Azure App configuration

Use App Configuration to store all the settings for your application and secure access to them in one place.

Centralize management and distribution of hierarchical configuration data for different environments and geographies
Dynamically change application settings without the need to redeploy or restart an application

At its core, it is a key-value store
Supports history
Great fit for Event-driven microservices architecture
Control feature availability in real-time
Cloud Native Implementation of the “External configuration store” pattern

Muhammad Sajid

November 06, 2019


  1. #StockholmAzure Meetup Sponsors

  2. Who am I?
    • Lead Cloud Solutions Architect at PwC Sweden
    • Leading Cloud Center for Enablement and Cloud-native transformation initiative for the organization
    • Architecture Council at PwC
    • Microsoft Azure Advisory group
    • Blogger https://www.msajid.cloud/
    • Speaker (Swetugg, APIDays, Azure meetup)
    • Badminton
    • Photography
    • Ping pong
    https://www.linkedin.com/in/musa/ https://twitter.com/sajid_nazeer
  3. Azure App Configuration and Feature management. Presentation by Muhammad Sajid, November 2019
  4. 1. What is Azure App Configuration and why should you care
     2. Using App Configuration in .NET Core, ASP.NET Core and Azure Functions
     3. Integration with Azure Key Vault and Event Grid
     4. High Availability -> replication and failover using import/export feature
     5. Using App Configuration in Azure DevOps
     6. ETA and Pricing
     7. Feature management
     8. Key Takeaways
  5. What is Azure App Configuration 1

  6. What is Azure App Configuration
    https://docs.microsoft.com/en-us/azure/azure-app-configuration/overview
    • Centralize management and distribution of hierarchical configuration data
    • At its core, it is a key-value store
    • Great fit for Event-driven microservices architecture
    • Control feature availability in real-time
    • Cloud Native Implementation of the “External configuration store” pattern
  7. Why should we care
    • Cloud Native applications are mostly polyglot microservices (with different programming languages, technology stacks, etc.), but every microservice needs some kind of configuration
    • According to the 12-factor app, it is recommended to separate configuration from the code
    https://12factor.net/config
    https://content.pivotal.io/blog/beyond-the-twelve-factor-app
    App Configuration supports:
    • Namespaces
    • Labeling
    • Extensive queries
    • Batch retrieval
    • History
    • Feature management
    • Event-driven Architecture
    Author: Kevin Hoffman https://learning.oreilly.com/library/view/beyond-the-twelve-factor/9781492042631/
    Author: multiple authors https://www.amazon.in/Cloud-Native-Transformation-Pini-Reznik/dp/1492048909
  8. External Configuration Store
    https://docs.microsoft.com/en-us/azure/architecture/patterns/external-configuration-store
    Move configuration information out of the application deployment package to a centralized location. This pattern is useful for:
    • Shared configuration between multiple applications or multiple instances of the same application
    • A standard Key-Value configuration system
    • Simplifying administration and monitoring of configuration settings
  9. Creating the resource: search App Configuration in Azure Portal and Create
  10. Name should be globally unique. Choose subscription, resource group and location
  11. Endpoint to use. Configuration and feature management. Import/export configuration
  12. Use read-only keys
  13. https://docs.microsoft.com/en-us/azure/azure-app-configuration/cli-samples
  14. Resource type: Microsoft.AppConfiguration/configurationStores. API version: 2019-02-01-preview

  15. Using Azure App Configuration in .NET Core, ASP.NET Core and Azure Functions 2
  16. .NET Core: add NuGet package Microsoft.Extensions.Configuration.AzureAppConfiguration
  17. ManagedIdentity or connect with connection string. Key to watch and, if changed, refresh everything
  18. KeyVault client using ManagedIdentity for fetching secrets using Configuration provider. Configuration and KeyVault client glue. Namespace/prefix to watch. Trigger refresh only when sentinel is changed to avoid splicing
  19. Role of a Sentinel
    • Sentinel is just another key-value item in the App Configuration
    • It is used as a signal for the configuration provider client that one or more properties have changed
    • Sentinel or any other configuration item will only be checked for changes if the cache has expired. Cache expiry is 30 seconds by default
  20. ASP.NET Core: use Managed Identity. Same identity will work with fetching Key Vault Secret
  21. Middleware responsible for refreshing the configuration based on activity
  22. How does configuration refresh work at runtime?
    Timer-based watch (Old design)
    • Configuration was kept in sync with Azure App Configuration using a watch mechanism which ran on a timer.
    Flaws
    • On-demand invocation not possible.
    • Background activity even in the dormant application instances.
    • Polling
    Activity-based watch (New design)
    • Uses a middleware to determine activity
    • Works only in ASP.NET (middleware dependency)
    https://devblogs.microsoft.com/aspnet/redesigning-configuration-refresh-for-azure-app-configuration/?WT.mc_id=cloudnative-ch9-shboyer
  23. Activity based refresh
  24. Azure Functions: use Azure Functions dependency injection to configure Azure App Configuration
  25. Inject settings using IOptionsSnapshot
  26. Create a separate refresh function to refresh configuration. Refresh will only happen when the cache has expired
  27. Integration with Azure Key Vault and Event Grid 3

  28. Azure Key Vault Integration
    https://github.com/Azure/AppConfiguration-Announcements/issues/1#issue-504279728
    October 8, 2019, Lisa Guthrie, Senior Program Manager
  29. Azure Key Vault Integration
    https://github.com/Azure/AppConfiguration-Announcements/issues/1#issue-504279728
    • App Configuration and Key Vault are complementary services
    • App Configuration allows you to create keys that reference the value of Key Vault secrets
    • App Configuration stores the URI of the secret, not the value
    • Client providers detect the key as a Key Vault secret and use the Key Vault client to retrieve the actual value of the secret
    • App Configuration and Key Vault do not communicate with each other automatically
    Lisa Guthrie, Senior Program Manager
  30. App Configuration provider uses KeyVault client under the hood to fetch the value for a secret. Refresh works for both App Configuration items and Key Vault secrets. Use App Service token provider to get a token for accessing Key Vault
  31. App Configuration provider will not know if you delete a secret from Key Vault until you restart. For running instances it will not crash or reload other configuration items.
  32. How to handle transient errors?
    https://docs.microsoft.com/en-us/azure/architecture/best-practices/transient-faults
    • Due to the distributed nature of the cloud, transient faults are very common
    • Handling transient errors is very important for building resilient applications
    • Use Polly to add a retry policy while refreshing
  33. Polly integration for transient errors using custom refresh middleware. Add Polly NuGet package
  34. Program.cs: configure App Configuration as usual
  35. Startup.cs: use custom middleware with retry logic

  36. 36

  37. Claim check? Also known as Reference-Based Messaging
    • Storing data in a different store and passing a reference to the original data along. The receiver is responsible for retrieving original data from the store (in this case from Key Vault).
    • The pattern can also be used if the payload should be accessed only by services that are authorized to see it. (Skinny payload)
    https://www.enterpriseintegrationpatterns.com/patterns/messaging/StoreInLibrary.html
    https://docs.microsoft.com/en-us/azure/architecture/patterns/claim-check
    Reference: {"uri":"https://abc1234keyvault.vault.azure.net/secrets/testsecret"}
    Content Type: application/vnd.microsoft.appconfig.keyvaultref+json;charset=utf-8
  38. Event Grid Integration

  39. 39

  40. 40

  41. High availability 4

  42. Import/Export

  43. Event-driven Sync
    • Use Event Grid to receive changes and replicate configuration items to the secondary store
    • Use a special Sync Sentinel if you want to control sync
    • Use App Configuration SDK to replicate configuration items using C#
  44. Configure Event Grid for receiving Sync Sentinel signal
  45. Configure Event Grid for receiving Sync Sentinel signal
    • Apply a filter to receive events only when Sync Sentinel is changed
    • Filter on subject suffix match
    • You can specify empty labels as %00
    • Api-version is always included
  46. Receive events in a Bus, Storage or directly to an Azure Function. Use App Configuration SDK to manage key-value pairs; you can use ConfigurationClient to replicate the primary store to the secondary store
  47. Replicator function takes primary and secondary connection. Replicate only when you receive “Sync Sentinel” trigger via Event Grid
    string primaryConnection = "Endpoint=https://abc1234configstore.azconfig.io;Id=XXXX;Secret=YYYYYYY";
    var primary = new ConfigurationClient(primaryConnection);
  48. 48

  49. Azure DevOps Integration 5

  50. Install App Configuration Task

  51. 51

  52. 52

  53. ETA and Pricing 6

  54. GA and Pricing: Azure App Configuration Service is planned to be Generally available in January 2020
    October 26, 2019, Lisa Guthrie, Senior Program Manager
  55. ETA and Pricing: Azure App Configuration Service is planned to be Generally available in January 2020
    • Stores: Free 1 / subscription; Standard Unlimited
    • Keys: Free 1000 or 1MB / store; Standard 20000 or 1GB / store
    • History: Free 7 days; Standard 30 days
    • Requests / day: Free 1000; Standard Unlimited
    • SLA: Free N/A; Standard 99.9%
    • Cost: Free tier is free; Standard US$1.20/day + any additional changes at US$0.06/10000 requests
  56. Feature management 7

  57. 57

  58. 58

  59. 59

  60. 60

  61. Key takeaways 8
  62. • Group keys using prefixes and labels
    • Design hierarchical namespaces
    • Always set a Content-Type
    • Use Sentinel to avoid splicing
  63. Jimmy Campbell
    • Use Labels as an extra dimension for organizing/grouping settings
  64. • Create separate stores if you want to separately control the permissions
    • If permission is not a concern then use one multi-tenant store
  65. • Another reason to have multiple stores would be for disaster recovery
    https://docs.microsoft.com/en-us/azure/azure-app-configuration/concept-disaster-recovery
  66. • Beware of the key storage and request limitations per store
    • Beware of limitations of creating multiple stores per subscription
  67. • It is ok to store a secret in App Configuration, but use Key Vault, which is designed for this use case.
  68. • Beware of the configuration stacking
  69. • If an environment does not have the possibility to fetch configuration at runtime (possibly due to a firewall) then inject the configuration using Azure DevOps
  70. • Listen to configuration changes using Azure Event Grid and react accordingly
    • Use managed identity for authentication
  71. • Sync configuration to multiple stores for high availability and disaster recovery
    • If you have a Key Vault referenced key you must add permission to Key Vault for both stores
    • Use Sync Sentinel
  72. Questions
  73. References:
    Icons: @SandroPereira -> repo, blog | @Azurekid -> repo | @BenCodeGeek -> project | @David Summers -> repo
    Documentation https://docs.microsoft.com/en-us/azure/azure-app-configuration/
    Feedback page https://feedback.azure.com/forums/920545-azure-app-configuration
    GitHub https://github.com/Azure/AppConfiguration/
    Slack https://aka.ms/azconfig/slack
    Announcements https://github.com/Azure/AppConfiguration-Announcements
    CloudNativeShow episode https://www.youtube.com/watch?v=DJqmA5PcfzE
    DOTNETConf https://www.youtube.com/watch?v=zRstfC3Nn7M
    Thank you
    https://www.linkedin.com/in/musa/ https://twitter.com/sajid_nazeer
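
Added example, not part of the original deck: slides 29, 37 and 67 describe Key Vault references (a URI stored under the content type application/vnd.microsoft.appconfig.keyvaultref+json) and recommend keeping secrets in Key Vault, and slide 62 asks for a Content-Type on every key. The C# below audits a set of key-values against those points; the Setting record, the secret-like key-name pattern, the public-cloud vault host suffix and the sample data are assumptions made for the illustration.

```csharp
using System;
using System.Text.Json;
using System.Text.RegularExpressions;

public record Setting(string Key, string Value, string ContentType);

public static class KeyVaultReferenceAudit
{
    // Media type from slide 37; parameters such as charset are ignored when matching.
    const string KeyVaultRefType = "application/vnd.microsoft.appconfig.keyvaultref+json";
    // Assumption: key names that usually carry credentials; adjust to your naming scheme.
    static readonly Regex SecretLike =
        new("password|secret|connectionstring|apikey|token", RegexOptions.IgnoreCase);

    public static string Classify(Setting s)
    {
        string mediaType = (s.ContentType ?? "").Split(';')[0].Trim();
        if (mediaType.Equals(KeyVaultRefType, StringComparison.OrdinalIgnoreCase))
            return IsVaultSecretUri(s.Value) ? "ok: Key Vault reference"
                                             : "fail: malformed Key Vault reference";
        if (SecretLike.IsMatch(s.Key)) return "fail: secret-like key holds a plain value";
        return mediaType.Length == 0 ? "warn: no content type set" : "ok: plain setting";
    }

    // Reference value: {"uri":"https://<vault>.vault.azure.net/secrets/<name>"}.
    // Assumption: only the public-cloud vault suffix is accepted.
    static bool IsVaultSecretUri(string json)
    {
        try
        {
            using JsonDocument doc = JsonDocument.Parse(json ?? "");
            return doc.RootElement.ValueKind == JsonValueKind.Object
                && doc.RootElement.TryGetProperty("uri", out JsonElement u)
                && u.ValueKind == JsonValueKind.String
                && Uri.TryCreate(u.GetString(), UriKind.Absolute, out Uri uri)
                && uri.Scheme == Uri.UriSchemeHttps
                && uri.Host.EndsWith(".vault.azure.net", StringComparison.OrdinalIgnoreCase)
                && uri.AbsolutePath.StartsWith("/secrets/", StringComparison.Ordinal);
        }
        catch (JsonException) { return false; }
    }

    public static void Main()
    {
        var settings = new[] { // constructed sample key-values, not taken from a real store
            new Setting("TestApp:Settings:FontSize", "24", "text/plain"),
            new Setting("TestApp:Settings:DbPassword", "{\"uri\":\"https://abc1234keyvault.vault.azure.net/secrets/testsecret\"}", KeyVaultRefType + ";charset=utf-8"),
            new Setting("TestApp:Settings:Cert", "{\"uri\":\"http://example.invalid/secrets/x\"}", KeyVaultRefType),
            new Setting("TestApp:Settings:ApiKey", "constructed-plain-value", "text/plain"),
            new Setting("TestApp:Settings:Sentinel", "1", ""),
        };
        foreach (Setting s in settings) Console.WriteLine($"{s.Key,-28} {Classify(s)}");
    }
}
```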