update with FAQ

cephalin · cephalin · commit 314ca32df174 · 2023-03-22T11:12:46.000+01:00
diff --git a/articles/app-service/configure-common.md b/articles/app-service/configure-common.md
@@ -4,7 +4,7 @@ description: Learn to configure common settings for an App Service app. App sett
 keywords: azure app service, web app, app settings, environment variables
 ms.assetid: 9af8a367-7d39-4399-9941-b80cbc5f39a0
 ms.topic: article
-ms.date: 07/11/2022
+ms.date: 04/21/2023
 ms.custom: devx-track-csharp, seodec18, devx-track-azurecli, devx-track-azurepowershell
 ms.devlang: azurecli
 ---
@@ -433,16 +433,18 @@ Here, you can configure some common settings for the app. Some settings require
     ![General settings for Linux containers](./media/configure-common/open-general-linux.png)
 
 - **Platform settings**: Lets you configure settings for the hosting platform, including:
+    - **Platform bitness**: 32-bit or 64-bit. For Windows apps only. 
     - **FTP state**: Allow only FTPS or disable FTP altogether.
-    - **Bitness**: 32-bit or 64-bit. For Windows apps only. 
-    - **WebSocket protocol**: For [ASP.NET SignalR] or [socket.io](https://socket.io/), for example.
-    - **Always On**: Keeps the app loaded even when there's no traffic. When **Always On** is not turned on (default), the app is unloaded after 20 minutes without any incoming requests. The unloaded app can cause high latency for new requests because of its warm-up time. When **Always On** is turned on, the front-end load balancer sends a GET request to the application root every five minutes. The continuous ping prevents the app from being unloaded.
-    
-        Always On is required for continuous WebJobs or for WebJobs that are triggered using a CRON expression.
     - **HTTP version**: Set to **2.0** to enable support for [HTTPS/2](https://wikipedia.org/wiki/HTTP/2) protocol.
     > [!NOTE]
     > Most modern browsers support HTTP/2 protocol over TLS only, while non-encrypted traffic continues to use HTTP/1.1. To ensure that client browsers connect to your app with HTTP/2, secure your custom DNS name. For more information, see [Secure a custom DNS name with a TLS/SSL binding in Azure App Service](configure-ssl-bindings.md).
+    - **Web sockets**: For [ASP.NET SignalR] or [socket.io](https://socket.io/), for example.
+    - **Always On**: Keeps the app loaded even when there's no traffic. When **Always On** is not turned on (default), the app is unloaded after 20 minutes without any incoming requests. The unloaded app can cause high latency for new requests because of its warm-up time. When **Always On** is turned on, the front-end load balancer sends a GET request to the application root every five minutes. The continuous ping prevents the app from being unloaded.
+    
+        Always On is required for continuous WebJobs or for WebJobs that are triggered using a CRON expression.
     - **ARR affinity**: In a multi-instance deployment, ensure that the client is routed to the same instance for the life of the session. You can set this option to **Off** for stateless applications.
+    - **HTTPS Only**: When enabled, all HTTP traffic are redirected to HTTPS.
+    - **Minimum TLS version**: Select the minimum TLS encryption version required by your app.
 - **Debugging**: Enable remote debugging for [ASP.NET](troubleshoot-dotnet-visual-studio.md#remotedebug), [ASP.NET Core](/visualstudio/debugger/remote-debugging-azure), or [Node.js](configure-language-nodejs.md#debug-remotely) apps. This option turns off automatically after 48 hours.
 - **Incoming client certificates**: require client certificates in [mutual authentication](app-service-web-configure-tls-mutual-auth.md).
 
diff --git a/articles/app-service/configure-ssl-bindings.md b/articles/app-service/configure-ssl-bindings.md
@@ -16,8 +16,6 @@ This article shows you how to secure the [custom domain](app-service-web-tutoria
 
 ## Prerequisites
 
-To follow this how-to guide:
-
 - [Scale up your App Service app](manage-scale-up.md) to one of the supported pricing tiers: **Basic**, **Standard**, **Premium**.
 - [Map a domain name to your app](app-service-web-tutorial-custom-domain.md) or [buy and configure it in Azure](manage-custom-dns-buy-domain.md).
 
