Configure a Linux Java app for Azure App Service

Azure App Service on Linux lets Java developers to quickly build, deploy, and scale their Tomcat or Java Standard Edition (SE) packaged web applications on a fully managed Linux-based service. Deploy applications with Maven plugins from the command line or in editors like IntelliJ, Eclipse, or Visual Studio Code.

This guide provides key concepts and instructions for Java developers who use a built-in Linux container in App Service. If you've never used Azure App Service, follow the Java quickstart and Java with PostgreSQL tutorial first.

Deploying your app

You can use Maven Plugin for Azure App Service to deploy both .jar and .war files. Deployment with popular IDEs is also supported with Azure Toolkit for IntelliJ or Azure Toolkit for Eclipse.

Otherwise, your deployment method will depend on your archive type:

  • To deploy .war files to Tomcat, use the /api/wardeploy/ endpoint to POST your archive file. For more information on this API, please see this documentation.
  • To deploy .jar files on the Java SE images, use the /api/zipdeploy/ endpoint of the Kudu site. For more information on this API, please see this documentation.

Do not deploy your .war or .jar using FTP. The FTP tool is designed to upload startup scripts, dependencies, or other runtime files. It is not the optimal choice for deploying web apps.

Logging and debugging apps

Performance reports, traffic visualizations, and health checkups are available for each app through the Azure portal. For more information, see Azure App Service diagnostics overview.

SSH console access

To make open a direct SSH session with your container, your app should be running.

Paste the following URL into your browser and replace <app-name> with your app name:


If you're not yet authenticated, you're required to authenticate with your Azure subscription to connect. Once authenticated, you see an in-browser shell, where you can run commands inside your container.

SSH connection


Any changes you make outside the /home directory are stored in the container itself and don't persist beyond an app restart.

To open a remote SSH session from your local machine, see Open SSH session from remote shell.

Stream diagnostic logs

You can access the console logs generated from inside the container. First, turn on container logging by running the following command in the Cloud Shell:

az webapp log config --name <app-name> --resource-group myResourceGroup --docker-container-logging filesystem

Once container logging is turned on, run the following command to see the log stream:

az webapp log tail --name <app-name> --resource-group myResourceGroup

If you don't see console logs immediately, check again in 30 seconds.


You can also inspect the log files from the browser at https://<app-name>

To stop log streaming at any time, type Ctrl+C.

For more information, see Streaming logs with the Azure CLI.

App logging

Enable application logging through the Azure portal or Azure CLI to configure App Service to write your application's standard console output and standard console error streams to the local filesystem or Azure Blob Storage. Logging to the local App Service filesystem instance is disabled 12 hours after it is configured. If you need longer retention, configure the application to write output to a Blob storage container. Your Java and Tomcat app logs can be found in the /home/LogFiles/Application/ directory.

If your application uses Logback or Log4j for tracing, you can forward these traces for review into Azure Application Insights using the logging framework configuration instructions in Explore Java trace logs in Application Insights.

Troubleshooting tools

The built-in Java images are based on the Alpine Linux operating system. Use the apk package manager to install any troubleshooting tools or commands.

Flight Recorder

All Linux Java images on App Service have Zulu Flight Recorder installed so you can easily connect to the JVM and start a profiler recording or generate a heap dump.

Timed Recording

To get started, SSH into your App Service and run the jcmd command to see a list of all the Java processes running. In addition to jcmd itself, you should see your Java application running with a process ID number (pid).

078990bbcd11:/home# jcmd
116 /home/site/wwwroot/app.jar

Execute the command below to start a 30-second recording of the JVM. This will profile the JVM and create a JFR file named jfr_example.jfr in the home directory. (Replace 116 with the pid of your Java app.)

jcmd 116 JFR.start name=MyRecording settings=profile duration=30s filename="/home/jfr_example.jfr"

During the 30 second interval, you can validate the recording is taking place by running jcmd 116 JFR.check. This will show all recordings for the given Java process.

