Environment variables and app settings in Azure App Service
Note
Starting June 1, 2024, all newly created App Service apps will have the option to generate a unique default hostname using the naming convention <app-name>-<random-hash>.<region>.chinacloudsites.cn
. Existing app names will remain unchanged.
Example: myapp-ds27dh7271aah175.westus-01.chinacloudsites.cn
In Azure App Service, certain settings are available to the deployment or runtime environment as environment variables. Some of these settings can be customized when you set them manually as app settings. This reference shows the variables you can use or customize.
App environment
The following environment variables are related to the app environment in general.
Setting name | Description | Example |
---|---|---|
WEBSITE_SITE_NAME |
Read-only. App name. | |
WEBSITE_RESOURCE_GROUP |
Read-only. Azure resource group name that contains the app resource. | |
WEBSITE_OWNER_NAME |
Read-only. Contains the Azure subscription ID that owns the app, the resource group, and the webspace. | |
REGION_NAME |
Read-only. Region name of the app. | |
WEBSITE_PLATFORM_VERSION |
Read-only. App Service platform version. | |
HOME |
Read-only. Path to the home directory (for example, D:\home for Windows). |
|
SERVER_PORT |
Read-only. The port the app should listen to. | |
WEBSITE_WARMUP_PATH |
A relative path to ping to warm up the app, beginning with a slash. The default is / , which pings the root path. The specific path can be pinged by an unauthenticated client, such as Azure Traffic Manager, even if App Service authentication is set to reject unauthenticated clients. (NOTE: This app setting doesn't change the path used by AlwaysOn.) |
|
WEBSITE_COMPUTE_MODE |
Read-only. Specifies whether app runs on dedicated (Dedicated ) or shared (Shared ) VM/s. |
|
WEBSITE_SKU |
Read-only. SKU of the app. Possible values are Free , Shared , Basic , and Standard . |
|
SITE_BITNESS |
Read-only. Shows whether the app is 32-bit (x86 ) or 64-bit (AMD64 ). |
|
WEBSITE_HOSTNAME |
Read-only. Primary hostname for the app. Custom hostnames aren't accounted for here. | |
WEBSITE_VOLUME_TYPE |
Read-only. Shows the storage volume type currently in use. | |
WEBSITE_NPM_DEFAULT_VERSION |
Default npm version the app is using. | |
WEBSOCKET_CONCURRENT_REQUEST_LIMIT |
Read-only. Limit for websocket's concurrent requests. For Standard tier and above, the value is -1 , but there's still a per VM limit based on your VM size (see Cross VM Numerical Limits). |
|
WEBSITE_PRIVATE_EXTENSIONS |
Set to 0 to disable the use of private site extensions. |
|
WEBSITE_TIME_ZONE |
By default, the time zone for the app is always UTC. You can change it to any of the valid values that are listed in Default Time Zones. If the specified value isn't recognized, UTC is used. | Atlantic Standard Time |
WEBSITE_ADD_SITENAME_BINDINGS_IN_APPHOST_CONFIG |
After slot swaps, the app may experience unexpected restarts. This is because after a swap, the hostname binding configuration goes out of sync, which by itself doesn't cause restarts. However, certain underlying storage events (such as storage volume failovers) may detect these discrepancies and force all worker processes to restart. To minimize these types of restarts, set the app setting value to 1 on all slots (default is0 ). However, don't set this value if you're running a Windows Communication Foundation (WCF) application. For more information, see Troubleshoot swaps |
|
WEBSITE_PROACTIVE_AUTOHEAL_ENABLED |
By default, a VM instance is proactively "autohealed" when it's using more than 90% of allocated memory for more than 30 seconds, or when 80% of the total requests in the last two minutes take longer than 200 seconds. If a VM instance has triggered one of these rules, the recovery process is an overlapping restart of the instance. Set to false to disable this recovery behavior. The default is true . For more information, see Proactive Auto Heal. |
|
WEBSITE_PROACTIVE_CRASHMONITORING_ENABLED |
Whenever the w3wp.exe process on a VM instance of your app crashes due to an unhandled exception for more than three times in 24 hours, a debugger process is attached to the main worker process on that instance, and collects a memory dump when the worker process crashes again. This memory dump is then analyzed and the call stack of the thread that caused the crash is logged in your App Service's logs. Set to false to disable this automatic monitoring behavior. The default is true . For more information, see Proactive Crash Monitoring. |
