Configure backup for an App Service
Most App Service plans include an automatic backup feature that can be further customized to create backups of your web app. The Free and Shared App Service plan tiers do not include backups. Automatic backups occur every hour and have a 30-day sliding retention scale:
- Hourly backups are kept for the most recent three days.
- Days 4–14 retain every third hour of backups.
- Days 15–30 retain every sixth hour of backups.
If you need to modify the timing, retention, partial backups, and more, customize the backup for the App Service. To customize the backup, navigate to the App Service resource and select the Backups blade. The automatic hourly backups will be displayed, as shown in Figure 3-82, with an option on each row to restore from that backup. Alternatively, you can click Configure Custom Backups on the top menu.
FIGURE 3-82 App Service backups
Custom backups require you to specify a storage account and blob container to store the backups in. As part of the schedule, you can run the backup hourly or daily at a specific time and set how long each backup is retained. Retention can be configured as a value from 0–60, with zero representing storing the backup indefinitely. Figure 3-83 displays the custom backup configuration page.
FIGURE 3-83 App Service custom backups
Configure networking settings for an App Service
By default, App Services include a publicly accessible URL, and public network access is enabled with no restrictions. However, most organizations will have a security or compliance policy that requires all inbound traffic to first be inspected by a Web Application Firewall (WAF), or might require that all inbound traffic originate from a specific network.
To achieve this, modify the network settings of the App Service. From the Azure portal, navigate to the App Service and then select the Networking blade, as shown in Figure 3-84.
FIGURE 3-84 App Service networking
Inbound traffic configuration
By default, a public App Service endpoint is accessible from anywhere on the internet with no access restrictions. If your organization needs to modify that behavior, click Enabled With No Access Restrictions.
On the Access Restrictions page, you can limit inbound access to specific virtual networks and/or IP addresses, or disable inbound access completely, as shown in Figure 3-85.
FIGURE 3-85 App Service networking
If you select Enabled From Select Virtual Networks And IP Addresses, you can create individual rules that allow or deny specific IP addresses. There is also an Unmatched Rule Action field to either allow or deny traffic that does not explicitly match any of the rules that you configure.
On the Access Restrictions page, click Add. The Add Rule page has the following fields:
- Name: The display name of the rule
- Action: Whether to allow or deny the traffic that matches
- Priority: The priority of the rule for processing
- Description: A description of the rule for internal documentation
- Type: The source of the traffic: IPv4, IPv6, a virtual network, or Azure service tag
- IP Address Block: When IPv4 is selected, the CIDR notation of the address(es) to configure
- X-Forwarded-Host: Any hostnames that should be forwarded to the App Service
- X-Forwarded-For: The IP address to forward to communicate
- X-Azure-FDID: An optional Front Door or reverse proxy ID
- X-FD-HealthProbe: The health probe ID to use with a reverse proxy
Figure 3-86 displays the Add Rule page configured to allow traffic from the 10.0.0.0/16 network.
FIGURE 3-86 Add inbound traffic rule
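The following added example (not from the book or from Azure tooling) models how an access restriction rule set resolves a source address: rules are checked in ascending Priority value, the first match decides, and the Unmatched Rule Action applies otherwise. The Rule class, the evaluate and audit helpers, and the rule names are hypothetical; only the 10.0.0.0/16 allow rule comes from the text, and the other address blocks are constructed samples.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    action: str    # "Allow" or "Deny"
    priority: int  # lower number is evaluated first
    cidr: str      # IP Address Block in CIDR notation

# Constructed rule set; "corp-vnet" mirrors the 10.0.0.0/16 rule in the text.
RULES = [
    Rule("block-lab", "Deny", 200, "10.0.5.0/24"),
    Rule("corp-vnet", "Allow", 100, "10.0.0.0/16"),
    Rule("partner", "Allow", 300, "203.0.113.0/24"),
]

def evaluate(rules, source_ip, unmatched_action="Deny"):
    """Return (action, rule_name) for one source address."""
    addr = ipaddress.ip_address(source_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        # strict=True rejects blocks with host bits set, e.g. 10.0.0.1/16
        net = ipaddress.ip_network(rule.cidr, strict=True)
        if addr.version == net.version and addr in net:
            return rule.action, rule.name
    return unmatched_action, "<unmatched>"

def audit(rules):
    """List (shadowed_rule, covering_rule) pairs: rules that can never
    match because an earlier rule already covers their whole block."""
    findings = []
    ordered = sorted(rules, key=lambda r: r.priority)
    for i, later in enumerate(ordered):
        later_net = ipaddress.ip_network(later.cidr, strict=True)
        for earlier in ordered[:i]:
            earlier_net = ipaddress.ip_network(earlier.cidr, strict=True)
            if (later_net.version == earlier_net.version
                    and later_net.subnet_of(earlier_net)):
                findings.append((later.name, earlier.name))
                break
    return findings

if __name__ == "__main__":
    for ip in ("10.0.5.7", "203.0.113.10", "198.51.100.9"):
        print(ip, evaluate(RULES, ip))
    print("shadowed:", audit(RULES))
```

In this sample the deny rule for 10.0.5.0/24 never takes effect because the broader allow rule has a lower priority number; giving the deny rule a priority below 100 makes it match first.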