Continuous Recording

You can use Zulu Flight Recorder to continuously profile your Java application with minimal impact on runtime performance (source). To do so, run the following Azure CLI command to create an App Setting named JAVA_OPTS with the necessary configuration. The contents of the JAVA_OPTS App Setting are passed to the java command when your app is started.

az webapp config appsettings set -g <your_resource_group> -n <your_app_name> --settings JAVA_OPTS=-XX:StartFlightRecording=disk=true,name=continuous_recording,dumponexit=true,maxsize=1024m,maxage=1d

Once the recording has started, you can dump the current recording data at any time using the JFR.dump command.

jcmd <pid> JFR.dump name=continuous_recording filename="/home/recording1.jfr"

For more information, please see the Jcmd Command Reference.

Analyzing Recordings

Use FTPS to download your JFR file to your local machine. To analyze the JFR file, download and install Zulu Mission Control. For instructions on Zulu Mission Control, see the Azul documentation and the installation instructions.

Customization and tuning

Azure App Service for Linux supports out of the box tuning and customization through the Azure portal and CLI. Review the following articles for non-Java-specific web app configuration:

Set Java runtime options

To set allocated memory or other JVM runtime options in both the Tomcat and Java SE environments, create an app setting named JAVA_OPTS with the options. App Service Linux passes this setting as an environment variable to the Java runtime when it starts.

In the Azure portal, under Application Settings for the web app, create a new app setting named JAVA_OPTS that includes the additional settings, such as -Xms512m -Xmx1204m.

To configure the app setting from the Maven plugin, add setting/value tags in the Azure plugin section. The following example sets a specific minimum and maximum Java heap size:

        <value>-Xms512m -Xmx1204m</value>

Developers running a single application with one deployment slot in their App Service plan can use the following options:

  • B1 and S1 instances: -Xms1024m -Xmx1024m
  • B2 and S2 instances: -Xms3072m -Xmx3072m
  • B3 and S3 instances: -Xms6144m -Xmx6144m

When tuning application heap settings, review your App Service plan details and take into account multiple applications and deployment slot needs to find the optimal allocation of memory.

If you are deploying a JAR application, it should be named app.jar so that the built-in image can correctly identify your app. (The Maven plugin does this renaming automatically.) If you do not wish to rename your JAR to app.jar, you can upload a shell script with the command to run your JAR. Then paste the full path to this script in the Startup File textbox in the Configuration section of the portal. The startup script does not run from the directory into which it is placed. Therefore, always use absolute paths to reference files in your startup script (for example: java -jar /home/myapp/myapp.jar).

Turn on web sockets

Turn on support for web sockets in the Azure portal in the Application settings for the application. You'll need to restart the application for the setting to take effect.

Turn on web socket support using the Azure CLI with the following command:

az webapp config set --name <app-name> --resource-group <resource-group-name> --web-sockets-enabled true

Then restart your application:

az webapp stop --name <app-name> --resource-group <resource-group-name>
az webapp start --name <app-name> --resource-group <resource-group-name>

Set default character encoding

In the Azure portal, under Application Settings for the web app, create a new app setting named JAVA_OPTS with value -Dfile.encoding=UTF-8.

Alternatively, you can configure the app setting using the App Service Maven plugin. Add the setting name and value tags in the plugin configuration:


Adjust startup timeout

If your Java application is particularly large, you should increase the startup time limit. To do this, create an application setting, WEBSITES_CONTAINER_START_TIME_LIMIT and set it to the number of seconds that App Service should wait before timing out. The maximum value is 1800 seconds.

Pre-Compile JSP files

To improve performance of Tomcat applications, you can compile your JSP files before deploying to App Service. You can use the Maven plugin provided by Apache Sling, or using this Ant build file.

Secure applications

Java applications running in App Service for Linux have the same set of security best practices as other applications.

