Solution Idea
If you'd like to see us expand this article with more information, such as potential use cases, alternative services, implementation considerations, or pricing guidance, let us know with GitHub Feedback!
Cloud-based applications often run on multiple virtual machines or containers in multiple regions, and use multiple external services. Creating a robust and scalable application in a distributed environment presents a significant challenge. Azure App Configuration lets you manage and store all your app's configuration settings and feature flags, and secure access settings, in one place.
App Configuration works seamlessly with Azure Key Vault, which stores passwords, keys, and secrets for secure access. This article presents best practices for using App Configuration and Key Vault in development and Azure environments.
Potential use cases
While any application can use Azure App Configuration, the following types of applications benefit most from it:
- Microservices based on Azure Kubernetes Service, Azure Service Fabric, or other containerized apps deployed in one or more geographies
- Serverless apps, which include Azure Functions or other event-driven stateless compute apps
- Apps that use a continuous deployment (CD) pipeline
Architecture
The following diagrams show how Azure App Configuration and Azure Key Vault can work together to manage and secure apps in Development and Azure environments.
Development environment
In the development environment, the app uses an identity via Visual Studio or Azure CLI 2.0 to sign in and send an authentication request to Azure Active Directory (Azure AD).
Azure staging or production environment
The Azure staging and production environments use an Azure Managed Service Identity (MSI) for sign-in and authentication.
Download a Visio file of this architecture.
Data flow
- The application sends an authentication request during debugging in Visual Studio, or authenticates via the MSI in Azure.
- Upon successful authentication, Azure AD returns an access token.
- The App Configuration SDK sends a request with the access token to read the app's App Configuration KeyVault secretURI value for the app's key vault.
- Upon successful authorization, App Configuration sends the configuration value.
- Using the sign-in identity, the app sends a request to Azure Key Vault to retrieve the application secret for the secretURI that App Configuration sent.
- Upon successful authorization, Key Vault returns the secret value.
Considerations
It's best to use a different key vault for each application in each environment: development, Azure pre-production, and Azure production. Using different vaults helps prevent sharing secrets across environments, and reduces the threat in case of a breach.
To use these scenarios, the sign-in identity must have the App Configuration Data Reader role in the App Configuration resource, and have explicit access policies for retrieving the secrets in Azure Key Vault.
Components
- Azure Active Directory: A universal platform to manage and secure identities.
- Azure App Configuration: Store configurations for all your Azure apps in a universal, hosted location.
- Azure Managed Service Identity: Managed identities provide an identity for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication.
- Azure Key Vault: Safeguard cryptographic keys and other secrets that are used by cloud apps and services.
Next steps
Learn more about the component technologies: