Azure App Configuration FAQ

This article answers frequently asked questions about Azure App Configuration.

How is App Configuration different from Azure Key Vault?

App Configuration helps developers manage application settings and control feature availability. It aims to simplify many of the tasks of working with complex configuration data.

App Configuration supports:

  • Hierarchical namespaces
  • Labeling
  • Extensive queries
  • Batch retrieval
  • Specialized management operations
  • A feature-management user interface

App Configuration complements Key Vault, and the two should be used side by side in most application deployments.

Should I store secrets in App Configuration?

Although App Configuration provides hardened security, Key Vault is still the best place for storing application secrets. Key Vault provides hardware-level encryption, granular access policies, and management operations such as certificate rotation.

You can create App Configuration values that reference secrets stored in Key Vault. For more information, see Use Key Vault references in an ASP.NET Core app.

Does App Configuration encrypt my data?

Yes. App Configuration always encrypts all data in transit and at rest. All network communication is over TLS 1.2 or TLS 1.3. App Configuration supports encryption at rest with either Microsoft-managed keys or customer-managed keys.

How is App Configuration different from Azure App Service settings?

Azure App Service allows you to define app settings for each App Service instance. These settings are passed as environment variables to the application code. You can associate a setting with a specific deployment slot, if you want. For more information, see Configure app settings.

In contrast, Azure App Configuration allows you to define settings that can be shared among multiple apps. This includes apps running in App Service, as well as other platforms. Your application code accesses these settings through the configuration providers for .NET and Java, through the Azure SDK, or directly via REST APIs.

You can add references to your App Configuration data in the Application settings of your App Service. You can also import and export settings between App Service and App Configuration. This capability allows you to quickly set up a new App Configuration store based on existing App Service settings. You can also share configuration with an existing app that relies on App Service settings.

Are there any size limitations on keys and values stored in App Configuration?

There's a limit of 10 KB for a single key-value, including attributes such as label, content-type, tags, and other metadata.

This limit should be sufficient for a single setting in most applications. If you find that your setting is larger than this limit, you may consider storing your data elsewhere and add a reference of that data in App Configuration.

How should I store configurations for multiple environments (test, staging, production, and so on)?

You control who can access App Configuration at a per-store level. Use a separate store for each environment that requires different permissions. This approach provides the best security isolation.

If you do not need security isolation between environments, you can use labels to differentiate between configuration values. Use labels to enable different configurations for different environments provides a complete example.

How much does App Configuration cost?

There are two pricing tiers:

  • Free tier
  • Standard tier

If you created a store prior to the introduction of the Standard tier, it automatically moved to the Free tier upon general availability. You can choose to upgrade to the Standard tier or remain on the Free tier.

You can't downgrade a store from the Standard tier to the Free tier. You can create a new store in the Free tier and then import configuration data into that store.

Which App Configuration tier should I use?

Both App Configuration tiers offer core functionality, including config settings, feature flags, Key Vault references, basic management operations, metrics, and logs.

The following are considerations for choosing a tier.

  • Resources per subscription: A resource consists of a single configuration store. Each subscription is limited to one configuration store in the free tier. Subscriptions can have an unlimited number of configuration stores in the standard tier.

  • Storage per resource: In the free tier, each configuration store is limited to 10 MB of storage. In the standard tier, each configuration store can use up to 1 GB of storage.

  • Revision history: App Configuration stores a history of all changes made to keys. In the free tier, this history is stored for seven days. In the standard tier, this history is stored for 30 days.

  • Requests quota: Free tier stores are limited to 1,000 requests per day. When a store reaches 1,000 requests, it returns HTTP status code 429 for all requests until midnight UTC.

    Standard tier stores are limited to 30,000 requests per hour. When the hourly quota is exhausted, requests may return HTTP status code 429 indicating too many requests until end of the hour. As more requests are sent which are above quota, a higher percentage of them may return status code 429.

  • Service level agreement: The standard tier has an SLA of 99.9% availability. The free tier doesn't have an SLA.

  • Security features: Both tiers include basic security functionality, including encryption with Microsoft-managed keys, authentication via HMAC or Azure Active Directory, Azure RBAC support, managed identity, and service tags. The Standard tier offers more advanced security functionality, including Private Link support and encryption with customer-managed keys.

  • Cost: Standard tier stores have a daily usage charge. The first 200,000 requests each day are included in the daily charge. There's also an overage charge for requests past the daily allocation. There's no cost to use a free tier store.

Can I upgrade a store from the Free tier to the Standard tier? Can I downgrade a store from the Standard tier to the Free tier?

You can upgrade from the Free tier to the Standard tier at any time.

You can't downgrade a store from the Standard tier to the Free tier. You can create a new store in the Free tier and then import configuration data into that store.

Where does data stored in App Configuration reside?

Customer data stored in App Configuration reside in the region where the customer's App Configuration store was created. Customer data will be replicated to another region only if the customer enables geo-replication for that region. This applies to all available regions. Customers may move, copy, or access their data from any location globally.

