Deploy Data API builder to Azure App Service

This guide shows you how to deploy Data API builder (DAB) to Azure App Service using a code-based deployment model, without building or managing container images. App Service provides built-in support for TLS, custom domains, scaling, monitoring, and Microsoft Entra authentication.

Diagram of the overall architecture after deployment to Azure App Service is complete.

Tip

If your environment uses containers, see Deploy to Azure Container Apps or Deploy to Azure Kubernetes Service instead.

Prerequisites

An Azure account with an active subscription. Create an account for free.
Data API builder CLI. Install the CLI.
Azure CLI. Install the Azure CLI.
.NET 8 or later installed locally.
Existing supported database addressable from Azure.

Build the configuration file

Build a DAB configuration file to connect to your existing database.

Create an empty directory on your local machine to store the configuration file and deployment artifacts.
Initialize a new base configuration file using dab init. Use the @env() function to reference the DATABASE_CONNECTION_STRING environment variable so credentials aren't stored in the configuration file.
```
dab init --database-type "<database-type>" --connection-string "@env('DATABASE_CONNECTION_STRING')"
```
Important

Replace <database-type> with a supported database type, such as mssql, postgresql, mysql, or cosmosdb_nosql. Some database types require extra configuration settings on initialization.
Add at least one database entity to the configuration. Use the dab add command to configure an entity. Repeat dab add as many times as you need for your entities.
```
dab add "<entity-name>" --source "<schema>.<table>" --permissions "anonymous:*"
```
Open and review the contents of the dab-config.json file. Verify that:
- data-source.connection-string uses @env('DATABASE_CONNECTION_STRING')
- Your entities and permissions are correct
Important

Don't embed literal connection strings or secrets in dab-config.json. Use the @env() function so values are resolved from environment variables at runtime.

Create a local tool manifest

Use a local .NET tool manifest so the deployment package includes DAB as a project dependency. This approach avoids relying on a globally installed tool inside App Service.

Create a .NET local tool manifest in your project directory.
```
dotnet new tool-manifest
```

Install Data API builder as a local tool.

dotnet tool install microsoft.dataapibuilder --prerelease

Verify the manifest exists at .config/dotnet-tools.json.

Note

The --prerelease flag installs the latest Data API builder prerelease version. Remove the flag to install the latest stable release instead.

Test locally

Before deploying to Azure, confirm the runtime starts and your endpoints work.

Set the connection string as a local environment variable.

PowerShell
Bash

$env:DATABASE_CONNECTION_STRING = "<your-connection-string>"

export DATABASE_CONNECTION_STRING="<your-connection-string>"

Start the DAB runtime locally.
```
dab start
```
Test the REST endpoint by navigating to the Swagger UI or making a request to /api/<entity-name>.
Test the GraphQL endpoint at /graphql.
Stop the runtime after verifying all endpoints.

Create the App Service resources

Create the Azure resources required to host DAB on App Service.

Create a new resource group. You use this resource group for all new resources in this guide.
```
az group create \
  --name <resource-group-name> \
  --location <location>
```
Tip

Consider naming the resource group msdocs-dab-appservice.

Create an App Service plan.

az appservice plan create \
  --name <plan-name> \
  --resource-group <resource-group-name> \
  --sku B1 \
  --is-linux

Note

This guide uses the B1 (Basic) tier on Linux.

Create the web app with the .NET 8 runtime.

az webapp create \
  --name <app-name> \
  --resource-group <resource-group-name> \
  --plan <plan-name> \
  --runtime "DOTNETCORE:8.0"

Tip

Validate available runtimes for your plan with az webapp list-runtimes --os linux.

Configure App Service settings

Configure the environment variables and startup command that App Service needs to run DAB.

Configure the authentication provider for App Service. This setting tells DAB to trust App Service's built-in authentication (Easy Auth) for identity information.
```
dab configure --runtime.host.authentication.provider AppService
```
Set the database connection string as an App Service application setting.
```
az webapp config appsettings set \
  --name <app-name> \
  --resource-group <resource-group-name> \
  --settings DATABASE_CONNECTION_STRING="<your-connection-string>"
```
Tip

Use a connection string that doesn't include secrets. Instead, use managed identities and Microsoft Entra authentication to manage access between your database and App Service. For more information, see Azure services that use managed identities.
Create a startup script that restores the local tool manifest and starts DAB. Create a file named startup.sh in your project directory.
```
#!/bin/sh
dotnet tool restore
dotnet tool run dab start
```
Important

Ensure startup.sh uses LF (Unix) line endings, not CRLF. Windows editors may save with CRLF by default, which causes the script to fail on the Linux App Service host.

Set the startup command in App Service.

az webapp config set \
  --name <app-name> \
  --resource-group <resource-group-name> \
  --startup-file "startup.sh"

Deploy to App Service

Package your project files and deploy them to App Service using ZIP deploy.

Create a deployment package containing your project files. At a minimum, include:
- dab-config.json
- .config/dotnet-tools.json
- startup.sh
- PowerShell
- Bash
```
Compress-Archive -Path dab-config.json, .config, startup.sh -DestinationPath deploy.zip -Force
```
```
zip -r deploy.zip dab-config.json .config startup.sh
```
Important

The ZIP must contain files at the root level. Don't zip a parent folder that contains the files. The archive root should include dab-config.json, .config/, and startup.sh directly.

Deploy the ZIP package to App Service.

az webapp deploy \
  --resource-group <resource-group-name> \
  --name <app-name> \
  --src-path deploy.zip \
  --type zip

Verify the deployment

After deployment, confirm that DAB starts successfully on App Service.

Open the App Service URL.
```
https://<app-name>.azurewebsites.net
```

Check the health endpoint.

https://<app-name>.azurewebsites.net/health

Test REST and GraphQL endpoints using the same entity paths you tested locally. The deployed app uses the same dab-config.json, so endpoint behavior should match your local runtime.

If any endpoint returns an unexpected error, enable application logging and review the logs.

az webapp log config \
  --name <app-name> \
  --resource-group <resource-group-name> \
  --application-logging filesystem \
  --level information

az webapp log tail \
  --name <app-name> \
  --resource-group <resource-group-name>

Configure authentication (optional)

Protect your App Service endpoint with Microsoft Entra ID for production use.

For detailed steps, see Configure App Service authentication.

Important

The AppService authentication provider in dab-config.json trusts headers injected by App Service authentication. Make sure App Service authentication is enabled when using this provider in production. For more information, see Easy Auth (App Service).

Note

App Service authentication protects ingress to your endpoint. DAB entity permissions still govern what operations the runtime allows. If you want role-based access, update your entity permissions to use specific roles instead of anonymous:*.

Clean up resources

When you no longer need the sample application or resources, remove the corresponding deployment and all resources.

az group delete \
  --name <resource-group-name> \
  --yes \
  --no-wait

Feedback

Was this page helpful?

Last updated on 2026-05-05