Authenticate users (Easy Auth)

Set up app authentication in the Azure portal with the Authentication and Authorization option. From there, you can enable authentication using Azure Active Directory or social logins like Facebook, Google, or GitHub. Azure portal configuration only works when configuring a single authentication provider. For more information, see Configure your App Service app to use Azure Active Directory login and the related articles for other identity providers. If you need to enable multiple sign-in providers, follow the instructions in the customize App Service authentication article.

Tomcat and Wildfly

Your Tomcat or Wildfly application can access the user's claims directly from the servlet by casting the Principal object to a Map object. The Map object will map each claim type to a collection of the claims for that type. In the code below, request is an instance of HttpServletRequest.

Map<String, Collection<String>> map = (Map<String, Collection<String>>) request.getUserPrincipal();

Now you can inspect the Map object for any specific claim. For example, the following code snippet iterates through all the claim types and prints the contents of each collection.

for (Object key : map.keySet()) {
        Object value = map.get(key);
        if (value != null && value instanceof Collection {
            Collection claims = (Collection) value;
            for (Object claim : claims) {

To sign users out, use the /.auth/ext/logout path. To perform other actions, please see the documentation on App Service Authentication and Authorization usage. There is also official documentation on the Tomcat HttpServletRequest interface and its methods. The following servlet methods are also hydrated based on your App Service configuration:

public boolean isSecure()
public String getRemoteAddr()
public String getRemoteHost()
public String getScheme()
public int getServerPort()

To disable this feature, create an Application Setting named WEBSITE_AUTH_SKIP_PRINCIPAL with a value of 1. To disable all servlet filters added by App Service, create a setting named WEBSITE_SKIP_FILTERS with a value of 1.

Spring Boot

Spring Boot developers can use the Azure Active Directory Spring Boot starter to secure applications using familiar Spring Security annotations and APIs. Be sure to increase the maximum header size in your file. We suggest a value of 16384.

Configure TLS/SSL

Follow the instructions in the Bind an existing custom SSL certificate to upload an existing SSL certificate and bind it to your application's domain name. By default your application will still allow HTTP connections-follow the specific steps in the tutorial to enforce SSL and TLS.

Use KeyVault References

Azure KeyVault provides centralized secret management with access policies and audit history. You can store secrets (such as passwords or connection strings) in KeyVault and access these secrets in your application through environment variables.

First, follow the instructions for granting your app access to Key Vault and making a KeyVault reference to your secret in an Application Setting. You can validate that the reference resolves to the secret by printing the environment variable while remotely accessing the App Service terminal.

To inject these secrets in your Spring or Tomcat configuration file, use environment variable injection syntax (${MY_ENV_VAR}). For Spring configuration files, please see this documentation on externalized configurations.

Configure APM platforms

This section shows how to connect Java applications deployed on Azure App Service on Linux with the NewRelic and AppDynamics application performance monitoring (APM) platforms.

Configure New Relic

  1. Create a NewRelic account at
  2. Download the Java agent from NewRelic, it will have a file name similar to
  3. Copy your license key, you'll need it to configure the agent later.
  4. SSH into your App Service instance and create a new directory /home/site/wwwroot/apm.
  5. Upload the unpacked NewRelic Java agent files into a directory under /home/site/wwwroot/apm. The files for your agent should be in /home/site/wwwroot/apm/newrelic.
  6. Modify the YAML file at /home/site/wwwroot/apm/newrelic/newrelic.yml and replace the placeholder license value with your own license key.
  7. In the Azure portal, browse to your application in App Service and create a new Application Setting.
    • If your app is using Java SE, create an environment variable named JAVA_OPTS with the value -javaagent:/home/site/wwwroot/apm/newrelic/newrelic.jar.
    • If you're using Tomcat, create an environment variable named CATALINA_OPTS with the value -javaagent:/home/site/wwwroot/apm/newrelic/newrelic.jar.
    • If you're using WildFly, see the New Relic documentation here for guidance about installing the Java agent and JBoss configuration.

