Recipes
Practical patterns for common Azure App Service scenarios in Python and Flask.
flowchart TD
A[Python Flask Recipes] --> B[Identity and Secrets]
A --> C[Data and Cache]
A --> D[Runtime and Deployment]
B --> E[Managed Identity / Key Vault / Easy Auth]
C --> F[Azure SQL / Cosmos DB / Redis]
D --> G[Custom Container / Native Deps / Slots]
Prerequisites
- A deployed App Service web app running Python 3.11+
- Azure CLI logged in (az login)
- Access to the resource group that contains your app
Step-by-Step Guide
Step 1: Choose the scenario
Pick the recipe that matches your immediate requirement:
- Azure SQL with Managed Identity
- Cosmos DB with azure-cosmos
- Redis cache with redis-py
- Custom container with Gunicorn + SSH
- Native dependencies on Linux App Service
- Easy Auth
- mTLS Client Certificates
- Managed Identity
- Private Network Deployment
- Key Vault References
- Bring Your Own Storage
Step 2: Apply in a safe order
Use this rollout order for production apps:
1. Enable Managed Identity and least-privilege RBAC.
2. Move secrets to Key Vault or Key Vault References.
3. Add data/cache integrations (SQL, Cosmos DB, Redis).
4. Move to custom container or native dependency optimization only when needed.
Complete Example
# Recommended baseline settings
az webapp identity assign --resource-group "$RG" --name "$APP_NAME"
az webapp config appsettings set \
  --resource-group "$RG" \
  --name "$APP_NAME" \
  --settings \
    APP_ENV=production \
    LOG_LEVEL=INFO
Troubleshooting
- If identity-based connections fail, verify role assignments and wait a few minutes for token/RBAC propagation.
- If configuration changes are not reflected, restart the app:
Advanced Topics
- Use deployment slots to validate recipe changes before production swap.
- Combine Easy Auth + app-level authorization (role checks) for defense in depth.
- Use managed identities for all supported Azure SDK connections to remove static credentials.
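The Easy Auth plus app-level role check mentioned above, as an added example that is not part of the original recipes. It assumes Easy Auth is enabled so the platform sets the X-MS-CLIENT-PRINCIPAL header; the role names, function names and sample principals are hypothetical and constructed.

```python
import base64
import json

HEADER = "X-MS-CLIENT-PRINCIPAL"  # set by App Service when Easy Auth is enabled


def roles_from_principal(headers):
    """Return the caller's roles, or None when no usable principal is present."""
    raw = headers.get(HEADER)
    if not raw:
        return None
    try:
        # The header value is base64-encoded JSON; reject anything else.
        principal = json.loads(base64.b64decode(raw, validate=True))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    if not isinstance(principal, dict) or not isinstance(principal.get("claims"), list):
        return None
    # Role claims use the short "roles" type or the type named in role_typ.
    role_types = {"roles"}
    if isinstance(principal.get("role_typ"), str):
        role_types.add(principal["role_typ"])
    roles = set()
    for claim in principal["claims"]:
        if not isinstance(claim, dict):
            continue
        typ, val = claim.get("typ"), claim.get("val")
        if isinstance(typ, str) and isinstance(val, str) and typ in role_types:
            roles.add(val)
    return roles


def authorize(headers, required_role):
    """Fail closed: 401 without a principal, 403 without the role, else 200."""
    roles = roles_from_principal(headers)
    if roles is None:
        return 401
    return 200 if required_role in roles else 403


def _sample(principal):
    """Build a constructed header set the way the platform encodes it."""
    return {HEADER: base64.b64encode(json.dumps(principal).encode()).decode()}


# Constructed sample principals; role names are hypothetical.
ROLE_URI = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
ADMIN = _sample({"auth_typ": "aad", "role_typ": ROLE_URI,
                 "claims": [{"typ": ROLE_URI, "val": "Orders.Admin"}]})
READER = _sample({"auth_typ": "aad", "claims": [{"typ": "roles", "val": "Orders.Reader"}]})
```

In Flask, call authorize(request.headers, "Orders.Admin") from a before_request hook or a route decorator and abort with the returned status when it is not 200.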