Commit cd3fb2b

Merge pull request #286619 from cephalin/tomcat-convert
steps for Key Vault secrets
2 parents 0c04e7a + 9b39b73 commit cd3fb2b

11 files changed

+123
-39
lines changed

articles/app-service/tutorial-dotnetcore-sqldb-app.md

Lines changed: 14 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -112,7 +112,7 @@ Having issues? Check the [Troubleshooting section](#troubleshooting).
112112

113113
::: zone pivot="azure-portal"
114114

115-
## 1. Create App Service, database, and cache
115+
## 2. Create App Service, database, and cache
116116

117117
In this step, you create the Azure resources. The steps used in this tutorial create a set of secure-by-default resources that include App Service, Azure SQL Database, and Azure Cache. For the creation process, you'll specify:
118118

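Review bot: Renumbering `## 1. Create App Service, database, and cache` to `## 2.` changes the anchor generated from the heading text, so any link that targets the old numbered heading stops resolving. Search this article and the articles that link into it for the old heading slug and update it in the same change; the same check applies to the other renumbered headings in this file.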
@@ -176,9 +176,12 @@ Sign in to the [Azure portal](https://portal.azure.com/) and follow these steps
176176

177177
The creation wizard generated the connectivity string for you already as [.NET connection strings](configure-common.md#configure-connection-strings) and [app settings](configure-common.md#configure-app-settings). However, the security best practice is to keep secrets out of App Service completely. You'll move your secrets to key vault and change your app setting to [Key Vault references](app-service-key-vault-references.md) with the help of Service Connectors.
178178

179+
> [!TIP]
180+
> To use passwordless authentication, see [How do I change the SQL Database connection to use a managed identity instead?](#how-do-i-change-the-sql-database-connection-to-use-a-managed-identity-instead)
181+
179182
:::row:::
180183
:::column span="2":::
181-
**Step 1:** In the App Service page,
184+
**Step 1:** In the App Service page:
182185
1. In the left menu, select **Settings > Environment variables > Connection strings**.
183186
1. Select **AZURE_SQL_CONNECTIONSTRING**.
184187
1. In **Add/Edit connection string**, in the **Value** field, find the *Password=* part at the end of the string.
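Review bot: The new tip links to `#how-do-i-change-the-sql-database-connection-to-use-a-managed-identity-instead`, but no hunk in this diff shows that heading, so confirm it exists in this article with exactly that text. Since the paragraph just above the tip calls keeping secrets out of App Service the best practice, the tip could also say in a few words that the passwordless option needs no stored password at all, so readers understand why they might prefer it over the steps that follow.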
@@ -229,6 +232,7 @@ The creation wizard generated the connectivity string for you already as [.NET c
229232
1. In the App Service page, in the left menu, select **Settings > Service Connector**. There are already two connectors, which the app creation wizard created for you.
230233
1. Select checkbox next to the SQL Database connector, then select **Edit**.
231234
1. Select the **Authentication** tab.
235+
1. In **Password**, paste the password you copied earlier.
232236
1. Select **Store Secret in Key Vault**.
233237
1. Under **Key Vault Connection**, select **Create new**.
234238
A **Create connection** dialog is opened on top of the edit dialog.
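Review bot: In the added list item, "the password you copied earlier" does not say where the value came from; the only earlier place these hunks show is Step 1, where the reader locates the *Password=* part of **AZURE_SQL_CONNECTIONSTRING**. Name that step, for example "paste the password you copied in Step 1", so a reader who arrives at this dialog knows which value is meant.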
@@ -277,7 +281,7 @@ The creation wizard generated the connectivity string for you already as [.NET c
277281
:::row-end:::
278282
:::row:::
279283
:::column span="2":::
280-
**Step 8:** To verify that your changes:
284+
**Step 8:** To verify your changes:
281285
1. From the left menu, select **Environment variables > Connection strings** again.
282286
1. Next to **AZURE_SQL_CONNECTIONSTRING**, select **Show value**. The value should be `@Microsoft.KeyValut(...)`, which means that it's a [key vault reference](app-service-key-vault-references.md) because the secret is now managed in the key vault.
283287
1. To verify the Redis connection string, select the **App setting** tab. Next to **AZURE_REDIS_CONNECTIONSTRING**, select **Show value**. The value should be `@Microsoft.KeyValut(...)` too.
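Review bot: Step 8 still tells the reader to expect `@Microsoft.KeyValut(...)` in both list items under the reworded line; the reference syntax is `@Microsoft.KeyVault(...)`. Since this change already touches the step, fix the spelling in both places so the reader can match the text against the value the portal shows.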
@@ -287,7 +291,7 @@ The creation wizard generated the connectivity string for you already as [.NET c
287291
:::column-end:::
288292
:::row-end:::
289293

290-
## 3. Deploy sample code
294+
## 4. Deploy sample code
291295

292296
In this step, you configure GitHub deployment using GitHub Actions. It's just one of many ways to deploy to App Service, but also a great way to have continuous integration in your deployment process. By default, every `git push` to your GitHub repository kicks off the build and deploy action.
293297

@@ -406,7 +410,7 @@ In this step, you configure GitHub deployment using GitHub Actions. It's just on
406410
:::column-end:::
407411
:::row-end:::
408412

409-
## 4. Generate database schema
413+
## 5. Generate database schema
410414

411415
With the SQL Database protected by the virtual network, the easiest way to run [dotnet database migrations](/ef/core/managing-schemas/migrations/?tabs=dotnet-core-cli) is in an SSH session with the App Service container.
412416

@@ -433,7 +437,7 @@ In the SSH session, only changes to files in `/home` can persist beyond app rest
433437

434438
Having issues? Check the [Troubleshooting section](#troubleshooting).
435439

436-
## 5. Browse to the app
440+
## 6. Browse to the app
437441

438442
:::row:::
439443
:::column span="2":::
@@ -458,7 +462,7 @@ Having issues? Check the [Troubleshooting section](#troubleshooting).
458462
> [!TIP]
459463
> The sample application implements the [cache-aside](/azure/architecture/patterns/cache-aside) pattern. When you visit a data view for the second time, or reload the same page after making data changes, **Processing time** in the webpage shows a much faster time because it's loading the data from the cache instead of the database.
460464
461-
## 6. Stream diagnostic logs
465+
## 7. Stream diagnostic logs
462466

463467
Azure App Service captures all messages logged to the console to assist you in diagnosing issues with your application. The sample app outputs console log messages in each of its endpoints to demonstrate this capability.
464468

@@ -481,7 +485,7 @@ Azure App Service captures all messages logged to the console to assist you in d
481485
:::column-end:::
482486
:::row-end:::
483487

484-
## 7. Clean up resources
488+
## 8. Clean up resources
485489

486490
When you're finished, you can delete all of the resources from your Azure subscription by deleting the resource group.
487491

@@ -550,7 +554,7 @@ The dev container already has the [Azure Developer CLI](/azure/developer/azure-d
550554
azd up
551555
```
552556

553-
The `azd up` command takes about 15 minutes to complete (the Redis cache take the most time). It also compiles and deploys your application code, but you'll modify your code later to work with App Service. While it's running, the command provides messages about the provisioning and deployment process, including a link to the deployment in Azure. When it finishes, the command also displays a link to the deploy application.
557+
The `azd up` command takes about 15 minutes to complete (the Redis cache takes the most time). It also compiles and deploys your application code, but you'll modify your code later to work with App Service. While it's running, the command provides messages about the provisioning and deployment process, including a link to the deployment in Azure. When it finishes, the command also displays a link to the deploy application.
554558

555559
This AZD template contains files (*azure.yaml* and the *infra* directory) that generate a secure-by-default architecture with the following Azure resources:
556560

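Review bot: The changed paragraph fixes "takes" but its last sentence still ends with "a link to the deploy application"; that should read "the deployed application". Fix it on the same line while it is being edited.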
@@ -632,7 +636,7 @@ Before you deploy these changes, you still need to generate a migration bundle.
632636
633637
Having issues? Check the [Troubleshooting section](#troubleshooting).
634638
635-
## 4. Generate database schema
639+
## 5. Generate database schema
636640
637641
With the SQL Database protected by the virtual network, the easiest way to run database migrations is in an SSH session with the App Service container. However, the App Service Linux containers don't have the .NET SDK, so the easiest way to run database migrations is to upload a self-contained migrations bundle.
638642

articles/app-service/tutorial-java-spring-cosmosdb.md

Lines changed: 6 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -157,6 +157,7 @@ Sign in to the [Azure portal](https://portal.azure.com/) and follow these steps
157157
- **App Service**: Represents your app and runs in the App Service plan.
158158
- **Virtual network**: Integrated with the App Service app and isolates back-end network traffic.
159159
- **Azure Cosmos DB**: Accessible only from behind its private endpoint. A database is created for you on the database account.
160+
- **Private endpoints**: Access endpoints for the database server and the Redis cache in the virtual network.
160161
- **Private DNS zones**: Enable DNS resolution of the database server and the Redis cache in the virtual network.
161162
:::column-end:::
162163
:::column:::
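Review bot: The added **Private endpoints** bullet says "database server", while the **Azure Cosmos DB** bullet directly above it calls the resource a "database account". Use the same term in the new bullet (for example "the Cosmos DB account") so the reader can map the endpoint to the resource in the list.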
@@ -172,7 +173,7 @@ The creation wizard generated the connectivity string for you already as an [app
172173

173174
:::row:::
174175
:::column span="2":::
175-
**Step 1:** In the App Service page,
176+
**Step 1:** In the App Service page:
176177
1. In the left menu, select **Settings > Environment variables**.
177178
1. Next to **AZURE_COSMOS_CONNECTIONSTRING**, select **Show value**.
178179
This connection string lets you connect to the Cosmos DB database secured behind a private endpoint. However, the secret is saved directly in the App Service app, which isn't the best. You'll change this.
@@ -255,7 +256,7 @@ The creation wizard generated the connectivity string for you already as an [app
255256
:::row-end:::
256257
:::row:::
257258
:::column span="2":::
258-
**Step 7:** To verify that you secured the secrets:
259+
**Step 7:** To verify your changes:
259260
1. From the left menu, select **Environment variables** again.
260261
1. Make sure that the app setting **spring.data.mongodb.uri** exists. The default connector generated it for you, and your Spring Boot application already uses the variable.
261262
1. Next to the app setting, select **Show value**. The value should be `@Microsoft.KeyValut(...)`, which means that it's a [key vault reference](app-service-key-vault-references.md) because the secret is now managed in the key vault.
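Review bot: The last list item of Step 7 still shows `@Microsoft.KeyValut(...)`; the reference syntax is `@Microsoft.KeyVault(...)`, and the spelling should be fixed while the step is being edited. The old lead-in, "To verify that you secured the secrets:", also told the reader what is being checked, which "To verify your changes:" no longer does; consider keeping the more specific wording.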
@@ -321,7 +322,7 @@ Like the Tomcat convention, if you want to deploy to the root context of Tomcat,
321322
:::column span="2":::
322323
**Step 5 (Option 1: with GitHub Copilot):**
323324
1. Start a new chat session by selecting the **Chat** view, then selecting **+**.
324-
1. Ask, "*@workspace why do i get the error in GitHub actions: The string 'java21' is not valid SemVer notation for a Java version.*" Copilot might give you an explanation and even give you the link to the workflow file that you need to fix.
325+
1. Ask, "*@workspace Why do I get the error in GitHub actions: The string 'java21' is not valid SemVer notation for a Java version.*" Copilot might give you an explanation and even give you the link to the workflow file that you need to fix.
325326
1. Open *.github/workflows/starter-no-infra_msdocs-spring-cosmosdb-123.yaml* in the explorer and make the suggested fix.
326327
GitHub Copilot doesn't give you the same response every time, you might need to ask more questions to fine-tune its response. For tips, see [What can I do with GitHub Copilot in my codespace?](#what-can-i-do-with-github-copilot-in-my-codespace).
327328
:::column-end:::
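Review bot: In the reworded Copilot prompt, "GitHub actions" is still lowercase; the product name is "GitHub Actions". The context sentence two items below also joins two clauses with a comma ("...the same response every time, you might need..."); split it into two sentences or join the clauses with "so".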
@@ -497,7 +498,7 @@ The dev container already has the [Azure Developer CLI](/azure/developer/azure-d
497498
azd up
498499
```
499500

500-
The `azd up` command takes about 15 minutes to complete (the Redis cache take the most time). It also compiles and deploys your application code, but you'll modify your code later to work with App Service. While it's running, the command provides messages about the provisioning and deployment process, including a link to the deployment in Azure. When it finishes, the command also displays a link to the deploy application.
501+
The `azd up` command takes about 15 minutes to complete (the Redis cache takes the most time). It also compiles and deploys your application code, but you'll modify your code later to work with App Service. While it's running, the command provides messages about the provisioning and deployment process, including a link to the deployment in Azure. When it finishes, the command also displays a link to the deploy application.
501502

502503
This AZD template contains files (*azure.yaml* and the *infra* directory) that generate a secure-by-default architecture with the following Azure resources:
503504

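Review bot: As in the .NET tutorial, the changed paragraph fixes "takes" but still ends with "a link to the deploy application"; that should read "the deployed application". Correct it on the same line.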
@@ -508,6 +509,7 @@ The dev container already has the [Azure Developer CLI](/azure/developer/azure-d
508509
- **Azure Cosmos DB account with MongoDB API**: Accessible only from behind its private endpoint. A database is created for you on the server.
509510
- **Azure Cache for Redis**: Accessible only from within the virtual network.
510511
- **Key vault**: Accessible only from behind its private endpoint. Used to manage secrets for the App Service app.
512+
- **Private endpoints**: Access endpoints for the key vault, the database server, and the Redis cache in the virtual network.
511513
- **Private DNS zones**: Enable DNS resolution of the Cosmos DB database, the Redis cache, and the key vault in the virtual network.
512514
- **Log Analytics workspace**: Acts as the target container for your app to ship its logs, where you can also query the logs.
513515

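Review bot: The added **Private endpoints** bullet lists the Redis cache, but the **Azure Cache for Redis** bullet above it says only "Accessible only from within the virtual network", unlike the Cosmos DB and key vault bullets, which say "from behind its private endpoint". Align the two bullets so the list does not leave it unclear whether the cache is reached through a private endpoint.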