MicrosoftDocs
diff --git a/‎articles/app-service/configure-language-python.md
Lines changed: 2 additions & 2 deletions b/‎articles/app-service/configure-language-python.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/app-service/media/tutorial-python-postgresql-app/azure-portal-secure-connection-secrets-1.png
51.6 KB b/‎articles/app-service/media/tutorial-python-postgresql-app/azure-portal-secure-connection-secrets-1.png
51.6 KB
diff --git a/‎articles/app-service/media/tutorial-python-postgresql-app/azure-portal-secure-connection-secrets-2.png
43.6 KB b/‎articles/app-service/media/tutorial-python-postgresql-app/azure-portal-secure-connection-secrets-2.png
43.6 KB
diff --git a/‎articles/app-service/media/tutorial-python-postgresql-app/azure-portal-secure-connection-secrets-3.png
60.7 KB b/‎articles/app-service/media/tutorial-python-postgresql-app/azure-portal-secure-connection-secrets-3.png
60.7 KB
diff --git a/‎articles/app-service/media/tutorial-python-postgresql-app/azure-portal-secure-connection-secrets-4.png
88.4 KB b/‎articles/app-service/media/tutorial-python-postgresql-app/azure-portal-secure-connection-secrets-4.png
88.4 KB
diff --git a/‎articles/app-service/media/tutorial-python-postgresql-app/azure-portal-secure-connection-secrets-5.png
17.7 KB b/‎articles/app-service/media/tutorial-python-postgresql-app/azure-portal-secure-connection-secrets-5.png
17.7 KB
diff --git a/‎articles/app-service/media/tutorial-python-postgresql-app/azure-portal-secure-connection-secrets-6.png
37.8 KB b/‎articles/app-service/media/tutorial-python-postgresql-app/azure-portal-secure-connection-secrets-6.png
37.8 KB
diff --git a/‎articles/app-service/media/tutorial-python-postgresql-app/azure-portal-secure-connection-secrets-7.png
37 KB b/‎articles/app-service/media/tutorial-python-postgresql-app/azure-portal-secure-connection-secrets-7.png
37 KB
diff --git a/‎articles/app-service/tutorial-python-postgresql-app.md
Lines changed: 59 additions & 43 deletions b/‎articles/app-service/tutorial-python-postgresql-app.md
Lines changed: 59 additions & 43 deletions
@@ -108,7 +108,7 @@ Existing web applications can be redeployed to Azure as follows:
 1. **App service resources**: Create a resource group, App Service plan, and App Service web app to host your application. You can do this easily by running the Azure CLI command [`az webapp up`](/cli/azure/webapp#az-webapp-up). Or, you can create and deploy resources as shown in [Tutorial: Deploy a Python (Django or Flask) web app with PostgreSQL](tutorial-python-postgresql-app.md). Replace the names of the resource group, App Service plan, and web app to be more suitable for your application.
 
 1. **Environment variables**: If your application requires any environment variables, create equivalent [App Service application settings](configure-common.md#configure-app-settings). These App Service settings appear to your code as environment variables, as described in [Access environment variables](#access-app-settings-as-environment-variables).
-    - Database connections, for example, are often managed through such settings, as shown in [Tutorial: Deploy a Django web app with PostgreSQL - verify connection settings](tutorial-python-postgresql-app.md#2-verify-connection-settings).
+    - Database connections, for example, are often managed through such settings, as shown in [Tutorial: Deploy a Django web app with PostgreSQL - verify connection settings](tutorial-python-postgresql-app.md#2-secure-connection-secrets).
     - See [Production settings for Django apps](#production-settings-for-django-apps) for specific settings for typical Django apps.
 
 1. **App startup**: Review the section [Container startup process](#container-startup-process) later in this article to understand how App Service attempts to run your app. App Service uses the Gunicorn web server by default, which must be able to find your app object or *wsgi.py* folder. If you need to, you can [Customize the startup command](#customize-startup-command).
@@ -430,7 +430,7 @@ When attempting to run database migrations with a Django app, you might see "sql
 
 Check the `DATABASES` variable in the app's *settings.py* file to ensure that your app is using a cloud database instead of SQLite.
 
