount of memory, and the instance count, see [Quotas and service plans for Azure Spring Apps](./quotas.md). ++## Next steps ++This example explained how to manually scale an application in Azure Spring Apps. To learn how to monitor an application by setting up alerts, see [Set-up autoscale](./how-to-setup-autoscale.md). ++> [!div class="nextstepaction"] +> [Learn how to set up alerts](./tutorial-alerts-action-groups.md) |
spring-apps | How To Self Diagnose Running In Vnet | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-self-diagnose-running-in-vnet.md | + + Title: "How to self-diagnose Azure Spring Apps with virtual networks" +description: Learn how to self-diagnose and solve problems in Azure Spring Apps running in virtual networks. ++++ Last updated : 04/28/2023++++# Self-diagnose running Azure Spring Apps in virtual networks ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article shows you how to use Azure Spring Apps diagnostics to diagnose and solve problems in Azure Spring Apps running in virtual networks. ++Azure Spring Apps diagnostics supports interactive troubleshooting applications running in virtual networks without configuration. Azure Spring Apps diagnostics identifies problems and guides you to information that helps troubleshoot issues and resolve them. ++## Navigate to the diagnostics page ++Use the following steps to start diagnostics for networked applications. ++1. Sign in to the Azure portal. +1. Go to your Azure Spring Apps instance. +1. Select **Diagnose and solve problems** in the navigation pane. +1. Select **Networking**. ++ :::image type="content" source="media/how-to-self-diagnose-running-in-vnet/self-diagnostic-title.png" alt-text="Screenshot of the Azure portal showing the Diagnose and solve problems page with the Networking troubleshooting category highlighted." lightbox="media/how-to-self-diagnose-running-in-vnet/self-diagnostic-title.png"::: ++## View a diagnostic report ++After you select the **Networking** category, you can view two issues related to networking specific to your virtual-network injected Azure Spring Apps instances: **DNS Resolution** and **Required Outbound Traffic**. ++ :::image type="content" source="media/how-to-self-diagnose-running-in-vnet/self-diagnostic-dns-req-outbound-options.png" alt-text="Screenshot of the Azure portal showing the Network troubleshooting page for diagnose and solve problems." lightbox="media/how-to-self-diagnose-running-in-vnet/self-diagnostic-dns-req-outbound-options.png"::: ++Select your target issue to view the diagnostic report. A summary of diagnostics displays, such as: ++* *Resource has been removed.* +* *Resource isn't deployed in your own virtual network*. ++Some results contain related documentation. Different subnets display the results separately. ++## DNS resolution ++If you select **DNS Resolution**, results indicate whether there are DNS issues with applications. Examples of healthy applications are shown the following examples: ++* *DNS issues resolved with no issues in subnet 'subnet01'*. +* *DNS issues resolved with no issues in subnet 'subnet02'*. ++The following diagnostic report example indicates that the health of the application is unknown. The reporting time frame doesn't include the time when the health status was reported. Assume that the context end time is `2021-03-03T04:20:00Z`. The latest TIMESTAMP in the **DNS Resolution Table Renderings** is `2021-03-03T03:39:00Z`, the previous day. The health check log may not have been sent out because of a blocked network. ++The unknown health status results contain related documentation. You can select the left angle bracket to see the drop-down display. +++If you misconfigured your Private DNS Zone record set, a critical result appears such as: `Failed to resolve the Private DNS in subnet xxx`. ++In **DNS Resolution Table Renderings**, detailed message information displays from which you can check your configurations. ++If your VNET uses a custom DNS server instead of the default Azure-provided DNS server, configure your DNS server to forward unresolved DNS queries to `168.63.129.16`. Azure recursive resolvers uses this IP address to resolve requests. If you don't use the Azure recursive resolvers, the Azure Spring Apps environment won't function as expected. For more information, see the [Name resolution that uses your own DNS server](../../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md#name-resolution-that-uses-your-own-dns-server) section of [Name resolution for resources in Azure virtual networks](../../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md) ++## Required Outbound Traffic ++If you select **Required Outbound Traffic**, results indicate whether there are outbound traffic issues with applications. The following examples are results for healthy applications: ++* *Required outbound traffic resolved with no issues in subnet 'subnet01'. +* *Required outbound traffic resolved with no issues in subnet 'subnet02'. ++If any subnet is blocked because of NSG or firewall rules, and if you haven't blocked the log, endpoint check failures display in the summary for the issue. The following destination endpoints fail because no rule is matched: ++* `http://clr3.gigicert.com` +* `http://mscrl.microsoft.com` +* `http://crl.microsoft.com` ++You can check whether you overlooked any customer responsibilities. For more information, see [Customer responsibilities for running Azure Spring Apps in a virtual network](./vnet-customer-responsibilities.md). ++If there's no data displayed for **Required Outbound Traffic Table Renderings** within 30 minutes, the result is `health status unknown`. +Your network may be blocked or the log service is down. ++## Next steps ++* [How to self diagnose Azure Spring Apps](./how-to-self-diagnose-solve.md) |
spring-apps | How To Self Diagnose Solve | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-self-diagnose-solve.md | + + Title: "How to self-diagnose and solve problems in Azure Spring Apps" +description: Learn how to self-diagnose and solve problems in Azure Spring Apps. ++++ Last updated : 6/1/2023++++# Self-diagnose and solve problems in Azure Spring Apps ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Java ✔️ C# ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article shows you how to use Azure Spring Apps diagnostics. ++Azure Spring Apps diagnostics is an interactive experience to troubleshoot your app without configuration. Azure Spring Apps diagnostics identifies problems and guides you to information that helps troubleshoot and resolve issues. ++## Prerequisites ++To complete this exercise, you need: ++* An Azure subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. +* A deployed Azure Spring Apps service instance. For more information, see [Quickstart: Deploy your first application to Azure Spring Apps](./quickstart.md). +* At least one application already created in your service instance. ++## Navigate to the diagnostics page ++1. Sign in to the Azure portal. +2. Go to your Azure Spring Apps **Overview** page. +3. Select **Diagnose and solve problems** in the navigation pane. ++ :::image type="content" source="media/how-to-self-diagnose-solve/diagnose-solve-dialog.png" alt-text="Screenshot of the Azure portal showing the Diagnose and Solve problems page." lightbox="media/how-to-self-diagnose-solve/diagnose-solve-dialog.png"::: ++## Search logged issues ++To find an issue, you can either search by typing a keyword or select the solution group to explore all in that category. +++Selection of **Config Server Health Check**, **Config Server Health Status**, or **Config Server Update History** displays various results. ++> [!NOTE] +> Spring Cloud Config Server is not applicable to the Azure Spring Apps Enterprise plan. +++Find your target detector and select it to execute. A summary of diagnostics is shown after you execute the detector. Select **View details** to check diagnostic details. +++You can change the diagnostic time range with the controller for **CPU Usage**. There can be a 15-minute delay for metrics and logs. +++Some results contain related documentation. +++## Next steps ++* [Monitor Spring app resources using alerts and action groups](./tutorial-alerts-action-groups.md) +* [Security controls for Azure Spring Apps Service](./concept-security-controls.md) |
spring-apps | How To Set Up Sso With Azure Ad | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-set-up-sso-with-azure-ad.md | + + Title: How to set up single sign-on with Microsoft Entra ID for Spring Cloud Gateway and API Portal for Tanzu ++description: How to set up single sign-on with Microsoft Entra ID for Spring Cloud Gateway and API Portal for Tanzu with the Azure Spring Apps Enterprise plan. ++++ Last updated : 05/20/2022++++# Set up single sign-on using Microsoft Entra ID for Spring Cloud Gateway and API Portal ++**This article applies to:** ❌ Basic/Standard ✔️ Enterprise ++This article shows you how to configure single sign-on (SSO) for Spring Cloud Gateway or API Portal using the Microsoft Entra ID as an OpenID identify provider. ++## Prerequisites ++- An Enterprise plan instance with Spring Cloud Gateway or API portal enabled. For more information, see [Quickstart: Build and deploy apps to Azure Spring Apps using the Enterprise plan](quickstart-deploy-apps-enterprise.md). +- Sufficient permissions to manage Microsoft Entra applications. ++To enable SSO for Spring Cloud Gateway or API Portal, you need the following four properties configured: ++| SSO Property | Microsoft Entra Configuration | +| - | - | +| clientId | See [Register App](#create-an-azure-ad-application-registration) | +| clientSecret | See [Create Client Secret](#add-a-client-secret) | +| scope | See [Configure Scope](#configure-scope) | +| issuerUri | See [Generate Issuer URI](#configure-issuer-uri) | ++You'll configure the properties in Microsoft Entra ID in the following steps. ++## Assign an endpoint for Spring Cloud Gateway or API Portal ++First, you must get the assigned public endpoint for Spring Cloud Gateway and API portal by following these steps: ++1. Open your Enterprise plan service instance in the [Azure portal](https://portal.azure.com). +1. Select **Spring Cloud Gateway** or **API portal** under *VMware Tanzu components* in the left menu. +1. Select **Yes** next to *Assign endpoint*. +1. Copy the URL for use in the next section of this article. ++<a name='create-an-azure-ad-application-registration'></a> ++## Create a Microsoft Entra application registration ++Register your application to establish a trust relationship between your app and the Microsoft identity platform using the following steps: ++1. From the *Home* screen, select **Microsoft Entra ID** from the left menu. +1. Select **App Registrations** under *Manage*, then select **New registration**. +1. Enter a display name for your application under *Name*, then select an account type to register under *Supported account types*. +1. In *Redirect URI (optional)* select **Web**, then enter the URL from the above section in the text box. The redirect URI is the location where Microsoft Entra ID redirects your client and sends security tokens after authentication. +1. Select **Register** to finish registering the application. +++When registration finishes, you'll see the *Application (client) ID* on the **Overview** screen of the *App registrations** page. ++## Add a redirect URI after app registration ++You can also add redirect URIs after app registration by following these steps: ++1. From your application overview, under *Manage* in the left menu, select **Authentication**. +1. Select **Web**, then select **Add URI** under *Redirect URIs*. +1. Add a new redirect URI, then select **Save**. +++For more information on Application Registration, see [Quickstart: Register an application with the Microsoft identity platform](/entra/identity-platform/quickstart-register-app). ++## Add a client secret ++The application uses a client secret to authenticate itself in SSO workflow. You can add a client secret using the following steps: ++1. From your application overview, under *Manage* in the left menu, select **Certificates & secrets**. +1. Select **Client secrets**, then select **New client secret**. +1. Enter a description for the client secret, then set an expiration date. +1. Select **Add**. ++> [!WARNING] +> Remember to save the client secret in a secure place. You can't retrieve it after you leave this page. The client secret should be provided with the client ID when you sign in as the application. ++## Configure scope ++The `scope` property of SSO is a list of scopes to be included in JWT identity tokens. They're often referred to as permissions. Identity platform supports several OpenID Connect scopes, such as `openid`, `email`, and `profile`. For more information, see the [OpenID Connect scopes](/entra/identity-platform/scopes-oidc#openid-connect-scopes) section of [Scopes and permissions in the Microsoft identity platform](/entra/identity-platform/scopes-oidc). ++## Configure issuer URI ++The issuer URI is the URI that is asserted as its Issuer Identifier. For example, if the issuer-uri provided is `https://example.com`, then an OpenID Provider Configuration Request will be made to `https://example.com/.well-known/openid-configuration`. ++The issuer URI of Microsoft Entra ID is like `<authentication-endpoint>/<Your-TenantID>/v2.0`. Replace `<authentication-endpoint>` with the authentication endpoint for your cloud environment (for example, `https://login.microsoftonline.com` for global Azure), and replace `<Your-TenantID>` with the Directory (tenant) ID where the application was registered. ++## Configure SSO ++After configuring your Microsoft Entra application, you can set up the SSO properties of Spring Cloud Gateway or API Portal following these steps: ++1. Select **Spring Cloud Gateway** or **API portal** under *VMware Tanzu components* in the left menu, then select **Configuration**. +1. Enter the `Scope`, `Client Id`, `Client Secret`, and `Issuer URI` in the appropriate fields. Separate multiple scopes with a comma. +1. Select **Save** to enable the SSO configuration. ++> [!NOTE] +> After configuring SSO properties, remember to enable SSO for the Spring Cloud Gateway routes by setting `ssoEnabled=true`. For more information, see [route configuration](./how-to-use-enterprise-spring-cloud-gateway.md#configure-routes). ++## Next steps +- [Configure routes](./how-to-use-enterprise-spring-cloud-gateway.md#configure-routes) |
spring-apps | How To Setup Autoscale | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-setup-autoscale.md | + + Title: "Set up autoscale for applications" +description: This article describes how to set up Autoscale settings for your applications using the Microsoft Azure portal or the Azure CLI. ++++ Last updated : 11/03/2021++++# Set up autoscale for applications ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Java ✔️ C# ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article describes how to set up Autoscale settings for your applications using the Microsoft Azure portal or the Azure CLI. ++Autoscale is a built-in feature of Azure Spring Apps that helps applications perform their best when demand changes. Azure Spring Apps supports scale-out and scale-in, which includes modifying the number of app instances and load balancing. ++## Prerequisites ++To follow these procedures, you need: ++* An Azure subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. +* A deployed Azure Spring Apps service instance. Follow the [quickstart on deploying an app via the Azure CLI](./quickstart.md) to get started. +* At least one application already created in your service instance. ++## Navigate to the Autoscale page in the Azure portal ++1. Sign in to the [Azure portal](https://portal.azure.com/). +1. Go to the Azure Spring Apps **Overview** page. +1. Select the **Apps** tab under **Settings** in the menu on the left navigation pane. +1. Select the application for which you want to set up Autoscale. In this example, select the application named **demo**. You should then see the application's **Overview** page. +1. Go to the **Scale out** tab under **Settings** in the menu on the left navigation pane. ++## Set up Autoscale settings for your application in the Azure portal ++There are two options for Autoscale demand management: ++* Manual scale: Maintains a fixed instance count. In the Standard plan, you can scale out to a maximum of 500 instances. This value changes the number of separate running instances of the application. +* Custom autoscale: Scales on any schedule, based on any metrics. ++In the Azure portal, choose how you want to scale. The following figure shows the **Custom autoscale** option and mode settings. +++## Set up Autoscale settings for your application in Azure CLI ++You can also set Autoscale modes using the Azure CLI. The following commands create an Autoscale setting and an Autoscale rule. ++* Create Autoscale setting: ++ ```azurecli + az monitor autoscale create \ + --resource-group <resource-group-name> \ + --name <autoscale-setting-name> \ + --resource /subscriptions/<subscription-id>/resourcegroups/<resource-group-name>/providers/Microsoft.AppPlatform/Spring/<service-instance-name>/apps/<app-name>/deployments/<deployment-name> \ + --min-count 1 \ + --max-count 5 \ + --count 1 + ``` ++* Create Autoscale rule: ++ ```azurecli + az monitor autoscale rule create \ + --resource-group <resource-group-name> \ + --autoscale-name <autoscale-setting-name> \ + --scale out 1 \ + --cooldown 1 \ + --condition "tomcat.global.request.total.count > 100 avg 1m where AppName == <app-name> and Deployment == <deployment-name>" + ``` ++For information on the available metrics, see the [User metrics options](./concept-metrics.md#user-metrics-options) section of [Metrics for Azure Spring Apps](./concept-metrics.md). ++## Upgrade to the Standard plan ++If you're on the Basic plan and constrained by one or more of these limits, you can upgrade to the Standard plan. To upgrade, go to the **Pricing** plan menu by first selecting the **Standard tier** column and then selecting the **Upgrade** button. ++## Next steps ++* [Overview of autoscale in Microsoft Azure](../../azure-monitor/autoscale/autoscale-overview.md) +* [Azure CLI Monitoring autoscale](/cli/azure/monitor/autoscale) |
spring-apps | How To Staging Environment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-staging-environment.md | + + Title: Set up a staging environment in Azure Spring Apps +description: Learn how to use blue-green deployment with Azure Spring Apps +++ Last updated : 01/14/2021+++++# Set up a staging environment in Azure Spring Apps ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Java ❌ C# ++**This article applies to:** ❌ Basic ✔️ Standard ✔️ Enterprise ++This article explains how to set up a staging deployment by using the blue-green deployment pattern in Azure Spring Apps. Blue-green deployment is an Azure DevOps continuous delivery pattern that relies on keeping an existing (blue) version live while a new (green) one is deployed. This article shows you how to put that staging deployment into production without changing the production deployment. ++## Prerequisites ++- An existing Azure Spring Apps instance on the Standard plan. +- [Azure CLI](/cli/azure/install-azure-cli). ++This article uses an application built from Spring Initializr. If you want to use a different application for this example, make a change in a public-facing portion of the application to differentiate your staging deployment from the production deployment. ++> [!TIP] +> [Azure Cloud Shell](https://shell.azure.com) is a free interactive shell that you can use to run the instructions in this article. It has common, preinstalled Azure tools, including the latest versions of Git, JDK, Maven, and the Azure CLI. If you're signed in to your Azure subscription, start your Cloud Shell instance. To learn more, see [Overview of Azure Cloud Shell](../../cloud-shell/overview.md). ++To set up blue-green deployment in Azure Spring Apps, follow the instructions in the next sections. ++## Install the Azure CLI extension ++Install the [Azure Spring Apps extension](/cli/azure/azure-cli-extensions-overview) for the Azure CLI by using the following command: ++```azurecli +az extension add --name spring +``` ++## Prepare the app and deployments ++To build the application, follow these steps: ++1. Generate the code for the sample app by using Spring Initializr with [this configuration](https://start.spring.io/#!type=maven-project&language=java&packaging=jar&groupId=com.example&artifactId=hellospring&name=hellospring&description=Demo%20project%20for%20Spring%20Boot&packageName=com.example.hellospring&dependencies=web,cloud-eureka,actuator,cloud-config-client). ++1. Download the code. +1. Add the following *HelloController.java* source file to the folder *\src\main\java\com\example\hellospring\*: ++ ```java + package com.example.hellospring; + import org.springframework.web.bind.annotation.RestController; + import org.springframework.web.bind.annotation.RequestMapping; ++ @RestController ++ public class HelloController { ++ @RequestMapping("/") ++ public String index() { + return "Greetings from Azure Spring Apps!"; + } ++ } + ``` ++1. Build the *.jar* file: ++ ```azurecli + mvn clean package -DskipTests + ``` ++1. Create the app in your Azure Spring Apps instance: ++ ```azurecli + az spring app create \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name demo \ + --runtime-version Java_17 \ + --assign-endpoint + ``` ++1. Deploy the app to Azure Spring Apps: ++ ```azurecli + az spring app deploy \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name demo \ + --artifact-path target\hellospring-0.0.1-SNAPSHOT.jar + ``` ++1. Modify the code for your staging deployment: ++ ```java + package com.example.hellospring; + import org.springframework.web.bind.annotation.RestController; + import org.springframework.web.bind.annotation.RequestMapping; ++ @RestController ++ public class HelloController { ++ @RequestMapping("/") ++ public String index() { + return "Greetings from Azure Spring Apps! THIS IS THE GREEN DEPLOYMENT"; + } ++ } + ``` ++1. Rebuild the *.jar* file: ++ ```azurecli + mvn clean package -DskipTests + ``` ++1. Create the green deployment: ++ ```azurecli + az spring app deployment create \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --app demo \ + --name green \ + --runtime-version Java_17 \ + --artifact-path target\hellospring-0.0.1-SNAPSHOT.jar + ``` ++## View apps and deployments ++Use the following steps to view deployed apps. ++1. Go to your Azure Spring Apps instance in the Azure portal. ++1. From the navigation pane, open the **Apps** pane to view apps for your service instance. ++ :::image type="content" source="media/how-to-staging-environment/app-dashboard.png" lightbox="media/how-to-staging-environment/app-dashboard.png" alt-text="Screenshot of the Apps pane showing apps for your service instance."::: ++1. Select an app to view details. ++ :::image type="content" source="media/how-to-staging-environment/app-overview.png" lightbox="media/how-to-staging-environment/app-overview.png" alt-text="Screenshot of details for an app."::: ++1. Open **Deployments** to see all deployments of the app. The grid shows both production and staging deployments. ++ :::image type="content" source="media/how-to-staging-environment/deployments-dashboard.png" lightbox="media/how-to-staging-environment/deployments-dashboard.png" alt-text="Screenshot that shows listed app deployments."::: ++1. Select the URL to open the currently deployed application. ++ :::image type="content" source="media/how-to-staging-environment/running-blue-app.png" lightbox="media/how-to-staging-environment/running-blue-app.png" alt-text="Screenshot that shows the URL of the deployed application."::: ++1. Select **Production** in the **State** column to see the default app. ++ :::image type="content" source="media/how-to-staging-environment/running-default-app.png" lightbox="media/how-to-staging-environment/running-default-app.png" alt-text="Screenshot that shows the URL of the default app."::: ++1. Select **Staging** in the **State** column to see the staging app. ++ :::image type="content" source="media/how-to-staging-environment/running-staging-app.png" lightbox="media/how-to-staging-environment/running-staging-app.png" alt-text="Screenshot that shows the URL of the staging app."::: ++>[!TIP] +> Confirm that your test endpoint ends with a slash (/) to ensure that the CSS file is loaded correctly. If your browser requires you to enter login credentials to view the page, use [URL decode](https://www.urldecoder.org/) to decode your test endpoint. URL decode returns a URL in the format `https://\<username>:\<password>@\<cluster-name>.test.azuremicroservices.io/demo/green`. Use this format to access your endpoint. ++>[!NOTE] +> Configuration server settings apply to both your staging environment and your production environment. For example, if you set the context path (*server.servlet.context-path*) for your app demo in the configuration server as *somepath*, the path to your green deployment changes to `https://\<username>:\<password>@\<cluster-name>.test.azuremicroservices.io/demo/green/somepath/...`. ++If you visit your public-facing app demo at this point, you should see the old page without your new change. ++## Set the green deployment as the production environment ++1. After you've verified your change in your staging environment, you can push it to production. On the **Apps** > **Deployments** page, select the application currently in **Production**. ++1. Select the ellipsis after **Registration status** of the green deployment, and then select **Set as production**. ++ :::image type="content" source="media/how-to-staging-environment/set-staging-deployment.png" lightbox="media/how-to-staging-environment/set-staging-deployment.png" alt-text="Screenshot that shows selections for setting the staging build to production."::: ++1. Confirm that the URL of the app displays your changes. ++ :::image type="content" source="media/how-to-staging-environment/new-production-deployment.png" lightbox="media/how-to-staging-environment/new-production-deployment.png" alt-text="Screenshot that shows the URL of the app now in production."::: ++>[!NOTE] +> After you've set the green deployment as the production environment, the previous deployment becomes the staging deployment. ++## Modify the staging deployment ++If you're not satisfied with your change, you can modify your application code, build a new .jar package, and upload it to your green deployment by using the Azure CLI: ++```azurecli +az spring app deploy \ + --resource-group <resource-group-name> \ + --service <service-instance-name> \ + --name demo \ + --deployment green \ + --artifact-path demo.jar +``` ++## Delete the staging deployment ++To delete your staging deployment from the Azure portal, go to the page for your staging deployment and select the **Delete** button. ++Alternatively, delete your staging deployment from the Azure CLI by running the following command: ++```azurecli +az spring app deployment delete \ + --resource-group <resource-group-name> \ + --service <service-instance-name> \ + --name <staging-deployment-name> \ + --app demo +``` ++## Next steps ++- [CI/CD for Azure Spring Apps](./how-to-cicd.md?pivots=programming-language-java) |
spring-apps | How To Start Stop Delete | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-start-stop-delete.md | + + Title: Start, stop, and delete an application in Azure Spring Apps +description: Need to start, stop, or delete your Azure Spring Apps application? Learn how to manage the state of an Azure Spring Apps application. +++ Last updated : 01/10/2023+++++# Start, stop, and delete an application in Azure Spring Apps ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Java ✔️ C# ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This guide explains how to change an application's state in Azure Spring Apps by using either the Azure portal or the Azure CLI. ++## Prerequisites ++- An Azure subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. +- A deployed Azure Spring Apps service instance. Follow the [quickstart on deploying an app via the Azure CLI](./quickstart.md) to get started. +- At least one application already created in your service instance. ++## Application state ++Your applications running in Azure Spring Apps may not need to run continuously. For example, an application may not always need to run if it's only used during business hours. ++There may be times where you wish to stop or start an application. You can also restart an application as part of general troubleshooting steps or delete an application you no longer require. ++## Manage application state ++After you deploy an application, you can start, stop, and delete it by using the [Azure portal](https://portal.azure.com) or [Azure CLI](/cli/azure/). ++### [Azure portal](#tab/azure-portal) ++1. Go to your Azure Spring Apps service instance in the [Azure portal](https://portal.azure.com). ++1. Select **Application Dashboard**. ++1. Select the application whose state you want to change. ++1. On the **Overview** page for that application, select **Start/Stop**, **Restart**, or **Delete**. ++ :::image type="content" source="media/how-to-start-stop-delete/how-to-start-stop-delete.png" alt-text="Screenshot of Azure portal showing the Overview page of the demo app." lightbox="media/how-to-start-stop-delete/how-to-start-stop-delete.png"::: ++### [Azure CLI](#tab/azure-cli) ++> [!NOTE] +> You can use optional parameters and configure defaults with the Azure CLI. Learn more about the Azure CLI by reading the [az spring](/cli/azure/spring) reference documentation. ++1. First, use the following command to install the Azure Spring Apps extension for Azure CLI: ++ ```azurecli-interactive + az extension add --name spring + ``` ++1. Next, perform any of the following Azure CLI operations: ++ - Start your application: ++ ```azurecli-interactive + az spring app start \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <application-name> + ``` ++ - Stop your application: ++ ```azurecli + az spring app stop \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <application-name> + ``` ++ - Restart your application: ++ ```azurecli + az spring app restart \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <application-name> + ``` ++ - Delete your application: ++ ```azurecli + az spring app delete \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <application-name> + ``` ++++## Next steps ++> [!div class="nextstepaction"] +> [Start or stop your Azure Spring Apps service instance](how-to-start-stop-service.md) |
spring-apps | How To Start Stop Service | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-start-stop-service.md | + + Title: How to start or stop an Azure Spring Apps service instance +description: Describes how to start or stop an Azure Spring Apps service instance ++++ Last updated : 11/04/2021++++# Start or stop your Azure Spring Apps service instance ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ❌ Standard consumption and dedicated (Preview) ✔️ Basic/Standard ✔️ Enterprise ++This article shows you how to start or stop your Azure Spring Apps service instance. ++Your applications running in Azure Spring Apps may not need to run continuously. For example, an application may not need to run continuously if you have a service instance that's used only during business hours. There may be times when Azure Spring Apps is idle and running only the system components. ++You can reduce the active footprint of Azure Spring Apps by reducing the running instances, which reduces costs for compute resources. For more information, see [Start, stop, and delete an application in Azure Spring Apps](./how-to-start-stop-delete.md) and [Scale an application in Azure Spring Apps](./how-to-scale-manual.md). ++To reduce your costs further, you can completely stop your Azure Spring Apps service instance. All user apps and system components are stopped. However, all your objects and network settings are saved so you can restart your service instance and pick up right where you left off. ++## Limitations ++The ability to stop and start your Azure Spring Apps service instance has the following limitations: ++- You can stop and start your Azure Spring Apps service instance to help you save costs. However, you shouldn't stop and start a running instance for service recovery - for example, to recover from an invalid virtual network configuration. +- The state of a stopped Azure Spring Apps service instance is preserved for up to 90 days. If your cluster is stopped for more than 90 days, you can't recover the cluster state. +- You can only start, view, or delete a stopped Azure Spring Apps service instance. You must start your service instance before performing any update operation, such as creating or scaling an app. +- If an Azure Spring Apps service instance has been stopped or started successfully, you have to wait for at least 30 minutes to start or stop the instance again. However, if your last operation failed, you can try again to start or stop without having to wait. +- For virtual network instances, the start operation may fail due to invalid virtual network configurations. For more information, see [Customer responsibilities for running Azure Spring Apps in a virtual network](./vnet-customer-responsibilities.md). ++## Prerequisites ++- An existing service instance in Azure Spring Apps. To create a new service instance, see [Quickstart: Provision an Azure Spring Apps service instance](../basic-standard/quickstart-provision-service-instance.md). +- (Optional) [Azure CLI](/cli/azure/install-azure-cli) version 2.45.0 or later. ++## [Portal](#tab/azure-portal) ++## Stop a running instance ++In the Azure portal, use the following steps to stop a running Azure Spring Apps instance: ++1. Go to the Azure Spring Apps service overview page. ++1. Select **Stop** to stop a running instance. ++ :::image type="content" source="media/how-to-start-stop-service/spring-cloud-stop-service.png" alt-text="Screenshot of Azure portal showing the Azure Spring Apps Overview page with the Stop button and Status value highlighted."::: ++1. After the instance stops, the status shows **Succeeded (Stopped)**. ++## Start a stopped instance ++In the Azure portal, use the following steps to start a stopped Azure Spring Apps instance: ++1. Go to Azure Spring Apps service overview page. ++1. Select **Start** to start a stopped instance. ++ :::image type="content" source="media/how-to-start-stop-service/spring-cloud-start-service.png" alt-text="Screenshot of Azure portal showing the Azure Spring Apps Overview page with the Start button and Status value highlighted."::: ++1. After the instance starts, the status shows **Succeeded (Running)**. ++## [Azure CLI](#tab/azure-cli) ++## Stop a running instance ++With the Azure CLI, use the following command to stop a running Azure Spring Apps instance: ++```azurecli +az spring stop \ + --name <service-instance-name> \ + --resource-group <resource-group-name> +``` ++## Start a stopped instance ++With the Azure CLI, use the following command to start a stopped Azure Spring Apps instance: ++```azurecli +az spring start \ + --name <service-instance-name> \ + --resource-group <resource-group-name> +``` ++## Check the power state ++After the instance stops or starts, use the following command to check the power state: ++```azurecli +az spring show \ + --name <service-instance-name> \ + --resource-group <resource-group-name> +``` ++++## Troubleshoot failed resource provisioning during startup ++When you start a service instance, you might get an error message even if the `ProvisioningState` is `Succeeded`. This error message helps you identify the resources that failed to start or the settings that weren't applied. ++You might receive an error message similar to the following example: `Failed to start the following resource(s) or apply setting(s): [<failed resource list>]. Please check and update them accordingly.` ++The following list describes some common actions you can take to recover from these failures: ++- Identify the failed resources: Refer to the `<failed resource list>` section in the error message to identify the resources that failed to start or the settings that failed to apply. +- Investigate and mitigate: Examine each listed resource, check failure logs if available, and make necessary mitigations. These mitigations could involve updating the specific resources that failed to start or reapplying the affected settings. ++## Next steps ++- [Monitor app lifecycle events using Azure Activity log and Azure Service Health](./monitor-app-lifecycle-events.md) +- [Azure Monitor cost and usage](../../azure-monitor/cost-usage.md) |
spring-apps | How To Troubleshoot Enterprise Spring Cloud Gateway | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-troubleshoot-enterprise-spring-cloud-gateway.md | + + Title: How to troubleshoot VMware Spring Cloud Gateway with the Azure Spring Apps Enterprise plan +description: Shows you how to troubleshoot VMware Spring Cloud Gateway with the Azure Spring Apps Enterprise plan. ++++ Last updated : 06/26/2023++++# Troubleshoot VMware Spring Cloud Gateway ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ❌ Basic/Standard ✔️ Enterprise ++This article shows you how to troubleshoot Spring Cloud Gateway for VMware Tanzu with the Azure Spring Apps Enterprise plan. To learn more about VMware Spring Cloud Gateway, see [Configure VMware Spring Cloud Gateway](./how-to-configure-enterprise-spring-cloud-gateway.md). ++## Prerequisites ++- An already provisioned Azure Spring Apps Enterprise plan service instance with VMware Spring Cloud Gateway enabled. For more information, see [Quickstart: Build and deploy apps to Azure Spring Apps using the Enterprise plan](quickstart-deploy-apps-enterprise.md). +- [Azure CLI](/cli/azure/install-azure-cli) version 2.45.0 or later. Use the following command to install the Azure Spring Apps extension: `az extension add --name spring`. ++## Check Gateway metrics ++For more information on how to check metrics on the Azure portal, see the [Common metrics page](./concept-metrics.md#common-metrics-page) section of [Metrics for Azure Spring Apps](concept-metrics.md). ++For more information on each supported metric, see the [Gateway](./concept-metrics.md#gateway) section of [Metrics for Azure Spring Apps](./concept-metrics.md). ++## Check Gateway logs ++Spring Cloud Gateway is composed of following subcomponents: ++- `spring-cloud-gateway-operator` is for managing the Gateway. +- `spring-cloud-gateway` fulfills the features. ++The logs of both subcomponents are available. The following sections describe how to check these logs. ++### Use real-time log streaming ++You can stream logs in real time with the Azure CLI. For more information, see [Stream Azure Spring Apps managed component logs in real time](./how-to-managed-component-log-streaming.md). The following examples show how you can use Azure CLI commands to continuously stream new logs for `spring-cloud-gateway` and `spring-cloud-gateway-operator` subcomponents. ++Use the following command to stream logs for `spring-cloud-gateway`: ++```azurecli +az spring component logs \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name spring-cloud-gateway \ + --all-instances \ + --follow +``` ++Use the following command to stream logs for `spring-cloud-gateway-operator`: ++```azurecli +az spring component logs \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name spring-cloud-gateway-operator \ + --all-instances \ + --follow +``` ++### Use Log Analytics ++The following sections show you how to view System Logs using Log Analytics. ++#### Diagnostic settings for Log Analytics ++You must turn on System Logs and send to your Log Analytics before you query the logs for VMware Spring Cloud Gateway. To enable System Logs in the Azure portal, use the following steps: ++1. Open your Azure Spring Apps instance. ++1. In the navigation menu, select **Diagnostics settings**. ++1. Select **Add diagnostic setting** or select **Edit setting** for an existing setting. ++1. In the **Logs** section, select the **System Logs** category. ++1. In the **Destination details** section, select **Send to Log Analytics workspace** and then select your workspace. ++1. Select **Save** to update the setting. ++#### Check logs in Log Analytics ++To check the logs of `spring-cloud-gateway` and `spring-cloud-gateway-operator` using the Azure portal, use the following steps: ++1. Make sure you turned on **System Logs**. For more information, see the [Diagnostic settings for Log Analytics](#diagnostic-settings-for-log-analytics) section. ++1. Open your Azure Spring Apps instance. ++1. Select **Logs** in the navigation pane and then select **Overview**. ++1. Use the following sample queries in the query edit pane. Adjust the time range then select **Run** to search for logs. ++ - To view the logs for `spring-cloud-gateway`, use the following query: ++ ```kusto + AppPlatformSystemLogs + | where LogType in ("SpringCloudGateway") + | project TimeGenerated , ServiceName , LogType, Log , _ResourceId + | limit 100 + ``` ++ :::image type="content" source="media/how-to-troubleshoot-enterprise-spring-cloud-gateway/query-logs-spring-cloud-gateway.png" alt-text="Screenshot of the Azure portal that shows the query result of logs for VMware Spring Cloud Gateway." lightbox="media/how-to-troubleshoot-enterprise-spring-cloud-gateway/query-logs-spring-cloud-gateway.png"::: ++ - To view the logs for `spring-cloud-gateway-operator`, use the following query: ++ ```kusto + AppPlatformSystemLogs + | where LogType in ("SpringCloudGatewayOperator") + | project TimeGenerated , ServiceName , LogType, Log , _ResourceId + | limit 100 + ``` ++ :::image type="content" source="media/how-to-troubleshoot-enterprise-spring-cloud-gateway/query-logs-spring-cloud-gateway-operator.png" alt-text="Screenshot of the Azure portal that shows the query result of logs for VMware Spring Cloud Gateway operator." lightbox="media/how-to-troubleshoot-enterprise-spring-cloud-gateway/query-logs-spring-cloud-gateway-operator.png"::: ++> [!NOTE] +> There could be a few minutes delay before the logs are available in Log Analytics. ++### Adjust log levels ++This section describes how to adjust the log levels for VMware Spring Cloud Gateway and offers one logger as an example. ++> [!IMPORTANT] +> Before you get started, be sure to understand the details and impacts of adjusting the log levels by reading the [Configure log levels](./how-to-configure-enterprise-spring-cloud-gateway.md#configure-log-levels) section of [Configure VMware Spring Cloud Gateway](./how-to-configure-enterprise-spring-cloud-gateway.md#configure-log-levels). ++Use the following steps to adjust the log levels: ++1. In your Azure Spring Apps instance, select **Spring Cloud Gateway** in the navigation pane and then select **Configuration**. +1. In the **Properties** sections, fill in the key/value pair `logging.level.org.springframework.cloud.gateway=DEBUG`. +1. Select **Save** to save your changes. +1. After the change is successful, you can find more detailed logs for troubleshooting, such as information about how requests are routed. ++## Setup alert rules ++You can create alert rules based on logs and metrics. For more information, see [Create or edit an alert rule](../../azure-monitor/alerts/alerts-create-new-alert-rule.md). ++Use the following steps to directly create alert rules from the Azure portal for Azure Spring Apps: ++1. Open your Azure Spring Apps instance. +1. Navigate to **Logs** or **Metrics**. +1. Write the log query in the **Logs** pane, or add a metrics chart. +1. Select **New alert rule**. This action takes you to the **Create an alert rule** pane, and the log query or the metrics is filled out automatically. ++You can now configure the alert rule details. ++## Monitor Gateway with application performance monitor ++ For more information on supported application performance monitors and how to configure them, see the [Configure application performance monitoring](./how-to-configure-enterprise-spring-cloud-gateway.md#configure-application-performance-monitoring) section of [Configure VMware Spring Cloud Gateway](./how-to-configure-enterprise-spring-cloud-gateway.md). ++## Restart Gateway ++For some errors, a restart might help solve the issue. For more information, see the [Restart Spring Cloud Gateway](./how-to-configure-enterprise-spring-cloud-gateway.md#restart-vmware-spring-cloud-gateway) section of [Configure VMware Spring Cloud Gateway](./how-to-configure-enterprise-spring-cloud-gateway.md). ++## Next steps ++- [How to Configure Spring Cloud Gateway](./how-to-configure-enterprise-spring-cloud-gateway.md) +- [Stream Azure Spring Apps managed component logs in real time](./how-to-managed-component-log-streaming.md) |
spring-apps | How To Use Accelerator | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-use-accelerator.md | + + Title: Use VMware Tanzu Application Accelerator with the Azure Spring Apps Enterprise plan +description: Learn how to use VMware Tanzu App Accelerator with the Azure Spring Apps Enterprise plan. +++ Last updated : 11/29/2022+++++# Use VMware Tanzu Application Accelerator with the Azure Spring Apps Enterprise plan ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ❌ Basic/Standard ✔️ Enterprise ++This article shows you how to use [Application Accelerator for VMware Tanzu](https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.5/tap/application-accelerator-about-application-accelerator.html) (App Accelerator) with the Azure Spring Apps Enterprise plan to bootstrap developing your applications in a discoverable and repeatable way. ++App Accelerator helps you bootstrap developing your applications and deploying them in a discoverable and repeatable way. You can use App Accelerator to create new projects based on published accelerator projects. For more information, see [Application Accelerator for VMware Tanzu](https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.5/tap/application-accelerator-about-application-accelerator.html) in the VMware documentation. ++## Prerequisites ++- An Azure subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. +- Understand and fulfill the requirements listed in the [Requirements](how-to-enterprise-marketplace-offer.md#requirements) section of [Enterprise plan in Azure Marketplace](how-to-enterprise-marketplace-offer.md). +- [Azure CLI](/cli/azure/install-azure-cli) with the Azure Spring Apps extension. Use the following command to remove previous versions and install the latest extension. If you previously installed the `spring-cloud` extension, uninstall it to avoid configuration and version mismatches. ++ ```azurecli + az extension remove --name spring + az extension add --name spring + az extension remove --name spring-cloud + ``` ++- To use App Accelerator in VS Code, you'll also need to satisfy the following prerequisites: ++ - [Visual Studio Code](https://code.visualstudio.com/Download) + - [Azure Spring Apps extension for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=vscjava.vscode-spring-cloud) ++## Enable App Accelerator ++You can enable App Accelerator when you provision an Azure Spring Apps Enterprise plan instance. If you already have an Azure Spring Apps Enterprise plan resource, see the [Manage App Accelerator in an existing Enterprise plan instance](#manage-app-accelerator-in-an-existing-enterprise-plan-instance) section to enable it. ++You can enable App Accelerator using the Azure portal or Azure CLI. ++### [Azure portal](#tab/Portal) ++Use the following steps to enable App Accelerator using the Azure portal: ++1. Open the [Azure portal](https://portal.azure.com). +1. On the **Basics** tab, select **Enterprise tier** in the **Pricing** section and specify the required information. Then select **Next: VMware Tanzu settings**. +1. On the **VMware Tanzu settings** tab, select **Enable App Accelerator**. ++ :::image type="content" source="media/how-to-use-accelerator/create-instance.png" alt-text="Screenshot of the Azure portal that shows the VMware Tanzu settings tab of the Azure Spring Apps Create screen, with the Enable App Accelerator checkbox highlighted." lightbox="media/how-to-use-accelerator/create-instance.png"::: ++1. Specify other settings, and then select **Review and Create**. +1. On the **Review an create** tab, make sure that **Enable App Accelerator** and **Enable Dev Tools Portal** are set to **Yes**. Select **Create** to create the Enterprise plan instance. ++### [Azure CLI](#tab/Azure-CLI) ++Use the following steps to provision an Azure Spring Apps service instance with App Accelerator enabled using the Azure CLI. ++1. Use the following command to sign in to the Azure CLI and choose your active subscription: ++ ```azurecli + az login + az account list --output table + az account set --subscription <subscription-ID> + ``` ++1. Use the following command to accept the legal terms and privacy statements for the Azure Spring Apps Enterprise plan. This step is necessary only if your subscription has never been used to create an Enterprise plan instance. ++ ```azurecli + az provider register --namespace Microsoft.SaaS + az term accept \ + --publisher vmware-inc \ + --product azure-spring-cloud-vmware-tanzu-2 \ + --plan asa-ent-hr-mtr + ``` ++1. Select a location. The location must support the Azure Spring Apps Enterprise plan. For more information, see the [Azure Spring Apps FAQ](faq.md). ++1. Use the following command to create a resource group: ++ ```azurecli + az group create \ + --name <resource-group-name> \ + --location <location> + ``` ++ For more information about resource groups, see [What is Azure Resource Manager?](../../azure-resource-manager/management/overview.md) ++1. Prepare a name for your Azure Spring Apps service instance. The name must be between 4 and 32 characters long and can contain only lowercase letters, numbers, and hyphens. The first character of the service name must be a letter and the last character must be either a letter or a number. ++1. Use the following command to create an Azure Spring Apps service instance with App Accelerator enabled: ++ ```azurecli + az spring create \ + --resource-group <resource-group-name> \ + --name <Azure-Spring-Apps-service-instance-name> \ + --sku enterprise \ + --enable-application-accelerator + ``` ++++## Monitor App Accelerator ++Application Accelerator lets you generate new projects from files in Git repositories. The following table describes Application Accelerator's components: ++| Component name | Instance count | vCPU per instance | Memory per instance | Description | +||-|-||-| +| `accelerator-server` | 2 | 0.4 core | 0.5Gi | Serves API used by Dev Tools Portal to list available accelerators and options. | +| `accelerator-engine` | 1 | 1 core | 3Gi | Processes the input values and files (pulled from a snapshot of a Git repository) and applies dynamic transformations to generate projects. | +| `accelerator-controller` | 1 | 0.2 core | 0.25Gi | Reconciles Application Accelerator resources. | +| `source-controller` | 1 | 0.2 core | 0.25Gi | Registers a controller to reconcile the `ImageRepositories` and `MavenArtifacts` resources used by Application Accelerator. | +| `flux-source-controller` | 1 | 0.2 core | 0.25Gi | Registers a controller to reconcile `GithubRepository` resources used by Application Accelerator. Supports managing Git repository sources for Application Accelerator. | ++You can see the running instances and resource usage of all the components using the Azure portal and Azure CLI. ++### [Azure portal](#tab/Portal) ++You can view the state of Application Accelerator in the Azure portal on the **Developer Tools** page, as shown in the following screenshot: +++### [Azure CLI](#tab/Azure-CLI) ++Use the following command in the Azure CLI to view Application Accelerator. ++```azurecli +az spring application-accelerator show \ + --service <Azure-Spring-Apps-service-instance-name> \ + --resource-group <resource-group-name> +``` ++++## Configure Dev Tools to access Application Accelerator ++To access Application Accelerator, you must configure Tanzu Dev Tools. For more information, see [Configure Tanzu Dev Tools in the Azure Spring Apps Enterprise plan](./how-to-use-dev-tool-portal.md). ++## Use Application Accelerator to bootstrap your new projects ++To use Application Accelerator to bootstrap your new projects, you must get permissions to manage accelerators. You can then manage predefined accelerators or your own accelerators. ++### Get permissions to manage accelerators ++Managing your accelerators requires the following permissions: ++- Read: Get Azure Spring Apps Predefined Accelerator +- Other: Disable Azure Spring Apps Predefined Accelerator +- Other: Enable Azure Spring Apps Predefined Accelerator +- Write: Create or Update Microsoft Azure Spring Apps Customized Accelerator +- Read: Get Azure Spring Apps Customized Accelerator ++For more information, see [How to use permissions in Azure Spring Apps](./how-to-permissions.md). ++### Manage predefined accelerators ++You can start with several predefined accelerators to bootstrap your new projects. You can disable or enable the built-in accelerators according to your own preference. ++You can manage predefined accelerators using the Azure portal or Azure CLI. ++#### [Azure portal](#tab/Portal) ++You can view the built-in accelerators in the Azure portal on the **Accelerators** tab, as shown in the following screenshot: +++#### [Azure CLI](#tab/Azure-CLI) ++Use the following command in the Azure CLI to view a list of built-in accelerators: ++```azurecli +az spring application-accelerator predefined-accelerator list \ + --service <service-instance-name> \ + --resource-group <resource-group-name> +``` ++Use the following command to disable a built-in predefined accelerator: ++```azurecli +az spring application-accelerator predefined-accelerator disable \ + --name <predefined-accelerator-name> \ + --service <service-instance-name> \ + --resource-group <resource-group-name> +``` ++Use the following command to enable a built-in predefined accelerator: ++```azurecli +az spring application-accelerator predefined-accelerator enable \ + --name <predefined-accelerator-name> \ + --service <service-instance-name> \ + --resource-group <resource-group-name> +``` ++++### Manage your own accelerators ++In addition to using the predefined accelerators, you can create your own accelerators. You can use any Git repository in Azure Devops, GitHub, GitLab, or BitBucket. ++Use the following steps to create and maintain your own accelerators: ++First, create a file named *accelerator.yaml* in the root directory of your Git repository. ++You can use the *accelerator.yaml* file to declare input options that users fill in using a form in the UI. These option values control processing by the template engine before it returns the zipped output files. If you don't include an *accelerator.yaml* file, the repository still works as an accelerator, but the files are passed unmodified to users. For more information, see [Creating an accelerator.yaml file](https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.5/tap/application-accelerator-creating-accelerators-accelerator-yaml.html). ++Next, publish the new accelerator. ++After you create your *accelerator.yaml* file, you can create your accelerator. You can then view it in the Azure portal or the Application Accelerator page in Dev Tools Portal. You can publish the new accelerator using the Azure portal or Azure CLI. ++#### [Azure portal](#tab/Portal) ++To create your own accelerator, open the **Accelerators** section and then select **Add Accelerator** under the Customized Accelerators section. +++#### [Azure CLI](#tab/Azure-CLI) ++Use the following command to create your own accelerator in Azure CLI: ++```azurecli +az spring application-accelerator customized-accelerator create \ + --name <customized-accelerator-name> \ + --service <service-instance-name> \ + --resource-group <resource-group-name> \ + --display-name <display-name> \ + --git-url <git-repo-url> \ + [--description <description>] \ + [--icon-url <icon-url>] \ + [--accelerator-tags <tags-on-accelerator>] \ + [--git-interval <git-repository-refresh-interval-in-seconds>] \ + [--git-branch <git-branch-name>] \ + [--git-commit <git-commit-ID>] \ + [--git-tag <git-tag>] \ + [--ca-cert-name <ca-cert-name>] \ + [--username] \ + [--password] \ + [--private-key] \ + [--host-key] \ + [--host-key-algorithm] +``` ++++The following table describes the customizable accelerator fields. ++| Portal | CLI | Description | Required/Optional | +|||--|-| +| **Name** | `name` | A unique name for the accelerator. The name can't change after you create it. | Required | +| **Description** | `display-name` | A longer description of the accelerator. | Optional | +| **Icon url** | `icon-url` | A URL for an image to represent the accelerator in the UI. | Optional | +| **Tags** | `accelerator-tags` | An array of strings defining attributes of the accelerator that can be used in a search in the UI. | Optional | +| **Git url** | `git-url` | The repository URL of the accelerator source Git repository. The URL can be an HTTP/S or SSH address. The [scp-like syntax](https://git-scm.com/book/en/v2/Git-on-the-Server-The-Protocols#_the_ssh_protocol) isn't supported for SSH addresses (for example, `user@example.com:repository.git`). Instead, the valid URL format is `ssh://user@example.com:22/repository.git`. | Required | +| **Git interval** | `git-interval-in-seconds` | The interval at which to check for repository updates. If not specified, the interval defaults to 10 minutes. There's also a refresh interval (currently 10 seconds) before accelerators may appear in the UI. There could be a 10-second delay before changes are reflected in the UI. | Optional | +| **Git branch** | `git-branch` | The Git branch to check out and monitor for changes. You should specify only the Git branch, Git commit, or Git tag. | Optional | +| **Git commit** | `git-commit` | The Git commit SHA to check out. You should specify only the Git branch, Git commit, or Git tag. | Optional | +| **Git tag** | `git-tag` | The Git commit tag to check out. You should specify only the Git branch, Git commit, or Git tag. | Optional | +| **Git sub path** | `git-sub-path` | The folder path inside the Git repository to consider as the root of the accelerator or fragment. | Optional | +| **Authentication type** | `N/A` | The authentication type of the accelerator source repository. The type can be `Public`, `Basic auth`, or `SSH`. | Required | +| **User name** | `username` | The user name to access the accelerator source repository whose authentication type is `Basic auth`. | Required when the authentication type is `Basic auth`. | +| **Password/Personal access token** | `password` | The password to access the accelerator source repository whose authentication type is `Basic auth`. | Required when the authentication type is `Basic auth`. | +| **Private key** | `private-key` | The private key to access the accelerator source repository whose authentication type is `SSH`. Only OpenSSH private key is supported. | Required when authentication type is `SSH`. | +| **Host key** | `host-key` | The host key to access the accelerator source repository whose authentication type is `SSH`. | Required when the authentication type is `SSH`. | +| **Host key algorithm** | `host-key-algorithm` | The host key algorithm to access the accelerator source repository whose authentication type is `SSH`. Can be `ecdsa-sha2-nistp256` or `ssh-rsa`. | Required when authentication type is `SSH`. | +| **CA certificate name** | `ca-cert-name` | The CA certificate name to access the accelerator source repository with self-signed certificate whose authentication type is `Public` or `Basic auth`. | Required when a self-signed cert is used for the Git repo URL. | +| **Type** | `type` | The type of customized accelerator. The type can be `Accelerator` or `Fragment`. The default value is `Accelerator`. | Optional | ++To view all published accelerators, see the App Accelerators section of the **Developer Tools** page. Select the App Accelerator URL to view the published accelerators in Dev Tools Portal: +++To view the newly published accelerator, refresh Dev Tools Portal. +++> [!NOTE] +> It might take a few seconds for Dev Tools Portal to refresh the catalog and add an entry for your new accelerator. The refresh interval is configured as `git-interval` when you create the accelerator. After you change the accelerator, it also takes time to be reflected in Dev Tools Portal. The best practice is to change the `git-interval` to speed up for verification after you apply changes to the Git repo. ++### Reference a fragment in your own accelerators ++Writing and maintaining accelerators can become repetitive and verbose as new accelerators are added. Some people create new projects by copying existing ones and making modifications, but this process can be tedious and error prone. To make the creation and maintenance of accelerators easier, Application Accelerator supports a feature named Composition that allows the reuse of parts of an accelerator, called *fragments*. ++Use the following steps to reference a fragment in your accelerator: ++1. Publish the new accelerator of type `Fragment` using the Azure portal or the Azure CLI. ++ #### [Azure portal](#tab/Portal) ++ To create a fragment accelerator, open the **Accelerators** section, select **Add Accelerator** under the **Customized Accelerators** section, and then select **Fragment**. ++ :::image type="content" source="media/how-to-use-accelerator/add-fragment.png" alt-text="Screenshot of the Azure portal that shows the Customized Accelerators of type `Fragment`." lightbox="media/how-to-use-accelerator/add-fragment.png"::: ++ #### [Azure CLI](#tab/Azure-CLI) ++ Use the following command to create a customized accelerator of type `Fragment`: ++ ```azurecli + az spring application-accelerator customized-accelerator create \ + --resource-group <resource-group-name> \ + --service <service-instance-name> \ + --name <fragment-accelerator-name> \ + --display-name <display-name> \ + --type Fragment \ + [--git-sub-path <sub project path>] \ + --git-url <git-repo-URL> + ``` ++1. Change the *accelerator.yaml* file in your accelerator project. Use the `imports` instruction in the `accelerator` section and the `InvokeFragment` instruction in the `engine` section to reference the fragment in the accelerator, as shown in the following example: ++ ```yaml + accelerator: + ... + # options for the UI + options: + ... + imports: + - name: <fragment-accelerator-name> + ... ++ engine: + chain: + ... + - merge: + - include: [ "**" ] + - type: InvokeFragment + reference: <fragment-accelerator-name> + ``` ++1. Synchronize the change with the Dev Tools Portal. ++ To reflect the changes on the Dev Tools Portal more quickly, you can provide a value for the **Git interval** field of your customized accelerator. The **Git interval** value indicates how frequently the system checks for updates in the Git repository. ++1. Synchronize the change with your customized accelerator on the Azure portal by using the Azure portal or the Azure CLI. ++ #### [Azure portal](#tab/Portal) ++ The following list shows the two ways you can sync changes: ++ - Create or update your customized accelerator. + - Open the **Accelerators** section, and then select **Sync certificate**. ++ #### [Azure CLI](#tab/Azure-CLI) ++ Use the following command to sync changes for an accelerator: ++ ```azurecli + az spring application-accelerator customized-accelerator sync-cert \ + --name <customized-accelerator-name> \ + --service <service-instance-name> \ + --resource-group <resource-group-name> + ``` ++For more information, see [Use fragments in Application Accelerator](https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.5/tap/application-accelerator-creating-accelerators-composition.html) in the VMware documentation. ++### Use accelerators to bootstrap a new project ++Use the following steps to bootstrap a new project using accelerators: ++1. On the **Developer Tools** page, select the App Accelerator URL to open the Dev Tools Portal. ++ :::image type="content" source="media/how-to-use-accelerator/tap-gui-url.png" alt-text="Screenshot of the Azure portal that shows the Developer Tools page with the App Accelerator URL highlighted." lightbox="media/how-to-use-accelerator/tap-gui-url.png"::: ++1. On the Dev Tools Portal, select an accelerator. ++1. Specify input options in the **Configure accelerator** section of the **Generate Accelerators** page. ++ :::image type="content" source="media/how-to-use-accelerator/configure-accelerator.png" alt-text="Screenshot of the VMware Tanzu Dev Tools for Azure Spring Apps Generate Accelerators page that shows the Configure accelerator section." lightbox="media/how-to-use-accelerator/configure-accelerator.png"::: ++1. Select **EXPLORE FILE** to view the project structure and source code. ++ :::image type="content" source="media/how-to-use-accelerator/explore-accelerator-project.png" alt-text="Screenshot of the VMware Tanzu Dev Tools for Azure Spring Apps Explore project pane." lightbox="media/how-to-use-accelerator/explore-accelerator-project.png"::: ++1. Select **Review and generate** to review the specified parameters, and then select **Generate accelerator**. ++ :::image type="content" source="media/how-to-use-accelerator/generate-accelerator.png" alt-text="Screenshot of the VMware Tanzu Dev Tools for Azure Spring Apps Generate Accelerators page that shows the Review and generate section." lightbox="media/how-to-use-accelerator/generate-accelerator.png"::: ++1. You can then view or download the project as a zip file. ++ :::image type="content" source="media/how-to-use-accelerator/download-file.png" alt-text="Screenshot the VMware Tanzu Dev Tools for Azure Spring Apps that shows the Task Activity pane." lightbox="media/how-to-use-accelerator/download-file.png"::: ++### Configure accelerators with a self-signed certificate ++When you set up a private Git repository and enable HTTPS with a self-signed certificate, you should configure the CA certificate name to the accelerator for client certificate verification from the accelerator to the Git repository. ++Use the following steps to configure accelerators with a self-signed certificate: ++1. Import the certificates into Azure Spring Apps. For more information, see the [Import a certificate](how-to-use-tls-certificate.md#import-a-certificate) section of [Use TLS/SSL certificates in your application in Azure Spring Apps](how-to-use-tls-certificate.md). +1. Configure the certificate for the accelerator by using the Azure portal or the Azure CLI. ++#### [Azure portal](#tab/Portal) ++To configure a certificate for an accelerator, open the **Accelerators** section and then select **Add Accelerator** under the **Customized Accelerators** section. Then, select the certificate from the dropdown list. +++#### [Azure CLI](#tab/Azure-CLI) ++Use the following command to configure a certificate for the accelerator: ++```azurecli +az spring application-accelerator customized-accelerator create \ + --resource-group <resource-group-name> \ + --service <service-instance-name> \ + --name <customized-accelerator-name> \ + --git-url <git-repo-URL> \ + --ca-cert-name <ca-cert-name> +``` ++++### Rotate certificates ++As certificates expire, you need to rotate certificates in Spring Cloud Apps by using the following steps: ++1. Generate new certificates from a trusted CA. +1. Import the certificates into Azure Spring Apps. For more information, see the [Import a certificate](how-to-use-tls-certificate.md#import-a-certificate) section of [Use TLS/SSL certificates in your application in Azure Spring Apps](how-to-use-tls-certificate.md). +1. Synchronize the certificates using the Azure portal or the Azure CLI. ++The accelerators won't automatically use the latest certificate. You should sync one or all certificates by using the Azure portal or the Azure CLI. ++#### [Azure portal](#tab/Portal) ++To sync certificates for all accelerators, open the **Accelerators** section and then select **Sync certificate**, as shown in the following screenshot: +++To sync a certificate for a single accelerator, open the **Accelerators** section and then select **Sync certificate** from the context menu of an accelerator, as shown in the following screenshot: +++#### [Azure CLI](#tab/Azure-CLI) ++Use the following command to sync certificates for an accelerator: ++```azurecli +az spring application-accelerator customized-accelerator sync-cert \ + --name <customized-accelerator-name> \ + --service <service-instance-name> \ + --resource-group <resource-group-name> +``` ++++## Manage App Accelerator in an existing Enterprise plan instance ++You can enable App Accelerator under an existing Azure Spring Apps Enterprise plan instance using the Azure portal or Azure CLI. ++### [Azure portal](#tab/Portal) ++If a Dev tools public endpoint has already been exposed, you can enable App Accelerator, and then press <kbd>Ctrl</kbd>+<kbd>F5</kbd> to deactivate the browser cache to view it on the Dev Tools Portal. ++Use the following steps to enable App Accelerator under an existing Azure Spring Apps Enterprise plan instance using the Azure portal: ++1. Navigate to your service resource, and then select **Developer Tools**. +1. Select **Manage tools**. +1. Select **Enable App Accelerator**, and then select **Apply**. ++ :::image type="content" source="media/how-to-use-accelerator/enable-app-accelerator.png" alt-text="Screenshot of the Azure portal that shows the Manage tools pane with the Enable App Accelerator option highlighted." lightbox="media/how-to-use-accelerator/enable-app-accelerator.png"::: ++You can view whether App Accelerator is enabled or disabled on the **Developer Tools** page. ++### [Azure CLI](#tab/Azure-CLI) ++Use the following command to enable App Accelerator for an Azure Spring Apps service instance using the Azure CLI: ++```azurecli +az spring application-accelerator create \ + --service <Azure-Spring-Apps-service-instance-name> \ + --resource-group <resource-group-name> +``` ++Use the following command to disable App Accelerator for an Azure Spring Apps service instance: ++```azurecli +az spring application-accelerator delete \ + --service <Azure-Spring-Apps-service-instance-name> \ + --resource-group <resource-group-name> +``` ++To access the Dev Tools Portal, make sure it's enabled with an assigned public endpoint. Use the following command to enable the Dev Tools Portal: ++```azurecli +az spring dev-tool create \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> \ + --assign-endpoint +``` ++++## Use App Accelerator in VS Code ++You can bootstrap your project from any accelerator of App Accelerator in an Azure Spring Apps Enterprise plan service instance in VS Code directly. ++### View the list of App Accelerators ++Use the following steps to view the list of App Accelerators in an Azure Spring Apps Enterprise plan service instance: ++1. In Visual Studio Code, open the Azure Spring Apps extension, and then sign in to your Azure account. ++1. Expand the service instance that you want and right-click to select the service instance. ++1. From the menu, select **Open Application Accelerator** to open the list of App Accelerators. The system prompts you to install the [Tanzu Application Accelerator Visual Studio Code extension](https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.6/tap/application-accelerator-vscode.html) if it isn't installed. ++ :::image type="content" source="media/how-to-use-accelerator/visual-studio-code-open-accelerator.png" alt-text="Screenshot of the VS Code extension showing the Open Application Accelerator option for a service instance." lightbox="media/how-to-use-accelerator/visual-studio-code-open-accelerator.png"::: ++1. Select any accelerator to bootstrap your project. ++ :::image type="content" source="media/how-to-use-accelerator/visual-studio-code-extension-accelerator-list.png" alt-text="Screenshot of VS Code that shows the list of App Accelerator extensions." lightbox="media/how-to-use-accelerator/visual-studio-code-extension-accelerator-list.png"::: ++> [!NOTE] +> When using the extension, if you experience any issues that you can't fix, log out of your account from the extension. ++### Troubleshoot App Accelerator issues ++If you try to open App Accelerator for a service instance that hasn't enabled App Accelerator or exposed a public endpoint, you see the following error message: `Application Accelerator of Spring Apps <instance-name> is not enabled or publically accessible`. ++To enable App Accelerator and expose public endpoints, use the following steps. For more information, see the [Manage App Accelerator in an existing Enterprise plan instance](#manage-app-accelerator-in-an-existing-enterprise-plan-instance) section. ++1. If you enabled single sign-on in the Dev Tools Portal, you see the following message when you access the extension: `The extension 'Tanzu App Accelerator' wants to sign in using VMware Tanzu.` For more information, see the [Configure Dev Tools Portal](./how-to-use-dev-tool-portal.md#configure-dev-tools-portal) section of [Configure Tanzu Dev Tools in the Azure Spring Apps Enterprise plan](how-to-use-dev-tool-portal.md). ++1. Select **Allow**, select **Open**, and then select **Open** again to open the list of VS Code extensions. ++ :::image type="content" source="media/how-to-use-accelerator/visual-studio-code-extension-accelerator-list.png" alt-text="Screenshot of VS Code that shows the list of App Accelerator extensions." lightbox="media/how-to-use-accelerator/visual-studio-code-extension-accelerator-list.png"::: ++Sometimes, you might get an error message similar to the following example: `AADSTS50011: The redirect URI 'vscode://VMware.tanzu-app-accelerator' specified in the request does not match the redirect URIs configured for the application 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/redirectUriMismatchError to learn more about how to fix this.` ++To address this issue, add the redirect URI `vscode://VMware.tanzu-app-accelerator` to the relevant identity provider (IdP). In Microsoft Entra ID, go to the **Authentication** menu and add redirect URIs to mobile and desktop applications in the platform configurations. ++## Next steps ++- [Azure Spring Apps](index.yml) |
spring-apps | How To Use Application Live View | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-use-application-live-view.md | + + Title: Use Application Live View with the Azure Spring Apps Enterprise plan +description: Learn how to use Application Live View for VMware Tanzu. ++++ Last updated : 12/01/2022++++# Use Application Live View with the Azure Spring Apps Enterprise plan ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ❌ Basic/Standard ✔️ Enterprise ++This article shows you how to use Application Live View for VMware Tanzu with the Azure Spring Apps Enterprise plan. ++[Application Live View for VMware Tanzu](https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.4/tap/app-live-view-about-app-live-view.html) is a lightweight insights and troubleshooting tool that helps app developers and app operators look inside running apps. ++Application Live View only supports Spring Boot applications. ++## Prerequisites ++- An Azure subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. +- Understand and fulfill the [Requirements](how-to-enterprise-marketplace-offer.md#requirements) section of [Enterprise plan in Azure Marketplace](how-to-enterprise-marketplace-offer.md). +- [Azure CLI](/cli/azure/install-azure-cli) with the Azure Spring Apps extension. Use the following command to remove previous versions and install the latest extension. If you previously installed the `spring-cloud` extension, uninstall it to avoid configuration and version mismatches. ++ ```azurecli + az extension remove --name spring + az extension add --name spring + az extension remove --name spring-cloud + ``` ++## Enable Application Live View ++You can enable Application Live View when you provision an Azure Spring Apps Enterprise plan instance. If you already have a provisioned Azure Spring Apps Enterprise resource, see the [Manage Application Live View in existing Enterprise plan instances](#manage-application-live-view-in-existing-enterprise-plan-instances) section of this article. ++You can enable Application Live View using the Azure portal or Azure CLI. ++### [Azure portal](#tab/Portal) ++Use the following steps to enable Application Live View using the Azure portal: ++1. Navigate to the [Azure portal](https://portal.azure.com/#create/vmware-inc.azure-spring-cloud-vmware-tanzu-2). +1. On the **Basics** tab, select **Enterprise tier** in pricing, specify other input fields, and then select **Next**. +1. On the **VMware Tanzu settings** tab, select **Enable App Live View**. ++ :::image type="content" source="media/how-to-use-application-live-view/create.png" alt-text="Screenshot of the VMware Tanzu settings tab with the Enable App Live View checkbox selected." lightbox="media/how-to-use-application-live-view/create.png"::: ++1. Specify other settings, and then select **Review and Create**. +1. Make sure that **Enable Application Live View** and **Enable Dev Tools Portal** are set to *Yes* on the **Review and Create** tab, and then select **Create** to create the Enterprise plan instance. ++### [Azure CLI](#tab/Azure-CLI) ++Use the following steps to provision an Azure Spring Apps service instance using the Azure CLI. ++1. Use the following command to sign in to the Azure CLI and specify your active subscription: ++ ```azurecli + az login + az account list --output table + az account set --subscription <subscription-ID> + ``` ++1. Use the following command to accept the legal terms and privacy statements for the Enterprise plan. This step is necessary only if your subscription has never been used to create an Enterprise plan instance of Azure Spring Apps. ++ ```azurecli + az provider register --namespace Microsoft.SaaS + az term accept \ + --publisher vmware-inc \ + --product azure-spring-cloud-vmware-tanzu-2 \ + --plan asa-ent-hr-mtr + ``` ++1. Select a location. This location must be a location supporting the Azure Spring Apps Enterprise plan. For more information, see the [Azure Spring Apps FAQ](faq.md). ++1. Use the following command to create a resource group: ++ ```azurecli + az group create \ + --name <resource-group-name> \ + --location <location> + ``` ++ For more information about resource groups, see [What is Azure Resource Manager?](../../azure-resource-manager/management/overview.md) ++1. Prepare a name for your Azure Spring Apps service instance. The name must be between 4 and 32 characters long and can contain only lowercase letters, numbers, and hyphens. The first character of the service name must be a letter and the last character must be either a letter or a number. ++1. Use the following command to create an Azure Spring Apps service instance: ++ ```azurecli + az spring create \ + --resource-group <resource-group-name> \ + --name <Azure-Spring-Apps-service-instance-name> \ + --sku enterprise \ + --enable-application-live-view + ``` ++++## Monitor Application Live View ++Azure Spring Apps runs the Application Live View in connector mode. ++| Component | Description | +||-| +| Application Live View Server | The central server component that contains a list of registered apps. Application Live View Server is responsible for proxying the request to fetch the actuator information related to the app. | +| Application Live View Connector | The component responsible for discovering the running app and registering the instances to the Application Live View Server for it to be observed. The Application Live View Connector is also responsible for proxying the actuator queries to the app. | ++After you provision the Azure Spring Apps Enterprise plan instance, you can obtain its running state and resource consumption, or manage Application Live View. ++You can monitor Application Live View using the Azure portal or Azure CLI. ++### [Azure portal](#tab/Portal) ++You can view the state of Application Live View in the Azure portal on the **Overview** tab of the **Developer Tools** page. +++### [Azure CLI](#tab/Azure-CLI) ++Use the following command in the Azure CLI to view Application Live View: ++```azurecli +az spring application-live-view show \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> +``` ++++## Configure Dev Tools to access Application Live View ++To access Application Live View, you need to configure Tanzu Dev Tools. For more information, see [Configure Tanzu Dev Tools in the Azure Spring Apps Enterprise plan](./how-to-use-dev-tool-portal.md). ++## Use Application Live View to monitor your apps ++Application Live View lets you view live metrics for Spring Boot applications and Spring Native applications. The Application Live View is based on the concept of Spring Boot Actuators. ++Use the following steps to deploy an app and monitor it in Application Live View: ++1. Add the following dependency to your application's *pom.xml* file. ++ ```xml + <dependency> + <groupId>org.springframework.boot</groupId> + <artifactId>spring-boot-starter-actuator</artifactId> + </dependency> + ``` ++1. Add the following execution goal to your Maven plugin in the *pom.xml* file to expose build information: ++ ```xml + <plugin> + <groupId>org.springframework.boot</groupId> + <artifactId>spring-boot-maven-plugin</artifactId> + <executions> + <execution> + <goals> + <goal>build-info</goal> + </goals> + <configuration> + <additionalProperties> + <spring.boot.version>${project.parent.version}</spring.boot.version> + </additionalProperties> + </configuration> + </execution> + </executions> + </plugin> + ``` ++1. Enable the actuator endpoint by adding the following configuration in *application.properties*: ++ ```properties + management.endpoints.web.exposure.include=info,health + ``` ++1. Use the following command to build your package locally: ++ ```bash + mvn clean package -DskipTests + ``` ++1. Use the following command to deploy the binary: ++ ```azurecli + az spring app create \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> \ + --name <app-name> + az spring app deploy \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> \ + --name <app-name> \ + --artifact-path <jar-file-in-target-folder> + ``` ++1. After the app is successfully deployed, you can monitor it using the Application Live View dashboard on Dev Tools Portal. For more information, see [Monitor apps by Application Live View](./monitor-apps-by-application-live-view.md). ++ If you've already enabled Dev Tools Portal and exposed a public endpoint, use the following command to get the Dev Tools Portal dashboard URL. Add the suffix `/app-live-view` to compose the endpoint to access Application Live View. ++ ```azurecli + az spring dev-tool show --service <Azure-Spring-Apps-service-instance-name> \ + --resource-group <resource-group-name> \ + --query properties.url \ + --output tsv + ``` ++ You can also access the Application Live View using Visual Studio Code (VS Code). For more information, see the [Use Application Live View in VS Code](#use-application-live-view-in-vs-code) section. ++## Manage Application Live View in existing Enterprise plan instances ++You can enable Application Live View in an existing Azure Spring Apps Enterprise plan instance using the Azure portal or Azure CLI. ++If you have already enabled Dev Tools Portal and exposed a public endpoint, use <kbd>Ctrl</kbd>+<kbd>F5</kbd> to deactivate the browser cache after you enable Application Live View. ++### [Azure portal](#tab/Portal) ++Use the following steps to manage Application Live View using the Azure portal: ++1. Navigate to your service resource, and then select **Developer Tools**. +1. Select **Manage tools**. ++ :::image type="content" source="media/how-to-use-application-live-view/manage.png" alt-text="Screenshot of the Developer Tools page." lightbox="media/how-to-use-application-live-view/manage.png"::: ++1. Select the **Enable App Live View** checkbox, and then select **Save**. ++ :::image type="content" source="media/how-to-use-application-live-view/check-enable.png" alt-text="Screenshot of the Developer Tools section showing the Enable App Live View checkbox." lightbox="media/how-to-use-application-live-view/check-enable.png"::: ++1. You can then view the state of Application Live View on the **Developer Tools**. ++ :::image type="content" source="media/how-to-use-application-live-view/check-enable.png" alt-text="Screenshot of the Developer Tools section showing the Enable App Live View checkbox." lightbox="media/how-to-use-application-live-view/check-enable.png"::: ++### [Azure CLI](#tab/Azure-CLI) ++Use the following command to enable Application Live View using the Azure CLI: ++```azurecli +az spring application-live-view create \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> +``` ++To access the Application Live View dashboard, you must enable Dev Tools Portal and assign a public endpoint. Use the following command to enable Dev Tools Portal and assign a public endpoint: ++```azurecli +az spring dev-tool create \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> \ + --assign-endpoint +``` ++++## Use Application Live View in VS Code ++You can access Application Live View directly in VS Code to monitor your apps in the Azure Spring Apps Enterprise plan. ++### Prerequisites ++- [Visual Studio Code](https://code.visualstudio.com/Download) +- [Azure Spring Apps extension for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=vscjava.vscode-spring-cloud) ++### View Application Live View dashboard ++Use the following steps to view the Application Live View dashboard for a service instance: ++1. In Visual Studio Code, open the Azure Spring Apps extension, and then sign in to your Azure account. +1. Expand the service instance that you want to monitor and right-click to select the service instance. +1. Select **Open Application Live View** from the menu to open the Application Live View dashboard in your default browser. ++ :::image type="content" source="media/how-to-use-application-live-view/visual-studio-code-open-service.png" alt-text="Screenshot of the VS Code extension showing the Open Application Live View option for a service instance." lightbox="media/how-to-use-application-live-view/visual-studio-code-open-service.png"::: ++### View Application Live View page for an app ++Use the following steps to view the Application Live View page for an app: ++1. In Visual Studio Code, open the Azure Spring Apps extension, and then sign in to your Azure account. +1. Expand the service instance and the app that you want to monitor. Right-click the app. +1. Select **Open Application Live View** from the menu to open the Application Live View page for the app in your default browser. ++ :::image type="content" source="media/how-to-use-application-live-view/visual-studio-code-open-app.png" alt-text="Screenshot of the VS Code extension showing the Open Application Live View option for an app." lightbox="media/how-to-use-application-live-view/visual-studio-code-open-app.png"::: ++### Troubleshoot Application Live View issues ++If you try to open Application Live View for a service instance or an app that hasn't enabled Application Live View or exposed a public endpoint, you see an error message. ++ :::image type="content" source="media/how-to-use-application-live-view/visual-studio-code-not-enabled.png" alt-text="Screenshot of the error message showing Application Live View not enabled and public endpoint not accessible." lightbox="media/how-to-use-application-live-view/visual-studio-code-not-enabled.png"::: ++To enable Application Live View and expose public endpoint, use either the Azure portal or the Azure CLI. For more information, see the [Manage Application Live View in existing Enterprise plan instances](#manage-application-live-view-in-existing-enterprise-plan-instances) section. ++## Next steps ++- [Azure Spring Apps](index.yml) |
spring-apps | How To Use Dev Tool Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-use-dev-tool-portal.md | + + Title: Configure Tanzu Dev Tools in the Azure Spring Apps Enterprise plan +description: Learn how to use Tanzu Dev Tools in the Azure Spring Apps Enterprise plan. ++++ Last updated : 11/28/2022++++# Configure Tanzu Dev Tools in the Azure Spring Apps Enterprise plan ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ❌ Basic/Standard ✔️ Enterprise ++This article describes how to configure VMware Tanzu Dev Tools. Dev Tools includes a set of developer tools to help make the development experience easier for both the inner and outer loop. Currently, Dev Tools includes Application Live View and Application Accelerator for use with the Azure Spring Apps Enterprise plan. ++[Dev Tools Portal](https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.3/tap/GUID-tap-gui-https://docsupdatetracker.net/about.html) is a centralized portal that you can use to access any Dev Tools. You can use Dev Tools Portal to view the applications and services running for your organization. In this article, you learn how to use Dev Tools Portal to configure single sign-on (SSO) and endpoint exposure so that you can get access to any Dev Tools. ++## Prerequisites ++- An Azure subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. +- Understand and fulfill the [Requirements](how-to-enterprise-marketplace-offer.md#requirements) section of [Enterprise plan in Azure Marketplace](how-to-enterprise-marketplace-offer.md). +- [Azure CLI](/cli/azure/install-azure-cli) with the Azure Spring Apps extension. Use the following command to remove previous versions and install the latest extension. If you previously installed the `spring-cloud` extension, uninstall it to avoid configuration and version mismatches. ++ ```azurecli + az extension remove --name spring + az extension add --name spring + az extension remove --name spring-cloud + ``` ++- Custom roles that delegate permissions to Azure Spring Apps resources. For more information, see [How to use permissions in Azure Spring Apps](how-to-permissions.md). ++## Configure Dev Tools Portal ++Dev Tools Portal supports authentication and authorization using single sign-on (SSO) with an OpenID identity provider (IdP) that supports the OpenID Connect Discovery protocol. ++> [!NOTE] +> Azure Spring Apps supports only authorization servers that support the OpenID Connect Discovery protocol. Make sure to configure the external authorization server to allow redirects back to the Dev Tools Portal. See your authorization server's documentation and add `https://dev-tool-portal-external-url/oauth2/callback` to the list of allowed redirect URIs. ++The following table describes SSO properties: ++| Property | Required? | Description | +|-|--|-| +| `metadataUri` | Yes | The URI of a JSON file with generic OIDC provider configuration. The result is expected to be an OpenID Provider Configuration Response. | +| `clientId` | Yes | The OpenID Connect client ID provided by your IdP. | +| `clientSecret` | Yes | The OpenID Connect client secret provided by your IdP. | +| `scopes` | Yes | A list of scopes to include in JSON Web Token (JWT) identity tokens. This list should be based on the scopes allowed by your identity provider. | ++> [!NOTE] +> If you configure an SSO property incorrectly, such as providing the wrong password, remove the property and add it again with the correct configuration. ++You can configure Dev Tools Portal using the Azure portal or Azure CLI. ++### [Azure portal](#tab/Portal) ++Use the following steps to configure Dev Tools Portal using the Azure portal: ++1. Open the [Azure portal](https://portal.azure.com). +1. Select **Developer Tools**. +1. Select the **Configuration** tab. +1. On the **Configuration** page, update **Scope**, **Client ID**, **Client Secret**, and **Metadata Url**, and then select **Save**. +1. Select **Assign endpoint** to expose the public endpoint. ++### [Azure CLI](#tab/Azure-CLI) ++Use the following command to update the SSO configuration using the Azure CLI: ++```azurecli +az spring dev-tool update \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> \ + --client-id "<client-id>" \ + --scopes "scope1,scope2" \ + --client-secret "<client-secret>" \ + --metadata-url "https://example.com/.well-known/openid-configuration" + --assign-endpoint +``` ++++## Assign public endpoint ++You can assign a public endpoint using the Azure portal or Azure CLI. ++### [Azure portal](#tab/Portal) ++Use the following steps to access Dev Tools Portal and assign a public endpoint: ++1. Select **Developer Tools**. +1. Select **Assign endpoint** to assign a public endpoint. Azure Spring Apps generates a URL within a few minutes. +1. Save the URL for use later. Application Live View and Application Accelerator will then get their corresponding endpoints. ++### [Azure CLI](#tab/Azure-CLI) ++Use the following command to assign a public endpoint using the Azure CLI: ++```azurecli +az spring dev-tool update \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> \ + --assign-endpoint +``` ++++## Next steps ++- [Azure Spring Apps](index.yml) |
spring-apps | How To Use Enterprise Api Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-use-enterprise-api-portal.md | + + Title: How to use API portal for VMware Tanzu with the Azure Spring Apps Enterprise plan ++description: How to use API portal for VMware Tanzu with the Azure Spring Apps Enterprise plan. ++++ Last updated : 02/09/2022++++# Use API portal for VMware Tanzu ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ❌ Basic/Standard ✔️ Enterprise ++This article shows you how to use API portal for VMware Tanzu with the Azure Spring Apps Enterprise plan. ++[API portal](https://docs.vmware.com/en/API-portal-for-VMware-Tanzu/1.1/api-portal/GUID-https://docsupdatetracker.net/index.html) is one of the commercial VMware Tanzu components. API portal supports viewing API definitions from [Spring Cloud Gateway for VMware Tanzu](./how-to-use-enterprise-spring-cloud-gateway.md) and testing of specific API routes from the browser. It also supports enabling single sign-on (SSO) authentication via configuration. ++## Prerequisites ++- An already provisioned Azure Spring Apps Enterprise plan instance with API portal enabled. For more information, see [Quickstart: Build and deploy apps to Azure Spring Apps using the Enterprise plan](quickstart-deploy-apps-enterprise.md). +- [Spring Cloud Gateway for Tanzu](./how-to-use-enterprise-spring-cloud-gateway.md) is enabled during provisioning and the corresponding API metadata is configured. ++## Configure single sign-on (SSO) ++API portal supports authentication and authorization using single sign-on (SSO) with an OpenID identity provider (IdP) that supports the OpenID Connect Discovery protocol. ++> [!NOTE] +> Only authorization servers supporting the OpenID Connect Discovery protocol are supported. Be sure to configure the external authorization server to allow redirects back to the API portal. Refer to your authorization server's documentation and add `https://<api-portal-external-url>/login/oauth2/code/sso` to the list of allowed redirect URIs. ++| Property | Required? | Description | +| - | - | - | +| issuerUri | Yes | The URI that the app asserts as its Issuer Identifier. For example, if the issuer-uri provided is "https://example.com", then an OpenID Provider Configuration Request is made to "https://example.com/.well-known/openid-configuration". The result is expected to be an OpenID Provider Configuration Response. | +| clientId | Yes | The OpenID Connect client ID provided by your IdP | +| clientSecret | Yes | The OpenID Connect client secret provided by your IdP | +| scope | Yes | A list of scopes to include in JWT identity tokens. This list should be based on the scopes allowed by your identity provider | ++To set up SSO with Microsoft Entra ID, see [How to set up single sign-on with Microsoft Entra ID for Spring Cloud Gateway and API Portal for Tanzu](./how-to-set-up-sso-with-azure-ad.md). ++> [!NOTE] +> If you configure the wrong SSO property, such as the wrong password, you should remove the entire SSO property and re-add the correct configuration. ++## Configure the instance count ++### [Azure portal](#tab/Portal) ++Use the following steps to configure the instance count using API portal: ++1. Navigate to your service instance and select **API portal**. +1. Select **Scale out**. +1. Configure **Instance count** and then select **Save**. ++### [Azure CLI](#tab/Azure-CLI) ++Use the following command to configure the instance count using API portal. Be sure to replace the placeholder with your actual value. ++```azurecli +az spring api-portal update --instance-count <number> +``` ++++## Assign a public endpoint for API portal ++### [Azure portal](#tab/Portal) ++Use the following steps to assign a public endpoint to API portal: ++1. Select **API portal**. +1. Select **Overview** to view the running state and resources allocated to API portal. +1. Select **Yes** next to *Assign endpoint* to assign a public endpoint. A URL is generated within a few minutes. +1. Save the URL for use later. ++### [Azure CLI](#tab/Azure-CLI) ++Use the following command to assign a public endpoint to API portal: ++```azurecli +az spring api-portal update --assign-endpoint +``` ++++## Configure the API try-out feature ++API portal enables you to view APIs centrally and try them out using the API try-out feature. API try-out is enabled by default and this configuration helps you turn it off across the whole API portal instance. For more information, see the [Try out APIs in API portal](#try-out-apis-in-api-portal) section. ++### [Azure portal](#tab/Portal) ++Use the following steps to enable or disable API try-out: ++1. Navigate to your service instance and select **API portal**. +1. Select **Configuration**. +1. Select or clear **Enable API try-out** and then select **Save**. ++### [Azure CLI](#tab/Azure-CLI) ++Use the following command to enable API try-out: ++```azurecli +az spring api-portal update \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> \ + --enable-api-try-out +``` ++Use following command to disable API try-out: ++```azurecli +az spring api-portal update \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> \ + --enable-api-try-out false +``` ++++## Configure API routing with OpenAPI Spec on Spring Cloud Gateway for Tanzu ++This section describes how to view and try out APIs with schema definitions in API portal. Use the following steps to configure API routing with an OpenAPI spec URL on Spring Cloud Gateway for Tanzu. ++1. Create an app in Azure Spring Apps that the gateway routes traffic to. ++1. Generate the OpenAPI definition and get the URI to access it. The following two URI options are accepted: ++ - The first option is to use a publicly accessible endpoint like the URI `https://petstore3.swagger.io/api/v3/openapi.json`, which includes the OpenAPI specification. + - The second option is to put the OpenAPI definition in the relative path of the app in Azure Spring Apps, and construct the URI in the format `http://<app-name>/<relative-path-to-OpenAPI-spec>`. You can choose tools like `SpringDocs` to generate the OpenAPI specification automatically, so the URI can be like `http://<app-name>/v3/api-docs`. ++1. Use the following command to assign a public endpoint to the gateway to access it. ++ ```azurecli + az spring gateway update --assign-endpoint + ``` ++1. Use the following command to configure Spring Cloud Gateway for Tanzu properties: ++ ```azurecli + az spring gateway update \ + --api-description "<api-description>" \ + --api-title "<api-title>" \ + --api-version "v0.1" \ + --server-url "<endpoint-in-the-previous-step>" \ + --allowed-origins "*" + ``` ++1. Configure routing rules to apps. ++ To create rules to access the app in Spring Cloud Gateway for Tanzu route configuration, save the following contents to the *sample.json* file. ++ ```json + { + "open_api": { + "uri": "https://petstore3.swagger.io/api/v3/openapi.json" + }, + "routes": [ + { + "title": "Petstore", + "description": "Route to application", + "predicates": [ + "Path=/pet", + "Method=PUT" + ], + "filters": [ + "StripPrefix=0" + ] + } + ] + } + ``` ++ The `open_api.uri` value is the public endpoint or URI constructed in the second step above. You can add predicates and filters for paths defined in your OpenAPI specification. ++ Use the following command to apply the rule to the app created in the first step: ++ ```azurecli + az spring gateway route-config create \ + --name sample \ + --app-name <app-name> \ + --routes-file sample.json + ``` ++1. Check the response of the created routes. You can also view the routes in the portal. ++## View exposed APIs in API portal ++> [!NOTE] +> It takes several minutes to sync between Spring Cloud Gateway for Tanzu and API portal. ++Select the `endpoint URL` to go to API portal. You see all the routes configured in Spring Cloud Gateway for Tanzu. +++## Try out APIs in API portal ++Use the following steps to try out APIs: ++1. Select the API you would like to try. +1. Select **EXECUTE**, and the response appears. ++ :::image type="content" source="media/how-to-use-enterprise-api-portal/api-portal-tryout.png" alt-text="Screenshot of API portal."::: ++## Enable/disable API portal after service creation ++You can enable and disable API portal after service creation using the Azure portal or Azure CLI. Before disabling API portal, you're required to unassign its endpoint. ++### [Azure portal](#tab/Portal) ++Use the following steps to enable or disable API portal using the Azure portal: ++1. Navigate to your service resource, and then select **API portal**. +1. Select **Manage**. +1. Select or unselect the **Enable API portal**, and then select **Save**. +1. You can now view the state of API portal on the **API portal** page. ++### [Azure CLI](#tab/Azure-CLI) ++Use the following Azure CLI commands to enable or disable API portal: ++```azurecli +az spring api-portal create \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> +``` ++```azurecli +az spring api-portal delete \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> +``` ++++## Next steps ++- [Azure Spring Apps](index.yml) |
spring-apps | How To Use Enterprise Spring Cloud Gateway | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-use-enterprise-spring-cloud-gateway.md | + + Title: How to use VMware Spring Cloud Gateway with the Azure Spring Apps Enterprise plan +description: Shows you how to use VMware Spring Cloud Gateway with the Azure Spring Apps Enterprise plan to route requests to your applications. ++++ Last updated : 11/04/2022++++# Use Spring Cloud Gateway ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ❌ Basic/Standard ✔️ Enterprise ++This article shows you how to use VMware Spring Cloud Gateway with the Azure Spring Apps Enterprise plan to route requests to your applications. ++[VMware Spring Cloud Gateway](https://docs.vmware.com/en/VMware-Spring-Cloud-Gateway-for-Kubernetes/https://docsupdatetracker.net/index.html) is a commercial VMware Tanzu component based on the open-source Spring Cloud Gateway project. Spring Cloud Gateway handles cross-cutting concerns for API development teams, such as single sign-on (SSO), access control, rate-limiting, resiliency, security, and more. You can accelerate API delivery using modern cloud native patterns, and any programming language you choose for API development. ++Spring Cloud Gateway includes the following features: ++- Dynamic routing configuration, independent of individual applications that can be applied and changed without recompilation. +- Commercial API route filters for transporting authorized JSON Web Token (JWT) claims to application services. +- Client certificate authorization. +- Rate-limiting approaches. +- Circuit breaker configuration. +- Support for accessing application services via HTTP Basic Authentication credentials. ++To integrate with [API portal for VMware Tanzu](./how-to-use-enterprise-api-portal.md), VMware Spring Cloud Gateway automatically generates OpenAPI version 3 documentation after any route configuration additions or changes. ++## Prerequisites ++- An already provisioned Azure Spring Apps Enterprise plan service instance with Spring Cloud Gateway enabled. For more information, see [Quickstart: Build and deploy apps to Azure Spring Apps using the Enterprise plan](quickstart-deploy-apps-enterprise.md). +- [Azure CLI](/cli/azure/install-azure-cli) version 2.0.67 or later. Use the following command to install the Azure Spring Apps extension: `az extension add --name spring`. ++## Configure routes ++This section describes how to add, update, and manage API routes for apps that use Spring Cloud Gateway. ++The route configuration definition includes the following parts: ++- OpenAPI URI: This URI references an OpenAPI specification. You can use a public URI endpoint such as `https://petstore3.swagger.io/api/v3/openapi.json` or a constructed URI such as `http://<app-name>/{relative-path-to-OpenAPI-spec}`, where *`<app-name>`* is the name of an application in Azure Spring Apps that includes the API definition. Both OpenAPI 2.0 and OpenAPI 3.0 specs are supported. The specification displays in the API portal if enabled. +- routes: A list of route rules to direct traffic to apps and apply filters. +- protocol: The backend protocol of the application to which Spring Cloud Gateway routes traffic. The protocol's supported values are `HTTP` or `HTTPS`, and the default is `HTTP`. To secure traffic from Spring Cloud Gateway to your HTTPS-enabled application, you need to set the protocol to `HTTPS` in your route configuration. +- app level routes: There are three route properties that you can configure at the app level to avoid repetition across all or most of the routes in the route configuration. The concrete routing rule overrides the app level routing rule for the same property. You can define the following properties at the app level: `predicates`, `filters`, and `ssoEnabled`. If you use the `OpenAPI URI` feature to define routes, the only app level routing property to support is `filters`. ++Use the following command to create a route config. The `--app-name` value should be the name of an app hosted in Azure Spring Apps that the requests route to. ++```azurecli +az spring gateway route-config create \ + --name <route-config-name> \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --app-name <app-name> \ + --routes-file <routes-file.json> +``` ++The following example shows a JSON file that's passed to the `--routes-file` parameter in the create command: ++```json +{ + "predicates": [ + "<app-level-predicate-of-route>", + ], + "ssoEnabled": false, + "filters": [ + "<app-level-filter-of-route>", + ], + "openApi": { + "uri": "<OpenAPI-URI>" + }, + "protocol": "<protocol-of-routed-app>", + "routes": [ + { + "title": "<title-of-route>", + "description": "<description-of-route>", + "predicates": [ + "<predicate-of-route>", + ], + "ssoEnabled": true, + "filters": [ + "<filter-of-route>", + ], + "tags": [ + "<tag-of-route>" + ], + "order": 0 + } + ] +} +``` ++The following table lists the route definitions. All the properties are optional. ++| Property | Description | +|-|-| +| title | A title to apply to methods in the generated OpenAPI documentation. | +| description | A description to apply to methods in the generated OpenAPI documentation. | +| uri | The full URI, which overrides the name of app that the requests route to. | +| ssoEnabled | A value that indicates whether to enable SSO validation. See [Configure single sign-on](./how-to-configure-enterprise-spring-cloud-gateway.md#configure-single-sign-on). | +| tokenRelay | Passes the currently authenticated user's identity token to the application. | +| predicates | A list of predicates. See [Available Predicates](https://docs.vmware.com/en/VMware-Spring-Cloud-Gateway-for-Kubernetes/1.2/scg-k8s/GUID-configuring-routes.html#available-predicates). | +| filters | A list of filters. See [Available Filters](https://docs.vmware.com/en/VMware-Spring-Cloud-Gateway-for-Kubernetes/1.2/scg-k8s/GUID-configuring-routes.html#available-filters). | +| order | The route processing order. A lower order is processed with higher precedence, as in [Spring Cloud Gateway](https://docs.spring.io/spring-cloud-gateway/docs/current/reference/html/). | +| tags | Classification tags that are applied to methods in the generated OpenAPI documentation. | ++> [!NOTE] +> Because of security or compatibility reasons, not all the filters/predicates are supported in Azure Spring Apps. The following aren't supported: +> +> - BasicAuth +> - JWTKey ++## Use routes for Spring Cloud Gateway ++Use the following steps to create a sample application using Spring Cloud Gateway. ++1. Use the following command to create a test application named *test-app* in Azure Spring Apps: ++ ```azurecli + az spring app create \ + name test-app \ + resource-group <resource-group-name> \ + service <Azure-Spring-Apps-instance-name> + ``` ++1. Assign a public endpoint to the gateway to access it. ++ To view the running state and resources given to Spring Cloud Gateway, open your Azure Spring Apps instance in the Azure portal, select the **Spring Cloud Gateway** section, then select **Overview**. ++ To assign a public endpoint, select **Yes** next to **Assign endpoint**. A URL appears in a few minutes. Save the URL to use later. ++ :::image type="content" source="media/how-to-use-enterprise-spring-cloud-gateway/gateway-overview.png" alt-text="Screenshot of Azure portal Azure Spring Apps overview page with 'Assign endpoint' highlighted." lightbox="media/how-to-use-enterprise-spring-cloud-gateway/gateway-overview.png"::: ++ You can also use Azure CLI to assign the endpoint. Use the following command to assign the endpoint. ++ ```azurecli + az spring gateway update \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --assign-endpoint true + ``` ++1. Create a rule to access the health check endpoint of the test app through Spring Cloud Gateway. ++ Save the following content to a *test-api.json* file. This configuration includes a RateLimit filter, which allows 20 requests every 10 seconds, and a RewritePath filter, which allows the request endpoint to reach the standard Spring Boot health check endpoint. ++ ```json + { + "protocol": "HTTP", + "routes": [ + { + "title": "Test API", + "description": "Retrieve a health check from our application", + "predicates": [ + "Path=/test/api/healthcheck", + "Method=GET" + ], + "filters": [ + "RateLimit=20,10s", + "RewritePath=/api/healthcheck,/actuator/health" + ], + "tags": [ + "test" + ] + } + ] + } + ``` ++ Then, use the following command to apply the rule to the app `test-app`: ++ ```azurecli + az spring gateway route-config create \ + --name test-api-routes \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --app-name test-app \ + --routes-file test-api.json + ``` ++ You can also view the routes in the portal, as shown in the following screenshot: ++ :::image type="content" source="media/how-to-use-enterprise-spring-cloud-gateway/gateway-route.png" alt-text="Screenshot of Azure portal Azure Spring Apps Spring Cloud Gateway page showing 'Routing rules' pane." lightbox="media/how-to-use-enterprise-spring-cloud-gateway/gateway-route.png"::: ++1. Use the following command to access the `test health check` API through the gateway endpoint: ++ ```bash + curl https://<endpoint-url>/test/api/healthcheck + ``` ++1. Use the following commands to query the routing rules: ++ ```azurecli + az spring gateway route-config show \ + --name test-api-routes \ + --query '{appResourceId:properties.appResourceId, routes:properties.routes}' + + az spring gateway route-config list \ + --query '[].{name:name, appResourceId:properties.appResourceId, routes:properties.routes}' + ``` ++## Use filters ++The open-source [Spring Cloud Gateway](https://spring.io/projects/spring-cloud-gateway) project includes many built-in filters for use in Gateway routes. Spring Cloud Gateway provides many custom filters in addition to the filters included in the OSS project. ++The following example shows how to apply the `AddRequestHeadersIfNotPresent` filter to a route: ++```json +[ + { + "predicates": [ + "Path=/api/**", + "Method=GET" + ], + "filters": [ + "AddRequestHeadersIfNotPresent=Content-Type:application/json,Connection:keep-alive" + ] + } +] +``` ++Then, apply the route definition using the following Azure CLI command: ++```azurecli +az spring gateway route-config create \ + --name <route-config-name> \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --app <app-name> + --routes-file <json-file-with-routes> +``` ++For more information on available route filters, see [How to use VMware Spring Cloud Gateway Route Filters with the Azure Spring Apps Enterprise plan](./how-to-configure-enterprise-spring-cloud-gateway-filters.md). ++## Next steps ++- [Azure Spring Apps](index.yml) +- [Quickstart: Build and deploy apps to Azure Spring Apps using the Enterprise plan](./quickstart-deploy-apps-enterprise.md) |
spring-apps | How To Use Flush Dns Settings | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-use-flush-dns-settings.md | + + Title: How to flush DNS settings changes in Azure Spring Apps ++description: How to update DNS settings in a virtual-network-injected Azure Spring Apps service. ++++ Last updated : 01/22/2024++++# Flush DNS settings changes in Azure Spring Apps ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ❌ Basic ✔️ Standard ✔️ Enterprise ++> [!NOTE] +> This feature is only available for virtual-network-injected Azure Spring Apps service instances. ++This article explains how to update your DNS settings in a virtual-network-injected Azure Spring Apps service instance. ++Changes to the custom DNS servers in the virtual network settings won't take effect until the network service is restarted in all the underlying nodes. This restart is required so that the nodes can load the new settings. Previously, you had to reboot the whole Azure Spring Apps instance to apply any changes to the DNS settings. With the new *flush DNS settings* feature, you can avoid this time-consuming operation. ++Flushing the DNS settings doesn't restart any underlying nodes or running applications within your service instance, but it does restart the network infrastructure to load the DNS setting changes. This restart can interrupt the network services and affect application availability for a few seconds. ++## Prerequisites ++- An Azure subscription. If you don't have an Azure subscription, create an [Azure free account](https://azure.microsoft.com/free/) before you begin. +- (Optional) [Azure CLI](/cli/azure/install-azure-cli) version 2.52.0 or higher. Use the following commands to remove the previous version and install the latest extension. If you previously installed the Spring Cloud extension, uninstall it before you begin. ++ ```azurecli + az extension remove --name spring + az extension add --name spring + az extension remove --name spring-cloud + ``` + +- An application deployed to Azure Spring Apps with virtual network injection enabled. +- A configured custom DNS server in the virtual network setting. ++## Flush the DNS settings for an existing Azure Spring Apps instance ++### [Azure portal](#tab/azure-portal) ++Use the following steps to flush the DNS settings for an existing Azure Spring Apps instance: ++1. Sign in to the [Azure portal](https://portal.azure.com/). ++1. On the Navigation menu, select **Overview**. ++1. Select **Flush DNS settings (preview)**. +++### [Azure CLI](#tab/azure-cli) ++Use the following command to flush the DNS settings for an existing Azure Spring Apps instance: ++```azurecli +az spring flush-virtualnetwork-dns-settings \ + --resource-group <resource-group-name> \ + --name <service-name> +``` ++++## Troubleshoot known issues ++The following list describes some errors you might encounter when connecting to your DNS server: ++- Error: `Failed to connect DNS server, connection timed out.` ++ If you get this error, check whether a network routing rule, or a firewall is blocking traffic from your service runtime or app subnets to your custom DNS server IP on port 53 or your custom DNS server listening port. ++- Error: `Failed to resolve IP.` ++ If you get this error, check whether the upstream DNS server is correctly configured in your DNS server. To solve this issue, add Azure DNS IP `168.63.129.16` as the upstream DNS server in your custom DNS server. If you can't use Azure DNS as the upstream server, use other valid upstream servers to ensure that all required domains can be resolved. For more information, see [Customer responsibilities for running Azure Spring Apps in a virtual network](vnet-customer-responsibilities.md). ++- Error: `Not all the VM instances in the cluster are in succeeded running state.` ++ This error usually indicates that there are some incorrect DNS or other networking settings blocking the underlying nodes provisioning. To mitigate this issue, fix the networking settings and restart the Azure Spring Apps service instance. For more information, see [Customer responsibilities for running Azure Spring Apps in a virtual network](vnet-customer-responsibilities.md) and [Troubleshooting Azure Spring Apps in virtual networks](troubleshooting-vnet.md). ++## Next steps ++- [Map an existing custom domain to Azure Spring Apps](how-to-custom-domain.md) +- [Map DNS names to applications in multiple Azure Spring Apps service instances in the same virtual network](how-to-map-dns-virtual-network.md) |
spring-apps | How To Use Grpc | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-use-grpc.md | + + Title: How to use gRPC in Azure Spring Apps +description: Shows you how to use gRPC in Azure Spring Apps. ++++ Last updated : 5/24/2023++++# How to use gRPC in Azure Spring Apps ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article shows you how to use gRPC in Azure Spring Apps. ++In this article, you modify and redeploy the [Spring Boot Pet Clinic](https://github.com/Azure-Samples/spring-petclinic-microservices) sample application. From your local environment, you create a gRPC service by modifying the `customers-service` microservice, deploy the modified sample to Azure Spring Apps, and then use `grpcurl` commands to test the service by making calls to gRPC methods. ++For a demonstration of this process, see the following video: ++<br> ++> [!VIDEO https://www.youtube.com/embed/yNvoQ4YIDCI title="Video that shows how to use gRPC in Spring Apps."] ++## Prerequisites ++- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin. +- [Azure CLI](/cli/azure/install-azure-cli). + - Use the following command to install the Azure Spring Apps extension: `az extension add --name spring` +- [Git](https://git-scm.com/downloads). +- [Microsoft Build of OpenJDK](/java/openjdk/download#openjdk-17) Version 17. +- [Maven](https://maven.apache.org/download.cgi). +- An Azure Spring Apps instance. For more information, see [Quickstart: Provision an Azure Spring Apps service instance](../basic-standard/quickstart-provision-service-instance.md). +- A built and deployed Pet Clinic sample application. For more information, see [Quickstart: Build and deploy apps to Azure Spring Apps](../basic-standard/quickstart-deploy-apps.md). ++## Assign a public endpoint ++To facilitate testing, assign a public endpoint. The public endpoint is used in the `grpcurl` commands as the hostname. For more information, see [fullstorydev/grpcurl](https://github.com/fullstorydev/grpcurl). ++Use the following command to assign a public endpoint. Be sure to replace the placeholders with the resource group name, service instance name, and app name that you used when you fulfilled the prerequisites. ++```azurecli +az spring app update \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name <app-name> \ + --assign-public-endpoint true +``` ++You can also use the Azure portal to assign a public endpoint. For more information, see [Expose applications on Azure Spring Apps to the internet from a public network](how-to-access-app-from-internet-virtual-network.md). ++## Modify an existing service to be a gRPC service ++Before the service is changed into a gRPC server, look at the Owners page of the deployed PetClinic instance application to examine the current pet owners data. You can also list all owners by adding `/owners` to the URL path, which you can get from the Overview page for the `customers-service` page in the Azure portal. ++Use the following steps to change `customers-service` into a gRPC server: ++1. Locate *pom.xml* in the *spring-petclinic-customers-service* folder. ++1. In the *pom.xml* file, delete the following element that defines the `spring-boot-starter-web` dependency: ++ ```xml + <dependency> + <groupId>org.springframework.boot</groupId> + <artifactId>spring-boot-starter-web</artifactId> + </dependency> + ``` ++ If you don't remove this dependency, the application starts both a web server and a gRPC server. Azure Spring Apps then rewrites the server port to `1025` for the Basic/Standard plan or to `8080` for the Enterprise plan, which prevents gRPC from being routed correctly with a static server address. ++1. Add the following elements to the *pom.xml* file. These elements define the dependency and build plugins required for gRPC. ++ ```xml + <dependencies> + <!-- For both gRPC server and client --> + <dependency> + <groupId>net.devh</groupId> + <artifactId>grpc-spring-boot-starter</artifactId> + <version>2.5.1.RELEASE</version> + <exclusions> + <exclusion> + <groupId>io.grpc</groupId> + <artifactId>grpc-netty-shaded</artifactId> + </exclusion> + </exclusions> + </dependency> + <!-- For the gRPC server (only) --> + <dependency> + <groupId>net.devh</groupId> + <artifactId>grpc-server-spring-boot-starter</artifactId> + <version>2.5.1.RELEASE</version> + <exclusions> + <exclusion> + <groupId>io.grpc</groupId> + <artifactId>grpc-netty-shaded</artifactId> + </exclusion> + </exclusions> + </dependency> + <dependency> + <groupId>net.devh</groupId> + <artifactId>grpc-client-spring-boot-autoconfigure</artifactId> + <version>2.5.1.RELEASE</version> + <type>pom</type> + </dependency> + </dependencies> + <build> + <extensions> + <extension> + <groupId>kr.motd.maven</groupId> + <artifactId>os-maven-plugin</artifactId> + <version>1.6.1</version> + </extension> + </extensions> + <plugins> + <plugin> + <groupId>org.springframework.boot</groupId> + <artifactId>spring-boot-maven-plugin</artifactId> + </plugin> + <plugin> + <groupId>org.xolstice.maven.plugins</groupId> + <artifactId>protobuf-maven-plugin</artifactId> + <version>0.6.1</version> + <configuration> + <protocArtifact> + com.google.protobuf:protoc:3.3.0:exe:${os.detected.lassifier} + </protocArtifact> + <pluginId>grpc-java</pluginId> + <pluginArtifact> + io.grpc:protoc-gen-grpc-java:1.4.0:exe:${os.detected.classifier} + </pluginArtifact> + </configuration> + <executions> + <execution> + <goals> + <goal>compile</goal> + <goal>compile-custom</goal> + </goals> + </execution> + </executions> + </plugin> + </plugins> + </build> + ``` ++## Build the gRPC service ++Use the following steps to create and run a *.proto* file that defines the message types and RPC interface methods: ++1. Create a new file with the *.proto* extension in the source code folder that has the following content: ++ ```protobuf + syntax = "proto3"; + option java_multiple_files = true; + package org.springframework.samples.petclinic.customers.grpc; + import "google/protobuf/empty.proto"; ++ message OwnerRequest { + int32 ownerId = 1; + } ++ message PetRequest { + int32 petId = 1; + } ++ message OwnerResponse { + int32 id = 1; + string firstName = 2; + string lastName = 3; + string address = 4; + string city = 5; + string telephone = 6; + repeated PetResponse pets = 7; + } ++ message PetResponse { + int32 id = 1; + string name = 2; + string birthDate = 3; + PetType type = 4; + OwnerResponse owner = 5; + } ++ message PetType { + int32 id = 1; + string name = 2; + } ++ message PetTypes { + repeated PetType ele = 1; + } ++ message Owners { + repeated OwnerResponse ele = 1; + } ++ service CustomersService { + rpc createOwner(OwnerResponse) returns (OwnerResponse); + rpc findOwner(OwnerRequest) returns (OwnerResponse); + rpc findAll(google.protobuf.Empty) returns (Owners); + rpc updateOwner(OwnerResponse) returns (google.protobuf.Empty); + rpc getPetTypes(google.protobuf.Empty) returns (PetTypes); + rpc createPet(PetResponse) returns (PetResponse); + rpc updatePet(PetResponse) returns (google.protobuf.Empty); + rpc findPet(PetRequest) returns (PetResponse); + } + ``` ++1. Use the following command to generate the gRPC service files: ++ ```bash + mvn package + ``` ++ You can implement the gRPC service with the RPC methods defined in the *.proto* file. In the sample application, the generated files include *CustomersServiceGrpc.java*, as defined by the gRPC `proto` plugin. ++## Implement the gRPC service ++In your development environment, create a Java class file for the project with the following content that implements the RPC methods defined in the *.proto* file. Use the annotation `@GrpcService` to extend the autogenerated gRPC service base class to implement its methods. The following example shows an implementation of some of the methods: ++```java +@GrpcService +@Slf4j +public class CustomersServiceImpl extends CustomersServiceGrpc.CustomersServiceImplBase { + @Autowired + private OwnerRepository ownerRepository; ++ @Autowired + private PetRepository petRepository; ++ @Override + public void createOwner(OwnerResponse request, StreamObserver<OwnerResponse> responseObserver) { + Owner owner = new Owner(); + BeanUtils.copyProperties(request, owner); + ownerRepository.save(owner); ++ responseObserver.onNext(request); + responseObserver.onCompleted(); + } +} +``` ++## Configure the server port ++Next, configure the server port to `1025` for the Basic/Standard plan or to `8080` for the Enterprise plan so that the ingress rule works correctly. Add the following line to the *application.properties* file in the *spring-petclinic-customers-service/src/main/resources* folder. ++```properties +grpc.server.port=1025 +``` ++## Build the service JAR file ++Use the following command to build the gRPC server JAR file: ++```bash +mvn package +``` ++The modification of `customers-service` is now complete, and it's now a gRPC service. ++## Deploy the application to Azure Spring Apps ++You can now configure the server and deploy the application. ++Use the following command to deploy the newly built JAR file to your Azure Spring Apps instance. ++```azurecli +az spring app deploy \ + --name ${CUSTOMERS_SERVICE} \ + --artifact-path ${CUSTOMERS_SERVICE_JAR} \ + --jvm-options='-Xms2048m -Xmx2048m -Dspring.profiles.active=mysql' \ + --env MYSQL_SERVER_FULL_NAME=${MYSQL_SERVER_FULL_NAME} \ + MYSQL_DATABASE_NAME=${MYSQL_DATABASE_NAME} \ + MYSQL_SERVER_ADMIN_LOGIN_NAME=${MYSQL_SERVER_ADMIN_LOGIN_NAME} \ + MYSQL_SERVER_ADMIN_PASSWORD=${MYSQL_SERVER_ADMIN_PASSWORD} +``` ++The deployment can take a few minutes to complete. ++Now that the application is deployed in Azure Spring Apps, call a gRPC service from outside the Azure Spring Apps service instance. As you did earlier, test the `customers-service` endpoint to attempt to list all pet owners by adding `/owners` to the URL path. This time, the test fails as expected because a gRPC service can't be accessed using the HTTP protocol. ++## Set the ingress configuration ++Set the backend protocol to use gRPC so that you can use `grpcurl` commands to test the gRPC server. Update your application's ingress settings. For more information, see [Customize the ingress configuration in Azure Spring Apps](how-to-configure-ingress.md). ++## Call the sample application from a local environment ++You can use `grpcurl` to test the gRPC server. The only port supported for gRPC calls from outside Azure Spring Apps is port `443`. The traffic is automatically routed to port `1025` or to `8080` on the backend. ++Use the following `grpcurl` commands to check the gRPC server by listing all the pet owners. ++```bash +grpcurl <service-instance-name>-customers-service.azuremicroservices.io:443 list +grpcurl <service-instance-name>-customers-service.azuremicroservices.io:443 org.springframework.samples.petclinic.customers.grpc.CustomersService.findAll +grpcurl -d "{\"ownerId\":7}" <service-instance-name>-customers-service.azuremicroservices.io:443 org.springframework.samples.petclinic.customers.grpc.CustomersService.findOwner +``` ++## Frequently asked questions ++- How do I use the test endpoint? ++ Use the following `curl` and HTTP commands to use the test endpoint of the gRPC server: ++ ```bash + echo -n '0000000000' | xxd -r -p - frame.bin + curl -v --insecure --raw -X POST -H "Content-Type: application/grpc" -H "TE: trailers" --data-binary @frame.bin <test-endpoint/org. springframework.samples.petclinic.customers.grpc.CustomersService/findAll + ``` ++ For more information, see the [View apps and deployments](how-to-staging-environment.md#view-apps-and-deployments) section of [Set up a staging environment in Azure Spring Apps](how-to-staging-environment.md). ++## Next steps ++- [Customize the ingress configuration in Azure Spring Apps](how-to-configure-ingress.md) |
spring-apps | How To Use Managed Identities | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-use-managed-identities.md | + + Title: Managed identities for applications in Azure Spring Apps ++description: Home page for managed identities for applications. ++++ Last updated : 04/15/2022++zone_pivot_groups: spring-apps-tier-selection +++# Use managed identities for applications in Azure Spring Apps ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article shows you how to use system-assigned and user-assigned managed identities for applications in Azure Spring Apps. ++Managed identities for Azure resources provide an automatically managed identity in Microsoft Entra ID to an Azure resource such as your application in Azure Spring Apps. You can use this identity to authenticate to any service that supports Microsoft Entra authentication, without having credentials in your code. ++## Feature status ++| System-assigned | User-assigned | +| - | - | +| GA | GA | ++## Manage managed identity for an application ++For system-assigned managed identities, see [How to enable and disable system-assigned managed identity](./how-to-enable-system-assigned-managed-identity.md). ++For user-assigned managed identities, see [How to assign and remove user-assigned managed identities](./how-to-manage-user-assigned-managed-identities.md). ++## Obtain tokens for Azure resources ++An application can use its managed identity to get tokens to access other resources protected by Microsoft Entra ID, such as Azure Key Vault. These tokens represent the application accessing the resource, not any specific user of the application. ++You can configure the target resource to allow access from your application. For more information, see [Assign a managed identity access to a resource by using the Azure portal](/entra/identity/managed-identities-azure-resources/howto-assign-access-portal). For example, if you request a token to access Key Vault, be sure you have added an access policy that includes your application's identity. Otherwise, your calls to Key Vault will be rejected, even if they include the token. To learn more about which resources support Microsoft Entra tokens, see [Azure services that support Microsoft Entra authentication](/entra/identity/managed-identities-azure-resources/services-id-authentication-support). ++Azure Spring Apps shares the same endpoint for token acquisition with Azure Virtual Machines. We recommend using Java SDK or Spring Boot starters to acquire a token. For various code and script examples, as well as guidance on important topics like handling token expiration and HTTP errors, see [How to use managed identities for Azure resources on an Azure VM to acquire an access token](/entra/identity/managed-identities-azure-resources/how-to-use-vm-token). ++## Examples of connecting Azure services in application code ++The following table provides links to articles that contain examples: ++| Azure service | tutorial | +|--|| +| Key Vault | [Tutorial: Use a managed identity to connect Key Vault to an Azure Spring Apps app](tutorial-managed-identities-key-vault.md) | +| Azure Functions | [Tutorial: Use a managed identity to invoke Azure Functions from an Azure Spring Apps app](tutorial-managed-identities-functions.md) | +| Azure SQL | [Use a managed identity to connect Azure SQL Database to an Azure Spring Apps app](connect-managed-identity-to-azure-sql.md) | ++## Best practices when using managed identities ++We highly recommend that you use system-assigned and user-assigned managed identities separately unless you have a valid use case. If you use both kinds of managed identity together, failure might happen if an application is using system-assigned managed identity and the application gets the token without specifying the client ID of that identity. This scenario might work fine until one or more user-assigned managed identities are assigned to that application, then the application might fail to get the correct token. ++## Limitations ++### Maximum number of user-assigned managed identities per application ++For the maximum number of user-assigned managed identities per application, see [Quotas and Service Plans for Azure Spring Apps](./quotas.md). ++++## Concept mapping ++The following table shows the mappings between concepts in Managed Identity scope and Microsoft Entra scope: ++| Managed Identity scope | Microsoft Entra scope | +||-| +| Principal ID | Object ID | +| Client ID | Application ID | ++## Next steps ++- [What are managed identities for Azure resources?](/entra/identity/managed-identities-azure-resources/overview) +- [How to use managed identities with Java SDK](https://github.com/Azure-Samples/azure-spring-apps-samples) |
spring-apps | How To Use Tls Certificate | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-use-tls-certificate.md | + + Title: Use TLS/SSL certificates in your application in Azure Spring Apps ++description: Use TLS/SSL certificates in an application. ++++ Last updated : 10/08/2021++++# Use TLS/SSL certificates in your application in Azure Spring Apps ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article shows you how to use public certificates in Azure Spring Apps for your application. Your app might act as a client and access an external service that requires certificate authentication, or it might need to perform cryptographic tasks. ++When you let Azure Spring Apps manage your TLS/SSL certificates, you can maintain the certificates and your application code separately to safeguard your sensitive data. Your app code can access the public certificates you add to your Azure Spring Apps instance. ++## Prerequisites ++- An application deployed to Azure Spring Apps. See [Quickstart: Deploy your first application in Azure Spring Apps](./quickstart.md), or use an existing app. +- Either a certificate file with *.crt*, *.cer*, *.pem*, or *.der* extension, or a deployed instance of Azure Key Vault with a private certificate. ++## Import a certificate ++You can choose to import your certificate into your Azure Spring Apps instance from either Key Vault or use a local certificate file. ++### Import a certificate from Key Vault ++You need to grant Azure Spring Apps access to your key vault before you import your certificate using these steps: ++1. Sign in to the [Azure portal](https://portal.azure.com). +1. Select **Key vaults**, then select the Key Vault you import your certificate from. +1. In the left navigation pane, select **Access policies**, then select **Create**. +1. Select **Certificate permissions**, then select **Get** and **List**. ++ :::image type="content" source="media/how-to-use-tls-certificate/grant-key-vault-permission.png" alt-text="Screenshot of the Azure portal that shows the Create an access policy page with Permission pane showing and Get and List permissions highlighted." lightbox="media/how-to-use-tls-certificate/grant-key-vault-permission.png"::: ++1. Under **Principal**, select your **Azure Spring Cloud Resource Provider**. ++ :::image type="content" source="media/how-to-use-tls-certificate/select-service-principal.png" alt-text="Screenshot of the Azure portal that shows the Create an access policy page with Principal pane showing and Azure Spring Apps Resource Provider highlighted." lightbox="media/how-to-use-tls-certificate/select-service-principal.png"::: ++1. Select **Review + Create**, then select **Create**. ++After you grant access to your key vault, you can import your certificate using these steps: ++1. Go to your service instance. ++1. From the left navigation pane of your instance, select **TLS/SSL settings**. ++1. Select **Import Key Vault Certificate** in the **Public Key Certificates** section. ++1. Select your key vault in the **Key vaults** section, select your certificate in the **Certificate** section, and then select **Select**. ++1. Provide a value for **Certificate name**, select **Enable auto sync** if needed, and then select **Apply**. For more information, see the [Auto sync certificate](./how-to-custom-domain.md#auto-sync-certificate) section of [Map an existing custom domain to Azure Spring Apps](./how-to-custom-domain.md). ++After you've successfully imported your certificate, you see it in the list of Public Key Certificates. ++> [!NOTE] +> The Azure Key Vault and Azure Spring Apps instances should be in the same tenant. ++### Import a local certificate file ++You can import a certificate file stored locally using these steps: ++1. Go to your service instance. +1. From the left navigation pane of your instance, select **TLS/SSL settings**. +1. Select **Upload public certificate** in the **Public Key Certificates** section. ++After you've successfully imported your certificate, you see it in the list of Public Key Certificates. ++## Load a certificate ++To load a certificate into your application in Azure Spring Apps, start with these steps: ++1. Go to your application instance. +1. From the left navigation pane of your app, select **Certificate management**. +1. Select **Add certificate** to choose certificates accessible for the app. +++### Load a certificate from code ++Your loaded certificates are available in the */etc/azure-spring-cloud/certs/public* folder. Use the following Java code to load a public certificate in an application in Azure Spring Apps. ++```java +CertificateFactory factory = CertificateFactory.getInstance("X509"); +FileInputStream is = new FileInputStream("/etc/azure-spring-cloud/certs/public/<certificate name>"); +X509Certificate cert = (X509Certificate) factory.generateCertificate(is); ++// use the loaded certificate +``` ++### Load a certificate into the trust store ++For a Java application, you can choose **Load into trust store** for the selected certificate. The certificate is automatically added to the Java default TrustStores to authenticate a server in SSL authentication. ++The following log from your app shows that the certificate is successfully loaded. ++```output +Load certificate from specific path. alias = <certificate alias>, thumbprint = <certificate thumbprint>, file = <certificate name> +``` ++## Next steps ++- [Enable ingress-to-app Transport Layer Security](./how-to-enable-ingress-to-app-tls.md) +- [Access Config Server and Service Registry](../basic-standard/how-to-access-data-plane-azure-ad-rbac.md) |
spring-apps | How To Write Log To Custom Persistent Storage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/how-to-write-log-to-custom-persistent-storage.md | + + Title: How to use Logback to write logs to custom persistent storage in Azure Spring Apps | Microsoft Docs +description: How to use Logback to write logs to custom persistent storage in Azure Spring Apps. ++++ Last updated : 11/17/2021++++# How to use Logback to write logs to custom persistent storage ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Java ❌ C# ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article shows you how to load Logback and write logs to custom persistent storage in Azure Spring Apps. ++> [!NOTE] +> When a file in the application's classpath has one of the following names, Spring Boot will automatically load it over the default configuration for Logback: +> - *logback-spring.xml* +> - *logback.xml* +> - *logback-spring.groovy* +> - *logback.groovy* ++## Prerequisites ++* An existing storage resource bound to an Azure Spring Apps instance. If you need to bind a storage resource, see [How to enable your own persistent storage in Azure Spring Apps](./how-to-custom-persistent-storage.md). +* The Logback dependency included in your application. For more information on Logback, see [A Guide To Logback](https://www.baeldung.com/logback). +* The [Azure Spring Apps extension](/cli/azure/azure-cli-extensions-overview) for the Azure CLI ++## Edit the Logback configuration to write logs into a specific path ++You can set the path to where logs will be written by using the logback-spring.xml example file. ++```xml +<?xml version="1.0" encoding="UTF-8"?> +<configuration> + <appender name="Console" + class="ch.qos.logback.core.ConsoleAppender"> + <!-- please feel free to customize the log layout --> + <layout class="ch.qos.logback.classic.PatternLayout"> + <Pattern> + %black(%d{ISO8601}) %highlight(%-5level) [%blue(%t)] %yellow(%C{1.}): %msg%n%throwable + </Pattern> + </layout> + </appender> ++ <appender name="RollingFile" + class="ch.qos.logback.core.rolling.RollingFileAppender"> + <!-- 'LOGS' here is a value to be read from the application's environment variable --> + <file>${LOGS}/spring-boot-logger.log</file> + <!-- please feel free to customize the log layout pattern --> + <encoder + class="ch.qos.logback.classic.encoder.PatternLayoutEncoder"> + <Pattern>%d %p %C{1.} [%t] %m%n</Pattern> + </encoder> ++ <rollingPolicy + class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> + <!-- rollover daily and when the file reaches 10 MegaBytes --> + <fileNamePattern>${LOGS}/archived/spring-boot-logger-%d{yyyy-MM-dd}.%i.log + </fileNamePattern> + <timeBasedFileNamingAndTriggeringPolicy + class="ch.qos.logback.core.rolling.SizeAndTimeBasedFNATP"> + <maxFileSize>10MB</maxFileSize> + </timeBasedFileNamingAndTriggeringPolicy> + </rollingPolicy> + </appender> ++ <!-- LOG everything at the INFO level --> + <root level="info"> + <appender-ref ref="RollingFile" /> + <appender-ref ref="Console" /> + </root> ++ <!-- LOG "com.baeldung*" at the TRACE level --> + <logger name="com.baeldung" level="trace" additivity="false"> + <appender-ref ref="RollingFile" /> + <appender-ref ref="Console" /> + </logger> ++</configuration> +``` ++In the preceding example, there are two placeholders named `{LOGS}` in the path for writing the application's logs to. A value needs to be assigned to the environment variable `LOGS` to have the log write to both the console and your persistent storage. ++## Use the Azure CLI to create and deploy a new app with Logback on persistent storage ++1. Use the following command to create an application in Azure Spring Apps with persistent storage enabled and the environment variable set: ++ ```azurecli + az spring app create \ + --resource-group <resource-group-name> \ + --name <app-name> \ + --service <spring-instance-name> \ + --persistent-storage <path-to-json-file> \ + --env LOGS=/byos/logs + ``` + > [!NOTE] + > The value of the `LOGS` environment variable can be the same as, or a subdirectory of the `mountPath`. + + Here's an example of the JSON file that is passed to the `--persistent-storage` parameter in the create command. In this example, the same value is passed for the environment variable in the CLI command above and in the `mountPath` property below: ++ ```json + { + "customPersistentDisks": [ + { + "storageName": "<Storage-Resource-Name>", + "customPersistentDiskProperties": { + "type": "AzureFileVolume", + "shareName": "<Azure-File-Share-Name>", + "mountPath": "/byos/logs", + "readOnly": false + } + } + ] + } + ``` + +1. Use the following command to deploy your application: ++ ```azurecli + az spring app deploy \ + --resource-group <resource-group-name> \ + --name <app-name> \ + --service <spring-instance-name> \ + --artifact-path <path-to-jar-file> + ``` ++1. Use the following command to check your application's console log: ++ ```azurecli + az spring app logs \ + --resource-group <resource-group-name> \ + --name <app-name> \ + --service <spring-instance-name> + ``` ++ Go to the Azure Storage Account resource you bound and find the Azure file share that was attached as persistent storage. In this example, the logs will be written to the *spring-boot-logger.log* file at the root of your Azure file share. All of the rotated log files will be stored in the */archived* folder in your Azure file share. ++1. Optionally, use the following command to update the path or persistent storage of an existing app: ++ The path or persistent storage where the logs are saved can be changed at any time. The application will restart when changes are made to either environment variables or persistent storage. ++ ```azurecli + az spring app update \ + --resource-group <resource-group-name> \ + --name <app-name> \ + --service <spring-instance-name> \ + --persistent-storage <path-to-new-json-file> \ + --env LOGS=<new-path> + ``` ++## Next steps ++* [Structured application log for Azure Spring Apps](./structured-app-log.md) +* [Analyzing logs and metrics with diagnostic settings](./diagnostic-services.md) |
spring-apps | Monitor App Lifecycle Events | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/monitor-app-lifecycle-events.md | + + Title: Monitor app lifecycle events using Azure Activity log and Azure Service Health +description: Monitor app lifecycle events and set up alerts with Azure Activity log and Azure Service Health. ++++ Last updated : 08/19/2021++++# Monitor app lifecycle events using Azure Activity log and Azure Service Health ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article shows you how to monitor app lifecycle events and set up alerts with Azure Activity log and Azure Service Health. ++Azure Spring Apps provides built-in tools to monitor the status and health of your applications. App lifecycle events help you understand any changes that were made to your applications so you can take action as necessary. ++## Prerequisites ++- An Azure subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. +- A deployed Azure Spring Apps service instance and at least one application already created in your service instance. For more information, see [Quickstart: Deploy your first Spring Boot app in Azure Spring Apps](quickstart.md). ++## Monitor app lifecycle events triggered by users in Azure Activity logs ++[Azure Activity logs](../../azure-monitor/essentials/activity-log.md) contain resource events emitted by operations taken on the resources in your subscription. The following details for application lifecycle events (such as start, stop, and restart) are added into Azure Activity Logs: ++- The time the operation occurred. +- The status of the operation. +- Which instance(s) are created when you start your app. +- Which instance(s) are deleted when you stop your app. +- Which instance(s) are deleted and created when you restart your app. ++To see the affected instances when you restart your app, navigate to your Azure Spring Apps instance in the Azure portal and select **Activity log** in the navigation pane. +++## Monitor app lifecycle events in Azure Service Health ++[Azure Resource Health](../../service-health/resource-health-overview.md) helps you diagnose and get support for issues that may affect the availability of your service. These issues include service incidents, planned maintenance periods, and regional outages. Application restarting events are added into Azure Service Health. They include both unexpected incidents (for example, an unplanned app crash) and scheduled actions (for example, planned maintenance). ++### Monitor unplanned app lifecycle events ++When your app is restarted because of unplanned events, your Azure Spring Apps instance shows a status of **degraded** in the **Resource health** section of the Azure portal. Degraded means that your resource detected a potential loss in performance, although it's still available for use. Examples of unplanned events include app crash, health check failure, and system outage. ++On the Azure Home page, select **Service Health** and then select **Resource Health**. ++In **Health history**, you can find the latest status, the root cause, and affected instances. +++### Monitor planned app lifecycle events ++Your app may be restarted during platform maintenance. You can receive a maintenance notification in advance from the **Planned maintenance** page of Azure Service Health. +++When platform maintenance happens, your Azure Spring Apps instance shows a status of **degraded**. If restarting is needed during platform maintenance, Azure Spring Apps performs a rolling update to incrementally update your applications. Rolling updates are designed to update your workloads without downtime. You can find the latest status in the health history page. +++>[!NOTE] +> Currently, Azure Spring Apps performs one regular planned maintenance to upgrade the underlying Kubernetes version every 2-4 months. For a detailed maintenance timeline, check the notifications on the Azure Service Health page. ++## Set up alerts ++You can set up alerts for app lifecycle events. Service health notifications are also stored in the Azure activity log. The activity log stores a large volume of information, so there's a separate user interface to make it easier to view and set up alerts on service health notifications. ++The following list describes the key steps needed to set up an alert: ++1. Set up an action group with the actions to take when an alert is triggered. Example action types include sending a voice call, SMS, email; or triggering various types of automated actions. Various alerts may use the same action group or different action groups depending on the user's requirements. +2. Set up alert rules. The alerts use action groups to notify users that an alert for some specific app lifecycle event has been triggered. ++### Set up alerts on Activity log ++Use the following steps to create an activity log alert rule in the Azure portal: ++1. Navigate to your Azure Spring Apps instance and select **Activity log** in the navigation pane. ++1. Select any log to open its detail pane and then select **New alert rule**. ++ :::image type="content" source="media/monitor-app-lifecycle-events/activity-log-alert.png" alt-text="Screenshot of the Azure portal showing the Activity log page and the New Alert rule button highlighted for a selected log." lightbox="media/monitor-app-lifecycle-events/activity-log-alert.png" ::: ++1. By default, alerts are scoped to the current subscription. Select the **Scope** tab to select a different subscription. ++1. Select the **Condition** tab. Select **Signal name** to configure the criteria for the condition. ++ :::image type="content" source="media/monitor-app-lifecycle-events/activity-log-alert-condition.png" alt-text="Screenshot of Azure portal activity log alert condition." lightbox="media/monitor-app-lifecycle-events/activity-log-alert-condition.png"::: ++1. Select the **Actions** tab. Add action groups to be applied to the alert rule. ++1. Select **Review + create** and then select **Create**. ++### Set up alerts to monitor app lifecycle events in Azure Service Health ++Use the following steps to create an alert rule for service health notifications in the Azure portal. ++1. On the Azure Home page, select **Service Health** and then select **Resource health** in the navigation pane. +1. Select **Add resource health alert**. ++ :::image type="content" source="media/monitor-app-lifecycle-events/add-resource-health-alert.png" alt-text="Screenshot of Azure portal Resource health page with the 'Add resource health alert' button highlighted." lightbox="media/monitor-app-lifecycle-events/add-resource-health-alert.png"::: ++1. Select the **Scope** tab. Specify the resources to be applied to the alert rule. ++ :::image type="content" source="media/monitor-app-lifecycle-events/resource-health-alert-target.png" alt-text="Screenshot of the Azure portal showing the Scope tab for Create an alert rule dialog when selected from the Resource health page." lightbox="media/monitor-app-lifecycle-events/resource-health-alert-target.png"::: ++1. Select the **Condition** tab. Define the criteria to trigger the alert rule. ++ :::image type="content" source="media/monitor-app-lifecycle-events/resource-health-alert-condition.png" alt-text="Screenshot of the Azure portal showing the Condition tab for Create an alert rule dialog when selected from the Resource health page." lightbox="media/monitor-app-lifecycle-events/resource-health-alert-condition.png"::: ++1. Select the **Actions** tab. Add action groups to be applied to the alert rule. ++1. Select **Review + create** and then select **Create**. ++### Set up alerts to monitor the planned maintenance notification ++Use the following steps to create an alert rule for planned maintenance notifications in the Azure portal: ++1. On the Azure Home page, select **Service Health** and then select **Health alerts** in the navigation pane. +1. Select **Add service health alert**. ++ :::image type="content" source="media/monitor-app-lifecycle-events/add-service-health-alert.png" alt-text="Screenshot of Azure portal Health alerts page the 'Add service health alert' button highlighted." lightbox="media/monitor-app-lifecycle-events/add-service-health-alert.png"::: ++1. Provide values for settings on the **Scope**, **Condition**, and **Actions** tabs. ++ :::image type="content" source="media/monitor-app-lifecycle-events/add-service-health-alert-details.png" lightbox="media/monitor-app-lifecycle-events/add-service-health-alert-details.png" alt-text="Screenshot of the Azure portal showing the Scope tab for Create an alert rule dialog when selected from the Health alerts page."::: ++1. Select **Review + create** and then select **Create**. ++## Next steps ++[Self-diagnose and solve problems in Azure Spring Apps](how-to-self-diagnose-solve.md) |
spring-apps | Monitor Apps By Application Live View | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/monitor-apps-by-application-live-view.md | + + Title: Monitor apps using Application Live View with the Azure Spring Apps Enterprise plan +description: Learn how to monitor apps using Application Live View with the Azure Spring Apps Enterprise plan. ++++ Last updated : 12/01/2022++++# Monitor apps using Application Live View with the Azure Spring Apps Enterprise plan ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ❌ Basic/Standard ✔️ Enterprise ++[Application Live View for VMware Tanzu](https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.4/tap/app-live-view-about-app-live-view.html) is a lightweight insights and troubleshooting tool that helps app developers and app operators look inside running apps. ++Application Live View provides visual insights into running apps by inspecting Spring Boot Actuator information. It provides a live view of the data from inside the app only. Application Live View doesn't store any of the app data for further analysis or historical views. The easy-to-use interface lets you troubleshoot, learn, and maintain an overview of certain aspects of the apps. It provides a certain level of control to users to let them change some parameters such as log levels and environment properties of running apps. ++This article describes the Application Live View UI features, and the pages and views included in the Application Live View user interface. ++## Prerequisites ++- Application Live View for VMware Tanzu. For more information, see [Use Application Live View](./how-to-use-application-live-view.md). ++## Details page ++The **Details** page is the default page loaded in the **Live View** section. This page gives a tabular overview containing the following properties: ++- App name +- Instance ID +- Location +- Actuator location +- Health endpoint +- Direct actuator access +- Framework +- Version +- New patch version +- New major version +- Build version ++You can navigate between information categories by selecting from the drop-down at the top right corner of the page. +++## Health page ++To navigate to the **Health** page, select the **Health** option from the **Information Category** drop-down. The health page provides detailed information about the health of the app. ++The **Health** page includes the following features: ++- View a list of all the components that make up the health of the app, such as readiness, liveness, and disk space. +- View a display of the status and details associated with each of the components. +++## Environment page ++To navigate to the **Environment** page, select the **Environment** option from the **Information Category** drop-down. The environment page contains details of the app's environment. It contains properties including, but not limited to, system properties, environment variables, and configuration properties such as `application.properties` in a Spring Boot app. ++The **Environment** page includes the following features: ++- Search for a property or values using the search feature. +- View all occurrences of a specific property using the search icon at the right corner. You can find the property key quickly, without manually typing in the search field. Selecting this button filters the page to that property name. +- Probe the app to refresh all of the environment properties by selecting **Refresh Scope** at the top right corner of the page. +- Edit existing properties by selecting **override** in the row and editing the value. After the value is saved, you can see the updated property in the **Applied overrides** section at the top of the page. +- Reset the environment property to the original state by selecting **Reset**. +- Add new environment properties to the app, and edit or remove overridden environment variables in the **Applied Overrides** section. +++> [!NOTE] +> You must set `management.endpoint.env.post.enabled=true` in the app config properties of the app, and a corresponding, editable environment must be present in the app. ++## Log Levels page ++To navigate to the **Log Levels** page, select the **Log Levels** option from the **Information Category** drop-down. The log levels page provides access to the app's loggers and the configuration of their levels. ++The **Log Levels** page includes the following features: ++- Configure the log levels, such as `INFO`, `DEBUG`, and `TRACE`, in real-time from the UI. +- Search for a package and edit its respective log level. +- Configure the log levels at a specific class and package. +- Deactivate all the log levels by modifying the log level of root logger to `OFF`. +- Display the changed log levels using the **Changes Only** toggle. +- Search by logger name using the search feature. +- Reset the log levels to the original state by selecting **Reset**. +- Reset all the loggers to default state by selecting **Reset All** at the top right corner of the page. +++## Threads page ++To navigate to the **Threads** page, select the **Threads** option from the **Information Category** drop-down. This page displays all details related to JVM threads and running processes of the app. This tracks live threads and daemon threads real-time. It's a snapshot of different thread states. ++The **Threads** page includes the following features: ++- Navigate to a thread state to display all the information about a particular thread and its stack trace. +- Search for threads by thread ID or state using the search feature. +- Refresh to the latest state of the threads using the refresh icon. +- View more thread details by selecting the thread ID. +- Download a thread dump for analysis purposes. ++++## Memory page ++To navigate to the **Memory** page, select the **Memory** option from the **Information Category** drop-down. ++The **Memory** page highlights the memory use inside of the JVM. It displays a graphical representation of the different memory regions within heap and non-heap memory. For Spring Boot apps running on a JVM, the **Memory** page visualizes data from inside of the JVM, giving you memory insights into the app in contrast to outside information about the Kubernetes pod level. ++The **Memory** page includes the following features: ++- View real-time graphs that display a stacked overview of the different spaces in memory along with the total memory used and total memory size. +- View graphs to display the GC pauses and GC events. +- Download heap dump data using the **Heap Dump** button at the top right corner. +++> [!NOTE] +> This graphical visualization happens in real-time and shows real-time data only. As mentioned previously, the Application Live View features do not store any information. That means the graphs visualize the data over time only for as long as you stay on that page. ++## Request Mappings page ++To navigate to the **Request Mappings** page, select the **Request Mappings** option from the **Information Category** drop-down. This page provides information about the app's request mappings. For each mapping, the page displays the request handler method. ++The **Request Mappings** page includes the following features: ++- View more details about the request mapping, such as the header metadata of the app including the `produces`, `consumes`, and `HTTP` methods, by selecting the mapping. +- Search on the request mapping or the method. +- View the actuator related mappings for the app using the toggle **/actuator/\*\* Request Mappings** ++> [!NOTE] +> When the app actuator endpoint is exposed on `management.server.port`, the app does not return any actuator request mappings data in the context. In this case, a message is displayed when the actuator toggle is enabled. ++++## HTTP Requests page ++To navigate to the **HTTP Requests** page, select the **HTTP Requests** option from the **Information Category** drop-down. The HTTP Requests page provides information about HTTP request-response exchanges to the app. The graph visualizes the requests per second indicating the response status of all the requests. ++The **HTTP Requests** page includes the following features: ++- Filter on the response status, which includes `info`, `success`, `redirects`, `client-errors`, and `server-errors`. +- View the trace data in detail in a table format with metrics such as timestamp, method, path, status, content-type, length, and time. +- Filter the traces based on the search field value using the search feature on the table. +- View more details of the request such as method, headers, and response of the app by selecting the timestamp. +- Select the refresh icon above the graph to load the latest traces for the app. +- Display the actuator related traces for the app using the toggle **/actuator/\*\*** at the top right corner of the page. ++> [!NOTE] +> When the app actuator endpoint is exposed on `management.server.port`, no actuator HTTP Traces data is returned for the app. In this case, a message is displayed when the actuator toggle is enabled. ++++## Caches page ++To navigate to the **Caches** page, select the **Caches** option from the **Information Category** drop-down. The **Caches** page provides access to the app's caches. It gives the details of the cache managers associated with the app, including the fully qualified name of the native cache. ++The **Caches** page includes the following features: ++- Search for a specific cache or cache manager using the search feature. +- Remove individual caches by selecting **Evict**, which causes the cache to be cleared. +- Remove all the caches by selecting **Evict All**. If there are no cache managers for the app, a message is displayed `No cache managers available for the application`. +++## Configuration Properties page ++To navigate to the **Configuration Properties** page, select the **Configuration Properties** option from the **Information Category** drop-down. The **Configuration Properties** page provides information about the configuration properties of the app. For Spring Boot, it displays the app's `@ConfigurationProperties` beans. It gives a snapshot of all the beans and their associated configuration properties. ++The **Configuration Properties** page includes the following feature: ++- Look up a key-value for a property or bean name using the search feature. +++## Conditions page ++To navigate to the **Conditions** page, select the **Conditions** option from the **Information Category** drop-down. The conditions evaluation report provides information about the evaluation of conditions on configuration and auto-configuration classes. For Spring Boot, the conditions evaluation report gives you a clear view of all the beans configured in the app. ++The **Conditions** page includes the following features: ++- Select the bean name to view the conditions and the reason for the conditional match. If beans aren't configured, it shows both the matched and unmatched conditions of the bean, if any. In addition to conditions, it also displays names of unconditional auto configuration classes, if any. +- Filter on the beans and the conditions using the search feature. +++## Scheduled Tasks page ++To navigate to the **Scheduled Tasks** page, select the **Scheduled Tasks** option from the **Information Category** drop-down. The **Scheduled Tasks** page provides information about the app's scheduled tasks, including cron tasks, fixed delay tasks and fixed rate tasks, custom tasks and the properties associated with them. ++The **Scheduled Tasks** page includes the following feature: ++- Search for a particular property or a task in the search bar to retrieve the task or property details. +++## Beans page ++To navigate to the **Beans** page, select the **Beans** option from the **Information Category** drop-down. The **Beans** page provides information about a list of all app beans and its dependencies. It displays the information about the bean type, dependencies, and its resource. ++The **Beans** page includes the following feature: ++- Search by the bean name or its corresponding fields. +++## Metrics Page ++To navigate to the **Metrics** page, select the **Metrics** option from the **Information Category** drop-down. The **Metrics** page provides access to app metrics information. ++The **Metrics** page includes the following features: ++- Choose from the list of various metrics available for the app such as `jvm.memory.used`, `jvm.memory.max`, `http.server.request`. After you choose the metric, you can view the associated tags. +- Choose the value of each of the tags based on filtering criteria. +- Select **Add Metric** to add the metric, which is refreshed every five seconds by default. +- Pause the auto refresh feature by disabling the **Auto Refresh** toggle. +- Refresh the metrics manually by selecting **Refresh All**. +- Change the format of the metric value according to your needs. +- Delete a particular metric by selecting the minus symbol in the same row. +++## Actuator page ++To navigate to the **Actuator** page, select the **Actuator** option from the **Information Category** drop-down. The **Actuator** page provides a tree view of the actuator data. ++The **Actuator** page includes the following feature: ++- Choose from a list of actuator endpoints and parse through the raw actuator data. +++## Next steps ++- [Azure Spring Apps](index.yml) |
spring-apps | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/overview.md | + + Title: Introduction to Azure Spring Apps +description: Learn the features and benefits of Azure Spring Apps to deploy and manage Java Spring applications in Azure. +++ Last updated : 05/23/2023+++#Customer intent: As an Azure Cloud user, I want to deploy, run, and monitor Spring applications. +++# What is Azure Spring Apps? ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Enterprise ✔️ Standard consumption and dedicated (Preview) ✔️ Basic/Standard ++Azure Spring Apps makes it easy to deploy Spring Boot applications to Azure without any code changes. The service manages the infrastructure of Spring applications so developers can focus on their code. Azure Spring Apps provides lifecycle management using comprehensive monitoring and diagnostics, configuration management, service discovery, CI/CD integration, blue-green deployments, and more. ++The following video shows an app composed of Spring Boot applications running on Azure using Azure Spring Apps. ++<br> ++> [!VIDEO https://www.youtube.com/embed/1jOXMFc1oRg] ++## Why use Azure Spring Apps? ++You get the following benefits when you deploy applications to Azure Spring Apps: ++* Efficiently migrate existing Spring apps and manage cloud scaling and costs. +* Modernize apps with Spring Cloud patterns to improve agility and speed of delivery. +* Run Java at cloud scale and drive higher usage without complicated infrastructure. +* Develop and deploy rapidly without containerization dependencies. +* Monitor production workloads efficiently and effortlessly. ++Azure Spring Apps supports both Java [Spring Boot](https://spring.io/projects/spring-boot) and ASP.NET Core [Steeltoe](https://steeltoe.io/) apps. Steeltoe support is currently offered as a public preview. With public preview offerings, you can experiment with new features prior to their official release. ++## Service overview ++As part of the Azure ecosystem, Azure Spring Apps allows easy binding to other Azure services including storage, databases, monitoring, and more, as shown in the following diagram: +++Azure Spring Apps provides you with the following capabilities: ++* A fully managed service for Spring Boot apps that lets you focus on building and running apps without the hassle of managing infrastructure. ++* Automatic wiring of your apps with the Spring service runtime and built-in app lifecycle support when you deploy your JARs or code for your Spring Boot app, or zip file for your Steeltoe app. ++* Ease of monitoring. After deployment, you can monitor app performance, fix errors, and rapidly improve applications. ++* Full integration to Azure's ecosystems and services. ++* Enterprise readiness with fully managed infrastructure and built-in lifecycle management. ++### Get started with Azure Spring Apps ++The following articles help you get started: ++* [Deploy your first application to Azure Spring Apps](quickstart.md) +* [Introduction to the sample app](quickstart-sample-app-introduction.md) ++The following articles help you migrate existing Spring Boot apps to Azure Spring Apps: ++* [Migrate Spring Boot applications to Azure Spring Apps](/azure/developer/java/migration/migrate-spring-boot-to-azure-spring-apps) +* [Migrate Spring Cloud applications to Azure Spring Apps](/azure/developer/java/migration/migrate-spring-cloud-to-azure-spring-apps?pivots=sc-standard-tier) ++The following quickstarts apply to the Basic/Standard plan only. For Enterprise quickstarts, see the [Get started with the Enterprise plan](#get-started-with-the-enterprise-plan) section. ++* [Provision an Azure Spring Apps service instance](../basic-standard/quickstart-provision-service-instance.md) +* [Set up Spring Cloud Config Server for Azure Spring Apps](../basic-standard/quickstart-setup-config-server.md) +* [Build and deploy apps to Azure Spring Apps](../basic-standard/quickstart-deploy-apps.md) ++## Enterprise plan ++The Enterprise plan provides commercially supported Tanzu components with SLA assurance. For more information, see the [SLA for Azure Spring Apps](https://azure.microsoft.com/support/legal/sla/spring-apps). This support helps enterprise customers ship faster for mission-critical workloads with peace of mind. The Enterprise plan helps unlock Spring’s full potential while including feature parity and region parity with the Standard plan. ++The following video introduces the Azure Spring Apps Enterprise plan. ++<br> ++> [!VIDEO https://www.youtube.com/embed/CLvtz8SkrMA] ++### Deploy and manage Spring and polyglot applications ++The Azure Spring Apps Enterprise plan provides the fully managed VMware® Tanzu Build Service. The Tanzu Build Service automates the creation, management, and governance of containers at enterprise scale with the following buildpack options: ++* Open-source [Cloud Native Buildpacks](https://buildpacks.io/) +* Commercial [Language Family Buildpacks for VMware Tanzu](https://docs.vmware.com/en/VMware-Tanzu-Buildpacks/https://docsupdatetracker.net/index.html). ++Tanzu Build Service offers a higher-level abstraction for building applications. Tanzu Build Service also provides a balance of control that reduces the operational burden on developers, and supports enterprise IT operators who manage applications at scale. You can configure what Tanzu Buildpacks to apply and build polyglot applications that run alongside Spring applications on Azure Spring Apps. ++Tanzu Buildpacks makes it easier to build Spring, Java, NodeJS, Python, Go and .NET Core applications. You can also use Tanzu Buildpacks to configure application performance monitoring agents such as Application Insights, New Relic, Dynatrace, AppDynamics, and Elastic. ++### Route client requests to applications ++You can manage and discover request routes and APIs exposed by applications using the fully managed Spring Cloud Gateway for VMware Tanzu and API portal for VMware Tanzu. ++Spring Cloud Gateway for Tanzu effectively routes diverse client requests to applications in Azure Spring Apps, Azure, and on-premises. Spring Cloud Gateway also addresses cross-cutting considerations for applications behind the Gateway. These considerations include securing, routing, rate limiting, caching, monitoring, resiliency and hiding applications. You can make the following configurations to Spring Cloud Gateway: ++* Single sign-on integration with your preferred identity provider without any extra code or dependencies. +* Dynamic routing rules to applications without any application redeployment. +* Request throttling without any backing services. ++API Portal for VMware Tanzu provides API consumers with the ability to find and view API route details exposed by Spring Cloud Gateway for Tanzu and test API requests. ++### Use flexible and configurable VMware Tanzu components ++With the Azure Spring Apps Enterprise plan, you can use fully managed VMware Tanzu components on Azure without operational hassle. You can select which VMware Tanzu components you want to use in your environment, either during or after Enterprise instance creation. The following components are available: ++* [Tanzu Build Service](how-to-enterprise-build-service.md) +* [Spring Cloud Gateway for Tanzu](how-to-configure-enterprise-spring-cloud-gateway.md) +* [API Portal for VMware Tanzu](how-to-use-enterprise-api-portal.md) +* [Application Configuration Service for VMware Tanzu](how-to-enterprise-application-configuration-service.md) +* [VMware Tanzu Service Registry](how-to-enterprise-service-registry.md) +* [Application Live View for VMware Tanzu](how-to-use-application-live-view.md) +* [Application Accelerator for VMware Tanzu](how-to-use-accelerator.md) ++VMware Tanzu components deliver increased value so you can accomplish the following tasks: ++* Grow your enterprise grade application portfolio from a few applications to thousands with end-to-end observability while delegating operational complexity to Microsoft and VMware. +* Lift and shift Spring applications across Azure Spring Apps and any other compute environment. +* Control your build dependencies, deploy polyglot applications, and deploy Spring Cloud middleware components as needed. ++### Unlock Spring’s full potential with Long-Term Support (LTS) ++The Azure Spring Apps Enterprise plan includes VMware Spring Runtime Support for application development and deployments. This support gives you access to Spring experts, enabling you to unlock the full potential of the Spring ecosystem to develop and deploy applications faster. ++Typically, open-source Spring project minor releases receive support for a minimum of 12 months from the date of initial release. In the Azure Spring Apps Enterprise plan, Spring project minor releases receive commercial support for a minimum of 24 months from the date of initial release. This extended support is available through the VMware Spring Runtime Support entitlement and ensures the security and stability of your Spring application portfolio, even after the open source end of life dates. For more information, see [Spring Boot](https://spring.io/projects/spring-boot#support). ++### Fully integrate into the Azure and Java ecosystems ++Azure Spring Apps, including the Enterprise plan, runs on Azure in a fully managed environment. You get all the benefits of Azure and the Java ecosystem, and the experience is familiar and intuitive as described in the following table: ++| Best practice | Ecosystem | +|--|-| +| Create service instances using a provisioning tool. | Azure portal, CLI, ARM Template, Bicep, or Terraform | +| Automate environments and application deployments. | GitHub, Azure DevOps Server, GitLab, and Jenkins | +| Monitor end-to-end using any tool and platform. | Application Insights, Azure Log Analytics, Splunk, Elastic, New Relic, Dynatrace, or AppDynamics | +| Connect Spring applications and interact with cloud services. | Spring integration with Azure services for data, messaging, eventing, cache, storage, and directories | +| Securely load app secrets and certificates. | Azure Key Vault | +| Use familiar development tools. | IntelliJ, Visual Studio Code, Eclipse, Spring Tool Suite, Maven, or Gradle | ++After you create your Enterprise plan service instance and deploy your applications, you can monitor with Application Insights or any other application performance management tools of your choice. ++### Get started with the Enterprise plan ++The following articles help you get started using the Enterprise plan: ++* [The Enterprise plan in Azure Marketplace](how-to-enterprise-marketplace-offer.md) +* [Introduction to Fitness Store sample app](quickstart-sample-app-acme-fitness-store-introduction.md) +* [Build and deploy apps to Azure Spring Apps using the Enterprise plan](quickstart-deploy-apps-enterprise.md) +* [Configure single sign-on for applications using Azure Spring Apps Enterprise plan](quickstart-configure-single-sign-on-enterprise.md) +* [Integrate with Azure Database for PostgreSQL and Azure Cache for Redis](quickstart-integrate-azure-database-and-redis-enterprise.md) +* [Load application secrets using Key Vault](quickstart-key-vault-enterprise.md) +* [Monitor applications end-to-end](quickstart-monitor-end-to-end-enterprise.md) +* [Set request rate limits](quickstart-set-request-rate-limits-enterprise.md) +* [Automate deployments](quickstart-automate-deployments-github-actions-enterprise.md) ++Most of the Azure Spring Apps documentation applies to all the service plans. Some articles apply only to the Enterprise plan or only to the Basic/Standard plan, as indicated at the beginning of each article. ++As a quick reference, the articles listed previously and the articles in the following list apply only to the Enterprise plan, or contain significant content that applies only to the Enterprise plan: ++* [Use Application Configuration Service for Tanzu](how-to-enterprise-application-configuration-service.md) +* [Use Tanzu Build Service](how-to-enterprise-build-service.md) +* [Use Tanzu Service Registry](how-to-enterprise-service-registry.md) +* [Use API portal for VMware Tanzu](how-to-use-enterprise-api-portal.md) +* [Use Spring Cloud Gateway](how-to-use-enterprise-spring-cloud-gateway.md) +* [Deploy polyglot apps in Azure Spring Apps Enterprise plan](how-to-enterprise-deploy-polyglot-apps.md) +* [Enable system-assigned managed identity for an application in Azure Spring Apps](how-to-enable-system-assigned-managed-identity.md?pivots=sc-enterprise-tier) +* [Use Application Insights Java In-Process Agent in Azure Spring Apps](how-to-application-insights.md?pivots=sc-enterprise-tier) ++## Standard consumption and dedicated plan ++The Standard consumption and dedicated plan provides a hybrid pricing solution that combines the best of pay-as-you-go and resource-based pricing. With this comprehensive package, you have the flexibility to pay only for compute time as you get started, while enjoying enhanced cost predictability and significant savings when your resources scale up. ++When you create a Standard consumption and dedicated plan, a consumption workload profile is always created by default. You can additionally add dedicated workload profiles to the same plan to fit the requirements of your workload. ++Workload profiles determine the amount of compute and memory resources available to Spring apps deployed in the Standard consumption and dedicated plan. There are different machine sizes and characteristics with different workload profiles. For more information, see [Workload profiles in Consumption + Dedicated plan structure environments in Azure Container Apps (preview)](../../container-apps/workload-profiles-overview.md). ++You can run your apps in any combination of consumption or dedicated workload profiles. Consider using the consumption workload profile when your applications need to start from and scale to zero. Use the dedicated workload profile when you need dedicated hardware for single tenancy, and for customizable compute as with a memory optimized machine. You can also use the dedicated workload profile to optimize for cost savings when resources are running at scale. ++The Standard consumption and dedicated plan simplifies the virtual network experience for running polyglot applications. In the Standard consumption and dedicated plan, when you deploy frontend applications as containers in Azure Container Apps, all your applications share the same virtual network in the same Azure Container Apps environment. There's no need to create disparate subnets and Network Security Groups for frontend apps, Spring apps, and the Spring service runtime. ++The following diagram shows the architecture of a virtual network in Azure Spring Apps: +++### Get started with the Standard consumption and dedicated plan ++The following articles help you get started using the Standard consumption and dedicated plan: ++* [Provision an Azure Spring Standard consumption and dedicated plan service instance](../consumption-dedicated/quickstart-provision-standard-consumption-service-instance.md) +* [Create an Azure Spring Apps Standard consumption and dedicated plan instance in an Azure Container Apps environment with a virtual network](../consumption-dedicated/quickstart-provision-standard-consumption-app-environment-with-virtual-network.md) +* [Access applications using Azure Spring Apps Standard consumption and dedicated plan in a virtual network](../consumption-dedicated/quickstart-access-standard-consumption-within-virtual-network.md) +* [Deploy an event-driven application to Azure Spring Apps](quickstart-deploy-event-driven-app.md) +* [Set up autoscale for applications in Azure Spring Apps Standard consumption and dedicated plan](../consumption-dedicated/quickstart-apps-autoscale-standard-consumption.md) +* [Map a custom domain to Azure Spring Apps with the Standard consumption and dedicated plan](../consumption-dedicated/quickstart-standard-consumption-custom-domain.md) +* [Analyze logs and metrics in the Azure Spring Apps Standard consumption and dedicated plan](../consumption-dedicated/quickstart-analyze-logs-and-metrics-standard-consumption.md) +* [Enable your own persistent storage in Azure Spring Apps with the Standard consumption and dedicated plan](../consumption-dedicated/how-to-custom-persistent-storage-with-standard-consumption.md) +* [Customer responsibilities for Azure Spring Apps Standard consumption and dedicated plan in a virtual network](../consumption-dedicated/standard-consumption-customer-responsibilities.md) ++## Next steps ++> [!div class="nextstepaction"] +> [Quickstart: Deploy your first application to Azure Spring Apps](quickstart.md) ++Samples are available on GitHub. See [Azure Spring Apps Samples](https://github.com/Azure-Samples/azure-spring-apps-samples/tree/main/). ++For feature updates about Azure Spring Apps, see [Azure updates](https://azure.microsoft.com/updates/?query=spring). |
spring-apps | Plan Comparison | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/plan-comparison.md | + + Title: Compare available plans in Azure Spring Apps +description: Understand and compare all plans in the Azure Spring Apps. ++++ Last updated : 01/05/2024++++# Compare available plans in Azure Spring Apps ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++This article provides a comparison of plans available in Azure Spring Apps. Each plan is designed to cater to different customer scenarios and purposes, as described in the following list: ++- Enterprise plan: This plan is designed to expedite the development and deployment of mission-critical and large-scale enterprise applications with higher SLA and large application cluster support. This plan also addresses enterprise requirements around configuration management, service discovery, API gateway, API portal, ease of integration, portability, and flexibility with on-demand managed Tanzu commercial components and Tanzu Spring Runtime support, built on top of strong partnership between VMware and Microsoft. +- Basic plan: An entry-level plan for individual development and testing. +- Standard plan: A Spring-centric and opinionated application hosting platform with built-in and pre-configured settings for build, service registry, storage, and more. +- Standard consumption and dedicated plan: This plan is hosted in an Azure Container Apps environment and is designed to seamlessly interact with other apps running in the same environment with simplified networking and unified observability. ++The following table shows the differences between each plan: ++| Feature | Description | Enterprise | Basic | Standard | Standard consumption and dedicated | +|--|--||-|-|--| +| **Application management** | Application management with hassle-free infrastructure operations. | | | | | +| App lifecycle management | Create, deploy, stop, and restart apps easily without knowledge of the underlying infrastructure. | ✔️ | ✔️ | ✔️ | ✔️ | +| SLA | The ensured SLA for both apps and managed components. | **99.95%** | n/a | 99.90% | Not available during preview. | +| Max App instance size | The maximum application instance size. | **8 vCPU, 32 GB** | 1 vCPU, 2 GB | 4 vCPU, 8 GB | 4 vCPU, 8 GB in consumption, up to 16 vCPU, 128 GB in dedicated | +| Max App instances | The maximum number of application instances. | **1000** | 25 | 500 | 400 in consumption, 1000 in dedicated. | +| Auto and manual scaling | Automatic and manual app scaling in/out and up/down. | ✔️ | ✔️ | ✔️ | ✔️ | +| Deploy from source code, artifact and custom image | Deploy from source code, artifact, and custom image for apps. | ✔️ | ✔️ | ✔️ | Artifact and custom image. | +| Java app support | Build and deploy Java apps, mainly Spring Apps. | ✔️ | ✔️ | ✔️ | ✔️ | +| Java native image support | Build and deploy Java native image apps. | ✔️ | ❌ | ❌ | ❌ | +| .NET Core app support | Build and deploy .NET Core apps. | ✔️ | ❌ | ❌ | ❌ | +| Node.js app support | Build and deploy Node.js apps. | ✔️ | ❌ | ❌ | ❌ | +| GO app support | Build and deploy Go apps. | ✔️ | ❌ | ❌ | ❌ | +| Python app support | Build and deploy Python apps. | ✔️ | ❌ | ❌ | ❌ | +| PHP app support | Build and deploy PHP apps. | ✔️ | ❌ | ❌ | ❌ | +| Static web app support | Build and deploy static web apps with static web content, like CSS, JS, and HTML files. | ✔️ | ❌ | ❌ | ❌ | +| Zero downtime deployment | Rolling update and blue/green deployment strategies with assured zero downtime and affect for apps. | ✔️ | ✔️ | ✔️ | ✔️ | +| Custom domain | Support multiple custom domains on apps. | ✔️ | ❌ | ✔️ | ✔️ | +| Bring your own storage | Support to mount Azure storage for apps to use. | ✔️ | ✔️ | ✔️ | ✔️ | +| Custom health probes | Support to customize apps on health probes, like liveness, readiness, and startup probes, and graceful termination periods. | ✔️ | ✔️ | ✔️ | ✔️ | +| Auto patching | Automatic patching of the base OS, language runtime (such as the JDK), and APM agents in maintaining images for apps. | ✔️ | ✔️ | ✔️ | ✔️ | +| Spring Runtime Support | Built-in Tanzu Spring Runtime support with extended support period on Spring projects and 24/7 VMware support. | ✔️ | ❌ | ❌ | ❌ | +| **Troubleshooting and monitoring** | Troubleshooting and monitoring. | | | | | +| Remote debugging | Remote debugging. | ✔️ | ✔️ | ✔️ | n/a | +| Thread/heap/JFR dump | Thread/heap/JFR dump. | ✔️ | ✔️ | ✔️ | ✔️ | +| Web shell support | Use a web shell to connect to any running app instance to directly run JDK commands. | ✔️ | ✔️ | ✔️ | ✔️ | +| Out-of-box APM integration | Out-of-box APM integration (Azure Application Insights and popular third-party APMs like Dynatrace, AppDynamics, New Relic, and Elastic APM). | ✔️ | ✔️ | ✔️ | ✔️ | +| **Security** | Secure networking and identity management. | | | | | +| Secure communication along whole traffic path | Secure communication along the whole traffic path, including ingress controller to apps, app to app, and apps to backing services such as databases. | ✔️ | ✔️ | ✔️ | ✔️ | +| VNET injection | Virtual network (VNET) injection. | ✔️ | ❌ | ✔️ | ✔️ | +| Private endpoint | Support to connect with backing services like Azure databases, Key Vault, and so on using a private endpoint. | ✔️ | ❌ | ✔️ | ✔️ | +| Managed identity | Support both Azure system and user-assigned managed identity. | ✔️ | ✔️ | ✔️ | ✔️ | +| **Integration** | Integration capability with backing services, CICD, and IDEs. | | | | | +| Easy integration with any Azure services | Integration with any Azure services on top of Azure SDK and Spring Cloud Azure. | ✔️ | ✔️ | ✔️ | ✔️ | +| Out-of-box CICD integration | Out-of-box CICD integration with Azure DevOps, Jenkins, and GitHub Actions, and so forth. | ✔️ | ✔️ | ✔️ | ✔️ | +| Out-of-box integration with popular IDEs | Out-of-box integration with popular IDEs like VS Code and IntelliJ, to allow in-place interaction with Azure Spring Apps. | ✔️ | ✔️ | ✔️ | ✔️ | +| **Managed components** | Fully managed components with ensured SLA, timely maintenance, and well-tuned configuration to support app development and operation. | | | | | +| SLA | The ensured SLA for both apps and managed components. | **99.95%** | n/a | 99.90% | Not available during preview. | +| Build and maintain images from source code | A build service to centrally manage building and maintaining Open Container Initiative (OCI) images from source code. | ✔️ **(configurable build service<sup>1</sup>)** | ✔️ (default build service) | ✔️ (default build service) | ❌ | +| An API gateway to route requests to backend apps | Spring Cloud Gateway to route requests with cross-cutting concerns addressed centrally (throttling, request/response filters, authentication and authorization, and so forth). | ✔️ | ❌ | ❌ | ❌ | +| An API portal to browse and try out APIs | An API portal to view detailed API documentation, and to try out APIs. | ✔️ | ❌ | ❌ | ❌ | +| App configuration management | A configuration service to distribute app configurations from Git host repositories to apps. | ✔️ **(supports polyglot apps)** | ✔️ (supports Spring apps only) | ✔️ (supports Spring apps only) | ✔️ (supports Spring apps only) | +| Service registry and discovery | A service registry to provide service registration and discovery capabilities for microservices-based Spring applications. | ✔️ | ✔️ | ✔️ | ✔️ | +| Real-time monitoring and troubleshooting apps | A lightweight insights and troubleshooting tool that helps app developers and app operators to look inside running Spring applications. | ✔️ | ❌ | ❌ | ❌ | +| Expedite development with distributable project templates | A project bootstrapping tool to build and distribute templates/accelerators that codify enterprise-conformant code and configurations in a discoverable and repeatable way. | ✔️ | ❌ | ❌ | ❌ | ++<sup>1</sup> The configurable build service enables the following features: ++- Bring your own container registry: configure your own Azure Container Registry (ACR) to store built images instead of using the Azure Spring Apps managed ACR to deploy to other Azure Spring Apps Enterprise-plan environments with verified images. +- Configure resources for the whole build pool, up to 64 vCPU and 128 GB. +- Configure which OS stack to use as the base image for your apps. |