Configure AppDynamics

  1. Create an AppDynamics account at
  2. Download the Java agent from the AppDynamics website, the file name will be similar to
  3. SSH into your App Service instance and create a new directory /home/site/wwwroot/apm.
  4. Upload the Java agent files into a directory under /home/site/wwwroot/apm. The files for your agent should be in /home/site/wwwroot/apm/appdynamics.
  5. In the Azure portal, browse to your application in App Service and create a new Application Setting.
    • If you're using Java SE, create an environment variable named JAVA_OPTS with the value -javaagent:/home/site/wwwroot/apm/appdynamics/javaagent.jar -Dappdynamics.agent.applicationName=<app-name> where <app-name> is your App Service name.
    • If you're using Tomcat, create an environment variable named CATALINA_OPTS with the value -javaagent:/home/site/wwwroot/apm/appdynamics/javaagent.jar -Dappdynamics.agent.applicationName=<app-name> where <app-name> is your App Service name.
    • If you're using WildFly, see the AppDynamics documentation here for guidance about installing the Java agent and JBoss configuration.

If you already have an environment variable for JAVA_OPTS or CATALINA_OPTS, append the -javaagent:/... option to the end of the current value.

Configure JAR Applications

Starting JAR Apps

By default, App Service expects your JAR application to be named app.jar. If it has this name, it will be run automatically. For Maven users, you can set the JAR name by including <finalName>app</finalName> in the <build> section of your pom.xml. You can do the same in Gradle by setting the archiveFileName property.

If you want to use a different name for your JAR, you must also provide the Startup Command that executes your JAR file. For example, java -jar my-jar-app.jar. You can set the value for your Startup Command in the Portal, under Configuration > General Settings, or with an Application Setting named STARTUP_COMMAND.

Server Port

App Service Linux routes incoming requests to port 80, so your application should listen on port 80 as well. You can do this in your application's configuration (such as Spring's file), or in your Startup Command (for example, java -jar spring-app.jar --server.port=80). Please see the following documentation for common Java frameworks:

Data sources


These instructions apply to all database connections. You will need to fill placeholders with your chosen database's driver class name and JAR file. Provided is a table with class names and driver downloads for common databases.

Database Driver Class Name JDBC Driver
PostgreSQL org.postgresql.Driver Download
MySQL com.mysql.jdbc.Driver Download (Select "Platform Independent")
SQL Server Download

To configure Tomcat to use Java Database Connectivity (JDBC) or the Java Persistence API (JPA), first customize the CATALINA_OPTS environment variable that is read in by Tomcat at start-up. Set these values through an app setting in the App Service Maven plugin:

        <value>"$CATALINA_OPTS -Ddbuser=${DBUSER} -Ddbpassword=${DBPASSWORD} -DconnURL=${CONNURL}"</value>

Or set the environment variables in the Configuration > Application Settings page in the Azure portal.

Next, determine if the data source should be available to one application or to all applications running on the Tomcat servlet.

Application-level data sources

  1. Create a context.xml file in the META-INF/ directory of your project. Create the META-INF/ directory if it does not exist.

  2. In context.xml, add a Context element to link the data source to a JNDI address. Replace the driverClassName placeholder with your driver's class name from the table above.

            driverClassName="<insert your driver class name>"
  3. Update your application's web.xml to use the data source in your application.


Shared server-level resources

  1. Copy the contents of /usr/local/tomcat/conf into /home/tomcat/conf on your App Service Linux instance using SSH if you don't have a configuration there already.

    mkdir -p /home/tomcat
    cp -a /usr/local/tomcat/conf /home/tomcat/conf
  2. Add a Context element in your server.xml within the <Server> element.

            driverClassName="<insert your driver class name>"
  3. Update your application's web.xml to use the data source in your application.


Finalize configuration

Finally, place the driver JARs in the Tomcat classpath and restart your App Service.