-If you're encountering this error with the sample in [Tutorial: Deploy a Django web app with PostgreSQL](tutorial-python-postgresql-app.md), check that you completed the steps in [Verify connection settings](tutorial-python-postgresql-app.md#2-verify-connection-settings).
+If you're encountering this error with the sample in [Tutorial: Deploy a Django web app with PostgreSQL](tutorial-python-postgresql-app.md), check that you completed the steps in [Verify connection settings](tutorial-python-postgresql-app.md#2-secure-connection-secrets).
 
 #### Other issues
 
 
@@ -244,94 +244,110 @@ Sign in to the [Azure portal](https://portal.azure.com/) and follow these steps
 
 -----
 
-## 2. Verify connection settings
+## 2. Secure connection secrets
 
-The creation wizard generated the connectivity variables for you already as [app settings](configure-common.md#configure-app-settings). App settings are one way to keep connection secrets out of your code repository. When you're ready to move your secrets to a more secure location, here's an [article on storing in Azure Key Vault](/azure/key-vault/certificates/quick-create-python).
-
-### [Flask](#tab/flask)
+The creation wizard generated the database connectivity string for you already as an [app setting](configure-common.md#configure-app-settings). However, the security best practice is to keep secrets out of App Service completely. You move your secrets to a key vault and change your app setting to a [Key Vault reference](app-service-key-vault-references.md) with the help of Service Connectors.
 