spring-apps | Policy Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/policy-reference.md | + + Title: Built-in policy definitions for Azure Spring Apps +description: Lists Azure Policy built-in policy definitions for Azure Spring Apps. These built-in policy definitions provide common approaches to managing your Azure resources. Last updated : 01/22/2024++++++++# Azure Policy built-in definitions for Azure Spring Apps ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Java ✔️ C# ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This page is an index of [Azure Policy](../../governance/policy/overview.md) built-in policy +definitions for Azure Spring Apps. For additional Azure Policy built-ins for other services, see +[Azure Policy built-in definitions](../../governance/policy/samples/built-in-policies.md). ++The name of each built-in policy definition links to the policy definition in the Azure portal. Use +the link in the **Version** column to view the source on the +[Azure Policy GitHub repo](https://github.com/Azure/azure-policy). ++## Azure Spring Apps +++## Next steps ++- See the built-ins on the [Azure Policy GitHub repo](https://github.com/Azure/azure-policy). +- Review the [Azure Policy definition structure](../../governance/policy/concepts/definition-structure.md). +- Review [Understanding policy effects](../../governance/policy/concepts/effects.md). |
spring-apps | Quickstart Automate Deployments Github Actions Enterprise | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/quickstart-automate-deployments-github-actions-enterprise.md | + + Title: "Quickstart - Automate deployments" ++description: Explains how to automate deployments to the Azure Spring Apps Enterprise plan by using GitHub Actions and Terraform. ++++ Last updated : 05/31/2022++++# Quickstart: Automate deployments ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ❌ Basic/Standard ✔️ Enterprise ++This quickstart shows you how to automate deployments to the Azure Spring Apps Enterprise plan by using GitHub Actions and Terraform. ++## Prerequisites ++- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). +- Understand and fulfill the [Requirements](how-to-enterprise-marketplace-offer.md#requirements) section of [Enterprise plan in Azure Marketplace](how-to-enterprise-marketplace-offer.md). +- [The Azure CLI version 2.45.0 or higher](/cli/azure/install-azure-cli). +- [Git](https://git-scm.com/). +- [jq](https://stedolan.github.io/jq/download/) +- [!INCLUDE [install-enterprise-extension](includes/install-enterprise-extension.md)] ++## Set up a GitHub repository and authenticate ++The automation associated with the sample application requires a Storage account for maintaining Terraform state. The following steps show you how to create a Storage Account for use with GitHub Actions and Terraform. ++1. Use the following command to create a new resource group to contain the Storage Account: ++ ```azurecli + az group create \ + --name <storage-resource-group> \ + --location <location> + ``` ++1. Use the following command to create a Storage Account: ++ ```azurecli + az storage account create \ + --resource-group <storage-resource-group> \ + --name <storage-account-name> \ + --location <location> \ + --sku Standard_RAGRS \ + --kind StorageV2 + ``` ++1. Use the following command to create a Storage Container within the Storage Account: ++ ```azurecli + az storage container create \ + --resource-group <storage-resource-group> \ + --name terraform-state-container \ + --account-name <storage-account-name> \ + --auth-mode login + ``` ++1. Use the following commands to get an Azure credential. You need an Azure service principal credential to authorize Azure login action. ++ ```azurecli + az login + az ad sp create-for-rbac \ + --role contributor \ + --scopes /subscriptions/<SUBSCRIPTION_ID> \ + --json-auth + ``` ++ The command should output a JSON object: ++ ```json + { + "clientId": "<GUID>", + "clientSecret": "<GUID>", + "subscriptionId": "<GUID>", + "tenantId": "<GUID>", + ... + } + ``` ++1. This example uses the [fitness store](https://github.com/Azure-Samples/acme-fitness-store) sample on GitHub. Fork the sample, open the GitHub repository page, and then select the **Settings** tab. Open the **Secrets** menu, then select **Add a new secret**, as shown in the following screenshot. ++ :::image type="content" source="media/quickstart-automate-deployments-github-actions-enterprise/actions1.png" alt-text="Screenshot showing GitHub Settings Add new secret." lightbox="media/quickstart-automate-deployments-github-actions-enterprise/actions1.png"::: ++1. Set the secret name to `AZURE_CREDENTIALS` and set its value to the JSON string that you found under the heading **Set up your GitHub repository and authenticate**. ++ :::image type="content" source="media/quickstart-automate-deployments-github-actions-enterprise/actions2.png" alt-text="Screenshot showing GitHub Settings Set secret data." lightbox="media/quickstart-automate-deployments-github-actions-enterprise/actions2.png"::: ++1. Add the following secrets to GitHub Actions: ++ - `TF_PROJECT_NAME`: Use a value of your choosing. This value will be the name of your Terraform Project. + - `AZURE_LOCATION`: The Azure Region your resources will be created in. + - `OIDC_JWK_SET_URI`: Use the `JWK_SET_URI` defined in [Quickstart: Configure single sign-on for applications using the Azure Spring Apps Enterprise plan](quickstart-configure-single-sign-on-enterprise.md). + - `OIDC_CLIENT_ID`: Use the `CLIENT_ID` defined in [Quickstart: Configure single sign-on for applications using the Azure Spring Apps Enterprise plan](quickstart-configure-single-sign-on-enterprise.md). + - `OIDC_CLIENT_SECRET`: Use the `CLIENT_SECRET` defined in [Quickstart: Configure single sign-on for applications using the Azure Spring Apps Enterprise plan](quickstart-configure-single-sign-on-enterprise.md). + - `OIDC_ISSUER_URI`: Use the `ISSUER_URI` defined in [Quickstart: Configure single sign-on for applications using the Azure Spring Apps Enterprise plan](quickstart-configure-single-sign-on-enterprise.md). ++1. Add the secret `TF_BACKEND_CONFIG` to GitHub Actions with the following value: ++ ```text + resource_group_name = "<storage-resource-group>" + storage_account_name = "<storage-account-name>" + container_name = "terraform-state-container" + key = "dev.terraform.tfstate" + ``` ++## Automate with GitHub Actions ++Now you can run GitHub Actions in your repository. The [provision workflow](https://github.com/Azure-Samples/acme-fitness-store/blob/HEAD/.github/workflows/provision.yml) provisions all resources necessary to run the example application. The following screenshot shows an example run: +++Each application has a [deploy workflow](https://github.com/Azure-Samples/acme-fitness-store/blob/HEAD/.github/workflows/catalog.yml) that will redeploy the application when changes are made to that application. The following screenshot shows some example output from the catalog service: +++The [cleanup workflow](https://github.com/Azure-Samples/acme-fitness-store/blob/HEAD/.github/workflows/cleanup.yml) can be manually run to delete all resources created by the `provision` workflow. The following screenshot shows the output: +++## Clean up resources ++If you plan to continue working with subsequent quickstarts and tutorials, you might want to leave these resources in place. When no longer needed, delete the resource group, which deletes the resources in the resource group. To delete the resource group by using Azure CLI, use the following commands: ++```azurecli +echo "Enter the Resource Group name:" && +read resourceGroupName && +az group delete --name $resourceGroupName && +echo "Press [ENTER] to continue ..." +``` ++## Next steps ++Continue on to any of the following optional quickstarts: ++- [Configure single sign-on](quickstart-configure-single-sign-on-enterprise.md) +- [Integrate Azure Database for PostgreSQL and Azure Cache for Redis](quickstart-integrate-azure-database-and-redis-enterprise.md) +- [Load application secrets using Key Vault](quickstart-key-vault-enterprise.md) +- [Monitor applications end-to-end](quickstart-monitor-end-to-end-enterprise.md) +- [Set request rate limits](quickstart-set-request-rate-limits-enterprise.md) +- [Integrate Azure Open AI](quickstart-fitness-store-azure-openai.md) |
spring-apps | Quickstart Configure Single Sign On Enterprise | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/quickstart-configure-single-sign-on-enterprise.md | + + Title: Quickstart - Configure single sign-on for applications using the Azure Spring Apps Enterprise plan +description: Describes single sign-on configuration for the Azure Spring Apps Enterprise plan. ++++ Last updated : 05/31/2022++++# Quickstart: Configure single sign-on for applications using the Azure Spring Apps Enterprise plan ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ❌ Basic/Standard ✔️ Enterprise ++This quickstart shows you how to configure single sign-on for applications running on the Azure Spring Apps Enterprise plan. ++## Prerequisites ++- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). +- A license for the Azure Spring Apps Enterprise plan. For more information, see [Enterprise plan in Azure Marketplace](how-to-enterprise-marketplace-offer.md). +- [The Azure CLI version 2.45.0 or higher](/cli/azure/install-azure-cli). +- [Git](https://git-scm.com/). +- [jq](https://stedolan.github.io/jq/download/) +- [!INCLUDE [install-enterprise-extension](includes/install-enterprise-extension.md)] +- Complete the steps in [Build and deploy apps to Azure Spring Apps using the Enterprise plan](quickstart-deploy-apps-enterprise.md). ++## Prepare single sign-on credentials ++To configure single sign-on for the application, you need to prepare credentials. The following sections describe steps for using an existing provider or provisioning an application registration with Microsoft Entra ID. ++### Use an existing provider ++Follow these steps to configure single sign-on using an existing Identity Provider. If you're provisioning a Microsoft Entra App Registration, skip ahead to the following section, [Create and configure an application registration with Microsoft Entra ID](#create-and-configure-an-application-registration-with-azure-active-directory). ++1. Configure your existing identity provider to allow redirects back to Spring Cloud Gateway for VMware Tanzu and API portal for VMware Tanzu. Spring Cloud Gateway has a single URI to allow re-entry to the gateway. API portal has two URIs for supporting the user interface and underlying API. The following commands retrieve these URIs that you add to your single sign-on provider's configuration. ++ ```azurecli + export GATEWAY_URL=$(az spring gateway show \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> | jq -r '.properties.url') ++ export PORTAL_URL=$(az spring api-portal show \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> | jq -r '.properties.url') ++ echo "https://${GATEWAY_URL}/login/oauth2/code/sso" + echo "https://${PORTAL_URL}/oauth2-redirect.html" + echo "https://${PORTAL_URL}/login/oauth2/code/sso" + ``` ++1. Obtain the `Client ID` and `Client Secret` for your identity provider. ++1. Obtain the `Issuer URI` for your identity provider. You must configure the provider with an issuer URI, which is the URI that it asserts as its Issuer Identifier. For example, if the `issuer-uri` provided is `https://example.com`, then an OpenID Provider Configuration Request is made to `https://example.com/.well-known/openid-configuration`. The result is expected to be an OpenID Provider Configuration Response. ++ > [!NOTE] + > You can only use authorization servers that support OpenID Connect Discovery protocol. ++1. Obtain the `JWK URI` for your identity provider for use later. The `JWK URI` typically takes the form `${ISSUER_URI}/keys` or `${ISSUER_URI}/<version>/keys`. The Identity Service application uses the public JSON Web Keys (JWK) to verify JSON Web Tokens (JWT) issued by your single sign-on identity provider's authorization server. ++<a name='create-and-configure-an-application-registration-with-azure-active-directory'></a> ++### Create and configure an application registration with Microsoft Entra ID ++To register the application with Microsoft Entra ID, follow these steps. If you're using an existing provider's credentials, skip ahead to the following section, [Deploy the Identity Service application](#deploy-the-identity-service-application). ++1. Use the following command to create an application registration with Microsoft Entra ID and save the output: ++ ```azurecli + az ad app create --display-name <app-registration-name> > ad.json + ``` ++1. Use the following command to retrieve the application ID and collect the client secret: ++ ```azurecli + export APPLICATION_ID=$(cat ad.json | jq -r '.appId') + az ad app credential reset --id ${APPLICATION_ID} --append > sso.json + ``` ++1. Use the following command to assign a Service Principal to the application registration: ++ ```azurecli + az ad sp create --id ${APPLICATION_ID} + ``` ++1. Use the following commands to retrieve the URLs for Spring Cloud Gateway and API portal, and add the necessary Reply URLs to the Active Directory App Registration. ++ ```azurecli + export APPLICATION_ID=$(cat ad.json | jq -r '.appId') ++ export GATEWAY_URL=$(az spring gateway show \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> | jq -r '.properties.url') ++ export PORTAL_URL=$(az spring api-portal show \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> | jq -r '.properties.url') ++ az ad app update \ + --id ${APPLICATION_ID} \ + --web-redirect-uris "https://${GATEWAY_URL}/login/oauth2/code/sso" "https://${PORTAL_URL}/oauth2-redirect.html" "https://${PORTAL_URL}/login/oauth2/code/sso" + ``` ++1. Use the following command to retrieve the application's `Client ID`. Save the output to use later in this quickstart. ++ ```bash + cat sso.json | jq -r '.appId' + ``` ++1. Use the following command to retrieve the application's `Client Secret`. Save the output to use later in this quickstart. ++ ```bash + cat sso.json | jq -r '.password' + ``` ++1. Use the following command to retrieve the `Issuer URI`. Save the output to use later in this quickstart. ++ ```bash + export TENANT_ID=$(cat sso.json | jq -r '.tenant') + echo "https://login.microsoftonline.com/${TENANT_ID}/v2.0" + ``` ++1. Retrieve the `JWK URI` from the output of the following command. The Identity Service application uses the public JSON Web Keys (JWK) to verify JSON Web Tokens (JWT) issued by Active Directory. ++ ```bash + export TENANT_ID=$(cat sso.json | jq -r '.tenant') + echo "https://login.microsoftonline.com/${TENANT_ID}/discovery/v2.0/keys" + ``` ++## Deploy the Identity Service application ++To complete the single sign-on experience, use the following steps to deploy the Identity Service application. The Identity Service application provides a single route to aid in identifying the user. ++1. Navigate to the project folder. ++1. Use the following command to create the `identity-service` application: ++ ```azurecli + az spring app create \ + --resource-group <resource-group-name> \ + --name identity-service \ + --service <Azure-Spring-Apps-service-instance-name> + ``` ++1. Use the following command to enable externalized configuration for the identity service by binding to Application Configuration Service: ++ ```azurecli + az spring application-configuration-service bind \ + --resource-group <resource-group-name> \ + --app identity-service \ + --service <Azure-Spring-Apps-service-instance-name> + ``` ++1. Use the following command to enable service discovery and registration for the identity service by binding to Service Registry: ++ ```azurecli + az spring service-registry bind \ + --resource-group <resource-group-name> \ + --app identity-service \ + --service <Azure-Spring-Apps-service-instance-name> + ``` ++1. Use the following command to deploy the identity service: ++ ```azurecli + az spring app deploy \ + --resource-group <resource-group-name> \ + --name identity-service \ + --service <Azure-Spring-Apps-service-instance-name> \ + --config-file-pattern identity/default \ + --source-path apps/acme-identity \ + --build-env BP_JVM_VERSION=17 \ + --env "JWK_URI=<jwk-uri>" + ``` ++1. Use the following command to route requests to the identity service: ++ ```azurecli + az spring gateway route-config create \ + --resource-group <resource-group-name> \ + --name identity-routes \ + --service <Azure-Spring-Apps-service-instance-name> \ + --app-name identity-service \ + --routes-file azure-spring-apps-enterprise/resources/json/routes/identity-service.json + ``` ++## Configure single sign-on for Spring Cloud Gateway ++You can configure Spring Cloud Gateway to authenticate requests using single sign-on. To configure Spring Cloud Gateway to use single sign-on, follow these steps: ++1. Use the following commands to configure Spring Cloud Gateway to use single sign-on: ++ ```azurecli + export GATEWAY_URL=$(az spring gateway show \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> | jq -r '.properties.url') ++ az spring gateway update \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> \ + --api-description "Fitness Store API" \ + --api-title "Fitness Store" \ + --api-version "v1.0" \ + --server-url "https://${GATEWAY_URL}" \ + --allowed-origins "*" \ + --client-id <client-id> \ + --client-secret <client-secret> \ + --scope "openid,profile" \ + --issuer-uri <issuer-uri> + ``` ++1. Instruct the cart service application to use Spring Cloud Gateway for authentication. Use the following command to provide the necessary environment variables: ++ ```azurecli + az spring app update \ + --resource-group <resource-group-name> \ + --name cart-service \ + --service <Azure-Spring-Apps-service-instance-name> \ + --env "AUTH_URL=https://${GATEWAY_URL}" "CART_PORT=8080" + ``` ++1. Instruct the order service application to use Spring Cloud Gateway for authentication. Use the following command to provide the necessary environment variables: ++ ```azurecli + az spring app update \ + --resource-group <resource-group-name> \ + --name order-service \ + --service <Azure-Spring-Apps-service-instance-name> \ + --env "AcmeServiceSettings__AuthUrl=https://${GATEWAY_URL}" + ``` ++1. Use the following command to retrieve the URL for Spring Cloud Gateway: ++ ```bash + echo "https://${GATEWAY_URL}" + ``` ++ You can open the output URL in a browser to explore the updated application. The Log In function is now operational, allowing you to add items to the cart and place orders. After you sign in, the customer information button displays the signed-in username. ++## Configure single sign-on for API portal ++You can configure API portal for VMware Tanzu to use single sign-on to require authentication before exploring APIs. Use the following commands to configure single sign-on for API portal: ++```azurecli +export PORTAL_URL=$(az spring api-portal show \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> | jq -r '.properties.url') ++az spring api-portal update \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> \ + --client-id <client-id> \ + --client-secret <client-secret> \ + --scope "openid,profile,email" \ + --issuer-uri <issuer-uri> +``` ++Use the following commands to retrieve the URL for API portal: ++```azurecli +export PORTAL_URL=$(az spring api-portal show \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> | jq -r '.properties.url') ++echo "https://${PORTAL_URL}" +``` ++You can open the output URL in a browser to explore the application APIs. You're directed to sign on before exploring APIs. ++++## Clean up resources ++If you plan to continue working with subsequent quickstarts and tutorials, you might want to leave these resources in place. When no longer needed, delete the resource group, which deletes the resources in the resource group. To delete the resource group by using Azure CLI, use the following commands: ++```azurecli +echo "Enter the Resource Group name:" && +read resourceGroupName && +az group delete --name $resourceGroupName && +echo "Press [ENTER] to continue ..." +``` ++## Next steps ++Continue on to any of the following optional quickstarts: ++- [Integrate Azure Database for PostgreSQL and Azure Cache for Redis](quickstart-integrate-azure-database-and-redis-enterprise.md) +- [Load application secrets using Key Vault](quickstart-key-vault-enterprise.md) +- [Monitor applications end-to-end](quickstart-monitor-end-to-end-enterprise.md) +- [Set request rate limits](quickstart-set-request-rate-limits-enterprise.md) +- [Automate deployments](quickstart-automate-deployments-github-actions-enterprise.md) |
spring-apps | Quickstart Deploy Apps Enterprise | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/quickstart-deploy-apps-enterprise.md | + + Title: "Quickstart - Build and deploy apps to the Azure Spring Apps Enterprise plan" +description: Describes app deployment to the Azure Spring Apps Enterprise plan. ++++ Last updated : 05/31/2022++++# Quickstart: Build and deploy apps to Azure Spring Apps using the Enterprise plan ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ❌ Basic/Standard ✔️ Enterprise ++This quickstart shows you how to build and deploy applications to Azure Spring Apps using the Enterprise plan. ++## Prerequisites ++- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). +- Understand and fulfill the [Requirements](how-to-enterprise-marketplace-offer.md#requirements) section of [Enterprise plan in Azure Marketplace](how-to-enterprise-marketplace-offer.md). +- [The Azure CLI version 2.45.0 or higher](/cli/azure/install-azure-cli). +- [Git](https://git-scm.com/). +- [!INCLUDE [install-enterprise-extension](includes/install-enterprise-extension.md)] ++## Download the sample app ++Use the following commands to download the sample: ++```bash +git clone https://github.com/Azure-Samples/acme-fitness-store +cd acme-fitness-store +``` ++## Provision a service instance ++Use the following steps to provision an Azure Spring Apps service instance. ++1. Use the following command to sign in to the Azure CLI and choose your active subscription: ++ ```azurecli + az login + az account list --output table + az account set --subscription <subscription-ID> + ``` ++1. Use the following command to accept the legal terms and privacy statements for the Enterprise plan. This step is necessary only if your subscription has never been used to create an Enterprise plan instance of Azure Spring Apps. ++ ```azurecli + az provider register --namespace Microsoft.SaaS + az term accept \ + --publisher vmware-inc \ + --product azure-spring-cloud-vmware-tanzu-2 \ + --plan asa-ent-hr-mtr + ``` ++1. Select a location. This location must be a location supporting the Azure Spring Apps Enterprise plan. For more information, see the [Azure Spring Apps FAQ](faq.md). ++1. Use the following command to create a resource group: ++ ```azurecli + az group create \ + --name <resource-group-name> \ + --location <location> + ``` ++ For more information about resource groups, see [What is Azure Resource Manager?](../../azure-resource-manager/management/overview.md). ++1. Prepare a name for your Azure Spring Apps service instance. The name must be between 4 and 32 characters long and can contain only lowercase letters, numbers, and hyphens. The first character of the service name must be a letter and the last character must be either a letter or a number. ++1. Use the following command to create an Azure Spring Apps service instance: ++ ```azurecli + az spring create \ + --resource-group <resource-group-name> \ + --name <Azure-Spring-Apps-service-instance-name> \ + --sku enterprise \ + --enable-application-configuration-service \ + --enable-service-registry \ + --enable-gateway \ + --enable-api-portal + ``` ++1. Use the following command to create a Log Analytics Workspace to be used for your Azure Spring Apps service: ++ ```azurecli + az monitor log-analytics workspace create \ + --resource-group <resource-group-name> \ + --workspace-name <workspace-name> \ + --location <location> + ``` ++1. Use the following commands to retrieve the Resource ID for your Log Analytics Workspace and Azure Spring Apps service instance: ++ ```azurecli + export LOG_ANALYTICS_RESOURCE_ID=$(az monitor log-analytics workspace show \ + --resource-group <resource-group-name> \ + --workspace-name <workspace-name> \ + --query id \ + --output tsv) ++ export AZURE_SPRING_APPS_RESOURCE_ID=$(az spring show \ + --resource-group <resource-group-name> \ + --name <Azure-Spring-Apps-service-instance-name> \ + --query id \ + --output tsv) + ``` ++1. Use the following command to configure diagnostic settings for the Azure Spring Apps Service: ++ ```azurecli + az monitor diagnostic-settings create \ + --name "send-logs-and-metrics-to-log-analytics" \ + --resource ${AZURE_SPRING_APPS_RESOURCE_ID} \ + --workspace ${LOG_ANALYTICS_RESOURCE_ID} \ + --logs '[ + { + "category": "ApplicationConsole", + "enabled": true, + "retentionPolicy": { + "enabled": false, + "days": 0 + } + }, + { + "category": "SystemLogs", + "enabled": true, + "retentionPolicy": { + "enabled": false, + "days": 0 + } + }, + { + "category": "IngressLogs", + "enabled": true, + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ]' \ + --metrics '[ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ]' + ``` ++1. Use the following commands to create applications for `cart-service`, `order-service`, `payment-service`, `catalog-service`, and `frontend`: ++ ```azurecli + az spring app create \ + --resource-group <resource-group-name> \ + --name cart-service \ + --service <Azure-Spring-Apps-service-instance-name> ++ az spring app create \ + --resource-group <resource-group-name> \ + --name order-service \ + --service <Azure-Spring-Apps-service-instance-name> ++ az spring app create \ + --resource-group <resource-group-name> \ + --name payment-service \ + --service <Azure-Spring-Apps-service-instance-name> ++ az spring app create \ + --resource-group <resource-group-name> \ + --name catalog-service \ + --service <Azure-Spring-Apps-service-instance-name> ++ az spring app create \ + --resource-group <resource-group-name> \ + --name frontend \ + --service <Azure-Spring-Apps-service-instance-name> + ``` ++## Externalize configuration with Application Configuration Service ++Use the following steps to configure Application Configuration Service. ++1. Use the following command to create a configuration repository for Application Configuration Service: ++ ```azurecli + az spring application-configuration-service git repo add \ + --resource-group <resource-group-name> \ + --name acme-fitness-store-config \ + --service <Azure-Spring-Apps-service-instance-name> \ + --label main \ + --patterns "catalog/default,catalog/key-vault,identity/default,identity/key-vault,payment/default" \ + --uri "https://github.com/Azure-Samples/acme-fitness-store-config" + ``` ++1. Use the following commands to bind applications to Application Configuration Service: ++ ```azurecli + az spring application-configuration-service bind \ + --resource-group <resource-group-name> \ + --app payment-service \ + --service <Azure-Spring-Apps-service-instance-name> ++ az spring application-configuration-service bind \ + --resource-group <resource-group-name> \ + --app catalog-service \ + --service <Azure-Spring-Apps-service-instance-name> + ``` ++## Activate service registration and discovery ++To active service registration and discovery, use the following commands to bind applications to Service Registry: ++```azurecli +az spring service-registry bind \ + --resource-group <resource-group-name> \ + --app payment-service \ + --service <Azure-Spring-Apps-service-instance-name> ++az spring service-registry bind \ + --resource-group <resource-group-name> \ + --app catalog-service \ + --service <Azure-Spring-Apps-service-instance-name> +``` ++## Deploy polyglot applications with Tanzu Build Service ++Use the following steps to deploy and build applications. For these steps, make sure that the terminal is in the project folder before running any commands. ++1. Use the following command to create a custom builder in Tanzu Build Service: ++ ```azurecli + az spring build-service builder create \ + --resource-group <resource-group-name> \ + --name quickstart-builder \ + --service <Azure-Spring-Apps-service-instance-name> \ + --builder-file azure-spring-apps-enterprise/resources/json/tbs/builder.json + ``` ++1. Use the following command to build and deploy the payment service: ++ ```azurecli + az spring app deploy \ + --resource-group <resource-group-name> \ + --name payment-service \ + --service <Azure-Spring-Apps-service-instance-name> \ + --config-file-pattern payment/default \ + --source-path apps/acme-payment \ + --build-env BP_JVM_VERSION=17 + ``` ++1. Use the following command to build and deploy the catalog service: ++ ```azurecli + az spring app deploy \ + --resource-group <resource-group-name> \ + --name catalog-service \ + --service <Azure-Spring-Apps-service-instance-name> \ + --config-file-pattern catalog/default \ + --source-path apps/acme-catalog \ + --build-env BP_JVM_VERSION=17 + ``` ++1. Use the following command to build and deploy the order service: ++ ```azurecli + az spring app deploy \ + --resource-group <resource-group-name> \ + --name order-service \ + --service <Azure-Spring-Apps-service-instance-name> \ + --builder quickstart-builder \ + --source-path apps/acme-order + ``` ++1. Use the following command to build and deploy the cart service: ++ ```azurecli + az spring app deploy \ + --resource-group <resource-group-name> \ + --name cart-service \ + --service <Azure-Spring-Apps-service-instance-name> \ + --builder quickstart-builder \ + --env "CART_PORT=8080" \ + --source-path apps/acme-cart + ``` ++1. Use the following command to build and deploy the frontend application: ++ ```azurecli + az spring app deploy \ + --resource-group <resource-group-name> \ + --name frontend \ + --service <Azure-Spring-Apps-service-instance-name> \ + --source-path apps/acme-shopping + ``` ++> [!TIP] +> To troubleshot deployments, you can use the following command to get logs streaming in real time whenever the app is running: `az spring app logs --name <app name> --follow`. ++## Route requests to apps with Spring Cloud Gateway ++Use the following steps to configure Spring Cloud Gateway and configure routes to applications. ++1. Use the following command to assign an endpoint to Spring Cloud Gateway: ++ ```azurecli + az spring gateway update \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> \ + --assign-endpoint true + ``` ++1. Use the following commands to configure Spring Cloud Gateway API information: ++ ```azurecli + export GATEWAY_URL=$(az spring gateway show \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> \ + --query properties.url \ + --output tsv) ++ az spring gateway update \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> \ + --api-description "Fitness Store API" \ + --api-title "Fitness Store" \ + --api-version "v1.0" \ + --server-url "https://${GATEWAY_URL}" \ + --allowed-origins "*" + ``` ++1. Use the following command to create routes for the cart service: ++ ```azurecli + az spring gateway route-config create \ + --resource-group <resource-group-name> \ + --name cart-routes \ + --service <Azure-Spring-Apps-service-instance-name> \ + --app-name cart-service \ + --routes-file azure-spring-apps-enterprise/resources/json/routes/cart-service.json + ``` ++1. Use the following command to create routes for the order service: ++ ```azurecli + az spring gateway route-config create \ + --resource-group <resource-group-name> \ + --name order-routes \ + --service <Azure-Spring-Apps-service-instance-name> \ + --app-name order-service \ + --routes-file azure-spring-apps-enterprise/resources/json/routes/order-service.json + ``` ++1. Use the following command to create routes for the catalog service: ++ ```azurecli + az spring gateway route-config create \ + --resource-group <resource-group-name> \ + --name catalog-routes \ + --service <Azure-Spring-Apps-service-instance-name> \ + --app-name catalog-service \ + --routes-file azure-spring-apps-enterprise/resources/json/routes/catalog-service.json + ``` ++1. Use the following command to create routes for the frontend: ++ ```azurecli + az spring gateway route-config create \ + --resource-group <resource-group-name> \ + --name frontend-routes \ + --service <Azure-Spring-Apps-service-instance-name> \ + --app-name frontend \ + --routes-file azure-spring-apps-enterprise/resources/json/routes/frontend.json + ``` ++1. Use the following commands to retrieve the URL for Spring Cloud Gateway: ++ ```azurecli + export GATEWAY_URL=$(az spring gateway show \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> \ + --query properties.url \ + --output tsv) ++ echo "https://${GATEWAY_URL}" + ``` ++ You can open the output URL in a browser to explore the deployed application. ++## Browse and try APIs with API Portal ++Use the following steps to configure API Portal. ++1. Use the following command to assign an endpoint to API Portal: ++ ```azurecli + az spring api-portal update \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> \ + --assign-endpoint true + ``` ++1. Use the following commands to retrieve the URL for API Portal: ++ ```azurecli + export PORTAL_URL=$(az spring api-portal show \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> \ + --query properties.url \ + --output tsv) ++ echo "https://${PORTAL_URL}" + ``` ++ You can open the output URL in a browser to explore the application APIs. ++++## Clean up resources ++If you plan to continue working with subsequent quickstarts and tutorials, you might want to leave these resources in place. When no longer needed, delete the resource group, which deletes the resources in the resource group. To delete the resource group by using Azure CLI, use the following commands: ++```azurecli +echo "Enter the Resource Group name:" && +read resourceGroupName && +az group delete --name $resourceGroupName && +echo "Press [ENTER] to continue ..." +``` ++## Next steps ++Now that you've successfully built and deployed your app, continue on to any of the following optional quickstarts: ++- [Configure single sign-on](quickstart-configure-single-sign-on-enterprise.md) +- [Integrate Azure Database for PostgreSQL and Azure Cache for Redis](quickstart-integrate-azure-database-and-redis-enterprise.md) +- [Load application secrets using Key Vault](quickstart-key-vault-enterprise.md) +- [Monitor applications end-to-end](quickstart-monitor-end-to-end-enterprise.md) +- [Set request rate limits](quickstart-set-request-rate-limits-enterprise.md) +- [Automate deployments](quickstart-automate-deployments-github-actions-enterprise.md) +- [Integrate Azure Open AI](quickstart-fitness-store-azure-openai.md) |
spring-apps | Quickstart Deploy Event Driven App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/quickstart-deploy-event-driven-app.md | + + Title: Quickstart - Deploy event-driven application to Azure Spring Apps +description: Learn how to deploy an event-driven application to Azure Spring Apps. +++ Last updated : 07/19/2023+++zone_pivot_groups: spring-apps-plan-selection +++# Quickstart: Deploy an event-driven application to Azure Spring Apps ++> [!NOTE] +> The first 50 vCPU hours and 100 GB hours of memory are free each month. For more information, see [Price Reduction - Azure Spring Apps does more, costs less!](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/price-reduction-azure-spring-apps-does-more-costs-less/ba-p/3614058) on the [Apps on Azure Blog](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/bg-p/AppsonAzureBlog). ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Standard consumption and dedicated (Preview) ✔️ Basic/Standard ✔️ Enterprise ++This article explains how to deploy a Spring Boot event-driven application to Azure Spring Apps. ++The sample project is an event-driven application that subscribes to a [Service Bus queue](../../service-bus-messaging/service-bus-queues-topics-subscriptions.md#queues) named `lower-case`, and then handles the message and sends another message to another queue named `upper-case`. To make the app simple, message processing just converts the message to uppercase. The following diagram depicts this process: +++This article provides the following options for deploying to Azure Spring Apps: ++++++- The **Azure portal** option is the easiest and fastest way to create resources and deploy applications with a single click. This option is suitable for Spring developers who want to quickly deploy applications to Azure cloud services. +- The **Azure portal + Maven plugin** option is a more conventional way to create resources and deploy applications step by step. This option is suitable for Spring developers using Azure cloud services for the first time. +- The **Azure CLI** option uses a powerful command line tool to manage Azure resources. This option is suitable for Spring developers who are familiar with Azure cloud services. ++## 1. Prerequisites +++### [Azure portal](#tab/Azure-portal) ++- An Azure subscription. [!INCLUDE [quickstarts-free-trial-note](../../../includes/quickstarts-free-trial-note.md)] ++### [Azure portal + Maven plugin](#tab/Azure-portal-maven-plugin) ++- An Azure subscription. [!INCLUDE [quickstarts-free-trial-note](../../../includes/quickstarts-free-trial-note.md)] +- [Git](https://git-scm.com/downloads). +- [Java Development Kit (JDK)](/java/azure/jdk/), version 17. ++### [Azure Developer CLI](#tab/Azure-Developer-CLI) ++- An Azure subscription. [!INCLUDE [quickstarts-free-trial-note](../../../includes/quickstarts-free-trial-note.md)] +- [Git](https://git-scm.com/downloads). +- [Java Development Kit (JDK)](/java/azure/jdk/), version 17. +- [Azure Developer CLI (AZD)](/azure/developer/azure-developer-cli/install-azd), version 1.2.0 or higher. ++++++### [Azure portal](#tab/Azure-portal-ent) ++- An Azure subscription. [!INCLUDE [quickstarts-free-trial-note](../../../includes/quickstarts-free-trial-note.md)] +- If you're deploying an Azure Spring Apps Enterprise plan instance for the first time in the target subscription, see the [Requirements](./how-to-enterprise-marketplace-offer.md#requirements) section of [View Azure Spring Apps Enterprise tier offering in Azure Marketplace](./how-to-enterprise-marketplace-offer.md). ++### [Azure portal + Maven plugin](#tab/Azure-portal-maven-plugin-ent) ++- An Azure subscription. [!INCLUDE [quickstarts-free-trial-note](../../../includes/quickstarts-free-trial-note.md)] +- If you're deploying an Azure Spring Apps Enterprise plan instance for the first time in the target subscription, see the [Requirements](./how-to-enterprise-marketplace-offer.md#requirements) section of [View Azure Spring Apps Enterprise tier offering in Azure Marketplace](./how-to-enterprise-marketplace-offer.md). +- [Git](https://git-scm.com/downloads). +- [Java Development Kit (JDK)](/java/azure/jdk/), version 17. ++### [Azure CLI](#tab/Azure-CLI) ++- An Azure subscription. [!INCLUDE [quickstarts-free-trial-note](../../../includes/quickstarts-free-trial-note.md)] +- If you're deploying an Azure Spring Apps Enterprise plan instance for the first time in the target subscription, see the [Requirements](./how-to-enterprise-marketplace-offer.md#requirements) section of [View Azure Spring Apps Enterprise tier offering in Azure Marketplace](./how-to-enterprise-marketplace-offer.md). +- [Git](https://git-scm.com/downloads). +- [Java Development Kit (JDK)](/java/azure/jdk/), version 17. +- [Azure CLI](/cli/azure/install-azure-cli) version 2.45.0 or higher. ++++++++++++++## 5. Validate the app ++Use the following steps to confirm that the event-driven app works correctly. You can validate the app by sending a message to the `lower-case` queue, then confirm that there's a message in the `upper-case` queue. ++++3. Go to the Azure Spring Apps instance **Overview** page and select **Logs** to check the app's logs. ++ :::image type="content" source="media/quickstart-deploy-event-driven-app/logs.png" alt-text="Screenshot of the Azure portal that shows the Azure Spring Apps Logs page." lightbox="media/quickstart-deploy-event-driven-app/logs.png"::: ++++### [Azure portal](#tab/Azure-portal-ent) +++3. Go to the Azure Spring Apps instance **Overview** page and select **Logs** to check the app's logs. ++ :::image type="content" source="media/quickstart-deploy-event-driven-app/logs.png" alt-text="Screenshot of the Azure portal that shows the Azure Spring Apps Logs page." lightbox="media/quickstart-deploy-event-driven-app/logs.png"::: ++1. Check the details for each resource deployment, which are useful for investigating any deployment issues. ++### [Azure portal + Maven plugin](#tab/Azure-portal-maven-plugin-ent) +++3. Go to the Azure Spring Apps instance **Overview** page and select **Logs** to check the app's logs. ++ :::image type="content" source="media/quickstart-deploy-event-driven-app/logs.png" alt-text="Screenshot of the Azure portal that shows the Azure Spring Apps Logs page." lightbox="media/quickstart-deploy-event-driven-app/logs.png"::: ++1. Check the details for each resource deployment, which are useful for investigating any deployment issues. ++### [Azure CLI](#tab/Azure-CLI) +++3. Go to the Azure Spring Apps instance **Overview** page and select **Logs** to check the app's logs. ++ :::image type="content" source="media/quickstart-deploy-event-driven-app/logs.png" alt-text="Screenshot of the Azure portal that shows the Azure Spring Apps Logs page." lightbox="media/quickstart-deploy-event-driven-app/logs.png"::: ++1. Use the following command to check the app's log to investigate any deployment issue: ++ ```azurecli + az spring app logs \ + --service ${AZURE_SPRING_APPS_INSTANCE} \ + --name ${APP_NAME} + ``` ++++++## 7. Next steps ++> [!div class="nextstepaction"] +> [Structured application log for Azure Spring Apps](./structured-app-log.md) ++> [!div class="nextstepaction"] +> [Map an existing custom domain to Azure Spring Apps](./how-to-custom-domain.md) ++> [!div class="nextstepaction"] +> [Set up Azure Spring Apps CI/CD with GitHub Actions](./how-to-github-actions.md) ++> [!div class="nextstepaction"] +> [Automate application deployments to Azure Spring Apps](./how-to-cicd.md) ++> [!div class="nextstepaction"] +> [Use managed identities for applications in Azure Spring Apps](./how-to-use-managed-identities.md) ++> [!div class="nextstepaction"] +> [Create a service connection in Azure Spring Apps with the Azure CLI](../../service-connector/quickstart-cli-spring-cloud-connection.md) +++> [!div class="nextstepaction"] +> [Run microservice apps (Pet Clinic)](./quickstart-sample-app-introduction.md) ++++> [!div class="nextstepaction"] +> [Introduction to the Fitness Store sample app](./quickstart-sample-app-acme-fitness-store-introduction.md) +++For more information, see the following articles: ++- [Azure Spring Apps Samples](https://github.com/Azure-Samples/azure-spring-apps-samples). +- [Spring on Azure](/azure/developer/java/spring/) +- [Spring Cloud Azure](/azure/developer/java/spring-framework/) |
spring-apps | Quickstart Deploy Infrastructure Vnet Azure Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/quickstart-deploy-infrastructure-vnet-azure-cli.md | + + Title: Quickstart - Provision Azure Spring Apps using Azure CLI +description: This quickstart shows you how to use Azure CLI to deploy an Azure Spring Apps cluster into an existing virtual network. ++++++ Last updated : 05/31/2022+++# Quickstart: Provision Azure Spring Apps using Azure CLI ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** Γ¥î Basic Γ£ö∩╕Å Standard Γ£ö∩╕Å Enterprise ++This quickstart describes how to use Azure CLI to deploy an Azure Spring Apps cluster into an existing virtual network. ++Azure Spring Apps makes it easy to deploy Spring applications to Azure without any code changes. The service manages the infrastructure of Spring applications so developers can focus on their code. Azure Spring Apps provides lifecycle management using comprehensive monitoring and diagnostics, configuration management, service discovery, CI/CD integration, blue-green deployments, and more. ++The Enterprise deployment plan includes the following Tanzu components: ++* Build Service +* Application Configuration Service +* Service Registry +* Spring Cloud Gateway +* API Portal ++## Prerequisites ++* An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. +* Two dedicated subnets for the Azure Spring Apps cluster, one for the service runtime and another for the Spring applications. For subnet and virtual network requirements, see the [Virtual network requirements](how-to-deploy-in-azure-virtual-network.md#virtual-network-requirements) section of [Deploy Azure Spring Apps in a virtual network](how-to-deploy-in-azure-virtual-network.md). +* An existing Log Analytics workspace for Azure Spring Apps diagnostics settings and a workspace-based Application Insights resource. For more information, see [Analyze logs and metrics with diagnostics settings](diagnostic-services.md) and [Application Insights Java In-Process Agent in Azure Spring Apps](how-to-application-insights.md). +* Three internal Classless Inter-Domain Routing (CIDR) ranges (at least */16* each) that you've identified for use by the Azure Spring Apps cluster. These CIDR ranges won't be directly routable and will be used only internally by the Azure Spring Apps cluster. Clusters may not use *169.254.0.0/16*, *172.30.0.0/16*, *172.31.0.0/16*, or *192.0.2.0/24* for the internal Spring app CIDR ranges, or any IP ranges included within the cluster virtual network address range. +* Service permission granted to the virtual network. The Azure Spring Apps Resource Provider requires Owner permission to your virtual network in order to grant a dedicated and dynamic service principal on the virtual network for further deployment and maintenance. For instructions and more information, see the [Grant service permission to the virtual network](how-to-deploy-in-azure-virtual-network.md#grant-service-permission-to-the-virtual-network) section of [Deploy Azure Spring Apps in a virtual network](how-to-deploy-in-azure-virtual-network.md). +* If you're using Azure Firewall or a Network Virtual Appliance (NVA), you'll also need to satisfy the following prerequisites: + * Network and fully qualified domain name (FQDN) rules. For more information, see [Virtual network requirements](how-to-deploy-in-azure-virtual-network.md#virtual-network-requirements). + * A unique User Defined Route (UDR) applied to each of the service runtime and Spring application subnets. For more information about UDRs, see [Virtual network traffic routing](../../virtual-network/virtual-networks-udr-overview.md). The UDR should be configured with a route for *0.0.0.0/0* with a destination of your NVA before deploying the Azure Spring Apps cluster. For more information, see the [Bring your own route table](how-to-deploy-in-azure-virtual-network.md#bring-your-own-route-table) section of [Deploy Azure Spring Apps in a virtual network](how-to-deploy-in-azure-virtual-network.md). +* [Azure CLI](/cli/azure/install-azure-cli) +* If you're deploying an Azure Spring Apps Enterprise plan instance for the first time in the target subscription, see the [Requirements](./how-to-enterprise-marketplace-offer.md#requirements) section of [Enterprise plan in Azure Marketplace](./how-to-enterprise-marketplace-offer.md). ++## Review the Azure CLI deployment script ++The deployment script used in this quickstart is from the [Azure Spring Apps reference architecture](/previous-versions/azure/spring-apps/reference-architecture). ++### [Enterprise plan](#tab/azure-spring-apps-enterprise) +++### [Standard plan](#tab/azure-spring-apps-standard) +++++## Deploy the cluster ++To deploy the Azure Spring Apps cluster using the Azure CLI script, follow these steps: ++1. Sign in to Azure by using the following command: ++ ```azurecli + az login + ``` ++ After you sign in, this command will output information about all the subscriptions you have access to. Take note of the name and ID of the subscription you want to use. ++1. Set the target subscription. ++ ```azurecli + az account set --subscription "<your subscription name>" + ``` ++1. Register the Azure Spring Apps Resource Provider. ++ ```azurecli + az provider register --namespace 'Microsoft.AppPlatform' + ``` ++1. Add the required extensions to Azure CLI. ++ ```azurecli + az extension add --name spring + ``` ++1. Choose a deployment location from the regions where Azure Spring Apps is available, as shown in [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=spring-cloud®ions=all). ++1. Use the following command to generate a list of Azure locations. Take note of the short **Name** value for the region you selected in the previous step. ++ ```azurecli + az account list-locations --output table + ``` ++1. Create a resource group to deploy the resource to. ++ ```azurecli + az group create --name <your-resource-group-name> --location <location-name> + ``` ++1. Save the script for Azure Spring Apps [Standard plan](https://raw.githubusercontent.com/Azure/azure-spring-apps-landing-zone-accelerator/reference-architecture/CLI/brownfield-deployment/azuredeploySpringStandard.sh) or [Enterprise plan](https://raw.githubusercontent.com/Azure/azure-spring-apps-landing-zone-accelerator/reference-architecture/CLI/brownfield-deployment/azuredeploySpringEnterprise.sh) locally, then run it from the Bash prompt. ++ **Standard plan:** ++ ```azurecli + ./azuredeploySpringStandard.sh + ``` ++ **Enterprise plan:** ++ ```azurecli + ./azuredeploySpringEnterprise.sh + ``` ++1. Enter the following values when prompted by the script: ++ * The Azure subscription ID that you saved earlier. + * The Azure location name that you saved earlier. + * The name of the resource group that you created earlier. + * The name of the virtual network resource group where you'll deploy your resources. + * The name of the spoke virtual network (for example, *vnet-spoke*). + * The name of the subnet to be used by the Azure Spring Apps Application Service (for example, *snet-app*). + * The name of the subnet to be used by the Azure Spring Apps Runtime Service (for example, *snet-runtime*). + * The name of the resource group for the Azure Log Analytics workspace to be used for storing diagnostic logs. + * The name of the Azure Log Analytics workspace (for example, *la-cb5sqq6574o2a*). + * The CIDR ranges from your virtual network to be used by Azure Spring Apps (for example, *XX.X.X.X/16,XX.X.X.X/16,XX.X.X.X/16*). + * The key/value pairs to be applied as tags on all resources that support tags. For more information, see [Use tags to organize your Azure resources and management hierarchy](../../azure-resource-manager/management/tag-resources.md). Use a space-separated list to apply multiple tags (for example, *environment=Dev BusinessUnit=finance*). ++After you provide this information, the script will create and deploy the Azure resources. ++## Review deployed resources ++You can either use the Azure portal to check the deployed resources, or use Azure CLI to list the deployed resources. ++## Clean up resources ++If you plan to continue working with subsequent quickstarts and tutorials, you might want to leave these resources in place. When no longer needed, delete the resource group, which deletes the resources in the resource group. To delete the resource group by using Azure CLI, use the following commands: ++```azurecli +echo "Enter the Resource Group name:" && +read resourceGroupName && +az group delete --name $resourceGroupName && +echo "Press [ENTER] to continue ..." +``` ++## Next steps ++In this quickstart, you deployed an Azure Spring Apps instance into an existing virtual network using Azure CLI, and then validated the deployment. To learn more about Azure Spring Apps, continue on to the resources below. ++* Deploy one of the following sample applications from the locations below: + * [Pet Clinic App with MySQL Integration](https://github.com/azure-samples/spring-petclinic-microservices) + * [Simple Hello World](./quickstart.md?pivots=programming-language-java&tabs=Azure-CLI). +* Use [custom domains](how-to-custom-domain.md) with Azure Spring Apps. +* Expose applications in Azure Spring Apps to the internet using Azure Application Gateway. For more information, see [Expose applications with end-to-end TLS in a virtual network](expose-apps-gateway-end-to-end-tls.md). +* View the secure end-to-end [Azure Spring Apps reference architecture](/previous-versions/azure/spring-apps/reference-architecture), which is based on the [Microsoft Azure Well-Architected Framework](/azure/architecture/framework/). |
spring-apps | Quickstart Deploy Infrastructure Vnet Bicep | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/quickstart-deploy-infrastructure-vnet-bicep.md | + + Title: Quickstart - Provision Azure Spring Apps using Bicep +description: This quickstart shows you how to use Bicep to deploy an Azure Spring Apps cluster into an existing virtual network. +++++ Last updated : 05/31/2022+++# Quickstart: Provision Azure Spring Apps using Bicep ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ❌ Basic ✔️ Standard ✔️ Enterprise ++This quickstart describes how to use a Bicep template to deploy an Azure Spring Apps cluster into an existing virtual network. ++Azure Spring Apps makes it easy to deploy Spring applications to Azure without any code changes. The service manages the infrastructure of Spring applications so developers can focus on their code. Azure Spring Apps provides lifecycle management using comprehensive monitoring and diagnostics, configuration management, service discovery, CI/CD integration, blue-green deployments, and more. ++The Enterprise deployment plan includes the following Tanzu components: ++* Build Service +* Application Configuration Service +* Service Registry +* Spring Cloud Gateway +* API Portal ++## Prerequisites ++* An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. +* Two dedicated subnets for the Azure Spring Apps cluster, one for the service runtime and another for the Spring applications. For subnet and virtual network requirements, see the [Virtual network requirements](how-to-deploy-in-azure-virtual-network.md#virtual-network-requirements) section of [Deploy Azure Spring Apps in a virtual network](how-to-deploy-in-azure-virtual-network.md). +* An existing Log Analytics workspace for Azure Spring Apps diagnostics settings. For more information, see [Analyze logs and metrics with diagnostics settings](diagnostic-services.md). +* Three internal Classless Inter-Domain Routing (CIDR) ranges (at least */16* each) that you've identified for use by the Azure Spring Apps cluster. These CIDR ranges won't be directly routable and will be used only internally by the Azure Spring Apps cluster. Clusters may not use *169.254.0.0/16*, *172.30.0.0/16*, *172.31.0.0/16*, or *192.0.2.0/24* for the internal Spring app CIDR ranges, or any IP ranges included within the cluster virtual network address range. +* Service permission granted to the virtual network. The Azure Spring Apps Resource Provider requires Owner permission to your virtual network in order to grant a dedicated and dynamic service principal on the virtual network for further deployment and maintenance. For instructions and more information, see the [Grant service permission to the virtual network](how-to-deploy-in-azure-virtual-network.md#grant-service-permission-to-the-virtual-network) section of [Deploy Azure Spring Apps in a virtual network](how-to-deploy-in-azure-virtual-network.md). +* If you're using Azure Firewall or a Network Virtual Appliance (NVA), you'll also need to satisfy the following prerequisites: + * Network and fully qualified domain name (FQDN) rules. For more information, see [Virtual network requirements](how-to-deploy-in-azure-virtual-network.md#virtual-network-requirements). + * A unique User Defined Route (UDR) applied to each of the service runtime and Spring application subnets. For more information about UDRs, see [Virtual network traffic routing](../../virtual-network/virtual-networks-udr-overview.md). The UDR should be configured with a route for *0.0.0.0/0* with a destination of your NVA before deploying the Azure Spring Apps cluster. For more information, see the [Bring your own route table](how-to-deploy-in-azure-virtual-network.md#bring-your-own-route-table) section of [Deploy Azure Spring Apps in a virtual network](how-to-deploy-in-azure-virtual-network.md). +* [Azure CLI](/cli/azure/install-azure-cli) +* If you're deploying an Azure Spring Apps Enterprise plan instance for the first time in the target subscription, see the [Requirements](./how-to-enterprise-marketplace-offer.md#requirements) section of [Enterprise plan in Azure Marketplace](./how-to-enterprise-marketplace-offer.md). ++## Deploy using Bicep ++To deploy the cluster, use the following steps. ++First, create an *azuredeploy.bicep* file with the following contents: ++### [Enterprise plan](#tab/azure-spring-apps-enterprise) +++### [Standard plan](#tab/azure-spring-apps-standard) +++++Next, open a Bash window and run the following Azure CLI command, replacing the *\<value>* placeholders with the following values: ++* **resource-group:** The resource group name for deploying the Azure Spring Apps instance. +* **springCloudInstanceName:** The name of the Azure Spring Apps resource. +* **appInsightsName:** The name of the Application Insights instance for Azure Spring Apps. +* **laWorkspaceResourceId:** The resource ID of the existing Log Analytics workspace (for example, */subscriptions/\<your subscription>/resourcegroups/\<your Log Analytics resource group>/providers/Microsoft.OperationalInsights/workspaces/\<your Log Analytics workspace name>*.) +* **springCloudAppSubnetID:** The resource ID of the Azure Spring Apps Application Subnet. +* **springCloudRuntimeSubnetID:** The resource ID of the Azure Spring Apps Runtime Subnet. +* **springCloudServiceCidrs:** A comma-separated list of IP address ranges (three in total) in CIDR format. The IP ranges are reserved to host underlying Azure Spring Apps infrastructure. These three ranges should be at least */16* unused IP ranges, and must not overlap with any routable subnet IP ranges used within the network. ++ ```azurecli + az deployment group create \ + --resource-group <value> \ + --name initial \ + --template-file azuredeploy.bicep \ + --parameters \ + springCloudInstanceName=<value> \ + appInsightsName=<value> \ + laWorkspaceResourceId=<value> \ + springCloudAppSubnetID=<value> \ + springCloudRuntimeSubnetID=<value> \ + springCloudServiceCidrs=<value> + ``` ++ This command uses the Bicep template to create an Azure Spring Apps instance in an existing virtual network. The command also creates a workspace-based Application Insights instance in an existing Azure Monitor Log Analytics Workspace. ++## Review deployed resources ++You can either use the Azure portal to check the deployed resources, or use Azure CLI or Azure PowerShell script to list the deployed resources. ++## Clean up resources ++If you plan to continue working with subsequent quickstarts and tutorials, you might want to leave these resources in place. When no longer needed, delete the resource group, which deletes the resources in the resource group. To delete the resource group by using Azure CLI, use the following commands: ++```azurecli +echo "Enter the Resource Group name:" && +read resourceGroupName && +az group delete --name $resourceGroupName && +echo "Press [ENTER] to continue ..." +``` ++## Next steps ++In this quickstart, you deployed an Azure Spring Apps instance into an existing virtual network using Bicep, and then validated the deployment. To learn more about Azure Spring Apps, continue on to the resources below. ++* Deploy one of the following sample applications from the locations below: + * [Pet Clinic App with MySQL Integration](https://github.com/azure-samples/spring-petclinic-microservices) + * [Simple Hello World](./quickstart.md?pivots=programming-language-java&tabs=Azure-CLI). +* Use [custom domains](how-to-custom-domain.md) with Azure Spring Apps. +* Expose applications in Azure Spring Apps to the internet using Azure Application Gateway. For more information, see [Expose applications with end-to-end TLS in a virtual network](expose-apps-gateway-end-to-end-tls.md). +* View the secure end-to-end [Azure Spring Apps reference architecture](/previous-versions/azure/spring-apps/reference-architecture), which is based on the [Microsoft Azure Well-Architected Framework](/azure/architecture/framework/). |
spring-apps | Quickstart Deploy Infrastructure Vnet Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/quickstart-deploy-infrastructure-vnet-terraform.md | + + Title: Quickstart - Provision Azure Spring Apps using Terraform +description: This quickstart shows you how to use Terraform to deploy an Azure Spring Apps cluster into an existing virtual network. +++++ Last updated : 05/31/2022+++# Quickstart: Provision Azure Spring Apps using Terraform ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** Γ¥î Basic Γ£ö∩╕Å Standard Γ£ö∩╕Å Enterprise ++This quickstart describes how to use Terraform to deploy an Azure Spring Apps cluster into an existing virtual network. ++Azure Spring Apps makes it easy to deploy Spring applications to Azure without any code changes. The service manages the infrastructure of Spring applications so developers can focus on their code. Azure Spring Apps provides lifecycle management using comprehensive monitoring and diagnostics, configuration management, service discovery, CI/CD integration, blue-green deployments, and more. ++The Enterprise deployment plan includes the following Tanzu components: ++* Build Service +* Application Configuration Service +* Service Registry +* Spring Cloud Gateway +* API Portal ++The API Portal component will be included when it becomes available through the AzureRM Terraform provider. ++For more customization including custom domain support, see the [Azure Spring Apps Terraform provider](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/spring_cloud_service) documentation. ++## Prerequisites ++* An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. +* [Hashicorp Terraform](https://www.terraform.io/downloads.html) +* Two dedicated subnets for the Azure Spring Apps cluster, one for the service runtime and another for the Spring applications. For subnet and virtual network requirements, see the [Virtual network requirements](how-to-deploy-in-azure-virtual-network.md#virtual-network-requirements) section of [Deploy Azure Spring Apps in a virtual network](how-to-deploy-in-azure-virtual-network.md). +* An existing Log Analytics workspace for Azure Spring Apps diagnostics settings and a workspace-based Application Insights resource. For more information, see [Analyze logs and metrics with diagnostics settings](diagnostic-services.md) and [Application Insights Java In-Process Agent in Azure Spring Apps](how-to-application-insights.md). +* Three internal Classless Inter-Domain Routing (CIDR) ranges (at least */16* each) that you've identified for use by the Azure Spring Apps cluster. These CIDR ranges won't be directly routable and will be used only internally by the Azure Spring Apps cluster. Clusters may not use *169.254.0.0/16*, *172.30.0.0/16*, *172.31.0.0/16*, or *192.0.2.0/24* for the internal Azure Spring Apps CIDR. Clusters also may not use any IP ranges included within the cluster virtual network address range. +* Service permission granted to the virtual network. The Azure Spring Apps Resource Provider requires Owner permission to your virtual network in order to grant a dedicated and dynamic service principal on the virtual network for further deployment and maintenance. For instructions and more information, see the [Grant service permission to the virtual network](how-to-deploy-in-azure-virtual-network.md#grant-service-permission-to-the-virtual-network) section of [Deploy Azure Spring Apps in a virtual network](how-to-deploy-in-azure-virtual-network.md). +* If you're using Azure Firewall or a Network Virtual Appliance (NVA), you'll also need to satisfy the following prerequisites: + * Network and fully qualified domain name (FQDN) rules. For more information, see [Virtual network requirements](how-to-deploy-in-azure-virtual-network.md#virtual-network-requirements). + * A unique User Defined Route (UDR) applied to each of the service runtime and Spring application subnets. For more information about UDRs, see [Virtual network traffic routing](../../virtual-network/virtual-networks-udr-overview.md). The UDR should be configured with a route for *0.0.0.0/0* with a destination of your NVA before deploying the Azure Spring Apps cluster. For more information, see the [Bring your own route table](how-to-deploy-in-azure-virtual-network.md#bring-your-own-route-table) section of [Deploy Azure Spring Apps in a virtual network](how-to-deploy-in-azure-virtual-network.md). +* If you're deploying an Azure Spring Apps Enterprise plan instance for the first time in the target subscription, see the [Requirements](./how-to-enterprise-marketplace-offer.md#requirements) section of [Enterprise plan in Azure Marketplace](./how-to-enterprise-marketplace-offer.md). ++## Review the Terraform plan ++The configuration file used in this quickstart is from the [Azure Spring Apps reference architecture](/previous-versions/azure/spring-apps/reference-architecture). ++### [Enterprise plan](#tab/azure-spring-apps-enterprise) +++### [Standard plan](#tab/azure-spring-apps-standard) +++++## Apply the Terraform plan ++To apply the Terraform plan, follow these steps: ++1. Save the *variables.tf* file for the [Standard plan](https://raw.githubusercontent.com/Azure/azure-spring-apps-landing-zone-accelerator/reference-architecture/terraform/brownfield-deployment/Standard/variable.tf) or the [Enterprise plan](https://raw.githubusercontent.com/Azure/azure-spring-apps-landing-zone-accelerator/reference-architecture/terraform/brownfield-deployment/Enterprise/variable.tf) locally, then open it in an editor. ++1. Edit the file to add the following values: ++ * The subscription ID of the Azure account you'll be deploying to. ++ * A deployment location from the regions where Azure Spring Apps is available, as shown in [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=spring-cloud®ions=all). You'll need the short form of the location name. To get this value, use the following command to generate a list of Azure locations, then look up the **Name** value for the region you selected. ++ ```azurecli + az account list-locations --output table + ``` ++1. Edit the file to add the following new deployment information: ++ * The name of the resource group you'll deploy to. + * A name of your choice for the Azure Spring Apps Deployment. + * A name of your choice for the Application Insights resource. + * Three CIDR ranges (at least /16) which are used to host the Azure Spring Apps backend infrastructure. The CIDR ranges must not overlap with any existing CIDR ranges in the target Subnet + * The key/value pairs to be applied as tags on all resources that support tags. For more information, see [Use tags to organize your Azure resources and management hierarchy](../../azure-resource-manager/management/tag-resources.md) ++1. Edit the file to add the following existing infrastructure information: ++ * The name of the resource group where the existing virtual network resides. + * The name of the existing scope virtual network. + * The name of the existing subnet to be used by the Azure Spring Apps Application Service. + * The name of the existing subnet to be used by the Azure Spring Apps Runtime Service. + * The name of the Azure Log Analytics workspace. ++1. Run the following command to initialize the Terraform modules: ++ ```bash + terraform init + ``` ++1. Run the following command to create the Terraform deployment plan: ++ ```bash + terraform plan -out=springcloud.plan + ``` ++1. Run the following command to apply the Terraform deployment plan: ++ ```bash + terraform apply springcloud.plan + ``` ++## Review deployed resources ++You can either use the Azure portal to check the deployed resources, or use Azure CLI or Azure PowerShell script to list the deployed resources. ++## Clean up resources ++If you plan to continue working with subsequent quickstarts and tutorials, you might want to leave these resources in place. When no longer needed, delete the resources created in this article by using the following command. ++```bash +terraform destroy -auto-approve +``` ++## Next steps ++In this quickstart, you deployed an Azure Spring Apps instance into an existing virtual network using Terraform, and then validated the deployment. To learn more about Azure Spring Apps, continue on to the resources below. ++* Deploy one of the following sample applications from the locations below: + * [Pet Clinic App with MySQL Integration](https://github.com/azure-samples/spring-petclinic-microservices) + * [Simple Hello World](./quickstart.md?pivots=programming-language-java&tabs=Azure-CLI) +* Use [custom domains](how-to-custom-domain.md) with Azure Spring Apps. +* Expose applications in Azure Spring Apps to the internet using Azure Application Gateway. For more information, see [Expose applications with end-to-end TLS in a virtual network](expose-apps-gateway-end-to-end-tls.md). +* View the secure end-to-end [Azure Spring Apps reference architecture](/previous-versions/azure/spring-apps/reference-architecture), which is based on the [Microsoft Azure Well-Architected Framework](/azure/architecture/framework/). |
spring-apps | Quickstart Deploy Infrastructure Vnet | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/quickstart-deploy-infrastructure-vnet.md | + + Title: Quickstart - Provision Azure Spring Apps using an Azure Resource Manager template (ARM template) +description: This quickstart shows you how to use an ARM template to deploy an Azure Spring Apps cluster into an existing virtual network. ++++++ Last updated : 05/31/2022+++# Quickstart: Provision Azure Spring Apps using an ARM template ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ❌ Basic ✔️ Standard ✔️ Enterprise ++This quickstart describes how to use an Azure Resource Manager template (ARM template) to deploy an Azure Spring Apps cluster into an existing virtual network. ++Azure Spring Apps makes it easy to deploy Spring applications to Azure without any code changes. The service manages the infrastructure of Spring applications so developers can focus on their code. Azure Spring Apps provides lifecycle management using comprehensive monitoring and diagnostics, configuration management, service discovery, CI/CD integration, blue-green deployments, and more. ++The Enterprise deployment plan includes the following Tanzu components: ++* Build Service +* Application Configuration Service +* Service Registry +* Spring Cloud Gateway +* API Portal +* Application Accelerator +* Application Live View +++## Prerequisites ++* An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. +* Two dedicated subnets for the Azure Spring Apps cluster, one for the service runtime and another for the Spring applications. For subnet and virtual network requirements, see the [Virtual network requirements](how-to-deploy-in-azure-virtual-network.md#virtual-network-requirements) section of [Deploy Azure Spring Apps in a virtual network](how-to-deploy-in-azure-virtual-network.md). +* An existing Log Analytics workspace for Azure Spring Apps diagnostics settings and a workspace-based Application Insights resource. For more information, see [Analyze logs and metrics with diagnostics settings](diagnostic-services.md) and [Application Insights Java In-Process Agent in Azure Spring Apps](how-to-application-insights.md). +* Three internal Classless Inter-Domain Routing (CIDR) ranges (at least */16* each) that you've identified for use by the Azure Spring Apps cluster. These CIDR ranges aren't directly routable and are used only internally by the Azure Spring Apps cluster. Clusters may not use *169.254.0.0/16*, *172.30.0.0/16*, *172.31.0.0/16*, or *192.0.2.0/24* for the internal Azure Spring Apps CIDR ranges. Clusters also may not use any IP ranges included within the cluster virtual network address range. +* Service permission granted to the virtual network. The Azure Spring Apps Resource Provider requires Owner permission to your virtual network in order to grant a dedicated and dynamic service principal on the virtual network for further deployment and maintenance. For instructions and more information, see the [Grant service permission to the virtual network](how-to-deploy-in-azure-virtual-network.md#grant-service-permission-to-the-virtual-network) section of [Deploy Azure Spring Apps in a virtual network](how-to-deploy-in-azure-virtual-network.md). +* If you're using Azure Firewall or a Network Virtual Appliance (NVA), you also need to satisfy the following prerequisites: ++ * Network and fully qualified domain name (FQDN) rules. For more information, see [Virtual network requirements](how-to-deploy-in-azure-virtual-network.md#virtual-network-requirements). + * A unique User Defined Route (UDR) applied to each of the service runtime and Spring application subnets. For more information about UDRs, see [Virtual network traffic routing](../../virtual-network/virtual-networks-udr-overview.md). The UDR should be configured with a route for *0.0.0.0/0* with a destination of your NVA before deploying the Azure Spring Apps cluster. For more information, see the [Bring your own route table](how-to-deploy-in-azure-virtual-network.md#bring-your-own-route-table) section of [Deploy Azure Spring Apps in a virtual network](how-to-deploy-in-azure-virtual-network.md). +* If you're deploying an Azure Spring Apps Enterprise plan instance for the first time in the target subscription, see the [Requirements](./how-to-enterprise-marketplace-offer.md#requirements) section of [Enterprise plan in Azure Marketplace](./how-to-enterprise-marketplace-offer.md). ++## Review the template ++The templates used in this quickstart are from the [Azure Spring Apps Reference Architecture](/previous-versions/azure/spring-apps/reference-architecture). ++### [Enterprise plan](#tab/azure-spring-apps-enterprise) +++### [Standard plan](#tab/azure-spring-apps-standard) +++++Two Azure resources are defined in the template: ++* [Microsoft.AppPlatform/Spring](/azure/templates/microsoft.appplatform/spring) creates an Azure Spring Apps instance. +* [Microsoft.Insights/components](/azure/templates/microsoft.insights/components) creates an Application Insights workspace. ++## Deploy the template ++To deploy the template, use the following steps. ++First, select the following image to sign in to Azure and open a template. The template creates an Azure Spring Apps instance in an existing Virtual Network and a workspace-based Application Insights instance in an existing Azure Monitor Log Analytics Workspace. ++### [Enterprise plan](#tab/azure-spring-apps-enterprise) +++### [Standard plan](#tab/azure-spring-apps-standard) +++++Next, enter values for the following fields: ++* **Resource Group:** Select **Create new**, enter a unique name for the **resource group**, and then select **OK**. +* **springCloudInstanceName:** Enter the name of the Azure Spring Apps resource. +* **appInsightsName:** Enter the name of the Application Insights instance for Azure Spring Apps. +* **laWorkspaceResourceId:** Enter the resource ID of the existing Log Analytics workspace (for example, */subscriptions/\<your subscription>/resourcegroups/\<your Log Analytics resource group>/providers/Microsoft.OperationalInsights/workspaces/\<your Log Analytics workspace name>*.) +* **springCloudAppSubnetID:** Enter the resource ID of the Azure Spring Apps Application Subnet. +* **springCloudRuntimeSubnetID:** Enter the resource ID of the Azure Spring Apps Runtime Subnet. +* **springCloudServiceCidrs:** Enter a comma-separated list of IP address ranges (three in total) in CIDR format. The IP ranges are reserved to host underlying Azure Spring Apps infrastructure. These three ranges should be at least */16* unused IP ranges, and must not overlap with any routable subnet IP ranges used within the network. +* **tags:** Enter any custom tags. ++Finally, select **Review + Create** and then **Create**. ++## Review deployed resources ++You can either use the Azure portal to check the deployed resources, or use Azure CLI or Azure PowerShell script to list the deployed resources. ++## Clean up resources ++If you plan to continue working with subsequent quickstarts and tutorials, you might want to leave these resources in place. When no longer needed, delete the resource group, which deletes the resources in the resource group. To delete the resource group by using Azure CLI or Azure PowerShell, use the following commands: ++### [Azure CLI](#tab/azure-cli) ++```azurecli +echo "Enter the Resource Group name:" && +read resourceGroupName && +az group delete --name $resourceGroupName && +echo "Press [ENTER] to continue ..." +``` ++### [PowerShell](#tab/azure-powershell) ++```azurepowershell-interactive +$resourceGroupName = Read-Host -Prompt "Enter the Resource Group name" +Remove-AzResourceGroup -Name $resourceGroupName +Write-Host "Press [ENTER] to continue..." +``` ++++## Next steps ++In this quickstart, you deployed an Azure Spring Apps instance into an existing virtual network using an ARM template, and then validated the deployment. To learn more about Azure Spring Apps and Azure Resource Manager, continue on to the following resources. ++* Deploy one of the following sample applications from the following locations: + * [Pet Clinic App with MySQL Integration](https://github.com/azure-samples/spring-petclinic-microservices) + * [Simple Hello World](./quickstart.md?pivots=programming-language-java&tabs=Azure-CLI) +* Use [custom domains](how-to-custom-domain.md) with Azure Spring Apps. +* Expose applications in Azure Spring Apps to the internet using Azure Application Gateway. For more information, see [Expose applications with end-to-end TLS in a virtual network](expose-apps-gateway-end-to-end-tls.md). +* View the secure end-to-end [Azure Spring Apps reference architecture](/previous-versions/azure/spring-apps/reference-architecture), which is based on the [Microsoft Azure Well-Architected Framework](/azure/architecture/framework/). +* Learn more about [Azure Resource Manager](../../azure-resource-manager/management/overview.md). |
spring-apps | Quickstart Deploy Java Native Image App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/quickstart-deploy-java-native-image-app.md | + + Title: Quickstart - Deploy your first Java Native Image application to Azure Spring Apps +description: Describes how to deploy a Java Native Image application to Azure Spring Apps. +++ Last updated : 08/29/2023+++++# Quickstart: Deploy your first Java Native Image application to Azure Spring Apps ++> [!NOTE] +> The first 50 vCPU hours and 100 GB hours of memory are free each month. For more information, see [Price Reduction - Azure Spring Apps does more, costs less!](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/price-reduction-azure-spring-apps-does-more-costs-less/ba-p/3614058) on the [Apps on Azure Blog](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/bg-p/AppsonAzureBlog). ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ❌ Basic/Standard ✔️ Enterprise ++This quickstart shows how to deploy a Spring Boot application to Azure Spring Apps as a Native Image. ++[Native Image](https://www.graalvm.org/latest/reference-manual/native-image/) capability enables you to compile Java applications to standalone executables, known as Native Images. These executables can provide significant benefits, including faster startup times and lower runtime memory overhead compared to a traditional JVM (Java Virtual Machine). ++The sample project is the Spring Petclinic application. The following screenshot shows the application: +++## 1. Prerequisites ++- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin. +- [Git](https://git-scm.com/downloads). +- [Java Development Kit (JDK)](/java/azure/jdk/), version 17. +- [Azure CLI](/cli/azure/install-azure-cli) version 2.45.0 or higher. Use the following command to install the Azure Spring Apps extension: `az extension add --name spring` +- If you're deploying an Azure Spring Apps Enterprise plan instance for the first time in the target subscription, see the [Requirements](./how-to-enterprise-marketplace-offer.md#requirements) section of [View Azure Spring Apps Enterprise tier offering in Azure Marketplace](./how-to-enterprise-marketplace-offer.md). +++## 5. Validate Native Image App ++Now you can access the deployed Native Image app to see whether it works. Use the following steps to validate: ++1. After the deployment has completed, you can run the following command to get the app URL: ++ ```azurecli + az spring app show \ + --service ${AZURE_SPRING_APPS_NAME} \ + --name ${NATIVE_APP_NAME} \ + --output table + ``` ++ You can access the app with the URL shown in the output as `Public Url`. The page should appear as you saw it o localhost. ++1. Use the following command to check the app's log to investigate any deployment issue: ++ ```azurecli + az spring app logs \ + --service ${AZURE_SPRING_APPS_NAME} \ + --name ${NATIVE_APP_NAME} + ``` ++## 6. Compare performance for JAR and Native Image ++The following sections describe how to compare the performance between JAR and Native Image deployment. ++### Server startup time ++Use the following command to check the app's log `Started PetClinicApplication in XXX seconds` to get the server startup time for a JAR app: ++```azurecli +az spring app logs \ + --service ${AZURE_SPRING_APPS_NAME} \ + --name ${JAR_APP_NAME} +``` ++The server startup time is around 25 s for a JAR app. ++Use the following command to check the app's log to get the server startup time for a Native Image app: ++```azurecli +az spring app logs \ + --service ${AZURE_SPRING_APPS_NAME} \ + --name ${NATIVE_APP_NAME} +``` ++The server startup time is less than 0.5 s for a Native Image app. ++### Memory usage ++Use the following command to scale down the memory size to 512 Mi for a Native Image app: ++```azurecli +az spring app scale \ + --service ${AZURE_SPRING_APPS_NAME} \ + --name ${NATIVE_APP_NAME} \ + --memory 512Mi +``` ++The command output should show that the Native Image app started successfully. ++Use the following command to scale down the memory size to 512 Mi for the JAR app: ++```azurecli +az spring app scale \ + --service ${AZURE_SPRING_APPS_NAME} \ + --name ${JAR_APP_NAME} \ + --memory 512Mi +``` ++The command output should show that the JAR app failed to start due to insufficient memory. The output message should be similar to the following example: `Terminating due to java.lang.OutOfMemoryError: Java heap space`. ++The following figure shows the optimized memory usage for the Native Image deployment for a constant workload of 400 requests per second into the Petclinic application. The memory usage is about 1/5th of the memory consumed by its equivalent JAR deployment. +++Native Images offer quicker startup times and reduced runtime memory overhead when compared to the conventional Java Virtual Machine (JVM). ++## 7. Clean up resources ++If you plan to continue working with subsequent quickstarts and tutorials, you might want to leave these resources in place. When you no longer need the resources, delete them by deleting the resource group. Use the following command to delete the resource group: ++```azurecli +az group delete --name ${RESOURCE_GROUP} +``` ++## 8. Next steps ++> [!div class="nextstepaction"] +> [How to deploy Java Native Image apps in the Azure Spring Apps Enterprise plan](./how-to-enterprise-deploy-polyglot-apps.md#deploy-java-native-image-applications-preview) ++> [!div class="nextstepaction"] +> [Structured application log for Azure Spring Apps](./structured-app-log.md) ++> [!div class="nextstepaction"] +> [Map an existing custom domain to Azure Spring Apps](./how-to-custom-domain.md) ++> [!div class="nextstepaction"] +> [Set up Azure Spring Apps CI/CD with GitHub Actions](./how-to-github-actions.md) ++> [!div class="nextstepaction"] +> [Set up Azure Spring Apps CI/CD with Azure DevOps](./how-to-cicd.md) ++> [!div class="nextstepaction"] +> [Use managed identities for applications in Azure Spring Apps](./how-to-use-managed-identities.md) ++> [!div class="nextstepaction"] +> [Create a service connection in Azure Spring Apps with the Azure CLI](../../service-connector/quickstart-cli-spring-cloud-connection.md) ++> [!div class="nextstepaction"] +> [Run the polyglot ACME fitness store apps on Azure Spring Apps](./quickstart-sample-app-acme-fitness-store-introduction.md) ++> [!div class="nextstepaction"] +> [Monitor your Spring Boot Native Image application](https://aka.ms/AzMonSpringNative) ++For more information, see the following articles: ++- [Azure Spring Apps Samples](https://github.com/Azure-Samples/azure-spring-apps-samples). +- [Spring on Azure](/azure/developer/java/spring/) +- [Spring Cloud Azure](/azure/developer/java/spring-framework/) |
spring-apps | Quickstart Deploy Microservice Apps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/quickstart-deploy-microservice-apps.md | + + Title: Quickstart - Deploy microservice applications to Azure Spring Apps +description: Learn how to deploy microservice applications to Azure Spring Apps. +++ Last updated : 01/10/2024+++zone_pivot_groups: spring-apps-tier-selection +++# Quickstart: Deploy microservice applications to Azure Spring Apps ++> [!NOTE] +> The first 50 vCPU hours and 100 GB hours of memory are free each month. For more information, see [Price Reduction - Azure Spring Apps does more, costs less!](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/price-reduction-azure-spring-apps-does-more-costs-less/ba-p/3614058) on the [Apps on Azure Blog](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/bg-p/AppsonAzureBlog). ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++This article explains how to deploy microservice applications to Azure Spring Apps using the well-known sample app [PetClinic](https://github.com/spring-petclinic/spring-petclinic-microservices). +++The Pet Clinic sample demonstrates the microservice architecture pattern. The following diagram shows the architecture of the PetClinic application on the Azure Spring Apps Enterprise plan. +++The diagram shows the following architectural flows and relationships of the Pet Clinic sample: ++- Uses Azure Spring Apps to manage the frontend and backend apps. The backend apps are built with Spring Boot and each app uses HSQLDB as the persistent store. The reforged frontend app builds upon Pet Clinic API Gateway App with Node.js serving as a standalone frontend web application. +- Uses the managed components on Azure Spring Apps, including Service Registry, Application Configuration Service, Spring Cloud Gateway, and Application Live View. The Application Configuration Service reads the Git repository configuration. +- Exposes the URL of Spring Cloud Gateway to route request to backend service apps, and exposes the URL of the Application Live View to monitor the backend apps. +- Analyzes logs using the Log Analytics workspace. +- Monitors performance with Application Insights. ++> [!NOTE] +> This article uses a simplified version of PetClinic, using an in-memory database that isn't production-ready to quickly deploy to Azure Spring Apps. +> +> The Tanzu Developer Tools exposes public access for Application Live View, which is a risk point. The production environment needs to secure the access. For more information, see the [Configure Dev Tools Portal](./how-to-use-dev-tool-portal.md#configure-dev-tools-portal) section of [Configure Tanzu Dev Tools in the Azure Spring Apps Enterprise plan](how-to-use-dev-tool-portal.md). ++++The Pet Clinic sample demonstrates the microservice architecture pattern. The following diagram shows the architecture of the PetClinic application on the Azure Spring Apps Standard plan. +++The diagram shows the following architectural flows and relationships of the Pet Clinic sample: ++- Uses Azure Spring Apps to manage the Spring Boot apps. Each app uses HSQLDB as the persistent store. +- Uses the managed components Spring Cloud Config Server and Eureka Service Registry on Azure Spring Apps. The Config Server reads the Git repository configuration. +- Exposes the URL of API Gateway to load balance requests to service apps, and exposes the URL of the Admin Server to manage the applications. +- Analyzes logs using the Log Analytics workspace. +- Monitors performance with Application Insights. ++> [!NOTE] +> This article uses a simplified version of PetClinic, using an in-memory database that isn't production-ready to quickly deploy to Azure Spring Apps. +> +> The deployed app `admin-server` exposes public access, which is a risk point. The production environment needs to secure the Spring Boot Admin application. +++This article provides the following options for deploying to Azure Spring Apps: +++- The **Azure portal** option is the easiest and the fastest way to create resources and deploy applications with a single click. This option is suitable for Spring developers who want to quickly deploy applications to Azure cloud services. +- The **Azure portal + Maven plugin** option is a more conventional way to create resources and deploy applications step by step. This option is suitable for Spring developers using Azure cloud services for the first time. ++++- The **Azure portal + Maven plugin** option is a more conventional way to create resources and deploy applications step by step. This option is suitable for Spring developers using Azure cloud services for the first time. +- The **Azure Developer CLI** option is a more efficient way to automatically create resources and deploy applications through simple commands. The Azure Developer CLI uses a template to provision the Azure resources needed and to deploy the application code. This option is suitable for Spring developers who are familiar with Azure cloud services. +++## 1. Prerequisites +++### [Azure portal + Maven plugin](#tab/Azure-portal-maven-plugin) ++- An Azure subscription. [!INCLUDE [quickstarts-free-trial-note](../../../includes/quickstarts-free-trial-note.md)] +- [Git](https://git-scm.com/downloads). +- [Java Development Kit (JDK)](/java/azure/jdk/), version 17. ++### [Azure Developer CLI](#tab/Azure-Developer-CLI) ++- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin. +- [Git](https://git-scm.com/downloads). +- [Java Development Kit (JDK)](/java/azure/jdk/), version 17. +- [Azure Developer CLI](https://aka.ms/azd-install), version 1.2.0 or higher. ++++++### [Azure portal](#tab/Azure-portal-ent) ++- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin. +- If you're deploying an Azure Spring Apps Enterprise plan instance for the first time in the target subscription, see the [Requirements](./how-to-enterprise-marketplace-offer.md#requirements) section of [Enterprise plan in Azure Marketplace](./how-to-enterprise-marketplace-offer.md). +- (Optional) [Git](https://git-scm.com/downloads). +- (Optional) [Java Development Kit (JDK)](/java/azure/jdk/), version 17. ++### [Azure portal + Maven plugin](#tab/Azure-portal-maven-plugin-ent) ++- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin. +- If you're deploying an Azure Spring Apps Enterprise plan instance for the first time in the target subscription, see the [Requirements](./how-to-enterprise-marketplace-offer.md#requirements) section of [Enterprise plan in Azure Marketplace](./how-to-enterprise-marketplace-offer.md). +- [Git](https://git-scm.com/downloads). +- (Optional) [Java Development Kit (JDK)](/java/azure/jdk/), version 17. +- (Optional) [Node.js](https://nodejs.org/en/download), version 16.20 or higher. +- [Azure CLI](/cli/azure/install-azure-cli), version 2.45.0 or higher. +++++++++++## 5. Validate the apps ++The following sections describe how to validate the deployment. +++### [Azure portal](#tab/Azure-portal-ent) +++### [Azure portal + Maven plugin](#tab/Azure-portal-maven-plugin-ent) ++### 5.1. Access the applications ++Using the endpoint assigned from Spring Cloud Gateway - for example, ` +https://<your-Azure-Spring-Apps-instance-name>-gateway-xxxxx.svc.azuremicroservices.io`. The application should look similar to the following screenshot: +++### 5.2. Query the application logs ++After you browse each function of the Pet Clinic, the Log Analytics workspace collects logs of each application. You can check the logs by using custom queries, as shown in the following screenshot: +++### 5.3. Monitor the applications ++Application Insights monitors the application dependencies, as shown by the following application tracing map: +++Open the Application Live View URL exposed by the Developer Tools to monitor application runtimes, as shown in the following screenshot: +++++++++## 6. Clean up resources ++++++Be sure to delete the resources you created in this article when you no longer need them. You can delete the Azure resource group, which includes all the resources in the resource group. ++Use the following steps to delete the entire resource group, including the newly created service instance: ++1. Locate your resource group in the Azure portal. On the navigation menu, select **Resource groups** and then select the name of your resource group. ++1. On the **Resource group** page, select **Delete**. Enter the name of your resource group in the text box to confirm deletion, then select **Delete**. +++## 7. Next steps ++> [!div class="nextstepaction"] +> [Quickstart: Integrate Azure Spring Apps with Azure Database for MySQL](../basic-standard/quickstart-integrate-azure-database-mysql.md) ++> [!div class="nextstepaction"] +> [Use Azure Spring Apps CI/CD with GitHub Actions](./how-to-github-actions.md) ++> [!div class="nextstepaction"] +> [Automate application deployments to Azure Spring Apps](./how-to-cicd.md) ++> [!div class="nextstepaction"] +> [Structured application log for Azure Spring Apps](./structured-app-log.md) ++> [!div class="nextstepaction"] +> [Use managed identities for applications in Azure Spring Apps](./how-to-use-managed-identities.md) ++> [!div class="nextstepaction"] +> [Quickstart: Set up a Log Analytics workspace](../basic-standard/quickstart-setup-log-analytics.md) ++> [!div class="nextstepaction"] +> [Quickstart: Monitoring Azure Spring Apps apps with logs, metrics, and tracing](../basic-standard/quickstart-logs-metrics-tracing.md) ++> [!div class="nextstepaction"] +> [Map an existing custom domain to Azure Spring Apps](./how-to-custom-domain.md) ++> [!div class="nextstepaction"] +> [Quickstart: Introduction to the sample app](./quickstart-sample-app-introduction.md) ++> [!div class="nextstepaction"] +> [Introduction to the Fitness Store sample app](./quickstart-sample-app-acme-fitness-store-introduction.md) ++For more information, see the following articles: ++- [Azure Pet Clinic microservices](https://github.com/Azure-Samples/spring-petclinic-microservices) +- [Azure Spring Apps Samples](https://github.com/Azure-Samples/azure-spring-apps-samples) +- [Azure for Spring developers](/azure/developer/java/spring/) +- [Spring Cloud Azure documentation](/azure/developer/java/spring-framework/) |
spring-apps | Quickstart Deploy Restful Api App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/quickstart-deploy-restful-api-app.md | + + Title: Quickstart - Deploy RESTful API application to Azure Spring Apps +description: Learn how to deploy RESTful API application to Azure Spring Apps. +++ Last updated : 10/02/2023+++zone_pivot_groups: spring-apps-enterprise-or-consumption-plan-selection +++# Quickstart: Deploy RESTful API application to Azure Spring Apps ++> [!NOTE] +> The first 50 vCPU hours and 100 GB hours of memory are free each month. For more information, see [Price Reduction - Azure Spring Apps does more, costs less!](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/price-reduction-azure-spring-apps-does-more-costs-less/ba-p/3614058) on the [Apps on Azure Blog](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/bg-p/AppsonAzureBlog). ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++This article describes how to deploy a RESTful API application protected by [Microsoft Entra ID](/entra/fundamentals/whatis) to Azure Spring Apps. The sample project is a simplified version based on the [Simple Todo](https://github.com/Azure-Samples/ASA-Samples-Web-Application) web application, which only provides the backend service and uses Microsoft Entra ID to protect the RESTful APIs. ++These RESTful APIs are protected by applying role-based access control (RBAC). Anonymous users can't access any data and aren't allowed to control access for different users. Anonymous users only have the following three permissions: ++- Read: With this permission, a user can read the ToDo data. +- Write: With this permission, a user can add or update the ToDo data. +- Delete: With this permission, a user can delete the ToDo data. ++After the deployment is successful, you can view and test the APIs through the Swagger UI. +++The following diagram shows the architecture of the system: ++++## 1. Prerequisites +++### [Azure portal + Maven plugin](#tab/Azure-portal-maven-plugin-ent) ++- An Azure subscription. If you don't have an Azure subscription, create an [Azure free account](https://azure.microsoft.com/free/) before you begin. +- One of the following roles: + - Global Administrator or Privileged Role Administrator, for granting consent for apps requesting any permission, for any API. + - Cloud Application Administrator or Application Administrator, for granting consent for apps requesting any permission for any API, except Microsoft Graph app roles (application permissions). + - A custom directory role that includes the [permission to grant permissions to applications](/entra/identity/role-based-access-control/custom-consent-permissions), for the permissions required by the application. ++ For more information, see [Grant tenant-wide admin consent to an application](/entra/identity/enterprise-apps/grant-admin-consent?pivots=portal). +- If you're deploying an Azure Spring Apps Enterprise plan instance for the first time in the target subscription, see the [Requirements](how-to-enterprise-marketplace-offer.md#requirements) section of [Enterprise plan in Azure Marketplace](how-to-enterprise-marketplace-offer.md). +- [Git](https://git-scm.com/downloads). +- [Java Development Kit (JDK)](/java/azure/jdk/), version 17. +- A Microsoft Entra tenant. For instructions on creating one, see [Quickstart: Create a new tenant in Microsoft Entra ID](/entra/fundamentals/create-new-tenant). ++### [Azure CLI](#tab/Azure-CLI) ++- An Azure subscription, If you don't have an Azure subscription, create an [Azure free account](https://azure.microsoft.com/free/) before you begin. +- One of the following roles: + - Global Administrator or Privileged Role Administrator, for granting consent for apps requesting any permission, for any API. + - Cloud Application Administrator or Application Administrator, for granting consent for apps requesting any permission for any API, except Microsoft Graph app roles (application permissions). + - A custom directory role that includes the [permission to grant permissions to applications](/entra/identity/role-based-access-control/custom-consent-permissions), for the permissions required by the application. ++ For more information, see [Grant tenant-wide admin consent to an application](/entra/identity/enterprise-apps/grant-admin-consent?pivots=portal). +- If you're deploying an Azure Spring Apps Enterprise plan instance for the first time in the target subscription, see the [Requirements](how-to-enterprise-marketplace-offer.md#requirements) section of [Enterprise plan in Azure Marketplace](how-to-enterprise-marketplace-offer.md). +- [Git](https://git-scm.com/downloads). +- [Java Development Kit (JDK)](/java/azure/jdk/), version 17. +- A Microsoft Entra tenant. For instructions on creating one, see [Quickstart: Create a new tenant in Microsoft Entra ID](/entra/fundamentals/create-new-tenant). +- [Azure CLI](/cli/azure/install-azure-cli) version 2.53.1 or higher. ++++++### [Azure portal + Maven plugin](#tab/Azure-portal-maven-plugin) ++- An Azure subscription, If you don't have an Azure subscription, create an [Azure free account](https://azure.microsoft.com/free/) before you begin. +- One of the following roles: + - Global Administrator or Privileged Role Administrator, for granting consent for apps requesting any permission, for any API. + - Cloud Application Administrator or Application Administrator, for granting consent for apps requesting any permission for any API, except Microsoft Graph app roles (application permissions). + - A custom directory role that includes the [permission to grant permissions to applications](/entra/identity/role-based-access-control/custom-consent-permissions), for the permissions required by the application. ++ For more information, see [Grant tenant-wide admin consent to an application](/entra/identity/enterprise-apps/grant-admin-consent?pivots=portal). +- [Git](https://git-scm.com/downloads). +- [Java Development Kit (JDK)](/java/azure/jdk/), version 17. +- A Microsoft Entra tenant. For instructions on creating one, see [Quickstart: Create a new tenant in Microsoft Entra ID](/entra/fundamentals/create-new-tenant). ++### [Azure Developer CLI](#tab/Azure-Developer-CLI) ++- An Azure subscription, If you don't have an Azure subscription, create an [Azure free account](https://azure.microsoft.com/free/) before you begin. +- One of the following roles: + - Global Administrator or Privileged Role Administrator, for granting consent for apps requesting any permission, for any API. + - Cloud Application Administrator or Application Administrator, for granting consent for apps requesting any permission for any API, except Microsoft Graph app roles (application permissions). + - A custom directory role that includes the [permission to grant permissions to applications](/entra/identity/role-based-access-control/custom-consent-permissions), for the permissions required by the application. ++ For more information, see [grant admin consent](/entra/identity/enterprise-apps/grant-admin-consent?pivots=portal#prerequisites). +- [Git](https://git-scm.com/downloads). +- [Java Development Kit (JDK)](/java/azure/jdk/), version 17. +- A Microsoft Entra tenant. For instructions on creating one, see [Quickstart: Create a new tenant in Microsoft Entra ID](/entra/fundamentals/create-new-tenant). +- [Azure Developer CLI (AZD)](https://aka.ms/azd-install), version 1.0.2 or higher. ++++++++++## 5. Validate the app ++++#### Obtain the access token ++Use the following steps to use [OAuth 2.0 authorization code flow](/entra/identity-platform/v2-oauth2-auth-code-flow) method to obtain an access token with Microsoft Entra ID, then access the RESTful APIs of the `ToDo` app: ++1. Open the URL exposed by the app, then select **Authorize** to prepare the OAuth2 authentication. ++1. In the **Available authorizations** window, enter the client ID of the `ToDoWeb` app in the **client_id** field, select all the scopes for **Scopes** field, ignore the **client_secret** field, and then select **Authorize** to redirect to the Microsoft Entra sign-in page. ++After completing the sign in with the previous user, you're returned to the **Available authorizations** window. ++### 5.2. Access the RESTful APIs ++Use the following steps to access the RESTful APIs of the `ToDo` app in the Swagger UI: ++1. Select the API **POST /api/simple-todo/lists** and then select **Try it out**. Enter the following request body, and then select **Execute** to create a ToDo list. ++ ```json + { + "name": "My List" + } + ``` ++ After the execution is complete, you see the following **Response body**: ++ ```json + { + "id": "<ID-of-the-ToDo-list>", + "name": "My List", + "description": null + } + ``` ++1. Select the API **POST /api/simple-todo/lists/{listId}/items** and then select **Try it out**. For **listId**, enter the ToDo list ID you created previously, enter the following request body, and then select **Execute** to create a ToDo item. ++ ```json + { + "name": "My first ToDo item", + "listId": "<ID-of-the-ToDo-list>", + "state": "todo" + } + ``` ++ This action returns the following ToDo item: ++ ```json + { + "id": "<ID-of-the-ToDo-item>", + "listId": "<ID-of-the-ToDo-list>", + "name": "My first ToDo item", + "description": null, + "state": "todo", + "dueDate": "2023-07-11T13:59:24.9033069+08:00", + "completedDate": null + } + ``` ++1. Select the API **GET /api/simple-todo/lists** and then select **Execute** to query ToDo lists. This action returns the following ToDo lists: ++ ```json + [ + { + "id": "<ID-of-the-ToDo-list>", + "name": "My List", + "description": null + } + ] + ``` ++1. Select the API **GET /api/simple-todo/lists/{listId}/items** and then select **Try it out**. For **listId**, enter the ToDo list ID you created previously, and then select **Execute** to query the ToDo items. This action returns the following ToDo item: ++ ```json + [ + { + "id": "<ID-of-the-ToDo-item>", + "listId": "<ID-of-the-ToDo-list>", + "name": "My first ToDo item", + "description": null, + "state": "todo", + "dueDate": "2023-07-11T13:59:24.903307+08:00", + "completedDate": null + } + ] + ``` ++1. Select the API **PUT /api/simple-todo/lists/{listId}/items/{itemId}** and then select **Try it out**. For **listId**, enter the ToDo list ID. For **itemId**, enter the ToDo item ID, enter the following request body, and then select **Execute** to update the ToDo item. ++ ```json + { + "id": "<ID-of-the-ToDo-item>", + "listId": "<ID-of-the-ToDo-list>", + "name": "My first ToDo item", + "description": "Updated description.", + "dueDate": "2023-07-11T13:59:24.903307+08:00", + "state": "inprogress" + } + ``` ++ This action returns the following updated ToDo item: ++ ```json + { + "id": "<ID-of-the-ToDo-item>", + "listId": "<ID-of-the-ToDo-list>", + "name": "My first ToDo item", + "description": "Updated description.", + "state": "inprogress", + "dueDate": "2023-07-11T05:59:24.903307Z", + "completedDate": null + } + ``` ++1. Select the API **DELETE /api/simple-todo/lists/{listId}/items/{itemId}** and then select **Try it out**. For **listId**, enter the ToDo list ID. For **itemId**, enter the ToDo item ID, and then select **Execute** to delete the ToDo item. You should see that the server response code is `204`. +++## 7. Next steps ++> [!div class="nextstepaction"] +> [Quickstart: Deploy an event-driven application to Azure Spring Apps](quickstart-deploy-event-driven-app.md) ++> [!div class="nextstepaction"] +> [Quickstart: Deploy microservice applications to Azure Spring Apps](quickstart-deploy-microservice-apps.md) ++> [!div class="nextstepaction"] +> [Structured application log for Azure Spring Apps](structured-app-log.md) ++> [!div class="nextstepaction"] +> [Map an existing custom domain to Azure Spring Apps](how-to-custom-domain.md) ++> [!div class="nextstepaction"] +> [Use Azure Spring Apps CI/CD with GitHub Actions](how-to-github-actions.md) ++> [!div class="nextstepaction"] +> [Automate application deployments to Azure Spring Apps](how-to-cicd.md) ++For more information, see the following articles: ++- [Azure Spring Apps Samples](https://github.com/Azure-Samples/azure-spring-apps-samples). +- [Spring on Azure](/azure/developer/java/spring/) +- [Spring Cloud Azure](/azure/developer/java/spring-framework/) |
spring-apps | Quickstart Deploy Web App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/quickstart-deploy-web-app.md | + + Title: Quickstart - Deploy your first web application to Azure Spring Apps +description: Describes how to deploy a web application to Azure Spring Apps. +++ Last updated : 07/11/2023+++zone_pivot_groups: spring-apps-plan-selection +++# Quickstart: Deploy your first web application to Azure Spring Apps ++> [!NOTE] +> The first 50 vCPU hours and 100 GB hours of memory are free each month. For more information, see [Price Reduction - Azure Spring Apps does more, costs less!](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/price-reduction-azure-spring-apps-does-more-costs-less/ba-p/3614058) on the [Apps on Azure Blog](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/bg-p/AppsonAzureBlog). ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++This quickstart shows how to deploy a Spring Boot web application to Azure Spring Apps. The sample project is a simple ToDo application to add tasks, mark when they're complete, and then delete them. The following screenshot shows the application: +++This application is a typical three-layers web application with the following layers: ++- A frontend bounded [React](https://reactjs.org/) application. +- A backend Spring web application that uses Spring Data JPA to access a relational database. +- A relational database. For localhost, the application uses [H2 Database Engine](https://www.h2database.com/html/main.html). For Azure Spring Apps, the application uses Azure Database for PostgreSQL. For more information about Azure Database for PostgreSQL, see [Flexible Server documentation](../../postgresql/flexible-server/overview.md). ++The following diagram shows the architecture of the system: ++++This article provides the following options for deploying to Azure Spring Apps: ++- The **Azure portal** option is the easiest and the fastest way to create resources and deploy applications with a single click. This option is suitable for Spring developers who want to quickly deploy applications to Azure cloud services. +- The **Azure portal + Maven plugin** option provides a more conventional way to create resources and deploy applications step by step. This option is suitable for Spring developers using Azure cloud services for the first time. +- The **Azure Developer CLI** option is a more efficient way to automatically create resources and deploy applications through simple commands. The Azure Developer CLI uses a template to provision the Azure resources needed and to deploy the application code. This option is suitable for Spring developers who are familiar with Azure cloud services. ++++This article provides the following options for deploying to Azure Spring Apps: ++- The **Azure portal** option is the easiest and the fastest way to create resources and deploy applications with a single click. This option is suitable for Spring developers who want to quickly deploy applications to Azure cloud services. +- The **Azure portal + Maven plugin** option provides a more conventional way to create resources and deploy applications step by step. This option is suitable for Spring developers using Azure cloud services for the first time. +- The **Azure CLI** option is a powerful command line tool to manage Azure resources. This option is suitable for Spring developers who are familiar with Azure cloud services. +++## 1. Prerequisites +++### [Azure portal](#tab/Azure-portal) ++- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin. ++### [Azure portal + Maven plugin](#tab/Azure-portal-maven-plugin) ++- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin. +- [Git](https://git-scm.com/downloads). +- [Java Development Kit (JDK)](/java/azure/jdk/), version 17. ++### [Azure Developer CLI](#tab/Azure-Developer-CLI) ++- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin. +- [Git](https://git-scm.com/downloads). +- [Java Development Kit (JDK)](/java/azure/jdk/), version 17. +- [Azure Developer CLI (AZD)](/azure/developer/azure-developer-cli/install-azd), version 1.2.0 or higher. ++++++### [Azure portal](#tab/Azure-portal-ent) ++- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin. ++### [Azure portal + Maven plugin](#tab/Azure-portal-maven-plugin-ent) ++- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin. +- [Git](https://git-scm.com/downloads). +- [Java Development Kit (JDK)](/java/azure/jdk/), version 17. ++### [Azure CLI](#tab/Azure-CLI) ++- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin. +- [Git](https://git-scm.com/downloads). +- [Java Development Kit (JDK)](/java/azure/jdk/), version 17. +- [Azure CLI](/cli/azure/install-azure-cli) version 2.45.0 or higher. Use the following command to install the Azure Spring Apps extension: `az extension add --name spring` +- If you're deploying an Azure Spring Apps Enterprise plan instance for the first time in the target subscription, see the [Requirements](./how-to-enterprise-marketplace-offer.md#requirements) section of [Enterprise plan in Azure Marketplace](./how-to-enterprise-marketplace-offer.md). ++++++++++++++## 5. Validate the web app ++Now you can access the deployed app to see whether it works. +++### [Azure portal](#tab/Azure-portal-ent) ++Use the following steps to validate: ++1. After the deployment finishes, you can find the application URL from the deployment outputs: ++ :::image type="content" source="media/quickstart-deploy-web-app/web-app-url-standard.png" alt-text="Diagram that shows the enterprise app URL of the ARM deployment outputs." border="false" lightbox="media/quickstart-deploy-web-app/web-app-url-standard.png"::: ++1. Access the application with the output application URL. The page should appear as you saw in localhost. ++1. Check the details for each resource deployment, which are useful for investigating any deployment issues. ++### [Azure portal + Maven plugin](#tab/Azure-portal-maven-plugin-ent) ++Access the application with the output application URL. The page should appear as you saw in localhost. ++### [Azure CLI](#tab/Azure-CLI) ++Use the following steps to validate: ++1. After the deployment finishes, you can access the app with this URL: `https://${AZURE_SPRING_APPS_NAME}-${APP_NAME}.azuremicroservices.io/`. The page should appear as you saw in localhost. ++1. To check the app's log to investigate any deployment issue, use the following command: ++ ```azurecli + az spring app logs \ + --service ${AZURE_SPRING_APPS_NAME} \ + --name ${APP_NAME} + ``` ++++++### [Azure portal](#tab/Azure-portal) ++Use the following steps to validate: ++1. After the deployment finishes, you can find the application URL from the deployment outputs: ++ :::image type="content" source="media/quickstart-deploy-web-app/web-app-url-consumption.png" alt-text="Diagram that shows the consumption app URL of the ARM deployment outputs." border="false" lightbox="media/quickstart-deploy-web-app/web-app-url-consumption.png"::: ++1. Access the application URL. The page should appear as you saw in localhost. ++1. Check the details for each resource deployment, which are useful for investigating any deployment issues. ++### [Azure portal + Maven plugin](#tab/Azure-portal-maven-plugin) ++Access the application with the output application URL. The page should appear as you saw in localhost. ++### [Azure Developer CLI](#tab/Azure-Developer-CLI) ++Access the application with the output endpoint. The page should appear as you saw in localhost. ++++++### [Azure portal](#tab/Azure-portal) ++Use the following steps to validate: ++1. After the deployment finishes, find the application URL from the deployment outputs: ++ :::image type="content" source="media/quickstart-deploy-web-app/web-app-url-standard.png" alt-text="Diagram that shows the standard app URL of the ARM deployment outputs." border="false" lightbox="media/quickstart-deploy-web-app/web-app-url-standard.png"::: ++1. Access the application URL. The page should appear as you saw in localhost. ++1. Check the details for each resource deployment, which are useful for investigating any deployment issues. ++### [Azure portal + Maven plugin](#tab/Azure-portal-maven-plugin) ++Access the application with the output application URL. The page should appear as you saw in localhost. ++### [Azure Developer CLI](#tab/Azure-Developer-CLI) ++Access the application with the output endpoint. The page should appear as you saw in localhost. +++++## 6. Clean up resources ++Be sure to delete the resources you created in this article when you no longer need them. You can delete the Azure resource group, which includes all the resources in the resource group. ++++++### [Azure portal](#tab/Azure-portal-ent) +++### [Azure portal + Maven plugin](#tab/Azure-portal-maven-plugin-ent) +++### [Azure CLI](#tab/Azure-CLI) ++Use the following command to delete the entire resource group, including the newly created service: ++```azurecli +az group delete --name ${RESOURCE_GROUP} +``` +++++## 7. Next steps ++> [!div class="nextstepaction"] +> [Structured application log for Azure Spring Apps](./structured-app-log.md) ++> [!div class="nextstepaction"] +> [Map an existing custom domain to Azure Spring Apps](./how-to-custom-domain.md) ++> [!div class="nextstepaction"] +> [Set up Azure Spring Apps CI/CD with GitHub Actions](./how-to-github-actions.md) ++> [!div class="nextstepaction"] +> [Automate application deployments to Azure Spring Apps](./how-to-cicd.md) ++> [!div class="nextstepaction"] +> [Use managed identities for applications in Azure Spring Apps](./how-to-use-managed-identities.md) ++> [!div class="nextstepaction"] +> [Quickstart: Create a service connection in Azure Spring Apps with the Azure CLI](../../service-connector/quickstart-cli-spring-cloud-connection.md) +++> [!div class="nextstepaction"] +> [Introduction to the sample app](./quickstart-sample-app-introduction.md) ++++> [!div class="nextstepaction"] +> [Introduction to the Fitness Store sample app](./quickstart-sample-app-acme-fitness-store-introduction.md) +++For more information, see the following articles: ++- [Azure Spring Apps Samples](https://github.com/Azure-Samples/azure-spring-apps-samples). +- [Azure for Spring developers](/azure/developer/java/spring/) +- [Spring Cloud Azure documentation](/azure/developer/java/spring-framework/) |
spring-apps | Quickstart Fitness Store Azure Openai | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/quickstart-fitness-store-azure-openai.md | + + Title: "Quickstart - Integrate Azure OpenAI" ++description: Explains how to integrate Azure OpenAI on the Azure Spring Apps Enterprise plan. ++++ Last updated : 11/02/2023++++# Quickstart: Integrate Azure OpenAI ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ❌ Basic/Standard ✔️ Enterprise ++This quickstart shows you how to integrate Azure OpenAI with applications deployed on the Azure Spring Apps Enterprise plan. ++Azure OpenAI enables your applications to take advantage of large-scale, generative AI models with deep understandings of language and code to enable new reasoning and comprehension capabilities. ++The following video shows how Azure Spring Apps uses Azure OpenAI to build intelligent applications: ++<br> ++> [!VIDEO https://www.youtube.com/embed/wxgGoLohvsg] ++## Prerequisites ++- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). +- Access granted to Azure OpenAI. For more information, see [Request Access to Azure OpenAI Service](https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR7en2Ais5pxKtso_Pz4b1_xUOFA5Qk1UWDRBMjg0WFhPMkIzTzhKQ1dWNyQlQCN0PWcu). +- Understand and fulfill the [Requirements](how-to-enterprise-marketplace-offer.md#requirements) section of [Enterprise plan in Azure Marketplace](how-to-enterprise-marketplace-offer.md). +- [The Azure CLI version 2.45.0 or higher](/cli/azure/install-azure-cli). +- [Git](https://git-scm.com/). +- [jq](https://stedolan.github.io/jq/download/) +- [!INCLUDE [install-enterprise-extension](includes/install-enterprise-extension.md)] +- Complete the steps in [Build and deploy apps to Azure Spring Apps using the Enterprise plan](quickstart-deploy-apps-enterprise.md). ++## Provision Azure OpenAI ++To add AI to the application, create an Azure OpenAI account and deploy language models. The following steps describe how to provision an Azure OpenAI account and deploy language models using the Azure CLI: ++1. Use the following command to create an Azure OpenAI account: ++ ```azurecli + az cognitiveservices account create \ + --resource-group <resource-group-name> \ + --name <open-ai-service-name> \ + --location <region> \ + --kind OpenAI \ + --sku s0 \ + --custom-domain <open-ai-service-name> + ``` ++1. Use the following commands to create the model deployments for `text-embedding-ada-002` and `gpt-35-turbo-16k` in your Azure OpenAI service instance: ++ ```azurecli + az cognitiveservices account deployment create \ + --resource-group <resource-group-name> \ + --name <open-ai-service-name> \ + --deployment-name text-embedding-ada-002 \ + --model-name text-embedding-ada-002 \ + --model-version "2" \ + --model-format OpenAI \ + --sku-name "Standard" \ + --sku-capacity 1 ++ az cognitiveservices account deployment create \ + --resource-group <resource-group-name> \ + --name <open-ai-service-name> \ + --deployment-name gpt-35-turbo-16k \ + --model-name gpt-35-turbo-16k \ + --model-version "0613" \ + --model-format OpenAI \ + --sku-name "Standard" \ + --sku-capacity 1 + ``` ++### Deploy Assist Service to Azure Spring Apps ++Use the following steps to create, configure, and deploy the Assist Service application to Azure Spring Apps. ++1. Use the following command to create the new AI service, `assist-service`: ++ ```azurecli + az spring app create \ + --resource-group <resource-group-name> \ + --name assist-service \ + --service <Azure-Spring-Apps-service-instance-name> \ + --instance-count 1 \ + --memory 1Gi + ``` ++1. Use the following command to configure Spring Cloud Gateway with the Assist Service route: ++ ```azurecli + az spring gateway route-config create \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> \ + --name assist-routes \ + --app-name assist-service \ + --routes-file azure-spring-apps-enterprise/resources/json/routes/assist-service.json + ``` ++1. Use the following command to retrieve the REST API endpoint base URL for the Azure OpenAI service: ++ ```azurecli + export SPRING_AI_AZURE_OPENAI_ENDPOINT=$(az cognitiveservices account show \ + --name <open-ai-service-name> \ + --resource-group <resource-group-name> \ + | jq -r .properties.endpoint) + ``` ++1. Use the following command to retrieve the primary API key: ++ ```azurecli + export SPRING_AI_AZURE_OPENAI_APIKEY=$(az cognitiveservices account keys list \ + --name <open-ai-service-name> \ + --resource-group <resource-group-name> \ + | jq -r .key1) + ``` ++1. Use the following command to deploy the Assist Service application: ++ ```azurecli + az spring app deploy + --resource-group <resource-group-name> \ + --name assist-service \ + --service <Azure-Spring-Apps-service-instance-name> \ + --source-path apps/acme-assist \ + --build-env BP_JVM_VERSION=17 \ + --env \ + SPRING_AI_AZURE_OPENAI_ENDPOINT=${SPRING_AI_AZURE_OPENAI_ENDPOINT} \ + SPRING_AI_AZURE_OPENAI_APIKEY=${SPRING_AI_AZURE_OPENAI_APIKEY} \ + SPRING_AI_AZURE_OPENAI_MODEL=gpt-35-turbo-16k \ + SPRING_AI_AZURE_OPENAI_EMBEDDINGMODEL=text-embedding-ada-002 + ``` ++1. Now, test the Fitness Store application in the browser. Select **ASK TO FITASSIST** to converse with the Assist Service application. ++ :::image type="content" source="media/quickstart-fitness-store-azure-openai/homepage.png" alt-text="Screenshot that shows the ASK TO FITASSIST button." lightbox="media/quickstart-fitness-store-azure-openai/homepage.png"::: ++1. In **FitAssist**, enter *I need a bike for a commute to work* and observe the output that was generated by the Assist Service application: ++ :::image type="content" source="media/quickstart-fitness-store-azure-openai/fitassist-question.png" alt-text="Screenshot that shows the 'I need a bike for a commute to work' query and the response from the Fitness Store assistant." lightbox="media/quickstart-fitness-store-azure-openai/fitassist-question.png"::: ++## Clean up resources ++If you plan to continue working with subsequent quickstarts and tutorials, you might want to leave these resources in place. When no longer needed, delete the resource group, which deletes the resources in the resource group. To delete the resource group by using Azure CLI, use the following commands: ++```azurecli +echo "Enter the Resource Group name:" && +read resourceGroupName && +az group delete --name $resourceGroupName && +echo "Press [ENTER] to continue ..." +``` ++## Next steps ++Continue on to any of the following optional quickstarts: ++- [Configure single sign-on](quickstart-configure-single-sign-on-enterprise.md) +- [Integrate Azure Database for PostgreSQL and Azure Cache for Redis](quickstart-integrate-azure-database-and-redis-enterprise.md) +- [Load application secrets using Key Vault](quickstart-key-vault-enterprise.md) +- [Monitor applications end-to-end](quickstart-monitor-end-to-end-enterprise.md) +- [Automate deployments](quickstart-automate-deployments-github-actions-enterprise.md) |
spring-apps | Quickstart Integrate Azure Database And Redis Enterprise | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/quickstart-integrate-azure-database-and-redis-enterprise.md | + + Title: "Quickstart - Integrate with Azure Database for PostgreSQL and Azure Cache for Redis" ++description: Explains how to provision and prepare an Azure Database for PostgreSQL and an Azure Cache for Redis to be used with apps running the Azure Spring Apps Enterprise plan. ++++ Last updated : 05/31/2022++++# Quickstart: Integrate with Azure Database for PostgreSQL and Azure Cache for Redis ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ❌ Basic/Standard ✔️ Enterprise ++This quickstart shows you how to provision and prepare an Azure Database for PostgreSQL and an Azure Cache for Redis to be used with apps running in the Azure Spring Apps Enterprise plan. ++This article uses these services for demonstration purposes. You can connect your application to any backing service of your choice by using instructions similar to the ones in the [Create Service Connectors](#create-service-connectors) section later in this article. ++## Prerequisites ++- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). +- Understand and fulfill the [Requirements](how-to-enterprise-marketplace-offer.md#requirements) section of [Enterprise plan in Azure Marketplace](how-to-enterprise-marketplace-offer.md). +- [The Azure CLI version 2.45.0 or higher](/cli/azure/install-azure-cli). +- [Git](https://git-scm.com/). +- [jq](https://stedolan.github.io/jq/download/) +- [!INCLUDE [install-enterprise-extension](includes/install-enterprise-extension.md)] +- Complete the steps in [Build and deploy apps to Azure Spring Apps using the Enterprise plan](quickstart-deploy-apps-enterprise.md). ++## Provision services ++To add persistence to the application, create an Azure Cache for Redis and an Azure Database for PostgreSQL Flexible Server. ++### [Azure CLI](#tab/azure-cli) ++The following steps describe how to provision an Azure Cache for Redis instance and an Azure Database for PostgreSQL Flexible Server by using the Azure CLI. ++1. Use the following command to create an instance of Azure Cache for Redis: ++ ```azurecli + az redis create \ + --resource-group <resource-group-name> \ + --name <redis-cache-name> \ + --location ${REGION} \ + --sku Basic \ + --vm-size c0 + ``` ++ > [!NOTE] + > Redis Cache creation takes approximately 20 minutes. ++1. Use the following command to create an Azure Database for PostgreSQL Flexible Server instance: ++ ```azurecli + az postgres flexible-server create \ + --resource-group <resource-group-name> \ + --name <postgres-server-name> \ + --location <location> \ + --admin-user <postgres-username> \ + --admin-password <postgres-password> \ + --yes + ``` ++1. Use the following command to allow connections from other Azure Services to the newly created Flexible Server: ++ ```azurecli + az postgres flexible-server firewall-rule create \ + --rule-name allAzureIPs \ + --name <postgres-server-name> \ + --resource-group <resource-group-name> \ + --start-ip-address 0.0.0.0 \ + --end-ip-address 0.0.0.0 + ``` ++1. Use the following command to enable the `uuid-ossp` extension for the newly created Flexible Server: ++ ```azurecli + az postgres flexible-server parameter set \ + --resource-group <resource-group-name> \ + --name azure.extensions \ + --value uuid-ossp \ + --server-name <postgres-server-name> + ``` ++1. Use the following command to create a database for the Order Service application: ++ ```azurecli + az postgres flexible-server db create \ + --resource-group <resource-group-name> \ + --server-name <postgres-server-name> \ + --database-name acmefit_order + ``` ++1. Use the following command to create a database for the Catalog Service application: ++ ```azurecli + az postgres flexible-server db create \ + --resource-group <resource-group-name> \ + --server-name <postgres-server-name> \ + --database-name acmefit_catalog + ``` ++### [ARM template](#tab/arm-template) ++The following instructions describe how to provision an Azure Cache for Redis and an Azure Database for PostgreSQL Flexible Server by using an Azure Resource Manager template (ARM template). +++You can find the template used in this quickstart in the [fitness store sample GitHub repository](https://github.com/Azure-Samples/acme-fitness-store/blob/HEAD/azure-spring-apps-enterprise/resources/json/deploy/azuredeploy.json). ++To deploy this template, follow these steps: ++1. Select the following image to sign in to Azure and open a template. The template creates an Azure Cache for Redis and an Azure Database for PostgreSQL Flexible Server. ++ :::image type="content" source="../../media/template-deployments/deploy-to-azure.svg" alt-text="Button to deploy the ARM template to Azure." border="false" link="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure-Samples%2Facme-fitness-store%2FAzure%2Fazure-spring-apps-enterprise%2Fresources%2Fjson%2Fdeploy%2Fazuredeploy.json"::: ++1. Enter values for the following fields: ++ - **Resource Group:** Select **Create new**, enter a unique name for the **resource group**, and then select **OK**. + - **cacheName:** Enter the name for the Azure Cache for Redis Server. + - **dbServerName:** Enter the name for the Azure Database for PostgreSQL Flexible Server. + - **administratorLogin:** Enter the admin username for the Azure Database for PostgreSQL Flexible Server. + - **administratorLoginPassword:** Enter the admin password for the Azure Database for PostgreSQL Flexible Server. + - **tags:** Enter any custom tags. ++1. Select **Review + Create** and then **Create**. ++++## Create Service Connectors ++The following steps show how to bind applications running in the Azure Spring Apps Enterprise plan to other Azure services by using Service Connectors. ++1. Use the following command to create a service connector to Azure Database for PostgreSQL for the Order Service application: ++ ```azurecli + az spring connection create postgres-flexible \ + --resource-group <resource-group-name> \ + --target-resource-group <target-resource-group> \ + --connection order_service_db \ + --service <Azure-Spring-Apps-service-instance-name> \ + --app order-service \ + --deployment default \ + --server <postgres-server-name> \ + --database acmefit_order \ + --secret name=<postgres-username> secret=<postgres-password> \ + --client-type dotnet + ``` ++1. Use the following command to create a service connector to Azure Database for PostgreSQL for the Catalog Service application: ++ ```azurecli + az spring connection create postgres-flexible \ + --resource-group <resource-group-name> \ + --target-resource-group <target-resource-group> \ + --connection catalog_service_db \ + --service <Azure-Spring-Apps-service-instance-name> \ + --app catalog-service \ + --deployment default \ + --server <postgres-server-name> \ + --database acmefit_catalog \ + --secret name=<postgres-username> secret=<postgres-password> \ + --client-type springboot + ``` ++1. Use the following command to create a service connector to Azure Cache for Redis for the Cart Service application: ++ ```azurecli + az spring connection create redis \ + --resource-group <resource-group-name> \ + --target-resource-group <target-resource-group> \ + --connection cart_service_cache \ + --service <Azure-Spring-Apps-service-instance-name> \ + --app cart-service \ + --deployment default \ + --server <redis-cache-name> \ + --database 0 \ + --client-type java + ``` ++1. Use the following command to reload the Catalog Service application to load the new connection properties: ++ ```azurecli + az spring app restart \ + --resource-group <resource-group-name> \ + --name catalog-service \ + --service <Azure-Spring-Apps-service-instance-name> + ``` ++1. Use the following command to retrieve the database connection information: ++ ```azurecli + export POSTGRES_CONNECTION_STR=$(az spring connection show \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> \ + --deployment default \ + --connection order_service_db \ + --app order-service \ + | jq '.configurations[0].value' -r) + ``` ++ > [!NOTE] + > If you get an SSL verification exception with Nofsql 6.0, be sure to change the SSL mode from `Require` to `VerifyFull`. For more information, see the [Npgsql 6.0 Release Notes](https://www.npgsql.org/doc/release-notes/6.0.html). ++1. Use the following command to update the Order Service application: ++ ```azurecli + az spring app update \ + --resource-group <resource-group-name> \ + --name order-service \ + --service <Azure-Spring-Apps-service-instance-name> \ + --env "DatabaseProvider=Postgres" "ConnectionStrings__OrderContext=${POSTGRES_CONNECTION_STR}" + ``` ++1. Use the following commands to retrieve Redis connection information and update the Cart Service application: ++ ```azurecli + export REDIS_CONN_STR=$(az spring connection show \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> \ + --deployment default \ + --app cart-service \ + --connection cart_service_cache | jq -r '.configurations[0].value') ++ export GATEWAY_URL=$(az spring gateway show \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> | jq -r '.properties.url') + + az spring app update \ + --resource-group <resource-group-name> \ + --name cart-service \ + --service <Azure-Spring-Apps-service-instance-name> \ + --env "CART_PORT=8080" "REDIS_CONNECTIONSTRING=${REDIS_CONN_STR}" "AUTH_URL=https://${GATEWAY_URL}" + ``` ++## Access the application ++Retrieve the URL for Spring Cloud Gateway and explore the updated application. You can use the output from the following command to explore the application: ++```azurecli +export GATEWAY_URL=$(az spring gateway show \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> | jq -r '.properties.url') ++echo "https://${GATEWAY_URL}" +``` ++## Clean up resources ++If you plan to continue working with subsequent quickstarts and tutorials, you might want to leave these resources in place. When no longer needed, delete the resource group, which deletes the resources in the resource group. To delete the resource group by using Azure CLI, use the following commands: ++```azurecli +echo "Enter the Resource Group name:" && +read resourceGroupName && +az group delete --name $resourceGroupName && +echo "Press [ENTER] to continue ..." +``` ++## Next steps ++Continue on to any of the following optional quickstarts: ++- [Configure single sign-on](quickstart-configure-single-sign-on-enterprise.md) +- [Load application secrets using Key Vault](quickstart-key-vault-enterprise.md) +- [Monitor applications end-to-end](quickstart-monitor-end-to-end-enterprise.md) +- [Set request rate limits](quickstart-set-request-rate-limits-enterprise.md) +- [Automate deployments](quickstart-automate-deployments-github-actions-enterprise.md) +- [Integrate Azure OpenAI](quickstart-fitness-store-azure-openai.md) |
spring-apps | Quickstart Key Vault Enterprise | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/quickstart-key-vault-enterprise.md | + + Title: "Quickstart - Load application secrets using Key Vault" ++description: Explains how to use Azure Key Vault to securely load secrets for apps running the Azure Spring Apps Enterprise plan. ++++ Last updated : 05/31/2022++++# Quickstart: Load application secrets using Key Vault ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ❌ Basic/Standard ✔️ Enterprise ++This quickstart shows you how to securely load secrets using Azure Key Vault for apps running the Azure Spring Apps Enterprise plan. ++Every application has properties that connect it to its environment and supporting services. These services include resources like databases, logging and monitoring tools, messaging platforms, and so on. Each resource requires a way to locate and access it, often in the form of URLs and credentials. This information is often protected by law, and must be kept secret in order to protect customer data. In Azure Spring Apps, you can configure applications to directly load these secrets into memory from Key Vault by using managed identities and Azure role-based access control. ++## Prerequisites ++- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). +- Understand and fulfill the [Requirements](how-to-enterprise-marketplace-offer.md#requirements) section of [Enterprise plan in Azure Marketplace](how-to-enterprise-marketplace-offer.md). +- [The Azure CLI version 2.45.0 or higher](/cli/azure/install-azure-cli). +- [Git](https://git-scm.com/). +- [jq](https://stedolan.github.io/jq/download/) +- [!INCLUDE [install-enterprise-extension](includes/install-enterprise-extension.md)] +- Complete the steps in the following quickstarts: + - [Build and deploy apps to Azure Spring Apps using the Enterprise plan](quickstart-deploy-apps-enterprise.md). + - [Integrate with Azure Database for PostgreSQL and Azure Cache for Redis](quickstart-integrate-azure-database-and-redis-enterprise.md) ++## Provision Key Vault and store secrets ++The following instructions describe how to create a Key Vault and securely save application secrets. ++1. Use the following command to create a Key Vault to store application secrets: ++ ```azurecli + az keyvault create \ + --resource-group <resource-group-name> \ + --name <key-vault-name> + ``` ++1. Use the following command to store the full database server name in Key Vault: ++ ```azurecli + az keyvault secret set \ + --vault-name <key-vault-name> \ + --name "POSTGRES-SERVER-NAME" \ + --value "<postgres-server-name>.postgres.database.azure.com" + ``` ++1. Use the following command to store the database name in Key Vault for the Catalog Service application: ++ ```azurecli + az keyvault secret set \ + --vault-name <key-vault-name> \ + --name "CATALOG-DATABASE-NAME" \ + --value "acmefit_catalog" + ``` ++1. Use the following commands to store the database login credentials in Key Vault: ++ ```azurecli + az keyvault secret set \ + --vault-name <key-vault-name> \ + --name "POSTGRES-LOGIN-NAME" \ + --value "<postgres-username>" ++ az keyvault secret set \ + --vault-name <key-vault-name> \ + --name "POSTGRES-LOGIN-PASSWORD" \ + --value "<postgres-password>" + ``` ++1. Use the following command to store the database connection string in Key Vault for the Order Service application: ++ ```azurecli + az keyvault secret set \ + --vault-name <key-vault-name> \ + --name "ConnectionStrings--OrderContext" \ + --value "Server=<postgres-server-name>;Database=acmefit_order;Port=5432;Ssl Mode=Require;User Id=<postgres-user>;Password=<postgres-password>;" + ``` ++1. Use the following commands to retrieve Redis connection properties and store them in Key Vault: ++ ```azurecli + export REDIS_HOST=$(az redis show \ + --resource-group <resource-group-name> \ + --name <redis-cache-name> | jq -r '.hostName') ++ export REDIS_PORT=$(az redis show \ + --resource-group <resource-group-name> \ + --name <redis-cache-name> | jq -r '.sslPort') ++ export REDIS_PRIMARY_KEY=$(az redis list-keys \ + --resource-group <resource-group-name> \ + --name <redis-cache-name> | jq -r '.primaryKey') ++ az keyvault secret set \ + --vault-name <key-vault-name> \ + --name "CART-REDIS-CONNECTION-STRING" \ + --value "rediss://:${REDIS_PRIMARY_KEY}@${REDIS_HOST}:${REDIS_PORT}/0" + ``` ++1. If you've configured [single sign-on](quickstart-configure-single-sign-on-enterprise.md), use the following command to store the JSON Web Key (JWK) URI in Key Vault: ++ ```azurecli + az keyvault secret set \ + --vault-name <key-vault-name> \ + --name "SSO-PROVIDER-JWK-URI" \ + --value <jwk-uri> + ``` ++## Grant applications access to secrets in Key Vault ++The following instructions describe how to grant access to Key Vault secrets to applications deployed to the Azure Spring Apps Enterprise plan. ++1. Use the following command to enable a System Assigned Identity for the Cart Service application: ++ ```azurecli + az spring app identity assign \ + --resource-group <resource-group-name> \ + --name cart-service \ + --service <Azure-Spring-Apps-service-instance-name> + ``` ++1. Use the following commands to set an access policy of `get list` on Key Vault for the Cart Service application: ++ ```azurecli + export CART_SERVICE_APP_IDENTITY=$(az spring app show \ + --resource-group <resource-group-name> \ + --name cart-service \ + --service <Azure-Spring-Apps-service-instance-name> | jq -r '.identity.principalId') ++ az keyvault set-policy \ + --name <key-vault-name> \ + --object-id ${CART_SERVICE_APP_IDENTITY} \ + --secret-permissions get list + ``` ++1. Use the following command to enable a System Assigned Identity for the Order Service application: ++ ```azurecli + az spring app identity assign \ + --resource-group <resource-group-name> \ + --name order-service \ + --service <Azure-Spring-Apps-service-instance-name> + ``` ++1. Use the following commands to set an access policy of `get list` on Key Vault for the Order Service application: ++ ```azurecli + export ORDER_SERVICE_APP_IDENTITY=$(az spring app show \ + --resource-group <resource-group-name> \ + --name order-service \ + --service <Azure-Spring-Apps-service-instance-name> | jq -r '.identity.principalId') ++ az keyvault set-policy \ + --name <key-vault-name> \ + --object-id ${ORDER_SERVICE_APP_IDENTITY} \ + --secret-permissions get list + ``` ++1. Use the following command to enable a System Assigned Identity for the Catalog Service application: ++ ```azurecli + az spring app identity assign \ + --resource-group <resource-group-name> \ + --name catalog-service \ + --service <Azure-Spring-Apps-service-instance-name> + ``` ++1. Use the following commands to set an access policy of `get list` on Key Vault for the Catalog Service application: ++ ```azurecli + export CATALOG_SERVICE_APP_IDENTITY=$(az spring app show \ + --resource-group <resource-group-name> \ + --name catalog-service \ + --service <Azure-Spring-Apps-service-instance-name> | jq -r '.identity.principalId') ++ az keyvault set-policy \ + --name <key-vault-name> \ + --object-id ${CATALOG_SERVICE_APP_IDENTITY} \ + --secret-permissions get list + ``` ++1. If you've configured [single sign-on](quickstart-configure-single-sign-on-enterprise.md), use the following command to enable a System Assigned Identity for the Identity Service application: ++ ```azurecli + az spring app identity assign \ + --resource-group <resource-group-name> \ + --name identity-service \ + --service <Azure-Spring-Apps-service-instance-name> + ``` ++1. Use the following commands to set an access policy of `get list` on Key Vault for the Identity Service application: ++ ```azurecli + export IDENTITY_SERVICE_APP_IDENTITY=$(az spring app show \ + --resource-group <resource-group-name> \ + --name identity-service \ + --service <Azure-Spring-Apps-service-instance-name> | jq -r '.identity.principalId') ++ az keyvault set-policy \ + --name <key-vault-name> \ + --object-id ${IDENTITY_SERVICE_APP_IDENTITY} \ + --secret-permissions get list + ``` ++## Update applications to load Key Vault secrets ++After granting access to read secrets from Key Vault, use the following steps to update the applications to use the new secret values in their configurations. ++1. Use the following command to retrieve the URI for Key Vault to be used in updating applications: ++ ```azurecli + export KEYVAULT_URI=$(az keyvault show --name <key-vault-name> | jq -r '.properties.vaultUri') + ``` ++1. Use the following command to retrieve the URL for Spring Cloud Gateway to be used in updating applications: ++ ```azurecli + export GATEWAY_URL=$(az spring gateway show \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> | jq -r '.properties.url') + ``` ++1. Use the following command to remove the Service Connector binding the Order Service application and the Azure Database for PostgreSQL Flexible Server: ++ ```azurecli + az spring connection delete \ + --resource-group <resource-group-name> \ + --app order-service \ + --connection order_service_db \ + --service <Azure-Spring-Apps-service-instance-name> \ + --deployment default \ + --yes + ``` ++1. Use the following command to update the Order Service environment with the URI to access Key Vault: ++ ```azurecli + az spring app update \ + --resource-group <resource-group-name> \ + --name order-service \ + --service <Azure-Spring-Apps-service-instance-name> \ + --env "ConnectionStrings__KeyVaultUri=${KEYVAULT_URI}" "AcmeServiceSettings__AuthUrl=https://${GATEWAY_URL}" "DatabaseProvider=Postgres" + ``` ++1. Use the following command to remove the Service Connector binding the Catalog Service application and the Azure Database for PostgreSQL Flexible Server: ++ ```azurecli + az spring connection delete \ + --resource-group <resource-group-name> \ + --app catalog-service \ + --connection catalog_service_db \ + --service <Azure-Spring-Apps-service-instance-name> \ + --deployment default \ + --yes + ``` ++1. Use the following command to update the Catalog Service environment and configuration pattern to access Key Vault: ++ ```azurecli + az spring app update \ + --resource-group <resource-group-name> \ + --name catalog-service \ + --service <Azure-Spring-Apps-service-instance-name> \ + --config-file-pattern catalog/default,catalog/key-vault \ + --env "SPRING_CLOUD_AZURE_KEYVAULT_SECRET_PROPERTY_SOURCES_0_ENDPOINT=${KEYVAULT_URI}" "SPRING_CLOUD_AZURE_KEYVAULT_SECRET_PROPERTY_SOURCES_0_NAME='acme-fitness-store-vault'" "SPRING_PROFILES_ACTIVE=default,key-vault" + ``` ++1. Use the following command to remove the Service Connector binding the Cart Service application and the Azure Cache for Redis: ++ ```azurecli + az spring connection delete \ + --resource-group <resource-group-name> \ + --app cart-service \ + --connection cart_service_cache \ + --service <Azure-Spring-Apps-service-instance-name> \ + --deployment default \ + --yes + ``` ++1. Use the following command to update the Cart Service environment to access Key Vault: ++ ```azurecli + az spring app update \ + --resource-group <resource-group-name> \ + --name cart-service \ + --service <Azure-Spring-Apps-service-instance-name> \ + --env "CART_PORT=8080" "KEYVAULT_URI=${KEYVAULT_URI}" "AUTH_URL=https://${GATEWAY_URL}" + ``` ++1. Use the following command to update the Identity Service environment and configuration pattern to access Key Vault: ++ ```azurecli + az spring app update \ + --resource-group <resource-group-name> \ + --name identity-service \ + --service <Azure-Spring-Apps-service-instance-name> \ + --config-file-pattern identity/default,identity/key-vault \ + --env "SPRING_CLOUD_AZURE_KEYVAULT_SECRET_PROPERTY_SOURCES_0_ENDPOINT=${KEYVAULT_URI}" "SPRING_CLOUD_AZURE_KEYVAULT_SECRET_PROPERTY_SOURCES_0_NAME='acme-fitness-store-vault'" "SPRING_PROFILES_ACTIVE=default,key-vault" + ``` ++1. Use the following commands to retrieve the URL for Spring Cloud Gateway: ++ ```azurecli + export GATEWAY_URL=$(az spring gateway show \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> | jq -r '.properties.url') ++ echo "https://${GATEWAY_URL}" + ``` ++ You can open the output URL in a browser to explore the updated application. ++## Clean up resources ++If you plan to continue working with subsequent quickstarts and tutorials, you might want to leave these resources in place. When no longer needed, delete the resource group, which deletes the resources in the resource group. To delete the resource group by using Azure CLI, use the following commands: ++```azurecli +echo "Enter the Resource Group name:" && +read resourceGroupName && +az group delete --name $resourceGroupName && +echo "Press [ENTER] to continue ..." +``` ++## Next steps ++Continue on to any of the following optional quickstarts: ++- [Configure single sign-on](quickstart-configure-single-sign-on-enterprise.md) +- [Integrate Azure Database for PostgreSQL and Azure Cache for Redis](quickstart-integrate-azure-database-and-redis-enterprise.md) +- [Monitor applications end-to-end](quickstart-monitor-end-to-end-enterprise.md) +- [Set request rate limits](quickstart-set-request-rate-limits-enterprise.md) +- [Automate deployments](quickstart-automate-deployments-github-actions-enterprise.md) +- [Integrate Azure OpenAI](quickstart-fitness-store-azure-openai.md) |
spring-apps | Quickstart Monitor End To End Enterprise | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/quickstart-monitor-end-to-end-enterprise.md | + + Title: "Quickstart - Monitor applications end-to-end" ++description: Explains how to monitor apps running the Azure Spring Apps Enterprise plan by using Application Insights and Log Analytics. ++++ Last updated : 05/31/2022++++# Quickstart: Monitor applications end-to-end ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ❌ Basic/Standard ✔️ Enterprise ++This quickstart shows you how monitor apps running the Azure Spring Apps Enterprise plan by using Application Insights and Log Analytics. ++> [!NOTE] +> You can monitor your Spring workloads end-to-end by using any tool and platform of your choice, including App Insights, Log Analytics, New Relic, Dynatrace, AppDynamics, Elastic, or Splunk. For more information, see [Working with other monitoring tools](#working-with-other-monitoring-tools) later in this article. ++## Prerequisites ++- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). +- Understand and fulfill the [Requirements](how-to-enterprise-marketplace-offer.md#requirements) section of [Enterprise plan in Azure Marketplace](how-to-enterprise-marketplace-offer.md). +- [The Azure CLI version 2.45.0 or higher](/cli/azure/install-azure-cli). +- [Git](https://git-scm.com/). +- [!INCLUDE [install-enterprise-extension](includes/install-enterprise-extension.md)] +- Resources to monitor, such as the ones created in the following quickstarts: + - [Build and deploy apps to Azure Spring Apps using the Enterprise plan](quickstart-deploy-apps-enterprise.md) + - [Integrate with Azure Database for PostgreSQL and Azure Cache for Redis](quickstart-integrate-azure-database-and-redis-enterprise.md) + - [Load application secrets using Key Vault](quickstart-key-vault-enterprise.md) ++## Update applications ++You must manually provide the Application Insights connection string to the Order Service (ASP.NET core) and Cart Service (python) applications. The following instructions describe how to provide this connection string and increase the sampling rate to Application Insights. ++> [!NOTE] +> Currently only the buildpacks for Java and NodeJS applications support Application Insights instrumentation. ++1. Use the following commands to retrieve the Application Insights connection string and set it in Key Vault: ++ ```azurecli + export INSTRUMENTATION_KEY=$(az monitor app-insights component show \ + --resource-group <resource-group-name> \ + --app <app-insights-name> \ + --query "connectionString" \ + --output tsv) ++ az keyvault secret set \ + --vault-name <key-vault-name> \ + --name "ApplicationInsights--ConnectionString" \ + --value ${INSTRUMENTATION_KEY} + ``` ++ > [!NOTE] + > By default, the Application Insights service instance has the same name as the Azure Spring Apps service instance. ++1. Use the following command to update the sampling rate for the Application Insights binding to increase the amount of data available: ++ ```azurecli + az spring build-service builder buildpack-binding set \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> \ + --builder-name default \ + --name default \ + --type ApplicationInsights \ + --properties sampling-rate=100 connection_string=${INSTRUMENTATION_KEY} + ``` ++1. Use the following commands to restart applications to reload configuration: ++ ```azurecli + az spring app restart \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> \ + --name cart-service ++ az spring app restart \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> \ + --name order-service ++ az spring app restart \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> \ + --name catalog-service ++ az spring app restart \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> \ + --name frontend ++ az spring app restart \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> \ + --name identity-service + ``` ++ For the Java and NodeJS applications, restarting will allow the new sampling rate to take effect. For the non-Java applications, restarting will allow them to access the newly added Instrumentation Key from the Key Vault. ++## View logs ++There are two ways to see logs on Azure Spring Apps: log streaming of real-time logs per app instance or **Log Analytics** for aggregated logs with advanced query capability ++### Use log streaming ++Generate traffic in the application by moving through the application, viewing the catalog, and placing orders. Use the following commands to generate traffic continuously, until canceled: ++```azurecli +export GATEWAY_URL=$(az spring gateway show \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> \ + --query "properties.url" \ + --output tsv) ++export GATEWAY_URL=https://${GATEWAY_URL} ++./gradlew -p azure-spring-apps-enterprise/load-test/traffic-generator gatlingRun-com.vmware.acme.simulation.GuestSimulation +``` ++Use the following command to get the latest 100 lines of application console logs from the Catalog Service application: ++```azurecli +az spring app logs \ + --resource-group <resource-group-name> \ + --name catalog-service \ + --service <Azure-Spring-Apps-service-instance-name> \ + --lines 100 +``` ++By adding the `--follow` option, you can get real-time log streaming from an app. Use the following command to try log streaming for the Catalog Service application: ++```azurecli +az spring app logs \ + --resource-group <resource-group-name> \ + --name catalog-service \ + --service <Azure-Spring-Apps-service-instance-name> \ + --follow +``` ++> [!TIP] +> You can use az spring app logs `--help` to explore more parameters and log stream functionalities. ++### Use Log Analytics ++Navigate to the Azure portal and open the Log Analytics instance that you created. You can find the Log Analytics instance in the same resource group where you created the Azure Spring Apps service instance. ++On the Log Analytics page, select the **Logs** pane and run any of the following sample queries for Azure Spring Apps. ++Type and run the following Kusto query to see application logs: ++```kusto +AppPlatformLogsforSpring +| where TimeGenerated > ago(24h) +| limit 500 +| sort by TimeGenerated +| project TimeGenerated, AppName, Log +``` ++This query produces results similar to the ones shown in the following screenshot: +++Type and run the following Kusto query to see `catalog-service` application logs: ++```kusto +AppPlatformLogsforSpring +| where AppName has "catalog-service" +| limit 500 +| sort by TimeGenerated +| project TimeGenerated, AppName, Log +``` ++This query produces results similar to the ones shown in the following screenshot: +++Type and run the following Kusto query to see errors and exceptions thrown by each app: ++```kusto +AppPlatformLogsforSpring +| where Log contains "error" or Log contains "exception" +| extend FullAppName = strcat(ServiceName, "/", AppName) +| summarize count_per_app = count() by FullAppName, ServiceName, AppName, _ResourceId +| sort by count_per_app desc +| render piechart +``` ++This query produces results similar to the ones shown in the following screenshot: +++Type and run the following Kusto query to see all in the inbound calls into Azure Spring Apps: ++```kusto +AppPlatformIngressLogs +| project TimeGenerated, RemoteAddr, Host, Request, Status, BodyBytesSent, RequestTime, ReqId, RequestHeaders +| sort by TimeGenerated +``` ++Type and run the following Kusto query to see all the logs from the managed Spring Cloud +Config Gateway managed by Azure Spring Apps: ++```kusto +AppPlatformSystemLogs +| where LogType contains "SpringCloudGateway" +| project TimeGenerated,Log +``` ++This query produces results similar to the ones shown in the following screenshot: +++Type and run the following Kusto query to see all the logs from the managed Spring Cloud +Service Registry managed by Azure Spring Apps: ++```kusto +AppPlatformSystemLogs +| where LogType contains "ServiceRegistry" +| project TimeGenerated, Log +``` ++This query produces results similar to the ones shown in the following screenshot: +++## Use tracing ++In the Azure portal, open the Application Insights instance created by Azure Spring Apps and start monitoring Spring Boot applications. You can find the Application Insights instance in the same resource group where you created an Azure Spring Apps service instance. ++Navigate to the **Application map** pane, which will be similar to the following screenshot: +++Navigate to the **Performance** pane, which will be similar to the following screenshot: +++Navigate to the **Performance/Dependencies** pane. Here you can see the performance number for dependencies, particularly SQL calls, similar to what's shown in the following screenshot: +++Navigate to the **Performance/Roles** pane. Here you can see the performance metrics for individual instances or roles, similar to what's shown in the following screenshot: +++Select a SQL call to see the end-to-end transaction in context, similar to what's shown in the following screenshot: +++Navigate to the **Failures/Exceptions** pane. Here you can see a collection of exceptions, similar to what's shown in the following screenshot: +++## View metrics ++Navigate to the **Metrics** pane. Here you can see metrics contributed by Spring Boot apps, Spring Cloud modules, and dependencies. The chart in the following screenshot shows **http_server_requests** and **Heap Memory Used**: +++Spring Boot registers a large number of core metrics: JVM, CPU, Tomcat, Logback, and so on. +The Spring Boot auto-configuration enables the instrumentation of requests handled by Spring MVC. +The REST controllers `ProductController` and `PaymentController` have been instrumented by the `@Timed` Micrometer annotation at the class level. ++The `acme-catalog` application has the following custom metric enabled: @Timed: `store.products` ++The `acem-payment` application has the following custom metric enabled: @Timed: `store.payment` ++You can see these custom metrics in the **Metrics** pane, as shown in the following screenshot. +++Navigate to the **Live Metrics** pane. Here you can see live metrics on screen with low latencies < 1 second, as shown in the following screenshot: +++## Working with other monitoring tools ++The Azure Spring Apps Enterprise plan also supports exporting metrics to other tools, including the following tools: ++- AppDynamics +- ApacheSkyWalking +- Dynatrace +- ElasticAPM +- NewRelic ++You can add more bindings to a builder in Tanzu Build Service by using the following command: ++```azurecli +az spring build-service builder buildpack-binding create \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> \ + --builder-name <builder-name> \ + --name <binding-name> \ + --type <ApplicationInsights|AppDynamics|ApacheSkyWalking|Dynatrace|ElasticAPM|NewRelic> \ + --properties <connection-properties> + --secrets <secret-properties> +``` ++## Clean up resources ++If you plan to continue working with subsequent quickstarts and tutorials, you might want to leave these resources in place. When no longer needed, delete the resource group, which deletes the resources in the resource group. To delete the resource group by using Azure CLI, use the following commands: ++```azurecli +echo "Enter the Resource Group name:" && +read resourceGroupName && +az group delete --name $resourceGroupName && +echo "Press [ENTER] to continue ..." +``` ++## Next steps ++Continue on to any of the following optional quickstarts: ++- [Configure single sign-on](quickstart-configure-single-sign-on-enterprise.md) +- [Integrate Azure Database for PostgreSQL and Azure Cache for Redis](quickstart-integrate-azure-database-and-redis-enterprise.md) +- [Load application secrets using Key Vault](quickstart-key-vault-enterprise.md) +- [Set request rate limits](quickstart-set-request-rate-limits-enterprise.md) +- [Automate deployments](quickstart-automate-deployments-github-actions-enterprise.md) +- [Integrate Azure OpenAI](quickstart-fitness-store-azure-openai.md) |
spring-apps | Quickstart Sample App Acme Fitness Store Introduction | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/quickstart-sample-app-acme-fitness-store-introduction.md | + + Title: Introduction to the Fitness Store sample app ++description: Describes the sample app used in this series of quickstarts for deployment to the Azure Spring Apps Enterprise plan. ++++ Last updated : 05/31/2022++++# Introduction to the Fitness Store sample app ++> [!NOTE] +> The first 50 vCPU hours and 100 GB hours of memory are free each month. For more information, see [Price Reduction - Azure Spring Apps does more, costs less!](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/price-reduction-azure-spring-apps-does-more-costs-less/ba-p/3614058) on the [Apps on Azure Blog](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/bg-p/AppsonAzureBlog). ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ❌ Basic/Standard ✔️ Enterprise ++This quickstart describes the [fitness store](https://github.com/Azure-Samples/acme-fitness-store) sample application, which shows you how to deploy polyglot apps to an Azure Spring Apps Enterprise plan instance. You see how polyglot applications are built and deployed using Azure Spring Apps Enterprise plan capabilities. These capabilities include Tanzu Build Service, Service Discovery, externalized configuration with Application Configuration Service, application routing with Spring Cloud Gateway, logs, metrics, and distributed tracing. ++The following diagram shows a common application architecture: +++This architecture shows an application composed of smaller applications with a gateway, multiple databases, security services, monitoring, and automation. ++This quickstart applies this architecture to a Fitness Store application. This application is composed of the following services split up by domain: ++- Four Java Spring Boot applications: + - **Catalog Service** contains an API for fetching available products. + - **Payment Service** validates and processes payments for users' orders. + - **Identity Service** provides reference to the authenticated user. + - **Assist Service** provides AI functionality to the fitness store. ++- One Python application: + - **Cart Service** manages users' items that have been selected for purchase. ++- One ASP.NET Core application: + - **Order Service** places orders to buy products that are in the users' carts. ++- One NodeJS and static HTML application: + - **Frontend** is the shopping application that depends on the other services. ++## Next steps ++> [!div class="nextstepaction"] +> [Quickstart: Build and deploy apps to Azure Spring Apps using the Enterprise plan](quickstart-deploy-apps-enterprise.md) |
spring-apps | Quickstart Sample App Introduction | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/quickstart-sample-app-introduction.md | + + Title: "Quickstart - Introduction to the sample app - Azure Spring Apps" +description: Describes the sample app used in this series of quickstarts for deployment to Azure Spring Apps. ++++ Last updated : 10/12/2021++++# Introduction to the sample app ++> [!NOTE] +> The first 50 vCPU hours and 100 GB hours of memory are free each month. For more information, see [Price Reduction - Azure Spring Apps does more, costs less!](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/price-reduction-azure-spring-apps-does-more-costs-less/ba-p/3614058) on the [Apps on Azure Blog](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/bg-p/AppsonAzureBlog). ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++In this quickstart, we use the well-known sample app [PetClinic](https://github.com/spring-petclinic/spring-petclinic-microservices) to show you how to deploy apps to the Azure Spring Apps service. The **Pet Clinic** sample demonstrates the microservice architecture pattern and highlights the services breakdown. You see how to deploy services to Azure with Azure Spring Apps capabilities such as service discovery, config server, logs, metrics, distributed tracing, and developer-friendly tooling support. ++To follow the Azure Spring Apps deployment examples, you only need the location of the source code, which is provided as needed. ++The following diagram shows the architecture of the PetClinic application. +++> [!NOTE] +> When the application is hosted in Azure Spring Apps Enterprise plan, the managed Application Configuration Service for VMware Tanzu assumes the role of Spring Cloud Config Server and the managed VMware Tanzu Service Registry assumes the role of Eureka Service Discovery without any code changes to the application. For more information, see the [Infrastructure services hosted by Azure Spring Apps](#infrastructure-services-hosted-by-azure-spring-apps) section later in this article. ++## Functional services to be deployed ++PetClinic is decomposed into four core Spring apps. All of them are independently deployable applications organized by business domains. ++* **Customers service**: Contains general user input logic and validation including pets and owners information (Name, Address, City, Telephone). +* **Visits service**: Stores and shows visits information for each pet's comments. +* **Vets service**: Stores and shows Veterinarians' information, including names and specialties. +* **API Gateway**: The API Gateway is a single entry point into the system, used to handle requests and route them to an appropriate service or to invoke multiple services, and aggregate the results. The three core services expose an external API to client. In real-world systems, the number of functions can grow quickly with system complexity. Hundreds of services might be involved in rendering one complex webpage. ++## Infrastructure services hosted by Azure Spring Apps ++There are several common patterns in distributed systems that support core services. Azure Spring Apps provides tools that enhance Spring Boot applications to implement the following patterns: ++### [Enterprise plan](#tab/enterprise-plan) ++* **Application Configuration Service for Tanzu**: Application Configuration Service for Tanzu is one of the commercial VMware Tanzu components. It enables the management of Kubernetes-native ConfigMap resources that are populated from properties defined in one or more Git repositories. +* **Tanzu Service Registry**: Tanzu Service Registry is one of the commercial VMware Tanzu components. It provides your apps with an implementation of the Service Discovery pattern, one of the key tenets of a Spring-based architecture. Your apps can use the Service Registry to dynamically discover and call registered services. ++### [Basic/Standard plan](#tab/basic-standard-plan) ++* **Config service**: Azure Spring Apps Config is a horizontally scalable centralized configuration service for distributed systems. It uses a pluggable repository that currently supports local storage, Git, and Subversion. +* **Service discovery**: It allows automatic detection of network locations for service instances, which could have dynamically assigned addresses because of autoscaling, failures, and upgrades. ++++## Database configuration ++In its default configuration, **Pet Clinic** uses an in-memory database (HSQLDB) which is populated at startup with data. A similar setup is provided for MySQL if a persistent database configuration is needed. A dependency for Connector/J, the MySQL JDBC driver, is already included in the pom.xml files. ++## Sample usage of PetClinic ++For full implementation details, see our fork of [PetClinic](https://github.com/Azure-Samples/spring-petclinic-microservices). The samples reference the source code as needed. ++## Next steps ++### [Enterprise plan](#tab/enterprise-plan) ++> [!div class="nextstepaction"] +> [Quickstart: Build and deploy apps to Azure Spring Apps using the Enterprise plan](quickstart-deploy-apps-enterprise.md) ++### [Basic/Standard plan](#tab/basic-standard-plan) ++> [!div class="nextstepaction"] +> [Quickstart: Provision an Azure Spring Apps service instance](../basic-standard/quickstart-provision-service-instance.md) ++ |
spring-apps | Quickstart Set Request Rate Limits Enterprise | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/quickstart-set-request-rate-limits-enterprise.md | + + Title: "Quickstart - Set request rate limits" ++description: Explains how to set request rate limits by using Spring Cloud Gateway on the Azure Spring Apps Enterprise plan. ++++ Last updated : 05/31/2022++++# Quickstart: Set request rate limits ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ❌ Basic/Standard ✔️ Enterprise ++This quickstart shows you how to set request rate limits by using Spring Cloud Gateway on the Azure Spring Apps Enterprise plan. ++Rate limiting enables you to avoid problems that arise with spikes in traffic. When you set request rate limits, your application can reject excessive requests. This configuration helps you minimize throttling errors and more accurately predict throughput. ++## Prerequisites ++- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). +- Understand and fulfill the [Requirements](how-to-enterprise-marketplace-offer.md#requirements) section of [Enterprise plan in Azure Marketplace](how-to-enterprise-marketplace-offer.md). +- [The Azure CLI version 2.45.0 or higher](/cli/azure/install-azure-cli). +- [Git](https://git-scm.com/). +- [jq](https://stedolan.github.io/jq/download/) +- [!INCLUDE [install-enterprise-extension](includes/install-enterprise-extension.md)] +- Complete the steps in [Build and deploy apps to Azure Spring Apps using the Enterprise plan](quickstart-deploy-apps-enterprise.md). ++## Set request rate limits ++Spring Cloud Gateway includes route filters from the Open Source version and several more route filters. One of these filters is the [RateLimit: Limiting user requests filter](https://docs.vmware.com/en/VMware-Spring-Cloud-Gateway-for-Kubernetes/1.2/scg-k8s/GUID-route-filters.html#ratelimit-limiting-user-requests-filter). The RateLimit filter limits the number of requests allowed per route during a time window. ++When defining a route, you can add the RateLimit filter by including it in the list of filters for the route. The filter accepts four options: ++- The number of requests accepted during the window. +- The duration of the window. This value is in milliseconds by default, but you can specify a suffix of *s*, *m*, or *h* to indicate that the value is in seconds, minutes, or hours. +- (Optional) A user partition key. You can also apply rate limiting per user. That is, different users can have their own throughput allowed based on an identifier found in the request. Indicate whether the key is in a JWT claim or HTTP header with `claim` or `header` syntax. +- (Optional) You can rate limit by IP addresses, but not in combination with rate limiting per user. ++The following example would limit all users to two requests every five seconds to the `/products` route: ++```json +{ + "predicates": [ + "Path=/products", + "Method=GET" + ], + "filters": [ + "StripPrefix=0", + "RateLimit=2,5s" + ] +} +``` ++If you want to expose a route for different sets of users, each one identified by its own `client_id` HTTP header, use the following route definition: ++```json +{ + "predicates": [ + "Path=/products", + "Method=GET" + ], + "filters": [ + "StripPrefix=0", + "RateLimit=2,5s,{header:client_id}" + ] +} +``` ++When the limit is exceeded, responses will fail with `429 Too Many Requests` status. ++Use the following command to apply the `RateLimit` filter to the `/products` route: ++```azurecli +az spring gateway route-config update \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> \ + --name catalog-routes \ + --app-name catalog-service \ + --routes-file azure-spring-apps-enterprise/resources/json/routes/catalog-service_rate-limit.json +``` ++Use the following commands to retrieve the URL for the `/products` route in Spring Cloud Gateway: ++```azurecli +export GATEWAY_URL=$(az spring gateway show \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-service-instance-name> | jq -r '.properties.url') ++echo "https://${GATEWAY_URL}/products" +``` ++Make several requests to the URL for `/products` within a five-second period to see requests fail with a status `429 Too Many Requests`. ++## Clean up resources ++If you plan to continue working with subsequent quickstarts and tutorials, you might want to leave these resources in place. When no longer needed, delete the resource group, which deletes the resources in the resource group. To delete the resource group by using Azure CLI, use the following commands: ++```azurecli +echo "Enter the Resource Group name:" && +read resourceGroupName && +az group delete --name $resourceGroupName && +echo "Press [ENTER] to continue ..." +``` ++## Next steps ++Continue on to any of the following optional quickstarts: ++- [Configure single sign-on](quickstart-configure-single-sign-on-enterprise.md) +- [Integrate Azure Database for PostgreSQL and Azure Cache for Redis](quickstart-integrate-azure-database-and-redis-enterprise.md) +- [Load application secrets using Key Vault](quickstart-key-vault-enterprise.md) +- [Monitor applications end-to-end](quickstart-monitor-end-to-end-enterprise.md) +- [Automate deployments](quickstart-automate-deployments-github-actions-enterprise.md) +- [Integrate Azure OpenAI](quickstart-fitness-store-azure-openai.md) |
spring-apps | Quickstart | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/quickstart.md | + + Title: Quickstart - Deploy your first application to Azure Spring Apps +description: Describes how to deploy an application to Azure Spring Apps. ++++ Last updated : 08/09/2023++zone_pivot_groups: spring-apps-plan-selection +++# Quickstart: Deploy your first application to Azure Spring Apps ++> [!NOTE] +> The first 50 vCPU hours and 100 GB hours of memory are free each month. For more information, see [Price Reduction - Azure Spring Apps does more, costs less!](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/price-reduction-azure-spring-apps-does-more-costs-less/ba-p/3614058) on the [Apps on Azure Blog](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/bg-p/AppsonAzureBlog). ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++This article explains how to deploy a small application to run on Azure Spring Apps. ++The application code used in this tutorial is a simple app. When you complete this example, the application is accessible online, and you can manage it through the Azure portal. +++## 1. Prerequisites +++### [Azure portal](#tab/Azure-portal) ++- An Azure subscription. [!INCLUDE [quickstarts-free-trial-note](../../../includes/quickstarts-free-trial-note.md)] ++### [Azure portal + Maven plugin](#tab/Azure-portal-maven-plugin) ++- An Azure subscription. [!INCLUDE [quickstarts-free-trial-note](../../../includes/quickstarts-free-trial-note.md)] +- [Git](https://git-scm.com/downloads). +- [Java Development Kit (JDK)](/java/azure/jdk/), version 17. ++### [Azure Developer CLI](#tab/Azure-Developer-CLI) ++- An Azure subscription. [!INCLUDE [quickstarts-free-trial-note](../../../includes/quickstarts-free-trial-note.md)] +- [Git](https://git-scm.com/downloads). +- [Java Development Kit (JDK)](/java/azure/jdk/), version 17. +- [Azure Developer CLI (AZD)](/azure/developer/azure-developer-cli/install-azd), version 1.2.0 or higher. ++++++### [Azure portal](#tab/Azure-portal-ent) ++- An Azure subscription. [!INCLUDE [quickstarts-free-trial-note](../../../includes/quickstarts-free-trial-note.md)] +- If you're deploying an Azure Spring Apps Enterprise plan instance for the first time in the target subscription, see the [Requirements](./how-to-enterprise-marketplace-offer.md#requirements) section of [Enterprise plan in Azure Marketplace](./how-to-enterprise-marketplace-offer.md). ++### [Azure portal + Maven plugin](#tab/Azure-portal-maven-plugin-ent) ++- An Azure subscription. [!INCLUDE [quickstarts-free-trial-note](../../../includes/quickstarts-free-trial-note.md)] +- If you're deploying an Azure Spring Apps Enterprise plan instance for the first time in the target subscription, see the [Requirements](./how-to-enterprise-marketplace-offer.md#requirements) section of [Enterprise plan in Azure Marketplace](./how-to-enterprise-marketplace-offer.md). +- [Git](https://git-scm.com/downloads). +- [Java Development Kit (JDK)](/java/azure/jdk/), version 17. ++### [Azure CLI](#tab/Azure-CLI) ++- An Azure subscription. [!INCLUDE [quickstarts-free-trial-note](../../../includes/quickstarts-free-trial-note.md)] +- If you're deploying an Azure Spring Apps Enterprise plan instance for the first time in the target subscription, see the [Requirements](./how-to-enterprise-marketplace-offer.md#requirements) section of [Enterprise plan in Azure Marketplace](./how-to-enterprise-marketplace-offer.md). +- [Git](https://git-scm.com/downloads). +- [Java Development Kit (JDK)](/java/azure/jdk/), version 17. +- [Azure CLI](/cli/azure/install-azure-cli) version 2.45.0 or higher. ++### [IntelliJ](#tab/IntelliJ) ++- An Azure subscription. [!INCLUDE [quickstarts-free-trial-note](../../../includes/quickstarts-free-trial-note.md)] +- If you're deploying an Azure Spring Apps Enterprise plan instance for the first time in the target subscription, see the [Requirements](./how-to-enterprise-marketplace-offer.md#requirements) section of [Enterprise plan in Azure Marketplace](./how-to-enterprise-marketplace-offer.md). +- [Java Development Kit (JDK)](/java/azure/jdk/), version 17. +- [IntelliJ IDEA](https://www.jetbrains.com/idea/). +- [Azure Toolkit for IntelliJ](/azure/developer/java/toolkit-for-intellij/install-toolkit). ++### [Visual Studio Code](#tab/visual-studio-code) ++- An Azure subscription. [!INCLUDE [quickstarts-free-trial-note](../../../includes/quickstarts-free-trial-note.md)] +- If you're deploying an Azure Spring Apps Enterprise plan instance for the first time in the target subscription, see the [Requirements](./how-to-enterprise-marketplace-offer.md#requirements) section of [Enterprise plan in Azure Marketplace](./how-to-enterprise-marketplace-offer.md). +- [Java Development Kit (JDK)](/java/azure/jdk/), version 17. +- [Visual Studio Code](https://code.visualstudio.com/). ++++++++++++++## 5. Validate the app ++This section describes how to validate your application. +++### [Azure portal](#tab/Azure-portal) ++After the deployment finishes, find the application URL from the deployment outputs. Use the following steps to validate: ++1. Access the application URL from the **Outputs** page of the **Deployment**. When you open the app, you get the response `Hello World`. ++ :::image type="content" source="media/quickstart/hello-app-url.png" alt-text="Screenshot of the Azure portal that shows the Outputs page of the Deployment." border="false" lightbox="media/quickstart/hello-app-url.png"::: ++1. Check the details for each resource deployment, which are useful for investigating any deployment issues. ++### [Azure portal + Maven plugin](#tab/Azure-portal-maven-plugin) ++After the deployment finishes, access the application with the output application URL. Use the following steps to check the app's logs to investigate any deployment issue: ++1. Access the output application URL from the **Outputs** page of the **Deployment**. When you open the app, you get the response `Hello World`. ++ :::image type="content" source="media/quickstart/hello-app-url.png" alt-text="Screenshot of the Azure portal that shows the Outputs page of the Deployment." border="false" lightbox="media/quickstart/hello-app-url.png"::: ++1. From the navigation pane of the Azure Spring Apps instance **Overview** page, select **Logs** to check the app's logs. ++ :::image type="content" source="media/quickstart/logs.png" alt-text="Screenshot of the Azure portal that shows the Azure Spring Apps Logs page." lightbox="media/quickstart/logs.png"::: ++### [Azure Developer CLI](#tab/Azure-Developer-CLI) ++After the deployment finishes, access the application with the output endpoint. When you open the app, you get the response `Hello World`. ++++++### [Azure portal](#tab/Azure-portal) ++After the deployment finishes, use the following steps to find the application URL from the deployment outputs: ++1. Access the application URL from the **Outputs** page of the **Deployment**. When you open the app, you get the response `Hello World`. ++ :::image type="content" source="media/quickstart/hello-app-url.png" alt-text="Screenshot of the Azure portal that shows the Outputs page of the Deployment." border="false" lightbox="media/quickstart/hello-app-url.png"::: ++1. Check the details for each resource deployment, which are useful for investigating any deployment issues. ++### [Azure portal + Maven plugin](#tab/Azure-portal-maven-plugin) ++After the deployment finishes, use the following steps to check the app's logs to investigate any deployment issue: ++1. Access the application URL from the **Outputs** page of the **Deployment**. When you open the app, you get the response `Hello World`. ++ :::image type="content" source="media/quickstart/hello-app-url.png" alt-text="Screenshot of the Azure portal that shows the Outputs page of the Deployment." border="false" lightbox="media/quickstart/hello-app-url.png"::: ++1. From the navigation pane of the Azure Spring Apps instance overview page, select **Logs** to check the app's logs. ++ :::image type="content" source="media/quickstart/logs.png" alt-text="Screenshot of the Azure portal that shows the Azure Spring Apps Logs page." lightbox="media/quickstart/logs.png"::: ++### [Azure Developer CLI](#tab/Azure-Developer-CLI) ++After the deployment finishes, access the application with the output endpoint. When you open the app, you get the response `Hello World`. ++++++### [Azure portal](#tab/Azure-portal-ent) ++After the deployment finishes, use the following steps to find the application URL from the deployment outputs: ++1. Access the application URL from the **Outputs** page of the **Deployment**. When you open the app, you get the response `Hello World`. ++ :::image type="content" source="media/quickstart/hello-app-url.png" alt-text="Screenshot of the Azure portal that shows the Outputs page of the Deployment." border="false" lightbox="media/quickstart/hello-app-url.png"::: ++1. Check the details for each resource deployment, which are useful for investigating any deployment issues. ++### [Azure portal + Maven plugin](#tab/Azure-portal-maven-plugin-ent) ++After the deployment finishes, use the following steps to validate the app: ++1. Access the application URL. When you open the app, you get the response `Hello World`. ++1. Check the console logs, which are useful for investigating any deployment issues. ++### [Azure CLI](#tab/Azure-CLI) ++After the deployment finishes, use the following steps to check the app's logs to investigate any deployment issue: ++1. Access the application with the output application URL. When you open the app, you get the response `Hello World`. ++1. Use the following command to check the app's log to investigate any deployment issue: ++ ```azurecli + az spring app logs \ + --service ${SERVICE_NAME} \ + --name ${APP_NAME} + ``` ++### [IntelliJ](#tab/IntelliJ) ++Use the following steps to stream your application logs: ++1. Access the application with the output application URL. When you open the app, you get the response `Hello World`. ++1. Open the **Azure Explorer** window, expand the node **Azure**, expand the service node **Azure Spring Apps**, expand the Azure Spring Apps instance you created, and then select the **demo** instance of the app you created. ++1. Right-click and select **Start Streaming Logs**, then select **OK** to see real-time application logs. ++ :::image type="content" source="media/quickstart/app-stream-log.png" alt-text="Screenshot of IntelliJ that shows the Azure Streaming Log." lightbox="media/quickstart/app-stream-log.png"::: ++### [Visual Studio Code](#tab/visual-studio-code) ++Use the following steps to stream your application logs: ++1. Access the application with the output application URL. When you open the app, you get the response `Hello World`. ++1. Follow the steps in the [Stream your application logs](https://code.visualstudio.com/docs/java/java-spring-apps#_stream-your-application-logs) section of [Java on Azure Spring Apps](https://code.visualstudio.com/docs/java/java-spring-apps). ++++++## 7. Next steps ++> [!div class="nextstepaction"] +> [Structured application log for Azure Spring Apps](./structured-app-log.md) ++> [!div class="nextstepaction"] +> [Map an existing custom domain to Azure Spring Apps](./how-to-custom-domain.md) ++> [!div class="nextstepaction"] +> [Use Azure Spring Apps CI/CD with GitHub Actions](./how-to-github-actions.md) ++> [!div class="nextstepaction"] +> [Automate application deployments to Azure Spring Apps](./how-to-cicd.md) ++> [!div class="nextstepaction"] +> [Use managed identities for applications in Azure Spring Apps](./how-to-use-managed-identities.md) ++> [!div class="nextstepaction"] +> [Quickstart: Create a service connection in Azure Spring Apps with the Azure CLI](../../service-connector/quickstart-cli-spring-cloud-connection.md) +++> [!div class="nextstepaction"] +> [Introduction to the sample app](./quickstart-sample-app-introduction.md) ++++> [!div class="nextstepaction"] +> [Introduction to the Fitness Store sample app](./quickstart-sample-app-acme-fitness-store-introduction.md) +++For more information, see the following articles: ++- [Azure Spring Apps Samples](https://github.com/Azure-Samples/azure-spring-apps-samples). +- [Azure for Spring developers](/azure/developer/java/spring/) +- [Spring Cloud Azure documentation](/azure/developer/java/spring-framework/) |
spring-apps | Quotas | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/quotas.md | + + Title: Service plans and quotas for Azure Spring Apps +description: Learn about service quotas and service plans for Azure Spring Apps. +++ Last updated : 05/15/2023+++++# Quotas and service plans for Azure Spring Apps ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Java ✔️ C# ++**This article applies to:** ✔️ Standard consumption and dedicated (Preview) ✔️ Basic/Standard ✔️ Enterprise ++All Azure services set default limits and quotas for resources and features. Azure Spring Apps offers four pricing plans: Basic, Standard, Enterprise, and Standard consumption. ++## Azure Spring Apps service plans and limits ++The following table defines limits for the pricing plans in Azure Spring Apps. ++| Resource | Scope | Basic | Standard | Enterprise | Standard consumption | Standard dedicated | +|-|-|--|-|-|-|-| +| vCPU | per app instance | 1 | 4 | 8 | 4 | based on workload profile (for example, 16 in D16) | +| Memory | per app instance | 2 GB | 8 GB | 32 GB | 8 GB | based on workload profile (for example, 128GB in E16) | +| Azure Spring Apps service instances | per region per subscription | 10 | 10 | 10 | 10 | 10 | +| Total app instances | per Azure Spring Apps service instance | 25 | 500 | 1000 | 400 | 1000 | +| Custom Domains for app | per Azure Spring Apps service instance | 0 | 500 | 500 | 500 | 500 | +| Custom Domains for app | per app instance | 0 | 5 | 5 | 5 | 5 | +| Custom Domains for Tanzu Component | per Tanzu Component | N/A | N/A | 5 | N/A | N/A | +| Persistent volumes | per Azure Spring Apps service instance | 1 GB/app x 10 apps | 50 GB/app x 10 apps | 50 GB/app x 10 apps | Not applicable | Not applicable | +| Inbound Public Endpoints | per Azure Spring Apps service instance | 10 <sup>1</sup> | 10 <sup>1</sup> | 10 <sup>1</sup> | 10 <sup>1</sup> | 10 <sup>1</sup> | +| Outbound Public IPs | per Azure Spring Apps service instance | 1 <sup>2</sup> | 2 <sup>2</sup> <br> 1 if using VNet<sup>2</sup> | 2 <sup>2</sup> <br> 1 if using VNet<sup>2</sup> | 2 <sup>2</sup> <br> 1 if using VNet<sup>2</sup> | 2 <sup>2</sup> <br> 1 if using VNet<sup>2</sup> | +| User-assigned managed identities | per app instance | 20 | 20 | 20 | Not available during preview | Not available during preview | +| Requests per second/Throughput | per Azure Spring Apps service instance | 5000 <sup>3</sup> | 10000 <sup>3</sup> | 20000 <sup>3</sup> | Not applicable | Not applicable | ++<sup>1</sup> You can increase this limit via support request to a maximum of 1 per app. ++<sup>2</sup> You can increase this limit via support request to a maximum of 10. ++<sup>3</sup> This limit only applies to customers without an Enterprise Agreement subscription. You can increase this limit based on your workload size via raising a support ticket. For customers with an Enterprise Agreement subscription, Azure Spring Apps automatically adjusts underlying resource to support application traffic. ++> [!TIP] +> Limits listed apply for apps and deployments in any state, including apps in a stopped state. These limits include total app instances and per service instances. Be sure to delete apps and deployments that aren't being used. ++## Next steps ++Some default limits can be increased. For more information, see [create a support request](../../azure-portal/supportability/how-to-create-azure-support-request.md). |
spring-apps | Resources | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/resources.md | + + Title: Resources for Azure Spring Apps | Microsoft Docs +description: Azure Spring Apps resource list +++ Last updated : 09/08/2020+++++# Azure Spring Apps developer resources ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Java ✔️ C# ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++As a developer, you might find the following Azure Spring Apps resources useful: ++* [Azure roadmap](https://azure.microsoft.com/updates) +* [Frequently asked questions](./faq.md) +* [Troubleshooting guide](./troubleshoot.md) +* [Microsoft Q&A question page](/answers/topics/azure-spring-cloud.html) +* [Service Registry with Spring Cloud Services](https://docs.vmware.com/en/Spring-Cloud-Services-for-VMware-Tanzu/3.1/spring-cloud-services/GUID-service-registry-https://docsupdatetracker.net/index.html) +* [Steeltoe](https://steeltoe.io/) +* [Spring](https://spring.io/) +* [Spring Cloud Azure](https://spring.io/projects/spring-cloud-azure) +* [Spring on Azure](/azure/developer/java/spring-framework/) |