|
WEBSITE_DAAS_STORAGE_SASURI |
During crash monitoring (proactive or manual), the memory dumps are deleted by default. To save the memory dumps to a storage blob container, specify the SAS URI. | |
WEBSITE_CRASHMONITORING_ENABLED |
Set to true to enable crash monitoring manually. You must also set WEBSITE_DAAS_STORAGE_SASURI and WEBSITE_CRASHMONITORING_SETTINGS . The default is false . This setting has no effect if remote debugging is enabled. Also, if this setting is set to true , proactive crash monitoring is disabled. |
|
WEBSITE_CRASHMONITORING_SETTINGS |
A JSON with the following format:{"StartTimeUtc": "2020-02-10T08:21","MaxHours": "<elapsed-hours-from-StartTimeUtc>","MaxDumpCount": "<max-number-of-crash-dumps>"} . Required to configure crash monitoring if WEBSITE_CRASHMONITORING_ENABLED is specified. To only log the call stack without saving the crash dump in the storage account, add ,"UseStorageAccount":"false" in the JSON. |
|
REMOTEDEBUGGINGVERSION |
Remote debugging version. | |
WEBSITE_CONTENTAZUREFILECONNECTIONSTRING |
By default, App Service creates a shared storage for you at app creation. To use a custom storage account instead, set to the connection string of your storage account. For functions, see App settings reference for Functions. | DefaultEndpointsProtocol=https;AccountName=<name>;AccountKey=<key> |
WEBSITE_CONTENTSHARE |
When you use specify a custom storage account with WEBSITE_CONTENTAZUREFILECONNECTIONSTRING , App Service creates a file share in that storage account for your app. To use a custom name, set this variable to the name you want. If a file share with the specified name doesn't exist, App Service creates it for you. |
myapp123 |
WEBSITE_SCM_ALWAYS_ON_ENABLED |
Read-only. Shows whether Always On is enabled (1 ) or not (0 ). |
|
WEBSITE_SCM_SEPARATE_STATUS |
Read-only. Shows whether the Kudu app is running in a separate process (1 ) or not (0 ). |
|
WEBSITE_DNS_ATTEMPTS |
Number of times to try name resolve. | |
WEBSITE_DNS_TIMEOUT |
Number of seconds to wait for name resolve |
Variable prefixes
The following table shows environment variable prefixes that App Service uses for various purposes.
Setting name | Description |
---|---|
APPSETTING_ |
Signifies that a variable is set by the customer as an app setting in the app configuration. It's injected into a .NET app as an app setting. |
MAINSITE_ |
Signifies a variable is specific to the app itself. |
SCMSITE_ |
Signifies a variable is specific to the Kudu app. |
SQLCONNSTR_ |
Signifies a SQL Server connection string in the app configuration. It's injected into a .NET app as a connection string. |
SQLAZURECONNSTR_ |
Signifies an Azure SQL Database connection string in the app configuration. It's injected into a .NET app as a connection string. |
POSTGRESQLCONNSTR_ |
Signifies a PostgreSQL connection string in the app configuration. It's injected into a .NET app as a connection string. |
CUSTOMCONNSTR_ |
Signifies a custom connection string in the app configuration. It's injected into a .NET app as a connection string. |
MYSQLCONNSTR_ |
Signifies a MySQL Database connection string in the app configuration. It's injected into a .NET app as a connection string. |
AZUREFILESSTORAGE_ |
A connection string to a custom share for a custom container in Azure Files. |
AZUREBLOBSTORAGE_ |
A connection string to a custom storage account for a custom container in Azure Blob Storage. |
NOTIFICATIONHUBCONNSTR_ |
Signifies a connection string to a notification hub in Azure Notification Hubs. |
SERVICEBUSCONNSTR_ |
Signifies a connection string to an instance of Azure Service Bus. |
EVENTHUBCONNSTR_ |
Signifies a connection string to an event hub in Azure Event Hubs. |
DOCDBCONNSTR_ |
Signifies a connection string to a database in Azure Cosmos DB. |
REDISCACHECONNSTR_ |
Signifies a connection string to a cache in Azure Cache for Redis. |
FILESHARESTORAGE_ |
Signifies a connection string to a custom file share. |
Deployment
The following environment variables are related to app deployment. For variables related to App Service build automation, see Build automation.
