Azure App Service Not Always On
Description
Azure App Service has a built-in mechanism to unload apps that haven't received traffic for some time. This unloading helps optimize resources, especially when multiple apps share a single App Service plan. However, there's a trade-off: once an app is unloaded, the subsequent request can trigger a "cold start," leading to potential performance lags and request timeouts.
For applications that rely on continuous WebJobs or WebJobs triggered with a CRON expression, having the "Always On" feature enabled is critical, as it ensures the app remains loaded and ready to start without any cold starts.
This policy ensures that the Azure App Service's "Always On" feature is enabled. By enabling "Always On," you ensure better availability and consistent performance, as the service avoids app unloading and its associated cold starts.
Code Example
```hcl
resource "azurerm_linux_web_app" "example" {
  name = "example-app-service"
  # ... other configurations ...
  site_config {
    always_on = true # Ensure the app is always on and ready to handle requests.
    # ... other configurations ...
  }
  # ... other configurations ...
}
```
Remediation
Terraform
Resources:
- azurerm_linux_web_app
- azurerm_windows_web_app
Arguments:
- site_config/[0]/always_on/[0]
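The same check can be run against a rendered plan instead of the HCL source. The Python below is an added example, not Checkov's or this rule's own code: it walks Terraform plan JSON, where the argument appears as `site_config[0].always_on`, and reports the two resource types listed above. The function names and the sample plan are constructed for illustration, and treating a missing or null value as a finding is this example's choice.

```python
import json

# Resource types this policy covers (from the Remediation section above).
WEB_APP_TYPES = {"azurerm_linux_web_app", "azurerm_windows_web_app"}

def iter_resources(module):
    """Yield every resource in a plan module, descending into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def always_on_findings(plan):
    """Return addresses of web apps whose site_config.always_on is not true."""
    root = plan.get("planned_values", {}).get("root_module", {})
    findings = []
    for res in iter_resources(root):
        if res.get("type") not in WEB_APP_TYPES:
            continue
        # Nested blocks appear as lists in plan JSON: site_config[0].always_on
        blocks = (res.get("values") or {}).get("site_config") or [{}]
        # Assumption of this example: anything other than an explicit true
        # (false, null, or absent) is reported.
        if blocks[0].get("always_on") is not True:
            findings.append(res["address"])
    return findings

# Constructed sample plan, trimmed to the fields the check reads.
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {
  "resources": [
    {"address": "azurerm_linux_web_app.api", "type": "azurerm_linux_web_app",
     "values": {"site_config": [{"always_on": true}]}},
    {"address": "azurerm_windows_web_app.jobs", "type": "azurerm_windows_web_app",
     "values": {"site_config": [{"always_on": false}]}},
    {"address": "azurerm_storage_account.logs", "type": "azurerm_storage_account",
     "values": {}}],
  "child_modules": [{"resources": [
    {"address": "module.web.azurerm_linux_web_app.site",
     "type": "azurerm_linux_web_app",
     "values": {"site_config": [{}]}}]}]
}}}
""")

if __name__ == "__main__":
    for address in always_on_findings(SAMPLE_PLAN):
        print(f"always_on not enabled: {address}")
```

Real input for `always_on_findings` comes from `terraform show -json` run on a saved plan file.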
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0721 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform |
| Checkov ID | CKV_AZURE_214 |