spring-apps | Secure Communications End To End | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/secure-communications-end-to-end.md | + + Title: Secure communications end-to-end for Spring Boot apps in a Zero Trust environment ++description: Describes how to secure communications end-to-end or terminate transport-level security at any communication point for Spring Boot apps. +++ Last updated : 08/15/2022+++++# Secure communications end-to-end for Spring Boot apps in a Zero Trust environment ++This article describes how to secure communications end-to-end for Spring Boot apps in a Zero Trust environment. You can secure communications end-to-end or terminate transport-level security at any communication point for Spring Boot apps. You can also automate the provisioning and configuration for all the Azure resources needed for securing communications. ++Implementing secure communications as part of your solution architecture can be challenging. Many customers manually rotate their certificates or create their own solutions to automate provisioning and configuration. Even then, there's still data exfiltration risk, such as unauthorized copying or transfer of data from server systems. With Azure Spring Apps, these details are handled for you. Azure Spring Apps abstracts away most of the complexity, leaving secure communications as configurable and automatable options in the service. ++## Secure internet communications ++The TLS/SSL protocol establishes identity and trust, and encrypts communications of all types. TLS/SSL makes secure communications possible, particularly web traffic carrying commerce and customer data. ++You can use any type of TLS/SSL certificate. For example, you can use certificates issued by a certificate authority, extended validation certificates, wildcard certificates with support for any number of subdomains, or self-signed certificates for dev and testing environments. ++## Load certificates security with Zero Trust ++Zero Trust is based on the principle of "never trust, always verify, and credential-free". Zero Trust helps to secure all communications by eliminating unknown and unmanaged certificates. Zero Trust involves trusting only certificates that are shared by verifying identity prior to granting access to those certificates. For more information, see the [Zero Trust Guidance Center](/security/zero-trust/). ++To securely load certificates from [Azure Key Vault](../../key-vault/index.yml), Spring Boot apps use [managed identities](/entra/identity/managed-identities-azure-resources/overview) and [Azure role-based access control (RBAC)](../../role-based-access-control/index.yml). Azure Spring Apps uses a provider [service principal](/entra/identity-platform/app-objects-and-service-principals#service-principal-object) and Azure role-based access control. This secure loading is powered using the Azure Key Vault Java Cryptography Architecture (JCA) Provider. For more information, see [Azure Key Vault JCA client library for Java](https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/keyvault/azure-security-keyvault-jca). ++With Azure Key Vault, you control the storage and distribution of certificates to reduce accidental leakage. Applications and services can securely access certificates. Key Vault uses Azure role-based access control to lock down access to only those requiring access, such as an admin, but also apps, using the principle of least privilege. Applications and services authenticate and authorize, using Microsoft Entra ID and Azure role-based access control, to access certificates. You can monitor the access and use of certificates in Key Vault through its full audit trail. ++## Secure communications end-to-end or terminate TLS at any point ++As illustrated in the diagram below, there are several segments of communications through the following components: ++- Network access points such as Azure Front Door +- Azure App Gateway +- F5 BIG-IP Local Traffic Manager +- Azure API Management +- Apigee API Management Spring Boot apps and Backend systems such as databases, messaging and eventing systems, and app cache. ++You can secure communications end-to-end or terminate transport-level security at any communication point for Spring Boot apps. +++The following sections describe this architecture in more detail. ++### Segment 1: Secure communications into Azure Spring Apps ++The first segment (segment 1 in the diagram) represents communications from consumers to the ingress controller in Azure Spring Apps. These consumers include browsers, mobile phones, desktops, kiosks, or network access points like Azure Front Door, Azure App Gateway, F5 BIG-IP Local Traffic Manager, Azure API Management, and Apigee API Management. ++By default, this segment is secured using a Microsoft-supplied TLS/SSL certificate for the `*.azuremicroservices.io` domain. You can apply your own TLS/SSL certificate in Azure Key Vault by binding a custom domain to your app in Azure Spring Apps. No code is necessary. For more information, see [Tutorial: Map an existing custom domain to Azure Spring Apps](how-to-custom-domain.md). ++### Segment 2: Secure communications from ingress controller to apps ++The next segment (segment 2 in the diagram) represents communications from the Azure Spring Apps ingress controller to any app on Azure Spring Apps. You can enable TLS/SSL to secure traffic from the ingress controller to an app that supports HTTPS. For more information, see [Enable ingress-to-app TLS for an application](how-to-enable-ingress-to-app-tls.md). ++A Spring Boot app can use Spring's approach to enable HTTPS, or the app can secure communications by using the Azure Key Vault Certificates Spring Boot Starter. For more information, see [Tutorial: Secure Spring Boot apps using Azure Key Vault certificates](/azure/developer/java/spring-framework/configure-spring-boot-starter-java-app-with-azure-key-vault-certificates). ++You need the following three configuration steps to secure communications using a TLS/SSL certificate from an Azure Key Vault. No code is necessary. ++1. Include the following Azure Key Vault Certificates Spring Boot Starter dependency in your *pom.xml* file: ++ ```xml + <dependency> + <groupId>com.azure.spring</groupId> + <artifactId>azure-spring-boot-starter-keyvault-certificates</artifactId> + </dependency> + ``` ++1. Add the following properties to configure an app to load a TLS/SSL certificate from Azure Key Vault. Be sure to specify the URI of the Azure Key Vault and the certificate name. ++ ```properties + azure: + keyvault: + uri: ${KEY_VAULT_URI} + + server: + ssl: + key-alias: ${SERVER_SSL_CERTIFICATE_NAME} + key-store-type: AzureKeyVault + ``` ++1. Enable the app's managed identity, and then grant the managed identity with "Get" and "List" access to the Azure Key Vault. For more information, see [Enable system-assigned managed identity for an application in Azure Spring Apps](how-to-enable-system-assigned-managed-identity.md) and [Certificate Access Control](../../key-vault/certificates/certificate-access-control.md). ++### Segment 3: Secure communications from app to managed middleware ++The next segment (segment 3 in the diagram) represents communications from any app to the managed Spring Cloud Config Server and Spring Cloud Service Registry in Azure Spring Apps. By default, this segment is secured using a Microsoft-supplied TLS/SSL certificate. ++### Segment 4: Secure app to app communications ++The next segment (segment 4 in the diagram) represents communications between an app to another app in Azure Spring Apps. You can use the Azure Key Vault Certificates Spring Boot Starter to configure the caller app to trust the TLS/SSL certificate supplied by an HTTPS-enabled called app. The receiver Spring Boot app can use Spring's approach to enable HTTPS, or the app can secure communications by using the Azure Key Vault Certificates Spring Boot Starter. For more information, see [Tutorial: Secure Spring Boot apps using Azure Key Vault certificates](/azure/developer/java/spring-framework/configure-spring-boot-starter-java-app-with-azure-key-vault-certificates). ++### Segment 5: Secure app to external system communications ++The next segment (segment 5 in the diagram) represents communications between an app running in Azure Spring Apps and external systems. You can use the Azure Key Vault Certificates Spring Boot Starter to configure the app running in Azure Spring Apps to trust the TLS/SSL certificate supplied by any external systems. For more information, see [Tutorial: Secure Spring Boot apps using Azure Key Vault certificates](/azure/developer/java/spring-framework/configure-spring-boot-starter-java-app-with-azure-key-vault-certificates). ++### Implicitly load TLS/SSL certificates from Key Vault into an app ++If your Spring code, Java code, or open-source libraries, such as OpenSSL, rely on the JVM default JCA chain to implicitly load certificates into the JVM's trust store, then you can import your TLS/SSL certificates from Key Vault into Azure Spring Apps and use those certificates within the app. For more information, see [Use TLS/SSL certificates in your application in Azure Spring Apps](how-to-use-tls-certificate.md). ++### Upload well known public TLS/SSL certificates for backend systems ++For an app to communicate to backend services in the cloud or in on-premises systems, it may require the use of public TLS/SSL certificates to secure communication. You can upload those TLS/SSL certificates for securing outbound communications. For more information, see [Use TLS/SSL certificates in your application in Azure Spring Apps](how-to-use-tls-certificate.md). ++### Automate provisioning and configuration for securing communications ++Using an ARM Template, Bicep, or Terraform, you can automate the provisioning and configuration of all the Azure resources mentioned above for securing communications. ++## Build your solutions and secure communications ++Azure Spring Apps is a fully managed service for Spring Boot applications. Azure Spring Apps abstracts away the complexity of infrastructure and Spring Cloud middleware management from users. You can focus on building your business logic and let Azure take care of dynamic scaling, patches, security, compliance, and high availability. With a few steps, you can provision Azure Spring Apps, create applications, deploy, and scale Spring Boot applications, and start securing communications in minutes. ++Azure Spring Apps is jointly built, operated, and supported by Microsoft and VMware. ++## Next steps ++- [Deploy Spring microservices to Azure](/training/modules/azure-spring-cloud-workshop/) +- [Azure Key Vault Certificates Spring Cloud Azure Starter (GitHub.com)](https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/spring/spring-cloud-azure-starter-keyvault-certificates/pom.xml) +- [Azure Spring Apps architecture design](/azure/architecture/web-apps/spring-apps?toc=/azure/spring-apps/toc.json&bc=/azure/spring-apps/breadcrumb/toc.json) +- Migrate your [Spring Boot](/azure/developer/java/migration/migrate-spring-boot-to-azure-spring-apps), [Spring Cloud](/azure/developer/java/migration/migrate-spring-cloud-to-azure-spring-apps), and [Tomcat](/azure/developer/java/migration/migrate-tomcat-to-azure-spring-apps) applications to Azure Spring Apps |
spring-apps | Security Controls Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/security-controls-policy.md | + + Title: Azure Policy Regulatory Compliance controls for Azure Spring Apps +description: Lists Azure Policy Regulatory Compliance controls available for Azure Spring Apps. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Last updated : 01/22/2024+++++++# Azure Policy Regulatory Compliance controls for Azure Spring Apps ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++[Regulatory Compliance in Azure Policy](../../governance/policy/concepts/regulatory-compliance.md) +provides Microsoft created and managed initiative definitions, known as _built-ins_, for the +**compliance domains** and **security controls** related to different compliance standards. This +page lists the **compliance domains** and **security controls** for Azure Spring Apps. You can +assign the built-ins for a **security control** individually to help make your Azure resources +compliant with the specific standard. ++++## Next steps ++- Learn more about [Azure Policy Regulatory Compliance](../../governance/policy/concepts/regulatory-compliance.md). +- See the built-ins on the [Azure Policy GitHub repo](https://github.com/Azure/azure-policy). |
spring-apps | Structured App Log | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/structured-app-log.md | + + Title: Structured application log for Azure Spring Apps | Microsoft Docs +description: This article explains how to generate and collect structured application log data in Azure Spring Apps. +++ Last updated : 02/05/2021+++++# Structured application log for Azure Spring Apps ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article explains how to generate and collect structured application log data in Azure Spring Apps. With proper configuration, Azure Spring Apps provides useful application log query and analysis through Log Analytics. ++## Log schema requirements ++To improve log query experience, an application log is required to be in JSON format and conform to a schema. Azure Spring Apps uses this schema to parse your application and stream to Log Analytics. ++> [!NOTE] +> Enabling the JSON log format makes it difficult to read the log streaming output from console. To get human readable output, append the `--format-json` argument to the `az spring app logs` CLI command. See [Format JSON structured logs](./how-to-log-streaming.md#format-json-structured-logs). ++**JSON schema requirements:** ++| Json Key | Json value Type| Required | Column in Log Analytics| Description | +| --| |--|--|--| +| timestamp | string | Yes | AppTimestamp | timestamp in UTC format | +| logger | string | No | Logger | logger | +| level | string | No | CustomLevel | log level | +| thread | string | No | Thread | thread | +| message | string | No | Message | log message | +| stackTrace | string | No | StackTrace | exception stack trace | +| exceptionClass| string | No | ExceptionClass | exception class name | +| mdc | nested JSON | No | | mapped diagnostic context| +| mdc.traceId | string | No | TraceId |trace ID for distributed tracing| +| mdc.spanId | string | No | SpanId |span ID for distributed tracing | +| | | | | | ++* The "timestamp" field is required, and should be in UTC format, all other fields are optional. +* "traceId" and "spanId" in "mdc" field are used for tracing purpose. +* Log each JSON record in one line. ++**Log record sample** ++```log +{"timestamp":"2021-01-08T09:23:51.280Z","logger":"com.example.demo.HelloController","level":"ERROR","thread":"http-nio-1456-exec-4","mdc":{"traceId":"c84f8a897041f634","spanId":"c84f8a897041f634"},"stackTrace":"java.lang.RuntimeException: get an exception\r\n\tat com.example.demo.HelloController.throwEx(HelloController.java:54)\r\n\","message":"Got an exception","exceptionClass":"RuntimeException"} +``` ++## Limitations ++Each line of the JSON logs has at most 16 K bytes. If the JSON output of a single log record exceeds this limit, it's broken into multiple lines, and each raw line is collected into the `Log` column without being parsed structurally. ++Generally, this situation happens on exception logging with deep stacktrace, especially when the [AppInsights In-Process Agent](./how-to-application-insights.md) is enabled. Apply limit settings to the stacktrace output (see the below configuration samples) to ensure the final output gets parsed properly. ++## Generate schema-compliant JSON log ++For Spring applications, you can generate expected JSON log format using common [logging frameworks](https://docs.spring.io/spring-boot/docs/2.7.9/reference/html/features.html#features.logging.custom-log-configuration), such as [Logback](http://logback.qos.ch/) and [Log4j2](https://logging.apache.org/log4j/2.x/). ++### Log with logback ++When using Spring Boot starters, Logback is used by default. For Logback apps, use [logstash-encoder](https://github.com/logstash/logstash-logback-encoder) to generate JSON formatted log. This method is supported in Spring Boot version 2.1 or later. ++The procedure: ++1. Add logstash dependency in your `pom.xml` file. ++ ```xml + <dependency> + <groupId>net.logstash.logback</groupId> + <artifactId>logstash-logback-encoder</artifactId> + <version>6.5</version> + </dependency> + ``` ++1. Update your `logback-spring.xml` config file to set the JSON format. ++ ```xml + <configuration> + <appender name="stdout" class="ch.qos.logback.core.ConsoleAppender"> + <encoder class="net.logstash.logback.encoder.LoggingEventCompositeJsonEncoder"> + <providers> + <timestamp> + <fieldName>timestamp</fieldName> + <timeZone>UTC</timeZone> + </timestamp> + <loggerName> + <fieldName>logger</fieldName> + </loggerName> + <logLevel> + <fieldName>level</fieldName> + </logLevel> + <threadName> + <fieldName>thread</fieldName> + </threadName> + <nestedField> + <fieldName>mdc</fieldName> + <providers> + <mdc /> + </providers> + </nestedField> + <stackTrace> + <fieldName>stackTrace</fieldName> + <!-- maxLength - limit the length of the stack trace --> + <throwableConverter class="net.logstash.logback.stacktrace.ShortenedThrowableConverter"> + <maxDepthPerThrowable>200</maxDepthPerThrowable> + <maxLength>14000</maxLength> + <rootCauseFirst>true</rootCauseFirst> + </throwableConverter> + </stackTrace> + <message /> + <throwableClassName> + <fieldName>exceptionClass</fieldName> + </throwableClassName> + </providers> + </encoder> + </appender> + <root level="info"> + <appender-ref ref="stdout" /> + </root> + </configuration> + ``` ++1. When using the logging configuration file with `-spring` suffix like `logback-spring.xml`, you can set the logging configuration based on the Spring active profile. ++ ```xml + <configuration> + <springProfile name="dev"> + <!-- JSON appender definitions for local development, in human readable format --> + <include resource="org/springframework/boot/logging/logback/defaults.xml" /> + <include resource="org/springframework/boot/logging/logback/console-appender.xml" /> + <root level="info"> + <appender-ref ref="CONSOLE" /> + </root> + </springProfile> ++ <springProfile name="!dev"> + <!-- JSON appender configuration from previous step, used for staging / production --> + ... + </springProfile> + </configuration> + ``` ++ For local development, run the Spring application with JVM argument `-Dspring.profiles.active=dev`, then you can see human readable logs instead of JSON formatted lines. ++### Log with log4j2 ++For log4j2 apps, use [json-template-layout](https://logging.apache.org/log4j/2.x/manual/json-template-layout.html) to generate JSON formatted log. This method is supported in Spring Boot version 2.1+. ++The procedure: ++1. Exclude `spring-boot-starter-logging` from `spring-boot-starter`, add dependencies `spring-boot-starter-log4j2`, `log4j-layout-template-json` in your `pom.xml` file. ++ ```xml + <dependency> + <groupId>org.springframework.boot</groupId> + <artifactId>spring-boot-starter-web</artifactId> + <exclusions> + <exclusion> + <groupId>org.springframework.boot</groupId> + <artifactId>spring-boot-starter-logging</artifactId> + </exclusion> + </exclusions> + </dependency> + <dependency> + <groupId>org.springframework.boot</groupId> + <artifactId>spring-boot-starter-log4j2</artifactId> + </dependency> + <dependency> + <groupId>org.apache.logging.log4j</groupId> + <artifactId>log4j-layout-template-json</artifactId> + <version>2.14.0</version> + </dependency> + ``` ++2. Prepare a JSON layout template file `jsonTemplate.json` in your class path. ++ ```json + { + "mdc": { + "$resolver": "mdc" + }, + "exceptionClass": { + "$resolver": "exception", + "field": "className" + }, + "stackTrace": { + "$resolver": "exception", + "field": "stackTrace", + "stringified": true + }, + "message": { + "$resolver": "message", + "stringified": true + }, + "thread": { + "$resolver": "thread", + "field": "name" + }, + "timestamp": { + "$resolver": "timestamp", + "pattern": { + "format": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'", + "timeZone": "UTC" + } + }, + "level": { + "$resolver": "level", + "field": "name" + }, + "logger": { + "$resolver": "logger", + "field": "name" + } + } + ``` ++3. Use this JSON layout template in your `log4j2-spring.xml` config file. ++ ```xml + <configuration> + <appenders> + <console name="Console" target="SYSTEM_OUT"> + <!-- maxStringLength - limit the length of the stack trace --> + <JsonTemplateLayout eventTemplateUri="classpath:jsonTemplate.json" maxStringLength="14000" /> + </console> + </appenders> + <loggers> + <root level="info"> + <appender-ref ref="Console" /> + </root> + </loggers> + </configuration> + ``` ++## Analyze the logs in Log Analytics ++After your application is properly set up, your application console log is streamed to Log Analytics. The structure enables efficient query in Log Analytics. ++### Check log structure in Log Analytics ++Use the following procedure: ++1. Go to service overview page of your service instance. +2. Select the **Logs** entry in the **Monitoring** section. +3. Run this query. ++ ```query + AppPlatformLogsforSpring + | where TimeGenerated > ago(1h) + | project AppTimestamp, Logger, CustomLevel, Thread, Message, ExceptionClass, StackTrace, TraceId, SpanId + ``` ++4. Application logs return as shown in the following image: ++ :::image type="content" source="media/structured-app-log/json-log-query.png" alt-text="Screenshot of the Azure portal showing the log Results pane." lightbox="media/structured-app-log/json-log-query.png"::: ++### Show log entries containing errors ++To review log entries that have an error, run the following query: ++```query +AppPlatformLogsforSpring +| where TimeGenerated > ago(1h) and CustomLevel == "ERROR" +| project AppTimestamp, Logger, ExceptionClass, StackTrace, Message, AppName +| sort by AppTimestamp +``` ++Use this query to find errors, or modify the query terms to find specific exception class or error code. ++### Show log entries for a specific traceId ++To review log entries for a specific tracing ID "trace_id", run the following query: ++```query +AppPlatformLogsforSpring +| where TimeGenerated > ago(1h) +| where TraceId == "trace_id" +| project AppTimestamp, Logger, TraceId, SpanId, StackTrace, Message, AppName +| sort by AppTimestamp +``` ++## Next steps ++* To learn more about the Log Query, see [Get started with log queries in Azure Monitor](../../azure-monitor/logs/get-started-queries.md) |
spring-apps | Tools To Troubleshoot Memory Issues | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/tools-to-troubleshoot-memory-issues.md | + + Title: Tools to troubleshoot memory issues ++description: Provides a list of tools for troubleshooting Java memory issues. ++++ Last updated : 07/15/2022++++# Tools to troubleshoot memory issues ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article describes various tools that are useful for troubleshooting Java memory issues. You can use these tools in many scenarios not limited to memory issues, but this article focuses only on the topic of memory. ++## Alerts and diagnostics ++The following sections describe resource health alerts and diagnostics available through the Azure portal. ++### Resource health ++You can monitor app lifecycle events and set up alerts with Azure Activity log and Azure Service Health. For more information, see [Monitor app lifecycle events using Azure Activity log and Azure Service Health](monitor-app-lifecycle-events.md). ++Resource health sends alerts about app restart events due to container out-of-memory (OOM) issues. For more information, see [App restart issues caused by out-of-memory issues](how-to-fix-app-restart-issues-caused-by-out-of-memory.md). ++The following screenshot shows an app resource health alert indicating an OOM issue. +++### Diagnose and solve problems ++Azure Spring Apps diagnostics is an interactive experience to troubleshoot your app without configuration. For more information, see [Self-diagnose and solve problems in Azure Spring Apps](how-to-self-diagnose-solve.md). ++In the Azure portal, you can find **Memory Usage** under **Diagnose and solve problems**, as shown in the following screenshot. +++**Memory Usage** provides a simple diagnosis for app memory usage, as shown in the following screenshot. +++### Metrics ++The following sections describe metrics that cover issues including high memory usage, heap memory that's too large, and abnormal garbage collection abnormal (too frequent or not frequent enough). For more information, see [Quickstart: Monitoring Azure Spring Apps apps with logs, metrics, and tracing](../basic-standard/quickstart-logs-metrics-tracing.md?pivots=programming-language-java). ++#### App memory usage ++App memory usage is a percentage equal to the app memory used divided by the app memory limit. This value shows the whole app memory. ++#### jvm.memory.used/committed/max ++For JVM memory, there are three metrics: `jvm.memory.used`, `jvm.memory.committed`, and `jvm.memory.max`, which are described in the following list. ++"JVM memory" isn't a clearly defined concept. Here, `jvm.memory` is the sum of [heap memory](concepts-for-java-memory-management.md#heap-memory) and former permGen part of [non-heap memory](concepts-for-java-memory-management.md#non-heap-memory). JVM memory doesn't include direct memory or other memory like the thread stack. Spring Boot Actuator gathers these three metrics and determines the scope of `jvm.memory`. ++- `jvm.memory.used` is the amount of used JVM memory, including used heap memory and used former permGen in non-heap memory. ++ `jvm.memory.used` is a major reflection of the change of heap memory, because the former permGen part is usually stable. ++ If you find `jvm.memory.used` too large, consider setting a smaller maximum heap memory size. ++- `jvm.memory.committed` is the amount of memory committed for the JVM to use. The size of `jvm.memory.committed` is basically the limit of usable JVM memory. ++- `jvm.memory.max` is the maximum amount of JVM memory, not to be confused with the real available amount. ++ The value of `jvm.memory.max` can sometimes be confusing because it can be much higher than the available app memory. To clarify, `jvm.memory.max` is the sum of all maximum sizes of heap memory and the former permGen part of [non-heap memory](concepts-for-java-memory-management.md#non-heap-memory), regardless of the real available memory. For example, if an app is set with 1 GB of memory in the Azure Spring Apps portal, then the default heap memory size is 0.5 GB. For more information, see the [Default maximum heap size](concepts-for-java-memory-management.md#default-maximum-heap-size) section of [Java memory management](concepts-for-java-memory-management.md). ++ If the default *compressed class space* size is 1 GB, then the value of `jvm.memory.max` is larger than 1.5 GB regardless of whether the app memory size 1 GB. For more information, see [Java Platform, Standard Edition HotSpot Virtual Machine Garbage Collection Tuning Guide: Other Considerations](https://docs.oracle.com/javase/9/gctuning/other-considerations.htm) in the Oracle documentation. ++#### jvm.gc.memory.allocated/promoted ++These two metrics are for observing Java garbage collection (GC). For more information, see the [Java garbage collection](concepts-for-java-memory-management.md#java-garbage-collection) section of [Java memory management](concepts-for-java-memory-management.md). The maximum heap size influences the frequency of minor GC and full GC. The maximum metaspace and maximum direct memory size influence full GC. If you want to adjust the frequency of garbage collection, consider modifying the following maximum memory sizes. ++- `jvm.gc.memory.allocated` is the amount of increase in the size of the young generation memory pool after one GC and before the next. This value reflects minor GC. ++- `jvm.gc.memory.promoted` is the amount of increase in the size of the old generation memory pool after GC. This value reflects full GC. ++You can find this feature on the Azure portal, as shown in the following screenshot. You can choose specific metrics and add filters for a specific app, deployment, or instance. You can also apply splitting. +++## Further debugging ++For further debugging, you can manually capture heap dumps and thread dumps, and use Java Flight Recorder (JFR). For more information, see [Capture heap dump and thread dump manually and use Java Flight Recorder in Azure Spring Apps](how-to-capture-dumps.md). ++Heap dumps record the state of the Java heap memory. Thread dumps record the stacks of all live threads. These tools are available through the Azure CLI and on the app page of the Azure portal, as shown in the following screenshot. +++For more information, see [Capture heap dump and thread dump manually and use Java Flight Recorder in Azure Spring Apps](how-to-capture-dumps.md). You can also use third party tools like [Memory Analyzer](https://www.eclipse.org/mat/) to analyze heap dumps. ++## Modify configurations to fix problems ++Some issues you might identify include [container OOM](how-to-fix-app-restart-issues-caused-by-out-of-memory.md#fix-app-restart-issues-due-to-oom), heap memory that's too large, and abnormal garbage collection. If you identify any of these issues, you may need to configure the maximum memory size in the JVM options. For more information, see the [Important JVM options](concepts-for-java-memory-management.md#important-jvm-options) section of [Java memory management](concepts-for-java-memory-management.md#important-jvm-options). ++You can modify the JVM options by using the Azure portal or the Azure CLI. ++### [Azure portal](#tab/azure-portal) ++In the Azure portal, navigate to your app, then select **Configuration** from the **Settings** section of the navigation menu. On the **General Settings** tab, update the **JVM options** field, as shown in the following screenshot: +++### [Azure CLI](#tab/azure-cli) ++Use the following command to update the JVM options for your app. Be sure to replace the placeholders with your actual values. For example, you can replace the *`<jvm-options>`* placeholder with a value such as `-Xms1024m -Xmx1536m`. ++```azurecli +az spring app update \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --app <app-name> \ + --deployment <deployment-name> \ + --jvm-options <jvm-options> \ +``` ++++## See also ++- [Java memory management](concepts-for-java-memory-management.md) +- [App restart issues caused by out-of-memory issues](how-to-fix-app-restart-issues-caused-by-out-of-memory.md) |
spring-apps | Troubleshoot Build Exit Code | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/troubleshoot-build-exit-code.md | + + Title: Troubleshoot common build issues in Azure Spring Apps +description: Learn how to troubleshoot common build issues in Azure Spring Apps. +++ Last updated : 10/24/2022+++++# Troubleshoot common build issues in Azure Spring Apps ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ❌ Basic/Standard ✔️ Enterprise ++This article describes how to troubleshoot build issues with your Azure Spring Apps deployment. ++## Build exit codes ++The Azure Spring Apps Enterprise plan uses Tanzu Buildpacks to transform your application source code into images. For more information, see [Tanzu Buildpacks](https://docs.vmware.com/en/VMware-Tanzu-Buildpacks/https://docsupdatetracker.net/index.html). ++When you deploy your app in Azure Spring Apps using the [Azure CLI](/cli/azure/install-azure-cli), you see a build log in the Azure CLI console. If the build fails, Azure Spring Apps displays an exit code and error message in the CLI console indicating why the buildpack execution failed during different phases of the buildpack [lifecycle](https://buildpacks.io/docs/concepts/components/lifecycle/). ++The following list describes some common exit codes: ++- **20** - All buildpack groups have failed to detect. + + Consider the following possible causes of an exit code of *20*: ++ - The builder you're using doesn't support the language your project used. ++ If you're using the default builder, check the language the default builder supports. For more information, see the [Supported APM types](how-to-enterprise-configure-apm-integration-and-ca-certificates.md#supported-apm-types) section of [How to configure APM integration and CA certificates](how-to-enterprise-configure-apm-integration-and-ca-certificates.md). ++ If you're using the custom builder, check whether your custom builder's buildpack supports the language your project used. ++ - You're running against the wrong path; for example, your Maven project's *pom.xml* file isn't in the root path. ++ Set `BP_MAVEN_POM_FILE` to specify the location of the project's *pom.xml* file. ++ - There's something wrong with your application; for example, your *.jar* file doesn't have a */META-INF/MANIFEST.MF* file that contains a `Main-Class` entry. ++- **51** - Buildpack build error. + + Consider the following possible causes of an exit code of *51*: ++ - If Azure Spring Apps displays the error message `Build failed in stage build with reason OOMKilled` in the Azure CLI console, the build failed due to insufficient memory. ++ Use the following command to increase memory using the `build-memory` environment variable: ++ ```azurecli + az spring app deploy \ + --resource-group <your-resource-group-name> \ + --service <your-Azure-Spring-Apps-name> \ + --name <your-app-name> \ + --build-memory 3Gi + ``` ++ - The build failed because of an application source code error; for example, there's a compilation error in your source code. + + Check the build log to find the root cause. ++ - The build failed because of a download dependency error; for example, a network issue caused the Maven dependency download to fail. ++ - The build failed because of an unsupported JDK version. For example, the JAR file has been compiled using non-Java LTS versions, which are not supported by the buildpack. For supported versions, see the [Deploy Java applications](how-to-enterprise-deploy-polyglot-apps.md#deploy-java-applications) section of [How to deploy polyglot apps in the Azure Spring Apps Enterprise plan](how-to-enterprise-deploy-polyglot-apps.md). ++- **62** - Failed to write image to Azure Container Registry. + + Consider the following possible cause of an exit code of *62*: ++ - If Azure Spring Apps displays the error message `Failed to write image to the following tags` in the build log, the build failed because of a network issue. ++ Retry to fix the issue. ++ If your application is a static file or dynamic front-end application served by a web server, see the [Common build and deployment errors](how-to-enterprise-deploy-static-file.md#common-build-and-deployment-errors) section of [Deploy web static files](how-to-enterprise-deploy-static-file.md). ++## Next steps ++- [Troubleshoot common Azure Spring Apps issues](./troubleshoot.md) |
spring-apps | Troubleshoot Exit Code | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/troubleshoot-exit-code.md | + + Title: Troubleshoot common exit code issues in Azure Spring Apps +description: Describes how to troubleshoot common exit codes in Azure Spring Apps +++ Last updated : 08/24/2022+++++# Troubleshoot common exit code issues in Azure Spring Apps ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Enterprise ✔️ Basic/Standard ++This article describes troubleshooting actions you can take when your application in Azure Spring Apps exits with an error code. You may receive an error code if your application deployment is unsuccessful, or if the application exits when it's running. ++## Exit codes ++The exit code indicates the reason the application terminated. The following list describes some common exit codes: ++- **0** - The application exited because it ran to completion. Update your server application so that it runs continuously. + + Deployed Azure apps in Azure Spring Apps should offer services continuously. An exit code of *0* indicates that the application isn't running continuously. Check your logs and source code. ++- **1** - If the application exits with a non-zero exit code, debug the code and related services, and then deploy the application again. + + Consider the following possible causes of a non-zero exit code: ++ - There's something wrong with your Spring Boot configuration. ++ For example, you need a *spring.db.url* parameter to connect to the database, but it's not found in your configuration file. ++ - You're disconnected from a third-party service. + + For example, you need to connect to a Redis service, but the service isn't working or available. + + - You don't have sufficient access to a third-party service. ++ For example, you need to connect to Azure Key Vault to import certificates in your application, but your application doesn't have the necessary permissions to access it. ++ - If your application is a static file or dynamic front-end application served by a web server, see the [Common build and deployment errors](how-to-enterprise-deploy-static-file.md#common-build-and-deployment-errors) section of [Deploy web static files](how-to-enterprise-deploy-static-file.md). ++- **137** - The application is terminated immediately by the hosting platform with no grace period. This exit code can be the result of one of the following scenarios: ++ - When the liveness check fails, the hosting platform immediately kills the application after attempting to terminate it and waiting for a grace period. Ensure that your application handles graceful shutdown correctly. + - The application exited because of an out-of-memory error. The application requested resources that the hosting platform failed to provide. Update your application's Java Virtual Machine (JVM) parameters to restrict resource usage or to scale up application resources. ++ If the application is a Java application, check the JVM parameter values. They may exceed the memory limit of your application. ++ For example, suppose you set the *Xmx* JVM parameter to 10 GB, but the application is using up to 5 GB of memory. Decrease the *Xmx* value or increase the application memory to make sure that the value of the *Xmx* parameter is lower or equal to the memory limit of the application. ++- **143** - The application exited because it failed to respond to a health check due to an out-of-memory error or some other error. ++ This error code is most often generated by an out-of-memory error. For more information, see [App restart issues caused by out-of-memory issues](./how-to-fix-app-restart-issues-caused-by-out-of-memory.md). ++ You can also get details from the application log by using the Azure CLI [az spring app logs](/cli/azure/spring/app#az-spring-app-logs) command. For more information, see [Stream Azure Spring Apps application console logs in real time](./how-to-log-streaming.md). ++## Next steps ++- [Troubleshoot common Azure Spring Apps issues](./troubleshoot.md) |
spring-apps | Troubleshoot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/troubleshoot.md | + + Title: Troubleshooting guide for Azure Spring Apps | Microsoft Docs +description: Troubleshooting guide for Azure Spring Apps +++ Last updated : 09/08/2020+++++# Troubleshoot common Azure Spring Apps issues ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article provides instructions for troubleshooting Azure Spring Apps development issues. For more information, see [Azure Spring Apps FAQ](./faq.md). ++## Availability, performance, and application issues ++### My application can't start ++When your application can't start, you may find that its endpoint can't be connected or it returns a 502 after a few retries. ++For troubleshooting, export the logs to Azure Log Analytics. The table for Spring application logs is named *AppPlatformLogsforSpring*. To learn more, see [Analyze logs and metrics with diagnostics settings](diagnostic-services.md). ++The following error message might appear in your logs: `org.springframework.context.ApplicationContextException: Unable to start web server` ++The message indicates one of two likely problems: ++* One of the beans or one of its dependencies is missing. +* One of the bean properties is missing or invalid. In this case, "java.lang.IllegalArgumentException" is displayed. ++Service bindings might also cause application start failures. To query the logs, use keywords that are related to the bound services. For instance, let's assume that your application has a binding to a MySQL instance that's set to local system time. If the application fails to start, the following error message might appear in the log: ++> "java.sql.SQLException: The server time zone value 'Coordinated Universal Time' is unrecognized or represents more than one time zone." ++To fix this error, go to the `server parameters` of your MySQL instance, and change the `time_zone` value from *SYSTEM* to *+0:00*. ++### My application crashes or throws an unexpected error ++When you're debugging application crashes, start by checking the running status and discovery status of the application. To do so, go to **Apps** in the Azure portal to ensure that the statuses of all the applications are *Running* and *UP*. ++* If the status is *Running* but the discovery status isn't *UP*, go to the ["My application can't be registered"](#my-application-cant-be-registered) section. ++* If the discovery status is *UP*, go to Metrics to check the application's health. Inspect the following metrics: ++ * `tomcat.global.error`: ++ All Spring application exceptions are counted here. If this number is large, go to Azure Log Analytics to inspect your application logs. ++ * `jvm.memory.max`: ++ The maximum amount of memory available to the application. The amount might be undefined, or it might change over time if it's defined. If it's defined, the amount of used and committed memory is always less than or equal to max. However, a memory allocation might fail with an `OutOfMemoryError` message if the allocation attempts to increase the used memory such that *used > committed*, even if *used <= max* is still true. In such a situation, try to increase the maximum heap size by using the `-Xmx` parameter. ++ * `jvm.memory.used`: ++ The amount of memory in bytes that's currently used by the application. For a normal load Java application, this metric series forms a *sawtooth* pattern, where the memory usage steadily increases and decreases in small increments and suddenly drops a lot, and then the pattern recurs. This metric series occurs because of garbage collection inside Java virtual machine, where collection actions represent drops on the sawtooth pattern. ++ This metric is important to help identify memory issues, such as: ++ * A memory explosion at the very beginning. + * The surge memory allocation for a specific logic path. + * Gradual memory leaks. ++ For more information, see [Metrics](./concept-metrics.md). ++ > [!NOTE] + > These metrics are available only for Spring Boot applications. To enable these metrics, add the `spring-boot-starter-actuator` dependency. For more information, see the [Add actuator dependency](concept-manage-monitor-app-spring-boot-actuator.md#add-actuator-dependency) section of [Manage and monitor app with Spring Boot Actuator](concept-manage-monitor-app-spring-boot-actuator.md). ++* If the application fails to start, verify that the application has valid jvm parameters. If jvm memory is set too high, the following error message might appear in your logs: ++ > "required memory 2728741K is greater than 2000M available for allocation" ++To learn more about Azure Log Analytics, see [Get started with Log Analytics in Azure Monitor](../../azure-monitor/logs/log-analytics-tutorial.md). ++### My application experiences high CPU usage or high memory usage ++If your application experiences high CPU or memory usage, one of two things is true: ++* All the app instances experience high CPU or memory usage. +* Some of the app instances experience high CPU or memory usage. ++To ascertain which situation applies, use the following steps: ++1. Go to **Metrics**, and then select either **Service CPU Usage Percentage** or **Service Memory Used**. +2. Add an **App=** filter to specify which application you want to monitor. +3. Split the metrics by **Instance**. ++If *all instances* are experiencing high CPU or memory usage, you need to either scale out the application or scale up the CPU or memory usage. For more information, see [Tutorial: Scale an application in Azure Spring Apps](./how-to-scale-manual.md). ++If *some instances* are experiencing high CPU or memory usage, check the instance status and its discovery status. ++For more information, see [Metrics for Azure Spring Apps](./concept-metrics.md). ++If all instances are up and running, go to Azure Log Analytics to query your application logs and review your code logic. This review helps you see whether any of them might affect scale partitioning. For more information, see [Analyze logs and metrics with diagnostics settings](diagnostic-services.md). ++To learn more about Azure Log Analytics, see [Get started with Log Analytics in Azure Monitor](../../azure-monitor/logs/log-analytics-tutorial.md). Query the logs by using the [Kusto query language](/azure/kusto/query/). ++### Checklist for deploying your Spring application to Azure Spring Apps ++Before you onboard your application, ensure that it meets the following criteria: ++* The application can run locally with the specified Java runtime version. +* The environment config (CPU/RAM/Instances) meets the minimum requirement set by the application provider. +* The configuration items have their expected values. For more information, see [Set up a Spring Cloud Config Server instance for your service](../basic-standard/how-to-config-server.md). For the Enterprise plan, see [Use Application Configuration Service](./how-to-enterprise-application-configuration-service.md). +* The environment variables have their expected values. +* The JVM parameters have their expected values. +* We recommended that you disable or remove the embedded *Config Server* and *Spring Service Registry* services from the application package. +* If any Azure resources are to be bound via *Service Binding*, make sure the target resources are up and running. ++## Configuration and management ++### I encountered a problem with creating an Azure Spring Apps service instance ++When you set up an Azure Spring Apps service instance by using the Azure portal, Azure Spring Apps performs the validation for you. ++But if you try to set up the Azure Spring Apps service instance by using the [Azure CLI](/cli/azure/get-started-with-azure-cli) or the [Azure Resource Manager template](../../azure-resource-manager/index.yml), verify that you meet the following conditions: ++* The subscription is active. +* Azure Spring Apps is available in the region you're using. For more information, see the [Azure Spring Apps FAQ](./faq.md). +* The resource group for the instance is already created. +* The resource name conforms to the naming rule. The name must contain only lowercase letters, numbers, and hyphens. The first character must be a letter. The last character must be a letter or number. The value must contain from 2 to 32 characters. ++If you want to set up the Azure Spring Apps service instance by using the Resource Manager template, first refer to [Understand the structure and syntax of Azure Resource Manager templates](../../azure-resource-manager/templates/syntax.md). ++The name of the Azure Spring Apps service instance is used for requesting a subdomain name under `azuremicroservices.io`, so the setup fails if the name conflicts with an existing one. You might find more details in the activity logs. ++### I can't deploy a .NET Core app ++You can't upload a *.zip* file for a .NET Core Steeltoe app by using the Azure portal or the Resource Manager template. ++When you deploy your application package by using the [Azure CLI](/cli/azure/get-started-with-azure-cli), the Azure CLI periodically polls the deployment progress and, in the end, it displays the deployment result. ++Ensure that your application is packaged in the correct *.zip* file format. If it isn't packaged correctly, the process stops responding or you receive an error message. ++### I can't deploy a JAR package ++You can't upload Java Archive file (JAR)/source package by using the Azure portal or the Resource Manager template. ++When you deploy your application package by using the [Azure CLI](/cli/azure/get-started-with-azure-cli), the Azure CLI periodically polls the deployment progress and, in the end, it displays the deployment result. ++If the polling is interrupted, you can still use the following command to fetch the deployment logs: ++```azurecli +az spring app show-deploy-log --name <app-name> +``` ++Ensure that your application is packaged in the correct [executable JAR format](https://docs.spring.io/spring-boot/docs/current/reference/html/executable-jar.html). If it isn't packaged correctly, you receive an error message similar to the following example: `Error: Invalid or corrupt jarfile /jar/38bc8ea1-a6bb-4736-8e93-e8f3b52c8714` ++### I can't deploy a source package ++You can't upload JAR/source package by using the Azure portal or the Resource Manager template. ++When you deploy your application package by using the [Azure CLI](/cli/azure/get-started-with-azure-cli), the Azure CLI periodically polls the deployment progress and, in the end, it displays the deployment result. ++If the polling is interrupted, you can still use the following command to fetch the build and deployment logs: ++```azurecli +az spring app show-deploy-log --name <app-name> +``` ++However, one Azure Spring Apps service instance can trigger only one build job for one source package at one time. For more information, see [Deploy an application](./quickstart.md) and [Set up a staging environment in Azure Spring Apps](./how-to-staging-environment.md). ++### My application can't be registered ++In most cases, this situation occurs when *Required Dependencies* and *Service Discovery* aren't properly configured in your Project Object Model (POM) file. Once it's configured, the built-in Service Registry server endpoint is injected as an environment variable with your application. Applications then register themselves with the Service Registry server and discover other dependent applications. ++Wait at least two minutes before a newly registered instance starts receiving traffic. ++If you're migrating an existing Spring Cloud-based solution to Azure, be sure to remove or disable your ad-hoc *Service Registry* and *Config Server* instances to avoid conflicting with the managed instances provided by Azure Spring Apps. ++You can also check the *Service Registry* client logs in Azure Log Analytics. For more information, see [Analyze logs and metrics with diagnostics settings](diagnostic-services.md) ++To learn more about Azure Log Analytics, see [Get started with Log Analytics in Azure Monitor](../../azure-monitor/logs/log-analytics-tutorial.md). Query the logs by using the [Kusto query language](/azure/kusto/query/). ++### I want to inspect my application's environment variables ++Environment variables inform the Azure Spring Apps framework, ensuring that Azure understands where and how to configure the services that make up your application. Ensuring that your environment variables are correct is a necessary first step in troubleshooting potential problems. You can use the Spring Boot Actuator endpoint to review your environment variables. ++> [!WARNING] +> This procedure exposes your environment variables by using your test endpoint. Do not proceed if your test endpoint is publicly accessible or if you've assigned a domain name to your application. ++1. Go to `https://<your-application-test-endpoint>/actuator/health`. To find the test endpoint, see the [Verify app through test endpoint](concept-manage-monitor-app-spring-boot-actuator.md#verify-app-through-test-endpoint) section of [Manage and monitor app with Spring Boot Actuator](concept-manage-monitor-app-spring-boot-actuator.md). ++ A response similar to `{"status":"UP"}` indicates that the endpoint has been enabled. If the response is negative, include the following dependency in your *POM.xml* file: ++ ```xml + <dependency> + <groupId>org.springframework.boot</groupId> + <artifactId>spring-boot-starter-actuator</artifactId> + </dependency> + ``` ++1. With the Spring Boot Actuator endpoint enabled, go to the Azure portal and look for the configuration page of your application. Add an environment variable with the name `MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE` and the value `*`. ++1. Restart your application. ++1. Go to `https://<your-application-test-endpoint>/actuator/env` and inspect the response. It should look like this: ++ ```json + { + "activeProfiles": [], + "propertySources": {, + "name": "server.ports", + "properties": { + "local.server.port": { + "value": 1025 + } + } + } + } + ``` ++Look for the child node named `systemEnvironment`. This node contains your application's environment variables. ++> [!IMPORTANT] +> Remember to reverse the exposure of your environment variables before making your application accessible to the public. Go to the Azure portal, look for the configuration page of your application, and delete this environment variable: `MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE`. ++### I can't find metrics or logs for my application ++Go to **Apps** to ensure that the application statuses are *Running* and *UP*. ++Check to see whether *JMX* is enabled in your application package. This feature can be enabled with the configuration property `spring.jmx.enabled=true`. ++Check to see whether the `spring-boot-actuator` dependency is enabled in your application package and that it successfully boots up. ++```xml +<dependency> + <groupId>org.springframework.boot</groupId> + <artifactId>spring-boot-starter-actuator</artifactId> +</dependency> +``` ++If your application logs can be archived to a storage account but not sent to Azure Log Analytics, check to see whether you set up your workspace correctly. For more information, see [Create a Log Analytics workspace](../../azure-monitor/logs/quick-create-workspace.md). Also, be aware that the Basic plan doesn't provide a service-level agreement (SLA). For more information, see [Service Level Agreements (SLA) for Online Services](https://azure.microsoft.com/support/legal/sla/log-analytics/v1_3/). ++## Enterprise plan ++### Error 112039: Failed to purchase on Azure Marketplace ++Creating an Azure Spring Apps Enterprise plan instance fails with error code "112039". For more information, check the detailed error message in the following list: ++* **"Failed to purchase on Azure Marketplace because the Microsoft.SaaS RP is not registered on the Azure subscription."**: Azure Spring Apps Enterprise plan purchase a SaaS offer from VMware. ++ You must register the `Microsoft.SaaS` resource provider before creating Azure Spring Apps Enterprise instance. See how to [register a resource provider](../../azure-resource-manager/management/resource-providers-and-types.md#register-resource-provider). ++* **"Failed to load catalog product vmware-inc.azure-spring-cloud-vmware-tanzu-2 in the Azure subscription market."**: Your Azure subscription's billing account address isn't in the supported location. ++ For more information, see the section [No plans are available for market '\<Location>'](#no-plans-are-available-for-market-location). ++* **"Failed to purchase on Azure Marketplace due to signature verification on Marketplace legal agreement. Check the Azure subscription has agree terms vmware-inc.azure-spring-cloud-vmware-tanzu-2.asa-ent-hr-mtr"**: Your Azure subscription hasn't signed the terms for the offer and plan to be purchased. ++ Go to your Azure subscription and run the following Azure CLI command to agree to the terms: ++ ```azurecli + az term accept \ + --publisher vmware-inc \ + --product azure-spring-cloud-vmware-tanzu-2 \ + --plan asa-ent-hr-mtr + ``` ++ If that doesn't help, you can contact the support team with the following info. ++ * `AZURE_TENANT_ID`: the Azure tenant ID that hosts the Azure subscription + * `AZURE_SUBSCRIPTION_ID`: the Azure subscription ID used to create the Azure Spring Apps instance + * `SPRING_CLOUD_NAME`: the failed instance name + * `ERROR_MESSAGE`: the observed error message ++### No plans are available for market '\<Location>' ++When you visit the SaaS offer [Azure Spring Apps Enterprise](https://aka.ms/ascmpoffer) in the Azure Marketplace, it may say "No plans are available for market '\<Location>'" as in the following image. ++![No plans available error image](./media/troubleshoot/no-enterprise-plans-available.png) ++The Azure Spring Apps Enterprise plan needs customers to pay for a license to Tanzu components through an Azure Marketplace offer. To purchase in the Azure Marketplace, the billing account's country or region for your Azure subscription should be in the SaaS offer's supported geographic locations. ++[Azure Spring Apps Enterprise](https://aka.ms/ascmpoffer) now supports all geographic locations that Azure Marketplace supports. See [Marketplace supported geographic location](../../marketplace/marketplace-geo-availability-currencies.md#supported-geographic-locations). ++You can view the billing account for your subscription if you have admin access. See [view billing accounts](../../cost-management-billing/manage/view-all-accounts.md#check-the-type-of-your-account). ++### I need VMware Spring Runtime Support (Enterprise plan only) ++The Enterprise plan has built-in VMware Spring Runtime Support, so you can open support tickets to [VMware](https://aka.ms/ascevsrsupport) if you think your issue is in the scope of VMware Spring Runtime Support. To better understand VMware Spring Runtime Support itself, see the [VMware Spring Runtime](https://tanzu.vmware.com/spring-runtime). For more information on registering and using this support service, see the Support section in the [Enterprise FAQ from VMware](https://aka.ms/EnterpriseTierFAQ). For any other issues, open a support ticket with Microsoft. ++## Next steps ++* [How to self-diagnose and solve problems in Azure Spring Apps](./how-to-self-diagnose-solve.md) +* [Troubleshoot common exit code issues in Azure Spring Apps](./troubleshoot-exit-code.md) |
spring-apps | Troubleshooting Vnet | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/troubleshooting-vnet.md | + + Title: Troubleshooting Azure Spring Apps in virtual network +description: Troubleshooting guide for Azure Spring Apps virtual network. +++ Last updated : 09/19/2020+++++# Troubleshooting Azure Spring Apps in virtual networks ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article helps you solve various problems that can arise when using Azure Spring Apps in virtual networks. ++## I encountered a problem with creating an Azure Spring Apps service instance ++To create an instance of Azure Spring Apps, you must have sufficient permission to deploy the instance to the virtual network. The Azure Spring Apps service instance must itself grant Azure Spring Apps service permission to the virtual network. For more information, see the [Grant service permission to the virtual network](./how-to-deploy-in-azure-virtual-network.md#grant-service-permission-to-the-virtual-network) section of [Deploy Azure Spring Apps in a virtual network](how-to-deploy-in-azure-virtual-network.md). ++If you use the Azure portal to set up the Azure Spring Apps service instance, the Azure portal validates the permissions. ++To set up the Azure Spring Apps service instance by using the [Azure CLI](/cli/azure/get-started-with-azure-cli), verify the following requirements: ++- The subscription is active. +- The location supports Azure Spring Apps. +- The resource group for the instance is already created. +- The resource name conforms to the naming rule. It must contain only lowercase letters, numbers, and hyphens. The first character must be a letter. The last character must be a letter or number. The value must contain from 2 to 32 characters. ++To set up the Azure Spring Apps service instance by using the Resource Manager template, refer to [Understand the structure and syntax of Azure Resource Manager templates](../../azure-resource-manager/templates/syntax.md). ++### Common creation issues ++| Error message | How to fix | +||-| +| `Resources created by Azure Spring Apps were disallowed by policy.` | Network resources are created when deploying Azure Spring Apps in your own virtual network. Be sure to check whether you have [Azure Policy](../../governance/policy/overview.md) defined to block that creation. The error message lists the resources that weren't created. | +| `Required traffic is not allowlisted.` | Be sure to check [Customer responsibilities for running Azure Spring Apps in a virtual network](./vnet-customer-responsibilities.md) to ensure that the required traffic is allowlisted. | ++## My application can't be registered or it can't get settings from the config server ++The applications running inside the Azure Spring Apps user cluster need to access the Eureka Server and the Config Server in the system runtime cluster via the `<service-instance-name>.svc.private.azuremicroservices.io` domain. ++This problem occurs if your virtual network is configured with custom DNS settings. In this case, the private DNS zone used by Azure Spring Apps is ineffective. Add the Azure DNS IP 168.63.129.16 as the upstream DNS server in the custom DNS server. ++If your custom DNS server can't add the Azure DNS IP `168.63.129.16` as the upstream DNS server, then add the DNS record `*.svc.private.azuremicroservices.io` to the IP of your application. For more information, see the [Find the IP for your application](access-app-virtual-network.md#find-the-ip-for-your-application) section of [Access an app in Azure Spring Apps in a virtual network](access-app-virtual-network.md). ++## I can't access my application's endpoint or test endpoint in a virtual network ++If your virtual network is configured with custom DNS settings, be sure to add Azure DNS IP `168.63.129.16` as the upstream DNS server in the custom DNS server, if you haven't already. Then, proceed with the following instructions. ++If your virtual network isn't configured with custom DNS settings, or if your virtual network is configured with custom DNS settings and you've already added Azure DNS IP `168.63.129.16` as the upstream DNS server in the custom DNS server, then complete the following steps: ++1. Create a new private DNS zone `private.azuremicroservices.io`. +1. Link the private DNS zone to the virtual network. +1. Add the following two DNS records: ++ - `*.private.azuremicroservices.io` -> the IP of your application. + - `*.test.private.azuremicroservices.io` -> the IP of your application. ++For more information, see [Access your application in a private network](./access-app-virtual-network.md) ++## I can't access my application's public endpoint from public network ++Azure Spring Apps supports exposing applications to the internet by using public endpoints. For more information, see [Expose applications on Azure Spring Apps to the internet from a public network](how-to-access-app-from-internet-virtual-network.md). ++If you're using a user defined route feature, some features aren't supported because of asymmetric routing. For unsupported features, see the following list: ++- Use the public network to access the application through the public endpoint. +- Use the public network to access the log stream. +- Use the public network to access the app console. ++For more information, see [Control egress traffic for an Azure Spring Apps instance](how-to-create-user-defined-route-instance.md). ++Similar limitations also apply to Azure Spring Apps when egress traffics are routed to a firewall. The problem occurs because both situations introduce asymmetric routing into the cluster. Packets arrive on the endpoint's public IP address but return to the firewall via the private IP address. So, the firewall must block such traffic. For more information, see the [Bring your own route table](how-to-deploy-in-azure-virtual-network.md#bring-your-own-route-table) section of [Deploy Azure Spring Apps in a virtual network](how-to-deploy-in-azure-virtual-network.md). ++If you're routing egress traffics to a firewall but also need to expose the application to internet, use the expose applications to the internet with TLS Termination feature. For more information, see [Expose applications to the internet with TLS Termination at Application Gateway](expose-apps-gateway-tls-termination.md). ++## Other issues ++- [Access your application in a private network](access-app-virtual-network.md) +- [Troubleshoot common Azure Spring Apps issues](./troubleshoot.md) |
spring-apps | Tutorial Alerts Action Groups | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/tutorial-alerts-action-groups.md | + + Title: "Tutorial: Monitor Azure Spring Apps resources using alerts and action groups" +description: Learn how to monitor Spring app resources using alerts and action groups in Azure Spring Apps. ++++ Last updated : 6/15/2023++++# Tutorial: Monitor Spring app resources using alerts and action groups ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Java ✔️ C# ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article describes how to monitor Spring app resources using alerts and action groups in Azure Spring Apps. ++Azure Spring Apps alerts support monitoring resources based on conditions such as available storage, rate of requests, and data usage. An alert sends a notification when rates or conditions meet the defined specifications. ++There are two steps to set up an alert pipeline: ++1. Set up an action group. ++ Action groups define actions to be taken when an alert is triggered, such as with an email, SMS, Runbook, or Webhook. You can use and reuse action groups among different alerts. ++1. Set up alert rules. ++ Rules bind metrics with action groups based on the target resource, condition, time aggregation, and other factors. ++## Prerequisites ++- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin. +- A deployed Azure Spring Apps instance. For more information, see [Quickstart: Deploy your first application to Azure Spring Apps](./quickstart.md) to get started. ++## Set up an action group ++In the Azure portal, use the following steps: ++1. Go to your Azure Spring Apps instance. +1. Select **Alerts** in the navigation pane, and then select **Action groups**. ++ :::image type="content" source="media/tutorial-alerts-action-groups/alerts-page-action-groups.png" alt-text="Screenshot of the Azure portal showing the Alerts page with the Action groups button highlighted." lightbox="media/tutorial-alerts-action-groups/alerts-page-action-groups.png"::: ++1. On the **Action groups** page, select **Create**. ++ :::image type="content" source="media/tutorial-alerts-action-groups/alerts-action-groups.png" alt-text="Screenshot of the Azure portal showing the Action groups page with the Create button highlighted." lightbox="media/tutorial-alerts-action-groups/alerts-action-groups.png"::: ++1. On the **Create action group** page on the **Basics** tab, make any needed changes in **Project details**. In **Instance details**, specify settings for **Action group name** and **Display name**. ++ :::image type="content" source="media/tutorial-alerts-action-groups/alerts-create-action-group.png" alt-text="Screenshot of the Azure portal showing the Create action group page with the Basics tab selected." lightbox="media/tutorial-alerts-action-groups/alerts-create-action-group.png"::: ++1. Select the **Notifications** tab and then select a **Notification type** from the dropdown menu. This action opens a pane to define the action that is taken upon activation. This example shows an email and messaging type. Complete the form and select **OK**. ++ :::image type="content" source="media/tutorial-alerts-action-groups/alerts-create-action-group-notifications.png" alt-text="Screenshot of the Azure portal showing the Create action group page on the Notifications tab with the pane open that defines the notification type." lightbox="media/tutorial-alerts-action-groups/alerts-create-action-group-notifications.png"::: ++1. Set **Name** to name the action group. ++1. Select **Review + create** to finish creating the action group. ++## Set up an alert ++Use the following steps configure an alert: ++1. Select **Alerts** in the navigation pane, and then select **Alert rules**. ++ :::image type="content" source="media/tutorial-alerts-action-groups/alerts-page-rules.png" alt-text="Screenshot of the Azure portal showing the Alerts page with the Alert rule button highlighted." lightbox="media/tutorial-alerts-action-groups/alerts-page-rules.png"::: ++1. Select **Create**. ++ :::image type="content" source="media/tutorial-alerts-action-groups/alerts-rules-page.png" alt-text="Screenshot of the Azure portal showing the Alert rules page with the Create button highlighted." lightbox="media/tutorial-alerts-action-groups/alerts-rules-page.png"::: ++1. On the **Create an alert rule** page on the **Condition** tab, you must select a signal to trigger the alert rule. Select **See all signals**. On the **Select a signal** pane, select **CPU Usage** and then select **Apply**. ++ :::image type="content" source="media/tutorial-alerts-action-groups/create-alert-rule.png" alt-text="Screenshot of the Azure portal showing the Create an Alert rule page with the select a signal pane open and App CPU Usage highlighted." lightbox="media/tutorial-alerts-action-groups/create-alert-rule.png"::: ++1. The signal selection determines the alert logic settings to configure. Set **Threshold value** to 75. ++ :::image type="content" source="media/tutorial-alerts-action-groups/rule-value.png" alt-text="Screenshot of the Azure portal showing the Create an Alert rule page with the alert logic setting for Threshold value highlighted." lightbox="media/tutorial-alerts-action-groups/rule-value.png"::: ++ For details of the conditions available to monitor, see the [User metrics options](./concept-metrics.md#user-metrics-options) section of [Metrics for Azure Spring Apps](./concept-metrics.md). ++1. Select the **Actions** tab and then select **Select action group**. On the **Select action groups** pane, select the action group that should be triggered by the rule such as the action group you defined previously. ++ :::image type="content" source="media/tutorial-alerts-action-groups/select-action-group.png" alt-text="Screenshot of the Azure portal showing the Select an action group to attach to this alert rule pane with an Action group name highlighted." lightbox="media/tutorial-alerts-action-groups/select-action-group.png"::: ++1. Select **Select**. +1. Select the **Details** tab and set **Severity** and make any other needed changes. ++ :::image type="content" source="media/tutorial-alerts-action-groups/create-rule-details.png" alt-text="Screenshot of the Azure portal showing the Create rule page with Severity in Alert Details highlighted." lightbox="media/tutorial-alerts-action-groups/create-rule-details.png"::: ++ > [!TIP] + > Select the **Scope** tab to change the resource for the scope of the rule. By default the scope is current Azure Spring Apps instance. ++1. Select **Review + create** to finish creating the alert rule. ++1. On the **Alert rules** page, verify that the new alert rule is enabled. ++ :::image type="content" source="media/tutorial-alerts-action-groups/alert-rule-enabled.png" alt-text="Screenshot of the Azure portal showing the Alert rules page with the rule that was just created enabled." lightbox="media/tutorial-alerts-action-groups/alert-rule-enabled.png"::: ++## Next steps ++In this article, you learned how to set up alerts and action groups for an application in Azure Spring Apps. To learn more about action groups, see: ++> [!div class="nextstepaction"] +> [Action groups](../../azure-monitor/alerts/action-groups.md) |
spring-apps | Tutorial Authenticate Client With Gateway | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/tutorial-authenticate-client-with-gateway.md | + + Title: Tutorial - Authenticate client with Spring Cloud Gateway on Azure Spring Apps +description: Learn how to authenticate client with Spring Cloud Gateway on Azure Spring Apps. +++ Last updated : 08/31/2023+++++# Tutorial: Authenticate client with Spring Cloud Gateway on Azure Spring Apps ++> [!NOTE] +> The first 50 vCPU hours and 100 GB hours of memory are free each month. For more information, see [Price Reduction - Azure Spring Apps does more, costs less!](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/price-reduction-azure-spring-apps-does-more-costs-less/ba-p/3614058) on the [Apps on Azure Blog](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/bg-p/AppsonAzureBlog). ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Standard consumption and dedicated (Preview) ++This quickstart shows you how to secure communication between a client application and a microservice application that is hosted on Azure Spring Apps and shielded with a Spring Cloud Gateway app. The client application is verified as a security principal to initiate contact with the microservice deployed on Azure Spring Apps, using the app built with [Spring Cloud Gateway](https://docs.spring.io/spring-cloud-gateway/docs/current/reference/html/). This method employs Spring Cloud Gateway's Token Relay and Spring Security's Resource Server features for the processes of authentication and authorization, realized through the execution of the [OAuth 2.0 client credentials flow](/entra/identity-platform/v2-oauth2-client-creds-grant-flow). ++The following list shows the composition of the sample project: ++- Books SPA: This Single Page Application (SPA), hosted locally, interacts with the Books microservice for adding or searching for books. +- Books microservice: + - A Spring Cloud Gateway app hosted in Azure Spring Apps. This app operates as a gateway to the Books RESTful APIs. + - A Spring Boot RESTful API app hosted in Azure Spring Apps. This app stores the book information in an H2 database. The Books service exposes two REST endpoints to write and read books. ++## 1. Prerequisites ++- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin. +- [Git](https://git-scm.com/downloads). +- [Java Development Kit (JDK)](/java/azure/jdk/), version 17. +- A Microsoft Entra tenant. For more information on how to create a Microsoft Entra tenant, see [Quickstart: Create a new tenant in Microsoft Entra ID](/entra/fundamentals/create-new-tenant). +- [Azure CLI](/cli/azure/install-azure-cli) version 2.45.0 or higher. +- Install [Node.js](https://nodejs.org). +++## 5. Validate the app ++You can access the Books SPA app that communicates with the Books RESTful APIs through the `gateway-service` app. ++1. Go to `http://localhost:3000` in your browser to access the application. ++1. Enter values for **Author** and **Title**, and then select **Add Book**. You see a response similar to the following example: ++ ```output + Book added successfully: {"id":1,"author":"Jeff Black","title":"Spring In Action"} + ``` +++## 7. Next steps ++> [!div class="nextstepaction"] +> [Structured application log for Azure Spring Apps](./structured-app-log.md) ++> [!div class="nextstepaction"] +> [Map an existing custom domain to Azure Spring Apps](./how-to-custom-domain.md) ++> [!div class="nextstepaction"] +> [Set up Azure Spring Apps CI/CD with GitHub Actions](./how-to-github-actions.md) ++> [!div class="nextstepaction"] +> [Set up Azure Spring Apps CI/CD with Azure DevOps](./how-to-cicd.md) ++> [!div class="nextstepaction"] +> [Use managed identities for applications in Azure Spring Apps](./how-to-use-managed-identities.md) ++> [!div class="nextstepaction"] +> [Run microservice apps (Pet Clinic)](./quickstart-sample-app-introduction.md) ++> [!div class="nextstepaction"] +> [Run polyglot apps on Enterprise plan (ACME Fitness Store)](./quickstart-sample-app-acme-fitness-store-introduction.md) ++For more information, see the following articles: ++- [Azure Spring Apps Samples](https://github.com/Azure-Samples/azure-spring-apps-samples). +- [Spring on Azure](/azure/developer/java/spring/) +- [Spring Cloud Azure](/azure/developer/java/spring-framework/) |
spring-apps | Tutorial Circuit Breaker | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/tutorial-circuit-breaker.md | + + Title: "Tutorial - Use Circuit Breaker Dashboard with Azure Spring Apps" +description: Learn how to use circuit Breaker Dashboard with Azure Spring Apps. ++++ Last updated : 04/06/2020++++# Tutorial: Use Circuit Breaker Dashboard with Azure Spring Apps ++> [!WARNING] +> Hystrix is no longer in active development and is currently in maintenance mode. ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Java ❌ C# ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article shows you how to use Netflix Turbine and Netflix Hystrix on Azure Spring Apps. Spring Cloud [Netflix Turbine](https://github.com/Netflix/Turbine) is widely used to aggregate multiple [Netflix Hystrix](https://github.com/Netflix/Hystrix) metrics streams so that streams can be monitored in a single view using Hystrix dashboard. ++> [!NOTE] +> Netflix Hystrix is widely used in many existing Spring apps but it's no longer in active development. If you're developing a new project, you should use Spring Cloud Circuit Breaker implementations like [resilience4j](https://github.com/resilience4j/resilience4j) instead. Different from Turbine shown in this tutorial, the new Spring Cloud Circuit Breaker framework unifies all implementations of its metrics data pipeline into Micrometer, which is also supported by Azure Spring Apps. For more information, see [Collect Spring Cloud Resilience4J Circuit Breaker Metrics with Micrometer (Preview)](./how-to-circuit-breaker-metrics.md). ++## Prepare your sample applications ++The sample is forked from this [repository](https://github.com/StackAbuse/spring-cloud/tree/master/spring-turbine). ++Clone the sample repository to your develop environment: ++```bash +git clone https://github.com/Azure-Samples/azure-spring-apps-samples.git +cd azure-spring-apps-samples/hystrix-turbine-sample +``` ++Build the three applications that are in this tutorial: ++* user-service: A simple REST service that has a single endpoint of /personalized/{id} +* recommendation-service: A simple REST service that has a single endpoint of /recommendations, which is called by user-service. +* hystrix-turbine: A Hystrix dashboard service to display Hystrix streams and a Turbine service aggregating Hystrix metrics stream from other services. ++```bash +mvn clean package -D skipTests -f user-service/pom.xml +mvn clean package -D skipTests -f recommendation-service/pom.xml +mvn clean package -D skipTests -f hystrix-turbine/pom.xml +``` ++## Provision your Azure Spring Apps instance ++Follow the steps in the [Provision an instance of Azure Spring Apps](./quickstart.md#32-create-an-azure-spring-apps-instance) section of [Quickstart: Deploy your first application to Azure Spring Apps](quickstart.md). ++## Deploy your applications to Azure Spring Apps ++These apps don't use **Config Server**, so there's no need to set up **Config Server** for Azure Spring Apps. Create and deploy as follows: ++```azurecli +az configure --defaults \ + group=<resource-group-name> \ + spring=<Azure-Spring-Apps-instance-name> ++az spring app create --name user-service --assign-endpoint +az spring app create --name recommendation-service +az spring app create --name hystrix-turbine --assign-endpoint ++az spring app deploy \ + --name user-service \ + --artifact-path user-service/target/user-service.jar +az spring app deploy \ + --name recommendation-service \ + --artifact-path recommendation-service/target/recommendation-service.jar +az spring app deploy \ + --name hystrix-turbine \ + --artifact-path hystrix-turbine/target/hystrix-turbine.jar +``` ++## Verify your apps ++After all the apps are running and discoverable, access `user-service` with the path `https://<Azure-Spring-Apps-instance-name>-user-service.azuremicroservices.io/personalized/1` from your browser. If the user-service can access `recommendation-service`, you should get the following output. Refresh the web page a few times if it doesn't work. ++```json +[{"name":"Product1","description":"Description1","detailsLink":"link1"},{"name":"Product2","description":"Description2","detailsLink":"link3"},{"name":"Product3","description":"Description3","detailsLink":"link3"}] +``` ++## Access your Hystrix dashboard and metrics stream ++Verify using public endpoints or private test endpoints. ++### Using public endpoints ++Access hystrix-turbine with the path `https://<SERVICE-NAME>-hystrix-turbine.azuremicroservices.io/hystrix` from your browser. The following figure shows the Hystrix dashboard running in this app. +++Copy the Turbine stream url `https://<SERVICE-NAME>-hystrix-turbine.azuremicroservices.io/turbine.stream?cluster=default` into the text box, and select **Monitor Stream**. This action displays the dashboard. If nothing shows in the viewer, hit the `user-service` endpoints to generate streams. +++> [!NOTE] +> In production, the Hystrix dashboard and metrics stream should not be exposed to the Internet. ++### Using private test endpoints ++Hystrix metrics streams are also accessible from `test-endpoint`. As a backend service, we didn't assign a public end-point for `recommendation-service`, but we can show its metrics with test-endpoint at `https://primary:<KEY>@<SERVICE-NAME>.test.azuremicroservices.io/recommendation-service/default/actuator/hystrix.stream` +++As a web app, Hystrix dashboard should be working on `test-endpoint`. If it isn't working properly, there may be two reasons: first, using `test-endpoint` changed the base URL from `/` to `/<APP-NAME>/<DEPLOYMENT-NAME>`, or, second, the web app is using absolute path for static resource. To get it working on `test-endpoint`, you might need to manually edit the `<base>` in the front-end files. ++## Next steps ++* [Provision an instance of Azure Spring Apps](./quickstart.md#32-create-an-azure-spring-apps-instance) section of [Quickstart: Deploy your first application to Azure Spring Apps](quickstart.md). +* [Prepare a Java Spring application for deployment in Azure Spring Apps](how-to-prepare-app-deployment.md) |
spring-apps | Tutorial Managed Identities Functions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/tutorial-managed-identities-functions.md | + + Title: "Tutorial: Managed identity to invoke Azure Functions" +description: Learn how to use a managed identity to invoke Azure Functions from an Azure Spring Apps app. +++++ Last updated : 05/07/2023+++# Tutorial: Use a managed identity to invoke Azure Functions from an Azure Spring Apps app ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article shows you how to create a managed identity for an app hosted in Azure Spring Apps and use it to invoke HTTP triggered Functions. ++Both Azure Functions and App Services have built in support for Microsoft Entra authentication. By using this built-in authentication capability along with Managed Identities for Azure Spring Apps, you can invoke RESTful services using modern OAuth semantics. This method doesn't require storing secrets in code and provides more granular controls for controlling access to external resources. ++## Prerequisites ++- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin. +- [Azure CLI](/cli/azure/install-azure-cli) version 2.45.0 or higher. +- [Git](https://git-scm.com/downloads). +- [Apache Maven](https://maven.apache.org/download.cgi) version 3.0 or higher. +- [Install the Azure Functions Core Tools](../../azure-functions/functions-run-local.md#install-the-azure-functions-core-tools) version 4.x. ++## Create a resource group ++A resource group is a logical container into which Azure resources are deployed and managed. Use the following command to create a resource group to contain a Function app: ++```azurecli +az group create --name <resource-group-name> --location <location> +``` ++For more information, see the [az group create](/cli/azure/group#az-group-create) command. ++## Create a Function app ++To create a Function app, you must first create a backing storage account. You can use the [az storage account create](/cli/azure/storage/account#az-storage-account-create) command. ++> [!IMPORTANT] +> Each Function app and storage account must have a unique name. ++Use the following command to create the storage account. Replace *\<function-app-name>* with the name of your Function app and *\<storage-account-name>* with the name of your storage account. ++```azurecli +az storage account create \ + --resource-group <resource-group-name> \ + --name <storage-account-name> \ + --location <location> \ + --sku Standard_LRS +``` ++After the storage account is created, use the following command to create the Function app: ++```azurecli +az functionapp create \ + --resource-group <resource-group-name> \ + --name <function-app-name> \ + --consumption-plan-location <location> \ + --os-type windows \ + --runtime node \ + --storage-account <storage-account-name> \ + --functions-version 4 +``` ++Make a note of the returned `hostNames` value, which is in the format `https://<your-functionapp-name>.azurewebsites.net`. Use this value in the Function app's root URL for testing the Function app. ++<a name='enable-azure-active-directory-authentication'></a> ++## Enable Microsoft Entra authentication ++Use the following steps to enable Microsoft Entra authentication to access your Function app. ++1. In the Azure portal, navigate to your resource group and then open the Function app you created. +1. In the navigation pane, select **Authentication** and then select **Add identity provider** on the main pane. +1. On the **Add an identity provider** page, select **Microsoft** from the **Identity provider** dropdown menu. ++ :::image type="content" source="media/tutorial-managed-identities-functions/add-identity-provider.png" alt-text="Screenshot of the Azure portal showing the Add an identity provider page with Microsoft highlighted in the identity provider dropdown menu." lightbox="media/tutorial-managed-identities-functions/add-identity-provider.png"::: ++1. Select **Add**. +1. For the **Basics** settings on the **Add an identity provider** page, set **Supported account types** to **Any Microsoft Entra directory - Multi-tenant**. +1. Set **Unauthenticated requests** to **HTTP 401 Unauthorized: recommended for APIs**. This setting ensures that all unauthenticated requests are denied (401 response). ++ :::image type="content" source="media/tutorial-managed-identities-functions/identity-provider-settings.png" alt-text="Screenshot of the Azure portal showing the Add an identity provider page with Support account types and Unauthenticated requests highlighted." lightbox="media/tutorial-managed-identities-functions/identity-provider-settings.png"::: ++1. Select **Add**. ++After you add the settings, the Function app restarts and all subsequent requests are prompted to sign in through Microsoft Entra ID. You can test that unauthenticated requests are currently being rejected with the Function app's root URL (returned in the `hostNames` output of the `az functionapp create` command). You should then be redirected to your organization's Microsoft Entra sign-in screen. ++You need the Application ID and the Application ID URI for later use. In the Azure portal, navigate to the Function app you created. ++To get the Application ID, select **Authentication** in the navigation pane, and then copy the **App (client) ID** value for the identity provider that includes the name of the Function app. +++To get the Application ID URI, select **Expose an API** in the navigation pane, and then copy the **Application ID URI** value. +++## Create an HTTP triggered function ++In an empty local directory, use the following commands to create a new function app and add an HTTP triggered function: ++```console +func init --worker-runtime node +func new --template HttpTrigger --name HttpTrigger +``` ++By default, functions use key-based authentication to secure HTTP endpoints. To enable Microsoft Entra authentication to secure access to the functions, set the `authLevel` key to `anonymous` in the *function.json* file, as shown in the following example: ++```json +{ + "bindings": [ + { + "authLevel": "anonymous", + "type": "httpTrigger", + ... + } + ] +} +``` ++For more information, see the [Secure an HTTP endpoint in production](../../azure-functions/functions-bindings-http-webhook-trigger.md#secure-an-http-endpoint-in-production) section of [Azure Functions HTTP trigger](../../azure-functions/functions-bindings-http-webhook-trigger.md). ++Use the following command to publish the app to the instance created in the previous step: ++```console +func azure functionapp publish <function-app-name> +``` ++The output from the publish command should list the URL to your newly created function, as shown in the following output: ++```output +Deployment completed successfully. +Syncing triggers... +Functions in <your-functionapp-name>: + HttpTrigger - [httpTrigger] + Invoke url: https://<function-app-name>.azurewebsites.net/api/httptrigger +``` ++## Create an Azure Spring Apps service instance and application ++Use the following commands to add the spring extension and to create a new instance of Azure Spring Apps: ++```azurecli +az extension add --upgrade --name spring +az spring create \ + --resource-group <resource-group-name> \ + --name <Azure-Spring-Apps-instance-name> \ + --location <location> +``` ++Use the following command to create an application named `msiapp` with a system-assigned managed identity, as requested by the `--assign-identity` parameter: ++```azurecli +az spring app create \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name "msiapp" \ + --assign-endpoint true \ + --assign-identity +``` ++## Build a sample Spring Boot app to invoke the Function ++This sample invokes the HTTP triggered function by first requesting an access token from the MSI endpoint and using that token to authenticate the function HTTP request. For more information, see the [Get a token using HTTP](/entra/identity/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http) section of [How to use managed identities for Azure resources on an Azure VM to acquire an access token](/entra/identity/managed-identities-azure-resources/how-to-use-vm-token). ++1. Use the following command clone the sample project: ++ ```bash + git clone https://github.com/Azure-Samples/azure-spring-apps-samples.git + ``` ++1. Use the following command to specify your function URI and the trigger name in your app properties: ++ ```bash + cd azure-spring-apps-samples/managed-identity-function + vim src/main/resources/application.properties + ``` ++1. To use managed identity for Azure Spring Apps apps, add the following properties with these values to *src/main/resources/application.properties*. ++ ```text + azure.function.uri=https://<function-app-name>.azurewebsites.net + azure.function.triggerPath=httptrigger + azure.function.application-id.uri=<function-app-application-ID-uri> + ``` ++1. Use the following command to package your sample app: ++ ```bash + mvn clean package + ``` ++1. Use the following command to deploy the app to Azure Spring Apps: ++ ```azurecli + az spring app deploy \ + --resource-group <resource-group-name> \ + --service <Azure-Spring-Apps-instance-name> \ + --name "msiapp" \ + --artifact-path target/asc-managed-identity-function-sample-0.1.0.jar + ``` ++1. Use the following command to access the public endpoint or test endpoint to test your app: ++ ```bash + curl https://<Azure-Spring-Apps-instance-name>-msiapp.azuremicroservices.io/func/springcloud + ``` ++ The following message is returned in the response body. ++ ```output + Function Response: Hello, springcloud. This HTTP triggered function executed successfully. + ``` ++## Next steps ++- [How to enable system-assigned managed identity for applications in Azure Spring Apps](./how-to-enable-system-assigned-managed-identity.md) +- [What are managed identities for Azure resources?](/entra/identity/managed-identities-azure-resources/overview) +- [Configure client apps to access your App Service](../../app-service/configure-authentication-provider-aad.md#configure-client-apps-to-access-your-app-service) |
spring-apps | Tutorial Managed Identities Key Vault | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/tutorial-managed-identities-key-vault.md | + + Title: Connect Azure Spring Apps to Key Vault using managed identities +description: Set up managed identity to connect Key Vault to an app deployed to Azure Spring Apps. ++++ Last updated : 05/07/2023++++# Connect Azure Spring Apps to Key Vault using managed identities ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Java ❌ C# ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article shows you how to create a managed identity for an app deployed to Azure Spring Apps and use it to access Azure Key Vault. ++Azure Key Vault can be used to securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets for your app. You can create a managed identity in Microsoft Entra ID, and authenticate to any service that supports Microsoft Entra authentication, including Key Vault, without having to display credentials in your code. ++The following video describes how to manage secrets using Azure Key Vault. ++<br> ++> [!VIDEO https://www.youtube.com/embed/A8YQOoZncu8?list=PLPeZXlCR7ew8LlhnSH63KcM0XhMKxT1k_] ++## Prerequisites ++* [Sign up for an Azure subscription](https://azure.microsoft.com/free/) +* [Install the Azure CLI version 2.45.0 or higher](/cli/azure/install-azure-cli) +* [Install Maven 3.0 or higher](https://maven.apache.org/download.cgi) ++## Create a resource group ++A resource group is a logical container into which Azure resources are deployed and managed. Create a resource group to contain both the Key Vault and Spring Cloud using the command [az group create](/cli/azure/group#az-group-create): ++```azurecli +az group create --name "myResourceGroup" --location "EastUS" +``` ++## Set up your Key Vault ++To create a Key Vault, use the command [az keyvault create](/cli/azure/keyvault#az-keyvault-create): ++> [!Important] +> Each Key Vault must have a unique name. Replace *\<your-keyvault-name>* with the name of your Key Vault in the following examples. ++```azurecli +az keyvault create \ + --resource-group <your-resource-group-name> \ + --name "<your-keyvault-name>" +``` ++Make a note of the returned `vaultUri`, which is in the format `https://<your-keyvault-name>.vault.azure.net`. You use this value in the following step. ++You can now place a secret in your Key Vault with the command [az keyvault secret set](/cli/azure/keyvault/secret#az-keyvault-secret-set): ++```azurecli +az keyvault secret set \ + --vault-name "<your-keyvault-name>" \ + --name "connectionString" \ + --value "jdbc:sqlserver://SERVER.database.windows.net:1433;database=DATABASE;" +``` ++## Create Azure Spring Apps service and app ++After installing corresponding extension, create an Azure Spring Apps instance with the Azure CLI command `az spring create`. ++```azurecli +az extension add --upgrade --name spring +az spring create \ + --resource-group <your-resource-group-name> \ + --name <your-Azure-Spring-Apps-instance-name> +``` ++### [System-assigned managed identity](#tab/system-assigned-managed-identity) ++The following example creates an app named `springapp` with a system-assigned managed identity, as requested by the `--system-assigned` parameter. ++```azurecli +az spring app create \ + --resource-group <your-resource-group-name> \ + --service <your-Azure-Spring-Apps-instance-name> \ + --name "springapp" \ + --assign-endpoint true \ + --runtime-version Java_17 \ + --system-assigned +export MANAGED_IDENTITY_PRINCIPAL_ID=$(az spring app show \ + --resource-group "<your-resource-group-name>" \ + --service "<your-Azure-Spring-Apps-instance-name>" \ + --name "springapp" \ + | jq -r '.identity.principalId') +``` ++### [User-assigned managed identity](#tab/user-assigned-managed-identity) ++First, create a user-assigned managed identity in advance with its resource ID set to `$USER_IDENTITY_RESOURCE_ID`. Save the client ID for the property configuration. +++```bash +export MANAGED_IDENTITY_PRINCIPAL_ID=<principal-ID-of-user-assigned-managed-identity> +export USER_IDENTITY_RESOURCE_ID=<resource-ID-of-user-assigned-managed-identity> +``` ++The following example creates an app named `springapp` with a user-assigned managed identity, as requested by the `--user-assigned` parameter. ++```azurecli +az spring app create \ + --resource-group <your-resource-group-name> \ + --service <your-Azure-Spring-Apps-instance-name> \ + --name "springapp" \ + --user-assigned $USER_IDENTITY_RESOURCE_ID \ + --runtime-version Java_17 \ + --assign-endpoint true +az spring app show \ + --resource-group <your-resource-group-name> \ + --service <your-Azure-Spring-Apps-instance-name> \ + --name "springapp" +``` ++++Make a note of the returned URL, which is in the format `https://<your-app-name>.azuremicroservices.io`. You use this value in the following step. ++## Grant your app access to Key Vault ++Use the following command to grant proper access in Key Vault for your app: ++```azurecli +az keyvault set-policy \ + --name "<your-keyvault-name>" \ + --object-id ${MANAGED_IDENTITY_PRINCIPAL_ID} \ + --secret-permissions set get list +``` ++> [!NOTE] +> For system-assigned managed identity case, use `az keyvault delete-policy --name "<your-keyvault-name>" --object-id ${MANAGED_IDENTITY_PRINCIPAL_ID}` to remove the access for your app after system-assigned managed identity is disabled. ++## Build a sample Spring Boot app with Spring Boot starter ++This app has access to get secrets from Azure Key Vault. Use the Azure Key Vault Secrets Spring boot starter. Azure Key Vault is added as an instance of Spring **PropertySource**. Secrets stored in Azure Key Vault can be conveniently accessed and used like any externalized configuration property, such as properties in files. ++1. Use the following command to generate a sample project from `start.spring.io` with Azure Key Vault Spring Starter. ++ ```bash + curl https://start.spring.io/starter.tgz -d dependencies=web,azure-keyvault -d baseDir=springapp -d bootVersion=3.2.1 -d javaVersion=17 -d type=maven-project | tar -xzvf - + ``` ++1. Specify your Key Vault in your app. ++ ```bash + cd springapp + vim src/main/resources/application.properties + ``` ++1. To use managed identity for an app deployed to Azure Spring Apps, add properties with the following content to the *src/main/resources/application.properties* file. ++### [System-assigned managed identity](#tab/system-assigned-managed-identity) ++```properties +spring.cloud.azure.keyvault.secret.property-sources[0].endpoint=https://<your-keyvault-name>.vault.azure.net +spring.cloud.azure.keyvault.secret.property-sources[0].credential.managed-identity-enabled=true +``` ++### [User-assigned managed identity](#tab/user-assigned-managed-identity) ++```properties +spring.cloud.azure.keyvault.secret.property-sources[0].endpoint=https://<your-keyvault-name>.vault.azure.net +spring.cloud.azure.keyvault.secret.property-sources[0].credential.managed-identity-enabled=true +spring.cloud.azure.keyvault.secret.property-sources[0].credential.client-id={Client ID of user-assigned managed identity} +``` ++++ > [!NOTE] + > You must add the key vault URL in the *application.properties* file as shown previously. Otherwise, the key vault URL may not be captured during runtime. ++1. Add the following code example to *src/main/java/com/example/demo/DemoApplication.java*. This code retrieves the connection string from the key vault. ++ ```Java + package com.example.demo; ++ import org.springframework.boot.SpringApplication; + import org.springframework.boot.autoconfigure.SpringBootApplication; + import org.springframework.beans.factory.annotation.Value; + import org.springframework.boot.CommandLineRunner; + import org.springframework.web.bind.annotation.GetMapping; + import org.springframework.web.bind.annotation.RestController; ++ @SpringBootApplication + @RestController + public class DemoApplication implements CommandLineRunner { ++ @Value("${connectionString}") + private String connectionString; ++ public static void main(String[] args) { + SpringApplication.run(DemoApplication.class, args); + } ++ @GetMapping("get") + public String get() { + return connectionString; + } ++ public void run(String... args) throws Exception { + System.out.println(String.format("\nConnection String stored in Azure Key Vault:\n%s\n",connectionString)); + } + } + ``` ++ If you open the *pom.xml* file, you can see the `spring-cloud-azure-starter-keyvault` dependency, as shown in the following example: ++ ```xml + <dependency> + <groupId>com.azure.spring</groupId> + <artifactId>spring-cloud-azure-starter-keyvault</artifactId> + </dependency> + ``` ++1. Use the following command to package your sample app. ++ ```bash + ./mvnw clean package -DskipTests + ``` ++1. Now you can deploy your app to Azure with the following command: ++ ```azurecli + az spring app deploy \ + --resource-group <your-resource-group-name> \ + --service <your-Azure-Spring-Apps-instance-name> \ + --name "springapp" \ + --artifact-path target/demo-0.0.1-SNAPSHOT.jar + ``` ++1. To test your app, access the public endpoint or test endpoint by using the following command: ++ ```bash + curl https://myspringcloud-springapp.azuremicroservices.io/get + ``` ++ You're shown the message `jdbc:sqlserver://SERVER.database.windows.net:1433;database=DATABASE;`. ++## Next steps ++* [How to access Storage blob with managed identity in Azure Spring Apps](https://github.com/Azure-Samples/azure-spring-apps-samples/tree/main/managed-identity-storage-blob) +* [How to enable system-assigned managed identity for applications in Azure Spring Apps](./how-to-enable-system-assigned-managed-identity.md) +* [What are managed identities for Azure resources?](/entra/identity/managed-identities-azure-resources/overview) +* [Authenticate Azure Spring Apps with Key Vault in GitHub Actions](./github-actions-key-vault.md) |
spring-apps | Vmware Tanzu Components | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/vmware-tanzu-components.md | + + Title: VMware Tanzu components in the Azure Spring Apps Enterprise plan +description: Learn about VMware Tanzu components in the Azure Spring Apps Enterprise plan. ++++ Last updated : 06/01/2023++++# VMware Tanzu components in the Azure Spring Apps Enterprise plan ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ❌ Basic/Standard ✔️ Enterprise ++This article describes the VMware Tanzu components offered by the Azure Spring Apps Enterprise plan. ++VMware Tanzu components are commercial products in the VMware Tanzu Application Platform, which is an application development platform with a rich set of developer tools. In the Azure Spring Apps Enterprise plan, you develop with Tanzu components as managed resources with no extra operational costs. You can use Tanzu components for a wide range of developer scenarios, including the following scenarios: ++- Routing requests. +- Managing APIs. +- Managing application configuration. +- Registering and discovering services. +- Monitoring applications in real-time. +- Accelerating development with project templates. ++The Azure Spring Apps Enterprise plan offers the following components: ++- VMware Tanzu Build Service +- Spring Cloud Gateway for VMware Tanzu +- API portal for VMware Tanzu +- Application Configuration Service for VMware Tanzu +- VMware Tanzu Service Registry +- Application Live View for VMware Tanzu +- Application Accelerator for VMware Tanzu ++You also have the flexibility to enable only the components that you need at any time. ++## Tanzu Build Service ++Tanzu Build Service uses the open-source Cloud Native Buildpacks project to turn polyglot application source code into container images. These container images facilitate quick deployment into the public cloud for your Spring, Java, NodeJS, Python, Go, and .NET Core applications. ++Tanzu Build Service provides the following benefits: ++- Automates container creation, management, and governance at enterprise scale. +- Offers a high-level abstraction and balance of control for building applications. +- Reduces the operational burden on developers. +- Supports enterprise IT operators who manage applications at scale. ++For more information, see [Use Tanzu Build Service](how-to-enterprise-build-service.md). ++## Spring Cloud Gateway ++Spring Cloud Gateway is an API gateway solution based on the open-source Spring Cloud Gateway project. You can simplify the routing for internal or external API requests to application services that expose APIs. Spring Cloud Gateway addresses cross-cutting considerations for applications that operate behind the gateway. These considerations include securing, routing, rate limiting, caching, monitoring, resiliency, and hiding applications. You can configure the following features: ++- Single sign-on integration with your preferred identity provider without any additional code or dependencies. +- Dynamic routing rules to applications without any application redeployment. +- Request throttling without any backing services. ++For more information, see [Configure VMware Spring Cloud Gateway](how-to-configure-enterprise-spring-cloud-gateway.md). ++## API Portal ++API portal enables you to find APIs you can use in your own applications. You can view detailed API documentation and try out an API to see if it meets your needs. API portal assembles APIs exposed by Spring Cloud Gateway. ++For more information, see [Use API portal for VMware Tanzu](how-to-use-enterprise-api-portal.md). ++## Application Configuration Service ++Application Configuration Service provides runtime configuration to Spring Boot applications and polyglot applications. Configuration management is hosted in Git repositories to generate runtime configuration properties for applications. ++For more information, see [Use Application Configuration Service for Tanzu](how-to-enterprise-application-configuration-service.md). ++## Tanzu Service Registry ++Tanzu Service Registry provides service registry and discovery capabilities for microservices-based applications and is fully compatible with Eureka server. ++For more information, see [Use Tanzu Service Registry](how-to-enterprise-service-registry.md). ++## Application Live View ++Application Live View is a lightweight insight and troubleshooting tool that helps application developers and operators look inside running applications. Application Live View is based on the concept of Spring Boot Actuators. The application provides information from inside the running processes by using endpoints. Application Live View uses those endpoints to get the data from the application and interact with it. ++For more information, see [Use Application Live View with the Azure Spring Apps Enterprise plan](how-to-use-application-live-view.md). ++## Application Accelerator ++Application Accelerator helps application developers and operators create application accelerators. Accelerators are templates that codify best practices and ensure that important configurations and structures are in place. Developers can bootstrap their applications and immediately get started with feature development. Application operators can create custom accelerators that reflect their desired architectures and configurations and enable fleets of developers to use them. Application Accelerator helps ease operator concerns about whether developers are implementing their best practices. ++For more information, see [Use VMware Tanzu Application Accelerator with the Azure Spring Apps Enterprise plan](how-to-use-accelerator.md). ++## Next steps ++- [Launch your first app](./quickstart.md) |
spring-apps | Vnet Customer Responsibilities | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/vnet-customer-responsibilities.md | + + Title: "Customer responsibilities running Azure Spring Apps in a virtual network" +description: This article describes customer responsibilities running Azure Spring Apps in a virtual network. ++++ Last updated : 11/02/2021++++# Customer responsibilities for running Azure Spring Apps in a virtual network ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise ++This article includes specifications for the use of Azure Spring Apps in a virtual network. ++When Azure Spring Apps is deployed in your virtual network, it has outbound dependencies on services outside of the virtual network. For management and operational purposes, Azure Spring Apps must access certain ports and fully qualified domain names (FQDNs). Azure Spring Apps requires these endpoints to communicate with the management plane and to download and install core Kubernetes cluster components and security updates. ++By default, Azure Spring Apps has unrestricted outbound (egress) internet access. This level of network access allows applications you run to access external resources as needed. If you wish to restrict egress traffic, a limited number of ports and addresses must be accessible for maintenance tasks. The simplest solution to secure outbound addresses is use of a firewall device that can control outbound traffic based on domain names. Azure Firewall, for example, can restrict outbound HTTP and HTTPS traffic based on the FQDN of the destination. You can also configure your preferred firewall and security rules to allow these required ports and addresses. ++## Azure Spring Apps resource requirements ++The following list shows the resource requirements for Azure Spring Apps services. As a general requirement, you shouldn't modify resource groups created by Azure Spring Apps and the underlying network resources. ++- Don't modify resource groups created and owned by Azure Spring Apps. + - By default, these resource groups are named `ap-svc-rt_<service-instance-name>_<region>*` and `ap_<service-instance-name>_<region>*`. + - Don't block Azure Spring Apps from updating resources in these resource groups. +- Don't modify subnets used by Azure Spring Apps. +- Don't create more than one Azure Spring Apps service instance in the same subnet. +- When using a firewall to control traffic, don't block the following egress traffic to Azure Spring Apps components that operate, maintain, and support the service instance. ++## Azure Global required network rules ++| Destination endpoint | Port | Use | Note | +|-||-|-| +| \*:443 *or* [ServiceTag](../../virtual-network/service-tags-overview.md#available-service-tags) - AzureCloud:443 | TCP:443 | Azure Spring Apps Service Management. | For information about the service instance `requiredTraffics`, see the resource payload, under the `networkProfile` section. | +| \*.azurecr.io:443 *or* [ServiceTag](../../virtual-network/service-tags-overview.md#available-service-tags) - AzureContainerRegistry:443 | TCP:443 | Azure Container Registry. | Can be replaced by enabling the *Azure Container Registry* [service endpoint in the virtual network](../../virtual-network/virtual-network-service-endpoints-overview.md). | +| \*.core.windows.net:443 and \*.core.windows.net:445 *or* [ServiceTag](../../virtual-network/service-tags-overview.md#available-service-tags) - Storage:443 and Storage:445 | TCP:443, TCP:445 | Azure Files | Can be replaced by enabling the *Azure Storage* [service endpoint in the virtual network](../../virtual-network/virtual-network-service-endpoints-overview.md). | +| \*.servicebus.windows.net:443 *or* [ServiceTag](../../virtual-network/service-tags-overview.md#available-service-tags) - EventHub:443 | TCP:443 | Azure Event Hubs. | Can be replaced by enabling the *Azure Event Hubs* [service endpoint in the virtual network](../../virtual-network/virtual-network-service-endpoints-overview.md). | +| \*.prod.microsoftmetrics.com:443 *or* [ServiceTag](../../virtual-network/service-tags-overview.md#available-service-tags) - AzureMonitor:443 | TCP:443 | Azure Monitor. | Allows outbound calls to Azure Monitor. | ++## Azure Global required FQDN / application rules ++Azure Firewall provides the FQDN tag **AzureKubernetesService** to simplify the following configurations: ++| Destination FQDN | Port | Use | +|--|--|| +| <i>*.azmk8s.io</i> | HTTPS:443 | Underlying Kubernetes Cluster management. | +| <i>mcr.microsoft.com</i> | HTTPS:443 | Microsoft Container Registry (MCR). | +| <i>*.data.mcr.microsoft.com</i> | HTTPS:443 | MCR storage backed by the Azure CDN. | +| <i>management.azure.com</i> | HTTPS:443 | Underlying Kubernetes Cluster management. | +| <i>login.microsoftonline.com</i> | HTTPS:443 | Microsoft Entra authentication. | +| <i>packages.microsoft.com</i> | HTTPS:443 | Microsoft packages repository. | +| <i>acs-mirror.azureedge.net</i> | HTTPS:443 | Repository required to install required binaries like kubenet and Azure CNI. | ++## Microsoft Azure operated by 21Vianet required network rules ++| Destination endpoint | Port | Use | Note | +|--||-|-| +| \*:443 *or* [ServiceTag](../../virtual-network/service-tags-overview.md#available-service-tags) - AzureCloud:443 | TCP:443 | Azure Spring Apps Service Management. | For information about the service instance `requiredTraffics`, see the resource payload, under the `networkProfile` section. | +| \*.azurecr.cn:443 *or* [ServiceTag](../../virtual-network/service-tags-overview.md#available-service-tags) - AzureContainerRegistry:443 | TCP:443 | Azure Container Registry. | Can be replaced by enabling the *Azure Container Registry* [service endpoint in the virtual network](../../virtual-network/virtual-network-service-endpoints-overview.md). | +| \*.core.chinacloudapi.cn:443 and \*.core.chinacloudapi.cn:445 *or* [ServiceTag](../../virtual-network/service-tags-overview.md#available-service-tags) - Storage:443 and Storage:445 | TCP:443, TCP:445 | Azure Files | Can be replaced by enabling the *Azure Storage* [service endpoint in the virtual network](../../virtual-network/virtual-network-service-endpoints-overview.md). | +| \*.servicebus.chinacloudapi.cn:443 *or* [ServiceTag](../../virtual-network/service-tags-overview.md#available-service-tags) - EventHub:443 | TCP:443 | Azure Event Hubs. | Can be replaced by enabling the *Azure Event Hubs* [service endpoint in the virtual network](../../virtual-network/virtual-network-service-endpoints-overview.md). | +| \*.prod.microsoftmetrics.com:443 *or* [ServiceTag](../../virtual-network/service-tags-overview.md#available-service-tags) - AzureMonitor:443 | TCP:443 | Azure Monitor. | Allows outbound calls to Azure Monitor. | ++## Microsoft Azure operated by 21Vianet required FQDN / application rules ++Azure Firewall provides the FQDN tag `AzureKubernetesService` to simplify the following configurations: ++| Destination FQDN | Port | Use | +||--|| +| <i>*.cx.prod.service.azk8s.cn</i> | HTTPS:443 | Underlying Kubernetes Cluster management. | +| <i>mcr.microsoft.com</i> | HTTPS:443 | Microsoft Container Registry (MCR). | +| <i>*.data.mcr.microsoft.com</i> | HTTPS:443 | MCR storage backed by the Azure CDN. | +| <i>management.chinacloudapi.cn</i> | HTTPS:443 | Underlying Kubernetes Cluster management. | +| <i>login.chinacloudapi.cn</i> | HTTPS:443 | Microsoft Entra authentication. | +| <i>packages.microsoft.com</i> | HTTPS:443 | Microsoft packages repository. | +| <i>*.azk8s.cn</i> | HTTPS:443 | Repository required to install required binaries like kubenet and Azure CNI. | ++## Azure Spring Apps optional FQDN for third-party application performance management ++| Destination FQDN | Port | Use | +|||| +| <i>collector*.newrelic.com</i> | TCP:443/80 | Required networks of New Relic APM agents from US region, also see [APM Agents Networks](https://docs.newrelic.com/docs/using-new-relic/cross-product-functions/install-configure/networks/#agents). | +| <i>collector*.eu01.nr-data.net</i> | TCP:443/80 | Required networks of New Relic APM agents from EU region, also see [APM Agents Networks](https://docs.newrelic.com/docs/using-new-relic/cross-product-functions/install-configure/networks/#agents). | +| <i>*.live.dynatrace.com</i> | TCP:443 | Required network of Dynatrace APM agents. | +| <i>*.live.ruxit.com</i> | TCP:443 | Required network of Dynatrace APM agents. | +| <i>*.saas.appdynamics.com</i> | TCP:443/80 | Required network of AppDynamics APM agents, also see [SaaS Domains and IP Ranges](https://docs.appdynamics.com/display/PAA/SaaS+Domains+and+IP+Ranges). | ++## Azure Spring Apps optional FQDN for Application Insights ++You need to open some outgoing ports in your server's firewall to allow the Application Insights SDK or the Application Insights Agent to send data to the portal. For more information, see the [Outgoing ports](../../azure-monitor/ip-addresses.md#outgoing-ports) section of [IP addresses used by Azure Monitor](../../azure-monitor/ip-addresses.md). ++## Next steps ++- [Access your application in a private network](access-app-virtual-network.md) +- [Expose applications with end-to-end TLS in a virtual network](expose-apps-gateway-end-to-end-tls.md) |
spring-apps | Whats New | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/enterprise/whats-new.md | + + Title: What's new in Azure Spring Apps? +description: Learn about the new features and recent improvements in Azure Spring Apps. +++++ Last updated : 05/23/2023+++# What's new in Azure Spring Apps? ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++Azure Spring Apps is improved on an ongoing basis. To help you stay up to date with the most recent developments, this article provides you with information about the latest releases. ++This article is updated quarterly, so revisit it regularly. You can also visit [Azure updates](https://azure.microsoft.com/updates/?query=azure%20spring), where you can search for updates or browse by category. ++## Q4 2023 ++The following updates are now available in the Enterprise plan: ++- **Spring Cloud Gateway supports a response cache**: The response cache enables services and clients to efficiently store and reuse responses to HTTP requests. You can configure the memory size and the time-to-live of the cache and apply settings at the route-level or globally. For more information, see the [Configure the response cache](how-to-configure-enterprise-spring-cloud-gateway.md?tabs=Azure-portal#configure-the-response-cache) section of [Configure VMware Spring Cloud Gateway](how-to-configure-enterprise-spring-cloud-gateway.md). ++- **API Portal supports enable/disable of the try-out option**: The try-out feature enables you to try out APIs through the centric view of API Portal. You can now easily turn this feature off if there's any security concern. For more information, see the [Try out APIs in API portal](how-to-use-enterprise-api-portal.md?tabs=Portal#try-out-apis-in-api-portal) section of [Use API portal for VMware Tanzu](how-to-use-enterprise-api-portal.md). ++- **Service connector supports application-level settings**: This update enables you to efficiently configure common settings across deployments within one application. For more information, see the following articles: + - [Connect an Azure Cosmos DB database to your application in Azure Spring Apps](how-to-bind-cosmos.md?tabs=Java%2CService-Connector) + - [Connect Azure Cache for Redis to your application in Azure Spring Apps](how-to-bind-redis.md?tabs=Java%2CService-Connector) + - [Connect an Azure Database for MySQL instance to your application in Azure Spring Apps](how-to-bind-mysql.md?tabs=Java%2CService-Connector) + - [Bind an Azure Database for PostgreSQL to your application in Azure Spring Apps](how-to-bind-postgres.md?tabs=JavaFlex%2CPasswordlessflex%2CJavaSingle%2CPasswordlessSingle&pivots=postgresql-passwordless-single-server) ++- **Richer information in the build history**: To help you better troubleshoot build-related issues for your apps, the build history now presents richer information for all builds. For more information, see the [Build history](how-to-enterprise-build-service.md?tabs=azure-portal#build-history) section of [Use Tanzu Build Service](how-to-enterprise-build-service.md). ++The following update is now available in the Enterprise and Basic/Standard plans: ++- **Planned maintenance (public preview)**: Azure Spring Apps regularly patches server-side components that your applications depend on to make sure they are secure and up to date. These components include the JDK, Spring Cloud middleware, APM, base OS image, and runtime infrastructure. For such patches to take effect, you need to restart your applications. With planned maintenance, you can schedule a time on a specific day for such mandatory restarts. For more information, see [How to configure planned maintenance (preview)](how-to-configure-planned-maintenance.md). ++- **Auto sync of certificates**: Some Azure Spring Apps features secure your applications with certificates of your choice. With auto sync of certificates, you can now rotate your certificates in Azure Key Vault and they automatically sync to Azure Spring Apps. This enhancement makes it easier for you to manage features such as custom domain and TLS/SSL settings. For more information, see the [Auto sync certificate](how-to-custom-domain.md?tabs=Azure-portal#auto-sync-certificate) section of [Map an existing custom domain to Azure Spring Apps](how-to-custom-domain.md). ++## Q3 2023 ++The following updates are now available in the Enterprise plan: ++- **Spring Cloud Gateway enables you to set log level per logger name**: Spring Cloud Gateway now supports precise control over the generation of log messages and their respective verbosity levels. This enhancement enables you to concentrate your attention on specific areas within the codebase that warrant closer inspection and monitoring. For more information, see the [Configure log levels](how-to-configure-enterprise-spring-cloud-gateway.md#configure-log-levels) section of [Configure VMware Spring Cloud Gateway](how-to-configure-enterprise-spring-cloud-gateway.md) and [Troubleshoot VMware Spring Cloud Gateway](how-to-troubleshoot-enterprise-spring-cloud-gateway.md). ++- **Spring Cloud Gateway supports a restart operation using the Azure portal and the Azure CLI**: This enhancement enables you to initiate a restart of Spring Cloud Gateway conveniently, either through the Azure portal or by using Azure CLI commands, in alignment with your preferred schedule. For more information, see the [Restart VMware Spring Cloud Gateway](how-to-configure-enterprise-spring-cloud-gateway.md#restart-vmware-spring-cloud-gateway) section of [Configure VMware Spring Cloud Gateway](how-to-configure-enterprise-spring-cloud-gateway.md). ++- **Spring Cloud Gateway supports Cross-Origin Resource Sharing (CORS)**: Spring Cloud Gateway now enables you to restrict access to resources to specific domains by using Cross-Origin Resource Sharing (CORS). For more information, see the [Configure cross-origin resource sharing](how-to-configure-enterprise-spring-cloud-gateway.md#configure-cross-origin-resource-sharing) section of [Configure VMware Spring Cloud Gateway](how-to-configure-enterprise-spring-cloud-gateway.md). ++- **Spring Cloud Gateway exposes addon properties**: This update enables you to configure advanced properties of Spring Cloud Gateway that serve specific use cases that might not be universally recommended. This capability brings you the flexibility to fine-tune Spring Cloud Gateway to address particular scenarios and requirements. For more information, see the [Update add-on configuration](how-to-configure-enterprise-spring-cloud-gateway.md#update-add-on-configuration) section of [Configure VMware Spring Cloud Gateway](how-to-configure-enterprise-spring-cloud-gateway.md). ++- **API Portal supports single sign-on with multiple replicas**: This update removes the restriction that prevents you from getting better reliability by configuring multiple replicas of your API Portal instance when single sign-on is enabled. For more information, see the [Configure single sign-on (SSO)](how-to-use-enterprise-api-portal.md#configure-single-sign-on-sso) section of [Use API portal for VMware Tanzu](how-to-use-enterprise-api-portal.md). ++- **App Accelerator supports Git repositories in Azure DevOps**: Application Accelerator maintains ready-made, enterprise-conformant code and configurations in Git repositories. Now, Application Accelerator enables loading accelerators directly from Git repositories hosted in Azure DevOps. For more information, see the [Manage your own accelerators](how-to-use-accelerator.md#manage-your-own-accelerators) section of [Use VMware Tanzu Application Accelerator with the Azure Spring Apps Enterprise plan](how-to-use-accelerator.md). ++- **App Accelerator supports fragments and sub paths**: Application Accelerator supports fragments, enabling the efficient reuse of sections within an accelerator. This functionality saves you effort when you add new accelerators. For more information, see the [Reference a fragment in your own accelerators](how-to-use-accelerator.md#reference-a-fragment-in-your-own-accelerators) section of [Use VMware Tanzu Application Accelerator with the Azure Spring Apps Enterprise plan](how-to-use-accelerator.md). ++- **Java native image support (preview)**: Native images generally have smaller memory footprints and quicker startup times when compared to their JVM counterparts. With this feature, you can deploy Spring Boot native image applications using the `java-native-image` buildpack. For more information, see the [Deploy Java Native Image applications](how-to-enterprise-deploy-polyglot-apps.md#deploy-java-native-image-applications-preview) section of [How to deploy polyglot apps in the Azure Spring Apps Enterprise plan](how-to-enterprise-deploy-polyglot-apps.md). ++- **Support for the PHP Buildpack**: You can deploy PHP apps directly from source code and receive continuous maintenance (CVE fixes) for the automatic built images. For more information, see the [Deploy PHP applications](how-to-enterprise-deploy-polyglot-apps.md#deploy-php-applications) section of [How to deploy polyglot apps in the Azure Spring Apps Enterprise plan](how-to-enterprise-deploy-polyglot-apps.md). ++- **New Relic APM support for .NET apps**: New Relic is a software analytics tool suite to measure and monitor performance bottlenecks, throughput, service health, and more. This update enables you to bind your .NET application with New Relic Application Performance Monitoring (APM). For more information, see the [Supported APM types](how-to-enterprise-configure-apm-integration-and-ca-certificates.md#supported-apm-types) section of [How to configure APM integration and CA certificates](how-to-enterprise-configure-apm-integration-and-ca-certificates.md). ++The following update is now available in the Standard consumption and dedicated plan: ++- **JHipster Azure Spring Apps**: With the collaboration between the [JHipster](https://www.jhipster.tech/azure/) and Azure Spring Apps teams, JHipster Azure Spring Apps is designed to streamline your full-stack Spring application development and deployment from end to end. For more information, see [Build and deploy your full-stack Spring app with JHipster Azure Spring Apps](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-and-deploy-your-full-stack-spring-app-with-jhipster-azure/ba-p/3923268). ++## Q2 2023 ++The following update announces a new plan: ++- **Azure Spring Apps Consumption and Dedicated plan**: This plan offers you customizable compute options (including memory optimization), single tenancy, and high availability to help you achieve price predictability, cost savings, and performance for running Spring applications at scale. For more information, see [Unleash Spring apps in a flex environment with Azure Spring Apps Consumption and Dedicated plans](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/unleash-spring-apps-in-a-flex-environment-with-azure-spring-apps/ba-p/3828232). ++The following update is now available in all plans: ++- **Azure Migrate for Spring Apps**: Discover and assess your Spring workloads for cloud readiness and get a price estimate for Azure Spring Apps using Azure Migrate. For more information, see [Discover and Assess Spring Apps with Azure Migrate - Preview Sign-Up](https://aka.ms/discover-spring-apps). ++The following update is now available in the Consumption and Basic/Standard plans: ++- **Azure Developer CLI (azd) for Azure Spring Apps**: Azure Developer CLI (azd) is an open-source tool that accelerates the time it takes for you to get your application from local development environment to Azure. You can now initialize, package, provision, and deploy a Spring application to Azure Spring Apps with only a few commands. Try it out using [Quickstart: Deploy your first web application to Azure Spring Apps](quickstart-deploy-web-app.md). ++The following updates are now available in the Enterprise plan: ++- **Shareable build result among Azure Spring Apps Enterprise instances (preview)**: This update enables you to have full visibility for Azure Spring Apps built images through bring-your-own Azure Container Registry (ACR) to support the following scenarios: ++ - Build and test in a PREPROD environment and deploy to multiple PROD environments with the verified images. + - Orchestrate a secure CICD pipeline to plug in any steps between build and deploy actions. ++ For more information, see [How to deploy polyglot apps in the Azure Spring Apps Enterprise plan](how-to-enterprise-deploy-polyglot-apps.md) and [Use Azure Spring Apps CI/CD with GitHub Actions](how-to-github-actions.md?pivots=programming-language-java). ++- **High Availability support for App Accelerator and App Live View**: App Accelerator and App Live View now support multiple replicas to offer high availability. For more information, see [Configure Tanzu Dev Tools in the Azure Spring Apps Enterprise plan](how-to-use-dev-tool-portal.md). ++- **Spring Cloud Gateway auto scaling**: Spring Cloud Gateway now supports auto scaling to better serve the elastic traffic without the hassle of manual scaling. For more information, see the [Set up autoscale settings](how-to-configure-enterprise-spring-cloud-gateway.md?tabs=Azure-portal#set-up-autoscale-settings) section of [Configure VMware Spring Cloud Gateway](how-to-configure-enterprise-spring-cloud-gateway.md). ++- **Application Configuration Service ΓÇô polyglot support**: This update enables you to use Application Configuration Service to manage external configurations for any polyglot app, such as .NET, Go, and so on. For more information, see the [Polyglot support](how-to-enterprise-application-configuration-service.md#polyglot-support) section of [Use Application Configuration Service for Tanzu](how-to-enterprise-application-configuration-service.md). ++- **Application Configuration Service ΓÇô enhanced performance and security**: This update provides a dramatic performance enhancement in Git monitoring operations. This enhancement enables faster updates for configuration and certification verification over TLS between Application Configuration Service and Git repos. For more information, see [Use Application Configuration Service for Tanzu](how-to-enterprise-application-configuration-service.md). ++- **1000 app instance support (preview)**: We've increased the maximum app instance count for one Azure Spring Apps Enterprise service instance to 1000 to support large-scale microservice clusters. For more information, see [Quotas and service plans for Azure Spring Apps](quotas.md). ++- **App Accelerator certificate verification**: This update provides certification verification over TLS between App Accelerator and Git repos. For more information, see the [Configure accelerators with a self-signed certificate](how-to-use-accelerator.md#configure-accelerators-with-a-self-signed-certificate) section of [Use VMware Tanzu Application Accelerator with the Azure Spring Apps Enterprise plan](how-to-use-accelerator.md). ++## Q1 2023 ++The following updates are now available in both the Basic/Standard and Enterprise plans: ++- **Source code assessment for migration**: Assess your existing on-premises Spring applications for their readiness to migrate to Azure Spring Apps with Cloud Suitability Analyzer. This tool provides information on what types of changes are needed for migration, and how much effort is involved. For more information, see [Assess Spring applications with Cloud Suitability Analyzer](/azure/developer/java/migration/cloud-suitability-analyzer). ++The following updates are now available in the Enterprise plan: ++- **More options for build pools and enable queueing of build jobs**: Build service now supports a large build agent pool and enables at most one pool-sized build task to build, and twice the pool-sized build tasks to queue. For more information, see the [Build agent pool](how-to-enterprise-build-service.md#build-agent-pool) section of [Use Tanzu Build Service](how-to-enterprise-build-service.md). ++- **Improved SLA support**: Improved SLA for mission-critical workloads. For more information, see [SLA for Azure Spring Apps](https://azure.microsoft.com/support/legal/sla/spring-apps). ++- **High vCPU and memory app support**: Deployment support for large CPU and memory applications to support CPU intensive or memory intensive workloads. For more information, see [Deploy large CPU and memory applications in Azure Spring Apps in the Enterprise plan](how-to-enterprise-large-cpu-memory-applications.md). ++- **SCG APM & certificate verification support**: You can enable the configuration of APM and TLS certificate verification between Spring Cloud Gateway and applications. For more information, see the [Configure application performance monitoring](how-to-configure-enterprise-spring-cloud-gateway.md#configure-application-performance-monitoring) section of [Configure VMware Spring Cloud Gateway](how-to-configure-enterprise-spring-cloud-gateway.md). ++- **Tanzu Components on demand**: You can enable or disable Tanzu components after service provisioning. You can also learn how to do that per Tanzu component doc. For more information, see the [Enable/disable Application Configuration Service after service creation](how-to-enterprise-application-configuration-service.md#enabledisable-application-configuration-service-after-service-creation) section of [Use Application Configuration Service for Tanzu](how-to-enterprise-application-configuration-service.md). ++## Q4 2022 ++The following updates are now available in both the Basic/Standard and Enterprise plans: ++- **Ingress Settings**: With ingress settings, you can manage Azure Spring Apps traffic on the application level. This capability includes protocol support for gRPC, WebSocket and RSocket-on-WebSocket, session affinity, and send/read timeout. For more information, see [Customize the ingress configuration in Azure Spring Apps](how-to-configure-ingress.md). ++- **Remote debugging**: Now, you can remotely debug your apps in Azure Spring Apps using IntelliJ or VS Code. For security reasons, by default, Azure Spring Apps disables remote debugging. You can enable remote debugging for your apps using Azure portal or Azure CLI and start debugging. For more information, see [Debug your apps remotely in Azure Spring Apps](how-to-remote-debugging-app-instance.md). ++- **Connect to app instance shell environment for troubleshooting**: Azure Spring Apps offers many ways to troubleshoot your applications. For developers who like to inspect an app instance running environment, you can connect to the app instanceΓÇÖs shell environment and troubleshoot it. For more information, see [Connect to an app instance for troubleshooting](how-to-connect-to-app-instance-for-troubleshooting.md). ++The following updates are now available in the Enterprise plan: ++- **New managed Tanzu component - Application Live View from Tanzu Application Platform**: a lightweight insight and troubleshooting tool based on Spring Boot Actuators that helps app developers and app operators look inside running apps. Applications provide information from inside the running processes using HTTP endpoints. Application Live View uses those endpoints to retrieve and interact with the data from applications. For more information, see [Use Application Live View with the Azure Spring Apps Enterprise plan](how-to-use-application-live-view.md). ++- **New managed Tanzu component ΓÇô Application Accelerators from Tanzu Application Platform**: can speed up the process of building and deploying applications. They help you to bootstrap your applications and deploy them in a discoverable and repeatable way. For more information, see [Use VMware Tanzu Application Accelerator with the Azure Spring Apps Enterprise plan](how-to-use-accelerator.md). ++- **Directly deploy static files**: If you have applications that have only static files such as HTML, you can directly deploy them with an automatically configured web server such as HTTPD and NGINX. This deployment capability includes front-end applications built with a JavaScript framework of your choice. You can do this deployment by using Tanzu Web Servers buildpack in behind. For more information, see [Deploy web static files](how-to-enterprise-deploy-static-file.md). ++- **Managed Spring Cloud Gateway enhancement**: We have newly added app-level routing rule support to simplify your routing rule configuration and TLS support from the gateway to apps in managed Spring Cloud Gateway. For more information, see [Use Spring Cloud Gateway](how-to-use-enterprise-spring-cloud-gateway.md). ++## Q3 2022 ++The following updates are now available to help customers reduce adoption barriers and pricing frictions to take full advantage of the capabilities offered by Azure Spring Apps Enterprise. ++- **Price Reduction**: We have reduced the base unit of Azure Spring Apps Standard and Enterprise to 6 vCPUs and 12 GB of Memory and reduced the overage prices for vCPU and Memory. For more information, see [Azure Spring Apps pricing](https://azure.microsoft.com/pricing/details/spring-apps/) ++- **Monthly Free Grant**: The first 50 vCPU-hours and 100 memory GB hours are free each month. For more information, see [Azure Spring Apps pricing](https://azure.microsoft.com/pricing/details/spring-apps/) ++You can compare the price change from [Price Reduction - Azure Spring Apps does more, costs less!](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/price-reduction-azure-spring-apps-does-more-costs-less/ba-p/3614058). ++## See also ++For older updates, see [Azure updates](https://azure.microsoft.com/updates/?query=azure%20spring). |
spring-apps | Expose Apps Gateway End To End Tls | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/expose-apps-gateway-end-to-end-tls.md | - Title: Expose applications with end-to-end TLS in a virtual network using Application Gateway- -description: How to expose applications to the internet using Application Gateway ---- Previously updated : 02/28/2022--# ms.devlang: java, azurecli ---# Expose applications with end-to-end TLS in a virtual network --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise --This article explains how to expose applications to the internet using Application Gateway. When an Azure Spring Apps service instance is deployed in your virtual network, applications on the service instance are only accessible in the private network. To make the applications accessible on the Internet, you need to integrate with Azure Application Gateway. --## Prerequisites --- [Azure CLI version 2.0.4 or later](/cli/azure/install-azure-cli).-- An Azure Spring Apps service instance deployed in a virtual network with an application accessible over the private network using the default `.private.azuremicroservices.io` domain suffix. For more information, see [Deploy Azure Spring Apps in a virtual network](./how-to-deploy-in-azure-virtual-network.md)-- A custom domain to be used to access the application.-- A certificate, stored in Key Vault, which matches the custom domain to be used to establish the HTTPS listener. For more information, see [Tutorial: Import a certificate in Azure Key Vault](../key-vault/certificates/tutorial-import-certificate.md).--## Configure Application Gateway for Azure Spring Apps --We recommend that the domain name, as seen by the browser, is the same as the host name which Application Gateway uses to direct traffic to the Azure Spring Apps back end. This recommendation provides the best experience when using Application Gateway to expose applications hosted in Azure Spring Apps and residing in a virtual network. If the domain exposed by Application Gateway is different from the domain accepted by Azure Spring Apps, cookies and generated redirect URLs (for example) can be broken. For more information, see [Host name preservation](/azure/architecture/best-practices/host-name-preservation). --To configure Application Gateway in front of Azure Spring Apps, use the following steps. --1. Follow the instructions in [Deploy Azure Spring Apps in a virtual network](./how-to-deploy-in-azure-virtual-network.md). -1. Follow the instructions in [Access your application in a private network](./access-app-virtual-network.md). -1. Acquire a certificate for your domain of choice and store that in Key Vault. For more information, see [Tutorial: Import a certificate in Azure Key Vault](../key-vault/certificates/tutorial-import-certificate.md). -1. Configure a custom domain and corresponding certificate from Key Vault on an app deployed onto Azure Spring Apps. For more information, see [Tutorial: Map an existing custom domain to Azure Spring Apps](./how-to-custom-domain.md). -1. Deploy Application Gateway in a virtual network configured according to the following list: - - Use Azure Spring Apps in the backend pool, referenced by the domain suffixed with `private.azuremicroservices.io`. - - Include an HTTPS listener using the same certificate from Key Vault. - - Configure the virtual network with HTTP settings that use the custom domain name configured on Azure Spring Apps instead of the domain suffixed with `private.azuremicroservices.io`. -1. Configure your public DNS to point to Application Gateway. --## Define variables --Next, use the following commands to define variables for the resource group and virtual network you created as directed in [Deploy Azure Spring Apps in a virtual network](./how-to-deploy-in-azure-virtual-network.md). Customize the values based on your real environment. When you define `SPRING_APP_PRIVATE_FQDN`, remove `https://` from the URI. --```bash -export SUBSCRIPTION='subscription-id' -export RESOURCE_GROUP='my-resource-group' -export LOCATION='eastus' -export SPRING_CLOUD_NAME='name-of-spring-cloud-instance' -export APPNAME='name-of-app-in-azure-spring-apps' -export SPRING_APP_PRIVATE_FQDN='$APPNAME.private.azuremicroservices.io' -export VIRTUAL_NETWORK_NAME='azure-spring-apps-vnet' -export APPLICATION_GATEWAY_SUBNET_NAME='app-gw-subnet' -export APPLICATION_GATEWAY_SUBNET_CIDR='10.1.2.0/24' -``` --## Sign in to Azure --Use the following command to sign in to the Azure CLI and choose your active subscription. --```azurecli -az login -az account set --subscription $SUBSCRIPTION -``` --## Acquire a certificate --### [Use a publicly signed certificate](#tab/public-cert) --For production deployments, you'll most likely use a publicly signed certificate. In this case, import the certificate in Azure Key Vault. For more information, see [Tutorial: Import a certificate in Azure Key Vault](../key-vault/certificates/tutorial-import-certificate.md). Make sure the certificate includes the entire certificate chain. --### [Use a self-signed certificate](#tab/self-signed-cert) --When you need a self-signed certificate for testing or development, you need to create it. You'll also need to ensure that the list of "Subject Alternative Names" in the certificate contains the domain name on which you'll expose the application. When creating a self-signed certificate through Azure Key Vault, you can do so through the Azure portal. Alternatively, when using the Azure CLI, you'll need a policy JSON file. --To request the default policy, use the following command: --```azurecli -az keyvault certificate get-default-policy -``` --Next, adapt the policy JSON as shown in the following example, indicating the `subject` and `SubjectAlternativeNames`: --```json -{ - // ... - "subject": "C=US, ST=WA, L=Redmond, O=Contoso, OU=Contoso HR, CN=myapp.mydomain.com", - "subjectAlternativeNames": { - "dnsNames": [ - "myapp.mydomain.com", - "*.myapp.mydomain.com" - ], - "emails": [ - "hello@contoso.com" - ], - "upns": [] - } - // ... -} -``` --After you've finished updating the policy JSON (see [Update Certificate Policy](/rest/api/keyvault/certificates/update-certificate-policy/update-certificate-policy)), you can create a self-signed certificate in Key Vault by using the following commands: --```azurecli -export KV_NAME='name-of-key-vault' -export CERT_NAME_IN_KEY_VAULT='name-of-certificate-in-key-vault' --az keyvault certificate create \ - --vault-name $KV_NAME \ - --name $CERT_NAME_IN_KEY_VAULT \ - --policy "$KV_CERT_POLICY" -``` ----## Configure the public domain name on Azure Spring Apps --Traffic will enter the application deployed on Azure Spring Apps using the public domain name. To configure your application to listen to this host name and do so over HTTPS, use the following commands to add a custom domain to your app: --```azurecli -export KV_NAME='name-of-key-vault' -export KV_RG='resource-group-name-of-key-vault' -export CERT_NAME_IN_AZURE_SPRING_APPS='name-of-certificate-in-Azure-Spring-Apps' -export CERT_NAME_IN_KEY_VAULT='name-of-certificate-with-intermediaries-in-key-vault' -export DOMAIN_NAME=myapp.mydomain.com --# provide permissions to Azure Spring Apps to read the certificate from Key Vault: -export VAULTURI=$(az keyvault show \ - --resource-group $KV_RG \ - --name $KV_NAME \ - --query properties.vaultUri \ - --output tsv) --# get the object id for the Azure Spring Apps Domain-Management Service Principal: -export ASADM_OID=$(az ad sp show \ - --id 03b39d0f-4213-4864-a245-b1476ec03169 \ - --query objectId \ - --output tsv) --# allow this Service Principal to read and list certificates and secrets from Key Vault: -az keyvault set-policy \ - --resource-group $KV_RG \ - --name $KV_NAME \ - --object-id $ASADM_OID \ - --certificate-permissions get list \ - --secret-permissions get list --# add custom domain name and configure TLS using the certificate: -az spring certificate add \ - --resource-group $RESOURCE_GROUP \ - --service $SPRING_CLOUD_NAME \ - --name $CERT_NAME_IN_AZURE_SPRING_APPS \ - --vault-certificate-name $CERT_NAME_IN_KEY_VAULT \ - --vault-uri $VAULTURI -az spring app custom-domain bind \ - --resource-group $RESOURCE_GROUP \ - --service $SPRING_CLOUD_NAME \ - --domain-name $DOMAIN_NAME \ - --certificate $CERT_NAME_IN_AZURE_SPRING_APPS \ - --app $APPNAME -``` -## Create network resources --The Azure Application Gateway to be created will join the same virtual network as--or peered virtual network to--the Azure Spring Apps service instance. First create a new subnet for the Application Gateway in the virtual network using `az network vnet subnet create`, and also create a Public IP address as the Frontend of the Application Gateway using `az network public-ip create`. --```azurecli -export APPLICATION_GATEWAY_PUBLIC_IP_NAME='app-gw-public-ip' -az network vnet subnet create \ - --name $APPLICATION_GATEWAY_SUBNET_NAME \ - --resource-group $RESOURCE_GROUP \ - --vnet-name $VIRTUAL_NETWORK_NAME \ - --address-prefix $APPLICATION_GATEWAY_SUBNET_CIDR -az network public-ip create \ - --resource-group $RESOURCE_GROUP \ - --location $LOCATION \ - --name $APPLICATION_GATEWAY_PUBLIC_IP_NAME \ - --allocation-method Static \ - --sku Standard -``` --## Create a managed identity for Application Gateway --Application Gateway will need to be able to access Key Vault to read the certificate. To do so, it will use a user-assigned [managed identity](/entra/identity/managed-identities-azure-resources/overview). Create the managed identity by using the following command: --```azurecli -export APPGW_IDENTITY_NAME='name-for-appgw-managed-identity' -az identity create \ - --resource-group $RESOURCE_GROUP \ - --name $APPGW_IDENTITY_NAME -``` --Then fetch the objectId for the managed identity as it will be used later on to give rights to access the certificate in Key Vault: --```azurecli -export APPGW_IDENTITY_CLIENTID=$(az identity show \ - --resource-group $RESOURCE_GROUP \ - --name $APPGW_IDENTITY_NAME \ - --query clientId \ - --output tsv) -export APPGW_IDENTITY_OID=$(az ad sp show \ - --id $APPGW_IDENTITY_CLIENTID \ - --query objectId \ - --output tsv) -``` --## Set policy on Key Vault --Configure Key Vault using the following command so that the managed identity for Application Gateway is allowed to access the certificate stored in Key Vault: --```azurecli -az keyvault set-policy \ - --name $KV_NAME \ - --resource-group $KV_RG \ - --object-id $APPGW_IDENTITY_OID \ - --secret-permissions get list \ - --certificate-permissions get list -``` --## Create Application Gateway --Create an application gateway using `az network application-gateway create` and specify your application's private fully qualified domain name (FQDN) as servers in the backend pool. Make sure to use the user-assigned managed identity and to point to the certificate in Key Vault using the certificate's Secret ID. Then update the HTTP setting using `az network application-gateway http-settings update` to use the public host name. --```azurecli -export APPGW_NAME='name-for-application-gateway' --export KEYVAULT_SECRET_ID_FOR_CERT=$(az keyvault certificate show \ - --name $CERT_NAME_IN_KEY_VAULT \ - --vault-name $KV_NAME \ - --query sid \ - --output tsv) --az network application-gateway create \ - --name $APPGW_NAME \ - --resource-group $RESOURCE_GROUP \ - --location $LOCATION \ - --capacity 2 \ - --sku Standard_v2 \ - --frontend-port 443 \ - --http-settings-cookie-based-affinity Disabled \ - --http-settings-port 443 \ - --http-settings-protocol Https \ - --public-ip-address $APPLICATION_GATEWAY_PUBLIC_IP_NAME \ - --vnet-name $VIRTUAL_NETWORK_NAME \ - --subnet $APPLICATION_GATEWAY_SUBNET_NAME \ - --servers $SPRING_APP_PRIVATE_FQDN \ - --key-vault-secret-id $KEYVAULT_SECRET_ID_FOR_CERT \ - --identity $APPGW_IDENTITY_NAME -``` --It can take up to 30 minutes for Azure to create the application gateway. --### Update HTTP Settings to use the domain name towards the backend --#### [Use a publicly signed certificate](#tab/public-cert-2) --Update the HTTP settings to use the public domain name as the hostname instead of the domain suffixed with ".private.azuremicroservices.io" to send traffic to Azure Spring Apps with. --```azurecli -az network application-gateway http-settings update \ - --resource-group $RESOURCE_GROUP \ - --gateway-name $APPGW_NAME \ - --host-name-from-backend-pool false \ - --host-name $DOMAIN_NAME \ - --name appGatewayBackendHttpSettings -``` --#### [Use a self-signed certificate](#tab/self-signed-cert-2) --Update the HTTP settings to use the public domain name as the hostname instead of the domain suffixed with ".private.azuremicroservices.io" to send traffic to Azure Spring Apps with. Given that a self-signed certificate is used, it will need to be allow-listed on the HTTP Settings of Application Gateway. --To allowlist the certificate, first fetch the public portion of it from Key Vault by using the following command: --```azurecli -az keyvault certificate download \ - --vault-name $KV_NAME \ - --name $CERT_NAME_IN_KEY_VAULT \ - --file ./selfsignedcert.crt \ - --encoding DER -``` --Then upload it to Application Gateway using this command: --```azurecli -az network application-gateway root-cert create \ - --resource-group $RG \ - --cert-file ./selfsignedcert.crt \ - --gateway-name $APPGW_NAME \ - --name MySelfSignedTrustedRootCert -``` --Now you can update the HTTP Settings to trust the new (self-signed) root certificate by using this command: --```azurecli -az network application-gateway http-settings update \ - --resource-group $RG \ - --gateway-name $APPGW_NAME \ - --host-name-from-backend-pool false \ - --host-name $DOMAIN_NAME \ - --name appGatewayBackendHttpSettings \ - --root-certs MySelfSignedTrustedRootCert -``` ----### Check the deployment of Application Gateway --After it's created, check the backend health by using the following command. The output of this command enables you to determine whether the application gateway reaches your application through its private FQDN. --```azurecli -az network application-gateway show-backend-health \ - --name $APPGW_NAME \ - --resource-group $RESOURCE_GROUP -``` --The output indicates the healthy status of backend pool, as shown in the following example: --```output -{ - "backendAddressPools": [ - { - "backendHttpSettingsCollection": [ - { - "servers": [ - { - "address": "my-azure-spring-apps-hello-vnet.private.azuremicroservices.io", - "health": "Healthy", - "healthProbeLog": "Success. Received 200 status code", - "ipConfiguration": null - } - ] - } - ] - } - ] -} -``` --## Configure DNS and access the application --Now configure the public DNS to point to Application Gateway using a CNAME or A-record. You can find the public address for Application Gateway by using the following command: --```azurecli -az network public-ip show \ - --resource-group $RESOURCE_GROUP \ - --name $APPLICATION_GATEWAY_PUBLIC_IP_NAME \ - --query [ipAddress] \ - --output tsv -``` --You can now access the application using the public domain name. --## Next steps --- [Troubleshooting Azure Spring Apps in VNET](./troubleshooting-vnet.md)-- [Customer Responsibilities for Running Azure Spring Apps in VNET](./vnet-customer-responsibilities.md) |
spring-apps | Expose Apps Gateway Tls Termination | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/expose-apps-gateway-tls-termination.md | - Title: "Expose applications to the internet using Application Gateway with TLS termination"- -description: How to expose applications to internet using Application Gateway with TLS termination ---- Previously updated : 11/09/2021----# Expose applications to the internet with TLS Termination at Application Gateway --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --This article explains how to expose applications to the internet using Application Gateway. --When an Azure Spring Apps service instance is deployed in your virtual network (VNET), applications on the service instance are only accessible in the private network. To make the applications accessible on the Internet, you need to integrate with Azure Application Gateway. The incoming encrypted traffic can be decrypted at the application gateway or it can be passed to Azure Spring Apps encrypted to achieve end-to-end TLS/SSL. For dev and test purposes, you can start with SSL termination at the application gateway, which is covered in this guide. For production, we recommend end-to-end TLS/SSL with private certificate, as described in [Expose applications with end-to-end TLS in a virtual network](expose-apps-gateway-end-to-end-tls.md). --## Prerequisites --- [Azure CLI version 2.0.4 or later](/cli/azure/install-azure-cli).-- An Azure Spring Apps service instance deployed in a virtual network with an application accessible over the private network using the default `.private.azuremicroservices.io` domain suffix. For more information, see [Deploy Azure Spring Apps in a virtual network](how-to-deploy-in-azure-virtual-network.md)-- A custom domain to be used to access the application.-- A certificate, stored in Key Vault, which matches the custom domain to be used to establish the HTTPS listener. For more information, see [Tutorial: Import a certificate in Azure Key Vault](../key-vault/certificates/tutorial-import-certificate.md).--## Configure Application Gateway for Azure Spring Apps --We recommend that the domain name, as seen by the browser, is the same as the host name which Application Gateway uses to direct traffic to the Azure Spring Apps back end. This recommendation provides the best experience when using Application Gateway to expose applications hosted in Azure Spring Apps and residing in a virtual network. If the domain exposed by Application Gateway is different from the domain accepted by Azure Spring Apps, cookies and generated redirect URLs (for example) can be broken. For more information, see [Host name preservation](/azure/architecture/best-practices/host-name-preservation). --To configure Application Gateway in front of Azure Spring Apps in a private VNET, use the following steps. --1. Follow the instructions in [Deploy Azure Spring Apps in a virtual network](how-to-deploy-in-azure-virtual-network.md). -1. Follow the instructions in [Access your application in a private network](access-app-virtual-network.md). -1. Acquire a certificate for your domain of choice and store that in Key Vault. For more information, see [Tutorial: Import a certificate in Azure Key Vault](../key-vault/certificates/tutorial-import-certificate.md). -1. Configure a custom domain and corresponding certificate from Key Vault on an app deployed onto Azure Spring Apps. For more information, see [Tutorial: Map an existing custom domain to Azure Spring Apps](how-to-custom-domain.md). -1. Deploy Application Gateway in a virtual network configured according to the following list: - - Use Azure Spring Apps in the backend pool, referenced by the domain suffixed with `private.azuremicroservices.io`. - - Include an HTTPS listener using the same certificate from Key Vault. - - Configure the virtual network with HTTP settings that use the custom domain name configured on Azure Spring Apps instead of the domain suffixed with `private.azuremicroservices.io`. -1. Configure your public DNS to point to the application gateway. --## Define variables --Next, use the following commands to define variables for the resource group and virtual network you created as directed in [Deploy Azure Spring Apps in a virtual network](how-to-deploy-in-azure-virtual-network.md). Replace the *\<...>* placeholders with real values based on your actual environment. When you define `SPRING_APP_PRIVATE_FQDN`, remove `https://` from the URI. --```bash -export SUBSCRIPTION='<subscription-id>' -export RESOURCE_GROUP='<resource-group-name>' -export LOCATION='eastus' -export SPRING_CLOUD_NAME='<name-of-Azure-Spring-Apps-instance>' -export APPNAME='<name-of-app-in-Azure-Spring-Apps>' -export SPRING_APP_PRIVATE_FQDN='$APPNAME.private.azuremicroservices.io' -export VIRTUAL_NETWORK_NAME='azure-spring-apps-vnet' -export APPLICATION_GATEWAY_SUBNET_NAME='app-gw-subnet' -export APPLICATION_GATEWAY_SUBNET_CIDR='10.1.2.0/24' -``` --## Sign in to Azure --Use the following command to sign in to the Azure CLI and choose your active subscription. --```azurecli -az login -az account set --subscription $SUBSCRIPTION -``` --## Configure the public domain name on Azure Spring Apps --Traffic will enter the application deployed on Azure Spring Apps using the public domain name. To configure your application to listen to this host name over HTTP, use the following commands to add a custom domain to your app, replacing the *\<...>* placeholders with real values: --```azurecli -export KV_NAME='<name-of-key-vault>' -export KV_RG='<resource-group-name-of-key-vault>' -export CERT_NAME_IN_KV='<name-of-certificate-with-intermediaries-in-key-vault>' -export DOMAIN_NAME=myapp.mydomain.com --az spring app custom-domain bind \ - --resource-group $RESOURCE_GROUP \ - --service $SPRING_CLOUD_NAME \ - --domain-name $DOMAIN_NAME \ - --app $APPNAME -``` --## Create network resources --The application gateway to be created will join the same virtual network as the Azure Spring Apps service instance. First, create a new subnet for the application gateway in the virtual network, then create a public IP address as the frontend of the application gateway, as shown in the following example. --```azurecli -export APPLICATION_GATEWAY_PUBLIC_IP_NAME='app-gw-public-ip' -az network vnet subnet create \ - --name $APPLICATION_GATEWAY_SUBNET_NAME \ - --resource-group $RESOURCE_GROUP \ - --vnet-name $VIRTUAL_NETWORK_NAME \ - --address-prefix $APPLICATION_GATEWAY_SUBNET_CIDR -az network public-ip create \ - --resource-group $RESOURCE_GROUP \ - --location $LOCATION \ - --name $APPLICATION_GATEWAY_PUBLIC_IP_NAME \ - --allocation-method Static \ - --sku Standard -``` --### Create a managed identity for the application gateway --Your application gateway will need to be able to access Key Vault to read the certificate. To do this, the application gateway will use a user-assigned managed identity. For more information, see [What are managed identities for Azure resources?](/entra/identity/managed-identities-azure-resources/overview) Create the managed identity by using the following command, replacing the *\<...>* placeholder: --```azurecli -export APPGW_IDENTITY_NAME='<name-for-appgw-managed-identity>' -az identity create \ - --resource-group $RESOURCE_GROUP \ - --name $APPGW_IDENTITY_NAME -``` --Then, use the following command to fetch the `objectId` for the managed identity. This value will be used later on to give rights to access the certificate in Key Vault. --```azurecli -export APPGW_IDENTITY_CLIENTID=$(az identity show \ - --resource-group $RESOURCE_GROUP \ - --name $APPGW_IDENTITY_NAME \ - --query clientId \ - --output tsv) -export APPGW_IDENTITY_OID=$(az ad sp show \ - --id $APPGW_IDENTITY_CLIENTID \ - --query objectId \ - --output tsv) -``` --### Set policy on Key Vault --Configure Key Vault using the following command so that the managed identity for the application gateway is allowed to access the certificate stored in Key Vault: --```azurecli -az keyvault set-policy \ - --resource-group $KV_RG \ - --name $KV_NAME \ - --object-id $APPGW_IDENTITY_OID \ - --secret-permissions get list \ - --certificate-permissions get list -``` --## Create an application gateway --### [CLI](#tab/azure-cli) --Create an application gateway using `az network application-gateway create` and specify your application's private fully qualified domain name (FQDN) as servers in the backend pool. Be sure to use the user-assigned managed identity and point to the certificate in Key Vault using the certificate's secret ID. --```azurecli -export APPGW_NAME='<name-for-application-gateway>' -export CERT_NAME_IN_KV='<name-of-certificate-in-key-vault>' -export KEYVAULT_SECRET_ID_FOR_CERT=$(az keyvault certificate show \ - --name $CERT_NAME_IN_KV \ - --vault-name $KV_NAME \ - --query sid \ - --output tsv) --az network application-gateway create \ - --name $APPGW_NAME \ - --resource-group $RESOURCE_GROUP \ - --location $LOCATION \ - --capacity 2 \ - --sku Standard_v2 \ - --frontend-port 443 \ - --http-settings-cookie-based-affinity Disabled \ - --http-settings-port 80 \ - --http-settings-protocol Http \ - --public-ip-address $APPLICATION_GATEWAY_PUBLIC_IP_NAME \ - --vnet-name $VIRTUAL_NETWORK_NAME \ - --subnet $APPLICATION_GATEWAY_SUBNET_NAME \ - --servers $SPRING_APP_PRIVATE_FQDN \ - --key-vault-secret-id $KEYVAULT_SECRET_ID_FOR_CERT \ - --identity $APPGW_IDENTITY_NAME -``` --It can take up to 30 minutes for Azure to create the application gateway. --### [Azure portal](#tab/azure-portal) --Create an application gateway using the following steps to enable SSL termination at the application gateway. --1. Sign in to the Azure portal and create a new Application Gateway resource. -1. Fill in the required fields for creating the application gateway. Leave the default values as they are. -1. After you provide a value for the **Virtual network** field, the **Subnet** field appears. Create a separate subnet for the application gateway in the VNET, as shown in the following screenshot. -- :::image type="content" source="media/expose-apps-gateway-tls-termination/create-application-gateway-basics.png" alt-text="Screenshot of Azure portal 'Create application gateway' page."::: --1. Create a public IP address and assign it to the frontend of the application gateway, as shown in the following screenshot. -- :::image type="content" source="media/expose-apps-gateway-tls-termination/create-frontend-ip.png" alt-text="Screenshot of Azure portal showing Frontends tab of 'Create application gateway' page."::: --1. Create a backend pool for the application gateway. Select **Target** as your FQDN of the application deployed in Azure Spring Apps. -- :::image type="content" source="media/expose-apps-gateway-tls-termination/create-backend-pool.png" alt-text="Screenshot of Azure portal 'Add a backend pool' page."::: --1. Create a routing rule with HTTP listener. - 1. Select the public IP that you created earlier. - 1. Select **HTTPS** as protocol and **443** as port. - 1. Choose a certificate from Key Vault. - 1. Select the managed identity you created earlier. - 1. Select the right key vault and certificate, which were added to the key vault earlier. -- :::image type="content" source="media/expose-apps-gateway-tls-termination/create-routingrule-with-http-listener.png" alt-text="Screenshot of Azure portal 'Add a routing rule' page."::: -- 1. Select the **Backend targets** tab. -- :::image type="content" source="media/expose-apps-gateway-tls-termination/create-backend-http-settings.png" alt-text="Screenshot of Azure portal 'Add a H T T P setting' page."::: --1. Select **Review and Create** to create the application gateway. --It can take up to 30 minutes for Azure to create the application gateway. ----### Update HTTP settings to use the domain name towards the backend --Update the HTTP settings to use the public domain name as the hostname instead of the domain suffixed with `.private.azuremicroservices.io` to send traffic to Azure Spring Apps with. --```azurecli -az network application-gateway http-settings update \ - --resource-group $RESOURCE_GROUP \ - --gateway-name $APPGW_NAME \ - --host-name-from-backend-pool false \ - --host-name $DOMAIN_NAME \ - --name appGatewayBackendHttpSettings -``` --### Check the deployment of the application gateway --After it's created, check the backend health by using the following command. The output of this command enables you to determine whether the application gateway reaches your application through its private fully qualified domain name (FQDN). --```azurecli -az network application-gateway show-backend-health \ - --name $APPGW_NAME \ - --resource-group $RESOURCE_GROUP -``` --The output indicates the healthy status of backend pool, as shown in the following example: --```output -{ - "backendAddressPools": [ - { - "backendHttpSettingsCollection": [ - { - "servers": [ - { - "address": "my-azure-spring-apps-hello-vnet.private.azuremicroservices.io", - "health": "Healthy", - "healthProbeLog": "Success. Received 200 status code", - "ipConfiguration": null - } - ] - } - ] - } - ] -} -``` --## Configure DNS and access the application --Configure the public DNS to point to the application gateway using a CNAME or A-record. You can find the public address for the application gateway by using the following command: --```azurecli -az network public-ip show \ - --resource-group $RESOURCE_GROUP \ - --name $APPLICATION_GATEWAY_PUBLIC_IP_NAME \ - --query [ipAddress] \ - --output tsv -``` --You can now access the application using the public domain name. --## Clean up resources --If you plan to continue working with subsequent articles, you might want to leave these resources in place. When no longer needed, delete the resource group, which deletes the resources in the resource group. To delete the resource group by using Azure CLI, use the following command: --```azurecli -az group delete --name $RESOURCE_GROUP -``` --## Next steps --- [Exposing applications with end-to-end TLS in a virtual network](./expose-apps-gateway-end-to-end-tls.md)-- [Troubleshooting Azure Spring Apps in VNET](./troubleshooting-vnet.md)-- [Customer Responsibilities for Running Azure Spring Apps in VNET](./vnet-customer-responsibilities.md) |
spring-apps | Faq | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/faq.md | - Title: Frequently asked questions about Azure Spring Apps | Microsoft Docs -description: This article answers frequently asked questions about Azure Spring Apps. --- Previously updated : 09/08/2020---zone_pivot_groups: programming-languages-spring-apps ---# Azure Spring Apps FAQ --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise --This article answers frequently asked questions about Azure Spring Apps. --## General --### Why Azure Spring Apps? --Azure Spring Apps provides a platform as a service (PaaS) for Spring developers. Azure Spring Apps manages your application infrastructure so that you can focus on application code and business logic. Core features built into Azure Spring Apps include Eureka, Config Server, Service Registry Server, VMware Tanzu Build Service, Blue-green deployment, and more. This service also enables developers to bind their applications with other Azure services, such as Azure Cosmos DB, Azure Database for MySQL, and Azure Cache for Redis. --Azure Spring Apps enhances the application diagnostics experience for developers and operators by integrating Azure Monitor, Application Insights, and Log Analytics. --### How secure is Azure Spring Apps? --Security and privacy are among the top priorities for Azure and Azure Spring Apps customers. Azure helps ensure that only customers have access to application data, logs, or configurations by securely encrypting all of this data. --* The service instances in Azure Spring Apps are isolated from each other. -* Azure Spring Apps provides complete TLS/SSL and certificate management. -* Critical security patches for OpenJDK and Spring runtimes are applied to Azure Spring Apps as soon as possible. --### How does Azure Spring Apps host my applications? --Each service instance in Azure Spring Apps is backed by Azure Kubernetes Service with multiple worker nodes. Azure Spring Apps manages the underlying Kubernetes cluster for you, including high availability, scalability, Kubernetes version upgrade, and so on. --Azure Spring Apps intelligently schedules your applications on the underlying Kubernetes worker nodes. To provide high availability, Azure Spring Apps distributes applications with two or more instances on different nodes. --### In which regions is the Azure Spring Apps Basic/Standard plan available? --See [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=spring-apps). --### In which regions is the Azure Spring Apps Enterprise plan available? --While the Azure Spring Apps Basic/Standard plan is available in regions of China, the Enterprise plan is not available in all regions on Azure China. --### Is any customer data stored outside of the specified region? --Azure Spring Apps is a regional service. All customer data in Azure Spring Apps is stored to a single, specified region. To learn more about geo and region, see [Data residency in Azure](https://azure.microsoft.com/global-infrastructure/data-residency/). --### What are the known limitations of Azure Spring Apps? --Azure Spring Apps has the following known limitations: --* `spring.application.name` is overridden by the application name that's used to create each application. -* `server.port` defaults to port `1025` in the Basic/Standard plan and to port `8080` in the Enterprise plan. If you apply any other value, the default value overrides the one that you specify, so avoid specifying a server port in your code. If your code sets the server port explicitly rather than using `server.port`, ensure that the port is either `1025` or `8080` depending on the pricing plan of your Azure Spring Apps service instance. -* The Azure portal, Azure Resource Manager templates, and Terraform don't support uploading application packages. You can upload application packages by deploying the application using the Azure CLI, Azure DevOps, Maven Plugin for Azure Spring Apps, Azure Toolkit for IntelliJ, and the Visual Studio Code extension for Azure Spring Apps. --### What pricing plans are available? --Which one should I use and what are the limits within each plan? --* Azure Spring Apps offers three pricing plans: Basic, Standard, and Enterprise. The Basic plan is targeted for Dev/Test and trying out Azure Spring Apps. The Standard plan is optimized to run general purpose production traffic. The Enterprise plan is for production workloads with VMware Tanzu components. See [Azure Spring Apps pricing details](https://azure.microsoft.com/pricing/details/spring-apps/) for limits and feature level comparison. --### What's the difference between Service Binding and Service Connector? --We're not actively developing more capabilities for Service Binding. Instead, there's a new Azure-wise solution named [Service Connector](../service-connector/overview.md). On the one hand, the new solution brings you consistent integration experience across App hosting services on Azure like App Service. On the other hand, it covers your needs better by starting with supporting 10+ most used target Azure services including MySQL, SQL DB, Azure Cosmos DB, Postgres DB, Redis, Storage and more. Service Connector is currently in Public Preview, we invite you to try out the new experience. --### How can I provide feedback and report issues? --If you encounter any issues with Azure Spring Apps, create an [Azure Support Request](../azure-portal/supportability/how-to-create-azure-support-request.md). To submit a feature request or provide feedback, go to [Azure Feedback](https://feedback.azure.com/d365community/forum/79b1327d-d925-ec11-b6e6-000d3a4f06a4). --### How do I get VMware Spring Runtime support (Enterprise plan only) --The Enterprise plan has built-in VMware Spring Runtime Support, so you can open support tickets to [VMware](https://aka.ms/ascevsrsupport) if you think your issue is in the scope of VMware Spring Runtime Support. To better understand VMware Spring Runtime Support itself, see the [VMware Spring Runtime](https://tanzu.vmware.com/spring-runtime). To understand the details about how to register and use this support service, see the Support section in the [Enterprise plan FAQ from VMware](https://aka.ms/EnterpriseTierFAQ). For any other issues, open support tickets with Microsoft. --> [!IMPORTANT] -> After you create an Enterprise plan instance, your entitlement is ready within ten business days. If you encounter any exceptions, raise a support ticket with Microsoft to get help with it. --## Development --### I'm a Spring developer but new to Azure. What's the quickest way for me to learn how to develop an application in Azure Spring Apps? --For the quickest way to get started with Azure Spring Apps, follow the instructions in [Quickstart: Launch an application in Azure Spring Apps by using the Azure portal](./quickstart.md). --### Where can I view my Spring application logs and metrics? --Find metrics in the App Overview tab and the [Azure Monitor](../azure-monitor/essentials/data-platform-metrics.md#metrics-explorer) tab. --Azure Spring Apps supports exporting Spring application logs and metrics to Azure Storage, Event Hubs, and [Log Analytics](../azure-monitor/logs/data-platform-logs.md). The table name in Log Analytics is *AppPlatformLogsforSpring*. To learn how to enable it, see [Diagnostic services](diagnostic-services.md). --### Does Azure Spring Apps support distributed tracing? --Yes. For more information, see [Use Application Insights Java In-Process Agent in Azure Spring Apps](./how-to-application-insights.md). ---### What resource types does Service Binding support? --Three services are currently supported: --* Azure Cosmos DB -* Azure Database for MySQL -* Azure Cache for Redis. --### Can I view, add, or move persistent volumes from inside my applications? --Yes. --### How many outbound public IP addresses does an Azure Spring Apps instance have? --The number of outbound public IP addresses varies according to the plans and other factors. --| Azure Spring Apps instance type | Default number of outbound public IP addresses | -||| -| Basic plan instances | 1 | -| Standard/Enterprise plan instances | 2 | -| VNet injection instances | 1 | --### Can I increase the number of outbound public IP addresses? --Yes, you can open a [support ticket](https://azure.microsoft.com/support/faq/) to request for more outbound public IP addresses. --### When I delete/move an Azure Spring Apps service instance, are its extension resources deleted/moved as well? --It depends on the logic of resource providers that own the extension resources. The extension resources of a `Microsoft.AppPlatform` instance don't belong to the same namespace, so the behavior varies by resource provider. For example, the delete/move operation won't cascade to the **diagnostics settings** resources. If a new Azure Spring Apps instance is provisioned with the same resource ID as the deleted one, or if the previous Azure Spring Apps instance is moved back, the previous **diagnostics settings** resources continue extending it. --You can delete the Azure Spring Apps diagnostic settings by using Azure CLI: --```azurecli - az monitor diagnostic-settings delete --name $DIAGNOSTIC_SETTINGS_NAME --resource $AZURE_SPRING_APPS_RESOURCE_ID -``` ---## Java runtime and OS versions --### Which versions of Java runtime are supported in Azure Spring Apps? --Azure Spring Apps supports Java LTS versions with the most recent builds, currently Java 8, Java 11, and Java 17 are supported. --### How long are Java 8, Java 11, and Java 17 LTS versions supported? --See [Java long-term support for Azure and Azure Stack](/azure/developer/java/fundamentals/java-support-on-azure). --### What is the retire policy for older Java runtimes? --Public notice is sent out at 12 months before any old runtime version is retired. You have 12 months to migrate to a later version. --* Subscription admins get email notification when we retire a Java version. -* The retirement information is published in the documentation. --### How can I get support for issues at the Java runtime level? --See [Java long-term support for Azure and Azure Stack](/azure/developer/java/fundamentals/java-support-on-azure). --### What is the operation system to run my apps? --The most recent Ubuntu LTS version is used, currently [Ubuntu 20.04 LTS (Focal Fossa)](https://releases.ubuntu.com/focal/) is the default OS. --### How often are OS security patches applied? --Security patches applicable to Azure Spring Apps are rolled out to production on a monthly basis. -Critical security patches (CVE score >= 9) applicable to Azure Spring Apps are rolled out as soon as possible. --## Deployment --### Does Azure Spring Apps support blue-green deployment? --Yes. For more information, see [Set up a staging environment](./how-to-staging-environment.md). --### Can I access Kubernetes to manipulate my application containers? --No. Azure Spring Apps abstracts the developer from the underlying architecture, allowing you to concentrate on application code and business logic. --### Does Azure Spring Apps support building containers from source? --Yes. For more information, see [Quickstart: Deploy your first application to Azure Spring Apps](./quickstart.md). --### Does Azure Spring Apps support autoscaling in app instances? --Yes. For more information, see [Set up autoscale for applications](./how-to-setup-autoscale.md). --### How does Azure Spring Apps monitor the health status of my application? --Azure Spring Apps continuously probes port `1025` for customer's applications with the Basic/Standard pricing plan, or port `8080` with the Enterprise plan. These probes determine whether the application container is ready to start accepting traffic and whether Azure Spring Apps needs to restart the application container. Internally, Azure Spring Apps uses Kubernetes liveness and readiness probes to achieve the status monitoring. -->[!NOTE] -> Because of these probes, you currently can't launch applications in Azure Spring Apps without exposing port `1025` or `8080`. --### Whether and when is my application restarted? --Yes. For more information, see [Monitor app lifecycle events using Azure Activity log and Azure Service Health](./monitor-app-lifecycle-events.md). --### What are the best practices for migrating existing Spring applications to Azure Spring Apps? --For more information, see [Migrate Spring applications to Azure Spring Apps](/azure/developer/java/migration/migrate-spring-cloud-to-azure-spring-apps). ---## .NET Core versions --### Which .NET Core versions are supported? --.NET Core 3.1 and later versions. --### How long is .NET Core 3.1 supported? --Until December 3, 2022. See [.NET Core Support Policy](https://dotnet.microsoft.com/platform/support/policy/dotnet-core). --## Troubleshooting --### What are the impacts of service registry rarely unavailable? --In some rare scenarios, you can see errors from your application logs similar to the following example: --```output -RetryableEurekaHttpClient: Request execution failure with status code 401; retrying on another server if available -``` --The Spring framework raises this issue at a low rate due to network instability or other network issues. There should be no impacts to the user experience. The Eureka client has both heartbeat and retry policy to take care of this problem. You can consider it a transient error and skip it safely. --## Next steps --If you have further questions, see the [Azure Spring Apps troubleshooting guide](./troubleshoot.md). |
spring-apps | How To Access App From Internet Virtual Network | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-access-app-from-internet-virtual-network.md | - Title: Expose applications on Azure Spring Apps to the internet from a public network -description: Describes how to expose applications on Azure Spring Apps to the internet from a public network. ---- Previously updated : 08/09/2022----# Expose applications on Azure Spring Apps to the internet from a public network --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --This article describes how to expose applications on Azure Spring Apps to the internet from a public network. --You can expose applications to the internet with TLS Termination or end-to-end TLS using Application Gateway. These approaches are described in [Expose applications to the internet with TLS Termination at Application Gateway](./expose-apps-gateway-tls-termination.md) and [Expose applications with end-to-end TLS in a virtual network](./expose-apps-gateway-end-to-end-tls.md). These approaches work well, but Application Gateway can involve a complicated setup and extra expense. --If you don't want to use Application Gateway for advanced operations, you can expose your applications to the internet with one click using the Azure portal or one command using the Azure CLI. The only extra expense is a standard public IP for one Azure Spring Apps service instance, regardless of how many apps you want to expose. --## Prerequisites --- An Azure Spring Apps service instance deployed in a virtual network and an app created in it. For more information, see [Deploy Azure Spring Apps in a virtual network](./how-to-deploy-in-azure-virtual-network.md).--## Assign a public fully qualified domain name (FQDN) for your application in a virtual network injection instance ---### [Azure portal](#tab/azure-portal) --Use the following steps to assign a public FQDN for your application. --1. Select the Azure Spring Apps service instance deployed in your virtual network, and then open the **Apps** tab in the menu on the left. --1. Select the application to show the **Overview** page. --1. Select **Assign Public Endpoint** to assign a public FQDN to your application. Assigning an FQDN can take a few minutes. -- :::image type="content" source="media/how-to-access-app-from-internet-virtual-network/assign-public-endpoint.png" alt-text="Screenshot of Azure portal showing how to assign a public FQDN to your application." lightbox="media/how-to-access-app-from-internet-virtual-network/assign-public-endpoint.png"::: --The assigned public FQDN (labeled **URL**) is now available. It can only be accessed within the public network. --### [Azure CLI](#tab/azure-CLI) --Use the following command to assign a public endpoint to your app. Be sure to replace the placeholders with your actual values. --```azurecli -az spring app update \ - --resource-group <resource-group-name> \ - --name <app-name> \ - --service <service-instance-name> \ - --assign-public-endpoint true -``` ----## Use a public URL to access your application from both inside and outside the virtual network --You can use a public URL to access your application both inside and outside the virtual network. Follow the steps in [Access your application in a private network](./access-app-virtual-network.md) to bind the domain `.private.azuremicroservices.io` to the service runtime Subnet private IP address in your private DNS zone while keeping the **Assign Endpoint** in a disable state. You can then access the app using the **public URL** from both inside and outside the virtual network. --## Secure traffic to the public endpoint --To ensure the security of your applications when you expose a public endpoint for them, secure the endpoint by filtering network traffic to your service with a network security group. For more information, see [Tutorial: Filter network traffic with a network security group using the Azure portal](../virtual-network/tutorial-filter-network-traffic.md). A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol. --> [!NOTE] -> If you couldn't access your application in a virtual network injection instance from internet after you have assigned a public FQDN, check your network security group first to see whether you have allowed such inbound traffic. --## Next steps --- [Expose applications with end-to-end TLS in a virtual network](./expose-apps-gateway-end-to-end-tls.md)-- [Troubleshooting Azure Spring Apps in virtual networks](./troubleshooting-vnet.md)-- [Customer responsibilities for running Azure Spring Apps in a virtual network](./vnet-customer-responsibilities.md) |
spring-apps | How To Access Data Plane Azure Ad Rbac | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-access-data-plane-azure-ad-rbac.md | - Title: "Access Config Server and Service Registry"- -description: How to access Config Server and Service Registry Endpoints with Microsoft Entra role-based access control. ---- Previously updated : 08/25/2021----# Access Config Server and Service Registry --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Basic/Standard ❌ Enterprise --This article explains how to access the Spring Cloud Config Server and Spring Cloud Service Registry managed by Azure Spring Apps using Microsoft Entra role-based access control (RBAC). --> [!NOTE] -> Applications deployed and running inside the Azure Spring Apps service are automatically wired up with certificate-based authentication and authorization when accessing the managed Spring Cloud Config Server and Service Registry. You don't need to follow this guidance for these applications. The related certificates are fully managed by the Azure Spring Apps platform, and are automatically injected in your application when connected to Config Server and Service Registry. --<a name='assign-role-to-azure-ad-usergroup-msi-or-service-principal'></a> --## Assign role to Microsoft Entra user/group, MSI, or service principal --Assign the role to the [user | group | service-principal | managed-identity] at [management-group | subscription | resource-group | resource] scope. --| Role name | Description | -|-|| -| Azure Spring Apps Config Server Reader | Allow read access to Azure Spring Apps Config Server. | -| Azure Spring Apps Config Server Contributor | Allow read, write, and delete access to Azure Spring Apps Config Server. | -| Azure Spring Apps Service Registry Reader | Allow read access to Azure Spring Apps Service Registry. | -| Azure Spring Apps Service Registry Contributor | Allow read, write, and delete access to Azure Spring Apps Service Registry. | --For detailed steps, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md). --## Access Config Server and Service Registry Endpoints --After the role is assigned, the assignee can access the Spring Cloud Config Server and the Spring Cloud Service Registry endpoints using the following procedures: --1. Get an access token. After a Microsoft Entra user is assigned the role, they can use the following commands to sign in to Azure CLI with user, service principal, or managed identity to get an access token. For details, see [Authenticate Azure CLI](/cli/azure/authenticate-azure-cli). -- ```azurecli - az login - az account get-access-token - ``` --1. Compose the endpoint. We support the default endpoints of the Spring Cloud Config Server and Spring Cloud Service Registry managed by Azure Spring Apps. -- * *'https://SERVICE_NAME.svc.azuremicroservices.io/eureka/{path}'* - * *'https://SERVICE_NAME.svc.azuremicroservices.io/config/{path}'* -- >[!NOTE] - > If you're using Microsoft Azure operated by 21Vianet, replace `*.azuremicroservices.io` with `*.microservices.azure.cn`. For more information, see the section [Check endpoints in Azure](/azure/china/resources-developer-guide#check-endpoints-in-azure) in the [Microsoft Azure operated by 21Vianet developer guide](/azure/china/resources-developer-guide). --1. Access the composed endpoint with the access token. Put the access token in a header to provide authorization: `--header 'Authorization: Bearer {TOKEN_FROM_PREVIOUS_STEP}'`. -- For example: -- a. Access an endpoint like `https://SERVICE_NAME.svc.azuremicroservices.io/config/actuator/health` to see the health status of Config Server. -- b. Access an endpoint like `https://SERVICE_NAME.svc.azuremicroservices.io/eureka/eureka/apps` to see the registered apps in Spring Cloud Service Registry (Eureka here). -- If the response is `401 Unauthorized`, check to see if the role is successfully assigned. It will take several minutes for the role to take effect or to verify that the access token has not expired. --For more information about actuator endpoint, see [Production ready endpoints](https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#production-ready-endpoints). --For Eureka endpoints, see [Eureka-REST-operations](https://github.com/Netflix/eureka/wiki/Eureka-REST-operations) --For config server endpoints and detailed path information, see [ResourceController.java](https://github.com/spring-cloud/spring-cloud-config/blob/main/spring-cloud-config-server/src/main/java/org/springframework/cloud/config/server/resource/ResourceController.java) and [EncryptionController.java](https://github.com/spring-cloud/spring-cloud-config/blob/main/spring-cloud-config-server/src/main/java/org/springframework/cloud/config/server/encryption/EncryptionController.java). --## Register Spring Boot apps to Spring Cloud Config Server and Service Registry managed by Azure Spring Apps --After the role is assigned, you can register Spring Boot apps to Spring Cloud Config Server and Service Registry managed by Azure Spring Apps with Microsoft Entra token authentication. Both Config Server and Service Registry support [custom REST template](https://cloud.spring.io/spring-cloud-config/reference/html/#custom-rest-template) to inject the bearer token for authentication. --For more information, see the samples [Access Azure Spring Apps managed Config Server](https://github.com/Azure-Samples/azure-spring-apps-samples/tree/main/custom-config-server-client) and [Access Azure Spring Apps managed Service Registry](https://github.com/Azure-Samples/azure-spring-apps-samples/tree/main/custom-eureka-client). The following sections explain some important details in these samples. --**In *AccessTokenManager.java*:** --`AccessTokenManager` is responsible for getting an access token from Microsoft Entra ID. Configure the service principal's sign-in information in the *application.properties* file and initialize `ApplicationTokenCredentials` to get the token. You can find this file in both samples. --```java -prop.load(in); -tokenClientId = prop.getProperty("access.token.clientId"); -String tenantId = prop.getProperty("access.token.tenantId"); -String secret = prop.getProperty("access.token.secret"); -String clientId = prop.getProperty("access.token.clientId"); -credentials = new ApplicationTokenCredentials( - clientId, tenantId, secret, AzureEnvironment.AZURE); -``` --**In *CustomConfigServiceBootstrapConfiguration.java*:** --`CustomConfigServiceBootstrapConfiguration` implements the custom REST template for Config Server and injects the token from Microsoft Entra ID as `Authorization` headers. You can find this file in the [Config Server sample](https://github.com/Azure-Samples/azure-spring-apps-samples/tree/main/custom-config-server-client). --```java -public class RequestResponseHandlerInterceptor implements ClientHttpRequestInterceptor { -- @Override - public ClientHttpResponse intercept(HttpRequest request, byte[] body, ClientHttpRequestExecution execution) throws IOException { - String accessToken = AccessTokenManager.getToken(); - request.getHeaders().remove(AUTHORIZATION); - request.getHeaders().add(AUTHORIZATION, "Bearer " + accessToken); -- ClientHttpResponse response = execution.execute(request, body); - return response; - } --} -``` --**In *CustomRestTemplateTransportClientFactories.java*:** --The previous two classes are for the implementation of the custom REST template for Spring Cloud Service Registry. The `intercept` part is the same as in the Config Server above. Be sure to add `factory.mappingJacksonHttpMessageConverter()` to the message converters. You can find this file in the [Spring Cloud Service Registry sample](https://github.com/Azure-Samples/azure-spring-apps-samples/tree/main/custom-eureka-client). --```java -private RestTemplate customRestTemplate() { - /* - * Inject your custom rest template - */ - RestTemplate restTemplate = new RestTemplate(); - restTemplate.getInterceptors() - .add(new RequestResponseHandlerInterceptor()); - RestTemplateTransportClientFactory factory = new RestTemplateTransportClientFactory(); -- restTemplate.getMessageConverters().add(0, factory.mappingJacksonHttpMessageConverter()); -- return restTemplate; -} -``` --If you're running applications on a Kubernetes cluster, we recommend that you use an IP address to register Spring Cloud Service Registry for access. --```properties -eureka.instance.prefer-ip-address=true -``` --## Next steps --* [Authenticate Azure CLI](/cli/azure/authenticate-azure-cli) -* [Production ready endpoints](https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#production-ready-endpoints) -* [Create roles and permissions](how-to-permissions.md) |
