App Service on Azure Stack Hub 2022 H1 release notes

These release notes describe the improvements and fixes in Azure App Service on Azure Stack Hub 2022 H1 release notes and any known issues. Known issues are divided into issues directly related to the deployment, update process, and issues with the build (post-installation).

Important

Update Azure Stack Hub to a supported version (or deploy the latest Azure Stack Development Kit) if necessary, before deploying or updating the App Service resource provider (RP). Be sure to read the RP release notes to learn about new functionality, fixes, and any known issues that could affect your deployment.

Supported Azure Stack Hub version App Service RP version
2206.2.52 2022.H1 Installer (release notes)
2108.2.127 2022.H1 Installer (release notes)
2108 2021.Q3 Installer (release notes)
2102 2021.Q1 Installer (release notes)

Build reference

The App Service on Azure Stack Hub 2022 H1 build number is 98.0.1.699

What's new?

Azure App Service on Azure Stack Hub 2022 H1 brings many new capabilities to Azure Stack Hub

  • All roles are now powered by Windows Server 2022 Datacenter.
  • Administrators can isolate the platform image for use by App Service on Azure Stack Hub, by setting the SKU to AppService.
  • Network design update for all worker virtual machine scale sets, addressing customers faced with SNAT port exhaustion issues.
  • Increased number of outbound addresses for all applications. The updated list of outbound addresses can be discovered in the properties of an application in the Azure Stack Hub portal.
  • Administrators can set a three character deployment prefix for the individual instances in each Virtual Machine Scale Set that are deployed, useful when managing multiple Azure Stack Hub instances.
  • Deployment Center is now enabled for tenants, replacing the Deployment Options experience. IMPORTANT: Operators will need to reconfigure their deployment sources as the Redirect URLs have changed with this update, in addition tenants will need to reconnect their apps to their source control providers.

Prerequisites

Refer to the Before You Get Started documentation before beginning deployment.

Before you begin the upgrade of Azure App Service on Azure Stack to 2022 H1:

  • Ensure your Azure Stack Hub is updated to 1.2108.2.127 or 1.2206.2.52.

  • Ensure all roles are Ready in the Azure App Service Administration in the Azure Stack Hub Admin Portal

  • Backup App Service Secrets using the App Service Administration in the Azure Stack Hub Admin Portal

  • Back up the App Service and SQL Server Master Databases:

    • AppService_Hosting;
    • AppService_Metering;
    • Master
  • Back up the Tenant App content file share

    Important

    Cloud operators are responsible for the maintenance and operation of the File Server and SQL Server. The resource provider does not manage these resources. The cloud operator is responsible for backing up the App Service databases and tenant content file share.

  • Syndicate the Custom Script Extension version 1.9.3 from the Marketplace

Updates

Azure App Service on Azure Stack Update 2022 H1 includes the following improvements and fixes:

  • Updates to App Service Tenant, Admin, Functions portals and Kudu tools. Consistent with Azure Stack Portal SDK version.

  • Updates Azure Functions runtime to v1.0.13154.

  • Updates to core service to improve reliability and error messaging enabling easier diagnosis of common issues.

  • Updates to the following application frameworks and tools:

    • 2022-09 Cumulative Update for .NET Framework 3.5 and 4.8 for Microsoft server operating system version 21H2 for x64 (KB5017028)
    • ASP.NET Core
      • 3.1.18
      • 3.1.23
      • 6.0.2
      • 6.0.3
    • Eclipse Temurin OpenJDK 8
      • 8u302
      • 8u312
      • 8u322
    • Microsoft OpenJDK 11
      • 11.0.12.7.1
      • 11.0.13.8
      • 11.0.14.1
      • 17.0.1.12
      • 17.0.2.8
    • MSBuild
      • 16.7.0
      • 17.1.0
    • MSDeploy 3.5.100608.567
    • NodeJS
      • 14.18.1
      • 16.9.1
      • 16.13.0
    • NPM
      • 6.14.15
      • 7.21.1
      • 8.1.0
    • Tomcat
      • 8.5.69
      • 8.5.72
      • 8.5.78
      • 9.0.52
      • 9.0.54
      • 9.0.62
      • 10.0.12
      • 10.0.20
    • Updated Kudu to 97.40427.5713
  • Updates to underlying operating system of all roles:

  • Cumulative Updates for Windows Server are now applied to Controller roles as part of deployment and upgrade

Issues fixed in this release

  • Automatically clean up SiteDataRecord and TraceMessages tables within the App Service Resource Provider database(s).
  • Private certificate now shows in sites with deployment slot(s).
  • Improved reliability of upgrade process, by verifying all roles are ready.

Pre-Update steps

Azure App Service on Azure Stack Hub 2022 H1 is a significant update and as such can take multiple hours to complete as the whole deployment is updated and all roles are recreated with the Windows Server 2022 Datacenter OS. Therefore we recommend informing end customers of planned update ahead of applying the update.

Review the known issues for update and take any action prescribed.

Post-deployment steps

Important

If you have provided the App Service resource provider with a SQL Always On Instance you MUST add the appservice_hosting and appservice_metering databases to an availability group and synchronize the databases to prevent any loss of service in the event of a database failover.

