Friday, October 4, 2019

Azure Key Vault and App Configuration Together

Azure App Configuration provides a good set of options for people who want to store configuration in the cloud and manage it from a central location. Azure Key Vault, on the other hand, is a service that lets you manage all your secrets, keys and certificates. There is a hint of the two being connected, but for the time being they work as two separate services. Connecting them would be great, as it would help with storing secured app configuration.

This article focuses on how each service is available as of now.

Think of an application that is hosted on Azure and distributed across multiple regions. If it is a large-scale application, you may have divided different worker roles across the regions. For example, an App Service with its own separate database for East US, then another for Australia, while the load balancer and metadata information are geo-replicated.


You would not want to change the configuration for each region through declarative files or managed code. In such cases, you can use App Configuration and assign a label for each region. Then, based on the relevant label, the set of values assigned to each configuration variable for that label becomes available.

A big advantage of App Configuration is that its values can be cached and expired from managed code. Now imagine you need to troubleshoot an issue in your application with production data. When an app service is provisioned, it loads the configuration as it stands at provisioning time and keeps it until the app service is terminated. If you change the configuration in Azure afterwards, the change is not reflected in the application by default. The big advantage here is that you can change the production App Configuration service and test on a different environment. Another big advantage is that the application does not continuously call the App Configuration service, so the process is optimized.

Although the configuration is cached, it can be set to expire either on a timer or based on the value of a configuration variable. Imagine you want the configuration to be versioned, with the version value stored in a configuration variable. You can set the configuration of a running app to change when that version value changes. This makes configuration changes less miserable.

If you need to store secrets in App Configuration, I would not recommend that. Depending on the situation, you may need a different design that connects the two services in a relevant manner. One option would be to store the Key Vault secret key in App Configuration. Then, based on that key, the application can look up the value in Key Vault and load it.
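The design described above, as an added sketch that is not code from the original post: settings are selected by a region label, cached, and reloaded only when a version setting changes, while the secret itself stays in the vault and App Configuration holds only its name. The class `RegionConfig`, the key names and the in-memory `SETTINGS` and `SECRETS` stand-ins for the two services are assumptions made for illustration.

```python
import time

class RegionConfig:
    """Label-scoped settings cache with sentinel refresh and secret indirection."""

    def __init__(self, fetch_setting, fetch_secret, label,
                 sentinel="App:Version", ttl=30.0, clock=time.monotonic):
        self._fetch_setting = fetch_setting  # (key, label) -> str, stand-in for App Configuration
        self._fetch_secret = fetch_secret    # (name) -> str, stand-in for Key Vault
        self._label, self._sentinel = label, sentinel
        self._ttl, self._clock = ttl, clock
        self._cache, self._version, self._checked = {}, None, None

    def _refresh_if_due(self):
        now = self._clock()
        if self._checked is not None and now - self._checked < self._ttl:
            return  # inside the expiry window: no call to the configuration service
        self._checked = now
        version = self._fetch_setting(self._sentinel, self._label)
        if version != self._version:  # version value changed: drop cached settings
            self._cache.clear()
            self._version = version

    def get(self, key):
        self._refresh_if_due()
        if key not in self._cache:
            self._cache[key] = self._fetch_setting(key, self._label)
        return self._cache[key]

    def get_secret(self, key):
        # The setting holds only the secret's name. The value comes from the
        # vault on every call and is never written into the settings cache.
        return self._fetch_secret(self.get(key))

# Constructed sample data, one label per region.
SETTINGS = {
    ("App:Version", "eastus"): "1",
    ("Db:Host", "eastus"): "sql-eastus.example.internal",
    ("Db:PasswordSecretName", "eastus"): "db-password-eastus",
    ("App:Version", "australiaeast"): "1",
    ("Db:Host", "australiaeast"): "sql-aue.example.internal",
    ("Db:PasswordSecretName", "australiaeast"): "db-password-aue",
}
SECRETS = {"db-password-eastus": "constructed-east", "db-password-aue": "constructed-aue"}

if __name__ == "__main__":
    cfg = RegionConfig(lambda k, l: SETTINGS[(k, l)], SECRETS.__getitem__, "australiaeast")
    print(cfg.get("Db:Host"), cfg.get_secret("Db:PasswordSecretName"))
```

Because the two fetch functions are injected, access to secret values is governed by the vault's own access policy and audit log rather than by whoever can read the configuration store.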