  1. Ensure that the JDBC driver files are available to the Tomcat classloader by placing them in the /home/tomcat/lib directory. (Create this directory if it does not already exist.) To upload these files to your App Service instance, perform the following steps:

    1. In the Cloud Shell, install the webapp extension:
    az extension add -–name webapp
    1. Run the following CLI command to create an SSH tunnel from your local system to App Service:
    az webapp remote-connection create --resource-group <resource-group-name> --name <app-name> --port <port-on-local-machine>
    1. Connect to the local tunneling port with your SFTP client and upload the files to the /home/tomcat/lib folder.

    Alternatively, you can use an FTP client to upload the JDBC driver. Follow these instructions for getting your FTP credentials.

  2. If you created a server-level data source, restart the App Service Linux application. Tomcat will reset CATALINA_HOME to /home/tomcat/conf and use the updated configuration.

Spring Boot

To connect to data sources in Spring Boot applications, we suggest creating connection strings and injecting them into your file.

  1. In the "Configuration" section of the App Service page, set a name for the string, paste your JDBC connection string into the value field, and set the type to "Custom". You can optionally set this connection string as slot setting.

    This connection string is accessible to our application as an environment variable named CUSTOMCONNSTR_<your-string-name>. For example, the connection string we created above will be named CUSTOMCONNSTR_exampledb.

  2. In your file, reference this connection string with the environment variable name. For our example, we would use the following.


Please see the Spring Boot documentation on data access and externalized configurations for more information on this topic.

Configure Java EE (WildFly)


Java Enterprise Edition on App Service Linux is currently in Preview. This stack is not recommended for production-facing work. information on our Java SE and Tomcat stacks.

Azure App Service on Linux lets Java developers to build, deploy, and scale Java Enterprise (Java EE) applications on a fully managed Linux-based service. The underlying Java Enterprise runtime environment is the open-source WildFly application server.

This section contains the following subsections:

Scale with App Service

The WildFly application server running in App Service on Linux runs in standalone mode, not in a domain configuration. When you scale out the App Service Plan, each WildFly instance is configured as a standalone server.

Scale your application vertically or horizontally with scale rules and by increasing your instance count.

Customize application server configuration

Web App instances are stateless, so each new instance started must be configured on startup to support the WildFly configuration needed by application. You can write a startup Bash script to call the WildFly CLI to:

  • Set up data sources
  • Configure messaging providers
  • Add other modules and dependencies to the WildFly server configuration.

The script runs when WildFly is up and running, but before the application starts. The script should use the JBOSS CLI called from /opt/jboss/wildfly/bin/ to configure the application server with any configuration or changes needed after the server starts.

Do not use the interactive mode of the CLI to configure WildFly. Instead, you can provide a script of commands to the JBoss CLI using the --file command, for example:

/opt/jboss/wildfly/bin/ -c --file=/path/to/your/jboss_commands.cli

Use FTP to upload the startup script to a location in your App Service instance under your /home directory, such as /home/site/deployments/tools. For more info, see Deploy your app to Azure App Service using FTP/S.

Set the Startup Script field in the Azure portal to the location of your startup shell script, for example /home/site/deployments/tools/

Supply app settings in the application configuration to pass environment variables for use in the script. Application settings keep connection strings and other secrets needed to configure your application out of version control.

Install modules and dependencies

To install modules and their dependencies into the WildFly classpath via the JBoss CLI, you will need to create the following files in their own directory. Some modules and dependencies might need additional configuration such as JNDI naming or other API-specific configuration, so this list is a minimum set of what you'll need to configure a dependency in most cases.