Known issues (update)

  • In situations where a customer has converted the appservice_hosting and appservice_metering databases to contained database, upgrade may fail if logins haven't been successfully migrated to contained users

Customers that have converted the appservice_hosting and appservice_metering databases to contained database post deployment, and haven't successfully migrated the database logins to contained users, may experience upgrade failures.

Customers must execute the following script against the SQL Server hosting appservice_hosting and appservice_metering before upgrading your Azure App Service on Azure Stack Hub installation to 2020 Q3. This script is non-destructive and will not cause downtime.

This script must be run under the following conditions

  • By a user that has the system administrator privilege, for example the SQL SA Account;

  • If using SQL Always on, ensure the script is run from the SQL instance that contains all App Service logins in the form:

    • appservice_hosting_FileServer
    • appservice_hosting_HostingAdmin
    • appservice_hosting_LoadBalancer
    • appservice_hosting_Operations
    • appservice_hosting_Publisher
    • appservice_hosting_SecurePublisher
    • appservice_hosting_WebWorkerManager
    • appservice_metering_Common
    • appservice_metering_Operations
    • All WebWorker logins - which are in the form WebWorker_<instance ip address>
        USE appservice_hosting
        IF EXISTS(SELECT * FROM sys.databases WHERE Name=DB_NAME() AND containment = 1)
        BEGIN
        DECLARE @username sysname ;  
        DECLARE user_cursor CURSOR  
        FOR
            SELECT dp.name
            FROM sys.database_principals AS dp  
            JOIN sys.server_principals AS sp
                ON dp.sid = sp.sid  
                WHERE dp.authentication_type = 1 AND dp.name NOT IN ('dbo','sys','guest','INFORMATION_SCHEMA');
            OPEN user_cursor  
            FETCH NEXT FROM user_cursor INTO @username  
                WHILE @@FETCH_STATUS = 0  
                BEGIN  
                    EXECUTE sp_migrate_user_to_contained
                    @username = @username,  
                    @rename = N'copy_login_name',  
                    @disablelogin = N'do_not_disable_login';  
                FETCH NEXT FROM user_cursor INTO @username  
            END  
            CLOSE user_cursor ;  
            DEALLOCATE user_cursor ;
            END
        GO

        USE appservice_metering
        IF EXISTS(SELECT * FROM sys.databases WHERE Name=DB_NAME() AND containment = 1)
        BEGIN
        DECLARE @username sysname ;  
        DECLARE user_cursor CURSOR  
        FOR
            SELECT dp.name
            FROM sys.database_principals AS dp  
            JOIN sys.server_principals AS sp
                ON dp.sid = sp.sid  
                WHERE dp.authentication_type = 1 AND dp.name NOT IN ('dbo','sys','guest','INFORMATION_SCHEMA');
            OPEN user_cursor  
            FETCH NEXT FROM user_cursor INTO @username  
                WHILE @@FETCH_STATUS = 0  
                BEGIN  
                    EXECUTE sp_migrate_user_to_contained
                    @username = @username,  
                    @rename = N'copy_login_name',  
                    @disablelogin = N'do_not_disable_login';  
                FETCH NEXT FROM user_cursor INTO @username  
            END  
            CLOSE user_cursor ;  
            DEALLOCATE user_cursor ;
            END
        GO

Known issues (post-installation)

  • Workers are unable to reach file server when App Service is deployed in an existing virtual network and the file server is only available on the private network, as called out in the Azure App Service on Azure Stack deployment documentation.

    If you chose to deploy into an existing virtual network and an internal IP address to connect to your file server, you must add an outbound security rule, enabling SMB traffic between the worker subnet and the file server. Go to the WorkersNsg in the Admin Portal and add an outbound security rule with the following properties:

    • Source: Any
    • Source port range: *
    • Destination: IP Addresses
    • Destination IP address range: Range of IPs for your file server
    • Destination port range: 445
    • Protocol: TCP
    • Action: Allow
    • Priority: 700
    • Name: Outbound_Allow_SMB445
  • To remove latency when workers are communicating with the file server we also advise adding the following rule to the Worker NSG to allow outbound LDAP and Kerberos traffic to your Active Directory Controllers if securing the file server using Active Directory, for example if you've used the Quickstart template to deploy a HA File Server and SQL Server.

    Go to the WorkersNsg in the Admin Portal and add an outbound security rule with the following properties:

    • Source: Any
    • Source port range: *
    • Destination: IP Addresses
    • Destination IP address range: Range of IPs for your AD Servers, for example with the Quickstart template 10.0.0.100, 10.0.0.101
    • Destination port range: 389,88
    • Protocol: Any
    • Action: Allow
    • Priority: 710
    • Name: Outbound_Allow_LDAP_and_Kerberos_to_Domain_Controllers

Known issues for Cloud Admins operating Azure App Service on Azure Stack

  • Custom domains aren't supported in disconnected environments

App Service performs domain ownership verification against public DNS endpoints, as a result custom domains aren't supported in disconnected scenarios.

Next steps