spring-apps | How To Appdynamics Java Agent Monitor | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-appdynamics-java-agent-monitor.md | - Title: "How to monitor Spring Boot apps with the AppDynamics Java Agent (Preview)"- -description: How to use the AppDynamics Java agent to monitor Spring Boot applications in Azure Spring Apps. ---- Previously updated : 06/07/2022----# How to monitor Spring Boot apps with the AppDynamics Java Agent --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Standard consumption and dedicated (Preview) ✔️ Basic/Standard ❌️ Enterprise --This article explains how to use the AppDynamics Java Agent to monitor Spring Boot applications in Azure Spring Apps. --With the AppDynamics Java Agent, you can: --- Monitor applications-- Configure the AppDynamics Java Agent using environment variables-- Check all monitoring data from the AppDynamics dashboard--The following video introduces the AppDynamics Java in-process agent. --<br> --> [!VIDEO https://www.youtube.com/embed/4dZuRX5bNAs] --## Prerequisites --* [Azure CLI](/cli/azure/install-azure-cli) -* [An AppDynamics account](https://www.appdynamics.com/) --## Activate the AppDynamics Java in-process agent --For the whole workflow, you need to: --* Activate the AppDynamics Java in-process agent in Azure Spring Apps to generate application metrics data. -* Connect the AppDynamics Agent to the AppDynamics Controller to collect and visualize the data in the controller. --![Diagram showing a Spring Boot application in 'Azure Spring Apps' box with a two-directional arrow connecting it to an 'AppDynamics Agent' box, which also has an arrow pointing to an 'AppDynamics Controller' box](media/how-to-appdynamics-java-agent-monitor/appdynamics-activation.jpg) --### Activate an application with the AppDynamics Agent using the Azure CLI --To activate an application through the Azure CLI, use the following steps. --1. Create a resource group. -1. Create an instance of Azure Spring Apps. -1. Create an application using the following command. Replace the placeholders *\<...>* with your own values. -- ```azurecli - az spring app create \ - --resource-group "<your-resource-group-name>" \ - --service "<your-Azure-Spring-Apps-instance-name>" \ - --name "<your-app-name>" \ - --is-public true - ``` --1. Create a deployment with the AppDynamics Agent using environment variables. -- ```azurecli - az spring app deploy \ - --resource-group "<your-resource-group-name>" \ - --service "<your-Azure-Spring-Apps-instance-name>" \ - --name "<your-app-name>" \ - --artifact-path app.jar \ - --jvm-options="-javaagent:/opt/agents/appdynamics/java/javaagent.jar" \ - --env APPDYNAMICS_AGENT_APPLICATION_NAME=<your-app-name> \ - APPDYNAMICS_AGENT_ACCOUNT_ACCESS_KEY=<your-agent-access-key> \ - APPDYNAMICS_AGENT_ACCOUNT_NAME=<your-agent-account-name> \ - APPDYNAMICS_JAVA_AGENT_REUSE_NODE_NAME=true \ - APPDYNAMICS_JAVA_AGENT_REUSE_NODE_NAME_PREFIX=<your-agent-node-name> \ - APPDYNAMICS_AGENT_TIER_NAME=<your-agent-tier-name> \ - APPDYNAMICS_CONTROLLER_HOST_NAME=<your-AppDynamics-controller-host-name> \ - APPDYNAMICS_CONTROLLER_SSL_ENABLED=true \ - APPDYNAMICS_CONTROLLER_PORT=443 - ``` --Azure Spring Apps pre-installs the AppDynamics Java agent to the path */opt/agents/appdynamics/java/javaagent.jar*. You can activate the agent from your applications' JVM options, then configure the agent using environment variables. You can find values for these variables at [Monitor Azure Spring Apps with Java Agent](https://docs.appdynamics.com/21.11/en/application-monitoring/install-app-server-agents/java-agent/monitor-azure-spring-cloud-with-java-agent). For more information about how these variables help to view and organize reports in the AppDynamics UI, see [Tiers and Nodes](https://docs.appdynamics.com/21.9/en/application-monitoring/tiers-and-nodes). --### Activate an application with the AppDynamics Agent using the Azure portal --To activate an application through the Azure portal, use the following steps. --1. Navigate to your Azure Spring Apps instance in the Azure portal. --1. Select **Apps** in the **Settings** section of the navigation pane. -- :::image type="content" source="media/how-to-appdynamics-java-agent-monitor/azure-spring-cloud-app-list.png" alt-text="Screenshot of the Azure portal showing the Apps page for an Azure Spring Apps instance." lightbox="media/how-to-appdynamics-java-agent-monitor/azure-spring-cloud-app-list.png"::: --1. Select the app, and then select **Configuration** in the navigation pane. --1. Use the **General settings** tab to update values such as the JVM options. -- :::image type="content" source="media/how-to-appdynamics-java-agent-monitor/azure-spring-cloud-app-configuration-general.png" alt-text="Screenshot of the Azure portal showing the Configuration page for an app in an Azure Spring Apps instance, with the General settings tab selected." lightbox="media/how-to-appdynamics-java-agent-monitor/azure-spring-cloud-app-configuration-general.png"::: --1. Select **Environment variables** to add or update the variables used by your application. -- :::image type="content" source="media/how-to-appdynamics-java-agent-monitor/azure-spring-cloud-app-configuration-env.png" alt-text="Screenshot of the Azure portal showing the Configuration page for an app in an Azure Spring Apps instance, with the Environment variables tab selected." lightbox="media/how-to-appdynamics-java-agent-monitor/azure-spring-cloud-app-configuration-env.png"::: --## Automate provisioning --You can also run a provisioning automation pipeline using Terraform, Bicep, or Azure Resource Manager template (ARM template). This pipeline can provide a complete hands-off experience to instrument and monitor any new applications that you create and deploy. --### Automate provisioning using Terraform --To configure the environment variables in a Terraform template, add the following code to the template, replacing the *\<...>* placeholders with your own values. For more information, see [Manages an Active Azure Spring Apps Deployment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/spring_cloud_active_deployment). --```terraform -resource "azurerm_spring_cloud_java_deployment" "example" { - ... - jvm_options = "-javaagent:/opt/agents/appdynamics/java/javaagent.jar" - ... - environment_variables = { - "APPDYNAMICS_AGENT_APPLICATION_NAME" : "<your-app-name>", - "APPDYNAMICS_AGENT_ACCOUNT_ACCESS_KEY" : "<your-agent-access-key>", - "APPDYNAMICS_AGENT_ACCOUNT_NAME" : "<your-agent-account-name>", - "APPDYNAMICS_JAVA_AGENT_REUSE_NODE_NAME" : "true", - "APPDYNAMICS_JAVA_AGENT_REUSE_NODE_NAME_PREFIX" : "<your-agent-node-name>", - "APPDYNAMICS_AGENT_TIER_NAME" : "<your-agent-tier-name>", - "APPDYNAMICS_CONTROLLER_HOST_NAME" : "<your-AppDynamics-controller-host-name>", - "APPDYNAMICS_CONTROLLER_SSL_ENABLED" : "true", - "APPDYNAMICS_CONTROLLER_PORT" : "443" - } -} -``` --### Automate provisioning using Bicep --To configure the environment variables in a Bicep file, add the following code to the file, replacing the *\<...>* placeholders with your own values. For more information, see [Microsoft.AppPlatform Spring/apps/deployments](/azure/templates/microsoft.appplatform/spring/apps/deployments?tabs=bicep). --```bicep -deploymentSettings: { - environmentVariables: { - APPDYNAMICS_AGENT_APPLICATION_NAME : '<your-app-name>' - APPDYNAMICS_AGENT_ACCOUNT_ACCESS_KEY : '<your-agent-access-key>' - APPDYNAMICS_AGENT_ACCOUNT_NAME : '<your-agent-account-name>' - APPDYNAMICS_JAVA_AGENT_REUSE_NODE_NAME : 'true' - APPDYNAMICS_JAVA_AGENT_REUSE_NODE_NAME_PREFIX : '<your-agent-node-name>' - APPDYNAMICS_AGENT_TIER_NAME : '<your-agent-tier-name>' - APPDYNAMICS_CONTROLLER_HOST_NAME : '<your-AppDynamics-controller-host-name>' - APPDYNAMICS_CONTROLLER_SSL_ENABLED : 'true' - APPDYNAMICS_CONTROLLER_PORT : '443' - } - jvmOptions: '-javaagent:/opt/agents/appdynamics/java/javaagent.jar' -} -``` --### Automate provisioning using an ARM template --To configure the environment variables in an ARM template, add the following code to the template, replacing the *\<...>* placeholders with your own values. For more information, see [Microsoft.AppPlatform Spring/apps/deployments](/azure/templates/microsoft.appplatform/spring/apps/deployments?tabs=json). --```JSON -"deploymentSettings": { - "environmentVariables": { - "APPDYNAMICS_AGENT_APPLICATION_NAME" : "<your-app-name>", - "APPDYNAMICS_AGENT_ACCOUNT_ACCESS_KEY" : "<your-agent-access-key>", - "APPDYNAMICS_AGENT_ACCOUNT_NAME" : "<your-agent-account-name>", - "APPDYNAMICS_JAVA_AGENT_REUSE_NODE_NAME" : "true", - "APPDYNAMICS_JAVA_AGENT_REUSE_NODE_NAME_PREFIX" : "<your-agent-node-name>", - "APPDYNAMICS_AGENT_TIER_NAME" : "<your-agent-tier-name>", - "APPDYNAMICS_CONTROLLER_HOST_NAME" : "<your-AppDynamics-controller-host-name>", - "APPDYNAMICS_CONTROLLER_SSL_ENABLED" : "true", - "APPDYNAMICS_CONTROLLER_PORT" : "443" - }, - "jvmOptions": "-javaagent:/opt/agents/appdynamics/java/javaagent.jar", - ... -} -``` --## Review reports in the AppDynamics dashboard --This section shows various reports in AppDynamics. --The following screenshot shows an overview of your apps in the AppDynamics dashboard: ---The **Application Dashboard** shows the overall information for each of your apps, as shown in the following screenshots using example applications: --- `api-gateway`-- :::image type="content" source="media/how-to-appdynamics-java-agent-monitor/appdynamics-dashboard-api-gateway.jpg" alt-text="AppDynamics screenshot showing the Application Dashboard for the example api-gateway app." lightbox="media/how-to-appdynamics-java-agent-monitor/appdynamics-dashboard-api-gateway.jpg"::: --- `customers-service`-- :::image type="content" source="media/how-to-appdynamics-java-agent-monitor/appdynamics-dashboard-customers-service.jpg" alt-text="AppDynamics screenshot showing the Application Dashboard for the example customers-service app." lightbox="media/how-to-appdynamics-java-agent-monitor/appdynamics-dashboard-customers-service.jpg"::: --The following screenshot shows how you can get basic information from the **Database Calls** dashboard. ---You can also get information about the slowest database calls, as shown in these screenshots: ----The following screenshot shows memory usage analysis in the **Heap** section of the **Memory** page: ---You can also see the garbage collection process, as shown in this screenshot: ---The following screenshot shows the **Slow Transactions** page: ---You can define more metrics for the JVM, as shown in this screenshot of the **Metric Browser**: ---## View AppDynamics Agent logs --By default, Azure Spring Apps will print the *info* level logs of the AppDynamics Agent to `STDOUT`. The logs will be mixed with the application logs. You can find the explicit agent version from the application logs. --You can also get the logs of the AppDynamics Agent from the following locations: --* Azure Spring Apps logs -* Azure Spring Apps Application Insights -* Azure Spring Apps LogStream --## Learn about AppDynamics Agent upgrade --The AppDynamics Agent will be upgraded regularly with JDK (quarterly). Agent upgrade may affect the following scenarios: --* Existing applications using AppDynamics Agent before upgrade will be unchanged, but will require restart or redeploy to engage the new version of AppDynamics Agent. -* Applications created after upgrade will use the new version of AppDynamics Agent. --## Configure virtual network injection instance outbound traffic --For virtual network injection instances of Azure Spring Apps, make sure the outbound traffic is configured correctly for AppDynamics Agent. For details, see [SaaS Domains and IP Ranges](https://docs.appdynamics.com/display/PA). --## Understand the limitations --To understand the limitations of the AppDynamics Agent, see [Monitor Azure Spring Apps with Java Agent](https://docs.appdynamics.com/21.11/en/application-monitoring/install-app-server-agents/java-agent/monitor-azure-spring-cloud-with-java-agent). --## Next steps --[Use Application Insights Java In-Process Agent in Azure Spring Apps](./how-to-application-insights.md) |
spring-apps | How To Application Insights | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-application-insights.md | - Title: How to use Application Insights Java In-Process Agent in Azure Spring Apps -description: How to monitor apps using Application Insights Java In-Process Agent in Azure Spring Apps. ---- Previously updated : 06/20/2022--zone_pivot_groups: spring-apps-tier-selection ---# Use Application Insights Java In-Process Agent in Azure Spring Apps --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. -> -> With Spring Boot Native Image applications, use the [Azure Monitor OpenTelemetry Distro / Application Insights in Spring Boot native image Java application](https://aka.ms/AzMonSpringNative) project instead of the Application Insights Java agent. ---**This article applies to:** ✔️ Standard consumption and dedicated (Preview) ✔️ Basic/Standard ❌️ Enterprise --This article explains how to monitor applications by using the Application Insights Java agent in Azure Spring Apps. --With this feature you can: --* Search tracing data with different filters. -* View a dependency map of Spring applications. -* Check request performance. -* Monitor real-time live metrics. -* Check request failures. -* Check application metrics. -* Check application logs. --Application Insights can provide many observable perspectives, including: --* Application map -* Performance -* Failures -* Metrics -* Live Metrics -* Availability -* Logs --## Using the Application Insights feature --When the **Application Insights** feature is enabled, you can: --* In the navigation pane, select **Application Insights** to view the **Overview** page of Application Insights. The **Overview** page shows you an overview of all running applications. -* Select **Application Map** to see the status of calls between applications. -- :::image type="content" source="media/how-to-application-insights/insights-process-agent-map.png" alt-text="Screenshot of Azure portal Application Insights with Application map page showing." lightbox="media/how-to-application-insights/insights-process-agent-map.png"::: --* Select the link between customers-service and `petclinic` to see more details such as a query from SQL. -* Select an endpoint to see all the applications making requests to the endpoint. --* In the navigation pane, select **Performance** to see the performance data of all applications' operations, dependencies, and roles. -- :::image type="content" source="media/how-to-application-insights/insights-process-agent-performance.png" alt-text="Screenshot of Azure portal Application Insights with Performance page showing." lightbox="media/how-to-application-insights/insights-process-agent-performance.png"::: --* In the navigation pane, select **Failures** to see any unexpected failures or exceptions from your applications. -- :::image type="content" source="media/how-to-application-insights/insights-process-agent-failures.png" alt-text="Screenshot of Azure portal Application Insights with Failures page showing." lightbox="media/how-to-application-insights/insights-process-agent-failures.png"::: --* In the navigation pane, select **Metrics** and select the namespace to see both Spring Boot metrics and custom metrics, if any. -- :::image type="content" source="media/how-to-application-insights/insights-process-agent-metrics.png" alt-text="Screenshot of Azure portal Application Insights with Metrics page showing." lightbox="media/how-to-application-insights/insights-process-agent-metrics.png"::: --* In the navigation pane, select **Live Metrics** to see the real-time metrics for different dimensions. -- :::image type="content" source="media/how-to-application-insights/petclinic-microservices-live-metrics.png" alt-text="Screenshot of Azure portal Application Insights with Live Metrics page showing." lightbox="media/how-to-application-insights/petclinic-microservices-live-metrics.png"::: --* In the navigation pane, select **Availability** to monitor the availability and responsiveness of Web apps by creating [Availability tests in Application Insights](/previous-versions/azure/azure-monitor/app/monitor-web-app-availability). -- :::image type="content" source="media/how-to-application-insights/petclinic-microservices-availability.png" alt-text="Screenshot of Azure portal Application Insights with Availability page showing." lightbox="media/how-to-application-insights/petclinic-microservices-availability.png"::: --* In the navigation pane, select **Logs** to view all applications' logs, or one application's logs when filtering by `cloud_RoleName`. -- :::image type="content" source="media/how-to-application-insights/application-insights-application-logs.png" alt-text="Screenshot of Azure portal Application Insights with Logs page showing." lightbox="media/how-to-application-insights/application-insights-application-logs.png"::: --## Manage Application Insights using the Azure portal ---Enable the Java In-Process Agent by using the following procedure. --1. Go to the **service | Overview** page of your service instance, then select **Application Insights** in the **Monitoring** section. -1. Select **Enable Application Insights** to enable Application Insights in Azure Spring Apps. -1. Select an existing instance of Application Insights or create a new one. -1. When **Application Insights** is enabled, you can configure one optional sampling rate (default 10.0%). -- :::image type="content" source="media/how-to-application-insights/insights-process-agent.png" alt-text="Screenshot of Azure portal Azure Spring Apps instance with Application Insights page showing and 'Enable Application Insights' checkbox highlighted." lightbox="media/how-to-application-insights/insights-process-agent.png"::: --1. Select **Save** to save the change. --> [!NOTE] -> Don't use the same Application Insights instance in different Azure Spring Apps instances, or you're shown mixed data. ----You can use the Portal to check or update the current settings in Application Insights. --### Enable Application Insights using the Azure portal --1. Select **Application Insights**. -1. Enable Application Insights by selecting **Edit binding**, or the **Unbound** hyperlink. -- :::image type="content" source="media/how-to-application-insights/application-insights-binding-enable.png" alt-text="Screenshot of Azure portal Azure Spring Apps instance with Application Insights page showing and drop-down menu visible with 'Edit binding' option."::: --1. Edit **Application Insights** or **Sampling rate**, then select **Save**. --### Disable Application Insights --1. Select **Application Insights**. -1. Select **Unbind binding** to disable Application Insights. -- :::image type="content" source="media/how-to-application-insights/application-insights-unbind-binding.png" alt-text="Screenshot of Azure portal Azure Spring Apps instance with Application Insights page showing and drop-down menu visible with 'Unbind binding' option."::: --### Change Application Insights Settings --Select the name under the *Application Insights* column to open the Application Insights section. ---### Edit Application Insights buildpack bindings in Build Service --To check and update the current settings for the Application Insights buildpack bindings in Build Service, follow these steps: --1. Select **Build Service**. -1. Choose your builder. -1. Select **Edit** under the Bindings column. --Application Insights settings are found in the *ApplicationInsights* item listed under the *Binding type* column. --1. Select the **Bound** hyperlink, or select **Edit Binding** under the ellipse, to open and edit the Application Insights buildpack bindings. -- :::image type="content" source="media/how-to-application-insights/application-insights-builder-settings.png" alt-text="Screenshot of Azure portal 'Edit bindings for default builder' pane."::: --1. Edit the binding settings, then select **Save**. -- :::image type="content" source="media/how-to-application-insights/application-insights-edit-binding.png" alt-text="Screenshot of Azure portal 'Edit binding' pane."::: ---## Manage Application Insights using Azure CLI --You can manage Application Insights using Azure CLI commands. In the following commands, be sure to replace the *\<placeholder>* text with the values described. The *\<service-instance-name>* placeholder refers to the name of your Azure Spring Apps instance. --### Enable Application Insights --To configure Application Insights when creating an Azure Spring Apps instance, use the following command. For the `app-insights` argument, you can specify an Application Insights name or resource ID. ---```azurecli -az spring create \ - --resource-group <resource-group-name> \ - --name "service-instance-name" \ - --app-insights <name-or-resource-ID> \ - --sampling-rate <sampling-rate> -``` ----```azurecli -az spring create \ - --resource-group <resource-group-name> \ - --name "service-instance-name" \ - --app-insights <name-or-resource-ID> \ - --sampling-rate <sampling-rate> - --sku Enterprise -``` ---You can also use an Application Insights connection string (preferred) or instrumentation key, as shown in the following example. ---```azurecli -az spring create \ - --resource-group <resource-group-name> \ - --name <service-instance-name> \ - --app-insights-key <connection-string-or-instrumentation-key> \ - --sampling-rate <sampling-rate> -``` ----```azurecli -az spring create \ - --resource-group <resource-group-name> \ - --name <service-instance-name> \ - --app-insights-key <connection-string-or-instrumentation-key> \ - --sampling-rate <sampling-rate> - --sku Enterprise -``` ---### Disable Application Insights --To disable Application Insights when creating an Azure Spring Apps instance, use the following command: ---```azurecli -az spring create \ - --resource-group <resource-group-name> \ - --name <service-instance-name> \ - --disable-app-insights -``` ----```azurecli -az spring create \ - --resource-group <resource-group-name> \ - --name <service-instance-name> \ - --disable-app-insights - --sku Enterprise -``` ----### Check Application Insights settings --To check the Application Insights settings of an existing Azure Spring Apps instance, use the following command: --```azurecli -az spring app-insights show \ - --resource-group <resource-group-name> \ - --name <service-instance-name> -``` --### Update Application Insights --To update Application Insights to use a connection string (preferred) or instrumentation key, use the following command: --```azurecli -az spring app-insights update \ - --resource-group <resource-group-name> \ - --name <service-instance-name> \ - --app-insights-key <connection-string-or-instrumentation-key> \ - --sampling-rate <sampling-rate> -``` --To update Application Insights to use the resource name or ID, use the following command: --```azurecli -az spring app-insights update \ - --resource-group <resource-group-name> \ - --name <service-instance-name> \ - --app-insights <name-or-resource-ID> \ - --sampling-rate <sampling-rate> -``` --### Disable Application Insights with the update command --To disable Application Insights on an existing Azure Spring Apps instance, use the following command: --```azurecli -az spring app-insights update \ - --resource-group <resource-group-name> \ - --name <service-instance-name> \ - --disable -``` ----### Manage Application Insights buildpack bindings --This section applies to the Enterprise plan only, and provides instructions that supplement the previous section. --The Azure Spring Apps Enterprise plan uses buildpack bindings to integrate [Azure Application Insights](../azure-monitor/app/app-insights-overview.md) with the type `ApplicationInsights`. For more information, see [How to configure APM integration and CA certificates](how-to-enterprise-configure-apm-integration-and-ca-certificates.md). --To create an Application Insights buildpack binding, use the following command: --```azurecli -az spring build-service builder buildpack-binding create \ - --resource-group <your-resource-group-name> \ - --service <your-service-instance-name> \ - --name <your-binding-name> \ - --builder-name <your-builder-name> \ - --type ApplicationInsights \ - --properties sampling-percentage=<your-sampling-percentage> \ - connection-string=<your-connection-string> -``` --To list all buildpack bindings, and find Application Insights bindings the type `ApplicationInsights`, use the following command: --```azurecli -az spring build-service builder buildpack-binding list \ - --resource-group <your-resource-group-name> \ - --service <your-service-resource-name> \ - --builder-name <your-builder-name> -``` --To replace an Application Insights buildpack binding, use the following command: --```azurecli -az spring build-service builder buildpack-binding set \ - --resource-group <your-resource-group-name> \ - --service <your-service-instance-name> \ - --name <your-binding-name> \ - --builder-name <your-builder-name> \ - --type ApplicationInsights \ - --properties sampling-percentage=<your-sampling-percentage> \ - connection-string=<your-connection-string> -``` --To get an Application Insights buildpack binding, use the following command: --```azurecli -az spring build-service builder buildpack-binding show \ - --resource-group <your-resource-group-name> \ - --service <your-service-instance-name> \ - --name <your-binding-name> \ - --builder-name <your-builder-name> \ -``` --To delete an Application Insights buildpack binding, use the following command: --```azurecli -az spring build-service builder buildpack-binding delete \ - --resource-group <your-resource-group-name> \ - --service <your-service-instance-name> \ - --name <your-binding-name> \ - --builder-name <your-builder-name> \ -``` ---## Automation ---The following sections describe how to automate your deployment using Bicep, Azure Resource Manager templates (ARM templates) or Terraform. --### Bicep --To deploy using a Bicep file, copy the following content into a *main.bicep* file. For more information, see [Microsoft.AppPlatform Spring/monitoringSettings](/azure/templates/microsoft.appplatform/spring/monitoringsettings). --```bicep -param springName string -param location string = resourceGroup().location --resource spring 'Microsoft.AppPlatform/Spring@2020-07-01' = { - name: springName - location: location - properties: {} -} --resource monitorSetting 'Microsoft.AppPlatform/Spring/monitoringSettings@2020-11-01-preview' = { - parent: spring - name: 'default' - properties: { - appInsightsInstrumentationKey: '00000000-0000-0000-0000-000000000000' - appInsightsSamplingRate: 88 - } -} -``` --### ARM templates --To deploy using an ARM template, copy the following content into an *azuredeploy.json* file. For more information, see [Microsoft.AppPlatform Spring/monitoringSettings](/azure/templates/microsoft.appplatform/spring/monitoringsettings). --```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "springName": { - "type": "string" - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]" - } - }, - "resources": [ - { - "type": "Microsoft.AppPlatform/Spring", - "apiVersion": "2020-07-01", - "name": "[parameters('springName')]", - "location": "[parameters('location')]", - "properties": {} - }, - { - "type": "Microsoft.AppPlatform/Spring/monitoringSettings", - "apiVersion": "2020-11-01-preview", - "name": "[format('{0}/{1}', parameters('springName'), 'default')]", - "properties": { - "appInsightsInstrumentationKey": "00000000-0000-0000-0000-000000000000", - "appInsightsSamplingRate": 88 - }, - "dependsOn": [ - "[resourceId('Microsoft.AppPlatform/Spring', parameters('springName'))]" - ] - } - ] -} -``` --### Terraform --For a Terraform deployment, use the following template. For more information, see [azurerm_spring_cloud_service](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/spring_cloud_service). --```terraform -provider "azurerm" { - features {} -} --resource "azurerm_resource_group" "example" { - name = "example-resources" - location = "West Europe" -} --resource "azurerm_application_insights" "example" { - name = "tf-test-appinsights" - location = azurerm_resource_group.example.location - resource_group_name = azurerm_resource_group.example.name - application_type = "web" -} --resource "azurerm_spring_cloud_service" "example" { - name = "example-springcloud" - resource_group_name = azurerm_resource_group.example.name - location = azurerm_resource_group.example.location - sku_name = "S0" -- config_server_git_setting { - uri = "https://github.com/Azure-Samples/piggymetrics" - label = "config" - search_paths = ["dir1", "dir2"] - } -- trace { - connection_string = azurerm_application_insights.example.connection_string - sample_rate = 10.0 - } -- tags = { - Env = "staging" - } -} -``` ----Automation in the Enterprise plan is pending support. Documentation is added as soon as it's available. ---## Java agent update/upgrade ---The Java agent is updated/upgraded regularly with the JDK, which may affect the following scenarios. --> [!NOTE] -> The JDK version is updated/upgraded quarterly per year. --* Existing applications that use the Java agent before updating/upgrading aren't affected. -* Applications created after updating/upgrading use the new version of the Java agent. -* Existing applications that didn't previously use the Java agent require restart or redeployment to use the new version of the Java agent. ----The Java agent is updated/upgraded when the buildpack is updated. ----## Java agent configuration hot-loading --Azure Spring Apps has enabled a hot-loading mechanism to adjust the settings of agent configuration without restart of applications. --> [!NOTE] -> The hot-loading mechanism has a delay in minutes. --* When the Java agent has been previously enabled, changes to the Application Insights instance and/or SamplingRate do NOT require applications to be restarted. -* If you enable the Java agent, then you must restart applications. -* When you disable the Java agent, applications stop sending all monitoring data after a delay in minutes. You can restart applications to remove the agent from the Java runtime environment. ---## Concept matching between Azure Spring Apps and Application Insights --| Azure Spring Apps | Application Insights | -| | | -| `App` | * __Application Map__/Role<br />* __Live Metrics__/Role<br />* __Failures__/Roles/Cloud Role<br />* __Performance__/Roles/Could Role | -| `App Instance` | * __Application Map__/Role Instance<br />* __Live Metrics__/Service Name<br />* __Failures__/Roles/Cloud Instance<br />* __Performance__/Roles/Could Instance | --The name `App Instance` from Azure Spring Apps is changed or generated in the following scenarios: --* You create a new application. -* You deploy a JAR file or source code to an existing application. -* You initiate a blue/green deployment. -* You restart the application. -* You stop the deployment of an application, and then restart it. --When data is stored in Application Insights, it contains the history of Azure Spring Apps app instances created or deployed since the Java agent was enabled. For example, in the Application Insights portal, you can see application data created yesterday, but then deleted within a specific time range, like the last 24 hours. The following scenarios show how this works: --* You created an application around 8:00 AM today from Azure Spring Apps with the Java agent enabled, and then you deployed a JAR file to this application around 8:10 AM today. After some testing, you change the code and deploy a new JAR file to this application at 8:30 AM today. Then, you take a break, and when you come back around 11:00 AM, you check some data from Application Insights. You see: - * Three instances in Application Map with time ranges in the last 24 hours, and Failures, Performance, and Metrics. - * One instance in Application Map with a time range in the last hour, and Failures, Performance, and Metrics. - * One instance in Live Metrics. -* You created an application around 8:00 AM today from Azure Spring Apps with the Java agent enabled, and then you deployed a JAR file to this application around 8:10 AM today. Around 8:30 AM today, you try a blue/green deployment with another JAR file. Currently, you have two deployments for this application. After a break around 11:00 AM today, you want to check some data from Application Insights. You see: - * Three instances in Application Map with time ranges in the last 24 hours, and Failures, Performance, and Metrics. - * Two instances in Application Map with time ranges in last hour, and Failures, Performance, and Metrics. - * Two instances in Live Metrics. --## Next steps --* [Use Application Insights Java In-Process Agent in Azure Spring Apps](./how-to-application-insights.md) -* [Analyze logs and metrics](diagnostic-services.md) -* [Stream logs in real time](./how-to-log-streaming.md) -* [Application Map](../azure-monitor/app/app-map.md) -* [Live Metrics](../azure-monitor/app/live-stream.md) -* [Performance](../azure-monitor/app/tutorial-performance.md) -* [Failures](../azure-monitor/app/tutorial-runtime-exceptions.md) -* [Metrics](../azure-monitor/essentials/tutorial-metrics.md) -* [Logs](../azure-monitor/logs/data-platform-logs.md) |
spring-apps | How To Bind Cosmos | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-bind-cosmos.md | - Title: Connect an Azure Cosmos DB to your application in Azure Spring Apps -description: Learn how to connect Azure Cosmos DB to your application in Azure Spring Apps --- Previously updated : 11/09/2022-----# Connect an Azure Cosmos DB database to your application in Azure Spring Apps --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Java ✔️ C# --**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise --Instead of manually configuring your Spring Boot applications, you can automatically connect selected Azure services to your applications by using Azure Spring Apps. This article demonstrates how to connect your application to an Azure Cosmos DB database. --## Prerequisites --* An application deployed to Azure Spring Apps. For more information, see [Quickstart: Deploy your first application to Azure Spring Apps](./quickstart.md). -* An Azure Cosmos DB database instance. -* [Azure CLI](/cli/azure/install-azure-cli) version 2.45.0 or higher. --## Prepare your project --### [Java](#tab/Java) --1. Add one of the following dependencies to your application's *pom.xml* file. Choose the dependency that is appropriate for your API type. -- * API type: NoSQL -- ```xml - <dependency> - <groupId>com.azure.spring</groupId> - <artifactId>spring-cloud-azure-starter-data-cosmos</artifactId> - </dependency> - ``` -- * API type: MongoDB -- ```xml - <dependency> - <groupId>org.springframework.boot</groupId> - <artifactId>spring-boot-starter-data-mongodb</artifactId> - </dependency> - ``` -- * API type: Cassandra -- ```xml - <dependency> - <groupId>org.springframework.boot</groupId> - <artifactId>spring-boot-starter-data-cassandra</artifactId> - </dependency> - ``` --1. Update the current app by running `az spring app deploy`, or create a new deployment for this change by running `az spring app deployment create`. --### [Polyglot](#tab/Polyglot) --All the connection strings and credentials are injected as environment variables, which you can reference in your application code. --For the default environment variable names, see the following articles: --* [Azure Cosmos DB for Table](../service-connector/how-to-integrate-cosmos-table.md?tabs=spring-apps#default-environment-variable-names-or-application-properties-and-sample-code) -* [Azure Cosmos DB for NoSQL](../service-connector/how-to-integrate-cosmos-sql.md?tabs=spring-apps#default-environment-variable-names-or-application-properties-and-sample-code) -* [Azure Cosmos DB for MongoDB](../service-connector/how-to-integrate-cosmos-db.md?tabs=spring-apps#default-environment-variable-names-or-application-properties-and-sample-code) -* [Azure Cosmos DB for Gremlin](../service-connector/how-to-integrate-cosmos-gremlin.md?tabs=spring-apps#default-environment-variable-names-or-application-properties-and-sample-code) -* [Azure Cosmos DB for Cassandra](../service-connector/how-to-integrate-cosmos-cassandra.md?tabs=spring-apps#default-environment-variable-names-or-application-properties-and-sample-code) ----## Connect your app to the Azure Cosmos DB --### [Service Connector](#tab/Service-Connector) --> [!NOTE] -> By default, Service Connectors are created at the application level. To override the connections, you can create other connections again in the deployments. --#### Use the Azure CLI --Use the Azure CLI to configure your Spring app to connect to a Cosmos NoSQL Database by using the `az spring connection create` command, as shown in the following example. Be sure to replace the variables in the example with actual values. --> [!NOTE] -> Updating Azure Cosmos DB database settings can take a few minutes to complete. --> [!NOTE] -> If you're using Cosmos Cassandra, use `--key_space` instead of `--database`. If you're using Cosmos Table, use `--table` instead of `--database`. For more information, see [Quickstart: Create a service connection in Azure Spring Apps with the Azure CLI](../service-connector/quickstart-cli-spring-cloud-connection.md). --```azurecli -az spring connection create cosmos-sql \ - --resource-group $AZURE_SPRING_APPS_RESOURCE_GROUP \ - --service $AZURE_SPRING_APPS_SERVICE_INSTANCE_NAME \ - --app $APP_NAME \ - --target-resource-group $COSMOSDB_RESOURCE_GROUP \ - --account $COSMOSDB_ACCOUNT_NAME \ - --database $DATABASE_NAME \ - --secret -``` --> [!NOTE] -> If you're using [Service Connector](../service-connector/overview.md) for the first time, start by running the command `az provider register --namespace Microsoft.ServiceLinker` to register the Service Connector resource provider. --> [!TIP] -> Run the command `az spring connection list-support-types --output table` to get a list of supported target services and authentication methods for Azure Spring Apps. If the `az spring` command isn't recognized by the system, check that you have installed the required extension by running `az extension add --name spring`. --#### Use the Azure portal --Alternatively, you can use the Azure portal to configure this connection by completing the following steps. The Azure portal provides the same capabilities as the Azure CLI and provides an interactive experience. --1. Select your Azure Spring Apps instance in the Azure portal and select **Apps** from the navigation menu. Choose the app you want to connect and select **Service Connector** on the navigation menu. --1. Select **Create**. --1. On the **Basics** tab, for service type, select Cosmos DB, then choose a subscription. For API type, select Core (SQL), choose a Cosmos DB account, and a database. For client type, select Java, then select **Next: Authentication**. If you haven't created your database yet, see [Quickstart: Create an Azure Cosmos DB account, database, container, and items from the Azure portal](../cosmos-db/nosql/quickstart-portal.md). --1. On the **Authentication** tab, choose **Connection string**. Service Connector automatically retrieves the access key from your Cosmos DB account. Select **Next: Networking**. --1. On the **Networking** tab, select **Configure firewall rules to enable access to target service**, then select **Next: Review + Create**. --1. On the **Review + Create** tab, wait for the validation to pass and then select **Create**. The creation can take a few minutes to complete. --1. Once the connection between your Spring apps and your Cosmos DB database has been generated, you can see it in the Service Connector page and select the unfold button to view the configured connection variables. --### [Terraform](#tab/Terraform) --The following Terraform script shows how to set up an app deployed to Azure Spring Apps with an Azure Cosmos DB account. --```terraform -provider "azurerm" { - features {} -} --variable "application_name" { - type = string - description = "The name of your application" - default = "demo-cosmosdb" -} --resource "azurerm_resource_group" "example" { - name = "example-resources" - location = "West Europe" -} --resource "azurerm_cosmosdb_account" "cosmosdb" { - name = "cosmosacct-${var.application_name}-001" - resource_group_name = azurerm_resource_group.example.name - location = azurerm_resource_group.example.location - offer_type = "Standard" - kind = "GlobalDocumentDB" -- consistency_policy { - consistency_level = "Session" - } -- geo_location { - failover_priority = 0 - location = azurerm_resource_group.example.location - } -} --resource "azurerm_cosmosdb_sql_database" "cosmosdb" { - name = "cosmos-${var.application_name}-001" - resource_group_name = azurerm_cosmosdb_account.cosmosdb.resource_group_name - account_name = azurerm_cosmosdb_account.cosmosdb.name -} --resource "azurerm_spring_cloud_service" "example" { - name = "${var.application_name}" - resource_group_name = azurerm_resource_group.example.name - location = azurerm_resource_group.example.location -} --resource "azurerm_spring_cloud_app" "example" { - name = "${var.application_name}-app" - resource_group_name = azurerm_resource_group.example.name - service_name = azurerm_spring_cloud_service.example.name - is_public = true - https_only = true -} --resource "azurerm_spring_cloud_java_deployment" "example" { - name = "default" - spring_cloud_app_id = azurerm_spring_cloud_app.example.id - quota { - cpu = "2" - memory = "4Gi" - } - instance_count = 1 - jvm_options = "-XX:+PrintGC" - runtime_version = "Java_11" -- environment_variables = { - "spring.cloud.azure.cosmos.endpoint" : azurerm_cosmosdb_account.cosmosdb.endpoint - "spring.cloud.azure.cosmos.key" : azurerm_cosmosdb_account.cosmosdb.primary_key - "spring.cloud.azure.cosmos.database" : azurerm_cosmosdb_sql_database.cosmosdb.name - } -} --resource "azurerm_spring_cloud_active_deployment" "example" { - spring_cloud_app_id = azurerm_spring_cloud_app.example.id - deployment_name = azurerm_spring_cloud_java_deployment.example.name -} -``` ----## Next steps --In this article, you learned how to connect your application in Azure Spring Apps to an Azure Cosmos DB database. To learn more about connecting services to your application, see [Connect to an Azure Cache for Redis cache](./how-to-bind-redis.md). |
spring-apps | How To Bind Mysql | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-bind-mysql.md | - Title: How to connect an Azure Database for MySQL instance to your application in Azure Spring Apps -description: Learn how to connect an Azure Database for MySQL instance to your application in Azure Spring Apps --- Previously updated : 11/09/2022-----# Connect an Azure Database for MySQL instance to your application in Azure Spring Apps --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Java ✔️ C# --**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise --With Azure Spring Apps, you can connect selected Azure services to your applications automatically, instead of having to configure your Spring Boot application manually. This article shows you how to connect your application to your Azure Database for MySQL instance. --## Prerequisites --* An application deployed to Azure Spring Apps. For more information, see [Quickstart: Deploy your first application to Azure Spring Apps](./quickstart.md). -* An Azure Database for MySQL Flexible Server instance. -* [Azure CLI](/cli/azure/install-azure-cli) version 2.45.0 or higher. --## Prepare your project --### [Java](#tab/Java) --1. In your project's *pom.xml* file, add the following dependency: -- ```xml - <dependency> - <groupId>org.springframework.boot</groupId> - <artifactId>spring-boot-starter-data-jpa</artifactId> - </dependency> - <dependency> - <groupId>com.azure.spring</groupId> - <artifactId>spring-cloud-azure-starter-jdbc-mysql</artifactId> - </dependency> - ``` --1. In the *application.properties* file, remove any `spring.datasource.*` properties. --1. Update the current app by running `az spring app deploy`, or create a new deployment for this change by running `az spring app deployment create`. --### [Polyglot](#tab/Polyglot) --All the connection strings and credentials are injected as environment variables, which you can reference in your application code. --For the default environment variable names, see [Integrate Azure Database for MySQL with Service Connector](../service-connector/how-to-integrate-mysql.md#default-environment-variable-names-or-application-properties-and-sample-code). ----## Connect your app to the Azure Database for MySQL instance --### [Service Connector](#tab/Service-Connector) --> [!NOTE] -> By default, Service Connectors are created at the application level. To override the connections, you can create other connections again in the deployments. --Follow these steps to configure your Spring app to connect to an Azure Database for MySQL Flexible Server with a system-assigned managed identity. --1. Use the following command to install the Service Connector passwordless extension for the Azure CLI. -- ```azurecli - az extension add --name serviceconnector-passwordless --upgrade - ``` --1. Then, use the following command to create a user-assigned managed identity for Microsoft Entra authentication. Be sure to replace the variables in the example with actual values. For more information, see [Set up Microsoft Entra authentication for Azure Database for MySQL - Flexible Server](../mysql/flexible-server/how-to-azure-ad.md). -- ```azurecli - export AZ_IDENTITY_RESOURCE_ID=$(az identity create \ - --name $AZURE_USER_IDENTITY_NAME \ - --resource-group $AZURE_IDENTITY_RESOURCE_GROUP \ - --query id \ - --output tsv) - ``` --1. Run the `az spring connection create` command, as shown in the following example. Be sure to replace the variables in the example with actual values. -- ```azurecli - az spring connection create mysql-flexible \ - --resource-group $AZURE_SPRING_APPS_RESOURCE_GROUP \ - --service $AZURE_SPRING_APPS_SERVICE_INSTANCE_NAME \ - --app $APP_NAME \ - --target-resource-group $MYSQL_RESOURCE_GROUP \ - --server $MYSQL_SERVER_NAME \ - --database $DATABASE_NAME \ - --system-identity mysql-identity-id=$AZ_IDENTITY_RESOURCE_ID - ``` --### [Terraform](#tab/Terraform) --The following Terraform script shows how to set up an Azure Spring Apps app with Azure Database for MySQL. --```terraform -provider "azurerm" { - features {} -} --variable "application_name" { - type = string - description = "The name of your application" - default = "demo-abc" -} --variable "administrator_login" { - type = string - description = "The MySQL administrator login" - default = "myadmin" -} --resource "azurerm_resource_group" "example" { - name = "example-resources" - location = "West Europe" -} --resource "random_password" "password" { - length = 32 - special = true - override_special = "_%@" -} --resource "azurerm_mysql_server" "database" { - name = "mysql-${var.application_name}-001" - resource_group_name = azurerm_resource_group.example.name - location = azurerm_resource_group.example.location -- administrator_login = var.administrator_login - administrator_login_password = random_password.password.result -- sku_name = "B_Gen5_1" - storage_mb = 5120 - version = "5.7" - auto_grow_enabled = true - backup_retention_days = 7 - geo_redundant_backup_enabled = false - infrastructure_encryption_enabled = false - public_network_access_enabled = true - ssl_enforcement_enabled = true - ssl_minimal_tls_version_enforced = "TLS1_2" -} --resource "azurerm_mysql_database" "database" { - name = "mysqldb-${var.application_name}-001" - resource_group_name = azurerm_resource_group.example.name - server_name = azurerm_mysql_server.database.name - charset = "utf8" - collation = "utf8_unicode_ci" -} --# This rule is to enable the 'Allow access to Azure services' checkbox -resource "azurerm_mysql_firewall_rule" "database" { - name = "mysqlfw-${var.application_name}-001" - resource_group_name = azurerm_resource_group.example.name - server_name = azurerm_mysql_server.database.name - start_ip_address = "0.0.0.0" - end_ip_address = "0.0.0.0" -} --resource "azurerm_spring_cloud_service" "example" { - name = "example-springcloud" - resource_group_name = azurerm_resource_group.example.name - location = azurerm_resource_group.example.location -} --resource "azurerm_spring_cloud_app" "example" { - name = "example-springcloudapp" - resource_group_name = azurerm_resource_group.example.name - service_name = azurerm_spring_cloud_service.example.name - is_public = true - https_only = true -} --resource "azurerm_spring_cloud_java_deployment" "example" { - name = "default" - spring_cloud_app_id = azurerm_spring_cloud_app.example.id - quota { - cpu = "2" - memory = "4Gi" - } - instance_count = 2 - jvm_options = "-XX:+PrintGC" - runtime_version = "Java_11" -- environment_variables = { - "spring.datasource.url" : "jdbc:mysql://${azurerm_mysql_server.database.fqdn}:3306/${azurerm_mysql_database.database.name}?useSSL=true&requireSSL=false&useLegacyDatetimeCode=false&serverTimezone=UTC" - "spring.datasource.username" : "${var.administrator_login}@${azurerm_mysql_server.database.name}" - "spring.datasource.password" : random_password.password.result - "spring.jpa.properties.hibernate.dialect" : "org.hibernate.dialect.MySQL5InnoDBDialect" - } -} --resource "azurerm_spring_cloud_active_deployment" "example" { - spring_cloud_app_id = azurerm_spring_cloud_app.example.id - deployment_name = azurerm_spring_cloud_java_deployment.example.name -} -``` ----## Next steps --In this article, you learned how to connect an application in Azure Spring Apps to an Azure Database for MySQL instance. To learn more about connecting services to an application, see [Connect an Azure Cosmos DB database to an application in Azure Spring Apps](./how-to-bind-cosmos.md). |
spring-apps | How To Bind Postgres | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-bind-postgres.md | - Title: How to bind an Azure Database for PostgreSQL to your application in Azure Spring Apps -description: Learn how to bind an Azure Database for PostgreSQL instance to your application in Azure Spring Apps. --- Previously updated : 09/26/2022---zone_pivot_group_filename: spring-apps/postgresql-zone-pivot-groups.json -zone_pivot_groups: passwordless-postgresql ---# Bind an Azure Database for PostgreSQL to your application in Azure Spring Apps --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Java ✔️ C# --**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise --With Azure Spring Apps, you can bind select Azure services to your applications automatically, instead of having to configure your Spring Boot application manually. This article shows you how to bind your application to your Azure Database for PostgreSQL instance. --In this article, we include two authentication methods: Microsoft Entra authentication and PostgreSQL authentication. The Passwordless tab shows the Microsoft Entra authentication and the Password tab shows the PostgreSQL authentication. --Microsoft Entra authentication is a mechanism for connecting to Azure Database for PostgreSQL using identities defined in Microsoft Entra ID. With Microsoft Entra authentication, you can manage database user identities and other Microsoft services in a central location, which simplifies permission management. --PostgreSQL authentication uses accounts stored in PostgreSQL. If you choose to use passwords as credentials for the accounts, these credentials are stored in the user table. Because these passwords are stored in PostgreSQL, you need to manage the rotation of the passwords by yourself. ---## Prerequisites --* An application deployed to Azure Spring Apps. For more information, see [Quickstart: Deploy your first application to Azure Spring Apps](./quickstart.md). -* An Azure Database for PostgreSQL Flexible Server instance. -* [Azure CLI](/cli/azure/install-azure-cli) version 2.45.0 or higher. --## Prepare your project --### [Java](#tab/JavaFlex) --Use the following steps to prepare your project. --1. In your project's *pom.xml* file, add the following dependency: -- ```xml - <dependency> - <groupId>org.springframework.boot</groupId> - <artifactId>spring-boot-starter-data-jpa</artifactId> - </dependency> - <dependency> - <groupId>com.azure.spring</groupId> - <artifactId>spring-cloud-azure-starter-jdbc-postgresql</artifactId> - </dependency> - ``` --1. In the *application.properties* file, remove any `spring.datasource.*` properties. --1. Update the current app by running `az spring app deploy`, or create a new deployment for this change by running `az spring app deployment create`. --### [Polyglot](#tab/PolyglotFlex) --All the connection strings and credentials are injected as environment variables, which you can reference in your application code. --For the default environment variable names, see [Integrate Azure Database for PostgreSQL with Service Connector](../service-connector/how-to-integrate-postgres.md#default-environment-variable-names-or-application-properties-and-sample-code). ----## Bind your app to the Azure Database for PostgreSQL instance --> [!NOTE] -> Be sure to select only one of the following approaches to create a connection. If you've already created tables with one connection, other users can't access or modify the tables. When you try the other approach, the application will throw errors such as "Permission denied". To fix this issue, connect to a new database or delete and recreate an existing one. --> [!NOTE] -> By default, Service Connectors are created at the application level. To override the connections, you can create other connections again in the deployments. --### [Passwordless (Recommended)](#tab/Passwordlessflex) --1. Install the [Service Connector](../service-connector/overview.md) passwordless extension for the Azure CLI: -- ```azurecli - az extension add --name serviceconnector-passwordless --upgrade - ``` --1. Configure Azure Spring Apps to connect to the PostgreSQL Database with a system-assigned managed identity using the `az spring connection create` command. -- ```azurecli - az spring connection create postgres-flexible \ - --resource-group $AZ_SPRING_APPS_RESOURCE_GROUP \ - --service $AZ_SPRING_APPS_SERVICE_INSTANCE_NAME \ - --app $APP_NAME \ - --deployment $DEPLOYMENT_NAME \ - --target-resource-group $POSTGRES_RESOURCE_GROUP \ - --server $POSTGRES_SERVER_NAME \ - --database $DATABASE_NAME \ - --system-identity - ``` --### [Password](#tab/Secretsflex) --Use the following steps to bind your app using a secret. --1. Note the admin username and password of your Azure Database for PostgreSQL account. --1. Connect to the server, create a database named **testdb** from a PostgreSQL client, and then create a new non-admin account. --1. Run the following command to connect to the database with admin username and password. -- ```azurecli - az spring connection create postgres-flexible \ - --resource-group $AZ_SPRING_APPS_RESOURCE_GROUP \ - --service $AZ_SPRING_APPS_SERVICE_INSTANCE_NAME \ - --app $APP_NAME \ - --deployment $DEPLOYMENT_NAME \ - --target-resource-group $POSTGRES_RESOURCE_GROUP \ - --server $POSTGRES_SERVER_NAME \ - --database $DATABASE_NAME \ - --secret name=$USERNAME secret=$PASSWORD - ``` ------## Prerequisites --* An application deployed to Azure Spring Apps. For more information, see [Quickstart: Deploy your first application to Azure Spring Apps](./quickstart.md). -* An Azure Database for PostgreSQL Single Server instance. -* [Azure CLI](/cli/azure/install-azure-cli) version 2.45.0 or higher. --## Prepare your project --### [Java](#tab/JavaSingle) --Use the following steps to prepare your project. --1. In your project's *pom.xml* file, add the following dependency: -- ```xml - <dependency> - <groupId>org.springframework.boot</groupId> - <artifactId>spring-boot-starter-data-jpa</artifactId> - </dependency> - <dependency> - <groupId>com.azure.spring</groupId> - <artifactId>spring-cloud-azure-starter-jdbc-postgresql</artifactId> - </dependency> - ``` --1. In the *application.properties* file, remove any `spring.datasource.*` properties. --1. Update the current app by running `az spring app deploy`, or create a new deployment for this change by running `az spring app deployment create`. --### [Polyglot](#tab/PolyglotSingle) --All the connection strings and credentials will be injected as the environment variables, which can be referenced in your application codes. --You can find the default environment variable names in this doc: [Integrate Azure Database for PostgreSQL with Service Connector](../service-connector/how-to-integrate-postgres.md#default-environment-variable-names-or-application-properties-and-sample-code) ----## Bind your app to the Azure Database for PostgreSQL instance --> [!NOTE] -> Service Connectors are created at the deployment level. So if another deployment is created, you need to create the connections again. --### [Passwordless](#tab/PasswordlessSingle) --1. Install the [Service Connector](../service-connector/overview.md) passwordless extension for the Azure CLI: -- ```azurecli - az extension add --name serviceconnector-passwordless --upgrade - ``` --1. Configure Azure Spring Apps to connect to the PostgreSQL Database with a system-assigned managed identity using the `az spring connection create` command. -- ```azurecli - az spring connection create postgres \ - --resource-group $AZ_SPRING_APPS_RESOURCE_GROUP \ - --service $AZ_SPRING_APPS_SERVICE_INSTANCE_NAME \ - --app $APP_NAME \ - --deployment $DEPLOYMENT_NAME \ - --target-resource-group $POSTGRES_RESOURCE_GROUP \ - --server $POSTGRES_SERVER_NAME \ - --database $DATABASE_NAME \ - --system-identity - ``` --### [Password](#tab/SecretsSingle) --Use the following steps to bind your app using a secret. --1. Note the admin username and password of your Azure Database for PostgreSQL account. --1. Connect to the server, create a database named **testdb** from a PostgreSQL client, and then create a new non-admin account. --1. Run the following command to connect to the database with admin username and password. -- ```azurecli - az spring connection create postgres \ - --resource-group $AZ_SPRING_APPS_RESOURCE_GROUP \ - --service $AZ_SPRING_APPS_SERVICE_INSTANCE_NAME \ - --app $APP_NAME \ - --deployment $DEPLOYMENT_NAME \ - --target-resource-group $POSTGRES_RESOURCE_GROUP \ - --server $POSTGRES_SERVER_NAME \ - --database $DATABASE_NAME \ - --secret name=$USERNAME secret=$PASSWORD - ``` -----## Next steps --In this article, you learned how to bind an application in Azure Spring Apps to an Azure Database for PostgreSQL instance. To learn more about binding services to an application, see [Bind an Azure Cosmos DB database to an application in Azure Spring Apps](./how-to-bind-cosmos.md). |
spring-apps | How To Bind Redis | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-bind-redis.md | - Title: Connect Azure Cache for Redis to your application in Azure Spring Apps -description: Learn how to connect Azure Cache for Redis to your application in Azure Spring Apps --- Previously updated : 10/31/2019-----# Connect Azure Cache for Redis to your application in Azure Spring Apps --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Java ✔️ C# --**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise --Instead of manually configuring your Spring Boot applications, you can automatically connect selected Azure services to your applications by using Azure Spring Apps. This article shows how to connect your application to Azure Cache for Redis. --## Prerequisites --* A deployed Azure Spring Apps instance -* An Azure Cache for Redis service instance -* The Azure Spring Apps extension for the Azure CLI --If you don't have a deployed Azure Spring Apps instance, follow the steps in the [Quickstart: Deploy your first application to Azure Spring Apps](./quickstart.md). --## Prepare your project --### [Java](#tab/Java) --1. Add the following dependency to your project's *pom.xml* file: -- ```xml - <dependency> - <groupId>org.springframework.boot</groupId> - <artifactId>spring-boot-starter-data-redis-reactive</artifactId> - </dependency> - ``` --1. Remove any `spring.redis.*` properties from the *application.properties* file --1. Update the current deployment using `az spring app update` or create a new deployment using `az spring app deployment create`. --### [Polyglot](#tab/Polyglot) --All the connection strings and credentials are injected as environment variables, which you can reference in your application code. --For the default environment variable names, see [Integrate Azure Cache for Redis with Service Connector](../service-connector/how-to-integrate-redis-cache.md#default-environment-variable-names-or-application-properties-and-sample-code). ----## Connect your app to the Azure Cache for Redis --### [Service Connector](#tab/Service-Connector) --> [!NOTE] -> By default, Service Connectors are created at the application level. To override the connections, you can create other connections again in the deployments. --1. Use the Azure CLI to configure your Spring app to connect to a Redis database with an access key using the `az spring connection create` command, as shown in the following example. -- ```azurecli - az spring connection create redis \ - --resource-group $AZURE_SPRING_APPS_RESOURCE_GROUP \ - --service $AZURE_SPRING_APPS_SERVICE_INSTANCE_NAME \ - --app $APP_NAME \ - --deployment $DEPLOYMENT_NAME \ - --target-resource-group $REDIS_RESOURCE_GROUP \ - --server $REDIS_SERVER_NAME\ - --database $REDIS_DATABASE_NAME \ - --secret - ``` -- > [!NOTE] - > If you're using [Service Connector](../service-connector/overview.md) for the first time, start by running the command `az provider register --namespace Microsoft.ServiceLinker` to register the Service Connector resource provider. - > - > If you're using Redis Enterprise, use the `az spring connection create redis-enterprise` command instead. -- > [!TIP] - > Run the command `az spring connection list-support-types --output table` to get a list of supported target services and authentication methods for Azure Spring Apps. If the `az spring` command isn't recognized by the system, check that you have installed the required extension by running `az extension add --name spring`. --1. Alternatively, you can use the Azure portal to configure this connection by completing the following steps. The Azure portal provides the same capabilities as the Azure CLI and provides an interactive experience. -- 1. Select your Azure Spring Apps instance in the Azure portal and then select **Apps** from the navigation menu. Choose the app you want to connect and then select **Service Connector** on the navigation menu. -- 1. Select **Create**. -- 1. On the **Basics** tab, for service type, select Cache for Redis. Choose a subscription and a Redis cache server. Fill in the Redis database name ("0" in this example) and under client type, select Java. Select **Next: Authentication**. -- 1. On the **Authentication** tab, choose **Connection string**. Service Connector automatically retrieves the access key from your Redis database account. Select **Next: Networking**. -- 1. On the **Networking** tab, select **Configure firewall rules to enable access to target service**, then select **Review + Create**. -- 1. On the **Review + Create** tab, wait for the validation to pass and then select **Create**. The creation can take a few minutes to complete. -- 1. Once the connection between your Spring app your Redis database has been generated, you can see it in the Service Connector page and select the unfold button to view the configured connection variables. --### [Terraform](#tab/Terraform) --The following Terraform script shows how to set up an Azure Spring Apps app with Azure Cache for Redis. --```terraform -provider "azurerm" { - features {} -} --variable "application_name" { - type = string - description = "The name of your application" - default = "demo-abc" -} --resource "azurerm_resource_group" "example" { - name = "example-resources" - location = "West Europe" -} --resource "azurerm_redis_cache" "redis" { - name = "redis-${var.application_name}-001" - resource_group_name = azurerm_resource_group.example.name - location = azurerm_resource_group.example.location - capacity = 0 - family = "C" - sku_name = "Standard" - enable_non_ssl_port = false - minimum_tls_version = "1.2" -} --resource "azurerm_spring_cloud_service" "example" { - name = "${var.application_name}" - resource_group_name = azurerm_resource_group.example.name - location = azurerm_resource_group.example.location -} --resource "azurerm_spring_cloud_app" "example" { - name = "${var.application_name}-app" - resource_group_name = azurerm_resource_group.example.name - service_name = azurerm_spring_cloud_service.example.name - is_public = true - https_only = true -} --resource "azurerm_spring_cloud_java_deployment" "example" { - name = "default" - spring_cloud_app_id = azurerm_spring_cloud_app.example.id - quota { - cpu = "2" - memory = "4Gi" - } - instance_count = 2 - jvm_options = "-XX:+PrintGC" - runtime_version = "Java_11" -- environment_variables = { - "spring.redis.host" = azurerm_redis_cache.redis.hostname - "spring.redis.password" = azurerm_redis_cache.redis.primary_access_key - "spring.redis.port" = "6380" - "spring.redis.ssl" = "true" - } -} --resource "azurerm_spring_cloud_active_deployment" "example" { - spring_cloud_app_id = azurerm_spring_cloud_app.example.id - deployment_name = azurerm_spring_cloud_java_deployment.example.name -} -``` ----## Next steps --In this article, you learned how to connect your application in Azure Spring Apps to Azure Cache for Redis. To learn more about connecting services to your application, see [Connect to an Azure Database for MySQL instance](./how-to-bind-mysql.md). |
spring-apps | How To Built In Persistent Storage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-built-in-persistent-storage.md | - Title: Use built-in persistent storage in Azure Spring Apps | Microsoft Docs -description: Learn how to use built-in persistent storage in Azure Spring Apps --- Previously updated : 10/28/2021-----# Use built-in persistent storage in Azure Spring Apps --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Java ✔️ C# --**This article applies to:** ✔️ Basic/Standard ❌ Enterprise --Azure Spring Apps provides two types of built-in storage for your application: persistent and temporary. --By default, Azure Spring Apps provides temporary storage for each application instance. Temporary storage is limited to 5 GB per instance with */tmp* as the default mount path. --> [!WARNING] -> If you restart an application instance, the associated temporary storage is permanently deleted. --Persistent storage is a file-share container managed by Azure and allocated per application. All instances of an application share data stored in persistent storage. An Azure Spring Apps instance can have a maximum of 10 applications with persistent storage enabled. Each application is allocated 50 GB of persistent storage. The default mount path for persistent storage is */persistent*. --## Enable or disable built-in persistent storage --You can enable or disable built-in persistent storage using the Azure portal or Azure CLI. --#### [Portal](#tab/azure-portal) --Use the following steps to enable or disable built-in persistent storage using the Azure portal. --1. Go to your Azure Spring Apps instance in the Azure portal. --1. Select **Apps** to view apps for your service instance, and then select an app to display the app's **Overview** page. -- :::image type="content" source="media/how-to-built-in-persistent-storage/app-selected.png" lightbox="media/how-to-built-in-persistent-storage/app-selected.png" alt-text="Screenshot of Azure portal showing the Apps page."::: --1. On the **Overview** page, select **Configuration**. -- :::image type="content" source="media/how-to-built-in-persistent-storage/select-configuration.png" lightbox="media/how-to-built-in-persistent-storage/select-configuration.png" alt-text="Screenshot of Azure portal showing details for an app."::: --1. On the **Configuration** page, select **Persistent Storage**. -- :::image type="content" source="media/how-to-built-in-persistent-storage/select-persistent-storage.png" lightbox="media/how-to-built-in-persistent-storage/select-persistent-storage.png" alt-text="Screenshot of Azure portal showing the Configuration page."::: --1. On the **Persistent Storage** tab, select **Enable** to enable persistent storage, or **Disable** to disable persistent storage. -- :::image type="content" source="media/how-to-built-in-persistent-storage/enable-persistent-storage.png" lightbox="media/how-to-built-in-persistent-storage/enable-persistent-storage.png" alt-text="Screenshot of Azure portal showing the Persistent Storage tab."::: --If persistent storage is enabled, the **Persistent Storage** tab displays the storage size and path. --#### [Azure CLI](#tab/azure-cli) --If necessary, install the Azure Spring Apps extension for the Azure CLI using this command: --```azurecli -az extension add --name spring -``` --Other operations: --- To create an app with built-in persistent storage enabled:-- ```azurecli - az spring app create -n <app> -g <resource-group> -s <service-name> --enable-persistent-storage true - ``` --- To enable built-in persistent storage for an existing app:-- ```azurecli - az spring app update -n <app> -g <resource-group> -s <service-name> --enable-persistent-storage true - ``` --- To disable built-in persistent storage in an existing app:-- ```azurecli - az spring app update -n <app> -g <resource-group> -s <service-name> --enable-persistent-storage false - ``` ----> [!WARNING] -> If you disable an application's persistent storage, all of that storage is deallocated and all of the stored data is permanently lost. --## Next steps --- [Quotas and service plans for Azure Spring Apps](./quotas.md)-- [Scale an application in Azure Spring Apps](./how-to-scale-manual.md) |
spring-apps | How To Circuit Breaker Metrics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-circuit-breaker-metrics.md | - Title: Collect Spring Cloud Resilience4J Circuit Breaker Metrics with Micrometer -description: How to collect Spring Cloud Resilience4J Circuit Breaker Metrics with Micrometer in Azure Spring Apps. ---- Previously updated : 12/15/2020----# Collect Spring Cloud Resilience4J Circuit Breaker Metrics with Micrometer (Preview) --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise --This article shows you how to collect Spring Cloud Resilience4j Circuit Breaker Metrics with Application Insights Java in-process agent. With this feature, you can monitor the metrics of Resilience4j circuit breaker from Application Insights with Micrometer. --The demo [spring-cloud-circuit-breaker-demo](https://github.com/spring-cloud-samples/spring-cloud-circuitbreaker-demo) shows how the monitoring works. --## Prerequisites --* Enable Java In-Process agent from the [Java In-Process Agent for Application Insights guide](./how-to-application-insights.md#manage-application-insights-using-the-azure-portal). -* Enable dimension collection for resilience4j metrics from the [Application Insights guide](../azure-monitor/app/pre-aggregated-metrics-log-metrics.md#custom-metrics-dimensions-and-pre-aggregation). -* Install Git, Maven, and Java, if not already installed on the development computer. --## Build and deploy apps --Use the following steps to build and deploy the sample applications. --1. Clone and build the demo repository. -- ```bash - git clone https://github.com/spring-cloud-samples/spring-cloud-circuitbreaker-demo.git - cd spring-cloud-circuitbreaker-demo && mvn clean package -DskipTests - ``` --1. Create applications with endpoints. -- ```azurecli - az spring app create \ - --resource-group ${resource-group-name} \ - --service ${Azure-Spring-Apps-instance-name} \ - --name resilience4j \ - --assign-endpoint - az spring app create \ - --resource-group ${resource-group-name} \ - --service ${Azure-Spring-Apps-instance-name} \ - --name reactive-resilience4j \ - --assign-endpoint - ``` --1. Deploy applications. -- ```azurecli - az spring app deploy \ - --resource-group ${resource-group-name} \ - --service ${Azure-Spring-Apps-instance-name} \ - --name resilience4j \ - --artifact-path ./spring-cloud-circuitbreaker-demo-resilience4j/target/spring-cloud-circuitbreaker-demo-resilience4j-0.0.1-SNAPSHOT.jar - az spring app deploy \ - --resource-group ${resource-group-name} \ - --service ${Azure-Spring-Apps-instance-name} \ - --name reactive-resilience4j \ - --artifact-path ./spring-cloud-circuitbreaker-demo-reactive-resilience4j/target/spring-cloud-circuitbreaker-demo-reactive-resilience4j-0.0.1-SNAPSHOT.jar - ``` --> [!NOTE] -> -> * Include the required dependency for Resilience4j: -> -> ```xml -> <dependency> -> <groupId>io.github.resilience4j</groupId> -> <artifactId>resilience4j-micrometer</artifactId> -> </dependency> -> <dependency> -> <groupId>org.springframework.cloud</groupId> -> <artifactId>spring-cloud-starter-circuitbreaker-resilience4j</artifactId> -> </dependency> -> ``` -> -> * Your code must use the `CircuitBreakerFactory` API, which is implemented as a `bean` automatically created when you include a Spring Cloud Circuit Breaker starter. For more information, see [Spring Cloud Circuit Breaker](https://spring.io/projects/spring-cloud-circuitbreaker#overview). -> -> * The following two dependencies have conflicts with Resilient4j packages. Be sure you don't include them. -> -> ```xml -> <dependency> -> <groupId>org.springframework.cloud</groupId> -> <artifactId>spring-cloud-starter-sleuth</artifactId> -> </dependency> -> <dependency> -> <groupId>org.springframework.cloud</groupId> -> <artifactId>spring-cloud-starter-zipkin</artifactId> -> </dependency> -> ``` -> -> -> Navigate to the URL provided by gateway applications, and access the endpoint from [spring-cloud-circuit-breaker-demo](https://github.com/spring-cloud-samples/spring-cloud-circuitbreaker-demo) as follows: -> -> ```console -> /get -> /delay/{seconds} -> /fluxdelay/{seconds} -> ``` --## Locate Resilence4j Metrics on the Azure portal --1. In your Azure Spring Apps instance, select **Application Insights** in the navigation pane and then select **Application Insights** on the page. -- :::image type="content" source="media/how-to-circuit-breaker-metrics/application-insights.png" alt-text="Screenshot of the Azure portal showing the Azure Spring Apps Application Insights page with the Application Insights on the button bar highlighted." lightbox="media/how-to-circuit-breaker-metrics/application-insights.png"::: --1. Select **Metrics** in the navigation pane. The **Metrics** page provides dropdown menus and options to define the charts in this procedure. For all charts, set **Metric Namespace** to **azure.applicationinsights**. -- :::image type="content" source="media/how-to-circuit-breaker-metrics/chart-menus.png" alt-text="Screenshot of the Azure portal Application Insights Metrics page, with Metrics highlighted in the navigation pane, and with azure-applicationinsights highlighted in the Metric Namespace dropdown menu." lightbox="media/how-to-circuit-breaker-metrics/chart-menus.png"::: --1. Set **Metric** to **resilience4j_circuitbreaker_buffered_calls**, and then set **Aggregation** to **Avg**. -- :::image type="content" source="media/how-to-circuit-breaker-metrics/buffered-calls.png" alt-text="Screenshot of the Azure portal Application Insights Metrics page showing a chart with Metric set to circuit breaker buffered calls and Aggregation set to Average." lightbox="media/how-to-circuit-breaker-metrics/buffered-calls.png"::: --1. Set **Metric** to **resilience4j_circuitbreaker_calls**, and then set **Aggregation** to **Avg**. -- :::image type="content" source="media/how-to-circuit-breaker-metrics/calls.png" alt-text="Screenshot of the Azure portal Application Insights Metrics page showing a chart with Metric set to circuit breaker calls and Aggregation set to Average." lightbox="media/how-to-circuit-breaker-metrics/calls.png"::: --1. Set **Metric** to **resilience4j_circuitbreaker_calls**, and then set **Aggregation** to **Avg**. Select **Add filter** and set **Name** to **Delay**. -- :::image type="content" source="media/how-to-circuit-breaker-metrics/calls-filter.png" alt-text="Screenshot of the Azure portal Application Insights Metrics page showing a chart with Metric set to circuit breaker calls and Aggregation set to Average, and with Filter set to the name Delay." lightbox="media/how-to-circuit-breaker-metrics/calls-filter.png"::: --1. Set **Metric** to **resilience4j_circuitbreaker_calls**, and then set **Aggregation** to **Avg**. Select **Apply splitting** and set **Split by** to **kind**. -- :::image type="content" source="media/how-to-circuit-breaker-metrics/calls-splitting.png" alt-text="Screenshot of the Azure portal Application Insights Metrics page showing a chart with Metric set to circuit breaker calls and Aggregation set to Average, and with Apply splitting selected with Split by set to kind." lightbox="media/how-to-circuit-breaker-metrics/calls-splitting.png"::: --1. Set **Metric** to **resilience4j_circuitbreaker_calls**, and then set **Aggregation** to **Avg**. Select **Add metric** and set **Metric** to **resilience4j_circuitbreaker_buffered_calls**, and then set **Aggregation** to **Avg**. Select **Add metric** again and set **Metric** to **resilience4j_circuitbreaker_slow_calls**, and then set **Aggregation** set to **Avg**. -- :::image type="content" source="media/how-to-circuit-breaker-metrics/slow-calls.png" alt-text="Screenshot of the Azure portal Application Insights Metrics page showing three charts: A chart with Metric set to circuit breaker calls and Aggregation set to Average. A chart with Metric set to circuit breaker calls buffered and Aggregation set to Average. A chart with Metric set to circuit breaker slow calls and Aggregation set to Average." lightbox="media/how-to-circuit-breaker-metrics/slow-calls.png"::: --## Next steps --* [Application insights](./how-to-application-insights.md) -* [Circuit breaker dashboard](./tutorial-circuit-breaker.md) |
spring-apps | How To Config Server | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-config-server.md | - Title: Configure your managed Spring Cloud Config Server in Azure Spring Apps -description: Learn how to configure a managed Spring Cloud Config Server in Azure Spring Apps on the Azure portal ---- Previously updated : 12/10/2021----# Configure a managed Spring Cloud Config Server in Azure Spring Apps --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Java ✔️ C# --**This article applies to:** ✔️ Standard consumption and dedicated (Preview) ✔️ Basic/Standard ❌ Enterprise --This article shows you how to configure a managed Spring Cloud Config Server in Azure Spring Apps service. --Spring Cloud Config Server provides server and client-side support for an externalized configuration in a distributed system. The Config Server instance provides a central place to manage external properties for applications across all environments. For more information, see the [Spring Cloud Config documentation](https://spring.io/projects/spring-cloud-config). --> [!NOTE] -> To use config server in the Standard consumption and dedicated plan, you must enable it first. For more information, see [Enable and disable Spring Cloud Config Server in Azure Spring Apps](quickstart-standard-consumption-config-server.md). --## Prerequisites --- An Azure subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.-- An already provisioned and running Azure Spring Apps service instance using the Basic or Standard plan. To set up and launch an Azure Spring Apps service, see [Quickstart: Deploy your first application to Azure Spring Apps](./quickstart.md). Spring Cloud Config Server isn't applicable to the Enterprise plan.-- [Git](https://git-scm.com/downloads).--## Restriction --There are some restrictions when you use Config Server with a Git back end. The following properties are automatically injected into your application environment to access Config Server and Service Discovery. If you also configure those properties from your Config Server files, you might experience conflicts and unexpected behavior. --```yaml -eureka.client.service-url.defaultZone -eureka.client.tls.keystore -eureka.instance.preferIpAddress -eureka.instance.instance-id -server.port -spring.cloud.config.tls.keystore -spring.config.import -spring.application.name -spring.jmx.enabled -management.endpoints.jmx.exposure.include -``` --> [!CAUTION] -> Don't put these properties in your Config Server application files. --## Create your Config Server files --Azure Spring Apps supports Azure DevOps Server, GitHub, GitLab, and Bitbucket for storing your Config Server files. When your repository is ready, you can create the configuration files and store them there. --Some configurable properties are available only for certain types. The following sections describe the properties for each repository type. --> [!NOTE] -> Config Server takes `master` (on Git) as the default label if you don't specify one. However, GitHub has recently changed the default branch from `master` to `main`. To avoid Azure Spring Apps Config Server failure, be sure to pay attention to the default label when setting up Config Server with GitHub, especially for newly-created repositories. --### Public repository --When you use a public repository, your configurable properties are more limited than with a private repository. --The following table lists the configurable properties that you can use to set up a public Git repository. --> [!NOTE] -> Using a hyphen (-) to separate words is the only naming convention that's currently supported. For example, you can use *default-label*, but not *defaultLabel*. --| Property | Required | Feature | -|:-|-|| -| `uri` | Yes | The URI of the Git repository that's used as the Config Server back end. Should begin with `http://`, `https://`, `git@`, or `ssh://`. | -| `default-label` | No | The default label of the Git repository. Should be the branch name, tag name, or commit ID of the repository. | -| `search-paths` | No | An array of strings that are used to search subdirectories of the Git repository. | --### Private repository with SSH authentication --The following table lists the configurable properties that you can use to set up a private Git repository with SSH. --> [!NOTE] -> Using a hyphen (-) to separate words is the only naming convention that's currently supported. For example, you can use *default-label*, but not *defaultLabel*. --| Property | Required | Feature | -|:|-|| -| `uri` | Yes | The URI of the Git repository used as the Config Server back end. Should begin with `http://`, `https://`, `git@`, or `ssh://`. | -| `default-label` | No | The default label of the Git repository. Should be the branch name, tag name, or commit ID of the repository. | -| `search-paths` | No | An array of strings used to search subdirectories of the Git repository. | -| `private-key` | No | The SSH private key to access the Git repository. Required when the URI starts with `git@` or `ssh://`. | -| `host-key` | No | The host key of the Git repository server. Shouldn't include the algorithm prefix as covered by `host-key-algorithm`. | -| `host-key-algorithm` | No | The host key algorithm. Should be *ssh-dss*, *ssh-rsa*, *ecdsa-sha2-nistp256*, *ecdsa-sha2-nistp384*, or *ecdsa-sha2-nistp521*. Required only if `host-key` exists. | -| `strict-host-key-checking` | No | Indicates whether the Config Server instance fails to start when using the private `host-key`. Should be *true* (default value) or *false*. | --### Private repository with basic authentication --The following table lists the configurable properties that you can use to set up a private Git repository with basic authentication. --> [!NOTE] -> Using a hyphen (-) to separate words is the only naming convention that's currently supported. For example, use *default-label*, not *defaultLabel*. --| Property | Required | Feature | -|:-|-|-| -| `uri` | Yes | The URI of the Git repository that's used as the Config Server back end. Should begin with `http://`, `https://`, `git@`, or `ssh://`. | -| `default-label` | No | The default label of the Git repository. Should be the *branch name*, *tag name*, or *commit-id* of the repository. | -| `search-paths` | No | An array of strings used to search subdirectories of the Git repository. | -| `username` | No | The username that's used to access the Git repository server. Required when the Git repository server supports HTTP basic authentication. | -| `password` | No | The password or personal access token used to access the Git repository server. Required when the Git repository server supports HTTP basic authentication. | --> [!NOTE] -> Many Git repository servers support the use of tokens rather than passwords for HTTP basic authentication. Some repositories allow tokens to persist indefinitely. However, some Git repository servers, including Azure DevOps Server, force tokens to expire in a few hours. Repositories that cause tokens to expire shouldn't use token-based authentication with Azure Spring Apps. If you use such a token, remember to update it before it expires. -> -> GitHub has removed support for password authentication, so you need to use a personal access token instead of password authentication for GitHub. For more information, see [Token authentication requirements for Git operations](https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/). --### Other Git repositories --The following table lists the configurable properties you can use to set up Git repositories with a pattern. --> [!NOTE] -> Using a hyphen (-) to separate words is the only naming convention that's currently supported. For example, use *default-label*, not *defaultLabel*. --| Property | Required | Feature | -|:--|-|| -| `repos` | No | A map consisting of the settings for a Git repository with a given name. | -| `repos."uri"` | Yes on `repos` | The URI of the Git repository that's used as the Config Server back end. Should begin with `http://`, `https://`, `git@`, or `ssh://`. | -| `repos."name"` | Yes on `repos` | A name to identify the repository; for example, *team-A* or *team-B*. Required only if `repos` exists. | -| `repos."pattern"` | No | An array of strings used to match an application name. For each pattern, use the format *{application}/{profile}* format with wildcards. | -| `repos."default-label"` | No | The default label of the Git repository. Should be the branch name, tag name, or commit IOD of the repository. | -| `repos."search-paths`" | No | An array of strings used to search subdirectories of the Git repository. | -| `repos."username"` | No | The username used to access the Git repository server. Required when the Git repository server supports HTTP basic authentication. | -| `repos."password"` | No | The password or personal access token used to access the Git repository server. Required when the Git repository server supports HTTP basic authentication. | -| `repos."private-key"` | No | The SSH private key to access Git repository. Required when the URI begins with `git@` or `ssh://`. | -| `repos."host-key"` | No | The host key of the Git repository server. Shouldn't include the algorithm prefix as covered by `host-key-algorithm`. | -| `repos."host-key-algorithm"` | No | The host key algorithm. Should be *ssh-dss*, *ssh-rsa*, *ecdsa-sha2-nistp256*, *ecdsa-sha2-nistp384*, or *ecdsa-sha2-nistp521*. Required only if `host-key` exists. | -| `repos."strict-host-key-checking"` | No | Indicates whether the Config Server instance fails to start when using the private `host-key`. Should be *true* (default value) or *false*. | --The following table shows some examples of patterns for configuring your service with an optional extra repository. For more information, see the [Extra repositories](#extra-repositories) section and the [Pattern Matching and Multiple Repositories section](https://cloud.spring.io/spring-cloud-config/reference/html/#_pattern_matching_and_multiple_repositories) of the Spring documentation. --| Patterns | Description | -|:--|| -| *test-config-server-app-0/\** | The pattern and repository URI matches a Spring boot application named `test-config-server-app-0` with any profile. | -| *test-config-server-app-1/dev* | The pattern and repository URI matches a Spring boot application named `test-config-server-app-1` with a dev profile. | -| *test-config-server-app-2/prod* | The pattern and repository URI matches a Spring boot application named `test-config-server-app-2` with a prod profile. | ---## Attach your Config Server repository to Azure Spring Apps --Now that your configuration files are saved in a repository, use the following steps to connect Azure Spring Apps to the repository. --1. Sign in to the [Azure portal](https://portal.azure.com). --1. Go to your Azure Spring Apps **Overview** page. --1. Select **Config Server** in the left navigation pane. --1. In the **Default repository** section, set **URI** to `https://github.com/Azure-Samples/piggymetrics-config`. --1. Select **Validate**. -- :::image type="content" source="media/how-to-config-server/portal-config.png" lightbox="media/how-to-config-server/portal-config.png" alt-text="Screenshot of Azure portal showing the Config Server page."::: --1. When validation is complete, select **Apply** to save your changes. -- :::image type="content" source="media/how-to-config-server/validate-complete.png" lightbox="media/how-to-config-server/validate-complete.png" alt-text="Screenshot of Azure portal showing Config Server page with Apply button highlighted."::: --Updating the configuration can take a few minutes. You should get a notification when the configuration is complete. --### Enter repository information directly to the Azure portal --You can enter repository information for the default repository and, optionally, for extra repositories. --#### Default repository --Use the steps in this section to enter repository information for a public or private repository. --- **Public repository**: In the **Default repository** section, in the **Uri** box, paste the repository URI. Enter *config* for the **Label** setting. Ensure that the **Authentication** setting is *Public*, and then select **Apply**.--- **Private repository**: Azure Spring Apps supports basic password/token-based authentication and SSH.-- - **Basic Authentication**: In the **Default repository** section, in the **Uri** box, paste the repository URI, and then select the setting under **Authentication** to open the **Edit Authentication** pane. In the **Authentication type** drop-down list, select **HTTP Basic**, and then enter your username and password/token to grant access to Azure Spring Apps. Select **OK**, and then select **Apply** to finish setting up your Config Server instance. -- :::image type="content" source="media/how-to-config-server/basic-auth.png" lightbox="media/how-to-config-server/basic-auth.png" alt-text="Screenshot of the Default repository section showing authentication settings for Basic authentication."::: -- > [!NOTE] - > Many Git repository servers support the use of tokens rather than passwords for HTTP basic authentication. Some repositories allow tokens to persist indefinitely. However, some Git repository servers, including Azure DevOps Server, force tokens to expire in a few hours. Repositories that cause tokens to expire shouldn't use token-based authentication with Azure Spring Apps. If you use such a token, remember to update it before it expires. - > - > GitHub has removed support for password authentication, so you need to use a personal access token instead of password authentication for GitHub. For more information, see [Token authentication requirements for Git operations](https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/). -- - **SSH**: In the **Default repository** section, in the **Uri** box, paste the repository URI, and then select the setting under **Authentication** to open the **Edit Authentication** pane. In the **Edit Authentication** pane, in the **Authentication type** drop-down list, select **SSH**, and then enter your private key. Optionally, specify your host key and host key algorithm. Include your public key in your Config Server repository. Select **OK**, and then select **Apply** to finish setting up your Config Server instance. -- :::image type="content" source="media/how-to-config-server/ssh-auth.png" lightbox="media/how-to-config-server/ssh-auth.png" alt-text="Screenshot of the Default repository section showing authentication settings for SSH authentication."::: --#### Extra repositories --If you want to configure your service with an optional extra repository, specify the **Uri** and **Authentication** settings as you did for the default repository. Be sure to include a **Name** setting for your pattern, and then select **Apply** to attach it to your instance. --### Enter repository information into a YAML file --If you've written a YAML file with your repository settings, you can import the file directly from your local machine to Azure Spring Apps. The following example shows a simple YAML file for a private repository with basic authentication. --```yaml -spring: - cloud: - config: - server: - git: - uri: https://github.com/azure-spring-apps-samples-pr/config-server-repository.git - username: <username> - password: <password/token> -``` --Select the **Import settings** button, and then select the YAML file from your project directory. Select **Import**. ---Your **Notifications** displays an `async` operation. Config Server should report success after 1-2 minutes. The information from your YAML file displays in the Azure portal. Select **Apply** to finish the import. --## Use Azure Repos for Azure Spring Apps configuration --Azure Spring Apps can access Git repositories that are public, secured by SSH, or secured using HTTP basic authentication. HTTP basic authentication is the easiest of the options for creating and managing repositories with Azure Repos. --### Get repo URL and credentials --Use the following steps to get your repo URL and credentials. --1. In the Azure Repos portal for your project, select the **Clone** button: --1. Copy the clone URL from the textbox. This URL is typically in the following form: -- ```text - https://<organization name>@dev.azure.com/<organization name>/<project name>/_git/<repository name> - ``` -- Remove everything after `https://` and before `dev.azure.com`, including the `@` symbol. The resulting URL should be in the following form: -- ```text - https://dev.azure.com/<organization name>/<project name>/_git/<repository name> - ``` -- Save this URL for use in the next section. --1. Select **Generate Git Credentials** to display a username and password, which should be saved for use in the following section. --### Configure Azure Spring Apps to access the Git repository --1. Sign in to the [Azure portal](https://portal.azure.com). --1. Go to your Azure Spring Apps **Overview** page. --1. Select the service to configure. --1. In the left pane of the service page under **Settings**, select the **Config Server** tab. Configure the repository you created, as follows: -- - Add the repository URI that you saved in the previous section. - - Select the setting under **Authentication** to open the **Edit Authentication** pane. - - For **Authentication type**, select **HTTP Basic**. - - For **Username**, specify the user name that you saved in the previous section. - - For **Password**, specify the password that you saved in the previous section. - - Select **OK**, and then wait for the operation to complete. -- :::image type="content" source="media/how-to-config-server/config-server-azure-repos.png" lightbox="media/how-to-config-server/config-server-azure-repos.png" alt-text="Screenshot of repository configuration settings."::: --## Delete your configuration --Select **Reset** on the **Config Server** tab to erase your existing settings. Delete the config server settings if you want to connect your Config Server instance to another source, such as when you're moving from GitHub to Azure DevOps Server. --## Config Server refresh --When properties are changed, services consuming those properties must be notified before changes can be made. The default solution for Spring Cloud Config Server is to manually trigger the refresh event, which may not be feasible if there are many app instances. For more information, see [Centralized Configuration](https://spring.io/guides/gs/centralized-configuration/) --Instead, you can automatically refresh values from Config Server by letting the config client poll for changes based on a refresh internal. Use the following steps to automatically refresh values from Config Server. --1. Register a scheduled task to refresh the context in a given interval, as shown in the following example. -- ```java - @ConditionalOnBean({RefreshEndpoint.class}) - @Configuration - @AutoConfigureAfter({RefreshAutoConfiguration.class, RefreshEndpointAutoConfiguration.class}) - @EnableScheduling - public class ConfigClientAutoRefreshConfiguration implements SchedulingConfigurer { - @Value("${spring.cloud.config.refresh-interval:60}") - private long refreshInterval; - @Value("${spring.cloud.config.auto-refresh:false}") - private boolean autoRefresh; - private RefreshEndpoint refreshEndpoint; - public ConfigClientAutoRefreshConfiguration(RefreshEndpoint refreshEndpoint) { - this.refreshEndpoint = refreshEndpoint; - } - @Override - public void configureTasks(ScheduledTaskRegistrar scheduledTaskRegistrar) { - if (autoRefresh) { - // set minimal refresh interval to 5 seconds - refreshInterval = Math.max(refreshInterval, 5); - scheduledTaskRegistrar.addFixedRateTask(() -> refreshEndpoint.refresh(), refreshInterval * 1000); - } - } - } - ``` --1. Enable autorefresh and set the appropriate refresh interval in your *application.yml* file. In the following example, the client polls for configuration changes every 60 seconds, which is the minimum value you can set for a refresh interval. -- By default, autorefresh is set to *false* and the refresh-interval is set to *60 seconds*. -- ```yaml - spring: - cloud: - config: - auto-refresh: true - refresh-interval: 60 - management: - endpoints: - web: - exposure: - include: - - refresh - ``` --1. Add @RefreshScope in your code. In the following example, the variable `connectTimeout` is automatically refreshed every 60 seconds. -- ```java - @RestController - @RefreshScope - public class HelloController { - @Value("${timeout:4000}") - private String connectTimeout; - } - ``` --For more information, see the [config-client-polling](https://github.com/Azure-Samples/azure-spring-apps-samples/tree/main/config-client-polling) sample. --## Next steps --In this article, you learned how to enable and configure your Spring Cloud Config Server instance. To learn more about managing your application, see [Scale an application in Azure Spring Apps](./how-to-scale-manual.md). |
spring-apps | How To Configure Enterprise Spring Cloud Gateway | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-configure-enterprise-spring-cloud-gateway.md | - Title: Configure VMware Spring Cloud Gateway -description: Learn how to configure VMware Spring Cloud Gateway with the Azure Spring Apps Enterprise plan. ---- Previously updated : 11/04/2022----# Configure VMware Spring Cloud Gateway --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ❌ Basic/Standard ✔️ Enterprise --This article shows you how to configure VMware Spring Cloud Gateway for VMware Tanzu with the Azure Spring Apps Enterprise plan. --[VMware Spring Cloud Gateway](https://docs.vmware.com/en/VMware-Spring-Cloud-Gateway-for-Kubernetes/https://docsupdatetracker.net/index.html) is a commercial VMware Tanzu component based on the open-source Spring Cloud Gateway project. VMware Spring Cloud Gateway for Tanzu handles the cross-cutting concerns for API development teams, such as single sign-on (SSO), access control, rate limiting, resiliency, and security. You can accelerate API delivery by using modern cloud-native patterns in your choice of programming language for API development. --A VMware Spring Cloud Gateway instance routes traffic according to rules. It supports scaling *in/out* and *up/down* to meet a dynamic traffic load. --VMware Spring Cloud Gateway includes the following features: --- Dynamic routing configuration, independent of individual applications, that you can apply and change without recompiling-- Commercial API route filters for transporting authorized JSON Web Token (JWT) claims to application services-- Client certificate authorization-- Rate-limiting approaches-- Circuit breaker configuration-- Support for accessing application services via HTTP Basic Authentication credentials--To integrate with API portal for VMware Tanzu, VMware Spring Cloud Gateway automatically generates OpenAPI version 3 documentation after any additions or changes to route configuration. For more information, see [Use API portal for VMware Tanzu](./how-to-use-enterprise-api-portal.md). --## Prerequisites --- An already provisioned Azure Spring Apps Enterprise plan service instance with VMware Spring Cloud Gateway enabled. For more information, see [Quickstart: Build and deploy apps to Azure Spring Apps using the Enterprise plan](quickstart-deploy-apps-enterprise.md).-- [Azure CLI](/cli/azure/install-azure-cli) version 2.0.67 or later. Use the following command to install the Azure Spring Apps extension: `az extension add --name spring`.--## Enable or disable VMware Spring Cloud Gateway --You can enable or disable VMware Spring Cloud Gateway after creation of the service instance by using the Azure portal or the Azure CLI. Before you disable VMware Spring Cloud Gateway, you must unassign its endpoint and remove all route configurations. --### [Azure portal](#tab/Azure-portal) --Use the following steps to enable or disable VMware Spring Cloud Gateway by using the Azure portal: --1. Go to your service resource, and then select **Spring Cloud Gateway**. -1. Select **Manage**. -1. Select or clear the **Enable Spring Cloud Gateway** checkbox, and then select **Save**. --You can now view the state of the Spring Cloud Gateway on the **Spring Cloud Gateway** page. ---### [Azure CLI](#tab/Azure-CLI) --Use the following Azure CLI commands to enable or disable VMware Spring Cloud Gateway: --```azurecli -az spring gateway create \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-service-instance-name> -``` --```azurecli -az spring gateway delete \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> -``` ----## Restart VMware Spring Cloud Gateway --After you complete the restart action, VMware Spring Cloud Gateway instances are restarted on a rolling basis. --### [Azure portal](#tab/Azure-portal) --Use the following steps to restart VMware Spring Cloud Gateway by using the Azure portal: --1. Go to your service resource, and then select **Spring Cloud Gateway**. -1. Select **Restart**. -1. Select **OK** to confirm the restart. ---### [Azure CLI](#tab/Azure-CLI) --Use the following Azure CLI command to restart the gateway: --```azurecli -az spring gateway restart \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-service-instance-name> -``` ----## Assign a public endpoint to VMware Spring Cloud Gateway --This section describes how to assign a public endpoint to VMware Spring Cloud Gateway and configure its properties. --#### [Azure portal](#tab/Azure-portal) --To assign an endpoint in the Azure portal, use the following steps: --1. Open your Azure Spring Apps instance. -1. Select **Spring Cloud Gateway** on the navigation pane, and then select **Overview**. -1. Set **Assign endpoint** to **Yes**. --After a few minutes, **URL** shows the configured endpoint URL. Save the URL to use later. ---#### [Azure CLI](#tab/Azure-CLI) --Use the following command to assign the endpoint: --```azurecli -az spring gateway update \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --assign-endpoint true -``` ----## Configure VMware Spring Cloud Gateway metadata --VMware Spring Cloud Gateway metadata automatically generates OpenAPI version 3 documentation. You can configure VMware Spring Cloud Gateway metadata to display route groups in API portal for VMware Tanzu. For more information, see [Use API portal for VMware Tanzu](./how-to-use-enterprise-api-portal.md). --The following table describes the available metadata options: --| Property | Description | -|--|-| -| `title` | A title that describes the context of the APIs available on the VMware Spring Cloud Gateway instance. The default value is `Spring Cloud Gateway for K8S`. | -| `description` | A detailed description of the APIs available on the VMware Spring Cloud Gateway instance. The default value is `Generated OpenAPI 3 document that describes the API routes configured for '[Gateway instance name]' Spring Cloud Gateway instance deployed under '[namespace]' namespace.*.` | -| `documentation` | The location of API documentation that's available on the VMware Spring Cloud Gateway instance. | -| `version` | The version of APIs available on this VMware Spring Cloud Gateway instance. The default value is `unspecified`. | -| `serverUrl` | The base URL to access APIs on the VMware Spring Cloud Gateway instance. This property is mandatory if you want to integrate with the [API portal](./how-to-use-enterprise-api-portal.md). | --You can use the Azure portal or the Azure CLI to edit metadata properties. --#### [Azure portal](#tab/Azure-portal) --To edit metadata in the Azure portal, use the following steps: --1. Open your Azure Spring Apps instance. -1. Select **Spring Cloud Gateway** on the navigation pane, and then select **Configuration**. -1. Specify values for the properties listed for **API**. -1. Select **Save**. ---#### [Azure CLI](#tab/Azure-CLI) --Use the following command to configure metadata properties for VMware Spring Cloud Gateway. You need the endpoint URL that you obtained when you completed the [Assign a public endpoint to VMware Spring Cloud Gateway](#assign-a-public-endpoint-to-vmware-spring-cloud-gateway) section. --```azurecli -az spring gateway update \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --api-description "<api-description>" \ - --api-title "<api-title>" \ - --api-version "v0.1" \ - --server-url "<gateway-endpoint-URL>" \ - --allowed-origins "*" -``` ----## Configure single sign-on --VMware Spring Cloud Gateway supports authentication and authorization through single sign-on (SSO) with an OpenID identity provider. The provider supports the OpenID Connect Discovery protocol. The following table describes the SSO properties: --| Property | Required? | Description | -|-|--|-| -| `issuerUri` | Yes | The URI that is asserted as its issuer identifier. For example, if `issuerUri` is `https://example.com`, an OpenID Provider Configuration Request is made to `https://example.com/.well-known/openid-configuration`. The result is expected to be an OpenID Provider Configuration Response. | -| `clientId` | Yes | The OpenID Connect client ID from your identity provider. | -| `clientSecret` | Yes | The OpenID Connect client secret from your identity provider. | -| `scope` | Yes | A list of scopes to include in JWT identity tokens. This list should be based on the scopes that your identity provider allows. | --To set up SSO with Microsoft Entra ID, see [Set up single sign-on using Microsoft Entra ID for Spring Cloud Gateway and API Portal](./how-to-set-up-sso-with-azure-ad.md). --You can use the Azure portal or the Azure CLI to edit SSO properties. --#### [Azure portal](#tab/Azure-portal) --To edit SSO properties in the Azure portal, use the following steps: --1. Open your Azure Spring Apps instance. -1. Select **Spring Cloud Gateway** on the navigation pane, and then select **Configuration**. -1. Specify values for the properties listed for **SSO**. -1. Select **Save**. ---#### [Azure CLI](#tab/Azure-CLI) --Use the following command to configure SSO properties for VMware Spring Cloud Gateway: --```azurecli -az spring gateway update \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --client-id <client-id> \ - --client-secret <client-secret> \ - --issuer-uri <issuer-uri> \ - --scope <scope> -``` ----VMware Spring Cloud Gateway supports only the authorization servers that support the OpenID Connect Discovery protocol. Also, be sure to configure the external authorization server to allow redirects back to the gateway. Refer to your authorization server's documentation and add `https://<gateway-external-url>/login/oauth2/code/sso` to the list of allowed redirect URIs. --If you configure the wrong SSO property, such as the wrong password, you should remove the entire SSO property and then add the correct configuration. --After you configure SSO, remember to set `ssoEnabled: true` for the VMware Spring Cloud Gateway routes. --## Configure SSO logout --VMware Spring Cloud Gateway service instances provide a default API endpoint to log out of the current SSO session. The path to this endpoint is `/scg-logout`. The logout results in one of the following outcomes, depending on how you call the logout endpoint: --- Log out of the session and redirect to the identity provider (IdP) logout.-- Log out of the service instance session.--### Log out of the IdP and SSO session --If you send a `GET` request to the `/scg-logout` endpoint, the endpoint sends a `302` redirect response to the IdP logout URL. To get the endpoint to return the user to a path on the gateway service instance, add a redirect parameter to the `GET` request with the `/scg-logout` endpoint. For example, you can use `${server-url}/scg-logout?redirect=/home`. --The value of the redirect parameter must be a valid path on the VMware Spring Cloud Gateway service instance. You can't redirect to an external URL. --The following steps describe an example of how to implement the function in your micro --1. Get a route configuration to route the logout request to your application. For an example, see the route configuration in the [animal-rescue](https://github.com/Azure-Samples/animal-rescue/blob/0e343a27f44cc4a4bfbf699280476b0517854d7b/frontend/azure/api-route-config.json#L32) repository on GitHub. --1. Add whatever logout logic you need to the application. At the end, you need a `GET` request to the gateway's `/scg-logout` endpoint, as shown in the `return` value for the `getActionButton` method in the [animal-rescue](https://github.com/Azure-Samples/animal-rescue/blob/0e343a27f44cc4a4bfbf699280476b0517854d7b/frontend/src/App.js#L84) repository. --### Log out of just the SSO session --If you send the `GET` request to the `/scg-logout` endpoint by using `XMLHttpRequest`, the `302` redirect could be swallowed and not handled in the response handler. In this case, the user would only be logged out of the SSO session on the VMware Spring Cloud Gateway service instance. The user would still have a valid IdP session. Typically, if the user tries to log in again, they're automatically sent back to the gateway as authenticated from IdP. --You need to have a route configuration to route the logout request to your application, as shown in the following example. This code makes a gateway-only logout SSO session. --```java -const req = new XMLHttpRequest(); -req.open("GET", "/scg-logout); -req.send(); -``` --## Configure cross-origin resource sharing --Cross-origin resource sharing (CORS) allows restricted resources on a webpage to be requested from another domain outside the domain from which the first resource was served. The following table describes the available CORS configuration options. --| Property | Description | -|-|| -| `allowedOrigins` | Allowed origins to make cross-site requests | -| `allowedOriginPatterns` | Allowed origin patterns to make cross-site requests | -| `allowedMethods` | Allowed HTTP methods on cross-site requests | -| `allowedHeaders` | Allowed headers in cross-site requests | -| `maxAge` | How long, in seconds, clients cache the response from a preflight request | -| `allowCredentials` | Whether user credentials are supported on cross-site requests | -| `exposedHeaders` | HTTP response headers to expose for cross-site requests | --Be sure that you have the correct CORS configuration if you want to integrate with the API portal. For more information, see the [Assign a public endpoint to VMware Spring Cloud Gateway](#assign-a-public-endpoint-to-vmware-spring-cloud-gateway) section. --## Use service scaling --You can customize resource allocation for VMware Spring Cloud Gateway instances, including vCPU, memory, and instance count. --For high availability, we don't recommend using a single replica. --The following table describes the default resource usage. --| Component name | Instance count | vCPU per instance | Memory per instance | -|-|-|-|| -| VMware Spring Cloud Gateway | 2 | 1 core | 2 GiB | -| VMware Spring Cloud Gateway operator | 2 | 1 core | 2 GiB | --## Configure TLS between the gateway and applications --To enhance security and help protect sensitive information from interception by unauthorized parties, you can enable Transport Layer Security (TLS) between VMware Spring Cloud Gateway and your applications. --Before you configure TLS, you need to have a TLS-enabled application and a TLS certificate. To prepare a TLS certificate, generate a certificate from a trusted certificate authority (CA). The certificate verifies the identity of the server and establishes a secure connection. --After you have a TLS-enabled application running in Azure Spring Apps, upload the certificate to Azure Spring Apps. For more information, see the [Import a certificate](how-to-use-tls-certificate.md#import-a-certificate) section of [Use TLS/SSL certificates in your application in Azure Spring Apps](how-to-use-tls-certificate.md). --With the certificate updated to Azure Spring Apps, you can configure the TLS certificate for the gateway and enable certificate verification. You can configure the certificate in the Azure portal or by using the Azure CLI. --#### [Azure portal](#tab/Azure-portal) --Use the following steps to configure the certificate in the Azure portal: --1. In your Azure Spring Apps instance, select **Spring Cloud Gateway** on the navigation pane. -1. On the **Spring Cloud Gateway** page, select **Certificate management**. -1. Select **Enable cert verification**. -1. Select the TLS certificate in **Certificates**. -1. Select **Save**. --Updating the configuration can take a few minutes. You should get a notification when the configuration is complete. --#### [Azure CLI](#tab/Azure-CLI) --Use the following command to enable or disable certificate verification by using the Azure CLI. Replace the `<value>` placeholder with `true` to enable or `false` to disable verification. --```azurecli -az spring gateway update \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --enable-cert-verify <value> \ - --certificate-names <certificate-name-in-Azure-Spring-Apps> -``` ----### Prepare the route configuration --You must specify the protocol as HTTPS in the route configuration. The following JSON object instructs VMware Spring Cloud Gateway to use the HTTPS protocol for all traffic between the gateway and the app. --1. Create a file named *test-tls-route.json* with the following content: -- ```json - { - "routes": [ - { - "title": "Test TLS app", - "predicates": [ - "Path=/path/to/your/app", - "Method=GET" - ] - } - ], - "uri": "https://<app-custom-domain-name>" - } - ``` --1. Use the following command to apply the rule to the application: -- ```azurecli - az spring gateway route-config create \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name test-tls-app \ - --routes-file test-tls-route.json - ``` --You can now test whether the application is TLS enabled with the endpoint of the gateway. For more information, see the [Configure routes](how-to-use-enterprise-spring-cloud-gateway.md#configure-routes) section of [Use Spring Cloud Gateway](how-to-use-enterprise-spring-cloud-gateway.md). --### Rotate certificates --As certificates expire, you need to rotate certificates in VMware Spring Cloud Gateway by using the following steps: --1. Generate new certificates from a trusted CA. -1. Import the certificates into Azure Spring Apps. For more information, see the [Import a certificate](how-to-use-tls-certificate.md#import-a-certificate) section of [Use TLS/SSL certificates in your application in Azure Spring Apps](how-to-use-tls-certificate.md). -1. Synchronize the certificates by using the Azure portal or the Azure CLI. --VMware Spring Cloud Gateway restarts to ensure that the gateway uses the new certificate for all connections. --#### [Azure portal](#tab/Azure-portal) --Use the following steps to synchronize certificates: --1. In your Azure Spring Apps instance, select **Spring Cloud Gateway** on the navigation pane. -1. On the **Spring Cloud Gateway** page, select **Restart**, and then confirm the operation. --#### [Azure CLI](#tab/Azure-CLI) --Use the following restart command to synchronize a certificate for VMware Spring Cloud Gateway: --```azurecli -az spring gateway restart \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> -``` ----### Set up autoscale settings --You can set autoscale modes for VMware Spring Cloud Gateway. --#### [Azure portal](#tab/Azure-portal) --The following list shows the options available for Autoscale demand management: --* The **Manual scale** option maintains a fixed instance count. You can scale out to a maximum of 10 instances. This value changes the number of separate running instances of the Spring Cloud Gateway. -* The **Custom autoscale** option scales on any schedule, based on any metrics. --On the Azure portal, choose how you want to scale. The following screenshot shows the **Custom autoscale** option and mode settings: ---#### [Azure CLI](#tab/Azure-CLI) --Use the following command to create an autoscale setting: --```azurecli -az monitor autoscale create \ - --resource-group <resource-group-name> \ - --name <autoscale-setting-name> \ - --resource /subscriptions/<subscription-id>/resourcegroups/<resource-group-name>/providers/Microsoft.AppPlatform/Spring/<service-instance-name>/gateways/default \ - --min-count 1 \ - --max-count 5 \ - --count 1 -``` --Use the following command to create an autoscale rule: --```azurecli -az monitor autoscale rule create \ - --resource-group <resource-group-name> \ - --autoscale-name <autoscale-setting-name> \ - --scale out 1 \ - --cooldown 1 \ - --condition "GatewayHttpServerRequestsSecondsCount > 100 avg 1m" -``` ----For more information on the available metrics, see the [User metrics options](./concept-metrics.md#user-metrics-options) section of [Metrics for Azure Spring Apps](./concept-metrics.md). --## Configure the response cache --Response cache configuration provides a way to define an HTTP response cache that you can apply globally or at the route level. --### Enable the response cache globally --After you enable the response cache globally, the response cache is automatically enabled for all applicable routes. --#### [Azure portal](#tab/Azure-portal) --Use the following steps to enable the response cache globally: --1. In your Azure Spring Apps instance, select **Spring Cloud Gateway** on the navigation pane. -1. On the **Spring Cloud Gateway** page, select **Configuration**. -1. In the **Response Cache** section, select **Enable response cache** and then set **Scope** to **Instance**. -1. Set **Size** and **Time to live** for the response cache. -1. Select **Save**. --Use the following steps to disable the response cache: --1. In your Azure Spring Apps instance, select **Spring Cloud Gateway** on the navigation pane. -1. On the **Spring Cloud Gateway** page, select **Configuration**. -1. In the **Response Cache** section, clear **Enable response cache**. -1. Select **Save**. --#### [Azure CLI](#tab/Azure-CLI) --Use the following command to enable the response cache globally: --```azurecli -az spring gateway update \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> - --enable-response-cache \ - --response-cache-scope Instance \ - --response-cache-size {Examples are 1GB, 100MB, 100KB} \ - --response-cache-ttl {Examples are 1h, 30m, 50s} -``` --Use the following command to disable the response cache: --```azurecli -az spring gateway update \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --enable-response-cache false -``` ----### Enable the response cache at the route level --To enable the response cache for any route, use the `LocalResponseCache` filter. The following example shows you how to use the `LocalResponseCache` filter in the routing rule configuration: --```json -{ - "filters": [ - "<other-app-level-filter-of-route>", - ], - "routes": [ - { - "predicates": [ - "Path=/api/**", - "Method=GET" - ], - "filters": [ - "<other-filter-of-route>", - "LocalResponseCache=3m, 1MB" - ], - } - ] -} -``` --For more information, see the [LocalResponseCache](./how-to-configure-enterprise-spring-cloud-gateway-filters.md#localresponsecache) section of [How to use VMware Spring Cloud Gateway route filters with the Azure Spring Apps Enterprise plan](./how-to-configure-enterprise-spring-cloud-gateway-filters.md) and [LocalResponseCache](https://aka.ms/vmware/scg/filters/localresponsecache) in the VMware documentation. --Instead of configuring `size` and `timeToLive` for each `LocalResponseCache` filter individually, you can set these parameters at the Spring Cloud Gateway level. This option enables you to use the `LocalResponseCache` filter without specifying these values initially, while retaining the flexibility to override them later. --#### [Azure portal](#tab/Azure-portal) --Use the following steps to enable the response cache at the route level and set `size` and `timeToLive`: --1. In your Azure Spring Apps instance, select **Spring Cloud Gateway** on the navigation pane. -1. On the **Spring Cloud Gateway** page, select **Configuration**. -1. In the **Response Cache** section, select **Enable response cache** and then set **Scope** to **Route**. -1. Set **Size** and **Time to live** for the response cache. -1. Select **Save**. --Use the following steps to disable the response cache at the route level, which clears `size` and `timeToLive`: --1. In your Azure Spring Apps instance, select **Spring Cloud Gateway** on the navigation pane. -1. On the **Spring Cloud Gateway** page, select **Configuration**. -1. In the **Response Cache** section, clear **Enable response cache**. -1. Select **Save**. --#### [Azure CLI](#tab/Azure-CLI) --Use the following command to enable the response cache at the route level and set `size` and `timeToLive`: --```azurecli -az spring gateway update \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --enable-response-cache \ - --response-cache-scope Route \ - --response-cache-size {Examples are 1GB, 100MB, 100KB} \ - --response-cache-ttl {Examples are 1h, 30m, 50s} -``` --Use the following command to disable the response cache at the route level, which clears `size` and `timeToLive`: --```azurecli -az spring gateway update \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --enable-response-cache false -``` ----The following example shows you how to use the `LocalResponseCache` filter when `size` and `timeToLive` are set at the Spring Cloud Gateway level: --```json -{ - "filters": [ - "<other-app-level-filter-of-route>", - ], - "routes": [ - { - "predicates": [ - "Path=/api/path1/**", - "Method=GET" - ], - "filters": [ - "<other-filter-of-route>", - "LocalResponseCache" - ], - }, - { - "predicates": [ - "Path=/api/path2/**", - "Method=GET" - ], - "filters": [ - "<other-filter-of-route>", - "LocalResponseCache=3m, 1MB" - ], - } - ] -} -``` --## Configure environment variables --The Azure Spring Apps service manages and tunes VMware Spring Cloud Gateway. Except for the use cases that configure application performance monitoring (APM) and the log level, you don't normally need to configure VMware Spring Cloud Gateway with environment variables. --If you have requirements that you can't fulfill by other configurations described in this article, you can try to configure the environment variables shown in the [Common application properties](https://cloud.spring.io/spring-cloud-gateway/reference/html/appendix.html#common-application-properties) list. Be sure to verify your configuration in your test environment before applying it to your production environment. --#### [Azure portal](#tab/Azure-portal) --To configure environment variables in the Azure portal, use the following steps: --1. In your Azure Spring Apps instance, select **Spring Cloud Gateway** on the navigation pane, and then select **Configuration**. -1. Fill in the key/value pairs for the environment variables in the **Properties** and **Secrets** sections. You can include variables with sensitive information in the **Secrets** section. -1. Select **Save** to save your changes. --#### [Azure CLI](#tab/Azure-CLI) --Use the following command to configure environment variables by using the Azure CLI. You can include variables with sensitive information by using the `--secrets` parameter. --```azurecli -az spring gateway update \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --properties <key=value> \ - --secrets <key=value> -``` ----After you update environment variables, VMware Spring Cloud Gateway restarts. --### Configure application performance monitoring --To monitor VMware Spring Cloud Gateway, you can configure APM. The following table lists the five types of APM Java agents that VMware Spring Cloud Gateway provides, along with their required environment variables. --| Java agent | Required environment variables | -|-|| -| Application Insights | `APPLICATIONINSIGHTS_CONNECTION_STRING` | -| Dynatrace | `DT_TENANT`<br>`DT_TENANTTOKEN`<br>`DT_CONNECTION_POINT` | -| New Relic | `NEW_RELIC_LICENSE_KEY`<br>`NEW_RELIC_APP_NAME` | -| AppDynamics | `APPDYNAMICS_AGENT_APPLICATION_NAME`<br>`APPDYNAMICS_AGENT_TIER_NAME`<br>`APPDYNAMICS_AGENT_NODE_NAME`<br> `APPDYNAMICS_AGENT_ACCOUNT_NAME`<br>`APPDYNAMICS_AGENT_ACCOUNT_ACCESS_KEY`<br>`APPDYNAMICS_CONTROLLER_HOST_NAME`<br>`APPDYNAMICS_CONTROLLER_SSL_ENABLED`<br>`APPDYNAMICS_CONTROLLER_PORT` | -| Elastic APM | `ELASTIC_APM_SERVICE_NAME`<br>`ELASTIC_APM_APPLICATION_PACKAGES`<br>`ELASTIC_APM_SERVER_URL` | --For other supported environment variables, see the following sources: --- [Application Insights overview](../azure-monitor/app/app-insights-overview.md?tabs=net)-- [Dynatrace environment variables](https://www.dynatrace.com/support/help/setup-and-configuration/setup-on-cloud-platforms/microsoft-azure-services/azure-integrations/azure-spring#envvar)-- [New Relic environment variables](https://docs.newrelic.com/docs/apm/agents/java-agent/configuration/java-agent-configuration-config-file/#Environment_Variables)-- [AppDynamics environment variables](https://docs.appdynamics.com/21.11/en/application-monitoring/install-app-server-agents/java-agent/monitor-azure-spring-cloud-with-java-agent#MonitorAzureSpringCloudwithJavaAgent-ConfigureUsingtheEnvironmentVariablesorSystemProperties)-- [Elastic environment variables](https://www.elastic.co/guide/en/apm/agent/java/master/configuration.html)--#### Configure APM integration on the service instance level (recommended) --To enable APM monitoring in your VMware Spring Cloud Gateway, you can create APM configuration on the service instance level and bind it to Spring Cloud Gateway. In this way, you can conveniently configure the APM only once and bind the same APM to Spring Cloud Gateway and to your apps. --##### [Azure portal](#tab/Azure-portal) --Use the following steps to set up APM by using the Azure portal: --1. Configure APM on the service instance level with the APM name, type, and properties. For more information, see the [Manage APMs on the service instance level (recommended)](./how-to-enterprise-configure-apm-integration-and-ca-certificates.md#manage-apms-on-the-service-instance-level-recommended) section of [How to configure APM integration and CA certificates](./how-to-enterprise-configure-apm-integration-and-ca-certificates.md). -- :::image type="content" source="media/how-to-configure-enterprise-spring-cloud-gateway/service-level-apm-configure.png" alt-text="Screenshot of Azure portal that shows the Azure Spring Apps APM editor page." lightbox="media/how-to-configure-enterprise-spring-cloud-gateway/service-level-apm-configure.png"::: --1. Select **Spring Cloud Gateway** on the navigation pane, then select **APM**. --1. Choose the APM name in the **APM reference names** list. The list includes all the APM names configured in step 1. --1. Select **Save** to bind APM reference names to Spring Cloud Gateway. Your gateway restarts to enable APM monitoring. --##### [Azure CLI](#tab/Azure-CLI) --Use the following steps to set up APM in Spring Cloud Gateway by using the Azure CLI: --1. Configure APM on the service instance level with the APM name, type, and properties. For more information, see the [Manage APMs on the service instance level (recommended)](./how-to-enterprise-configure-apm-integration-and-ca-certificates.md#manage-apms-on-the-service-instance-level-recommended) section of [How to configure APM integration and CA certificates](./how-to-enterprise-configure-apm-integration-and-ca-certificates.md). --1. Use the following command to update gateway with APM reference names: -- ```azurecli - az spring gateway update \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --apms <APM-reference-name> - ``` -- The value for `--apms` is a space-separated list of APM reference names, which you created in step 1. -- > [!NOTE] - > Spring Cloud Gateway is deprecating APM types. Use APM reference names to configure APM in a gateway. ----#### Manage APM in VMware Spring Cloud Gateway (deprecated) --You can use the Azure portal or the Azure CLI to set up APM in VMware Spring Cloud Gateway. You can also specify the types of APM Java agents to use and the corresponding APM environment variables that they support. --##### [Azure portal](#tab/Azure-portal) --Use the following steps to set up APM by using the Azure portal: --1. In your Azure Spring Apps instance, select **Spring Cloud Gateway** on the navigation pane, and then select **Configuration**. -1. Choose the APM type in the **APM** list to monitor a gateway. -1. Fill in the key/value pairs for the APM environment variables in the **Properties** and **Secrets** sections. You can put variables with sensitive information in **Secrets**. -1. Select **Save** to save your changes. --Updating the configuration can take a few minutes. You should get a notification when the configuration is complete. --##### [Azure CLI](#tab/Azure-CLI) --Use the following command to set up APM by using the Azure CLI: --```azurecli -az spring gateway update \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --apm-types <APM-type> \ - --properties <key=value> \ - --secrets <key=value> -``` --The allowed values for `--apm-types` are `ApplicationInsights`, `AppDynamics`, `Dynatrace`, `NewRelic`, and `ElasticAPM`. The following command shows the usage for Application Insights as an example: --```azurecli -az spring gateway update \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --apm-types ApplicationInsights \ - --properties APPLICATIONINSIGHTS_CONNECTION_STRING=<your-Application-Insights-connection-string> APPLICATIONINSIGHTS_SAMPLE_RATE=10 -``` --You can also put environment variables in the `--secrets` parameter instead of `--properties`. It makes the environment variable more secure in network transmission and data storage in the back end. ----> [!NOTE] -> Azure Spring Apps upgrades the APM agent and deployed apps with the same cadence to keep compatibility of agents between VMware Spring Cloud Gateway and Azure Spring Apps. -> -> By default, Azure Spring Apps prints the logs of the APM Java agent to `STDOUT`. These logs are included with the VMware Spring Cloud Gateway logs. You can check the version of the APM agent used in the logs. You can query these logs in Log Analytics to troubleshoot. -> -> To make the APM agents work correctly, increase the CPU and memory of VMware Spring Cloud Gateway. --### Configure log levels --You can configure the log levels of VMware Spring Cloud Gateway in the following ways to get more details or to reduce logs: --- You can set log levels to `TRACE`, `DEBUG`, `INFO`, `WARN`, `ERROR`, or `OFF`. The default log level for VMware Spring Cloud Gateway is `INFO`.-- You can turn off logs by setting log levels to `OFF`.-- When the log level is set to `WARN`, `ERROR`, or `OFF`, you might be required to adjust it to `INFO` when requesting support from the Azure Spring Apps team. This change causes a restart of VMware Spring Cloud Gateway.-- When the log level is set to `TRACE` or `DEBUG`, it might affect the performance of VMware Spring Cloud Gateway. Try avoid these settings in your production environment.-- You can set log levels for the `root` logger or for specific loggers like `io.pivotal.spring.cloud.gateway`.--The following loggers might contain valuable troubleshooting information at the `TRACE` and `DEBUG` levels: --| Logger | Description | -|-|--| -| `io.pivotal.spring.cloud.gateway` | Filters and predicates, including custom extensions | -| `org.springframework.cloud.gateway` | API gateway | -| `org.springframework.http.server.reactive` | HTTP server interactions | -| `org.springframework.web.reactive` | API gateway reactive flows | -| `org.springframework.boot.autoconfigure.web` | API gateway autoconfiguration | -| `org.springframework.security.web` | Authentication and authorization information | -| `reactor.netty` | Reactor Netty | --To get environment variable keys, add the `logging.level.` prefix, and then set the log level by configuring environment `logging.level.{loggerName}={logLevel}`. The following examples show the steps for the Azure portal and the Azure CLI. --#### [Azure portal](#tab/Azure-portal) --To configure log levels in the Azure portal, use the following steps: --1. In your Azure Spring Apps instance, select **Spring Cloud Gateway** on the navigation pane, and then select **Configuration**. -1. Fill in the key/value pairs for the log levels' environment variables in the **Properties** and **Secrets** sections. If the log level is sensitive information in your case, you can include it by using the **Secrets** section. -1. Select **Save** to save your changes. ---#### [Azure CLI](#tab/Azure-CLI) --For a general CLI command for specifying environment variables, see the [Configure environment variables](#configure-environment-variables) section. The following example shows you how to configure log levels by using the Azure CLI: --```azurecli -az spring gateway update \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --properties \ - logging.level.root=INFO \ - logging.level.io.pivotal.spring.cloud.gateway=DEBUG \ - logging.level.org.springframework.cloud.gateway=DEBUG \ - logging.level.org.springframework.boot.autoconfigure.web=TRACE \ - logging.level.org.springframework.security.web=ERROR -``` --If the log level is sensitive information in your case, you can include it by using the `--secrets` parameter. ----## Update add-on configuration --The add-on configuration feature enables you to customize certain properties of VMware Spring Cloud Gateway by using a JSON format string. The feature is useful when you need to configure properties that aren't exposed through the REST API. --The add-on configuration is a JSON object with key/value pairs that represent the desired configuration. The following example shows the structure of the JSON format: --```json -{ - "<addon-key-name>": { - "<addon-key-name>": "<addon-value>" - ... - }, - "<addon-key-name>": "<addon-value>", - ... -} -``` --The following list shows the supported add-on configurations for the add-on key names and value types. This list is subject to change as we upgrade the VMware Spring Cloud Gateway version. --- SSO configuration:- - Key name: `sso` - - Value type: Object - - Properties: - - `RolesAttributeName` (String): Specifies the name of the attribute that contains the roles associated with the SSO session. - - `InactiveSessionExpirationInMinutes` (Integer): Specifies the expiration time, in minutes, for inactive SSO sessions. A value of `0` means the session never expires. - - Example: - - ```json - { - "sso": { - "rolesAttributeName": "roles", - "inactiveSessionExpirationInMinutes": 1 - } - } - ``` --- Metadata configuration:- - Key name: `api` - - Value type: Object - - Properties - - `groupId` (String): A unique identifier for the group of APIs available on the VMware Spring Cloud Gateway instance. The value can contain only lowercase letters and numbers. - - Example: -- ```json - { - "api": { - "groupId": "id1" - } - } - ``` --Use the following steps to update the add-on configuration. --### [Azure portal](#tab/Azure-portal) --1. In your Azure Spring Apps instance, select **Spring Cloud Gateway** on the navigation pane, and then select **Configuration**. -1. Specify the JSON value for **Addon Configs**. -1. Select **Save**. --### [Azure CLI](#tab/Azure-CLI) --1. Prepare the JSON file for add-on configurations (*\<file-name-of-addon-configs-json\>.json*) with the following content: -- ```json - { - "sso": { - "rolesAttributeName": "roles", - "inactiveSessionExpirationInMinutes": 1 - }, - "api": { - "groupId": "id1" - } - } - ``` --1. Use the following command to update the add-on configurations for VMware Spring Cloud Gateway: -- ```azurecli - az spring gateway update \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --addon-configs-file <file-name-of-addon-configs-json>.json - ``` ----## Next steps --- [Use Spring Cloud Gateway](how-to-use-enterprise-spring-cloud-gateway.md) |
spring-apps | How To Configure Health Probes Graceful Termination | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-configure-health-probes-graceful-termination.md | - Title: How to configure health probes and graceful termination period for apps hosted in Azure Spring Apps -description: Learn how to customize apps running in Azure Spring Apps with health probes and graceful termination period. --- Previously updated : 07/02/2022-----# How to configure health probes and graceful termination periods for apps hosted in Azure Spring Apps --**This article applies to:** ✔️ Java ✔️ C# --**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise --This article shows you how to customize apps running in Azure Spring Apps with health probes and graceful termination periods. --A probe is a diagnostic activity performed periodically by Azure Spring Apps on an app instance. To perform a diagnostic, Azure Spring Apps takes one of the following actions: --- Executes an arbitrary command of your choice within the app instance.-- Establishes a TCP socket connection.-- Makes an HTTP request.--Azure Spring Apps offers default health probe rules for every application. This article shows you how to customize your application with three kinds of health probes: --- *Liveness probes* determine when to restart an application. For example, liveness probes can identify a deadlock, such as when an application is running but unable to make progress. Restarting the application in a deadlock state can make the application available despite errors.--- *Readiness probes* determine when an app instance is ready to start accepting traffic. For example, readiness probes can control which app instances are used as backends for the application. When an app instance isn't ready, it's removed from Kubernetes service discovery. For more information, see [Discover and register your Spring Boot applications](how-to-service-registration.md). For more information about service discovery with the Enterprise plan, see [Use Tanzu Service Registry](how-to-enterprise-service-registry.md).--- *Startup probes* determine when an application has started. A startup probe disables liveness and readiness checks until startup succeeds, ensuring that liveness and readiness probes don't interfere with application startup. You can use startup probes to perform liveness checks on slow starting applications, preventing the app from terminating before it's up and running.--## Prerequisites --- [Azure CLI](/cli/azure/install-azure-cli) with the Azure Spring Apps extension. Use the following command to remove previous versions and install the latest extension. If you previously installed the spring-cloud extension, uninstall it to avoid configuration and version mismatches.-- ```azurecli - az extension remove --name spring - az extension add --name spring - az extension remove --name spring-cloud - ``` --## Configure health probes and graceful termination for applications --The following sections describe how to configure health probes and graceful termination using the Azure CLI. --### Graceful termination --The following table describes the `terminationGracePeriodSeconds` property, which you can use to configure graceful termination. --| Property name | Description | -|-|| -| `terminationGracePeriodSeconds` | The duration in seconds after processes running in the app instance are sent a termination signal before they're forcibly halted. Set this value longer than the expected cleanup time for your process. The value must be a non-negative integer. Setting the grace period to *0* stops the app instance immediately via the kill signal, with no opportunity to shut down. If the value is *nil*, Azure Spring Apps uses the default grace period. The default value is *90*. | --### Health probe properties --The following table describes the properties you can use to configure health probes. --| Property name | Description | -||--| -| `initialDelaySeconds` | The number of seconds after the app instance has started before probes are initiated. The default value is *0*, the minimum value. | -| `periodSeconds` | The frequency in seconds to perform the probe. The default value is *10*. The minimum value is *1*. | -| `timeoutSeconds` | The number of seconds until the probe times out. The default value is *1*, the minimum value. | -| `failureThreshold` | The minimum number of consecutive failures for the probe to be considered failed after having succeeded. The default value is *3*. The minimum value is *1*. | -| `successThreshold` | The minimum number of consecutive successes for the probe to be considered successful after having failed. The default value is *1*. The value must be *1* for liveness and startup. The minimum value is *1*. | --### Probe action properties --There are three ways you can check an app instance using a probe. Each probe must define one of the following probe actions: --- `HTTPGetAction`-- Performs an HTTP GET request against the app instance on a specified path. The diagnostic is considered successful if the response has a status code greater than or equal to 200 and less than 400. -- | Property name | Description | - |-|| - | `scheme` | The scheme to use for connecting to the host. The default is *HTTP*. | - | `path` | The path to access on the HTTP server of the app instance, such as */healthz*. | --- `ExecAction`-- Executes a specified command inside the app instance. The diagnostic is considered successful if the command exits with a status code of 0. -- | Property name | Description | - |-|--| - | `command` | The command to execute inside the app instance. The working directory for the command is the root directory (*/*) in the app instance's file system. Because the command is run using `exec` rather than inside a shell, shell instructions won't work. To use a shell, explicitly call out to the shell. An exit status of *0* is treated as live/healthy, and non-zero is unhealthy. | --- `TCPSocketAction`-- Performs a TCP check against the app instance. -- There are no available properties for the `TCPSocketAction` action. --### Customize your application --#### [Azure portal](#tab/azure-portal) --Use the following steps to customize your application using Azure portal. --1. Under **Settings**, select **Apps**, and then select the application from the list. -- :::image type="content" source="media/how-to-configure-health-probes-graceful-termination/select-app.jpg" lightbox="media/how-to-configure-health-probes-graceful-termination/select-app.jpg" alt-text="Screenshot of Azure portal showing the Apps page."::: --1. Select **Configuration** in the left navigation pane, select **Health probes**, and then specify Health probe properties. -- :::image type="content" source="media/how-to-configure-health-probes-graceful-termination/probe-config.jpg" lightbox="media/how-to-configure-health-probes-graceful-termination/probe-config.jpg" alt-text="Screenshot of the Azure portal Configuration page showing the Health probes tab."::: --1. To set the termination grace period, select **General settings**, and specify a value in the **Termination grace period** box. -- :::image type="content" source="media/how-to-configure-health-probes-graceful-termination/termination-grace-period-config.jpg" lightbox="media/how-to-configure-health-probes-graceful-termination/termination-grace-period-config.jpg" alt-text="Screenshot of the Azure portal Configuration page showing the General settings tab."::: --#### [Azure CLI](#tab/azure-cli) --Use the following steps to customize your application using Azure CLI. --1. Use the following command to create an application with a liveness probe and readiness probe: -- ```azurecli - az spring app create \ - --resource-group <resource-group-name> \ - --service <service-instance-name> \ - --name <application-name> \ - --enable-liveness-probe true \ - --liveness-probe-config <path-to-liveness-probe-json-file> \ - --enable-readiness-probe true \ - --readiness-probe-config <path-to-readiness-probe-json-file> - ``` -- The following example shows the contents of a sample JSON file passed to the `--liveness-probe-config` parameter in the create command: -- ```json - { - "probe": { - "initialDelaySeconds": 30, - "periodSeconds": 10, - "timeoutSeconds": 1, - "failureThreshold": 30, - "successThreshold": 1, - "probeAction": { - "type": "TCPSocketAction", - } - } - } - ``` -- The following example shows an `HTTPGetAction` action: -- ```json - "probeAction": { - "type": "HTTPGetAction", - "scheme": "HTTP", - "path": "/anyPath" - } - ``` -- The following example shows an `ExecAction` action: -- ```json - "probeAction": { - "type": "ExecAction", - "command": ["cat", "/tmp/healthy"] - } - ``` --1. Optionally, use the following command to protect slow starting containers with a startup probe: -- ```azurecli - az spring app update \ - --resource-group <resource-group-name> \ - --service <service-instance-name> \ - --name <application-name> \ - --enable-startup-probe true \ - --startup-probe-config <path-to-startup-probe-json-file> - ``` --1. Optionally, use the following command to disable a health probe: -- ```azurecli - az spring app update \ - --resource-group <resource-group-name> \ - --service <service-instance-name> \ - --name <application-name> \ - --enable-liveness-probe false - ``` --1. Optionally, use the following command to set the termination grace period: -- ```azurecli - az spring app update \ - --resource-group <resource-group-name> \ - --service <service-instance-name> \ - --name <application-name> \ - --grace-period <termination-grace-period-seconds> - ``` ----## Best practices --Use the following best practices when adding health probes to Azure Spring Apps: --- Use liveness and readiness probes together. Azure Spring Apps provides two approaches for service discovery at the same time. When the readiness probe fails, the app instance is removed only from Kubernetes service discovery. A properly configured liveness probe can remove the issued app instance from Eureka service discovery to avoid unexpected cases. For more information about service discovery, see [Discover and register your Spring Boot applications](how-to-service-registration.md). For more information about service discovery with the Enterprise plan, see [Use Tanzu Service Registry](how-to-enterprise-service-registry.md).--- When an app instance starts, the first check occurs after the delay specified by `initialDelaySeconds`. Subsequent checks occur periodically, according to the period length specified by `periodSeconds`. If the app fails to respond to the requests for several times as specified by `failureThreshold`, the app instance is restarted. Make sure your application can start fast enough, or update these parameters, so that the total timeout `initialDelaySeconds + periodSeconds * failureThreshold` is longer than the start time of your application.--- For Spring Boot applications, Spring Boot is shipped with the [Health Groups](https://docs.spring.io/spring-boot/docs/3.0.x/reference/html/actuator.html#actuator.endpoints.health.groups) support, allowing developers to select a subset of health indicators and group them under a single, correlated health status. For more information, see [Liveness and Readiness Probes with Spring Boot](https://spring.io/blog/2020/03/25/liveness-and-readiness-probes-with-spring-boot) on the Spring Blog.-- The following example shows a liveness probe with Spring Boot: -- ```json - "probe": { - "initialDelaySeconds": 30, - "periodSeconds": 10, - "timeoutSeconds": 1, - "failureThreshold": 30, - "successThreshold": 1, - "probeAction": { - "type": "HTTPGetAction", - "scheme": "HTTP", - "path": "/actuator/health/liveness" - } - } - ``` -- The following example shows a readiness probe with Spring Boot: -- ```json - "probe": { - "initialDelaySeconds": 0, - "periodSeconds": 10, - "timeoutSeconds": 1, - "failureThreshold": 3, - "successThreshold": 1, - "probeAction": { - "type": "HTTPGetAction", - "scheme": "HTTP", - "path": "/actuator/health/readiness" - } - } - ``` --## Frequently asked questions --This section provides answers to frequently asked questions about using health probes with Azure Spring Apps. --- I received a 400 response when I created applications with customized health probes. What does this mean?-- *The error message points out which probe is responsible for the provision failure. Make sure that the health probe rules are correct and that the timeout is long enough for the application to be in the running state.* --- What are the default probe settings for an existing application?-- *The following example shows the default settings:* -- ```json - "startupProbe": null, - "livenessProbe": { - "disableProbe": false, - "failureThreshold": 3, - "initialDelaySeconds": 300, - "periodSeconds": 10, - "probeAction": { - "type": "TCPSocketAction" - }, - "successThreshold": 1, - "timeoutSeconds": 3 - }, - "readinessProbe": { - "disableProbe": false, - "failureThreshold": 3, - "initialDelaySeconds": 0, - "periodSeconds": 5, - "probeAction": { - "type": "TCPSocketAction" - }, - "successThreshold": 1, - "timeoutSeconds": 3 - } - ``` --## Next steps --- [Scale an application in Azure Spring Apps](how-to-scale-manual.md). |
spring-apps | How To Configure Palo Alto | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-configure-palo-alto.md | - Title: How to configure Palo Alto for Azure Spring Apps -description: How to configure Palo Alto for Azure Spring Apps ---- Previously updated : 09/17/2021----# How to configure Palo Alto for Azure Spring Apps --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Java ✔️ C# --**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise --This article describes how to use Azure Spring Apps with a Palo Alto firewall. --If your current deployments include a Palo Alto firewall, you can omit the Azure Firewall from the Azure Spring Apps deployment and use Palo Alto instead, as described in this article. --You should keep configuration information, such as rules and address wildcards, in CSV files in a Git repository. This article shows you how to use automation to apply these files to Palo Alto. To understand the configuration to be applied to Palo Alto, see [Customer responsibilities for running Azure Spring Apps in a virtual network](./vnet-customer-responsibilities.md). --> [!NOTE] -> In describing the use of REST APIs, this article uses the PowerShell variable syntax to indicate names and values that are left to your discretion. Be sure to use the same values in all the steps. -> -> After you've configured the TLS/SSL certificate in Palo Alto, remove the `-SkipCertificateCheck` argument from all Palo Alto REST API calls in the examples below. -> -> You should not use this article as a reference for Palo Alto REST APIs. All examples are for demonstration purposes only. For authoritative API details, see [PAN-OS REST API](https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/get-started-with-the-pan-os-rest-api/pan-os-rest-api.html) in the Palo Alto documentation. --## Prerequisites --* An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. -* A Palo Alto deployment. If you don't have a deployment, you can provision [Palo Alto from Azure Marketplace](https://portal.azure.com/#create/paloaltonetworks.vmseries-ngfwbundle2). -* [PowerShell](/powershell/scripting/install/installing-powershell) -* [Azure CLI](/cli/azure/install-azure-cli) --## Configure Palo Alto --First, configure the Palo Alto VM-Series Firewall. For detailed instructions, see [Deploy the VM-Series Firewall from the Azure Marketplace (Solution Template)](https://docs.paloaltonetworks.com/vm-series/9-1/vm-series-deployment/set-up-the-vm-series-firewall-on-azure/deploy-the-vm-series-firewall-on-azure-solution-template.html). These instructions will help you provision a VM-Series Firewall and configure both the `Trust` and `UnTrust` subnets and the associated network interface cards. To stay consistent, you should create this firewall in the address space of the `Hub` virtual network in the reference architecture. --The [Reference Architecture Guide for Azure](https://www.paloaltonetworks.com/resources/guides/azure-architecture-guide) explores several technical design models for deploying the Firewall on Azure. --The rest of this article assumes you have the following two pre-configured network zones: --* `Trust`, containing the interface connected to a virtual network peered with the Azure Spring Apps virtual network. -* `UnTrust`, containing the interface to the public internet created earlier in the VM-Series deployment guide. --## Prepare CSV files --Next, create three CSV files. --Name the first file *AzureSpringAppsServices.csv*. This file should contain ingress ports for Azure Spring Apps. The values in the following example are for demonstration purposes only. For all of the required values, see the [Azure Global required network rules](./vnet-customer-responsibilities.md#azure-global-required-network-rules) section of [Customer responsibilities for running Azure Spring Apps in a virtual network](./vnet-customer-responsibilities.md). --```CSV -name,protocol,port,tag -ASC_1194,udp,1194,AzureSpringApps -ASC_443,tcp,443,AzureSpringApps -ASC_9000,tcp,9000,AzureSpringApps -ASC_445,tcp,445,AzureSpringApps -ASC_123,udp,123,AzureSpringApps -``` --Name the second file *AzureSpringAppsUrlCategories.csv*. This file should contain the addresses (with wildcards) that should be available for egress from Azure Spring Apps. The values in the following example are for demonstration purposes only. For up-to-date values, see the [Azure Global required FQDN / application rules](./vnet-customer-responsibilities.md#azure-global-required-fqdn--application-rules) section of [Customer responsibilities for running Azure Spring Apps in a virtual network](./vnet-customer-responsibilities.md). --```CSV -name,description -*.azmk8s.io, -mcr.microsoft.com, -*.cdn.mscr.io, -*.data.mcr.microsoft.com, -management.azure.com, -*.microsoftonline.com, -*.microsoft.com, -packages.microsoft.com, -acs-mirror.azureedge.net, -mscrl.microsoft.com, -crl.microsoft.com, -crl3.digicert.com -``` --Name the third file *AzureMonitorAddresses.csv*. This file should contain all addresses and IP ranges to be made available for metrics and monitoring via Azure Monitor, if you're using Azure monitor. The values in the following example are for demonstration purposes only. For up-to-date values, see [IP addresses used by Azure Monitor](../azure-monitor/ip-addresses.md). --```CSV -name,type,address,tag -40.114.241.141,ip-netmask,40.114.241.141/32,AzureMonitor -104.45.136.42,ip-netmask,104.45.136.42/32,AzureMonitor -40.84.189.107,ip-netmask,40.84.189.107/32,AzureMonitor -168.63.242.221,ip-netmask,168.63.242.221/32,AzureMonitor -52.167.221.184,ip-netmask,52.167.221.184/32,AzureMonitor -live.applicationinsights.azure.com,fqdn,live.applicationinsights.azure.com,AzureMonitor -rt.applicationinsights.microsoft.com,fqdn,rt.applicationinsights.microsoft.com,AzureMonitor -rt.services.visualstudio.com,fqdn,rt.services.visualstudio.com,AzureMonitor --``` --## Authenticate into Palo Alto --Next you'll need to authenticate into Palo Alto and obtain an API key. For more information, see [Get Your API Key](https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/get-your-api-key.html) in the Palo Alto documentation. --The following example uses PowerShell to authenticate and generate request headers that will be used later in this article: --```powershell -$username=<username for PaloAlto> -$password=<password for PaloAlto> -$authResponse = irm "https://${PaloAltoIpAddress}/api/?type=keygen&user=${username}&password=${password}" -SkipCertificateCheck -$paloAltoHeaders = @{'X-PAN-KEY' = $authResponse.response.result.key; 'Content-Type' = 'application/json' } -``` --## Delete existing service group --If you've made prior configuration attempts, you should reset these configurations and delete any security rule and service group. --Delete the security rule using the [Security Rule REST API](https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/get-started-with-the-pan-os-rest-api/create-security-policy-rule-rest-api.html), as shown in the following example: --```powershell -$url = "https://${PaloAltoIpAddress}/restapi/v9.1/Policies/SecurityRules?location=vsys&vsys=vsys1&name=${paloAltoSecurityPolicyName}" -Invoke-RestMethod -Method Delete -Uri $url -Headers $paloAltoHeaders -SkipCertificateCheck -``` --Delete the service group as shown in the following example: --```powershell -$url = "https://${PaloAltoIpAddress}/restapi/v9.1/Objects/ServiceGroups?location=vsys&vsys=vsys1&name=${paloAltoServiceGroupName}" -Invoke-RestMethod -Method Delete -Uri $url -Headers $paloAltoHeaders -SkipCertificateCheck -``` --Delete each Palo Alto service (as defined in *AzureSpringAppsServices.csv*) as shown in the following example: --```powershell -Get-Content .\AzureSpringAppsServices.csv | ConvertFrom-Csv | select name | ForEach-Object { - $url = "https://${PaloAltoIpAddress}/restapi/v9.1/Objects/Services?location=vsys&vsys=vsys1&name=${_}" - Invoke-RestMethod -Method Delete -Uri $url -Headers $paloAltoHeaders -SkipCertificateCheck -} -``` --## Create a service and service group --To automate the creation of services based on the *AzureSpringAppsServices.csv* file you created earlier, use the following example. --```powershell -# Define a function to create and submit a Palo Alto service creation request -function New-PaloAltoService { - [CmdletBinding()] - param ( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [PSCustomObject] - $ServiceObject - ) - PROCESS { - $requestBody = @{ - 'entry' = @{ - '@name' = $ServiceObject.name - 'protocol' = @{ - $ServiceObject.protocol = @{ - 'port' = $ServiceObject.port - 'override' = @{ - 'no' = @{} - } -- } - } - 'tag' = @{ - 'member' = @($ServiceObject.tag) - } - } - } -- # Some rules in the CSV may need to conain source ports or descriptions. If these are present, populate them in the request - if ($ServiceObject.description) { - $requestBody.entry.description = $ServiceObject.description - } - if ($ServiceObject.'source-port') { - $requestBody.entry.protocol."$($ServiceObject.protocol)".'source-port' = $ServiceObject.'source-port' - } -- # Send the request - $name = $requestBody.entry.'@name' - $url = "https://${PaloAltoIpAddress}/restapi/v9.1/Objects/Services?location=vsys&vsys=vsys1&name=${name}" - Invoke-RestMethod -Method Post -Uri $url -SkipCertificateCheck -Headers $paloAltoHeaders -Body (ConvertTo-Json -WarningAction Ignore $requestBody -Depth 9) -Verbose - } -} --# Now invoke that function for every row in AzureSpringAppsServices.csv -Get-Content ./AzureSpringAppsServices.csv | ConvertFrom-Csv | New-PaloAltoService -``` --Next, create a Service Group for these services, as shown in the following example: --```powershell -# Create a function to consume service definitions and submit a service group creation request -function New-PaloAltoServiceGroup { - [CmdletBinding()] - param ( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [PSCustomObject[]] - $RuleData, -- [Parameter(Mandatory = $true)] - [string] - $ServiceGroupName - ) - begin { - [array] $names = @() - } -- process { - $names += $RuleData.name - } -- end { - $requestBody = @{ 'entry' = [ordered] @{ - '@name' = $ServiceGroupName - 'members' = @{ 'member' = $names } - 'tag' = @{ 'member' = 'AzureSpringApps' } - } - } -- $url = "https://${PaloAltoIpAddress}/restapi/v9.1/Objects/ServiceGroups?location=vsys&vsys=vsys1&name=${ServiceGroupName}" -- Invoke-RestMethod -Method Post -Uri $url -SkipCertificateCheck -Headers $paloAltoHeaders -Body (ConvertTo-Json $requestBody) -Verbose - } -} --# Run that function for all services in AzureSpringAppsServices.csv. -Get-Content ./AzureSpringAppsServices.csv | ConvertFrom-Csv | New-PaloAltoServiceGroup -ServiceGroupName 'AzureSpringApps_SG' -``` --## Create custom URL categories --Next, define custom URL categories for the service group to enable egress from Azure Spring Apps, as shown in the following example. --```powershell -# Read Service entries from CSV to enter into Palo Alto -$csvImport = Get-Content ${PSScriptRoot}/AzureSpringAppsUrls.csv | ConvertFrom-Csv --# Convert name column of CSV to add to the Custom URL Group in Palo Alto -$requestBody = @{ 'entry' = [ordered] @{ - '@name' = 'AzureSpringApps_SG' - 'list' = @{ 'member' = $csvImport.name } - 'type' = 'URL List' - } -} | ConvertTo-Json -Depth 9 --$url = "https://${PaloAltoIpAddress}/restapi/v9.1/Objects/CustomURLCategories?location=vsys&vsys=vsys1&name=AzureSpringApps_SG" --try { - $existingObject = Invoke-RestMethod -Method Get -Uri $url -SkipCertificateCheck -Headers $paloAltoHeaders - Invoke-RestMethod -Method Delete -Uri $url -SkipCertificateCheck -Headers $paloAltoHeaders -} -catch { -} --Invoke-RestMethod -Method Post -Uri $url -SkipCertificateCheck -Headers $paloAltoHeaders -Body $requestBody -Verbose -``` --## Create a security rule --Next, create a JSON file to contain a security rule. Name the file *SecurityRule.json* and add the following content. The names of the two zones `Trust` and `UnTrust` match the zone names described earlier in the [Configure Palo Alto](#configure-palo-alto) section. The `service/member` entry contains the name of the service group created in the previous steps. --```json -{ - "entry": [ - { - "@name": "AzureSpringAppsRule", - "@location": "vsys", - "@vsys": "vsys1", - "to": { - "member": [ - "UnTrust" - ] - }, - "from": { - "member": [ - "Trust" - ] - }, - "source-user": { - "member": [ - "any" - ] - }, - "application": { - "member": [ - "any" - ] - }, - "service": { - "member": [ - "AzureSpringApps_SG" - ] - }, - "hip-profiles": { - "member": [ - "any" - ] - }, - "action": "allow", - "category": { - "member": [ - "any" - ] - }, - "source": { - "member": [ - "any" - ] - }, - "destination": { - "member": [ - "any" - ] - } - } - ] -} -``` --Now, apply this rule to Palo Alto, as shown in the following example. --```powershell -$url = "https://${PaloAltoIpAddress}/restapi/v9.1/Policies/SecurityRules?location=vsys&vsys=vsys1&name=AzureSpringAppsRule" --# Delete the rule if it already exists -try { - $getResult = Invoke-RestMethod -Headers $paloAltoHeaders -Method Get -SkipCertificateCheck -Uri $url -Verbose - if ($getResult.'@status' -eq 'success') { - Invoke-RestMethod -Method Delete -Headers $paloAltoHeaders -SkipCertificateCheck -Uri $url - } -} -catch {} --# Create the rule from the JSON file -Invoke-WebRequest -Uri $url -Method Post -Headers $paloAltoHeaders -Body (Get-Content SecurityRule.json) -SkipCertificateCheck -``` --## Create Azure Monitor addresses --Next, use the *AzureMonitorAddresses.csv* file to define Address objects in Palo Alto. The following example code shows you how to automate this task. --```powershell -Get-Content ./AzureMonitorAddresses.csv | ConvertFrom-Csv | ForEach-Object { - $requestBody = @{ 'entry' = [ordered]@{ - '@name' = $_.name - $_.type = $_.address - 'tag' = @{ 'member' = @($_.tag) } - } - } -- $name = $requestBody.entry.'@name' - $url = "https://${PaloAltoIpAddress}/restapi/v9.1/Objects/Addresses?location=vsys&vsys=vsys1&name=${name}" -- # Delete the address if it already exists - try { - Invoke-RestMethod -Method Delete -Uri $url -SkipCertificateCheck -Headers $paloAltoHeaders - } - catch { - } -- # Create the address - Invoke-RestMethod -Method Post -Uri $url -SkipCertificateCheck -Headers $paloAltoHeaders -Body (ConvertTo-Json -WarningAction Ignore $requestBody -Depth 3) -Verbose -} -``` --## Commit changes to Palo Alto --You must commit some of the changes above so they'll become active. You can do this with the following REST API call. --```powershell -$url = "https://${PaloAltoIpAddress}/api/?type=commit&cmd=<commit></commit>" -Invoke-RestMethod -Method Get -Uri $url -SkipCertificateCheck -Headers $paloAltoHeaders -``` --## Configure the Security Rules for Azure Spring Apps subnets --Next, add network security rules to enable traffic from Palo Alto to access Azure Spring Apps. The following examples reference the spoke Network Security Groups (NSGs) created by the Reference Architecture: `nsg-spokeapp` and `nsg-spokeruntime`. --Run the following Azure CLI commands in a PowerShell window to create the necessary network security rule for each of these NSGs, where `$PaloAltoAddressPrefix` is the Classless Inter-Domain Routing (CIDR) address of Palo Alto's private IPs. --```azurecli -az network nsg rule create ` - --resource-group $ResourceGroupName ` - --name 'allow-palo-alto' ` - --nsg-name 'nsg-spokeapp' ` - --access Allow ` - --source-address-prefixes $PaloAltoAddressPrefix ` - --priority 1000 -az network nsg rule create ` - --resource-group $ResourceGroupName ` - --name 'allow-palo-alto' ` - --nsg-name 'nsg-spokeruntime' ` - --access Allow ` - --source-address-prefixes $PaloAltoAddressPrefix ` - --priority 1000 -``` --## Configure the next hop --After you've configured Palo Alto, configure Azure Spring Apps to have Palo Alto as its next hop for outbound internet access. You can use the following Azure CLI commands in a PowerShell window for this configuration. Be sure to provide values for the following variables: --* `$AppResourceGroupName`: The name of the resource group containing your Azure Spring Apps. -* `$AzureSpringAppsServiceSubnetRouteTableName`: The name of the Azure Spring Apps service/runtime subnet route table. In the reference architecture, this is set to `rt-spokeruntime`. -* `$AzureSpringAppsAppSubnetRouteTableName`: The name of the Azure Spring Apps app subnet route table. In the reference architecture, this is set to `rt-spokeapp`. --```azurecli -az network route-table route create ` - --resource-group ${AppResourceGroupName} ` - --name default ` - --route-table-name ${AzureSpringAppsServiceSubnetRouteTableName} ` - --address-prefix 0.0.0.0/0 ` - --next-hop-type VirtualAppliance ` - --next-hop-ip-address ${PaloAltoIpAddress} ` - --verbose --az network route-table route create ` - --resource-group ${AppResourceGroupName} ` - --name default ` - --route-table-name ${AzureSpringAppsAppSubnetRouteTableName} ` - --address-prefix 0.0.0.0/0 ` - --next-hop-type VirtualAppliance ` - --next-hop-ip-address ${PaloAltoIpAddress} ` - --verbose -``` --Your configuration is now complete. --## Next steps --* [Stream Azure Spring Apps app logs in real-time](./how-to-log-streaming.md) -* [Application Insights Java In-Process Agent in Azure Spring Apps](./how-to-application-insights.md) -* [Automate application deployments to Azure Spring Apps](./how-to-cicd.md) |
spring-apps | How To Configure Planned Maintenance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-configure-planned-maintenance.md | - Title: How to configure planned maintenance for Azure Spring Apps -description: Describes how to configure planned maintenance for Azure Spring Apps. ---- Previously updated : 11/07/2023---# How to configure planned maintenance (preview) --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ❌ Standard consumption and dedicated (Preview) ✔️ Basic/Standard ✔️ Enterprise --This article describes how to configure planned maintenance in Azure Spring Apps. --Routine maintenance is necessary to keep the Azure Spring Apps platform up-to-date and secure. The maintenance, also called auto patching, includes security updates, bug fixes, new features, or performance improvements. Auto patching can be performed on components managed by Azure Spring Apps to support your Java applications, including JDK, APM, base OS image, managed middleware, and runtime infrastructure. For the maintenance to take effect, your applications restart within the maintenance window you specify, but the service quality and uptime guarantees continue to apply during this time. --## Configure maintenance for Azure Spring Apps --### [Azure portal](#tab/Azure-portal) --Use the following steps to configure planned maintenance in Azure Spring Apps: --1. Go to the service **Overview** page and select **Planned Maintenance**. -- :::image type="content" source="media/how-to-configure-planned-maintenance/maintenance-section.png" alt-text="Screenshot of Azure portal that shows the Azure Spring Apps sidebar with Planned Maintenance highlighted."::: --1. Select **Choose your preferred time** to specify detailed configuration for the maintenance window. -- :::image type="content" source="media/how-to-configure-planned-maintenance/maintenance-checkbox.png" alt-text="Screenshot of the Azure portal that shows the Planned maintenance page with the Choose your preferred time checkbox highlighted."::: --1. Select **Day of the week** to schedule the maintenance. -- :::image type="content" source="media/how-to-configure-planned-maintenance/maintenance-week.png" alt-text="Screenshot of Azure portal that shows the Planned maintenance page with the Day of week option highlighted."::: --1. Select **Start time of upgrade**. -- :::image type="content" source="media/how-to-configure-planned-maintenance/maintenance-time.png" alt-text="Screenshot of Azure portal that shows the Planned maintenance page with the Start time of upgrade option highlighted."::: --1. Select **Apply** to submit your configuration for planned maintenance. --### [Azure CLI](#tab/azure-cli) --Use the following command to configure planned maintenance: --```azurecli -az spring update \ - --resource-group <resource-group-name> \ - --name <Azure-Spring-Apps-instance-name> \ - --enable-planned-maintenance \ - --planned-maintenance-day $DAY_OF_WEEK \ - --planned-maintenance-start-hour $START_HOUR -``` ----Updating the configuration can take a few minutes. You get a notification when the configuration is complete. --> [!NOTE] -> If you don't configure planned maintenance, the maintenance takes place at a time chosen by the service team, with the best effort to minimize business risks for most customers. --## Manage maintenance notification --Notifications and messages are sent out before and during the maintenance. The following table describes the message types and time details: --| Sequence number | Message type | Channel | Time the message is sent out | -|--|--||--| -| 1 | Release note | Activity Log | At the end of the release rollout. | -| 2 | Maintenance announcement | Planned Maintenance | Two weeks before the first available maintenance window. | -| 3 | Start of maintenance window | Activity Log | At the start of the execution of the entire maintenance. | -| 4 | Changelog of components | Activity Log | At the end of upgrade for each managed component. | -| 5 | End of maintenance window | Activity Log | At the end of the execution of the entire maintenance. | -| 6 | Feature update | What's New article | After the new feature becomes available to the customers. | --## Manage maintenance frequency --Currently, Azure Spring Apps performs one regular planned maintenance to upgrade the underlying infrastructure every three months. For a detailed maintenance timeline, check the notifications on the [Azure Service Health](https://azure.microsoft.com/get-started/azure-portal/service-health) page. --## Best practices --- When you configure planned maintenance for multiple service instances in the same region, the maintenance takes place within the same week. For example, if maintenance for cluster A is set on Monday and cluster B on Sunday, then cluster A is maintained before cluster B, in the same week.-- If you have two service instances that span across [Azure paired regions](../availability-zones/cross-region-replication-azure.md#azure-paired-regions), the maintenance takes place in different weeks for such service instances, but there's no guarantee which region is maintained first. Follow each maintenance announcement for the exact information.-- The length of the time window for the planned maintenance is fixed to 8 hours. For example, if the start time is set to 10:00, then the maintenance job is executed at any time between 10:00 and 18:00. The service team tries its best to finish the maintenance within this time window, but sometimes it might take longer.-- You can't exempt a maintenance job regardless of how or whether planned maintenance is configured. If you have special requests for a maintenance time that can't be met with this feature, open a support ticket.--## Next steps --- [Analyze logs and metrics with diagnostics settings](./diagnostic-services.md) |
spring-apps | How To Create User Defined Route Instance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-create-user-defined-route-instance.md | - Title: Control egress traffic for an Azure Spring Apps instance -description: Learn how to control egress traffic for an Azure Spring Apps instance. ---- Previously updated : 01/17/2023----# Control egress traffic for an Azure Spring Apps instance --**This article applies to:** ✔️ Java ✔️ C# --**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise --This article describes how to secure outbound traffic from your applications hosted in Azure Spring Apps. The article provides an example of a user-defined route. A user-defined route is an advanced feature that lets you fully control egress traffic. You can use a user-defined route in scenarios such as disallowing an Azure Spring Apps autogenerated public IP address. --## Prerequisites --- All prerequisites for [deploying Azure Spring Apps in a virtual network](how-to-deploy-in-azure-virtual-network.md)-- An API version of `2022-09-01 preview` or later-- [Azure CLI version 1.1.7 or later](/cli/azure/install-azure-cli)-- Familiarity with information in the following articles:- - [Deploy Azure Spring Apps in a virtual network](how-to-deploy-in-azure-virtual-network.md) - - [Customer responsibilities for running Azure Spring Apps in a virtual network](vnet-customer-responsibilities.md) - - [Customize Azure Spring Apps egress with a user-defined route](concept-outbound-type.md) --## Create a virtual network by using a user-defined route --The following illustration shows an example of an Azure Spring Apps virtual network that uses a user-defined route (UDR). ---This diagram illustrates the following features of the architecture: --- Public ingress traffic must flow through firewall filters.-- Each Azure Spring Apps instance is isolated within a dedicated subnet.-- Customers own and manage the firewall.-- This structure ensures that the firewall enables a healthy environment for all the functions you need.-- Azure Spring Apps doesn't automatically generate public IP resources.--### Define environment variables --The following example shows how to define a set of environment variables to be used in resource creation: --```bash -export PREFIX="asa-egress" -export RG="${PREFIX}-rg" -export LOC="eastus" -export ASANAME="${PREFIX}" -export VNET_NAME="${PREFIX}-vnet" -export ASA_APP_SUBNET_NAME="asa-app-subnet" -export ASA_SERVICE_RUNTIME_SUBNET_NAME="asa-service-runtime-subnet" -# Do not change FWSUBNET_NAME. This is currently a requirement for Azure Firewall. -export FWSUBNET_NAME="AzureFirewallSubnet" -export FWNAME="${PREFIX}-fw" -export FWPUBLICIP_NAME="${PREFIX}-fwpublicip" -export FWIPCONFIG_NAME="${PREFIX}-fwconfig" -export APP_ROUTE_TABLE_NAME="${PREFIX}-app-rt" -export SERVICE_RUNTIME_ROUTE_TABLE_NAME="${PREFIX}-service-runtime-rt" -export FWROUTE_NAME="${PREFIX}-fwrn" -export ASA_NAME="${PREFIX}-instance" -``` --### Create a virtual network with multiple subnets --This section shows you how to provision a virtual network with three separate subnets: one for the user apps, one for the service runtime, and one for the firewall. --First create a resource group, as shown in the following example: --```azurecli -# Create a resource group. --az group create --name $RG --location $LOC -``` --Then create a virtual network with three subnets to host the Azure Spring Apps and Azure Firewall instances, as shown in the following example: --```azurecli -# Dedicated virtual network with an Azure Spring Apps app subnet. --az network vnet create \ - --resource-group $RG \ - --name $VNET_NAME \ - --location $LOC \ - --address-prefixes 10.42.0.0/16 \ - --subnet-name $ASA_APP_SUBNET_NAME \ - --subnet-prefix 10.42.1.0/24 --# Dedicated subnet for the Azure Spring Apps service runtime subnet. --az network vnet subnet create \ - --resource-group $RG \ - --vnet-name $VNET_NAME \ - --name $ASA_SERVICE_RUNTIME_SUBNET_NAME\ - --address-prefix 10.42.2.0/24 --# Dedicated subnet for Azure Firewall. (Firewall name can't be changed.) --az network vnet subnet create \ - --resource-group $RG \ - --vnet-name $VNET_NAME \ - --name $FWSUBNET_NAME \ - --address-prefix 10.42.3.0/24 -``` --### Set up an Azure Firewall instance with a user-defined route --Use the following command to create and set up an Azure Firewall instance with a user-defined route, and to configure Azure Firewall outbound rules. The firewall lets you configure granular egress traffic rules from Azure Spring Apps. --> [!IMPORTANT] -> If your cluster or application creates a large number of outbound connections directed to the same destination or to a small subset of destinations, you might require more firewall front-end IP addresses to avoid reaching the maximum ports per front-end IP address. For more information on how to create an Azure Firewall instance with multiple IP addresses, see [Quickstart: Create an Azure Firewall instance with multiple public IP addresses - ARM template](../firewall/quick-create-multiple-ip-template.md). Create a Standard SKU public IP resource for use as the Azure Firewall front-end address. --```azurecli -az network public-ip create \ - --resource-group $RG \ - --name $FWPUBLICIP_NAME -l $LOC \ - --sku "Standard" -``` --The following example shows how to install the Azure Firewall preview CLI extension and deploy Azure Firewall: --```azurecli -# Install the Azure Firewall preview CLI extension. --az extension add --name azure-firewall --# Deploy Azure Firewall. --az network firewall create \ - --resource-group $RG \ - --name $FWNAME -l $LOC \ - --enable-dns-proxy true -``` --The following example shows how to assign the IP address that you created to the firewall front end. --> [!NOTE] -> Setting up the public IP address to the Azure Firewall instance might take a few minutes. To use a fully qualified domain name (FQDN) on network rules, enable a DNS proxy. After you enable the proxy, the firewall listens on port 53 and forwards DNS requests to the specified DNS server. The firewall can then translate the FQDN automatically. --```azurecli -# Configure the firewall IP address. --az network firewall ip-config create \ - --resource-group $RG \ - --firewall-name $FWNAME \ - --name $FWIPCONFIG_NAME \ - --public-ip-address $FWPUBLICIP_NAME \ - --vnet-name $VNET_NAME -``` --When the operation is finished, save the firewall's front-end IP address for configuration later, as shown in the following example: --```azurecli -# Capture the firewall IP address for later use. --export FWPUBLIC_IP=$(az network public-ip show \ - --resource-group $RG \ - --name $FWPUBLICIP_NAME \ - --query "ipAddress" \ - --output tsv) -export FWPRIVATE_IP=$(az network firewall show \ - --resource-group $RG \ - --name $FWNAME \ - --query "ipConfigurations[0].privateIPAddress" \ - --output tsv | tr -d '[:space:]') -``` --### Create a user-defined route with a hop to Azure Firewall --Azure automatically routes traffic between Azure subnets, virtual networks, and on-premises networks. If you want to change the default routing in Azure, create a route table. --The following example shows how to create a route table to be associated with a specified subnet. The route table defines the next hop, as in the Azure Firewall instance that you created. Each subnet can have one route table associated with it, or it might have no associated route table. --```azurecli -# Create a user-defined route and add a route for Azure Firewall. --az network route-table create \ - --resource-group $RG -l $LOC \ - --name $APP_ROUTE_TABLE_NAME -az network route-table route create \ - --resource-group $RG \ - --name $FWROUTE_NAME \ - --route-table-name $APP_ROUTE_TABLE_NAME \ - --address-prefix 0.0.0.0/0 \ - --next-hop-type VirtualAppliance \ - --next-hop-ip-address $FWPRIVATE_IP -az network route-table create \ - --resource-group $RG -l $LOC \ - --name $SERVICE_RUNTIME_ROUTE_TABLE_NAME -az network route-table route create \ - --resource-group $RG \ - --name $FWROUTE_NAME \ - --route-table-name $SERVICE_RUNTIME_ROUTE_TABLE_NAME \ - --address-prefix 0.0.0.0/0 \ - --next-hop-type VirtualAppliance \ - --next-hop-ip-address $FWPRIVATE_IP -``` --### Add firewall rules --The following example shows how to add rules to your firewall. For more information, see [Customer responsibilities for running Azure Spring Apps in a virtual network](vnet-customer-responsibilities.md). --```azurecli -# Add firewall network rules. --az network firewall network-rule create \ - --resource-group $RG \ - --firewall-name $FWNAME \ - --collection-name 'asafwnr' \ - --name 'springcloudtcp' \ - --protocols 'TCP' \ - --source-addresses '*' \ - --destination-addresses "AzureCloud" \ - --destination-ports 443 445 \ - --action allow \ - --priority 100 --# Add firewall application rules. --az network firewall application-rule create \ - --resource-group $RG \ - --firewall-name $FWNAME \ - --collection-name 'aksfwar'\ - --name 'fqdn' \ - --source-addresses '*' \ - --protocols 'https=443' \ - --fqdn-tags "AzureKubernetesService" \ - --action allow \ - --priority 100 -``` --### Associate route tables with subnets --To associate the cluster with the firewall, make sure that the dedicated subnet for the cluster references the route table that you created. App and service runtime subnets must be associated with corresponding route tables. The following example shows how to associate a route table with a subnet: --```azurecli -# Associate the route table with a next hop to the firewall for the Azure Spring Apps subnet. --az network vnet subnet update \ - --resource-group $RG \ - --vnet-name $VNET_NAME \ - --name $ASA_APP_SUBNET_NAME \ - --route-table $APP_ROUTE_TABLE_NAME --az network vnet subnet update - --resource-group $RG \ - --vnet-name $VNET_NAME \ - --name $ASA_SERVICE_RUNTIME_SUBNET_NAME \ - --route-table $SERVICE_RUNTIME_ROUTE_TABLE_NAME -``` --### Add a role for an Azure Spring Apps resource provider --The following example shows how to add a role for the Azure Spring Apps resource provider. The role is assigned to all users identified by the string `e8de9221-a19c-4c81-b814-fd37c6caf9d2`: --```azurecli -export VIRTUAL_NETWORK_RESOURCE_ID=$(az network vnet show \ - --name $VNET_NAME \ - --resource-group $RG \ - --query "id" \ - --output tsv) --az role assignment create \ - --role "Owner" \ - --scope ${VIRTUAL_NETWORK_RESOURCE_ID} \ - --assignee e8de9221-a19c-4c81-b814-fd37c6caf9d2 --export APP_ROUTE_TABLE_RESOURCE_ID=$(az network route-table show \ - --name $APP_ROUTE_TABLE_NAME \ - --resource-group $RG \ - --query "id" \ - --output tsv) - -az role assignment create \ - --role "Owner" \ - --scope ${APP_ROUTE_TABLE_RESOURCE_ID} \ - --assignee e8de9221-a19c-4c81-b814-fd37c6caf9d2 - -export SERVICE_RUNTIME_ROUTE_TABLE_RESOURCE_ID=$(az network route-table show \ - --name $SERVICE_RUNTIME_ROUTE_TABLE_NAME \ - --resource-group $RG \ - --query "id" \ - --output tsv) - -az role assignment create \ - --role "Owner" \ - --scope ${SERVICE_RUNTIME_ROUTE_TABLE_RESOURCE_ID} \ - --assignee e8de9221-a19c-4c81-b814-fd37c6caf9d2 -``` --### Create an Azure Spring Apps instance with user-defined routing --The following example shows how to create an Azure Spring Apps instance with user-defined routing: --```azurecli -az spring create \ - --name $ASA_NAME \ - --resource-group $RG \ - --vnet $VNET_NAME \ - --app-subnet $ASA_APP_SUBNET_NAME \ - --service-runtime-subnet $ASA_SERVICE_RUNTIME_SUBNET_NAME \ - --outbound-type userDefinedRouting -``` --You can now access the public IP address of the firewall from the internet. The firewall routes traffic into Azure Spring Apps subnets according to your routing rules. --## Next steps --- [Troubleshooting Azure Spring Apps in virtual networks](troubleshooting-vnet.md)-- [Customer responsibilities for running Azure Spring Apps in a virtual network](vnet-customer-responsibilities.md) |