  • An XML module descriptor. This XML file defines the name, attributes, and dependencies of your module. This example module.xml file defines a Postgres module, its JAR file JDBC dependency, and other module dependencies required.
  • Any necessary JAR file dependencies for your module.
  • A script with your JBoss CLI commands to configure the new module. This file will contain your commands to be executed by the JBoss CLI to configure the server to use the dependency. For documentation on the commands to add modules, datasources, and messaging providers, refer to this document.
  • A Bash startup script to call the JBoss CLI and execute the script in the previous step. This file will be executed when your App Service instance is restarted or when new instances are provisioned during a scale-out. This startup script is where you can perform any other configurations for your application as the JBoss commands are passed to the JBoss CLI. At minimum, this file can be a single command to pass your JBoss CLI command script to the JBoss CLI:
/opt/jboss/wildfly/bin/ -c --file=/path/to/your/jboss_commands.cli

Once you have the files and content for your module, follow the steps below to add the module to the WildFly application server.

  1. Use FTP to upload your files to a location in your App Service instance under your /home directory, such as /home/site/deployments/tools. For more info, see Deploy your app to Azure App Service using FTP/S.
  2. In the Configuration > General settings page of the Azure portal, set the Startup Script field to the location of your startup shell script, for example /home/site/deployments/tools/
  3. Restart your App Service instance by pressing the Restart button in the Overview section of the portal or using the Azure CLI.

Configure data sources

To configure WildFly/JBoss to access a data source, you use the general process outlined above in the "Install modules and dependencies" section. The following section provides specific details on this process for PostgreSQL, MySQL, and SQL Server data sources.

This section assumes you already have an app, an App Service instance, and an Azure Database service instance. The instructions below refer to your App Service name, its resource group, and your database connection info. You can find this information on the Azure portal.

If you prefer to go through the entire process from the beginning using a sample app, see Tutorial: Build a Java EE and Postgres web app in Azure.

The following steps explain the requirements for connecting your existing App Service and database.

  1. Download the JDBC driver for PostgreSQL, MySQL, or SQL Server. Unpack the downloaded archive to get the driver .jar file.

  2. Create a file with a name like module.xml and add the following markup. Replace the <module name> placeholder (including the angle brackets) with org.postgres for PostgreSQL, com.mysql for MySQL, or for SQL Server. Replace <JDBC .jar file path> with the name of the .jar file from the previous step, including the full path to the location you will place the file in your App Service instance. This can be any location under the /home directory.

    <?xml version="1.0" ?>
    <module xmlns="urn:jboss:module:1.1" name="<module name>">
           <resource-root path="<JDBC .jar file path>" />
            <module name="javax.api"/>
            <module name="javax.transaction.api"/>
  3. Create a file with a name like datasource-commands.cli and add the following code. Replace <JDBC .jar file path> with the value you used in the previous step. Replace <module file path> with the file name and App Service path from the previous step, for example /home/module.xml.


    module add --name=org.postgres --resources=<JDBC .jar file path> --module-xml=<module file path>
    data-source add --name=postgresDS --driver-name=postgres --jndi-name=java:jboss/datasources/postgresDS --connection-url=$DATABASE_CONNECTION_URL --user-name=$DATABASE_SERVER_ADMIN_FULL_NAME --password=$DATABASE_SERVER_ADMIN_PASSWORD --use-ccm=true --max-pool-size=5 --blocking-timeout-wait-millis=5000 --enabled=true --driver-class=org.postgresql.Driver --exception-sorter-class-name=org.jboss.jca.adapters.jdbc.extensions.postgres.PostgreSQLExceptionSorter --jta=true --use-java-context=true --valid-connection-checker-class-name=org.jboss.jca.adapters.jdbc.extensions.postgres.PostgreSQLValidConnectionChecker
    reload --use-current-server-config=true


    module add --name=com.mysql --resources=<JDBC .jar file path> --module-xml=<module file path>
    data-source add --name=mysqlDS --jndi-name=java:jboss/datasources/mysqlDS --connection-url=$DATABASE_CONNECTION_URL --driver-name=mysql --user-name=$DATABASE_SERVER_ADMIN_FULL_NAME --password=$DATABASE_SERVER_ADMIN_PASSWORD --use-ccm=true --max-pool-size=5 --blocking-timeout-wait-millis=5000 --enabled=true --driver-class=com.mysql.cj.jdbc.Driver --jta=true --use-java-context=true --exception-sorter-class-name=com.mysql.cj.jdbc.integration.jboss.ExtendedMysqlExceptionSorter
    reload --use-current-server-config=true