Setting name | Description |
---|---|
DEPLOYMENT_BRANCH |
For local Git or cloud Git deployment (such as GitHub), set to the branch in Azure you want to deploy to. By default, it's master . |
WEBSITE_RUN_FROM_PACKAGE |
Set to 1 to run the app from a local ZIP package, or set to the URL of an external URL to run the app from a remote ZIP package. For more information, see Run your app in Azure App Service directly from a ZIP package. |
WEBSITE_USE_ZIP |
Deprecated. Use WEBSITE_RUN_FROM_PACKAGE . |
WEBSITE_RUN_FROM_ZIP |
Deprecated. Use WEBSITE_RUN_FROM_PACKAGE . |
SCM_MAX_ZIP_PACKAGE_COUNT |
Your app keeps 5 of the most recent zip files deployed using zip deploy. You can keep more or less by setting the app setting to a different number. |
WEBSITE_WEBDEPLOY_USE_SCM |
Set to false for WebDeploy to stop using the Kudu deployment engine. The default is true . To deploy to Linux apps using Visual Studio (WebDeploy/MSDeploy), set it to false . |
MSDEPLOY_RENAME_LOCKED_FILES |
Set to 1 to attempt to rename DLLs if they can't be copied during a WebDeploy deployment. This setting isn't applicable if WEBSITE_WEBDEPLOY_USE_SCM is set to false . |
WEBSITE_DISABLE_SCM_SEPARATION |
By default, the main app and the Kudu app run in different sandboxes. When you stop the app, the Kudu app is still running, and you can continue to use Git deploy and MSDeploy. Each app has its own local files. Turning off this separation (setting to true ) is a legacy mode that's no longer fully supported. |
WEBSITE_ENABLE_SYNC_UPDATE_SITE |
Set to 1 ensure that REST API calls to update site and siteconfig are completely applied to all instances before returning. The default is 1 if deploying with an ARM template, to avoid race conditions with subsequent ARM calls. |
WEBSITE_START_SCM_ON_SITE_CREATION |
In an ARM template deployment, set to 1 in the ARM template to pre-start the Kudu app as part of app creation. |
WEBSITE_START_SCM_WITH_PRELOAD |
For Linux apps, set to true to force preloading the Kudu app when Always On is enabled by pinging its URL. The default is false . For Windows apps, the Kudu app is always preloaded. |
Build automation
Kudu build configuration applies to native Windows apps and is used to control the behavior of Git-based (or ZIP-based) deployments.