 :::row:::
     :::column span="2":::
-        **Step 1:** In the App Service page, in the left menu, select **Configuration**.
+        **Step 1: Retrieve the existing connection string** 
+        1. In the left menu of the App Service page, select **Settings > Environment variables**. 
+        1. Select **AZURE_POSTGRESQL_CONNECTIONSTRING**. 
+        1. In **Add/Edit application setting**, in the **Value** field, find the *password=* part at the end of the string.
+        1. Copy the password string after *Password=* for use later.
+        This app setting lets you connect to the Postgres database secured behind a private endpoint. However, the secret is saved directly in the App Service app, which isn't the best. You'll change this.
     :::column-end:::
     :::column:::
-        :::image type="content" source="./media/tutorial-python-postgresql-app/azure-portal-get-connection-string-1.png" alt-text="A screenshot showing how to open the configuration page in App Service (Flask)." lightbox="./media/tutorial-python-postgresql-app/azure-portal-get-connection-string-1.png":::
+        :::image type="content" source="./media/tutorial-python-postgresql-app/azure-portal-secure-connection-secrets-1.png" alt-text="A screenshot showing how to see the value of an app setting." lightbox="./media/tutorial-python-postgresql-app/azure-portal-secure-connection-secrets-1.png":::
     :::column-end:::
 :::row-end:::
 :::row:::
     :::column span="2":::
-        **Step 2:** In the **Application settings** tab of the **Configuration** page, verify that `AZURE_POSTGRESQL_CONNECTIONSTRING` is present. That will be injected into the runtime environment as an environment variable.
+        **Step 2:  Create a key vault for secure management of secrets**
+        1. In the top search bar, type "*key vault*", then select **Marketplace** > **Key Vault**.
+        1. In **Resource Group**, select **msdocs-python-postgres-tutorial**.
+        1. In **Key vault name**, type a name that consists of only letters and numbers.
+        1. In **Region**, set it to the same location as the resource group.
     :::column-end:::
     :::column:::
-        :::image type="content" source="./media/tutorial-python-postgresql-app/azure-portal-get-connection-string-2.png" alt-text="A screenshot showing how to see the autogenerated connection string (Flask)." lightbox="./media/tutorial-python-postgresql-app/azure-portal-get-connection-string-2.png":::
+        :::image type="content" source="./media/tutorial-python-postgresql-app/azure-portal-secure-connection-secrets-2.png" alt-text="A screenshot showing how to create a key vault." lightbox="./media/tutorial-python-postgresql-app/azure-portal-secure-connection-secrets-2.png":::
     :::column-end:::
 :::row-end:::
 :::row:::
     :::column span="2":::
-        **Step 3:** In a terminal or command prompt, run the following Python script to generate a unique secret: `python -c 'import secrets; print(secrets.token_hex())'`. Copy the output value to use in the next step.
+        **Step 3: Secure the key vault with a Private Endpoint**
+        1. Select the **Networking** tab.
+        1. Unselect **Enable public access**.
+        1. Select **Create a private endpoint**.
+        1. In **Resource Group**, select **msdocs-python-postgres-tutorial**.
+        1. In **Name**, type a name for the private endpoint that consists of only letters and numbers.
+        1. In **Region**, set it to the same location as the resource group.
+        1. In the dialog, in **Location**, select the same location as your App Service app.
+        1. In **Resource Group**, select **msdocs-python-postgres-tutorial**.
+        1. In **Name**, type **msdocs-python-spostgres-XYZVaultEndpoint**.
+        1. In **Virtual network**, select **msdocs-python-postgres-XYZVnet**.
+        1. In **Subnet**, **msdocs-python-postgres-XYZSubnet**.
+        1. Select **OK**.
+        1. Select **Review + create**, then select **Create**. Wait for the key vault deployment to finish. You should see "Your deployment is complete."
     :::column-end:::
     :::column:::
+        :::image type="content" source="./media/tutorial-python-postgresql-app/azure-portal-secure-connection-secrets-3.png" alt-text="A screenshot showing how to secure a key vault with a private endpoint." lightbox="./media/tutorial-python-postgresql-app/azure-portal-secure-connection-secrets-3.png":::
     :::column-end:::
 :::row-end:::
 :::row:::
     :::column span="2":::
-        **Step 4:** Back in the **Configuration** page, select **New application setting**. Name the setting `SECRET_KEY`. Paste the value from the previous value. Select **OK**.
+        **Step 4: Configure the Service Connector**
+        1. In the top search bar, type *msdocs-python-postgres*, then select the App Service resource called **msdocs-python-postgres-XYZ**.
+        1. In the App Service page, in the left menu, select **Settings > Service Connector**. There's already a connector, which the app creation wizard created for you.
+        1. Select checkbox next to the connector, then select **Edit**.
+        1. In the **Basics** tab, under **PostgreSQL database** select the PostgreSQL database that was created.
+        1. Select the **Authentication** tab.
+        1. In **Password**, paste the password you copied earlier.
+        1. Select **Store Secret in Key Vault**.
+        1. Under **Key Vault Connection**, select **Create new**. 
+        A **Create connection** dialog is opened on top of the edit dialog.
     :::column-end:::
     :::column:::
-        :::image type="content" source="./media/tutorial-python-postgresql-app/azure-portal-app-service-app-setting.png" alt-text="A screenshot showing how to set the SECRET_KEY app setting in the Azure portal (Django)." lightbox="./media/tutorial-python-postgresql-app/azure-portal-app-service-app-setting.png":::
