articles/app-service/tutorial-dotnetcore-sqldb-app.md
Lines changed: 2 additions & 1 deletion
@@ -229,6 +229,7 @@ The creation wizard generated the connectivity string for you already as [.NET c
229
229
1. In the App Service page, in the left menu, select **Settings > Service Connector**. There are already two connectors, which the app creation wizard created for you.
230
230
1. Select checkbox next to the SQL Database connector, then select **Edit**.
231
231
1. Select the **Authentication** tab.
232
+
1. In **Password**, paste the password you copied earlier.
232
233
1. Select **Store Secret in Key Vault**.
233
234
1. Under **Key Vault Connection**, select **Create new**.
234
235
A **Create connection** dialog is opened on top of the edit dialog.
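Review bot: The added step "In **Password**, paste the password you copied earlier" depends on an earlier copy instruction that is not visible in this hunk, and the only other change this commit makes to the file is the Step 8 heading. Confirm that an earlier step in this tutorial tells the reader to copy the password out of the connection string, as Step 1 of the Tomcat tutorial does in this same commit ("Copy the password string after *Password=* for use later."); if it does not, add that step here too.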
@@ -277,7 +278,7 @@ The creation wizard generated the connectivity string for you already as [.NET c
277
278
:::row-end:::
278
279
:::row:::
279
280
:::column span="2":::
280
-
**Step 8:** To verify that your changes:
281
+
**Step 8:** To verify your changes:
281
282
1. From the left menu, select **Environment variables > Connection strings** again.
282
283
1. Next to **AZURE_SQL_CONNECTIONSTRING**, select **Show value**. The value should be `@Microsoft.KeyValut(...)`, which means that it's a [key vault reference](app-service-key-vault-references.md) because the secret is now managed in the key vault.
283
284
1. To verify the Redis connection string, select the **App setting** tab. Next to **AZURE_REDIS_CONNECTIONSTRING**, select **Show value**. The value should be `@Microsoft.KeyValut(...)` too.
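Review bot: The two context lines under Step 8 that this hunk leaves untouched spell the expected value as `@Microsoft.KeyValut(...)`; the Key Vault reference prefix is `@Microsoft.KeyVault(...)`, so a reader comparing the portal value against the text sees a mismatch in the one check that confirms the secret left the app configuration. Since the Step 8 heading is already being edited, fix both occurrences (the **AZURE_SQL_CONNECTIONSTRING** item and the **AZURE_REDIS_CONNECTIONSTRING** item) in the same commit.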
articles/app-service/tutorial-java-spring-cosmosdb.md
Lines changed: 1 addition & 1 deletion
@@ -255,7 +255,7 @@ The creation wizard generated the connectivity string for you already as an [app
255
255
:::row-end:::
256
256
:::row:::
257
257
:::column span="2":::
258
-
**Step 7:** To verify that you secured the secrets:
258
+
**Step 7:** To verify your changes:
259
259
1. From the left menu, select **Environment variables** again.
260
260
1. Make sure that the app setting **spring.data.mongodb.uri** exists. The default connector generated it for you, and your Spring Boot application already uses the variable.
261
261
1. Next to the app setting, select **Show value**. The value should be `@Microsoft.KeyValut(...)`, which means that it's a [key vault reference](app-service-key-vault-references.md) because the secret is now managed in the key vault.
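Review bot: The last context line of Step 7 still reads `@Microsoft.KeyValut(...)` and should be `@Microsoft.KeyVault(...)`; correct it while the heading above it is being changed. Separately, the removed heading "To verify that you secured the secrets:" stated what the reader is checking, while the replacement "To verify your changes:" does not; if the goal is consistent wording across the tutorials, consider a shared heading that still names the outcome being verified.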
articles/app-service/tutorial-java-tomcat-mysql-app.md
Lines changed: 94 additions & 6 deletions
@@ -155,20 +155,108 @@ Sign in to the [Azure portal](https://portal.azure.com/) and follow these steps
155
155
156
156
Having issues? Check the [Troubleshooting section](#troubleshooting).
157
157
158
-
## 3. Verify connection settings
158
+
## 3. Secure connection secrets
159
159
160
-
The creation wizard generated the connectivity string for you already as [app settings](configure-common.md#configure-app-settings). In this step, you learn where to find the app settings, and how you can create your own.
161
-
162
-
App settings are one way to keep connection secrets out of your code repository. When you're ready to move your secrets to a more secure location, you can use [Key Vault references](app-service-key-vault-references.md) instead.
160
+
The creation wizard generated the connectivity string for you already as an [app setting](configure-common.md#configure-app-settings). However, the security best practice is to keep secrets out of App Service completely. You'll move your secrets to key vault and change your app setting to a [Key Vault reference](app-service-key-vault-references.md) with the help of Service Connectors.
163
161
164
162
:::row:::
165
163
:::column span="2":::
166
-
**Step 1:** In the App Service page, in the left menu, select **Configuration**.
164
+
**Step 1:** In the App Service page,
165
+
1. In the left menu, select **Settings > Environment variables**.
166
+
1. Select **AZURE_MYSQL_CONNECTIONSTRING**. It contains a JDBC connection string. If you add an app setting that contains a valid Oracle, SQL Server, PostgreSQL, or MySQL connection string, App Service injects it as a Java Naming and Directory Interface (JNDI) data source in the Tomcat server's *context.xml* file.
167
+
1. In **Add/Edit application setting**, in the **Value** field, find the *password=* part at the end of the string.
168
+
1. Copy the password string after *Password=* for use later.
169
+
This app setting lets you connect to the MySQL database secured behind a private endpoint. However, the secret is saved directly in the App Service app, which isn't the best. You'll change this.
170
+
:::column-end:::
171
+
:::column:::
172
+
:::image type="content" source="./media/tutorial-java-tomcat-mysql-app/azure-portal-secure-connection-secrets-1.png" alt-text="A screenshot showing how to see the value of an app setting." lightbox="./media/tutorial-java-tomcat-mysql-app/azure-portal-secure-connection-secrets-1.png":::
173
+
:::column-end:::
174
+
:::row-end:::
175
+
:::row:::
176
+
:::column span="2":::
177
+
**Step 2:** Create a key vault for secure management of secrets.
178
+
1. In the top search bar, type "*key vault*", then select **Marketplace** > **Key Vault**.
179
+
1. In **Resource Group**, select **msdocs-tomcat-mysql-tutorial**.
180
+
1. In **Key vault name**, type a name that consists of only letters and numbers.
181
+
1. In **Region**, set it to the sample location as the resource group.
182
+
:::column-end:::
183
+
:::column:::
184
+
:::image type="content" source="./media/tutorial-java-tomcat-mysql-app/azure-portal-secure-connection-secrets-2.png" alt-text="A screenshot showing how to create a key vault." lightbox="./media/tutorial-java-tomcat-mysql-app/azure-portal-secure-connection-secrets-2.png":::
185
+
:::column-end:::
186
+
:::row-end:::
187
+
:::row:::
188
+
:::column span="2":::
189
+
**Step 3:**
190
+
1. Select the **Networking** tab.
191
+
1. Unselect **Enable public access**.
192
+
1. Select **Create a private endpoint**.
193
+
1. In **Resource Group**, select **msdocs-tomcat-mysql-tutorial**.
194
+
1. In **Key vault name**, type a name that consists of only letters and numbers.
195
+
1. In **Region**, set it to the sample location as the resource group.
196
+
1. In the dialog, in **Location**, select the same location as your App Service app.
197
+
1. In **Resource Group**, select **msdocs-tomcat-mysql-tutorial**.
198
+
1. In **Name**, type **msdocs-tomcat-mysql-XYZVaultEndpoint**.
199
+
1. In **Virtual network**, select **msdocs-tomcat-mysql-XYZVnet**.
200
+
1. In **Subnet**, **msdocs-tomcat-mysql-XYZSubnet**.
201
+
1. Select **OK**.
202
+
1. Select **Review + create**, then select **Create**. Wait for the key vault deployment to finish. You should see "Your deployment is complete."
203
+
:::column-end:::
204
+
:::column:::
205
+
:::image type="content" source="./media/tutorial-java-tomcat-mysql-app/azure-portal-secure-connection-secrets-3.png" alt-text="A screenshot showing how secure a key vault with a private endpoint." lightbox="./media/tutorial-java-tomcat-mysql-app/azure-portal-secure-connection-secrets-3.png":::
206
+
:::column-end:::
207
+
:::row-end:::
208
+
:::row:::
209
+
:::column span="2":::
210
+
**Step 4:**
211
+
1. In the top search bar, type *msdocs-tomcat-mysql*, then the App Service resource called **msdocs-tomcat-mysql-XYZ**.
212
+
1. In the App Service page, in the left menu, select **Settings > Service Connector**. There's already a connector, which the app creation wizard created for you.
213
+
1. Select checkbox next to the connector, then select **Edit**.
214
+
1. In the **Basics** tab, set **Client type** to **Java**.
215
+
1. Select the **Authentication** tab.
216
+
1. In **Password**, paste the password you copied earlier.
217
+
1. Select **Store Secret in Key Vault**.
218
+
1. Under **Key Vault Connection**, select **Create new**.
219
+
A **Create connection** dialog is opened on top of the edit dialog.
220
+
:::column-end:::
221
+
:::column:::
222
+
:::image type="content" source="./media/tutorial-java-tomcat-mysql-app/azure-portal-secure-connection-secrets-4.png" alt-text="A screenshot showing how to edit a service connector with a key vault connection." lightbox="./media/tutorial-java-tomcat-mysql-app/azure-portal-secure-connection-secrets-4.png":::
223
+
:::column-end:::
224
+
:::row-end:::
225
+
:::row:::
226
+
:::column span="2":::
227
+
**Step 5:** In the **Create connection** dialog for the Key Vault connection:
228
+
1. In **Key Vault**, select the key vault you created earlier.
229
+
1. Select **Review + Create**. You should see that **System assigned managed identity** is set to **Selected**.
230
+
1. When validation completes, select **Create**.
231
+
:::column-end:::
232
+
:::column:::
233
+
:::image type="content" source="./media/tutorial-java-tomcat-mysql-app/azure-portal-secure-connection-secrets-5.png" alt-text="A screenshot showing how to configure a key vault service connector." lightbox="./media/tutorial-java-tomcat-mysql-app/azure-portal-secure-connection-secrets-5.png":::
234
+
:::column-end:::
235
+
:::row-end:::
236
+
:::row:::
237
+
:::column span="2":::
238
+
**Step 6:** You're back in the edit dialog for **defaultConnector**.
239
+
1. In the **Authentication** tab, wait for the key vault connector to be created. When it's finished, the **Key Vault Connection** dropdown automatically selects it.
240
+
1. Select **Next: Networking**.
241
+
1. Select **Save**. Wait until the **Update succeeded** notification appears.
242
+
:::column-end:::
243
+
:::column:::
244
+
:::image type="content" source="./media/tutorial-java-tomcat-mysql-app/azure-portal-secure-connection-secrets-6.png" alt-text="A screenshot showing the key vault connection selected in the defaultConnector." lightbox="./media/tutorial-java-tomcat-mysql-app/azure-portal-secure-connection-secrets-6.png":::
245
+
:::column-end:::
246
+
:::row-end:::
247
+
:::row:::
248
+
:::column span="2":::
249
+
**Step 7:** To verify your changes:
250
+
1. From the left menu, select **Environment variables > Connection strings** again.
251
+
1. Next to **AZURE_MYSQL_CONNECTIONSTRING**, select **Show value**. The value should be `@Microsoft.KeyValut(...)`, which means that it's a [key vault reference](app-service-key-vault-references.md) because the secret is now managed in the key vault.
167
252
:::column-end:::
168
253
:::column:::
169
-
:::image type="content" source="./media/tutorial-java-tomcat-mysql-app/azure-portal-get-connection-string-1.png" alt-text="A screenshot showing how to open the configuration page in App Service." lightbox="./media/tutorial-java-tomcat-mysql-app/azure-portal-get-connection-string-1.png":::
254
+
:::image type="content" source="./media/tutorial-java-tomcat-mysql-app/azure-portal-secure-connection-secrets-7.png" alt-text="A screenshot showing how to see the value of the MySQL environment variable in Azure." lightbox="./media/tutorial-java-tomcat-mysql-app/azure-portal-secure-connection-secrets-7.png":::
170
255
:::column-end:::
171
256
:::row-end:::
257
+
258
+
Having issues? Check the [Troubleshooting section](#troubleshooting).
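Review bot: In Step 3, the three items that follow "Select **Create a private endpoint**" (**Resource Group**, **Key vault name**, **Region**) repeat Step 2's items verbatim and look like a copy-paste leftover, because the private endpoint dialog fields (**Location**, **Resource Group**, **Name**, **Virtual network**, **Subnet**) come right after them; drop the three duplicated items so the reader is not sent back to fields that were already filled in. Other points in this hunk: "set it to the sample location as the resource group" in Step 2 (and its Step 3 copy) should read "same location"; Step 3 and Step 4 have no lead sentence, unlike the other steps, and "**Step 1:** In the App Service page," ends on a comma; "In **Subnet**, **msdocs-tomcat-mysql-XYZSubnet**" and "type *msdocs-tomcat-mysql*, then the App Service resource" are each missing "select"; Step 1 names the same token as *password=* and then *Password=*; the Step 3 image alt text reads "how secure a key vault" and needs "to"; Step 1 opens **AZURE_MYSQL_CONNECTIONSTRING** through **Add/Edit application setting**, but Step 7 looks for it under **Environment variables > Connection strings**, so one of the two locations needs correcting; and Step 7 spells the expected value `@Microsoft.KeyValut(...)` where it should be `@Microsoft.KeyVault(...)`.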