spring-apps | How To Custom Domain | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-custom-domain.md | - Title: Map an existing custom domain to Azure Spring Apps -description: Learn how to map an existing custom Distributed Name Service (DNS) name to Azure Spring Apps --- Previously updated : 03/19/2020-----# Map an existing custom domain to Azure Spring Apps --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Java ✔️ C# --**This article applies to:** ✔️ Standard ✔️ Enterprise --Domain Name Service (DNS) is a technique for storing network node names throughout a network. This article maps a domain, such as `www.contoso.com`, using a CNAME record. It secures the custom domain with a certificate and shows how to enforce Transport Layer Security (TLS), also known as Secure Sockets Layer (SSL). --Certificates encrypt web traffic. These TLS/SSL certificates can be stored in Azure Key Vault. --## Prerequisites --- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.-- (Optional) [Azure CLI](/cli/azure/install-azure-cli) version 2.45.0 or higher. Use the following command to install the Azure Spring Apps extension: `az extension add --name spring`-- An application deployed to Azure Spring Apps (see [Quickstart: Launch an existing application in Azure Spring Apps using the Azure portal](./quickstart.md), or use an existing app). If your application is deployed using the Basic plan, be sure to upgrade to the Standard plan.-- A domain name with access to the DNS registry for a domain provider, such as GoDaddy.-- A private certificate (that is, your self-signed certificate) from a third-party provider. The certificate must match the domain.-- A deployed instance of Azure Key Vault. For more information, see [About Azure Key Vault](../key-vault/general/overview.md).--## Key Vault private link considerations --The IP addresses for Azure Spring Apps management aren't yet part of the Azure Trusted Microsoft services. Therefore, to enable Azure Spring Apps to load certificates from a Key Vault protected with private endpoint connections, you must add the following IP addresses to Azure Key Vault firewall: --- `20.99.204.111`-- `20.201.9.97`-- `20.74.97.5`-- `52.235.25.35`-- `20.194.10.0`-- `20.59.204.46`-- `104.214.186.86`-- `52.153.221.222`-- `52.160.137.39`-- `20.39.142.56`-- `20.199.190.222`-- `20.79.64.6`-- `20.211.128.96`-- `52.149.104.144`-- `20.197.121.209`-- `40.119.175.77`-- `20.108.108.22`-- `102.133.143.38`-- `52.226.244.150`-- `20.84.171.169`-- `20.93.48.108`-- `20.75.4.46`-- `20.78.29.213`-- `20.106.86.34`-- `20.193.151.132`--## Import certificate --### Prepare your certificate file in PFX (optional) --Azure Key Vault supports importing private certificate in PEM and PFX format. If the PEM file you obtained from your certificate provider doesn't work in the [Save certificate in Key Vault](#save-certificate-in-key-vault) section, follow the steps here to generate a PFX for Azure Key Vault. --#### Merge intermediate certificates --If your certificate authority gives you multiple certificates in the certificate chain, you need to merge the certificates in order. --To do this task, open each certificate you received in a text editor. --Create a file for the merged certificate, called _mergedcertificate.crt_. In a text editor, copy the content of each certificate into this file. The order of your certificates should follow the order in the certificate chain, beginning with your certificate and ending with the root certificate. It looks like the following example: --```crt BEGIN CERTIFICATE---<your entire Base64 encoded SSL certificate> END CERTIFICATE---BEGIN CERTIFICATE---<The entire Base64 encoded intermediate certificate 1> END CERTIFICATE---BEGIN CERTIFICATE---<The entire Base64 encoded intermediate certificate 2> END CERTIFICATE---BEGIN CERTIFICATE---<The entire Base64 encoded root certificate> END CERTIFICATE---``` --#### Export certificate to PFX --Export your merged TLS/SSL certificate with the private key that your certificate request was generated with. --If you generated your certificate request using OpenSSL, then you have created a private key file. To export your certificate to PFX, run the following command. Replace the placeholders _<private-key-file>_ and _<merged-certificate-file>_ with the paths to your private key and your merged certificate file. --```bash -openssl pkcs12 -export -out myserver.pfx -inkey <private-key-file> -in <merged-certificate-file> -``` --When prompted, define an export password. Use this password when uploading your TLS/SSL certificate to Azure Key Vault later. --If you used IIS or _Certreq.exe_ to generate your certificate request, install the certificate to your local machine, and then [export the certificate to PFX](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754329(v=ws.11)). --### Save certificate in Key Vault --The procedure to import a certificate requires the PEM or PFX encoded file to be on disk and you must have the private key. --#### [Azure portal](#tab/Azure-portal) --Use the following steps to upload your certificate to key vault: --1. Go to your key vault instance. -1. In the navigation pane, select **Certificates**. -1. On the upper menu, select **Generate/import**. -1. On the **Create a certificate** page, select **Import** for **Method of Certificate Creation**, and then provide a value for **Certificate Name**. -1. Under **Upload Certificate File**, navigate to certificate location and select it. -1. Under **Password**, if you're uploading a password protected certificate file, provide that password here. Otherwise, leave it blank. Once the certificate file is successfully imported, key vault removes that password. -1. Select **Create**. -- :::image type="content" source="./media/how-to-custom-domain/import-certificate-a.png" alt-text="Screenshot of the Create a certificate pane." lightbox="./media/how-to-custom-domain/import-certificate-a.png"::: --#### [Azure CLI](#tab/Azure-CLI) --Use the following command to import a certificate: --```azurecli -az keyvault certificate import \ - --file <path-to-pfx-or-pem-file> \ - --name <certificate-name> \ - --vault-name <key-vault-name> \ - --password <password-if-needed> -``` ----### Grant Azure Spring Apps access to your key vault --You need to grant Azure Spring Apps access to your key vault before you import the certificate. --#### [Azure portal](#tab/Azure-portal) --use the following steps to grant access using the Azure portal: --1. Go to your key vault instance. -1. In the navigation pane, select **Access policies**. -1. On the upper menu, select **Create**. -1. Fill in the info, and select **Add** button, then **Create** access police. --| Secret permission | Certificate permission | Select principal | -|-||--| -| Get, List | Get, List | Azure Spring Apps Domain-Management | -- > [!NOTE] - > If you don't find the "Azure Spring Apps Domain-Management", search for "Azure Spring Cloud Domain-Management". -- :::image type="content" source="./media/how-to-custom-domain/import-certificate-b.png" alt-text="Screenshot of the Azure portal showing the Add Access Policy page for a key vault with Get and List selected from Secret permissions and from Certificate permissions." lightbox="./media/how-to-custom-domain/import-certificate-b.png"::: -- :::image type="content" source="./media/how-to-custom-domain/import-certificate-c.png" alt-text="Screenshot of the Azure portal showing the Create Access Policy page for a key vault with Azure Spring Apps Domain-management selected from the Select a principal dropdown." lightbox="./media/how-to-custom-domain/import-certificate-c.png"::: --#### [Azure CLI](#tab/Azure-CLI) --Use the following command to grant Azure Spring Apps read access to key vault: --```azurecli -az keyvault set-policy \ - --resource-group <key-vault-resource-group-name> \ - --name <key-vault-name> \ - --object-id 938df8e2-2b9d-40b1-940c-c75c33494239 \ - --certificate-permissions get list \ - --secret-permissions get list -``` ----### Import certificate to Azure Spring Apps --#### [Azure portal](#tab/Azure-portal) --1. Go to your Azure Spring Apps instance. -1. From the navigation pane, select **TLS/SSL settings**. -1. Select **Import key vault certificate**. -- :::image type="content" source="./media/how-to-custom-domain/import-certificate.png" alt-text="Screenshot of the Azure portal showing the TLS/SSL settings page for an Azure Spring Apps instance, with the Import key vault certificate button highlighted." lightbox="./media/how-to-custom-domain/import-certificate.png"::: --1. On the **Select certificate from Azure** page, select the **Subscription**, **Key Vault**, and **Certificate** from the drop-down options, and then choose **Select**. -- :::image type="content" source="./media/how-to-custom-domain/select-certificate-from-key-vault.png" alt-text="Screenshot of the Azure portal showing the Select certificate from Azure page." lightbox="./media/how-to-custom-domain/select-certificate-from-key-vault.png"::: --1. On the opened **Set certificate name** page, enter your certificate name, select **Enable auto sync** if needed, and then select **Apply**. For more information, see the [Auto sync certificate](#auto-sync-certificate) section. -- :::image type="content" source="./media/how-to-custom-domain/set-certificate-name.png" alt-text="Screenshot of the Set certificate name dialog box."::: --1. When you have successfully imported your certificate, it displays in the list of **Private Key Certificates**. -- :::image type="content" source="./media/how-to-custom-domain/key-certificates.png" alt-text="Screenshot of a private key certificate."::: --#### [Azure CLI](#tab/Azure-CLI) --Use the following command to add a certificate: --```azurecli -az spring certificate add \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name <cert-name> \ - --vault-uri <key-vault-uri> \ - --vault-certificate-name <key-vault-cert-name> \ - --enable-auto-sync false -``` --To enable certificate auto sync, include the `--enable-auto-sync true` setting when you add the certificate, as shown in the following example. For more information, see the [Auto sync certificate](#auto-sync-certificate) section. --```azurecli -az spring certificate add \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name <cert-name> \ - --vault-uri <key-vault-uri> \ - --vault-certificate-name <key-vault-cert-name> \ - --enable-auto-sync true -``` --Use the following command to show a list of imported certificates: --```azurecli -az spring certificate list \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> -``` ----> [!IMPORTANT] -> To secure a custom domain with this certificate, be sure to bind the certificate to the specific domain. For more information, see the [Add SSL binding](#add-ssl-binding) section. --### Auto sync certificate --A certificate stored in Azure Key Vault sometimes gets renewed before it expires. Similarly, your organization's security policies for certificate management might require your DevOps team to replace certificates with new ones regularly. After you enable auto sync for a certificate, Azure Spring Apps starts to sync your key vault for a new version regularly - usually every 24 hours. If a new version is available, Azure Spring Apps imports it, and then reloads it for various components using the certificate without causing any downtime. The following list shows the affected components and relevant scenarios: --- App- - Custom domain -- [VMware Spring Cloud Gateway](./how-to-configure-enterprise-spring-cloud-gateway.md)- - Custom domain -- [API portal for VMware Tanzu](./how-to-use-enterprise-api-portal.md)- - Custom domain -- [VMware Tanzu Application Accelerator](./how-to-use-accelerator.md)- - Connecting to a Git repository with a self-signed certificate. -- [Application Configuration Service for Tanzu](./how-to-enterprise-application-configuration-service.md)- - Connecting to a Git repository with a self-signed certificate. --When Azure Spring Apps imports or reloads a certificate, an activity log is generated. To see the activity logs, navigate to your Azure Spring Apps instance in the Azure portal and select **Activity log** in the navigation pane. --> [!NOTE] -> The certificate auto sync feature works with private certificates and public certificates imported from Azure Key Vault. This feature is unavailable for content certificates, which the customer uploads. --You can enable or disable the certificate auto sync feature when you import a certificate from your key vault to Azure Spring Apps. For more information, see the [Import certificate to Azure Spring Apps](#import-certificate-to-azure-spring-apps) section. --You can also enable or disable this feature for a certificate that has already been imported to Azure Spring Apps. --#### [Azure portal](#tab/Azure-portal) --Use the following steps to enable or disable auto sync for an imported certificate: --1. Go to the list of **Private Key Certificates** or **Public Key Certificates**. --1. Select the ellipsis (**...**) button after the **Auto sync** column, and then select either **Enable auto sync** or **Disable auto sync**. -- :::image type="content" source="./media/how-to-custom-domain/edit-auto-sync.png" alt-text="Screenshot of the Azure portal that shows a certificate list with the ellipsis button menu open and the Enable auto sync option selected." lightbox="./media/how-to-custom-domain/edit-auto-sync.png"::: --#### [Azure CLI](#tab/Azure-CLI) --Use the following command to enable auto sync for an imported certificate: --```azurecli -az spring certificate update \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name <cert-name> \ - --enable-auto-sync true -``` --Use the following command to disable auto sync for an imported certificate: --```azurecli -az spring certificate update \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name <cert-name> \ - --enable-auto-sync false -``` ----## Add Custom Domain --You can use a CNAME record to map a custom DNS name to Azure Spring Apps. --> [!NOTE] -> The A record isn't supported. --### Create the CNAME record --Go to your DNS provider and add a CNAME record to map your domain to the `<service-name>.azuremicroservices.io`. Here, `<service-name>` is the name of your Azure Spring Apps instance. We support wildcard domain and sub domain. -After you add the CNAME, the DNS records page resembles the following example: ---## Map your custom domain to Azure Spring Apps app --If you don't have an application in Azure Spring Apps, follow the instructions in [Quickstart: Deploy your first application to Azure Spring Apps](./quickstart.md). --#### [Azure portal](#tab/Azure-portal) --Go to application page. --1. Select **Custom Domain**. -2. Then **Add Custom Domain**. -- :::image type="content" source="./media/how-to-custom-domain/custom-domain.png" alt-text="Screenshot of a custom domain page." lightbox="./media/how-to-custom-domain/custom-domain.png"::: --3. Type the fully qualified domain name for which you added a CNAME record, such as www.contoso.com. Make sure that Hostname record type is set to CNAME (`<service-name>.azuremicroservices.io`) -4. Select **Validate** to enable the **Add** button. -5. Select **Add**. -- :::image type="content" source="./media/how-to-custom-domain/add-custom-domain.png" alt-text="Screenshot of the Add custom domain pane."::: --One app can have multiple domains, but one domain can only map to one app. When you successfully mapped your custom domain to the app, it displays on the custom domain table. ---#### [Azure CLI](#tab/Azure-CLI) --Use the following command to bind a custom domain with the app: --```azurecli -az spring app custom-domain bind \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --domain-name <domain-name> \ - --app <app-name> --``` --Use the following command to show the list of custom domains: --```azurecli -az spring app custom-domain list \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --app <app-name> -``` ----> [!NOTE] -> A **Not Secure** label for your custom domain means that it's not yet bound to an SSL certificate. Any HTTPS request from a browser to your custom domain receives an error or warning. --## Add SSL binding --#### [Azure portal](#tab/Azure-portal) --In the custom domain table, select **Add ssl binding** as shown in the previous figure. --1. Select your **Certificate** or import it. -1. Select **Save**. -- :::image type="content" source="./media/how-to-custom-domain/add-ssl-binding.png" alt-text="Screenshot of the SSL Binding pane."::: --#### [Azure CLI](#tab/Azure-CLI) --Use the following command to update a custom domain of the app. --```azurecli -az spring app custom-domain update \ - --resource-group <resource-group-name> \ - --service <service-name> \ - --domain-name <domain-name> \ - --certificate <cert-name> \ - --app <app-name> --``` ----After you successfully add SSL binding, the domain state is secure: **Healthy**. ---## Enforce HTTPS --By default, anyone can still access your app using HTTP, but you can redirect all HTTP requests to the HTTPS port. --#### [Azure portal](#tab/Azure-portal) --In your app page, in the navigation, select **Custom Domain**. Then, set **HTTPS Only** to `Yes`. ---#### [Azure CLI](#tab/Azure-CLI) --Use the following command to update the configurations of an app. --```azurecli -az spring app update \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name <app-name> \ - --https-only -``` ----When the operation is complete, navigate to any of the HTTPS URLs that point to your app. Note that HTTP URLs don't work. --## Next steps --- [What is Azure Key Vault?](../key-vault/general/overview.md)-- [Import a certificate](../key-vault/certificates/certificate-scenarios.md#import-a-certificate)-- [Use TLS/SSL certificates](./how-to-use-tls-certificate.md) |
spring-apps | How To Custom Persistent Storage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-custom-persistent-storage.md | - Title: How to enable your own persistent storage in Azure Spring Apps | Microsoft Docs -description: Learn how to bring your own storage as persistent storages in Azure Spring Apps --- Previously updated : 2/18/2022-----# How to enable your own persistent storage in Azure Spring Apps --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Java ✔️ C# --**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise --This article shows you how to enable your own persistent storage in Azure Spring Apps. --When you use the built-in persistent storage in Azure Spring Apps, artifacts generated by your application are uploaded into Azure Storage Accounts. Microsoft controls the encryption-at-rest and lifetime management policies for those artifacts. --When you use your own persistent storage, artifacts generated by your application are uploaded into a storage account that you control. You control the encryption-at-rest policy, the lifetime management policy, and network access. You're responsible for the costs associated with that storage account. --## Prerequisites --- An existing Azure Storage Account and an existing Azure File Share. If you need to create a storage account and file share in Azure, see [Create an SMB Azure file share](../storage/files/storage-how-to-create-file-share.md).-- [Azure CLI](/cli/azure/install-azure-cli), version 2.45.0 or higher.--> [!IMPORTANT] -> If you deployed your Azure Spring Apps in your own virtual network and you want the storage account to be accessed only from the virtual network, see [Use private endpoints for Azure Storage](../storage/common/storage-private-endpoints.md) and the [Grant access from a virtual network](../storage/common/storage-network-security.md#grant-access-from-a-virtual-network) section of [Configure Azure Storage firewalls and virtual networks](../storage/common/storage-network-security.md). --## Mount your own extra persistent storage to applications --> [!NOTE] -> Updating persistent storage restarts your applications. -> -> When you use virtual network integration, ensure that ports 80 and 445 are open. --### [Azure portal](#tab/Azure-portal) --Use the following steps to bind an Azure Storage account as a storage resource in your Azure Spring Apps and create an app with your own persistent storage. --1. Go to the service **Overview** page, and then select **Storage** in the left-hand navigation pane. --1. On the **Storage** page, select **Add storage**. -- :::image type="content" source="media/how-to-custom-persistent-storage/add-storage.png" alt-text="Screenshot of Azure portal showing the Storage page." lightbox="media/how-to-custom-persistent-storage/add-storage.png"::: --1. Enter the following information on the **Add storage** page, and then select **Apply**. -- | Setting | Value | - |--|--| - | Storage name | The name of the storage resource, which is a service-level resource in Azure Spring Apps. | - | Account name | The name of the storage account. | - | Account key | The storage account key. | -- :::image type="content" source="media/how-to-custom-persistent-storage/add-storage-resource.png" alt-text="Screenshot of Azure portal showing the Add storage page." lightbox="media/how-to-custom-persistent-storage/add-storage-resource.png"::: --1. Go to the **Apps** page, and then select an application to mount the persistent storage. -- :::image type="content" source="media/how-to-custom-persistent-storage/select-app-mount-persistent-storage.png" alt-text="Screenshot of Azure portal Apps page." lightbox="media/how-to-custom-persistent-storage/select-app-mount-persistent-storage.png"::: --1. Select **Configuration**, and then select **Persistent Storage**. --1. Select **Add persistent storage**. Add the values in the following table, and then select **Apply**. -- | Setting | Value | - |-|-| - | Storage name | The name of the storage resource that you entered earlier. | - | Persistent storage type | **AzureFileVolume** | - | Share name | The name of the Azure File share in the Azure Storage account. | - | Mount path | A unique mount path. | - | Mount options | Optional | - | Read only | Optional | -- :::image type="content" source="media/how-to-custom-persistent-storage/add-persistent-storage.png" alt-text="Screenshot of Azure portal showing the Add persistent storage page." lightbox="media/how-to-custom-persistent-storage/add-persistent-storage.png"::: --1. Select **Save** to apply the configuration changes. -- :::image type="content" source="media/how-to-custom-persistent-storage/save-persistent-storage-changes.png" alt-text="Screenshot of Azure portal showing the Persistent Storage tab of the Configuration page." lightbox="media/how-to-custom-persistent-storage/save-persistent-storage-changes.png"::: --### [Azure CLI](#tab/Azure-CLI) --Use the following steps to enable your own storage with the Azure CLI. --1. Use the following command to bind your Azure Storage account as a storage resource in your Azure Spring Apps instance. -- ```azurecli - az spring storage add \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name <storage-resource-name> \ - --storage-type StorageAccount \ - --account-name <account-name> \ - --account-key <account-key> - ``` --1. Use the following command to create an app with your own persistent storage. -- ```azurecli - az spring app create \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name <app-name> \ - --persistent-storage <path-to-JSON-file> - ``` -- The following example shows a JSON file that is passed to the `--persistent-storage` parameter. -- ```json - { - "customPersistentDisks": [ - { - "storageName": "<storage-resource-name>", - "customPersistentDiskProperties": { - "type": "AzureFileVolume", - "shareName": "<Azure-file-share-name>", - "mountPath": "<unique-mount-path>", - "mountOptions": [ - "uid=0", - "gid=0" - ], - "readOnly": false - } - }, - { - "storageName": "<storage-resource-name>", - "customPersistentDiskProperties": { - "type": "AzureFileVolume", - "shareName": "<Azure-file-share-name>", - "mountPath": "<unique-mount-path>", - "readOnly": true - } - } - ] - } - ``` --1. Optionally, use the following command to add extra persistent storage to an existing app. -- ```azurecli - az spring app append-persistent-storage \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name <app-name> \ - --persistent-storage-type AzureFileVolume \ - --share-name <Azure-file-share-name> \ - --mount-path <unique-mount-path> \ - --storage-name <storage-resource-name> - ``` --1. Optionally, use the following command to list the existing persistent storage of a specific storage resource. -- ```azurecli - az spring storage list-persistent-storage \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name <storage-resource-name> - ``` ----## Best practices --Use the following best practices when you add your own persistent storage to Azure Spring Apps. --- To avoid potential latency issues, place the Azure Spring Apps instance and the Azure Storage Account in the same Azure region.--- In the Azure Storage Account, avoid regenerating the account key that you're using. The storage account contains two different keys. Use a step-by-step approach to ensure that the persistent storage remains available to applications during key regeneration.-- For example, use the following steps to ensure that the persistent storage remains available if you used *key1* to bind a storage account to Azure Spring Apps. -- 1. Regenerate *key2*. - 1. Update the account key of the storage resource to use the regenerated *key2*. - 1. Restart the applications that mount the persistent storage from this storage resource. Use the `az spring storage list-persistent-storage` command to list all related applications. - 1. Regenerate *key1*. --- If you delete an Azure Storage account or Azure file share, avoid possible errors by removing the corresponding storage resource or persistent storage in the applications.--- If you'd like to write files to the same path for every individual application instance, but keep them in separate subdirectories from the perspective of the file share, you could use the *SubPath* option. Note that the *SubPath* option is incompatible with *Read only* because *SubPath* is used for writing new files and *Read only* is used for reading existing files.--## FAQ --This section addresses frequently asked questions about using your own persistent storage with Azure Spring Apps. --- If I have built-in persistent storage enabled, and then I enabled my own storage as extra persistent storage, is my data migrated into my Azure Storage account?-- *No. But we're going to provide a document to help you do the migration yourself soon.* --- What are the reserved mount paths?-- *Azure Spring Apps reserves the following mount paths:* -- - */tmp* - - */persistent* - - */secrets* - - */app-insights/agents* - - */etc/azure-spring-cloud/certs* - - */app-insights/agents/settings* - - */app-lifecycle/settings* --- What are the available mount options?-- *We currently support the following mount options:* -- - `uid` - - `gid` - - `file_mode` - - `dir_mode` -- *The `mountOptions` property is optional. The default values for these mount options are: ["uid=0", "gid=0", "file_mode=0777", "dir_mode=0777"]* --- I'm using the service endpoint to configure the storage account to allow access only from my own virtual network. Why did I receive a *Permission Denied* error when I tried to mount custom persistent storage to my applications?-- *A service endpoint provides network access on a subnet level only. Make sure you've added both subnets used by the Azure Spring Apps instance to the scope of the service endpoint.* --## Next steps --- [How to use Logback to write logs to custom persistent storage](how-to-write-log-to-custom-persistent-storage.md).-- [Scale an application in Azure Spring Apps](how-to-scale-manual.md). |
spring-apps | How To Deploy In Azure Virtual Network | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-deploy-in-azure-virtual-network.md | - Title: "Deploy Azure Spring Apps in a virtual network" -description: Deploy Azure Spring Apps in a virtual network (VNet injection). ---- Previously updated : 07/21/2020----# Deploy Azure Spring Apps in a virtual network --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Java ✔️ C# --**This article applies to:** ❌ Basic ✔️ Standard ✔️ Enterprise --This tutorial explains how to deploy an Azure Spring Apps instance in your virtual network. This deployment is sometimes called VNet injection. --The deployment enables: --* Isolation of Azure Spring Apps apps and service runtime from the internet on your corporate network. -* Azure Spring Apps interaction with systems in on-premises data centers or Azure services in other virtual networks. -* Empowerment of customers to control inbound and outbound network communications for Azure Spring Apps. --The following video describes how to secure Spring Boot applications using managed virtual networks. --<br> --> [!VIDEO https://www.youtube.com/embed/LbHD0jd8DTQ?list=PLPeZXlCR7ew8LlhnSH63KcM0XhMKxT1k_] --> [!NOTE] -> You can select your Azure virtual network only when you create a new Azure Spring Apps service instance. You can't change to use another virtual network after Azure Spring Apps has been created. --## Prerequisites --Register the Azure Spring Apps resource provider `Microsoft.AppPlatform` and `Microsoft.ContainerService` according to the instructions in [Register resource provider on Azure portal](../azure-resource-manager/management/resource-providers-and-types.md#azure-portal) or by running the following Azure CLI command: --```azurecli -az provider register --namespace Microsoft.AppPlatform -az provider register --namespace Microsoft.ContainerService -``` --## Virtual network requirements --The virtual network to which you deploy your Azure Spring Apps instance must meet the following requirements: --* Location: The virtual network must reside in the same location as the Azure Spring Apps instance. -* Subscription: The virtual network must be in the same subscription as the Azure Spring Apps instance. -* Subnets: The virtual network must include two subnets dedicated to an Azure Spring Apps instance: - * One for the service runtime. - * One for your Spring applications. - * There's a one-to-one relationship between these subnets and an Azure Spring Apps instance. Use a new subnet for each service instance you deploy. Each subnet can only include a single service instance. -* Address space: CIDR blocks up to */28* for both the service runtime subnet and the Spring applications subnet. -* Route table: By default the subnets don't need existing route tables associated. You can [bring your own route table](#bring-your-own-route-table). --Use the following steps to set up the virtual network to contain the Azure Spring Apps instance. --## Create a virtual network --### [Azure portal](#tab/azure-portal) --If you already have a virtual network to host an Azure Spring Apps instance, skip steps 1, 2, and 3. You can start from step 4 to prepare subnets for the virtual network. --1. On the Azure portal menu, select **Create a resource**. From Azure Marketplace, select **Networking** > **Virtual network**. --1. In the **Create virtual network** dialog box, enter or select the following information: -- | Setting | Value | - |--|--| - | Subscription | Select your subscription. | - | Resource group | Select your resource group, or create a new one. | - | Name | Enter *azure-spring-apps-vnet*. | - | Location | Select **East US**. | --1. Select **Next: IP Addresses**. --1. For the IPv4 address space, enter *10.1.0.0/16*. --1. Select **Add subnet**. Then enter *service-runtime-subnet* for **Subnet name** and enter *10.1.0.0/24* for **Subnet address range**. Then select **Add**. --1. Select **Add subnet** again, and then enter the subnet name and subnet address range. For example, enter *apps-subnet* and *10.1.1.0/24*. Then select **Add**. --1. Select **Review + create**. Leave the rest as defaults, and select **Create**. --### [Azure CLI](#tab/azure-CLI) --If you already have a virtual network to host an Azure Spring Apps instance, skip steps 1, 2, 3 and 4. You can start from step 5 to prepare subnets for the virtual network. --1. Use the following command to define variables for your subscription, resource group, and Azure Spring Apps instance. Customize the values based on your real environment. -- ```azurecli - export SUBSCRIPTION='<subscription-id>' - export RESOURCE_GROUP='<resource-group-name>' - export LOCATION='eastus' - export AZURE_SPRING_APPS_INSTANCE_NAME='<Azure-Spring-Apps-Instance-name>' - export VIRTUAL_NETWORK_NAME='azure-spring-apps-vnet' - ``` --1. Use the following command to sign in to the Azure CLI and choose your active subscription. -- ```azurecli - az login - az account set --subscription ${SUBSCRIPTION} - ``` --1. Use the following command to create a resource group for your resources: -- ```azurecli - az group create --name $RESOURCE_GROUP --location $LOCATION - ``` --1. Use the following command to create the virtual network: -- ```azurecli - az network vnet create \ - --resource-group $RESOURCE_GROUP \ - --name $VIRTUAL_NETWORK_NAME \ - --location $LOCATION \ - --address-prefix 10.1.0.0/16 - ``` --1. Use the following command to create two subnets in this virtual network: -- ```azurecli - az network vnet subnet create \ - --resource-group $RESOURCE_GROUP \ - --vnet-name $VIRTUAL_NETWORK_NAME \ - --address-prefixes 10.1.0.0/24 \ - --name service-runtime-subnet - az network vnet subnet create \ - --resource-group $RESOURCE_GROUP \ - --vnet-name $VIRTUAL_NETWORK_NAME \ - --address-prefixes 10.1.1.0/24 \ - --name apps-subnet - ``` ----## Grant service permission to the virtual network --This section shows you to grant Azure Spring Apps the [Owner](../role-based-access-control/built-in-roles.md#owner) permission on your virtual network. This permission enables you to grant a dedicated and dynamic service principal on the virtual network for further deployment and maintenance. --> [!NOTE] -> The minimal required permissions are [User Access Administrator](../role-based-access-control/built-in-roles.md#user-access-administrator) and [Network Contributor](../role-based-access-control/built-in-roles.md#network-contributor). You can grant role assignments to both of them if you can't grant `Owner` permission. -> -> If you're using your own route table or a user defined route feature, you also need to grant Azure Spring Apps the same role assignments to your route tables. For more information, see the [Bring your own route table](#bring-your-own-route-table) section and [Control egress traffic for an Azure Spring Apps instance](how-to-create-user-defined-route-instance.md). --### [Azure portal](#tab/azure-portal) --Use the following steps to grant permission: --1. Select the virtual network `azure-spring-apps-vnet` you previously created. --1. Select **Access control (IAM)**, and then select **Add** > **Add role assignment**. -- :::image type="content" source="media/how-to-deploy-in-azure-virtual-network/access-control.png" alt-text="Screenshot of the Azure portal Access Control (IAM) page showing the Check access tab with the Add role assignment button highlighted." lightbox="media/how-to-deploy-in-azure-virtual-network/access-control.png"::: --1. Assign the `Owner` role to the Azure Spring Apps Resource Provider. For more information, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md). -- > [!NOTE] - > If you don't find Azure Spring Apps Resource Provider, search for *Azure Spring Cloud Resource Provider*. -- :::image type="content" source="./media/how-to-deploy-in-azure-virtual-network/assign-owner-resource-provider.png" alt-text="Screenshot of the Azure portal showing the Access Control (IAM) page, with the Add Role Assignment pane open and search results displaying the Azure Spring Apps Resource Provider." lightbox="./media/how-to-deploy-in-azure-virtual-network/assign-owner-resource-provider.png"::: --### [Azure CLI](#tab/azure-CLI) --Use the following commands to grant permission: --```azurecli -export VIRTUAL_NETWORK_RESOURCE_ID=$(az network vnet show \ - --resource-group $RESOURCE_GROUP \ - --name $VIRTUAL_NETWORK_NAME \ - --query "id" \ - --output tsv) --az role assignment create \ - --role "Owner" \ - --scope ${VIRTUAL_NETWORK_RESOURCE_ID} \ - --assignee e8de9221-a19c-4c81-b814-fd37c6caf9d2 -``` --The `--assignee` argument represents the service principal Azure Spring Apps uses to interact with the customer's virtual network. ----## Deploy an Azure Spring Apps instance --### [Azure portal](#tab/azure-portal) --Use the following steps to deploy an Azure Spring Apps instance in the virtual network: --1. Open the [Azure portal](https://portal.azure.com). --1. In the top search box, search for **Azure Spring Apps**. Select **Azure Spring Apps** from the result. --1. On the **Azure Spring Apps** page, select **Add**. --1. Fill out the form on the Azure Spring Apps **Create** page. --1. Select the same resource group and region as the virtual network. --1. For **Name** under **Service Details**, select **azure-spring-apps-vnet**. --1. Select the **Networking** tab, and select the following values: -- | Setting | Value | - |--|-| - | Deploy in your own virtual network | Select **Yes**. | - | Virtual network | Select **azure-spring-apps-vnet**. | - | Service runtime subnet | Select **service-runtime-subnet**. | - | Spring Boot microservice apps subnet | Select **apps-subnet**. | -- :::image type="content" source="./media/how-to-deploy-in-azure-virtual-network/creation-blade-networking-tab.png" alt-text="Screenshot of the Azure portal Azure Spring Apps Create page showing the Networking tab."::: --1. Select **Review and create**. --1. Verify your specifications, and select **Create**. -- :::image type="content" source="./media/how-to-deploy-in-azure-virtual-network/verify-specifications.png" alt-text="Screenshot of the Azure portal Azure Spring Apps Create page showing the Networking section of the Review and create tab."::: --### [Azure CLI](#tab/azure-CLI) --To deploy an Azure Spring Apps instance in the virtual network: --Use the following command to create your Azure Spring Apps instance, specifying the virtual network and subnets you created previously: --```azurecli -az spring create \ - --resource-group "$RESOURCE_GROUP" \ - --name "$AZURE_SPRING_APPS_INSTANCE_NAME" \ - --vnet $VIRTUAL_NETWORK_NAME \ - --service-runtime-subnet service-runtime-subnet \ - --app-subnet apps-subnet \ - --enable-java-agent \ - --sku standard \ - --location $LOCATION -``` ----After the deployment, two more resource groups are created in your subscription to host the network resources for the Azure Spring Apps instance. Go to **Home**, and then select **Resource groups** from the top menu items to find the following new resource groups. --The resource group named as `ap-svc-rt_{service instance name}_{service instance region}` contains network resources for the service runtime of the service instance. ---The resource group named as `ap-app_{service instance name}_{service instance region}` contains network resources for your Spring applications of the service instance. ---Those network resources are connected to your virtual network created in the preceding image. ---> [!IMPORTANT] -> The resource groups are fully managed by the Azure Spring Apps service. Do *not* manually delete or modify any resource inside. --## Using smaller subnet ranges --This table shows the maximum number of app instances Azure Spring Apps supports using smaller subnet ranges. --| App subnet CIDR | Total IPs | Available IPs | Maximum app instances | -|--|--||--| -| /28 | 16 | 8 | <p>App with 0.5 core: 192 <br/> App with one core: 96 <br/> App with two cores: 48<br/> App with three cores: 32<br/> App with four cores: 24</p> | -| /27 | 32 | 24 | <p>App with 0.5 core: 456 <br/> App with one core: 228<br/> App with two cores: 144<br/> App with three cores: 96<br/> App with four cores: 72</p> | -| /26 | 64 | 56 | <p>App with 0.5 core: 500 <br/> App with one core: 500<br/> App with two cores: 336<br/> App with three cores: 224<br/> App with four cores: 168</p> | -| /25 | 128 | 120 | <p>App with 0.5 core: 500 <br/> App with one core: 500<br/> App with two cores: 500<br/> App with three cores: 480<br> App with four cores: 360</p> | -| /24 | 256 | 248 | <p>App with 0.5 core: 500 <br/> App with one core: 500<br/> App with two cores: 500<br/> App with three cores: 500<br/> App with four cores: 500</p> | --For subnets, Azure reserves five IP addresses, and Azure Spring Apps requires at least three IP addresses. At least eight IP addresses are required, so /29 and /30 are nonoperational. --For a service runtime subnet, the minimum size is /28. --> [!NOTE] -> A small subnet range impacts the underlying resource you can use for system components like ingress controller. Azure Spring Apps uses an underlying ingress controller to handle application traffic management. The number of ingress controller instances automatically increases as application traffic increases. Reserve a larger virtual network subnet IP range if application traffic could increase in the future. You typically reserve one IP addresses for traffic of 10000 requests per second. --## Bring your own route table --Azure Spring Apps supports using existing subnets and route tables. --If your custom subnets don't contain route tables, Azure Spring Apps creates them for each of the subnets and adds rules to them throughout the instance lifecycle. If your custom subnets contain route tables, Azure Spring Apps acknowledges the existing route tables during instance operations and adds/updates and/or rules accordingly for operations. --> [!WARNING] -> Custom rules can be added to the custom route tables and updated. However, rules are added by Azure Spring Apps and these must not be updated or removed. Rules such as 0.0.0.0/0 must always exist on a given route table and map to the target of your internet gateway, such as an NVA or other egress gateway. Use caution when updating rules when only your custom rules are being modified. --### Route table requirements --The route tables to which your custom vnet is associated must meet the following requirements: --* You can associate your Azure route tables with your vnet only when you create a new Azure Spring Apps service instance. You can't change to use another route table after Azure Spring Apps has been created. -* Both the Spring application subnet and the service runtime subnet must associate with different route tables or neither of them. -* Permissions must be assigned before instance creation. Be sure to grant Azure Spring Apps Resource Provider the `Owner` permission (or `User Access Administrator` and `Network Contributor` permissions) on your route tables. -* You can't update the associated route table resource after cluster creation. While you can't update the route table resource, you can modify custom rules on the route table. -* You can't reuse a route table with multiple instances due to potential conflicting routing rules. --## Using Custom DNS Servers --Azure Spring Apps supports using custom DNS servers in your virtual network. --If you don't specify custom DNS servers in your DNS Server Virtual Network setting, Azure Spring Apps will, by default, use the Azure DNS to resolve IP addresses. If your virtual network is configured with custom DNS settings, add Azure DNS IP `168.63.129.16` as the upstream DNS server in the custom DNS server. Azure DNS can resolve IP addresses for all the public FQDNs mentioned in [Customer responsibilities running Azure Spring Apps in a virtual network](vnet-customer-responsibilities.md). It can also resolve IP address for `*.svc.private.azuremicroservices.io` in your virtual network. --If your custom DNS server can't add Azure DNS IP `168.63.129.16` as the upstream DNS server, use the following steps: --* Ensure that your custom DNS server can resolve IP addresses for all the public FQDNs. For more information, see [Customer responsibilities running Azure Spring Apps in a virtual network](vnet-customer-responsibilities.md). -* Add the DNS record `*.svc.private.azuremicroservices.io` to the IP of your application. For more information, see the [Find the IP for your application](access-app-virtual-network.md#find-the-ip-for-your-application) section of [Access an app in Azure Spring Apps in a virtual network](access-app-virtual-network.md). --## Next steps --* [Troubleshooting Azure Spring Apps in VNET](troubleshooting-vnet.md) -* [Customer Responsibilities for Running Azure Spring Apps in VNET](vnet-customer-responsibilities.md) |
spring-apps | How To Deploy Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-deploy-powershell.md | - Title: Create and deploy applications in Azure Spring Apps by using PowerShell -description: How to create and deploy applications in Azure Spring Apps by using PowerShell ---- Previously updated : 2/15/2022----# Create and deploy applications by using PowerShell --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise --This article describes how you can create an instance of Azure Spring Apps by using the [Az.SpringCloud](/powershell/module/Az.SpringCloud) PowerShell module. --## Requirements --The requirements for completing the steps in this article depend on your Azure subscription: --* If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/) before you begin. --- > [!IMPORTANT] - > While the **Az.SpringCloud** PowerShell module is in preview, you must install it by using - > the `Install-Module` cmdlet. See the following command. After this PowerShell module becomes generally available, it will be part of future Az PowerShell releases and available by default from within Azure Cloud Shell. -- ```azurepowershell-interactive - Install-Module -Name Az.SpringCloud - ``` --* If you have multiple Azure subscriptions, choose the appropriate subscription in which the - resources should be billed. Select a specific subscription by using the [Set-AzContext](/powershell/module/az.accounts/set-azcontext) cmdlet: -- ```azurepowershell-interactive - Set-AzContext -SubscriptionId 00000000-0000-0000-0000-000000000000 - ``` --## Create a resource group --A resource group is a logical container in which Azure resources are deployed and managed as -a group. Create an [Azure resource group](../azure-resource-manager/management/overview.md) -by using the [New-AzResourceGroup](/powershell/module/az.resources/new-azresourcegroup) -cmdlet. The following example creates a resource group with a specified name and location. --```azurepowershell-interactive -New-AzResourceGroup -Name <resource group name> -Location eastus -``` --## Provision a new instance --To create a new instance of Azure Spring Apps, you use the -[New-AzSpringCloud](/powershell/module/az.springcloud/new-azspringcloud) cmdlet. The following -example creates an Azure Spring Apps service, with the name that you specified in the resource group you created previously. --```azurepowershell-interactive -New-AzSpringCloud -ResourceGroupName <resource group name> -name <service instance name> -Location eastus -``` --## Create a new application --To create a new app, you use the -[New-AzSpringCloudApp](/powershell/module/az.springcloud/new-azspringcloudapp) cmdlet. The following example creates an app in Azure Spring Apps named `gateway`. --```azurepowershell-interactive -New-AzSpringCloudApp -ResourceGroupName <resource group name> -ServiceName <service instance name> -AppName gateway -``` --## Create a new app deployment --To create a new app Deployment, you use the -[New-AzSpringCloudAppDeployment](/powershell/module/az.springcloud/new-azspringcloudappdeployment) -cmdlet. The following example creates an app deployment in Azure Spring Apps named `default` with an empty welcome application, for the `gateway` app. --```azurepowershell-interactive -$welcomeApplication = New-AzSpringCloudAppDeploymentJarUploadedObject -RuntimeVersion "Java_11" -New-AzSpringCloudAppDeployment -ResourceGroupName <resource group name> -ServiceName <service instance name> -AppName gateway -Name default -Source $welcomeApplication -``` --## Get a service and its properties --To get an Azure Spring Apps service and its properties, you use the -[Get-AzSpringCloud](/powershell/module/az.springcloud/get-azspringcloud) cmdlet. The following -example retrieves information about the specified Azure Spring Apps service. --```azurepowershell-interactive -Get-AzSpringCloud -ResourceGroupName <resource group name> -ServiceName <service instance name> -``` --## Get an application --To get an app and its properties in Azure Spring Apps, you use the -[Get-AzSpringCloudApp](/powershell/module/az.springcloud/get-azspringcloudapp) cmdlet. The following example retrieves information about the app `gateway`. --```azurepowershell-interactive -Get-AzSpringCloudApp -ResourceGroupName <resource group name> -ServiceName <service instance name> -AppName gateway -``` --## Get an app deployment --To get an app deployment and its properties in Azure Spring Apps, you use the -[Get-AzSpringCloudAppDeployment](/powershell/module/az.springcloud/get-azspringcloudappdeployment) cmdlet. The following example retrieves information about the `default` Azure Spring Apps deployment. --```azurepowershell-interactive -Get-AzSpringCloudAppDeployment -ResourceGroupName <resource group name> -ServiceName <service instance name> -AppName gateway -DeploymentName default -``` --## Clean up resources --If the resources created in this article aren't needed, you can delete them by running the examples shown in the following sections. --### Delete an app deployment --To remove an app deployment in Azure Spring Apps, you use the -[Remove-AzSpringCloudAppDeployment](/powershell/module/az.springcloud/remove-azspringcloudappdeployment) cmdlet. The following example deletes an app deployed in Azure Spring Apps named `default`, for the specified service and app. --```azurepowershell-interactive -Remove-AzSpringCloudAppDeployment -ResourceGroupName <resource group name> -ServiceName <service instance name> -AppName gateway -DeploymentName default -``` --### Delete an app --To remove an app in Azure Spring Apps, you use the -[Remove-AzSpringCloudApp](/powershell/module/Az.SpringCloud/remove-azspringcloudapp) cmdlet. The following example deletes the `gateway` app in the specified service and resource group. --```azurepowershell -Remove-AzSpringCloudApp -ResourceGroupName <resource group name> -ServiceName <service instance name> -AppName gateway -``` --### Delete a service --To remove an Azure Spring Apps service, you use the -[Remove-AzSpringCloud](/powershell/module/Az.SpringCloud/remove-azspringcloud) cmdlet. The following example deletes the specified Azure Spring Apps service. --```azurepowershell -Remove-AzSpringCloud -ResourceGroupName <resource group name> -ServiceName <service instance name> -``` --### Delete the resource group --> [!CAUTION] -> The following example deletes the specified resource group and all resources contained within it. If resources outside the scope of this article exist in the specified resource group, they will also be deleted. --```azurepowershell-interactive -Remove-AzResourceGroup -Name <resource group name> -``` --## Next steps --[Azure Spring Apps developer resources](./resources.md) |
spring-apps | How To Deploy With Custom Container Image | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-deploy-with-custom-container-image.md | - Title: How to deploy applications in Azure Spring Apps with a custom container image -description: How to deploy applications in Azure Spring Apps with a custom container image ----- Previously updated : 4/28/2022---# Deploy an application with a custom container image --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Standard ✔️ Enterprise --This article explains how to deploy Spring Boot applications in Azure Spring Apps using a custom container image. Deploying an application with a custom container supports most features as when deploying a JAR application. Other Java and non-Java applications can also be deployed with the container image. --## Prerequisites --* A container image containing the application. -* The image is pushed to an image registry. For more information, see [Azure Container Registry](../container-instances/container-instances-tutorial-prepare-acr.md). --> [!NOTE] -> The web application must listen on port `1025` for the Standard plan and on port `8080` for the Enterprise plan. The way to change the port depends on the framework of the application. For example, specify `SERVER_PORT=1025` for Spring Boot applications or `ASPNETCORE_URLS=http://+:1025/` for ASP.NET Core applications. You can disable the probe for applications that don't listen on any port. For more information, see [How to configure health probes and graceful termination periods for apps hosted in Azure Spring Apps](how-to-configure-health-probes-graceful-termination.md). --## Deploy your application --To deploy an application to a custom container image, use the following steps: --### [Azure CLI](#tab/azure-cli) --To deploy a container image, use one of the following commands: --* To deploy a container image to the public Docker Hub to an app, use the following command: -- ```azurecli - az spring app deploy \ - --resource-group <your-resource-group> \ - --name <your-app-name> \ - --container-image <your-container-image> \ - --service <your-service-name> - ``` --* To deploy a container image from ACR to an app, or from another private registry to an app, use the following command: -- ```azurecli - az spring app deploy \ - --resource-group <your-resource-group> \ - --name <your-app-name> \ - --container-image <your-container-image> \ - --service <your-service-name> - --container-registry <your-container-registry> \ - --registry-password <your-password> | - --registry-username <your-username> - ``` --To overwrite the entry point of the image, add the following two arguments to any of the above commands: --```azurecli - --container-command "java" \ - --container-args "-jar /app.jar -Dkey=value" -``` --To disable listening on a port for images that aren't web applications, add the following argument to the above commands: --```azurecli - --disable-probe true -``` --### [Portal](#tab/azure-portal) --1. Open the [Azure portal](https://portal.azure.com). -1. Open your existing Azure Spring Apps service instance. -1. Select **Apps** from left the menu, then select **Create App**. -1. Name your app, and in the **Runtime platform** pulldown list, select **Custom Container**. -- :::image type="content" source="media/how-to-deploy-with-custom-container-image/create-app-custom-container.png" alt-text="Screenshot of Azure portal Create App page with Runtime platform dropdown showing and Custom Container selected." lightbox="media/how-to-deploy-with-custom-container-image/create-app-custom-container.png"::: --1. Select **Edit** under *Image*, then fill in the fields as shown in the following image: -- :::image type="content" source="media/how-to-deploy-with-custom-container-image/custom-image-settings.png" alt-text="Screenshot of Azure portal showing the Custom Image Settings pane." lightbox="media/how-to-deploy-with-custom-container-image/custom-image-settings.png"::: -- > [!NOTE] - > The **Commands** and **Arguments** field are optional, which are used to overwrite the `cmd` and `entrypoint` of the image. - > - > You need to also specify the **Language Framework**, which is the web framework of the container image used. Currently, only **Spring Boot** is supported. For other Java applications or non-Java (polyglot) applications, select **Polyglot**. --1. Select **Save**, then select **Create** to deploy your application. ----## Feature Support matrix --The following matrix shows what features are supported in each application type. --| Feature | Spring Boot Apps - container deployment | Polyglot Apps - container deployment | Notes | -|--|--|--|--| -| App lifecycle management | ✔️ | ✔️ | | -| Support for container registries | ✔️ | ✔️ | | -| Assign endpoint | ✔️ | ✔️ | | -| Azure Monitor | ✔️ | ✔️ | | -| APM integration | ✔️ | ✔️ | Supported by [manual installation](#install-an-apm-into-the-image-manually). | -| Blue/green deployment | ✔️ | ✔️ | | -| Custom domain | ✔️ | ✔️ | | -| Scaling - auto scaling | ✔️ | ✔️ | | -| Scaling - manual scaling (in/out, up/down) | ✔️ | ✔️ | | -| Managed identity | ✔️ | ✔️ | | -| Spring Cloud Eureka & Config Server | ✔️ | ❌ | | -| API portal for VMware Tanzu | ✔️ | ✔️ | Enterprise plan only. | -| Spring Cloud Gateway for VMware Tanzu | ✔️ | ✔️ | Enterprise plan only. | -| Application Configuration Service for VMware Tanzu | ✔️ | ❌ | Enterprise plan only. -| Application Live View for VMware Tanzu | ✔️ | ❌ | Enterprise plan only. | -| VMware Tanzu Service Registry | ✔️ | ❌ | Enterprise plan only. | -| VNET | ✔️ | ✔️ | Add registry to [allowlist in NSG or Azure Firewall](#avoid-not-being-able-to-connect-to-the-container-registry-in-a-vnet). | -| Outgoing IP Address | ✔️ | ✔️ | | -| E2E TLS | ✔️ | ✔️ | [Trust a self-signed CA](#trust-a-certificate-authority). | -| Liveness and readiness settings | ✔️ | ✔️ | | -| Advanced troubleshooting - thread/heap/JFR dump | ✔️ | ❌ | The image must include Bash and the JDK with `PATH` specified. | -| Bring your own storage | ✔️ | ✔️ | | -| Integrate service binding with Resource Connector | ✔️ | ❌ | | -| Availability Zone | ✔️ | ✔️ | | -| App Lifecycle events | ✔️ | ✔️ | | -| Reduced app size - 0.5 vCPU and 512 MB | ✔️ | ✔️ | | -| Automate app deployments with Terraform | ✔️ | ✔️ | | -| Soft Deletion | ✔️ | ✔️ | | -| Interactive diagnostic experience (AppLens-based) | ✔️ | ✔️ | | -| SLA | ✔️ | ✔️ | | --> [!NOTE] -> Polyglot apps include non-Spring Boot Java, NodeJS, AngularJS, Python, and .NET apps. --## Common points to be aware of when deploying with a custom container --The following points will help you address common situations when deploying with a custom image. --### Trust a Certificate Authority --There are two options to trust a Certificate Authority: --**Option 1: Upload via Azure Spring Apps** --To load the CA certs into your apps, see [Use TLS/SSL certificates in your application in Azure Spring Apps](how-to-use-tls-certificate.md). Then the certs will be mounted into the location */etc/azure-spring-cloud/certs/public/*. --**Option 2: Manual installation in the image** --To trust a CA in the image, set the following variables depending on your environment: --* You must import Java applications into the trust store by adding the following lines into your *Dockerfile*: -- ```dockerfile - ADD EnterpriseRootCA.crt /opt/ - RUN keytool -keystore /etc/ssl/certs/java/cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias EnterpriseRootCA -file /opt/EnterpriseRootCA.crt - ``` --* For Node.js applications, set the `NODE_EXTRA_CA_CERTS` environment variable: -- ```dockerfile - ADD EnterpriseRootCA.crt /opt/ - ENV NODE_EXTRA_CA_CERTS="/opt/EnterpriseRootCA.crt" - ``` --* For Python, or other languages relying on the system CA store, on Debian or Ubuntu images, add the following environment variables: -- ```dockerfile - ADD EnterpriseRootCA.crt /usr/local/share/ca-certificates/ - RUN /usr/sbin/update-ca-certificates - ``` --* For Python, or other languages relying on the system CA store, on CentOS or Fedora based images, add the following environment variables: -- ```dockerfile - ADD EnterpriseRootCA.crt /etc/pki/ca-trust/source/anchors/ - RUN /usr/bin/update-ca-trust - ``` --### Avoid unexpected behavior when images change --When your application is restarted or scaled out, the latest image will always be pulled. If the image has been changed, the newly started application instances will use the new image while the old instances will continue to use the old image. --> [!NOTE] -> Avoid using the `latest` tag or overwrite the image without a tag change to avoid unexpected application behavior. --### Avoid not being able to connect to the container registry in a VNet --If you deployed the instance to a VNet, make sure you allow the network traffic to your container registry in the NSG or Azure Firewall (if used). For more information, see [Customer responsibilities for running in VNet](./vnet-customer-responsibilities.md) to add the needed security rules. --### Install an APM into the image manually --The installation steps vary on different application performance monitors (APMs) and languages. The following steps are for New Relic with Java applications. You must modify the *Dockerfile* using the following steps: --1. Download and install the agent file into the image by adding the following to the *Dockerfile*: -- ```dockerfile - ADD newrelic-agent.jar /opt/agents/newrelic/java/newrelic-agent.jar - ``` --1. Add the environment variables required by the APM: -- ```dockerfile - ENV NEW_RELIC_APP_NAME=appName - ENV NEW_RELIC_LICENSE_KEY=newRelicLicenseKey - ``` --1. Modify the image entry point by adding: `java -javaagent:/opt/agents/newrelic/java/newrelic-agent.jar` --To install the agents for other languages, refer to the official documentation for the other agents: --New Relic: --* Python: [Standard Python agent install](https://docs.newrelic.com/docs/apm/agents/python-agent/installation/standard-python-agent-install/) -* Node.js: [Install the Node.js agent](https://docs.newrelic.com/docs/apm/agents/nodejs-agent/installation-configuration/install-nodejs-agent/) --Dynatrace: --* Python: [Instrument Python applications with OpenTelemetry](https://www.dynatrace.com/support/help/extend-dynatrace/opentelemetry/opentelemetry-traces/opentelemetry-ingest/opent-python) -* Node.js: [Instrument Node.js applications with OpenTelemetry](https://www.dynatrace.com/support/help/extend-dynatrace/opentelemetry/opentelemetry-traces/opentelemetry-ingest/opent-nodejs) --AppDynamics: --* Python: [Install the Python Agent](https://docs.appdynamics.com/appd/21.x/21.12/en/application-monitoring/install-app-server-agents/python-agent/install-the-python-agent) -* Node.js: [Installing the Node.js Agent](https://docs.appdynamics.com/appd/21.x/21.12/en/application-monitoring/install-app-server-agents/node-js-agent/install-the-node-js-agent#InstalltheNode.jsAgent-install_nodejsInstallingtheNode.jsAgent) --### View the container logs --To view the console logs of your container application, the following CLI command can be used: --```azurecli -az spring app logs \ - --resource-group <your-resource-group> \ - --name <your-app-name> \ - --service <your-service-name> \ - --instance <your-instance-name> -``` --To view the container events logs from the Azure Monitor, enter the query: --```query -AppPlatformContainerEventLogs -| where App == "hw-20220317-1b" -``` ---### Scan your image for vulnerabilities --We recommend that you use Microsoft Defender for Cloud with ACR to prevent your images from being vulnerable. For more information, see [Microsoft Defender for Cloud](../defender-for-cloud/defender-for-containers-introduction.md?tabs=defender-for-container-arch-aks) --### Switch between JAR deployment and container deployment --You can switch the deployment type from JAR deployment to container deployment directly by redeploying using the following command: --```azurecli -az spring app deploy \ - --resource-group <your-resource-group> \ - --name <your-app-name> \ - --container-image <your-container-image> \ - --service <your-service-name> -``` --Or reversely: --```azurecli -az spring app deploy \ - --resource-group <your-resource-group> \ - --name <your-app-name> \ - --artifact-path <your-jar-file> \ - --service <your-service-name> -``` --### Create another deployment with an existing JAR deployment --You can create another deployment using an existing JAR deployment using the following command: --```azurecli -az spring app deployment create \ - --resource-group <your-resource-group> \ - --name <your-deployment-name> \ - --app <your-app-name> \ - --container-image <your-container-image> \ - --service <your-service-name> -``` --### CI/CD --Automating deployments using Azure Pipelines Tasks or GitHub Actions are supported now. For more information, see [Automate application deployments to Azure Spring Apps](how-to-cicd.md) and [Use Azure Spring Apps CI/CD with GitHub Actions](./how-to-github-actions.md) --## Next steps --* [How to capture dumps](./how-to-capture-dumps.md) |
spring-apps | How To Dynatrace One Agent Monitor | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-dynatrace-one-agent-monitor.md | - Title: How to monitor Spring Boot apps with Dynatrace Java OneAgent -description: How to use Dynatrace Java OneAgent to monitor Spring Boot applications in Azure Spring Apps ---- Previously updated : 06/07/2022----# How to monitor Spring Boot apps with Dynatrace Java OneAgent --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Standard consumption and dedicated (Preview) ✔️ Basic/Standard ❌️ Enterprise --This article shows you how to use Dynatrace OneAgent to monitor Spring Boot applications in Azure Spring Apps. --With the Dynatrace OneAgent, you can: --* Monitor apps with the Dynatrace OneAgent. -* Configure the Dynatrace OneAgent by using environment variables. -* Check all monitoring data from Dynatrace dashboard. --The following video introduces Dynatrace OneAgent. --<br> --> [!VIDEO https://www.youtube.com/embed/PF0_SxuiZ2w] --## Prerequisites --* [Azure CLI](/cli/azure/install-azure-cli) -* [A Dynatrace account](https://www.dynatrace.com/) -* [A Dynatrace PaaS token and tenant token](https://www.dynatrace.com/support/help/reference/dynatrace-concepts/access-tokens/) --## Activate Dynatrace OneAgent --The following sections describe how to activate Dynatrace OneAgent. --### Prepare your Azure Spring Apps environment --1. Create an instance of Azure Spring Apps. -1. Create an application that you want to report to Dynatrace by running the following command. Replace the placeholders *\<...>* with your own values. - ```azurecli - az spring app create \ - --resource-group <your-resource-group-name> \ - --service <your-Azure-Spring-Apps-name> \ - --name <your-application-name> \ - --is-public true - ``` --### Determine the values for the required environment variables --To activate Dynatrace OneAgent on your Azure Spring Apps instance, you need to configure four environment variables: `DT_TENANT`, `DT_TENANTTOKEN`, `DT_CONNECTION_POINT`, and `DT_CLUSTER_ID`. For more information, see [Integrate OneAgent with Azure Spring Apps](https://www.dynatrace.com/support/help/shortlink/azure-spring). --For applications with multiple instances, Dynatrace has several ways to group them. `DT_CLUSTER_ID` is one of the ways. For more information, see [Process group detection](https://www.dynatrace.com/support/help/how-to-use-dynatrace/process-groups/configuration/pg-detection). --### Add the environment variables to your application --You can add the environment variable key/value pairs to your application using either the Azure portal or the Azure CLI. --#### Option 1: Azure CLI --To add the key/value pairs using the Azure CLI, run the following command, replacing the placeholders *\<...>* with the values determined in the previous steps. --```azurecli -az spring app deploy \ - --resource-group <your-resource-group-name> \ - --service <your-Azure-Spring-Apps-name> \ - --name <your-application-name> \ - --artifact-path app.jar \ - --env \ - DT_TENANT=<your-environment-ID> \ - DT_TENANTTOKEN=<your-tenant-token> \ - DT_CONNECTION_POINT=<your-communication-endpoint> -``` --#### Option 2: Azure portal --To add the key/value pairs using the Azure portal, use the following steps: --1. In your Azure Spring Apps instance, select **Apps** in the navigation pane. -- :::image type="content" source="media/how-to-dynatrace-one-agent-monitor/existing-applications.png" alt-text="Screenshot of the Azure portal showing the Apps page for an Azure Spring Apps instance." lightbox="media/how-to-dynatrace-one-agent-monitor/existing-applications.png"::: --1. Select the application from the list, and then select **Configuration** in the navigation pane. --1. Use the **Environment variables** tab to add or update the variables used by your application. -- :::image type="content" source="media/how-to-dynatrace-one-agent-monitor/configuration-application.png" alt-text="Screenshot of the Azure portal showing the Configuration page for an app with the Environment variables tab selected." lightbox="media/how-to-dynatrace-one-agent-monitor/configuration-application.png"::: --## Automate provisioning --Using Terraform, Bicep, or Azure Resource Manager template (ARM template), you can also run a provisioning automation pipeline. This pipeline can provide a complete hands-off experience to instrument and monitor any new applications that you create and deploy. --### Automate provisioning using Terraform --To configure the environment variables in a Terraform template, add the following code to the template, replacing the *\<...>* placeholders with your own values. For more information, see [Manages an Active Azure Spring Apps Deployment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/spring_cloud_active_deployment). --```terraform -environment_variables = { - "DT_TENANT": "<your-environment-ID>", - "DT_TENANTTOKEN": "<your-tenant-token>", - "DT_CONNECTION_POINT": "<your-communication-endpoint>", - "DT_CLUSTER_ID": "<your-cluster-ID>" -} -``` --### Automate provisioning using a Bicep file --To configure the environment variables in a Bicep file, add the following code to the file, replacing the *\<...>* placeholders with your own values. For more information, see [Microsoft.AppPlatform Spring/apps/deployments](/azure/templates/microsoft.appplatform/spring/apps/deployments?tabs=bicep). --```bicep -environmentVariables: { - DT_TENANT: '<your-environment-ID>' - DT_TENANTTOKEN: '<your-tenant-token>' - DT_CONNECTION_POINT: '<your-communication-endpoint>' - DT_CLUSTER_ID: '<your-cluster-ID>' -} -``` --### Automate provisioning using an ARM template --To configure the environment variables in an ARM template, add the following code to the template, replacing the *\<...>* placeholders with your own values. For more information, see [Microsoft.AppPlatform Spring/apps/deployments](/azure/templates/microsoft.appplatform/spring/apps/deployments?tabs=json). --```json -"environmentVariables": { - "DT_TENANT": "<your-environment-ID>", - "DT_TENANTTOKEN": "<your-tenant-token>", - "DT_CONNECTION_POINT": "<your-communication-endpoint>", - "DT_CLUSTER_ID": "<your-cluster-ID>" -} -``` --## View reports in Dynatrace --This section describes how to find various reports in Dynatrace. --> [!NOTE] -> The Dynatrace menu and user interface will evolve gradually. For this reason, the dashboard may be moved to other sections in the Dynatrace website, and the following screenshots may not reflect the current version of the user interface. --After you add the environment variables to your application, Dynatrace starts collecting data. To view reports, use the [Dynatrace menu](https://www.dynatrace.com/support/help/get-started/navigation/), go to **Services**, and then select your application. --You can find the **Service flow** from **\<your-app-name>/Details/Service flow**: ---You can find the **Method hotspots** from **\<your-app-name>/Details/Method hotspots**: ---You can find the **Database statements** from **\<your-app-name>/Details/Response time analysis**: ---Next, go to the **Multidimensional analysis** section. --You can find the **Top database statements** from **Multidimensional analysis/Top database statements**: ---You can find the **Exceptions overview** from **Multidimensional analysis/Exceptions overview**: ---Next, go to the **Profiling and optimization** section. --You can find the **CPU analysis** from **Profiling and optimization/CPU analysis**: ---Next, go to the **Databases** section. --You can find **Backtrace** from **Databases/Details/Backtrace**: ---## View Dynatrace OneAgent logs --By default, Azure Spring Apps prints the *info* level logs of the Dynatrace OneAgent to `STDOUT`. The logs are mixed with the application logs. You can find the explicit agent version from the application logs. --You can also get the logs of the Dynatrace agent from the following locations: --* Azure Spring Apps logs -* Azure Spring Apps Application Insights -* Azure Spring Apps LogStream --You can apply some environment variables provided by Dynatrace to configure logging for the Dynatrace OneAgent. For example, `DT_LOGLEVELCON` controls the level of logs. The default value for `DT_LOGLEVELCON` is `info`. You can disable the logs of the agent by setting `DT_LOGLEVELCON` to `off`. If logging is disabled, Dynatrace support requests that you first enable logging to diagnose any agent issues effectively. You must then restart the app, which is necessary for the change to take effect. For other log levels, consult the Dynatrace support team. --> [!CAUTION] -> We strongly recommend that you don't override the default logging behavior provided by Azure Spring Apps for Dynatrace. If you do, the logging scenarios previously described are blocked, and the log file(s) may be lost. For example, you shouldn't output the `DT_LOGLEVELFILE` environment variable to your applications. --## Dynatrace OneAgent upgrade --The Dynatrace OneAgent auto-upgrade is disabled and is upgraded quarterly with the JDK. Agent upgrade may affect the following scenarios: --* Existing applications using Dynatrace OneAgent before upgrade are unchanged, but require restart or redeploy to engage the new version of Dynatrace OneAgent. -* Applications created after upgrade use the new version of Dynatrace OneAgent. --## Virtual network injection instance outbound traffic configuration --For a virtual network injection instance of Azure Spring Apps, you need to make sure the outbound traffic for Dynatrace communication endpoints is configured correctly for Dynatrace OneAgent. For information about how to get `communicationEndpoints`, see [Deployment API - GET connectivity information for OneAgent](https://www.dynatrace.com/support/help/dynatrace-api/environment-api/deployment/oneagent/get-connectivity-info/). For more information, see [Customer responsibilities for running Azure Spring Apps in a virtual network](vnet-customer-responsibilities.md). --## Dynatrace support model --For information about limitations when deploying Dynatrace OneAgent in application-only mode, see the [Cloud application platforms](https://www.dynatrace.com/support/help/technology-support/oneagent-platform-and-capability-support-matrix/#cloud-application-platforms) section of [OneAgent platform and capability support matrix](https://www.dynatrace.com/support/help/technology-support/oneagent-platform-and-capability-support-matrix). --## Next steps --[Use Application Insights Java In-Process Agent in Azure Spring Apps](how-to-application-insights.md) |
spring-apps | How To Elastic Apm Java Agent Monitor | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-elastic-apm-java-agent-monitor.md | - Title: How to monitor Spring Boot apps with Elastic APM Java Agent -description: How to use Elastic APM Java Agent to monitor Spring Boot applications running in Azure Spring Apps ---- Previously updated : 06/07/2022----# How to monitor Spring Boot apps with Elastic APM Java Agent --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Basic/Standard ❌ Enterprise --This article explains how to use Elastic APM Agent to monitor Spring Boot applications running in Azure Spring Apps. --With the Elastic Observability Solution, you can achieve unified observability to: --* Monitor apps using the Elastic APM Java Agent and using persistent storage with Azure Spring Apps. -* Use diagnostic settings to ship Azure Spring Apps logs to Elastic. For more information, see [Analyze logs with Elastic (ELK) using diagnostics settings](how-to-elastic-diagnostic-settings.md). --The following video introduces unified observability for Spring Boot applications using Elastic. --<br> --> [!VIDEO https://www.youtube.com/embed/KjmQX1SxZdA] --## Prerequisites --* [Azure CLI](/cli/azure/install-azure-cli) -* [Deploy Elastic on Azure](https://www.elastic.co/blog/getting-started-with-the-azure-integration-enhancement) -* [Manage your APM & Fleet Server](https://www.elastic.co/guide/en/cloud-enterprise/current/ece-manage-apm-and-fleet.html) --## Deploy the Spring Petclinic application --This article uses the Spring Petclinic sample to walk through the required steps. Use the following steps to deploy the sample application: --1. Follow the steps in [Deploy Spring Boot apps using Azure Spring Apps and MySQL](https://github.com/Azure-Samples/spring-petclinic-microservices#readme) until you reach the [Deploy Spring Boot applications and set environment variables](https://github.com/Azure-Samples/spring-petclinic-microservices#deploy-spring-boot-applications-and-set-environment-variables) section. --1. Use the Azure Spring Apps extension for Azure CLI with the following command to create an application to run in Azure Spring Apps: -- ```azurecli - az spring app create \ - --resource-group <your-resource-group-name> \ - --service <your-Azure-Spring-Apps-instance-name> \ - --name <your-app-name> \ - --is-public true - ``` --## Enable custom persistent storage for Azure Spring Apps --Use the following steps to enable custom persistent storage: --1. Follow the steps in [How to enable your own persistent storage in Azure Spring Apps](how-to-custom-persistent-storage.md). --1. Use the following Azure CLI command to add persistent storage for your Azure Spring Apps apps. -- ```azurecli - az spring app append-persistent-storage \ - --resource-group <your-resource-group-name> \ - --service <your-Azure-Spring-Apps-instance-name> \ - --name <your-app-name> \ - --persistent-storage-type AzureFileVolume \ - --share-name <your-Azure-file-share-name> \ - --mount-path <unique-mount-path> \ - --storage-name <your-mounted-storage-name> - ``` --## Activate Elastic APM Java Agent --Before proceeding, you need your Elastic APM server connectivity information handy, which assumes you've deployed Elastic on Azure. For more information, see [How to deploy and manage Elastic on Microsoft Azure](https://www.elastic.co/blog/getting-started-with-the-azure-integration-enhancement). To get this information, use the following steps: --1. In the Azure portal, go to the **Overview** page of your Elastic deployment, then select **Manage Elastic Cloud Deployment**. -- :::image type="content" source="media/how-to-elastic-apm-java-agent-monitor/elastic-apm-get-link-from-microsoft-azure.png" alt-text="Screenshot of Azure portal 'Elasticsearch (Elastic Cloud)' page." lightbox="media/how-to-elastic-apm-java-agent-monitor/elastic-apm-get-link-from-microsoft-azure.png"::: --1. Under your deployment on Elastic Cloud Console, select the **APM & Fleet** section to get Elastic APM Server endpoint and secret token. -- :::image type="content" source="media/how-to-elastic-apm-java-agent-monitor/elastic-apm-endpoint-secret.png" alt-text="Elastic screenshot 'A P M & Fleet' page." lightbox="media/how-to-elastic-apm-java-agent-monitor/elastic-apm-endpoint-secret.png"::: --1. Download Elastic APM Java Agent from [Maven Central](https://search.maven.org/search?q=g:co.elastic.apm%20AND%20a:elastic-apm-agent). -- :::image type="content" source="media/how-to-elastic-apm-java-agent-monitor/maven-central-repository-search.png" alt-text="Maven Central screenshot with jar download highlighted." lightbox="media/how-to-elastic-apm-java-agent-monitor/maven-central-repository-search.png"::: --1. Upload Elastic APM Agent to the custom persistent storage you enabled earlier. Go to Azure Fileshare and select **Upload** to add the agent JAR file. -- :::image type="content" source="media/how-to-elastic-apm-java-agent-monitor/upload-files-microsoft-azure.png" alt-text="Screenshot of Azure portal showing 'Upload files' pane of 'File share' page." lightbox="media/how-to-elastic-apm-java-agent-monitor/upload-files-microsoft-azure.png"::: --1. After you have the Elastic APM endpoint and secret token, use the following command to activate Elastic APM Java agent when deploying applications. The placeholder *`<agent-location>`* refers to the mounted storage location of the Elastic APM Java Agent. -- ```azurecli - az spring app deploy \ - --name <your-app-name> \ - --artifact-path <unique-path-to-your-app-jar-on-custom-storage> \ - --jvm-options='-javaagent:<elastic-agent-location>' \ - --env ELASTIC_APM_SERVICE_NAME=<your-app-name> \ - ELASTIC_APM_APPLICATION_PACKAGES='<your-app-package-name>' \ - ELASTIC_APM_SERVER_URL='<your-Elastic-APM-server-URL>' \ - ELASTIC_APM_SECRET_TOKEN='<your-Elastic-APM-secret-token>' - ``` --## Automate provisioning --You can also run a provisioning automation pipeline using Terraform, Bicep, or an Azure Resource Manager template (ARM template). This pipeline can provide a complete hands-off experience to instrument and monitor any new applications that you create and deploy. --### Automate provisioning using Terraform --To configure the environment variables in a Terraform template, add the following code to the template, replacing the *\<...>* placeholders with your own values. For more information, see [Manages an Active Azure Spring Apps Deployment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/spring_cloud_active_deployment). --```terraform -resource "azurerm_spring_cloud_java_deployment" "example" { - ... - jvm_options = "-javaagent:<elastic-agent-location>" - ... - environment_variables = { - "ELASTIC_APM_SERVICE_NAME"="<your-app-name>", - "ELASTIC_APM_APPLICATION_PACKAGES"="<your-app-package>", - "ELASTIC_APM_SERVER_URL"="<your-Elastic-APM-server-URL>", - "ELASTIC_APM_SECRET_TOKEN"="<your-Elastic-APM-secret-token>" - } -} -``` --### Automate provisioning using a Bicep file --To configure the environment variables in a Bicep file, add the following code to the file, replacing the *\<...>* placeholders with your own values. For more information, see [Microsoft.AppPlatform Spring/apps/deployments](/azure/templates/microsoft.appplatform/spring/apps/deployments?tabs=bicep). --```bicep -deploymentSettings: { - environmentVariables: { - ELASTIC_APM_SERVICE_NAME='<your-app-name>', - ELASTIC_APM_APPLICATION_PACKAGES='<your-app-package>', - ELASTIC_APM_SERVER_URL='<your-Elastic-APM-server-URL>', - ELASTIC_APM_SECRET_TOKEN='<your-Elastic-APM-secret-token>' - }, - jvmOptions: '-javaagent:<elastic-agent-location>', - ... -} -``` --### Automate provisioning using an ARM template --To configure the environment variables in an ARM template, add the following code to the template, replacing the *\<...>* placeholders with your own values. For more information, see [Microsoft.AppPlatform Spring/apps/deployments](/azure/templates/microsoft.appplatform/spring/apps/deployments?tabs=json). --```json -"deploymentSettings": { - "environmentVariables": { - "ELASTIC_APM_SERVICE_NAME"="<your-app-name>", - "ELASTIC_APM_APPLICATION_PACKAGES"="<your-app-package>", - "ELASTIC_APM_SERVER_URL"="<your-Elastic-APM-server-URL>", - "ELASTIC_APM_SECRET_TOKEN"="<your-Elastic-APM-secret-token>" - }, - "jvmOptions": "-javaagent:<elastic-agent-location>", - ... -} -``` --## Upgrade Elastic APM Java Agent --To plan your upgrade, see [Upgrade versions](https://www.elastic.co/guide/en/cloud/current/ec-upgrade-deployment.html) for Elastic Cloud on Azure, and [Breaking Changes](https://www.elastic.co/guide/en/apm/server/current/breaking-changes.html) for APM. After you've upgraded APM Server, upload the Elastic APM Java agent JAR file in the custom persistent storage. Then, restart your apps with the updated JVM options pointing to the upgraded Elastic APM Java agent JAR. --## Monitor applications and metrics with Elastic APM --Use the following steps to monitor applications and metrics: --1. In the Azure portal, go to the **Overview** page of your Elastic deployment, then select the Kibana link. -- :::image type="content" source="media/how-to-elastic-apm-java-agent-monitor/elastic-apm-get-kibana-link.png" alt-text="Screenshot of Azure portal showing Elasticsearch page with 'Deployment U R L / Kibana' highlighted." lightbox="media/how-to-elastic-apm-java-agent-monitor/elastic-apm-get-kibana-link.png"::: --1. After Kibana is open, search for *APM* in the search bar, then select **APM**. -- :::image type="content" source="media/how-to-elastic-apm-java-agent-monitor/elastic-apm-kibana-search-apm.png" alt-text="Elastic / Kibana screenshot showing A P M search results." lightbox="media/how-to-elastic-apm-java-agent-monitor/elastic-apm-kibana-search-apm.png"::: --Kibana APM is the curated application to support Application Monitoring workflows. Here you can view high-level details such as request/response times, throughput, and the transactions in a service with the most impact on the duration. ---You can drill down in a specific transaction to understand the transaction-specific details such as the distributed tracing. ---Elastic APM Java agent also captures the JVM metrics from the Azure Spring Apps apps that are available with Kibana App for users for troubleshooting. ---Using the inbuilt AI engine in the Elastic solution, you can also enable Anomaly Detection on the Azure Spring Apps Services and choose an appropriate action - such as Teams notification, creation of a JIRA issue, a webhook-based API call, and others. ---## Next steps --* [Quickstart: Deploy your first Spring Boot app in Azure Spring Apps](./quickstart.md) -* [Deploy Elastic on Azure](https://www.elastic.co/blog/getting-started-with-the-azure-integration-enhancement) |
spring-apps | How To Enable Ingress To App Tls | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-enable-ingress-to-app-tls.md | - Title: Enable ingress-to-app Transport Layer Security in Azure Spring Apps- -description: How to enable ingress-to-app Transport Layer Security for an application. ---- Previously updated : 04/12/2022---# Enable ingress-to-app TLS for an application --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ❌ Basic ✔️ Standard ✔️ Enterprise --> [!NOTE] -> This feature is not available in the Basic plan. --This article describes secure communications in Azure Spring Apps. The article also explains how to enable ingress-to-app SSL/TLS to secure traffic from an ingress controller to applications that support HTTPS. --The following picture shows the overall secure communication support in Azure Spring Apps. ---## Secure communication model within Azure Spring Apps --This section explains the secure communication model shown in the overview diagram above. --1. The client request from the client to the application in Azure Spring Apps comes into the ingress controller. The request can be either HTTP or HTTPS. The TLS certificate returned by the ingress controller is issued by the Microsoft Azure TLS issuing CA. -- If the app has been mapped to an existing custom domain and is configured as HTTPS only, the request to the ingress controller can only be HTTPS. The TLS certificate returned by the ingress controller is the SSL binding certificate for that custom domain. The server side SSL/TLS verification for the custom domain is done in the ingress controller. --1. The secure communication between the ingress controller and the applications in Azure Spring Apps are controlled by the ingress-to-app TLS. You can also control the communication through the portal or CLI, which will be explained later in this article. If ingress-to-app TLS is disabled, the communication between the ingress controller and the apps in Azure Spring Apps is HTTP. If ingress-to-app TLS is enabled, the communication will be HTTPS and has no relation to the communication between the clients and the ingress controller. The ingress controller won't verify the certificate returned from the apps because the ingress-to-app TLS encrypts the communication. --1. Communication between the apps and the Azure Spring Apps services is always HTTPS and handled by Azure Spring Apps. Such services include config server, service registry, and Eureka server. --1. You manage the communication between the applications. You can also take advantage of Azure Spring Apps features to load certificates into the application's trust store. For more information, see [Use TLS/SSL certificates in an application](./how-to-use-tls-certificate.md). --1. You manage the communication between applications and external services. To reduce your development effort, Azure Spring Apps helps you manage your public certificates and loads them into your application's trust store. For more information, see [Use TLS/SSL certificates in an application](./how-to-use-tls-certificate.md). --## Enable ingress-to-app TLS for an application --The following section shows you how to enable ingress-to-app SSL/TLS to secure traffic from an ingress controller to applications that support HTTPS. --### Prerequisites --- A deployed Azure Spring Apps instance. Follow our [quickstart on deploying via the Azure CLI](./quickstart.md) to get started.-- If you're unfamiliar with ingress-to-app TLS, see the [end-to-end TLS sample](https://github.com/Azure-Samples/spring-boot-secure-communications-using-end-to-end-tls-ssl).-- To securely load the required certificates into Spring Boot apps, you can use [spring-cloud-azure-starter-keyvault-certificates](https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/spring/spring-cloud-azure-starter-keyvault-certificates).--### Enable ingress-to-app TLS on an existing app --Use the command `az spring app update --enable-ingress-to-app-tls` to enable or disable ingress-to-app TLS for an app. --```azurecli -az spring app update --enable-ingress-to-app-tls -n app_name -s service_name -g resource_group_name -az spring app update --enable-ingress-to-app-tls false -n app_name -s service_name -g resource_group_name -``` --### Enable ingress-to-app TLS when you bind a custom domain --Use the command `az spring app custom-domain update --enable-ingress-to-app-tls` or `az spring app custom-domain bind --enable-ingress-to-app-tls` to enable or disable ingress-to-app TLS for an app. --```azurecli -az spring app custom-domain update --enable-ingress-to-app-tls -n app_name -s service_name -g resource_group_name -az spring app custom-domain bind --enable-ingress-to-app-tls -n app_name -s service_name -g resource_group_name -``` --### Enable ingress-to-app TLS using the Azure portal --To enable ingress-to-app TLS in the [Azure portal](https://portal.azure.com/), first create an app, and then enable the feature. --1. Create an app in the portal as you normally would. Navigate to it in the portal. -2. Scroll down to the **Settings** group in the left navigation pane. -3. Select **Ingress-to-app TLS**. -4. Switch **Ingress-to-app TLS** to *Yes*. ---### Verify ingress-to-app TLS status --Use the command `az spring app show` to check the value of `enableEndToEndTls`. --```azurecli -az spring app show -n app_name -s service_name -g resource_group_name -``` --## Next steps --[Access Config Server and Service Registry](how-to-access-data-plane-azure-ad-rbac.md) |
spring-apps | How To Enterprise Build Service | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-enterprise-build-service.md | - Title: How to use Tanzu Build Service in the Azure Spring Apps Enterprise plan -description: Learn how to use Tanzu Build Service in the Azure Spring Apps Enterprise plan. ---- Previously updated : 05/25/2023----# Use Tanzu Build Service --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ❌ Basic/Standard ✔️ Enterprise --This article shows you how to use VMware Tanzu Build Service with the Azure Spring Apps Enterprise plan. --VMware Tanzu Build Service automates container creation, management, and governance at enterprise scale. Tanzu Build Service uses the open-source [Cloud Native Buildpacks](https://buildpacks.io/) project to turn application source code into container images. It executes reproducible builds aligned with modern container standards and keeps images up to date. --## Buildpacks --VMware Tanzu Buildpacks provide framework and runtime support for applications. Buildpacks typically examine your applications to determine what dependencies to download and how to configure applications to communicate with bound services. --The [language family buildpacks](https://docs.vmware.com/en/VMware-Tanzu-Buildpacks/services/tanzu-buildpacks/GUID-https://docsupdatetracker.net/index.html) are [composite buildpacks](https://paketo.io/docs/concepts/buildpacks/#composite-buildpacks) that provide easy out-of-the-box support for the most popular language runtimes and app configurations. These buildpacks combine multiple component buildpacks into ordered groupings. The groupings satisfy each buildpack's requirements. --## Builders --A [Builder](https://docs.vmware.com/en/Tanzu-Build-Service/1.6/vmware-tanzu-build-service/GUID-https://docsupdatetracker.net/index.html#builder) is a Tanzu Build Service resource. A Builder contains a set of buildpacks and a [stack](https://docs.vmware.com/en/VMware-Tanzu-Buildpacks/services/tanzu-buildpacks/GUID-stacks.html) used in the process of building source code. --## Build agent pool --Tanzu Build Service in the Enterprise plan is the entry point to containerize user applications from both source code and artifacts. There's a dedicated build agent pool that reserves compute resources for a given number of concurrent build tasks. The build agent pool prevents resource contention with your running apps. --The following table shows the sizes available for build agent pool scale sets: --| Scale set | CPU/Gi | -|--|--| -| S1 | 2 vCPU, 4 Gi | -| S2 | 3 vCPU, 6 Gi | -| S3 | 4 vCPU, 8 Gi | -| S4 | 5 vCPU, 10 Gi | -| S5 | 6 vCPU, 12 Gi | -| S6 | 8 vCPU, 16 Gi | -| S7 | 16 vCPU, 32 Gi | -| S8 | 32 vCPU, 64 Gi | -| S9 | 64 vCPU, 128 Gi | --Tanzu Build Service allows at most one pool-sized build task to build and twice the pool-sized build tasks to queue. If the quota of the agent pool is insufficient for the build task, the request for this build gets the following error: `The usage of build results in Building or Queuing status are (cpu: xxx, memory: xxxMi) and the remained quota is insufficient for this build. please retry with smaller size of build resourceRequests, retry after the previous build process completed or increased your build agent pool size`. --## Configure the build agent pool --When you create a new Azure Spring Apps Enterprise service instance using the Azure portal, you can use the **VMware Tanzu settings** tab to configure the number of resources given to the build agent pool. ---The following image shows the resources given to the Tanzu Build Service Agent Pool after you successfully provision the service instance. You can also update the configured agent pool size here after you create the service instance. ---## Build service on demand --You can enable or disable the build service when you create an Azure Spring Apps Enterprise plan instance. --### Build and deployment characteristics --By default, Tanzu Build Service is enabled so that you can use a container registry. If you disable the build service, you can deploy an application only with a custom container image. You have the following options: --- Enable the build service and use the Azure Spring Apps managed container registry.-- Azure Spring Apps provides a managed Azure Container Registry to store built images for your applications. You can execute build and deployment together only as one command, but not separately. You can use the built container images to deploy applications in the same service instance only. The images aren't accessible by other Azure Spring Apps Enterprise service instances. --- Enable the build service and use your own container registry.-- This scenario separates build from deployment. You can execute builds from an application's source code or artifacts to a container image separately from the application deployment. You can deploy the container images stored in your own container registry to multiple Azure Spring Apps Enterprise service instances. --- Disable the build service.-- When you disable the build service, you can deploy applications only with container images, which you can build from any Azure Spring Apps Enterprise service instance. --### Configure build service settings --You can configure Tanzu Build Service and container registry settings using the Azure portal or the Azure CLI. --#### [Azure portal](#tab/azure-portal) --Use the following steps to enable Tanzu Build Service when provisioning an Azure Spring Apps service instance: --1. Open the [Azure portal](https://portal.azure.com). -1. On the **Basics** tab, select **Enterprise tier** in the **Pricing** section, and then specify the required information. -1. Select **Next: VMware Tanzu settings**. -1. On the **VMware Tanzu settings** tab, select **Enable Build Service**. For **Container registry**, the default setting is **Use a managed Azure Container Registry to store built images**. -- :::image type="content" source="media/how-to-enterprise-build-service/enable-build-service-with-default-acr.png" alt-text="Screenshot of the Azure portal that shows the V M ware Tanzu Settings for the Azure Spring Apps Create page with default Build Service settings highlighted." lightbox="media/how-to-enterprise-build-service/enable-build-service-with-default-acr.png"::: --1. If you select **Use your own container registry to store built images (preview)** for **Container registry**, provide your container registry's server, username, and password. -- :::image type="content" source="media/how-to-enterprise-build-service/enable-build-service-with-user-acr.png" alt-text="Screenshot of the Azure portal that shows V M ware Tanzu Settings for the Azure Spring Apps Create page with use your own container registry highlighted." lightbox="media/how-to-enterprise-build-service/enable-build-service-with-user-acr.png"::: --1. If you disable **Enable Build Service**, the container registry options aren't provided but you can deploy applications with container images. -- :::image type="content" source="media/how-to-enterprise-build-service/disable-build-service.png" alt-text="Screenshot of the Azure portal that shows V M ware Tanzu Settings for the Azure Spring Apps Create page with the Enable Build Service not selected." lightbox="media/how-to-enterprise-build-service/disable-build-service.png"::: --1. Select **Review and create**. --#### [Azure CLI](#tab/azure-cli) --Use the following steps to enable Tanzu Build Service when provisioning an Azure Spring Apps service instance: --1. Use the following commands to sign in to the Azure CLI, list available subscriptions, and set your active subscription: -- ```azurecli - az login - az account list --output table - az account set --subscription <subscription-id> - ``` --1. Use the following command to register the `Microsoft.Saas` namespace. -- ```azurecli - az provider register --namespace Microsoft.SaaS - ``` --1. Use the following command to accept the legal terms and privacy statements for the Azure Spring Apps Enterprise plan. This step is necessary only if you never used your subscription to create an Enterprise plan instance. -- ```azurecli - az term accept \ - --plan asa-ent-hr-mtr \ - --product azure-spring-cloud-vmware-tanzu-2 \ - --publisher vmware-inc - ``` --1. Select a location. The location must support the Azure Spring Apps Enterprise plan. For more information, see [Azure Spring Apps FAQ](faq.md). --1. Use the following command to create a resource group: -- ```azurecli - az group create \ - --name <resource-group-name> \ - --location <location> - ``` -- For more information about resource groups, see [What is Azure Resource Manager?](../azure-resource-manager/management/overview.md) --1. Prepare a name for your Azure Spring Apps service instance. The name must be between 4 and 32 characters long and can contain only lowercase letters, numbers, and hyphens. The first character of the service name must be a letter and the last character must be either a letter or a number. --1. Use one of the following commands to create an Azure Spring Apps service instance: -- - Use the following command to create an Azure Spring Apps service instance with the build service enabled and using a managed Azure Container Registry. The build service is enabled by default. -- ```azurecli - az spring create \ - --resource-group <resource-group-name> \ - --name <Azure-Spring-Apps-service-instance-name> \ - --sku enterprise - ``` -- - Use the following command to create an Azure Spring Apps service instance with the build service enabled and using your own container registry. The build service is enabled by default. -- ```azurecli - az spring create \ - --resource-group <resource-group-name> \ - --name <Azure-Spring-Apps-service-instance-name> \ - --sku enterprise \ - --registry-server <your-container-registry-login-server> \ - --registry-username <your-container-registry-username> \ - --registry-password <your-container-registry-password> - ``` -- - Use the following command to create an Azure Spring Apps service instance with the build service disabled. -- ```azurecli - az spring create \ - --resource-group <resource-group-name> \ - --name <Azure-Spring-Apps-service-instance-name> \ - --sku enterprise \ - --disable-build-service - ``` ----## Deploy polyglot applications --You can deploy polyglot applications in an Azure Spring Apps Enterprise service instance with Tanzu Build Service either enabled or disabled. For more information, see [How to deploy polyglot apps in Azure Spring Apps Enterprise](how-to-enterprise-deploy-polyglot-apps.md). --## Configure APM integration and CA certificates --By using Tanzu Partner Buildpacks and CA Certificates Buildpack, the Azure Spring Apps Enterprise plan provides a simplified configuration experience to support application performance monitor (APM) integration. This integration includes certificate authority (CA) certificates integration scenarios for polyglot applications. For more information, see [How to configure APM integration and CA certificates](how-to-enterprise-configure-apm-integration-and-ca-certificates.md). --## Real-time build logs --A build task is triggered when an application is deployed from an Azure CLI command. Build logs are streamed in real time as part of the CLI command output. For information about using build logs to diagnose problems, see [Analyze logs and metrics with diagnostics settings](./diagnostic-services.md). --## Build history --You can see all the build resources in the **Builds** section of the Azure Spring Apps Build Service page. ---The table in the **Builds** section contains the following columns: --- **Build Name**: The name of the build.-- **Provisioning State**: The provisioning state of the build. The values are `Succeeded`, `Failed`, `Updating`, and `Creating`. Provisioning states `Updating` and `Creating` mean the build can't be updated until the current build finishes. Provisioning state `Failed` means your latest source code build has failed to generate a new build result.-- **Resource Quota**: The resource quota in build pod of the build.-- **Builder**: The builder used in the build.-- **Latest Build Result**: The latest build result image tag of the build.-- **Latest Build Result Provisioning State**: The latest build result provisioning state of the build. The values are `Queuing`, `Building`, `Succeeded`, and `Failed`.-- **Latest Build Result Last Transition Time**: The last transition time for the latest build result of the build.-- **Latest Build Result Last Transition Reason**: The last transition reason for the latest build result of the build. The values are `CONFIG`, `STACK`, and `BUILDPACK`. `CONFIG` means the build result is changed by builder updates or by a new source code deploy operation. `STACK` means the build result is changed by a stack upgrade. `BUILDPACK` means the build result is changed by a buildpack upgrade.-- **Latest Build Result Last Transition Status**: The last transition status for the latest build result of the build. The values are `True` and `False`.--For **Provisioning State**, when the value is `Failed`, deploy the source code again. If the error persists, create a support ticket. --For **Latest Build Result Provisioning State**, when the value is `Failed`, check the build logs. For more information, see [Troubleshoot common build issues in Azure Spring Apps](troubleshoot-build-exit-code.md). --For **Latest Build Result Last Transition Status**, when the value is `Failed`, see the **Latest Build Result Last Transition Reason** column. If the reason is `BUILDPACK` or `STACK`, no action is necessary. If the reason is `CONFIG`, deploy the source code again. If the error persists, create a support ticket. --## Next steps --- [How to configure APM integration and CA certificates](how-to-enterprise-configure-apm-integration-and-ca-certificates.md) |
spring-apps | How To Enterprise Configure Apm Integration And Ca Certificates | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-enterprise-configure-apm-integration-and-ca-certificates.md | - Title: How to configure APM integration and CA certificates- -description: Shows you how to configure APM integration and CA certificates in the Azure Spring Apps Enterprise plan. ---- Previously updated : 05/25/2023----# How to configure APM integration and CA certificates --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ❌ Basic/Standard ✔️ Enterprise --This article shows you how to configure application performance monitor (APM) integration and certificate authority (CA) certificates in the Azure Spring Apps Enterprise plan. --You can enable or disable Tanzu Build Service on an Azure Springs Apps Enterprise plan instance. For more information, see the [Build service on demand](how-to-enterprise-build-service.md#build-service-on-demand) section of [Use Tanzu Build Service](how-to-enterprise-build-service.md). --## Prerequisites --- An already provisioned Azure Spring Apps Enterprise plan instance. For more information, see [Quickstart: Build and deploy apps to Azure Spring Apps using the Enterprise plan](quickstart-deploy-apps-enterprise.md).-- [Azure CLI](/cli/azure/install-azure-cli) version 2.49.0 or higher. Use the following command to install the Azure Spring Apps extension: `az extension add --name spring`--## Supported scenarios - APM and CA certificates integration --Tanzu Build Service uses buildpack binding to integrate with [Tanzu Partner Buildpacks](https://docs.vmware.com/en/VMware-Tanzu-Buildpacks/services/tanzu-buildpacks/GUID-partner-integrations-partner-integration-buildpacks.html) and other cloud native buildpacks such as the [ca-certificates](https://github.com/paketo-buildpacks/ca-certificates) buildpack on GitHub. --Currently, Azure Spring Apps supports the following APM types: --- ApplicationInsights-- Dynatrace-- AppDynamics-- New Relic-- ElasticAPM--Azure Spring Apps supports CA certificates for all language family buildpacks, but not all supported APMs. The following table shows the binding types supported by Tanzu language family buildpacks. --| Buildpack | ApplicationInsights | New Relic | AppDynamics | Dynatrace | ElasticAPM | -|-||--|-|--|| -| Java | ✔ | ✔ | ✔ | ✔ | ✔ | -| .NET | | ✔ | | ✔ | | -| Go | | | | ✔ | | -| Python | | | | | | -| NodeJS | | ✔ | ✔ | ✔ | ✔ | -| Web servers | | | | ✔ | | -| Java Native Image | | | | | | -| PHP | | ✔ | ✔ | ✔ | | --For information about using Web servers, see [Deploy web static files](how-to-enterprise-deploy-static-file.md). --Tanzu Build Service is enabled by default in Azure Spring Apps Enterprise. If you choose to disable the build service, you can deploy applications but only by using a custom container image. This section provides guidance for both build service enabled and disabled scenarios. --### Supported APM types --This section lists the supported languages and required environment variables for the APMs that you can use for your integrations. --- **Application Insights**-- Supported languages: - - Java -- Environment variables required for buildpack binding: - - `connection-string` -- For other supported environment variables, see [Application Insights Overview](../azure-monitor/app/app-insights-overview.md?tabs=java). --- **DynaTrace**-- Supported languages: - - Java - - .NET - - Go - - Node.js - - WebServers - - PHP -- Environment variables required for buildpack binding: - - `api-url` or `environment-id` (used in build step) - - `api-token` (used in build step) - - `TENANT` - - `TENANTTOKEN` - - `CONNECTION_POINT` -- For other supported environment variables, see [Dynatrace](https://www.dynatrace.com/support/help/shortlink/azure-spring#envvar) --- **New Relic**-- Supported languages: - - Java - - .NET - - Node.js - - PHP -- Environment variables required for buildpack binding: - - `license_key` - - `app_name` -- For other supported environment variables, see [New Relic](https://docs.newrelic.com/docs/apm/agents/java-agent/configuration/java-agent-configuration-config-file/#Environment_Variables) --- **Elastic**-- Supported languages: - - Java - - Node.js - - PHP -- Environment variables required for buildpack binding: - - `service_name` - - `application_packages` - - `server_url` -- For other supported environment variables, see [Elastic](https://www.elastic.co/guide/en/apm/agent/java/master/configuration.html) --- **AppDynamics**-- Supported languages: - - Java - - Node.js -- Environment variables required for buildpack binding: - - `agent_application_name` - - `agent_tier_name` - - `agent_node_name` - - `agent_account_name` - - `agent_account_access_key` - - `controller_host_name` - - `controller_ssl_enabled` - - `controller_port` -- For other supported environment variables, see [AppDynamics](https://docs.appdynamics.com/21.11/en/application-monitoring/install-app-server-agents/java-agent/monitor-azure-spring-cloud-with-java-agent#MonitorAzureSpringCloudwithJavaAgent-ConfigureUsingtheEnvironmentVariablesorSystemProperties) --## Bindings in builder is deprecated --> [!NOTE] -> Previously, you would manage APM integration and CA certificates via bindings in the builder. The bindings in builder feature is deprecated and is being removed in the future. We recommend that you migrate the APM configured in bindings. For more information, see the [Migrate the APM configured in bindings](#migrate-the-apm-configured-in-bindings) section. -> -> When you use your own container registry for the build service or disable the build service, the bindings feature in builder is not available. -> -> When you use a managed Azure Container Registry for the build service, the registry is still available for backward compatibility, but is being removed in the future. --When you use the Azure CLI to create a service instance, you might get the error message `Buildpack bindings feature is deprecated, it's not available when your own container registry is used for build service or build service is disabled`. This message indicates that you're using an old version of the Azure CLI. To fix this issue, upgrade the Azure CLI. For more information, see [How to update the Azure CLI](/cli/azure/update-azure-cli). --## Configure APM integration for app builds and deployments --You can configure APM in Azure Spring Apps in the following two ways: --- Manage APM configurations on the service instance level and bind to app builds and deployments by referring to them. This approach is the recommended way to configure APM.--- Manage APM configurations via bindings in the builder and bind to app builds and deployments by referring to the builder.--> [!NOTE] -> This approach is the old way to configure APM, and it's now deprecated. We recommend that you migrate the APM configured in bindings. For more information, see the [Migrate the APM configured in bindings](#migrate-the-apm-configured-in-bindings) section. --You can now configure APM in Azure Spring Apps by managing APM configurations on the service instance level and bind to app builds and deployments by referring to them. This approach is the recommended way to configure APM. --The following sections provide guidance for both of these approaches. --### Manage APMs on the service instance level (recommended) --You can create an APM configuration and bind to app builds and deployments, as explained in the following sections. --#### Manage APM configuration in Azure Spring Apps --You can manage APM integration by configuring properties or secrets in the APM configuration using the Azure portal or the Azure CLI. --> [!NOTE] -> When configuring properties or secrets via APM configurations, use key names without the APM name as prefix. For example, don't use a `DT_` prefix for Dynatrace or `APPLICATIONINSIGHTS_` for Application Insights. Tanzu APM buildpacks transform the key name to the original environment variable name with a prefix. -> -> If you intend to override or configure some properties or secrets, such as app name or app level, you need to set environment variables when deploying an app with the original environment variables with the APM name as prefix. --##### [Azure portal](#tab/azure-portal) --Use the following steps to show, add, edit, or delete an APM configuration: --1. Open the [Azure portal](https://portal.azure.com). -1. In the navigation pane, select **APM**. -1. To create an APM configuration, select **Add**. If you want to enable the APM configuration globally, select **Enable globally**. All the subsequent builds and deployments use the APM configuration automatically. -- :::image type="content" source="media/how-to-enterprise-configure-apm-integration-and-ca-certificates/add-apm.png" alt-text="Screenshot of the Azure portal showing the APM configuration page with the Add button highlighted." lightbox="media/how-to-enterprise-configure-apm-integration-and-ca-certificates/add-apm.png"::: --1. To view or edit an APM configuration, select the ellipsis (**...**) button for the configuration, then select **Edit APM**. -- :::image type="content" source="media/how-to-enterprise-configure-apm-integration-and-ca-certificates/show-apm.png" alt-text="Screenshot of the Azure portal showing the APM configuration page with the Edit APM option selected." lightbox="media/how-to-enterprise-configure-apm-integration-and-ca-certificates/show-apm.png"::: --1. To delete an APM configuration, select the ellipsis (**...**) button for the configuration and then select **Delete**. If the APM configuration is used by any build or deployment, you aren't able to delete it. -- :::image type="content" source="media/how-to-enterprise-configure-apm-integration-and-ca-certificates/delete-apm.png" alt-text="Screenshot of the Azure portal showing the APM configuration page with the Delete button highlighted." lightbox="media/how-to-enterprise-configure-apm-integration-and-ca-certificates/delete-apm.png"::: --Use the following steps to view the APM configurations bound to the build: --1. Navigate to the **Build Service** page for your Azure Spring Apps instance. -- :::image type="content" source="media/how-to-enterprise-configure-apm-integration-and-ca-certificates/build-service-build.png" alt-text="Screenshot of the Azure portal showing the build service page with the current build in the list." lightbox="media/how-to-enterprise-configure-apm-integration-and-ca-certificates/build-service-build.png"::: --1. On the navigation pane, in the **Settings** section, select **APM bindings**. --1. On the **APM bindings** page, view the APM configurations bound to the build. -- :::image type="content" source="media/how-to-enterprise-configure-apm-integration-and-ca-certificates/build-apm-bindings.png" alt-text="Screenshot of the APM bindings page showing the APM configurations bound to the build." lightbox="media/how-to-enterprise-configure-apm-integration-and-ca-certificates/build-apm-bindings.png"::: --Use the following steps to view the APM configurations bound to the deployment: --1. Navigate to your application page. --1. On the navigation pane, in the **Settings** section, select **APM bindings**. --1. On the **APM bindings** page, view the APM configurations bound to the deployment. -- :::image type="content" source="media/how-to-enterprise-configure-apm-integration-and-ca-certificates/deployment-apm-bindings.png" alt-text="Screenshot of the APM bindings page showing the APM configurations bound to the deployment." lightbox="media/how-to-enterprise-configure-apm-integration-and-ca-certificates/deployment-apm-bindings.png"::: --##### [Azure CLI](#tab/azure-cli) --The following list shows you the Azure CLI commands you can use to manage APM configuration: --- Use the following command to list all the APM configurations:-- ```azurecli - az spring apm list \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> - ``` --- Use the following command to list all the supported APM types:-- ```azurecli - az spring apm list-support-types \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> - ``` --- Use the following command to create an APM configuration:-- ```azurecli - az spring apm create \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name <your-APM-name> \ - --type <your-APM-type> \ - --properties a=b c=d \ - --secrets e=f g=h - ``` --- Use the following command to view the details of an APM configuration:-- ```azurecli - az spring apm show \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name <your-APM-name> - ``` --- Use the following command to change an APM's properties:-- ```azurecli - az spring apm update \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name <your-APM-name> \ - --type <your-APM-type> \ - --properties a=b c=d \ - --secrets e=f2 g=h - ``` --- Use the following command to enable an APM configuration globally. When you enable an APM configuration globally, all the subsequent builds and deployments use it automatically.-- ```azurecli - az spring apm enable-globally \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name <your-APM-name> \ - ``` --- Use the following command to disable an APM configuration globally. When you disable an APM configuration globally, all the subsequent builds and deployments don't use it.-- ```azurecli - az spring apm disable-globally \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name <your-APM-name> \ - ``` --- Use the following command to list all the APM configurations enabled globally:-- ```azurecli - az spring apm list-enabled-globally \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> - ``` --- Use the following command to delete an APM configuration.-- ```azurecli - az spring apm delete \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name <your-APM-name> \ - ``` ----For more information on the `properties` and `secrets` parameters for your buildpack, see the [Supported Scenarios - APM and CA Certificates Integration](#supported-scenariosapm-and-ca-certificates-integration) section. --#### Bind to app builds and deployments --For a build service that uses a managed Azure Container Registry, use the following command to integrate APM into your deployments: --```azurecli -az spring app deploy \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name <app-name> \ - --builder <builder-name> \ - --apms <APM-name> \ - --artifact-path <path-to-your-JAR-file> -``` --When you enable an APM configuration globally, all the subsequent builds and deployments use it automatically, and it's unnecessary to specify the `--apms` parameter. If you want to override the APM configuration enabled globally for a deployment, specify the APM configurations via `--apms` parameter. --For a build service that uses your own container registry, you can build an application into a container image and deploy the image to the current or other Azure Spring Apps Enterprise service instances. --Providing your own container registry separates building from deployment. You can use the build command to create or update a build with a builder, then use the deploy command to deploy the container image to the service. --Use the following command to build an image and configure APM: --```azurecli -az spring build-service build <create|update> \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name <app-name> \ - --builder <builder-name> \ - --apms <APM-name> \ - --artifact-path <path-to-your-JAR-file> -``` --When you enable an APM configuration globally, all the subsequent builds and deployments use it automatically, and it's unnecessary to specify the `--apms` parameter. If you want to override the APM configuration enabled globally for a build, specify the APM configurations via the `--apms` parameter. --Use the following command to deploy the application with the container image built previously and configure APM. You can use the APM configuration enabled globally or use the `--apms` parameter to specify APM configuration. --```azurecli -az spring app deploy \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name <app-name> \ - --container-image <your-container-image> \ - --container-registry <your-container-registry> \ - --registry-password <your-password> \ - --registry-username <your-username> \ - --apms <your-APM> -``` --When you disable the build service, you can only deploy an application with a container image. For more information, see [Deploy an application with a custom container image](how-to-deploy-with-custom-container-image.md). --You can use multiple instances of Azure Spring Apps Enterprise, where some instances build and deploy images and others only deploy images. Consider the following scenario: --For one instance, you enable the build service with a user container registry. Then, you build from an artifact file or source code with APM or a CA certificate into a container image. You can then deploy to the current Azure Spring Apps instance or other service instances. For more information, see the [Build and deploy polyglot applications](how-to-enterprise-deploy-polyglot-apps.md#build-and-deploy-polyglot-applications) section of [How to deploy polyglot apps in Azure Spring Apps Enterprise](How-to-enterprise-deploy-polyglot-apps.md). --In another instance with the build service disabled, you deploy an application with the container image in your registry and also make use of APM. --In this scenario, you can use the APM configuration enabled globally or use the `--apms` parameter to specify the APM configuration, as shown in the following example: --```azurecli -az spring app deploy \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name <app-name> \ - --container-image <your-container-image> \ - --container-registry <your-container-registry> \ - --registry-password <your-password> \ - --registry-username <your-username> \ - --apms <your-APM> -``` --### Manage APMs via bindings in builder (deprecated) --When the build service uses the Azure Spring Apps managed container registry, you can build an application to an image and then deploy it, but only within the current Azure Spring Apps service instance. --#### Manage APM configurations via bindings in builder --You can manage APM configurations via bindings in builder. For more information, see the [Manage bindings in builder in Azure Spring Apps (deprecated)](#manage-bindings-in-builder-in-azure-spring-apps-deprecated) section. --#### Bind to app builds and deployments --Use the following command to integrate APM into your deployments. The APM is configured via bindings in the builder: --```azurecli -az spring app deploy \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name <app-name> \ - --builder <builder-name> \ - --artifact-path <path-to-your-JAR-file> -``` --### Enable Application Insights when creating the service instance --If you enable Application Insights when creating a service instance, the following conditions apply: --- If you use a managed Azure Container Registry for the build service, Application Insights is bound to bindings in the default builder.-- If you use your own container registry for the build service or you disable the build service, a default APM configuration is created for Application Insights. The default APM is enabled globally and all the subsequent builds and deployments use it automatically.--## Configure CA certificates for app builds and deployments --You can configure CA certificates in Azure Spring Apps in the following two ways: --- You can manage public certificates in the TLS/SSL settings and bind to app builds and deployments by referring to them. This approach is the recommended way to configure CA certificates.-- You can manage public certificates in the TLS/SSL settings and bind CA certificates via bindings in the builder. For more information, see the [Manage bindings in builder in Azure Spring Apps (deprecated)](#manage-bindings-in-builder-in-azure-spring-apps-deprecated) section.--> [!NOTE] -> This approach is the old way to configure CA certificates and it has been deprecated. We recommend that you migrate the CA certificate configured in bindings. For more information, see the [Migrate CA certificate configured in bindings](#migrate-ca-certificate-configured-in-bindings) section. --You can now manage public certificates in the TLS/SSL settings and bind to app builds and deployments by referring to them. This approach is the recommended way to configure CA certificates. --To manage public certificates on the service instance level, see the [Import a certificate](how-to-use-tls-certificate.md#import-a-certificate) section of [Use TLS/SSL certificates in your application in Azure Spring Apps](how-to-use-tls-certificate.md). then, follow one of the approaches described in the following sections to bind CA certificates to app builds and deployments. --### Bind CA certificates to app builds and deployments --For information on how to bind CA certificates to deployments, see the [Load a certificate](how-to-use-tls-certificate.md#load-a-certificate) section of [Use TLS/SSL certificates in your application in Azure Spring Apps](how-to-use-tls-certificate.md). Then, use the following instructions to bind to app builds. --When you enable the build service and use a managed Azure Container Registry, use the following command to integrate CA certificates into your deployment: --```azurecli -az spring app deploy \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name <app-name> \ - --builder <builder-name> \ - --build-certificates <CA certificate-name> \ - --artifact-path <path-to-your-JAR-file> - ``` --When you use your own container registry for the build service or disable the build service, use the following command to integrate CA certificates into your build: --```azurecli -az spring build-service build <create|update> \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name <app-name> \ - --builder <builder-name> \ - --certificates <CA certificate-name> \ - --artifact-path <path-to-your-JAR-file> -``` --### View CA certificates bound to app builds --Use the following steps to view the CA certificates bound to the build: --1. Navigate to your build page. -- :::image type="content" source="media/how-to-enterprise-configure-apm-integration-and-ca-certificates/build-service-build.png" alt-text="Screenshot of the Azure portal showing the build service page with the current build in the list." lightbox="media/how-to-enterprise-configure-apm-integration-and-ca-certificates/build-service-build.png"::: --1. On the navigation pane, in the **Settings** section, select **Certificate bindings**. --1. On the **Certificate bindings** page, view the CA certificates bound to the build. -- :::image type="content" source="media/how-to-enterprise-configure-apm-integration-and-ca-certificates/build-certificate-bindings.png" alt-text="Screenshot of the certificate bindings page showing CA certificates bound to the build." lightbox="media/how-to-enterprise-configure-apm-integration-and-ca-certificates/build-certificate-bindings.png"::: --### Bind CA certificates via bindings in builder (deprecated) --CA certificates use the [ca-certificates](https://github.com/paketo-buildpacks/ca-certificates) buildpack to support providing CA certificates to the system trust store at build and runtime. --In the Azure Spring Apps Enterprise plan, the CA certificates use the **Public Key Certificates** tab on the **TLS/SSL settings** page in the Azure portal, as shown in the following screenshot: ---You can configure the CA certificates on the **Edit binding** page. The `succeeded` certificates are shown in the **CA Certificates** list. ---## Manage bindings in builder in Azure Spring Apps (deprecated) --This section applies only to an Azure Spring Apps Enterprise service instance with the build service enabled. With the build service enabled, one buildpack binding means either credential configuration against one APM type, or CA certificates configuration against the CA certificates type. For APM integration, follow the earlier instructions to configure the necessary environment variables or secrets for your APM. --> [!NOTE] -> When configuring environment variables for APM bindings, use key names without a prefix. For example, do not use a `DT_` prefix for a Dynatrace binding or `APPLICATIONINSIGHTS_` for Application Insights. Tanzu APM buildpacks transform the key name to the original environment variable name with a prefix. --You can manage buildpack bindings with the Azure portal or the Azure CLI. --### [Azure portal](#tab/azure-portal) --Use the following steps to view the buildpack bindings: --1. In the Azure portal, go to your Azure Spring Apps Enterprise service instance. -1. In the navigation pane, select **Build Service**. -1. Select **Edit** under the **Bindings** column to view the bindings configured for a builder. -- :::image type="content" source="media/how-to-enterprise-configure-apm-integration-and-ca-certificates/edit-binding.png" alt-text="Screenshot of Azure portal showing the Build Service page with the Bindings Edit link highlighted for a selected builder." lightbox="media/how-to-enterprise-configure-apm-integration-and-ca-certificates/edit-binding.png"::: --1. Review the bindings on the **Edit binding for default builder** page. -- :::image type="content" source="media/how-to-enterprise-configure-apm-integration-and-ca-certificates/show-service-binding.png" alt-text="Screenshot of Azure portal showing the Edit bindings for default builder page with the binding types and their status listed."::: --### Create a buildpack binding --To create a buildpack binding, select **Unbound** on the **Edit Bindings** page, specify the binding properties, and then select **Save**. --### Unbind a buildpack binding --You can unbind a buildpack binding by using the **Unbind binding** command, or by editing the binding properties. --To use the **Unbind binding** command, select the **Bound** hyperlink, and then select **Unbind binding**. ---To unbind a buildpack binding by editing binding properties, select **Edit Binding**, and then select **Unbind**. ---When you unbind a binding, the bind status changes from **Bound** to **Unbound**. --### [Azure CLI](#tab/azure-cli) --### View buildpack bindings using the Azure CLI --View the current buildpack bindings by using the following command: --```azurecli -az spring build-service builder buildpack-binding list \ - --resource-group <your-resource-group-name> \ - --service <your-service-instance-name> \ - --builder-name <your-builder-name> -``` --### Create a binding --Use this command to change the binding from *Unbound* to *Bound* status: --```azurecli -az spring build-service builder buildpack-binding create \ - --resource-group <your-resource-group-name> \ - --service <your-service-instance-name> \ - --name <your-buildpack-binding-name> \ - --builder-name <your-builder-name> \ - --type <your-binding-type> \ - --properties a=b c=d \ - --secrets e=f g=h -``` --For information on the `properties` and `secrets` parameters for your buildpack, see the [Supported Scenarios - APM and CA Certificates Integration](#supported-scenariosapm-and-ca-certificates-integration) section. --### Show the details for a specific binding --You can view the details of a specific binding by using the following command: --```azurecli -az spring build-service builder buildpack-binding show \ - --resource-group <your-resource-group-name> \ - --service <your-service-instance-name> \ - --name <your-buildpack-binding-name> \ - --builder-name <your-builder-name> -``` --### Edit the properties of a binding --You can change a binding's properties by using the following command: --```azurecli -az spring build-service builder buildpack-binding set \ - --resource-group <your-resource-group-name> \ - --service <your-service-instance-name> \ - --name <your-buildpack-binding-name> \ - --builder-name <your-builder-name> \ - --type <your-binding-type> \ - --properties a=b c=d \ - --secrets e=f2 g=h -``` --For more information on the `properties` and `secrets` parameters for your buildpack, see the [Supported Scenarios - APM and CA Certificates Integration](#supported-scenariosapm-and-ca-certificates-integration) section. --### Delete a binding --Use the following command to change the binding status from *Bound* to *Unbound*. --```azurecli -az spring build-service builder buildpack-binding delete \ - --resource-group <your-resource-group-name> \ - --service <your-service-instance-name> \ - --name <your-buildpack-binding-name> \ - --builder-name <your-builder-name> -``` ----## Migrate APM and CA certificates from bindings in builder --The bindings feature in builder is deprecated and is being removed in the future. We recommend that you migrate bindings in builder. --You can configure APM and CA certificates in bindings and you can migrate them by using the following sections. --### Migrate the APM configured in bindings --In most use cases, there's only one APM configured in bindings in the default builder. You can create a new APM configuration with the same configuration in bindings and enable this APM configuration globally. All the subsequent builds and deployments use this configuration automatically. Use the following steps to migrate: --1. Use the following command to create an APM configuration: -- ```azurecli - az spring apm create \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name <your-APM-name> \ - --type <your-APM-type> \ - --properties a=b c=d \ - --secrets e=f g=h - ``` --1. Use the following command to enable the APM configuration globally: -- ```azurecli - az spring apm enable-globally \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name <your-APM-name> \ - ``` --1. Use the following command to redeploy all the applications to use the new APM configuration enabled globally: -- ```azurecli - az spring app deploy \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name <app-name> \ - --builder <builder-name> \ - --artifact-path <path-to-your-JAR-file> - ``` --1. Verify that the new APM configuration works for all the applications. If everything works fine, use the following command to remove the APM bindings in builder: -- ```azurecli - az spring build-service builder buildpack-binding delete \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name <your-APM-buildpack-binding-name> \ - --builder-name <your-builder-name> - ``` --If there are several APMs configured in bindings, you can create several APM configurations with the same configuration in bindings and enable the APM configuration globally if it's applicable. Use the `--apms` parameter to specify an APM configuration for a deployment if you want to override the APM enabled globally, as shown in the following command: --```azurecli -az spring app deploy \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name <app-name> \ - --builder <builder-name> \ - --apms <APM-name> \ - --artifact-path <path-to-your-JAR-file> -``` --During the migration process, APM is configured in both bindings and APM configuration. In this case, the APM configuration takes effect and the binding is ignored. --### Migrate CA certificate configured in bindings --Use the following steps to migrate a CA certificate: --1. For a CA certificate configured in binding, if it's used in runtime, you can load the certificate into your application. For more information, see [Load a certificate](how-to-use-tls-certificate.md#load-a-certificate) section of [Use TLS/SSL certificates in your application in Azure Spring Apps](how-to-use-tls-certificate.md). --1. Use the following command to redeploy all the applications using the CA certificate. If you use the certificate at build time, use the `--build-certificates` parameter to specify the CA certificate to use at build time for a deployment: -- ```azurecli - az spring app deploy \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name <app-name> \ - --builder <builder-name> \ - --build-certificates <CA certificate-name> \ - --artifact-path <path-to-your-JAR-file> - ``` --1. Verify if the CA certificate works for all the applications using it. If everything works fine, use the following command to remove the CA certificate bindings in the builder: -- ```azurecli - az spring build-service builder buildpack-binding delete \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name <your-CA-certificate-buildpack-binding-name> \ - --builder-name <your-builder-name> - ``` --## Next steps --- [How to deploy polyglot apps in Azure Spring Apps Enterprise](how-to-enterprise-deploy-polyglot-apps.md) |
spring-apps | How To Enterprise Marketplace Offer | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-enterprise-marketplace-offer.md | - Title: Enterprise plan in Azure Marketplace -description: Learn about the Azure Spring Apps Enterprise plan offering available in Azure Marketplace. ---- Previously updated : 03/24/2023----# Enterprise plan in Azure Marketplace --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ❌ Basic/Standard ✔️ Enterprise --This article describes the Azure Marketplace offer and license requirements for the VMware Taznu components in the Enterprise plan in Azure Spring Apps. --## Enterprise plan and VMware Tanzu components --The Azure Spring Apps Enterprise plan is optimized for the needs of enterprise Spring developers and provides advanced configurability, flexibility, and portability. Azure Spring Apps also provides the enterprise-ready VMware Spring Runtime with 24/7 support in a strong partnership with VMware. You can learn more about the plan's value propositions in the [Enterprise plan](overview.md#enterprise-plan) section of [What is Azure Spring Apps?](overview.md) --Because the Enterprise plan provides feature parity with the Standard plan, it provides a rich set of features that include app lifecycle management, monitoring, and troubleshooting. --The Enterprise plan provides the following managed [VMware Tanzu components](./vmware-tanzu-components.md) that empower enterprises to ship faster: --- Tanzu Build Service-- Application Configuration Service for Tanzu-- Tanzu Service Registry-- Spring Cloud Gateway for Tanzu-- API portal for VMware Tanzu-- Application Live View for VMware Tanzu-- Application Accelerator for VMware Tanzu--The pricing for Azure Spring Apps Enterprise plan is composed of the following two parts: --- Infrastructure pricing, set by Microsoft, based on vCPU and memory usage of apps and managed Tanzu components.-- Tanzu component licensing pricing, set by VMware, based on vCPU usage of apps.--For more information about pricing, see [Azure Spring Apps pricing](https://azure.microsoft.com/pricing/details/spring-apps/). --To provide the best customer experience to manage the Tanzu component license purchasing and metering, VMware creates an [Azure Spring Apps Enterprise](https://aka.ms/ascmpoffer) offer in Azure Marketplace. This offer represents a Tanzu component license that's automatically purchased on behalf of customers during the creation of an Azure Spring Apps Enterprise plan instance. --Under this implicit Azure Marketplace third-party offer purchase from VMware, your personal data and application vCPU usage data is shared with VMware. You agree to this data sharing when you agree to the marketplace terms upon creating the service instance. --To purchase the Tanzu component license successfully, the [billing account](../cost-management-billing/manage/view-all-accounts.md) of your subscription must be included in one of the locations listed in the [Supported geographic locations of billing account](#supported-geographic-locations-of-billing-account) section. Because of tax management restrictions from VMware in some countries/regions, not all countries/regions are supported. --The extra license fees apply only to the Enterprise plan. In the Azure Spring Apps Standard plan, there are no extra license fees because the managed Spring components use the OSS config server and Eureka server. No other third-party license fees are required. --On the [Azure Spring Apps Enterprise](https://aka.ms/ascmpoffer) offer page in Azure Marketplace, you can review the Tanzu component license pricing. --You can use the Azure portal or the Azure CLI to provision an Azure Spring Apps Enterprise plan service instance. You can also select **Subscribe** on the Azure Marketplace offer page to create the service instance. Azure Marketplace redirects you to the Azure Spring Apps creation page. --## Requirements --You must understand and fulfill the following requirements to successfully create an instance of the Azure Spring Apps Enterprise plan when purchasing the Azure Marketplace offer. --- Your Azure subscription must be registered to the `Microsoft.SaaS` resource provider. For more information, see the [Register resource provider](../azure-resource-manager/management/resource-providers-and-types.md#register-resource-provider) section of [Azure resource providers and types](../azure-resource-manager/management/resource-providers-and-types.md).--- Your Azure subscription must have an associated payment method. Azure credits or free MSDN subscriptions aren't supported. For more information, see the [Purchasing requirements](/marketplace/azure-marketplace-overview#purchasing-requirements) section of [What is Azure Marketplace?](/marketplace/azure-marketplace-overview)--- Your Azure subscription must belong to a [billing account](../cost-management-billing/manage/view-all-accounts.md) in a supported geographic location defined in the [Azure Spring Apps Enterprise](https://aka.ms/ascmpoffer) offer in Azure Marketplace. For more information, see the [Supported geographic locations of billing account](#supported-geographic-locations-of-billing-account) section.--- Your region must be available. Choose an Azure region currently available. For more information, see [In which regions is the Azure Spring Apps Enterprise plan available?](./faq.md#in-which-regions-is-the-azure-spring-apps-enterprise-plan-available) in the [Azure Spring Apps FAQ](faq.md).--- Your organization must allow Azure Marketplace purchases. For more information, see the [Enabling Azure Marketplace purchases](../cost-management-billing/manage/ea-azure-marketplace.md#enabling-azure-marketplace-purchases) section of [Azure Marketplace](../cost-management-billing/manage/ea-azure-marketplace.md).--- Your organization must allow acquisition of any Azure Marketplace software application as described in the [Purchase policy management](/marketplace/azure-purchasing-invoicing#purchase-policy-management) section of [Azure Marketplace purchasing](/marketplace/azure-purchasing-invoicing).--- You must accept the marketplace legal terms and privacy statements while provisioning the plan on the Azure portal, or you can use the following commands to do so in advance.-- ```azurecli - az term accept \ - --publisher vmware-inc \ - --product azure-spring-cloud-vmware-tanzu-2 \ - --plan asa-ent-hr-mtr - ``` --## Supported geographic locations of billing account --To successfully purchase the [Azure Spring Apps Enterprise](https://aka.ms/ascmpoffer) offer on Azure Marketplace, your Azure subscription must belong to a [billing account](../cost-management-billing/manage/view-all-accounts.md) in a supported geographic location defined in the offer. --The following table lists each supported geographic location and its [ISO 3166 two-digit alpha code](https://en.wikipedia.org/wiki/List_of_ISO_3166_country_codes). --| Country/Region Name |ISO-2| -|-|--| -| Argentina | AR | -| Armenia | AM | -| Australia | AU | -| Austria | AT | -| Belarus | BY | -| Belgium | BE | -| Brazil | BR | -| Bulgaria | BG | -| Canada | CA | -| Chile | CL | -| Colombia | CO | -| Croatia | HR | -| Cyprus | CY | -| Czechia | CZ | -| Denmark | DK | -| Estonia | EE | -| Finland | FI | -| France | FR | -| Germany | DE | -| Greece | GR | -| Hong Kong SAR | HK | -| Hungary | HU | -| Iceland | IS | -| India | IN | -| Indonesia | ID | -| Ireland | IE | -| Israel<sup>1</sup> | IL | -| Italy | IT | -| Korea | KE | -| Latvia | LV | -| Liechtenstein | LI | -| Lithuania | LT | -| Luxembourg | LU | -| Malaysia | MY | -| Malta | MT | -| Mexico | MX | -| Monaco | MC | -| Netherlands | NL | -| New Zealand | NZ | -| Nigeria | NG | -| Norway | NO | -| Poland | PL | -| Portugal | PT | -| Puerto Rico | PR | -| Qatar | QA | -| Romania | RO | -| Saudi Arabia | SA | -| Serbia | RS | -| Singapore | SG | -| Slovakia | SK | -| Slovenia | SI | -| South Africa | ZA | -| Spain | ES | -| Sweden | SE | -| Switzerland | CH | -| Taiwan | TW | -| Thailand | TH | -| Türkiye | TR | -| United Arab Emirates | AE | -| United Kingdom | GB | -| United States | US | --<sup>1</sup> Israel requires reaching out to asa-e-contact@vmware.com with Tax ID (TIN) information to unlock. --## Troubleshoot errors --The following list shows the errors you might encounter when you create an Azure Spring Apps Enterprise plan instance, and the actions to take to resolve the errors: --- `Failed to purchase on Azure Marketplace because the Microsoft.SaaS RP is not registered on the Azure subscription.`-- Register your Azure subscription with the `Microsoft.SaaS` resource provider. For more information, see the [Register resource provider](../azure-resource-manager/management/resource-providers-and-types.md#register-resource-provider) section of [Azure resource providers and types](../azure-resource-manager/management/resource-providers-and-types.md). --- `Failed to load catalog product vmware-inc.azure-spring-cloud-vmware-tanzu-2 in the Azure subscription market.`-- The billing account for your subscription doesn't contain a valid billing address in the scope of the supported geographic locations. Use the following steps to fix this problem: -- 1. Find the billing address of the billing account for your subscription by following the steps in the [Check the type of your account](../cost-management-billing/manage/view-all-accounts.md#check-the-type-of-your-account) section of [Billing accounts and scopes in the Azure portal](../cost-management-billing/manage/view-all-accounts.md). If you can't view or manage billing accounts, you probably don't have permission to access them. Ask your billing account administrator for help. -- 1. Determine whether the billing address is in the scope of the [supported geographic locations](#supported-geographic-locations-of-billing-account). If it isn't, try one of the following approaches: -- - If possible, use another billing account with a supported billing address and then try again. -- - If you want to use the current subscription, raise a support ticket with us with the subject "Unsupported market in billing address when creating Azure Spring Apps enterprise". --- `Failed to purchase on Azure Marketplace due to signature verification on Marketplace legal agreement.`-- You haven't accepted the marketplace legal terms and privacy statements while provisioning the plan. Use the following command to accept the terms: -- ```azurecli - az term accept \ - --publisher vmware-inc \ - --product azure-spring-cloud-vmware-tanzu-2 \ - --plan asa-ent-hr-mtr - ``` --- `Purchase has failed because we couldn't find a valid credit card nor a payment method associated with your Azure subscription.`-- Your Azure subscription doesn't have an associated payment method. Azure credits or free MSDN subscriptions aren't supported. For more information, see the [Purchasing requirements](/marketplace/azure-marketplace-overview#purchasing-requirements) section of [What is Azure Marketplace?](/marketplace/azure-marketplace-overview) --- `Plan can not be purchased on a free subscription.`-- Your Azure subscription doesn't have an associated payment method. Azure credits or free MSDN subscriptions aren't supported. For more information, see the [Purchasing requirements](/marketplace/azure-marketplace-overview#purchasing-requirements) section of [What is Azure Marketplace?](/marketplace/azure-marketplace-overview) --- `Your Azure subscription which is associated with a deleted organization. The billing account is not valid to purchase the SaaS.`-- Your Azure subscription doesn't have an associated payment method. Azure credits or free MSDN subscriptions aren't supported. For more information, see the [Purchasing requirements](/marketplace/azure-marketplace-overview#purchasing-requirements) section of [What is Azure Marketplace?](/marketplace/azure-marketplace-overview) --- `Failed to check if marketplace is enabled for your Azure subscription.`-- Your organization doesn't allow Azure Marketplace purchases. To allow the purchase, see the [Enabling Azure Marketplace purchases](../cost-management-billing/manage/ea-azure-marketplace.md#enabling-azure-marketplace-purchases) section of [Azure Marketplace](../cost-management-billing/manage/ea-azure-marketplace.md). --- `Purchase for Azure product azure-spring-cloud-vmware-tanzu-2 and plan Azure Spring Apps Enterprise (Public) is not allowed.`-- Your organization doesn't allow Azure Marketplace purchases. To allow the purchase, see the [Enabling Azure Marketplace purchases](../cost-management-billing/manage/ea-azure-marketplace.md#enabling-azure-marketplace-purchases) section of [Azure Marketplace](../cost-management-billing/manage/ea-azure-marketplace.md). --- `Failed to process eligibility check with error Plan 'Azure Spring Apps Enterprise (Public)' of offer 'Azure Spring Apps Enterprise' by publisher 'VMware Inc.' is not available to you for purchase due to private marketplace settings made by your tenant's IT admin.`-- Your organization doesn't allow Azure Marketplace purchases or acquisition of any Azure Marketplace software application. To allow the purchase, see the [Enabling Azure Marketplace purchases](../cost-management-billing/manage/ea-azure-marketplace.md#enabling-azure-marketplace-purchases) section of [Azure Marketplace](../cost-management-billing/manage/ea-azure-marketplace.md) and the [Purchase policy management](/marketplace/azure-purchasing-invoicing#purchase-policy-management) section of [Azure Marketplace purchasing](/marketplace/azure-purchasing-invoicing). --- `This offer 'vmware-inc.azure-spring-cloud-vmware-tanzu-2' is not available for purchasing by subscriptions belonging to Microsoft Azure Cloud Solution Providers.`-- There's currently no support for Azure Cloud Solution Providers to purchase Azure Spring Apps Enterprise yet. We're working on enabling this support. --## Next steps --- [Launch your first app](./quickstart.md) |
spring-apps | How To Integrate Azure Load Balancers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-integrate-azure-load-balancers.md | - Title: Tutorial - Integrate Azure Spring Apps with Azure Load Balance Solutions -description: How to integrate Azure Spring Apps with Azure Load Balance Solutions ---- Previously updated : 04/20/2020----# Integrate Azure Spring Apps with Azure Load Balance Solutions --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Java ✔️ C# --**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise --Azure Spring Apps supports Spring applications on Azure. Increasing business can require multiple data centers with management of multiple instances of Azure Spring Apps. --Azure already provides [different load-balance solutions](/azure/architecture/guide/technology-choices/load-balancing-overview). There are three common options to integrate Azure Spring Apps with Azure load-balance solutions: --1. Integrate Azure Spring Apps with Azure Traffic Manager -1. Integrate Azure Spring Apps with Azure App Gateway -1. Integrate Azure Spring Apps with Azure Front Door --In the examples below, we will load balance requests for a custom domain of `www.contoso.com` towards two deployments of Azure Spring Apps in two different regions: `eastus.azuremicroservices.io` and `westus.azuremicroservices.io`. --We recommend that the domain name, as seen by the browser, is the same as the host name which the load balancer uses to direct traffic to the Azure Spring Apps back end. This recommendation provides the best experience when using a load balancer to expose applications hosted in Azure Spring Apps. If the domain exposed by the load balancer is different from the domain accepted by Azure Spring Apps, cookies and generated redirect URLs (for example) can be broken. For more information, see [Host name preservation](/azure/architecture/best-practices/host-name-preservation). --## Prerequisites --* A custom domain to be used to access the application: [Tutorial: Map an existing custom domain to Azure Spring Apps](./how-to-custom-domain.md) -* Azure Spring Apps: [How to create an Azure Spring Apps service](./quickstart.md) -* Azure Traffic -* Azure App Gateway: [How to create an application gateway](../application-gateway/quick-create-portal.md) -* Azure Front Door: [How to create a front door](../frontdoor/quickstart-create-front-door.md) --## Integrate Azure Spring Apps with Azure Traffic Manager --To integrate Azure Spring Apps with Traffic Manager, add its public endpoints as traffic manager’s endpoints and then configure custom domain for both traffic manager and Azure Spring Apps. --### Add Endpoint in Traffic Manager --Add endpoints in traffic --1. Specify **Type** to be *External endpoint*. -1. Input fully qualified domain name (FQDN) of each Azure Spring Apps public endpoint. -1. Select **OK**. -- :::image type="content" source="media/how-to-integrate-azure-load-balancers/traffic-manager-1.png" alt-text="Screenshot of the Azure portal that shows the Add endpoint page with an eastus FQDN with Priority 1." lightbox="media/how-to-integrate-azure-load-balancers/traffic-manager-1.png"::: -- :::image type="content" source="media/how-to-integrate-azure-load-balancers/traffic-manager-2.png" alt-text="Screenshot of the Azure portal that shows the Add endpoint page with a westus FQDN with Priority 2." lightbox="media/how-to-integrate-azure-load-balancers/traffic-manager-2.png"::: --### Configure Custom Domain --To finish the configuration: --1. Sign in to the website of your domain provider, and create a CNAME record mapping from your custom domain to traffic manager’s Azure default domain name. --## Integrate Azure Spring Apps with Azure App Gateway --To integrate with Azure Spring Apps service, complete the following configurations: --### Configure Backend Pool --1. Specify **Target type** as *IP address* or *FQDN*. -1. Enter your Azure Spring Apps public endpoints. -- :::image type="content" source="media/how-to-integrate-azure-load-balancers/app-gateway-1.png" alt-text="Screenshot of the Azure portal that shows the Add backend pool page with the Backend targets values highlighted." lightbox="media/how-to-integrate-azure-load-balancers/app-gateway-1.png"::: --### Add Custom Probe --1. Select **Health Probes** then **Add** to open custom **Probe** dialog. -1. The key point is to select **No** for **Pick host name from backend HTTP settings** option and explicitly specify the host name. For more information, see [Application Gateway configuration for host name preservation](/azure/architecture/best-practices/host-name-preservation#application-gateway). -- :::image type="content" source="media/how-to-integrate-azure-load-balancers/app-gateway-2.png" alt-text="Screenshot of the Azure portal that shows the probe page." lightbox="media/how-to-integrate-azure-load-balancers/app-gateway-2.png"::: --### Configure Backend Setting --1. Select **Backend settings** then **Add** to add a backend setting. -1. **Override with new host name:** select **No**. -1. **Use custom probe**: select **Yes** and pick the custom probe created above. -- :::image type="content" source="media/how-to-integrate-azure-load-balancers/app-gateway-3.png" alt-text="Screenshot of the Azure portal that shows the Add Backend setting page." lightbox="media/how-to-integrate-azure-load-balancers/app-gateway-3.png"::: --## Integrate Azure Spring Apps with Azure Front Door --To integrate with Azure Spring Apps service and configure an origin group, use the following steps: --1. **Add origin group**. -1. Specify the backend endpoints by adding origins for the different Azure Spring Apps instances. -- :::image type="content" source="media/how-to-integrate-azure-load-balancers/front-door-1.png" alt-text="Screenshot of the Azure portal that shows the Add an origin group page with the Add an origin button highlighted." lightbox="media/how-to-integrate-azure-load-balancers/front-door-1.png"::: --1. Specify **origin type** as *Azure Spring Apps*. -1. Select your Azure Spring Apps instance for the **host name**. -1. Keep the **origin host header** empty, so that the incoming host header will be used towards the backend. For more information, see [Azure Front Door configuration for host name preservation](/azure/architecture/best-practices/host-name-preservation#azure-front-door). -- :::image type="content" source="media/how-to-integrate-azure-load-balancers/front-door-2.png" alt-text="Screenshot of the Azure portal that shows the Add an origin page." lightbox="media/how-to-integrate-azure-load-balancers/front-door-2.png"::: --## Next steps --* [How to create a traffic manager](../traffic-manager/quickstart-create-traffic-manager-profile.md) -* [How to create an application gateway](../application-gateway/quick-create-portal.md) -* [How to create a front door](../frontdoor/quickstart-create-front-door.md) |
spring-apps | How To Launch From Source | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-launch-from-source.md | - Title: How to Deploy Spring Boot applications from Azure CLI -description: In this quickstart, learn how to launch your application in Azure Spring Apps directly from your source code --- Previously updated : 11/12/2021-----# How to Deploy Spring Boot applications from Azure CLI --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Java ❌ C# --**This article applies to:** ✔️ Basic/Standard ❌️ Enterprise --Azure Spring Apps enables Spring Boot applications on Azure. --You can launch applications directly from Java source code or from a pre-built JAR. This article explains the deployment procedures. --## Prerequisites --Before you begin, ensure that your Azure subscription has the required dependencies: --1. [Install Git](https://git-scm.com/) -2. [Install JDK 8](https://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html) -3. [Install Maven 3.0 or above](https://maven.apache.org/download.cgi) -4. [Install the Azure CLI](/cli/azure/install-azure-cli) -5. [Sign up for an Azure subscription](https://azure.microsoft.com/free/) --> [!TIP] -> The Azure Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled, including the latest versions of Git, JDK, Maven, and the Azure CLI. If you are logged in to your Azure subscription, launch your [Azure Cloud Shell](https://shell.azure.com) from shell.azure.com. You can learn more about Azure Cloud Shell by [reading our documentation](../cloud-shell/overview.md) --## Install the Azure CLI extension --Install the Azure Spring Apps extension for the Azure CLI with the following command --```azurecli -az extension add --name spring -``` --## Provision a service instance using the Azure CLI --Sign in to the Azure CLI and choose your active subscription. --```azurecli -az login -az account list -o table -az account set --subscription <subscription-id> -``` --Create a resource group to contain your service in Azure Spring Apps. You can learn more about [Azure Resource Groups](../azure-resource-manager/management/overview.md). --```azurecli -az group create --location eastus --name <resource-group-name> -``` --Run the following commands to provision an instance of Azure Spring Apps. Prepare a name for your service in Azure Spring Apps. The name must be between 4 and 32 characters and can contain only lowercase letters, numbers, and hyphens. The first character of the service name must be a letter and the last character must be either a letter or a number. --```azurecli -az spring create --resource-group <resource-group-name> --name <resource-name> -``` --The service instance will take about five minutes to deploy. --Set your default resource group name and Azure Spring Apps instance name using the following commands: --```azurecli -az config set defaults.group=<service-group-name> -az config set defaults.spring=<service-instance-name> -``` --## Create the application in Azure Spring Apps --The following command creates an application in Azure Spring Apps in your subscription. This creates an empty service to which you can upload your application. --```azurecli -az spring app create --name <app-name> -``` --## Deploy your Spring Boot application --You can deploy your application from a pre-built JAR or from a Gradle or Maven repository. Find instructions for each case below. --### Deploy a pre-built JAR --To deploy from a JAR built on your local machine, ensure that your build produces a [fat-JAR](https://docs.spring.io/spring-boot/docs/current/reference/html/howto-build.html#howto-create-an-executable-jar-with-maven). --To deploy the fat-JAR to an active deployment --```azurecli -az spring app deploy --name <app-name> --artifact-path <path-to-fat-JAR> -``` --To deploy the fat-JAR to a specific deployment --```azurecli -az spring app deployment create --app <app-name> \ - --name <deployment-name> \ - --artifact-path <path-to-fat-JAR> -``` --### Deploy from source code --Azure Spring Apps uses [kpack](https://github.com/pivotal/kpack) to build your project. You can use Azure CLI to upload your source code, build your project using kpack, and deploy it to the target application. --> [!WARNING] -> The project must produce only one JAR file with a `main-class` entry in the `MANIFEST.MF` in `target` (for Maven deployments) or `build/libs` (for Gradle deployments). Multiple JAR files with `main-class` entries will cause the deployment to fail. --For single module Maven / Gradle projects: --```azurecli -cd <path-to-maven-or-gradle-source-root> -az spring app deploy --name <app-name> --source-path -``` --For Maven / Gradle projects with multiple modules, repeat for each module: --```azurecli -cd <path-to-maven-or-gradle-source-root> -az spring app deploy --name <app-name> --source-path \ - --target-module <relative-path-to-module> -``` --### Show deployment logs --Review the kpack build logs using the following command: --```azurecli -az spring app show-deploy-log --name <app-name> -``` --> [!NOTE] -> The kpack logs will only show the latest deployment if that deployment was built from source using kpack. --## Assign a public endpoint to an application --1. Open the **Apps** pane to view apps for your service instance. -2. Select an application to view its **Overview** page. -3. Select **Assign endpoint** to assign a public endpoint to the application. This process can take a few minutes. -4. Copy the URL from the **Overview** page and paste it into your browser to view running application. --## Next steps --[Quickstart: Monitoring Azure Spring Apps with logs, metrics, and tracing](quickstart-logs-metrics-tracing.md) --More samples are available on GitHub: [Azure Spring Apps Samples](https://github.com/Azure-Samples/azure-spring-apps-samples). |
spring-apps | How To Log Streaming | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-log-streaming.md | - Title: Stream Azure Spring Apps application console logs in real time -description: Describes how to use log streaming to view application logs in real time ---- Previously updated : 08/10/2022----# Stream Azure Spring Apps application console logs in real time --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Java ✔️ C# --**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise --This article describes how to enable log streaming in the Azure CLI to get real-time application console logs for troubleshooting. You can also use diagnostics settings to analyze diagnostics data in Azure Spring Apps. For more information, see [Analyze logs and metrics with diagnostics settings](./diagnostic-services.md). --For streaming logs of managed components in Azure Spring Apps, see [Stream Azure Spring Apps managed component logs in real time](./how-to-managed-component-log-streaming.md). --## Prerequisites --- [Azure CLI](/cli/azure/install-azure-cli) with the Azure Spring Apps extension, version 1.0.0 or higher. You can install the extension by using the following command: `az extension add --name spring`-- An instance of Azure Spring Apps with a running application. For more information, see [Quickstart: Deploy your first application to Azure Spring Apps](./quickstart.md).--## Use the Azure CLI to produce tail logs --This section provides examples of using the Azure CLI to produce tail logs. To avoid repeatedly specifying your resource group and service instance name, use the following commands to set your default resource group name and cluster name: --```azurecli -az config set defaults.group=<service-group-name> -az config set defaults.spring=<service-instance-name> -``` --The resource group and service name are omitted in the following examples. --### View the tail log for an app with a single instance --If an app named `auth-service` has only one instance, you can view the log of the app instance with the following command: --```azurecli -az spring app logs --name <application-name> -``` --The command returns logs similar to the following examples, where `auth-service` is the application name. --```output -... -2020-01-15 01:54:40.481 INFO [auth-service,,,] 1 [main] o.apache.catalina.core.StandardService : Starting service [Tomcat] -2020-01-15 01:54:40.482 INFO [auth-service,,,] 1 [main] org.apache.catalina.core.StandardEngine : Starting Servlet engine: [Apache Tomcat/9.0.22] -2020-01-15 01:54:40.760 INFO [auth-service,,,] 1 [main] o.a.c.c.C.[Tomcat].[localhost].[/uaa] : Initializing Spring embedded WebApplicationContext -2020-01-15 01:54:40.760 INFO [auth-service,,,] 1 [main] o.s.web.context.ContextLoader : Root WebApplicationContext: initialization completed in 7203 ms --... -``` --### View the tail log for an app with multiple instances --If multiple instances exist for the app named `auth-service`, you can view the instance log by using the `-i/--instance` option. --First, run the following command to get the app instance names: --```azurecli -az spring app show --name auth-service --query properties.activeDeployment.properties.instances --output table -``` --The command produces results similar to the following output: --```output -Name Status DiscoveryStatus -- -- ---auth-service-default-12-75cc4577fc-pw7hb Running UP -auth-service-default-12-75cc4577fc-8nt4m Running UP -auth-service-default-12-75cc4577fc-n25mh Running UP -``` --Then, you can stream logs of an app instance using the `-i/--instance` option, as follows: --```azurecli -az spring app logs --name auth-service --instance auth-service-default-12-75cc4577fc-pw7hb -``` --You can also get details of app instances from the Azure portal. After selecting **Apps** in the left navigation pane of your Azure Spring Apps service, select **App Instances**. --### Continuously stream new logs --By default, `az spring app logs` prints only existing logs streamed to the app console and then exits. If you want to stream new logs, add the `-f/--follow` argument, as shown in the following example: --```azurecli -az spring app logs --name auth-service --follow -``` --When you use the `--follow` argument to tail instant logs, the Azure Spring Apps log streaming service sends heartbeat logs to the client every minute unless your application is writing logs constantly. Heartbeat log messages use the following format: `2020-01-15 04:27:13.473: No log from server`. --Use the following command to check all the logging options that are supported: --```azurecli -az spring app logs --help -``` --### Format JSON structured logs --> [!NOTE] -> Formatting JSON structured logs requires spring extension version 2.4.0 or later. --Structured application logs are displayed in JSON format, which can be difficult to read. You can use the `--format-json` argument to format logs in JSON format into a more readable format. For more information, see [Structured application log for Azure Spring Apps](./structured-app-log.md). --The following example shows how to use the `--format-json` argument: --```azurecli -# Raw JSON log -$ az spring app logs --name auth-service -{"timestamp":"2021-05-26T03:35:27.533Z","logger":"com.netflix.discovery.DiscoveryClient","level":"INFO","thread":"main","mdc":{},"message":"Disable delta property : false"} -{"timestamp":"2021-05-26T03:35:27.533Z","logger":"com.netflix.discovery.DiscoveryClient","level":"INFO","thread":"main","mdc":{},"message":"Single vip registry refresh property : null"} --# Formatted JSON log -$ az spring app logs --name auth-service --format-json -2021-05-26T03:35:27.533Z INFO [ main] com.netflix.discovery.DiscoveryClient : Disable delta property : false -2021-05-26T03:35:27.533Z INFO [ main] com.netflix.discovery.DiscoveryClient : Single vip registry refresh property : null -``` --The `--format-json` argument also accepts an optional customized format using format string syntax. For more information, see [Format String Syntax](https://docs.python.org/3/library/string.html#format-string-syntax). --The following example shows how to use format string syntax: --```azurecli -# Custom format -$ az spring app logs --name auth-service --format-json="{message}{n}" -Disable delta property : false -Single vip registry refresh property : null -``` --> The default format being used is: -> -> ```format -> {timestamp} {level:>5} [{thread:>15.15}] {logger{39}:<40.40}: {message}{n}{stackTrace} -> ``` --## Stream an Azure Spring Apps app log in a virtual network injection instance --For an Azure Spring Apps instance deployed in a custom virtual network, you can access log streaming by default from a private network. For more information, see [Deploy Azure Spring Apps in a virtual network](./how-to-deploy-in-azure-virtual-network.md) --Azure Spring Apps also enables you to access real-time app logs from a public network using Azure portal or the Azure CLI. --> [!NOTE] -> Enabling the log streaming endpoint on the public network adds a public inbound IP to your virtual network. Be sure to use caution if this is a concern for you. --### [Azure portal](#tab/azure-portal) --Use the following steps to enable a log streaming endpoint on the public network: --1. Select the Azure Spring Apps service instance deployed in your virtual network and then select **Networking** in the navigation menu. --1. Select the **Vnet injection** tab. --1. Switch the status of **Dataplane resources on public network** to **enable** to enable a log streaming endpoint on the public network. This process takes a few minutes. -- :::image type="content" source="media/how-to-log-streaming/dataplane-public-endpoint.png" alt-text="Screenshot of the Azure portal that shows the Networking page with the Vnet injection tab selected and the Troubleshooting section highlighted." lightbox="media/how-to-log-streaming/dataplane-public-endpoint.png"::: --#### [Azure CLI](#tab/azure-CLI) --Use the following command to enable the log stream public endpoint: --```azurecli -az spring update \ - --resource-group <resource-group-name> \ - --service <service-instance-name> \ - --enable-dataplane-public-endpoint true -``` ----After you enable the log stream public endpoint, you can access the app log from a public network just like you would access a normal instance. --## Secure traffic to the log streaming public endpoint --Log streaming uses the same key as the test endpoint described in [Set up a staging environment in Azure Spring Apps](./how-to-staging-environment.md) to authenticate the connections to your deployments. As a result, only users who have read access to the test keys can access log streaming. --To ensure the security of your applications when you expose a public endpoint for them, secure the endpoint by filtering network traffic to your service with a network security group. For more information, see [Tutorial: Filter network traffic with a network security group using the Azure portal](../virtual-network/tutorial-filter-network-traffic.md). A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol. --> [!NOTE] -> If you can't access app logs in the virtual network injection instance from the internet after you enable a log stream public endpoint, check your network security group to see whether you allowed such inbound traffic. --The following table shows an example of a basic rule that we recommend. You can use commands like `nslookup` with the endpoint `<service-name>.private.azuremicroservices.io` to get the target IP address of a service. --| Priority | Name | Port | Protocol | Source | Destination | Action | -|-|--||-|-|--|--| -| 100 | Rule name | 80 | TCP | Internet | Service IP address | Allow | -| 110 | Rule name | 443 | TCP | Internet | Service IP address | Allow | --## Next steps --- [Quickstart: Monitoring Azure Spring Apps apps with logs, metrics, and tracing](./quickstart-logs-metrics-tracing.md)-- [Analyze logs and metrics with diagnostics settings](./diagnostic-services.md)-- [Stream Azure Spring Apps managed component logs in real time](./how-to-managed-component-log-streaming.md) |
spring-apps | How To Managed Component Log Streaming | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-managed-component-log-streaming.md | - Title: Stream Azure Spring Apps managed component logs in real time -description: Learn how to use log streaming to view managed component logs in real time. ---- Previously updated : 01/10/2024----# Stream Azure Spring Apps managed component logs in real time --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ❌ Basic/Standard ✔️ Enterprise --This article describes how to use the Azure CLI to get real-time logs of managed components for troubleshooting. You can also use diagnostics settings to analyze diagnostics data in Azure Spring Apps. For more information, see [Analyze logs and metrics with diagnostics settings](./diagnostic-services.md). --For streaming logs of applications in Azure Spring Apps, see [Stream Azure Spring Apps application console logs in real time](./how-to-log-streaming.md). --## Prerequisites --- [Azure CLI](/cli/azure/install-azure-cli) with the Azure Spring Apps extension, version 1.19.0 or higher. You can install the extension by using the following command: `az extension add --name spring`.--## Supported managed components --The following table lists the managed components that are currently supported, along with their subcomponents: --| Managed component | Subcomponents | -|--|-| -| Application Configuration Service | `application-configuration-service` <br/> `flux-source-controller` (Supported in ACS Gen2 version) | -| Spring Cloud Gateway | `spring-cloud-gateway` <br/> `spring-cloud-gateway-operator` | --You can use the following command to list all subcomponents: --```azurecli -az spring component list - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> -``` --## Assign an Azure role --To stream logs of managed components, you must have the relevant Azure roles assigned to you. The following table lists the required roles and the operations for which these roles are granted permissions: --| Managed component | Required role | Operations | -|--||| -| Application Configuration Service | Azure Spring Apps Application Configuration Service Log Reader Role | `Microsoft.AppPlatform/Spring/ApplicationConfigurationService/logstream/action` | -| Spring Cloud Gateway | Azure Spring Apps Spring Cloud Gateway Log Reader Role | `Microsoft.AppPlatform/Spring/SpringCloudGateway/logstream/action` | --### [Azure portal](#tab/azure-Portal) --Use the following steps to assign an Azure role using the Azure portal: --1. Open the [Azure portal](https://portal.azure.com). --1. Open your Azure Spring Apps service instance. --1. In the navigation pane, select **Access Control (IAM)**. --1. On the **Access Control (IAM)** page, select **Add** and then select **Add role assignment**. -- :::image type="content" source="media/how-to-managed-component-log-streaming/add-role-assignment.png" alt-text="Screenshot of the Azure portal that shows the Access Control (IAM) page for an Azure Spring Apps instance with the Add role assignment option highlighted." lightbox="media/how-to-managed-component-log-streaming/add-role-assignment.png"::: --1. On the **Add role assignment** page, in the **Name** list, search for and select the target role and then select **Next**. -- :::image type="content" source="media/how-to-managed-component-log-streaming/application-configuration-service-log-reader-role.png" alt-text="Screenshot of the Azure portal that shows the Add role assignment page for an Azure Spring Apps instance with the Azure Spring Apps Application Configuration Service Log Reader Role name highlighted." lightbox="media/how-to-managed-component-log-streaming/application-configuration-service-log-reader-role.png"::: --1. Select **Members** and then search for and select your username. --1. Select **Review + assign**. --### [Azure CLI](#tab/azure-CLI) --Use the following command to assign an Azure role: -- ```azurecli - az role assignment create \ - --role "<Log-reader-role-for-managed-component>" \ - --scope "<service-instance-resource-id>" \ - --assignee "<your-identity>" - ``` ----## List all instances in a component --Use the following command to list all instances in a component: --```azurecli -az spring component instance list \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --component <component-name> -``` --For example, to list all instances for `flux-source-controller` in ACS Gen2 version, use the following command: --```azurecli -az spring component instance list \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --component flux-source-controller -``` --## View tail logs --This section provides examples of using the Azure CLI to produce tail logs. --### View tail logs for a specific instance --To view the tail logs for a specific instance, use the `az spring component logs` command with the `-i/--instance` argument, as shown in the next section. --#### View tail logs for an instance of application-configuration-service --Use the following command to view the tail logs for `application-configuration-service`: --```azurecli -az spring component logs \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name application-configuration-service \ - --instance <instance-name> -``` --For ACS Gen2, the command returns logs similar to the following example: --```output -... -2023-12-18T07:09:54.020Z INFO 16715 [main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat initialized with port(s): 8090 (https) -2023-12-18T07:09:54.116Z INFO 16715 [main] org.apache.juli.logging.DirectJDKLog : Starting service [Tomcat] -2023-12-18T07:09:54.117Z INFO 16715 [main] org.apache.juli.logging.DirectJDKLog : Starting Servlet engine: [Apache Tomcat/10.1.12] -2023-12-18T07:09:54.522Z INFO 16715 [main] org.apache.juli.logging.DirectJDKLog : Initializing Spring embedded WebApplicationContext -2023-12-18T07:09:54.524Z INFO 16715 [main] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 14100 ms -2023-12-18T07:09:56.920Z INFO 16715 [main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat started on port(s): 8090 (https) with context path '' -2023-12-18T07:09:57.528Z INFO 16715 [main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat initialized with port(s): 8081 (http) -2023-12-18T07:09:57.529Z INFO 16715 [main] org.apache.juli.logging.DirectJDKLog : Starting service [Tomcat] -2023-12-18T07:09:57.529Z INFO 16715 [main] org.apache.juli.logging.DirectJDKLog : Starting Servlet engine: [Apache Tomcat/10.1.12] -2023-12-18T07:09:57.629Z INFO 16715 [main] org.apache.juli.logging.DirectJDKLog : Initializing Spring embedded WebApplicationContext -2023-12-18T07:09:57.629Z INFO 16715 [main] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 603 ms -2023-12-18T07:09:57.824Z INFO 16715 [main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat started on port(s): 8081 (http) with context path '' -2023-12-18T07:09:58.127Z INFO 16715 [main] o.springframework.boot.StartupInfoLogger : Started ReconcilerApplication in 21.005 seconds (process running for 22.875) -... -``` --#### View tail logs for an instance of flux-source-controller --Use the following command to view the tail logs for `flux-source-controller`: --```azurecli -az spring component logs \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name flux-source-controller \ - --instance <instance-name> -``` --The command returns logs similar to the following example: --```output -... -{"level":"info","ts":"2023-12-18T07:07:54.615Z","logger":"controller-runtime.metrics","msg":"Metrics server is starting to listen","addr":":8080"} -{"level":"info","ts":"2023-12-18T07:07:54.615Z","logger":"setup","msg":"starting manager"} -{"level":"info","ts":"2023-12-18T07:07:54.615Z","msg":"Starting server","path":"/metrics","kind":"metrics","addr":"[::]:8080"} -{"level":"info","ts":"2023-12-18T07:07:54.615Z","msg":"Starting server","kind":"health probe","addr":"[::]:9440"} -{"level":"info","ts":"2023-12-18T07:07:54.817Z","logger":"runtime","msg":"attempting to acquire leader lease flux-system/source-controller-leader-election...\n"} -{"level":"info","ts":"2023-12-18T07:07:54.830Z","logger":"runtime","msg":"successfully acquired lease flux-system/source-controller-leader-election\n"} -... -``` --#### View tail logs for an instance of spring-cloud-gateway --Use the following command to view the tail logs for `spring-cloud-gateway`: --```azurecli -az spring component logs \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name spring-cloud-gateway \ - --instance <instance-name> -``` --The command returns logs similar to the following example: --```output -... -2023-12-11T14:13:40.310Z INFO 1 [ main] i.p.s.c.g.s.SsoDeactivatedConfiguration : SSO is deactivated, setting up default security filters -2023-12-11T14:13:40.506Z INFO 1 [ main] .h.HazelcastReactiveSessionConfiguration : Configuring Hazelcast as a session management storage -2023-12-11T14:13:51.008Z INFO 1 [ main] o.s.b.web.embedded.netty.NettyWebServer : Netty started on port 8443 -2023-12-11T14:13:51.810Z INFO 1 [ main] o.s.b.a.e.web.EndpointLinksResolver : Exposing 7 endpoint(s) beneath base path '/actuator' -2023-12-11T14:13:52.410Z INFO 1 [ main] o.s.b.web.embedded.netty.NettyWebServer : Netty started on port 8090 -2023-12-11T14:13:52.907Z INFO 1 [ main] i.p.s.c.g.r.h.HazelcastRateLimitsRemover : Removing Hazelcast map 'GLOBAL_RATE_LIMIT' with rate limit information -2023-12-11T14:13:52.912Z INFO 1 [ main] i.p.s.cloud.gateway.GatewayApplication : Started GatewayApplication in 36.084 seconds (process running for 38.651) -... -``` --#### View tail logs for an instance of spring-cloud-gateway-operator --Use the following command to view the tail logs for `spring-cloud-gateway-operator`: --```azurecli -az spring component logs \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name spring-cloud-gateway-operator \ - --instance <instance-name> -``` --The command returns logs similar to the following example: --```output -... -2023-12-01T08:37:05.080Z INFO 1 [ main] c.v.t.s.OperatorApplication : Starting OperatorApplication v2.0.6 using Java 17.0.7 with PID 1 (/workspace/BOOT-INF/classes started by cnb in /workspace) -2023-12-01T08:37:05.157Z INFO 1 [ main] c.v.t.s.OperatorApplication : No active profile set, falling back to 1 default profile: "default" -2023-12-01T08:37:14.379Z INFO 1 [ main] o.s.b.a.e.web.EndpointLinksResolver : Exposing 1 endpoint(s) beneath base path '/actuator' -2023-12-01T08:37:15.274Z INFO 1 [ main] o.s.b.web.embedded.netty.NettyWebServer : Netty started on port 8080 -2023-12-01T08:37:15.366Z INFO 1 [ main] c.v.t.s.OperatorApplication : Started OperatorApplication in 11.489 seconds (process running for 12.467) -... -``` ----### View tail logs for all instances in one command --To view the tail logs for all instances, use the `--all-instances` argument, as shown in the following command. The instance name is the prefix of each log line. When there are multiple instances, logs are printed in batch for each instance, so logs of one instance aren't interleaved with the logs of another instance. --```azurecli -az spring component logs \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name <component-name> \ - --all-instances -``` --## Stream new logs continuously --By default, `az spring component logs` prints only existing logs streamed to the console and then exits. If you want to stream new logs, add the `-f/--follow` argument. --When you use the `-f/--follow` option to tail instant logs, the Azure Spring Apps log streaming service sends heartbeat logs to the client every minute unless the component is writing logs constantly. Heartbeat log messages use the following format: `2023-12-18 09:12:17.745: No log from server`. --### Stream logs for a specific instance --Use the following command to stream logs for a specific instance: --```azurecli -az spring component logs \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name <component-name> \ - --instance <instance-name> \ - --follow -``` --### Stream logs for all instances --Use the following command to stream logs for all instances: --```azurecli -az spring component logs \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name <component-name> \ - --all-instances \ - --follow -``` --When you stream logs for multiple instances in a component, the logs of one instance interleave with logs of others. --## Stream logs in a virtual network injection instance --For an Azure Spring Apps instance deployed in a custom virtual network, you can access log streaming by default from a private network. For more information, see [Deploy Azure Spring Apps in a virtual network](./how-to-deploy-in-azure-virtual-network.md) --Azure Spring Apps also enables you to access real-time managed component logs from a public network. --> [!NOTE] -> Enabling the log streaming endpoint on the public network adds a public inbound IP to your virtual network. Be sure to use caution if this is a concern for you. --### [Azure portal](#tab/azure-Portal) --Use the following steps to enable a log streaming endpoint on the public network: --1. Select the Azure Spring Apps service instance deployed in your virtual network and then select **Networking** in the navigation menu. --1. Select the **Vnet injection** tab. --1. Switch the status of **Dataplane resources on public network** to **Enable** to enable a log streaming endpoint on the public network. This process takes a few minutes. -- :::image type="content" source="media/how-to-managed-component-log-streaming/dataplane-public-endpoint.png" alt-text="Screenshot of the Azure portal that shows the Networking page with the Vnet injection tab selected and the Troubleshooting section highlighted." lightbox="media/how-to-log-streaming/dataplane-public-endpoint.png"::: --#### [Azure CLI](#tab/azure-CLI) --Use the following command to enable the log stream public endpoint. --```azurecli -az spring update \ - --resource-group <resource-group-name> \ - --service <service-instance-name> \ - --enable-dataplane-public-endpoint true -``` ----After you enable the log stream public endpoint, you can access the managed component logs from a public network just like you would access a normal instance. --## Secure traffic to the log streaming public endpoint --Log streaming for managed components uses Azure RBAC to authenticate the connections to the components. As a result, only users who have the proper roles can access the logs. --To ensure the security of your managed components when you expose a public endpoint for them, secure the endpoint by filtering network traffic to your service with a network security group. For more information, see [Tutorial: Filter network traffic with a network security group using the Azure portal](../virtual-network/tutorial-filter-network-traffic.md). A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol. --> [!NOTE] -> If you can't access managed component logs in the virtual network injection instance from the internet after you enable a log stream public endpoint, check your network security group to see whether you've allowed such inbound traffic. --The following table shows an example of a basic rule that we recommend. You can use commands like `nslookup` with the endpoint `<service-name>.private.azuremicroservices.io` to get the target IP address of a service. --| Priority | Name | Port | Protocol | Source | Destination | Action | -|-|--||-|-|--|--| -| 100 | Rule name | 80 | TCP | Internet | Service IP address | Allow | -| 110 | Rule name | 443 | TCP | Internet | Service IP address | Allow | --## Next steps --- [Troubleshoot VMware Spring Cloud Gateway](./how-to-troubleshoot-enterprise-spring-cloud-gateway.md)-- [Use Application Configuration Service](./how-to-enterprise-application-configuration-service.md)-- [Stream Azure Spring Apps application console logs in real time](./how-to-log-streaming.md) |