Setting name | Description | Example |
---|---|---|
SCM_BUILD_ARGS |
Add things at the end of the msbuild command line, such that it overrides any previous parts of the default command line. | To do a clean build: -t:Clean;Compile |
SCM_SCRIPT_GENERATOR_ARGS |
Kudu uses the azure site deploymentscript command described here to generate a deployment script. It automatically detects the language framework type and determines the parameters to pass to the command. This setting overrides the automatically generated parameters. |
To treat your repository as plain content files: --basic -p <folder-to-deploy> |
SCM_TRACE_LEVEL |
Build trace level. The default is 1 . Set to higher values, up to 4, for more tracing. |
4 |
SCM_COMMAND_IDLE_TIMEOUT |
Time out in seconds for each command that the build process launches to wait before without producing any output. After that, the command is considered idle and killed. The default is 60 (one minute). In Azure, there's also a general idle request timeout that disconnects clients after 230 seconds. However, the command will still continue running server-side after that. |
|
SCM_LOGSTREAM_TIMEOUT |
Time-out of inactivity in seconds before stopping log streaming. The default is 1800 (30 minutes). |
|
SCM_SITEEXTENSIONS_FEED_URL |
URL of the site extensions gallery. The default is https://www.nuget.org/api/v2/ . The URL of the old feed is http://www.siteextensions.net/api/v2/ . |
|
SCM_USE_LIBGIT2SHARP_REPOSITORY |
Set to 0 to use git.exe instead of libgit2sharp for git operations. |
|
WEBSITE_LOAD_USER_PROFILE |
In case of the error The specified user does not have a valid profile. during ASP.NET build automation (such as during Git deployment), set this variable to 1 to load a full user profile in the build environment. This setting is only applicable when WEBSITE_COMPUTE_MODE is Dedicated . |
|
WEBSITE_SCM_IDLE_TIMEOUT_IN_MINUTES |
Time out in minutes for the SCM (Kudu) site. The default is 20 . |
|
SCM_DO_BUILD_DURING_DEPLOYMENT |
With ZIP deploy, the deployment engine assumes that a ZIP file is ready to run as-is and doesn't run any build automation. To enable the same build automation as in Git deploy, set to true . |
Language-specific settings
This section shows the configurable runtime settings for each supported language framework. Additional settings are available during build automation at deployment time.
Setting name | Description |
---|---|
PORT |
Read-only. For Linux apps, port that the .NET runtime listens to in the container. |
WEBSITE_ROLE_INSTANCE_ID |
Read-only. ID of the current instance. |
HOME |
Read-only. Directory that points to shared storage (/home ). |
DUMP_DIR |
Read-only. Directory for the crash dumps (/home/logs/dumps ). |
APP_SVC_RUN_FROM_COPY |
Linux apps only. By default, the app is run from /home/site/wwwroot , a shared directory for all scaled-out instances. Set this variable to true to copy the app to a local directory in your container and run it from there. When using this option, be sure not to hard-code any reference to /home/site/wwwroot . Instead, use a path relative to /home/site/wwwroot . |
MACHINEKEY_Decryption |
For Windows native apps or Windows containerized apps, this variable is injected into app environment or container to enable ASP.NET cryptographic routines (see machineKey Element. To override the default decryption value, configure it as an App Service app setting, or set it directly in the machineKey element of the Web.config file. |
MACHINEKEY_DecryptionKey |
For Windows native apps or Windows containerized apps, this variable is injected into the app environment or container to enable ASP.NET cryptographic routines (see machineKey Element. To override the automatically generated decryptionKey value, configure it as an App Service app setting, or set it directly in the machineKey element of the Web.config file. |
MACHINEKEY_Validation |
For Windows native apps or Windows containerized apps, this variable is injected into the app environment or container to enable ASP.NET cryptographic routines (see machineKey Element. To override the default validation value, configure it as an App Service app setting, or set it directly in the machineKey element of the Web.config file. |
MACHINEKEY_ValidationKey |
For Windows native apps or Windows containerized apps, this variable is injected into the app environment or container to enable ASP.NET cryptographic routines (see machineKey Element. To override the automatically generated validationKey value, configure it as an App Service app setting, or set it directly in the machineKey element of the Web.config file. |
Domain and DNS
Setting name | Description | Example |
---|---|---|
WEBSITE_DNS_SERVER |
IP address of primary DNS server for outgoing connections (such as to a back-end service). The default DNS server for App Service is Azure DNS, whose IP address is 168.63.129.16 . If your app uses VNet integration or is in an App Service environment, it inherits the DNS server configuration from the VNet by default. |
10.0.0.1 |
WEBSITE_DNS_ALT_SERVER |
IP address of fallback DNS server for outgoing connections. See WEBSITE_DNS_SERVER . |
|
WEBSITE_ENABLE_DNS_CACHE |
Allows successful DNS resolutions to be cached. By Default expired DNS cache entries will be flushed & in addition to the existing cache to be flushed every 4.5 mins. |
TLS/SSL
For more information, see Use a TLS/SSL certificate in your code in Azure App Service.
