Use App Configuration to store all the settings for your application and secure access to them in one place.
Centralize management and distribution of hierarchical configuration data for different environments and geographies
Dynamically change application settings without the need to redeploy or restart an application
At its core it is a key-value store
Supports history
Great fit for an event-driven microservices architecture
Control feature availability in real time
Cloud-native implementation of the "External configuration store" pattern
https://www.meetup.com/Stockholm-Azure-Meetup/events/265524268/
2. Who am I?
• Lead Cloud Solutions Architect at PwC Sweden
• Leading the Cloud Center for Enablement and the cloud-native transformation initiative for the organization
• Architecture Council at PwC
• Microsoft Azure Advisory group
• Blogger https://www.msajid.cloud/
• Speaker (Swetugg, APIDays, Azure meetup)
• Badminton
• Photography
• Ping pong
https://www.linkedin.com/in/musa/
https://twitter.com/sajid_nazeer
4.
1. What is Azure App Configuration and why should you care
2. Using App Configuration in .NET Core, ASP.NET Core and Azure Functions
3. Integration with Azure Key Vault and Event Grid
4. High availability: replication and failover using the import/export feature
5. Using App Configuration in Azure DevOps
6. ETA and pricing
7. Feature management
8. Key takeaways
6. What is Azure App Configuration
https://docs.microsoft.com/en-us/azure/azure-app-configuration/overview
• Centralize management and distribution of hierarchical configuration data
• At its core it is a key-value store
• Great fit for an event-driven microservices architecture
• Control feature availability in real time
• Cloud-native implementation of the "External configuration store" pattern
7. Why should we care
• Cloud-native applications are mostly polyglot microservices (different programming languages, technology stacks, etc.), but every microservice needs some kind of configuration
• The Twelve-Factor App methodology recommends separating configuration from code
https://12factor.net/config
https://content.pivotal.io/blog/beyond-the-twelve-factor-app
App Configuration supports:
• Namespaces
• Labeling
• Extensive queries
• Batch retrieval
• History
• Feature management
• Event-driven architecture
Further reading:
Beyond the Twelve-Factor App, Kevin Hoffman
https://learning.oreilly.com/library/view/beyond-the-twelve-factor/9781492042631/
Cloud Native Transformation, Pini Reznik et al.
https://www.amazon.in/Cloud-Native-Transformation-Pini-Reznik/dp/1492048909
8. External Configuration Store
https://docs.microsoft.com/en-us/azure/architecture/patterns/external-configuration-store
Move configuration information out of the application deployment package to a centralized location.
This pattern is useful for:
• Shared configuration between multiple applications or multiple instances of the same application
• A standard key-value configuration system
• Simplified administration and monitoring of configuration settings
18. Configuration and Key Vault client glue
• Key Vault client using Managed Identity for fetching secrets through the configuration provider
• Namespace/prefix to watch
• Trigger refresh only when the sentinel is changed, to avoid splicing (a request reading a mix of old and new values while keys are refreshed one at a time)
19. Role of a Sentinel
• A sentinel is just another key-value item in App Configuration
• It is used as a signal to the configuration provider client that one or more properties have changed
• The sentinel, like any other configuration item, is only checked for changes once the cache has expired. Cache expiry is 30 seconds by default
22. How does configuration refresh work at runtime?
Timer-based watch (old design)
• Configuration was kept in sync with Azure App Configuration by a watch mechanism that ran on a timer.
Flaws
• On-demand invocation not possible.
• Background activity even in dormant application instances.
• Polling.
Activity-based watch (new design)
• Uses a middleware to determine activity: the check for changes runs as part of handling an incoming request, and only once the cache has expired.
• Works only in ASP.NET Core (middleware dependency).
https://devblogs.microsoft.com/aspnet/redesigning-configuration-refresh-for-azure-app-configuration/?WT.mc_id=cloudnative-ch9-shboyer
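The wiring that slides 18, 19 and 22 describe (a prefix to watch, a sentinel key, and activity-based refresh through the middleware), as an added C# example that is not code from the deck. It assumes Microsoft.Extensions.Configuration.AzureAppConfiguration 4.x and Azure.Identity; the "TestApp:" prefix, the "TestApp:Sentinel" key and the "AppConfig:Endpoint" setting name are assumptions, not values from the slides.

```csharp
// Added example (not the deck's own code): ASP.NET Core host wiring for
// Azure App Configuration with a key prefix to watch, a sentinel key and
// activity-based (middleware) refresh.
// Assumed packages: Microsoft.Extensions.Configuration.AzureAppConfiguration 4.x,
// Azure.Identity. The "TestApp:" prefix, the "TestApp:Sentinel" key and the
// "AppConfig:Endpoint" setting name are assumptions.
using System;
using Azure.Identity;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Configuration.AzureAppConfiguration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public static class Program
{
    public static void Main(string[] args) => CreateHostBuilder(args).Build().Run();

    public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureAppConfiguration((ctx, config) =>
            {
                // Only the store endpoint lives in local settings; authentication
                // is the managed identity (or developer login) behind
                // DefaultAzureCredential, so no store access key ships with the app.
                string endpoint = config.Build()["AppConfig:Endpoint"]
                    ?? throw new InvalidOperationException("AppConfig:Endpoint is not set");

                config.AddAzureAppConfiguration(options =>
                {
                    options.Connect(new Uri(endpoint), new DefaultAzureCredential())
                           // Namespace/prefix to watch: unlabelled keys first...
                           .Select("TestApp:*", LabelFilter.Null)
                           // ...then environment-labelled overrides (last one wins).
                           .Select("TestApp:*", ctx.HostingEnvironment.EnvironmentName)
                           .ConfigureRefresh(refresh =>
                           {
                               // Watch only the sentinel. refreshAll: true reloads every
                               // selected key in one pass when the sentinel changes, so a
                               // request never sees a splice of old and new values.
                               refresh.Register("TestApp:Sentinel", refreshAll: true)
                                      // The sentinel is checked at most this often; the
                                      // provider default is 30 seconds.
                                      .SetCacheExpiration(TimeSpan.FromSeconds(30));
                           });
                });
            })
            .ConfigureWebHostDefaults(web => web.UseStartup<Startup>());
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Registers IConfigurationRefresherProvider used by the middleware below.
        services.AddAzureAppConfiguration();
        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app)
    {
        // Activity-based refresh: the sentinel check runs only when a request
        // arrives and the cache has expired. Dormant instances do no polling.
        app.UseAzureAppConfiguration();
        app.UseRouting();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}
```

To roll out a change atomically, update the individual keys first and bump the sentinel last (for example with `az appconfig kv set --name <store> --key TestApp:Sentinel --value <new-value>`); nothing is reloaded until the sentinel moves, and then everything selected is reloaded together.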
28. Azure Key Vault Integration
https://github.com/Azure/AppConfiguration-Announcements/issues/1#issue-504279728
October 8, 2019
Lisa Guthrie, Senior Program Manager
29. Azure Key Vault Integration
https://github.com/Azure/AppConfiguration-Announcements/issues/1#issue-504279728
• App Configuration and Key Vault are complementary services
• App Configuration allows you to create keys that reference the value of Key Vault secrets
• App Configuration stores the URI of the secret, not the value
• Client providers detect the key as a Key Vault reference and use a Key Vault client to retrieve the actual value of the secret
• App Configuration and Key Vault do not communicate with each other automatically
Lisa Guthrie, Senior Program Manager
30.
• The App Configuration provider uses a Key Vault client under the hood to fetch the value of a referenced secret.
• Refresh works for both App Configuration items and Key Vault secrets.
• Use the App Service token provider (AzureServiceTokenProvider) to get a token for accessing Key Vault; in current provider versions this is replaced by an Azure.Identity credential such as DefaultAzureCredential.
31.
• The App Configuration provider will not know that you deleted a secret from Key Vault until you restart: the resolved value is cached, so running instances neither crash nor reload other configuration items. (Newer provider versions add a secret refresh interval so that rotated or deleted secrets are noticed without a restart.)
32. How to handle transient errors?
https://docs.microsoft.com/en-us/azure/architecture/best-practices/transient-faults
• Due to the distributed nature of the cloud, transient faults are very common
• Handling transient errors is very important for building resilient applications
• Use Polly to add a retry policy while refreshing
33. Polly integration for transient errors using custom refresh middleware
Add the Polly NuGet package
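A custom refresh middleware of the kind slides 32 and 33 describe, as an added C# example that is not the deck's code. It assumes Polly 7.x and Microsoft.Extensions.Configuration.AzureAppConfiguration 4.x, and that services.AddAzureAppConfiguration() was called at startup; the retry count and back-off are illustrative choices.

```csharp
// Added example (not the deck's own code): a custom ASP.NET Core middleware
// that performs the App Configuration refresh inside a Polly retry policy.
// Assumed packages: Polly 7.x, Microsoft.Extensions.Configuration.AzureAppConfiguration 4.x
// (which brings in Azure.Core's RequestFailedException); assumes
// services.AddAzureAppConfiguration() was called at startup. Retry count and
// back-off are illustrative choices.
using System;
using System.Net.Http;
using System.Threading.Tasks;
using Azure;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration.AzureAppConfiguration;
using Microsoft.Extensions.Logging;
using Polly;
using Polly.Retry;

public class ResilientRefreshMiddleware
{
    private readonly RequestDelegate _next;
    private readonly IConfigurationRefresherProvider _refreshers;
    private readonly ILogger<ResilientRefreshMiddleware> _log;
    private readonly AsyncRetryPolicy _retry;

    public ResilientRefreshMiddleware(RequestDelegate next,
                                      IConfigurationRefresherProvider refreshers,
                                      ILogger<ResilientRefreshMiddleware> log)
    {
        _next = next;
        _refreshers = refreshers;
        _log = log;

        // Retry only what is plausibly transient: throttling (429), server-side
        // errors (5xx) and network faults. A 401/403 (wrong identity, missing
        // Key Vault access) is a configuration bug and must surface, not loop.
        _retry = Policy
            .Handle<RequestFailedException>(ex => ex.Status == 429 || ex.Status >= 500)
            .Or<HttpRequestException>()
            .WaitAndRetryAsync(
                retryCount: 3,
                sleepDurationProvider: attempt => TimeSpan.FromSeconds(Math.Pow(2, attempt)),
                onRetry: (ex, delay, attempt, _) =>
                    _log.LogWarning(ex, "Configuration refresh failed; retry {Attempt} in {Delay}", attempt, delay));
    }

    public async Task InvokeAsync(HttpContext context)
    {
        foreach (IConfigurationRefresher refresher in _refreshers.Refreshers)
        {
            try
            {
                // RefreshAsync throws on failure (TryRefreshAsync would swallow it),
                // which is what lets Polly decide whether to retry. It is a no-op
                // until the cache expiration configured at startup has elapsed.
                // The refresh updates process-wide state, so it is deliberately not
                // tied to this request's cancellation token.
                await _retry.ExecuteAsync(() => refresher.RefreshAsync());
            }
            catch (Exception ex) when (ex is RequestFailedException || ex is HttpRequestException)
            {
                // Retries exhausted: keep serving with the last known-good
                // configuration instead of failing the request.
                _log.LogError(ex, "Configuration refresh failed after retries; serving cached values");
            }
        }

        await _next(context);
    }
}

public static class ResilientRefreshExtensions
{
    // Use instead of app.UseAzureAppConfiguration(); place it early in the pipeline.
    public static IApplicationBuilder UseResilientAppConfigurationRefresh(this IApplicationBuilder app) =>
        app.UseMiddleware<ResilientRefreshMiddleware>();
}
```

The important design choice is the exception filter: retrying blindly on every exception turns an authorization failure into three slow failures per request, while retrying only 429/5xx and network faults keeps the retry budget for the faults that actually clear on their own.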
37. Claim check?
Also known as Reference-Based Messaging
https://www.enterpriseintegrationpatterns.com/patterns/messaging/StoreInLibrary.html
https://docs.microsoft.com/en-us/azure/architecture/patterns/claim-check
• Store the data in a different store and pass along a reference to the original data. The receiver is responsible for retrieving the original data from the store (in this case from Key Vault).
• The pattern can also be used if the payload should be accessed only by services that are authorized to see it (skinny payload).
A Key Vault reference in App Configuration is exactly this: the key-value holds the reference, and its content type tells the client to dereference it.
Reference:
{"uri":"https://abc1234keyvault.vault.azure.net/secrets/testsecret"}
Content Type:
application/vnd.microsoft.appconfig.keyvaultref+json;charset=utf-8
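Resolving such a reference by hand, the way slides 29 to 31 say the provider does under the hood, as an added C# example that is not the deck's code. This matters for tooling that reads the store with the raw Azure.Data.AppConfiguration SDK (a replicator, a configuration linter), which does not dereference for you. It assumes Azure.Data.AppConfiguration, Azure.Security.KeyVault.Secrets 4.1+ (for KeyVaultSecretIdentifier) and Azure.Identity; the store endpoint and the "TestApp:DbPassword" key are placeholders.

```csharp
// Added example (not the deck's own code): resolving a Key Vault reference
// by hand, the way the configuration provider does under the hood.
// Assumed packages: Azure.Data.AppConfiguration, Azure.Security.KeyVault.Secrets
// 4.1+, Azure.Identity. Store endpoint and key names are placeholders.
using System;
using System.Text.Json;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Data.AppConfiguration;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

public static class KeyVaultReferences
{
    // Content type that marks a key-value as a reference (the claim check).
    public const string ReferenceContentType =
        "application/vnd.microsoft.appconfig.keyvaultref+json;charset=utf-8";

    public static bool IsKeyVaultReference(ConfigurationSetting setting) =>
        setting.ContentType != null &&
        setting.ContentType.StartsWith("application/vnd.microsoft.appconfig.keyvaultref+json",
                                       StringComparison.OrdinalIgnoreCase);

    // The value is {"uri":"https://<vault>.vault.azure.net/secrets/<name>[/<version>]"}.
    // KeyVaultSecretIdentifier splits that into vault, name and optional version.
    public static KeyVaultSecretIdentifier ParseReference(string value)
    {
        using JsonDocument doc = JsonDocument.Parse(value);
        string uri = doc.RootElement.GetProperty("uri").GetString()
            ?? throw new FormatException("Key Vault reference has no uri");
        return new KeyVaultSecretIdentifier(new Uri(uri));
    }

    public static async Task<string> ResolveAsync(ConfigurationSetting setting, TokenCredential credential)
    {
        if (!IsKeyVaultReference(setting))
            return setting.Value;                 // ordinary key-value, nothing to dereference

        KeyVaultSecretIdentifier id = ParseReference(setting.Value);

        // App Configuration never talks to Key Vault: the caller's identity is
        // what the vault authorises, so it needs secret 'get' on this vault.
        var secrets = new SecretClient(id.VaultUri, credential);
        try
        {
            KeyVaultSecret secret = await secrets.GetSecretAsync(id.Name, id.Version);
            return secret.Value;
        }
        catch (RequestFailedException ex) when (ex.Status == 404)
        {
            // Dangling reference (secret deleted or mistyped): fail loudly instead
            // of silently falling back to a stale or empty value.
            throw new InvalidOperationException(
                $"'{setting.Key}' references missing secret '{id.Name}' in {id.VaultUri}", ex);
        }
    }

    public static async Task Main()
    {
        var credential = new DefaultAzureCredential();
        var store = new ConfigurationClient(new Uri("https://abc1234configstore.azconfig.io"), credential);

        ConfigurationSetting setting = await store.GetConfigurationSettingAsync("TestApp:DbPassword");
        string value = await ResolveAsync(setting, credential);
        Console.WriteLine(IsKeyVaultReference(setting)
            ? $"{setting.Key}: reference to {ParseReference(setting.Value).Name}, resolved {value.Length} chars"
            : $"{setting.Key}: inline value");
    }
}
```

When you use the configuration provider instead of the raw SDK, the same resolution is configured with options.ConfigureKeyVault(kv => kv.SetCredential(...)) in provider 4.x, and kv.SetSecretRefreshInterval(...) bounds how long a rotated or deleted secret goes unnoticed without a restart.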
43. Event-driven Sync
• Use Event Grid to receive changes and replicate configuration items to a secondary store
• Use a special Sync Sentinel if you want to control when the sync happens
• Use the App Configuration SDK to replicate configuration items using C#
45. Configure Event Grid for receiving the Sync Sentinel signal
• Apply a filter so that events are received only when the Sync Sentinel is changed
• Filter on subject suffix match
• You can specify empty labels as %00
• api-version is always included in the subject
46. Receive events in a bus, in storage or directly in an Azure Function
Use the App Configuration SDK to manage key-value pairs; you can use ConfigurationClient to replicate the primary store to the secondary store
47.
The replicator function takes a primary and a secondary connection.
Replicate only when you receive the "Sync Sentinel" trigger via Event Grid.
using Azure.Data.AppConfiguration;
// Id and Secret below are placeholders: keep a real access key out of source and prefer a managed identity.
string primaryConnection = "Endpoint=https://abc1234configstore.azconfig.io;Id=XXXX;Secret=YYYYYYY";
var primary = new ConfigurationClient(primaryConnection);
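The replicator that slides 43 to 47 outline, as an added C# example that is not the deck's code: an Azure Function fired by the Event Grid event for the Sync Sentinel, copying every key-value from the primary store to the secondary. It assumes the in-process Functions model with Microsoft.Azure.WebJobs.Extensions.EventGrid 3.x, Azure.Data.AppConfiguration and Azure.Identity; the PRIMARY_ENDPOINT/SECONDARY_ENDPOINT setting names, the "TestApp:SyncSentinel" key and the "TestApp:" prefix are assumptions.

```csharp
// Added example (not the deck's own code): an Azure Function triggered by the
// Event Grid event for the Sync Sentinel that copies every key-value from the
// primary store to the secondary. Assumed packages: Microsoft.Azure.WebJobs.
// Extensions.EventGrid 3.x (in-process model), Azure.Data.AppConfiguration,
// Azure.Identity. The endpoint setting names, the "TestApp:SyncSentinel" key
// and the "TestApp:" prefix are assumptions.
using System;
using System.Threading.Tasks;
using Azure.Data.AppConfiguration;
using Azure.Identity;
using Azure.Messaging.EventGrid;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.EventGrid;
using Microsoft.Extensions.Logging;

public static class Replicator
{
    public const string SyncSentinelKey = "TestApp:SyncSentinel";

    // One managed identity with read access on the primary and write access on
    // the secondary; no store access keys in code or app settings.
    private static readonly DefaultAzureCredential Credential = new DefaultAzureCredential();
    private static readonly ConfigurationClient Primary =
        new ConfigurationClient(new Uri(Environment.GetEnvironmentVariable("PRIMARY_ENDPOINT")), Credential);
    private static readonly ConfigurationClient Secondary =
        new ConfigurationClient(new Uri(Environment.GetEnvironmentVariable("SECONDARY_ENDPOINT")), Credential);

    [FunctionName("Replicator")]
    public static async Task Run([EventGridTrigger] EventGridEvent evt, ILogger log)
    {
        // The Event Grid subscription filter should already limit delivery to the
        // sentinel; re-check here so a misconfigured filter cannot cause a full
        // copy on every key change.
        if (!IsSyncSentinelEvent(evt.Subject, evt.EventType))
        {
            log.LogInformation("Ignoring {EventType} for {Subject}", evt.EventType, evt.Subject);
            return;
        }

        int copied = await ReplicateAsync(Primary, Secondary, "TestApp:*");
        log.LogInformation("Replicated {Count} settings to the secondary store", copied);
    }

    // Subject has the form https://<store>.azconfig.io/kv/<key>?label=<label>&api-version=...
    public static bool IsSyncSentinelEvent(string subject, string eventType)
    {
        if (eventType != "Microsoft.AppConfiguration.KeyValueModified") return false;
        string path = Uri.UnescapeDataString(new Uri(subject).AbsolutePath);
        return path == "/kv/" + SyncSentinelKey;
    }

    public static async Task<int> ReplicateAsync(ConfigurationClient from, ConfigurationClient to, string keyFilter)
    {
        var selector = new SettingSelector { KeyFilter = keyFilter, LabelFilter = SettingSelector.Any };
        ConfigurationSetting sentinel = null;
        int count = 0;

        await foreach (ConfigurationSetting s in from.GetConfigurationSettingsAsync(selector))
        {
            if (s.Key == SyncSentinelKey) { sentinel = s; continue; }   // written last, see below
            await to.SetConfigurationSettingAsync(Clone(s));
            count++;
        }

        // Write the sentinel only after all values have landed, so consumers of
        // the secondary store (watching the same sentinel) refresh into a
        // complete, consistent set rather than a half-copied one.
        if (sentinel != null)
            await to.SetConfigurationSettingAsync(Clone(sentinel));
        return count;
    }

    // Copies key, value, label, content type and tags. A Key Vault reference is
    // copied as a reference: readers of the secondary store still need their own
    // permission on the vault.
    private static ConfigurationSetting Clone(ConfigurationSetting s)
    {
        var copy = new ConfigurationSetting(s.Key, s.Value, s.Label) { ContentType = s.ContentType };
        foreach (var tag in s.Tags) copy.Tags[tag.Key] = tag.Value;
        return copy;
    }
}
```

The Event Grid subscription on the primary store should use an event-type filter for Microsoft.AppConfiguration.KeyValueModified and a subject-suffix filter ending in the sentinel key, with label=%00 for the empty label and the api-version parameter as it appears in a sample event, as slide 45 describes. Two caveats: a full copy does not propagate deletions made on the primary (handle KeyValueDeleted separately, or remove secondary keys absent from the primary), and the function's identity needs read on the primary and write on the secondary, but no Key Vault access, because references are copied as references.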
54. GA and Pricing
Azure App Configuration Service is planned to be Generally Available in January 2020
October 26, 2019
Lisa Guthrie, Senior Program Manager
55. ETA and Pricing
Tier              Free                     Standard
Stores            1 / subscription         Unlimited
Keys              1000 or 1 MB / store     20000 or 1 GB / store
History           7 days                   30 days
Requests / day    1000                     Unlimited
SLA               N/A                      99.9%
Cost              Free                     US$1.20/day, plus US$0.06 per 10,000 additional requests
64. • Create separate stores if you want to control permissions separately
• If permissions are not a concern, use one multi-tenant store
65. • Another reason to have multiple stores is disaster recovery
https://docs.microsoft.com/en-us/azure/azure-app-configuration/concept-disaster-recovery
66. • Beware of the key storage and request limits per store
• Beware of the limit on the number of stores per subscription
67. • It is possible to store a secret directly in App Configuration, but use Key Vault instead: it is designed for that use case (access policies, audit, rotation), and App Configuration then holds only a reference
69. • If an environment cannot fetch configuration at runtime (for example because of a firewall), inject the configuration at deployment time using Azure DevOps
70. • Listen to configuration changes using Azure Event Grid and react accordingly
• Use managed identity for authentication
71. • Sync configuration to multiple stores for high availability and disaster recovery
• A Key Vault reference is copied as a reference, not a value: the identity reading from each store needs its own permission on the Key Vault
• Use a Sync Sentinel