Azure App Service: PaaS Web Hosting Guide
Azure App Service is a fully managed PaaS for web apps: there are no servers, OS patches, or load balancers to manage. It supports .NET, Node.js, Python, Java, PHP, Ruby, and Go. Deploy from GitHub, Azure DevOps, or Docker. It offers auto-scale, deployment slots (zero-downtime), and built-in Microsoft Entra ID authentication. Admins manage it through the Azure portal, monitor it with Azure Monitor + Application Insights, and secure it with Microsoft Defender for Cloud.
App Service Plans
| Tier | vCPU | RAM | Storage | Custom Domain | SSL | Slots | Auto-scale | Price/month |
|---|---|---|---|---|---|---|---|---|
| Free (F1) | Shared | 1 GB | 1 GB | ❌ | ❌ | ❌ | ❌ | $0 |
| Basic (B1) | 1 | 1.75 GB | 10 GB | ✅ | ✅ | ❌ | ❌ | ~$13 |
| Standard (S1) | 1 | 1.75 GB | 50 GB | ✅ | ✅ | 5 | ✅ | ~$70 |
| Premium (P1v3) | 2 | 8 GB | 250 GB | ✅ | ✅ | 20 | ✅ | ~$125 |
| Isolated (I1v2) | 2 | 8 GB | 1 TB | ✅ | ✅ | 20 | ✅ | ~$350 |
Choosing the right tier:
Development/Testing:
→ Free (F1) or Basic (B1)
→ No SLA, shared resources
→ Good for: dev, staging, POC
Production (small):
→ Standard (S1)
→ 99.95% SLA
→ Deployment slots (staging → swap → production)
→ Auto-scale up to 10 instances
→ Good for: SMB apps, internal tools
Production (high-traffic):
→ Premium (P1v3/P2v3/P3v3)
→ More CPU/RAM
→ 30 instances max
→ VNet integration
→ Good for: customer-facing apps, APIs
Compliance/Isolation:
→ Isolated (ASE - App Service Environment)
→ Dedicated hardware
→ Full network isolation (VNet)
→ Good for: banking, healthcare, government
Deploy Methods
| Method | Complexity | CI/CD | Best For |
|---|---|---|---|
| Azure Portal (ZIP) | Easy | ❌ | Quick test |
| VS Code extension | Easy | ❌ | Developer local |
| GitHub Actions | Medium | ✅ | GitHub repos |
| Azure DevOps | Medium | ✅ | Enterprise teams |
| Docker container | Medium | ✅ | Containerized apps |
| Azure CLI | Medium | ✅ | Scripted deploys |
| FTP | Easy | ❌ | Legacy (not recommended) |
Deploy with GitHub Actions:
1. Azure portal → App Service → Deployment Center
2. Source: GitHub
3. Authorize GitHub → select repo + branch
4. Build provider: GitHub Actions
5. Azure auto-creates .github/workflows/azure-deploy.yml
6. Push to main → auto-deploy → live in minutes
Workflow file example (.NET):
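```yaml
name: Deploy to Azure
on:
  push:
    branches: [main]
jobs:
  build-deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Build step: produces the ./publish folder that is deployed below
      - run: dotnet publish -c Release -o ./publish
      # Deploy using the publish profile stored as a repository secret
      - uses: azure/webapps-deploy@v3
        with:
          app-name: 'my-app'
          publish-profile: ${{ secrets.AZURE_PUBLISH_PROFILE }}
          package: './publish'
```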
Deploy with Docker:
→ Azure portal → App Service → Container settings
→ Image source: Docker Hub, Azure Container Registry, or private
→ Image: myregistry.azurecr.io/myapp:latest
→ Continuous deployment: ON (webhook auto-deploy on new image)
Deployment Slots
Deployment slots = zero-downtime deployments:
How it works:
Production slot: app.azurewebsites.net (LIVE)
Staging slot: app-staging.azurewebsites.net (TEST)
1. Deploy NEW version to staging slot
2. Test staging thoroughly
3. Swap staging ↔ production (instant, zero-downtime)
4. If issues → swap back (instant rollback)
Configuration:
→ Azure portal → App Service → Deployment slots → + Add Slot
→ Name: "staging"
→ Clone from: Production (copies settings)
Sticky settings (per-slot):
→ Connection strings (staging DB vs production DB)
→ App settings marked as "slot setting"
→ Custom domains (production only)
→ Auth settings (different for staging)
Slot traffic routing:
→ Route 10% traffic to staging (canary deployment)
→ Monitor errors → if OK → route 100% → swap
→ Settings: Deployment slots → Traffic % → staging: 10
Custom Domain & SSL
Custom domain setup:
1. Azure portal → App Service → Custom domains
2. + Add custom domain → enter: app.company.com
3. Validate: add DNS records:
→ CNAME: app → myapp.azurewebsites.net (for subdomains)
→ A record: @ → App Service IP (for root domain)
→ TXT: asuid → verification ID
4. Validate → Add
SSL certificate:
→ Free managed certificate (Azure-issued, auto-renew)
→ OR: upload custom certificate (PFX)
→ OR: import from Azure Key Vault
→ Enforce HTTPS: Custom domains → HTTPS Only = ON
Multiple domains:
→ app.company.com → main app
→ api.company.com → API endpoints
→ admin.company.com → admin panel
→ All pointing to same App Service (or different slots)
Authentication (Easy Auth)
| Provider | Setup | Use Case |
|---|---|---|
| Microsoft Entra ID | 1-click | Employee apps (SSO with M365) |
| | OAuth client ID | Consumer apps |
| | App ID | Social login |
| GitHub | OAuth app | Developer tools |
| Custom OIDC | Any OIDC provider | Enterprise IdP |
Easy Auth = built-in auth, NO code changes:
Setup:
1. Azure portal → App Service → Authentication
2. + Add identity provider → Microsoft
3. Select: Current tenant (employees)
4. Save
Result:
→ EVERY request requires Microsoft Entra ID login
→ No anonymous access
→ User info available via: X-MS-CLIENT-PRINCIPAL header
→ Token: X-MS-TOKEN-AAD-ACCESS-TOKEN header
→ No code changes needed!
Advanced:
→ Allow unauthenticated: redirect to login
→ Return 401/403 for APIs
→ Combine with Conditional access policies
→ Managed identity for backend API calls
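An added example (not from the original page) of how application code can read the X-MS-CLIENT-PRINCIPAL header that Easy Auth injects: it decodes the Base64 JSON, fails closed on anything malformed, and makes a group-based authorization decision. The function names and the sample group ID are assumptions, and the header is only trustworthy when requests reach the app through App Service with authentication required.

```python
import base64
import json

ADMIN_GROUP = "00000000-0000-0000-0000-000000000001"  # constructed placeholder group ID

def parse_client_principal(header_value):
    """Decode X-MS-CLIENT-PRINCIPAL (Base64 JSON); return None if malformed."""
    if not header_value:
        return None
    try:
        doc = json.loads(base64.b64decode(header_value, validate=True).decode("utf-8"))
    except (ValueError, TypeError):  # bad Base64, bad UTF-8 and bad JSON are ValueErrors
        return None
    if not isinstance(doc, dict) or not isinstance(doc.get("claims"), list):
        return None
    claims = {}
    for item in doc["claims"]:  # each claim is {"typ": ..., "val": ...}
        if isinstance(item, dict) and isinstance(item.get("typ"), str):
            claims.setdefault(item["typ"], []).append(str(item.get("val", "")))
    name_typ = doc.get("name_typ")
    if not isinstance(name_typ, str):
        name_typ = "name"
    return {
        "provider": doc.get("auth_typ"),
        "name": (claims.get(name_typ) or [None])[0],
        "groups": set(claims.get("groups", [])),
    }

def is_authorized(headers, required_group):
    """Fail closed: deny unless an Entra ID principal carries the required group."""
    # headers is a plain dict here; real frameworks match header names case-insensitively
    principal = parse_client_principal(headers.get("X-MS-CLIENT-PRINCIPAL"))
    return (principal is not None and principal["provider"] == "aad"
            and required_group in principal["groups"])

def build_sample_header(groups, name="Example User"):
    """Constructed sample of what Easy Auth would send (for offline testing only)."""
    doc = {"auth_typ": "aad", "name_typ": "name", "role_typ": "roles",
           "claims": [{"typ": "name", "val": name}]
                     + [{"typ": "groups", "val": g} for g in groups]}
    return base64.b64encode(json.dumps(doc).encode("utf-8")).decode("ascii")
```

Easy Auth establishes who the user is; deciding what that user may do, here by group membership, remains the application's job.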
Scaling
Vertical scaling (Scale Up):
→ More CPU/RAM per instance
→ B1 → S1 → P1v3 → P2v3
→ Minutes to change
→ Good for: predictable load increase
Horizontal scaling (Scale Out):
→ More instances (1 → 5 → 10 → 30)
→ Load balanced automatically
→ Auto-scale rules:
→ CPU > 70% for 5 minutes → add 1 instance
→ CPU < 30% for 10 minutes → remove 1 instance
→ Schedule: weekdays 3 instances, weekends 1
→ Custom metric: requests/sec > 1000 → add instance
Setup auto-scale:
1. Azure portal → App Service → Scale out
2. Custom autoscale
3. + Add rule:
→ Metric: CPU Percentage
→ Operator: Greater than 70
→ Duration: 5 minutes
→ Action: Increase count by 1
→ Cool down: 5 minutes
4. Instance limits: Min 1, Max 10, Default 2
5. Save
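To see how these rules behave over time, this added example (not from the original page, and a simplified model rather than Azure's autoscale engine) replays the scale-out and scale-in rules, cool-down, and instance limits above against a constructed CPU trace. The function names, the one-sample-per-minute averaging, and the single shared cool-down are assumptions.

```python
from statistics import mean

def simulate_autoscale(cpu_per_minute, start=2, minimum=1, maximum=10,
                       out_above=70, out_window=5,
                       in_below=30, in_window=10, cooldown=5):
    """Return the instance count after each minute of CPU samples.

    Simplified model (assumption): one averaged CPU sample per minute and
    one shared cool-down for both rules; not Azure's actual engine.
    """
    count, last_action, timeline = start, None, []
    for minute in range(len(cpu_per_minute)):
        seen = cpu_per_minute[: minute + 1]
        cooling = last_action is not None and minute - last_action < cooldown
        if not cooling:
            # Scale out: CPU above threshold for the whole window, below max
            if (len(seen) >= out_window and mean(seen[-out_window:]) > out_above
                    and count < maximum):
                count, last_action = count + 1, minute
            # Scale in: CPU below threshold for the whole window, above min
            elif (len(seen) >= in_window and mean(seen[-in_window:]) < in_below
                    and count > minimum):
                count, last_action = count - 1, minute
        timeline.append(count)
    return timeline

def minutes_to_reach(timeline, target):
    """First minute index at which the instance count reaches target, else None."""
    for minute, count in enumerate(timeline):
        if count >= target:
            return minute
    return None

# Constructed load: 45 minutes of sustained 90% CPU, then 20 quiet minutes.
SPIKE = [90] * 45 + [10] * 20

if __name__ == "__main__":
    result = simulate_autoscale(SPIKE)
    print("reached max at minute", minutes_to_reach(result, 10))
    print("instances at end:", result[-1])
```

In this model, adding one instance per action with a 5-minute cool-down means sustained load takes until minute 39 to grow from the default 2 instances to the maximum of 10, which is worth weighing when choosing the default count for spike-prone apps.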
App Service Deployment Checklist
- Choose App Service Plan tier (Free/Basic/Standard/Premium)
- Create App Service (Azure portal or CLI)
- Configure runtime stack (.NET, Node.js, Python)
- Setup deployment method (GitHub Actions recommended)
- Add custom domain + SSL certificate
- Enable authentication (Easy Auth with Entra ID)
- Configure environment variables (App settings)
- Setup deployment slots (staging + production)
- Configure auto-scale rules
- Enable Application Insights monitoring
- Setup backup schedule
- Configure diagnostic logging
- Review security (Microsoft Defender for Cloud)
FAQ
1) App Service vs Azure VM: when should you use which?
App Service is for web apps (90% of cases); VMs are for full OS control. App Service (PaaS): zero server management, auto-patching, built-in scaling, deploys in minutes. VM (IaaS): full control, install any software, configure the OS, but you must manage patches, security, networking, and backup. Use App Service for: web apps (.NET, Node.js, Python), REST APIs, static sites. Use a VM for: legacy Windows apps (that need a specific OS configuration), custom services (RDP access), software that does not support PaaS. Cost comparison: App Service S1 ~$70/mo vs VM B2s ~$30/mo, but a VM also needs a managed disk, IP, and backup ($40-80 extra). Admins monitor both through Azure Monitor + Microsoft Defender for Cloud.
2) Does App Service support WebSocket and Server-Sent Events?
Yes. WebSocket is supported on all tiers. Enable: Azure portal → App Service → Configuration → General → Web sockets = ON. Limitations: Free tier: max 5 concurrent WebSocket connections (test only). Basic+: unlimited connections (bounded by plan resources). Load balancing: App Service auto-handles WebSocket sticky sessions (ARR affinity). Server-Sent Events (SSE): supported, as long-running HTTP connections. SignalR: Azure SignalR Service recommended (managed, scales to millions). Admins monitor connections through Application Insights → Live Metrics.
3) How does zero-downtime deployment work?
Deployment slots + swap = zero-downtime. Deploy the new version to the staging slot (users keep using production). Test staging thoroughly. Click "Swap" → Azure instantly routes traffic from production → staging (a DNS/routing swap, no restart). If there is a problem → click "Swap" again → instant rollback. Under the hood: the swap changes routing rules and does not move files, so it is instant. Pre-warm: before the swap, Azure sends requests to staging → warms up caches, JIT compile. Sticky settings: connection strings are per-slot → staging uses the staging DB, production uses the production DB. Admin setup: Standard tier or higher (Free/Basic have no slots).
4) Does a custom domain come with free SSL?
Yes. The Azure managed certificate is completely free. Azure portal → App Service → Custom domains → Binding → "Free App Service Managed Certificate". Azure issues the SSL cert itself and auto-renews it before expiry. Supported: single domain (app.company.com), subdomains. NOT supported: wildcard (*.company.com), which needs a custom cert or Azure Key Vault. Enforce HTTPS: Custom domains → HTTPS Only = ON → all HTTP requests auto-redirect to HTTPS. Custom cert: upload a PFX or import from Azure Key Vault (recommended for enterprise: centralized cert management).
5) Can App Service integrate with Microsoft Entra ID for SSO?
Yes. Easy Auth, 1-click setup, no code needed. Azure portal → App Service → Authentication → Add Microsoft provider → select tenant → done. All users must log in through Microsoft Entra ID before accessing the app. SSO: users already logged in to M365 (Teams, Outlook) → auto-login to the app (no password prompt). Combine with Conditional access: require MFA, block unmanaged devices, location-based. User info: the app receives headers (X-MS-CLIENT-PRINCIPAL) containing the user's email, name, groups. Managed Identity: the app calls Azure resources (SQL, Storage, Key Vault) without credentials; Entra ID handles auth. Admins manage registered apps through Microsoft Entra admin center → App registrations.
Take Action Today
- Create an App Service Plan (Standard S1) and deploy a sample app from GitHub to test the CI/CD pipeline end-to-end
- Enable Application Insights, configure a custom domain + managed SSL certificate, and test a deployment slot swap
Conclusion
Azure App Service is the fastest path to production for web apps. There are no servers, OS patches, or load balancers to manage; Azure handles all of it. GitHub Actions CI/CD → push to main → auto-deploy. Deployment slots give zero-downtime deployments + instant rollback. Free SSL certificate + custom domain. Easy Auth integrates Microsoft Entra ID SSO with no code. Auto-scale handles traffic spikes automatically.
Admins monitor through Application Insights and secure through Microsoft Defender for Cloud. Start: Free tier (dev) → Standard (production) → Premium (high-traffic). In Vietnam, App Service is the best choice for businesses that want to run web apps on Azure without managing complex infrastructure.