spring-apps | How To Migrate Standard Tier To Enterprise Tier | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-migrate-standard-tier-to-enterprise-tier.md | - Title: How to migrate an Azure Spring Apps Basic or Standard plan instance to the Enterprise plan- -description: Shows you how to migrate an Azure Spring Apps Basic or Standard plan instance to Enterprise plan. ---- Previously updated : 6/20/2023----# Migrate an Azure Spring Apps Basic or Standard plan instance to the Enterprise plan --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise --This article shows you how to migrate an existing application in the Basic or Standard plan to the Enterprise plan. When you migrate from the Basic or Standard plan to the Enterprise plan, VMware Tanzu components replace the open-source software (OSS) Spring Cloud components to provide more feature support. --This article uses the Pet Clinic sample apps as examples of how to migrate. --## Prerequisites --- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.-- [Azure CLI](/cli/azure/install-azure-cli) version 2.45.0 or higher.-- [!INCLUDE [install-enterprise-extension](includes/install-enterprise-extension.md)]-- [Git](https://git-scm.com/downloads).--## Provision a service instance --In the Azure Spring Apps Enterprise plan, VMware Tanzu components replace the OSS Spring Cloud components to provide more feature support. Tanzu components are enabled on demand according to your needs. You must enable the components you need before creating the Azure Spring Apps service instance. --> [!NOTE] -> To use Tanzu Components, you must enable them when you provision your Azure Spring Apps service instance. You can't enable them after provisioning at this time. --Use the following steps to provision an Azure Spring Apps service instance: --### [Azure portal](#tab/azure-portal) --1. Open the [Azure portal](https://portal.azure.com/). -1. In the top search box, search for *Azure Spring Apps*. -1. Select **Azure Spring Apps** from the results and then select **Create**. -1. On the **Create Azure Spring Apps** page, set your **Subscription**, **Resource group**, and **Name** for the instance. -1. For **Plan** in **Service Details**, select **Change**. -- :::image type="content" source="media/how-to-migrate-standard-tier-to-enterprise-tier/change-plan.png" alt-text="Screenshot of the Azure portal Azure Spring Apps creation page with the Change button highlighted in the plan section." lightbox="media/how-to-migrate-standard-tier-to-enterprise-tier/change-plan.png"::: --1. On the **Choose your plan** page, select the **Enterprise** row in the table, and then select **Select**. -- :::image type="content" source="media/how-to-migrate-standard-tier-to-enterprise-tier/choose-enterprise-tier.png" alt-text="Screenshot of the Azure portal Azure Spring Apps creation page with Basics section and 'Choose your pricing tier' pane showing." lightbox="media/how-to-migrate-standard-tier-to-enterprise-tier/choose-enterprise-tier.png"::: --1. Back on the **Create Azure Spring Apps** page, select **Terms** to agree to the legal terms and privacy statements of the Enterprise plan offering in the Azure Marketplace. --1. Select **Next: VMware Tanzu settings**. --1. On the **VMWare Tanzu settings** tab, scroll through the list to review the Tanzu components. All components are enabled by default. -- :::image type="content" source="media/how-to-migrate-standard-tier-to-enterprise-tier/create-instance-tanzu-settings-public-preview.png" alt-text="Screenshot of the Azure portal Azure Spring Apps creation page with V M ware Tanzu Settings section showing." lightbox="media/how-to-migrate-standard-tier-to-enterprise-tier/create-instance-tanzu-settings-public-preview.png"::: -- > [!NOTE] - > Carefully consider which Tanzu components you want to use or enable during the provisioning phase. After provisioning the Azure Spring Apps instance, you can't enable or disable Tanzu components. --1. Select the **Application Insights** tab and then select **Enable Application Insights**. Review the following settings: -- - **Enable Application Insights** should be selected. - - Choose an existing Application Insights instance or create a new Application Insights instance. - - Enter a **Sampling rate** in the range of 0-100, or use the default value 10. -- You can also enable Application Insights after you provision the Azure Spring Apps instance. For more information about Application Insights pricing, see the [Application Insights billing](../azure-monitor/logs/cost-logs.md#application-insights-billing) section of [Azure Monitor Logs cost calculations and options](../azure-monitor/logs/cost-logs.md). -- > [!NOTE] - > You'll pay for the usage of Application Insights when integrated with Azure Spring Apps. --1. Select **Review and create** and wait for validation to complete, then select **Create** to start provisioning the service instance. --It takes about 5 minutes to finish the resource provisioning. --### [Azure CLI](#tab/azure-cli) --1. Use the following command to update Azure CLI with the Azure Spring Apps extension: -- ```azurecli - az extension add --upgrade --name spring - ``` --1. Use the following commands to sign in to the Azure CLI and choose your active subscription: -- ```azurecli - az login - az account list --output table - az account set --subscription <subscription-ID> - ``` --1. Use the following command to accept the legal terms and privacy statements for the Enterprise plan. This step is required only the first time you create an Azure Spring Apps instance on the Enterprise plan. -- ```azurecli - az provider register --namespace Microsoft.SaaS - az term accept --publisher vmware-inc --product azure-spring-cloud-vmware-tanzu-2 --plan asa-ent-hr-mtr - ``` --1. Create a name for your Azure Spring Apps service instance. The name must be between 4 and 32 characters long and can only contain lowercase letters, numbers, and hyphens. The first character of the service name must be a letter and the last character must be either a letter or a number. --1. Use the following command to create a resource group and an Azure Spring Apps service instance: -- ```azurecli - az spring create \ - --resource-group <resource-group-name> \ - --name <Azure-Spring-Apps-service-instance-name> \ - --sku enterprise - ``` -- For more information about resource groups, see [What is Azure Resource Manager?](../azure-resource-manager/management/overview.md). ----## Create and configure apps --The app creation steps are the same as Standard plan. --1. Use the following command to set Azure CLI defaults. Be sure to replace the placeholders with your own values. -- ```azurecli - az config set defaults.group=<resource-group-name> - az config set defaults.spring=<Azure-Spring-Apps-service-instance-name> - ``` --1. Use the following commands to create the two core applications for PetClinic, `api-gateway` and `customers-service`: -- ```azurecli - az spring app create --name api-gateway --instance-count 1 --memory 2Gi --assign-endpoint - az spring app create --name customers-service --instance-count 1 --memory 2Gi - ``` --## Use Application Configuration Service for external configuration --For externalized configuration in a distributed system, managed Spring Cloud Config Server (OSS) is available only in the Basic and Standard plans. In the Enterprise plan, Application Configuration Service for Tanzu provides similar functions for your apps. The following table describes some differences in usage between the OSS config server and Application Configuration Service. --| Component | Support plans | Enabled | Bind to app | Profile | -||-|-|-|--| -| Spring Cloud Config Server | Basic/Standard | Always enabled. | Auto bound | Configured in app's source code. | -| Application Configuration Service for Tanzu | Enterprise | Enable on demand. | Manual bind | Provided as `config-file-pattern` in an Azure Spring Apps deployment. | --Unlike the client-server mode in the OSS config server, Application Configuration Service manages configuration by using the Kubernetes-native `ConfigMap`, which is populated from properties defined in backend Git repositories. Application Configuration Service can't get the active profile configured in the app's source code to match the right configuration, so the explicit configuration `config-file-pattern` should be specified at the Azure Spring Apps deployment level. --## Configure Application Configuration Service for Tanzu --Follow these steps to use Application Configuration Service for Tanzu as a centralized configuration service. --### [Azure portal](#tab/azure-portal) --1. In your Azure Spring Apps Enterprise instance, select **Application Configuration Service** in the navigation pane. View the running state and resources allocated to Application Configuration Service for Tanzu. -- :::image type="content" source="./media/how-to-migrate-standard-tier-to-enterprise-tier/config-service-overview.png" alt-text="Screenshot of the Azure portal showing the Overview tab of the Application Configuration Service page." lightbox="./media/how-to-migrate-standard-tier-to-enterprise-tier/config-service-overview.png"::: --1. Select **Settings** and complete the form in **Repositories** to add a new entry with the following information: -- - Name: `default` - - Patterns: `api-gateway,customers-service` - - URI: `https://github.com/Azure-Samples/spring-petclinic-microservices-config` - - Label: `master` -- :::image type="content" source="./media/how-to-migrate-standard-tier-to-enterprise-tier/config-service-settings.png" alt-text="Screenshot of the Azure portal showing the Settings tab of the Application Configuration Service page." lightbox="./media/how-to-migrate-standard-tier-to-enterprise-tier/config-service-settings.png"::: --1. Select **Validate** to validate access to the target URI. --1. After validation completes successfully, select **Apply** to update the configuration settings. --### [Azure CLI](#tab/azure-cli) --Use the following command to set the default repository: --```azurecli -az spring application-configuration-service git repo add \ - --name default \ - --patterns api-gateway,customers-service \ - --uri https://github.com/Azure-Samples/spring-petclinic-microservices-config.git \ - --label master -``` ----## Bind applications to Application Configuration Service for Tanzu --When you use Application Configuration Service for Tanzu with a Git backend, you must bind the app to Application Configuration Service for Tanzu. After binding the app, you'll need to configure which pattern is used by the app. Use the following steps to bind and configure the pattern for the app. --### [Azure portal](#tab/azure-portal) --Use the following steps to bind apps to Application Configuration Service for VMware Tanzu. --1. In your Azure Spring Apps Enterprise instance, select **Application Configuration Service** in the navigation pane. --1. Select **App binding** and then select **Bind app**. -- :::image type="content" source="./media/how-to-migrate-standard-tier-to-enterprise-tier/config-bind-app.png" alt-text="Screenshot of the Azure portal showing the App binding tab of the Application Configuration Service page and the Bind app dropdown menu showing." lightbox="./media/how-to-migrate-standard-tier-to-enterprise-tier/config-bind-app.png"::: --1. Select an app in the dropdown menu and then select **Apply** to bind the application to Application Configuration Service for Tanzu. --### [Azure CLI](#tab/azure-cli) --Use the following commands to bind apps to Application Configuration Service for VMware Tanzu and VMware Tanzu Service Registry: --```azurecli -az spring application-configuration-service bind --app api-gateway -az spring application-configuration-service bind --app customers-service -``` ----For more information, see [Use Application Configuration Service for Tanzu](./how-to-enterprise-application-configuration-service.md). --## Using Service Registry for Tanzu --[Service Registry](https://docs.vmware.com/en/Spring-Cloud-Services-for-VMware-Tanzu/3.1/spring-cloud-services/GUID-service-registry-https://docsupdatetracker.net/index.html) is one of the proprietary VMware Tanzu components. It provides your apps with an implementation of the Service Discovery pattern, one of the key concepts of a microservice-based architecture. In the Enterprise plan, Service Registry for Tanzu provides service registry and discover support for your apps. Managed Spring Cloud Eureka is available only in the Basic and Standard plan and isn't available in the Enterprise plan. --| Component | Standard plan | Enterprise plan | -||-|--| -| Service Registry | OSS eureka <br> Auto bound (always injection) <br>Always provisioned | Service Registry for Tanzu <br> Needs manual binding to app <br> Enable on demand | --## Bind an application to Tanzu Service Registry --To bind apps to Application Configuration Service for VMware Tanzu, follow these steps. --### [Azure portal](#tab/azure-portal) --1. In your Azure Spring Apps Enterprise instance, select **Service Registry**. --1. Select **App binding**. Currently bound apps appear under **App name**. --1. Select **Bind app**. --1. Select an app in the dropdown menu and then select **Apply** to bind the application to Tanzu Service Registry. -- :::image type="content" source="media/how-to-migrate-standard-tier-to-enterprise-tier/service-reg-app-bind-dropdown.png" alt-text="Screenshot of the Azure portal Azure Spring Apps with Service Registry page and 'Bind app' dialog showing." lightbox="media/how-to-migrate-standard-tier-to-enterprise-tier/service-reg-app-bind-dropdown.png"::: --### [Azure CLI](#tab/azure-cli) --Use the following commands to bind apps to Application Configuration Service for VMware Tanzu and VMware Tanzu Service Registry: --```azurecli -az spring service-registry bind --app api-gateway -az spring service-registry bind --app customers-service -``` ----> [!NOTE] -> When you change the bind/unbind status, you must restart or redeploy the app to make the change take effect. --For more information, see [Use Tanzu Service Registry](./how-to-enterprise-service-registry.md). --## Build and deploy applications --In the Enterprise plan, Tanzu Build Service is used to build apps. It provides more features like polyglot apps to deploy from artifacts such as source code and zip files. --To use Tanzu Build Service, you need to specify a resource for build task and builder to use. You can also specify the `--build-env` parameter to set build environments. --If the app binds with Application Configuration Service for Tanzu, you need specify an extra argument `—config-file-pattern`. --For more information, see [Use Tanzu Build Service](how-to-enterprise-build-service.md). --## Build applications locally --Use the following steps to build locally: --1. Use the following commands to clone the sample app repository in your Azure account, change the directory, and build the project: -- ```bash - git clone -b enterprise https://github.com/azure-samples/spring-petclinic-microservices - cd spring-petclinic-microservices - mvn clean package -DskipTests - ``` -- Compiling the project can take several minutes. When complete, you have individual JAR files for each service in its respective folder. --1. Use the following commands to deploy the JAR files built in the previous step: -- ```azurecli - az spring app deploy \ - --name api-gateway \ - --artifact-path spring-petclinic-api-gateway/target/spring-petclinic-api-gateway-2.3.6.jar \ - --config-file-patterns api-gateway - az spring app deploy \ - --name customers-service \ - --artifact-path spring-petclinic-customers-service/target/spring-petclinic-customers-service-2.3.6.jar \ - --config-file-patterns customers-service - ``` --1. Use the following command to query the application status after deployment: -- ```azurecli - az spring app list --output table - ``` -- This command produces output similar to the following example: -- ```output - Name Location ResourceGroup Public Url Production Deployment Provisioning State CPU Memory Running Instance Registered Instance Persistent Storage Bind Service Registry Bind Application Configuration Service - -- - -- -- -- -- -- -- - - api-gateway eastus <resource group> https://<service_name>-api-gateway.asc-test.net default Succeeded 1 2Gi 1/1 1/1 - True True - customers-service eastus <resource group> default Succeeded 1 2Gi 1/1 1/1 - True True - ``` --## Use Application Insights --The Azure Spring Apps Enterprise plan uses buildpack bindings to integrate [Application Insights](../azure-monitor/app/app-insights-overview.md) with the type `ApplicationInsights` instead of In-Process Agent. For more information, see [How to configure APM integration and CA certificates](how-to-enterprise-configure-apm-integration-and-ca-certificates.md). --The following table lists the APM providers available the plans. --| Standard plan | Enterprise plan | -|--|| -| Application insight <br> New Relic <br> Dynatrace <br> AppDynamics | Application insight <br> New Relic <br> Dynatrace <br> AppDynamics <br> ElasticAPM | --### [Azure portal](#tab/azure-portal) --To check or update the current settings in Application Insights, use the following steps: --1. In your Azure Spring Apps Enterprise instance, select **Application Insights**. -1. Enable or disable Application Insights by selecting **Edit binding** or **Unbind binding**. -- :::image type="content" source="media/how-to-migrate-standard-tier-to-enterprise-tier/application-insights-binding-enable.png" alt-text="Screenshot of the Azure portal Application Insights page with the Edit binding option dropdown menu showing." lightbox="media/how-to-migrate-standard-tier-to-enterprise-tier/application-insights-binding-enable.png"::: --1. Select **Edit binding**. Edit the binding settings and then select **Save**. -- :::image type="content" source="media/how-to-migrate-standard-tier-to-enterprise-tier/application-insights-edit-binding.png" alt-text="Screenshot of the Azure portal 'Edit binding' pane." lightbox="media/how-to-migrate-standard-tier-to-enterprise-tier/application-insights-edit-binding.png"::: --### [Azure CLI](#tab/azure-cli) --The following commands show you how to check or update the current settings in Application Insights. --Use the following command to create an Application Insights buildpack binding: --```azurecli -az spring build-service builder buildpack-binding create \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name <your-binding-name> \ - --builder-name <your-builder-name> \ - --type ApplicationInsights \ - --properties sampling-percentage=<your-sampling-percentage> \ - connection-string=<your-connection-string> -``` --Use the following command to list all buildpack bindings, and find Application Insights bindings for the type `ApplicationInsights`: --```azurecli -az spring build-service builder buildpack-binding list \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --builder-name <your-builder-name> -``` --Use the following command to replace an Application Insights buildpack binding: --```azurecli -az spring build-service builder buildpack-binding set \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name <your-binding-name> \ - --builder-name <your-builder-name> \ - --type ApplicationInsights \ - --properties sampling-percentage=<your-sampling-percentage> \ - connection-string=<your-connection-string> -``` --Use the following command to get an Application Insights buildpack binding: --```azurecli -az spring build-service builder buildpack-binding show \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name <your-binding-name> \ - --builder-name <your-builder-name> \ -``` --Use the following command to delete an Application Insights buildpack binding: --```azurecli -az spring build-service builder buildpack-binding delete \ - --resource-group <your-resource-group-name> \ - --service <your-service-instance-name> \ - --name <your-binding-name> \ - --builder-name <your-builder-name> \ -``` --For more information, see [Use Application Insights Java In-Process Agent in Azure Spring Apps](./how-to-application-insights.md). ----## Next steps --- [Azure Spring Apps](index.yml)-- [Use API portal for VMware Tanzu](./how-to-use-enterprise-api-portal.md)-- [Use Spring Cloud Gateway](./how-to-use-enterprise-spring-cloud-gateway.md) |
spring-apps | How To Move Across Regions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-move-across-regions.md | - Title: Move an Azure Spring Apps service instance to another region -description: Learn how to move an Azure Spring Apps service instance to another region. ---- Previously updated : 01/27/2022----# Move an Azure Spring Apps service instance to another region --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise --This article shows you how to move your Azure Spring Apps service instance to another region. Moving your instance is useful, for example, as part of a disaster recovery plan or to create a duplicate testing environment. --You can't move an Azure Spring Apps instance from one region to another directly, but you can use an Azure Resource Manager template (ARM template) to deploy your instance to a new region. For more information about using Azure Resource Manager and templates, see [Quickstart: Create and deploy ARM templates by using the Azure portal](../azure-resource-manager/templates/quickstart-create-templates-use-the-portal.md). --Before you move your service instance, consider the following limitations: --- Different feature sets are supported by different pricing plans (SKUs). If you change the SKU, you may need to change the template to include only features supported by the target SKU.-- You might not be able to move all subresources in Azure Spring Apps using the template. Your move may require extra setup after the template is deployed. For more information, see the [Configure the new Azure Spring Apps service instance](#configure-the-new-azure-spring-apps-service-instance) section of this article.-- When you move a virtual network (VNet) instance, you must create new network resources. For more information, see [Deploy Azure Spring Apps in a virtual network](how-to-deploy-in-azure-virtual-network.md).--## Prerequisites --- An existing Azure Spring Apps service instance. To create a new service instance, see [Quickstart: Deploy your first application in Azure Spring Apps](./quickstart.md).-- (Optional) [Azure CLI](/cli/azure/install-azure-cli) version 2.11.2 or later.--## Export the template --### [Portal](#tab/azure-portal) --Use the following steps to export the template: --1. Sign in to the [Azure portal](https://portal.azure.com). -1. Select **All resources** in the left menu, and then select your Azure Spring Apps instance. -1. Under **Automation**, select **Export template**. -1. Select **Download** on the **Export template** pane. -1. Locate the *.zip* file, unzip it, and get the *template.json* file. This file contains the resource template. --### [Azure CLI](#tab/azure-cli) --Use the following command to export the template: --```azurecli -az login -az account set --subscription <resource-subscription-id> -az group export \ - --resource-group <resource-group> \ - --resource-ids <resource-id> -``` ----## Modify the template --Use the following steps to modify the *template.json* file. In the following examples, the new Azure Spring Apps instance name is *new-service-name*. The previous instance name is *old-service-name*. --1. The following example shows how to change all `name` instances in the template from *old-service-name* to *new-service-name*: -- ```json - { - "type": "Microsoft.AppPlatform/Spring", - "apiVersion": "{api-version}", - "_comment": "the following line was changed from 'old-service-name'", - "name": "[parameters('new-service-name')]", - …. - } - ``` --1. The following example shows how to change the `location` instances in the template to the new target location: -- ```json - { - "type": "Microsoft.AppPlatform/Spring", - "apiVersion": "{api-version}", - "name": "[parameters('new_service_name')]", - "_comment": "the following line was changed from 'old-region'", - "location": "{new-region}", - ….. - } - ``` --1. If the instance you're moving is a virtual network instance, the following example shows how to update the target virtual network resource `parameters` instances in the template: -- ```json - "parameters": { - … - "virtualNetworks_service_vnet_externalid": { - "_comment": "the following line was changed from 'old-vnet-resource-id'", - "defaultValue": "{new-vnet-resource-id}", - "type": "String" - } - }, - ``` -- The following example shows how to make sure the `serviceRuntimeSubnetId` and `appSubnetId` subnets exist. The subnets are defined in the `networkProfile` service: -- ```json - { - "type": "Microsoft.AppPlatform/Spring", - "apiVersion": "{api-version}", - "name": "[parameters('Spring_new_service_name')]", - … - "properties": { - "networkProfile": { - "serviceRuntimeSubnetId": "[concat(parameters('virtualNetworks_service_vnet_externalid'), '/subnets/apps-subnet')]", - "appSubnetId": "[concat(parameters('virtualNetworks_service_vnet_externalid'), '/subnets/service-runtime-subnet')]", - } - } - } - ``` --1. If any custom domain resources are configured, create the CNAME records as described in [Tutorial: Map an existing custom domain to Azure Spring Apps](how-to-custom-domain.md). Make sure the record name is expected for the new service name. --1. The following example shows how to change all `relativePath` instances in the template `properties` for all app resources to `<default>`: -- ```json - { - "type": "Microsoft.AppPlatform/Spring/apps/deployments", - "apiVersion": "{api-version}", - "name": "[concat(parameters('Spring_new_service_name'), '/api-gateway/default')]", - … - "properties": { - "active": true, - "source": { - "type": "Jar", - "_comment": "the following line was changed to 'default'", - "relativePath": "<default>" - }, - … - } - } - ``` -- After the app is created, it uses a default banner application. Deploy the JAR files again using the Azure CLI. For more information, see the [Configure the new Azure Spring Apps service instance](#configure-the-new-azure-spring-apps-service-instance) section of this article. --1. If service binding was used and you want to import it to the new service instance, add the `key` property for the target bound resource. In the following example, a bound MySQL database is included: -- ```json - { - "type": "Microsoft.AppPlatform/Spring/apps/bindings", - "apiVersion": "{api-version}", - "name": "[concat(parameters('Spring_new_service_name'), '/api-gateway/mysql')]", - … - "_comment": "the following line imports a mysql binding", - "properties": { - "resourceId": "[parameters('servers_test_mysql_name_externalid')]", - "key": "{mysql-password}", - "bindingParameters": { - "databaseName": "mysql", - "username": "{mysql-user-name}" - } - } - } - ``` --## Deploy the template --### [Portal](#tab/azure-portal) --After you modify the template, use the following steps to deploy the template and create the new resource. --1. Sign in to the [Azure portal](https://portal.azure.com). -1. In the top search box, search for *Deploy a custom template*. -- :::image type="content" source="media/how-to-move-across-regions/search-deploy-template.png" alt-text="Screenshot of Azure portal showing search results." lightbox="media/how-to-move-across-regions/search-deploy-template.png" border="true"::: --1. Under **Services**, select **Deploy a custom template**. -1. Go to the **Select a template** tab, and then select **Build your own template in the editor**. -1. In the template editor, paste in the *template.json* file you modified earlier, and then select **Save**. -1. In the **Basics** tab, fill in the following information: -- - The target subscription. - - The target resource group. - - The target region. - - Any other parameters required for the template. -- :::image type="content" source="media/how-to-move-across-regions/deploy-template.png" alt-text="Screenshot of Azure portal showing the Custom deployment pane." lightbox="media/how-to-move-across-regions/deploy-template.png" ::: --1. Select **Review + create** to create the target service instance. -1. Wait until the template has deployed successfully. If the deployment fails, select **Deployment details** to view the reason it failed, and then update the template or configurations accordingly. --### [Azure CLI](#tab/azure-cli) --After you modify the template, use the following command to deploy the custom template and create the new resource: --```azurecli -az login -az account set --subscription <resource-subscription-id> -az deployment group create \ - --name <custom-deployment-name> \ - --resource-group <resource-group> \ - --template-file <path-to-template> \ - --parameters <param-name-1>=<param-value-1> -``` --Wait until the template has deployed successfully. If the deployment fails, view the deployment details with the command `az deployment group list`, and then update the template or configurations accordingly. ----## Configure the new Azure Spring Apps service instance --Some features aren't exported to the template, or can't be imported with a template. You must manually set up some Azure Spring Apps items on the new instance after the template deployment completes successfully. The following guidelines describe these requirements: --- The JAR files for the previous service aren't deployed directly to the new service instance. To deploy all apps, follow the instructions in [Quickstart: Build and deploy apps to Azure Spring Apps](quickstart-deploy-apps.md). If there's no active deployment configured automatically, you must configure a production deployment. For more information, see [Set up a staging environment in Azure Spring Apps](how-to-staging-environment.md).-- Config Server won't be imported automatically. To set up Config Server on your new instance, see [Configure a managed Spring Cloud Config Server in Azure Spring Apps](how-to-config-server.md).-- Managed identity is created automatically for the new service instance, but the object ID will be different from the previous instance. For managed identity to work in the new service instance, follow the instructions in [Enable system-assigned managed identity for an application in Azure Spring Apps](how-to-enable-system-assigned-managed-identity.md).-- For Monitoring -> Metrics, see [Metrics for Azure Spring Apps](concept-metrics.md). To avoid mixing the data, create a new Log Analytics instance to collect the new data. You should also create a new instance for other monitoring configurations.-- For Monitoring -> Diagnostic settings and logs, see [Analyze logs and metrics with diagnostics settings](diagnostic-services.md).-- For Monitoring -> Application Insights, see [Use Application Insights Java In-Process Agent in Azure Spring Apps](how-to-application-insights.md).--## Next steps --- [Quickstart: Build and deploy apps to Azure Spring Apps](quickstart-deploy-apps.md)-- [Quickstart: Set up Azure Spring Apps Config Server](quickstart-setup-config-server.md)-- [Quickstart: Set up a Log Analytics workspace](quickstart-setup-log-analytics.md) |
spring-apps | How To New Relic Monitor | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-new-relic-monitor.md | - Title: How to monitor Spring Boot apps using New Relic Java agent- -description: Learn how to monitor Spring Boot applications using the New Relic Java agent. ---- Previously updated : 06/08/2021----# How to monitor Spring Boot apps using New Relic Java agent --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Standard consumption and dedicated (Preview) ✔️ Basic/Standard ❌ Enterprise --This article shows you how to monitor of Spring Boot applications in Azure Spring Apps with the New Relic Java agent. --With the New Relic Java agent, you can: --* Consume the New Relic Java agent. -* Configure the New Relic Java agent using environment variables. -* Check all monitoring data from the New Relic dashboard. --The following video describes how to activate and monitor Spring Boot applications in Azure Spring Apps using New Relic One. --<br> --> [!VIDEO https://www.youtube.com/embed/4GQPwJSP3ys?list=PLPeZXlCR7ew8LlhnSH63KcM0XhMKxT1k_] --## Prerequisites --* A [New Relic](https://newrelic.com/) account. -* [Azure CLI version 2.0.67 or later](/cli/azure/install-azure-cli). --## Activate the New Relic Java in process agent --Use the following procedure to access the agent: --1. Create an instance of Azure Spring Apps. --1. Create an application. -- ```azurecli - az spring app create \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name <app-name> \ - --is-public true \ - ``` --1. Create a deployment with the New Relic agent and environment variables. -- ```azurecli - az spring app deploy \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name <app-name> \ - --artifact-path app.jar \ - --jvm-options="-javaagent:/opt/agents/newrelic/java/newrelic-agent.jar" \ - --env NEW_RELIC_APP_NAME=appName \ - NEW_RELIC_LICENSE_KEY=newRelicLicenseKey - ``` --Azure Spring Apps preinstalls the New Relic Java agent to */opt/agents/newrelic/java/newrelic-agent.jar*. Customers can activate the agent from applications' **JVM options**, and configure the agent using the [New Relic Java agent environment variables](https://docs.newrelic.com/docs/agents/java-agent/configuration/java-agent-configuration-config-file/#Environment_Variables). --## Azure portal --You can also activate this agent from the Azure portal with the following procedure. --1. In your Azure Spring Apps instance, select **Apps** in the navigation pane. -- :::image type="content" source="media/how-to-new-relic-monitor/find-app.png" alt-text="Screenshot of the Azure portal showing the Apps page for an Azure Spring Apps instance." lightbox="media/how-to-new-relic-monitor/find-app.png"::: --1. Select the application from the list, and then select **Configuration** in the navigation pane. --1. Use the **General settings** tab to update values such as the JVM options. -- :::image type="content" source="media/how-to-new-relic-monitor/update-jvm-option.png" alt-text="Screenshot of the Azure portal showing the Configuration page for an app with the General settings tab selected." lightbox="media/how-to-new-relic-monitor/update-jvm-option.png"::: --1. Select **Environment variables** to add or update the variables used by your application. -- :::image type="content" source="media/how-to-new-relic-monitor/configurations-update-environment.png" alt-text="Screenshot of the Azure portal showing the Configuration page for an app with the Environment variables tab selected." lightbox="media/how-to-new-relic-monitor/configurations-update-environment.png"::: --1. View the application api/gateway **Summary** page from the New Relic dashboard. -- :::image type="content" source="media/how-to-new-relic-monitor/app-summary-page.png" alt-text="Screenshot of the New Relic dashboard showing the API Gateway summary page." lightbox="media/how-to-new-relic-monitor/app-summary-page.png"::: --1. View the application customers-service **Summary** page from the New Relic dashboard. -- :::image type="content" source="media/how-to-new-relic-monitor/customers-service.png" alt-text="Screenshot of the New Relic dashboard showing the Customers Service page." lightbox="media/how-to-new-relic-monitor/customers-service.png"::: --1. View the **Service Map** page from the New Relic dashboard. -- :::image type="content" source="media/how-to-new-relic-monitor/service-map.png" alt-text="Screenshot of the New Relic dashboard showing the Service Map page." lightbox="media/how-to-new-relic-monitor/service-map.png"::: --1. View the **JVMs** page of the application from the New Relic dashboard. -- :::image type="content" source="media/how-to-new-relic-monitor/jvm-page.png" alt-text="Screenshot of the New Relic dashboard showing the JVM page." lightbox="media/how-to-new-relic-monitor/jvm-page.png"::: --1. View the application profile from the New Relic dashboard. -- :::image type="content" source="media/how-to-new-relic-monitor/profile-app.png" alt-text="Screenshot of the New Relic dashboard showing the Application Profile page." lightbox="media/how-to-new-relic-monitor/profile-app.png"::: --## Automate provisioning --You can also run a provisioning automation pipeline using Terraform, Bicep, or an Azure Resource Manager template (ARM template). This pipeline can provide a complete hands-off experience to instrument and monitor any new applications that you create and deploy. --### Automate provisioning using Terraform --To configure the environment variables in a Terraform template, add the following code to the template, replacing the *\<...>* placeholders with your own values. For more information, see [Manages an Active Azure Spring Apps Deployment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/spring_cloud_active_deployment). --```terraform -resource "azurerm_spring_cloud_java_deployment" "example" { - ... - jvm_options = "-javaagent:/opt/agents/newrelic/java/newrelic-agent.jar" - ... - environment_variables = { - "NEW_RELIC_APP_NAME": "<app-name>", - "NEW_RELIC_LICENSE_KEY": "<new-relic-license-key>" - } -} -``` --### Automate provisioning using a Bicep file --To configure the environment variables in a Bicep file, add the following code to the template, replacing the *\<...>* placeholders with your own values. For more information, see [Microsoft.AppPlatform Spring/apps/deployments](/azure/templates/microsoft.appplatform/spring/apps/deployments?tabs=bicep). --```bicep -deploymentSettings: { - environmentVariables: { - NEW_RELIC_APP_NAME : '<app-name>', - NEW_RELIC_LICENSE_KEY : '<new-relic-license-key>' - }, - jvmOptions: '-javaagent:/opt/agents/newrelic/java/newrelic-agent.jar', - ... -} -``` --### Automate provisioning using an ARM template --To configure the environment variables in an ARM template, add the following code to the template, replacing the *\<...>* placeholders with your own values. For more information, see [Microsoft.AppPlatform Spring/apps/deployments](/azure/templates/microsoft.appplatform/spring/apps/deployments?tabs=json). --```json -"deploymentSettings": { - "environmentVariables": { - "NEW_RELIC_APP_NAME" : "<app-name>", - "NEW_RELIC_LICENSE_KEY" : "<new-relic-license-key>" - }, - "jvmOptions": "-javaagent:/opt/agents/newrelic/java/newrelic-agent.jar", - ... -} -``` --## Forward application logs to New Relic --The New Relic agent can collect application logs directly from your apps, and forward them to New Relic. For more information, see [Forward your logs to New Relic](https://docs.newrelic.com/docs/logs/forward-logs/enable-log-management-new-relic/) and [APM logs in context](https://docs.newrelic.com/docs/logs/logs-context/get-started-logs-context/). --## View New Relic Java Agent logs --By default, Azure Spring Apps prints the logs of the New Relic Java agent to `STDOUT`. The logs are mixed with the application logs. You can find the explicit agent version from the application logs. --You can also get the logs of the New Relic agent from the following locations: --* Azure Spring Apps logs -* Azure Spring Apps Application Insights -* Azure Spring Apps LogStream --You can use some environment variables provided by New Relic to configure the logging of the New Agent, such as, `NEW_RELIC_LOG_LEVEL` to control the level of logs. For more information, see [New Relic logging configuration](https://docs.newrelic.com/docs/apm/agents/java-agent/configuration/java-agent-configuration-config-file/#cfg-log_level). --> [!NOTE] -> Do not use `finer` or `finest` unless New Relic Support asks you to do that. These logging levels can generate excessive overhead. For most situations, use `info`. --> [!CAUTION] -> We strongly recommend that you don't override the logging default behavior provided by Azure Spring Apps for New Relic. If you do, the logging scenarios previously described are blocked, and the log file(s) may be lost. For example, you shouldn't pass the following environment variables to your applications. Log file(s) may be lost after restart or redeployment of application(s). -> -> * NEW_RELIC_LOG -> * NEW_RELIC_LOG_FILE_PATH --## New Relic Java Agent update/upgrade --The New Relic Java agent update/upgrade the JDK regularly. The agent update/upgrade may affect following scenarios. --* Existing applications that use the New Relic Java agent before update/upgrade are unchanged. -* Existing applications that use the New Relic Java agent before update/upgrade require restart or redeploy to engage the new version of the New Relic Java agent. -* New applications created after update/upgrade use the new version of the New Relic Java agent. --## Vnet Injection Instance Outbound Traffic Configuration --For a vnet injection instance of Azure Spring Apps, you need to make sure the outbound traffic is configured correctly for the New Relic Java agent. For more information, see [Networks of New Relic](https://docs.newrelic.com/docs/using-new-relic/cross-product-functions/install-configure/networks/#agents). --## Next steps --[Use Application Insights Java In-Process Agent in Azure Spring Apps](how-to-application-insights.md) |
spring-apps | How To Permissions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-permissions.md | - Title: "Use permissions in Azure Spring Apps" -description: This article shows you how to create custom roles that delegate permissions to Azure Spring Apps resources. ---- Previously updated : 09/04/2020----# How to use permissions in Azure Spring Apps --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise --This article shows you how to create custom roles that delegate permissions to Azure Spring Apps resources. Custom roles extend [Azure built-in roles](../role-based-access-control/built-in-roles.md) with various stock permissions. --We'll implement the following custom roles. --* **Developer role**: -- * Deploy - * Test - * Restart apps - * Apply and make changes to app configurations in the Git repository - * Get log streams --* **DevOps Engineer role**: -- * Create, read, update, and delete everything in Azure Spring Apps --* **Ops - Site Reliability Engineering role**: -- * Restart apps - * Get log streams - * Can't make changes to apps or configurations --* **Azure Pipelines / Jenkins / GitHub Actions role**: -- * Perform create, read, update, and delete operations - * Use Terraform or ARM templates to create and configure everything in Azure Spring Apps and apps within a service instance: Azure Pipelines, Jenkins, and GitHub Actions --## Define the Developer role --The Developer role includes permissions to restart apps and see their log streams. This role can't make changes to apps or configurations. --### [Portal](#tab/Azure-portal) --1. In the Azure portal, open the subscription where you want to assign the custom role. --1. Open **Access control (IAM)**. --1. Select **Add**. --1. Select **Add custom role**. --1. Select **Next**: -- :::image type="content" source="media/how-to-permissions/create-custom-role.png" alt-text="Screenshot that shows the Basics tab of the Create a custom role window." lightbox="media/how-to-permissions/create-custom-role.png"::: --1. Select **Add permissions**: -- :::image type="content" source="media/how-to-permissions/add-permissions.png" alt-text="Screenshot that shows the Add permissions button." lightbox="media/how-to-permissions/add-permissions.png"::: --1. In the search box, search for **Microsoft.app**. Select **Microsoft Azure Spring Apps**: -- :::image type="content" source="media/how-to-permissions/permissions.png" alt-text="Screenshot that shows the results of searching for Microsoft.app." lightbox="media/how-to-permissions/permissions.png"::: --1. Select the permissions for the Developer role. -- Under **Microsoft.AppPlatform/Spring**, select: -- * **Write : Create or Update Azure Spring Apps service instance** - * **Read : Get Azure Spring Apps service instance** - * **Other : List Azure Spring Apps service instance test keys** -- (For Enterprise plan only) Under **Microsoft.AppPlatform/Spring/buildServices**, select: -- * **Read : Read Microsoft Azure Spring Apps Build Services** - * **Other : Get an Upload URL in Azure Spring Apps** -- (For Enterprise plan only) Under **Microsoft.AppPlatform/Spring/buildServices/builds**, select: -- * **Read : Read Microsoft Azure Spring Apps Builds** - * **Write : Write Microsoft Azure Spring Apps Builds** -- (For Enterprise plan only) Under **Microsoft.AppPlatform/Spring/buildServices/builds/results**, select: -- * **Read : Read Microsoft Azure Spring Apps Build Results** - * **Other : Get an Log File URL in Azure Spring Apps** -- (For Enterprise plan only) Under **Microsoft.AppPlatform/Spring/buildServices/builders**, select: -- * **Read : Read Microsoft Azure Spring Apps Builders** - * **Write : Write Microsoft Azure Spring Apps Builders** - * **Delete : Delete Microsoft Azure Spring Apps Builders** -- (For Enterprise plan only) Under **Microsoft.AppPlatform/Spring/buildServices/builders/buildpackBindings**, select: -- * **Read : Read Microsoft Azure Spring Apps Builder BuildpackBinding** - * **Write : Write Microsoft Azure Spring Apps Builder BuildpackBinding** - * **Delete : Delete Microsoft Azure Spring Apps Builder BuildpackBinding** -- (For Enterprise plan only) Under **Microsoft.AppPlatform/Spring/buildServices/supportedBuildpacks**, select: -- * **Read : Read Microsoft Azure Spring Apps Supported Buildpacks** -- (For Enterprise plan only) Under **Microsoft.AppPlatform/Spring/buildServices/supportedStacks**, select: -- * **Read : Read Microsoft Azure Spring Apps Supported Stacks** -- Under **Microsoft.AppPlatform/Spring/apps**, select: -- * **Read : Read Microsoft Azure Spring Apps application** - * **Other : Get Microsoft Azure Spring Apps application resource upload URL** -- Under **Microsoft.AppPlatform/Spring/apps/bindings**, select: -- * **Read : Read Microsoft Azure Spring Apps application binding** -- Under **Microsoft.AppPlatform/Spring/apps/deployments**, select: -- * **Write : Write Microsoft Azure Spring Apps application deployment** - * **Read : Read Microsoft Azure Spring Apps application deployment** - * **Other : Start Microsoft Azure Spring Apps application deployment** - * **Other : Stop Microsoft Azure Spring Apps application deployment** - * **Other : Restart Microsoft Azure Spring Apps application deployment** - * **Other : Get Microsoft Azure Spring Apps application deployment log file URL** -- Under **Microsoft.AppPlatform/Spring/apps/domains**, select: -- * **Read : Read Microsoft Azure Spring Apps application custom domain** -- Under **Microsoft.AppPlatform/Spring/certificates**, select: -- * **Read : Read Microsoft Azure Spring Apps certificate** -- Under **Microsoft.AppPlatform/locations/operationResults/Spring**, select: -- * **Read : Read operation result** -- Under **Microsoft.AppPlatform/locations/operationStatus/operationId**, select: -- * **Read : Read operation status** -- :::image type="content" source="media/how-to-permissions/developer-permissions-box.png" alt-text="Screenshot of Azure portal that shows the selections for Developer permissions." lightbox="media/how-to-permissions/developer-permissions-box.png"::: --1. Select **Add**. --1. Review the permissions. --1. Select **Review and create**. --### [JSON](#tab/JSON) --1. In the Azure portal, open the subscription where you want to assign the custom role. --1. Open **Access control (IAM)**. --1. Select **Add**. --1. Select **Add custom role**. --1. Select **Next**. --1. Select the **JSON** tab. --1. Select **Edit**, and then delete the default text: -- :::image type="content" source="media/how-to-permissions/create-custom-role-edit-json.png" alt-text="Screenshot that shows the default JSON text." lightbox="media/how-to-permissions/create-custom-role-edit-json.png"::: --1. Paste in the following JSON to define the Developer role: -- * Basic/Standard plan -- ```json - { - "properties": { - "roleName": "Developer", - "description": "", - "assignableScopes": [ - "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" - ], - "permissions": [ - { - "actions": [ - "Microsoft.AppPlatform/Spring/write", - "Microsoft.AppPlatform/Spring/read", - "Microsoft.AppPlatform/Spring/listTestKeys/action", - "Microsoft.AppPlatform/Spring/apps/read", - "Microsoft.AppPlatform/Spring/apps/getResourceUploadUrl/action", - "Microsoft.AppPlatform/Spring/apps/bindings/read", - "Microsoft.AppPlatform/Spring/apps/domains/read", - "Microsoft.AppPlatform/Spring/apps/deployments/write", - "Microsoft.AppPlatform/Spring/apps/deployments/read", - "Microsoft.AppPlatform/Spring/apps/deployments/start/action", - "Microsoft.AppPlatform/Spring/apps/deployments/stop/action", - "Microsoft.AppPlatform/Spring/apps/deployments/restart/action", - "Microsoft.AppPlatform/Spring/apps/deployments/getLogFileUrl/action", - "Microsoft.AppPlatform/Spring/certificates/read", - "Microsoft.AppPlatform/locations/operationResults/Spring/read", - "Microsoft.AppPlatform/locations/operationStatus/operationId/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ] - } - } - ``` -- * Enterprise plan -- ```json - { - "properties": { - "roleName": "Developer", - "description": "", - "assignableScopes": [ - "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" - ], - "permissions": [ - { - "actions": [ - "Microsoft.AppPlatform/Spring/write", - "Microsoft.AppPlatform/Spring/read", - "Microsoft.AppPlatform/Spring/listTestKeys/action", - "Microsoft.AppPlatform/Spring/buildServices/read", - "Microsoft.AppPlatform/Spring/buildServices/getResourceUploadUrl/action", - "Microsoft.AppPlatform/Spring/buildServices/builds/read", - "Microsoft.AppPlatform/Spring/buildServices/builds/write", - "Microsoft.AppPlatform/Spring/buildServices/builds/results/read", - "Microsoft.AppPlatform/Spring/buildServices/builds/results/getLogFileUrl/action", - "Microsoft.AppPlatform/Spring/buildServices/builders/read", - "Microsoft.AppPlatform/Spring/buildServices/builders/write", - "Microsoft.AppPlatform/Spring/buildServices/builders/delete", - "Microsoft.AppPlatform/Spring/buildServices/builders/buildpackBindings/read", - "Microsoft.AppPlatform/Spring/buildServices/builders/buildpackBindings/write", - "Microsoft.AppPlatform/Spring/buildServices/builders/buildpackBindings/delete", - "Microsoft.AppPlatform/Spring/buildServices/supportedBuildpacks/read", - "Microsoft.AppPlatform/Spring/buildServices/supportedStacks/read", - "Microsoft.AppPlatform/Spring/apps/read", - "Microsoft.AppPlatform/Spring/apps/getResourceUploadUrl/action", - "Microsoft.AppPlatform/Spring/apps/bindings/read", - "Microsoft.AppPlatform/Spring/apps/domains/read", - "Microsoft.AppPlatform/Spring/apps/deployments/write", - "Microsoft.AppPlatform/Spring/apps/deployments/read", - "Microsoft.AppPlatform/Spring/apps/deployments/start/action", - "Microsoft.AppPlatform/Spring/apps/deployments/stop/action", - "Microsoft.AppPlatform/Spring/apps/deployments/restart/action", - "Microsoft.AppPlatform/Spring/apps/deployments/getLogFileUrl/action", - "Microsoft.AppPlatform/Spring/certificates/read", - "Microsoft.AppPlatform/locations/operationResults/Spring/read", - "Microsoft.AppPlatform/locations/operationStatus/operationId/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ] - } - } - ``` -- :::image type="content" source="media/how-to-permissions/create-custom-role-json.png" alt-text="Screenshot that shows the JSON for the Developer role." lightbox="media/how-to-permissions/create-custom-role-json.png"::: --1. Select **Save**. --1. Review the permissions. --1. Select **Review and create**. ----## Define the DevOps Engineer role --This procedure defines a role that has permissions to deploy, test, and restart Azure Spring Apps apps. --### [Portal](#tab/Azure-portal) --1. Repeat steps 1 through 4 in the procedure for adding the Developer role. --1. Select the permissions for the DevOps Engineer role: -- Under **Microsoft.AppPlatform/Spring**, select: -- * **Write : Create or Update Azure Spring Apps service instance** - * **Delete : Delete Azure Spring Apps service instance** - * **Read : Get Azure Spring Apps service instance** - * **Other : Enable Azure Spring Apps service instance test endpoint** - * **Other : Disable Azure Spring Apps service instance test endpoint** - * **Other : List Azure Spring Apps service instance test keys** - * **Other : Regenerate Azure Spring Apps service instance test key** -- (For Enterprise plan only) Under **Microsoft.AppPlatform/Spring/buildServices**, select: -- * **Read : Read Microsoft Azure Spring Apps Build Services** - * **Other : Get an Upload URL in Azure Spring Apps** - - (For Enterprise plan only) Under **Microsoft.AppPlatform/Spring/buildServices/agentPools**, select: -- * **Read : Read Microsoft Azure Spring Apps Agent Pools** - * **Write : Write Microsoft Azure Spring Apps Agent Pools** -- (For Enterprise plan only) Under **Microsoft.AppPlatform/Spring/buildServices/builds**, select: -- * **Read : Read Microsoft Azure Spring Apps Builds** - * **Write : Write Microsoft Azure Spring Apps Builds** -- (For Enterprise plan only) Under **Microsoft.AppPlatform/Spring/buildServices/builds/results**, select: -- * **Read : Read Microsoft Azure Spring Apps Build Results** - * **Other : Get an Log File URL in Azure Spring Apps** -- (For Enterprise plan only) Under **Microsoft.AppPlatform/Spring/buildServices/builders**, select: -- * **Read : Read Microsoft Azure Spring Apps Builders** - * **Write : Write Microsoft Azure Spring Apps Builders** - * **Delete : Delete Microsoft Azure Spring Apps Builders** -- (For Enterprise plan only) Under **Microsoft.AppPlatform/Spring/buildServices/builders/buildpackBindings**, select: -- * **Read : Read Microsoft Azure Spring Apps Builder BuildpackBinding** - * **Write : Write Microsoft Azure Spring Apps Builder BuildpackBinding** - * **Delete : Delete Microsoft Azure Spring Apps Builder BuildpackBinding** -- (For Enterprise plan only) Under **Microsoft.AppPlatform/Spring/buildServices/supportedBuildpacks**, select: -- * **Read : Read Microsoft Azure Spring Apps Supported Buildpacks** -- (For Enterprise plan only) Under **Microsoft.AppPlatform/Spring/buildServices/supportedStacks**, select: -- * **Read : Read Microsoft Azure Spring Apps Supported Stacks** -- Under **Microsoft.AppPlatform/Spring/apps**, select: -- * **Write : Write Microsoft Azure Spring Apps application** - * **Delete : Delete Microsoft Azure Spring Apps application** - * **Read : Read Microsoft Azure Spring Apps application** - * **Other : Get Microsoft Azure Spring Apps application resource upload URL** - * **Other : Validate Microsoft Azure Spring Apps application custom domain** -- Under **Microsoft.AppPlatform/Spring/apps/bindings**, select: -- * **Write : Write Microsoft Azure Spring Apps application binding** - * **Delete : Delete Microsoft Azure Spring Apps application binding** - * **Read : Read Microsoft Azure Spring Apps application binding** -- Under **Microsoft.AppPlatform/Spring/apps/deployments**, select: -- * **Write : Write Microsoft Azure Spring Apps application deployment** - * **Delete : Delete Azure Spring Apps application deployment** - * **Read : Read Microsoft Azure Spring Apps application deployment** - * **Other : Start Microsoft Azure Spring Apps application deployment** - * **Other : Stop Microsoft Azure Spring Apps application deployment** - * **Other : Restart Microsoft Azure Spring Apps application deployment** - * **Other : Get Microsoft Azure Spring Apps application deployment log file URL** -- Under **Microsoft.AppPlatform/Spring/apps/deployments/skus**, select: -- * **Read : List application deployment available skus** -- Under **Microsoft.AppPlatform/locations**, select: -- * **Other : Check name availability** -- Under **Microsoft.AppPlatform/locations/operationResults/Spring** select: -- * **Read : Read operation result** -- Under **Microsoft.AppPlatform/locations/operationStatus/operationId**, select: -- * **Read : Read operation status** -- Under **Microsoft.AppPlatform/skus**, select: -- * **Read : List available skus** -- :::image type="content" source="media/how-to-permissions/dev-ops-permissions.png" alt-text="Screenshot of Azure portal that shows the selections for DevOps permissions." lightbox="media/how-to-permissions/dev-ops-permissions.png"::: --1. Select **Add**. --1. Review the permissions. --1. Select **Review and create**. --### [JSON](#tab/JSON) --1. Repeat steps 1 through 4 from the procedure for adding the Developer role. --1. Select **Next**. --1. Select the **JSON** tab. --1. Select **Edit**, and then delete the default text: -- :::image type="content" source="media/how-to-permissions/create-custom-role-edit-json.png" alt-text="Screenshot that shows the default JSON text." lightbox="media/how-to-permissions/create-custom-role-edit-json.png"::: --1. Paste in the following JSON to define the DevOps Engineer role: -- * Basic/Standard plan -- ```json - { - "properties": { - "roleName": "DevOps engineer", - "description": "", - "assignableScopes": [ - "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" - ], - "permissions": [ - { - "actions": [ - "Microsoft.AppPlatform/Spring/write", - "Microsoft.AppPlatform/Spring/delete", - "Microsoft.AppPlatform/Spring/read", - "Microsoft.AppPlatform/Spring/enableTestEndpoint/action", - "Microsoft.AppPlatform/Spring/disableTestEndpoint/action", - "Microsoft.AppPlatform/Spring/listTestKeys/action", - "Microsoft.AppPlatform/Spring/regenerateTestKey/action", - "Microsoft.AppPlatform/Spring/apps/write", - "Microsoft.AppPlatform/Spring/apps/delete", - "Microsoft.AppPlatform/Spring/apps/read", - "Microsoft.AppPlatform/Spring/apps/getResourceUploadUrl/action", - "Microsoft.AppPlatform/Spring/apps/validateDomain/action", - "Microsoft.AppPlatform/Spring/apps/bindings/write", - "Microsoft.AppPlatform/Spring/apps/bindings/delete", - "Microsoft.AppPlatform/Spring/apps/bindings/read", - "Microsoft.AppPlatform/Spring/apps/deployments/write", - "Microsoft.AppPlatform/Spring/apps/deployments/delete", - "Microsoft.AppPlatform/Spring/apps/deployments/read", - "Microsoft.AppPlatform/Spring/apps/deployments/start/action", - "Microsoft.AppPlatform/Spring/apps/deployments/stop/action", - "Microsoft.AppPlatform/Spring/apps/deployments/restart/action", - "Microsoft.AppPlatform/Spring/apps/deployments/getLogFileUrl/action", - "Microsoft.AppPlatform/Spring/apps/deployments/skus/read", - "Microsoft.AppPlatform/locations/checkNameAvailability/action", - "Microsoft.AppPlatform/locations/operationResults/Spring/read", - "Microsoft.AppPlatform/locations/operationStatus/operationId/read", - "Microsoft.AppPlatform/skus/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ] - } - } - ``` -- * Enterprise plan -- ```json - { - "properties": { - "roleName": "DevOps engineer", - "description": "", - "assignableScopes": [ - "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" - ], - "permissions": [ - { - "actions": [ - "Microsoft.AppPlatform/Spring/write", - "Microsoft.AppPlatform/Spring/delete", - "Microsoft.AppPlatform/Spring/read", - "Microsoft.AppPlatform/Spring/enableTestEndpoint/action", - "Microsoft.AppPlatform/Spring/disableTestEndpoint/action", - "Microsoft.AppPlatform/Spring/listTestKeys/action", - "Microsoft.AppPlatform/Spring/regenerateTestKey/action", - "Microsoft.AppPlatform/Spring/buildServices/read", - "Microsoft.AppPlatform/Spring/buildServices/getResourceUploadUrl/action", - "Microsoft.AppPlatform/Spring/buildServices/agentPools/read", - "Microsoft.AppPlatform/Spring/buildServices/agentPools/write", - "Microsoft.AppPlatform/Spring/buildServices/builds/read", - "Microsoft.AppPlatform/Spring/buildServices/builds/write", - "Microsoft.AppPlatform/Spring/buildServices/builds/results/read", - "Microsoft.AppPlatform/Spring/buildServices/builds/results/getLogFileUrl/action", - "Microsoft.AppPlatform/Spring/buildServices/builders/read", - "Microsoft.AppPlatform/Spring/buildServices/builders/write", - "Microsoft.AppPlatform/Spring/buildServices/builders/delete", - "Microsoft.AppPlatform/Spring/buildServices/builders/buildpackBindings/read", - "Microsoft.AppPlatform/Spring/buildServices/builders/buildpackBindings/write", - "Microsoft.AppPlatform/Spring/buildServices/builders/buildpackBindings/delete", - "Microsoft.AppPlatform/Spring/buildServices/supportedBuildpacks/read", - "Microsoft.AppPlatform/Spring/buildServices/supportedStacks/read", - "Microsoft.AppPlatform/Spring/apps/write", - "Microsoft.AppPlatform/Spring/apps/delete", - "Microsoft.AppPlatform/Spring/apps/read", - "Microsoft.AppPlatform/Spring/apps/getResourceUploadUrl/action", - "Microsoft.AppPlatform/Spring/apps/validateDomain/action", - "Microsoft.AppPlatform/Spring/apps/bindings/write", - "Microsoft.AppPlatform/Spring/apps/bindings/delete", - "Microsoft.AppPlatform/Spring/apps/bindings/read", - "Microsoft.AppPlatform/Spring/apps/deployments/write", - "Microsoft.AppPlatform/Spring/apps/deployments/delete", - "Microsoft.AppPlatform/Spring/apps/deployments/read", - "Microsoft.AppPlatform/Spring/apps/deployments/start/action", - "Microsoft.AppPlatform/Spring/apps/deployments/stop/action", - "Microsoft.AppPlatform/Spring/apps/deployments/restart/action", - "Microsoft.AppPlatform/Spring/apps/deployments/getLogFileUrl/action", - "Microsoft.AppPlatform/Spring/apps/deployments/skus/read", - "Microsoft.AppPlatform/locations/checkNameAvailability/action", - "Microsoft.AppPlatform/locations/operationResults/Spring/read", - "Microsoft.AppPlatform/locations/operationStatus/operationId/read", - "Microsoft.AppPlatform/skus/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ] - } - } - ``` --1. Review the permissions. --1. Select **Review and create**. ----## Define the Ops - Site Reliability Engineering role --This procedure defines a role that has permissions to deploy, test, and restart Azure Spring Apps apps. --### [Portal](#tab/Azure-portal) --1. Repeat steps 1 through 4 from the procedure for adding the Developer role. --1. Select the permissions for the Ops - Site Reliability Engineering role: -- Under **Microsoft.AppPlatform/Spring**, select: -- * **Read : Get Azure Spring Apps service instance** - * **Other : List Azure Spring Apps service instance test keys** -- Under **Microsoft.AppPlatform/Spring/apps**, select: -- * **Read : Read Microsoft Azure Spring Apps application** -- Under **Microsoft.AppPlatform/apps/deployments**, select: -- * **Read : Read Microsoft Azure Spring Apps application deployment** - * **Other : Start Microsoft Azure Spring Apps application deployment** - * **Other : Stop Microsoft Azure Spring Apps application deployment** - * **Other : Restart Microsoft Azure Spring Apps application deployment** -- Under **Microsoft.AppPlatform/locations/operationResults/Spring**, select: -- * **Read : Read operation result** -- Under **Microsoft.AppPlatform/locations/operationStatus/operationId**, select: -- * **Read : Read operation status** -- :::image type="content" source="media/how-to-permissions/ops-sre-permissions.png" alt-text="Screenshot of Azure portal that shows the selections for Ops - Site Reliability Engineering permissions." lightbox="media/how-to-permissions/ops-sre-permissions.png"::: --1. Select **Add**. --1. Review the permissions. --1. Select **Review and create**. --### [JSON](#tab/JSON) --1. Repeat steps 1 through 4 from the procedure for adding the Developer role. --1. Select **Next**. --1. Select the **JSON** tab. --1. Select **Edit**, and then delete the default text: -- :::image type="content" source="media/how-to-permissions/create-custom-role-edit-json.png" alt-text="Screenshot that shows the default JSON text." lightbox="media/how-to-permissions/create-custom-role-edit-json.png"::: --1. Paste in the following JSON to define the Ops - Site Reliability Engineering role: -- * Enterprise/Basic/Standard plan -- ```json - { - "properties": { - "roleName": "Ops - Site Reliability Engineering", - "description": "", - "assignableScopes": [ - "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" - ], - "permissions": [ - { - "actions": [ - "Microsoft.AppPlatform/Spring/read", - "Microsoft.AppPlatform/Spring/listTestKeys/action", - "Microsoft.AppPlatform/Spring/apps/read", - "Microsoft.AppPlatform/Spring/apps/deployments/read", - "Microsoft.AppPlatform/Spring/apps/deployments/start/action", - "Microsoft.AppPlatform/Spring/apps/deployments/stop/action", - "Microsoft.AppPlatform/Spring/apps/deployments/restart/action", - "Microsoft.AppPlatform/Spring/apps/deployments/getLogFileUrl/action", - "Microsoft.AppPlatform/locations/operationResults/Spring/read", - "Microsoft.AppPlatform/locations/operationStatus/operationId/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ] - } - } - ``` --1. Review the permissions. --1. Select **Review and create**. ----## Define the Azure Pipelines / Jenkins / GitHub Actions role --This role can create and configure everything in Azure Spring Apps and apps with a service instance. This role is for releasing or deploying code. --### [Portal](#tab/Azure-portal) --1. Repeat steps 1 through 4 from the procedure for adding the Developer role. --1. Open the **Permissions** options. --1. Select the permissions for the Azure Pipelines / Jenkins / GitHub Actions role: -- Under **Microsoft.AppPlatform/Spring**, select: -- * **Write : Create or Update Azure Spring Apps service instance** - * **Delete : Delete Azure Spring Apps service instance** - * **Read : Get Azure Spring Apps service instance** - * **Other : Enable Azure Spring Apps service instance test endpoint** - * **Other : Disable Azure Spring Apps service instance test endpoint** - * **Other : List Azure Spring Apps service instance test keys** - * **Other : Regenerate Azure Spring Apps service instance test key** -- (For Enterprise plan only) Under **Microsoft.AppPlatform/Spring/buildServices**, select: -- * **Read : Read Microsoft Azure Spring Apps Build Services** - * **Other : Get an Upload URL in Azure Spring Apps** -- (For Enterprise plan only) Under **Microsoft.AppPlatform/Spring/buildServices/builds**, select: -- * **Read : Read Microsoft Azure Spring Apps Builds** - * **Write : Write Microsoft Azure Spring Apps Builds** -- (For Enterprise plan only) Under **Microsoft.AppPlatform/Spring/buildServices/builds/results**, select: -- * **Read : Read Microsoft Azure Spring Apps Build Results** - * **Other : Get an Log File URL in Azure Spring Apps** -- (For Enterprise plan only) Under **Microsoft.AppPlatform/Spring/buildServices/builders**, select: -- * **Read : Read Microsoft Azure Spring Apps Builders** - * **Write : Write Microsoft Azure Spring Apps Builders** - * **Delete : Delete Microsoft Azure Spring Apps Builders** -- (For Enterprise plan only) Under **Microsoft.AppPlatform/Spring/buildServices/builders/buildpackBindings**, select: -- * **Read : Read Microsoft Azure Spring Apps Builder BuildpackBinding** - * **Write : Write Microsoft Azure Spring Apps Builder BuildpackBinding** - * **Delete : Delete Microsoft Azure Spring Apps Builder BuildpackBinding** -- (For Enterprise plan only) Under **Microsoft.AppPlatform/Spring/buildServices/supportedBuildpacks**, select: -- * **Read : Read Microsoft Azure Spring Apps Supported Buildpacks** -- (For Enterprise plan only) Under **Microsoft.AppPlatform/Spring/buildServices/supportedStacks**, select: -- * **Read : Read Microsoft Azure Spring Apps Supported Stacks** -- Under **Microsoft.AppPlatform/Spring/apps**, select: -- * **Write : Write Microsoft Azure Spring Apps application** - * **Delete : Delete Microsoft Azure Spring Apps application** - * **Read : Read Microsoft Azure Spring Apps application** - * **Other : Get Microsoft Azure Spring Apps application resource upload URL** - * **Other : Validate Microsoft Azure Spring Apps application custom domain** -- Under **Microsoft.AppPlatform/Spring/apps/bindings**, select: -- * **Write : Write Microsoft Azure Spring Apps application binding** - * **Delete : Delete Microsoft Azure Spring Apps application binding** - * **Read : Read Microsoft Azure Spring Apps application binding** -- Under **Microsoft.AppPlatform/Spring/apps/deployments**, select: -- * **Write : Write Microsoft Azure Spring Apps application deployment** - * **Delete : Delete Azure Spring Apps application deployment** - * **Read : Read Microsoft Azure Spring Apps application deployment** - * **Other : Start Microsoft Azure Spring Apps application deployment** - * **Other : Stop Microsoft Azure Spring Apps application deployment** - * **Other : Restart Microsoft Azure Spring Apps application deployment** - * **Other : Get Microsoft Azure Spring Apps application deployment log file URL** -- Under **Microsoft.AppPlatform/Spring/apps/deployments/skus**, select: -- * **Read : List application deployment available skus** -- Under **Microsoft.AppPlatform/locations**, select: -- * **Other : Check name availability** -- Under **Microsoft.AppPlatform/locations/operationResults/Spring**, select: -- * **Read : Read operation result** -- Under **Microsoft.AppPlatform/locations/operationStatus/operationId**, select: -- * **Read : Read operation status** -- Under **Microsoft.AppPlatform/skus**, select: -- * **Read : List available skus** -- :::image type="content" source="media/how-to-permissions/pipelines-permissions-box.png" alt-text="Screenshot of Azure portal that shows the selections for Azure Pipelines / Jenkins / GitHub Actions permissions." lightbox="media/how-to-permissions/pipelines-permissions-box.png"::: --1. Select **Add**. --1. Review the permissions. --1. Select **Review and create**. --### [JSON](#tab/JSON) --1. Repeat steps 1 through 4 from the procedure for adding the Developer role. --1. Select **Next**. --1. Select the **JSON** tab. --1. Select **Edit**, and then delete the default text: -- :::image type="content" source="media/how-to-permissions/create-custom-role-edit-json.png" alt-text="Screenshot that shows the default JSON text." lightbox="media/how-to-permissions/create-custom-role-edit-json.png"::: --1. Paste in the following JSON to define the Azure Pipelines / Jenkins / GitHub Actions role: -- * Basic/Standard plan -- ```json - { - "properties": { - "roleName": "Azure Pipelines/Provisioning", - "description": "", - "assignableScopes": [ - "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" - ], - "permissions": [ - { - "actions": [ - "Microsoft.AppPlatform/Spring/write", - "Microsoft.AppPlatform/Spring/delete", - "Microsoft.AppPlatform/Spring/read", - "Microsoft.AppPlatform/Spring/enableTestEndpoint/action", - "Microsoft.AppPlatform/Spring/disableTestEndpoint/action", - "Microsoft.AppPlatform/Spring/listTestKeys/action", - "Microsoft.AppPlatform/Spring/regenerateTestKey/action", - "Microsoft.AppPlatform/Spring/apps/write", - "Microsoft.AppPlatform/Spring/apps/delete", - "Microsoft.AppPlatform/Spring/apps/read", - "Microsoft.AppPlatform/Spring/apps/getResourceUploadUrl/action", - "Microsoft.AppPlatform/Spring/apps/validateDomain/action", - "Microsoft.AppPlatform/Spring/apps/bindings/write", - "Microsoft.AppPlatform/Spring/apps/bindings/delete", - "Microsoft.AppPlatform/Spring/apps/bindings/read", - "Microsoft.AppPlatform/Spring/apps/deployments/write", - "Microsoft.AppPlatform/Spring/apps/deployments/delete", - "Microsoft.AppPlatform/Spring/apps/deployments/read", - "Microsoft.AppPlatform/Spring/apps/deployments/start/action", - "Microsoft.AppPlatform/Spring/apps/deployments/stop/action", - "Microsoft.AppPlatform/Spring/apps/deployments/restart/action", - "Microsoft.AppPlatform/Spring/apps/deployments/getLogFileUrl/action", - "Microsoft.AppPlatform/skus/read", - "Microsoft.AppPlatform/locations/checkNameAvailability/action", - "Microsoft.AppPlatform/locations/operationResults/Spring/read", - "Microsoft.AppPlatform/locations/operationStatus/operationId/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ] - } - } - ``` -- * Enterprise plan -- ```json - { - "properties": { - "roleName": "Azure Pipelines/Provisioning", - "description": "", - "assignableScopes": [ - "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" - ], - "permissions": [ - { - "actions": [ - "Microsoft.AppPlatform/Spring/write", - "Microsoft.AppPlatform/Spring/delete", - "Microsoft.AppPlatform/Spring/read", - "Microsoft.AppPlatform/Spring/enableTestEndpoint/action", - "Microsoft.AppPlatform/Spring/disableTestEndpoint/action", - "Microsoft.AppPlatform/Spring/listTestKeys/action", - "Microsoft.AppPlatform/Spring/regenerateTestKey/action", - "Microsoft.AppPlatform/Spring/buildServices/read", - "Microsoft.AppPlatform/Spring/buildServices/getResourceUploadUrl/action", - "Microsoft.AppPlatform/Spring/buildServices/builds/read", - "Microsoft.AppPlatform/Spring/buildServices/builds/write", - "Microsoft.AppPlatform/Spring/buildServices/builds/results/read", - "Microsoft.AppPlatform/Spring/buildServices/builds/results/getLogFileUrl/action", - "Microsoft.AppPlatform/Spring/buildServices/builders/read", - "Microsoft.AppPlatform/Spring/buildServices/builders/write", - "Microsoft.AppPlatform/Spring/buildServices/builders/delete", - "Microsoft.AppPlatform/Spring/buildServices/builders/buildpackBindings/read", - "Microsoft.AppPlatform/Spring/buildServices/builders/buildpackBindings/write", - "Microsoft.AppPlatform/Spring/buildServices/builders/buildpackBindings/delete", - "Microsoft.AppPlatform/Spring/buildServices/supportedBuildpacks/read", - "Microsoft.AppPlatform/Spring/buildServices/supportedStacks/read", - "Microsoft.AppPlatform/Spring/apps/write", - "Microsoft.AppPlatform/Spring/apps/delete", - "Microsoft.AppPlatform/Spring/apps/read", - "Microsoft.AppPlatform/Spring/apps/getResourceUploadUrl/action", - "Microsoft.AppPlatform/Spring/apps/validateDomain/action", - "Microsoft.AppPlatform/Spring/apps/bindings/write", - "Microsoft.AppPlatform/Spring/apps/bindings/delete", - "Microsoft.AppPlatform/Spring/apps/bindings/read", - "Microsoft.AppPlatform/Spring/apps/deployments/write", - "Microsoft.AppPlatform/Spring/apps/deployments/delete", - "Microsoft.AppPlatform/Spring/apps/deployments/read", - "Microsoft.AppPlatform/Spring/apps/deployments/start/action", - "Microsoft.AppPlatform/Spring/apps/deployments/stop/action", - "Microsoft.AppPlatform/Spring/apps/deployments/restart/action", - "Microsoft.AppPlatform/Spring/apps/deployments/getLogFileUrl/action", - "Microsoft.AppPlatform/skus/read", - "Microsoft.AppPlatform/locations/checkNameAvailability/action", - "Microsoft.AppPlatform/locations/operationResults/Spring/read", - "Microsoft.AppPlatform/locations/operationStatus/operationId/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ] - } - } - ``` --1. Select **Add**. --1. Review the permissions. ----## Next steps --* [Create or update Azure custom roles using the Azure portal](../role-based-access-control/custom-roles-portal.md) --For more information about three methods that define custom permissions, see: --* [Clone a role](../role-based-access-control/custom-roles-portal.md#clone-a-role) -* [Start from scratch](../role-based-access-control/custom-roles-portal.md#start-from-scratch) -* [Start from JSON](../role-based-access-control/custom-roles-portal.md#start-from-json) |
spring-apps | How To Prepare App Deployment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-prepare-app-deployment.md | - Title: How to prepare an application for deployment in Azure Spring Apps -description: Learn how to prepare an application for deployment to Azure Spring Apps. --- Previously updated : 07/06/2021---zone_pivot_groups: programming-languages-spring-apps ---# Prepare an application for deployment in Azure Spring Apps --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise --This article shows how to prepare an existing Steeltoe application for deployment to Azure Spring Apps. Azure Spring Apps provides robust services to host, monitor, scale, and update a Steeltoe app. --This article explains the dependencies, configuration, and code that are required to run a .NET Core Steeltoe app in Azure Spring Apps. For information about how to deploy an application to Azure Spring Apps, see [Deploy your first Spring Boot app in Azure Spring Apps](./quickstart.md). --> [!NOTE] -> Steeltoe support for Azure Spring Apps is currently offered as a public preview. Public preview offerings allow customers to experiment with new features prior to their official release. Public preview features and services are not meant for production use. For more information about support during previews, see the [FAQ](https://azure.microsoft.com/support/faq/) or file a [Support request](../azure-portal/supportability/how-to-create-azure-support-request.md). --## Supported versions --Azure Spring Apps supports: --* .NET Core 3.1 -* Steeltoe 2.4 and 3.0 --## Dependencies --For Steeltoe 2.4, add the latest [Microsoft.Azure.SpringCloud.Client 1.x.x](https://www.nuget.org/packages/Microsoft.Azure.SpringCloud.Client/) package to the project file: --```xml -<ItemGroup> - <PackageReference Include="Microsoft.Azure.SpringCloud.Client" Version="1.0.0-preview.1" /> - <PackageReference Include="Steeltoe.Discovery.ClientCore" Version="2.4.4" /> - <PackageReference Include="Steeltoe.Extensions.Configuration.ConfigServerCore" Version="2.4.4" /> - <PackageReference Include="Steeltoe.Management.TracingCore" Version="2.4.4" /> - <PackageReference Include="Steeltoe.Management.ExporterCore" Version="2.4.4" /> -</ItemGroup> -``` --For Steeltoe 3.0, add the latest [Microsoft.Azure.SpringCloud.Client 2.x.x](https://www.nuget.org/packages/Microsoft.Azure.SpringCloud.Client/) package to the project file: --```xml -<ItemGroup> - <PackageReference Include="Microsoft.Azure.SpringCloud.Client" Version="2.0.0-preview.1" /> - <PackageReference Include="Steeltoe.Discovery.ClientCore" Version="3.0.0" /> - <PackageReference Include="Steeltoe.Extensions.Configuration.ConfigServerCore" Version="3.0.0" /> - <PackageReference Include="Steeltoe.Management.TracingCore" Version="3.0.0" /> -</ItemGroup> -``` --## Update Program.cs --In the `Program.Main` method, call the `UseAzureSpringCloudService` method. --For Steeltoe 2.4.4, call `UseAzureSpringCloudService` after `ConfigureWebHostDefaults` and after `AddConfigServer` if it's called: --```csharp -public static IHostBuilder CreateHostBuilder(string[] args) => - Host.CreateDefaultBuilder(args) - .ConfigureWebHostDefaults(webBuilder => - { - webBuilder.UseStartup<Startup>(); - }) - .AddConfigServer() - .UseAzureSpringCloudService(); -``` --For Steeltoe 3.0.0, call `UseAzureSpringCloudService` before `ConfigureWebHostDefaults` and before any Steeltoe configuration code: --```csharp -public static IHostBuilder CreateHostBuilder(string[] args) => - Host.CreateDefaultBuilder(args) - .UseAzureSpringCloudService() - .ConfigureWebHostDefaults(webBuilder => - { - webBuilder.UseStartup<Startup>(); - }) - .AddConfigServer(); -``` --## Enable Eureka Server service discovery --> [!NOTE] -> Eureka is not applicable to the Enterprise plan. If you're using the Enterprise plan, see [Use Service Registry](how-to-enterprise-service-registry.md). --In the configuration source that's used when the app runs in Azure Spring Apps, set `spring.application.name` to the same name as the Azure Spring Apps app to which the project is deployed. --For example, if you deploy a .NET project named `EurekaDataProvider` to an Azure Spring Apps app named `planet-weather-provider` the *appSettings.json* file should include the following JSON: --```json -"spring": { - "application": { - "name": "planet-weather-provider" - } -} -``` --## Use service discovery --To call a service by using the Eureka Server service discovery, make HTTP requests to `http://<app_name>` where `app_name` is the value of `spring.application.name` of the target app. For example, the following code calls the `planet-weather-provider` service: --```csharp -using (var client = new HttpClient(discoveryHandler, false)) -{ - var responses = await Task.WhenAll( - client.GetAsync("http://planet-weather-provider/weatherforecast/mercury"), - client.GetAsync("http://planet-weather-provider/weatherforecast/saturn")); - var weathers = await Task.WhenAll(from res in responses select res.Content.ReadAsStringAsync()); - return new[] - { - new KeyValuePair<string, string>("Mercury", weathers[0]), - new KeyValuePair<string, string>("Saturn", weathers[1]), - }; -} -``` ---This article shows how to prepare an existing Java Spring application for deployment to Azure Spring Apps. If configured properly, Azure Spring Apps provides robust services to monitor, scale, and update your Java Spring application. --Before running this example, you can try the [basic quickstart](./quickstart.md). --Other examples explain how to deploy an application to Azure Spring Apps when the POM file is configured. --* [Launch your first App](./quickstart.md) -* [Introduction to the sample app](./quickstart-sample-app-introduction.md) --This article explains the required dependencies and how to add them to the POM file. --## Java Runtime version --For details, see the [Java runtime and OS versions](./faq.md?pivots=programming-language-java#java-runtime-and-os-versions) section of the [Azure Spring Apps FAQ](./faq.md). --## Spring Boot and Spring Cloud versions --To prepare an existing Spring Boot application for deployment to Azure Spring Apps, include the Spring Boot and Spring Cloud dependencies in the application POM file as shown in the following sections. --Azure Spring Apps supports the latest Spring Boot or Spring Cloud major version starting from 30 days after its release. Azure Spring Apps supports the latest minor version as soon as it's released. You can get supported Spring Boot versions from [Spring Boot Releases](https://github.com/spring-projects/spring-boot/wiki/Supported-Versions#releases) and Spring Cloud versions from [Spring Cloud Releases](https://github.com/spring-cloud/spring-cloud-release/wiki). --The following table lists the supported Spring Boot and Spring Cloud combinations: --### [Enterprise plan](#tab/enterprise-plan) --| Spring Boot version | Spring Cloud version | End of commercial support | -|||| -| 3.2.x | 2022.0.3+ also known as Kilburn | 2026-02-23 | -| 3.1.x | 2022.0.3+ also known as Kilburn | 2025-08-18 | -| 3.0.x | 2022.0.3+ also known as Kilburn | 2025-02-24 | -| 2.7.x | 2021.0.3+ also known as Jubilee | 2025-08-24 | -| 2.6.x | 2021.0.3+ also known as Jubilee | 2024-02-24 | --### [Basic/Standard plan](#tab/basic-standard-plan) --| Spring Boot version | Spring Cloud version | End of support | -|||-| -| 3.2.x | 2022.0.3+ also known as Kilburn | 2024-11-23 | -| 3.1.x | 2022.0.3+ also known as Kilburn | 2024-05-18 | -| 3.0.x | 2022.0.3+ also known as Kilburn | 2023-11-24 | -| 2.7.x | 2021.0.3+ also known as Jubilee | 2023-11-24 | ----For more information, see the following pages: --* [Spring Boot support](https://spring.io/projects/spring-boot#support) -* [Spring Cloud Config support](https://spring.io/projects/spring-cloud-config#support) -* [Spring Cloud Netflix support](https://spring.io/projects/spring-cloud-netflix#support) -* [Adding Spring Cloud To An Existing Spring Boot Application](https://spring.io/projects/spring-cloud#overview:~:text=Adding%20Spring%20Cloud%20To%20An%20Existing%20Spring%20Boot%20Application) --## Other recommended dependencies to enable Azure Spring Apps features --To enable the built-in features of Azure Spring Apps from service registry to distributed tracing, you need to also include the following dependencies in your application. You can drop some of these dependencies if you don't need corresponding features for the specific apps. --### Service Registry --To use the managed Azure Service Registry service, include the `spring-cloud-starter-netflix-eureka-client` dependency in the *pom.xml* file as shown here: --```xml -<dependency> - <groupId>org.springframework.cloud</groupId> - <artifactId>spring-cloud-starter-netflix-eureka-client</artifactId> -</dependency> -``` --The endpoint of the Service Registry server is automatically injected as environment variables with your app. Applications can register themselves with the Service Registry server and discover other dependent applications. --#### EnableDiscoveryClient annotation --Add the following annotation to the application source code. --```java -@EnableDiscoveryClient -``` --For example, see the piggymetrics application from earlier examples: --```java -package com.piggymetrics.gateway; --import org.springframework.boot.SpringApplication; -import org.springframework.boot.autoconfigure.SpringBootApplication; -import org.springframework.cloud.client.discovery.EnableDiscoveryClient; -import org.springframework.cloud.netflix.zuul.EnableZuulProxy; --@SpringBootApplication -@EnableDiscoveryClient -@EnableZuulProxy --public class GatewayApplication { - public static void main(String[] args) { - SpringApplication.run(GatewayApplication.class, args); - } -} -``` --### Distributed configuration --#### [Enterprise plan](#tab/enterprise-plan) --To enable distributed configuration in the Enterprise plan, use [Application Configuration Service for VMware Tanzu](https://docs.vmware.com/en/Application-Configuration-Service-for-VMware-Tanzu/2.0/acs/GUID-overview.html), which is one of the proprietary VMware Tanzu components. Application Configuration Service for Tanzu is Kubernetes-native, and different from Spring Cloud Config Server. Application Configuration Service for Tanzu enables the management of Kubernetes-native ConfigMap resources that are populated from properties defined in one or more Git repositories. --In the Enterprise plan, there's no Spring Cloud Config Server, but you can use Application Configuration Service for Tanzu to manage centralized configurations. For more information, see [Use Application Configuration Service for Tanzu](how-to-enterprise-application-configuration-service.md) --To use Application Configuration Service for Tanzu, do the following steps for each of your apps: --1. Add an explicit app binding to declare that your app needs to use Application Configuration Service for Tanzu. -- > [!NOTE] - > When you change the bind/unbind status, you must restart or redeploy the app to make the change take effect. --1. Set config file patterns. Config file patterns enable you to choose which application and profile the app uses. For more information, see the [Pattern](how-to-enterprise-application-configuration-service.md#pattern) section of [Use Application Configuration Service for Tanzu](how-to-enterprise-application-configuration-service.md). -- Another option is to set the config file patterns at the same time as your app deployment, as shown in the following example: -- ```azurecli - az spring app deploy \ - --name <app-name> \ - --artifact-path <path-to-your-JAR-file> \ - --config-file-pattern <config-file-pattern> - ``` --#### [Basic/Standard plan](#tab/basic-standard-plan) --To enable distributed configuration, include the following `spring-cloud-config-client` dependency in the dependencies section of your *pom.xml* file: --```xml -<dependency> - <groupId>org.springframework.cloud</groupId> - <artifactId>spring-cloud-config-client</artifactId> -</dependency> -<dependency> - <groupId>org.springframework.cloud</groupId> - <artifactId>spring-cloud-starter-bootstrap</artifactId> -</dependency> -``` --> [!WARNING] -> Don't specify `spring.cloud.config.enabled=false` in your bootstrap configuration. Otherwise, your application stops working with Config Server. ----### Metrics --Include the `spring-boot-starter-actuator` dependency in the dependencies section of your *pom.xml* file as shown here: --```xml -<dependency> - <groupId>org.springframework.boot</groupId> - <artifactId>spring-boot-starter-actuator</artifactId> -</dependency> -``` -- Metrics are periodically pulled from the JMX endpoints. You can visualize the metrics by using the Azure portal. -- > [!WARNING] - > You must specify `spring.jmx.enabled=true` in your configuration property. Otherwise, metrics can't be visualized in the Azure portal. --## See also --* [Analyze application logs and metrics](./diagnostic-services.md) -* [Set up your Config Server](./how-to-config-server.md) -* [Spring Quickstart Guide](https://spring.io/quickstart) -* [Spring Boot documentation](https://spring.io/projects/spring-boot) --## Next steps --In this article, you learned how to configure your Java Spring application for deployment to Azure Spring Apps. To learn how to set up a Config Server instance, see [Set up a Config Server instance](./how-to-config-server.md). --More samples are available on GitHub: [Azure Spring Apps Samples](https://github.com/Azure-Samples/azure-spring-apps-samples). |
spring-apps | How To Self Diagnose Running In Vnet | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-self-diagnose-running-in-vnet.md | - Title: "How to self-diagnose Azure Spring Apps with virtual networks" -description: Learn how to self-diagnose and solve problems in Azure Spring Apps running in virtual networks. ---- Previously updated : 04/28/2023----# Self-diagnose running Azure Spring Apps in virtual networks --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise --This article shows you how to use Azure Spring Apps diagnostics to diagnose and solve problems in Azure Spring Apps running in virtual networks. --Azure Spring Apps diagnostics supports interactive troubleshooting applications running in virtual networks without configuration. Azure Spring Apps diagnostics identifies problems and guides you to information that helps troubleshoot issues and resolve them. --## Navigate to the diagnostics page --Use the following steps to start diagnostics for networked applications. --1. Sign in to the Azure portal. -1. Go to your Azure Spring Apps instance. -1. Select **Diagnose and solve problems** in the navigation pane. -1. Select **Networking**. -- :::image type="content" source="media/how-to-self-diagnose-running-in-vnet/self-diagnostic-title.png" alt-text="Screenshot of the Azure portal showing the Diagnose and solve problems page with the Networking troubleshooting category highlighted." lightbox="media/how-to-self-diagnose-running-in-vnet/self-diagnostic-title.png"::: --## View a diagnostic report --After you select the **Networking** category, you can view two issues related to networking specific to your virtual-network injected Azure Spring Apps instances: **DNS Resolution** and **Required Outbound Traffic**. -- :::image type="content" source="media/how-to-self-diagnose-running-in-vnet/self-diagnostic-dns-req-outbound-options.png" alt-text="Screenshot of the Azure portal showing the Network troubleshooting page for diagnose and solve problems." lightbox="media/how-to-self-diagnose-running-in-vnet/self-diagnostic-dns-req-outbound-options.png"::: --Select your target issue to view the diagnostic report. A summary of diagnostics displays, such as: --* *Resource has been removed.* -* *Resource isn't deployed in your own virtual network*. --Some results contain related documentation. Different subnets display the results separately. --## DNS resolution --If you select **DNS Resolution**, results indicate whether there are DNS issues with applications. Examples of healthy applications are shown the following examples: --* *DNS issues resolved with no issues in subnet 'subnet01'*. -* *DNS issues resolved with no issues in subnet 'subnet02'*. --The following diagnostic report example indicates that the health of the application is unknown. The reporting time frame doesn't include the time when the health status was reported. Assume that the context end time is `2021-03-03T04:20:00Z`. The latest TIMESTAMP in the **DNS Resolution Table Renderings** is `2021-03-03T03:39:00Z`, the previous day. The health check log may not have been sent out because of a blocked network. --The unknown health status results contain related documentation. You can select the left angle bracket to see the drop-down display. ---If you misconfigured your Private DNS Zone record set, a critical result appears such as: `Failed to resolve the Private DNS in subnet xxx`. --In **DNS Resolution Table Renderings**, detailed message information displays from which you can check your configurations. --If your VNET uses a custom DNS server instead of the default Azure-provided DNS server, configure your DNS server to forward unresolved DNS queries to `168.63.129.16`. Azure recursive resolvers uses this IP address to resolve requests. If you don't use the Azure recursive resolvers, the Azure Spring Apps environment won't function as expected. For more information, see the [Name resolution that uses your own DNS server](../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md#name-resolution-that-uses-your-own-dns-server) section of [Name resolution for resources in Azure virtual networks](../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md) --## Required Outbound Traffic --If you select **Required Outbound Traffic**, results indicate whether there are outbound traffic issues with applications. The following examples are results for healthy applications: --* *Required outbound traffic resolved with no issues in subnet 'subnet01'. -* *Required outbound traffic resolved with no issues in subnet 'subnet02'. --If any subnet is blocked because of NSG or firewall rules, and if you haven't blocked the log, endpoint check failures display in the summary for the issue. The following destination endpoints fail because no rule is matched: --* `http://clr3.gigicert.com` -* `http://mscrl.microsoft.com` -* `http://crl.microsoft.com` --You can check whether you overlooked any customer responsibilities. For more information, see [Customer responsibilities for running Azure Spring Apps in a virtual network](./vnet-customer-responsibilities.md). --If there's no data displayed for **Required Outbound Traffic Table Renderings** within 30 minutes, the result is `health status unknown`. -Your network may be blocked or the log service is down. --## Next steps --* [How to self diagnose Azure Spring Apps](./how-to-self-diagnose-solve.md) |
spring-apps | How To Service Registration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-service-registration.md | - Title: Discover and register your Spring Boot applications in Azure Spring Apps -description: Discover and register your Spring Boot applications with managed Spring Cloud Service Registry (OSS) in Azure Spring Apps. ---- Previously updated : 05/09/2022--zone_pivot_groups: programming-languages-spring-apps ---# Discover and register your Spring Boot applications --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Standard consumption and dedicated (Preview) ✔️ Basic/Standard ❌ Enterprise --This article shows you how to register your application using Spring Cloud Service Registry. --Service registration and discovery are key requirements for maintaining a list of live app instances to call, and routing and load balancing inbound requests. Configuring each client manually takes time and introduces the possibility of human error. Azure Spring Apps provides two options for you to solve this problem: --> [!NOTE] -> To use service registry in the Standard consumption and dedicated plan, you must enable it first. For more information, see [Enable and disable Eureka Server in Azure Spring Apps](quickstart-standard-consumption-eureka-server.md). --* Use Kubernetes Service Discovery approach to invoke calls among your apps. -- Azure Spring Apps creates a corresponding Kubernetes service for every app running in it using the app name as the Kubernetes service name. You can invoke calls from one app to another app by using the app name in an HTTP/HTTPS request such as `http(s)://{app name}/path`. This approach is also suitable for the Enterprise plan. For more information, see the [Kubernetes registry code sample](https://github.com/Azure-Samples/azure-spring-apps-samples/tree/main/k8s-service-registry). -- > [!NOTE] - > This approach isn't suitable for Standard consumption and dedicated (Preview). --* Use Managed Spring Cloud Service Registry (OSS) in Azure Spring Apps. -- After configuration, a Service Registry server will control service registration and discovery for your applications. The Service Registry server maintains a registry of live app instances, enables client-side load-balancing, and decouples service providers from clients without relying on DNS. ---For information about how to set up service registration for a Steeltoe app, see [Prepare a Java Spring application for deployment in Azure Spring Apps](how-to-prepare-app-deployment.md). ----## Register your application using Spring Cloud Service Registry --Before your application can manage service registration and discovery using Spring Cloud Service Registry, you must include the following dependency for `spring-cloud-starter-netflix-eureka-client` in your *pom.xml* file: --```xml -<dependency> - <groupId>org.springframework.cloud</groupId> - <artifactId>spring-cloud-starter-netflix-eureka-client</artifactId> -</dependency> -``` --## Update the top level class --Finally, add an annotation to the top level class of your application, as shown in the following example: --```java -package foo.bar; --import org.springframework.boot.SpringApplication; -import org.springframework.boot.autoconfigure.SpringBootApplication; -import org.springframework.cloud.netflix.eureka.EnableEurekaClient; --@SpringBootApplication -@EnableEurekaClient -public class DemoApplication { -- public static void main(String[] args) { - SpringApplication.run(DemoApplication.class, args); - } -} -``` --The Spring Cloud Service Registry server endpoint is injected as an environment variable in your application. Applications can register themselves with the Service Registry server and discover other dependent applications. --> [!NOTE] -> It can take a few minutes for the changes to propagate from the server to all applications. --## Next steps --In this article, you learned how to register your application using Spring Cloud Service Registry. To learn how to access the Spring Cloud Service Registry using Microsoft Entra role-based access control (RBAC), see [Access Config Server and Service Registry](how-to-access-data-plane-azure-ad-rbac.md). |
spring-apps | How To Setup Autoscale | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-setup-autoscale.md | - Title: "Set up autoscale for applications" -description: This article describes how to set up Autoscale settings for your applications using the Microsoft Azure portal or the Azure CLI. ---- Previously updated : 11/03/2021----# Set up autoscale for applications --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Java ✔️ C# --**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise --This article describes how to set up Autoscale settings for your applications using the Microsoft Azure portal or the Azure CLI. --Autoscale is a built-in feature of Azure Spring Apps that helps applications perform their best when demand changes. Azure Spring Apps supports scale-out and scale-in, which includes modifying the number of app instances and load balancing. --## Prerequisites --To follow these procedures, you need: --* An Azure subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. -* A deployed Azure Spring Apps service instance. Follow the [quickstart on deploying an app via the Azure CLI](./quickstart.md) to get started. -* At least one application already created in your service instance. --## Navigate to the Autoscale page in the Azure portal --1. Sign in to the [Azure portal](https://portal.azure.com/). -1. Go to the Azure Spring Apps **Overview** page. -1. Select the **Apps** tab under **Settings** in the menu on the left navigation pane. -1. Select the application for which you want to set up Autoscale. In this example, select the application named **demo**. You should then see the application's **Overview** page. -1. Go to the **Scale out** tab under **Settings** in the menu on the left navigation pane. --## Set up Autoscale settings for your application in the Azure portal --There are two options for Autoscale demand management: --* Manual scale: Maintains a fixed instance count. In the Standard plan, you can scale out to a maximum of 500 instances. This value changes the number of separate running instances of the application. -* Custom autoscale: Scales on any schedule, based on any metrics. --In the Azure portal, choose how you want to scale. The following figure shows the **Custom autoscale** option and mode settings. ---## Set up Autoscale settings for your application in Azure CLI --You can also set Autoscale modes using the Azure CLI. The following commands create an Autoscale setting and an Autoscale rule. --* Create Autoscale setting: -- ```azurecli - az monitor autoscale create \ - --resource-group <resource-group-name> \ - --name <autoscale-setting-name> \ - --resource /subscriptions/<subscription-id>/resourcegroups/<resource-group-name>/providers/Microsoft.AppPlatform/Spring/<service-instance-name>/apps/<app-name>/deployments/<deployment-name> \ - --min-count 1 \ - --max-count 5 \ - --count 1 - ``` --* Create Autoscale rule: -- ```azurecli - az monitor autoscale rule create \ - --resource-group <resource-group-name> \ - --autoscale-name <autoscale-setting-name> \ - --scale out 1 \ - --cooldown 1 \ - --condition "tomcat.global.request.total.count > 100 avg 1m where AppName == <app-name> and Deployment == <deployment-name>" - ``` --For information on the available metrics, see the [User metrics options](./concept-metrics.md#user-metrics-options) section of [Metrics for Azure Spring Apps](./concept-metrics.md). --## Upgrade to the Standard plan --If you're on the Basic plan and constrained by one or more of these limits, you can upgrade to the Standard plan. To upgrade, go to the **Pricing** plan menu by first selecting the **Standard tier** column and then selecting the **Upgrade** button. --## Next steps --* [Overview of autoscale in Microsoft Azure](../azure-monitor/autoscale/autoscale-overview.md) -* [Azure CLI Monitoring autoscale](/cli/azure/monitor/autoscale) |
spring-apps | How To Staging Environment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-staging-environment.md | - Title: Set up a staging environment in Azure Spring Apps -description: Learn how to use blue-green deployment with Azure Spring Apps --- Previously updated : 01/14/2021-----# Set up a staging environment in Azure Spring Apps --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Java ❌ C# --**This article applies to:** ❌ Basic ✔️ Standard ✔️ Enterprise --This article explains how to set up a staging deployment by using the blue-green deployment pattern in Azure Spring Apps. Blue-green deployment is an Azure DevOps continuous delivery pattern that relies on keeping an existing (blue) version live while a new (green) one is deployed. This article shows you how to put that staging deployment into production without changing the production deployment. --## Prerequisites --- An existing Azure Spring Apps instance on the Standard plan.-- [Azure CLI](/cli/azure/install-azure-cli).--This article uses an application built from Spring Initializr. If you want to use a different application for this example, make a change in a public-facing portion of the application to differentiate your staging deployment from the production deployment. --> [!TIP] -> [Azure Cloud Shell](https://shell.azure.com) is a free interactive shell that you can use to run the instructions in this article. It has common, preinstalled Azure tools, including the latest versions of Git, JDK, Maven, and the Azure CLI. If you're signed in to your Azure subscription, start your Cloud Shell instance. To learn more, see [Overview of Azure Cloud Shell](../cloud-shell/overview.md). --To set up blue-green deployment in Azure Spring Apps, follow the instructions in the next sections. --## Install the Azure CLI extension --Install the [Azure Spring Apps extension](/cli/azure/azure-cli-extensions-overview) for the Azure CLI by using the following command: --```azurecli -az extension add --name spring -``` --## Prepare the app and deployments --To build the application, follow these steps: --1. Generate the code for the sample app by using Spring Initializr with [this configuration](https://start.spring.io/#!type=maven-project&language=java&packaging=jar&groupId=com.example&artifactId=hellospring&name=hellospring&description=Demo%20project%20for%20Spring%20Boot&packageName=com.example.hellospring&dependencies=web,cloud-eureka,actuator,cloud-config-client). --1. Download the code. -1. Add the following *HelloController.java* source file to the folder *\src\main\java\com\example\hellospring\*: -- ```java - package com.example.hellospring; - import org.springframework.web.bind.annotation.RestController; - import org.springframework.web.bind.annotation.RequestMapping; -- @RestController -- public class HelloController { -- @RequestMapping("/") -- public String index() { - return "Greetings from Azure Spring Apps!"; - } -- } - ``` --1. Build the *.jar* file: -- ```azurecli - mvn clean package -DskipTests - ``` --1. Create the app in your Azure Spring Apps instance: -- ```azurecli - az spring app create \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name demo \ - --runtime-version Java_17 \ - --assign-endpoint - ``` --1. Deploy the app to Azure Spring Apps: -- ```azurecli - az spring app deploy \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name demo \ - --artifact-path target\hellospring-0.0.1-SNAPSHOT.jar - ``` --1. Modify the code for your staging deployment: -- ```java - package com.example.hellospring; - import org.springframework.web.bind.annotation.RestController; - import org.springframework.web.bind.annotation.RequestMapping; -- @RestController -- public class HelloController { -- @RequestMapping("/") -- public String index() { - return "Greetings from Azure Spring Apps! THIS IS THE GREEN DEPLOYMENT"; - } -- } - ``` --1. Rebuild the *.jar* file: -- ```azurecli - mvn clean package -DskipTests - ``` --1. Create the green deployment: -- ```azurecli - az spring app deployment create \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --app demo \ - --name green \ - --runtime-version Java_17 \ - --artifact-path target\hellospring-0.0.1-SNAPSHOT.jar - ``` --## View apps and deployments --Use the following steps to view deployed apps. --1. Go to your Azure Spring Apps instance in the Azure portal. --1. From the navigation pane, open the **Apps** pane to view apps for your service instance. -- :::image type="content" source="media/how-to-staging-environment/app-dashboard.png" lightbox="media/how-to-staging-environment/app-dashboard.png" alt-text="Screenshot of the Apps pane showing apps for your service instance."::: --1. Select an app to view details. -- :::image type="content" source="media/how-to-staging-environment/app-overview.png" lightbox="media/how-to-staging-environment/app-overview.png" alt-text="Screenshot of details for an app."::: --1. Open **Deployments** to see all deployments of the app. The grid shows both production and staging deployments. -- :::image type="content" source="media/how-to-staging-environment/deployments-dashboard.png" lightbox="media/how-to-staging-environment/deployments-dashboard.png" alt-text="Screenshot that shows listed app deployments."::: --1. Select the URL to open the currently deployed application. -- :::image type="content" source="media/how-to-staging-environment/running-blue-app.png" lightbox="media/how-to-staging-environment/running-blue-app.png" alt-text="Screenshot that shows the URL of the deployed application."::: --1. Select **Production** in the **State** column to see the default app. -- :::image type="content" source="media/how-to-staging-environment/running-default-app.png" lightbox="media/how-to-staging-environment/running-default-app.png" alt-text="Screenshot that shows the URL of the default app."::: --1. Select **Staging** in the **State** column to see the staging app. -- :::image type="content" source="media/how-to-staging-environment/running-staging-app.png" lightbox="media/how-to-staging-environment/running-staging-app.png" alt-text="Screenshot that shows the URL of the staging app."::: -->[!TIP] -> Confirm that your test endpoint ends with a slash (/) to ensure that the CSS file is loaded correctly. If your browser requires you to enter login credentials to view the page, use [URL decode](https://www.urldecoder.org/) to decode your test endpoint. URL decode returns a URL in the format `https://\<username>:\<password>@\<cluster-name>.test.azuremicroservices.io/demo/green`. Use this format to access your endpoint. -->[!NOTE] -> Configuration server settings apply to both your staging environment and your production environment. For example, if you set the context path (*server.servlet.context-path*) for your app demo in the configuration server as *somepath*, the path to your green deployment changes to `https://\<username>:\<password>@\<cluster-name>.test.azuremicroservices.io/demo/green/somepath/...`. --If you visit your public-facing app demo at this point, you should see the old page without your new change. --## Set the green deployment as the production environment --1. After you've verified your change in your staging environment, you can push it to production. On the **Apps** > **Deployments** page, select the application currently in **Production**. --1. Select the ellipsis after **Registration status** of the green deployment, and then select **Set as production**. -- :::image type="content" source="media/how-to-staging-environment/set-staging-deployment.png" lightbox="media/how-to-staging-environment/set-staging-deployment.png" alt-text="Screenshot that shows selections for setting the staging build to production."::: --1. Confirm that the URL of the app displays your changes. -- :::image type="content" source="media/how-to-staging-environment/new-production-deployment.png" lightbox="media/how-to-staging-environment/new-production-deployment.png" alt-text="Screenshot that shows the URL of the app now in production."::: -->[!NOTE] -> After you've set the green deployment as the production environment, the previous deployment becomes the staging deployment. --## Modify the staging deployment --If you're not satisfied with your change, you can modify your application code, build a new .jar package, and upload it to your green deployment by using the Azure CLI: --```azurecli -az spring app deploy \ - --resource-group <resource-group-name> \ - --service <service-instance-name> \ - --name demo \ - --deployment green \ - --artifact-path demo.jar -``` --## Delete the staging deployment --To delete your staging deployment from the Azure portal, go to the page for your staging deployment and select the **Delete** button. --Alternatively, delete your staging deployment from the Azure CLI by running the following command: --```azurecli -az spring app deployment delete \ - --resource-group <resource-group-name> \ - --service <service-instance-name> \ - --name <staging-deployment-name> \ - --app demo -``` --## Next steps --- [CI/CD for Azure Spring Apps](./how-to-cicd.md?pivots=programming-language-java) |
spring-apps | How To Start Stop Service | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-start-stop-service.md | - Title: How to start or stop an Azure Spring Apps service instance -description: Describes how to start or stop an Azure Spring Apps service instance ---- Previously updated : 11/04/2021----# Start or stop your Azure Spring Apps service instance --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ❌ Standard consumption and dedicated (Preview) ✔️ Basic/Standard ✔️ Enterprise --This article shows you how to start or stop your Azure Spring Apps service instance. --Your applications running in Azure Spring Apps may not need to run continuously. For example, an application may not need to run continuously if you have a service instance that's used only during business hours. There may be times when Azure Spring Apps is idle and running only the system components. --You can reduce the active footprint of Azure Spring Apps by reducing the running instances, which reduces costs for compute resources. For more information, see [Start, stop, and delete an application in Azure Spring Apps](./how-to-start-stop-delete.md) and [Scale an application in Azure Spring Apps](./how-to-scale-manual.md). --To reduce your costs further, you can completely stop your Azure Spring Apps service instance. All user apps and system components are stopped. However, all your objects and network settings are saved so you can restart your service instance and pick up right where you left off. --## Limitations --The ability to stop and start your Azure Spring Apps service instance has the following limitations: --- You can stop and start your Azure Spring Apps service instance to help you save costs. However, you shouldn't stop and start a running instance for service recovery - for example, to recover from an invalid virtual network configuration.-- The state of a stopped Azure Spring Apps service instance is preserved for up to 90 days. If your cluster is stopped for more than 90 days, you can't recover the cluster state.-- You can only start, view, or delete a stopped Azure Spring Apps service instance. You must start your service instance before performing any update operation, such as creating or scaling an app.-- If an Azure Spring Apps service instance has been stopped or started successfully, you have to wait for at least 30 minutes to start or stop the instance again. However, if your last operation failed, you can try again to start or stop without having to wait.-- For virtual network instances, the start operation may fail due to invalid virtual network configurations. For more information, see [Customer responsibilities for running Azure Spring Apps in a virtual network](./vnet-customer-responsibilities.md).--## Prerequisites --- An existing service instance in Azure Spring Apps. To create a new service instance, see [Quickstart: Provision an Azure Spring Apps service instance](./quickstart-provision-service-instance.md).-- (Optional) [Azure CLI](/cli/azure/install-azure-cli) version 2.45.0 or later.--## [Portal](#tab/azure-portal) --## Stop a running instance --In the Azure portal, use the following steps to stop a running Azure Spring Apps instance: --1. Go to the Azure Spring Apps service overview page. --1. Select **Stop** to stop a running instance. -- :::image type="content" source="media/how-to-start-stop-service/spring-cloud-stop-service.png" alt-text="Screenshot of Azure portal showing the Azure Spring Apps Overview page with the Stop button and Status value highlighted."::: --1. After the instance stops, the status shows **Succeeded (Stopped)**. --## Start a stopped instance --In the Azure portal, use the following steps to start a stopped Azure Spring Apps instance: --1. Go to Azure Spring Apps service overview page. --1. Select **Start** to start a stopped instance. -- :::image type="content" source="media/how-to-start-stop-service/spring-cloud-start-service.png" alt-text="Screenshot of Azure portal showing the Azure Spring Apps Overview page with the Start button and Status value highlighted."::: --1. After the instance starts, the status shows **Succeeded (Running)**. --## [Azure CLI](#tab/azure-cli) --## Stop a running instance --With the Azure CLI, use the following command to stop a running Azure Spring Apps instance: --```azurecli -az spring stop \ - --name <service-instance-name> \ - --resource-group <resource-group-name> -``` --## Start a stopped instance --With the Azure CLI, use the following command to start a stopped Azure Spring Apps instance: --```azurecli -az spring start \ - --name <service-instance-name> \ - --resource-group <resource-group-name> -``` --## Check the power state --After the instance stops or starts, use the following command to check the power state: --```azurecli -az spring show \ - --name <service-instance-name> \ - --resource-group <resource-group-name> -``` ----## Troubleshoot failed resource provisioning during startup --When you start a service instance, you might get an error message even if the `ProvisioningState` is `Succeeded`. This error message helps you identify the resources that failed to start or the settings that weren't applied. --You might receive an error message similar to the following example: `Failed to start the following resource(s) or apply setting(s): [<failed resource list>]. Please check and update them accordingly.` --The following list describes some common actions you can take to recover from these failures: --- Identify the failed resources: Refer to the `<failed resource list>` section in the error message to identify the resources that failed to start or the settings that failed to apply.-- Investigate and mitigate: Examine each listed resource, check failure logs if available, and make necessary mitigations. These mitigations could involve updating the specific resources that failed to start or reapplying the affected settings.--## Next steps --- [Monitor app lifecycle events using Azure Activity log and Azure Service Health](./monitor-app-lifecycle-events.md)-- [Azure Monitor cost and usage](../azure-monitor/cost-usage.md) |
spring-apps | How To Troubleshoot Enterprise Spring Cloud Gateway | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-troubleshoot-enterprise-spring-cloud-gateway.md | - Title: How to troubleshoot VMware Spring Cloud Gateway with the Azure Spring Apps Enterprise plan -description: Shows you how to troubleshoot VMware Spring Cloud Gateway with the Azure Spring Apps Enterprise plan. ---- Previously updated : 06/26/2023----# Troubleshoot VMware Spring Cloud Gateway --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ❌ Basic/Standard ✔️ Enterprise --This article shows you how to troubleshoot Spring Cloud Gateway for VMware Tanzu with the Azure Spring Apps Enterprise plan. To learn more about VMware Spring Cloud Gateway, see [Configure VMware Spring Cloud Gateway](./how-to-configure-enterprise-spring-cloud-gateway.md). --## Prerequisites --- An already provisioned Azure Spring Apps Enterprise plan service instance with VMware Spring Cloud Gateway enabled. For more information, see [Quickstart: Build and deploy apps to Azure Spring Apps using the Enterprise plan](quickstart-deploy-apps-enterprise.md).-- [Azure CLI](/cli/azure/install-azure-cli) version 2.45.0 or later. Use the following command to install the Azure Spring Apps extension: `az extension add --name spring`.--## Check Gateway metrics --For more information on how to check metrics on the Azure portal, see the [Common metrics page](./concept-metrics.md#common-metrics-page) section of [Metrics for Azure Spring Apps](concept-metrics.md). --For more information on each supported metric, see the [Gateway](./concept-metrics.md#gateway) section of [Metrics for Azure Spring Apps](./concept-metrics.md). --## Check Gateway logs --Spring Cloud Gateway is composed of following subcomponents: --- `spring-cloud-gateway-operator` is for managing the Gateway.-- `spring-cloud-gateway` fulfills the features.--The logs of both subcomponents are available. The following sections describe how to check these logs. --### Use real-time log streaming --You can stream logs in real time with the Azure CLI. For more information, see [Stream Azure Spring Apps managed component logs in real time](./how-to-managed-component-log-streaming.md). The following examples show how you can use Azure CLI commands to continuously stream new logs for `spring-cloud-gateway` and `spring-cloud-gateway-operator` subcomponents. --Use the following command to stream logs for `spring-cloud-gateway`: --```azurecli -az spring component logs \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name spring-cloud-gateway \ - --all-instances \ - --follow -``` --Use the following command to stream logs for `spring-cloud-gateway-operator`: --```azurecli -az spring component logs \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name spring-cloud-gateway-operator \ - --all-instances \ - --follow -``` --### Use Log Analytics --The following sections show you how to view System Logs using Log Analytics. --#### Diagnostic settings for Log Analytics --You must turn on System Logs and send to your Log Analytics before you query the logs for VMware Spring Cloud Gateway. To enable System Logs in the Azure portal, use the following steps: --1. Open your Azure Spring Apps instance. --1. In the navigation menu, select **Diagnostics settings**. --1. Select **Add diagnostic setting** or select **Edit setting** for an existing setting. --1. In the **Logs** section, select the **System Logs** category. --1. In the **Destination details** section, select **Send to Log Analytics workspace** and then select your workspace. --1. Select **Save** to update the setting. --#### Check logs in Log Analytics --To check the logs of `spring-cloud-gateway` and `spring-cloud-gateway-operator` using the Azure portal, use the following steps: --1. Make sure you turned on **System Logs**. For more information, see the [Diagnostic settings for Log Analytics](#diagnostic-settings-for-log-analytics) section. --1. Open your Azure Spring Apps instance. --1. Select **Logs** in the navigation pane and then select **Overview**. --1. Use the following sample queries in the query edit pane. Adjust the time range then select **Run** to search for logs. -- - To view the logs for `spring-cloud-gateway`, use the following query: -- ```kusto - AppPlatformSystemLogs - | where LogType in ("SpringCloudGateway") - | project TimeGenerated , ServiceName , LogType, Log , _ResourceId - | limit 100 - ``` -- :::image type="content" source="media/how-to-troubleshoot-enterprise-spring-cloud-gateway/query-logs-spring-cloud-gateway.png" alt-text="Screenshot of the Azure portal that shows the query result of logs for VMware Spring Cloud Gateway." lightbox="media/how-to-troubleshoot-enterprise-spring-cloud-gateway/query-logs-spring-cloud-gateway.png"::: -- - To view the logs for `spring-cloud-gateway-operator`, use the following query: -- ```kusto - AppPlatformSystemLogs - | where LogType in ("SpringCloudGatewayOperator") - | project TimeGenerated , ServiceName , LogType, Log , _ResourceId - | limit 100 - ``` -- :::image type="content" source="media/how-to-troubleshoot-enterprise-spring-cloud-gateway/query-logs-spring-cloud-gateway-operator.png" alt-text="Screenshot of the Azure portal that shows the query result of logs for VMware Spring Cloud Gateway operator." lightbox="media/how-to-troubleshoot-enterprise-spring-cloud-gateway/query-logs-spring-cloud-gateway-operator.png"::: --> [!NOTE] -> There could be a few minutes delay before the logs are available in Log Analytics. --### Adjust log levels --This section describes how to adjust the log levels for VMware Spring Cloud Gateway and offers one logger as an example. --> [!IMPORTANT] -> Before you get started, be sure to understand the details and impacts of adjusting the log levels by reading the [Configure log levels](./how-to-configure-enterprise-spring-cloud-gateway.md#configure-log-levels) section of [Configure VMware Spring Cloud Gateway](./how-to-configure-enterprise-spring-cloud-gateway.md#configure-log-levels). --Use the following steps to adjust the log levels: --1. In your Azure Spring Apps instance, select **Spring Cloud Gateway** in the navigation pane and then select **Configuration**. -1. In the **Properties** sections, fill in the key/value pair `logging.level.org.springframework.cloud.gateway=DEBUG`. -1. Select **Save** to save your changes. -1. After the change is successful, you can find more detailed logs for troubleshooting, such as information about how requests are routed. --## Setup alert rules --You can create alert rules based on logs and metrics. For more information, see [Create or edit an alert rule](../azure-monitor/alerts/alerts-create-new-alert-rule.md). --Use the following steps to directly create alert rules from the Azure portal for Azure Spring Apps: --1. Open your Azure Spring Apps instance. -1. Navigate to **Logs** or **Metrics**. -1. Write the log query in the **Logs** pane, or add a metrics chart. -1. Select **New alert rule**. This action takes you to the **Create an alert rule** pane, and the log query or the metrics is filled out automatically. --You can now configure the alert rule details. --## Monitor Gateway with application performance monitor -- For more information on supported application performance monitors and how to configure them, see the [Configure application performance monitoring](./how-to-configure-enterprise-spring-cloud-gateway.md#configure-application-performance-monitoring) section of [Configure VMware Spring Cloud Gateway](./how-to-configure-enterprise-spring-cloud-gateway.md). --## Restart Gateway --For some errors, a restart might help solve the issue. For more information, see the [Restart Spring Cloud Gateway](./how-to-configure-enterprise-spring-cloud-gateway.md#restart-vmware-spring-cloud-gateway) section of [Configure VMware Spring Cloud Gateway](./how-to-configure-enterprise-spring-cloud-gateway.md). --## Next steps --- [How to Configure Spring Cloud Gateway](./how-to-configure-enterprise-spring-cloud-gateway.md)-- [Stream Azure Spring Apps managed component logs in real time](./how-to-managed-component-log-streaming.md) |
spring-apps | How To Use Accelerator | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-use-accelerator.md | - Title: Use VMware Tanzu Application Accelerator with the Azure Spring Apps Enterprise plan -description: Learn how to use VMware Tanzu App Accelerator with the Azure Spring Apps Enterprise plan. --- Previously updated : 11/29/2022-----# Use VMware Tanzu Application Accelerator with the Azure Spring Apps Enterprise plan --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ❌ Basic/Standard ✔️ Enterprise --This article shows you how to use [Application Accelerator for VMware Tanzu](https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.5/tap/application-accelerator-about-application-accelerator.html) (App Accelerator) with the Azure Spring Apps Enterprise plan to bootstrap developing your applications in a discoverable and repeatable way. --App Accelerator helps you bootstrap developing your applications and deploying them in a discoverable and repeatable way. You can use App Accelerator to create new projects based on published accelerator projects. For more information, see [Application Accelerator for VMware Tanzu](https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.5/tap/application-accelerator-about-application-accelerator.html) in the VMware documentation. --## Prerequisites --- An Azure subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.-- Understand and fulfill the requirements listed in the [Requirements](how-to-enterprise-marketplace-offer.md#requirements) section of [Enterprise plan in Azure Marketplace](how-to-enterprise-marketplace-offer.md).-- [Azure CLI](/cli/azure/install-azure-cli) with the Azure Spring Apps extension. Use the following command to remove previous versions and install the latest extension. If you previously installed the `spring-cloud` extension, uninstall it to avoid configuration and version mismatches.-- ```azurecli - az extension remove --name spring - az extension add --name spring - az extension remove --name spring-cloud - ``` --- To use App Accelerator in VS Code, you'll also need to satisfy the following prerequisites:-- - [Visual Studio Code](https://code.visualstudio.com/Download) - - [Azure Spring Apps extension for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=vscjava.vscode-spring-cloud) --## Enable App Accelerator --You can enable App Accelerator when you provision an Azure Spring Apps Enterprise plan instance. If you already have an Azure Spring Apps Enterprise plan resource, see the [Manage App Accelerator in an existing Enterprise plan instance](#manage-app-accelerator-in-an-existing-enterprise-plan-instance) section to enable it. --You can enable App Accelerator using the Azure portal or Azure CLI. --### [Azure portal](#tab/Portal) --Use the following steps to enable App Accelerator using the Azure portal: --1. Open the [Azure portal](https://portal.azure.com). -1. On the **Basics** tab, select **Enterprise tier** in the **Pricing** section and specify the required information. Then select **Next: VMware Tanzu settings**. -1. On the **VMware Tanzu settings** tab, select **Enable App Accelerator**. -- :::image type="content" source="media/how-to-use-accelerator/create-instance.png" alt-text="Screenshot of the Azure portal that shows the VMware Tanzu settings tab of the Azure Spring Apps Create screen, with the Enable App Accelerator checkbox highlighted." lightbox="media/how-to-use-accelerator/create-instance.png"::: --1. Specify other settings, and then select **Review and Create**. -1. On the **Review an create** tab, make sure that **Enable App Accelerator** and **Enable Dev Tools Portal** are set to **Yes**. Select **Create** to create the Enterprise plan instance. --### [Azure CLI](#tab/Azure-CLI) --Use the following steps to provision an Azure Spring Apps service instance with App Accelerator enabled using the Azure CLI. --1. Use the following command to sign in to the Azure CLI and choose your active subscription: -- ```azurecli - az login - az account list --output table - az account set --subscription <subscription-ID> - ``` --1. Use the following command to accept the legal terms and privacy statements for the Azure Spring Apps Enterprise plan. This step is necessary only if your subscription has never been used to create an Enterprise plan instance. -- ```azurecli - az provider register --namespace Microsoft.SaaS - az term accept \ - --publisher vmware-inc \ - --product azure-spring-cloud-vmware-tanzu-2 \ - --plan asa-ent-hr-mtr - ``` --1. Select a location. The location must support the Azure Spring Apps Enterprise plan. For more information, see the [Azure Spring Apps FAQ](faq.md). --1. Use the following command to create a resource group: -- ```azurecli - az group create \ - --name <resource-group-name> \ - --location <location> - ``` -- For more information about resource groups, see [What is Azure Resource Manager?](../azure-resource-manager/management/overview.md) --1. Prepare a name for your Azure Spring Apps service instance. The name must be between 4 and 32 characters long and can contain only lowercase letters, numbers, and hyphens. The first character of the service name must be a letter and the last character must be either a letter or a number. --1. Use the following command to create an Azure Spring Apps service instance with App Accelerator enabled: -- ```azurecli - az spring create \ - --resource-group <resource-group-name> \ - --name <Azure-Spring-Apps-service-instance-name> \ - --sku enterprise \ - --enable-application-accelerator - ``` ----## Monitor App Accelerator --Application Accelerator lets you generate new projects from files in Git repositories. The following table describes Application Accelerator's components: --| Component name | Instance count | vCPU per instance | Memory per instance | Description | -||-|-||-| -| `accelerator-server` | 2 | 0.4 core | 0.5Gi | Serves API used by Dev Tools Portal to list available accelerators and options. | -| `accelerator-engine` | 1 | 1 core | 3Gi | Processes the input values and files (pulled from a snapshot of a Git repository) and applies dynamic transformations to generate projects. | -| `accelerator-controller` | 1 | 0.2 core | 0.25Gi | Reconciles Application Accelerator resources. | -| `source-controller` | 1 | 0.2 core | 0.25Gi | Registers a controller to reconcile the `ImageRepositories` and `MavenArtifacts` resources used by Application Accelerator. | -| `flux-source-controller` | 1 | 0.2 core | 0.25Gi | Registers a controller to reconcile `GithubRepository` resources used by Application Accelerator. Supports managing Git repository sources for Application Accelerator. | --You can see the running instances and resource usage of all the components using the Azure portal and Azure CLI. --### [Azure portal](#tab/Portal) --You can view the state of Application Accelerator in the Azure portal on the **Developer Tools** page, as shown in the following screenshot: ---### [Azure CLI](#tab/Azure-CLI) --Use the following command in the Azure CLI to view Application Accelerator. --```azurecli -az spring application-accelerator show \ - --service <Azure-Spring-Apps-service-instance-name> \ - --resource-group <resource-group-name> -``` ----## Configure Dev Tools to access Application Accelerator --To access Application Accelerator, you must configure Tanzu Dev Tools. For more information, see [Configure Tanzu Dev Tools in the Azure Spring Apps Enterprise plan](./how-to-use-dev-tool-portal.md). --## Use Application Accelerator to bootstrap your new projects --To use Application Accelerator to bootstrap your new projects, you must get permissions to manage accelerators. You can then manage predefined accelerators or your own accelerators. --### Get permissions to manage accelerators --Managing your accelerators requires the following permissions: --- Read: Get Azure Spring Apps Predefined Accelerator-- Other: Disable Azure Spring Apps Predefined Accelerator-- Other: Enable Azure Spring Apps Predefined Accelerator-- Write: Create or Update Microsoft Azure Spring Apps Customized Accelerator-- Read: Get Azure Spring Apps Customized Accelerator--For more information, see [How to use permissions in Azure Spring Apps](./how-to-permissions.md). --### Manage predefined accelerators --You can start with several predefined accelerators to bootstrap your new projects. You can disable or enable the built-in accelerators according to your own preference. --You can manage predefined accelerators using the Azure portal or Azure CLI. --#### [Azure portal](#tab/Portal) --You can view the built-in accelerators in the Azure portal on the **Accelerators** tab, as shown in the following screenshot: ---#### [Azure CLI](#tab/Azure-CLI) --Use the following command in the Azure CLI to view a list of built-in accelerators: --```azurecli -az spring application-accelerator predefined-accelerator list \ - --service <service-instance-name> \ - --resource-group <resource-group-name> -``` --Use the following command to disable a built-in predefined accelerator: --```azurecli -az spring application-accelerator predefined-accelerator disable \ - --name <predefined-accelerator-name> \ - --service <service-instance-name> \ - --resource-group <resource-group-name> -``` --Use the following command to enable a built-in predefined accelerator: --```azurecli -az spring application-accelerator predefined-accelerator enable \ - --name <predefined-accelerator-name> \ - --service <service-instance-name> \ - --resource-group <resource-group-name> -``` ----### Manage your own accelerators --In addition to using the predefined accelerators, you can create your own accelerators. You can use any Git repository in Azure Devops, GitHub, GitLab, or BitBucket. --Use the following steps to create and maintain your own accelerators: --First, create a file named *accelerator.yaml* in the root directory of your Git repository. --You can use the *accelerator.yaml* file to declare input options that users fill in using a form in the UI. These option values control processing by the template engine before it returns the zipped output files. If you don't include an *accelerator.yaml* file, the repository still works as an accelerator, but the files are passed unmodified to users. For more information, see [Creating an accelerator.yaml file](https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.5/tap/application-accelerator-creating-accelerators-accelerator-yaml.html). --Next, publish the new accelerator. --After you create your *accelerator.yaml* file, you can create your accelerator. You can then view it in the Azure portal or the Application Accelerator page in Dev Tools Portal. You can publish the new accelerator using the Azure portal or Azure CLI. --#### [Azure portal](#tab/Portal) --To create your own accelerator, open the **Accelerators** section and then select **Add Accelerator** under the Customized Accelerators section. ---#### [Azure CLI](#tab/Azure-CLI) --Use the following command to create your own accelerator in Azure CLI: --```azurecli -az spring application-accelerator customized-accelerator create \ - --name <customized-accelerator-name> \ - --service <service-instance-name> \ - --resource-group <resource-group-name> \ - --display-name <display-name> \ - --git-url <git-repo-url> \ - [--description <description>] \ - [--icon-url <icon-url>] \ - [--accelerator-tags <tags-on-accelerator>] \ - [--git-interval <git-repository-refresh-interval-in-seconds>] \ - [--git-branch <git-branch-name>] \ - [--git-commit <git-commit-ID>] \ - [--git-tag <git-tag>] \ - [--ca-cert-name <ca-cert-name>] \ - [--username] \ - [--password] \ - [--private-key] \ - [--host-key] \ - [--host-key-algorithm] -``` ----The following table describes the customizable accelerator fields. --| Portal | CLI | Description | Required/Optional | -|||--|-| -| **Name** | `name` | A unique name for the accelerator. The name can't change after you create it. | Required | -| **Description** | `display-name` | A longer description of the accelerator. | Optional | -| **Icon url** | `icon-url` | A URL for an image to represent the accelerator in the UI. | Optional | -| **Tags** | `accelerator-tags` | An array of strings defining attributes of the accelerator that can be used in a search in the UI. | Optional | -| **Git url** | `git-url` | The repository URL of the accelerator source Git repository. The URL can be an HTTP/S or SSH address. The [scp-like syntax](https://git-scm.com/book/en/v2/Git-on-the-Server-The-Protocols#_the_ssh_protocol) isn't supported for SSH addresses (for example, `user@example.com:repository.git`). Instead, the valid URL format is `ssh://user@example.com:22/repository.git`. | Required | -| **Git interval** | `git-interval-in-seconds` | The interval at which to check for repository updates. If not specified, the interval defaults to 10 minutes. There's also a refresh interval (currently 10 seconds) before accelerators may appear in the UI. There could be a 10-second delay before changes are reflected in the UI. | Optional | -| **Git branch** | `git-branch` | The Git branch to check out and monitor for changes. You should specify only the Git branch, Git commit, or Git tag. | Optional | -| **Git commit** | `git-commit` | The Git commit SHA to check out. You should specify only the Git branch, Git commit, or Git tag. | Optional | -| **Git tag** | `git-tag` | The Git commit tag to check out. You should specify only the Git branch, Git commit, or Git tag. | Optional | -| **Git sub path** | `git-sub-path` | The folder path inside the Git repository to consider as the root of the accelerator or fragment. | Optional | -| **Authentication type** | `N/A` | The authentication type of the accelerator source repository. The type can be `Public`, `Basic auth`, or `SSH`. | Required | -| **User name** | `username` | The user name to access the accelerator source repository whose authentication type is `Basic auth`. | Required when the authentication type is `Basic auth`. | -| **Password/Personal access token** | `password` | The password to access the accelerator source repository whose authentication type is `Basic auth`. | Required when the authentication type is `Basic auth`. | -| **Private key** | `private-key` | The private key to access the accelerator source repository whose authentication type is `SSH`. Only OpenSSH private key is supported. | Required when authentication type is `SSH`. | -| **Host key** | `host-key` | The host key to access the accelerator source repository whose authentication type is `SSH`. | Required when the authentication type is `SSH`. | -| **Host key algorithm** | `host-key-algorithm` | The host key algorithm to access the accelerator source repository whose authentication type is `SSH`. Can be `ecdsa-sha2-nistp256` or `ssh-rsa`. | Required when authentication type is `SSH`. | -| **CA certificate name** | `ca-cert-name` | The CA certificate name to access the accelerator source repository with self-signed certificate whose authentication type is `Public` or `Basic auth`. | Required when a self-signed cert is used for the Git repo URL. | -| **Type** | `type` | The type of customized accelerator. The type can be `Accelerator` or `Fragment`. The default value is `Accelerator`. | Optional | --To view all published accelerators, see the App Accelerators section of the **Developer Tools** page. Select the App Accelerator URL to view the published accelerators in Dev Tools Portal: ---To view the newly published accelerator, refresh Dev Tools Portal. ---> [!NOTE] -> It might take a few seconds for Dev Tools Portal to refresh the catalog and add an entry for your new accelerator. The refresh interval is configured as `git-interval` when you create the accelerator. After you change the accelerator, it also takes time to be reflected in Dev Tools Portal. The best practice is to change the `git-interval` to speed up for verification after you apply changes to the Git repo. --### Reference a fragment in your own accelerators --Writing and maintaining accelerators can become repetitive and verbose as new accelerators are added. Some people create new projects by copying existing ones and making modifications, but this process can be tedious and error prone. To make the creation and maintenance of accelerators easier, Application Accelerator supports a feature named Composition that allows the reuse of parts of an accelerator, called *fragments*. --Use the following steps to reference a fragment in your accelerator: --1. Publish the new accelerator of type `Fragment` using the Azure portal or the Azure CLI. -- #### [Azure portal](#tab/Portal) -- To create a fragment accelerator, open the **Accelerators** section, select **Add Accelerator** under the **Customized Accelerators** section, and then select **Fragment**. -- :::image type="content" source="media/how-to-use-accelerator/add-fragment.png" alt-text="Screenshot of the Azure portal that shows the Customized Accelerators of type `Fragment`." lightbox="media/how-to-use-accelerator/add-fragment.png"::: -- #### [Azure CLI](#tab/Azure-CLI) -- Use the following command to create a customized accelerator of type `Fragment`: -- ```azurecli - az spring application-accelerator customized-accelerator create \ - --resource-group <resource-group-name> \ - --service <service-instance-name> \ - --name <fragment-accelerator-name> \ - --display-name <display-name> \ - --type Fragment \ - [--git-sub-path <sub project path>] \ - --git-url <git-repo-URL> - ``` --1. Change the *accelerator.yaml* file in your accelerator project. Use the `imports` instruction in the `accelerator` section and the `InvokeFragment` instruction in the `engine` section to reference the fragment in the accelerator, as shown in the following example: -- ```yaml - accelerator: - ... - # options for the UI - options: - ... - imports: - - name: <fragment-accelerator-name> - ... -- engine: - chain: - ... - - merge: - - include: [ "**" ] - - type: InvokeFragment - reference: <fragment-accelerator-name> - ``` --1. Synchronize the change with the Dev Tools Portal. -- To reflect the changes on the Dev Tools Portal more quickly, you can provide a value for the **Git interval** field of your customized accelerator. The **Git interval** value indicates how frequently the system checks for updates in the Git repository. --1. Synchronize the change with your customized accelerator on the Azure portal by using the Azure portal or the Azure CLI. -- #### [Azure portal](#tab/Portal) -- The following list shows the two ways you can sync changes: -- - Create or update your customized accelerator. - - Open the **Accelerators** section, and then select **Sync certificate**. -- #### [Azure CLI](#tab/Azure-CLI) -- Use the following command to sync changes for an accelerator: -- ```azurecli - az spring application-accelerator customized-accelerator sync-cert \ - --name <customized-accelerator-name> \ - --service <service-instance-name> \ - --resource-group <resource-group-name> - ``` --For more information, see [Use fragments in Application Accelerator](https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.5/tap/application-accelerator-creating-accelerators-composition.html) in the VMware documentation. --### Use accelerators to bootstrap a new project --Use the following steps to bootstrap a new project using accelerators: --1. On the **Developer Tools** page, select the App Accelerator URL to open the Dev Tools Portal. -- :::image type="content" source="media/how-to-use-accelerator/tap-gui-url.png" alt-text="Screenshot of the Azure portal that shows the Developer Tools page with the App Accelerator URL highlighted." lightbox="media/how-to-use-accelerator/tap-gui-url.png"::: --1. On the Dev Tools Portal, select an accelerator. --1. Specify input options in the **Configure accelerator** section of the **Generate Accelerators** page. -- :::image type="content" source="media/how-to-use-accelerator/configure-accelerator.png" alt-text="Screenshot of the VMware Tanzu Dev Tools for Azure Spring Apps Generate Accelerators page that shows the Configure accelerator section." lightbox="media/how-to-use-accelerator/configure-accelerator.png"::: --1. Select **EXPLORE FILE** to view the project structure and source code. -- :::image type="content" source="media/how-to-use-accelerator/explore-accelerator-project.png" alt-text="Screenshot of the VMware Tanzu Dev Tools for Azure Spring Apps Explore project pane." lightbox="media/how-to-use-accelerator/explore-accelerator-project.png"::: --1. Select **Review and generate** to review the specified parameters, and then select **Generate accelerator**. -- :::image type="content" source="media/how-to-use-accelerator/generate-accelerator.png" alt-text="Screenshot of the VMware Tanzu Dev Tools for Azure Spring Apps Generate Accelerators page that shows the Review and generate section." lightbox="media/how-to-use-accelerator/generate-accelerator.png"::: --1. You can then view or download the project as a zip file. -- :::image type="content" source="media/how-to-use-accelerator/download-file.png" alt-text="Screenshot the VMware Tanzu Dev Tools for Azure Spring Apps that shows the Task Activity pane." lightbox="media/how-to-use-accelerator/download-file.png"::: --### Configure accelerators with a self-signed certificate --When you set up a private Git repository and enable HTTPS with a self-signed certificate, you should configure the CA certificate name to the accelerator for client certificate verification from the accelerator to the Git repository. --Use the following steps to configure accelerators with a self-signed certificate: --1. Import the certificates into Azure Spring Apps. For more information, see the [Import a certificate](how-to-use-tls-certificate.md#import-a-certificate) section of [Use TLS/SSL certificates in your application in Azure Spring Apps](how-to-use-tls-certificate.md). -1. Configure the certificate for the accelerator by using the Azure portal or the Azure CLI. --#### [Azure portal](#tab/Portal) --To configure a certificate for an accelerator, open the **Accelerators** section and then select **Add Accelerator** under the **Customized Accelerators** section. Then, select the certificate from the dropdown list. ---#### [Azure CLI](#tab/Azure-CLI) --Use the following command to configure a certificate for the accelerator: --```azurecli -az spring application-accelerator customized-accelerator create \ - --resource-group <resource-group-name> \ - --service <service-instance-name> \ - --name <customized-accelerator-name> \ - --git-url <git-repo-URL> \ - --ca-cert-name <ca-cert-name> -``` ----### Rotate certificates --As certificates expire, you need to rotate certificates in Spring Cloud Apps by using the following steps: --1. Generate new certificates from a trusted CA. -1. Import the certificates into Azure Spring Apps. For more information, see the [Import a certificate](how-to-use-tls-certificate.md#import-a-certificate) section of [Use TLS/SSL certificates in your application in Azure Spring Apps](how-to-use-tls-certificate.md). -1. Synchronize the certificates using the Azure portal or the Azure CLI. --The accelerators won't automatically use the latest certificate. You should sync one or all certificates by using the Azure portal or the Azure CLI. --#### [Azure portal](#tab/Portal) --To sync certificates for all accelerators, open the **Accelerators** section and then select **Sync certificate**, as shown in the following screenshot: ---To sync a certificate for a single accelerator, open the **Accelerators** section and then select **Sync certificate** from the context menu of an accelerator, as shown in the following screenshot: ---#### [Azure CLI](#tab/Azure-CLI) --Use the following command to sync certificates for an accelerator: --```azurecli -az spring application-accelerator customized-accelerator sync-cert \ - --name <customized-accelerator-name> \ - --service <service-instance-name> \ - --resource-group <resource-group-name> -``` ----## Manage App Accelerator in an existing Enterprise plan instance --You can enable App Accelerator under an existing Azure Spring Apps Enterprise plan instance using the Azure portal or Azure CLI. --### [Azure portal](#tab/Portal) --If a Dev tools public endpoint has already been exposed, you can enable App Accelerator, and then press <kbd>Ctrl</kbd>+<kbd>F5</kbd> to deactivate the browser cache to view it on the Dev Tools Portal. --Use the following steps to enable App Accelerator under an existing Azure Spring Apps Enterprise plan instance using the Azure portal: --1. Navigate to your service resource, and then select **Developer Tools**. -1. Select **Manage tools**. -1. Select **Enable App Accelerator**, and then select **Apply**. -- :::image type="content" source="media/how-to-use-accelerator/enable-app-accelerator.png" alt-text="Screenshot of the Azure portal that shows the Manage tools pane with the Enable App Accelerator option highlighted." lightbox="media/how-to-use-accelerator/enable-app-accelerator.png"::: --You can view whether App Accelerator is enabled or disabled on the **Developer Tools** page. --### [Azure CLI](#tab/Azure-CLI) --Use the following command to enable App Accelerator for an Azure Spring Apps service instance using the Azure CLI: --```azurecli -az spring application-accelerator create \ - --service <Azure-Spring-Apps-service-instance-name> \ - --resource-group <resource-group-name> -``` --Use the following command to disable App Accelerator for an Azure Spring Apps service instance: --```azurecli -az spring application-accelerator delete \ - --service <Azure-Spring-Apps-service-instance-name> \ - --resource-group <resource-group-name> -``` --To access the Dev Tools Portal, make sure it's enabled with an assigned public endpoint. Use the following command to enable the Dev Tools Portal: --```azurecli -az spring dev-tool create \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-service-instance-name> \ - --assign-endpoint -``` ----## Use App Accelerator in VS Code --You can bootstrap your project from any accelerator of App Accelerator in an Azure Spring Apps Enterprise plan service instance in VS Code directly. --### View the list of App Accelerators --Use the following steps to view the list of App Accelerators in an Azure Spring Apps Enterprise plan service instance: --1. In Visual Studio Code, open the Azure Spring Apps extension, and then sign in to your Azure account. --1. Expand the service instance that you want and right-click to select the service instance. --1. From the menu, select **Open Application Accelerator** to open the list of App Accelerators. The system prompts you to install the [Tanzu Application Accelerator Visual Studio Code extension](https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.6/tap/application-accelerator-vscode.html) if it isn't installed. -- :::image type="content" source="media/how-to-use-accelerator/visual-studio-code-open-accelerator.png" alt-text="Screenshot of the VS Code extension showing the Open Application Accelerator option for a service instance." lightbox="media/how-to-use-accelerator/visual-studio-code-open-accelerator.png"::: --1. Select any accelerator to bootstrap your project. -- :::image type="content" source="media/how-to-use-accelerator/visual-studio-code-extension-accelerator-list.png" alt-text="Screenshot of VS Code that shows the list of App Accelerator extensions." lightbox="media/how-to-use-accelerator/visual-studio-code-extension-accelerator-list.png"::: --> [!NOTE] -> When using the extension, if you experience any issues that you can't fix, log out of your account from the extension. --### Troubleshoot App Accelerator issues --If you try to open App Accelerator for a service instance that hasn't enabled App Accelerator or exposed a public endpoint, you see the following error message: `Application Accelerator of Spring Apps <instance-name> is not enabled or publically accessible`. --To enable App Accelerator and expose public endpoints, use the following steps. For more information, see the [Manage App Accelerator in an existing Enterprise plan instance](#manage-app-accelerator-in-an-existing-enterprise-plan-instance) section. --1. If you enabled single sign-on in the Dev Tools Portal, you see the following message when you access the extension: `The extension 'Tanzu App Accelerator' wants to sign in using VMware Tanzu.` For more information, see the [Configure Dev Tools Portal](./how-to-use-dev-tool-portal.md#configure-dev-tools-portal) section of [Configure Tanzu Dev Tools in the Azure Spring Apps Enterprise plan](how-to-use-dev-tool-portal.md). --1. Select **Allow**, select **Open**, and then select **Open** again to open the list of VS Code extensions. -- :::image type="content" source="media/how-to-use-accelerator/visual-studio-code-extension-accelerator-list.png" alt-text="Screenshot of VS Code that shows the list of App Accelerator extensions." lightbox="media/how-to-use-accelerator/visual-studio-code-extension-accelerator-list.png"::: --Sometimes, you might get an error message similar to the following example: `AADSTS50011: The redirect URI 'vscode://VMware.tanzu-app-accelerator' specified in the request does not match the redirect URIs configured for the application 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/redirectUriMismatchError to learn more about how to fix this.` --To address this issue, add the redirect URI `vscode://VMware.tanzu-app-accelerator` to the relevant identity provider (IdP). In Microsoft Entra ID, go to the **Authentication** menu and add redirect URIs to mobile and desktop applications in the platform configurations. --## Next steps --- [Azure Spring Apps](index.yml) |
spring-apps | How To Use Application Live View | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-use-application-live-view.md | - Title: Use Application Live View with the Azure Spring Apps Enterprise plan -description: Learn how to use Application Live View for VMware Tanzu. ---- Previously updated : 12/01/2022----# Use Application Live View with the Azure Spring Apps Enterprise plan --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ❌ Basic/Standard ✔️ Enterprise --This article shows you how to use Application Live View for VMware Tanzu with the Azure Spring Apps Enterprise plan. --[Application Live View for VMware Tanzu](https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.4/tap/app-live-view-about-app-live-view.html) is a lightweight insights and troubleshooting tool that helps app developers and app operators look inside running apps. --Application Live View only supports Spring Boot applications. --## Prerequisites --- An Azure subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.-- Understand and fulfill the [Requirements](how-to-enterprise-marketplace-offer.md#requirements) section of [Enterprise plan in Azure Marketplace](how-to-enterprise-marketplace-offer.md).-- [Azure CLI](/cli/azure/install-azure-cli) with the Azure Spring Apps extension. Use the following command to remove previous versions and install the latest extension. If you previously installed the `spring-cloud` extension, uninstall it to avoid configuration and version mismatches.-- ```azurecli - az extension remove --name spring - az extension add --name spring - az extension remove --name spring-cloud - ``` --## Enable Application Live View --You can enable Application Live View when you provision an Azure Spring Apps Enterprise plan instance. If you already have a provisioned Azure Spring Apps Enterprise resource, see the [Manage Application Live View in existing Enterprise plan instances](#manage-application-live-view-in-existing-enterprise-plan-instances) section of this article. --You can enable Application Live View using the Azure portal or Azure CLI. --### [Azure portal](#tab/Portal) --Use the following steps to enable Application Live View using the Azure portal: --1. Navigate to the [Azure portal](https://portal.azure.com/#create/vmware-inc.azure-spring-cloud-vmware-tanzu-2). -1. On the **Basics** tab, select **Enterprise tier** in pricing, specify other input fields, and then select **Next**. -1. On the **VMware Tanzu settings** tab, select **Enable App Live View**. -- :::image type="content" source="media/how-to-use-application-live-view/create.png" alt-text="Screenshot of the VMware Tanzu settings tab with the Enable App Live View checkbox selected." lightbox="media/how-to-use-application-live-view/create.png"::: --1. Specify other settings, and then select **Review and Create**. -1. Make sure that **Enable Application Live View** and **Enable Dev Tools Portal** are set to *Yes* on the **Review and Create** tab, and then select **Create** to create the Enterprise plan instance. --### [Azure CLI](#tab/Azure-CLI) --Use the following steps to provision an Azure Spring Apps service instance using the Azure CLI. --1. Use the following command to sign in to the Azure CLI and specify your active subscription: -- ```azurecli - az login - az account list --output table - az account set --subscription <subscription-ID> - ``` --1. Use the following command to accept the legal terms and privacy statements for the Enterprise plan. This step is necessary only if your subscription has never been used to create an Enterprise plan instance of Azure Spring Apps. -- ```azurecli - az provider register --namespace Microsoft.SaaS - az term accept \ - --publisher vmware-inc \ - --product azure-spring-cloud-vmware-tanzu-2 \ - --plan asa-ent-hr-mtr - ``` --1. Select a location. This location must be a location supporting the Azure Spring Apps Enterprise plan. For more information, see the [Azure Spring Apps FAQ](faq.md). --1. Use the following command to create a resource group: -- ```azurecli - az group create \ - --name <resource-group-name> \ - --location <location> - ``` -- For more information about resource groups, see [What is Azure Resource Manager?](../azure-resource-manager/management/overview.md) --1. Prepare a name for your Azure Spring Apps service instance. The name must be between 4 and 32 characters long and can contain only lowercase letters, numbers, and hyphens. The first character of the service name must be a letter and the last character must be either a letter or a number. --1. Use the following command to create an Azure Spring Apps service instance: -- ```azurecli - az spring create \ - --resource-group <resource-group-name> \ - --name <Azure-Spring-Apps-service-instance-name> \ - --sku enterprise \ - --enable-application-live-view - ``` ----## Monitor Application Live View --Azure Spring Apps runs the Application Live View in connector mode. --| Component | Description | -||-| -| Application Live View Server | The central server component that contains a list of registered apps. Application Live View Server is responsible for proxying the request to fetch the actuator information related to the app. | -| Application Live View Connector | The component responsible for discovering the running app and registering the instances to the Application Live View Server for it to be observed. The Application Live View Connector is also responsible for proxying the actuator queries to the app. | --After you provision the Azure Spring Apps Enterprise plan instance, you can obtain its running state and resource consumption, or manage Application Live View. --You can monitor Application Live View using the Azure portal or Azure CLI. --### [Azure portal](#tab/Portal) --You can view the state of Application Live View in the Azure portal on the **Overview** tab of the **Developer Tools** page. ---### [Azure CLI](#tab/Azure-CLI) --Use the following command in the Azure CLI to view Application Live View: --```azurecli -az spring application-live-view show \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-service-instance-name> -``` ----## Configure Dev Tools to access Application Live View --To access Application Live View, you need to configure Tanzu Dev Tools. For more information, see [Configure Tanzu Dev Tools in the Azure Spring Apps Enterprise plan](./how-to-use-dev-tool-portal.md). --## Use Application Live View to monitor your apps --Application Live View lets you view live metrics for Spring Boot applications and Spring Native applications. The Application Live View is based on the concept of Spring Boot Actuators. --Use the following steps to deploy an app and monitor it in Application Live View: --1. Add the following dependency to your application's *pom.xml* file. -- ```xml - <dependency> - <groupId>org.springframework.boot</groupId> - <artifactId>spring-boot-starter-actuator</artifactId> - </dependency> - ``` --1. Add the following execution goal to your Maven plugin in the *pom.xml* file to expose build information: -- ```xml - <plugin> - <groupId>org.springframework.boot</groupId> - <artifactId>spring-boot-maven-plugin</artifactId> - <executions> - <execution> - <goals> - <goal>build-info</goal> - </goals> - <configuration> - <additionalProperties> - <spring.boot.version>${project.parent.version}</spring.boot.version> - </additionalProperties> - </configuration> - </execution> - </executions> - </plugin> - ``` --1. Enable the actuator endpoint by adding the following configuration in *application.properties*: -- ```properties - management.endpoints.web.exposure.include=info,health - ``` --1. Use the following command to build your package locally: -- ```bash - mvn clean package -DskipTests - ``` --1. Use the following command to deploy the binary: -- ```azurecli - az spring app create \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-service-instance-name> \ - --name <app-name> - az spring app deploy \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-service-instance-name> \ - --name <app-name> \ - --artifact-path <jar-file-in-target-folder> - ``` --1. After the app is successfully deployed, you can monitor it using the Application Live View dashboard on Dev Tools Portal. For more information, see [Monitor apps by Application Live View](./monitor-apps-by-application-live-view.md). -- If you've already enabled Dev Tools Portal and exposed a public endpoint, use the following command to get the Dev Tools Portal dashboard URL. Add the suffix `/app-live-view` to compose the endpoint to access Application Live View. -- ```azurecli - az spring dev-tool show --service <Azure-Spring-Apps-service-instance-name> \ - --resource-group <resource-group-name> \ - --query properties.url \ - --output tsv - ``` -- You can also access the Application Live View using Visual Studio Code (VS Code). For more information, see the [Use Application Live View in VS Code](#use-application-live-view-in-vs-code) section. --## Manage Application Live View in existing Enterprise plan instances --You can enable Application Live View in an existing Azure Spring Apps Enterprise plan instance using the Azure portal or Azure CLI. --If you have already enabled Dev Tools Portal and exposed a public endpoint, use <kbd>Ctrl</kbd>+<kbd>F5</kbd> to deactivate the browser cache after you enable Application Live View. --### [Azure portal](#tab/Portal) --Use the following steps to manage Application Live View using the Azure portal: --1. Navigate to your service resource, and then select **Developer Tools**. -1. Select **Manage tools**. -- :::image type="content" source="media/how-to-use-application-live-view/manage.png" alt-text="Screenshot of the Developer Tools page." lightbox="media/how-to-use-application-live-view/manage.png"::: --1. Select the **Enable App Live View** checkbox, and then select **Save**. -- :::image type="content" source="media/how-to-use-application-live-view/check-enable.png" alt-text="Screenshot of the Developer Tools section showing the Enable App Live View checkbox." lightbox="media/how-to-use-application-live-view/check-enable.png"::: --1. You can then view the state of Application Live View on the **Developer Tools**. -- :::image type="content" source="media/how-to-use-application-live-view/check-enable.png" alt-text="Screenshot of the Developer Tools section showing the Enable App Live View checkbox." lightbox="media/how-to-use-application-live-view/check-enable.png"::: --### [Azure CLI](#tab/Azure-CLI) --Use the following command to enable Application Live View using the Azure CLI: --```azurecli -az spring application-live-view create \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-service-instance-name> -``` --To access the Application Live View dashboard, you must enable Dev Tools Portal and assign a public endpoint. Use the following command to enable Dev Tools Portal and assign a public endpoint: --```azurecli -az spring dev-tool create \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-service-instance-name> \ - --assign-endpoint -``` ----## Use Application Live View in VS Code --You can access Application Live View directly in VS Code to monitor your apps in the Azure Spring Apps Enterprise plan. --### Prerequisites --- [Visual Studio Code](https://code.visualstudio.com/Download)-- [Azure Spring Apps extension for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=vscjava.vscode-spring-cloud)--### View Application Live View dashboard --Use the following steps to view the Application Live View dashboard for a service instance: --1. In Visual Studio Code, open the Azure Spring Apps extension, and then sign in to your Azure account. -1. Expand the service instance that you want to monitor and right-click to select the service instance. -1. Select **Open Application Live View** from the menu to open the Application Live View dashboard in your default browser. -- :::image type="content" source="media/how-to-use-application-live-view/visual-studio-code-open-service.png" alt-text="Screenshot of the VS Code extension showing the Open Application Live View option for a service instance." lightbox="media/how-to-use-application-live-view/visual-studio-code-open-service.png"::: --### View Application Live View page for an app --Use the following steps to view the Application Live View page for an app: --1. In Visual Studio Code, open the Azure Spring Apps extension, and then sign in to your Azure account. -1. Expand the service instance and the app that you want to monitor. Right-click the app. -1. Select **Open Application Live View** from the menu to open the Application Live View page for the app in your default browser. -- :::image type="content" source="media/how-to-use-application-live-view/visual-studio-code-open-app.png" alt-text="Screenshot of the VS Code extension showing the Open Application Live View option for an app." lightbox="media/how-to-use-application-live-view/visual-studio-code-open-app.png"::: --### Troubleshoot Application Live View issues --If you try to open Application Live View for a service instance or an app that hasn't enabled Application Live View or exposed a public endpoint, you see an error message. -- :::image type="content" source="media/how-to-use-application-live-view/visual-studio-code-not-enabled.png" alt-text="Screenshot of the error message showing Application Live View not enabled and public endpoint not accessible." lightbox="media/how-to-use-application-live-view/visual-studio-code-not-enabled.png"::: --To enable Application Live View and expose public endpoint, use either the Azure portal or the Azure CLI. For more information, see the [Manage Application Live View in existing Enterprise plan instances](#manage-application-live-view-in-existing-enterprise-plan-instances) section. --## Next steps --- [Azure Spring Apps](index.yml) |
spring-apps | How To Use Grpc | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-use-grpc.md | - Title: How to use gRPC in Azure Spring Apps -description: Shows you how to use gRPC in Azure Spring Apps. ---- Previously updated : 5/24/2023----# How to use gRPC in Azure Spring Apps --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise --This article shows you how to use gRPC in Azure Spring Apps. --In this article, you modify and redeploy the [Spring Boot Pet Clinic](https://github.com/Azure-Samples/spring-petclinic-microservices) sample application. From your local environment, you create a gRPC service by modifying the `customers-service` microservice, deploy the modified sample to Azure Spring Apps, and then use `grpcurl` commands to test the service by making calls to gRPC methods. --For a demonstration of this process, see the following video: --<br> --> [!VIDEO https://www.youtube.com/embed/yNvoQ4YIDCI title="Video that shows how to use gRPC in Spring Apps."] --## Prerequisites --- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.-- [Azure CLI](/cli/azure/install-azure-cli).- - Use the following command to install the Azure Spring Apps extension: `az extension add --name spring` -- [Git](https://git-scm.com/downloads).-- [Microsoft Build of OpenJDK](/java/openjdk/download#openjdk-17) Version 17.-- [Maven](https://maven.apache.org/download.cgi).-- An Azure Spring Apps instance. For more information, see [Quickstart: Provision an Azure Spring Apps service instance](quickstart-provision-service-instance.md).-- A built and deployed Pet Clinic sample application. For more information, see [Quickstart: Build and deploy apps to Azure Spring Apps](quickstart-deploy-apps.md).--## Assign a public endpoint --To facilitate testing, assign a public endpoint. The public endpoint is used in the `grpcurl` commands as the hostname. For more information, see [fullstorydev/grpcurl](https://github.com/fullstorydev/grpcurl). --Use the following command to assign a public endpoint. Be sure to replace the placeholders with the resource group name, service instance name, and app name that you used when you fulfilled the prerequisites. --```azurecli -az spring app update \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name <app-name> \ - --assign-public-endpoint true -``` --You can also use the Azure portal to assign a public endpoint. For more information, see [Expose applications on Azure Spring Apps to the internet from a public network](how-to-access-app-from-internet-virtual-network.md). --## Modify an existing service to be a gRPC service --Before the service is changed into a gRPC server, look at the Owners page of the deployed PetClinic instance application to examine the current pet owners data. You can also list all owners by adding `/owners` to the URL path, which you can get from the Overview page for the `customers-service` page in the Azure portal. --Use the following steps to change `customers-service` into a gRPC server: --1. Locate *pom.xml* in the *spring-petclinic-customers-service* folder. --1. In the *pom.xml* file, delete the following element that defines the `spring-boot-starter-web` dependency: -- ```xml - <dependency> - <groupId>org.springframework.boot</groupId> - <artifactId>spring-boot-starter-web</artifactId> - </dependency> - ``` -- If you don't remove this dependency, the application starts both a web server and a gRPC server. Azure Spring Apps then rewrites the server port to `1025` for the Basic/Standard plan or to `8080` for the Enterprise plan, which prevents gRPC from being routed correctly with a static server address. --1. Add the following elements to the *pom.xml* file. These elements define the dependency and build plugins required for gRPC. -- ```xml - <dependencies> - <!-- For both gRPC server and client --> - <dependency> - <groupId>net.devh</groupId> - <artifactId>grpc-spring-boot-starter</artifactId> - <version>2.5.1.RELEASE</version> - <exclusions> - <exclusion> - <groupId>io.grpc</groupId> - <artifactId>grpc-netty-shaded</artifactId> - </exclusion> - </exclusions> - </dependency> - <!-- For the gRPC server (only) --> - <dependency> - <groupId>net.devh</groupId> - <artifactId>grpc-server-spring-boot-starter</artifactId> - <version>2.5.1.RELEASE</version> - <exclusions> - <exclusion> - <groupId>io.grpc</groupId> - <artifactId>grpc-netty-shaded</artifactId> - </exclusion> - </exclusions> - </dependency> - <dependency> - <groupId>net.devh</groupId> - <artifactId>grpc-client-spring-boot-autoconfigure</artifactId> - <version>2.5.1.RELEASE</version> - <type>pom</type> - </dependency> - </dependencies> - <build> - <extensions> - <extension> - <groupId>kr.motd.maven</groupId> - <artifactId>os-maven-plugin</artifactId> - <version>1.6.1</version> - </extension> - </extensions> - <plugins> - <plugin> - <groupId>org.springframework.boot</groupId> - <artifactId>spring-boot-maven-plugin</artifactId> - </plugin> - <plugin> - <groupId>org.xolstice.maven.plugins</groupId> - <artifactId>protobuf-maven-plugin</artifactId> - <version>0.6.1</version> - <configuration> - <protocArtifact> - com.google.protobuf:protoc:3.3.0:exe:${os.detected.lassifier} - </protocArtifact> - <pluginId>grpc-java</pluginId> - <pluginArtifact> - io.grpc:protoc-gen-grpc-java:1.4.0:exe:${os.detected.classifier} - </pluginArtifact> - </configuration> - <executions> - <execution> - <goals> - <goal>compile</goal> - <goal>compile-custom</goal> - </goals> - </execution> - </executions> - </plugin> - </plugins> - </build> - ``` --## Build the gRPC service --Use the following steps to create and run a *.proto* file that defines the message types and RPC interface methods: --1. Create a new file with the *.proto* extension in the source code folder that has the following content: -- ```protobuf - syntax = "proto3"; - option java_multiple_files = true; - package org.springframework.samples.petclinic.customers.grpc; - import "google/protobuf/empty.proto"; -- message OwnerRequest { - int32 ownerId = 1; - } -- message PetRequest { - int32 petId = 1; - } -- message OwnerResponse { - int32 id = 1; - string firstName = 2; - string lastName = 3; - string address = 4; - string city = 5; - string telephone = 6; - repeated PetResponse pets = 7; - } -- message PetResponse { - int32 id = 1; - string name = 2; - string birthDate = 3; - PetType type = 4; - OwnerResponse owner = 5; - } -- message PetType { - int32 id = 1; - string name = 2; - } -- message PetTypes { - repeated PetType ele = 1; - } -- message Owners { - repeated OwnerResponse ele = 1; - } -- service CustomersService { - rpc createOwner(OwnerResponse) returns (OwnerResponse); - rpc findOwner(OwnerRequest) returns (OwnerResponse); - rpc findAll(google.protobuf.Empty) returns (Owners); - rpc updateOwner(OwnerResponse) returns (google.protobuf.Empty); - rpc getPetTypes(google.protobuf.Empty) returns (PetTypes); - rpc createPet(PetResponse) returns (PetResponse); - rpc updatePet(PetResponse) returns (google.protobuf.Empty); - rpc findPet(PetRequest) returns (PetResponse); - } - ``` --1. Use the following command to generate the gRPC service files: -- ```bash - mvn package - ``` -- You can implement the gRPC service with the RPC methods defined in the *.proto* file. In the sample application, the generated files include *CustomersServiceGrpc.java*, as defined by the gRPC `proto` plugin. --## Implement the gRPC service --In your development environment, create a Java class file for the project with the following content that implements the RPC methods defined in the *.proto* file. Use the annotation `@GrpcService` to extend the autogenerated gRPC service base class to implement its methods. The following example shows an implementation of some of the methods: --```java -@GrpcService -@Slf4j -public class CustomersServiceImpl extends CustomersServiceGrpc.CustomersServiceImplBase { - @Autowired - private OwnerRepository ownerRepository; -- @Autowired - private PetRepository petRepository; -- @Override - public void createOwner(OwnerResponse request, StreamObserver<OwnerResponse> responseObserver) { - Owner owner = new Owner(); - BeanUtils.copyProperties(request, owner); - ownerRepository.save(owner); -- responseObserver.onNext(request); - responseObserver.onCompleted(); - } -} -``` --## Configure the server port --Next, configure the server port to `1025` for the Basic/Standard plan or to `8080` for the Enterprise plan so that the ingress rule works correctly. Add the following line to the *application.properties* file in the *spring-petclinic-customers-service/src/main/resources* folder. --```properties -grpc.server.port=1025 -``` --## Build the service JAR file --Use the following command to build the gRPC server JAR file: --```bash -mvn package -``` --The modification of `customers-service` is now complete, and it's now a gRPC service. --## Deploy the application to Azure Spring Apps --You can now configure the server and deploy the application. --Use the following command to deploy the newly built JAR file to your Azure Spring Apps instance. --```azurecli -az spring app deploy \ - --name ${CUSTOMERS_SERVICE} \ - --artifact-path ${CUSTOMERS_SERVICE_JAR} \ - --jvm-options='-Xms2048m -Xmx2048m -Dspring.profiles.active=mysql' \ - --env MYSQL_SERVER_FULL_NAME=${MYSQL_SERVER_FULL_NAME} \ - MYSQL_DATABASE_NAME=${MYSQL_DATABASE_NAME} \ - MYSQL_SERVER_ADMIN_LOGIN_NAME=${MYSQL_SERVER_ADMIN_LOGIN_NAME} \ - MYSQL_SERVER_ADMIN_PASSWORD=${MYSQL_SERVER_ADMIN_PASSWORD} -``` --The deployment can take a few minutes to complete. --Now that the application is deployed in Azure Spring Apps, call a gRPC service from outside the Azure Spring Apps service instance. As you did earlier, test the `customers-service` endpoint to attempt to list all pet owners by adding `/owners` to the URL path. This time, the test fails as expected because a gRPC service can't be accessed using the HTTP protocol. --## Set the ingress configuration --Set the backend protocol to use gRPC so that you can use `grpcurl` commands to test the gRPC server. Update your application's ingress settings. For more information, see [Customize the ingress configuration in Azure Spring Apps](how-to-configure-ingress.md). --## Call the sample application from a local environment --You can use `grpcurl` to test the gRPC server. The only port supported for gRPC calls from outside Azure Spring Apps is port `443`. The traffic is automatically routed to port `1025` or to `8080` on the backend. --Use the following `grpcurl` commands to check the gRPC server by listing all the pet owners. --```bash -grpcurl <service-instance-name>-customers-service.azuremicroservices.io:443 list -grpcurl <service-instance-name>-customers-service.azuremicroservices.io:443 org.springframework.samples.petclinic.customers.grpc.CustomersService.findAll -grpcurl -d "{\"ownerId\":7}" <service-instance-name>-customers-service.azuremicroservices.io:443 org.springframework.samples.petclinic.customers.grpc.CustomersService.findOwner -``` --## Frequently asked questions --- How do I use the test endpoint?-- Use the following `curl` and HTTP commands to use the test endpoint of the gRPC server: -- ```bash - echo -n '0000000000' | xxd -r -p - frame.bin - curl -v --insecure --raw -X POST -H "Content-Type: application/grpc" -H "TE: trailers" --data-binary @frame.bin <test-endpoint/org. springframework.samples.petclinic.customers.grpc.CustomersService/findAll - ``` -- For more information, see the [View apps and deployments](how-to-staging-environment.md#view-apps-and-deployments) section of [Set up a staging environment in Azure Spring Apps](how-to-staging-environment.md). --## Next steps --- [Customize the ingress configuration in Azure Spring Apps](how-to-configure-ingress.md) |
spring-apps | How To Use Tls Certificate | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-use-tls-certificate.md | - Title: Use TLS/SSL certificates in your application in Azure Spring Apps- -description: Use TLS/SSL certificates in an application. ---- Previously updated : 10/08/2021----# Use TLS/SSL certificates in your application in Azure Spring Apps --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise --This article shows you how to use public certificates in Azure Spring Apps for your application. Your app might act as a client and access an external service that requires certificate authentication, or it might need to perform cryptographic tasks. --When you let Azure Spring Apps manage your TLS/SSL certificates, you can maintain the certificates and your application code separately to safeguard your sensitive data. Your app code can access the public certificates you add to your Azure Spring Apps instance. --## Prerequisites --- An application deployed to Azure Spring Apps. See [Quickstart: Deploy your first application in Azure Spring Apps](./quickstart.md), or use an existing app.-- Either a certificate file with *.crt*, *.cer*, *.pem*, or *.der* extension, or a deployed instance of Azure Key Vault with a private certificate.--## Import a certificate --You can choose to import your certificate into your Azure Spring Apps instance from either Key Vault or use a local certificate file. --### Import a certificate from Key Vault --You need to grant Azure Spring Apps access to your key vault before you import your certificate using these steps: --1. Sign in to the [Azure portal](https://portal.azure.com). -1. Select **Key vaults**, then select the Key Vault you import your certificate from. -1. In the left navigation pane, select **Access policies**, then select **Create**. -1. Select **Certificate permissions**, then select **Get** and **List**. -- :::image type="content" source="media/how-to-use-tls-certificate/grant-key-vault-permission.png" alt-text="Screenshot of the Azure portal that shows the Create an access policy page with Permission pane showing and Get and List permissions highlighted." lightbox="media/how-to-use-tls-certificate/grant-key-vault-permission.png"::: --1. Under **Principal**, select your **Azure Spring Cloud Resource Provider**. -- :::image type="content" source="media/how-to-use-tls-certificate/select-service-principal.png" alt-text="Screenshot of the Azure portal that shows the Create an access policy page with Principal pane showing and Azure Spring Apps Resource Provider highlighted." lightbox="media/how-to-use-tls-certificate/select-service-principal.png"::: --1. Select **Review + Create**, then select **Create**. --After you grant access to your key vault, you can import your certificate using these steps: --1. Go to your service instance. --1. From the left navigation pane of your instance, select **TLS/SSL settings**. --1. Select **Import Key Vault Certificate** in the **Public Key Certificates** section. --1. Select your key vault in the **Key vaults** section, select your certificate in the **Certificate** section, and then select **Select**. --1. Provide a value for **Certificate name**, select **Enable auto sync** if needed, and then select **Apply**. For more information, see the [Auto sync certificate](./how-to-custom-domain.md#auto-sync-certificate) section of [Map an existing custom domain to Azure Spring Apps](./how-to-custom-domain.md). --After you've successfully imported your certificate, you see it in the list of Public Key Certificates. --> [!NOTE] -> The Azure Key Vault and Azure Spring Apps instances should be in the same tenant. --### Import a local certificate file --You can import a certificate file stored locally using these steps: --1. Go to your service instance. -1. From the left navigation pane of your instance, select **TLS/SSL settings**. -1. Select **Upload public certificate** in the **Public Key Certificates** section. --After you've successfully imported your certificate, you see it in the list of Public Key Certificates. --## Load a certificate --To load a certificate into your application in Azure Spring Apps, start with these steps: --1. Go to your application instance. -1. From the left navigation pane of your app, select **Certificate management**. -1. Select **Add certificate** to choose certificates accessible for the app. ---### Load a certificate from code --Your loaded certificates are available in the */etc/azure-spring-cloud/certs/public* folder. Use the following Java code to load a public certificate in an application in Azure Spring Apps. --```java -CertificateFactory factory = CertificateFactory.getInstance("X509"); -FileInputStream is = new FileInputStream("/etc/azure-spring-cloud/certs/public/<certificate name>"); -X509Certificate cert = (X509Certificate) factory.generateCertificate(is); --// use the loaded certificate -``` --### Load a certificate into the trust store --For a Java application, you can choose **Load into trust store** for the selected certificate. The certificate is automatically added to the Java default TrustStores to authenticate a server in SSL authentication. --The following log from your app shows that the certificate is successfully loaded. --```output -Load certificate from specific path. alias = <certificate alias>, thumbprint = <certificate thumbprint>, file = <certificate name> -``` --## Next steps --- [Enable ingress-to-app Transport Layer Security](./how-to-enable-ingress-to-app-tls.md)-- [Access Config Server and Service Registry](./how-to-access-data-plane-azure-ad-rbac.md) |
spring-apps | Monitor App Lifecycle Events | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/monitor-app-lifecycle-events.md | - Title: Monitor app lifecycle events using Azure Activity log and Azure Service Health -description: Monitor app lifecycle events and set up alerts with Azure Activity log and Azure Service Health. ---- Previously updated : 08/19/2021----# Monitor app lifecycle events using Azure Activity log and Azure Service Health --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise --This article shows you how to monitor app lifecycle events and set up alerts with Azure Activity log and Azure Service Health. --Azure Spring Apps provides built-in tools to monitor the status and health of your applications. App lifecycle events help you understand any changes that were made to your applications so you can take action as necessary. --## Prerequisites --- An Azure subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.-- A deployed Azure Spring Apps service instance and at least one application already created in your service instance. For more information, see [Quickstart: Deploy your first Spring Boot app in Azure Spring Apps](quickstart.md). --## Monitor app lifecycle events triggered by users in Azure Activity logs --[Azure Activity logs](../azure-monitor/essentials/activity-log.md) contain resource events emitted by operations taken on the resources in your subscription. The following details for application lifecycle events (such as start, stop, and restart) are added into Azure Activity Logs: --- The time the operation occurred.-- The status of the operation.-- Which instance(s) are created when you start your app.-- Which instance(s) are deleted when you stop your app.-- Which instance(s) are deleted and created when you restart your app.--To see the affected instances when you restart your app, navigate to your Azure Spring Apps instance in the Azure portal and select **Activity log** in the navigation pane. ---## Monitor app lifecycle events in Azure Service Health --[Azure Resource Health](../service-health/resource-health-overview.md) helps you diagnose and get support for issues that may affect the availability of your service. These issues include service incidents, planned maintenance periods, and regional outages. Application restarting events are added into Azure Service Health. They include both unexpected incidents (for example, an unplanned app crash) and scheduled actions (for example, planned maintenance). --### Monitor unplanned app lifecycle events --When your app is restarted because of unplanned events, your Azure Spring Apps instance shows a status of **degraded** in the **Resource health** section of the Azure portal. Degraded means that your resource detected a potential loss in performance, although it's still available for use. Examples of unplanned events include app crash, health check failure, and system outage. --On the Azure Home page, select **Service Health** and then select **Resource Health**. --In **Health history**, you can find the latest status, the root cause, and affected instances. ---### Monitor planned app lifecycle events --Your app may be restarted during platform maintenance. You can receive a maintenance notification in advance from the **Planned maintenance** page of Azure Service Health. ---When platform maintenance happens, your Azure Spring Apps instance shows a status of **degraded**. If restarting is needed during platform maintenance, Azure Spring Apps performs a rolling update to incrementally update your applications. Rolling updates are designed to update your workloads without downtime. You can find the latest status in the health history page. --->[!NOTE] -> Currently, Azure Spring Apps performs one regular planned maintenance to upgrade the underlying Kubernetes version every 2-4 months. For a detailed maintenance timeline, check the notifications on the Azure Service Health page. --## Set up alerts --You can set up alerts for app lifecycle events. Service health notifications are also stored in the Azure activity log. The activity log stores a large volume of information, so there's a separate user interface to make it easier to view and set up alerts on service health notifications. --The following list describes the key steps needed to set up an alert: --1. Set up an action group with the actions to take when an alert is triggered. Example action types include sending a voice call, SMS, email; or triggering various types of automated actions. Various alerts may use the same action group or different action groups depending on the user's requirements. -2. Set up alert rules. The alerts use action groups to notify users that an alert for some specific app lifecycle event has been triggered. --### Set up alerts on Activity log --Use the following steps to create an activity log alert rule in the Azure portal: --1. Navigate to your Azure Spring Apps instance and select **Activity log** in the navigation pane. --1. Select any log to open its detail pane and then select **New alert rule**. -- :::image type="content" source="media/monitor-app-lifecycle-events/activity-log-alert.png" alt-text="Screenshot of the Azure portal showing the Activity log page and the New Alert rule button highlighted for a selected log." lightbox="media/monitor-app-lifecycle-events/activity-log-alert.png" ::: --1. By default, alerts are scoped to the current subscription. Select the **Scope** tab to select a different subscription. --1. Select the **Condition** tab. Select **Signal name** to configure the criteria for the condition. -- :::image type="content" source="media/monitor-app-lifecycle-events/activity-log-alert-condition.png" alt-text="Screenshot of Azure portal activity log alert condition." lightbox="media/monitor-app-lifecycle-events/activity-log-alert-condition.png"::: --1. Select the **Actions** tab. Add action groups to be applied to the alert rule. --1. Select **Review + create** and then select **Create**. --### Set up alerts to monitor app lifecycle events in Azure Service Health --Use the following steps to create an alert rule for service health notifications in the Azure portal. --1. On the Azure Home page, select **Service Health** and then select **Resource health** in the navigation pane. -1. Select **Add resource health alert**. -- :::image type="content" source="media/monitor-app-lifecycle-events/add-resource-health-alert.png" alt-text="Screenshot of Azure portal Resource health page with the 'Add resource health alert' button highlighted." lightbox="media/monitor-app-lifecycle-events/add-resource-health-alert.png"::: --1. Select the **Scope** tab. Specify the resources to be applied to the alert rule. -- :::image type="content" source="media/monitor-app-lifecycle-events/resource-health-alert-target.png" alt-text="Screenshot of the Azure portal showing the Scope tab for Create an alert rule dialog when selected from the Resource health page." lightbox="media/monitor-app-lifecycle-events/resource-health-alert-target.png"::: --1. Select the **Condition** tab. Define the criteria to trigger the alert rule. -- :::image type="content" source="media/monitor-app-lifecycle-events/resource-health-alert-condition.png" alt-text="Screenshot of the Azure portal showing the Condition tab for Create an alert rule dialog when selected from the Resource health page." lightbox="media/monitor-app-lifecycle-events/resource-health-alert-condition.png"::: --1. Select the **Actions** tab. Add action groups to be applied to the alert rule. --1. Select **Review + create** and then select **Create**. --### Set up alerts to monitor the planned maintenance notification --Use the following steps to create an alert rule for planned maintenance notifications in the Azure portal: --1. On the Azure Home page, select **Service Health** and then select **Health alerts** in the navigation pane. -1. Select **Add service health alert**. -- :::image type="content" source="media/monitor-app-lifecycle-events/add-service-health-alert.png" alt-text="Screenshot of Azure portal Health alerts page the 'Add service health alert' button highlighted." lightbox="media/monitor-app-lifecycle-events/add-service-health-alert.png"::: --1. Provide values for settings on the **Scope**, **Condition**, and **Actions** tabs. -- :::image type="content" source="media/monitor-app-lifecycle-events/add-service-health-alert-details.png" lightbox="media/monitor-app-lifecycle-events/add-service-health-alert-details.png" alt-text="Screenshot of the Azure portal showing the Scope tab for Create an alert rule dialog when selected from the Health alerts page."::: --1. Select **Review + create** and then select **Create**. --## Next steps --[Self-diagnose and solve problems in Azure Spring Apps](how-to-self-diagnose-solve.md) |
