This is not just another Quickstart template to spin up an App Service or demonstrate VNet integration. It aims to provide a full accelerator template for App Service based application modernization that meets the guidance of the Azure Well-Architected Framework.
The project uses Bicep as the main language for deployment.
To learn about Bicep, please visit the Bicep documentation.
az deployment sub create --name <name your deployment if you like> --template-file main.bicep --location <location of this deployment> --parameters resourceGroupName='<To be created resource group name>' location='<Where to deploy this accelerator>' sqlServerAdmin='<SQL server admin username>' sqlServerPassword='<sql server admin password>' enableZoneRedundant='<true|false>'
Example deployment:
az deployment sub create --name prodeatusdeployment --template-file main.bicep --location eastus --parameters resourceGroupName='prodtemplate03-rg' location='eastus' sqlServerAdmin='sqladmin' sqlServerPassword='Abcd12345678' enableZoneRedundant='true'
- Web application inbound traffic is protected by the Application Gateway web application firewall with the OWASP 3.2 prebuilt rule set, SSL termination and HTTPS.
- App Service is provisioned with the following best practices:
  - Zone redundancy is applied, which helps overcome datacenter failures
  - A health check endpoint is configured
  - Access restriction is turned on and only allows traffic from the Application Gateway
  - Key Vault is used to store sensitive configuration
- Secure access to the backend database and Key Vault is implemented via regional VNet integration and private endpoints
- Performance monitoring via Application Insights
- The accelerator also demonstrates how to upload a self-signed certificate to Key Vault during deployment and how to reference a Key Vault secret from the deployment template
- The database and Key Vault are blocked from internet access and are only reachable via private endpoint.
- All resources have diagnostic settings turned on so that platform logs and metrics are sent centrally to a Log Analytics workspace.
- A network security group flow log is created under the regional Network Watcher, with traffic analytics turned on through the Log Analytics workspace.
- Use managed identity to grant access and role assignments.
- Prebuilt dashboard with critical metrics for the app and database.
- Apply more security best practices such as DDoS Protection and Microsoft Defender.
- CI/CD to demo IaC deployment via GitHub Actions.
- You name it via an 'issue' :-)
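As an added example (not the accelerator's own Bicep), the following module shows how the access restriction, health check and Key Vault secret reference items from the feature list above look when written in Bicep. It assumes the web app and vault already exist, that the Application Gateway subnet has the Microsoft.Web service endpoint enabled, and that the app's identity has been granted read access to the secret; the parameter names, the '/healthz' path and the secret name are placeholders.

```bicep
// Added example, not part of the accelerator: locks an existing App Service down so
// that only requests arriving through the Application Gateway subnet are accepted,
// and pulls the SQL connection string from Key Vault instead of storing it in app settings.
param webAppName string
param appGatewaySubnetId string   // assumed: subnet hosting the Application Gateway
param keyVaultName string
param sqlSecretName string = 'sqlConnectionString'   // placeholder secret name

resource webApp 'Microsoft.Web/sites@2022-09-01' existing = {
  name: webAppName
}

// Site configuration: TLS 1.2 floor, FTP disabled, health probe path, and an
// allow-list that admits only the gateway subnet (every other source is denied).
resource webConfig 'Microsoft.Web/sites/config@2022-09-01' = {
  parent: webApp
  name: 'web'
  properties: {
    minTlsVersion: '1.2'
    ftpsState: 'Disabled'
    healthCheckPath: '/healthz'
    ipSecurityRestrictionsDefaultAction: 'Deny'
    ipSecurityRestrictions: [
      {
        name: 'AllowAppGatewaySubnet'
        action: 'Allow'
        priority: 100
        vnetSubnetResourceId: appGatewaySubnetId
      }
    ]
    // Apply the same allow-list to the Kudu/SCM site so it is not left open.
    scmIpSecurityRestrictionsUseMain: true
  }
}

// Key Vault reference: the app setting holds a pointer to the secret, so the
// deployment parameters, outputs and portal never carry the connection string itself.
resource appSettings 'Microsoft.Web/sites/config@2022-09-01' = {
  parent: webApp
  name: 'appsettings'
  properties: {
    SQL_CONNECTION_STRING: '@Microsoft.KeyVault(VaultName=${keyVaultName};SecretName=${sqlSecretName})'
  }
}
```

Deploying the `appsettings` config resource replaces the whole settings map, so every setting the app needs has to be listed in that one object.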
- Fork this repo
- Clone the repo locally
- Create a feature branch
- Commit your changes to the feature branch
- Push your changes
- Create a pull request to this repo
Feel free to request new features and post your ideas in the issue list.