Setting name | Description |
---|---|
WEBSITE_LOAD_CERTIFICATES |
Comma-separate thumbprint values to the certificate you want to load in your code, or * to allow all certificates to be loaded in code. Only certificates added to your app can be loaded. |
WEBSITE_PRIVATE_CERTS_PATH |
Read-only. Path in a Windows container to the loaded private certificates. |
WEBSITE_PUBLIC_CERTS_PATH |
Read-only. Path in a Windows container to the loaded public certificates. |
WEBSITE_INTERMEDIATE_CERTS_PATH |
Read-only. Path in a Windows container to the loaded intermediate certificates. |
WEBSITE_ROOT_CERTS_PATH |
Read-only. Path in a Windows container to the loaded root certificates. |
Deployment slots
For more information on deployment slots, see Set up staging environments in Azure App Service.
Setting name | Description | Example |
---|---|---|
WEBSITE_OVERRIDE_STICKY_EXTENSION_VERSIONS |
By default, the versions for site extensions are specific to each slot. This prevents unanticipated application behavior due to changing extension versions after a swap. If you want the extension versions to swap as well, set to 0 on all slots. |
|
WEBSITE_OVERRIDE_PRESERVE_DEFAULT_STICKY_SLOT_SETTINGS |
Designates certain settings as sticky or not swappable by default. Default is true . Set this setting to false or 0 for all deployment slots to make them swappable instead. There's no fine-grain control for specific setting types. |
|
WEBSITE_SWAP_WARMUP_PING_PATH |
Path to ping to warm up the target slot in a swap, beginning with a slash. The default is / , which pings the root path over HTTP. |
/statuscheck |
WEBSITE_SWAP_WARMUP_PING_STATUSES |
Valid HTTP response codes for the warm-up operation during a swap. If the returned status code isn't in the list, the warmup and swap operations are stopped. By default, all response codes are valid. | 200,202 |
WEBSITE_SLOT_NUMBER_OF_TIMEOUTS_BEFORE_RESTART |
During a slot swap, maximum number of timeouts after which we force restart the site on a specific VM instance. The default is 3 . |
|
WEBSITE_SLOT_MAX_NUMBER_OF_TIMEOUTS |
During a slot swap, maximum number of timeout requests for a single URL to make before giving up. The default is 5 . |
|
WEBSITE_SKIP_ALL_BINDINGS_IN_APPHOST_CONFIG |
Set to true or 1 to skip all bindings in applicationHost.config . The default is false . If your app triggers a restart because applicationHost.config is updated with the swapped hostnames of th slots, set this variable to true to avoid a restart of this kind. If you're running a Windows Communication Foundation (WCF) app, don't set this variable. |
Custom containers
For more information on custom containers, see Run a custom container in Azure.