spring-apps | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/overview.md | - Title: Introduction to Azure Spring Apps -description: Learn the features and benefits of Azure Spring Apps to deploy and manage Java Spring applications in Azure. --- Previously updated : 05/23/2023---#Customer intent: As an Azure Cloud user, I want to deploy, run, and monitor Spring applications. ---# What is Azure Spring Apps? --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Enterprise ✔️ Standard consumption and dedicated (Preview) ✔️ Basic/Standard --Azure Spring Apps makes it easy to deploy Spring Boot applications to Azure without any code changes. The service manages the infrastructure of Spring applications so developers can focus on their code. Azure Spring Apps provides lifecycle management using comprehensive monitoring and diagnostics, configuration management, service discovery, CI/CD integration, blue-green deployments, and more. --The following video shows an app composed of Spring Boot applications running on Azure using Azure Spring Apps. --<br> --> [!VIDEO https://www.youtube.com/embed/1jOXMFc1oRg] --## Why use Azure Spring Apps? --You get the following benefits when you deploy applications to Azure Spring Apps: --* Efficiently migrate existing Spring apps and manage cloud scaling and costs. -* Modernize apps with Spring Cloud patterns to improve agility and speed of delivery. -* Run Java at cloud scale and drive higher usage without complicated infrastructure. -* Develop and deploy rapidly without containerization dependencies. -* Monitor production workloads efficiently and effortlessly. --Azure Spring Apps supports both Java [Spring Boot](https://spring.io/projects/spring-boot) and ASP.NET Core [Steeltoe](https://steeltoe.io/) apps. Steeltoe support is currently offered as a public preview. With public preview offerings, you can experiment with new features prior to their official release. --## Service overview --As part of the Azure ecosystem, Azure Spring Apps allows easy binding to other Azure services including storage, databases, monitoring, and more, as shown in the following diagram: ---Azure Spring Apps provides you with the following capabilities: --* A fully managed service for Spring Boot apps that lets you focus on building and running apps without the hassle of managing infrastructure. --* Automatic wiring of your apps with the Spring service runtime and built-in app lifecycle support when you deploy your JARs or code for your Spring Boot app, or zip file for your Steeltoe app. --* Ease of monitoring. After deployment, you can monitor app performance, fix errors, and rapidly improve applications. --* Full integration to Azure's ecosystems and services. --* Enterprise readiness with fully managed infrastructure and built-in lifecycle management. --### Get started with Azure Spring Apps --The following articles help you get started: --* [Deploy your first application to Azure Spring Apps](quickstart.md) -* [Introduction to the sample app](quickstart-sample-app-introduction.md) --The following articles help you migrate existing Spring Boot apps to Azure Spring Apps: --* [Migrate Spring Boot applications to Azure Spring Apps](/azure/developer/java/migration/migrate-spring-boot-to-azure-spring-apps) -* [Migrate Spring Cloud applications to Azure Spring Apps](/azure/developer/java/migration/migrate-spring-cloud-to-azure-spring-apps?pivots=sc-standard-tier) --The following quickstarts apply to the Basic/Standard plan only. For Enterprise quickstarts, see the [Get started with the Enterprise plan](#get-started-with-the-enterprise-plan) section. --* [Provision an Azure Spring Apps service instance](quickstart-provision-service-instance.md) -* [Set up Spring Cloud Config Server for Azure Spring Apps](quickstart-setup-config-server.md) -* [Build and deploy apps to Azure Spring Apps](quickstart-deploy-apps.md) --## Enterprise plan --The Enterprise plan provides commercially supported Tanzu components with SLA assurance. For more information, see the [SLA for Azure Spring Apps](https://azure.microsoft.com/support/legal/sla/spring-apps). This support helps enterprise customers ship faster for mission-critical workloads with peace of mind. The Enterprise plan helps unlock Spring’s full potential while including feature parity and region parity with the Standard plan. --The following video introduces the Azure Spring Apps Enterprise plan. --<br> --> [!VIDEO https://www.youtube.com/embed/CLvtz8SkrMA] --### Deploy and manage Spring and polyglot applications --The Azure Spring Apps Enterprise plan provides the fully managed VMware® Tanzu Build Service. The Tanzu Build Service automates the creation, management, and governance of containers at enterprise scale with the following buildpack options: --* Open-source [Cloud Native Buildpacks](https://buildpacks.io/) -* Commercial [Language Family Buildpacks for VMware Tanzu](https://docs.vmware.com/en/VMware-Tanzu-Buildpacks/https://docsupdatetracker.net/index.html). --Tanzu Build Service offers a higher-level abstraction for building applications. Tanzu Build Service also provides a balance of control that reduces the operational burden on developers, and supports enterprise IT operators who manage applications at scale. You can configure what Tanzu Buildpacks to apply and build polyglot applications that run alongside Spring applications on Azure Spring Apps. --Tanzu Buildpacks makes it easier to build Spring, Java, NodeJS, Python, Go and .NET Core applications. You can also use Tanzu Buildpacks to configure application performance monitoring agents such as Application Insights, New Relic, Dynatrace, AppDynamics, and Elastic. --### Route client requests to applications --You can manage and discover request routes and APIs exposed by applications using the fully managed Spring Cloud Gateway for VMware Tanzu and API portal for VMware Tanzu. --Spring Cloud Gateway for Tanzu effectively routes diverse client requests to applications in Azure Spring Apps, Azure, and on-premises. Spring Cloud Gateway also addresses cross-cutting considerations for applications behind the Gateway. These considerations include securing, routing, rate limiting, caching, monitoring, resiliency and hiding applications. You can make the following configurations to Spring Cloud Gateway: --* Single sign-on integration with your preferred identity provider without any extra code or dependencies. -* Dynamic routing rules to applications without any application redeployment. -* Request throttling without any backing services. --API Portal for VMware Tanzu provides API consumers with the ability to find and view API route details exposed by Spring Cloud Gateway for Tanzu and test API requests. --### Use flexible and configurable VMware Tanzu components --With the Azure Spring Apps Enterprise plan, you can use fully managed VMware Tanzu components on Azure without operational hassle. You can select which VMware Tanzu components you want to use in your environment, either during or after Enterprise instance creation. The following components are available: --* [Tanzu Build Service](how-to-enterprise-build-service.md) -* [Spring Cloud Gateway for Tanzu](how-to-configure-enterprise-spring-cloud-gateway.md) -* [API Portal for VMware Tanzu](how-to-use-enterprise-api-portal.md) -* [Application Configuration Service for VMware Tanzu](how-to-enterprise-application-configuration-service.md) -* [VMware Tanzu Service Registry](how-to-enterprise-service-registry.md) -* [Application Live View for VMware Tanzu](how-to-use-application-live-view.md) -* [Application Accelerator for VMware Tanzu](how-to-use-accelerator.md) --VMware Tanzu components deliver increased value so you can accomplish the following tasks: --* Grow your enterprise grade application portfolio from a few applications to thousands with end-to-end observability while delegating operational complexity to Microsoft and VMware. -* Lift and shift Spring applications across Azure Spring Apps and any other compute environment. -* Control your build dependencies, deploy polyglot applications, and deploy Spring Cloud middleware components as needed. --### Unlock Spring’s full potential with Long-Term Support (LTS) --The Azure Spring Apps Enterprise plan includes VMware Spring Runtime Support for application development and deployments. This support gives you access to Spring experts, enabling you to unlock the full potential of the Spring ecosystem to develop and deploy applications faster. --Typically, open-source Spring project minor releases receive support for a minimum of 12 months from the date of initial release. In the Azure Spring Apps Enterprise plan, Spring project minor releases receive commercial support for a minimum of 24 months from the date of initial release. This extended support is available through the VMware Spring Runtime Support entitlement and ensures the security and stability of your Spring application portfolio, even after the open source end of life dates. For more information, see [Spring Boot](https://spring.io/projects/spring-boot#support). --### Fully integrate into the Azure and Java ecosystems --Azure Spring Apps, including the Enterprise plan, runs on Azure in a fully managed environment. You get all the benefits of Azure and the Java ecosystem, and the experience is familiar and intuitive as described in the following table: --| Best practice | Ecosystem | -|--|-| -| Create service instances using a provisioning tool. | Azure portal, CLI, ARM Template, Bicep, or Terraform | -| Automate environments and application deployments. | GitHub, Azure DevOps Server, GitLab, and Jenkins | -| Monitor end-to-end using any tool and platform. | Application Insights, Azure Log Analytics, Splunk, Elastic, New Relic, Dynatrace, or AppDynamics | -| Connect Spring applications and interact with cloud services. | Spring integration with Azure services for data, messaging, eventing, cache, storage, and directories | -| Securely load app secrets and certificates. | Azure Key Vault | -| Use familiar development tools. | IntelliJ, Visual Studio Code, Eclipse, Spring Tool Suite, Maven, or Gradle | --After you create your Enterprise plan service instance and deploy your applications, you can monitor with Application Insights or any other application performance management tools of your choice. --### Get started with the Enterprise plan --The following articles help you get started using the Enterprise plan: --* [The Enterprise plan in Azure Marketplace](how-to-enterprise-marketplace-offer.md) -* [Introduction to Fitness Store sample app](quickstart-sample-app-acme-fitness-store-introduction.md) -* [Build and deploy apps to Azure Spring Apps using the Enterprise plan](quickstart-deploy-apps-enterprise.md) -* [Configure single sign-on for applications using Azure Spring Apps Enterprise plan](quickstart-configure-single-sign-on-enterprise.md) -* [Integrate with Azure Database for PostgreSQL and Azure Cache for Redis](quickstart-integrate-azure-database-and-redis-enterprise.md) -* [Load application secrets using Key Vault](quickstart-key-vault-enterprise.md) -* [Monitor applications end-to-end](quickstart-monitor-end-to-end-enterprise.md) -* [Set request rate limits](quickstart-set-request-rate-limits-enterprise.md) -* [Automate deployments](quickstart-automate-deployments-github-actions-enterprise.md) --Most of the Azure Spring Apps documentation applies to all the service plans. Some articles apply only to the Enterprise plan or only to the Basic/Standard plan, as indicated at the beginning of each article. --As a quick reference, the articles listed previously and the articles in the following list apply only to the Enterprise plan, or contain significant content that applies only to the Enterprise plan: --* [Use Application Configuration Service for Tanzu](how-to-enterprise-application-configuration-service.md) -* [Use Tanzu Build Service](how-to-enterprise-build-service.md) -* [Use Tanzu Service Registry](how-to-enterprise-service-registry.md) -* [Use API portal for VMware Tanzu](how-to-use-enterprise-api-portal.md) -* [Use Spring Cloud Gateway](how-to-use-enterprise-spring-cloud-gateway.md) -* [Deploy polyglot apps in Azure Spring Apps Enterprise plan](how-to-enterprise-deploy-polyglot-apps.md) -* [Enable system-assigned managed identity for an application in Azure Spring Apps](how-to-enable-system-assigned-managed-identity.md?pivots=sc-enterprise-tier) -* [Use Application Insights Java In-Process Agent in Azure Spring Apps](how-to-application-insights.md?pivots=sc-enterprise-tier) --## Standard consumption and dedicated plan --The Standard consumption and dedicated plan provides a hybrid pricing solution that combines the best of pay-as-you-go and resource-based pricing. With this comprehensive package, you have the flexibility to pay only for compute time as you get started, while enjoying enhanced cost predictability and significant savings when your resources scale up. --When you create a Standard consumption and dedicated plan, a consumption workload profile is always created by default. You can additionally add dedicated workload profiles to the same plan to fit the requirements of your workload. --Workload profiles determine the amount of compute and memory resources available to Spring apps deployed in the Standard consumption and dedicated plan. There are different machine sizes and characteristics with different workload profiles. For more information, see [Workload profiles in Consumption + Dedicated plan structure environments in Azure Container Apps (preview)](../container-apps/workload-profiles-overview.md). --You can run your apps in any combination of consumption or dedicated workload profiles. Consider using the consumption workload profile when your applications need to start from and scale to zero. Use the dedicated workload profile when you need dedicated hardware for single tenancy, and for customizable compute as with a memory optimized machine. You can also use the dedicated workload profile to optimize for cost savings when resources are running at scale. --The Standard consumption and dedicated plan simplifies the virtual network experience for running polyglot applications. In the Standard consumption and dedicated plan, when you deploy frontend applications as containers in Azure Container Apps, all your applications share the same virtual network in the same Azure Container Apps environment. There's no need to create disparate subnets and Network Security Groups for frontend apps, Spring apps, and the Spring service runtime. --The following diagram shows the architecture of a virtual network in Azure Spring Apps: ---### Get started with the Standard consumption and dedicated plan --The following articles help you get started using the Standard consumption and dedicated plan: --* [Provision an Azure Spring Standard consumption and dedicated plan service instance](quickstart-provision-standard-consumption-service-instance.md) -* [Create an Azure Spring Apps Standard consumption and dedicated plan instance in an Azure Container Apps environment with a virtual network](quickstart-provision-standard-consumption-app-environment-with-virtual-network.md) -* [Access applications using Azure Spring Apps Standard consumption and dedicated plan in a virtual network](quickstart-access-standard-consumption-within-virtual-network.md) -* [Deploy an event-driven application to Azure Spring Apps](quickstart-deploy-event-driven-app.md) -* [Set up autoscale for applications in Azure Spring Apps Standard consumption and dedicated plan](quickstart-apps-autoscale-standard-consumption.md) -* [Map a custom domain to Azure Spring Apps with the Standard consumption and dedicated plan](quickstart-standard-consumption-custom-domain.md) -* [Analyze logs and metrics in the Azure Spring Apps Standard consumption and dedicated plan](quickstart-analyze-logs-and-metrics-standard-consumption.md) -* [Enable your own persistent storage in Azure Spring Apps with the Standard consumption and dedicated plan](how-to-custom-persistent-storage-with-standard-consumption.md) -* [Customer responsibilities for Azure Spring Apps Standard consumption and dedicated plan in a virtual network](standard-consumption-customer-responsibilities.md) --## Next steps --> [!div class="nextstepaction"] -> [Quickstart: Deploy your first application to Azure Spring Apps](quickstart.md) --Samples are available on GitHub. See [Azure Spring Apps Samples](https://github.com/Azure-Samples/azure-spring-apps-samples/tree/main/). --For feature updates about Azure Spring Apps, see [Azure updates](https://azure.microsoft.com/updates/?query=spring). |
spring-apps | Policy Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/policy-reference.md | - Title: Built-in policy definitions for Azure Spring Apps -description: Lists Azure Policy built-in policy definitions for Azure Spring Apps. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/22/2024--------# Azure Policy built-in definitions for Azure Spring Apps --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Java ✔️ C# --**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise --This page is an index of [Azure Policy](../governance/policy/overview.md) built-in policy -definitions for Azure Spring Apps. For additional Azure Policy built-ins for other services, see -[Azure Policy built-in definitions](../governance/policy/samples/built-in-policies.md). --The name of each built-in policy definition links to the policy definition in the Azure portal. Use -the link in the **Version** column to view the source on the -[Azure Policy GitHub repo](https://github.com/Azure/azure-policy). --## Azure Spring Apps ---## Next steps --- See the built-ins on the [Azure Policy GitHub repo](https://github.com/Azure/azure-policy).-- Review the [Azure Policy definition structure](../governance/policy/concepts/definition-structure.md).-- Review [Understanding policy effects](../governance/policy/concepts/effects.md). |
spring-apps | Quickstart Access Standard Consumption Within Virtual Network | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/quickstart-access-standard-consumption-within-virtual-network.md | - Title: Quickstart - Access applications using Azure Spring Apps Standard consumption and dedicated plan in a virtual network -description: Learn how to access applications in a virtual network that are using the Azure Spring Apps Standard consumption and dedicated plan. ---- Previously updated : 06/21/2023----# Quickstart: Access applications using Azure Spring Apps Standard consumption and dedicated plan in a virtual network --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Standard consumption and dedicated (Preview) ❌ Basic/Standard ❌ Enterprise --This article describes how to access your application in a virtual network using Azure Spring Apps Standard consumption and dedicated plan. --When you create an Azure Container Apps environment in an existing virtual network, you can access all the apps inside the environment only within that virtual network. In addition, when you create an instance of Azure Spring Apps inside the Azure Container Apps environment, you can access the applications in the Azure Spring Apps instance only from the virtual network. For more information, see [Provide a virtual network to an internal Azure Container Apps environments](../container-apps/vnet-custom-internal.md?tabs=bash&pivots=azure-portal). --## Create a private DNS zone --Create a private DNS zone named as the default domain of the Azure Container Apps environment - `<UNIQUE_IDENTIFIER>.<REGION_NAME>.azurecontainerapps.io` - with an A record. --Use the following command to get the default domain of Azure Container Apps environment. --```azurecli -az containerapp env show \ - --resource-group <resource-group-name> \ - --name <Azure-Container-Apps-environment-name> \ - --query 'properties.defaultDomain' -``` --Use the following command to create a Private DNS Zone for applications in the virtual network. --```azurecli -az network private-dns zone create \ - --resource-group <resource-group-name> \ - --name <private-dns-zone-name> -``` --## Create an A record --Create an A record that contains the name `<DNS Suffix>` and the static IP address of the Azure Container Apps environment. --Use the following command to get the static IP address for an Azure Container Apps environment. --```azurecli -az containerapp env show \ - --resource-group <resource-group-name> \ - --name <Azure-Container-Apps-environment-name> \ - --query 'properties.staticIp' -``` --Use the following command to create the A record: --```azurecli -az network private-dns record-set a add-record \ - --resource-group <resource-group-name> \ - --zone-name <private-dns-zone-name> \ - --record-set-name '*' \ - --ipv4-address <static-ip> -``` --## Link the virtual network --Use the following command to create a virtual network link to the private DNS zone of the virtual network. --```azurecli -az network private-dns link vnet create \ - --resource-group <resource-group-name> \ - --name <link-name> \ - --zone-name <private-dns-zone-name> \ - --virtual-network <virtual-network-name> \ - --registration-enabled false -``` --## Access the application --Now you can access an application in an Azure Spring Apps instance within your virtual network, using the URL of the application. --## Clean up resources --Be sure to delete the resources you created in this article when you no longer need them. To delete the resources, just delete the resource group that contains them. You can delete the resource group using the Azure portal. Alternatively, to delete the resource group by using Azure CLI, use the following commands: --```azurecli -echo "Enter the Resource Group name:" && -read resourceGroupName && -az group delete --name $resourceGroupName && -echo "Press [ENTER] to continue ..." -``` --## Next steps --> [!div class="nextstepaction"] -> [Quickstart: Set up autoscale for applications in Azure Spring Apps Standard consumption and dedicated plan](./quickstart-apps-autoscale-standard-consumption.md) |
spring-apps | Quickstart Analyze Logs And Metrics Standard Consumption | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/quickstart-analyze-logs-and-metrics-standard-consumption.md | - Title: Quickstart - Analyze logs and metrics in the Azure Spring Apps Standard consumption and dedicated plan -description: Learn how to analyze logs and metrics in the Azure Spring Apps Standard consumption and dedicated plan. ---- Previously updated : 06/21/2023----# Quickstart: Analyze logs and metrics in the Azure Spring Apps Standard consumption and dedicated plan --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Standard consumption and dedicated (Preview) ❌ Basic/Standard ❌ Enterprise --This article shows you how to analyze logs and metrics in the Azure Spring Apps Standard consumption and dedicated plan. --## Prerequisites --- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.-- An Azure Spring Apps Standard consumption and dedicated plan service instance. For more information, see [Quickstart: Provision an Azure Spring Apps Standard consumption and dedicated plan service instance](quickstart-provision-standard-consumption-service-instance.md).-- A Spring app deployed to Azure Spring Apps.--## Analyze logs --The following sections describe various tools in Azure that you can use to analyze your consumption and dedicated plan usage. --### Configure logging options --You can configure logging options in the Azure Container Apps environment where you deploy your Azure Spring Apps instance. You can choose between the following log destinations: --- **Log Analytics** - Azure Monitor Log Analytics is the default storage and viewing option. Your logs are stored in a Log Analytics workspace where you can view and analyze them using Log Analytics queries.--- **Azure Monitor** - Azure Monitor routes logs to one or more of the following destinations:-- - A Log Analytics workspace for viewing and analysis. - - An Azure storage account to archive. - - An Azure event hub for data ingestion and analytic services. - - An Azure partner monitoring solution such as Datadog, Elastic, Logz.io, and others. --- **None** - You can disable the storage of log data.--You can enable logs in Azure Spring Apps in the following ways: --- When you select **Log Analytics** as the logging option.-- When you select **Azure Monitor** as the logging option, with the **Spring App console logs** category selected in the **Diagnostic** setting.--For more information, see [Log storage and monitoring options in Azure Container Apps](../container-apps/log-options.md). --### Query logs by using Log Analytics --Log Analytics is a tool in the Azure portal that you can use to view and analyze log data. By using Log Analytics, you can write Kusto queries and then sort, filter, and visualize the results in charts to spot trends and identify issues. You can work interactively with the query results or use them with other features such as alerts, dashboards, and workbooks. --The following sections describe various methods to view logs. --#### Use logs --Use the following steps to query log data. --1. In the Azure portal, go to your Azure Spring Apps instance. -1. Select **Logs** from the navigation pane. -1. In the **New Query 1** settings, enter a query such as the following example: -- ```sql - AppEnvSpringAppConsoleLogs_CL - | limit 50 - ``` --1. Select **Run**. --#### Use Log Analytics --Use the following steps to perform analytics on log data. --1. In the Azure portal, go to your Azure Spring Apps instance. -1. Select **Log Analytics** in the navigation pane. -1. Select the Log Analytics workspace where you chose to store the logs. -1. To open the **Log Search** pane, select **Logs**. -1. To view logs, in the **Tables** search box, enter a query such as the following example: -- ```sql - AppEnvSpringAppConsoleLogs_CL - | limit 50 - ``` --1. To view the search result, select **Run**. -1. You can search the logs of the specific application, deployment, or instance by setting a filter condition, as shown in the following example: -- ```sql - AppEnvSpringAppConsoleLogs_CL - | where ContainerAppName_s == "YourAppName" and RevisionName_s has "YourDeploymentName" and ContainerGroupName_s == "YourInstanceName" - | limit 50 - ``` -- > [!NOTE] - > `==` is case sensitive, but `=~` isn't. --To learn more about the query language used in Log Analytics, see [Kusto Query Language (KQL) overview](/azure/data-explorer/kusto/query/). To query all your Log Analytics logs from a centralized client, see [Query data in Azure Monitor using Azure Data Explorer](/azure/data-explorer/query-monitor-data). --## Analyze metrics --Azure Monitor collects metric data from your Azure Spring Apps instance at regular intervals to help you gain insights into the performance and health of your Spring apps. --To visualize the data, select **Metrics** in the navigation pane in your Azure Spring Apps instance. You can also retrieve raw metric data through the [Azure CLI](/cli/azure/monitor/metrics) and Azure [PowerShell cmdlets](/powershell/module/az.monitor/get-azmetric). --### Available metrics --Azure Spring Apps provides the metrics described in the following table: --| Title | Description | Metric ID | Unit | -|--|--|-|--| -| CPU usage nanocores | CPU usage in nanocores (1,000,000,000 nanocores = 1 core) | `UsageNanoCores` | nanocores | -| Memory working set bytes | Working set memory used in bytes | `WorkingSetBytes` | bytes | -| Network in bytes | Network received bytes | `RxBytes` | bytes | -| Network out bytes | Network transmitted bytes | `TxBytes` | bytes | -| Requests | Requests processed | `Requests` | n/a | -| Restart count | Restart count of Spring App | `RestartCount` | n/a | --### Use metrics explorer --The Azure Monitor metrics explorer enables you to create charts from metric data to help you analyze your Azure Spring Apps resource and network usage over time. You can pin charts to a dashboard or in a shared workbook. --1. Open the metrics explorer in the Azure portal by selecting **Metrics** in the navigation pane on the overview page of your Azure Spring Apps instance. To learn more about metrics explorer, see [Getting started with metrics explorer](../azure-monitor/essentials/metrics-getting-started.md). --1. Create a chart by selecting a metric in the **Metric** dropdown menu. You can modify the chart by changing the aggregation, adding more metrics, changing time ranges and intervals, adding filters, and applying splitting. --#### Add filters --Optionally, you can create filters to limit the data shown based on application name and instance name. Use the following steps to create a filter: --1. Select **Add filter**. -1. Select **App** or **Instance** from the **Property** list. -1. Select values from the **Value** list. --## Next steps --> [!div class="nextstepaction"] -> [How to enable your own persistent storage in Azure Spring Apps with the Standard consumption and dedicated plan](./how-to-custom-persistent-storage-with-standard-consumption.md) |
spring-apps | Quickstart Apps Autoscale Standard Consumption | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/quickstart-apps-autoscale-standard-consumption.md | - Title: Quickstart - Set up autoscale for applications in Azure Spring Apps Standard consumption and dedicated plan -description: Learn how to set up autoscale for applications in Azure Spring Apps Standard consumption and dedicated plan. ---- Previously updated : 06/21/2023----# Quickstart: Set up autoscale for applications in the Azure Spring Apps Standard consumption and dedicated plan --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Standard consumption and dedicated (Preview) ❌ Basic/Standard ❌ Enterprise --This article describes how to set up autoscale rules for your applications in Azure Spring Apps Standard consumption and dedicated plan. The plan uses an Azure Container Apps environment to host your Spring applications, and provides the following management and support: --- Manages automatic horizontal scaling through a set of declarative scaling rules.-- Supports all the scaling rules that Azure Container Apps supports.--For more information, see [Azure Container Apps documentation](../container-apps/index.yml). --## Prerequisites --- An Azure subscription. If you don't have an Azure subscription, see [Azure free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.-- An Azure Spring Apps Standard consumption and dedicated plan service instance. For more information, see [Quickstart: Provision an Azure Spring Apps Standard consumption and dedicated plan service instance](quickstart-provision-standard-consumption-service-instance.md).-- A Spring app deployed to Azure Spring Apps.--## Scale definition --Scaling is defined by the combination of limits and rules. --- Limits are the minimum and maximum number of instances that your Spring allows.-- | Scale limit | Default value | Min value | Max value | - |--||--|--| - | Minimum number of instances per deployment | 1 | 0 | 30 | - | Maximum number of instances per deployment | 10 | 1 | 30 | -- By default, the minimum instance count of your Spring application is set to 1 to ensure that your deployment is always running. If you want to scale in to zero, you can set the minimum instance count to zero. --- Rules are the criteria that the autoscaling abides by to add or remove instances. The scale rules include HTTP, TCP, and Custom rules as described in the [Scale rules](../container-apps/scale-app.md#scale-rules) section of [Set scaling rules in Azure Container Apps](../container-apps/scale-app.md).-- If you define more than one scale rule, the autoscaling begins when the first condition of any rule is met. --- The *polling interval* and *cooldown period* are two time spans that occur during autoscaling.- - The polling interval defines the time span between each polling action of real time data as defined by your rules. The polling interval is set to 30 seconds by default. - - The cooldown period applies only when scaling to zero - for example, to wait five minutes after the last time autoscaling checked the message queue and it was empty. --## Set up autoscale settings --You can set up autoscale settings for your application by using the Azure portal or Azure CLI. --### [Azure portal](#tab/azure-portal) --Use the following steps to define autoscale settings and rules. --1. Sign in to the Azure portal. -1. Select **Azure Spring Apps** under **Azure services**. -1. In the **Name** column, select the Azure Spring Apps instance that you want to autoscale. -1. On the overview page for your Azure Spring Apps instance, select **Apps** in the navigation pane. -1. Select the application that you want to autoscale. -1. On the overview page for the selected app, select **Scale out** in the navigation pane. -1. On the **Scale out (Preview)** page, select the deployment you want to autoscale. -1. Set up the instance limits of your deployment. -1. Select **Add** to add your scale rules. ---### [Azure CLI](#tab/azure-cli) --Use the following commands to create an application in Azure Spring Apps with an autoscaling rule, based on [Keda Azure Service Bus Scaler](https://keda.sh/docs/2.8/scalers/azure-service-bus/). --```azurecli-interactive -az spring app create \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-service-instance-name> \ - --name <app-name> \ - --secrets "connection-string-secret=<service-bus-connection-string>" \ - --scale-rule-name azure-servicebus-queue-rule \ - --scale-rule-type azure-servicebus \ - --scale-rule-metadata "queueName=my-queue" \ - "namespace=service-bus-namespace" \ - "messageCount=5" \ - --scale-rule-auth "connection=connection-string-secret" \ - --min-replicas 0 \ - --max-replicas 5 -``` --The replicas count is adjusted automatically according to the count of messages in Azure Service Bus Queue. When there are no messages in the queue, your application is scaled to 0 replica. When there are messages in the queue, the application is scaled out according to the message count. ----## Custom scaling rules --For information on defining custom rules, see [Keda scalers](https://keda.sh/docs/2.9/scalers/). The following sections show two examples of setting scale rules on MySQL and Cron. --### Set up auto scaling rules on MySQL database --The following CLI commands show you how to autoscale your Spring application based on [Keda MySQL Scaler](https://keda.sh/docs/2.8/scalers/mysql/). First, create a secret to store your SQL connection string. This secret is used for your scale rule authentication. Then, set up a rule which scales the app based on the rows count of a table. --```azurecli-interactive -az spring app update \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-service-instance-name> \ - --name <app-name> \ - --secrets mysqlconnectionstring="<username>:<pwd>@tcp(<server name>:3306)/<database name>" --az spring app scale \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-service-instance-name> \ - --name <app-name> \ - --scale-rule-type mysql \ - --scale-rule-name <your rule name> \ - --scale-rule-auth "connectionString=mysqlconnectionstring" \ - --scale-rule-metadata queryValue=4 query="SELECT count(*) FROM mytable" \ - --min-replicas 0 \ - --max-replicas 3 -``` --### Create a rule based on Linux cron --The following commands show you how to set up a rule based on [Keda Cron Scaler](https://keda.sh/docs/2.8/scalers/cron/). The replicas are scaled to the desired number during the cron time interval. --```azurecli-interactive -az spring app scale \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-service-instance-name> \ - --name <app-name> \ - --scale-rule-type cron \ - --scale-rule-name testscalerule \ - --scale-rule-metadata timezone="Asia/Shanghai" \ - start="10 * * * *" \ - end="15 * * * *" \ - desiredReplicas="3" \ - --min-replicas 0 \ - --max-replicas 3 -``` --## Scaling events --You can find the scaling events from the system logs of your underlying container app, and filter the EventSource by using `KEDA`, as shown in the following example: --```sql -ContainerAppSystemLogs_CL -| where ContainerAppName_s == 'YourAppName' and EventSource_s == 'KEDA' -``` --## Clean up resources --Be sure to delete the resources you created in this article when you no longer need them. To delete the resources, just delete the resource group that contains them. You can delete the resource group using the Azure portal. Alternately, to delete the resource group by using Azure CLI, use the following commands: --```azurecli -echo "Enter the Resource Group name:" && -read resourceGroupName && -az group delete --name $resourceGroupName && -echo "Press [ENTER] to continue ..." -``` --## Next steps --> [!div class="nextstepaction"] -> [Map a custom domain to Azure Spring Apps with the Standard consumption and dedicated plan](./quickstart-standard-consumption-custom-domain.md) |
spring-apps | Quickstart Deploy Apps Enterprise | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/quickstart-deploy-apps-enterprise.md | - Title: "Quickstart - Build and deploy apps to the Azure Spring Apps Enterprise plan" -description: Describes app deployment to the Azure Spring Apps Enterprise plan. ---- Previously updated : 05/31/2022----# Quickstart: Build and deploy apps to Azure Spring Apps using the Enterprise plan --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ❌ Basic/Standard ✔️ Enterprise --This quickstart shows you how to build and deploy applications to Azure Spring Apps using the Enterprise plan. --## Prerequisites --- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).-- Understand and fulfill the [Requirements](how-to-enterprise-marketplace-offer.md#requirements) section of [Enterprise plan in Azure Marketplace](how-to-enterprise-marketplace-offer.md).-- [The Azure CLI version 2.45.0 or higher](/cli/azure/install-azure-cli).-- [Git](https://git-scm.com/).-- [!INCLUDE [install-enterprise-extension](includes/install-enterprise-extension.md)]--## Download the sample app --Use the following commands to download the sample: --```bash -git clone https://github.com/Azure-Samples/acme-fitness-store -cd acme-fitness-store -``` --## Provision a service instance --Use the following steps to provision an Azure Spring Apps service instance. --1. Use the following command to sign in to the Azure CLI and choose your active subscription: -- ```azurecli - az login - az account list --output table - az account set --subscription <subscription-ID> - ``` --1. Use the following command to accept the legal terms and privacy statements for the Enterprise plan. This step is necessary only if your subscription has never been used to create an Enterprise plan instance of Azure Spring Apps. -- ```azurecli - az provider register --namespace Microsoft.SaaS - az term accept \ - --publisher vmware-inc \ - --product azure-spring-cloud-vmware-tanzu-2 \ - --plan asa-ent-hr-mtr - ``` --1. Select a location. This location must be a location supporting the Azure Spring Apps Enterprise plan. For more information, see the [Azure Spring Apps FAQ](faq.md). --1. Use the following command to create a resource group: -- ```azurecli - az group create \ - --name <resource-group-name> \ - --location <location> - ``` -- For more information about resource groups, see [What is Azure Resource Manager?](../azure-resource-manager/management/overview.md). --1. Prepare a name for your Azure Spring Apps service instance. The name must be between 4 and 32 characters long and can contain only lowercase letters, numbers, and hyphens. The first character of the service name must be a letter and the last character must be either a letter or a number. --1. Use the following command to create an Azure Spring Apps service instance: -- ```azurecli - az spring create \ - --resource-group <resource-group-name> \ - --name <Azure-Spring-Apps-service-instance-name> \ - --sku enterprise \ - --enable-application-configuration-service \ - --enable-service-registry \ - --enable-gateway \ - --enable-api-portal - ``` --1. Use the following command to create a Log Analytics Workspace to be used for your Azure Spring Apps service: -- ```azurecli - az monitor log-analytics workspace create \ - --resource-group <resource-group-name> \ - --workspace-name <workspace-name> \ - --location <location> - ``` --1. Use the following commands to retrieve the Resource ID for your Log Analytics Workspace and Azure Spring Apps service instance: -- ```azurecli - export LOG_ANALYTICS_RESOURCE_ID=$(az monitor log-analytics workspace show \ - --resource-group <resource-group-name> \ - --workspace-name <workspace-name> \ - --query id \ - --output tsv) -- export AZURE_SPRING_APPS_RESOURCE_ID=$(az spring show \ - --resource-group <resource-group-name> \ - --name <Azure-Spring-Apps-service-instance-name> \ - --query id \ - --output tsv) - ``` --1. Use the following command to configure diagnostic settings for the Azure Spring Apps Service: -- ```azurecli - az monitor diagnostic-settings create \ - --name "send-logs-and-metrics-to-log-analytics" \ - --resource ${AZURE_SPRING_APPS_RESOURCE_ID} \ - --workspace ${LOG_ANALYTICS_RESOURCE_ID} \ - --logs '[ - { - "category": "ApplicationConsole", - "enabled": true, - "retentionPolicy": { - "enabled": false, - "days": 0 - } - }, - { - "category": "SystemLogs", - "enabled": true, - "retentionPolicy": { - "enabled": false, - "days": 0 - } - }, - { - "category": "IngressLogs", - "enabled": true, - "retentionPolicy": { - "enabled": false, - "days": 0 - } - } - ]' \ - --metrics '[ - { - "category": "AllMetrics", - "enabled": true, - "retentionPolicy": { - "enabled": false, - "days": 0 - } - } - ]' - ``` --1. Use the following commands to create applications for `cart-service`, `order-service`, `payment-service`, `catalog-service`, and `frontend`: -- ```azurecli - az spring app create \ - --resource-group <resource-group-name> \ - --name cart-service \ - --service <Azure-Spring-Apps-service-instance-name> -- az spring app create \ - --resource-group <resource-group-name> \ - --name order-service \ - --service <Azure-Spring-Apps-service-instance-name> -- az spring app create \ - --resource-group <resource-group-name> \ - --name payment-service \ - --service <Azure-Spring-Apps-service-instance-name> -- az spring app create \ - --resource-group <resource-group-name> \ - --name catalog-service \ - --service <Azure-Spring-Apps-service-instance-name> -- az spring app create \ - --resource-group <resource-group-name> \ - --name frontend \ - --service <Azure-Spring-Apps-service-instance-name> - ``` --## Externalize configuration with Application Configuration Service --Use the following steps to configure Application Configuration Service. --1. Use the following command to create a configuration repository for Application Configuration Service: -- ```azurecli - az spring application-configuration-service git repo add \ - --resource-group <resource-group-name> \ - --name acme-fitness-store-config \ - --service <Azure-Spring-Apps-service-instance-name> \ - --label main \ - --patterns "catalog/default,catalog/key-vault,identity/default,identity/key-vault,payment/default" \ - --uri "https://github.com/Azure-Samples/acme-fitness-store-config" - ``` --1. Use the following commands to bind applications to Application Configuration Service: -- ```azurecli - az spring application-configuration-service bind \ - --resource-group <resource-group-name> \ - --app payment-service \ - --service <Azure-Spring-Apps-service-instance-name> -- az spring application-configuration-service bind \ - --resource-group <resource-group-name> \ - --app catalog-service \ - --service <Azure-Spring-Apps-service-instance-name> - ``` --## Activate service registration and discovery --To active service registration and discovery, use the following commands to bind applications to Service Registry: --```azurecli -az spring service-registry bind \ - --resource-group <resource-group-name> \ - --app payment-service \ - --service <Azure-Spring-Apps-service-instance-name> --az spring service-registry bind \ - --resource-group <resource-group-name> \ - --app catalog-service \ - --service <Azure-Spring-Apps-service-instance-name> -``` --## Deploy polyglot applications with Tanzu Build Service --Use the following steps to deploy and build applications. For these steps, make sure that the terminal is in the project folder before running any commands. --1. Use the following command to create a custom builder in Tanzu Build Service: -- ```azurecli - az spring build-service builder create \ - --resource-group <resource-group-name> \ - --name quickstart-builder \ - --service <Azure-Spring-Apps-service-instance-name> \ - --builder-file azure-spring-apps-enterprise/resources/json/tbs/builder.json - ``` --1. Use the following command to build and deploy the payment service: -- ```azurecli - az spring app deploy \ - --resource-group <resource-group-name> \ - --name payment-service \ - --service <Azure-Spring-Apps-service-instance-name> \ - --config-file-pattern payment/default \ - --source-path apps/acme-payment \ - --build-env BP_JVM_VERSION=17 - ``` --1. Use the following command to build and deploy the catalog service: -- ```azurecli - az spring app deploy \ - --resource-group <resource-group-name> \ - --name catalog-service \ - --service <Azure-Spring-Apps-service-instance-name> \ - --config-file-pattern catalog/default \ - --source-path apps/acme-catalog \ - --build-env BP_JVM_VERSION=17 - ``` --1. Use the following command to build and deploy the order service: -- ```azurecli - az spring app deploy \ - --resource-group <resource-group-name> \ - --name order-service \ - --service <Azure-Spring-Apps-service-instance-name> \ - --builder quickstart-builder \ - --source-path apps/acme-order - ``` --1. Use the following command to build and deploy the cart service: -- ```azurecli - az spring app deploy \ - --resource-group <resource-group-name> \ - --name cart-service \ - --service <Azure-Spring-Apps-service-instance-name> \ - --builder quickstart-builder \ - --env "CART_PORT=8080" \ - --source-path apps/acme-cart - ``` --1. Use the following command to build and deploy the frontend application: -- ```azurecli - az spring app deploy \ - --resource-group <resource-group-name> \ - --name frontend \ - --service <Azure-Spring-Apps-service-instance-name> \ - --source-path apps/acme-shopping - ``` --> [!TIP] -> To troubleshot deployments, you can use the following command to get logs streaming in real time whenever the app is running: `az spring app logs --name <app name> --follow`. --## Route requests to apps with Spring Cloud Gateway --Use the following steps to configure Spring Cloud Gateway and configure routes to applications. --1. Use the following command to assign an endpoint to Spring Cloud Gateway: -- ```azurecli - az spring gateway update \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-service-instance-name> \ - --assign-endpoint true - ``` --1. Use the following commands to configure Spring Cloud Gateway API information: -- ```azurecli - export GATEWAY_URL=$(az spring gateway show \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-service-instance-name> \ - --query properties.url \ - --output tsv) -- az spring gateway update \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-service-instance-name> \ - --api-description "Fitness Store API" \ - --api-title "Fitness Store" \ - --api-version "v1.0" \ - --server-url "https://${GATEWAY_URL}" \ - --allowed-origins "*" - ``` --1. Use the following command to create routes for the cart service: -- ```azurecli - az spring gateway route-config create \ - --resource-group <resource-group-name> \ - --name cart-routes \ - --service <Azure-Spring-Apps-service-instance-name> \ - --app-name cart-service \ - --routes-file azure-spring-apps-enterprise/resources/json/routes/cart-service.json - ``` --1. Use the following command to create routes for the order service: -- ```azurecli - az spring gateway route-config create \ - --resource-group <resource-group-name> \ - --name order-routes \ - --service <Azure-Spring-Apps-service-instance-name> \ - --app-name order-service \ - --routes-file azure-spring-apps-enterprise/resources/json/routes/order-service.json - ``` --1. Use the following command to create routes for the catalog service: -- ```azurecli - az spring gateway route-config create \ - --resource-group <resource-group-name> \ - --name catalog-routes \ - --service <Azure-Spring-Apps-service-instance-name> \ - --app-name catalog-service \ - --routes-file azure-spring-apps-enterprise/resources/json/routes/catalog-service.json - ``` --1. Use the following command to create routes for the frontend: -- ```azurecli - az spring gateway route-config create \ - --resource-group <resource-group-name> \ - --name frontend-routes \ - --service <Azure-Spring-Apps-service-instance-name> \ - --app-name frontend \ - --routes-file azure-spring-apps-enterprise/resources/json/routes/frontend.json - ``` --1. Use the following commands to retrieve the URL for Spring Cloud Gateway: -- ```azurecli - export GATEWAY_URL=$(az spring gateway show \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-service-instance-name> \ - --query properties.url \ - --output tsv) -- echo "https://${GATEWAY_URL}" - ``` -- You can open the output URL in a browser to explore the deployed application. --## Browse and try APIs with API Portal --Use the following steps to configure API Portal. --1. Use the following command to assign an endpoint to API Portal: -- ```azurecli - az spring api-portal update \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-service-instance-name> \ - --assign-endpoint true - ``` --1. Use the following commands to retrieve the URL for API Portal: -- ```azurecli - export PORTAL_URL=$(az spring api-portal show \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-service-instance-name> \ - --query properties.url \ - --output tsv) -- echo "https://${PORTAL_URL}" - ``` -- You can open the output URL in a browser to explore the application APIs. ----## Clean up resources --If you plan to continue working with subsequent quickstarts and tutorials, you might want to leave these resources in place. When no longer needed, delete the resource group, which deletes the resources in the resource group. To delete the resource group by using Azure CLI, use the following commands: --```azurecli -echo "Enter the Resource Group name:" && -read resourceGroupName && -az group delete --name $resourceGroupName && -echo "Press [ENTER] to continue ..." -``` --## Next steps --Now that you've successfully built and deployed your app, continue on to any of the following optional quickstarts: --- [Configure single sign-on](quickstart-configure-single-sign-on-enterprise.md)-- [Integrate Azure Database for PostgreSQL and Azure Cache for Redis](quickstart-integrate-azure-database-and-redis-enterprise.md)-- [Load application secrets using Key Vault](quickstart-key-vault-enterprise.md)-- [Monitor applications end-to-end](quickstart-monitor-end-to-end-enterprise.md)-- [Set request rate limits](quickstart-set-request-rate-limits-enterprise.md)-- [Automate deployments](quickstart-automate-deployments-github-actions-enterprise.md)-- [Integrate Azure Open AI](quickstart-fitness-store-azure-openai.md) |
spring-apps | Quickstart Deploy Event Driven App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/quickstart-deploy-event-driven-app.md | - Title: Quickstart - Deploy event-driven application to Azure Spring Apps -description: Learn how to deploy an event-driven application to Azure Spring Apps. --- Previously updated : 07/19/2023---zone_pivot_groups: spring-apps-plan-selection ---# Quickstart: Deploy an event-driven application to Azure Spring Apps --> [!NOTE] -> The first 50 vCPU hours and 100 GB hours of memory are free each month. For more information, see [Price Reduction - Azure Spring Apps does more, costs less!](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/price-reduction-azure-spring-apps-does-more-costs-less/ba-p/3614058) on the [Apps on Azure Blog](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/bg-p/AppsonAzureBlog). --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Standard consumption and dedicated (Preview) ✔️ Basic/Standard ✔️ Enterprise --This article explains how to deploy a Spring Boot event-driven application to Azure Spring Apps. --The sample project is an event-driven application that subscribes to a [Service Bus queue](../service-bus-messaging/service-bus-queues-topics-subscriptions.md#queues) named `lower-case`, and then handles the message and sends another message to another queue named `upper-case`. To make the app simple, message processing just converts the message to uppercase. The following diagram depicts this process: ---This article provides the following options for deploying to Azure Spring Apps: ------- The **Azure portal** option is the easiest and fastest way to create resources and deploy applications with a single click. This option is suitable for Spring developers who want to quickly deploy applications to Azure cloud services.-- The **Azure portal + Maven plugin** option is a more conventional way to create resources and deploy applications step by step. This option is suitable for Spring developers using Azure cloud services for the first time.-- The **Azure CLI** option uses a powerful command line tool to manage Azure resources. This option is suitable for Spring developers who are familiar with Azure cloud services.--## 1. Prerequisites ---### [Azure portal](#tab/Azure-portal) --- An Azure subscription. [!INCLUDE [quickstarts-free-trial-note](../../includes/quickstarts-free-trial-note.md)]--### [Azure portal + Maven plugin](#tab/Azure-portal-maven-plugin) --- An Azure subscription. [!INCLUDE [quickstarts-free-trial-note](../../includes/quickstarts-free-trial-note.md)]-- [Git](https://git-scm.com/downloads).-- [Java Development Kit (JDK)](/java/azure/jdk/), version 17.--### [Azure Developer CLI](#tab/Azure-Developer-CLI) --- An Azure subscription. [!INCLUDE [quickstarts-free-trial-note](../../includes/quickstarts-free-trial-note.md)]-- [Git](https://git-scm.com/downloads).-- [Java Development Kit (JDK)](/java/azure/jdk/), version 17.-- [Azure Developer CLI (AZD)](/azure/developer/azure-developer-cli/install-azd), version 1.2.0 or higher.------### [Azure portal](#tab/Azure-portal-ent) --- An Azure subscription. [!INCLUDE [quickstarts-free-trial-note](../../includes/quickstarts-free-trial-note.md)]-- If you're deploying an Azure Spring Apps Enterprise plan instance for the first time in the target subscription, see the [Requirements](./how-to-enterprise-marketplace-offer.md#requirements) section of [View Azure Spring Apps Enterprise tier offering in Azure Marketplace](./how-to-enterprise-marketplace-offer.md).--### [Azure portal + Maven plugin](#tab/Azure-portal-maven-plugin-ent) --- An Azure subscription. [!INCLUDE [quickstarts-free-trial-note](../../includes/quickstarts-free-trial-note.md)]-- If you're deploying an Azure Spring Apps Enterprise plan instance for the first time in the target subscription, see the [Requirements](./how-to-enterprise-marketplace-offer.md#requirements) section of [View Azure Spring Apps Enterprise tier offering in Azure Marketplace](./how-to-enterprise-marketplace-offer.md).-- [Git](https://git-scm.com/downloads).-- [Java Development Kit (JDK)](/java/azure/jdk/), version 17.--### [Azure CLI](#tab/Azure-CLI) --- An Azure subscription. [!INCLUDE [quickstarts-free-trial-note](../../includes/quickstarts-free-trial-note.md)]-- If you're deploying an Azure Spring Apps Enterprise plan instance for the first time in the target subscription, see the [Requirements](./how-to-enterprise-marketplace-offer.md#requirements) section of [View Azure Spring Apps Enterprise tier offering in Azure Marketplace](./how-to-enterprise-marketplace-offer.md).-- [Git](https://git-scm.com/downloads).-- [Java Development Kit (JDK)](/java/azure/jdk/), version 17.-- [Azure CLI](/cli/azure/install-azure-cli) version 2.45.0 or higher.--------------## 5. Validate the app --Use the following steps to confirm that the event-driven app works correctly. You can validate the app by sending a message to the `lower-case` queue, then confirm that there's a message in the `upper-case` queue. ----3. Go to the Azure Spring Apps instance **Overview** page and select **Logs** to check the app's logs. -- :::image type="content" source="media/quickstart-deploy-event-driven-app/logs.png" alt-text="Screenshot of the Azure portal that shows the Azure Spring Apps Logs page." lightbox="media/quickstart-deploy-event-driven-app/logs.png"::: ----### [Azure portal](#tab/Azure-portal-ent) ---3. Go to the Azure Spring Apps instance **Overview** page and select **Logs** to check the app's logs. -- :::image type="content" source="media/quickstart-deploy-event-driven-app/logs.png" alt-text="Screenshot of the Azure portal that shows the Azure Spring Apps Logs page." lightbox="media/quickstart-deploy-event-driven-app/logs.png"::: --1. Check the details for each resource deployment, which are useful for investigating any deployment issues. --### [Azure portal + Maven plugin](#tab/Azure-portal-maven-plugin-ent) ---3. Go to the Azure Spring Apps instance **Overview** page and select **Logs** to check the app's logs. -- :::image type="content" source="media/quickstart-deploy-event-driven-app/logs.png" alt-text="Screenshot of the Azure portal that shows the Azure Spring Apps Logs page." lightbox="media/quickstart-deploy-event-driven-app/logs.png"::: --1. Check the details for each resource deployment, which are useful for investigating any deployment issues. --### [Azure CLI](#tab/Azure-CLI) ---3. Go to the Azure Spring Apps instance **Overview** page and select **Logs** to check the app's logs. -- :::image type="content" source="media/quickstart-deploy-event-driven-app/logs.png" alt-text="Screenshot of the Azure portal that shows the Azure Spring Apps Logs page." lightbox="media/quickstart-deploy-event-driven-app/logs.png"::: --1. Use the following command to check the app's log to investigate any deployment issue: -- ```azurecli - az spring app logs \ - --service ${AZURE_SPRING_APPS_INSTANCE} \ - --name ${APP_NAME} - ``` ------## 7. Next steps --> [!div class="nextstepaction"] -> [Structured application log for Azure Spring Apps](./structured-app-log.md) --> [!div class="nextstepaction"] -> [Map an existing custom domain to Azure Spring Apps](./how-to-custom-domain.md) --> [!div class="nextstepaction"] -> [Set up Azure Spring Apps CI/CD with GitHub Actions](./how-to-github-actions.md) --> [!div class="nextstepaction"] -> [Automate application deployments to Azure Spring Apps](./how-to-cicd.md) --> [!div class="nextstepaction"] -> [Use managed identities for applications in Azure Spring Apps](./how-to-use-managed-identities.md) --> [!div class="nextstepaction"] -> [Create a service connection in Azure Spring Apps with the Azure CLI](../service-connector/quickstart-cli-spring-cloud-connection.md) ---> [!div class="nextstepaction"] -> [Run microservice apps (Pet Clinic)](./quickstart-sample-app-introduction.md) ----> [!div class="nextstepaction"] -> [Introduction to the Fitness Store sample app](./quickstart-sample-app-acme-fitness-store-introduction.md) ---For more information, see the following articles: --- [Azure Spring Apps Samples](https://github.com/Azure-Samples/azure-spring-apps-samples).-- [Spring on Azure](/azure/developer/java/spring/)-- [Spring Cloud Azure](/azure/developer/java/spring-framework/) |
spring-apps | Quickstart Deploy Infrastructure Vnet Azure Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/quickstart-deploy-infrastructure-vnet-azure-cli.md | - Title: Quickstart - Provision Azure Spring Apps using Azure CLI -description: This quickstart shows you how to use Azure CLI to deploy an Azure Spring Apps cluster into an existing virtual network. ------ Previously updated : 05/31/2022---# Quickstart: Provision Azure Spring Apps using Azure CLI --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** Γ¥î Basic Γ£ö∩╕Å Standard Γ£ö∩╕Å Enterprise --This quickstart describes how to use Azure CLI to deploy an Azure Spring Apps cluster into an existing virtual network. --Azure Spring Apps makes it easy to deploy Spring applications to Azure without any code changes. The service manages the infrastructure of Spring applications so developers can focus on their code. Azure Spring Apps provides lifecycle management using comprehensive monitoring and diagnostics, configuration management, service discovery, CI/CD integration, blue-green deployments, and more. --The Enterprise deployment plan includes the following Tanzu components: --* Build Service -* Application Configuration Service -* Service Registry -* Spring Cloud Gateway -* API Portal --## Prerequisites --* An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. -* Two dedicated subnets for the Azure Spring Apps cluster, one for the service runtime and another for the Spring applications. For subnet and virtual network requirements, see the [Virtual network requirements](how-to-deploy-in-azure-virtual-network.md#virtual-network-requirements) section of [Deploy Azure Spring Apps in a virtual network](how-to-deploy-in-azure-virtual-network.md). -* An existing Log Analytics workspace for Azure Spring Apps diagnostics settings and a workspace-based Application Insights resource. For more information, see [Analyze logs and metrics with diagnostics settings](diagnostic-services.md) and [Application Insights Java In-Process Agent in Azure Spring Apps](how-to-application-insights.md). -* Three internal Classless Inter-Domain Routing (CIDR) ranges (at least */16* each) that you've identified for use by the Azure Spring Apps cluster. These CIDR ranges won't be directly routable and will be used only internally by the Azure Spring Apps cluster. Clusters may not use *169.254.0.0/16*, *172.30.0.0/16*, *172.31.0.0/16*, or *192.0.2.0/24* for the internal Spring app CIDR ranges, or any IP ranges included within the cluster virtual network address range. -* Service permission granted to the virtual network. The Azure Spring Apps Resource Provider requires Owner permission to your virtual network in order to grant a dedicated and dynamic service principal on the virtual network for further deployment and maintenance. For instructions and more information, see the [Grant service permission to the virtual network](how-to-deploy-in-azure-virtual-network.md#grant-service-permission-to-the-virtual-network) section of [Deploy Azure Spring Apps in a virtual network](how-to-deploy-in-azure-virtual-network.md). -* If you're using Azure Firewall or a Network Virtual Appliance (NVA), you'll also need to satisfy the following prerequisites: - * Network and fully qualified domain name (FQDN) rules. For more information, see [Virtual network requirements](how-to-deploy-in-azure-virtual-network.md#virtual-network-requirements). - * A unique User Defined Route (UDR) applied to each of the service runtime and Spring application subnets. For more information about UDRs, see [Virtual network traffic routing](../virtual-network/virtual-networks-udr-overview.md). The UDR should be configured with a route for *0.0.0.0/0* with a destination of your NVA before deploying the Azure Spring Apps cluster. For more information, see the [Bring your own route table](how-to-deploy-in-azure-virtual-network.md#bring-your-own-route-table) section of [Deploy Azure Spring Apps in a virtual network](how-to-deploy-in-azure-virtual-network.md). -* [Azure CLI](/cli/azure/install-azure-cli) -* If you're deploying an Azure Spring Apps Enterprise plan instance for the first time in the target subscription, see the [Requirements](./how-to-enterprise-marketplace-offer.md#requirements) section of [Enterprise plan in Azure Marketplace](./how-to-enterprise-marketplace-offer.md). --## Review the Azure CLI deployment script --The deployment script used in this quickstart is from the [Azure Spring Apps reference architecture](/previous-versions/azure/spring-apps/reference-architecture). --### [Enterprise plan](#tab/azure-spring-apps-enterprise) ---### [Standard plan](#tab/azure-spring-apps-standard) -----## Deploy the cluster --To deploy the Azure Spring Apps cluster using the Azure CLI script, follow these steps: --1. Sign in to Azure by using the following command: -- ```azurecli - az login - ``` -- After you sign in, this command will output information about all the subscriptions you have access to. Take note of the name and ID of the subscription you want to use. --1. Set the target subscription. -- ```azurecli - az account set --subscription "<your subscription name>" - ``` --1. Register the Azure Spring Apps Resource Provider. -- ```azurecli - az provider register --namespace 'Microsoft.AppPlatform' - ``` --1. Add the required extensions to Azure CLI. -- ```azurecli - az extension add --name spring - ``` --1. Choose a deployment location from the regions where Azure Spring Apps is available, as shown in [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=spring-cloud®ions=all). --1. Use the following command to generate a list of Azure locations. Take note of the short **Name** value for the region you selected in the previous step. -- ```azurecli - az account list-locations --output table - ``` --1. Create a resource group to deploy the resource to. -- ```azurecli - az group create --name <your-resource-group-name> --location <location-name> - ``` --1. Save the script for Azure Spring Apps [Standard plan](https://raw.githubusercontent.com/Azure/azure-spring-apps-landing-zone-accelerator/reference-architecture/CLI/brownfield-deployment/azuredeploySpringStandard.sh) or [Enterprise plan](https://raw.githubusercontent.com/Azure/azure-spring-apps-landing-zone-accelerator/reference-architecture/CLI/brownfield-deployment/azuredeploySpringEnterprise.sh) locally, then run it from the Bash prompt. -- **Standard plan:** -- ```azurecli - ./azuredeploySpringStandard.sh - ``` -- **Enterprise plan:** -- ```azurecli - ./azuredeploySpringEnterprise.sh - ``` --1. Enter the following values when prompted by the script: -- * The Azure subscription ID that you saved earlier. - * The Azure location name that you saved earlier. - * The name of the resource group that you created earlier. - * The name of the virtual network resource group where you'll deploy your resources. - * The name of the spoke virtual network (for example, *vnet-spoke*). - * The name of the subnet to be used by the Azure Spring Apps Application Service (for example, *snet-app*). - * The name of the subnet to be used by the Azure Spring Apps Runtime Service (for example, *snet-runtime*). - * The name of the resource group for the Azure Log Analytics workspace to be used for storing diagnostic logs. - * The name of the Azure Log Analytics workspace (for example, *la-cb5sqq6574o2a*). - * The CIDR ranges from your virtual network to be used by Azure Spring Apps (for example, *XX.X.X.X/16,XX.X.X.X/16,XX.X.X.X/16*). - * The key/value pairs to be applied as tags on all resources that support tags. For more information, see [Use tags to organize your Azure resources and management hierarchy](../azure-resource-manager/management/tag-resources.md). Use a space-separated list to apply multiple tags (for example, *environment=Dev BusinessUnit=finance*). --After you provide this information, the script will create and deploy the Azure resources. --## Review deployed resources --You can either use the Azure portal to check the deployed resources, or use Azure CLI to list the deployed resources. --## Clean up resources --If you plan to continue working with subsequent quickstarts and tutorials, you might want to leave these resources in place. When no longer needed, delete the resource group, which deletes the resources in the resource group. To delete the resource group by using Azure CLI, use the following commands: --```azurecli -echo "Enter the Resource Group name:" && -read resourceGroupName && -az group delete --name $resourceGroupName && -echo "Press [ENTER] to continue ..." -``` --## Next steps --In this quickstart, you deployed an Azure Spring Apps instance into an existing virtual network using Azure CLI, and then validated the deployment. To learn more about Azure Spring Apps, continue on to the resources below. --* Deploy one of the following sample applications from the locations below: - * [Pet Clinic App with MySQL Integration](https://github.com/azure-samples/spring-petclinic-microservices) - * [Simple Hello World](./quickstart.md?pivots=programming-language-java&tabs=Azure-CLI). -* Use [custom domains](how-to-custom-domain.md) with Azure Spring Apps. -* Expose applications in Azure Spring Apps to the internet using Azure Application Gateway. For more information, see [Expose applications with end-to-end TLS in a virtual network](expose-apps-gateway-end-to-end-tls.md). -* View the secure end-to-end [Azure Spring Apps reference architecture](/previous-versions/azure/spring-apps/reference-architecture), which is based on the [Microsoft Azure Well-Architected Framework](/azure/architecture/framework/). |
spring-apps | Quickstart Deploy Infrastructure Vnet Bicep | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/quickstart-deploy-infrastructure-vnet-bicep.md | - Title: Quickstart - Provision Azure Spring Apps using Bicep -description: This quickstart shows you how to use Bicep to deploy an Azure Spring Apps cluster into an existing virtual network. ----- Previously updated : 05/31/2022---# Quickstart: Provision Azure Spring Apps using Bicep --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ❌ Basic ✔️ Standard ✔️ Enterprise --This quickstart describes how to use a Bicep template to deploy an Azure Spring Apps cluster into an existing virtual network. --Azure Spring Apps makes it easy to deploy Spring applications to Azure without any code changes. The service manages the infrastructure of Spring applications so developers can focus on their code. Azure Spring Apps provides lifecycle management using comprehensive monitoring and diagnostics, configuration management, service discovery, CI/CD integration, blue-green deployments, and more. --The Enterprise deployment plan includes the following Tanzu components: --* Build Service -* Application Configuration Service -* Service Registry -* Spring Cloud Gateway -* API Portal --## Prerequisites --* An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. -* Two dedicated subnets for the Azure Spring Apps cluster, one for the service runtime and another for the Spring applications. For subnet and virtual network requirements, see the [Virtual network requirements](how-to-deploy-in-azure-virtual-network.md#virtual-network-requirements) section of [Deploy Azure Spring Apps in a virtual network](how-to-deploy-in-azure-virtual-network.md). -* An existing Log Analytics workspace for Azure Spring Apps diagnostics settings. For more information, see [Analyze logs and metrics with diagnostics settings](diagnostic-services.md). -* Three internal Classless Inter-Domain Routing (CIDR) ranges (at least */16* each) that you've identified for use by the Azure Spring Apps cluster. These CIDR ranges won't be directly routable and will be used only internally by the Azure Spring Apps cluster. Clusters may not use *169.254.0.0/16*, *172.30.0.0/16*, *172.31.0.0/16*, or *192.0.2.0/24* for the internal Spring app CIDR ranges, or any IP ranges included within the cluster virtual network address range. -* Service permission granted to the virtual network. The Azure Spring Apps Resource Provider requires Owner permission to your virtual network in order to grant a dedicated and dynamic service principal on the virtual network for further deployment and maintenance. For instructions and more information, see the [Grant service permission to the virtual network](how-to-deploy-in-azure-virtual-network.md#grant-service-permission-to-the-virtual-network) section of [Deploy Azure Spring Apps in a virtual network](how-to-deploy-in-azure-virtual-network.md). -* If you're using Azure Firewall or a Network Virtual Appliance (NVA), you'll also need to satisfy the following prerequisites: - * Network and fully qualified domain name (FQDN) rules. For more information, see [Virtual network requirements](how-to-deploy-in-azure-virtual-network.md#virtual-network-requirements). - * A unique User Defined Route (UDR) applied to each of the service runtime and Spring application subnets. For more information about UDRs, see [Virtual network traffic routing](../virtual-network/virtual-networks-udr-overview.md). The UDR should be configured with a route for *0.0.0.0/0* with a destination of your NVA before deploying the Azure Spring Apps cluster. For more information, see the [Bring your own route table](how-to-deploy-in-azure-virtual-network.md#bring-your-own-route-table) section of [Deploy Azure Spring Apps in a virtual network](how-to-deploy-in-azure-virtual-network.md). -* [Azure CLI](/cli/azure/install-azure-cli) -* If you're deploying an Azure Spring Apps Enterprise plan instance for the first time in the target subscription, see the [Requirements](./how-to-enterprise-marketplace-offer.md#requirements) section of [Enterprise plan in Azure Marketplace](./how-to-enterprise-marketplace-offer.md). --## Deploy using Bicep --To deploy the cluster, use the following steps. --First, create an *azuredeploy.bicep* file with the following contents: --### [Enterprise plan](#tab/azure-spring-apps-enterprise) ---### [Standard plan](#tab/azure-spring-apps-standard) -----Next, open a Bash window and run the following Azure CLI command, replacing the *\<value>* placeholders with the following values: --* **resource-group:** The resource group name for deploying the Azure Spring Apps instance. -* **springCloudInstanceName:** The name of the Azure Spring Apps resource. -* **appInsightsName:** The name of the Application Insights instance for Azure Spring Apps. -* **laWorkspaceResourceId:** The resource ID of the existing Log Analytics workspace (for example, */subscriptions/\<your subscription>/resourcegroups/\<your Log Analytics resource group>/providers/Microsoft.OperationalInsights/workspaces/\<your Log Analytics workspace name>*.) -* **springCloudAppSubnetID:** The resource ID of the Azure Spring Apps Application Subnet. -* **springCloudRuntimeSubnetID:** The resource ID of the Azure Spring Apps Runtime Subnet. -* **springCloudServiceCidrs:** A comma-separated list of IP address ranges (three in total) in CIDR format. The IP ranges are reserved to host underlying Azure Spring Apps infrastructure. These three ranges should be at least */16* unused IP ranges, and must not overlap with any routable subnet IP ranges used within the network. -- ```azurecli - az deployment group create \ - --resource-group <value> \ - --name initial \ - --template-file azuredeploy.bicep \ - --parameters \ - springCloudInstanceName=<value> \ - appInsightsName=<value> \ - laWorkspaceResourceId=<value> \ - springCloudAppSubnetID=<value> \ - springCloudRuntimeSubnetID=<value> \ - springCloudServiceCidrs=<value> - ``` -- This command uses the Bicep template to create an Azure Spring Apps instance in an existing virtual network. The command also creates a workspace-based Application Insights instance in an existing Azure Monitor Log Analytics Workspace. --## Review deployed resources --You can either use the Azure portal to check the deployed resources, or use Azure CLI or Azure PowerShell script to list the deployed resources. --## Clean up resources --If you plan to continue working with subsequent quickstarts and tutorials, you might want to leave these resources in place. When no longer needed, delete the resource group, which deletes the resources in the resource group. To delete the resource group by using Azure CLI, use the following commands: --```azurecli -echo "Enter the Resource Group name:" && -read resourceGroupName && -az group delete --name $resourceGroupName && -echo "Press [ENTER] to continue ..." -``` --## Next steps --In this quickstart, you deployed an Azure Spring Apps instance into an existing virtual network using Bicep, and then validated the deployment. To learn more about Azure Spring Apps, continue on to the resources below. --* Deploy one of the following sample applications from the locations below: - * [Pet Clinic App with MySQL Integration](https://github.com/azure-samples/spring-petclinic-microservices) - * [Simple Hello World](./quickstart.md?pivots=programming-language-java&tabs=Azure-CLI). -* Use [custom domains](how-to-custom-domain.md) with Azure Spring Apps. -* Expose applications in Azure Spring Apps to the internet using Azure Application Gateway. For more information, see [Expose applications with end-to-end TLS in a virtual network](expose-apps-gateway-end-to-end-tls.md). -* View the secure end-to-end [Azure Spring Apps reference architecture](/previous-versions/azure/spring-apps/reference-architecture), which is based on the [Microsoft Azure Well-Architected Framework](/azure/architecture/framework/). |
spring-apps | Quickstart Deploy Infrastructure Vnet Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/quickstart-deploy-infrastructure-vnet-terraform.md | - Title: Quickstart - Provision Azure Spring Apps using Terraform -description: This quickstart shows you how to use Terraform to deploy an Azure Spring Apps cluster into an existing virtual network. ----- Previously updated : 05/31/2022---# Quickstart: Provision Azure Spring Apps using Terraform --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** Γ¥î Basic Γ£ö∩╕Å Standard Γ£ö∩╕Å Enterprise --This quickstart describes how to use Terraform to deploy an Azure Spring Apps cluster into an existing virtual network. --Azure Spring Apps makes it easy to deploy Spring applications to Azure without any code changes. The service manages the infrastructure of Spring applications so developers can focus on their code. Azure Spring Apps provides lifecycle management using comprehensive monitoring and diagnostics, configuration management, service discovery, CI/CD integration, blue-green deployments, and more. --The Enterprise deployment plan includes the following Tanzu components: --* Build Service -* Application Configuration Service -* Service Registry -* Spring Cloud Gateway -* API Portal --The API Portal component will be included when it becomes available through the AzureRM Terraform provider. --For more customization including custom domain support, see the [Azure Spring Apps Terraform provider](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/spring_cloud_service) documentation. --## Prerequisites --* An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. -* [Hashicorp Terraform](https://www.terraform.io/downloads.html) -* Two dedicated subnets for the Azure Spring Apps cluster, one for the service runtime and another for the Spring applications. For subnet and virtual network requirements, see the [Virtual network requirements](how-to-deploy-in-azure-virtual-network.md#virtual-network-requirements) section of [Deploy Azure Spring Apps in a virtual network](how-to-deploy-in-azure-virtual-network.md). -* An existing Log Analytics workspace for Azure Spring Apps diagnostics settings and a workspace-based Application Insights resource. For more information, see [Analyze logs and metrics with diagnostics settings](diagnostic-services.md) and [Application Insights Java In-Process Agent in Azure Spring Apps](how-to-application-insights.md). -* Three internal Classless Inter-Domain Routing (CIDR) ranges (at least */16* each) that you've identified for use by the Azure Spring Apps cluster. These CIDR ranges won't be directly routable and will be used only internally by the Azure Spring Apps cluster. Clusters may not use *169.254.0.0/16*, *172.30.0.0/16*, *172.31.0.0/16*, or *192.0.2.0/24* for the internal Azure Spring Apps CIDR. Clusters also may not use any IP ranges included within the cluster virtual network address range. -* Service permission granted to the virtual network. The Azure Spring Apps Resource Provider requires Owner permission to your virtual network in order to grant a dedicated and dynamic service principal on the virtual network for further deployment and maintenance. For instructions and more information, see the [Grant service permission to the virtual network](how-to-deploy-in-azure-virtual-network.md#grant-service-permission-to-the-virtual-network) section of [Deploy Azure Spring Apps in a virtual network](how-to-deploy-in-azure-virtual-network.md). -* If you're using Azure Firewall or a Network Virtual Appliance (NVA), you'll also need to satisfy the following prerequisites: - * Network and fully qualified domain name (FQDN) rules. For more information, see [Virtual network requirements](how-to-deploy-in-azure-virtual-network.md#virtual-network-requirements). - * A unique User Defined Route (UDR) applied to each of the service runtime and Spring application subnets. For more information about UDRs, see [Virtual network traffic routing](../virtual-network/virtual-networks-udr-overview.md). The UDR should be configured with a route for *0.0.0.0/0* with a destination of your NVA before deploying the Azure Spring Apps cluster. For more information, see the [Bring your own route table](how-to-deploy-in-azure-virtual-network.md#bring-your-own-route-table) section of [Deploy Azure Spring Apps in a virtual network](how-to-deploy-in-azure-virtual-network.md). -* If you're deploying an Azure Spring Apps Enterprise plan instance for the first time in the target subscription, see the [Requirements](./how-to-enterprise-marketplace-offer.md#requirements) section of [Enterprise plan in Azure Marketplace](./how-to-enterprise-marketplace-offer.md). --## Review the Terraform plan --The configuration file used in this quickstart is from the [Azure Spring Apps reference architecture](/previous-versions/azure/spring-apps/reference-architecture). --### [Enterprise plan](#tab/azure-spring-apps-enterprise) ---### [Standard plan](#tab/azure-spring-apps-standard) -----## Apply the Terraform plan --To apply the Terraform plan, follow these steps: --1. Save the *variables.tf* file for the [Standard plan](https://raw.githubusercontent.com/Azure/azure-spring-apps-landing-zone-accelerator/reference-architecture/terraform/brownfield-deployment/Standard/variable.tf) or the [Enterprise plan](https://raw.githubusercontent.com/Azure/azure-spring-apps-landing-zone-accelerator/reference-architecture/terraform/brownfield-deployment/Enterprise/variable.tf) locally, then open it in an editor. --1. Edit the file to add the following values: -- * The subscription ID of the Azure account you'll be deploying to. -- * A deployment location from the regions where Azure Spring Apps is available, as shown in [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=spring-cloud®ions=all). You'll need the short form of the location name. To get this value, use the following command to generate a list of Azure locations, then look up the **Name** value for the region you selected. -- ```azurecli - az account list-locations --output table - ``` --1. Edit the file to add the following new deployment information: -- * The name of the resource group you'll deploy to. - * A name of your choice for the Azure Spring Apps Deployment. - * A name of your choice for the Application Insights resource. - * Three CIDR ranges (at least /16) which are used to host the Azure Spring Apps backend infrastructure. The CIDR ranges must not overlap with any existing CIDR ranges in the target Subnet - * The key/value pairs to be applied as tags on all resources that support tags. For more information, see [Use tags to organize your Azure resources and management hierarchy](../azure-resource-manager/management/tag-resources.md) --1. Edit the file to add the following existing infrastructure information: -- * The name of the resource group where the existing virtual network resides. - * The name of the existing scope virtual network. - * The name of the existing subnet to be used by the Azure Spring Apps Application Service. - * The name of the existing subnet to be used by the Azure Spring Apps Runtime Service. - * The name of the Azure Log Analytics workspace. --1. Run the following command to initialize the Terraform modules: -- ```bash - terraform init - ``` --1. Run the following command to create the Terraform deployment plan: -- ```bash - terraform plan -out=springcloud.plan - ``` --1. Run the following command to apply the Terraform deployment plan: -- ```bash - terraform apply springcloud.plan - ``` --## Review deployed resources --You can either use the Azure portal to check the deployed resources, or use Azure CLI or Azure PowerShell script to list the deployed resources. --## Clean up resources --If you plan to continue working with subsequent quickstarts and tutorials, you might want to leave these resources in place. When no longer needed, delete the resources created in this article by using the following command. --```bash -terraform destroy -auto-approve -``` --## Next steps --In this quickstart, you deployed an Azure Spring Apps instance into an existing virtual network using Terraform, and then validated the deployment. To learn more about Azure Spring Apps, continue on to the resources below. --* Deploy one of the following sample applications from the locations below: - * [Pet Clinic App with MySQL Integration](https://github.com/azure-samples/spring-petclinic-microservices) - * [Simple Hello World](./quickstart.md?pivots=programming-language-java&tabs=Azure-CLI) -* Use [custom domains](how-to-custom-domain.md) with Azure Spring Apps. -* Expose applications in Azure Spring Apps to the internet using Azure Application Gateway. For more information, see [Expose applications with end-to-end TLS in a virtual network](expose-apps-gateway-end-to-end-tls.md). -* View the secure end-to-end [Azure Spring Apps reference architecture](/previous-versions/azure/spring-apps/reference-architecture), which is based on the [Microsoft Azure Well-Architected Framework](/azure/architecture/framework/). |
spring-apps | Quickstart Deploy Infrastructure Vnet | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/quickstart-deploy-infrastructure-vnet.md | - Title: Quickstart - Provision Azure Spring Apps using an Azure Resource Manager template (ARM template) -description: This quickstart shows you how to use an ARM template to deploy an Azure Spring Apps cluster into an existing virtual network. ------ Previously updated : 05/31/2022---# Quickstart: Provision Azure Spring Apps using an ARM template --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ❌ Basic ✔️ Standard ✔️ Enterprise --This quickstart describes how to use an Azure Resource Manager template (ARM template) to deploy an Azure Spring Apps cluster into an existing virtual network. --Azure Spring Apps makes it easy to deploy Spring applications to Azure without any code changes. The service manages the infrastructure of Spring applications so developers can focus on their code. Azure Spring Apps provides lifecycle management using comprehensive monitoring and diagnostics, configuration management, service discovery, CI/CD integration, blue-green deployments, and more. --The Enterprise deployment plan includes the following Tanzu components: --* Build Service -* Application Configuration Service -* Service Registry -* Spring Cloud Gateway -* API Portal -* Application Accelerator -* Application Live View ---## Prerequisites --* An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. -* Two dedicated subnets for the Azure Spring Apps cluster, one for the service runtime and another for the Spring applications. For subnet and virtual network requirements, see the [Virtual network requirements](how-to-deploy-in-azure-virtual-network.md#virtual-network-requirements) section of [Deploy Azure Spring Apps in a virtual network](how-to-deploy-in-azure-virtual-network.md). -* An existing Log Analytics workspace for Azure Spring Apps diagnostics settings and a workspace-based Application Insights resource. For more information, see [Analyze logs and metrics with diagnostics settings](diagnostic-services.md) and [Application Insights Java In-Process Agent in Azure Spring Apps](how-to-application-insights.md). -* Three internal Classless Inter-Domain Routing (CIDR) ranges (at least */16* each) that you've identified for use by the Azure Spring Apps cluster. These CIDR ranges aren't directly routable and are used only internally by the Azure Spring Apps cluster. Clusters may not use *169.254.0.0/16*, *172.30.0.0/16*, *172.31.0.0/16*, or *192.0.2.0/24* for the internal Azure Spring Apps CIDR ranges. Clusters also may not use any IP ranges included within the cluster virtual network address range. -* Service permission granted to the virtual network. The Azure Spring Apps Resource Provider requires Owner permission to your virtual network in order to grant a dedicated and dynamic service principal on the virtual network for further deployment and maintenance. For instructions and more information, see the [Grant service permission to the virtual network](how-to-deploy-in-azure-virtual-network.md#grant-service-permission-to-the-virtual-network) section of [Deploy Azure Spring Apps in a virtual network](how-to-deploy-in-azure-virtual-network.md). -* If you're using Azure Firewall or a Network Virtual Appliance (NVA), you also need to satisfy the following prerequisites: -- * Network and fully qualified domain name (FQDN) rules. For more information, see [Virtual network requirements](how-to-deploy-in-azure-virtual-network.md#virtual-network-requirements). - * A unique User Defined Route (UDR) applied to each of the service runtime and Spring application subnets. For more information about UDRs, see [Virtual network traffic routing](../virtual-network/virtual-networks-udr-overview.md). The UDR should be configured with a route for *0.0.0.0/0* with a destination of your NVA before deploying the Azure Spring Apps cluster. For more information, see the [Bring your own route table](how-to-deploy-in-azure-virtual-network.md#bring-your-own-route-table) section of [Deploy Azure Spring Apps in a virtual network](how-to-deploy-in-azure-virtual-network.md). -* If you're deploying an Azure Spring Apps Enterprise plan instance for the first time in the target subscription, see the [Requirements](./how-to-enterprise-marketplace-offer.md#requirements) section of [Enterprise plan in Azure Marketplace](./how-to-enterprise-marketplace-offer.md). --## Review the template --The templates used in this quickstart are from the [Azure Spring Apps Reference Architecture](/previous-versions/azure/spring-apps/reference-architecture). --### [Enterprise plan](#tab/azure-spring-apps-enterprise) ---### [Standard plan](#tab/azure-spring-apps-standard) -----Two Azure resources are defined in the template: --* [Microsoft.AppPlatform/Spring](/azure/templates/microsoft.appplatform/spring) creates an Azure Spring Apps instance. -* [Microsoft.Insights/components](/azure/templates/microsoft.insights/components) creates an Application Insights workspace. --## Deploy the template --To deploy the template, use the following steps. --First, select the following image to sign in to Azure and open a template. The template creates an Azure Spring Apps instance in an existing Virtual Network and a workspace-based Application Insights instance in an existing Azure Monitor Log Analytics Workspace. --### [Enterprise plan](#tab/azure-spring-apps-enterprise) ---### [Standard plan](#tab/azure-spring-apps-standard) -----Next, enter values for the following fields: --* **Resource Group:** Select **Create new**, enter a unique name for the **resource group**, and then select **OK**. -* **springCloudInstanceName:** Enter the name of the Azure Spring Apps resource. -* **appInsightsName:** Enter the name of the Application Insights instance for Azure Spring Apps. -* **laWorkspaceResourceId:** Enter the resource ID of the existing Log Analytics workspace (for example, */subscriptions/\<your subscription>/resourcegroups/\<your Log Analytics resource group>/providers/Microsoft.OperationalInsights/workspaces/\<your Log Analytics workspace name>*.) -* **springCloudAppSubnetID:** Enter the resource ID of the Azure Spring Apps Application Subnet. -* **springCloudRuntimeSubnetID:** Enter the resource ID of the Azure Spring Apps Runtime Subnet. -* **springCloudServiceCidrs:** Enter a comma-separated list of IP address ranges (three in total) in CIDR format. The IP ranges are reserved to host underlying Azure Spring Apps infrastructure. These three ranges should be at least */16* unused IP ranges, and must not overlap with any routable subnet IP ranges used within the network. -* **tags:** Enter any custom tags. --Finally, select **Review + Create** and then **Create**. --## Review deployed resources --You can either use the Azure portal to check the deployed resources, or use Azure CLI or Azure PowerShell script to list the deployed resources. --## Clean up resources --If you plan to continue working with subsequent quickstarts and tutorials, you might want to leave these resources in place. When no longer needed, delete the resource group, which deletes the resources in the resource group. To delete the resource group by using Azure CLI or Azure PowerShell, use the following commands: --### [Azure CLI](#tab/azure-cli) --```azurecli -echo "Enter the Resource Group name:" && -read resourceGroupName && -az group delete --name $resourceGroupName && -echo "Press [ENTER] to continue ..." -``` --### [PowerShell](#tab/azure-powershell) --```azurepowershell-interactive -$resourceGroupName = Read-Host -Prompt "Enter the Resource Group name" -Remove-AzResourceGroup -Name $resourceGroupName -Write-Host "Press [ENTER] to continue..." -``` ----## Next steps --In this quickstart, you deployed an Azure Spring Apps instance into an existing virtual network using an ARM template, and then validated the deployment. To learn more about Azure Spring Apps and Azure Resource Manager, continue on to the following resources. --* Deploy one of the following sample applications from the following locations: - * [Pet Clinic App with MySQL Integration](https://github.com/azure-samples/spring-petclinic-microservices) - * [Simple Hello World](./quickstart.md?pivots=programming-language-java&tabs=Azure-CLI) -* Use [custom domains](how-to-custom-domain.md) with Azure Spring Apps. -* Expose applications in Azure Spring Apps to the internet using Azure Application Gateway. For more information, see [Expose applications with end-to-end TLS in a virtual network](expose-apps-gateway-end-to-end-tls.md). -* View the secure end-to-end [Azure Spring Apps reference architecture](/previous-versions/azure/spring-apps/reference-architecture), which is based on the [Microsoft Azure Well-Architected Framework](/azure/architecture/framework/). -* Learn more about [Azure Resource Manager](../azure-resource-manager/management/overview.md). |
spring-apps | Quickstart Deploy Java Native Image App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/quickstart-deploy-java-native-image-app.md | - Title: Quickstart - Deploy your first Java Native Image application to Azure Spring Apps -description: Describes how to deploy a Java Native Image application to Azure Spring Apps. --- Previously updated : 08/29/2023-----# Quickstart: Deploy your first Java Native Image application to Azure Spring Apps --> [!NOTE] -> The first 50 vCPU hours and 100 GB hours of memory are free each month. For more information, see [Price Reduction - Azure Spring Apps does more, costs less!](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/price-reduction-azure-spring-apps-does-more-costs-less/ba-p/3614058) on the [Apps on Azure Blog](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/bg-p/AppsonAzureBlog). --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ❌ Basic/Standard ✔️ Enterprise --This quickstart shows how to deploy a Spring Boot application to Azure Spring Apps as a Native Image. --[Native Image](https://www.graalvm.org/latest/reference-manual/native-image/) capability enables you to compile Java applications to standalone executables, known as Native Images. These executables can provide significant benefits, including faster startup times and lower runtime memory overhead compared to a traditional JVM (Java Virtual Machine). --The sample project is the Spring Petclinic application. The following screenshot shows the application: ---## 1. Prerequisites --- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.-- [Git](https://git-scm.com/downloads).-- [Java Development Kit (JDK)](/java/azure/jdk/), version 17.-- [Azure CLI](/cli/azure/install-azure-cli) version 2.45.0 or higher. Use the following command to install the Azure Spring Apps extension: `az extension add --name spring`-- If you're deploying an Azure Spring Apps Enterprise plan instance for the first time in the target subscription, see the [Requirements](./how-to-enterprise-marketplace-offer.md#requirements) section of [View Azure Spring Apps Enterprise tier offering in Azure Marketplace](./how-to-enterprise-marketplace-offer.md).---## 5. Validate Native Image App --Now you can access the deployed Native Image app to see whether it works. Use the following steps to validate: --1. After the deployment has completed, you can run the following command to get the app URL: -- ```azurecli - az spring app show \ - --service ${AZURE_SPRING_APPS_NAME} \ - --name ${NATIVE_APP_NAME} \ - --output table - ``` -- You can access the app with the URL shown in the output as `Public Url`. The page should appear as you saw it o localhost. --1. Use the following command to check the app's log to investigate any deployment issue: -- ```azurecli - az spring app logs \ - --service ${AZURE_SPRING_APPS_NAME} \ - --name ${NATIVE_APP_NAME} - ``` --## 6. Compare performance for JAR and Native Image --The following sections describe how to compare the performance between JAR and Native Image deployment. --### Server startup time --Use the following command to check the app's log `Started PetClinicApplication in XXX seconds` to get the server startup time for a JAR app: --```azurecli -az spring app logs \ - --service ${AZURE_SPRING_APPS_NAME} \ - --name ${JAR_APP_NAME} -``` --The server startup time is around 25 s for a JAR app. --Use the following command to check the app's log to get the server startup time for a Native Image app: --```azurecli -az spring app logs \ - --service ${AZURE_SPRING_APPS_NAME} \ - --name ${NATIVE_APP_NAME} -``` --The server startup time is less than 0.5 s for a Native Image app. --### Memory usage --Use the following command to scale down the memory size to 512 Mi for a Native Image app: --```azurecli -az spring app scale \ - --service ${AZURE_SPRING_APPS_NAME} \ - --name ${NATIVE_APP_NAME} \ - --memory 512Mi -``` --The command output should show that the Native Image app started successfully. --Use the following command to scale down the memory size to 512 Mi for the JAR app: --```azurecli -az spring app scale \ - --service ${AZURE_SPRING_APPS_NAME} \ - --name ${JAR_APP_NAME} \ - --memory 512Mi -``` --The command output should show that the JAR app failed to start due to insufficient memory. The output message should be similar to the following example: `Terminating due to java.lang.OutOfMemoryError: Java heap space`. --The following figure shows the optimized memory usage for the Native Image deployment for a constant workload of 400 requests per second into the Petclinic application. The memory usage is about 1/5th of the memory consumed by its equivalent JAR deployment. ---Native Images offer quicker startup times and reduced runtime memory overhead when compared to the conventional Java Virtual Machine (JVM). --## 7. Clean up resources --If you plan to continue working with subsequent quickstarts and tutorials, you might want to leave these resources in place. When you no longer need the resources, delete them by deleting the resource group. Use the following command to delete the resource group: --```azurecli -az group delete --name ${RESOURCE_GROUP} -``` --## 8. Next steps --> [!div class="nextstepaction"] -> [How to deploy Java Native Image apps in the Azure Spring Apps Enterprise plan](./how-to-enterprise-deploy-polyglot-apps.md#deploy-java-native-image-applications-preview) --> [!div class="nextstepaction"] -> [Structured application log for Azure Spring Apps](./structured-app-log.md) --> [!div class="nextstepaction"] -> [Map an existing custom domain to Azure Spring Apps](./how-to-custom-domain.md) --> [!div class="nextstepaction"] -> [Set up Azure Spring Apps CI/CD with GitHub Actions](./how-to-github-actions.md) --> [!div class="nextstepaction"] -> [Set up Azure Spring Apps CI/CD with Azure DevOps](./how-to-cicd.md) --> [!div class="nextstepaction"] -> [Use managed identities for applications in Azure Spring Apps](./how-to-use-managed-identities.md) --> [!div class="nextstepaction"] -> [Create a service connection in Azure Spring Apps with the Azure CLI](../service-connector/quickstart-cli-spring-cloud-connection.md) --> [!div class="nextstepaction"] -> [Run the polyglot ACME fitness store apps on Azure Spring Apps](./quickstart-sample-app-acme-fitness-store-introduction.md) --> [!div class="nextstepaction"] -> [Monitor your Spring Boot Native Image application](https://aka.ms/AzMonSpringNative) --For more information, see the following articles: --- [Azure Spring Apps Samples](https://github.com/Azure-Samples/azure-spring-apps-samples).-- [Spring on Azure](/azure/developer/java/spring/)-- [Spring Cloud Azure](/azure/developer/java/spring-framework/) |
spring-apps | Quickstart Deploy Microservice Apps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/quickstart-deploy-microservice-apps.md | - Title: Quickstart - Deploy microservice applications to Azure Spring Apps -description: Learn how to deploy microservice applications to Azure Spring Apps. --- Previously updated : 01/10/2024---zone_pivot_groups: spring-apps-tier-selection ---# Quickstart: Deploy microservice applications to Azure Spring Apps --> [!NOTE] -> The first 50 vCPU hours and 100 GB hours of memory are free each month. For more information, see [Price Reduction - Azure Spring Apps does more, costs less!](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/price-reduction-azure-spring-apps-does-more-costs-less/ba-p/3614058) on the [Apps on Azure Blog](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/bg-p/AppsonAzureBlog). --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --This article explains how to deploy microservice applications to Azure Spring Apps using the well-known sample app [PetClinic](https://github.com/spring-petclinic/spring-petclinic-microservices). ---The Pet Clinic sample demonstrates the microservice architecture pattern. The following diagram shows the architecture of the PetClinic application on the Azure Spring Apps Enterprise plan. ---The diagram shows the following architectural flows and relationships of the Pet Clinic sample: --- Uses Azure Spring Apps to manage the frontend and backend apps. The backend apps are built with Spring Boot and each app uses HSQLDB as the persistent store. The reforged frontend app builds upon Pet Clinic API Gateway App with Node.js serving as a standalone frontend web application.-- Uses the managed components on Azure Spring Apps, including Service Registry, Application Configuration Service, Spring Cloud Gateway, and Application Live View. The Application Configuration Service reads the Git repository configuration.-- Exposes the URL of Spring Cloud Gateway to route request to backend service apps, and exposes the URL of the Application Live View to monitor the backend apps.-- Analyzes logs using the Log Analytics workspace.-- Monitors performance with Application Insights.--> [!NOTE] -> This article uses a simplified version of PetClinic, using an in-memory database that isn't production-ready to quickly deploy to Azure Spring Apps. -> -> The Tanzu Developer Tools exposes public access for Application Live View, which is a risk point. The production environment needs to secure the access. For more information, see the [Configure Dev Tools Portal](./how-to-use-dev-tool-portal.md#configure-dev-tools-portal) section of [Configure Tanzu Dev Tools in the Azure Spring Apps Enterprise plan](how-to-use-dev-tool-portal.md). ----The Pet Clinic sample demonstrates the microservice architecture pattern. The following diagram shows the architecture of the PetClinic application on the Azure Spring Apps Standard plan. ---The diagram shows the following architectural flows and relationships of the Pet Clinic sample: --- Uses Azure Spring Apps to manage the Spring Boot apps. Each app uses HSQLDB as the persistent store.-- Uses the managed components Spring Cloud Config Server and Eureka Service Registry on Azure Spring Apps. The Config Server reads the Git repository configuration.-- Exposes the URL of API Gateway to load balance requests to service apps, and exposes the URL of the Admin Server to manage the applications.-- Analyzes logs using the Log Analytics workspace.-- Monitors performance with Application Insights.--> [!NOTE] -> This article uses a simplified version of PetClinic, using an in-memory database that isn't production-ready to quickly deploy to Azure Spring Apps. -> -> The deployed app `admin-server` exposes public access, which is a risk point. The production environment needs to secure the Spring Boot Admin application. ---This article provides the following options for deploying to Azure Spring Apps: ---- The **Azure portal** option is the easiest and the fastest way to create resources and deploy applications with a single click. This option is suitable for Spring developers who want to quickly deploy applications to Azure cloud services.-- The **Azure portal + Maven plugin** option is a more conventional way to create resources and deploy applications step by step. This option is suitable for Spring developers using Azure cloud services for the first time.----- The **Azure portal + Maven plugin** option is a more conventional way to create resources and deploy applications step by step. This option is suitable for Spring developers using Azure cloud services for the first time.-- The **Azure Developer CLI** option is a more efficient way to automatically create resources and deploy applications through simple commands. The Azure Developer CLI uses a template to provision the Azure resources needed and to deploy the application code. This option is suitable for Spring developers who are familiar with Azure cloud services.---## 1. Prerequisites ---### [Azure portal + Maven plugin](#tab/Azure-portal-maven-plugin) --- An Azure subscription. [!INCLUDE [quickstarts-free-trial-note](../../includes/quickstarts-free-trial-note.md)]-- [Git](https://git-scm.com/downloads).-- [Java Development Kit (JDK)](/java/azure/jdk/), version 17.--### [Azure Developer CLI](#tab/Azure-Developer-CLI) --- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.-- [Git](https://git-scm.com/downloads).-- [Java Development Kit (JDK)](/java/azure/jdk/), version 17.-- [Azure Developer CLI](https://aka.ms/azd-install), version 1.2.0 or higher.------### [Azure portal](#tab/Azure-portal-ent) --- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.-- If you're deploying an Azure Spring Apps Enterprise plan instance for the first time in the target subscription, see the [Requirements](./how-to-enterprise-marketplace-offer.md#requirements) section of [Enterprise plan in Azure Marketplace](./how-to-enterprise-marketplace-offer.md).-- (Optional) [Git](https://git-scm.com/downloads).-- (Optional) [Java Development Kit (JDK)](/java/azure/jdk/), version 17.--### [Azure portal + Maven plugin](#tab/Azure-portal-maven-plugin-ent) --- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.-- If you're deploying an Azure Spring Apps Enterprise plan instance for the first time in the target subscription, see the [Requirements](./how-to-enterprise-marketplace-offer.md#requirements) section of [Enterprise plan in Azure Marketplace](./how-to-enterprise-marketplace-offer.md).-- [Git](https://git-scm.com/downloads).-- (Optional) [Java Development Kit (JDK)](/java/azure/jdk/), version 17.-- (Optional) [Node.js](https://nodejs.org/en/download), version 16.20 or higher.-- [Azure CLI](/cli/azure/install-azure-cli), version 2.45.0 or higher.-----------## 5. Validate the apps --The following sections describe how to validate the deployment. ---### [Azure portal](#tab/Azure-portal-ent) ---### [Azure portal + Maven plugin](#tab/Azure-portal-maven-plugin-ent) --### 5.1. Access the applications --Using the endpoint assigned from Spring Cloud Gateway - for example, ` -https://<your-Azure-Spring-Apps-instance-name>-gateway-xxxxx.svc.azuremicroservices.io`. The application should look similar to the following screenshot: ---### 5.2. Query the application logs --After you browse each function of the Pet Clinic, the Log Analytics workspace collects logs of each application. You can check the logs by using custom queries, as shown in the following screenshot: ---### 5.3. Monitor the applications --Application Insights monitors the application dependencies, as shown by the following application tracing map: ---Open the Application Live View URL exposed by the Developer Tools to monitor application runtimes, as shown in the following screenshot: ---------## 6. Clean up resources ------Be sure to delete the resources you created in this article when you no longer need them. You can delete the Azure resource group, which includes all the resources in the resource group. --Use the following steps to delete the entire resource group, including the newly created service instance: --1. Locate your resource group in the Azure portal. On the navigation menu, select **Resource groups** and then select the name of your resource group. --1. On the **Resource group** page, select **Delete**. Enter the name of your resource group in the text box to confirm deletion, then select **Delete**. ---## 7. Next steps --> [!div class="nextstepaction"] -> [Quickstart: Integrate Azure Spring Apps with Azure Database for MySQL](./quickstart-integrate-azure-database-mysql.md) --> [!div class="nextstepaction"] -> [Use Azure Spring Apps CI/CD with GitHub Actions](./how-to-github-actions.md) --> [!div class="nextstepaction"] -> [Automate application deployments to Azure Spring Apps](./how-to-cicd.md) --> [!div class="nextstepaction"] -> [Structured application log for Azure Spring Apps](./structured-app-log.md) --> [!div class="nextstepaction"] -> [Use managed identities for applications in Azure Spring Apps](./how-to-use-managed-identities.md) --> [!div class="nextstepaction"] -> [Quickstart: Set up a Log Analytics workspace](./quickstart-setup-log-analytics.md) --> [!div class="nextstepaction"] -> [Quickstart: Monitoring Azure Spring Apps apps with logs, metrics, and tracing](./quickstart-logs-metrics-tracing.md) --> [!div class="nextstepaction"] -> [Map an existing custom domain to Azure Spring Apps](./how-to-custom-domain.md) --> [!div class="nextstepaction"] -> [Quickstart: Introduction to the sample app](./quickstart-sample-app-introduction.md) --> [!div class="nextstepaction"] -> [Introduction to the Fitness Store sample app](./quickstart-sample-app-acme-fitness-store-introduction.md) --For more information, see the following articles: --- [Azure Pet Clinic microservices](https://github.com/Azure-Samples/spring-petclinic-microservices)-- [Azure Spring Apps Samples](https://github.com/Azure-Samples/azure-spring-apps-samples)-- [Azure for Spring developers](/azure/developer/java/spring/)-- [Spring Cloud Azure documentation](/azure/developer/java/spring-framework/) |
spring-apps | Quickstart Deploy Web App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/quickstart-deploy-web-app.md | - Title: Quickstart - Deploy your first web application to Azure Spring Apps -description: Describes how to deploy a web application to Azure Spring Apps. --- Previously updated : 07/11/2023---zone_pivot_groups: spring-apps-plan-selection ---# Quickstart: Deploy your first web application to Azure Spring Apps --> [!NOTE] -> The first 50 vCPU hours and 100 GB hours of memory are free each month. For more information, see [Price Reduction - Azure Spring Apps does more, costs less!](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/price-reduction-azure-spring-apps-does-more-costs-less/ba-p/3614058) on the [Apps on Azure Blog](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/bg-p/AppsonAzureBlog). --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --This quickstart shows how to deploy a Spring Boot web application to Azure Spring Apps. The sample project is a simple ToDo application to add tasks, mark when they're complete, and then delete them. The following screenshot shows the application: ---This application is a typical three-layers web application with the following layers: --- A frontend bounded [React](https://reactjs.org/) application.-- A backend Spring web application that uses Spring Data JPA to access a relational database.-- A relational database. For localhost, the application uses [H2 Database Engine](https://www.h2database.com/html/main.html). For Azure Spring Apps, the application uses Azure Database for PostgreSQL. For more information about Azure Database for PostgreSQL, see [Flexible Server documentation](../postgresql/flexible-server/overview.md).--The following diagram shows the architecture of the system: ----This article provides the following options for deploying to Azure Spring Apps: --- The **Azure portal** option is the easiest and the fastest way to create resources and deploy applications with a single click. This option is suitable for Spring developers who want to quickly deploy applications to Azure cloud services.-- The **Azure portal + Maven plugin** option provides a more conventional way to create resources and deploy applications step by step. This option is suitable for Spring developers using Azure cloud services for the first time.-- The **Azure Developer CLI** option is a more efficient way to automatically create resources and deploy applications through simple commands. The Azure Developer CLI uses a template to provision the Azure resources needed and to deploy the application code. This option is suitable for Spring developers who are familiar with Azure cloud services.----This article provides the following options for deploying to Azure Spring Apps: --- The **Azure portal** option is the easiest and the fastest way to create resources and deploy applications with a single click. This option is suitable for Spring developers who want to quickly deploy applications to Azure cloud services.-- The **Azure portal + Maven plugin** option provides a more conventional way to create resources and deploy applications step by step. This option is suitable for Spring developers using Azure cloud services for the first time.-- The **Azure CLI** option is a powerful command line tool to manage Azure resources. This option is suitable for Spring developers who are familiar with Azure cloud services.---## 1. Prerequisites ---### [Azure portal](#tab/Azure-portal) --- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.--### [Azure portal + Maven plugin](#tab/Azure-portal-maven-plugin) --- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.-- [Git](https://git-scm.com/downloads).-- [Java Development Kit (JDK)](/java/azure/jdk/), version 17.--### [Azure Developer CLI](#tab/Azure-Developer-CLI) --- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.-- [Git](https://git-scm.com/downloads).-- [Java Development Kit (JDK)](/java/azure/jdk/), version 17.-- [Azure Developer CLI (AZD)](/azure/developer/azure-developer-cli/install-azd), version 1.2.0 or higher.------### [Azure portal](#tab/Azure-portal-ent) --- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.--### [Azure portal + Maven plugin](#tab/Azure-portal-maven-plugin-ent) --- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.-- [Git](https://git-scm.com/downloads).-- [Java Development Kit (JDK)](/java/azure/jdk/), version 17.--### [Azure CLI](#tab/Azure-CLI) --- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.-- [Git](https://git-scm.com/downloads).-- [Java Development Kit (JDK)](/java/azure/jdk/), version 17.-- [Azure CLI](/cli/azure/install-azure-cli) version 2.45.0 or higher. Use the following command to install the Azure Spring Apps extension: `az extension add --name spring`-- If you're deploying an Azure Spring Apps Enterprise plan instance for the first time in the target subscription, see the [Requirements](./how-to-enterprise-marketplace-offer.md#requirements) section of [Enterprise plan in Azure Marketplace](./how-to-enterprise-marketplace-offer.md).--------------## 5. Validate the web app --Now you can access the deployed app to see whether it works. ---### [Azure portal](#tab/Azure-portal-ent) --Use the following steps to validate: --1. After the deployment finishes, you can find the application URL from the deployment outputs: -- :::image type="content" source="media/quickstart-deploy-web-app/web-app-url-standard.png" alt-text="Diagram that shows the enterprise app URL of the ARM deployment outputs." border="false" lightbox="media/quickstart-deploy-web-app/web-app-url-standard.png"::: --1. Access the application with the output application URL. The page should appear as you saw in localhost. --1. Check the details for each resource deployment, which are useful for investigating any deployment issues. --### [Azure portal + Maven plugin](#tab/Azure-portal-maven-plugin-ent) --Access the application with the output application URL. The page should appear as you saw in localhost. --### [Azure CLI](#tab/Azure-CLI) --Use the following steps to validate: --1. After the deployment finishes, you can access the app with this URL: `https://${AZURE_SPRING_APPS_NAME}-${APP_NAME}.azuremicroservices.io/`. The page should appear as you saw in localhost. --1. To check the app's log to investigate any deployment issue, use the following command: -- ```azurecli - az spring app logs \ - --service ${AZURE_SPRING_APPS_NAME} \ - --name ${APP_NAME} - ``` ------### [Azure portal](#tab/Azure-portal) --Use the following steps to validate: --1. After the deployment finishes, you can find the application URL from the deployment outputs: -- :::image type="content" source="media/quickstart-deploy-web-app/web-app-url-consumption.png" alt-text="Diagram that shows the consumption app URL of the ARM deployment outputs." border="false" lightbox="media/quickstart-deploy-web-app/web-app-url-consumption.png"::: --1. Access the application URL. The page should appear as you saw in localhost. --1. Check the details for each resource deployment, which are useful for investigating any deployment issues. --### [Azure portal + Maven plugin](#tab/Azure-portal-maven-plugin) --Access the application with the output application URL. The page should appear as you saw in localhost. --### [Azure Developer CLI](#tab/Azure-Developer-CLI) --Access the application with the output endpoint. The page should appear as you saw in localhost. ------### [Azure portal](#tab/Azure-portal) --Use the following steps to validate: --1. After the deployment finishes, find the application URL from the deployment outputs: -- :::image type="content" source="media/quickstart-deploy-web-app/web-app-url-standard.png" alt-text="Diagram that shows the standard app URL of the ARM deployment outputs." border="false" lightbox="media/quickstart-deploy-web-app/web-app-url-standard.png"::: --1. Access the application URL. The page should appear as you saw in localhost. --1. Check the details for each resource deployment, which are useful for investigating any deployment issues. --### [Azure portal + Maven plugin](#tab/Azure-portal-maven-plugin) --Access the application with the output application URL. The page should appear as you saw in localhost. --### [Azure Developer CLI](#tab/Azure-Developer-CLI) --Access the application with the output endpoint. The page should appear as you saw in localhost. -----## 6. Clean up resources --Be sure to delete the resources you created in this article when you no longer need them. You can delete the Azure resource group, which includes all the resources in the resource group. ------### [Azure portal](#tab/Azure-portal-ent) ---### [Azure portal + Maven plugin](#tab/Azure-portal-maven-plugin-ent) ---### [Azure CLI](#tab/Azure-CLI) --Use the following command to delete the entire resource group, including the newly created service: --```azurecli -az group delete --name ${RESOURCE_GROUP} -``` -----## 7. Next steps --> [!div class="nextstepaction"] -> [Structured application log for Azure Spring Apps](./structured-app-log.md) --> [!div class="nextstepaction"] -> [Map an existing custom domain to Azure Spring Apps](./how-to-custom-domain.md) --> [!div class="nextstepaction"] -> [Set up Azure Spring Apps CI/CD with GitHub Actions](./how-to-github-actions.md) --> [!div class="nextstepaction"] -> [Automate application deployments to Azure Spring Apps](./how-to-cicd.md) --> [!div class="nextstepaction"] -> [Use managed identities for applications in Azure Spring Apps](./how-to-use-managed-identities.md) --> [!div class="nextstepaction"] -> [Quickstart: Create a service connection in Azure Spring Apps with the Azure CLI](../service-connector/quickstart-cli-spring-cloud-connection.md) ---> [!div class="nextstepaction"] -> [Introduction to the sample app](./quickstart-sample-app-introduction.md) ----> [!div class="nextstepaction"] -> [Introduction to the Fitness Store sample app](./quickstart-sample-app-acme-fitness-store-introduction.md) ---For more information, see the following articles: --- [Azure Spring Apps Samples](https://github.com/Azure-Samples/azure-spring-apps-samples).-- [Azure for Spring developers](/azure/developer/java/spring/)-- [Spring Cloud Azure documentation](/azure/developer/java/spring-framework/) |
spring-apps | Quickstart Integrate Azure Database And Redis Enterprise | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/quickstart-integrate-azure-database-and-redis-enterprise.md | - Title: "Quickstart - Integrate with Azure Database for PostgreSQL and Azure Cache for Redis"- -description: Explains how to provision and prepare an Azure Database for PostgreSQL and an Azure Cache for Redis to be used with apps running the Azure Spring Apps Enterprise plan. ---- Previously updated : 05/31/2022----# Quickstart: Integrate with Azure Database for PostgreSQL and Azure Cache for Redis --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ❌ Basic/Standard ✔️ Enterprise --This quickstart shows you how to provision and prepare an Azure Database for PostgreSQL and an Azure Cache for Redis to be used with apps running in the Azure Spring Apps Enterprise plan. --This article uses these services for demonstration purposes. You can connect your application to any backing service of your choice by using instructions similar to the ones in the [Create Service Connectors](#create-service-connectors) section later in this article. --## Prerequisites --- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).-- Understand and fulfill the [Requirements](how-to-enterprise-marketplace-offer.md#requirements) section of [Enterprise plan in Azure Marketplace](how-to-enterprise-marketplace-offer.md).-- [The Azure CLI version 2.45.0 or higher](/cli/azure/install-azure-cli).-- [Git](https://git-scm.com/).-- [jq](https://stedolan.github.io/jq/download/)-- [!INCLUDE [install-enterprise-extension](includes/install-enterprise-extension.md)]-- Complete the steps in [Build and deploy apps to Azure Spring Apps using the Enterprise plan](quickstart-deploy-apps-enterprise.md).--## Provision services --To add persistence to the application, create an Azure Cache for Redis and an Azure Database for PostgreSQL Flexible Server. --### [Azure CLI](#tab/azure-cli) --The following steps describe how to provision an Azure Cache for Redis instance and an Azure Database for PostgreSQL Flexible Server by using the Azure CLI. --1. Use the following command to create an instance of Azure Cache for Redis: -- ```azurecli - az redis create \ - --resource-group <resource-group-name> \ - --name <redis-cache-name> \ - --location ${REGION} \ - --sku Basic \ - --vm-size c0 - ``` -- > [!NOTE] - > Redis Cache creation takes approximately 20 minutes. --1. Use the following command to create an Azure Database for PostgreSQL Flexible Server instance: -- ```azurecli - az postgres flexible-server create \ - --resource-group <resource-group-name> \ - --name <postgres-server-name> \ - --location <location> \ - --admin-user <postgres-username> \ - --admin-password <postgres-password> \ - --yes - ``` --1. Use the following command to allow connections from other Azure Services to the newly created Flexible Server: -- ```azurecli - az postgres flexible-server firewall-rule create \ - --rule-name allAzureIPs \ - --name <postgres-server-name> \ - --resource-group <resource-group-name> \ - --start-ip-address 0.0.0.0 \ - --end-ip-address 0.0.0.0 - ``` --1. Use the following command to enable the `uuid-ossp` extension for the newly created Flexible Server: -- ```azurecli - az postgres flexible-server parameter set \ - --resource-group <resource-group-name> \ - --name azure.extensions \ - --value uuid-ossp \ - --server-name <postgres-server-name> - ``` --1. Use the following command to create a database for the Order Service application: -- ```azurecli - az postgres flexible-server db create \ - --resource-group <resource-group-name> \ - --server-name <postgres-server-name> \ - --database-name acmefit_order - ``` --1. Use the following command to create a database for the Catalog Service application: -- ```azurecli - az postgres flexible-server db create \ - --resource-group <resource-group-name> \ - --server-name <postgres-server-name> \ - --database-name acmefit_catalog - ``` --### [ARM template](#tab/arm-template) --The following instructions describe how to provision an Azure Cache for Redis and an Azure Database for PostgreSQL Flexible Server by using an Azure Resource Manager template (ARM template). ---You can find the template used in this quickstart in the [fitness store sample GitHub repository](https://github.com/Azure-Samples/acme-fitness-store/blob/HEAD/azure-spring-apps-enterprise/resources/json/deploy/azuredeploy.json). --To deploy this template, follow these steps: --1. Select the following image to sign in to Azure and open a template. The template creates an Azure Cache for Redis and an Azure Database for PostgreSQL Flexible Server. -- :::image type="content" source="../media/template-deployments/deploy-to-azure.svg" alt-text="Button to deploy the ARM template to Azure." border="false" link="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure-Samples%2Facme-fitness-store%2FAzure%2Fazure-spring-apps-enterprise%2Fresources%2Fjson%2Fdeploy%2Fazuredeploy.json"::: --1. Enter values for the following fields: -- - **Resource Group:** Select **Create new**, enter a unique name for the **resource group**, and then select **OK**. - - **cacheName:** Enter the name for the Azure Cache for Redis Server. - - **dbServerName:** Enter the name for the Azure Database for PostgreSQL Flexible Server. - - **administratorLogin:** Enter the admin username for the Azure Database for PostgreSQL Flexible Server. - - **administratorLoginPassword:** Enter the admin password for the Azure Database for PostgreSQL Flexible Server. - - **tags:** Enter any custom tags. --1. Select **Review + Create** and then **Create**. ----## Create Service Connectors --The following steps show how to bind applications running in the Azure Spring Apps Enterprise plan to other Azure services by using Service Connectors. --1. Use the following command to create a service connector to Azure Database for PostgreSQL for the Order Service application: -- ```azurecli - az spring connection create postgres-flexible \ - --resource-group <resource-group-name> \ - --target-resource-group <target-resource-group> \ - --connection order_service_db \ - --service <Azure-Spring-Apps-service-instance-name> \ - --app order-service \ - --deployment default \ - --server <postgres-server-name> \ - --database acmefit_order \ - --secret name=<postgres-username> secret=<postgres-password> \ - --client-type dotnet - ``` --1. Use the following command to create a service connector to Azure Database for PostgreSQL for the Catalog Service application: -- ```azurecli - az spring connection create postgres-flexible \ - --resource-group <resource-group-name> \ - --target-resource-group <target-resource-group> \ - --connection catalog_service_db \ - --service <Azure-Spring-Apps-service-instance-name> \ - --app catalog-service \ - --deployment default \ - --server <postgres-server-name> \ - --database acmefit_catalog \ - --secret name=<postgres-username> secret=<postgres-password> \ - --client-type springboot - ``` --1. Use the following command to create a service connector to Azure Cache for Redis for the Cart Service application: -- ```azurecli - az spring connection create redis \ - --resource-group <resource-group-name> \ - --target-resource-group <target-resource-group> \ - --connection cart_service_cache \ - --service <Azure-Spring-Apps-service-instance-name> \ - --app cart-service \ - --deployment default \ - --server <redis-cache-name> \ - --database 0 \ - --client-type java - ``` --1. Use the following command to reload the Catalog Service application to load the new connection properties: -- ```azurecli - az spring app restart \ - --resource-group <resource-group-name> \ - --name catalog-service \ - --service <Azure-Spring-Apps-service-instance-name> - ``` --1. Use the following command to retrieve the database connection information: -- ```azurecli - export POSTGRES_CONNECTION_STR=$(az spring connection show \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-service-instance-name> \ - --deployment default \ - --connection order_service_db \ - --app order-service \ - | jq '.configurations[0].value' -r) - ``` -- > [!NOTE] - > If you get an SSL verification exception with Nofsql 6.0, be sure to change the SSL mode from `Require` to `VerifyFull`. For more information, see the [Npgsql 6.0 Release Notes](https://www.npgsql.org/doc/release-notes/6.0.html). --1. Use the following command to update the Order Service application: -- ```azurecli - az spring app update \ - --resource-group <resource-group-name> \ - --name order-service \ - --service <Azure-Spring-Apps-service-instance-name> \ - --env "DatabaseProvider=Postgres" "ConnectionStrings__OrderContext=${POSTGRES_CONNECTION_STR}" - ``` --1. Use the following commands to retrieve Redis connection information and update the Cart Service application: -- ```azurecli - export REDIS_CONN_STR=$(az spring connection show \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-service-instance-name> \ - --deployment default \ - --app cart-service \ - --connection cart_service_cache | jq -r '.configurations[0].value') -- export GATEWAY_URL=$(az spring gateway show \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-service-instance-name> | jq -r '.properties.url') - - az spring app update \ - --resource-group <resource-group-name> \ - --name cart-service \ - --service <Azure-Spring-Apps-service-instance-name> \ - --env "CART_PORT=8080" "REDIS_CONNECTIONSTRING=${REDIS_CONN_STR}" "AUTH_URL=https://${GATEWAY_URL}" - ``` --## Access the application --Retrieve the URL for Spring Cloud Gateway and explore the updated application. You can use the output from the following command to explore the application: --```azurecli -export GATEWAY_URL=$(az spring gateway show \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-service-instance-name> | jq -r '.properties.url') --echo "https://${GATEWAY_URL}" -``` --## Clean up resources --If you plan to continue working with subsequent quickstarts and tutorials, you might want to leave these resources in place. When no longer needed, delete the resource group, which deletes the resources in the resource group. To delete the resource group by using Azure CLI, use the following commands: --```azurecli -echo "Enter the Resource Group name:" && -read resourceGroupName && -az group delete --name $resourceGroupName && -echo "Press [ENTER] to continue ..." -``` --## Next steps --Continue on to any of the following optional quickstarts: --- [Configure single sign-on](quickstart-configure-single-sign-on-enterprise.md)-- [Load application secrets using Key Vault](quickstart-key-vault-enterprise.md)-- [Monitor applications end-to-end](quickstart-monitor-end-to-end-enterprise.md)-- [Set request rate limits](quickstart-set-request-rate-limits-enterprise.md)-- [Automate deployments](quickstart-automate-deployments-github-actions-enterprise.md)-- [Integrate Azure OpenAI](quickstart-fitness-store-azure-openai.md) |
spring-apps | Quickstart Integrate Azure Database Mysql | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/quickstart-integrate-azure-database-mysql.md | - Title: "Quickstart - Integrate with Azure Database for MySQL" -description: Explains how to provision and prepare an Azure Database for MySQL instance, and then configure Pet Clinic on Azure Spring Apps to use it as a persistent database with only one command. ---- Previously updated : 08/28/2022----# Quickstart: Integrate Azure Spring Apps with Azure Database for MySQL --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Basic/Standard ❌ Enterprise --Pet Clinic, as deployed in the default configuration [Quickstart: Build and deploy apps to Azure Spring Apps](./quickstart-deploy-apps.md), uses an in-memory database (HSQLDB) that is populated with data at startup. This quickstart explains how to provision and prepare an Azure Database for MySQL instance and then configure Pet Clinic on Azure Spring Apps to use it as a persistent database. --## Prerequisites --An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free). --## Create an Azure Database for MySQL instance --Create an Azure Database for MySQL flexible server using the [az mysql flexible-server create](/cli/azure/mysql/flexible-server#az-mysql-flexible-server-create) command. Replace the placeholders `<database-name>`, `<resource-group-name>`, `<MySQL-flexible-server-name>`, `<admin-username>`, and `<admin-password>` with a name for your new database, the name of your resource group, a name for your new server, and an admin username and password. Use single quotes around the value for `admin-password`. --```azurecli-interactive -az mysql flexible-server create \ - --resource-group <resource-group-name> \ - --name <MySQL-flexible-server-name> \ - --database-name <database-name> \ - --public-access 0.0.0.0 \ - --admin-user <admin-username> \ - --admin-password '<admin-password>' -``` --> [!NOTE] -> The `Standard_B1ms` SKU is used by default. For pricing details, see [Azure Database for MySQL pricing](https://azure.microsoft.com/pricing/details/mysql/flexible-server/). --> [!TIP] -> The password should be at least eight characters long and contain at least one English uppercase letter, one English lowercase letter, one number, and one non-alphanumeric character (!, $, #, %, and so on.). --## Connect your application to the MySQL database --Use [Service Connector](../service-connector/overview.md) to connect the app hosted in Azure Spring Apps to your MySQL database. --> [!NOTE] -> The service binding feature in Azure Spring Apps is being deprecated in favor of Service Connector. --### [Azure CLI](#tab/azure-cli) --1. If you're using Service Connector for the first time, start by running the command [az provider register](/cli/azure/provider#az-provider-register) to register the Service Connector resource provider. -- ```azurecli-interactive - az provider register --namespace Microsoft.ServiceLinker - ``` --1. Run the `az spring connection create` command to create a service connection between the `customers-service` app and the Azure MySQL database. Replace the placeholders for the following settings with your own information. Use single quotes around the value for MySQL server `secret`. -- | Setting | Description | - ||| - | `--connection` | The name of the connection that identifies the connection between your app and target service. | - | `--resource-group` | The name of the resource group that contains the app hosted by Azure Spring Apps. | - | `--service` | The name of the Azure Spring Apps resource. | - | `--app` | The name of the application hosted by Azure Spring Apps that connects to the target service. | - | `--target-resource-group` | The name of the resource group with the storage account. | - | `--server` | The MySQL server you want to connect to | - | `--database` | The name of the database you created earlier. | - | `--secret name= secret=` | The MySQL server username and password. | -- ```azurecli-interactive - az spring connection create mysql-flexible \ - --resource-group <Azure-Spring-Apps-resource-group-name> \ - --service <Azure-Spring-Apps-resource-name> \ - --app customers-service \ - --connection <mysql-connection-name-for-app> \ - --target-resource-group <mySQL-server-resource-group> \ - --server <server-name> \ - --database <database-name> \ - --secret name=<username> secret='<secret>' - ``` -- > [!TIP] - > If the `az spring` command isn't recognized by the system, check that you have installed the Azure Spring Apps extension by running `az extension add --name spring`. --### [Azure portal](#tab/azure-portal) --1. In the Azure portal, type the name of your Azure Spring Apps instance in the search box at the top of the screen and select your instance. -1. Under **Settings**, select **Apps**, and then select the `customers-service` application from the list. -1. Select **Service Connector** from the left table of contents and select **Create**. -- :::image type="content" source="media/quickstart-integrate-azure-database-mysql/create-service-connection.png" alt-text="Screenshot of the Azure portal, in the Azure Spring Apps instance, create a connection with Service Connector."::: --1. Select or enter the following settings in the table. -- | Setting | Example | Description | - ||--|-| - | **Service type** | *DB for MySQL flexible server* | Select DB for MySQL flexible server as your target service | - | **Connection name** | *mysql_9e8af* | The connection name that identifies the connection between your app and target service. Use the connection name provided by Service Connector or enter your own connection name. | - | **Subscription** | *My Subscription* | The subscription that contains your target service. The default value is the subscription that contains the app deployed to Azure Spring Apps. | - | **MySQL flexible server** | *MySQL80* | Select the MySQL flexible server you want to connect to. | - | **MySQL database** | *petclinic* | Select the database you created earlier. | - | **Client type** | *SpringBoot* | Select the application stack that works with the target service you selected. | -- :::image type="content" source="media/quickstart-integrate-azure-database-mysql/basics-tab.png" alt-text="Screenshot of the Azure portal, filling out the basics tab in Service Connector."::: --1. Select **Next: Authentication** to select the authentication type. Then select **Connection string > Database credentials** and enter your database username and password. --1. Select **Next: Networking** to select the network configuration and select **Configure firewall rules to enable access to target service**. Enter your username and password so that your app can reach the database. --1. Select **Next: Review + Create** to review the provided information. Wait a few seconds for Service Connector to validate the information and select **Create** to create the service connection. ----Repeat these steps to create connections for the `customers-service`, `vets-service`, and `visits-service` applications. --## Check connection to MySQL database --### [Azure CLI](#tab/azure-cli) --Run the `az spring connection validate` command to show the status of the connection between the `customers-service` app and the Azure MySQL database. Replace the placeholders with your own information. --```azurecli-interactive -az spring connection validate \ - --resource-group <Azure-Spring-Apps-resource-group-name> \ - --service <Azure-Spring-Apps-resource-name> \ - --app customers-service \ - --connection <mysql-connection-name-for-app> \ - --output table -``` --The following output is displayed: --```Output -Name Result Description - -- - -Target resource existence validated. success -Target service firewall validated. success -Username and password validated. success -``` --> [!TIP] -> To get more details about the connection between your services, remove `--output table` from the above command. --### [Azure portal](#tab/azure-portal) --Azure Spring Apps connections are displayed under **Settings > Service Connector**. Select **Validate** to check your connection status, and select **Learn more** to review the connection validation details. -----Repeat these instructions to validate the connections for the `customers-service`, `vets-service`, and `visits-service` applications. --## Update apps to use MySQL profile --The following section explains how to update the apps to connect to the MySQL database. --### [Azure CLI](#tab/azure-cli) --Use the following command to set an environment variable to activate the `mysql` profile for the `customers-service` app: --```azurecli -az spring app update \ - --resource-group <Azure-Spring-Apps-resource-group-name> \ - --service <Azure-Spring-Apps-resource-name> \ - --name customers-service \ - --env SPRING_PROFILES_ACTIVE=mysql -``` --### [Azure portal](#tab/azure-portal) --Use the following steps to set an environment variable to activate the `mysql` profile for the `customers-service` app: --1. Go to the Azure Spring Apps instance overview page, select **Apps** from the navigation menu, and then select the **customers-service** application from the list. --1. On the **customers-service Overview** page, select **Configuration** from the navigation menu. --1. On the **Configuration** page, select **Environment variables**. Enter `SPRING_PROFILES_ACTIVE` for **Key**, enter `mysql` for **Value**, and then select **Save**. -- :::image type="content" source="media/quickstart-integrate-azure-database-mysql/customers-service-app-configuration.png" alt-text="Screenshot of the Azure portal showing the configuration settings for the customers-service app." lightbox="media/quickstart-integrate-azure-database-mysql/customers-service-app-configuration.png"::: ----Repeat these instructions to update app configuration for the `customers-service`, `vets-service`, and `visits-service` applications. --## Validate the apps --To validate the Pet Clinic service and to query records from the MySQL database to confirm the database connection, follow the instructions in the [Verify the services](./quickstart-deploy-apps.md?pivots=programming-language-java#verify-the-services) section of [Quickstart: Build and deploy apps to Azure Spring Apps](quickstart-deploy-apps.md). --## Clean up resources --If you plan to continue working with subsequent quickstarts and tutorials, you might want to leave these resources in place. When no longer needed, delete the resource group by using the [az group delete](/cli/azure/group#az-group-delete) command, which deletes the resources in the resource group. Replace `<resource-group>` with the name of your resource group. --```azurecli -az group delete --name <resource-group> -``` --## Next steps --* [Bind an Azure Database for MySQL instance to your application in Azure Spring Apps](./how-to-bind-mysql.md) -* [Use a managed identity to connect Azure SQL Database to an app in Azure Spring Apps](./connect-managed-identity-to-azure-sql.md) |
spring-apps | Quickstart Logs Metrics Tracing | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/quickstart-logs-metrics-tracing.md | - Title: "Quickstart - Monitoring Azure Spring Apps apps with logs, metrics, and tracing" -description: Use log streaming, log analytics, metrics, and tracing to monitor PetClinic sample apps on Azure Spring Apps. ---- Previously updated : 10/12/2021--zone_pivot_groups: programming-languages-spring-apps ---# Quickstart: Monitoring Azure Spring Apps apps with logs, metrics, and tracing --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Basic/Standard ❌ Enterprise ---With the built-in monitoring capability in Azure Spring Apps, you can debug and monitor complex issues. Azure Spring Apps integrates Steeltoe [distributed tracing](https://docs.steeltoe.io/api/v3/tracing/) with Azure's [Application Insights](../azure-monitor/app/app-insights-overview.md). This integration provides powerful logs, metrics, and distributed tracing capability from the Azure portal. --The following procedures explain how to use Log Streaming, Log Analytics, Metrics, and Distributed Tracing with the sample app that you deployed in the preceding quickstarts. --## Prerequisites --- Complete the previous quickstarts in this series:-- - [Provision an Azure Spring Apps service instance](./quickstart-provision-service-instance.md). - - [Quickstart: Set up Spring Cloud Config Server for Azure Spring Apps](./quickstart-setup-config-server.md). - - [Build and deploy apps to Azure Spring Apps](./quickstart-deploy-apps.md). - - [Set up a Log Analytics workspace](./quickstart-setup-log-analytics.md). --## Logs --There are two ways to see logs on Azure Spring Apps: **Log Streaming** of real-time logs per app instance or **Log Analytics** for aggregated logs with advanced query capability. --### Log streaming --You can use log streaming in the Azure CLI with the following command. --```azurecli -az spring app logs --name solar-system-weather --follow -``` --You're shown output similar to the following example: --```output -=> ConnectionId:0HM2HOMHT82UK => RequestPath:/weatherforecast RequestId:0HM2HOMHT82UK:00000003, SpanId:|e8c1682e-46518cc0202c5fd9., TraceId:e8c1682e-46518cc0202c5fd9, ParentId: => Microsoft.Azure.SpringCloud.Sample.SolarSystemWeather.Controllers.WeatherForecastController.Get (Microsoft.Azure.SpringCloud.Sample.SolarSystemWeather) -Executing action method Microsoft.Azure.SpringCloud.Sample.SolarSystemWeather.Controllers.WeatherForecastController.Get (Microsoft.Azure.SpringCloud.Sample.SolarSystemWeather) - Validation state: Valid -←[40m←[32minfo←[39m←[22m←[49m: Microsoft.Azure.SpringCloud.Sample.SolarSystemWeather.Controllers.WeatherForecastController[0] --=> ConnectionId:0HM2HOMHT82UK => RequestPath:/weatherforecast RequestId:0HM2HOMHT82UK:00000003, SpanId:|e8c1682e-46518cc0202c5fd9., TraceId:e8c1682e-46518cc0202c5fd9, ParentId: => Microsoft.Azure.SpringCloud.Sample.SolarSystemWeather.Controllers.WeatherForecastController.Get (Microsoft.Azure.SpringCloud.Sample.SolarSystemWeather) -Retrieved weather data from 4 planets -←[40m←[32minfo←[39m←[22m←[49m: Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker[2] --=> ConnectionId:0HM2HOMHT82UK => RequestPath:/weatherforecast RequestId:0HM2HOMHT82UK:00000003, SpanId:|e8c1682e-46518cc0202c5fd9., TraceId:e8c1682e-46518cc0202c5fd9, ParentId: => Microsoft.Azure.SpringCloud.Sample.SolarSystemWeather.Controllers.WeatherForecastController.Get (Microsoft.Azure.SpringCloud.Sample.SolarSystemWeather) -Executing ObjectResult, writing value of type 'System.Collections.Generic.KeyValuePair`2[[System.String, System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e],[System.String, System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e]][]'. -←[40m←[32minfo←[39m←[22m←[49m: Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker[2] -``` --> [!TIP] -> Use `az spring app logs -h` to explore more parameters and log stream functionality. --### Log Analytics --1. In the Azure portal, go to the **service | Overview** page and select **Logs** in the **Monitoring** section. Select **Run** on one of the sample queries for Azure Spring Apps. -- :::image type="content" source="media/quickstart-logs-metrics-tracing/logs-entry.png" alt-text="Screenshot of the Logs opening page." lightbox="media/quickstart-logs-metrics-tracing/logs-entry.png"::: --1. Edit the query to remove the Where clauses that limit the display to warning and error logs. --1. Select **Run**. You're shown logs. For more information, see [Get started with log queries in Azure Monitor](../azure-monitor/logs/get-started-queries.md). -- :::image type="content" source="media/quickstart-logs-metrics-tracing/logs-query-steeltoe.png" alt-text="Screenshot of a Logs Analytics query." lightbox="media/quickstart-logs-metrics-tracing/logs-query-steeltoe.png"::: --1. To learn more about the query language that's used in Log Analytics, see [Azure Monitor log queries](/azure/data-explorer/kusto/query/). To query all your Log Analytics logs from a centralized client, check out [Azure Data Explorer](/azure/data-explorer/query-monitor-data). --## Metrics --1. In the Azure portal, go to the **service | Overview** page and select **Metrics** in the **Monitoring** section. Add your first metric by selecting one of the .NET metrics under **Performance (.NET)** or **Request (.NET)** in the **Metric** drop-down, and `Avg` for **Aggregation** to see the timeline for that metric. -- :::image type="content" source="media/quickstart-logs-metrics-tracing/metrics-basic-cpu-steeltoe.png" alt-text="Screenshot of the Metrics page." lightbox="media/quickstart-logs-metrics-tracing/metrics-basic-cpu-steeltoe.png"::: --1. Select **Add filter** in the toolbar, select `App=solar-system-weather` to see CPU usage only for the **solar-system-weather** app. -- :::image type="content" source="media/quickstart-logs-metrics-tracing/metrics-filter-steeltoe.png" alt-text="Screenshot of adding a filter." lightbox="media/quickstart-logs-metrics-tracing/metrics-filter-steeltoe.png"::: --1. Dismiss the filter created in the preceding step, select **Apply Splitting**, and select `App` for **Values** to see CPU usage by different apps. -- :::image type="content" source="media/quickstart-logs-metrics-tracing/metrics-split-steeltoe.png" alt-text="Screenshot of applying splitting." lightbox="media/quickstart-logs-metrics-tracing/metrics-split-steeltoe.png"::: --## Distributed tracing --1. In the Azure portal, go to the **service | Overview** page and select **Distributed tracing** in the **Monitoring** section. Then select the **View application map** tab on the right. -- :::image type="content" source="media/quickstart-logs-metrics-tracing/tracing-entry.png" alt-text="Screenshot of the Distributed tracing page." lightbox="media/quickstart-logs-metrics-tracing/tracing-entry.png"::: --1. You can now see the status of calls between apps. -- :::image type="content" source="media/quickstart-logs-metrics-tracing/tracing-overview-steeltoe.png" alt-text="Screenshot of the Application map page." lightbox="media/quickstart-logs-metrics-tracing/tracing-overview-steeltoe.png"::: --1. Select the link between **solar-system-weather** and **planet-weather-provider** to see more details such as the slowest calls by HTTP methods. -- :::image type="content" source="media/quickstart-logs-metrics-tracing/tracing-call-steeltoe.png" alt-text="Screenshot of Application map details." lightbox="media/quickstart-logs-metrics-tracing/tracing-call-steeltoe.png"::: --1. Finally, select **Investigate Performance** to explore more powerful built-in performance analysis. -- :::image type="content" source="media/quickstart-logs-metrics-tracing/tracing-performance-steeltoe.png" alt-text="Screenshot of Performance page." lightbox="media/quickstart-logs-metrics-tracing/tracing-performance-steeltoe.png"::: ----With the built-in monitoring capability in Azure Spring Apps, you can debug and monitor complex issues. Azure Spring Apps integrates [Spring Cloud Sleuth](https://spring.io/projects/spring-cloud-sleuth) with Azure's [Application Insights](../azure-monitor/app/app-insights-overview.md). This integration provides powerful logs, metrics, and distributed tracing capability from the Azure portal. The following procedures explain how to use Log Streaming, Log Analytics, Metrics, and Distributed tracing with deployed PetClinic apps. --## Prerequisites --- Complete the previous quickstarts in this series:-- - [Provision an Azure Spring Apps service instance](./quickstart-provision-service-instance.md). - - [Quickstart: Set up Spring Cloud Config Server for Azure Spring Apps](./quickstart-setup-config-server.md). - - [Build and deploy apps to Azure Spring Apps](./quickstart-deploy-apps.md). - - [Set up a Log Analytics workspace](./quickstart-setup-log-analytics.md). --## Logs --There are two ways to see logs on Azure Spring Apps: **Log Streaming** of real-time logs per app instance or **Log Analytics** for aggregated logs with advanced query capability. --### Log streaming --#### [CLI](#tab/Azure-CLI) --You can use log streaming in the Azure CLI with the following command. --```azurecli -az spring app logs \ - --resource-group <resource-group-name> \ - --service <service-instance-name> \ - --name api-gateway \ - --follow -``` --You're shown logs like this: ---> [!TIP] -> Use `az spring app logs -h` to explore more parameters and log stream functionalities. --To learn more about the query language that's used in Log Analytics, see [Azure Monitor log queries](/azure/data-explorer/kusto/query/). To query all your Log Analytics logs from a centralized client, check out [Azure Data Explorer](/azure/data-explorer/query-monitor-data). --#### [IntelliJ](#tab/IntelliJ) --To get the logs using Azure Toolkit for IntelliJ: --1. Select **Azure Explorer**, then **Spring Cloud**. --1. Right-click the running app. --1. Select **Streaming Logs** from the drop-down list. -- ![Select streaming logs](media/quickstart-logs-metrics-tracing/streaming-logs.png) --1. Select **Instance**. -- ![Select instance](media/quickstart-logs-metrics-tracing/select-instance.png) --1. The streaming log is visible in the output window. -- ![Streaming log output](media/quickstart-logs-metrics-tracing/streaming-log-output.png) -- To learn more about the query language that's used in Log Analytics, see [Azure Monitor log queries](/azure/data-explorer/kusto/query/). To query all your Log Analytics logs from a centralized client, check out [Azure Data Explorer](/azure/data-explorer/query-monitor-data). ----### Log Analytics --1. Go to the **service | Overview** page and select **Logs** in the **Monitoring** section. Select **Run** on one of the sample queries for Azure Spring Apps. -- :::image type="content" source="media/quickstart-logs-metrics-tracing/logs-entry.png" alt-text="Screenshot of the Logs opening page." lightbox="media/quickstart-logs-metrics-tracing/logs-entry.png"::: --1. Then you're shown filtered logs. For more information, see [Get started with log queries in Azure Monitor](../azure-monitor/logs/get-started-queries.md). -- :::image type="content" source="media/quickstart-logs-metrics-tracing/logs-query.png" alt-text="Screenshot of filtered logs." lightbox="media/quickstart-logs-metrics-tracing/logs-query.png"::: --## Metrics --Navigate to the `Application insights` blade, and then navigate to the `Metrics` blade. You can see metrics contributed by Spring Boot apps, Spring modules, and dependencies. --The following chart shows `gateway-requests` (Spring Cloud Gateway), `hikaricp_connections` (JDBC Connections), and `http_client_requests`. ---Spring Boot registers several core metrics, including JVM, CPU, Tomcat, and Logback. The Spring Boot autoconfiguration enables the instrumentation of requests handled by Spring MVC. All three REST controllers (`OwnerResource`, `PetResource`, and `VisitResource`) are instrumented by the `@Timed` Micrometer annotation at the class level. --The `customers-service` application has the following custom metrics enabled: --- @Timed: `petclinic.owner`-- @Timed: `petclinic.pet`--The `visits-service` application has the following custom metrics enabled: --- @Timed: `petclinic.visit`--You can see these custom metrics in the `Metrics` blade: ---You can use the Availability Test feature in Application Insights and monitor the availability of applications: ---Navigate to the `Live Metrics` blade to can see live metrics with low latencies (less than one second): ---## Tracing --Open the Application Insights created by Azure Spring Apps and start monitoring Spring applications. --Navigate to the `Application Map` blade: ---Navigate to the `Performance` blade: ---Navigate to the `Performance/Dependenices` blade - you can see the performance number for dependencies, particularly SQL calls: ---Select a SQL call to see the end-to-end transaction in context: ---Navigate to the `Failures/Exceptions` blade - you can see a collection of exceptions: ---Select an exception to see the end-to-end transaction and stacktrace in context: ----## Clean up resources --If you plan to continue working with subsequent quickstarts and tutorials, you might want to leave these resources in place. When no longer needed, delete the resource group, which deletes the resources in the resource group. To delete the resource group by using Azure CLI, use the following commands: --```azurecli -echo "Enter the Resource Group name:" && -read resourceGroupName && -az group delete --name $resourceGroupName && -echo "Press [ENTER] to continue ..." -``` --In an earlier quickstart, you also set the default resource group name. If you don't intend to continue to the next quickstart, clear out that default by running the following CLI command: --```azurecli -az config set defaults.group= -``` --## Next steps --To explore more monitoring capabilities of Azure Spring Apps, see: --> [!div class="nextstepaction"] -> [Analyze logs and metrics with diagnostics settings](diagnostic-services.md) -> [Stream Azure Spring Apps app logs in real-time](./how-to-log-streaming.md) |
spring-apps | Quickstart Provision Service Instance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/quickstart-provision-service-instance.md | - Title: "Quickstart - Provision an Azure Spring Apps service" -description: Describes creation of an Azure Spring Apps service instance for app deployment. ---- Previously updated : 7/28/2022--zone_pivot_groups: programming-languages-spring-apps ---# Provision an Azure Spring Apps service instance --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ❌ Standard consumption and dedicated (Preview) ✔️ Basic/Standard ❌ Enterprise --This article shows you how to provision a Basic or Standard plan Azure Spring Apps service instance. --Azure Spring Apps supports multiple plans. For more information, see [Quotas and service plans for Azure Spring Apps](./quotas.md). To learn how to create service instances for other plans, see the following articles: --- [Quickstart: Provision an Azure Spring Apps Standard consumption and dedicated plan service instance](./quickstart-provision-standard-consumption-service-instance.md)-- [Migrate an Azure Spring Apps Basic or Standard plan instance to the Enterprise plan](./how-to-migrate-standard-tier-to-enterprise-tier.md)--## Prerequisites --- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.-- (Optional) [Azure CLI version 2.45.0 or higher](/cli/azure/install-azure-cli).--## Provision an instance of Azure Spring Apps --Use the following steps to create an instance of Azure Spring Apps: --#### [Azure portal](#tab/Azure-portal) --1. In a new browser tab, open the [Azure portal](https://portal.azure.com/). --1. Using the search box, search for *Azure Spring Apps*. --1. Select **Azure Spring Apps** from the search results. -- :::image type="content" source="media/quickstart-provision-service-instance/spring-apps-start.png" alt-text="Screenshot of Azure portal showing Azure Spring Apps service in search results." lightbox="media/quickstart-provision-service-instance/spring-apps-start.png"::: --1. On the Azure Spring Apps page, select **Create**. -- :::image type="content" source="media/quickstart-provision-service-instance/spring-apps-create.png" alt-text="Screenshot of Azure portal showing Azure Spring Apps resource with Create button highlighted."::: --1. Fill out the form on the Azure Spring Apps **Create** page. Consider the following guidelines: -- - **Subscription**: Select the subscription you want to be billed for this resource. - - **Resource group**: Creating new resource groups for new resources is a best practice. You use this value in later steps as `<resource-group-name>`. - - **Service Details/Name**: Specify the `<service-instance-name>`. The name must be between 4 and 32 characters long and can contain only lowercase letters, numbers, and hyphens. The first character of the service name must be a letter and the last character must be either a letter or a number. - - **Location**: Select the location for your service instance. - - **Zone Redundant**: Select to create your service instance with an availability zone. - - Select **Standard** for the **Pricing tier** option. -- :::image type="content" source="media/quickstart-provision-service-instance/portal-start.png" alt-text="Screenshot of Azure portal showing the Azure Spring Apps Create page." lightbox="media/quickstart-provision-service-instance/portal-start.png"::: --1. Select **Review and create**. --#### [Azure CLI](#tab/Azure-CLI) --1. Use the following command to add or update the Azure Spring Apps extension for the Azure CLI: -- ```azurecli - az extension add --upgrade --name spring - ``` --1. Use the following commands to sign in to the Azure CLI and choose your active subscription. If you have access to only one subscription, you can skip the `az account set` command. -- ```azurecli - az login - az account list --output table - az account set --subscription <subscription-name-or-ID> - ``` --1. Prepare a name for your Azure Spring Apps service. The name must be between 4 and 32 characters long and can contain only lowercase letters, numbers, and hyphens. The first character of the service name must be a letter and the last character must be either a letter or a number. --1. use the following commands to create a resource group to contain your Azure Spring Apps service instance, and to create the service instance: -- ```azurecli - az group create \ - --name <resource-group-name> \ - --location <resource-group-region> - az spring create \ - --resource-group <resource-group-name> \ - --name <service-instance-name> - ``` ----## Clean up resources --If you plan to continue working with subsequent tutorials, you might want to leave these resources in place. When no longer needed, delete the resource group, which deletes the resources in the resource group. To delete the resource group by using Azure CLI, use the following commands: --```azurecli -az group delete --name <resource-group-name> -``` --## Next steps --> [!div class="nextstepaction"] -> [Quickstart: Set up Azure Spring Apps Config Server](./quickstart-setup-config-server.md) |
spring-apps | Quickstart Provision Standard Consumption App Environment With Virtual Network | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/quickstart-provision-standard-consumption-app-environment-with-virtual-network.md | - Title: Quickstart - Create an Azure Spring Apps Standard consumption and dedicated plan instance in an Azure Container Apps environment with a virtual network -description: Learn how to create an Azure Spring Apps instance in an Azure Container Apps environment with a virtual network. ---- Previously updated : 06/21/2023----# Quickstart: Create an Azure Spring Apps Standard consumption and dedicated plan instance in an Azure Container Apps environment with a virtual network --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Standard consumption and dedicated (Preview) ❌ Basic/Standard ❌ Enterprise --This article describes how create an Azure Spring Apps instance in an Azure Container Apps environment with a virtual network. An Azure Container Apps environment creates a secure boundary around a group of applications. Applications deployed to the same environment are deployed in the same virtual network and write logs to the same Log Analytics workspace. --When you create an Azure Spring Apps instance in an Azure Container Apps environment, it shares the same virtual network with other services and resources in the same Azure Container Apps environment. --All apps are in the same Azure Container Apps environment in the following scenarios: --- When you deploy frontend apps as containers in Azure Container Apps.-- When you deploy Spring apps in the Azure Spring Apps Standard consumption and dedicated plan.--You can also deploy your Azure Container Apps environment to an existing virtual network created by your IT team. This scenario simplifies the virtual network experience for running polyglot apps. --> [!NOTE] -> You can use an existing virtual network that has a dedicated subnet with a CIDR range of `/23` or higher. --## Prerequisites --- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.-- (Optional) [Azure CLI](/cli/azure/install-azure-cli) version 2.45.0 or higher. Use the following command to install the Azure Spring Apps extension: `az extension add --name spring`--## Create an Azure Spring Apps instance in an Azure Container Apps environment --Use the following steps to create an Azure Spring Apps instance in an Azure Container Apps environment with a virtual network. --> [!IMPORTANT] -> The Consumption workload profile has a pay-as-you-go billing model, with no starting cost. You're billed for the dedicated workload profile based on the provisioned resources. For more information, see [Workload profiles in Consumption + Dedicated plan structure environments in Azure Container Apps (preview)](../container-apps/workload-profiles-overview.md) and [Azure Spring Apps pricing](https://azure.microsoft.com/pricing/details/spring-apps/). --### [Azure portal](#tab/Azure-portal) --1. Open the [Azure portal](https://portal.azure.com/). --1. In the search box, search for *Azure Spring Apps*, and then select **Azure Spring Apps** in the results. -- :::image type="content" source="media/quickstart-provision-standard-consumption-app-environment-with-virtual-network/azure-spring-apps-start.png" alt-text="Screenshot of the Azure portal showing Azure Spring Apps in search results, with Azure Spring Apps highlighted in the search bar and in the results." lightbox="media/quickstart-provision-standard-consumption-app-environment-with-virtual-network/azure-spring-apps-start.png"::: --1. On the Azure Spring Apps page, select **Create**. -- :::image type="content" source="media/quickstart-provision-standard-consumption-app-environment-with-virtual-network/azure-spring-apps-create.png" alt-text="Screenshot of the Azure portal showing the Azure Spring Apps page with the Create button highlighted." lightbox="media/quickstart-provision-standard-consumption-app-environment-with-virtual-network/azure-spring-apps-create.png"::: --1. Fill out the **Basics** form on the Azure Spring Apps **Create** page using the following guidelines: -- - **Project Details**: -- - **Subscription**: Select the subscription you want to be billed for this resource. - - **Resource group**: Select an existing resource group or create a new one. -- - **Service Details**: -- - **Name**: Create the name for the Azure Spring Apps instance. The name must be between 4 and 32 characters long and can contain only lowercase letters, numbers, and hyphens. The first character of the service name must be a letter and the last character must be either a letter or a number. - - **Location**: Currently, only the following regions are supported: Australia East, Central US, East US, East US 2, West Europe, East Asia, North Europe, South Central US, UK South, West US 3. -- - **Plan**: Select **Standard Consumption and dedicated** for the **Pricing tier** option. -- - **App Environment**: -- - Select **Create new** to create a new Azure Container Apps environment or select an existing environment from the dropdown menu. -- :::image type="content" source="media/quickstart-provision-standard-consumption-app-environment-with-virtual-network/select-azure-container-apps-environment.png" alt-text="Screenshot of the Azure portal showing the Create Container Apps environment page with Consumption and Dedicated workload profiles selected for the plan." lightbox="media/quickstart-provision-standard-consumption-app-environment-with-virtual-network/select-azure-container-apps-environment.png"::: --1. Fill out the **Basics** form on the **Create Container Apps environment** page. Use the default value `asa-standard-consumption-app-env` for the **Environment name** and choose **Consumption and Dedicated workload profiles** for the **Plan**. -- :::image type="content" source="media/quickstart-provision-standard-consumption-app-environment-with-virtual-network/create-azure-container-apps-environment.png" alt-text="Screenshot of the Azure portal showing the Create Container Apps environment page with the Basics tab selected." lightbox="media/quickstart-provision-standard-consumption-app-environment-with-virtual-network/create-azure-container-apps-environment.png"::: --1. At this point, you've created an Azure Container Apps environment with a default standard consumption workload profile. If you wish to add a dedicated workload profile to the same Azure Container Apps environment, you can select the **Workload profiles** tab and then select **Add workload profile**. -- :::image type="content" source="media/quickstart-provision-standard-consumption-app-environment-with-virtual-network/create-workload-profiles.png" alt-text="Screenshot of the Azure portal showing the Create Workload Profiles tab." lightbox="media/quickstart-provision-standard-consumption-app-environment-with-virtual-network/create-workload-profiles.png"::: --1. Select **Networking** and then specify the settings using the following guidelines: -- - For **Use your own virtual network**, select **Yes**. - - Select the names for **Virtual network** and for **Infrastructure subnet** from the dropdown menus or use **Create new** as needed. - - Set **Virtual IP** to **External**. You can set the value to **Internal** if you prefer to use only internal IP addresses available in the virtual network instead of a public static IP. -- :::image type="content" source="media/quickstart-provision-standard-consumption-app-environment-with-virtual-network/create-azure-container-apps-environment-virtual-network.png" alt-text="Screenshot of the Azure portal showing the Create Container Apps environment page with the Networking tab selected." lightbox="media/quickstart-provision-standard-consumption-app-environment-with-virtual-network/create-azure-container-apps-environment-virtual-network.png"::: -- >[!NOTE] - > The subnet associated with an Azure Container Apps environment requires a CIDR prefix of `/23` or higher. --1. Select **Create**. --1. On the Azure Spring Apps **Create** page, select **Review and Create** to finish creating the Azure Spring Apps instance. --### [Azure CLI](#tab/Azure-CLI) --1. Use the following command to sign in to Azure: -- ```azurecli - az login - ``` --1. Use the following command to install the Azure Container Apps extension for the Azure CLI: -- ```azurecli - az extension add --name containerapp --upgrade - ``` --1. Use the following command to register the `Microsoft.App` namespace: -- ```azurecli - az provider register --namespace Microsoft.App - ``` --1. If you haven't previously used the Azure Monitor Log Analytics workspace, register the `Microsoft.OperationalInsights` provider by using the following command: -- ```azurecli - az provider register --namespace Microsoft.OperationalInsights - ``` --1. Use the following commands to create variables to store various values. If you're using an existing virtual network, specify the name of that network and its resource group. Otherwise, specify the name of a new virtual network and resource group to create. -- ```bash - export RESOURCE_GROUP="<resource-group-name>" - export LOCATION="eastus" - export AZURE_CONTAINER_APPS_ENVIRONMENT="<Azure-Container-Apps-environment-name>" - export VNET_NAME="<virtual-network-name>" - ``` --1. If you aren't using an existing virtual network, use the following commands to create an Azure virtual network and subnet to associate with the Azure Container Apps environment. The virtual network must have a subnet available for the environment deployment. -- ```azurecli - az network vnet create \ - --resource-group $RESOURCE_GROUP \ - --name $VNET_NAME \ - --location $LOCATION \ - --address-prefix 10.0.0.0/16 -- az network vnet subnet create \ - --resource-group $RESOURCE_GROUP \ - --vnet-name $VNET_NAME \ - --name $INFRASTRUCTURE_SUBNET \ - --address-prefixes 10.0.0.0/23 - ``` --1. Use the following command to get the ID for the infrastructure subnet and store it in a variable: -- ```azurecli - export INFRASTRUCTURE_SUBNET=$(az network vnet subnet show \ - --resource-group $RESOURCE_GROUP \ - --vnet-name $VNET_NAME \ - --name infrastructure-subnet \ - --query "id" \ - --output tsv \ - | tr -d '[:space:]') - ``` --1. Use the following command to create the Azure Container Apps environment using the infrastructure subnet ID: -- ```azurecli - az containerapp env create \ - --resource-group $RESOURCE_GROUP \ - --name $AZURE_CONTAINER_APPS_ENVIRONMENT \ - --location $LOCATION \ - --infrastructure-subnet-resource-id $INFRASTRUCTURE_SUBNET \ - --enable-workload-profiles - ``` -- > [!NOTE] - > You can create an internal Azure Container Apps environment that doesn't use a public static IP, but instead uses only internal IP addresses available in the custom virtual network. For more information, see the [Create an environment](../container-apps/vnet-custom-internal.md?tabs=bash&pivots=azure-cli#create-an-environment) section of [Provide a virtual network to an internal Azure Container Apps environment](../container-apps/vnet-custom-internal.md?tabs=bash&pivots=azure-cli). -- The following table describes the parameters used in the `containerapp env create` command. -- | Parameter | Description | - |-|--| - | `name` | The name of the Azure Container Apps environment. | - | `resource-group` | The name of the resource group. | - | `location` | The Azure location where the environment is to deploy. | - | `infrastructure-subnet-resource-id` | The Resource ID of a subnet for infrastructure components and user application containers. | - | `internal-only` | (Optional) Sets the environment to use only internal IP addresses available in the custom virtual network instead of a public static IP. (Requires the infrastructure subnet resource ID.) | --1. At this point, you've created an Azure Container Apps environment with a default standard consumption workload profile. You can also add a dedicated workload profile to the same Azure Container Apps environment with the following command: -- ```azurecli - az containerapp env workload-profile set \ - --resource-group $RESOURCE_GROUP \ - --name $AZURE_CONTAINER_APPS_ENVIRONMENT - --workload-profile-name my-wlp \ - --workload-profile-type D4 \ - --min-nodes 1 \ - --max-nodes 2 - ``` ----## Clean up resources --Be sure to delete the resources you created in this article when you no longer need them. To delete the resources, just delete the resource group that contains them. You can delete the resource group using the Azure portal. Alternatively, to delete the resource group by using Azure CLI, use the following commands: --```azurecli -echo "Enter the Resource Group name:" && -read resourceGroupName && -az group delete --name $resourceGroupName && -echo "Press [ENTER] to continue ..." -``` --## Next steps --> [!div class="nextstepaction"] -> [Access applications using Azure Spring Apps Standard consumption and dedicated plan in a virtual network](./quickstart-access-standard-consumption-within-virtual-network.md) |
spring-apps | Quickstart Provision Standard Consumption Service Instance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/quickstart-provision-standard-consumption-service-instance.md | - Title: Quickstart - Provision an Azure Spring Apps Standard consumption and dedicated plan service instance -description: Learn how to create a Standard consumption and dedicated plan in Azure Spring Apps for app deployment. ---- Previously updated : 06/21/2023----# Quickstart: Provision an Azure Spring Apps Standard consumption and dedicated plan service instance --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Standard consumption and dedicated (Preview) ❌ Basic/Standard ❌ Enterprise --This article describes how to create a Standard consumption and dedicated plan in Azure Spring Apps for application deployment. --## Prerequisites --- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.-- (Optional) [Azure CLI](/cli/azure/install-azure-cli) version 2.45.0 or higher. Use the following command to install the Azure Spring Apps extension: `az extension add --name spring`--## Provision a Standard consumption and dedicated plan instance --You can use either the Azure portal or the Azure CLI to create a Standard consumption and dedicated plan. --> [!IMPORTANT] -> The Consumption workload profile has a pay-as-you-go billing model, with no starting cost. You're billed for the dedicated workload profile based on the provisioned resources. For more information, see [Workload profiles in Consumption + Dedicated plan structure environments in Azure Container Apps (preview)](../container-apps/workload-profiles-overview.md) and [Azure Spring Apps pricing](https://azure.microsoft.com/pricing/details/spring-apps/). --### [Azure portal](#tab/Azure-portal) --Use the following steps to create an instance of Azure Spring Apps using the Azure portal. --1. Open the [Azure portal](https://portal.azure.com/). --1. In the search box, search for *Azure Spring Apps*, and then select **Azure Spring Apps** from the results. -- :::image type="content" source="media/quickstart-provision-standard-consumption-service-instance/azure-spring-apps-start.png" alt-text="Screenshot of the Azure portal showing the Azure Spring Apps service highlighted in the search results." lightbox="media/quickstart-provision-standard-consumption-service-instance/azure-spring-apps-start.png"::: --1. On the Azure Spring Apps page, select **Create**. -- :::image type="content" source="media/quickstart-provision-standard-consumption-service-instance/azure-spring-apps-create.png" alt-text="Screenshot of the Azure portal showing the Azure Spring Apps resource with the Create button highlighted." lightbox="media/quickstart-provision-standard-consumption-service-instance/azure-spring-apps-create.png"::: --1. Fill out the **Basics** form on the Azure Spring Apps **Create** page using the following guidelines: -- - **Project Details** -- - **Subscription**: Select the subscription you want to be billed for this resource. - - **Resource group**: Select an existing resource group or create a new one. -- - **Service Details** -- - **Name**: Create the name for the Azure Spring Apps service instance. The name must be between 4 and 32 characters long and can contain only lowercase letters, numbers, and hyphens. The first character of the service name must be a letter and the last character must be either a letter or a number. - - **Location**: Currently, only the following regions are supported: Australia East, Central US, East US, East US 2, West Europe, East Asia, North Europe, South Central US, UK South, West US 3. - - **Plan**: Select **Standard Consumption and dedicated** for the **Pricing tier** option. -- - **App Environment** -- - Select **Create new** to create a new Azure Container Apps environment, or select an existing environment from the dropdown menu. -- :::image type="content" source="media/quickstart-provision-standard-consumption-service-instance/select-azure-container-apps-environment.png" alt-text="Screenshot of the Azure portal showing the Azure Spring Apps Create page." lightbox="media/quickstart-provision-standard-consumption-service-instance/select-azure-container-apps-environment.png"::: --1. Fill out the **Basics** form on the **Create Container Apps environment** page. Use the default value `asa-standard-consumption-app-env` for the **Environment name** and choose **Consumption and Dedicated workload profiles** for the **Plan**. -- :::image type="content" source="media/quickstart-provision-standard-consumption-service-instance/create-azure-container-apps-environment.png" alt-text="Screenshot of the Azure portal showing the Create Container Apps environment page with the Consumption and Dedicated workload profiles selected for the plan." lightbox="media/quickstart-provision-standard-consumption-service-instance/create-azure-container-apps-environment.png"::: --1. At this point, you've created an Azure Container Apps environment with a default standard consumption workload profile. If you wish to add a dedicated workload profile to the same Azure Container Apps environment, you can select the **Workload profiles** tab and select **Add workload profile**. -- :::image type="content" source="media/quickstart-provision-standard-consumption-service-instance/create-workload-profiles.png" alt-text="Screenshot of the Azure portal showing the Create Workload Profiles tab." lightbox="media/quickstart-provision-standard-consumption-service-instance/create-workload-profiles.png"::: --1. Select **Review and create**. --1. On the Azure Spring Apps **Create** page, select **Review and Create** to finish creating the Azure Spring Apps instance. -->[!NOTE] -> Optionally, you can also create an Azure Container Apps environment with your own virtual network. For more information, see [Quickstart: Create an Azure Spring Apps instance in an Azure Container Apps environment with a virtual network](quickstart-provision-standard-consumption-app-environment-with-virtual-network.md). --### [Azure CLI](#tab/Azure-CLI) --The following sections show you how to create an instance of Azure Spring Apps using the Azure CLI. --## Create an Azure Container Apps environment --An Azure Container Apps environment creates a secure boundary around a group of applications. Apps deployed to the same environment are deployed in the same virtual network and write logs to the same Log Analytics workspace. --You can create the Azure Container Apps environment in one of two ways: --- Using your own virtual network. For more information, see [Quickstart: Create an Azure Spring Apps instance in an Azure Container Apps environment with a virtual network](quickstart-provision-standard-consumption-app-environment-with-virtual-network.md).--- Using a system assigned virtual network, as described in the following procedure.--1. Use the following command to sign in to Azure: -- ```azurecli - az login - ``` --1. Use the following command to install the Azure Container Apps extension for the Azure CLI: -- ```azurecli - az extension add --name containerapp --upgrade - ``` --1. Use the following command to register the `Microsoft.App` namespace: -- ```azurecli - az provider register --namespace Microsoft.App - ``` --1. If you haven't previously used the Azure Monitor Log Analytics workspace, register the `Microsoft.OperationalInsights` provider by using the following command: -- ```azurecli - az provider register --namespace Microsoft.OperationalInsights - ``` --1. Use the following commands to create variables to store name and location information. Be sure to replace the placeholder values with your own values. -- ```bash - export RESOURCE_GROUP="<resource-group-name>" - export LOCATION="eastus" - export AZURE_CONTAINER_APPS_ENVIRONMENT="<Azure-Container-Apps-environment-name>" - ``` --1. Use the following command to create a resource group: -- ```azurecli - az group create \ - --name $RESOURCE_GROUP \ - --location $LOCATION - ``` --1. Use the following command to create the Azure Container Apps environment: -- ```azurecli - az containerapp env create \ - --resource-group $RESOURCE_GROUP \ - --name $AZURE_CONTAINER_APPS_ENVIRONMENT \ - --location $LOCATION \ - --enable-workload-profiles - ``` --1. At this point, you've created an Azure Container Apps environment with a default standard consumption workload profile. You can also add a dedicated workload profile to the same Azure Container Apps environment by using the following command: -- ```azurecli - az containerapp env workload-profile set \ - --resource-group $RESOURCE_GROUP \ - --name $AZURE_CONTAINER_APPS_ENVIRONMENT \ - --workload-profile-name my-wlp \ - --workload-profile-type D4 \ - --min-nodes 1 \ - --max-nodes 2 - ``` --## Deploy an Azure Spring Apps instance --Use the following steps to deploy the service instance: --1. Use the following command to install the latest Azure CLI extension for Azure Spring Apps: -- ```azurecli - az extension remove --name spring && \ - az extension add --name spring - ``` --1. Use the following command to register the `Microsoft.AppPlatform` provider for the Azure Spring Apps: -- ```azurecli - az provider register --namespace Microsoft.AppPlatform - ``` --1. Use the following commands to create variables to store name and location information. You can skip the first three variables if you set them in the previous section. Be sure to replace the placeholder values with your own values. -- ```azurecli - export RESOURCE_GROUP="<resource-group-name>" - export LOCATION="eastus" - export AZURE_CONTAINER_APPS_ENVIRONMENT="<Azure-Container-Apps-environment-name>" -- export AZURE_SPRING_APPS_INSTANCE="<Azure-Spring-Apps-instance-name>" - export MANAGED_ENV_RESOURCE_ID=$(az containerapp env show \ - --resource-group $RESOURCE_GROUP \ - --name $AZURE_CONTAINER_APPS_ENVIRONMENT \ - --query id \ - --output tsv) - ``` --1. Use the following command to deploy a Standard consumption and dedicated plan for an Azure Spring Apps instance on top of the container environment. Create your Azure Spring Apps instance by specifying the resource of the Azure Container Apps environment you created. -- ```azurecli - az spring create \ - --resource-group $RESOURCE_GROUP \ - --name $AZURE_SPRING_APPS_INSTANCE \ - --managed-environment $MANAGED_ENV_RESOURCE_ID \ - --sku StandardGen2 \ - --location $LOCATION - ``` --1. After the deployment, an infrastructure resource group is created in your subscription to host the underlying resources for the Azure Spring Apps Standard consumption and dedicated plan instance. The resource group is named `{AZURE_CONTAINER_APPS_ENVIRONMENT}_SpringApps_{SPRING_APPS_SERVICE_ID}`, as shown with the following command: -- ```azurecli - export SERVICE_ID=$(az spring show \ - --resource-group $RESOURCE_GROUP \ - --name $AZURE_SPRING_APPS_INSTANCE \ - --query properties.serviceId \ - --output tsv) - export INFRA_RESOURCE_GROUP=${AZURE_CONTAINER_APPS_ENVIRONMENT}_SpringApps_${SERVICE_ID} - echo ${INFRA_RESOURCE_GROUP} - ``` ----## Clean up resources --Be sure to delete the resources you created in this article when you no longer need them. To delete the resources, just delete the resource group that contains them. You can delete the resource group using the Azure portal. Alternatively, to delete the resource group by using Azure CLI, use the following commands: --```azurecli -echo "Enter the Resource Group name:" && -read resourceGroupName && -az group delete --name $resourceGroupName && -echo "Press [ENTER] to continue ..." -``` --## Next steps --> [!div class="nextstepaction"] -> [Create an Azure Spring Apps Standard consumption and dedicated plan instance in an Azure Container Apps environment with a virtual network](./quickstart-provision-standard-consumption-app-environment-with-virtual-network.md) |
spring-apps | Quickstart Sample App Introduction | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/quickstart-sample-app-introduction.md | - Title: "Quickstart - Introduction to the sample app - Azure Spring Apps" -description: Describes the sample app used in this series of quickstarts for deployment to Azure Spring Apps. ---- Previously updated : 10/12/2021----# Introduction to the sample app --> [!NOTE] -> The first 50 vCPU hours and 100 GB hours of memory are free each month. For more information, see [Price Reduction - Azure Spring Apps does more, costs less!](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/price-reduction-azure-spring-apps-does-more-costs-less/ba-p/3614058) on the [Apps on Azure Blog](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/bg-p/AppsonAzureBlog). --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise --In this quickstart, we use the well-known sample app [PetClinic](https://github.com/spring-petclinic/spring-petclinic-microservices) to show you how to deploy apps to the Azure Spring Apps service. The **Pet Clinic** sample demonstrates the microservice architecture pattern and highlights the services breakdown. You see how to deploy services to Azure with Azure Spring Apps capabilities such as service discovery, config server, logs, metrics, distributed tracing, and developer-friendly tooling support. --To follow the Azure Spring Apps deployment examples, you only need the location of the source code, which is provided as needed. --The following diagram shows the architecture of the PetClinic application. ---> [!NOTE] -> When the application is hosted in Azure Spring Apps Enterprise plan, the managed Application Configuration Service for VMware Tanzu assumes the role of Spring Cloud Config Server and the managed VMware Tanzu Service Registry assumes the role of Eureka Service Discovery without any code changes to the application. For more information, see the [Infrastructure services hosted by Azure Spring Apps](#infrastructure-services-hosted-by-azure-spring-apps) section later in this article. --## Functional services to be deployed --PetClinic is decomposed into four core Spring apps. All of them are independently deployable applications organized by business domains. --* **Customers service**: Contains general user input logic and validation including pets and owners information (Name, Address, City, Telephone). -* **Visits service**: Stores and shows visits information for each pet's comments. -* **Vets service**: Stores and shows Veterinarians' information, including names and specialties. -* **API Gateway**: The API Gateway is a single entry point into the system, used to handle requests and route them to an appropriate service or to invoke multiple services, and aggregate the results. The three core services expose an external API to client. In real-world systems, the number of functions can grow quickly with system complexity. Hundreds of services might be involved in rendering one complex webpage. --## Infrastructure services hosted by Azure Spring Apps --There are several common patterns in distributed systems that support core services. Azure Spring Apps provides tools that enhance Spring Boot applications to implement the following patterns: --### [Enterprise plan](#tab/enterprise-plan) --* **Application Configuration Service for Tanzu**: Application Configuration Service for Tanzu is one of the commercial VMware Tanzu components. It enables the management of Kubernetes-native ConfigMap resources that are populated from properties defined in one or more Git repositories. -* **Tanzu Service Registry**: Tanzu Service Registry is one of the commercial VMware Tanzu components. It provides your apps with an implementation of the Service Discovery pattern, one of the key tenets of a Spring-based architecture. Your apps can use the Service Registry to dynamically discover and call registered services. --### [Basic/Standard plan](#tab/basic-standard-plan) --* **Config service**: Azure Spring Apps Config is a horizontally scalable centralized configuration service for distributed systems. It uses a pluggable repository that currently supports local storage, Git, and Subversion. -* **Service discovery**: It allows automatic detection of network locations for service instances, which could have dynamically assigned addresses because of autoscaling, failures, and upgrades. ----## Database configuration --In its default configuration, **Pet Clinic** uses an in-memory database (HSQLDB) which is populated at startup with data. A similar setup is provided for MySQL if a persistent database configuration is needed. A dependency for Connector/J, the MySQL JDBC driver, is already included in the pom.xml files. --## Sample usage of PetClinic --For full implementation details, see our fork of [PetClinic](https://github.com/Azure-Samples/spring-petclinic-microservices). The samples reference the source code as needed. --## Next steps --### [Enterprise plan](#tab/enterprise-plan) --> [!div class="nextstepaction"] -> [Quickstart: Build and deploy apps to Azure Spring Apps using the Enterprise plan](quickstart-deploy-apps-enterprise.md) --### [Basic/Standard plan](#tab/basic-standard-plan) --> [!div class="nextstepaction"] -> [Quickstart: Provision an Azure Spring Apps service instance](./quickstart-provision-service-instance.md) -- |
spring-apps | Quickstart Setup Log Analytics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/quickstart-setup-log-analytics.md | - Title: "Quickstart - Set up a Log Analytics workspace in Azure Spring Apps" -description: This article describes the setup of a Log Analytics workspace for app deployment. ---- Previously updated : 12/09/2021----# Quickstart: Set up a Log Analytics workspace --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Basic/Standard ❌ Enterprise --This quickstart explains how to set up a Log Analytics workspace in Azure Spring Apps for application development. --Log Analytics is a tool in the Azure portal that's used to edit and run log queries with data in Azure Monitor Logs. You can write a query that returns a set of records and then use features of Log Analytics to sort, filter, and analyze those records. You can also write a more advanced query to do statistical analysis and visualize the results in a chart to identify particular trends. Whether you work with the results of your queries interactively or use them with other Azure Monitor features, Log Analytics is the tool that you use to write and test queries. --You can set up Azure Monitor Logs for your application in Azure Spring Apps to collect logs and run log queries via Log Analytics. --## Prerequisites --Complete the previous quickstart in this series: [Provision an Azure Spring Apps service](./quickstart-provision-service-instance.md). --#### [Portal](#tab/Azure-Portal) --## Create a Log Analytics workspace --To create a workspace, follow the steps in [Create a Log Analytics workspace in the Azure portal](../azure-monitor/logs/quick-create-workspace.md). --## Set up Log Analytics for a new service --In the wizard for creating an Azure Spring Apps service instance, you can configure the **Log Analytics workspace** field with an existing workspace or create one. ---## Set up Log Analytics for an existing service --1. In the Azure portal, go to the **Diagnostic settings** section under **Monitoring**. -- :::image type="content" source="media/quickstart-setup-log-analytics/diagnostic-settings-entry.png" alt-text="Screenshot that shows the location of diagnostic settings." lightbox="media/quickstart-setup-log-analytics/diagnostic-settings-entry.png"::: --1. If no settings exist, select **Add diagnostic setting**. You can also select **Edit setting** to update existing settings. --1. Fill out the form on the **Diagnostic setting** page: -- - **Diagnostic setting name**: Set a unique name for the configuration. - - **Logs** > **Categories**: Select **ApplicationConsole** and **SystemLogs**. For more information on log categories and contents, see [Create diagnostic settings to send Azure Monitor platform logs and metrics to different destinations](../azure-monitor/essentials/diagnostic-settings.md). - - **Destination details**: Select **Send to Log Analytics workspace** and specify the Log Analytics workspace that you created previously. -- :::image type="content" source="media/quickstart-setup-log-analytics/diagnostic-settings-edit-form.png" alt-text="Screenshot that shows an example of set-up diagnostic settings." lightbox="media/quickstart-setup-log-analytics/diagnostic-settings-edit-form.png"::: --1. Select **Save**. --#### [CLI](#tab/Azure-CLI) --## Create a Log Analytics workspace --Use the following commands to create a Log Analytics workspace and get the workspace ID: --```azurecli -az monitor log-analytics workspace create \ - --workspace-name <new-workspace-name> \ - --resource-group <your-resource-group> \ - --location <your-service-region> \ - --query id --output tsv -``` --If you have an existing workspace, you can get the workspace ID by using the following commands: --```azurecli -az monitor log-analytics workspace show \ - --resource-group <your-resource-group> \ - --workspace-name <workspace-name> \ - --query id --output tsv -``` --## Set up Log Analytics for a new service --Setting up for a new service isn't applicable when you're using the Azure CLI. --## Set up Log Analytics for an existing service --1. Get the instance ID for the Azure Spring Apps service: -- ```azurecli - az spring show \ - --name <spring-cloud-service-name> \ - --resource-group <your-resource-group> \ - --query id --output tsv - ``` --1. Configure the diagnostic settings. For more information on log categories and contents, see [Create diagnostic settings to send Azure Monitor platform logs and metrics to different destinations](../azure-monitor/essentials/diagnostic-settings.md). -- ```azurecli - az monitor diagnostic-settings create \ - --name "<new-name-for-settings>" \ - --resource "<service-instance-id>" \ - --workspace "<workspace-id>" \ - --logs '[ - { - "category": "ApplicationConsole", - "enabled": true, - "retentionPolicy": { - "enabled": false, - "days": 0 - } - }, - { - "category": "SystemLogs", - "enabled": true, - "retentionPolicy": { - "enabled": false, - "days": 0 - } - } - ]' - ``` ----## Clean up resources --If you plan to continue working with subsequent quickstarts and tutorials, you might want to leave these resources in place. When no longer needed, delete the resource group, which deletes the resources in the resource group. To delete the resource group by using Azure CLI, use the following commands: --```azurecli -echo "Enter the Resource Group name:" && -read resourceGroupName && -az group delete --name $resourceGroupName && -echo "Press [ENTER] to continue ..." -``` --## Next steps --> [!div class="nextstepaction"] -> [Quickstart: Monitoring Azure Spring Apps apps with logs, metrics, and tracing](./quickstart-logs-metrics-tracing.md) |
