Web apps & APIs
Azure App Service
The workhorse PaaS for HTTP workloads: push code (or a container) in .NET, Java, Node, Python, PHP and get TLS, custom domains, autoscale, auth, slots and CI/CD — with the OS, patching and load balancers fully managed.
How it works
flowchart LR
DEV[Code / container
GitHub Actions · azd · zip deploy] --> SLOT2
subgraph PLAN[App Service plan · shared compute]
subgraph APP[Web app]
SLOT1[Production slot
100% traffic]
SLOT2[Staging slot
warm-up · smoke tests]
end
APP2[Another app
same plan]
end
U[Users] --> FD[Front Door / App Gateway
optional WAF + global LB]
FD --> SLOT1
SLOT2 -->|swap: zero downtime| SLOT1
SLOT1 --> VNI[VNet integration] --> BE[(SQL · Service Bus ·
private APIs)]
Core capabilities
Deployment slots
Deploy to staging, warm up, run smoke tests, swap to production instantly — and swap back if anything's wrong. Auto-swap and traffic %-routing for A/B tests.
Built-in auth (Easy Auth)
Entra ID, Google, GitHub… authentication at the platform layer, no code changes; tokens flow to the app via headers.
Networking
Private endpoints inbound, VNet integration outbound, access restrictions, hybrid connections to on-prem endpoints without VPN.
Autoscale
Rule-based or automatic scaling per plan; scale out on schedule or metrics.
Sidecars
Attach sidecar containers (OpenTelemetry collectors, caches, even small local LLMs) next to your main app.
WebJobs & ops
Background tasks alongside the web app; diagnostics, log streaming, Kudu console, health checks with instance replacement.
Plans at a glance
| Plan | Use |
|---|---|
| Free / Basic | Dev/test, small sites. |
| Standard / Premium v3/v4 | Production: slots, autoscale, VNet, zone redundancy; Pv3/Pv4 best price-performance. |
| App Service Environment v3 | Fully isolated, VNet-injected, at-scale compliance workloads. |
Detailed use cases
Line-of-business web apps
Internal portals with Easy Auth (Entra ID), private endpoints, and slot-based releases — boring in the best way.
Public APIs behind APIM
App Service hosts the API; APIM adds products, keys, rate limits; access restrictions ensure only the gateway reaches the app.
.NET/Java modernization
Lift ASP.NET and Java (JBoss/Tomcat) apps off IIS/VMs with minimal change; hybrid connections bridge to on-prem databases during migration.
Chat frontends for AI apps
Web app hosts the UI + orchestration calling Azure OpenAI through APIM; sidecar collects OTel traces; slots let you ship prompt changes safely.
App Service vs the alternatives
- App Service: HTTP app from code, platform-managed everything — fastest path for classic web workloads.
- Container Apps: microservices, event-driven scale-to-zero, Dapr, jobs — when the unit is a container fleet.
- Functions: single-purpose event handlers, pay-per-execution.
- Static Web Apps: SPA/static frontends with global CDN + managed Functions API.
Best practices
- Always release via staging slot + swap; enable health check endpoint.
- Use managed identity + Key Vault references in app settings — zero secrets in config.
- Enable Always On, HTTP/2, and run on Linux Pv3/Pv4 unless Windows-specific.
- Front internet apps with Front Door/App Gateway + WAF; lock app access to the fronting service.
- Application Insights auto-instrumentation on day one.