|
| 1 | +--- |
| 2 | +title: Deployment overview |
| 3 | +titleSuffix: Azure App Configuration |
| 4 | +description: Learn how to use Azure App Configuration in deployment. |
| 5 | +author: maud-lv |
| 6 | +ms.author: haiyiwen |
| 7 | +ms.date: 03/15/2024 |
| 8 | +ms.service: azure-app-configuration |
| 9 | +ms.topic: quickstart |
| 10 | +ms.custom: subject-armqs, mode-arm, devx-track-bicep |
| 11 | +--- |
| 12 | + |
| 13 | +# Deployment |
| 14 | + |
| 15 | +Azure App Configuration supports following methods to read and manage your configuration for deployment: |
| 16 | +- [ARM template](./quickstart-resource-manager.md) |
| 17 | +- [Bicep](./quickstart-bicep.md) |
| 18 | +- Terraform |
| 19 | + |
| 20 | +## Manage Azure App Configuration resources |
| 21 | +Azure App Configuration resources can be managed during deployment. |
| 22 | + |
| 23 | +### Authorization |
| 24 | +You must have permissions to manage Azure App Configuration resources. Azure role-based access control (Azure RBAC) roles that provide these permissions include the Microsoft.AppConfiguration/configurationStores/write or Microsoft.AppConfiguration/configurationStores/* action. Built-in roles with this action include: |
| 25 | +- The Azure Resource Manager Owner role |
| 26 | +- The Azure Resource Manager Contributor role |
| 27 | + |
| 28 | +To learn more about Azure RBAC and Microsoft Entra ID, see [Authorize access to Azure App Configuration using Microsoft Entra ID](./concetp-enable-rbac.md) |
| 29 | + |
| 30 | +## Manage Azure App Configuration data |
| 31 | +Azure App Configuration data, such as key-values and snapshots, can be managed during deployment. |
| 32 | + |
| 33 | +### ARM authentication mode |
| 34 | +# [Azure portal](#tab/portal) |
| 35 | + |
| 36 | +To configure ARM authentication mode of Azure App Configuration resource in the Azure portal, follow these steps: |
| 37 | + |
| 38 | +1. Navigate to your Azure App Configuration resource in the Azure portal. |
| 39 | +2. Locate the **Access settings** setting under **Settings**. |
| 40 | + |
| 41 | + :::image type="content" border="true" source="./media/access-settings-blade.png" alt-text="Screenshot showing how to access an Azure App Configuration resources access settings blade"::: |
| 42 | + |
| 43 | +3. Select the recommended **Pass-through** authentication mode under **Azure Resouce Manager Authentication Mode**. |
| 44 | + |
| 45 | + :::image type="content" border="true" source="./media/quickstarts/deployment/select-passthrough-authentication-mode.png" alt-text="Screenshot showing pass-through authentication mode being selected under Azure Resource Manager Authentication Mode"::: |
| 46 | + |
| 47 | +--- |
| 48 | + |
| 49 | +> [!NOTE] |
| 50 | +> Local authentication mode is for backward compatibility and has several limitations. Local authentication mode does not support proper auditing for accessing data during deployment. Key-value data access inside an ARM template/Bicep/Terraform is disabled if access key authentication is disabled under local authentication mode. For more information, see [disable access we key authentication](./howto-disable-access-key-authentication.md#limitations). Azure App Configuration data plane permissions are not required for accessing data under local authentication mode. |
| 51 | +
|
| 52 | +### Authorization |
| 53 | +You must have permissions to read and manage Azure App Configuration data during deployment. In addition to the permissions required for Azure App Configuration resource, which are provided by built-in Owner or Contributor roles, Azure App Configuration data plane permissions including Microsoft.AppConfiguration/configurationStores/keyValues/read and Microsoft.AppConfiguration/configurationStores/snapshots/read are also required under pass-through authentication mode. Built-in roles with this action include: |
| 54 | +- App Configuration Data Owner |
| 55 | +- App Configuration Data Reader |
| 56 | + |
| 57 | +To learn more about Azure RBAC and Microsoft Entra ID, see [Authorize access to Azure App Configuration using Microsoft Entra ID](./concetp-enable-rbac.md) |
| 58 | + |
| 59 | +### ARM prviate access |
| 60 | +[Azure Resource Management Private Link]() can be set up to restrict access for managing resources in your virtual network. Azure App Configuration supports ARM Private Link access to the App Configuration data with pass-through authentication mode and ARM private access enabled. |
| 61 | + |
| 62 | +# [Azure portal](#tab/portal) |
| 63 | + |
| 64 | +To configure ARM private access of Azure App Configuration resource in the Azure portal, follow these steps: |
| 65 | + |
| 66 | +1. Navigate to your Azure App Configuration resource in the Azure portal. |
| 67 | +2. Locate the **Networkinng** setting under **Settings**. |
| 68 | + |
| 69 | + :::image type="content" border="true" source="./media/networking-blade.png" alt-text="Screenshot showing how to access an Azure App Configuration resources networking blade"::: |
| 70 | + |
| 71 | +3. Check **Enable Azure Resource Manager Private Access** under **Private Access**. |
| 72 | + |
| 73 | + :::image type="content" border="true" source="./media/quickstarts/deployment/enable-arm-private-access.png" alt-text="Screenshot showing pass-through authentication mode being selected under Azure Resource Manager Authentication Mode"::: |
| 74 | + |
| 75 | +> [!NOTE] |
| 76 | +> ARM private access can only be enabled with pass-through authentication mode. |
| 77 | +
|
| 78 | +## Next steps |
| 79 | + |
| 80 | +To learn about adding feature flag and Key Vault reference to an App Configuration store, check out the ARM template examples. |
| 81 | + |
| 82 | +- [app-configuration-store-ff](https://azure.microsoft.com/resources/templates/app-configuration-store-ff/) |
| 83 | +- [app-configuration-store-keyvaultref](https://azure.microsoft.com/resources/templates/app-configuration-store-keyvaultref/) |
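Review bot: Three links in this new file will not resolve. The RBAC link on new-file lines 28 and 57 points at `./concetp-enable-rbac.md` (probably meant `concept-`), and the Private Link reference on line 60 has an empty target, `[Azure Resource Management Private Link]()`. Please correct the filename and supply the URL before merging. The link text on line 50, "disable access we key authentication", has a stray word, and the UI labels a reader has to match against the portal are misspelled: "Azure Resouce Manager Authentication Mode" (line 43), "Networkinng" (line 67) and the heading "ARM prviate access" (line 59). The alt-text on line 73 is copied from the pass-through screenshot on line 45, although the image is `enable-arm-private-access.png`. The second `# [Azure portal](#tab/portal)` group opened on line 62 is not closed with `---` the way the first is on line 47, so the note on lines 75-76 and possibly the following section may be pulled into the tab. Since the note on line 50 states that local authentication mode lacks proper auditing and needs no data plane permissions, it would help to place that note before the portal steps so readers see why pass-through is the recommended setting before they choose a mode.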