+        :::image type="content" source="./media/tutorial-python-postgresql-app/azure-portal-secure-connection-secrets-4.png" alt-text="A screenshot showing how to edit a service connector with a key vault connection." lightbox="./media/tutorial-python-postgresql-app/azure-portal-secure-connection-secrets-4.png":::
     :::column-end:::
 :::row-end:::
 :::row:::
     :::column span="2":::
-        **Step 5:** Select **Save**.
+        **Step 5: Establish the Key Vault connection**        
+        1. In the **Create connection** dialog for the Key Vault connection, in **Key Vault**, select the key vault you created earlier.
+        1. Select **Review + Create**.
+        1. When validation completes, select **Create**.
     :::column-end:::
     :::column:::
-        :::image type="content" source="./media/tutorial-python-postgresql-app/azure-portal-app-service-app-setting-save.png" alt-text="A screenshot showing how to save the SECRET_KEY app setting in the Azure portal (Django)." lightbox="./media/tutorial-python-postgresql-app/azure-portal-app-service-app-setting-save.png":::
+        :::image type="content" source="./media/tutorial-python-postgresql-app/azure-portal-secure-connection-secrets-5.png" alt-text="A screenshot showing how to configure a key vault service connector." lightbox="./media/tutorial-python-postgresql-app/azure-portal-secure-connection-secrets-5.png":::
     :::column-end:::
 :::row-end:::
-
-### [Django](#tab/django)
-
 :::row:::
     :::column span="2":::
-        **Step 1:** In the App Service page, in the left menu, select **Configuration**.
+        **Step 6: Finalize the Service Connector configuration** 
+        1. You're back in the edit dialog for **defaultConnector**. In the **Authentication** tab, wait for the key vault connector to be created. When it's finished, the **Key Vault Connection** dropdown automatically selects it.
+        1. Select **Next: Networking**.
+        1. Select **Save**. Wait until the **Update succeeded** notification appears.
     :::column-end:::
     :::column:::
-        :::image type="content" source="./media/tutorial-python-postgresql-app/azure-portal-get-connection-string-1.png" alt-text="A screenshot showing how to open the configuration page in App Service (Django)." lightbox="./media/tutorial-python-postgresql-app/azure-portal-get-connection-string-1.png":::
+        :::image type="content" source="./media/tutorial-python-postgresql-app/azure-portal-secure-connection-secrets-6.png" alt-text="A screenshot showing the key vault connection selected in the defaultConnector." lightbox="./media/tutorial-python-postgresql-app/azure-portal-secure-connection-secrets-6.png":::
     :::column-end:::
 :::row-end:::
 :::row:::
     :::column span="2":::
-        **Step 2:** In the **Application settings** tab of the **Configuration** page, verify that `AZURE_POSTGRESQL_CONNECTIONSTRING` and `AZURE_REDIS_CONNECTIONSTRING` are present. They will be injected into the runtime environment as an environment variable.
+        **Step 7: Verify the Key Vault integration**
+        1. From the left menu, select **Settings > Environment variables** again.
+        1. Next to **AZURE_POSTGRESQL_CONNECTIONSTRING**, select **Show value**. The value should be `@Microsoft.KeyVault(...)`, which means that it's a [key vault reference](app-service-key-vault-references.md) because the secret is now managed in the key vault.
     :::column-end:::
     :::column:::
-        :::image type="content" source="./media/tutorial-python-postgresql-app/azure-portal-get-connection-string-2-django.png" alt-text="A screenshot showing how to see the autogenerated connection string (Django)." lightbox="./media/tutorial-python-postgresql-app/azure-portal-get-connection-string-2.png":::
-    :::column-end:::
-:::row-end:::
-:::row:::
-    :::column span="2":::
-        **Step 3:** In a terminal or command prompt, run the following Python script to generate a unique secret: `python -c 'import secrets; print(secrets.token_hex())'`. Copy the output value to use in the next step.
-    :::column-end:::
-    :::column:::
-    :::column-end:::
-:::row-end:::
-:::row:::
-    :::column span="2":::
-        **Step 4:** Back in the **Configuration** page, select **New application setting**. Name the setting `SECRET_KEY`. Paste the value from the previous value. Select **OK**.
-    :::column-end:::
-    :::column:::
-        :::image type="content" source="./media/tutorial-python-postgresql-app/azure-portal-app-service-app-setting.png" alt-text="A screenshot showing how to set the SECRET_KEY app setting in the Azure portal (Django)." lightbox="./media/tutorial-python-postgresql-app/azure-portal-app-service-app-setting.png":::
-    :::column-end:::
-:::row-end:::
-:::row:::
-    :::column span="2":::
-        **Step 5:** Select **Save**.
-    :::column-end:::
-    :::column:::
-        :::image type="content" source="./media/tutorial-python-postgresql-app/azure-portal-app-service-app-setting-save.png" alt-text="A screenshot showing how to save the SECRET_KEY app setting in the Azure portal (Django)." lightbox="./media/tutorial-python-postgresql-app/azure-portal-app-service-app-setting-save.png":::
+        :::image type="content" source="./media/tutorial-python-postgresql-app/azure-portal-secure-connection-secrets-7.png" alt-text="A screenshot showing how to see the value of the MySQL environment variable in Azure." lightbox="./media/tutorial-python-postgresql-app/azure-portal-secure-connection-secrets-7.png":::
     :::column-end:::
 :::row-end:::
 
+To summarize, the process involved retrieving the MySQL connection string from the App Service's environment variables, creating an Azure Key Vault for secure secret management with private access, and updating the service connector to store the password in the key vault. A secure connection between the App Service app and key vault was established using a system-assigned managed identity, and the setup was verified by confirming the connection string uses a Key Vault reference.
+
+Having issues? Check the [Troubleshooting section](#troubleshooting).
+
 -----
 
 ## 3. Deploy sample code