Azure App Service
Azure App Service is a fully managed PaaS for hosting web applications, REST APIs, and mobile backends as code or containers. All App Service apps must be associated with an App Service plan, which defines the underlying compute and pricing tier. All apps within the same plan share its compute resources.
App Service Plan Tiers
| Tier | Category | SLA | Autoscale | Deployment Slots | Custom Domain/TLS | Notes |
|---|---|---|---|---|---|---|
| Free / Shared | Shared compute | None | No | No | No (Shared: Yes) | Dev/test only; no SLA |
| Basic | Dedicated | 99.95% | No | No | Yes | Up to 3 scale-out instances |
| Standard | Dedicated | 99.95% | Yes | 5 per app | Yes | Most common production tier |
| Premium (v1–v4) | Dedicated | 99.95% | Yes | 20 per app | Yes | Higher performance, VNet integration |
| Isolated (v2) | Dedicated VNet | 99.95% | Yes | 20 per app | Yes | Full network isolation (ASE), max scale |
Deployment Slots
Deployment slots are live staging environments within an App Service app, each with its own hostname. They are available from the Standard tier and above. Swapping a slot with production routes traffic atomically, and App Service pre-warms the slot before routing traffic, ensuring zero-downtime deployments. Slot-specific (sticky) settings are app settings or connection strings marked to stay with a slot through swaps, which is useful for configuration that differs between staging and production environments. These settings do NOT travel during a slot swap.
App Service Networking
Inbound traffic security:
- Private endpoints: assign the app a private IP in your VNet so it is not reachable from the internet. Handles inbound private connectivity. (Basic and above)
- Access restrictions — IP allowlists/denylists for lightweight inbound filtering
Outbound traffic from the app:
- VNet Integration: routes outbound traffic from the App Service app through your VNet, enabling the app to reach private resources. Not to be confused with Private endpoints; VNet Integration is for OUTBOUND traffic only.
Custom DNS and TLS
Custom DNS requires at minimum the Shared tier. You add a CNAME or A record in your DNS provider pointing to the app's default hostname.
TLS/SSL certificates can be:
- App Service Managed Certificates (free, auto-renewing)
- Uploaded custom certificates
- SNI-based TLS bindings (free); IP-based TLS bindings (hourly charge)
Backups
Backups require Basic or higher and are stored in an Azure Storage account you specify. Standard tier: scheduled backups up to every 2 hours (max 12/day); Premium/Isolated: up to every 1 hour (max 50/day).
Tier Feature Matrix Detail
Exam Trap
"Autoscale is available on the Basic tier App Service plan." → Autoscale requires Standard tier or higher. Basic supports manual scale-out (up to 3 instances) but not rules-based autoscale.
Exam Trap
"Deployment slots are available on all App Service plan tiers." → Slots require Standard or higher. Free, Shared, and Basic plans do not support deployment slots.
Must Memorize
Both autoscale and deployment slots require Standard tier minimum. This is the most commonly tested tier boundary on AZ-104.
Slot Swap Behavior
Exam Trap
"Swapping a deployment slot with production always causes brief downtime." → App Service pre-warms the source slot using the target slot's settings before routing traffic. The swap is zero-downtime by design.
Exam Trap
"Slot settings (sticky settings) are swapped between slots during a slot swap." → Sticky settings are slot-specific and do NOT move when slots are swapped. Settings that are NOT marked as slot-specific DO get swapped along with the app code.
VNet Integration vs. Private Endpoints
Must Memorize
| Direction | Feature |
|---|---|
| Outbound (app → VNet resources) | VNet Integration |
| Inbound (users → app via private IP) | Private endpoints |
These two features serve different purposes and can be combined.
SLA and Custom Domain Tiers
Exam Trap
"Custom domain names require at minimum the Basic tier." → Custom domain names actually require the Shared tier at minimum (not Basic). TLS bindings, however, require Basic or above.
Exam Trap
"Free tier has an SLA of 99.9%." → Free and Shared tiers have no financially backed SLA. An SLA is first offered at the Basic tier (99.95%).
Create an App Service Plan and Web App
- Portal → Create a resource → Web App
- Basics: Subscription, Resource group, App name (globally unique), Publish (Code or Container), Runtime stack, OS, Region
- App Service Plan: create new or select existing → choose Pricing plan (e.g., Standard S1 for slots + autoscale)
- Review + create → Create
Configure Autoscale
- Portal → navigate to the App Service Plan → Scale out (App Service plan) blade
- Toggle from Manual scale to Custom autoscale
- Add rules: scale out when CPU > 70% for 10 minutes; scale in when CPU < 30% for 10 minutes
- Set instance limits: minimum, maximum, default
Add a Deployment Slot
- Portal → Web App → Deployment slots blade → Add Slot
- Give the slot a name (e.g., "staging"), optionally clone settings from production
- Deploy new version to the staging slot URL for validation
- When ready: Swap → select Source: staging, Target: production → Start Swap
Make a Setting Slot-Specific (Sticky)
- Portal → Web App (or Slot) → Configuration → Application settings
- Edit an app setting → check Deployment slot setting checkbox → Save
- That setting will now stay with the slot and not travel during a swap
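An added example (not from the original page, and a simplified model rather than Azure's implementation) of what a swap does to settings when one sensitive setting was not marked as a deployment slot setting. The `Slot` class, the setting names and their values are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Slot:
    name: str
    build: str                                  # deployed app version
    settings: dict = field(default_factory=dict)


def _split(slot, sticky_names):
    """Separate a slot's settings into (sticky, travelling)."""
    sticky = {k: v for k, v in slot.settings.items() if k in sticky_names}
    moving = {k: v for k, v in slot.settings.items() if k not in sticky_names}
    return sticky, moving


def swap(source, target, sticky_names):
    """Exchange app content and non-sticky settings; sticky settings stay put."""
    src_sticky, src_moving = _split(source, sticky_names)
    tgt_sticky, tgt_moving = _split(target, sticky_names)
    source.build, target.build = target.build, source.build
    source.settings = {**tgt_moving, **src_sticky}
    target.settings = {**src_moving, **tgt_sticky}


def settings_that_travel(source, target, sticky_names):
    """Pre-swap check: non-sticky keys whose values differ between the slots."""
    keys = (set(source.settings) | set(target.settings)) - set(sticky_names)
    return sorted(k for k in keys if source.settings.get(k) != target.settings.get(k))


def demo():
    # Constructed sample configuration.
    production = Slot("production", "v1", {
        "DB_CONNECTION": "prod-db", "API_KEY_REF": "prod-key", "FEATURE_X": "off"})
    staging = Slot("staging", "v2", {
        "DB_CONNECTION": "staging-db", "API_KEY_REF": "staging-key", "FEATURE_X": "on"})
    sticky = {"DB_CONNECTION"}      # API_KEY_REF was left unmarked by mistake
    drift = settings_that_travel(staging, production, sticky)
    swap(staging, production, sticky)
    return production, staging, drift


if __name__ == "__main__":
    production, staging, drift = demo()
    print("settings that travelled:", drift)
    print("production:", production.build, production.settings)
    print("staging:   ", staging.build, staging.settings)
```

After the swap, production runs the new build with its own database connection but the staging key reference, and the staging slot now holds the production key reference. Any secret or environment-specific value left unmarked behaves this way.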
Configure VNet Integration (Outbound)
- Portal → Web App → Networking blade → VNet Integration → Add VNet Integration
- Select the VNet and subnet (subnet must be delegated to Microsoft.Web/serverFarms)
Add a Private Endpoint (Inbound)
- Portal → Web App → Networking blade → Private endpoints → Add
- Select VNet, subnet, and target sub-resource (sites)
Map a Custom Domain
- Portal → Web App → Custom domains blade → Add custom domain
- Enter the domain, validate ownership (via TXT record or CNAME), then add the CNAME/A record at your DNS provider
- To add TLS: TLS/SSL settings blade → upload or create App Service Managed Certificate → bind to the custom domain
Configure Backup
- Portal → Web App → Backups blade → Configure backup
- Select a Storage Account and container, set schedule frequency, and optionally include the database
AZ-104 Exam Focus
Exam Trap
"Autoscale is available on the Basic tier App Service plan." → Autoscale requires Standard tier or higher. Basic supports manual scale-out only (up to 3 instances).
Exam Trap
"Deployment slots are available on all App Service plan tiers." → Slots require Standard or higher. Free, Shared, and Basic plans do not support deployment slots.
Exam Trap
"Swapping a deployment slot with production always causes brief downtime." → Slot swaps are zero-downtime by design — App Service pre-warms the slot before routing traffic.
Exam Trap
"Slot settings (sticky settings) are swapped between slots during a slot swap." → Sticky settings stay with the slot and do NOT travel during a swap. Non-sticky settings DO get swapped.
Exam Trap
"VNet Integration provides inbound private connectivity to an App Service app." → VNet Integration is for outbound traffic (app reaching VNet resources). Private endpoints handle inbound private connectivity.
Exam Trap
"Custom domain names require at minimum the Basic tier." → Custom domains require the Shared tier at minimum. TLS bindings require Basic or above.
Q: What is the minimum App Service plan tier that provides both deployment slots and autoscale?
Q: During a deployment slot swap, what happens to settings marked as slot-specific (sticky)?
Q: What is the difference between VNet Integration and Private endpoints in App Service?
Q: What is the minimum App Service plan tier with a financially backed SLA?
Q: Is a slot swap in App Service zero-downtime?
Q: What is the minimum App Service tier to add a custom domain name?