Azure Application Configuration & Key Vault for Centralized & Secure Storage of Configuration

This blog discusses best practices to store the application configuration data effectively on the Azure cloud. The contents include:

  • Storing the configuration before the Cloud era and associated problems
  • How does 'Cloud' solve the problems that we might face if we store configuration in the traditional way?
    • Azure App Configuration
    • Azure Key Vault
  • How can we use app config and key vault effectively to store our configuration data?
    • Steps to create App Configuration on Azure portal
    • Steps to create Key Vault on Azure portal
  • Potential use cases
  • Conclusion

Storing the Configuration before the Cloud Era and Associated Problems

Traditional ways that we used to store the application configuration before the cloud era included the following:

  • config file
  • Database
  • Variables
  • Text files

Web.config example:



Storing application configuration data in the traditional way can lead to the following situations:

  • Re-deployment of the whole application
  • Security breach
  • Difficulty sharing configuration across different applications


How Does the 'Cloud' Solve the Problems We Might Face if We Store Configuration the Traditional Way?

Today, with Microsoft Azure we can get rid of those hardcoded configurations by using Azure App Configuration and Azure Key Vault Service.

Both services are fully managed by Microsoft Azure and encrypt data at rest and in transit, so we do not have to build that protection for our configuration data ourselves. Access to the stores is still governed by the permissions we grant.


App Configuration

App Configuration is an independent, secured store for application configuration settings. It is not tied to any application or continuous integration platform; it is tied only to Azure.

It is a very flexible key/value pair store that manages application settings and controls their access centrally. It also simplifies deployment tasks and eases the burden of dealing with permutations of configurations created by multiple applications, dependencies, and environments.

App Configuration also allows adding labels that can be used to maintain values of different environments (such as dev, stage & prod) for a single config property.

A label is an optional field on a key-value pair that differentiates key-values sharing the same key. For instance, the key APIBaseURL with the labels staging and prod is stored as two separate keys in an App Configuration store.

Key Vault

Key Vault is a service for storing confidential values (secrets). A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, or cryptographic keys. As an example, we can store API keys, database hostnames, and database passwords on Azure Key Vault.

Azure Key Vault also allows storing third-party/self-signed certificates that can be accessed from the application for third-party authentication/authorization purposes.


How Can We Use App Config and Key Vault Effectively to Store Configuration Data?

We are going to create a configuration for our application which has two config properties:

  • APIBaseURL (value will be stored directly in app config)
  • ClientId (will read its value from key vault as it contains sensitive information)


Steps to Create App Configuration on Azure Portal

Ensure that you have adequate permissions to create Azure app config and key vault on Azure portal.

Search for App Configuration service on Azure portal, select it, and you will be presented with the following screen showing a list of App Configurations that already exist. To create a new one, click the “create” button and make the appropriate selections:



Next, select the “Review + Create” button.


Click on TestAppConfig and go to configuration explorer which will allow the creation of new key-value pairs.

Different ways to define key-values on App Configuration:

  • Directly define the values of keys which do not contain sensitive information
  • Read the value from Key Vault when the value for a key contains sensitive information such as a password, clientId, client-secret, or API key
  • Import key/values using JSON file containing config data

Please see the below screenshot where two configuration keys have been created:

Key with direct value:


Key with value being referenced from key vault secret:




TestApplicationConfig:APISettings:APIBaseURL has four different values for different environments. 

TestApplicationConfig:APISettings:ClientId has three different values that are read from three different secrets of Azure key vault as it contains sensitive information.
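
The label and Key Vault reference behaviour described above, as an added Python example that is not part of the original post: it models the store entries offline, looks up a value by exact key and label, and flags sensitive-looking keys whose value is stored directly instead of as a Key Vault reference. The sample entries, secret names, URLs and the key-name heuristic are constructed assumptions.

```python
import json
import re

# Content-type prefix App Configuration puts on Key Vault reference entries.
KV_REF_PREFIX = "application/vnd.microsoft.appconfig.keyvaultref+json"
# Assumption: key names that suggest a secret-bearing value.
SENSITIVE_NAME = re.compile(r"password|client-?id|client-?secret|api[-_ ]?key", re.I)
PREFIX = "TestApplicationConfig:APISettings:"
VAULT = "https://testapplication-kv.vault.azure.net/secrets/"  # secret names are constructed

def kv_ref(secret_name):
    """Build a Key Vault reference body: a JSON pointer, never the secret itself."""
    return {"content_type": KV_REF_PREFIX + ";charset=utf-8",
            "value": json.dumps({"uri": VAULT + secret_name})}

# Constructed sample entries; the last one is a deliberate misconfiguration.
SAMPLE_ITEMS = [
    {"key": PREFIX + "APIBaseURL", "label": "dev", "content_type": "",
     "value": "https://dev.api.example.test"},
    {"key": PREFIX + "APIBaseURL", "label": "prod", "content_type": "",
     "value": "https://api.example.test"},
    {"key": PREFIX + "ClientId", "label": "dev", **kv_ref("ClientId-dev")},
    {"key": PREFIX + "ClientId", "label": "staging", **kv_ref("ClientId-staging")},
    {"key": PREFIX + "ClientId", "label": "prod", "content_type": "",
     "value": "constructed-inline-client-id"},
]

def is_key_vault_reference(item):
    """True when the entry points at a Key Vault secret instead of holding the value."""
    if not (item.get("content_type") or "").lower().startswith(KV_REF_PREFIX):
        return False
    try:
        uri = json.loads(item["value"])["uri"]
        return uri.startswith("https://") and "/secrets/" in uri
    except (ValueError, TypeError, KeyError, AttributeError):
        return False  # wrong content or malformed JSON: treat as an inline value

def resolve(items, key, label=None):
    """Return the entry for an exact (key, label) pair; each label is its own entry."""
    for item in items:
        if item["key"] == key and item.get("label") == label:
            return item
    return None

def audit(items):
    """List (key, label) pairs whose name looks sensitive but whose value is inline."""
    return [(i["key"], i.get("label")) for i in items
            if SENSITIVE_NAME.search(i["key"]) and not is_key_vault_reference(i)]
```

Calling audit(SAMPLE_ITEMS) reports only the prod ClientId entry, the one that holds its value directly.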

C# class for this configuration would look like:

Steps to Create Key Vault on Azure Portal

The following section outlines the creation of secrets on Azure key vault (please see the prior section related to TestApplicationConfig:APISettings:ClientId):

Search & select Key Vault service on Azure portal. You will be presented with a screen showing a list of Key Vaults that already exist and a button that allows you to create a new one.

Click on the create button to create a new key vault. Define the resource group, name of your key vault, and pricing tier:


Click on the “Review + Create” button.


Click on testapplication-kv key vault from the list and go to the Secrets section to create and store the secrets of the application. 

To create a new secret, click on the Generate/Import button and define the name and value of your secret. You can also set an expiration date for that secret.

Potential Use Cases

Cloud-based applications often run on multiple virtual machines or containers in multiple regions and use multiple external services. Creating a robust and scalable application in a distributed environment presents a significant challenge.

While any application can use Azure App Configuration, the following types of applications benefit most:

  • Microservices based on Azure Kubernetes Service, Azure Service Fabric, or other containerized apps deployed in one or more regions.
  • Serverless apps, which include Azure Functions or other event-driven stateless computation apps.
  • Apps that use a continuous deployment (CD) pipeline.




That’s it! Here we discussed the problems that can arise when application configuration is stored in the traditional way, and how two Azure services help us overcome those problems while offering other advantages in security and accessibility, given that they are fully managed by Microsoft Azure.

