Are you able to postpone / delay updates to the App Service? Such as PHP, WordPress etc?

Ross Armstrong 21 Reputation points
2022-12-28T10:06:05.753+00:00

Hi

I understand that as a PaaS service, the Azure App Service (using a WebApp) will automatically update software versions, such as PHP and WordPress.

There is a concern that automatic updates without testing may break website functionality. Is there a way to delay / postpone an update, so that it can be tested? Are you alerted when the update will be made?

I.e. an ideal scenario would be to have an alert that an update was coming and then a UAT environment be made available where the software updates could be applied and then testing take place over a few days, or weeks as required, and the automatic update held back on the Live environment until testing and any necessary code changes were completed.

Is this possible, or do we need to go down a more manual IaaS VM route for this level of control?

Thanks
Ross

Azure App Services
A feature of Azure App Service used to create and deploy scalable, mission-critical web apps.

Accepted answer
  1. TP 11,106 Reputation points
    2022-12-28T17:38:57.39+00:00

    Hi Ross,

    In addition to the information provided by AndriyBilous.

    They do not update WordPress. They do update underlying Linux, PHP, Nginx. Excerpt from article (link below excerpt):

    The updates for Linux, PHP, and Nginx are installed automatically. New WordPress versions will be available for new deployments within two weeks of release. For existing deployments, you will have to upgrade your WordPress version yourself.

    WordPress on Azure App Service - Top features you must know about

    https://techcommunity.microsoft.com/t5/apps-on-azure-blog/wordpress-on-azure-app-service-top-features-you-must-know-about/ba-p/3697873

    This is an old/outdated article, but contains some helpful information in regards to PHP update policy:

    https://github.com/Azure/app-service-linux-docs/blob/master/Runtime_Support/php_support.md

    In regards to notification/alerts/lead time, in general it is 7 days for multi-tenant app service, and 15 days for App Service Environment v3. Please see articles below:

    Routine Planned Maintenance Notifications for Azure App Service

    https://azure.github.io/AppService/2022/02/01/App-Service-Planned-Notification-Feature.html

    Upgrade preference for App Service Environment planned maintenance

    https://learn.microsoft.com/en-us/azure/app-service/environment/how-to-upgrade-preference?pivots=experience-azp#manual-upgrade-preference

    For more control you may consider running a custom container or using IaaS VM (as you mentioned).

    https://learn.microsoft.com/en-us/azure/app-service/quickstart-custom-container

    Thanks.

    -TP


4 additional answers

  1. Andriy Bilous 8,121 Reputation points
    2022-12-28T13:01:47.78+00:00

    Hello @Ross Armstrong

    According to the Shared responsibility in the cloud concept, Microsoft is responsible for patch management, antimalware, and baseline configuration of the underlying hardware.
    The following diagram illustrates the areas of responsibility between you and Microsoft, according to the type of deployment of your stack.
    274548-image.png

    These are the following cases when updates are applied:
    New major and minor versions - When a new major or minor version is added, it is installed side by side with the existing versions. You can manually upgrade your app to the new version and it is your responsibility to configure Azure PaaS services in a secure manner.
    Microsoft does not update major or minor versions of PHP, WordPress or other stack versions on its own in Azure Web Apps.

    New patch updates - Patch updates to .NET, PHP, Java SDK, or Tomcat version are applied automatically by overwriting the existing installation with the latest version.

    Significant vulnerabilities - When severe vulnerabilities require immediate patching, such as zero-day vulnerabilities, the high-priority updates are handled on a case-by-case basis.

    https://learn.microsoft.com/en-us/azure/app-service/overview-patch-os-runtime

    You can monitor latest Azure Updates using the link
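
As an added example (not part of the original answers, and not Microsoft tooling): a small POSIX shell check that compares a recorded baseline PHP version with the version the app currently reports and classifies the change as patch, minor or major, following the policy described in the answer above. The function names, the baseline value and the sample `php -v` line are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a PHP runtime version change (baseline vs. observed).
# Function names and sample values are constructed for illustration.

# field VERSION N -> Nth dot-separated component, 0 when absent ("7.3" -> patch 0)
field() {
  v=$(printf '%s..\n' "$1" | cut -d. -f"$2")
  printf '%s' "${v:-0}"
}

# parse_php_v LINE -> version number from the first line of `php -v` output
parse_php_v() {
  printf '%s\n' "$1" | sed -n '1s/^PHP \([0-9][0-9.]*\).*/\1/p'
}

# classify_change OLD NEW -> none | patch | minor | major
classify_change() {
  if   [ "$(field "$1" 1)" -ne "$(field "$2" 1)" ]; then echo major
  elif [ "$(field "$1" 2)" -ne "$(field "$2" 2)" ]; then echo minor
  elif [ "$(field "$1" 3)" -ne "$(field "$2" 3)" ]; then echo patch
  else echo none
  fi
}

# report BASELINE OBSERVED -> one line saying what the change means under the policy above
report() {
  case "$(classify_change "$1" "$2")" in
    none)  echo "OK $1: no runtime change" ;;
    patch) echo "INFO $1 -> $2: patch update (applied automatically); run regression tests" ;;
    *)     echo "WARN $1 -> $2: minor/major change; check the app's stack setting and end-of-support dates" ;;
  esac
}

# Constructed sample: baseline recorded at the last test run, and a `php -v`
# line as it would be captured from the app's console.
baseline="7.3.1"
observed=$(parse_php_v "PHP 7.3.2 (cli) (built: Jan  1 2019 00:00:00) ( NTS )")
report "$baseline" "$observed"
```

Run on a schedule against the live app, an `INFO` line is the cue to rerun regression tests, while a `WARN` line indicates a change that the policy above says is not a routine patch.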


  2. Ross Armstrong 21 Reputation points
    2022-12-29T08:05:27.173+00:00

    Many thanks for the answers! Will go back to the website developers and confirm this is acceptable.


  3. Ross Armstrong 21 Reputation points
    2022-12-29T11:03:52.823+00:00

    Hi again

    Just read through some of the links in more detail and it's still not 100% clear.

    AndriyBilous, you stated:

    "It is not possible to "stop" or "delay" automatic patch updates of PHP but major and minor versions you update by your own"

    I.e. this suggests minor versions (which would include 7.3 -> 7.4 for example) are NOT automatic.

    "patch updates of PHP" - I believe refer to the 'release' version, e.g. 7.3.2 over 7.3.1. Is that automatically patched, but minor releases not?

    However, TP-MVP provided the link to the GitHub page on PHP on App Service and this states:

    "End of Extended Support
    Once a version of PHP has reached its end of extended support your application will be upgraded to the next recommended supported minor version.

    For example on February 01, 2020 any application running on PHP 7.0 or PHP 7.1 will be upgraded to PHP 7.3"

    So that DOES suggest that a minor upgrade (for example, 7.3 -> 7.4) WOULD be automatically updated?

    Is there a way to confirm for certain please what is and isn't automatically upgraded?

    Many thanks
    Ross


  4. Ross Armstrong 21 Reputation points
    2022-12-30T08:25:42.077+00:00

    Thank you, the logic makes sense!
