How to manage application configuration for Containerized Azure Functions - recommended best practices

Question

Hi team,

I deployed my first azure function from a docker image.
I have my application configuration variables which are defined as ENV variables inside Dockerfile. However, they didn't appear in Settings -> Environmental variables for my azure function. Do you know why I couldn't see them?

Could you please share your recommendations on:

1. where to store application configuration (some of values can be secrets)
2. how to deal with updates in application configuration that would trigger re-deployment of docker container without the need to release new image version? example of manual change for testing purposes + how to do this in IaC approach?

I've read all the docs related to this topic but I'm struggling to find answers to my questions as they're specific to containerized azure functions.

Thanks a lot!
Maria

Answer 1

Why you don't see ENV variables in Azure Function settings When you define environment variables inside a Dockerfile, they exist only within the container at runtime and do not appear in the Azure Function App Settings. Azure Functions (when running in a container) do not automatically extract environment variables from the container itself into the Function App settings. To properly manage configuration, it's recommended to set environment variables at the Azure Function App level rather than embedding them inside the Dockerfile.

Where to store application configuration (including secrets) For a containerized Azure Function, consider the following best practices:

1. Azure Function App settings (best for non-sensitive configuration)
   • Go to Azure Portal → Your Function App → Configuration → Application settings.
   • Add environment variables manually here.
   • These values override any variables defined in the Dockerfile.
2. Azure Key Vault (best for secrets & sensitive data)
   • Store secrets (like API keys, connection strings) in Azure Key Vault.
   • Reference Key Vault secrets in Function App Settings using a Managed Identity.
   • This ensures secrets are securely retrieved at runtime without being stored in the container.
3. Azure App configuration (best for dynamic configuration management)
   • Azure App Configuration allows externalized configuration management for cloud-native applications.
   • It supports feature flags, dynamic settings updates, and Key Vault integration.

How to Update Configuration Without Releasing a New Image Since embedding environment variables in the Docker image is not ideal for updates, you should externalize configuration to the Azure Function App settings.

Manual update for testing

1. In Azure Portal:
   • Go to Function App → Configuration → Application settings.
   • Add or update an environment variable.
   • Click Save → This will restart the function and apply the changes.
2. Via Azure CLI:

      az functionapp config appsettings set --name <FunctionAppName> --resource-group <ResourceGroupName> --settings "MY_SETTING=value"
   

How to automate configuration updates using Infrastructure as Code (IaC) If you want to manage configuration updates as code, use Terraform, Bicep, or ARM templates.

Example: Terraform

resource "azurerm_function_app" "example" {
  name                = "example-function-app"
  resource_group_name = "example-rg"
  location            = "East US"
  app_settings = {
    "APP_ENV"        = "staging"
    "DATABASE_URL"   = "https://my-db-url"
    "STORAGE_ACCOUNT" = "mystorageaccount"
  }
}

To update the configuration:

terraform apply -auto-approve

This redeploys the configuration without requiring a new image build.

Example: Bicep

resource functionApp 'Microsoft.Web/sites@2021-02-01' = {
  name: 'myFunctionApp'
  location: resourceGroup().location
  properties: {
    siteConfig: {
      appSettings: [
        { name: 'APP_ENV', value: 'staging' }
        { name: 'DATABASE_URL', value: 'https://my-db-url' }
      ]
    }
  }
}

Use az deployment group create to deploy the changes.

To summarize

• Store secrets in Azure Key Vault and reference them in Function App settings.
• Keep non-sensitive configs in Function App settings for easy updates.
• Use Azure App Configuration for dynamic settings.
• Manage updates via IaC (Terraform/Bicep) to ensure consistency.
• Avoid storing configs inside the Dockerfile to keep images immutable.

---

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

Answer 2

When you define environment variables in your Dockerfile, they're baked into the container image. Azure Functions doesn't surface these in the portal because:

(1) They're part of the immutable container image.

(2) Azure expects runtime configuration to be managed through its configuration system.

(3) The portal only shows variables set at the Function App level.

To dynamically override or set environment variables, use Azure Function App settings instead of defining them in the Dockerfile.

(1) Where to Store Application Configuration?

For non-secret configuration:

Azure Function App Settings (Recommended for most app configs)

Azure App Configuration service (centralized management)

Find: https://learn.microsoft.com/en-us/azure/app-service/reference-app-settings?tabs=kudu%2Cdotnet

For secrets:

Azure Key Vault (most secure option)

Also see: https://learn.microsoft.com/en-us/azure/app-service/app-service-key-vault-references?tabs=azure-cli

(2) How to Handle Updates in Application Configuration Without Rebuilding the Image?

This can be done via manual change for testing Purposes. Find steps:

Go to Azure Portal → Function App → Configuration.

Add/update the environment variable in Application settings.

Click Save → Azure automatically restarts the function app to apply changes.

Verify using Kudu Console (/env endpoint) or logs.

You can also use Azure CLI or the Infrastructure as Code (IaC) approach

For best practices, ensure that the configuration is separate from the code. You can use key vaults for secrets or Azure app configuration for shared settings across multiple functions.

You can mark it 'Accept Answer' and 'Upvote' if this helped you

Regards,

Obinna.