Centralized app configuration and security

Microsoft Entra ID
Azure App Configuration
Azure Key Vault

Solution ideas

This article is a solution idea.

This article outlines a solution for creating a robust and scalable application in a distributed environment. The solution uses Azure App Configuration and Azure Key Vault to manage and store app configuration settings, feature flags, and secure access settings in one place.

Architecture

The following diagrams show how App Configuration and Key Vault can work together to manage and secure apps in development and Azure environments.

Development environment

In the development environment, the app uses an identity via Visual Studio or version 2.0 of the Azure CLI to sign in and send an authentication request to Microsoft Entra ID.

Architecture diagram that shows how an app signs in and authenticates in a development environment.


Azure staging or production environment

The Azure staging and production environments use a managed identity for sign-in and authentication.

Architecture diagram that shows how an app signs in and authenticates in a staging or production environment.


Dataflow

  1. The application sends an authentication request during debugging in Visual Studio, or authenticates via the managed identity (MSI) in Azure.
  2. Upon successful authentication, Microsoft Entra ID returns an access token.
  3. The App Configuration SDK sends a request, carrying the access token, to read the App Configuration setting that holds the Key Vault secret URI (secretURI) for the app's key vault.
  4. Upon successful authorization, App Configuration sends the configuration value.
  5. Using the sign-in identity, the app sends a request to Key Vault to retrieve the application secret at the secretURI that App Configuration returned.
  6. Upon successful authorization, Key Vault returns the secret value.
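Steps 3 to 6 in code, as an added example that is not part of this article or the Azure SDK: a setting whose content type marks it as a Key Vault reference is parsed for its secretURI, and the secret is fetched through an injected function that stands in for the authenticated Key Vault call. The `ConfigurationSetting` class, the `fake_vault_fetch` function, the vault host names and the secret values are constructed for the example; the reference content type is the one App Configuration assigns to such settings. The resolver also enforces the per-environment vault rule from the Considerations section by rejecting references into any other vault.

```python
import json
from dataclasses import dataclass
from typing import Callable, Dict, List
from urllib.parse import urlparse

# Media type App Configuration assigns to a setting that is a Key Vault reference.
KEYVAULT_REF_TYPE = "application/vnd.microsoft.appconfig.keyvaultref+json"

@dataclass
class ConfigurationSetting:  # constructed stand-in for the SDK's setting object
    key: str
    value: str
    content_type: str = ""

def is_keyvault_reference(setting: ConfigurationSetting) -> bool:
    # Compare the media type only; ignore parameters such as ";charset=utf-8".
    return setting.content_type.split(";")[0].strip() == KEYVAULT_REF_TYPE

def secret_uri(setting: ConfigurationSetting) -> str:
    """Return the secretURI held in a Key Vault reference setting (dataflow step 4)."""
    if not is_keyvault_reference(setting):
        raise ValueError(f"{setting.key!r} is not a Key Vault reference")
    return json.loads(setting.value)["uri"]

def resolve_settings(settings: List[ConfigurationSetting],
                     fetch_secret: Callable[[str], str],
                     allowed_vault_host: str) -> Dict[str, str]:
    """Resolve references via fetch_secret (stands in for the authenticated
    Key Vault call, steps 5 and 6); plain settings pass through unchanged."""
    resolved: Dict[str, str] = {}
    for s in settings:
        if not is_keyvault_reference(s):
            resolved[s.key] = s.value
            continue
        uri = urlparse(secret_uri(s))
        # Only follow https references into this environment's own vault.
        if uri.scheme != "https" or uri.hostname != allowed_vault_host:
            raise ValueError(f"{s.key!r} references {uri.hostname!r}, expected {allowed_vault_host!r}")
        resolved[s.key] = fetch_secret(uri.geturl())
    return resolved

# Constructed sample data: one plain setting and one Key Vault reference.
SAMPLE_SETTINGS = [
    ConfigurationSetting("App:Environment", "production"),
    ConfigurationSetting("App:DbPassword",
                         json.dumps({"uri": "https://contoso-prod-kv.vault.azure.net/secrets/DbPassword"}),
                         KEYVAULT_REF_TYPE + ";charset=utf-8"),
]
FAKE_VAULT = {"https://contoso-prod-kv.vault.azure.net/secrets/DbPassword": "p@ss-constructed"}

def fake_vault_fetch(uri: str) -> str:  # constructed stand-in for the Key Vault secret client
    return FAKE_VAULT[uri]
```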

Components

  • Microsoft Entra ID is a universal platform for managing and securing identities.
  • App Configuration provides a way to store configurations for all your Azure apps in a universal, hosted location.
  • Managed identities provide an identity for applications to use when connecting to resources that support Microsoft Entra authentication.
  • Key Vault safeguards cryptographic keys and other secrets that are used by cloud apps and services.

Scenario details

Cloud-based applications often run on multiple virtual machines or containers in multiple regions, and use multiple external services. Creating a robust and scalable application in a distributed environment presents a significant challenge.

By using App Configuration, you can manage and store all your app's configuration settings, feature flags, and secure access settings in one place. App Configuration works seamlessly with Key Vault, which stores passwords, keys, and secrets for secure access.

Potential use cases

Any application can use App Configuration, but the following types of applications benefit most from it:

  • Microservices running on Azure Kubernetes Service (AKS) or other containerized apps that are deployed in one or more regions.
  • Serverless apps, which include Azure Functions or other event-driven stateless compute apps.
  • Apps that use a continuous deployment (CD) pipeline.

Considerations

These considerations implement the pillars of the Azure Well-Architected Framework, which is a set of guiding tenets that can be used to improve the quality of a workload. For more information, see Microsoft Azure Well-Architected Framework.

  • It's best to use a different key vault for each application in each environment: development, Azure pre-production, and Azure production. Using different vaults helps prevent sharing secrets across environments, and reduces threats in the event of a breach.

  • To use these scenarios, the sign-in identity must have the App Configuration Data Reader role in the App Configuration resource, and have explicit access policies for retrieving the secrets in Key Vault.

Contributors

This article is maintained by Microsoft. It was originally written by the following contributors.

Principal author:

Next steps

Learn more about the component technologies: