Introduction
I am currently the architect for a migration project for the Norwegian Airport Express Train called Flytoget. We are building and deploying a system consisting of multiple applications built using microservices on Kubernetes(K8s). Early on, we saw the need to centralize common configuration settings. Duplicating the configuration for all your applications as environment settings, for example, would make changes unnecessary and difficult. Configuration duplication is also error-prone.
To solve this problem, we wanted to investigate the Azure App Configuration service. I created a demo repository with a detailed explanation of our problem and how Azure App Configuration could solve it. This blog post looks at the service and how it fits into an application's configuration and secret setup.
Azure App Configuration
Azure App Configuration is a managed service provided by Microsoft Azure that offers a centralized storage location for application settings and feature flags.
Key features of Azure App Configuration include:
- A centralized management interface for storing and retrieving configuration settings
- Point-in-time snapshot of your configurations
- Built-in support for feature flags and A/B testing
- Native integration with Azure services and SDKs for various programming languages
- Role-based access control (RBAC) for secure configuration management
Alternative solutions exist, such as Hashicorp Vault. However, as we are already running multiple services in Azure, I wanted to see if we could leverage some synergies by also having the centralised configuration management tool there. One example is integrating Azure Key-Vault with configuration management. Another is to use a managed identity to avoid excessive secret management.
One area for improvement is the UI. It is sometimes difficult to see if the structure is correct. I edited it locally before copying and pasting it into the portal.
Demo repo
The demo repo is on GitHub. I have learned several lessons and conducted multiple experiments. One example is substituting an entry with a rather complex json structure. Another is to have multiple entries in Azure App Configuration, each changing part of the same entry only at different levels of depth. I highly appreciate the fact that it is possible to reference KeyVault entries to replace specific values in the configuration setting with only an Azure-managed identity in place.
When to use Azure App Configuration
Azure App Configuration fits nicely in scenarios where you want to centralize specific configuration settings across multiple applications. For non-common settings, I specify the secrets somehow in the pod configuration, using environment variables, mounting files, CSI Secrets Store Provider, or what have you. The point is that they are not stored in the Azure App Configuration. Another strategy is to utilize filters such as key-value compositions, which we only load in Azure App Configurations with a particular set of labels for an application. However, this would be prone to misconfigurations and give the application access to configuration and secrets for another application.
Summary
This article explored Azure App Configuration as a solution for centralized configuration management in microservice architectures. The service offers compelling features for organizations running on Azure, including seamless integration with Key Vault, managed identity support, and comprehensive configuration versioning. While the UI has some limitations and careful consideration is needed for application-specific settings, the benefits of centralized configuration management make it a valuable tool for complex cloud deployments like our Flytoget migration project.