Understanding Azure App Service
Deep dive into Azure App Service architecture — how scale units, geo-controllers, and worker nodes work together to host your web applications.
What Is Azure App Service?
Azure App Service is a fully managed PaaS (Platform-as-a-Service) offering for hosting:
- Web apps (HTTP-based)
- REST APIs and backends
- Mobile backends
- Function apps
- Containerized applications
You focus on code. Azure manages: infrastructure, OS patching, load balancing, and scaling.
Core Architecture
App Service Plan → infrastructure (VMs + scaling rules)
App Service → your app running on that infrastructure
Multiple App Services can run on the same App Service Plan and share its resources.
Internal Architecture: How Azure Deploys Your App
Understanding what happens "under the hood" is important for the AZ-104 exam.
1. Azure Resource Manager (ARM)
- Receives your deployment request
- Routes it to the internal Azure orchestration layer
2. Geo-Controller
- A global orchestrator that decides:
  - Which Azure region handles the request
  - Which scale unit gets the deployment
3. Scale Unit (Key Concept)
A scale unit is a cluster of worker nodes (VMs) that host App Service instances:
- Can contain up to 1,000 worker nodes
- Includes a front-end proxy that routes traffic to the correct workers
- Multiple App Services run within a single scale unit (multi-tenant model)
Scale unit components:
- Worker nodes — run your application code
- Front-end proxy — routes incoming requests to the right worker
- Shared infrastructure — networking layer shared between tenants (in Standard/Basic)
Hosting Models
Multi-tenant (Shared / Basic / Standard / Premium)
| Type | Compute | Network | Notes |
|---|---|---|---|
| Shared | Shared | Shared | Free/Shared tier; lowest isolation |
| Dedicated | Dedicated | Shared | Basic/Standard/Premium; most production apps |
Single-tenant (Isolated / App Service Environment)
- Dedicated compute and networking inside your own VNet
- Used for: financial services, healthcare, PCI-DSS compliance
- Most expensive; highest isolation
Networking Capabilities
1. VNet Integration (Outbound)
- App connects outbound to resources inside a VNet
- Example: App Service → private database in a VNet subnet
- Does not place the app inside the VNet — it adds an outbound route
2. Private Endpoint (Inbound)
- Gives the App Service a private IP inside a VNet
- Blocks public internet access when combined with firewall rules
- Enables private-only access from inside the VNet
3. Public Endpoint (Default)
- All App Services are internet-accessible by default
- Can be restricted using IP firewall rules
- Add a private endpoint (together with blocking public traffic, as above) to remove public access entirely
High Availability
Azure App Service provides built-in HA:
- Deploy multiple instances of your app
- Azure automatically load balances traffic across instances
- No manual load balancer configuration needed
- Built-in fault tolerance across instances
Security Considerations
- App Service has a public endpoint by default — secure it
- Restrict access with:
  - IP-based firewall rules (allow-list specific IPs)
  - Private Endpoint (private IP only, no public traffic)
  - Combination of VNet + NSG rules
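The three inbound states described above (public and unrestricted, public with an IP allow-list, private endpoint only) can be checked against an app inventory. The following is an added example, not code from the page or from Azure: it is a simplified model in which access-restriction rules are evaluated in priority order and an unmatched source is denied once any rule exists (assumed default behaviour); the app names, CIDRs and rule names are constructed.

```python
"""Simplified model of App Service inbound-access evaluation (added example)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str       # rule label (constructed)
    cidr: str       # source range, e.g. "203.0.113.0/24"
    action: str     # "Allow" or "Deny"
    priority: int   # lower number is evaluated first


@dataclass
class AppConfig:
    name: str
    public_network_access: bool = True   # App Service default: internet-accessible
    private_endpoint: bool = False       # private IP inside a VNet
    rules: list = field(default_factory=list)


def is_allowed(app: AppConfig, source_ip: str) -> bool:
    """Does a request from source_ip reach the app over the public endpoint?"""
    if not app.public_network_access:
        return False                      # public path blocked entirely
    if not app.rules:
        return True                       # no restrictions: public by default
    ip = ipaddress.ip_address(source_ip)
    for rule in sorted(app.rules, key=lambda r: r.priority):
        if ip in ipaddress.ip_network(rule.cidr, strict=False):
            return rule.action == "Allow"
    return False                          # assumed: unmatched source is denied


def classify_exposure(app: AppConfig) -> str:
    """Map an app's settings to one of the states discussed in the text."""
    if app.private_endpoint and not app.public_network_access:
        return "private-only"
    if app.public_network_access and not app.rules:
        return "public-unrestricted"      # the 'secure it' case
    if app.public_network_access:
        return "public-allowlisted"
    return "no-inbound-path"              # public off and no private endpoint


# Constructed sample inventory of three apps
APPS = [
    AppConfig("legacy-api"),
    AppConfig("partner-portal", rules=[Rule("partner", "203.0.113.0/24", "Allow", 100)]),
    AppConfig("hr-backend", public_network_access=False, private_endpoint=True),
]


def audit(apps):
    """Return {app name: exposure state} for a list of AppConfig objects."""
    return {a.name: classify_exposure(a) for a in apps}
```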
Container Support
App Service can run containerized applications:
- Pull images from Azure Container Registry (ACR)
- Pull from Docker Hub or other registries
- Supports both Linux and Windows containers
Multi-Subscription Flexibility
- Multiple App Services → same App Service Plan
- Multiple App Service Plans → same subscription
- Multiple subscriptions → same Azure tenant
- Cross-tenant deployments are also possible
Key Exam Takeaways
- App Service = PaaS; you manage the app, Azure manages the infrastructure
- Architecture layers: ARM → geo-controller → scale unit → worker nodes
- Scale unit = cluster of up to 1,000 worker nodes
- Multi-tenant: Basic/Standard/Premium use dedicated compute but shared network
- Isolated: dedicated compute + dedicated network (inside VNet)
- VNet integration = outbound connectivity to VNet resources
- Private Endpoint = inbound private-only access
- Default = public internet access; must explicitly secure
Quick Revision Cheat Sheet
App Service = PaaS for apps
Plan = infrastructure
Scale unit = cluster of servers (up to 1000)
Geo-controller = global orchestrator
Multi-tenant = shared infra (Free/Basic/Standard/Premium)
Isolated = dedicated infra + VNet (App Service Environment)
Built-in load balancing across instances
VNet integration = outbound to VNet
Private Endpoint = inbound private access
Public by default → secure with private endpoints or IP rules