@@ -82,39 +80,38 @@ Your application code can inspect the protocol via the "x-appservice-proto" head
 >
 > If that's not the case, you may have left out intermediate certificates when you export your certificate to the PFX file.
 
-## Prevent IP changes
+## Frequently asked questions
+
+- [How do I make sure that the app's IP address doesn't change when I make changes to the certificate binding?](#how-do-i-make-sure-that-the-apps-ip-address-doesnt-change-when-i-make-changes-to-the-certificate-binding)
+- [Can I disable the forced redirect from HTTP to HTTPS?](#can-i-disable-the-forced-redirect-from-http-to-https)
+- [How can I change the minimum TLS versions for the app?](#how-can-i-change-the-minimum-tls-versions-for-the-app)
+- [How do I handle TLS termination in App Service?](#how-do-i-handle-tls-termination-in-app-service)
+
+<a name="prevent-ip-changes" />
+
+#### How do I make sure that the app's IP address doesn't change when I make changes to the certificate binding?
 
 Your inbound IP address can change when you delete a binding, even if that binding is IP SSL. This is especially important when you renew a certificate that's already in an IP SSL binding. To avoid a change in your app's IP address, follow these steps in order:
 
 1. Upload the new certificate.
 2. Bind the new certificate to the custom domain you want without deleting the old one. This action replaces the binding instead of removing the old one.
 3. Delete the old certificate. 
 
-## Enforce HTTPS
-
-In your app page, in the left navigation, select **TLS/SSL settings**. Then, in **HTTPS Only**, select **On**.
-
-If selected **HTTPS Only**, **Off** It means anyone can still access your app using HTTP. You can redirect all HTTP requests to the HTTPS port by selecting **On**. 
-
-![Enforce HTTPS](./media/configure-ssl-bindings/enforce-https.png)
-
-When the operation is complete, navigate to any of the HTTP URLs that point to your app. For example:
+<a name="enforce-https" />
 
-- `http://<app_name>.azurewebsites.net`
-- `http://contoso.com`
-- `http://www.contoso.com`
+#### Can I disable the forced redirect from HTTP to HTTPS?
 
-## Enforce TLS versions
+By default, App Service forces a redirect from HTTP requests to HTTPS. To disable this behavior, see [Configure general settings](configure-common.md#configure-general-settings).
 
-Your app allows [TLS](https://wikipedia.org/wiki/Transport_Layer_Security) 1.2 by default, which is the recommended TLS level by industry standards, such as [PCI DSS](https://wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard). To enforce different TLS versions, follow these steps:
+<a name="enforce-tls-versions">
 
-In your app page, in the left navigation, select **TLS/SSL settings**. Then, in **TLS version**, select the minimum TLS version you want. This setting controls the inbound calls only. 
+#### How can I change the minimum TLS versions for the app?
 
-![Enforce TLS 1.1 or 1.2](./media/configure-ssl-bindings/enforce-tls1-2.png)
+Your app allows [TLS](https://wikipedia.org/wiki/Transport_Layer_Security) 1.2 by default, which is the recommended TLS level by industry standards, such as [PCI DSS](https://wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard). To enforce different TLS versions, see [Configure general settings](configure-common.md#configure-general-settings).
 
-When the operation is complete, your app rejects all connections with lower TLS versions.
+<a name="handle-tls-termination">
 
-## Handle TLS termination
+#### How do I handle TLS termination in App Service?
 
 In App Service, [TLS termination](https://wikipedia.org/wiki/TLS_termination_proxy) happens at the network load balancers, so all HTTPS requests reach your app as unencrypted HTTP requests. If your app logic needs to check if the user requests are encrypted or not, inspect the `X-Forwarded-Proto` header.
 