How does App Configuration ensure high data availability?

Azure App Configuration supports geo-replication for enhanced resiliency to regional outages.

Azure App Configuration supports Azure availability zones to protect your application and data from single datacenter failures. All availability zone enabled regions consist of a minimum of 3 availability zones, where each is a physically independent datacenter. For resiliency, this support in App Configuration is enabled for all customers at no extra cost. Following are regions that App Configuration has enabled availability zone support. For more information, see Regions and Availability Zones in Azure.

Following are regions where App Configuration has enabled availability zone support.

Americas Europe Middle East Africa Asia Pacific
Brazil South France Central Qatar Central Australia East
Canada Central Germany West Central Central India
Central US North Europe Japan East
East US Norway East Korea Central
East US 2 UK South Southeast Asia
South Central US West Europe East Asia
West US 2 Sweden Central China North 3
West US 3

Are there any limits on the number of requests made to App Configuration?

Configuration stores in the Free tier are limited to 1,000 requests per day. Configuration stores in the Standard tier may experience temporary throttling when the request rate exceeds 30,000 requests per hour.

When a store reaches its limit in the standard tier, it may return HTTP status code 429 for some requests made until the end of the hour. The retry-after-ms header in the response gives a suggested wait time (in milliseconds) before retrying the request.

If your application regularly experiences HTTP status code 429 responses, consider redesigning it to reduce the number of requests made. For more information, see Reduce requests made to App Configuration

My application receives HTTP status code 429 responses. Why?

You'll receive an HTTP status code 429 response under these circumstances:

  • Exceeding the daily request limit for a store in the Free tier.
  • Exceeding the hourly request limit for a store in the standard tier.
  • Momentary throttling due to a large burst of requests†.
  • Excessive bandwidth usage.
  • Attempting to create or modify a key when the storage quota is exceeded.

Check the body of the 429 response for the specific reason why the request failed.

†A configuration store may experience momentary throttling if it receives a large burst of requests. App Configuration clients, such as the Azure SDK, configuration provider libraries, and Azure Pipeline tasks, automatically retry on throttled requests. For any applications using one of these clients, or a custom client that retries on throttled requests, this momentary throttling should go unnoticed, should it occur.

Why can't I create an App Configuration store with the same name as one that I just deleted?

All App Configuration stores in the standard tier have automatically enabled the soft-delete feature. When a standard tier App Configuration store is deleted, its name is reserved for the retention period. To recreate a store with the same name before the retention period expires, you need to purge the soft-deleted store first, provided the store doesn't have purge protection enabled. If the purge protection is enabled, you must wait for the retention period to elapse. Use the purge function or set a shorter retention period if you often need to recreate a store with the same name.

How can I restore an App Configuration store that I deleted mistakenly?

All App Configuration stores in the standard tier support the soft-delete feature, which cannot be disabled. You can recover a deleted store within its retention period. Follow these instructions to recover a mistakenly deleted App Configuration store.

Can I create and update feature flags or Key Vault references programmatically?

Yes. While you can manage feature flags and Key Vault references in App Configuration through the Azure portal or CLI, you can also create and update them programmatically using App Configuration SDKs. Therefore, you can write your customized management portal or manage them in your CI/CD programmatically. The feature flag and Key Vault reference APIs are available in SDKs of all supported languages. Check out the sample links for examples in each supported language.

Evaluating and consuming feature flags in your application requires the App Configuration provider and feature management libraries, which are available in .NET and Java Spring. Check out the Feature management section under Quickstarts and Tutorials for more information.

How to use Java Spring profiles in App Configuration?

Spring profiles provide a way to separate parts of your application, including configuration, and make it only available in certain environments or when specific libraries are used.

You are recommended to set the label of your key-values to match your Spring profiles. By default, the App Configuration Spring provider library will load the key-values with the label(s) matching the current active Spring profile(s) (${spring.profiles.active}) if the label filter isn't set explicitly. If there is no active Spring profile set, key-values with "no label" will be loaded.

For example, with profiles dev and prod, you create key-values accordingly with the following labels.

Key Label Value
/application/config.message dev Hello from dev
/application/config.message prod Hello from prod

When the Spring profile is set to dev, the value of config.message will be Hello from dev. When the Spring profile is set to prod, the value of config.message will be Hello from prod.

This default behavior can be overridden by setting the label filter in your bootstrap file. The Spring provider library will load key-values with the specified label(s) regardless of the active Spring profile.

spring.cloud.azure.appconfiguration.stores[0].selects[0].label-filter: my-label

To select other labels and your Spring profile(s), you can use selects like ',${spring.profiles.active}' which will select all keys without a label and the ones matching your Spring profiles. The rightmost label(s) take priority when duplicate keys are found.

Subscribe to our GitHub announcements repo.

How can I report an issue or give a suggestion?

You can reach us directly on GitHub.

Next steps