spring-apps | Quickstart Standard Consumption Config Server | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/quickstart-standard-consumption-config-server.md | - Title: Quickstart - Enable and disable Cloud Config Server in Azure Spring Apps -description: Learn how to enable and disable Spring Cloud Config Server in Azure Spring Apps. ---- Previously updated : 06/21/2023----# Quickstart: Enable and disable Spring Cloud Config Server in Azure Spring Apps --**This article applies to:** ✔️ Standard consumption and dedicated (Preview) ❌ Basic/Standard ❌ Enterprise --This article describes how to enable and disable Spring Cloud Config Server for service registration and discovery in Azure Spring Apps. -Spring Cloud Config Server is a centralized configuration service for distributed systems. Config Server uses a pluggable repository layer that currently supports local storage, Git, and Subversion. In this quickstart, you set up the Config Server to get data from a Git repository. --## Prerequisites --- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.-- [Azure CLI](/cli/azure/install-azure-cli). Use the following command to install the Azure Spring Apps extension: `az extension add --name spring`.-- [Git](https://git-scm.com/downloads).-- The completion of [Quickstart: Provision an Azure Spring Apps Standard consumption and dedicated plan service instance](./quickstart-provision-standard-consumption-service-instance.md).--## Set up Config Server --Use the following command to set up Config Server with the project specified by the `--uri` parameter. This example uses the Git repository for Azure Spring Apps as an example project. --```azurecli -az spring config-server git set \ - --name <Azure-Spring-Apps-instance-name> \ - --uri https://github.com/Azure-Samples/azure-spring-apps-samples \ - --search-paths steeltoe-sample/config -``` --> [!TIP] -> For information on using a private repository for Config Server, see [Configure a managed Spring Cloud Config Server in Azure Spring Apps](./how-to-config-server.md). --## Enable Config Server --Use the following command to enable Config Server: --```azurecli -az spring config-server enable \ - --resource-group <resource-group-name> \ - --name <Azure-Spring-Apps-instance-name> -``` --## Disable Config Server --Use the following command to disable Config Server: --```azurecli -az spring config-server disable \ - --resource-group <resource-group-name> \ - --name <Azure-Spring-Apps-instance-name> -``` --## Next steps --- [Enable and disable Eureka Server in Azure Spring Apps](quickstart-standard-consumption-eureka-server.md) |
spring-apps | Quickstart Standard Consumption Custom Domain | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/quickstart-standard-consumption-custom-domain.md | - Title: Quickstart - Map a custom domain to Azure Spring Apps with the Standard consumption and dedicated plan -description: Learn how to map a web domain to apps in Azure Spring Apps. ---- Previously updated : 06/21/2023----# Quickstart: Map a custom domain to Azure Spring Apps with the Standard consumption and dedicated plan --**This article applies to:** ✔️ Standard consumption and dedicated (Preview) ❌ Basic/Standard ❌ Enterprise -- This article shows you how to map a custom web site domain, such as `https://www.contoso.com`, to your app in Azure Spring Apps. This mapping is accomplished by using a `CNAME` record that the Domain Name Service (DNS) uses to store node names throughout the network. --The mapping secures the custom domain with a certificate and enforces Transport Layer Security (TLS), also known as the Secure Sockets Layer (SSL). --## Prerequisites --- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.-- [Azure CLI](/cli/azure/install-azure-cli)-- An Azure Spring Apps Standard consumption and dedicated plan service instance. For more information, see [Quickstart: Provision an Azure Spring Apps Standard consumption and dedicated plan service instance](quickstart-provision-standard-consumption-service-instance.md).-- A Spring app deployed to Azure Spring Apps.-- A domain name registered in the DNS registry as provided by a web hosting or domain provider.-- A certificate resource created under an Azure Container Apps environment. For more information, see [Add certificate in Container App](../container-apps/custom-domains-certificates.md).--## Map a custom domain --To map the custom domain, you create the CNAME record and then use the Azure CLI to bind the domain to an app in Azure Spring Apps. --First, use the following steps to create the `CNAME` record: --1. Contact your DNS provider to request a `CNAME` record to map your domain to the Full Qualified Domain Name (FQDN) of your Spring app. --1. Add a `TXT` record with the name `asuid.{subdomain}` with the value being the verification ID of your Azure Container Apps environment. You can obtain this value by using the following command. -- ```azurecli - az containerapp env show \ - --resource-group <resource-group-name> \ - --name <Azure-Container-Apps-environment-name> \ - --query 'properties.customDomainConfiguration.customDomainVerificationId' - ``` -- After you add the `CNAME` and `TXT` record, the DNS records page will resemble the following table. -- | Name | Type | Value | - |||--| - | `{subdomain}` | `CNAME` | `testapp.agreeablewater-4c8480b3.eastus.azurecontainerapps.io` | - | `asuid.{subdomain}` | `A` | `6K861CL04CATKUCFF604024064D57PB52F5DF7B67BC3033BA9808BDA8998U270` | --1. Next, bind the custom domain to your app by using the following command. -- ```azurecli - az spring app custom-domain bind \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-service-instance-name> \ - --app <app-name> \ - --domain-name <your-custom-domain-name> \ - --certificate <name-of-your-certificate-under-Azure-Container-Apps-environment> - ``` --## Clean up resources --Be sure to delete the resources you created in this article when you no longer need them. To delete the resources, just delete the resource group that contains them. You can delete the resource group using the Azure portal. Alternatively, to delete the resource group by using Azure CLI, use the following commands: --```azurecli -echo "Enter the Resource Group name:" && -read resourceGroupName && -az group delete --name $resourceGroupName && -echo "Press [ENTER] to continue ..." -``` --## Next steps --> [!div class="nextstepaction"] -> [Analyze logs and metrics in the Azure Spring Apps Standard consumption and dedicated plan](./quickstart-analyze-logs-and-metrics-standard-consumption.md) |
spring-apps | Quickstart Standard Consumption Eureka Server | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/quickstart-standard-consumption-eureka-server.md | - Title: Quickstart - Enable and disable Eureka Server in Azure Spring Apps -description: Learn how to enable and disable Eureka Server in Azure Spring Apps. ---- Previously updated : 06/21/2023----# Quickstart: Enable and disable Eureka Server in Azure Spring Apps --**This article applies to:** ✔️ Standard consumption and dedicated (Preview) ❌ Basic/Standard ❌ Enterprise --This article describes how to enable and disable Eureka Server for service registration and discovery in Azure Spring Apps. Service registration and discovery are key requirements for maintaining a list of live app instances to call, and for routing and load balancing inbound requests. Configuring each client manually takes time and introduces the possibility of human error. --## Prerequisites --- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.-- [Azure CLI](/cli/azure/install-azure-cli). Use the following command to install the Azure Spring Apps extension: `az extension add --name spring`.-- [Git](https://git-scm.com/downloads).-- The completion of [Quickstart: Provision an Azure Spring Apps Standard consumption and dedicated plan service instance](./quickstart-provision-standard-consumption-service-instance.md).--## Enable the Eureka Server --Use the following command to enable Eureka server: --```azurecli -az spring eureka-server enable \ - --resource-group <resource-group-name> \ - --name <Azure-Spring-Apps-instance-name> -``` --## Disable the Eureka Server --Use the following command to disable Eureka server: --```azurecli -az spring eureka-server disable - --resource-group <resource-group-name> \ - --name <Azure-Spring-Apps-instance-name> -``` --## Next steps --> [!div class="nextstepaction"] -> [Discover and register your Spring Boot applications in Azure Spring Apps](how-to-service-registration.md) |
spring-apps | Quickstart | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/quickstart.md | - Title: Quickstart - Deploy your first application to Azure Spring Apps -description: Describes how to deploy an application to Azure Spring Apps. ---- Previously updated : 08/09/2023--zone_pivot_groups: spring-apps-plan-selection ---# Quickstart: Deploy your first application to Azure Spring Apps --> [!NOTE] -> The first 50 vCPU hours and 100 GB hours of memory are free each month. For more information, see [Price Reduction - Azure Spring Apps does more, costs less!](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/price-reduction-azure-spring-apps-does-more-costs-less/ba-p/3614058) on the [Apps on Azure Blog](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/bg-p/AppsonAzureBlog). --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --This article explains how to deploy a small application to run on Azure Spring Apps. --The application code used in this tutorial is a simple app. When you complete this example, the application is accessible online, and you can manage it through the Azure portal. ---## 1. Prerequisites ---### [Azure portal](#tab/Azure-portal) --- An Azure subscription. [!INCLUDE [quickstarts-free-trial-note](../../includes/quickstarts-free-trial-note.md)]--### [Azure portal + Maven plugin](#tab/Azure-portal-maven-plugin) --- An Azure subscription. [!INCLUDE [quickstarts-free-trial-note](../../includes/quickstarts-free-trial-note.md)]-- [Git](https://git-scm.com/downloads).-- [Java Development Kit (JDK)](/java/azure/jdk/), version 17.--### [Azure Developer CLI](#tab/Azure-Developer-CLI) --- An Azure subscription. [!INCLUDE [quickstarts-free-trial-note](../../includes/quickstarts-free-trial-note.md)]-- [Git](https://git-scm.com/downloads).-- [Java Development Kit (JDK)](/java/azure/jdk/), version 17.-- [Azure Developer CLI (AZD)](/azure/developer/azure-developer-cli/install-azd), version 1.2.0 or higher.------### [Azure portal](#tab/Azure-portal-ent) --- An Azure subscription. [!INCLUDE [quickstarts-free-trial-note](../../includes/quickstarts-free-trial-note.md)]-- If you're deploying an Azure Spring Apps Enterprise plan instance for the first time in the target subscription, see the [Requirements](./how-to-enterprise-marketplace-offer.md#requirements) section of [Enterprise plan in Azure Marketplace](./how-to-enterprise-marketplace-offer.md).--### [Azure portal + Maven plugin](#tab/Azure-portal-maven-plugin-ent) --- An Azure subscription. [!INCLUDE [quickstarts-free-trial-note](../../includes/quickstarts-free-trial-note.md)]-- If you're deploying an Azure Spring Apps Enterprise plan instance for the first time in the target subscription, see the [Requirements](./how-to-enterprise-marketplace-offer.md#requirements) section of [Enterprise plan in Azure Marketplace](./how-to-enterprise-marketplace-offer.md).-- [Git](https://git-scm.com/downloads).-- [Java Development Kit (JDK)](/java/azure/jdk/), version 17.--### [Azure CLI](#tab/Azure-CLI) --- An Azure subscription. [!INCLUDE [quickstarts-free-trial-note](../../includes/quickstarts-free-trial-note.md)]-- If you're deploying an Azure Spring Apps Enterprise plan instance for the first time in the target subscription, see the [Requirements](./how-to-enterprise-marketplace-offer.md#requirements) section of [Enterprise plan in Azure Marketplace](./how-to-enterprise-marketplace-offer.md).-- [Git](https://git-scm.com/downloads).-- [Java Development Kit (JDK)](/java/azure/jdk/), version 17.-- [Azure CLI](/cli/azure/install-azure-cli) version 2.45.0 or higher.--### [IntelliJ](#tab/IntelliJ) --- An Azure subscription. [!INCLUDE [quickstarts-free-trial-note](../../includes/quickstarts-free-trial-note.md)]-- If you're deploying an Azure Spring Apps Enterprise plan instance for the first time in the target subscription, see the [Requirements](./how-to-enterprise-marketplace-offer.md#requirements) section of [Enterprise plan in Azure Marketplace](./how-to-enterprise-marketplace-offer.md).-- [Java Development Kit (JDK)](/java/azure/jdk/), version 17.-- [IntelliJ IDEA](https://www.jetbrains.com/idea/).-- [Azure Toolkit for IntelliJ](/azure/developer/java/toolkit-for-intellij/install-toolkit).--### [Visual Studio Code](#tab/visual-studio-code) --- An Azure subscription. [!INCLUDE [quickstarts-free-trial-note](../../includes/quickstarts-free-trial-note.md)]-- If you're deploying an Azure Spring Apps Enterprise plan instance for the first time in the target subscription, see the [Requirements](./how-to-enterprise-marketplace-offer.md#requirements) section of [Enterprise plan in Azure Marketplace](./how-to-enterprise-marketplace-offer.md).-- [Java Development Kit (JDK)](/java/azure/jdk/), version 17.-- [Visual Studio Code](https://code.visualstudio.com/).--------------## 5. Validate the app --This section describes how to validate your application. ---### [Azure portal](#tab/Azure-portal) --After the deployment finishes, find the application URL from the deployment outputs. Use the following steps to validate: --1. Access the application URL from the **Outputs** page of the **Deployment**. When you open the app, you get the response `Hello World`. -- :::image type="content" source="media/quickstart/hello-app-url.png" alt-text="Screenshot of the Azure portal that shows the Outputs page of the Deployment." border="false" lightbox="media/quickstart/hello-app-url.png"::: --1. Check the details for each resource deployment, which are useful for investigating any deployment issues. --### [Azure portal + Maven plugin](#tab/Azure-portal-maven-plugin) --After the deployment finishes, access the application with the output application URL. Use the following steps to check the app's logs to investigate any deployment issue: --1. Access the output application URL from the **Outputs** page of the **Deployment**. When you open the app, you get the response `Hello World`. -- :::image type="content" source="media/quickstart/hello-app-url.png" alt-text="Screenshot of the Azure portal that shows the Outputs page of the Deployment." border="false" lightbox="media/quickstart/hello-app-url.png"::: --1. From the navigation pane of the Azure Spring Apps instance **Overview** page, select **Logs** to check the app's logs. -- :::image type="content" source="media/quickstart/logs.png" alt-text="Screenshot of the Azure portal that shows the Azure Spring Apps Logs page." lightbox="media/quickstart/logs.png"::: --### [Azure Developer CLI](#tab/Azure-Developer-CLI) --After the deployment finishes, access the application with the output endpoint. When you open the app, you get the response `Hello World`. ------### [Azure portal](#tab/Azure-portal) --After the deployment finishes, use the following steps to find the application URL from the deployment outputs: --1. Access the application URL from the **Outputs** page of the **Deployment**. When you open the app, you get the response `Hello World`. -- :::image type="content" source="media/quickstart/hello-app-url.png" alt-text="Screenshot of the Azure portal that shows the Outputs page of the Deployment." border="false" lightbox="media/quickstart/hello-app-url.png"::: --1. Check the details for each resource deployment, which are useful for investigating any deployment issues. --### [Azure portal + Maven plugin](#tab/Azure-portal-maven-plugin) --After the deployment finishes, use the following steps to check the app's logs to investigate any deployment issue: --1. Access the application URL from the **Outputs** page of the **Deployment**. When you open the app, you get the response `Hello World`. -- :::image type="content" source="media/quickstart/hello-app-url.png" alt-text="Screenshot of the Azure portal that shows the Outputs page of the Deployment." border="false" lightbox="media/quickstart/hello-app-url.png"::: --1. From the navigation pane of the Azure Spring Apps instance overview page, select **Logs** to check the app's logs. -- :::image type="content" source="media/quickstart/logs.png" alt-text="Screenshot of the Azure portal that shows the Azure Spring Apps Logs page." lightbox="media/quickstart/logs.png"::: --### [Azure Developer CLI](#tab/Azure-Developer-CLI) --After the deployment finishes, access the application with the output endpoint. When you open the app, you get the response `Hello World`. ------### [Azure portal](#tab/Azure-portal-ent) --After the deployment finishes, use the following steps to find the application URL from the deployment outputs: --1. Access the application URL from the **Outputs** page of the **Deployment**. When you open the app, you get the response `Hello World`. -- :::image type="content" source="media/quickstart/hello-app-url.png" alt-text="Screenshot of the Azure portal that shows the Outputs page of the Deployment." border="false" lightbox="media/quickstart/hello-app-url.png"::: --1. Check the details for each resource deployment, which are useful for investigating any deployment issues. --### [Azure portal + Maven plugin](#tab/Azure-portal-maven-plugin-ent) --After the deployment finishes, use the following steps to validate the app: --1. Access the application URL. When you open the app, you get the response `Hello World`. --1. Check the console logs, which are useful for investigating any deployment issues. --### [Azure CLI](#tab/Azure-CLI) --After the deployment finishes, use the following steps to check the app's logs to investigate any deployment issue: --1. Access the application with the output application URL. When you open the app, you get the response `Hello World`. --1. Use the following command to check the app's log to investigate any deployment issue: -- ```azurecli - az spring app logs \ - --service ${SERVICE_NAME} \ - --name ${APP_NAME} - ``` --### [IntelliJ](#tab/IntelliJ) --Use the following steps to stream your application logs: --1. Access the application with the output application URL. When you open the app, you get the response `Hello World`. --1. Open the **Azure Explorer** window, expand the node **Azure**, expand the service node **Azure Spring Apps**, expand the Azure Spring Apps instance you created, and then select the **demo** instance of the app you created. --1. Right-click and select **Start Streaming Logs**, then select **OK** to see real-time application logs. -- :::image type="content" source="media/quickstart/app-stream-log.png" alt-text="Screenshot of IntelliJ that shows the Azure Streaming Log." lightbox="media/quickstart/app-stream-log.png"::: --### [Visual Studio Code](#tab/visual-studio-code) --Use the following steps to stream your application logs: --1. Access the application with the output application URL. When you open the app, you get the response `Hello World`. --1. Follow the steps in the [Stream your application logs](https://code.visualstudio.com/docs/java/java-spring-apps#_stream-your-application-logs) section of [Java on Azure Spring Apps](https://code.visualstudio.com/docs/java/java-spring-apps). ------## 7. Next steps --> [!div class="nextstepaction"] -> [Structured application log for Azure Spring Apps](./structured-app-log.md) --> [!div class="nextstepaction"] -> [Map an existing custom domain to Azure Spring Apps](./how-to-custom-domain.md) --> [!div class="nextstepaction"] -> [Use Azure Spring Apps CI/CD with GitHub Actions](./how-to-github-actions.md) --> [!div class="nextstepaction"] -> [Automate application deployments to Azure Spring Apps](./how-to-cicd.md) --> [!div class="nextstepaction"] -> [Use managed identities for applications in Azure Spring Apps](./how-to-use-managed-identities.md) --> [!div class="nextstepaction"] -> [Quickstart: Create a service connection in Azure Spring Apps with the Azure CLI](../service-connector/quickstart-cli-spring-cloud-connection.md) ---> [!div class="nextstepaction"] -> [Introduction to the sample app](./quickstart-sample-app-introduction.md) ----> [!div class="nextstepaction"] -> [Introduction to the Fitness Store sample app](./quickstart-sample-app-acme-fitness-store-introduction.md) ---For more information, see the following articles: --- [Azure Spring Apps Samples](https://github.com/Azure-Samples/azure-spring-apps-samples).-- [Azure for Spring developers](/azure/developer/java/spring/)-- [Spring Cloud Azure documentation](/azure/developer/java/spring-framework/) |
spring-apps | Quotas | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/quotas.md | - Title: Service plans and quotas for Azure Spring Apps -description: Learn about service quotas and service plans for Azure Spring Apps. --- Previously updated : 05/15/2023-----# Quotas and service plans for Azure Spring Apps --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Java ✔️ C# --**This article applies to:** ✔️ Standard consumption and dedicated (Preview) ✔️ Basic/Standard ✔️ Enterprise --All Azure services set default limits and quotas for resources and features. Azure Spring Apps offers four pricing plans: Basic, Standard, Enterprise, and Standard consumption. --## Azure Spring Apps service plans and limits --The following table defines limits for the pricing plans in Azure Spring Apps. --| Resource | Scope | Basic | Standard | Enterprise | Standard consumption | Standard dedicated | -|-|-|--|-|-|-|-| -| vCPU | per app instance | 1 | 4 | 8 | 4 | based on workload profile (for example, 16 in D16) | -| Memory | per app instance | 2 GB | 8 GB | 32 GB | 8 GB | based on workload profile (for example, 128GB in E16) | -| Azure Spring Apps service instances | per region per subscription | 10 | 10 | 10 | 10 | 10 | -| Total app instances | per Azure Spring Apps service instance | 25 | 500 | 1000 | 400 | 1000 | -| Custom Domains for app | per Azure Spring Apps service instance | 0 | 500 | 500 | 500 | 500 | -| Custom Domains for app | per app instance | 0 | 5 | 5 | 5 | 5 | -| Custom Domains for Tanzu Component | per Tanzu Component | N/A | N/A | 5 | N/A | N/A | -| Persistent volumes | per Azure Spring Apps service instance | 1 GB/app x 10 apps | 50 GB/app x 10 apps | 50 GB/app x 10 apps | Not applicable | Not applicable | -| Inbound Public Endpoints | per Azure Spring Apps service instance | 10 <sup>1</sup> | 10 <sup>1</sup> | 10 <sup>1</sup> | 10 <sup>1</sup> | 10 <sup>1</sup> | -| Outbound Public IPs | per Azure Spring Apps service instance | 1 <sup>2</sup> | 2 <sup>2</sup> <br> 1 if using VNet<sup>2</sup> | 2 <sup>2</sup> <br> 1 if using VNet<sup>2</sup> | 2 <sup>2</sup> <br> 1 if using VNet<sup>2</sup> | 2 <sup>2</sup> <br> 1 if using VNet<sup>2</sup> | -| User-assigned managed identities | per app instance | 20 | 20 | 20 | Not available during preview | Not available during preview | -| Requests per second/Throughput | per Azure Spring Apps service instance | 5000 <sup>3</sup> | 10000 <sup>3</sup> | 20000 <sup>3</sup> | Not applicable | Not applicable | --<sup>1</sup> You can increase this limit via support request to a maximum of 1 per app. --<sup>2</sup> You can increase this limit via support request to a maximum of 10. --<sup>3</sup> This limit only applies to customers without an Enterprise Agreement subscription. You can increase this limit based on your workload size via raising a support ticket. For customers with an Enterprise Agreement subscription, Azure Spring Apps automatically adjusts underlying resource to support application traffic. --> [!TIP] -> Limits listed apply for apps and deployments in any state, including apps in a stopped state. These limits include total app instances and per service instances. Be sure to delete apps and deployments that aren't being used. --## Next steps --Some default limits can be increased. For more information, see [create a support request](../azure-portal/supportability/how-to-create-azure-support-request.md). |
spring-apps | Secure Communications End To End | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/secure-communications-end-to-end.md | - Title: Secure communications end-to-end for Spring Boot apps in a Zero Trust environment- -description: Describes how to secure communications end-to-end or terminate transport-level security at any communication point for Spring Boot apps. --- Previously updated : 08/15/2022-----# Secure communications end-to-end for Spring Boot apps in a Zero Trust environment --This article describes how to secure communications end-to-end for Spring Boot apps in a Zero Trust environment. You can secure communications end-to-end or terminate transport-level security at any communication point for Spring Boot apps. You can also automate the provisioning and configuration for all the Azure resources needed for securing communications. --Implementing secure communications as part of your solution architecture can be challenging. Many customers manually rotate their certificates or create their own solutions to automate provisioning and configuration. Even then, there's still data exfiltration risk, such as unauthorized copying or transfer of data from server systems. With Azure Spring Apps, these details are handled for you. Azure Spring Apps abstracts away most of the complexity, leaving secure communications as configurable and automatable options in the service. --## Secure internet communications --The TLS/SSL protocol establishes identity and trust, and encrypts communications of all types. TLS/SSL makes secure communications possible, particularly web traffic carrying commerce and customer data. --You can use any type of TLS/SSL certificate. For example, you can use certificates issued by a certificate authority, extended validation certificates, wildcard certificates with support for any number of subdomains, or self-signed certificates for dev and testing environments. --## Load certificates security with Zero Trust --Zero Trust is based on the principle of "never trust, always verify, and credential-free". Zero Trust helps to secure all communications by eliminating unknown and unmanaged certificates. Zero Trust involves trusting only certificates that are shared by verifying identity prior to granting access to those certificates. For more information, see the [Zero Trust Guidance Center](/security/zero-trust/). --To securely load certificates from [Azure Key Vault](../key-vault/index.yml), Spring Boot apps use [managed identities](/entra/identity/managed-identities-azure-resources/overview) and [Azure role-based access control (RBAC)](../role-based-access-control/index.yml). Azure Spring Apps uses a provider [service principal](/entra/identity-platform/app-objects-and-service-principals#service-principal-object) and Azure role-based access control. This secure loading is powered using the Azure Key Vault Java Cryptography Architecture (JCA) Provider. For more information, see [Azure Key Vault JCA client library for Java](https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/keyvault/azure-security-keyvault-jca). --With Azure Key Vault, you control the storage and distribution of certificates to reduce accidental leakage. Applications and services can securely access certificates. Key Vault uses Azure role-based access control to lock down access to only those requiring access, such as an admin, but also apps, using the principle of least privilege. Applications and services authenticate and authorize, using Microsoft Entra ID and Azure role-based access control, to access certificates. You can monitor the access and use of certificates in Key Vault through its full audit trail. --## Secure communications end-to-end or terminate TLS at any point --As illustrated in the diagram below, there are several segments of communications through the following components: --- Network access points such as Azure Front Door-- Azure App Gateway-- F5 BIG-IP Local Traffic Manager-- Azure API Management-- Apigee API Management Spring Boot apps and Backend systems such as databases, messaging and eventing systems, and app cache.--You can secure communications end-to-end or terminate transport-level security at any communication point for Spring Boot apps. ---The following sections describe this architecture in more detail. --### Segment 1: Secure communications into Azure Spring Apps --The first segment (segment 1 in the diagram) represents communications from consumers to the ingress controller in Azure Spring Apps. These consumers include browsers, mobile phones, desktops, kiosks, or network access points like Azure Front Door, Azure App Gateway, F5 BIG-IP Local Traffic Manager, Azure API Management, and Apigee API Management. --By default, this segment is secured using a Microsoft-supplied TLS/SSL certificate for the `*.azuremicroservices.io` domain. You can apply your own TLS/SSL certificate in Azure Key Vault by binding a custom domain to your app in Azure Spring Apps. No code is necessary. For more information, see [Tutorial: Map an existing custom domain to Azure Spring Apps](how-to-custom-domain.md). --### Segment 2: Secure communications from ingress controller to apps --The next segment (segment 2 in the diagram) represents communications from the Azure Spring Apps ingress controller to any app on Azure Spring Apps. You can enable TLS/SSL to secure traffic from the ingress controller to an app that supports HTTPS. For more information, see [Enable ingress-to-app TLS for an application](how-to-enable-ingress-to-app-tls.md). --A Spring Boot app can use Spring's approach to enable HTTPS, or the app can secure communications by using the Azure Key Vault Certificates Spring Boot Starter. For more information, see [Tutorial: Secure Spring Boot apps using Azure Key Vault certificates](/azure/developer/java/spring-framework/configure-spring-boot-starter-java-app-with-azure-key-vault-certificates). --You need the following three configuration steps to secure communications using a TLS/SSL certificate from an Azure Key Vault. No code is necessary. --1. Include the following Azure Key Vault Certificates Spring Boot Starter dependency in your *pom.xml* file: -- ```xml - <dependency> - <groupId>com.azure.spring</groupId> - <artifactId>azure-spring-boot-starter-keyvault-certificates</artifactId> - </dependency> - ``` --1. Add the following properties to configure an app to load a TLS/SSL certificate from Azure Key Vault. Be sure to specify the URI of the Azure Key Vault and the certificate name. -- ```properties - azure: - keyvault: - uri: ${KEY_VAULT_URI} - - server: - ssl: - key-alias: ${SERVER_SSL_CERTIFICATE_NAME} - key-store-type: AzureKeyVault - ``` --1. Enable the app's managed identity, and then grant the managed identity with "Get" and "List" access to the Azure Key Vault. For more information, see [Enable system-assigned managed identity for an application in Azure Spring Apps](how-to-enable-system-assigned-managed-identity.md) and [Certificate Access Control](../key-vault/certificates/certificate-access-control.md). --### Segment 3: Secure communications from app to managed middleware --The next segment (segment 3 in the diagram) represents communications from any app to the managed Spring Cloud Config Server and Spring Cloud Service Registry in Azure Spring Apps. By default, this segment is secured using a Microsoft-supplied TLS/SSL certificate. --### Segment 4: Secure app to app communications --The next segment (segment 4 in the diagram) represents communications between an app to another app in Azure Spring Apps. You can use the Azure Key Vault Certificates Spring Boot Starter to configure the caller app to trust the TLS/SSL certificate supplied by an HTTPS-enabled called app. The receiver Spring Boot app can use Spring's approach to enable HTTPS, or the app can secure communications by using the Azure Key Vault Certificates Spring Boot Starter. For more information, see [Tutorial: Secure Spring Boot apps using Azure Key Vault certificates](/azure/developer/java/spring-framework/configure-spring-boot-starter-java-app-with-azure-key-vault-certificates). --### Segment 5: Secure app to external system communications --The next segment (segment 5 in the diagram) represents communications between an app running in Azure Spring Apps and external systems. You can use the Azure Key Vault Certificates Spring Boot Starter to configure the app running in Azure Spring Apps to trust the TLS/SSL certificate supplied by any external systems. For more information, see [Tutorial: Secure Spring Boot apps using Azure Key Vault certificates](/azure/developer/java/spring-framework/configure-spring-boot-starter-java-app-with-azure-key-vault-certificates). --### Implicitly load TLS/SSL certificates from Key Vault into an app --If your Spring code, Java code, or open-source libraries, such as OpenSSL, rely on the JVM default JCA chain to implicitly load certificates into the JVM's trust store, then you can import your TLS/SSL certificates from Key Vault into Azure Spring Apps and use those certificates within the app. For more information, see [Use TLS/SSL certificates in your application in Azure Spring Apps](how-to-use-tls-certificate.md). --### Upload well known public TLS/SSL certificates for backend systems --For an app to communicate to backend services in the cloud or in on-premises systems, it may require the use of public TLS/SSL certificates to secure communication. You can upload those TLS/SSL certificates for securing outbound communications. For more information, see [Use TLS/SSL certificates in your application in Azure Spring Apps](how-to-use-tls-certificate.md). --### Automate provisioning and configuration for securing communications --Using an ARM Template, Bicep, or Terraform, you can automate the provisioning and configuration of all the Azure resources mentioned above for securing communications. --## Build your solutions and secure communications --Azure Spring Apps is a fully managed service for Spring Boot applications. Azure Spring Apps abstracts away the complexity of infrastructure and Spring Cloud middleware management from users. You can focus on building your business logic and let Azure take care of dynamic scaling, patches, security, compliance, and high availability. With a few steps, you can provision Azure Spring Apps, create applications, deploy, and scale Spring Boot applications, and start securing communications in minutes. --Azure Spring Apps is jointly built, operated, and supported by Microsoft and VMware. --## Next steps --- [Deploy Spring microservices to Azure](/training/modules/azure-spring-cloud-workshop/)-- [Azure Key Vault Certificates Spring Cloud Azure Starter (GitHub.com)](https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/spring/spring-cloud-azure-starter-keyvault-certificates/pom.xml)-- [Azure Spring Apps architecture design](/azure/architecture/web-apps/spring-apps?toc=/azure/spring-apps/toc.json&bc=/azure/spring-apps/breadcrumb/toc.json)-- Migrate your [Spring Boot](/azure/developer/java/migration/migrate-spring-boot-to-azure-spring-apps), [Spring Cloud](/azure/developer/java/migration/migrate-spring-cloud-to-azure-spring-apps), and [Tomcat](/azure/developer/java/migration/migrate-tomcat-to-azure-spring-apps) applications to Azure Spring Apps |
spring-apps | Security Controls Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/security-controls-policy.md | - Title: Azure Policy Regulatory Compliance controls for Azure Spring Apps -description: Lists Azure Policy Regulatory Compliance controls available for Azure Spring Apps. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/22/2024-------# Azure Policy Regulatory Compliance controls for Azure Spring Apps --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise --[Regulatory Compliance in Azure Policy](../governance/policy/concepts/regulatory-compliance.md) -provides Microsoft created and managed initiative definitions, known as _built-ins_, for the -**compliance domains** and **security controls** related to different compliance standards. This -page lists the **compliance domains** and **security controls** for Azure Spring Apps. You can -assign the built-ins for a **security control** individually to help make your Azure resources -compliant with the specific standard. ----## Next steps --- Learn more about [Azure Policy Regulatory Compliance](../governance/policy/concepts/regulatory-compliance.md).-- See the built-ins on the [Azure Policy GitHub repo](https://github.com/Azure/azure-policy). |
spring-apps | Standard Consumption Customer Responsibilities | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/standard-consumption-customer-responsibilities.md | - Title: Customer responsibilities for Azure Spring Apps Standard consumption and dedicated plan in a virtual network -description: Learn about the customer responsibilities for running an Azure Spring Apps Standard consumption and dedicated plan service instance in a virtual network. ---- Previously updated : 03/21/2023----# Customer responsibilities for Azure Spring Apps Standard consumption and dedicated plan in a virtual network --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Standard consumption and dedicated (Preview) ❌ Basic/Standard ❌ Enterprise --This article describes the customer responsibilities for running an Azure Spring Apps Standard consumption and dedicated plan service instance in a virtual network. --Use Network Security Groups (NSGs) to configure virtual networks to conform to the settings required by Kubernetes. --To control all inbound and outbound traffic for the Azure Container Apps environment, you can use NSGs to lock down a network with more restrictive rules than the default NSG rules. --## NSG allow rules --The following tables describe how to configure a collection of NSG allow rules. --> [!NOTE] -> The subnet associated with a Azure Container Apps environment requires a CIDR prefix of `/23` or larger. --### Outbound with ServiceTags --| Protocol | Port | ServiceTag | Description | -|-|--|--|-| -| UDP | `1194` | `AzureCloud.<region>` | Required for internal Azure Kubernetes Service (AKS) secure connection between underlying nodes and the control plane. Replace `<region>` with the region where your container app is deployed. | -| TCP | `9000` | `AzureCloud.<region>` | Required for internal AKS secure connection between underlying nodes and the control plane. Replace `<region>` with the region where your container app is deployed. | -| TCP | `443` | `AzureMonitor` | Allows outbound calls to Azure Monitor. | -| TCP | `443` | `Azure Container Registry` | Enables the Azure Container Registry as described in [Virtual network service endpoints](../virtual-network/virtual-network-service-endpoints-overview.md). | -| TCP | `443` | `MicrosoftContainerRegistry`| The service tag for container registry for Microsoft containers. | -| TCP | `443` | `AzureFrontDoor.FirstParty` | A dependency of the `MicrosoftContainerRegistry` service tag. | -| TCP | `443`, `445` | `Azure Files` | Enables Azure Storage as described in [Virtual network service endpoints](../virtual-network/virtual-network-service-endpoints-overview.md). | --### Outbound with wild card IP rules --| Protocol | Port | IP | Description | -|-|--|-|| -| TCP | `443` | \* | Set all outbound traffic on port `443` to allow all fully qualified domain name (FQDN) based outbound dependencies that don't have a static IP. | -| UDP | `123` | \* | NTP server. | -| TCP | `5671` | \* | Container Apps control plane. | -| TCP | `5672` | \* | Container Apps control plane. | -| Any | \* | Infrastructure subnet address space | Allow communication between IPs in the infrastructure subnet. This address is passed as a parameter when you create an environment - for example, `10.0.0.0/21`. | --### Outbound with FQDN requirements/application rules --| Protocol | Port | FQDN | Description | -|-|-|-|--| -| TCP | `443` | `mcr.microsoft.com` | Microsoft Container Registry (MCR). | -| TCP | `443` | `*.cdn.mscr.io` | MCR storage backed by the Azure Content Delivery Network (CDN). | -| TCP | `443` | `*.data.mcr.microsoft.com` | MCR storage backed by the Azure CDN. | --### Outbound with FQDN for third-party application performance management (optional) --| Protocol | Port | FQDN | Description | -|-|-|-|-| -| TCP | `443/80` | `collector*.newrelic.com` | The required networks of New Relic application and performance monitoring (APM) agents from the US region. See APM Agents Networks. | -| TCP | `443/80` | `collector*.eu01.nr-data.net` | The required networks of New Relic APM agents from the EU region. See APM Agents Networks. | -| TCP | `443` | `*.live.dynatrace.com` | The required network of Dynatrace APM agents. | -| TCP | `443` | `*.live.ruxit.com` | The required network of Dynatrace APM agents. | -| TCP | `443/80` | `*.saas.appdynamics.com` | The required network of AppDynamics APM agents. See SaaS Domains and IP Ranges. | --#### Considerations --- If you're running HTTP servers, you might need to add ports `80` and `443`.-- Adding deny rules for some ports and protocols with lower priority than `65000` may cause service interruption and unexpected behavior.--## Next steps --- [Azure Spring Apps documentation](./index.yml) |
spring-apps | Structured App Log | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/structured-app-log.md | - Title: Structured application log for Azure Spring Apps | Microsoft Docs -description: This article explains how to generate and collect structured application log data in Azure Spring Apps. --- Previously updated : 02/05/2021-----# Structured application log for Azure Spring Apps --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise --This article explains how to generate and collect structured application log data in Azure Spring Apps. With proper configuration, Azure Spring Apps provides useful application log query and analysis through Log Analytics. --## Log schema requirements --To improve log query experience, an application log is required to be in JSON format and conform to a schema. Azure Spring Apps uses this schema to parse your application and stream to Log Analytics. --> [!NOTE] -> Enabling the JSON log format makes it difficult to read the log streaming output from console. To get human readable output, append the `--format-json` argument to the `az spring app logs` CLI command. See [Format JSON structured logs](./how-to-log-streaming.md#format-json-structured-logs). --**JSON schema requirements:** --| Json Key | Json value Type| Required | Column in Log Analytics| Description | -| --| |--|--|--| -| timestamp | string | Yes | AppTimestamp | timestamp in UTC format | -| logger | string | No | Logger | logger | -| level | string | No | CustomLevel | log level | -| thread | string | No | Thread | thread | -| message | string | No | Message | log message | -| stackTrace | string | No | StackTrace | exception stack trace | -| exceptionClass| string | No | ExceptionClass | exception class name | -| mdc | nested JSON | No | | mapped diagnostic context| -| mdc.traceId | string | No | TraceId |trace ID for distributed tracing| -| mdc.spanId | string | No | SpanId |span ID for distributed tracing | -| | | | | | --* The "timestamp" field is required, and should be in UTC format, all other fields are optional. -* "traceId" and "spanId" in "mdc" field are used for tracing purpose. -* Log each JSON record in one line. --**Log record sample** --```log -{"timestamp":"2021-01-08T09:23:51.280Z","logger":"com.example.demo.HelloController","level":"ERROR","thread":"http-nio-1456-exec-4","mdc":{"traceId":"c84f8a897041f634","spanId":"c84f8a897041f634"},"stackTrace":"java.lang.RuntimeException: get an exception\r\n\tat com.example.demo.HelloController.throwEx(HelloController.java:54)\r\n\","message":"Got an exception","exceptionClass":"RuntimeException"} -``` --## Limitations --Each line of the JSON logs has at most 16 K bytes. If the JSON output of a single log record exceeds this limit, it's broken into multiple lines, and each raw line is collected into the `Log` column without being parsed structurally. --Generally, this situation happens on exception logging with deep stacktrace, especially when the [AppInsights In-Process Agent](./how-to-application-insights.md) is enabled. Apply limit settings to the stacktrace output (see the below configuration samples) to ensure the final output gets parsed properly. --## Generate schema-compliant JSON log --For Spring applications, you can generate expected JSON log format using common [logging frameworks](https://docs.spring.io/spring-boot/docs/2.7.9/reference/html/features.html#features.logging.custom-log-configuration), such as [Logback](http://logback.qos.ch/) and [Log4j2](https://logging.apache.org/log4j/2.x/). --### Log with logback --When using Spring Boot starters, Logback is used by default. For Logback apps, use [logstash-encoder](https://github.com/logstash/logstash-logback-encoder) to generate JSON formatted log. This method is supported in Spring Boot version 2.1 or later. --The procedure: --1. Add logstash dependency in your `pom.xml` file. -- ```xml - <dependency> - <groupId>net.logstash.logback</groupId> - <artifactId>logstash-logback-encoder</artifactId> - <version>6.5</version> - </dependency> - ``` --1. Update your `logback-spring.xml` config file to set the JSON format. -- ```xml - <configuration> - <appender name="stdout" class="ch.qos.logback.core.ConsoleAppender"> - <encoder class="net.logstash.logback.encoder.LoggingEventCompositeJsonEncoder"> - <providers> - <timestamp> - <fieldName>timestamp</fieldName> - <timeZone>UTC</timeZone> - </timestamp> - <loggerName> - <fieldName>logger</fieldName> - </loggerName> - <logLevel> - <fieldName>level</fieldName> - </logLevel> - <threadName> - <fieldName>thread</fieldName> - </threadName> - <nestedField> - <fieldName>mdc</fieldName> - <providers> - <mdc /> - </providers> - </nestedField> - <stackTrace> - <fieldName>stackTrace</fieldName> - <!-- maxLength - limit the length of the stack trace --> - <throwableConverter class="net.logstash.logback.stacktrace.ShortenedThrowableConverter"> - <maxDepthPerThrowable>200</maxDepthPerThrowable> - <maxLength>14000</maxLength> - <rootCauseFirst>true</rootCauseFirst> - </throwableConverter> - </stackTrace> - <message /> - <throwableClassName> - <fieldName>exceptionClass</fieldName> - </throwableClassName> - </providers> - </encoder> - </appender> - <root level="info"> - <appender-ref ref="stdout" /> - </root> - </configuration> - ``` --1. When using the logging configuration file with `-spring` suffix like `logback-spring.xml`, you can set the logging configuration based on the Spring active profile. -- ```xml - <configuration> - <springProfile name="dev"> - <!-- JSON appender definitions for local development, in human readable format --> - <include resource="org/springframework/boot/logging/logback/defaults.xml" /> - <include resource="org/springframework/boot/logging/logback/console-appender.xml" /> - <root level="info"> - <appender-ref ref="CONSOLE" /> - </root> - </springProfile> -- <springProfile name="!dev"> - <!-- JSON appender configuration from previous step, used for staging / production --> - ... - </springProfile> - </configuration> - ``` -- For local development, run the Spring application with JVM argument `-Dspring.profiles.active=dev`, then you can see human readable logs instead of JSON formatted lines. --### Log with log4j2 --For log4j2 apps, use [json-template-layout](https://logging.apache.org/log4j/2.x/manual/json-template-layout.html) to generate JSON formatted log. This method is supported in Spring Boot version 2.1+. --The procedure: --1. Exclude `spring-boot-starter-logging` from `spring-boot-starter`, add dependencies `spring-boot-starter-log4j2`, `log4j-layout-template-json` in your `pom.xml` file. -- ```xml - <dependency> - <groupId>org.springframework.boot</groupId> - <artifactId>spring-boot-starter-web</artifactId> - <exclusions> - <exclusion> - <groupId>org.springframework.boot</groupId> - <artifactId>spring-boot-starter-logging</artifactId> - </exclusion> - </exclusions> - </dependency> - <dependency> - <groupId>org.springframework.boot</groupId> - <artifactId>spring-boot-starter-log4j2</artifactId> - </dependency> - <dependency> - <groupId>org.apache.logging.log4j</groupId> - <artifactId>log4j-layout-template-json</artifactId> - <version>2.14.0</version> - </dependency> - ``` --2. Prepare a JSON layout template file `jsonTemplate.json` in your class path. -- ```json - { - "mdc": { - "$resolver": "mdc" - }, - "exceptionClass": { - "$resolver": "exception", - "field": "className" - }, - "stackTrace": { - "$resolver": "exception", - "field": "stackTrace", - "stringified": true - }, - "message": { - "$resolver": "message", - "stringified": true - }, - "thread": { - "$resolver": "thread", - "field": "name" - }, - "timestamp": { - "$resolver": "timestamp", - "pattern": { - "format": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'", - "timeZone": "UTC" - } - }, - "level": { - "$resolver": "level", - "field": "name" - }, - "logger": { - "$resolver": "logger", - "field": "name" - } - } - ``` --3. Use this JSON layout template in your `log4j2-spring.xml` config file. -- ```xml - <configuration> - <appenders> - <console name="Console" target="SYSTEM_OUT"> - <!-- maxStringLength - limit the length of the stack trace --> - <JsonTemplateLayout eventTemplateUri="classpath:jsonTemplate.json" maxStringLength="14000" /> - </console> - </appenders> - <loggers> - <root level="info"> - <appender-ref ref="Console" /> - </root> - </loggers> - </configuration> - ``` --## Analyze the logs in Log Analytics --After your application is properly set up, your application console log is streamed to Log Analytics. The structure enables efficient query in Log Analytics. --### Check log structure in Log Analytics --Use the following procedure: --1. Go to service overview page of your service instance. -2. Select the **Logs** entry in the **Monitoring** section. -3. Run this query. -- ```query - AppPlatformLogsforSpring - | where TimeGenerated > ago(1h) - | project AppTimestamp, Logger, CustomLevel, Thread, Message, ExceptionClass, StackTrace, TraceId, SpanId - ``` --4. Application logs return as shown in the following image: -- :::image type="content" source="media/structured-app-log/json-log-query.png" alt-text="Screenshot of the Azure portal showing the log Results pane." lightbox="media/structured-app-log/json-log-query.png"::: --### Show log entries containing errors --To review log entries that have an error, run the following query: --```query -AppPlatformLogsforSpring -| where TimeGenerated > ago(1h) and CustomLevel == "ERROR" -| project AppTimestamp, Logger, ExceptionClass, StackTrace, Message, AppName -| sort by AppTimestamp -``` --Use this query to find errors, or modify the query terms to find specific exception class or error code. --### Show log entries for a specific traceId --To review log entries for a specific tracing ID "trace_id", run the following query: --```query -AppPlatformLogsforSpring -| where TimeGenerated > ago(1h) -| where TraceId == "trace_id" -| project AppTimestamp, Logger, TraceId, SpanId, StackTrace, Message, AppName -| sort by AppTimestamp -``` --## Next steps --* To learn more about the Log Query, see [Get started with log queries in Azure Monitor](../azure-monitor/logs/get-started-queries.md) |
spring-apps | Tools To Troubleshoot Memory Issues | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/tools-to-troubleshoot-memory-issues.md | - Title: Tools to troubleshoot memory issues- -description: Provides a list of tools for troubleshooting Java memory issues. ---- Previously updated : 07/15/2022----# Tools to troubleshoot memory issues --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise --This article describes various tools that are useful for troubleshooting Java memory issues. You can use these tools in many scenarios not limited to memory issues, but this article focuses only on the topic of memory. --## Alerts and diagnostics --The following sections describe resource health alerts and diagnostics available through the Azure portal. --### Resource health --You can monitor app lifecycle events and set up alerts with Azure Activity log and Azure Service Health. For more information, see [Monitor app lifecycle events using Azure Activity log and Azure Service Health](monitor-app-lifecycle-events.md). --Resource health sends alerts about app restart events due to container out-of-memory (OOM) issues. For more information, see [App restart issues caused by out-of-memory issues](how-to-fix-app-restart-issues-caused-by-out-of-memory.md). --The following screenshot shows an app resource health alert indicating an OOM issue. ---### Diagnose and solve problems --Azure Spring Apps diagnostics is an interactive experience to troubleshoot your app without configuration. For more information, see [Self-diagnose and solve problems in Azure Spring Apps](how-to-self-diagnose-solve.md). --In the Azure portal, you can find **Memory Usage** under **Diagnose and solve problems**, as shown in the following screenshot. ---**Memory Usage** provides a simple diagnosis for app memory usage, as shown in the following screenshot. ---### Metrics --The following sections describe metrics that cover issues including high memory usage, heap memory that's too large, and abnormal garbage collection abnormal (too frequent or not frequent enough). For more information, see [Quickstart: Monitoring Azure Spring Apps apps with logs, metrics, and tracing](quickstart-logs-metrics-tracing.md?pivots=programming-language-java). --#### App memory usage --App memory usage is a percentage equal to the app memory used divided by the app memory limit. This value shows the whole app memory. --#### jvm.memory.used/committed/max --For JVM memory, there are three metrics: `jvm.memory.used`, `jvm.memory.committed`, and `jvm.memory.max`, which are described in the following list. --"JVM memory" isn't a clearly defined concept. Here, `jvm.memory` is the sum of [heap memory](concepts-for-java-memory-management.md#heap-memory) and former permGen part of [non-heap memory](concepts-for-java-memory-management.md#non-heap-memory). JVM memory doesn't include direct memory or other memory like the thread stack. Spring Boot Actuator gathers these three metrics and determines the scope of `jvm.memory`. --- `jvm.memory.used` is the amount of used JVM memory, including used heap memory and used former permGen in non-heap memory.-- `jvm.memory.used` is a major reflection of the change of heap memory, because the former permGen part is usually stable. -- If you find `jvm.memory.used` too large, consider setting a smaller maximum heap memory size. --- `jvm.memory.committed` is the amount of memory committed for the JVM to use. The size of `jvm.memory.committed` is basically the limit of usable JVM memory.--- `jvm.memory.max` is the maximum amount of JVM memory, not to be confused with the real available amount.-- The value of `jvm.memory.max` can sometimes be confusing because it can be much higher than the available app memory. To clarify, `jvm.memory.max` is the sum of all maximum sizes of heap memory and the former permGen part of [non-heap memory](concepts-for-java-memory-management.md#non-heap-memory), regardless of the real available memory. For example, if an app is set with 1 GB of memory in the Azure Spring Apps portal, then the default heap memory size is 0.5 GB. For more information, see the [Default maximum heap size](concepts-for-java-memory-management.md#default-maximum-heap-size) section of [Java memory management](concepts-for-java-memory-management.md). -- If the default *compressed class space* size is 1 GB, then the value of `jvm.memory.max` is larger than 1.5 GB regardless of whether the app memory size 1 GB. For more information, see [Java Platform, Standard Edition HotSpot Virtual Machine Garbage Collection Tuning Guide: Other Considerations](https://docs.oracle.com/javase/9/gctuning/other-considerations.htm) in the Oracle documentation. --#### jvm.gc.memory.allocated/promoted --These two metrics are for observing Java garbage collection (GC). For more information, see the [Java garbage collection](concepts-for-java-memory-management.md#java-garbage-collection) section of [Java memory management](concepts-for-java-memory-management.md). The maximum heap size influences the frequency of minor GC and full GC. The maximum metaspace and maximum direct memory size influence full GC. If you want to adjust the frequency of garbage collection, consider modifying the following maximum memory sizes. --- `jvm.gc.memory.allocated` is the amount of increase in the size of the young generation memory pool after one GC and before the next. This value reflects minor GC.--- `jvm.gc.memory.promoted` is the amount of increase in the size of the old generation memory pool after GC. This value reflects full GC.--You can find this feature on the Azure portal, as shown in the following screenshot. You can choose specific metrics and add filters for a specific app, deployment, or instance. You can also apply splitting. ---## Further debugging --For further debugging, you can manually capture heap dumps and thread dumps, and use Java Flight Recorder (JFR). For more information, see [Capture heap dump and thread dump manually and use Java Flight Recorder in Azure Spring Apps](how-to-capture-dumps.md). --Heap dumps record the state of the Java heap memory. Thread dumps record the stacks of all live threads. These tools are available through the Azure CLI and on the app page of the Azure portal, as shown in the following screenshot. ---For more information, see [Capture heap dump and thread dump manually and use Java Flight Recorder in Azure Spring Apps](how-to-capture-dumps.md). You can also use third party tools like [Memory Analyzer](https://www.eclipse.org/mat/) to analyze heap dumps. --## Modify configurations to fix problems --Some issues you might identify include [container OOM](how-to-fix-app-restart-issues-caused-by-out-of-memory.md#fix-app-restart-issues-due-to-oom), heap memory that's too large, and abnormal garbage collection. If you identify any of these issues, you may need to configure the maximum memory size in the JVM options. For more information, see the [Important JVM options](concepts-for-java-memory-management.md#important-jvm-options) section of [Java memory management](concepts-for-java-memory-management.md#important-jvm-options). --You can modify the JVM options by using the Azure portal or the Azure CLI. --### [Azure portal](#tab/azure-portal) --In the Azure portal, navigate to your app, then select **Configuration** from the **Settings** section of the navigation menu. On the **General Settings** tab, update the **JVM options** field, as shown in the following screenshot: ---### [Azure CLI](#tab/azure-cli) --Use the following command to update the JVM options for your app. Be sure to replace the placeholders with your actual values. For example, you can replace the *`<jvm-options>`* placeholder with a value such as `-Xms1024m -Xmx1536m`. --```azurecli -az spring app update \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --app <app-name> \ - --deployment <deployment-name> \ - --jvm-options <jvm-options> \ -``` ----## See also --- [Java memory management](concepts-for-java-memory-management.md)-- [App restart issues caused by out-of-memory issues](how-to-fix-app-restart-issues-caused-by-out-of-memory.md) |
spring-apps | Troubleshoot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/troubleshoot.md | - Title: Troubleshooting guide for Azure Spring Apps | Microsoft Docs -description: Troubleshooting guide for Azure Spring Apps --- Previously updated : 09/08/2020-----# Troubleshoot common Azure Spring Apps issues --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise --This article provides instructions for troubleshooting Azure Spring Apps development issues. For more information, see [Azure Spring Apps FAQ](./faq.md). --## Availability, performance, and application issues --### My application can't start --When your application can't start, you may find that its endpoint can't be connected or it returns a 502 after a few retries. --For troubleshooting, export the logs to Azure Log Analytics. The table for Spring application logs is named *AppPlatformLogsforSpring*. To learn more, see [Analyze logs and metrics with diagnostics settings](diagnostic-services.md). --The following error message might appear in your logs: `org.springframework.context.ApplicationContextException: Unable to start web server` --The message indicates one of two likely problems: --* One of the beans or one of its dependencies is missing. -* One of the bean properties is missing or invalid. In this case, "java.lang.IllegalArgumentException" is displayed. --Service bindings might also cause application start failures. To query the logs, use keywords that are related to the bound services. For instance, let's assume that your application has a binding to a MySQL instance that's set to local system time. If the application fails to start, the following error message might appear in the log: --> "java.sql.SQLException: The server time zone value 'Coordinated Universal Time' is unrecognized or represents more than one time zone." --To fix this error, go to the `server parameters` of your MySQL instance, and change the `time_zone` value from *SYSTEM* to *+0:00*. --### My application crashes or throws an unexpected error --When you're debugging application crashes, start by checking the running status and discovery status of the application. To do so, go to **Apps** in the Azure portal to ensure that the statuses of all the applications are *Running* and *UP*. --* If the status is *Running* but the discovery status isn't *UP*, go to the ["My application can't be registered"](#my-application-cant-be-registered) section. --* If the discovery status is *UP*, go to Metrics to check the application's health. Inspect the following metrics: -- * `tomcat.global.error`: -- All Spring application exceptions are counted here. If this number is large, go to Azure Log Analytics to inspect your application logs. -- * `jvm.memory.max`: -- The maximum amount of memory available to the application. The amount might be undefined, or it might change over time if it's defined. If it's defined, the amount of used and committed memory is always less than or equal to max. However, a memory allocation might fail with an `OutOfMemoryError` message if the allocation attempts to increase the used memory such that *used > committed*, even if *used <= max* is still true. In such a situation, try to increase the maximum heap size by using the `-Xmx` parameter. -- * `jvm.memory.used`: -- The amount of memory in bytes that's currently used by the application. For a normal load Java application, this metric series forms a *sawtooth* pattern, where the memory usage steadily increases and decreases in small increments and suddenly drops a lot, and then the pattern recurs. This metric series occurs because of garbage collection inside Java virtual machine, where collection actions represent drops on the sawtooth pattern. -- This metric is important to help identify memory issues, such as: -- * A memory explosion at the very beginning. - * The surge memory allocation for a specific logic path. - * Gradual memory leaks. -- For more information, see [Metrics](./concept-metrics.md). -- > [!NOTE] - > These metrics are available only for Spring Boot applications. To enable these metrics, add the `spring-boot-starter-actuator` dependency. For more information, see the [Add actuator dependency](concept-manage-monitor-app-spring-boot-actuator.md#add-actuator-dependency) section of [Manage and monitor app with Spring Boot Actuator](concept-manage-monitor-app-spring-boot-actuator.md). --* If the application fails to start, verify that the application has valid jvm parameters. If jvm memory is set too high, the following error message might appear in your logs: -- > "required memory 2728741K is greater than 2000M available for allocation" --To learn more about Azure Log Analytics, see [Get started with Log Analytics in Azure Monitor](../azure-monitor/logs/log-analytics-tutorial.md). --### My application experiences high CPU usage or high memory usage --If your application experiences high CPU or memory usage, one of two things is true: --* All the app instances experience high CPU or memory usage. -* Some of the app instances experience high CPU or memory usage. --To ascertain which situation applies, use the following steps: --1. Go to **Metrics**, and then select either **Service CPU Usage Percentage** or **Service Memory Used**. -2. Add an **App=** filter to specify which application you want to monitor. -3. Split the metrics by **Instance**. --If *all instances* are experiencing high CPU or memory usage, you need to either scale out the application or scale up the CPU or memory usage. For more information, see [Tutorial: Scale an application in Azure Spring Apps](./how-to-scale-manual.md). --If *some instances* are experiencing high CPU or memory usage, check the instance status and its discovery status. --For more information, see [Metrics for Azure Spring Apps](./concept-metrics.md). --If all instances are up and running, go to Azure Log Analytics to query your application logs and review your code logic. This review helps you see whether any of them might affect scale partitioning. For more information, see [Analyze logs and metrics with diagnostics settings](diagnostic-services.md). --To learn more about Azure Log Analytics, see [Get started with Log Analytics in Azure Monitor](../azure-monitor/logs/log-analytics-tutorial.md). Query the logs by using the [Kusto query language](/azure/kusto/query/). --### Checklist for deploying your Spring application to Azure Spring Apps --Before you onboard your application, ensure that it meets the following criteria: --* The application can run locally with the specified Java runtime version. -* The environment config (CPU/RAM/Instances) meets the minimum requirement set by the application provider. -* The configuration items have their expected values. For more information, see [Set up a Spring Cloud Config Server instance for your service](./how-to-config-server.md). For the Enterprise plan, see [Use Application Configuration Service](./how-to-enterprise-application-configuration-service.md). -* The environment variables have their expected values. -* The JVM parameters have their expected values. -* We recommended that you disable or remove the embedded *Config Server* and *Spring Service Registry* services from the application package. -* If any Azure resources are to be bound via *Service Binding*, make sure the target resources are up and running. --## Configuration and management --### I encountered a problem with creating an Azure Spring Apps service instance --When you set up an Azure Spring Apps service instance by using the Azure portal, Azure Spring Apps performs the validation for you. --But if you try to set up the Azure Spring Apps service instance by using the [Azure CLI](/cli/azure/get-started-with-azure-cli) or the [Azure Resource Manager template](../azure-resource-manager/index.yml), verify that you meet the following conditions: --* The subscription is active. -* Azure Spring Apps is available in the region you're using. For more information, see the [Azure Spring Apps FAQ](./faq.md). -* The resource group for the instance is already created. -* The resource name conforms to the naming rule. The name must contain only lowercase letters, numbers, and hyphens. The first character must be a letter. The last character must be a letter or number. The value must contain from 2 to 32 characters. --If you want to set up the Azure Spring Apps service instance by using the Resource Manager template, first refer to [Understand the structure and syntax of Azure Resource Manager templates](../azure-resource-manager/templates/syntax.md). --The name of the Azure Spring Apps service instance is used for requesting a subdomain name under `azuremicroservices.io`, so the setup fails if the name conflicts with an existing one. You might find more details in the activity logs. --### I can't deploy a .NET Core app --You can't upload a *.zip* file for a .NET Core Steeltoe app by using the Azure portal or the Resource Manager template. --When you deploy your application package by using the [Azure CLI](/cli/azure/get-started-with-azure-cli), the Azure CLI periodically polls the deployment progress and, in the end, it displays the deployment result. --Ensure that your application is packaged in the correct *.zip* file format. If it isn't packaged correctly, the process stops responding or you receive an error message. --### I can't deploy a JAR package --You can't upload Java Archive file (JAR)/source package by using the Azure portal or the Resource Manager template. --When you deploy your application package by using the [Azure CLI](/cli/azure/get-started-with-azure-cli), the Azure CLI periodically polls the deployment progress and, in the end, it displays the deployment result. --If the polling is interrupted, you can still use the following command to fetch the deployment logs: --```azurecli -az spring app show-deploy-log --name <app-name> -``` --Ensure that your application is packaged in the correct [executable JAR format](https://docs.spring.io/spring-boot/docs/current/reference/html/executable-jar.html). If it isn't packaged correctly, you receive an error message similar to the following example: `Error: Invalid or corrupt jarfile /jar/38bc8ea1-a6bb-4736-8e93-e8f3b52c8714` --### I can't deploy a source package --You can't upload JAR/source package by using the Azure portal or the Resource Manager template. --When you deploy your application package by using the [Azure CLI](/cli/azure/get-started-with-azure-cli), the Azure CLI periodically polls the deployment progress and, in the end, it displays the deployment result. --If the polling is interrupted, you can still use the following command to fetch the build and deployment logs: --```azurecli -az spring app show-deploy-log --name <app-name> -``` --However, one Azure Spring Apps service instance can trigger only one build job for one source package at one time. For more information, see [Deploy an application](./quickstart.md) and [Set up a staging environment in Azure Spring Apps](./how-to-staging-environment.md). --### My application can't be registered --In most cases, this situation occurs when *Required Dependencies* and *Service Discovery* aren't properly configured in your Project Object Model (POM) file. Once it's configured, the built-in Service Registry server endpoint is injected as an environment variable with your application. Applications then register themselves with the Service Registry server and discover other dependent applications. --Wait at least two minutes before a newly registered instance starts receiving traffic. --If you're migrating an existing Spring Cloud-based solution to Azure, be sure to remove or disable your ad-hoc *Service Registry* and *Config Server* instances to avoid conflicting with the managed instances provided by Azure Spring Apps. --You can also check the *Service Registry* client logs in Azure Log Analytics. For more information, see [Analyze logs and metrics with diagnostics settings](diagnostic-services.md) --To learn more about Azure Log Analytics, see [Get started with Log Analytics in Azure Monitor](../azure-monitor/logs/log-analytics-tutorial.md). Query the logs by using the [Kusto query language](/azure/kusto/query/). --### I want to inspect my application's environment variables --Environment variables inform the Azure Spring Apps framework, ensuring that Azure understands where and how to configure the services that make up your application. Ensuring that your environment variables are correct is a necessary first step in troubleshooting potential problems. You can use the Spring Boot Actuator endpoint to review your environment variables. --> [!WARNING] -> This procedure exposes your environment variables by using your test endpoint. Do not proceed if your test endpoint is publicly accessible or if you've assigned a domain name to your application. --1. Go to `https://<your-application-test-endpoint>/actuator/health`. To find the test endpoint, see the [Verify app through test endpoint](concept-manage-monitor-app-spring-boot-actuator.md#verify-app-through-test-endpoint) section of [Manage and monitor app with Spring Boot Actuator](concept-manage-monitor-app-spring-boot-actuator.md). -- A response similar to `{"status":"UP"}` indicates that the endpoint has been enabled. If the response is negative, include the following dependency in your *POM.xml* file: -- ```xml - <dependency> - <groupId>org.springframework.boot</groupId> - <artifactId>spring-boot-starter-actuator</artifactId> - </dependency> - ``` --1. With the Spring Boot Actuator endpoint enabled, go to the Azure portal and look for the configuration page of your application. Add an environment variable with the name `MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE` and the value `*`. --1. Restart your application. --1. Go to `https://<your-application-test-endpoint>/actuator/env` and inspect the response. It should look like this: -- ```json - { - "activeProfiles": [], - "propertySources": {, - "name": "server.ports", - "properties": { - "local.server.port": { - "value": 1025 - } - } - } - } - ``` --Look for the child node named `systemEnvironment`. This node contains your application's environment variables. --> [!IMPORTANT] -> Remember to reverse the exposure of your environment variables before making your application accessible to the public. Go to the Azure portal, look for the configuration page of your application, and delete this environment variable: `MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE`. --### I can't find metrics or logs for my application --Go to **Apps** to ensure that the application statuses are *Running* and *UP*. --Check to see whether *JMX* is enabled in your application package. This feature can be enabled with the configuration property `spring.jmx.enabled=true`. --Check to see whether the `spring-boot-actuator` dependency is enabled in your application package and that it successfully boots up. --```xml -<dependency> - <groupId>org.springframework.boot</groupId> - <artifactId>spring-boot-starter-actuator</artifactId> -</dependency> -``` --If your application logs can be archived to a storage account but not sent to Azure Log Analytics, check to see whether you set up your workspace correctly. For more information, see [Create a Log Analytics workspace](../azure-monitor/logs/quick-create-workspace.md). Also, be aware that the Basic plan doesn't provide a service-level agreement (SLA). For more information, see [Service Level Agreements (SLA) for Online Services](https://azure.microsoft.com/support/legal/sla/log-analytics/v1_3/). --## Enterprise plan --### Error 112039: Failed to purchase on Azure Marketplace --Creating an Azure Spring Apps Enterprise plan instance fails with error code "112039". For more information, check the detailed error message in the following list: --* **"Failed to purchase on Azure Marketplace because the Microsoft.SaaS RP is not registered on the Azure subscription."**: Azure Spring Apps Enterprise plan purchase a SaaS offer from VMware. -- You must register the `Microsoft.SaaS` resource provider before creating Azure Spring Apps Enterprise instance. See how to [register a resource provider](../azure-resource-manager/management/resource-providers-and-types.md#register-resource-provider). --* **"Failed to load catalog product vmware-inc.azure-spring-cloud-vmware-tanzu-2 in the Azure subscription market."**: Your Azure subscription's billing account address isn't in the supported location. -- For more information, see the section [No plans are available for market '\<Location>'](#no-plans-are-available-for-market-location). --* **"Failed to purchase on Azure Marketplace due to signature verification on Marketplace legal agreement. Check the Azure subscription has agree terms vmware-inc.azure-spring-cloud-vmware-tanzu-2.asa-ent-hr-mtr"**: Your Azure subscription hasn't signed the terms for the offer and plan to be purchased. -- Go to your Azure subscription and run the following Azure CLI command to agree to the terms: -- ```azurecli - az term accept \ - --publisher vmware-inc \ - --product azure-spring-cloud-vmware-tanzu-2 \ - --plan asa-ent-hr-mtr - ``` -- If that doesn't help, you can contact the support team with the following info. -- * `AZURE_TENANT_ID`: the Azure tenant ID that hosts the Azure subscription - * `AZURE_SUBSCRIPTION_ID`: the Azure subscription ID used to create the Azure Spring Apps instance - * `SPRING_CLOUD_NAME`: the failed instance name - * `ERROR_MESSAGE`: the observed error message --### No plans are available for market '\<Location>' --When you visit the SaaS offer [Azure Spring Apps Enterprise](https://aka.ms/ascmpoffer) in the Azure Marketplace, it may say "No plans are available for market '\<Location>'" as in the following image. --![No plans available error image](./media/troubleshoot/no-enterprise-plans-available.png) --The Azure Spring Apps Enterprise plan needs customers to pay for a license to Tanzu components through an Azure Marketplace offer. To purchase in the Azure Marketplace, the billing account's country or region for your Azure subscription should be in the SaaS offer's supported geographic locations. --[Azure Spring Apps Enterprise](https://aka.ms/ascmpoffer) now supports all geographic locations that Azure Marketplace supports. See [Marketplace supported geographic location](../marketplace/marketplace-geo-availability-currencies.md#supported-geographic-locations). --You can view the billing account for your subscription if you have admin access. See [view billing accounts](../cost-management-billing/manage/view-all-accounts.md#check-the-type-of-your-account). --### I need VMware Spring Runtime Support (Enterprise plan only) --The Enterprise plan has built-in VMware Spring Runtime Support, so you can open support tickets to [VMware](https://aka.ms/ascevsrsupport) if you think your issue is in the scope of VMware Spring Runtime Support. To better understand VMware Spring Runtime Support itself, see the [VMware Spring Runtime](https://tanzu.vmware.com/spring-runtime). For more information on registering and using this support service, see the Support section in the [Enterprise FAQ from VMware](https://aka.ms/EnterpriseTierFAQ). For any other issues, open a support ticket with Microsoft. --## Next steps --* [How to self-diagnose and solve problems in Azure Spring Apps](./how-to-self-diagnose-solve.md) -* [Troubleshoot common exit code issues in Azure Spring Apps](./troubleshoot-exit-code.md) |
spring-apps | Troubleshooting Vnet | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/troubleshooting-vnet.md | - Title: Troubleshooting Azure Spring Apps in virtual network -description: Troubleshooting guide for Azure Spring Apps virtual network. --- Previously updated : 09/19/2020-----# Troubleshooting Azure Spring Apps in virtual networks --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise --This article helps you solve various problems that can arise when using Azure Spring Apps in virtual networks. --## I encountered a problem with creating an Azure Spring Apps service instance --To create an instance of Azure Spring Apps, you must have sufficient permission to deploy the instance to the virtual network. The Azure Spring Apps service instance must itself grant Azure Spring Apps service permission to the virtual network. For more information, see the [Grant service permission to the virtual network](./how-to-deploy-in-azure-virtual-network.md#grant-service-permission-to-the-virtual-network) section of [Deploy Azure Spring Apps in a virtual network](how-to-deploy-in-azure-virtual-network.md). --If you use the Azure portal to set up the Azure Spring Apps service instance, the Azure portal validates the permissions. --To set up the Azure Spring Apps service instance by using the [Azure CLI](/cli/azure/get-started-with-azure-cli), verify the following requirements: --- The subscription is active.-- The location supports Azure Spring Apps.-- The resource group for the instance is already created.-- The resource name conforms to the naming rule. It must contain only lowercase letters, numbers, and hyphens. The first character must be a letter. The last character must be a letter or number. The value must contain from 2 to 32 characters.--To set up the Azure Spring Apps service instance by using the Resource Manager template, refer to [Understand the structure and syntax of Azure Resource Manager templates](../azure-resource-manager/templates/syntax.md). --### Common creation issues --| Error message | How to fix | -||-| -| `Resources created by Azure Spring Apps were disallowed by policy.` | Network resources are created when deploying Azure Spring Apps in your own virtual network. Be sure to check whether you have [Azure Policy](../governance/policy/overview.md) defined to block that creation. The error message lists the resources that weren't created. | -| `Required traffic is not allowlisted.` | Be sure to check [Customer responsibilities for running Azure Spring Apps in a virtual network](./vnet-customer-responsibilities.md) to ensure that the required traffic is allowlisted. | --## My application can't be registered or it can't get settings from the config server --The applications running inside the Azure Spring Apps user cluster need to access the Eureka Server and the Config Server in the system runtime cluster via the `<service-instance-name>.svc.private.azuremicroservices.io` domain. --This problem occurs if your virtual network is configured with custom DNS settings. In this case, the private DNS zone used by Azure Spring Apps is ineffective. Add the Azure DNS IP 168.63.129.16 as the upstream DNS server in the custom DNS server. --If your custom DNS server can't add the Azure DNS IP `168.63.129.16` as the upstream DNS server, then add the DNS record `*.svc.private.azuremicroservices.io` to the IP of your application. For more information, see the [Find the IP for your application](access-app-virtual-network.md#find-the-ip-for-your-application) section of [Access an app in Azure Spring Apps in a virtual network](access-app-virtual-network.md). --## I can't access my application's endpoint or test endpoint in a virtual network --If your virtual network is configured with custom DNS settings, be sure to add Azure DNS IP `168.63.129.16` as the upstream DNS server in the custom DNS server, if you haven't already. Then, proceed with the following instructions. --If your virtual network isn't configured with custom DNS settings, or if your virtual network is configured with custom DNS settings and you've already added Azure DNS IP `168.63.129.16` as the upstream DNS server in the custom DNS server, then complete the following steps: --1. Create a new private DNS zone `private.azuremicroservices.io`. -1. Link the private DNS zone to the virtual network. -1. Add the following two DNS records: -- - `*.private.azuremicroservices.io` -> the IP of your application. - - `*.test.private.azuremicroservices.io` -> the IP of your application. --For more information, see [Access your application in a private network](./access-app-virtual-network.md) --## I can't access my application's public endpoint from public network --Azure Spring Apps supports exposing applications to the internet by using public endpoints. For more information, see [Expose applications on Azure Spring Apps to the internet from a public network](how-to-access-app-from-internet-virtual-network.md). --If you're using a user defined route feature, some features aren't supported because of asymmetric routing. For unsupported features, see the following list: --- Use the public network to access the application through the public endpoint.-- Use the public network to access the log stream.-- Use the public network to access the app console.--For more information, see [Control egress traffic for an Azure Spring Apps instance](how-to-create-user-defined-route-instance.md). --Similar limitations also apply to Azure Spring Apps when egress traffics are routed to a firewall. The problem occurs because both situations introduce asymmetric routing into the cluster. Packets arrive on the endpoint's public IP address but return to the firewall via the private IP address. So, the firewall must block such traffic. For more information, see the [Bring your own route table](how-to-deploy-in-azure-virtual-network.md#bring-your-own-route-table) section of [Deploy Azure Spring Apps in a virtual network](how-to-deploy-in-azure-virtual-network.md). --If you're routing egress traffics to a firewall but also need to expose the application to internet, use the expose applications to the internet with TLS Termination feature. For more information, see [Expose applications to the internet with TLS Termination at Application Gateway](expose-apps-gateway-tls-termination.md). --## Other issues --- [Access your application in a private network](access-app-virtual-network.md)-- [Troubleshoot common Azure Spring Apps issues](./troubleshoot.md) |
spring-apps | Tutorial Alerts Action Groups | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/tutorial-alerts-action-groups.md | - Title: "Tutorial: Monitor Azure Spring Apps resources using alerts and action groups" -description: Learn how to monitor Spring app resources using alerts and action groups in Azure Spring Apps. ---- Previously updated : 6/15/2023----# Tutorial: Monitor Spring app resources using alerts and action groups --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Java ✔️ C# --**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise --This article describes how to monitor Spring app resources using alerts and action groups in Azure Spring Apps. --Azure Spring Apps alerts support monitoring resources based on conditions such as available storage, rate of requests, and data usage. An alert sends a notification when rates or conditions meet the defined specifications. --There are two steps to set up an alert pipeline: --1. Set up an action group. -- Action groups define actions to be taken when an alert is triggered, such as with an email, SMS, Runbook, or Webhook. You can use and reuse action groups among different alerts. --1. Set up alert rules. -- Rules bind metrics with action groups based on the target resource, condition, time aggregation, and other factors. --## Prerequisites --- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.-- A deployed Azure Spring Apps instance. For more information, see [Quickstart: Deploy your first application to Azure Spring Apps](./quickstart.md) to get started.--## Set up an action group --In the Azure portal, use the following steps: --1. Go to your Azure Spring Apps instance. -1. Select **Alerts** in the navigation pane, and then select **Action groups**. -- :::image type="content" source="media/tutorial-alerts-action-groups/alerts-page-action-groups.png" alt-text="Screenshot of the Azure portal showing the Alerts page with the Action groups button highlighted." lightbox="media/tutorial-alerts-action-groups/alerts-page-action-groups.png"::: --1. On the **Action groups** page, select **Create**. -- :::image type="content" source="media/tutorial-alerts-action-groups/alerts-action-groups.png" alt-text="Screenshot of the Azure portal showing the Action groups page with the Create button highlighted." lightbox="media/tutorial-alerts-action-groups/alerts-action-groups.png"::: --1. On the **Create action group** page on the **Basics** tab, make any needed changes in **Project details**. In **Instance details**, specify settings for **Action group name** and **Display name**. -- :::image type="content" source="media/tutorial-alerts-action-groups/alerts-create-action-group.png" alt-text="Screenshot of the Azure portal showing the Create action group page with the Basics tab selected." lightbox="media/tutorial-alerts-action-groups/alerts-create-action-group.png"::: --1. Select the **Notifications** tab and then select a **Notification type** from the dropdown menu. This action opens a pane to define the action that is taken upon activation. This example shows an email and messaging type. Complete the form and select **OK**. -- :::image type="content" source="media/tutorial-alerts-action-groups/alerts-create-action-group-notifications.png" alt-text="Screenshot of the Azure portal showing the Create action group page on the Notifications tab with the pane open that defines the notification type." lightbox="media/tutorial-alerts-action-groups/alerts-create-action-group-notifications.png"::: --1. Set **Name** to name the action group. --1. Select **Review + create** to finish creating the action group. --## Set up an alert --Use the following steps configure an alert: --1. Select **Alerts** in the navigation pane, and then select **Alert rules**. -- :::image type="content" source="media/tutorial-alerts-action-groups/alerts-page-rules.png" alt-text="Screenshot of the Azure portal showing the Alerts page with the Alert rule button highlighted." lightbox="media/tutorial-alerts-action-groups/alerts-page-rules.png"::: --1. Select **Create**. -- :::image type="content" source="media/tutorial-alerts-action-groups/alerts-rules-page.png" alt-text="Screenshot of the Azure portal showing the Alert rules page with the Create button highlighted." lightbox="media/tutorial-alerts-action-groups/alerts-rules-page.png"::: --1. On the **Create an alert rule** page on the **Condition** tab, you must select a signal to trigger the alert rule. Select **See all signals**. On the **Select a signal** pane, select **CPU Usage** and then select **Apply**. -- :::image type="content" source="media/tutorial-alerts-action-groups/create-alert-rule.png" alt-text="Screenshot of the Azure portal showing the Create an Alert rule page with the select a signal pane open and App CPU Usage highlighted." lightbox="media/tutorial-alerts-action-groups/create-alert-rule.png"::: --1. The signal selection determines the alert logic settings to configure. Set **Threshold value** to 75. -- :::image type="content" source="media/tutorial-alerts-action-groups/rule-value.png" alt-text="Screenshot of the Azure portal showing the Create an Alert rule page with the alert logic setting for Threshold value highlighted." lightbox="media/tutorial-alerts-action-groups/rule-value.png"::: -- For details of the conditions available to monitor, see the [User metrics options](./concept-metrics.md#user-metrics-options) section of [Metrics for Azure Spring Apps](./concept-metrics.md). --1. Select the **Actions** tab and then select **Select action group**. On the **Select action groups** pane, select the action group that should be triggered by the rule such as the action group you defined previously. -- :::image type="content" source="media/tutorial-alerts-action-groups/select-action-group.png" alt-text="Screenshot of the Azure portal showing the Select an action group to attach to this alert rule pane with an Action group name highlighted." lightbox="media/tutorial-alerts-action-groups/select-action-group.png"::: --1. Select **Select**. -1. Select the **Details** tab and set **Severity** and make any other needed changes. -- :::image type="content" source="media/tutorial-alerts-action-groups/create-rule-details.png" alt-text="Screenshot of the Azure portal showing the Create rule page with Severity in Alert Details highlighted." lightbox="media/tutorial-alerts-action-groups/create-rule-details.png"::: -- > [!TIP] - > Select the **Scope** tab to change the resource for the scope of the rule. By default the scope is current Azure Spring Apps instance. --1. Select **Review + create** to finish creating the alert rule. --1. On the **Alert rules** page, verify that the new alert rule is enabled. -- :::image type="content" source="media/tutorial-alerts-action-groups/alert-rule-enabled.png" alt-text="Screenshot of the Azure portal showing the Alert rules page with the rule that was just created enabled." lightbox="media/tutorial-alerts-action-groups/alert-rule-enabled.png"::: --## Next steps --In this article, you learned how to set up alerts and action groups for an application in Azure Spring Apps. To learn more about action groups, see: --> [!div class="nextstepaction"] -> [Action groups](../azure-monitor/alerts/action-groups.md) |
spring-apps | Tutorial Managed Identities Functions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/tutorial-managed-identities-functions.md | - Title: "Tutorial: Managed identity to invoke Azure Functions" -description: Learn how to use a managed identity to invoke Azure Functions from an Azure Spring Apps app. ----- Previously updated : 05/07/2023---# Tutorial: Use a managed identity to invoke Azure Functions from an Azure Spring Apps app --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise --This article shows you how to create a managed identity for an app hosted in Azure Spring Apps and use it to invoke HTTP triggered Functions. --Both Azure Functions and App Services have built in support for Microsoft Entra authentication. By using this built-in authentication capability along with Managed Identities for Azure Spring Apps, you can invoke RESTful services using modern OAuth semantics. This method doesn't require storing secrets in code and provides more granular controls for controlling access to external resources. --## Prerequisites --- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.-- [Azure CLI](/cli/azure/install-azure-cli) version 2.45.0 or higher.-- [Git](https://git-scm.com/downloads).-- [Apache Maven](https://maven.apache.org/download.cgi) version 3.0 or higher.-- [Install the Azure Functions Core Tools](../azure-functions/functions-run-local.md#install-the-azure-functions-core-tools) version 4.x.--## Create a resource group --A resource group is a logical container into which Azure resources are deployed and managed. Use the following command to create a resource group to contain a Function app: --```azurecli -az group create --name <resource-group-name> --location <location> -``` --For more information, see the [az group create](/cli/azure/group#az-group-create) command. --## Create a Function app --To create a Function app, you must first create a backing storage account. You can use the [az storage account create](/cli/azure/storage/account#az-storage-account-create) command. --> [!IMPORTANT] -> Each Function app and storage account must have a unique name. --Use the following command to create the storage account. Replace *\<function-app-name>* with the name of your Function app and *\<storage-account-name>* with the name of your storage account. --```azurecli -az storage account create \ - --resource-group <resource-group-name> \ - --name <storage-account-name> \ - --location <location> \ - --sku Standard_LRS -``` --After the storage account is created, use the following command to create the Function app: --```azurecli -az functionapp create \ - --resource-group <resource-group-name> \ - --name <function-app-name> \ - --consumption-plan-location <location> \ - --os-type windows \ - --runtime node \ - --storage-account <storage-account-name> \ - --functions-version 4 -``` --Make a note of the returned `hostNames` value, which is in the format `https://<your-functionapp-name>.azurewebsites.net`. Use this value in the Function app's root URL for testing the Function app. --<a name='enable-azure-active-directory-authentication'></a> --## Enable Microsoft Entra authentication --Use the following steps to enable Microsoft Entra authentication to access your Function app. --1. In the Azure portal, navigate to your resource group and then open the Function app you created. -1. In the navigation pane, select **Authentication** and then select **Add identity provider** on the main pane. -1. On the **Add an identity provider** page, select **Microsoft** from the **Identity provider** dropdown menu. -- :::image type="content" source="media/tutorial-managed-identities-functions/add-identity-provider.png" alt-text="Screenshot of the Azure portal showing the Add an identity provider page with Microsoft highlighted in the identity provider dropdown menu." lightbox="media/tutorial-managed-identities-functions/add-identity-provider.png"::: --1. Select **Add**. -1. For the **Basics** settings on the **Add an identity provider** page, set **Supported account types** to **Any Microsoft Entra directory - Multi-tenant**. -1. Set **Unauthenticated requests** to **HTTP 401 Unauthorized: recommended for APIs**. This setting ensures that all unauthenticated requests are denied (401 response). -- :::image type="content" source="media/tutorial-managed-identities-functions/identity-provider-settings.png" alt-text="Screenshot of the Azure portal showing the Add an identity provider page with Support account types and Unauthenticated requests highlighted." lightbox="media/tutorial-managed-identities-functions/identity-provider-settings.png"::: --1. Select **Add**. --After you add the settings, the Function app restarts and all subsequent requests are prompted to sign in through Microsoft Entra ID. You can test that unauthenticated requests are currently being rejected with the Function app's root URL (returned in the `hostNames` output of the `az functionapp create` command). You should then be redirected to your organization's Microsoft Entra sign-in screen. --You need the Application ID and the Application ID URI for later use. In the Azure portal, navigate to the Function app you created. --To get the Application ID, select **Authentication** in the navigation pane, and then copy the **App (client) ID** value for the identity provider that includes the name of the Function app. ---To get the Application ID URI, select **Expose an API** in the navigation pane, and then copy the **Application ID URI** value. ---## Create an HTTP triggered function --In an empty local directory, use the following commands to create a new function app and add an HTTP triggered function: --```console -func init --worker-runtime node -func new --template HttpTrigger --name HttpTrigger -``` --By default, functions use key-based authentication to secure HTTP endpoints. To enable Microsoft Entra authentication to secure access to the functions, set the `authLevel` key to `anonymous` in the *function.json* file, as shown in the following example: --```json -{ - "bindings": [ - { - "authLevel": "anonymous", - "type": "httpTrigger", - ... - } - ] -} -``` --For more information, see the [Secure an HTTP endpoint in production](../azure-functions/functions-bindings-http-webhook-trigger.md#secure-an-http-endpoint-in-production) section of [Azure Functions HTTP trigger](../azure-functions/functions-bindings-http-webhook-trigger.md). --Use the following command to publish the app to the instance created in the previous step: --```console -func azure functionapp publish <function-app-name> -``` --The output from the publish command should list the URL to your newly created function, as shown in the following output: --```output -Deployment completed successfully. -Syncing triggers... -Functions in <your-functionapp-name>: - HttpTrigger - [httpTrigger] - Invoke url: https://<function-app-name>.azurewebsites.net/api/httptrigger -``` --## Create an Azure Spring Apps service instance and application --Use the following commands to add the spring extension and to create a new instance of Azure Spring Apps: --```azurecli -az extension add --upgrade --name spring -az spring create \ - --resource-group <resource-group-name> \ - --name <Azure-Spring-Apps-instance-name> \ - --location <location> -``` --Use the following command to create an application named `msiapp` with a system-assigned managed identity, as requested by the `--assign-identity` parameter: --```azurecli -az spring app create \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name "msiapp" \ - --assign-endpoint true \ - --assign-identity -``` --## Build a sample Spring Boot app to invoke the Function --This sample invokes the HTTP triggered function by first requesting an access token from the MSI endpoint and using that token to authenticate the function HTTP request. For more information, see the [Get a token using HTTP](/entra/identity/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http) section of [How to use managed identities for Azure resources on an Azure VM to acquire an access token](/entra/identity/managed-identities-azure-resources/how-to-use-vm-token). --1. Use the following command clone the sample project: -- ```bash - git clone https://github.com/Azure-Samples/azure-spring-apps-samples.git - ``` --1. Use the following command to specify your function URI and the trigger name in your app properties: -- ```bash - cd azure-spring-apps-samples/managed-identity-function - vim src/main/resources/application.properties - ``` --1. To use managed identity for Azure Spring Apps apps, add the following properties with these values to *src/main/resources/application.properties*. -- ```text - azure.function.uri=https://<function-app-name>.azurewebsites.net - azure.function.triggerPath=httptrigger - azure.function.application-id.uri=<function-app-application-ID-uri> - ``` --1. Use the following command to package your sample app: -- ```bash - mvn clean package - ``` --1. Use the following command to deploy the app to Azure Spring Apps: -- ```azurecli - az spring app deploy \ - --resource-group <resource-group-name> \ - --service <Azure-Spring-Apps-instance-name> \ - --name "msiapp" \ - --artifact-path target/asc-managed-identity-function-sample-0.1.0.jar - ``` --1. Use the following command to access the public endpoint or test endpoint to test your app: -- ```bash - curl https://<Azure-Spring-Apps-instance-name>-msiapp.azuremicroservices.io/func/springcloud - ``` -- The following message is returned in the response body. -- ```output - Function Response: Hello, springcloud. This HTTP triggered function executed successfully. - ``` --## Next steps --- [How to enable system-assigned managed identity for applications in Azure Spring Apps](./how-to-enable-system-assigned-managed-identity.md)-- [What are managed identities for Azure resources?](/entra/identity/managed-identities-azure-resources/overview)-- [Configure client apps to access your App Service](../app-service/configure-authentication-provider-aad.md#configure-client-apps-to-access-your-app-service) |
spring-apps | Vnet Customer Responsibilities | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/vnet-customer-responsibilities.md | - Title: "Customer responsibilities running Azure Spring Apps in a virtual network" -description: This article describes customer responsibilities running Azure Spring Apps in a virtual network. ---- Previously updated : 11/02/2021----# Customer responsibilities for running Azure Spring Apps in a virtual network --> [!NOTE] -> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. --**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise --This article includes specifications for the use of Azure Spring Apps in a virtual network. --When Azure Spring Apps is deployed in your virtual network, it has outbound dependencies on services outside of the virtual network. For management and operational purposes, Azure Spring Apps must access certain ports and fully qualified domain names (FQDNs). Azure Spring Apps requires these endpoints to communicate with the management plane and to download and install core Kubernetes cluster components and security updates. --By default, Azure Spring Apps has unrestricted outbound (egress) internet access. This level of network access allows applications you run to access external resources as needed. If you wish to restrict egress traffic, a limited number of ports and addresses must be accessible for maintenance tasks. The simplest solution to secure outbound addresses is use of a firewall device that can control outbound traffic based on domain names. Azure Firewall, for example, can restrict outbound HTTP and HTTPS traffic based on the FQDN of the destination. You can also configure your preferred firewall and security rules to allow these required ports and addresses. --## Azure Spring Apps resource requirements --The following list shows the resource requirements for Azure Spring Apps services. As a general requirement, you shouldn't modify resource groups created by Azure Spring Apps and the underlying network resources. --- Don't modify resource groups created and owned by Azure Spring Apps.- - By default, these resource groups are named `ap-svc-rt_<service-instance-name>_<region>*` and `ap_<service-instance-name>_<region>*`. - - Don't block Azure Spring Apps from updating resources in these resource groups. -- Don't modify subnets used by Azure Spring Apps.-- Don't create more than one Azure Spring Apps service instance in the same subnet.-- When using a firewall to control traffic, don't block the following egress traffic to Azure Spring Apps components that operate, maintain, and support the service instance.--## Azure Global required network rules --| Destination endpoint | Port | Use | Note | -|-||-|-| -| \*:443 *or* [ServiceTag](../virtual-network/service-tags-overview.md#available-service-tags) - AzureCloud:443 | TCP:443 | Azure Spring Apps Service Management. | For information about the service instance `requiredTraffics`, see the resource payload, under the `networkProfile` section. | -| \*.azurecr.io:443 *or* [ServiceTag](../virtual-network/service-tags-overview.md#available-service-tags) - AzureContainerRegistry:443 | TCP:443 | Azure Container Registry. | Can be replaced by enabling the *Azure Container Registry* [service endpoint in the virtual network](../virtual-network/virtual-network-service-endpoints-overview.md). | -| \*.core.windows.net:443 and \*.core.windows.net:445 *or* [ServiceTag](../virtual-network/service-tags-overview.md#available-service-tags) - Storage:443 and Storage:445 | TCP:443, TCP:445 | Azure Files | Can be replaced by enabling the *Azure Storage* [service endpoint in the virtual network](../virtual-network/virtual-network-service-endpoints-overview.md). | -| \*.servicebus.windows.net:443 *or* [ServiceTag](../virtual-network/service-tags-overview.md#available-service-tags) - EventHub:443 | TCP:443 | Azure Event Hubs. | Can be replaced by enabling the *Azure Event Hubs* [service endpoint in the virtual network](../virtual-network/virtual-network-service-endpoints-overview.md). | -| \*.prod.microsoftmetrics.com:443 *or* [ServiceTag](../virtual-network/service-tags-overview.md#available-service-tags) - AzureMonitor:443 | TCP:443 | Azure Monitor. | Allows outbound calls to Azure Monitor. | --## Azure Global required FQDN / application rules --Azure Firewall provides the FQDN tag **AzureKubernetesService** to simplify the following configurations: --| Destination FQDN | Port | Use | -|--|--|| -| <i>*.azmk8s.io</i> | HTTPS:443 | Underlying Kubernetes Cluster management. | -| <i>mcr.microsoft.com</i> | HTTPS:443 | Microsoft Container Registry (MCR). | -| <i>*.data.mcr.microsoft.com</i> | HTTPS:443 | MCR storage backed by the Azure CDN. | -| <i>management.azure.com</i> | HTTPS:443 | Underlying Kubernetes Cluster management. | -| <i>login.microsoftonline.com</i> | HTTPS:443 | Microsoft Entra authentication. | -| <i>packages.microsoft.com</i> | HTTPS:443 | Microsoft packages repository. | -| <i>acs-mirror.azureedge.net</i> | HTTPS:443 | Repository required to install required binaries like kubenet and Azure CNI. | --## Microsoft Azure operated by 21Vianet required network rules --| Destination endpoint | Port | Use | Note | -|--||-|-| -| \*:443 *or* [ServiceTag](../virtual-network/service-tags-overview.md#available-service-tags) - AzureCloud:443 | TCP:443 | Azure Spring Apps Service Management. | For information about the service instance `requiredTraffics`, see the resource payload, under the `networkProfile` section. | -| \*.azurecr.cn:443 *or* [ServiceTag](../virtual-network/service-tags-overview.md#available-service-tags) - AzureContainerRegistry:443 | TCP:443 | Azure Container Registry. | Can be replaced by enabling the *Azure Container Registry* [service endpoint in the virtual network](../virtual-network/virtual-network-service-endpoints-overview.md). | -| \*.core.chinacloudapi.cn:443 and \*.core.chinacloudapi.cn:445 *or* [ServiceTag](../virtual-network/service-tags-overview.md#available-service-tags) - Storage:443 and Storage:445 | TCP:443, TCP:445 | Azure Files | Can be replaced by enabling the *Azure Storage* [service endpoint in the virtual network](../virtual-network/virtual-network-service-endpoints-overview.md). | -| \*.servicebus.chinacloudapi.cn:443 *or* [ServiceTag](../virtual-network/service-tags-overview.md#available-service-tags) - EventHub:443 | TCP:443 | Azure Event Hubs. | Can be replaced by enabling the *Azure Event Hubs* [service endpoint in the virtual network](../virtual-network/virtual-network-service-endpoints-overview.md). | -| \*.prod.microsoftmetrics.com:443 *or* [ServiceTag](../virtual-network/service-tags-overview.md#available-service-tags) - AzureMonitor:443 | TCP:443 | Azure Monitor. | Allows outbound calls to Azure Monitor. | --## Microsoft Azure operated by 21Vianet required FQDN / application rules --Azure Firewall provides the FQDN tag `AzureKubernetesService` to simplify the following configurations: --| Destination FQDN | Port | Use | -||--|| -| <i>*.cx.prod.service.azk8s.cn</i> | HTTPS:443 | Underlying Kubernetes Cluster management. | -| <i>mcr.microsoft.com</i> | HTTPS:443 | Microsoft Container Registry (MCR). | -| <i>*.data.mcr.microsoft.com</i> | HTTPS:443 | MCR storage backed by the Azure CDN. | -| <i>management.chinacloudapi.cn</i> | HTTPS:443 | Underlying Kubernetes Cluster management. | -| <i>login.chinacloudapi.cn</i> | HTTPS:443 | Microsoft Entra authentication. | -| <i>packages.microsoft.com</i> | HTTPS:443 | Microsoft packages repository. | -| <i>*.azk8s.cn</i> | HTTPS:443 | Repository required to install required binaries like kubenet and Azure CNI. | --## Azure Spring Apps optional FQDN for third-party application performance management --| Destination FQDN | Port | Use | -|||| -| <i>collector*.newrelic.com</i> | TCP:443/80 | Required networks of New Relic APM agents from US region, also see [APM Agents Networks](https://docs.newrelic.com/docs/using-new-relic/cross-product-functions/install-configure/networks/#agents). | -| <i>collector*.eu01.nr-data.net</i> | TCP:443/80 | Required networks of New Relic APM agents from EU region, also see [APM Agents Networks](https://docs.newrelic.com/docs/using-new-relic/cross-product-functions/install-configure/networks/#agents). | -| <i>*.live.dynatrace.com</i> | TCP:443 | Required network of Dynatrace APM agents. | -| <i>*.live.ruxit.com</i> | TCP:443 | Required network of Dynatrace APM agents. | -| <i>*.saas.appdynamics.com</i> | TCP:443/80 | Required network of AppDynamics APM agents, also see [SaaS Domains and IP Ranges](https://docs.appdynamics.com/display/PAA/SaaS+Domains+and+IP+Ranges). | --## Azure Spring Apps optional FQDN for Application Insights --You need to open some outgoing ports in your server's firewall to allow the Application Insights SDK or the Application Insights Agent to send data to the portal. For more information, see the [Outgoing ports](../azure-monitor/ip-addresses.md#outgoing-ports) section of [IP addresses used by Azure Monitor](../azure-monitor/ip-addresses.md). --## Next steps --- [Access your application in a private network](access-app-virtual-network.md)-- [Expose applications with end-to-end TLS in a virtual network](expose-apps-gateway-end-to-end-tls.md) |
stream-analytics | Blob Storage Azure Data Lake Gen2 Output | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/blob-storage-azure-data-lake-gen2-output.md | Azure Blob storage offers a cost-effective and scalable solution for storing lar ## Output configuration -The following table lists the property names and their descriptions for creating a blob or ADLS Gen2 output. +The following table lists the property names and their descriptions for creating a blob or Azure Data Lake Storage Gen2 output. | Property name | Description | | - | | The following table lists the property names and their descriptions for creating | Storage account | The name of the storage account where you're sending your output. | | Storage account key | The secret key associated with the storage account. | | Container | A logical grouping for blobs stored in the Azure Blob service. When you upload a blob to the Blob service, you must specify a container for that blob. <br /><br /> Dynamic container name is optional. It supports one and only one dynamic {field} in the container name. The field must exist in the output data, and follow the [container name policy](/rest/api/storageservices/naming-and-referencing-containers--blobs--and-metadata).<br /><br />The field data type must be `string`. To use multiple dynamic fields, or combine static text along with dynamic field, you can define it in the query with built-in string functions, like CONCAT, LTRIM, etc. |-| Event serialization format | Serialization format for output data. JSON, CSV, Avro, and Parquet are supported. Delta Lake is listed as an option here. The data will be in Parquet format if Delta Lake is selected. Learn more about [Delta Lake](write-to-delta-lake.md) | +| Event serialization format | Serialization format for output data. JSON, CSV, Avro, and Parquet are supported. Delta Lake is listed as an option here. The data is in Parquet format if Delta Lake is selected. Learn more about [Delta Lake](write-to-delta-lake.md) | | Delta path name | Required when Event serialization format is Delta Lake. The path that is used to write the delta lake table within the specified container. It includes the table name. [More details and examples.](write-to-delta-lake.md) | -|Write Mode | Write mode controls the way ASA writes to output file. Exactly once delivery only happens when write mode is Once. More information in the section below. | +|Write Mode | Write mode controls the way Azure Stream Analytics writes to output file. Exactly once delivery only happens when write mode is Once. More information in the next section. | | Partition Column | Optional. The {field} name from your output data to partition. Only one partition column is supported. |-| Path pattern | Required when Event serialization format is Delta lake. The file path pattern that's used to write your blobs within the specified container. <br /><br /> In the path pattern, you can choose to use one or more instances of the date and time variables to specify the frequency that blobs are written: {date}, {time}. <br /><br />Note that if your write mode is Once, you need to use both {date} and {time}. <br /><br />You can use custom blob partitioning to specify one custom {field} name from your event data to partition blobs. The field name is alphanumeric and can include spaces, hyphens, and underscores. Restrictions on custom fields include the following: <ul><li>No dynamic custom {field} name is allowed if your write mode is Once. </li><li>Field names aren't case-sensitive. For example, the service can't differentiate between column "ID" and column "id."</li><li>Nested fields aren't permitted. Instead, use an alias in the job query to "flatten" the field.</li><li>Expressions can't be used as a field name.</li></ul> <br />This feature enables the use of custom date/time format specifier configurations in the path. Custom date and time formats must be specified one at a time, enclosed by the {datetime:\<specifier>} keyword. Allowable inputs for \<specifier> are yyyy, MM, M, dd, d, HH, H, mm, m, ss, or s. The {datetime:\<specifier>} keyword can be used multiple times in the path to form custom date/time configurations. <br /><br />Examples: <ul><li>Example 1: cluster1/logs/{date}/{time}</li><li>Example 2: cluster1/logs/{date}</li><li>Example 3: cluster1/{client_id}/{date}/{time}</li><li>Example 4: `cluster1/{datetime:ss}/{myField}` where the query is: SELECT data.myField AS myField FROM Input;</li><li>Example 5: cluster1/year={datetime:yyyy}/month={datetime:MM}/day={datetime:dd}</ul><br />The time stamp of the created folder structure follows UTC and not local time. [System.Timestamp](./stream-analytics-time-handling.md#choose-the-best-starting-time) is the time used for all time based partitioning.<br /><br />File naming uses the following convention: <br /><br />{Path Prefix Pattern}/schemaHashcode_Guid_Number.extension<br /><br /> Here Guid represents the unique identifier assigned to an internal writer that is created to write to a blob file. The number represents index of the blob block. <br /><br /> Example output files:<ul><li>Myoutput/20170901/00/45434_gguid_1.csv</li> <li>Myoutput/20170901/01/45434_gguid_1.csv</li></ul> <br />For more information about this feature, see [Azure Stream Analytics custom blob output partitioning](stream-analytics-custom-path-patterns-blob-storage-output.md). | +| Path pattern | Required when Event serialization format is Delta lake. The file path pattern that's used to write your blobs within the specified container. <br /><br /> In the path pattern, you can choose to use one or more instances of the date and time variables to specify the frequency that blobs are written: {date}, {time}. <br /><br />If your write mode is Once, you need to use both {date} and {time}. <br /><br />You can use custom blob partitioning to specify one custom {field} name from your event data to partition blobs. The field name is alphanumeric and can include spaces, hyphens, and underscores. Restrictions on custom fields include the following ones: <ul><li>No dynamic custom {field} name is allowed if your write mode is Once. </li><li>Field names aren't case-sensitive. For example, the service can't differentiate between column `ID` and column `id`."</li><li>Nested fields aren't permitted. Instead, use an alias in the job query to "flatten" the field.</li><li>Expressions can't be used as a field name.</li></ul> <br />This feature enables the use of custom date/time format specifier configurations in the path. Custom date and time formats must be specified one at a time, enclosed by the {datetime:\<specifier>} keyword. Allowable inputs for \<specifier> are yyyy, MM, M, dd, d, HH, H, mm, m, ss, or s. The {datetime:\<specifier>} keyword can be used multiple times in the path to form custom date/time configurations. <br /><br />Examples: <ul><li>Example 1: cluster1/logs/{date}/{time}</li><li>Example 2: cluster1/logs/{date}</li><li>Example 3: cluster1/{client_id}/{date}/{time}</li><li>Example 4: `cluster1/{datetime:ss}/{myField}` where the query is: SELECT data.myField AS myField FROM Input;</li><li>Example 5: cluster1/year={datetime:yyyy}/month={datetime:MM}/day={datetime:dd}</ul><br />The time stamp of the created folder structure follows UTC and not local time. [System.Timestamp](./stream-analytics-time-handling.md#choose-the-best-starting-time) is the time used for all time based partitioning.<br /><br />File naming uses the following convention: <br /><br />{Path Prefix Pattern}/schemaHashcode_Guid_Number.extension<br /><br /> Here Guid represents the unique identifier assigned to an internal writer that is created to write to a blob file. The number represents index of the blob block. <br /><br /> Example output files:<ul><li>Myoutput/20170901/00/45434_gguid_1.csv</li> <li>Myoutput/20170901/01/45434_gguid_1.csv</li></ul> <br />For more information about this feature, see [Azure Stream Analytics custom blob output partitioning](stream-analytics-custom-path-patterns-blob-storage-output.md). | | Date format | Required when Event serialization format is Delta lake. If the date token is used in the prefix path, you can select the date format in which your files are organized. Example: YYYY/MM/DD | | Time format | Required when Event serialization format is Delta lake. If the time token is used in the prefix path, specify the time format in which your files are organized.|-|Minimum rows |The number of minimum rows per batch. For Parquet, every batch will create a new file. The current default value is 2,000 rows and the allowed maximum is 10,000 rows.| +|Minimum rows |The number of minimum rows per batch. For Parquet, every batch creates a new file. The current default value is 2,000 rows and the allowed maximum is 10,000 rows.| |Maximum time |The maximum wait time per batch. After this time, the batch will be written to the output even if the minimum rows requirement isn't met. The current default value is 1 minute and the allowed maximum is 2 hours. If your blob output has path pattern frequency, the wait time can't be higher than the partition time range.| | Encoding | If you're using CSV or JSON format, an encoding must be specified. UTF-8 is the only supported encoding format at this time. |-| Delimiter | Applicable only for CSV serialization. Stream Analytics supports a number of common delimiters for serializing CSV data. Supported values are comma, semicolon, space, tab, and vertical bar. | +| Delimiter | Applicable only for CSV serialization. Stream Analytics supports many common delimiters for serializing CSV data. Supported values are comma, semicolon, space, tab, and vertical bar. | | Format | Applicable only for JSON serialization. **Line separated** specifies that the output is formatted by having each JSON object separated by a new line. If you select **Line separated**, the JSON is read one object at a time. The whole content by itself wouldn't be a valid JSON. **Array** specifies that the output is formatted as an array of JSON objects. This array is closed only when the job stops or Stream Analytics has moved on to the next time window. In general, it's preferable to use line-separated JSON, because it doesn't require any special handling while the output file is still being written to. | ## Exactly Once Delivery (Public Preview) -End-to-end exactly once delivery when reading any streaming input means that processed data will be written to Azure Data Lake Storage Gen2 output once without duplicates. When the feature is enabled, your Stream Analytics job guarantees no data loss and no duplicates being produced as output, across user-initiated restart from last output time. This greatly simplifies your streaming pipeline by not having to implement and troubleshoot deduplication logic. +End-to-end exactly once delivery when reading any streaming input means that processed data will be written to Azure Data Lake Storage Gen2 output once without duplicates. When the feature is enabled, your Stream Analytics job guarantees no data loss and no duplicates being produced as output, across user-initiated restart from last output time. It greatly simplifies your streaming pipeline by not having to implement and troubleshoot deduplication logic. ### Write Mode There's no write mode option for Delta Lake. However Delta lake output also prov ### Configuration -To receive exactly once delivery for your Blob storage or ADLS Gen2 account, you need to configure as below: +To receive exactly once delivery for your Blob storage or ADLS Gen2 account, you need to configure the following settings: * Select **Once after all results of time partition is available** for your **Write Mode**. * Provide **Path Pattern** with both {date} and {time} specified. To receive exactly once delivery for your Blob storage or ADLS Gen2 account, you * [Substream](/stream-analytics-query/timestamp-by-azure-stream-analytics) isn't supported. * Path Pattern becomes a required property, and must contain both{date} and {time}. No dynamic custom {field} name is allowed. Learn more about [custom path pattern](stream-analytics-custom-path-patterns-blob-storage-output.md).-* If the job is started at a **custom time** before or after the last output time, there's risk of file being overwritten. For example, when the **time format** is HH, the file is generated every hour. If you stop the job at 8:15am, and restart the job at 8:30am, the file generated between 8am to 9am will only cover data from 8:30am to 9am. The data from 8am to 8:15am will be lost as it's overwritten. +* If the job is started at a **custom time** before or after the last output time, there's risk of file being overwritten. For example, when the **time format** is HH, the file is generated every hour. If you stop the job at 8:15am, and restart the job at 8:30am, the file generated between 8am to 9am only covers data from 8:30am to 9am. The data from 8am to 8:15am gets lost as it's overwritten. ## Blob output files When you're using Blob storage as output, a new file is created in the blob in t * The file exceeds the maximum number of allowed blocks (currently 50,000). You might reach the maximum allowed number of blocks without reaching the maximum allowed blob size. For example, if the output rate is high, you can see more bytes per block, and the file size is larger. If the output rate is low, each block has less data, and the file size is smaller. * There's a schema change in the output, and the output format requires fixed schema (CSV, Avro, Parquet). * A job is restarted, either externally by a user stopping it and starting it, or internally for system maintenance or error recovery.-* Query is fully partitioned, and a new file is created for each output partition. This comes from using PARTITION BY, or the native parallelization introduced in [compatibility level 1.2](stream-analytics-compatibility-level.md#parallel-query-execution-for-input-sources-with-multiple-partitions) +* Query is fully partitioned, and a new file is created for each output partition. It comes from using PARTITION BY, or the native parallelization introduced in [compatibility level 1.2](stream-analytics-compatibility-level.md#parallel-query-execution-for-input-sources-with-multiple-partitions) * User deletes a file or a container of the storage account. * Output is time partitioned by using the path prefix pattern, and a new blob is used when the query moves to the next hour. * Output is partitioned by a custom field, and a new blob is created per partition key if it doesn't exist. For the maximum message size, see [Azure Storage limits](../azure-resource-manag ## Limitations -* If a forward slash symbol `/` is used in the path pattern (e.g /folder2/folder3), then empty folders will be created and they won't be visible in Storage Explorer -* Azure Stream Analytics appends to the same file in cases where a new blob file isn't needed. Note that this could cause additional triggers to be generated if Azure services like Event Grid are configured to be triggered on blob file update -* Azure Stream Analytics appends to blob by default. When the output format is a Json array, it completes the file on shutdown or when the output moves to the next time partition for time partitioned outputs. In some cases such as an unclean restart, it's possible that the closing "]" for json array may be missing. +* If a forward slash symbol `/` is used in the path pattern (e.g /folder2/folder3), then empty folders are created and they aren't visible in Storage Explorer +* Azure Stream Analytics appends to the same file in cases where a new blob file isn't needed. It could cause more triggers to be generated if Azure services like Event Grid are configured to be triggered on blob file update. +* Azure Stream Analytics appends to blob by default. When the output format is a Json array, it completes the file on shutdown or when the output moves to the next time partition for time partitioned outputs. In some cases such as an unclean restart, it's possible that the closing "]" for json array is missing. ## Next steps |
stream-analytics | Stream Analytics Parallelization | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/stream-analytics-parallelization.md | Title: Use query parallelization and scale in Azure Stream Analytics -description: This article describes how to scale Stream Analytics jobs by configuring input partitions, tuning the query definition, and setting job streaming units. +description: This article describes how to scale Stream Analytics jobs by configuring input partitions, tune the query definition, and set job streaming units. Previously updated : 05/10/2022 Last updated : 01/29/2024 -# Leverage query parallelization in Azure Stream Analytics -This article shows you how to take advantage of parallelization in Azure Stream Analytics. You learn how to scale Stream Analytics jobs by configuring input partitions and tuning the analytics query definition. -As a prerequisite, you may want to be familiar with the notion of Streaming Unit described in [Understand and adjust Streaming Units](stream-analytics-streaming-unit-consumption.md). +# Use query parallelization in Azure Stream Analytics +This article shows you how to take advantage of parallelization in Azure Stream Analytics. You learn how to scale Stream Analytics jobs by configuring input partitions and tuning the analytics query definition. ++As a prerequisite, you might want to be familiar with the notion of streaming unit described in [Understand and adjust streaming units](stream-analytics-streaming-unit-consumption.md). ## What are the parts of a Stream Analytics job?+ A Stream Analytics job definition includes at least one streaming input, a query, and output. Inputs are where the job reads the data stream from. The query is used to transform the data input stream, and the output is where the job sends the job results to. ## Partitions in inputs and outputs-Partitioning lets you divide data into subsets based on a [partition key](../event-hubs/event-hubs-scalability.md#partitions). If your input (for example Event Hubs) is partitioned by a key, it's highly recommended to specify this partition key when adding input to your Stream Analytics job. Scaling a Stream Analytics job takes advantage of partitions in the input and output. A Stream Analytics job can consume and write different partitions in parallel, which increases throughput. ++Partitioning lets you divide data into subsets based on a [partition key](../event-hubs/event-hubs-scalability.md#partitions). If your input (for example Event Hubs) is partitioned by a key, we recommend that you specify the partition key when adding an input to your Stream Analytics job. Scaling a Stream Analytics job takes advantage of partitions in the input and output. A Stream Analytics job can consume and write different partitions in parallel, which increases throughput. ### Inputs -All Azure Stream Analytics streaming inputs can take advantage of partitioning: Event Hubs, IoT Hub, Blob storage. +All Azure Stream Analytics streaming inputs can take advantage of partitioning: Event Hubs, IoT Hub, Blob storage, Data Lake Storage Gen2. > [!NOTE] > For compatibility level 1.2 and above, the partition key is to be set as an **input property**, with no need for the PARTITION BY keyword in the query. For compatibility level 1.1 and below, the partition key instead needs to be defined with the PARTITION BY keyword **in the query**. All Azure Stream Analytics streaming inputs can take advantage of partitioning: ### Outputs When you work with Stream Analytics, you can take advantage of partitioning in the outputs:-- Azure Data Lake Storage-- Azure Functions-- Azure Table-- Blob storage (can set the partition key explicitly)-- Azure Cosmos DB (need to set the partition key explicitly)-- Event Hubs (need to set the partition key explicitly)-- IoT Hub (need to set the partition key explicitly)-- Service Bus++- Azure Data Lake Storage +- Azure Functions +- Azure Table +- Blob storage (can set the partition key explicitly) +- Azure Cosmos DB (need to set the partition key explicitly) +- Event Hubs (need to set the partition key explicitly) +- IoT Hub (need to set the partition key explicitly) +- Service Bus - SQL and Azure Synapse Analytics with optional partitioning: see more information on the [Output to Azure SQL Database page](./stream-analytics-sql-output-perf.md). -Power BI doesn't support partitioning. However you can still partition the input as described in [this section](#multi-step-query-with-different-partition-by-values) +Power BI doesn't support partitioning. However you can still partition the input as described in [this section](#multi-step-query-with-different-partition-by-values). For more information about partitions, see the following articles: For more information about partitions, see the following articles: ### Query -For a job to be parallel, partition keys need to be aligned between all inputs, all query logic steps and all outputs. The query logic partitioning is determined by the keys used for joins and aggregations (GROUP BY). This last requirement can be ignored if the query logic isn't keyed (projection, filters, referential joins...). +For a job to be parallel, partition keys need to be aligned between all inputs, all query logic steps, and all outputs. The query logic partitioning is determined by the keys used for joins and aggregations (GROUP BY). This last requirement can be ignored if the query logic isn't keyed (projection, filters, referential joins...). -* If an input and an output are partitioned by WarehouseId, and the query groups by ProductId without WarehouseId, then the job isn't parallel. -* If two inputs to be joined are partitioned by different partition keys (WarehouseId and ProductId), then the job isn't parallel. +* If an input and an output are partitioned by `WarehouseId`, and the query groups by `ProductId` without `WarehouseId`, then the job isn't parallel. +* If two inputs to be joined are partitioned by different partition keys (`WarehouseId` and `ProductId`), then the job isn't parallel. * If two or more independent data flows are contained in a single job, each with its own partition key, then the job isn't parallel. -Only when all inputs, outputs and query steps are using the same key will the job be parallel. +Only when all inputs, outputs and query steps are using the same key, the job is parallel. ## Embarrassingly parallel jobs-An *embarrassingly parallel* job is the most scalable scenario in Azure Stream Analytics. It connects one partition of the input to one instance of the query to one partition of the output. This parallelism has the following requirements: --1. If your query logic depends on the same key being processed by the same query instance, you must make sure that the events go to the same partition of your input. For Event Hubs or IoT Hub, this means that the event data must have the **PartitionKey** value set. Alternatively, you can use partitioned senders. For blob storage, this means that the events are sent to the same partition folder. An example would be a query instance that aggregates data per userID where input event hub is partitioned using userID as partition key. However, if your query logic doesn't require the same key to be processed by the same query instance, you can ignore this requirement. An example of this logic would be a simple select-project-filter query. -2. The next step is to make your query be partitioned. For jobs with compatibility level 1.2 or higher (recommended), custom column can be specified as Partition Key in the input settings and the job will be paralelled automatically. Jobs with compatibility level 1.0 or 1.1, requires you to use **PARTITION BY PartitionId** in all the steps of your query. Multiple steps are allowed, but they all must be partitioned by the same key. --3. Most of the outputs supported in Stream Analytics can take advantage of partitioning. If you use an output type that doesn't support partitioning your job won't be *embarrassingly parallel*. For Event Hubs output, ensure **Partition key column** is set to the same partition key used in the query. Refer to the [output section](#outputs) for more details. +An *embarrassingly parallel* job is the most scalable scenario in Azure Stream Analytics. It connects one partition of the input to one instance of the query to one partition of the output. This parallelism has the following requirements: -4. The number of input partitions must equal the number of output partitions. Blob storage output can support partitions and inherits the partitioning scheme of the upstream query. When a partition key for Blob storage is specified, data is partitioned per input partition thus the result is still fully parallel. Here are examples of partition values that allow a fully parallel job: +- If your query logic depends on the same key being processed by the same query instance, you must make sure that the events go to the same partition of your input. For Event Hubs or IoT Hub, it means that the event data must have the **PartitionKey** value set. Alternatively, you can use partitioned senders. For blob storage, this means that the events are sent to the same partition folder. An example would be a query instance that aggregates data per userID where input event hub is partitioned using userID as partition key. However, if your query logic doesn't require the same key to be processed by the same query instance, you can ignore this requirement. An example of this logic would be a simple select-project-filter query. +- The next step is to make your query be partitioned. For jobs with compatibility level 1.2 or higher (recommended), custom column can be specified as Partition Key in the input settings and the job will be parallel automatically. Jobs with compatibility level 1.0 or 1.1, requires you to use **PARTITION BY PartitionId** in all the steps of your query. Multiple steps are allowed, but they all must be partitioned by the same key. +- Most of the outputs supported in Stream Analytics can take advantage of partitioning. If you use an output type that doesn't support partitioning your job won't be *embarrassingly parallel*. For Event Hubs output, ensure **Partition key column** is set to the same partition key used in the query. For more information, see [output section](#outputs). +- The number of input partitions must equal the number of output partitions. Blob storage output can support partitions and inherits the partitioning scheme of the upstream query. When a partition key for Blob storage is specified, data is partitioned per input partition thus the result is still fully parallel. Here are examples of partition values that allow a fully parallel job: * Eight event hub input partitions and eight event hub output partitions * Eight event hub input partitions and blob storage output The following sections discuss some example scenarios that are embarrassingly pa ### Simple query -* Input: Event hub with eight partitions -* Output: Event hub with eight partitions ("Partition key column" must be set to use "PartitionId") +* Input: An event hub with eight partitions +* Output: An event hub with eight partitions ("Partition key column" must be set to use `PartitionId`) Query: Query: GROUP BY TumblingWindow(minute, 3), TollBoothId, PartitionId ``` -This query has a grouping key. Therefore, the events grouped together must be sent to the same Event Hubs partition. Since in this example we group by TollBoothID, we should be sure that TollBoothID is used as the partition key when the events are sent to Event Hubs. Then in ASA, we can use **PARTITION BY PartitionId** to inherit from this partition scheme and enable full parallelization. Since the output is blob storage, we don't need to worry about configuring a partition key value, as per requirement #4. +This query has a grouping key. Therefore, the events grouped together must be sent to the same Event Hubs partition. Since in this example we group by TollBoothID, we should be sure that `TollBoothID` is used as the partition key when the events are sent to Event Hubs. Then in Azure Stream Analytics, you can use **PARTITION BY PartitionId** to inherit from this partition scheme and enable full parallelization. Since the output is blob storage, we don't need to worry about configuring a partition key value, as per requirement #4. -## Example of scenarios that are *not* embarrassingly parallel +## Example of scenarios that aren't* embarrassingly parallel -In the previous section, we showed some embarrassingly parallel scenarios. In this section, we discuss scenarios that don't meet all the requirements to be embarrassingly parallel. +In the previous section, the article covered some embarrassingly parallel scenarios. In this section, you learn about scenarios that don't meet all the requirements to be embarrassingly parallel. ### Mismatched partition count-* Input: Event hub with eight partitions -* Output: Event hub with 32 partitions +* Input: An event hub with eight partitions +* Output: An event hub with 32 partitions If the input partition count doesn't match the output partition count, the topology isn't embarrassingly parallel irrespective of the query. However we can still get some level of parallelization. ### Query using non-partitioned output-* Input: Event hub with eight partitions +* Input: An event hub with eight partitions * Output: Power BI Power BI output doesn't currently support partitioning. Therefore, this scenario isn't embarrassingly parallel. As you can see, the second step uses **TollBoothId** as the partitioning key. Th ### Multi-step query with different PARTITION BY values * Input: Event hub with eight partitions ("Partition key column" not set, default to "PartitionId") * Output: Event hub with eight partitions ("Partition key column" must be set to use "TollBoothId")-* Compatibility level - 1.2 or above +* Compatibility level - 1.2 or higher Query: Partitioning a step requires the following conditions: * The **SELECT** statement of the query must read from a partitioned input source. * The query within the step must have the **PARTITION BY** keyword. -When a query is partitioned, the input events are processed and aggregated in separate partition groups, and outputs events are generated for each of the groups. If you want a combined aggregate, you must create a second non-partitioned step to aggregate. +When a query is partitioned, the input events are processed and aggregated in separate partition groups, and outputs events are generated for each of the groups. If you want a combined aggregate, you must create a second nonpartitioned step to aggregate. ### Calculate the max streaming units for a job-All non-partitioned steps together can scale up to one streaming unit (SU V2s) for a Stream Analytics job. In addition, you can add 1 SU V2 for each partition in a partitioned step. -You can see some **examples** in the table below. +All nonpartitioned steps together can scale up to one streaming unit (SU V2s) for a Stream Analytics job. In addition, you can add one SU V2 for each partition in a partitioned step. +You can see some **examples** in the following table. | Query | Max SUs for the job | | | - | | <ul><li>The query contains one step.</li><li>The step isn't partitioned.</li></ul> | 1 SU V2 | | <ul><li>The input data stream is partitioned by 16.</li><li>The query contains one step.</li><li>The step is partitioned.</li></ul> | 16 SU V2 (1 * 16 partitions) | | <ul><li>The query contains two steps.</li><li>Neither of the steps is partitioned.</li></ul> | 1 SU V2 |-| <ul><li>The input data stream is partitioned by 3.</li><li>The query contains two steps. The input step is partitioned and the second step isn't.</li><li>The <strong>SELECT</strong> statement reads from the partitioned input.</li></ul> | 4 SU V2s (3 for partitioned steps + 1 for non-partitioned steps | +| <ul><li>The input data stream is partitioned by 3.</li><li>The query contains two steps. The input step is partitioned and the second step isn't.</li><li>The <strong>SELECT</strong> statement reads from the partitioned input.</li></ul> | 4 SU V2s (3 for partitioned steps + 1 for nonpartitioned steps | ### Examples of scaling To use more SUs for the query, both the input data stream and the query must be When a query is partitioned, the input events are processed and aggregated in separate partition groups. Output events are also generated for each of the groups. Partitioning can cause some unexpected results when the **GROUP BY** field isn't the partition key in the input data stream. For example, the **TollBoothId** field in the previous query isn't the partition key of **Input1**. The result is that the data from TollBooth #1 can be spread in multiple partitions. -Each of the **Input1** partitions will be processed separately by Stream Analytics. As a result, multiple records of the car count for the same tollbooth in the same Tumbling window will be created. If the input partition key can't be changed, this problem can be fixed by adding a non-partition step to aggregate values across partitions, as in the following example: +Each of the **Input1** partitions will be processed separately by Stream Analytics. As a result, multiple records of the car count for the same tollbooth in the same Tumbling window will be created. If the input partition key can't be changed, this problem can be fixed by adding a nonpartition step to aggregate values across partitions, as in the following example: ```SQL WITH Step1 AS ( This query can be scaled to 4 SU V2s. ## Achieving higher throughputs at scale -An [embarrassingly parallel](#embarrassingly-parallel-jobs) job is necessary but not sufficient to sustain a higher throughput at scale. Every storage system, and its corresponding Stream Analytics output, has variations on how to achieve the best possible write throughput. As with any at-scale scenario, there are some challenges which can be solved by using the right configurations. This section discusses configurations for a few common outputs and provides samples for sustaining ingestion rates of 1 K, 5 K and 10 K events per second. +An [embarrassingly parallel](#embarrassingly-parallel-jobs) job is necessary but not sufficient to sustain a higher throughput at scale. Every storage system, and its corresponding Stream Analytics output, has variations on how to achieve the best possible write throughput. As with any at-scale scenario, there are some challenges that can be solved by using the right configurations. This section discusses configurations for a few common outputs and provides samples for sustaining ingestion rates of 1 K, 5 K, and 10 K events per second. -The following observations use a Stream Analytics job with stateless (passthrough) query, a basic JavaScript UDF which writes to Event Hubs, Azure SQL, or Azure Cosmos DB. +The following observations use a Stream Analytics job with stateless (passthrough) query, a basic JavaScript UDF that writes to Event Hubs, Azure SQL, or Azure Cosmos DB. #### Event Hubs The [Event Hubs](https://github.com/Azure-Samples/streaming-at-scale/tree/main/e | 5 K | 3 | P4 | | 10 K | 6 | P6 | -[Azure SQL](https://github.com/Azure-Samples/streaming-at-scale/tree/main/eventhubs-streamanalytics-azuresql) supports writing in parallel, called Inherit Partitioning, but it's not enabled by default. However, enabling Inherit Partitioning, along with a fully parallel query, may not be sufficient to achieve higher throughputs. SQL write throughputs depend significantly on your database configuration and table schema. The [SQL Output Performance](./stream-analytics-sql-output-perf.md) article has more detail about the parameters that can maximize your write throughput. As noted in the [Azure Stream Analytics output to Azure SQL Database](./stream-analytics-sql-output-perf.md#azure-stream-analytics) article, this solution doesn't scale linearly as a fully parallel pipeline beyond 8 partitions and may need repartitioning before SQL output (see [INTO](/stream-analytics-query/into-azure-stream-analytics#into-shard-count)). Premium SKUs are needed to sustain high IO rates along with overhead from log backups happening every few minutes. +[Azure SQL](https://github.com/Azure-Samples/streaming-at-scale/tree/main/eventhubs-streamanalytics-azuresql) supports writing in parallel, called Inherit Partitioning, but it's not enabled by default. However, enabling Inherit Partitioning, along with a fully parallel query, might not be sufficient to achieve higher throughputs. SQL write throughputs depend significantly on your database configuration and table schema. The [SQL Output Performance](./stream-analytics-sql-output-perf.md) article has more detail about the parameters that can maximize your write throughput. As noted in the [Azure Stream Analytics output to Azure SQL Database](./stream-analytics-sql-output-perf.md#azure-stream-analytics) article, this solution doesn't scale linearly as a fully parallel pipeline beyond 8 partitions and might need repartitioning before SQL output (see [INTO](/stream-analytics-query/into-azure-stream-analytics#into-shard-count)). Premium SKUs are needed to sustain high IO rates along with overhead from log backups happening every few minutes. #### Azure Cosmos DB |Ingestion Rate (events per second) | Streaming Units | Output Resources | |-|-||-| 1 K | 2/3 | 20K RU | -| 5 K | 4 | 60K RU | -| 10 K | 8 | 120K RU | +| 1 K | 2/3 | 20 K RU | +| 5 K | 4 | 60 K RU | +| 10 K | 8 | 120 K RU | [Azure Cosmos DB](https://github.com/Azure-Samples/streaming-at-scale/tree/main/eventhubs-streamanalytics-cosmosdb) output from Stream Analytics has been updated to use native integration under [compatibility level 1.2](./stream-analytics-documentdb-output.md#improved-throughput-with-compatibility-level-12). Compatibility level 1.2 enables significantly higher throughput and reduces RU consumption compared to 1.1, which is the default compatibility level for new jobs. The solution uses Azure Cosmos DB containers partitioned on /deviceId and the rest of solution is identically configured. -All [Streaming at Scale Azure samples](https://github.com/Azure-Samples/streaming-at-scale) use Event Hubs as input that is fed by load simulating test clients. Each input event is a 1 KB JSON document, which translates configured ingestion rates to throughput rates (1MB/s, 5MB/s and 10MB/s) easily. Events simulate an IoT device sending the following JSON data (in a shortened form) for up to 1000 devices: +All [Streaming at Scale Azure samples](https://github.com/Azure-Samples/streaming-at-scale) use Event Hubs as input that is fed by load simulating test clients. Each input event is a 1 KB JSON document, which translates configured ingestion rates to throughput rates (1 MB/s, 5 MB/s, and 10 MB/s) easily. Events simulate an IoT device sending the following JSON data (in a shortened form) for up to 1,000 devices: ``` { |
stream-analytics | Streaming Technologies | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/streaming-technologies.md | There are several services available for real-time analytics and streaming proce ## When to use Azure Stream Analytics -Azure Stream Analytics is the recommended service for stream analytics on Azure. It's meant for a wide range of scenarios that include but aren't limited to: +Azure Stream Analytics is the recommended service for stream analytics on Azure. You can use it for a wide range of scenarios that include but aren't limited to: * Dashboards for data visualization * Real-time [alerts](stream-analytics-set-up-alerts.md) from temporal and spatial patterns or anomalies Azure Stream Analytics is the recommended service for stream analytics on Azure. * [Event Sourcing pattern](/azure/architecture/patterns/event-sourcing) * [IoT Edge](stream-analytics-edge.md) -Adding an Azure Stream Analytics job to your application is the fastest way to get streaming analytics up and running in Azure, using the SQL language you already know. Azure Stream Analytics is a job service, so you don't have to spend time managing clusters, and you don't have to worry about downtime with a 99.9% SLA at the job level. Billing is also done at the job level making startup costs low (one Streaming Unit), but scalable (up to 396 Streaming Units). It's much more cost effective to run a few Stream Analytics jobs than it is to run and maintain a cluster. +Adding an Azure Stream Analytics job to your application is the fastest way to get streaming analytics up and running in Azure, using the SQL language you already know. Azure Stream Analytics is a job service, so you don't have to spend time managing clusters, and you don't have to worry about downtime with a 99.9% Service Level Agreement (SLA) at the job level. Billing is also done at the job level making startup costs low (one Streaming Unit), but scalable (up to 396 Streaming Units). It's much more cost effective to run a few Stream Analytics jobs than it's to run and maintain a cluster. -Azure Stream Analytics has a rich out-of-the-box experience. You can immediately take advantage of the following features without any additional setup: +Azure Stream Analytics has a rich out-of-the-box experience. You can immediately take advantage of the following features without any extra setup: * Built-in temporal operators, such as [windowed aggregates](stream-analytics-window-functions.md), temporal joins, and temporal analytic functions. * Native Azure [input](stream-analytics-add-inputs.md) and [output](stream-analytics-define-outputs.md) adapters |
traffic-manager | Traffic Manager Faqs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/traffic-manager/traffic-manager-FAQs.md | Yes. To learn how to create an alias record for your domain name apex to referen ### Does Traffic Manager consider the client subnet address when handling DNS queries? -Yes, in addition to the source IP address of the DNS query it receives (which usually is the IP address of the DNS resolver), when performing lookups for Geographic, Performance, and Subnet routing methods, traffic manager also considers the client subnet address if it's included in the query by the resolver making the request on behalf of the end user. -Specifically, [RFC 7871 ΓÇô Client Subnet in DNS Queries](https://tools.ietf.org/html/rfc7871) that provides an [Extension Mechanism for DNS (EDNS0)](https://tools.ietf.org/html/rfc2671) which can pass on the client subnet address from resolvers that support it. +Yes. In addition to the source IP address of the DNS query (usually the DNS resolver's IP address), Traffic Manager also considers the client subnet address if it's included in the DNS query that is sent by the DNS resolver making the request on behalf of the end user. These IP addresses are used to optimize geographic, performance, and subnet routing methods. Specifically, [RFC 7871 ΓÇô Client Subnet in DNS Queries](https://tools.ietf.org/html/rfc7871) provides an [Extension Mechanism for DNS (EDNS0)](https://tools.ietf.org/html/rfc2671) can pass on the client subnet address from resolvers that support it. ### What is DNS TTL and how does it impact my users? No, the location of the endpoint imposes no restrictions on which regions can be ### Can I assign geographic regions to endpoints in a profile that isn't configured to do geographic routing? -Yes, if the routing method of a profile isn't geographic, you can use the [Azure Traffic Manager REST API](/rest/api/trafficmanager/) to assign geographic regions to endpoints in that profile. In the case of non-geographic routing type profiles, this configuration is ignored. If you change such a profile to geographic routing type at a later time, Traffic Manager can use those mappings. +Yes, if the routing method of a profile isn't geographic, you can use the [Azure Traffic Manager REST API](/rest/api/trafficmanager/) to assign geographic regions to endpoints in that profile. For non-geographic routing type profiles, this configuration is ignored. If you change such a profile to geographic routing type at a later time, Traffic Manager can use those mappings. ### Why am I getting an error when I try to change the routing method of an existing profile to Geographic? The IP addresses to associate with an endpoint can be specified in two ways. Fir - You can't overlap address ranges since each IP address needs to be mapped to only a single endpoint - The start address can't be more than the end address-- In the case of the CIDR notation, the IP address before the '/' should be the start address of that range (for example, 1.2.3.0/24 is valid but 1.2.3.4.4/24 is NOT valid)+- For the CIDR notation, the IP address before the '/' should be the network address of that range (for example, 1.2.3.0/24 is valid but 1.2.3.4.4/24 is NOT valid) ### How can I specify a fallback endpoint when using Subnet routing? For profiles with routing method set to MultiValue: ### Can I use a profile with IPv4 / IPv6 addressed endpoints in a nested profile? -Yes, you can with the exception that a profile of type MultiValue can't be a parent profile in a nested profile set. +Yes you can, with the exception that a profile of type *MultiValue* can't be a parent profile in a nested profile set. ### I stopped a web application endpoint in my Traffic Manager profile but I'm not receiving any traffic even after I restarted it. How can I fix this? The following table describes the behavior of Traffic Manager health checks for | CheckingEndpoints. At least one child profile endpoint is 'CheckingEndpoint'. No endpoints are 'Online' or 'Degraded' |Same as above. | | | Inactive. All child profile endpoints are either Disabled or Stopped, or this profile has no endpoints. |Stopped | | +> [!NOTE] +> When managing child profiles under a parent profile in Azure Traffic Manager, an issue can occur if you disable and then enable two child profiles simultaneously. If there is a brief period when both endpoints are disabled, this can result in the parent profile entering a compromised state. To avoid this problem, use caution when making simultaneous changes to child profiles. Consider staggering the changes slightly to prevent unintended disruptions to your traffic management configuration. + ## Next steps: - Learn more about Traffic Manager [endpoint monitoring and automatic failover](../traffic-manager/traffic-manager-monitoring.md). |
virtual-desktop | Whats New Client Windows | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/whats-new-client-windows.md | description: Learn about recent changes to the Remote Desktop client for Windows Previously updated : 01/24/2024 Last updated : 01/30/2024 # What's new in the Remote Desktop client for Windows In this release, we've made the following change: *Published: November 7, 2023* -Download: [Windows 64-bit](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW1dqzi), [Windows 32-bit](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW1dlc8), [Windows ARM64](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW1dlc7) - In this release, we've made the following changes: - Added a link to the troubleshooting documentation to error messages to help users resolve minor issues without needing to contact Microsoft Support. |
virtual-machines | Image Builder Vnet | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/image-builder-vnet.md | VM Image Builder uses the [user identity](../../active-directory/managed-identit ```azurecli # create user assigned identity for image builder-idenityName=aibBuiUserId$(date +'%s') -az identity create -g $imageResourceGroup -n $idenityName +identityName=aibBuiUserId$(date +'%s') +az identity create -g $imageResourceGroup -n $identityName # get identity id-imgBuilderCliId=$(az identity show -g $sigResourceGroup -n $identityName --query clientId -o tsv) +imgBuilderCliId=$(az identity show -g $imageResourceGroup -n $identityName --query clientId -o tsv) # get the user identity URI, needed for the template-imgBuilderId=/subscriptions/$subscriptionID/resourcegroups/$imageResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/$idenityName +imgBuilderId=/subscriptions/$subscriptionID/resourcegroups/$imageResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/$identityName # update the template sed -i -e "s%<imgBuilderId>%$imgBuilderId%g" existingVNETLinux.json az role definition create --role-definition ./aibRoleNetworking.json # grant role definition to the user assigned identity az role assignment create \ --assignee $imgBuilderCliId \- --role $imageRoleDefName \ + --role "$imageRoleDefName" \ --scope /subscriptions/$subscriptionID/resourceGroups/$imageResourceGroup az role assignment create \ --assignee $imgBuilderCliId \- --role $netRoleDefName \ + --role "$netRoleDefName" \ --scope /subscriptions/$subscriptionID/resourceGroups/$vnetRgName ``` |
virtual-machines | Nd H100 V5 Series | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/nd-h100-v5-series.md | NVIDIA NVLink Interconnect: Supported <br> <br> >[!IMPORTANT]->To get started with ND H100 v5 VMs, refer to HPC Workload Configuration and Optimization for steps including driver and network configuration. Due to increased GPU memory I/O footprint, the ND H100 v5 requires the use of Generation 2 VMs and marketplace images. The Azure HPC images are strongly recommended. Azure HPC Ubuntu 20.04 image is supported. +>To get started with ND H100 v5 VMs, refer to HPC Workload Configuration and Optimization for steps including driver and network configuration. Due to increased GPU memory I/O footprint, the ND H100 v5 requires the use of Generation 2 VMs and marketplace images. +> +>Azure supports Ubuntu 20.04/22.04, RHEL 7.9/8.7/9.3, AlmaLinux 8.8/9.2, and SLES 15 for ND H100 v5 VMs. On Azure marketplace, there are offerings of optimized and pre-configured [Linux VM images](configure.md#vm-images) for HPC/AI workloads with a variety of HPC tools and libraries installed, and thus they are strongly recommended. Currently, Ubuntu-HPC 20.04/22.04 and AlmaLinux-HPC 8.6/8.7 VM images are supported. ## Example The ND H100 v5 series supports the following kernel version: |
virtual-machines | Nda100 V4 Series | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/nda100-v4-series.md | These instances provide excellent performance for many AI, ML, and analytics too > [!IMPORTANT] > To get started with ND A100 v4 VMs, refer to [HPC Workload Configuration and Optimization](configure.md) for steps including driver and network configuration.-> Due to increased GPU memory I/O footprint, the ND A100 v4 requires the use of [Generation 2 VMs](generation-2.md) and marketplace images. The [Azure HPC images](configure.md) are strongly recommended. Azure HPC Ubuntu 18.04, 20.04 and Azure HPC CentOS 7.9 images are supported. +> Due to increased GPU memory I/O footprint, the ND A100 v4 requires the use of [Generation 2 VMs](generation-2.md) and marketplace images. > +> Azure supports Ubuntu 20.04/22.04, RHEL 7.9/8.7/9.3, AlmaLinux 8.8/9.2, and SLES 15 for ND A100 v4 VMs. On Azure marketplace, there are offerings of optimized and pre-configured [Linux VM images](configure.md#vm-images) for HPC/AI workloads with a variety of HPC tools and libraries installed, and thus they are strongly recommended. Currently, Ubuntu-HPC 20.04/22.04 and AlmaLinux-HPC 8.6/8.7 VM images are supported. <br> |
virtual-machines | Trusted Launch Faq | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/trusted-launch-faq.md | Title: FAQ for Trusted Launch description: Get answers to the most frequently asked questions about Azure Trusted Launch virtual machines and virtual machine scale sets.---+++ Previously updated : 09/28/2023 Last updated : 01/29/2024 # Trusted Launch FAQ -Frequently asked questions about trusted launch. +Frequently asked questions about trusted launch. Feature use cases, support for other Azure features, and fixes for common errors. -## Frequently asked questions about Trusted Launch +## Use cases ### Why should I use trusted launch? What does trusted launch guard against? Trusted launch guards against boot kits, rootkits, and kernel-level malware. The - Kernel rootkits: these kits replace a portion of the OS kernel so the rootkit can start automatically when the OS loads. - Driver rootkits: these kits pretend to be one of the trusted drivers that OS uses to communicate with the virtual machine's components. -### What are the differences between secure boot and measured boot? +### How does trusted launch compare to Hyper-V Shielded VM? -In secure boot chain, each step in the boot process checks a cryptographic signature of the subsequent steps. For example, the BIOS checks a signature on the loader, and the loader checks signatures on all the kernel objects that it loads, and so on. If any of the objects are compromised, the signature does not match, and the VM does not boot. For more information, see [Secure Boot](/windows-hardware/design/device-experiences/oem-secure-boot). Measured boot does not halt the boot process, it measures or computes the hash of the next objects in the chain and stores the hashes in the Platform Configuration Registers (PCRs) on the vTPM. Measured boot records are used for boot integrity monitoring. +Hyper-V Shielded VM is currently available on Hyper-V only. [Hyper-V Shielded VM](/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms) is typically deployed in with Guarded Fabric. A Guarded Fabric consists of a Host Guardian Service (HGS), one or more guarded hosts, and a set of Shielded VMs. Hyper-V Shielded VMs are used in fabrics where the data and state of the virtual machine must be protected from various actors. These actors are both fabric administrators and untrusted software that might be running on the Hyper-V hosts. Trusted launch on the other hand can be deployed as a standalone virtual machine or Virtual Machine Scale Sets on Azure without other deployment and management of HGS. All of the trusted launch features can be enabled with a simple change in deployment code or a checkbox on the Azure portal. -### What is VM Guest State (VMGS)? +### Can I disable Trusted Launch for new VM deployment? -VM Guest State (VMGS) is specific to Trusted Launch VM. It is a blob managed by Azure and contains the unified extensible firmware interface (UEFI) secure boot signature databases and other security information. The lifecycle of the VMGS blob is tied to that of the OS Disk. +Trusted Launch VMs provide you with foundational compute security and our recommendation isn't to disable same for new VM/VMSS deployments except if your deployments have dependency on: -### How does trusted launch compare to Hyper-V Shielded VM? +- [VM Size families currently not supported with Trusted Launch](trusted-launch.md#virtual-machines-sizes) +- [Feature currently not supported with Trusted Launch](trusted-launch.md#unsupported-features) +- [OS version not supported with Trusted Launch](trusted-launch.md#operating-systems-supported) ++You can use parameter **securityType** with value `Standard` to disable Trusted Launch in new VM/VMSS deployments using Azure PowerShell (v10.3.0+) and CLI (v2.53.0+) ++#### [CLI](#tab/cli) ++```azurecli +az vm create -n MyVm -g MyResourceGroup --image Ubuntu2204 ` + --security-type 'Standard' +``` ++#### [PowerShell](#tab/PowerShell) ++```azurepowershell +$adminUsername = <USER NAME> +$adminPassword = <PASSWORD> | ConvertTo-SecureString -AsPlainText -Force +$vmCred = New-Object System.Management.Automation.PSCredential($adminUsername, $adminPassword) +New-AzVM -Name MyVm -Credential $vmCred -SecurityType Standard +``` ++++## Supported features and deployments ++### Is Azure Compute Gallery supported by trusted launch? +Trusted launch now allows images to be created and shared through the [Azure Compute Gallery](trusted-launch-portal.md#trusted-launch-vm-supported-images) (formerly Shared Image Gallery). The image source can be: +- an existing Azure VM that is either generalized or specialized OR, +- an existing managed disk or a snapshot OR, +- a VHD or an image version from another gallery. ++For more information about deploying Trusted Launch VM using Azure Compute Gallery, see [deploy Trusted Launch VMs](trusted-launch-portal.md#deploy-a-trusted-launch-vm-from-an-azure-compute-gallery-image). ++### Is Azure Backup supported by trusted launch? +Trusted launch now supports Azure Backup. For more information, see [Support matrix for Azure VM backup](../backup/backup-support-matrix-iaas.md#vm-compute-support). ++### Will Azure Backup continue working after enabling trusted launch? +Backups configured with [enhanced policy](../backup/backup-azure-vms-enhanced-policy.md) will continue to take backup of VM after enabling Trusted Launch. ++### Are Ephemeral OS disks supported by trusted launch? +Trusted launch supports ephemeral OS disks. For more information, see [Trusted Launch for Ephemeral OS disks](ephemeral-os-disks.md#trusted-launch-for-ephemeral-os-disks). +> [!NOTE] +> While using ephemeral disks for Trusted Launch VMs, keys and secrets generated or sealed by the vTPM after the creation of the VM may not be persisted across operations like reimaging and platform events like service healing. -Hyper-V Shielded VM is currently available on Hyper-V only. [Hyper-V Shielded VM](/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms) is typically deployed in with Guarded Fabric. A Guarded Fabric consists of a Host Guardian Service (HGS), one or more guarded hosts, and a set of Shielded VMs. Hyper-V Shielded VMs are intended for use in fabrics where the data and state of the virtual machine must be protected from both fabric administrators and untrusted software that might be running on the Hyper-V hosts. Trusted launch on the other hand can be deployed as a standalone virtual machine or Virtual Machine Scale Sets on Azure without additional deployment and management of HGS. All of the trusted launch features can be enabled with a simple change in deployment code or a checkbox on the Azure portal. -## Deployment +### Can virtual machine be restored using backup taken before enabling trusted launch? +Backups taken before [upgrading existing Generation 2 VM to Trusted Launch](trusted-launch-existing-vm.md) can be used to restore entire virtual machine or individual data disks. They can't be used to restore or replace OS disk only. -### How can I find VM sizes that support Trusted launch? +### How can I find VM sizes that support trusted launch? See the list of [Generation 2 VM sizes supporting Trusted launch](trusted-launch.md#virtual-machines-sizes). -The following commands can be used to check if a [Generation 2 VM Size](../virtual-machines/generation-2.md#generation-2-vm-sizes) does not support Trusted launch. +The following commands can be used to check if a [Generation 2 VM Size](../virtual-machines/generation-2.md#generation-2-vm-sizes) doesn't support Trusted launch. #### [CLI](#tab/cli) $vmSize = "Standard_M64" (Get-AzComputeResourceSku | where {$_.Locations.Contains($region) -and ($_.Name -eq $vmSize) })[0].Capabilities ``` -The response is similar to the following form. `TrustedLaunchDisabled True` in the output indicates that the Generation 2 VM size does not support Trusted launch. If it's a Generation 2 VM size and `TrustedLaunchDisabled` is not part of the output, it implies that Trusted launch is supported for that VM size. +The response is similar to the following form. `TrustedLaunchDisabled True` in the output indicates that the Generation 2 VM size doesn't support Trusted launch. If it's a Generation 2 VM size and `TrustedLaunchDisabled` isn't part of the output, it implies that Trusted launch is supported for that VM size. ``` Name Value MaxNetworkInterfaces 8 -### How can I validate if OS image supports Trusted Launch? +### How can I validate that my OS image supports trusted launch? See the list of [OS versions supported with Trusted Launch](trusted-launch.md#operating-systems-supported), -**Marketplace OS Image** +#### Marketplace OS Images The following commands can be used to check if a Marketplace OS image supports Trusted Launch. -#### [CLI](#tab/cli) +##### [CLI](#tab/cli) ```azurecli az vm image show --urn "MicrosoftWindowsServer:WindowsServer:2022-datacenter-azure-edition:latest" The response is similar to the following form. **hyperVGeneration** `v2` and **S } ``` -#### [PowerShell](#tab/PowerShell) +##### [PowerShell](#tab/PowerShell) ```azurepowershell Get-AzVMImage -Skus 22_04-lts-gen2 -PublisherName Canonical -Offer 0001-com-ubuntu-server-jammy -Location westus3 -Version latest ``` -The response of above command can be used with [Virtual Machines - Get API](/rest/api/compute/virtual-machine-images/get). The response is similar to the following form. **hyperVGeneration** `v2` and **SecurityType** contains `TrustedLaunch` in the output indicates that the Generation 2 OS Image supports Trusted Launch. +The output of the command can be used with [Virtual Machines - Get API](/rest/api/compute/virtual-machine-images/get). The response is similar to the following form. **hyperVGeneration** `v2` and **SecurityType** contains `TrustedLaunch` in the output indicates that the Generation 2 OS Image supports Trusted Launch. ```json { The response of above command can be used with [Virtual Machines - Get API](/res -**Azure Compute Gallery OS Image** +#### Azure Compute Gallery OS Image The following commands can be used to check if a [Azure Compute Gallery](trusted-launch-portal.md#trusted-launch-vm-supported-images) OS image supports Trusted Launch. -#### [CLI](#tab/cli) +##### [CLI](#tab/cli) ```azurecli az sig image-definition show ` The response is similar to the following form. **hyperVGeneration** `v2` and **S } ``` -#### [PowerShell](#tab/PowerShell) +##### [PowerShell](#tab/PowerShell) ```azurepowershell Get-AzGalleryImageDefinition -ResourceGroupName myImageGalleryRg ` Architecture : x64 -### How can I disable Trusted Launch for new VM deployment using PowerShell or CLI? -Trusted Launch VMs provide you with foundational compute security and our recommendation is not to disable same for new VM/VMSS deployments except if your deployments have dependency on: +## Power states -- [VM Size families currently not supported with Trusted Launch](trusted-launch.md#virtual-machines-sizes)-- [Feature currently not supported with Trusted Launch](trusted-launch.md#unsupported-features)-- [OS version not supported with Trusted Launch](trusted-launch.md#operating-systems-supported)+Feature specific states, boot types, and common boot issues. -You can use parameter **securityType** with value `Standard` to disable Trusted Launch in new VM/VMSS deployments using Azure PowerShell (v10.3.0+) and CLI (v2.53.0+) +### What is VM Guest State (VMGS)? -#### [CLI](#tab/cli) +VM Guest State (VMGS) is specific to Trusted Launch VM. It's a blob managed by Azure and contains the unified extensible firmware interface (UEFI) secure boot signature databases and other security information. The lifecycle of the VMGS blob is tied to that of the OS Disk. -```azurecli -az vm create -n MyVm -g MyResourceGroup --image Ubuntu2204 ` - --security-type 'Standard' -``` +### What are the differences between secure boot and measured boot? -#### [PowerShell](#tab/PowerShell) +In secure boot chain, each step in the boot process checks a cryptographic signature of the subsequent steps. For example, the BIOS checks a signature on the loader, and the loader checks signatures on all the kernel objects that it loads, and so on. If any of the objects are compromised, the signature doesn't match, and the VM doesn't boot. For more information, see [Secure Boot](/windows-hardware/design/device-experiences/oem-secure-boot). Measured boot doesn't halt the boot process, it measures or computes the hash of the next objects in the chain and stores the hashes in the Platform Configuration Registers (PCRs) on the vTPM. Measured boot records are used for boot integrity monitoring. ++### Why is Trusted Launch Virtual Machine not booting correctly? ++If unsigned components are detected from the UEFI (guest firmware), bootloader, operating system, or boot drivers, a Trusted Launch Virtual Machine won't boot. The [secure boot](/windows-server/virtualization/hyper-v/learn-more/generation-2-virtual-machine-security-settings-for-hyper-v#secure-boot-setting-in-hyper-v-manager) setting in the Trusted Launch virtual machine fails to boot if unsigned or untrusted boot components are encountered during the boot process and will report as a secure boot failure. ++![The trusted launch pipeline from secure boot to third party drivers](./media/trusted-launch/trusted-launch-pipeline.png) ++> [!NOTE] +> Trusted Launch Virtual machines that are created directly from an Azure Marketplace image should not encounter Secure Boot failures. Azure Compute Gallery images with an original image source of Marketplace, and snapshots created from Trusted Launch VMs should also not encounter these errors. ++### How would I verify a no-boot scenario in the Azure portal? +When a virtual machine becomes unavailable from a Secure Boot failure, 'no-boot' means that virtual machine has an operating system component that is signed by a trusted authority, which blocks booting a Trusted Launch VM. On VM deployment, customers may see information from resource health within the Azure portal stating that there's a validation error in secure boot. ++To access resource health from the virtual machine configuration page, navigate to Resource Health under the 'Help' panel. +++Follow the 'Recommended Steps' outlined in the resource health screen. Instructions include a screenshot and downloadable serial log from the boot diagnostics of the virtual machine. ++If you verified the no-boot was caused by a secure boot failure: +1. The image you're using is an older version that may have one or more untrusted boot components and is on a deprecation path. To remedy an outdated image, update to a supported newer image version. +1. The image you're using may have been built outside of a marketplace source or the boot components have been modified and contain unsigned or untrusted boot components. To verify if your image has unsigned or untrusted boot components, refer to 'Verifying secure boot failures'. +1. If the above two scenarios don't apply, the virtual machine is potentially infected with malware (bootkit/rootkit). Consider deleting the virtual machine and re-creating a new VM from the same source image while evaluating all software being installed. ++## Verifying secure boot failures ++### Linux Virtual Machines +To verify which boot components are responsible for Secure Boot failures within an Azure Linux Virtual Machine, end-users can use the SBInfo tool from the Linux Security Package. ++1. Turn off secure boot +1. Connect to your Azure Linux Trusted Launch virtual machine. +2. Install the SBInfo tool for the distro your virtual machine is running. It resides within the Linux Security Package ++#### [Debian-based distros](#tab/debianbased) ++These commands apply to Ubuntu, Debian, and other debian-based distros. ++```bash +echo "deb [arch=amd64] http://packages.microsoft.com/repos/azurecore/ trusty main" | sudo tee -a /etc/apt/sources.list.d/azure.list ++echo "deb [arch=amd64] http://packages.microsoft.com/repos/azurecore/ xenial main" | sudo tee -a /etc/apt/sources.list.d/azure.list ++echo "deb [arch=amd64] http://packages.microsoft.com/repos/azurecore/ bionic main" | sudo tee -a /etc/apt/sources.list.d/azure.list ++wget https://packages.microsoft.com/keys/microsoft.asc ++wget https://packages.microsoft.com/keys/msopentech.asc ++sudo apt-key add microsoft.asc && sudo apt-key add msopentech.asc ++sudo apt update && sudo apt install azure-security -```azurepowershell -$adminUsername = <USER NAME> -$adminPassword = <PASSWORD> | ConvertTo-SecureString -AsPlainText -Force -$vmCred = New-Object System.Management.Automation.PSCredential($adminUsername, $adminPassword) -New-AzVM -Name MyVm -Credential $vmCred -SecurityType Standard ``` -+#### [Red Hat-based distros](#tab/rhelbased) -## Feature support +These commands apply to RHEL, CentOS, and other Red Hat-based distros. -### Does trusted launch support Azure Compute Gallery? +```bash +echo "[packages-microsoft-com-azurecore]" | sudo tee -a /etc/yum.repos.d/azurecore.repo -Trusted launch now allows images to be created and shared through the [Azure Compute Gallery](trusted-launch-portal.md#trusted-launch-vm-supported-images) (formerly Shared Image Gallery). The image source can be: -- an existing Azure VM that is either generalized or specialized OR,-- an existing managed disk or a snapshot OR,-- a VHD or an image version from another gallery.+echo "name=packages-microsoft-com-azurecore" | sudo tee -a /etc/yum.repos.d/azurecore.repo -For more information about deploying Trusted Launch VM using Azure Compute Gallery, see [deploy Trusted Launch VMs](trusted-launch-portal.md#deploy-a-trusted-launch-vm-from-an-azure-compute-gallery-image). +echo "baseurl=https://packages.microsoft.com/yumrepos/azurecore/" | sudo tee -a /etc/yum.repos.d/azurecore.repo -### Does trusted launch support Azure Backup? +echo "enabled=1" | sudo tee -a /etc/yum.repos.d/azurecore.repo -Trusted launch now supports Azure Backup. For more information, see [Support matrix for Azure VM backup](../backup/backup-support-matrix-iaas.md#vm-compute-support). +echo "gpgcheck=0" | sudo tee -a /etc/yum.repos.d/azurecore.repo -### Does trusted launch support ephemeral OS disks? +sudo yum install azure-security +``` -Trusted launch supports ephemeral OS disks. For more information, see [Trusted Launch for Ephemeral OS disks](ephemeral-os-disks.md#trusted-launch-for-ephemeral-os-disks). -> [!NOTE] -> While using ephemeral disks for Trusted Launch VMs, keys and secrets generated or sealed by the vTPM after the creation of the VM may not be persisted across operations like reimaging and platform events like service healing. +#### [SUSE-based distros](#tab/susebased) -## Enable Trusted Launch on existing VMs +These commands apply to SLES, openSUSE, and other SUSE-based distros. -### Can virtual machine be restored using backup taken before enabling Trusted Launch? -Backups taken before [upgrading existing Generation 2 VM to Trusted Launch](trusted-launch-existing-vm.md) can be used to restore entire virtual machine or individual data disks. They cannot be used to restore or replace OS disk only. +```bash +sudo zypper ar -t rpm-md -n "packages-microsoft-com-azurecore" --no-gpgcheck https://packages.microsoft.com/yumrepos/azurecore/ azurecore -### Will backup continue to work after enabling Trusted Launch? -Backups configured with [enhanced policy](../backup/backup-azure-vms-enhanced-policy.md) will continue to take backup of VM after enabling Trusted Launch. +sudo zypper install azure-security +``` ++++After installing the Linux Security Package for your distro, run the 'sbinfo' command to verify which boot components are responsible for Secure Boot failures by displaying all unsigned modules, kernels, and bootloaders. ++```bash +sudo sbinfo -u -m -k -b +``` -## Boot integrity monitoring +To learn more about the SBInfo diagnostic tool, you can run 'sudo sbinfo -help'. -### What happens when an integrity fault is detected? +### Why am I getting a boot integrity monitoring fault? Trusted launch for Azure virtual machines is monitored for advanced threats. If such threats are detected, an alert is triggered. Alerts are only available if [Defender for Cloud's enhanced security features](../security-center/enable-enhanced-security.md) are enabled. Microsoft Defender for Cloud periodically performs attestation. If the attestation fails, a medium severity alert is triggered. Trusted launch attestation can fail for the following reasons: -- The attested information, which includes a log of the Trusted Computing Base (TCB), deviates from a trusted baseline (like when Secure Boot is enabled). This deviation indicates an untrusted module(s) have been loaded and the OS may be compromised.-- The attestation quote could not be verified to originate from the vTPM of the attested VM. This verification failure indicates a malware is present and may be intercepting traffic to the TPM.-- The attestation extension on the VM is not responding. This unresponsive extension indicates a denial-of-service attack by malware or an OS admin.+- The attested information, which includes a log of the Trusted Computing Base (TCB), deviates from a trusted baseline (like when Secure Boot is enabled). Any deviation indicates an untrusted module(s) were loaded and the OS may be compromised. +- The attestation quote couldn't be verified to originate from the vTPM of the attested VM. The verification failure indicates a malware is present and may be intercepting traffic to the TPM. +- The attestation extension on the VM isn't responding. An unresponsive extension indicates a denial-of-service attack by malware or an OS admin. ## Certificates The virtual TPM AK public certificate provides users with visibility for informa #### Download instructions -Below is the package certificate, compromised of. p7b (Full Certificate Authority) and .cer (Intermediate CA), revealing the signing and certificate authority. Copy the relevant content below and use certificate tooling to inspect and assess details of certificates. +Package certificates, compromised of. p7b (Full Certificate Authority) and .cer (Intermediate CA), reveal the signing and certificate authority. Copy the relevant content and use certificate tooling to inspect and assess details of certificates. [!INCLUDE [json](../virtual-machines/includes/trusted-launch-tpm-certs/tpm-root-certificate-authority.md)] |
web-application-firewall | Custom Waf Rules Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/web-application-firewall/ag/custom-waf-rules-overview.md | -The Azure Application Gateway Web Application Firewall (WAF) v2 comes with a preconfigured, platform-managed ruleset that offers protection from many different types of attacks. These attacks include cross site scripting, SQL injection, and others. If you're a WAF admin, you may want to write your own rules to augment the core rule set (CRS) rules. Your custom rules can either block, allow, or log requested traffic based on matching criteria. If the WAF policy is set to detection mode, and a custom block rule is triggered, the request is logged and no blocking action is taken. +The Azure Application Gateway Web Application Firewall (WAF) v2 comes with a preconfigured, platform-managed ruleset that offers protection from many different types of attacks. These attacks include cross site scripting, SQL injection, and others. If you're a WAF admin, you might want to write your own rules to augment the core rule set (CRS) rules. Your custom rules can either block, allow, or log requested traffic based on matching criteria. If the WAF policy is set to detection mode, and a custom block rule is triggered, the request is logged and no blocking action is taken. Custom rules allow you to create your own rules that are evaluated for each request that passes through the WAF. These rules hold a higher priority than the rest of the rules in the managed rule sets. The custom rules contain a rule name, rule priority, and an array of matching conditions. If these conditions are met, an action is taken (to allow, block, or log). If a custom rule is triggered, and an allow or block action is taken, no further custom or managed rules are evaluated. Custom rules can be enabled/disabled on demand. In WAF policy detection mode, if a custom rule is triggered, the action is alway - Allow ΓÇô Authorizes the transaction, skipping all other rules. The specified request is added to the allowlist and once matched, the request stops further evaluation and is sent to the backend pool. Rules that are on the allowlist aren't evaluated for any further custom rules or managed rules. - Block - Blocks or logs the transaction based on SecDefaultAction (detection/prevention mode).- - Prevention mode - Blocks the transaction based on SecDefaultAction. Just like the Allow action, once the request is evaluated and added to the blocklist, evaluation is stopped and the request is blocked. Any request after that meets the same conditions won't be evaluated and will just be blocked. - - Detection mode - Logs the transaction based on SecDefaultAction after which evaluation is stopped. Any request after that meets the same conditions won't be evaluated and will just be logged. + - Prevention mode - Blocks the transaction based on SecDefaultAction. Just like the `Allow` action, once the request is evaluated and added to the blocklist, evaluation is stopped and the request is blocked. Any request after that meets the same conditions isn't evaluated and is blocked. + - Detection mode - Logs the transaction based on SecDefaultAction after which evaluation is stopped. Any request after that meets the same conditions isn't evaluated and is just logged. - Log ΓÇô Lets the rule write to the log, but lets the rest of the rules run for evaluation. The other custom rules are evaluated in order of priority, followed by the managed rules. ## Copying and duplicating custom rules -Custom rules can be duplicated within a given policy. When duplicating a rule, you need to specify a unique name for the rule and a unique priority value. Additionally, custom rules can be copied from one Application Gateway WAF policy to another as long as the policies are both in the same subscription. When copying a rule from one policy to another you need to select the Application Gateway WAF policy you wish to copy the rule into. Once you select the WAF policy you need to give the rule a unique name, and assign a priority rank. +Custom rules can be duplicated within a given policy. When duplicating a rule, you need to specify a unique name for the rule and a unique priority value. Additionally, custom rules can be copied from one Application Gateway WAF policy to another as long as the policies are both in the same subscription. When copying a rule from one policy to another, you need to select the Application Gateway WAF policy you wish to copy the rule into. Once you select the WAF policy you need to give the rule a unique name, and assign a priority rank. ## Geomatch custom rules |