    SQL Server

    module add --resources=<JDBC .jar file path> --module-xml=<module file path>
    data-source add --name=sqlDS --jndi-name=java:jboss/datasources/sqlDS --driver-name=sqlserver --connection-url=$DATABASE_CONNECTION_URL --validate-on-match=true --background-validation=false --valid-connection-checker-class-name=org.jboss.jca.adapters.jdbc.extensions.mssql.MSSQLValidConnectionChecker --exception-sorter-class-name=org.jboss.jca.adapters.jdbc.extensions.mssql.MSSQLExceptionSorter
    reload --use-current-server-config=true

    This file is run by the startup script described in the next step. It installs the JDBC driver as a WildFly module, creates the corresponding WildFly data source, and reloads the server to ensure the changes will take effect.

  4. Create a file with a name like and add the following code. Replace <JBoss CLI script> with the name of the file you created in the previous step. Be sure to include the full path to the location you will place the file in your App Service instance, for example /home/datasource-commands.cli.

    #!/usr/bin/env bash
    /opt/jboss/wildfly/bin/ -c --file=<JBoss CLI script>
  5. Use FTP to upload the JDBC .jar file, the module XML file, the JBoss CLI script, and the startup script to your App Service instance. Put these files in the location you specified in the previous steps, such as /home. For more info on FTP, see Deploy your app to Azure App Service using FTP/S.

  6. Use the Azure CLI to add settings to your App Service that hold your database connection info. Replace <resource group> and <webapp name> with the values your App Service uses. Replace <database server name>, <database name>, <admin name>, and <admin password> with your database connection info. You can get your App Service and database info from the Azure portal.


    az webapp config appsettings set \
        --resource-group <resource group> \
        --name <webapp name> \
        --settings \
            DATABASE_CONNECTION_URL=jdbc:postgresql://<database server name>:5432/<database name>?ssl=true \
            DATABASE_SERVER_ADMIN_FULL_NAME=<admin name> \
            DATABASE_SERVER_ADMIN_PASSWORD=<admin password>


    az webapp config appsettings set \
        --resource-group <resource group> \
        --name <webapp name> \
        --settings \
            DATABASE_CONNECTION_URL=jdbc:mysql://<database server name>:3306/<database name>?ssl=true\&useLegacyDatetimeCode=false\&serverTimezone=GMT \
            DATABASE_SERVER_ADMIN_FULL_NAME=<admin name> \
            DATABASE_SERVER_ADMIN_PASSWORD=<admin password>

    SQL Server:

    az webapp config appsettings set \
        --resource-group <resource group> \
        --name <webapp name> \
        --settings \
            DATABASE_CONNECTION_URL=jdbc:sqlserver://<database server name>:1433;database=<database name>;user=<admin name>;password=<admin password>;encrypt=true;trustServerCertificate=false;hostNameInCertificate=*;loginTimeout=30;

    The DATABASE_CONNECTION_URL values are different for each database server, and different than the values on the Azure portal. The URL formats shown here (and in the snippets above) are required for use by WildFly:

    • PostgreSQL: jdbc:postgresql://<database server name>:5432/<database name>?ssl=true
    • MySQL: jdbc:mysql://<database server name>:3306/<database name>?ssl=true\&useLegacyDatetimeCode=false\&serverTimezone=GMT
    • SQL Server: jdbc:sqlserver://<database server name>:1433;database=<database name>;user=<admin name>;password=<admin password>;encrypt=true;trustServerCertificate=false;hostNameInCertificate=*;loginTimeout=30;
  7. In the Azure portal, navigate to your App Service and find the Configuration > General settings page. Set the Startup Script field to the name and location of your startup script, for example /home/

The next time your App Service restarts, it will run the startup script and perform the necessary configuration steps. To test that this configuration occurs correctly, you can access your App Service using SSH and then run the startup script yourself from the Bash prompt. You can also examine the App Service logs. For more info about these options, see Logging and debugging apps.

