If you want to give your tenants the ability to create Web, Mobile, and API applications with their Azure Stack subscription, you must add an App Service Resource Provider to your Azure Stack deployment. To do so, follow these steps:
- Download required components.
- Create certificates to be used by App Service on Azure Stack.
- Use the installer to download, stage, and install App Service.
- Validate App Service Installation.
- Configure Single Sign On for Kudu and the Azure Functions Portal.
- Test Drive the App Service Resource Provider.
Download the required components
- Download the App Service on Azure Stack preview installer.
- Download the App Service on Azure Stack deployment helper scripts.
- Extract the files from the helper scripts zip file. Once extracted the following files and folder structure
Create certificates required by App Service on Azure Stack
This first script works with the Azure Stack certificate authority to create three certificates that are needed by App Service. Run the script on the ClientVM ensuring you are running PowerShell as azurestack\AzureStackAdmin:
- In a PowerShell session running as azurestack\AzureStackAdmin, execute the Create-AppServiceCerts.ps1 script from the folder that you extracted the helper scripts into. The script creates three certificates, in the same folder as the create certificates script, that are needed by App Service.
- Enter a password to secure the pfx files and make a note of it as you need to enter it in the App Service on Azure Stack Installer.
| Parameter | Required or optional | Default value | Description |
| --- | --- | --- | --- |
| pfxPassword | Required | null | Password used to protect the certificate private key |
| DomainName | Required | local.azurestack.external | Azure Stack Region and Domain Suffix |
| CertificateAuthority | Required | MAS-CA01.azurestack.local | Certificate Authority Endpoint |
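The installer verifies the certificate password later on, so it is worth checking the generated files before you start it. The following PowerShell is an added example, not part of the helper scripts or the original page: the `.pfx` file names are assumed from the certificate names mentioned on this page, and `$CertFolder` is a hypothetical variable for the folder the certificates were written to.

```powershell
# Added example, not part of the App Service helper scripts.
$CertFolder = '.'                          # hypothetical: folder holding the generated certificates
$DomainName = 'local.azurestack.external'  # default DomainName from the parameter table

# Prompt for the password so it does not end up in command history or a transcript.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Assumed file names, built from the certificate names mentioned on this page.
$expected = '_.appservice', 'api.appservice', 'sso.appservice' |
    ForEach-Object { '{0}.{1}.pfx' -f $_, $DomainName }

$report = foreach ($name in $expected) {
    $path = Join-Path -Path $CertFolder -ChildPath $name
    $row  = [ordered]@{ File = $name; Status = 'OK'; DnsName = $null; Issuer = $null; NotAfter = $null }

    if (-not (Test-Path -LiteralPath $path)) {
        $row.Status = 'Missing'
    }
    else {
        try {
            # Opening the PFX fails if the password is wrong or the file is damaged.
            $full = (Resolve-Path -LiteralPath $path).ProviderPath
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full, $pfxPassword
            $row.DnsName  = $cert.GetNameInfo('DnsName', $false)
            $row.Issuer   = $cert.Issuer
            $row.NotAfter = $cert.NotAfter
            if (-not $cert.HasPrivateKey)            { $row.Status = 'NoPrivateKey' }
            elseif ($cert.NotAfter  -lt (Get-Date))  { $row.Status = 'Expired' }
            elseif ($cert.NotBefore -gt (Get-Date))  { $row.Status = 'NotYetValid' }
            $cert.Reset()   # release the key material loaded from the PFX
        }
        catch {
            $row.Status = 'CannotOpen'
        }
    }
    [pscustomobject]$row
}

$report | Format-Table -AutoSize
if ($report.Status -ne 'OK') {
    Write-Warning 'Resolve the certificates flagged above before running the installer.'
}
```

Compare the Issuer column against the certificate authority you passed to Create-AppServiceCerts.ps1.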
Use the installer to download and install App Service on Azure Stack
The appservice.exe installer will:
- Prompt you to accept the Microsoft and third-party EULAs.
- Collect Azure Stack deployment information.
- Create a blob container in the Azure Stack storage account specified.
- Download the files needed to install the App Service resource provider.
- Prepare the install to deploy the App Service resource provider in the Azure Stack environment.
- Upload the files to the App Service storage account.
- Deploy the App Service Resource Provider.
- Create DNS Zone and Entries for App Service.
- Register the App Service Resource Provider.
- Register the App Service Gallery Items.
The following steps guide you through the installation stages:
You MUST use an elevated account (local or domain administrator) to execute the installer. If you sign in as azurestack\azurestackuser, you will be prompted for elevated credentials.
- Run appservice.exe as azurestack\AzureStackAdmin.
- Click Deploy App Service on your Azure Stack cloud.
- Review and accept the Microsoft Software Pre-Release License Terms, and then click Next.
- Review and accept the third-party license terms, and then click Next.
Review the App Cloud Service configuration information and click Next.
The App Service on Azure Stack Installer provides the default values for a One Node Azure Stack Installation. If you have customized any of the options when you deployed Azure Stack, for example domain suffix, you need to edit the values in this window accordingly. For example, if you are using the domain suffix mycloud.com your Admin ARM endpoint would need to change to adminmanagement.[region].mycloud.com
Click Connect (Next to the Azure Stack Subscriptions box).
- If you are using AAD, then you must provide your Azure Active Directory Service Admin account and password, and then Click Sign In. You must enter the Azure Active Directory account that you provided when you deployed Azure Stack.
- If you are using ADFS, then you must provide your Admin Account (for example firstname.lastname@example.org) and password and then Click Sign In.
- Click the Down Arrow on the right side of the box next to Azure Stack Subscriptions and then select your subscription.
- Click the Down Arrow on the right side of the box next to Azure Stack Locations, select the location corresponding to the region you are deploying (for example, Local), and then click Next.
- Enter the Resource Group Name for your App Service deployment. By default, this is set to APPSERVICE-LOCAL.
- Enter the Storage Account Name you would like App Service to create as part of the installation. By default this is set to appsvclocalstor.
- Review the SQL Server details and make changes if necessary. By default, the SQL Server name is populated with the default SQL RP information, but you can change the location of the SQL Server for App Service to suit your needs. Click Next and the installer will validate the SQL connection properties and move to the next step.
- Click Browse next to the App Service Default SSL Certificate File and navigate to the _.appservice.local.AzureStack.external certificate created earlier. If you specified a different location and domain suffix when creating certificates, then select the corresponding certificate.
- Enter the certificate password that you set when you created the certificates.
- Click Browse next to the Resource Provider SSL Certificate File and navigate to the api.appservice.local.AzureStack.external certificate created earlier. If you specified a different location and domain suffix when creating certificates, then select the corresponding certificate.
- Enter the certificate password that you set when you created the certificates.
- Click Browse next to the Resource Provider Root Certificate File and navigate to the AzureStackCertificationAuthority certificate created earlier.
- Click Next. The installer verifies the certificate password provided.
Review the App Service Role Configuration. The defaults are populated with the minimum recommended instance SKUs for each role. A summary of core and memory requirements is provided to help plan your deployment. Once you have made your selections, click Next to advance.
- Controller: By default 1 Standard A1 instance is selected. This is the minimum we recommend. The Controller role is responsible for managing and maintaining the health of the App Service cloud.
- Management: By default 1 Standard A2 instance is selected. To provide failover we recommend two instances. The Management role is responsible for the App Service ARM and API endpoints, Portal Extensions (Admin, Tenant, Functions Portal), and the Data Service.
- Publisher: By default 1 Standard A1 instance is selected. This is the minimum we recommend. The Publisher role is responsible for publishing content via FTP and Web Deploy.
- FrontEnd: By default 1 Standard A1 instance is selected. This is the minimum we recommend. The Frontend role is responsible for routing requests to App Service Applications.
- Shared Worker: By default 1 Standard A1 instance is selected but you may wish to add more. You as an administrator can define your offering and as such can choose any tier of SKU but they must have a minimum of one core. The Shared Worker is responsible for hosting Web/Mobile/API applications and Azure Function Apps.
In the technical previews the App Service RP installer also deploys a Standard A1 instance to operate as a simple File Server to support the farm. This will remain for single node PoC but for Production workloads at GA the App Service installer will enable the use of a HA File Server.
Select the Windows Server 2016 VM image to use for the App Service cloud from those available in the Compute Resource Provider, and then click Next.
- Provide the Username and Password you would like to configure for the Worker Roles within the App Service Cloud, and then provide the Username and Password you would like to configure for all other App Service roles and click Next.
- The summary listing displays the result of all of the selections you have made for verification. If you wish to make any changes navigate back through the screens and amend the selections. If the configuration is as desired check the checkbox and click Next.
- The installer begins the deployment of App Service on Azure Stack.
- The final step of deploying App Service on Azure Stack will take about 45-60 minutes to complete based on the default selections.
- After the installer successfully completes, click Exit.
Validate App Service on Azure Stack Installation
- In the Azure Stack Admin portal, browse to the Resource Group created by the installer. By default, this is APPSERVICE-LOCAL.
- Locate the CN0-VM and connect to the VM by clicking connect in the Virtual Machine blade.
- On the desktop of this VM, double-click the Web Cloud Management Console.
- Navigate to Managed Servers.
- When all the machines except one or more Workers are Ready, proceed to the next step.
- Close the remote desktop machine and return to the machine you executed the App Service installer from.
> [!NOTE]
> You do not need to wait for one or more Workers to be marked as Ready to complete the installation of App Service on Azure Stack; however, you need a minimum of one worker ready to deploy a Web/Mobile/API App or Azure Function.
Configure Single-Sign-On (SSO) for the Azure Functions Portal and Advanced Developer Tools
These steps are only applicable to AAD secured Azure Stack Environments. It is not possible to enable SSO or the Azure Functions Portal in ADFS-based environments at present.
To enable the advanced developer tools within App Service - Kudu - and to enable the use of the Azure Functions Portal experience, administrators need to configure SSO.
- Open a PowerShell instance as azurestack\administrator.
- Navigate to the location of the scripts downloaded and extracted in the prerequisite step.
- Run the CreateIdentityApp.ps1 script. When prompted for your AAD Tenant ID, enter the AAD Tenant ID you are using for your Azure Stack deployment, for example myazurestack.onmicrosoft.com.
- In the Credential window provide your Azure Active Directory Service Admin account and password, and then Click Ok.
- Provide the certificate file path and certificate password for the certificate created earlier. The certificate created for this step by default is sso.appservice.local.azurestack.external.pfx
- The script creates a new application in the Tenant Azure Active Directory and generates a new PowerShell script.
Make note of the ApplicationID that is returned in the PowerShell output. You need it to search for the application in step 13.
- Copy the identity app certificate file and the generated script to the CN0-VM (use a remote desktop session).
- On the CN0-VM machine, open an Administrator PowerShell window and browse to the directory where the script file and certificate were copied to.
- Now run the script file. This script file enters the properties in the App Service on Azure Stack configuration and initiates a repair operation on all Front-End and Management roles.
- Open a new browser window and log in to the Azure portal (portal.azure.com) as the Azure Active Directory Service Admin.
- Open the Azure Active Directory resource provider.
- Click App Registrations.
- Search for the Application ID returned as part of step 6. An App Service application is listed.
- Click the Application in the list and open the Keys blade.
- Add a new key with Description - FunctionsPortal and set the Expiration Date to NeverExpires.
- Click Save and then copy the key generated.
> [!NOTE]
> Be sure to note or copy the key when generated. Once saved, it can't be viewed again and you need to generate a new key.
- Return to CN0-VM and open the Web Cloud Management Console once more.
- Select the Settings node on the left-hand pane and look for the ApplicationClientSecret Setting.
- Right click and select Edit. Paste the key generated in step 15 and click OK.
- Select the Managed Servers node under Web Cloud.
- In the Actions pane, on the right-hand side, click Repair all servers in role.
- In the drop-down list, select Management and click OK. This applies the setting to all Management Roles.
- Return to the Application Registration in the Azure Active Directory within the Azure portal (portal.azure.com).
- Click Required Permissions and then click Grant Permissions and click Yes.
| Parameter | Required or optional | Default value | Description |
| --- | --- | --- | --- |
| AadTenantId | Mandatory | null | Azure Active Directory Tenant Id, provide the GUID or string, for example, myazureaaddirectory.onmicrosoft.com |
| TenantArmEndpoint | Mandatory | management.local.azurestack.external | The Tenant ARM Endpoint |
| CertificateFilePath | Mandatory | null | Path to the identity application certificate file generated earlier |
| CertificatePassword | Mandatory | null | Password used to protect the certificate private key |
| $DomainName | Required | local.azurestack.external | Azure Stack Region and Domain Suffix |
Test Drive App Service on Azure Stack
Now that you have deployed and registered the App Service resource provider, you can test it to make sure that tenants can deploy Web, Mobile, and API apps.
You need to create an offer that has the Microsoft.Web namespace within the plan, and then you need a tenant subscription that has subscribed to this offer. For more information, see the following articles: Create Offer and Create Plan.
You must have a Tenant Subscription to create applications using App Service on Azure Stack. The only capabilities that a Service Admin can complete within the Admin Portal are related to the resource provider administration of App Service such as adding capacity, configuring deployment sources, adding worker tiers and SKUs.
As of TP3 to create Web/Mobile/API/Function Apps, you must use the Tenant portal and have a tenant subscription.
- In the Azure Stack Tenant portal, click New, click Web + Mobile, and click Web App.
- In the Web App blade, type a name in the Web app box.
- Under Resource Group, click New, and then type a name in the Resource Group box.
- Click App Service plan/Location and click Create New.
- In the App Service plan blade, type a name in the App Service plan box.
- Click Pricing tier, click Free-Shared or Shared-Shared, click Select, click OK, and then click Create.
- In under a minute, a tile for the new web app appears on the Dashboard. Click the tile.
- In the web app blade, click Browse to view the default website for this app.
Deploy a WordPress, DNN, or Django website (optional)
- In the Azure Stack tenant portal, click “+”, go to the Azure Marketplace, deploy a Django website, and wait for successful completion. The Django web platform uses a file system-based database and doesn’t require any additional resource providers like SQL or MySQL.
- If you also deployed a MySQL resource provider, you can deploy a WordPress website from the Marketplace. When you're prompted for database parameters, input the user name as User1@Server1 (with the user name and server name of your choice).
- If you also deployed a SQL Server resource provider, you can deploy a DNN website from the Marketplace. When you're prompted for database parameters, pick a database in the computer running SQL Server that is connected to your resource provider.
You can also try out other platform as a service (PaaS) services