You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/app-service/tutorial-java-tomcat-mysql-app.md
+16-14Lines changed: 16 additions & 14 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -142,7 +142,7 @@ Sign in to the [Azure portal](https://portal.azure.com/) and follow these steps
142
142
1. *Name*: **msdocs-tomcat-mysql-XYZ**, where *XYZ* is any three random characters.
143
143
1. *Runtime stack*: **Java 17**.
144
144
1. *Java web server stack*: **Apache Tomcat 10.1**.
145
-
1. **MySQL - Flexible Server** is selected for you by default as the database engine. If not, select it. Azure Database for MySQL is a fully managed MySQL database as a service on Azure, compatible with the latest community editions.
145
+
1. *Engine*: **MySQL - Flexible Server** is selected for you by default as the database engine. If not, select it. MySQL - Flexible Server runs on Azure Database for MySQL. It's a fully managed MySQL database as a service on Azure, compatible with the latest community editions.
146
146
1. *Hosting plan*: **Basic**. When you're ready, you can [scale up](manage-scale-up.md) to a production pricing tier.
147
147
1. Select **Review + create**.
148
148
1. After validation completes, select **Create**.
@@ -171,12 +171,12 @@ Having issues? Check the [Troubleshooting section](#troubleshooting).
171
171
172
172
## 3. Secure connection secrets
173
173
174
-
The creation wizard generated the connectivity string for you already as an [app setting](configure-common.md#configure-app-settings). However, the security best practice is to keep secrets out of App Service completely. You'll move your secrets to a key vault and change your app setting to a [Key Vault reference](app-service-key-vault-references.md) with the help of Service Connectors.
174
+
The creation wizard generated the database connectivity string for you already as an [app setting](configure-common.md#configure-app-settings). However, the security best practice is to keep secrets out of App Service completely. You'll move your secrets to a key vault and change your app setting to a [Key Vault reference](app-service-key-vault-references.md) with the help of Service Connectors.
175
175
176
176
:::row:::
177
177
:::column span="2":::
178
-
**Step 1:** In the App Service page:
179
-
1. In the left menu, select **Settings > Environment variables**.
178
+
**Step 1: Retrieve the existing connection string**
179
+
1. In the left menu of the App Service page, select **Settings > Environment variables**.
180
180
1. Select **AZURE_MYSQL_CONNECTIONSTRING**. It contains a JDBC connection string. If you add an app setting that contains a valid Oracle, SQL Server, PostgreSQL, or MySQL connection string, App Service injects it as a Java Naming and Directory Interface (JNDI) data source in the Tomcat server's *context.xml* file.
181
181
1. In **Add/Edit application setting**, in the **Value** field, find the *password=* part at the end of the string.
182
182
1. Copy the password string after *Password=* for use later.
@@ -188,25 +188,25 @@ The creation wizard generated the connectivity string for you already as an [app
188
188
:::row-end:::
189
189
:::row:::
190
190
:::column span="2":::
191
-
**Step 2:**Create a key vault for secure management of secrets.
191
+
**Step 2:Create a Key Vault for secure management of secrets.**
192
192
1. In the top search bar, type "*key vault*", then select **Marketplace** > **Key Vault**.
193
193
1. In **Resource Group**, select **msdocs-tomcat-mysql-tutorial**.
194
194
1. In **Key vault name**, type a name that consists of only letters and numbers.
195
-
1. In **Region**, set it to the sample location as the resource group.
195
+
1. In **Region**, set it to the same location as the resource group.
196
196
:::column-end:::
197
197
:::column:::
198
198
:::image type="content" source="./media/tutorial-java-tomcat-mysql-app/azure-portal-secure-connection-secrets-2.png" alt-text="A screenshot showing how to create a key vault." lightbox="./media/tutorial-java-tomcat-mysql-app/azure-portal-secure-connection-secrets-2.png":::
199
199
:::column-end:::
200
200
:::row-end:::
201
201
:::row:::
202
202
:::column span="2":::