Next, you will need to update the WildFly configuration for your app and redeploy it. Use the following steps:

  1. Open the src/main/resources/META-INF/persistence.xml file for your app and find the <jta-data-source> element. Replace its contents as shown here:





    SQL Server

  2. Rebuild and redeploy your app using the following command at the Bash prompt:

    mvn package -DskipTests azure-webapp:deploy
  3. Restart your App Service instance by pressing the Restart button in the Overview section of the Azure portal or by using the Azure CLI.

Your App Service instance is now configured to access your database.

For more info on configuring database connectivity with WildFly, see PostgreSQL, MySQL, or SQL Server.

Enable messaging providers

To enable message driven Beans using Service Bus as the messaging mechanism:

  1. Use the Apache QPId JMS messaging library. Include this dependency in your pom.xml (or other build file) for the application.

  2. Create Service Bus resources. Create an Azure Service Bus namespace and queue within that namespace and a Shared Access Policy with send and receive capabilities.

  3. Pass the shared access policy key to your code either by URL-encoding the primary key of your policy or Use the Service Bus SDK.

  4. Follow the steps outlined in the Installing Modules and Dependencies section with your module XML descriptor, .jar dependencies, JBoss CLI commands, and startup script for the JMS provider. In addition to the four files, you will also need to create an XML file that defines the JNDI name for the JMS queue and topic. See this repository for reference configuration files.

Configure session management caching

By default App Service on Linux will use session affinity cookies to ensure that client requests with existing sessions are routed the same instance of your application. This default behavior requires no configuration but has some limitations:

  • If an application instance is restarted or scaled down, the user session state in the application server will be lost.
  • If applications have long session time out settings or a fixed number of users, it can take some time for autoscaled new instances to receive load since only new sessions will be routed to the newly started instances.

You can configure WildFly to use an external session store such as Azure Cache for Redis. You will need to disable the existing ARR Instance Affinity configuration to turn off the session cookie-based routing and allow the configured WildFly session store to operate without interference.

Docker containers

To use the Azure-supported Zulu JDK in your containers, make sure to pull and use the pre-built images as documented from the supported Azul Zulu Enterprise for Azure download page or use the Dockerfile examples from the Microsoft Java GitHub repo.

Statement of support

Runtime availability

App Service for Linux supports two runtimes for managed hosting of Java web applications:

  • The Tomcat servlet container for running applications packaged as web archive (WAR) files. Supported versions are 8.5 and 9.0.
  • Java SE runtime environment for running applications packaged as Java archive (JAR) files. Supported versions are Java 8 and 11.

JDK versions and maintenance

Azul Zulu Enterprise builds of OpenJDK are a no-cost, multi-platform, production-ready distribution of the OpenJDK for Azure and Azure Stack backed by Microsoft and Azul Systems. They contain all the components for building and running Java SE applications. You can install the JDK from Java JDK Installation.

Supported JDKs are automatically patched on a quarterly basis in January, April, July, and October of each year.

Security updates

Patches and fixes for major security vulnerabilities will be released as soon as they become available from Azul Systems. A "major" vulnerability is defined by a base score of 9.0 or higher on the NIST Common Vulnerability Scoring System, version 2.

Deprecation and retirement

If a supported Java runtime will be retired, Azure developers using the affected runtime will be given a deprecation notice at least six months before the runtime is retired.

Next steps

Visit the Azure for Java Developers center to find Azure quickstarts, tutorials, and Java reference documentation.

General questions about using App Service for Linux that aren't specific to the Java development are answered in the App Service Linux FAQ.