203
-
**Step 3:**
203
+
**Step 3: Secure the Key Vault with a Private Endpoint**
204
204
1. Select the **Networking** tab.
205
205
1. Unselect **Enable public access**.
206
206
1. Select **Create a private endpoint**.
207
207
1. In **Resource Group**, select **msdocs-tomcat-mysql-tutorial**.
208
-
1. In **Key vault name**, type a name that consists of only letters and numbers.
209
-
1. In **Region**, set it to the sample location as the resource group.
208
+
1. In **Name**, type a name for the Private Endpoint that consists of only letters and numbers.
209
+
1. In **Region**, set it to the same location as the resource group.
210
210
1. In the dialog, in **Location**, select the same location as your App Service app.
211
211
1. In **Resource Group**, select **msdocs-tomcat-mysql-tutorial**.
212
212
1. In **Name**, type **msdocs-tomcat-mysql-XYZVaultEndpoint**.
@@ -221,7 +221,7 @@ The creation wizard generated the connectivity string for you already as an [app
221
221
:::row-end:::
222
222
:::row:::
223
223
:::column span="2":::
224
-
**Step 4:**
224
+
**Step 4: Configure the Service Connector**
225
225
1. In the top search bar, type *msdocs-tomcat-mysql*, then the App Service resource called **msdocs-tomcat-mysql-XYZ**.
226
226
1. In the App Service page, in the left menu, select **Settings > Service Connector**. There's already a connector, which the app creation wizard created for you.
227
227
1. Select checkbox next to the connector, then select **Edit**.
@@ -238,8 +238,8 @@ The creation wizard generated the connectivity string for you already as an [app
238
238
:::row-end:::
239
239
:::row:::
240
240
:::column span="2":::
241
-
**Step 5:** In the **Create connection**dialog for the Key Vault connection:
242
-
1. In **Key Vault**, select the key vault you created earlier.
241
+
**Step 5: Establish the Key Vault connection**
242
+
1. In the **Create connection** dialog for the Key Vault connection, in **Key Vault**, select the key vault you created earlier.
243
243
1. Select **Review + Create**. You should see that **System assigned managed identity** is set to **Selected**.
244
244
1. When validation completes, select **Create**.
245
245
:::column-end:::
@@ -249,7 +249,7 @@ The creation wizard generated the connectivity string for you already as an [app
249
249
:::row-end:::
250
250
:::row:::
251
251
:::column span="2":::
252
-
**Step 6:** You're back in the edit dialog for **defaultConnector**.
252
+
**Step 6: Finalize the Service Connector configuration** You're back in the edit dialog for **defaultConnector**.
253
253
1. In the **Authentication** tab, wait for the key vault connector to be created. When it's finished, the **Key Vault Connection** dropdown automatically selects it.
254
254
1. Select **Next: Networking**.
255
255
1. Select **Save**. Wait until the **Update succeeded** notification appears.
@@ -260,7 +260,7 @@ The creation wizard generated the connectivity string for you already as an [app
260
260
:::row-end:::
261
261
:::row:::
262
262
:::column span="2":::
263
-
**Step 7:** To verify your changes:
263
+
**Step 7: Verify the Key Vault integration**
264
264
1. From the left menu, select **Environment variables > Connection strings** again.
265
265
1. Next to **AZURE_MYSQL_CONNECTIONSTRING**, select **Show value**. The value should be `@Microsoft.KeyVault(...)`, which means that it's a [key vault reference](app-service-key-vault-references.md) because the secret is now managed in the key vault.
266
266
:::column-end:::
@@ -269,6 +269,8 @@ The creation wizard generated the connectivity string for you already as an [app
269
269
:::column-end:::
270
270
:::row-end:::
271
271
272
+
To summarize, the process involved retrieving the MySQL connection string from the App Service's environment variables, creating an Azure Key Vault for secure secret management with private access, and updating the service connector to store the password in the Key Vault. A secure connection between the App Service and Key Vault was established using a system-assigned managed identity, and the setup was verified by confirming the connection string referenced the Key Vault.
273
+
272
274
Having issues? Check the [Troubleshooting section](#troubleshooting).
0 commit comments