Setting name | Description | Example |
---|---|---|
WEBSITES_ENABLE_APP_SERVICE_STORAGE |
For Linux custom containers: set to true to enable the /home directory to be shared across scaled instances. The default is false for Linux custom containers.For Windows containers: set to true to enable the c:\home directory to be shared across scaled instances. The default is true for Windows containers. |
|
WEBSITES_CONTAINER_START_TIME_LIMIT |
Amount of time in seconds to wait for the container to complete start-up before restarting the container. Default is 230 . You can increase it up to the maximum of 1800 . |
|
WEBSITES_CONTAINER_STOP_TIME_LIMIT |
Amount of time in seconds to wait for the container to terminate gracefully. Default is 5 . You can increase to a maximum of 120 |
|
DOCKER_REGISTRY_SERVER_URL |
URL of the registry server, when running a custom container in App Service. For security, this variable isn't passed on to the container. | https://<server-name>.azurecr.cn |
DOCKER_REGISTRY_SERVER_USERNAME |
Username to authenticate with the registry server at DOCKER_REGISTRY_SERVER_URL . For security, this variable isn't passed on to the container. |
|
DOCKER_REGISTRY_SERVER_PASSWORD |
Password to authenticate with the registry server at DOCKER_REGISTRY_SERVER_URL . For security, this variable isn't passed on to the container. |
|
DOCKER_ENABLE_CI |
Set to true to enable the continuous deployment for custom containers. The default is false for custom containers. |
|
WEBSITE_PULL_IMAGE_OVER_VNET |
Connect and pull from a registry inside a Virtual Network or on-premises. Your app will need to be connected to a Virtual Network using VNet integration feature. This setting is also needed for Azure Container Registry with Private Endpoint. | |
WEBSITES_WEB_CONTAINER_NAME |
In a Docker Compose app, only one of the containers can be internet accessible. Set to the name of the container defined in the configuration file to override the default container selection. By default, the internet accessible container is the first container to define port 80 or 8080, or, when no such container is found, the first container defined in the configuration file. | |
WEBSITES_PORT |
For a custom container, the custom port number on the container for App Service to route requests to. By default, App Service attempts automatic port detection of ports 80 and 8080. This setting isn't injected into the container as an environment variable. | |
WEBSITE_CPU_CORES_LIMIT |
By default, a Windows container runs with all available cores for your chosen pricing tier. To reduce the number of cores, set to the number of desired cores limit. For more information, see Customize the number of compute cores. | |
WEBSITE_MEMORY_LIMIT_MB |
By default all Windows Containers deployed in Azure App Service have a memory limit configured depending on the App Service Plan SKU. Set to the desired memory limit in MB. The cumulative total of this setting across apps in the same plan must not exceed the amount allowed by the chosen pricing tier. For more information, see Customize container memory. |
Scaling
Setting name | Description |
---|---|
WEBSITE_INSTANCE_ID |
Read-only. Unique ID of the current VM instance, when the app is scaled out to multiple instances. |
WEBSITE_IIS_SITE_NAME |
Deprecated. Use WEBSITE_INSTANCE_ID . |
WEBSITE_DISABLE_OVERLAPPED_RECYCLING |
Overlapped recycling makes it so that before the current VM instance of an app is shut down, a new VM instance starts. In some cases, it can cause file locking issues. You can try turning it off by setting to 1 . |
WEBSITE_DISABLE_CROSS_STAMP_SCALE |
By default, apps are allowed to scale across stamps if they use Azure Files or a Docker container. Set to 1 or true to disable cross-stamp scaling within the app's region. The default is 0 . Custom Docker containers that set WEBSITES_ENABLE_APP_SERVICE_STORAGE to true or 1 can't scale cross-stamps because their content isn't completely encapsulated in the Docker container. |
Logging
Setting name | Description | Example |
---|---|---|
WEBSITE_HTTPLOGGING_ENABLED |
Read-only. Shows whether the web server logging for Windows native apps is enabled (1 ) or not (0 ). |
|
WEBSITE_HTTPLOGGING_RETENTION_DAYS |
Retention period in days of web server logs, if web server logs are enabled for a Windows native or Linux app. | 10 |
WEBSITE_HTTPLOGGING_CONTAINER_URL |
SAS URL of the blob storage container to store web server logs for Windows native apps, if web server logs are enabled. If not set, web server logs are stored in the app's file system (default shared storage). | |
DIAGNOSTICS_AZUREBLOBRETENTIONINDAYS |
Retention period in days of application logs for Windows native apps, if application logs are enabled. | 10 |
DIAGNOSTICS_AZUREBLOBCONTAINERSASURL |
SAS URL of the blob storage container to store application logs for Windows native apps, if application logs are enabled. | |
APPSERVICEAPPLOGS_TRACE_LEVEL |
Minimum log level to ship to Log Analytics for the AppServiceAppLogs log type. | |
DIAGNOSTICS_LASTRESORTFILE |
The filename to create, or a relative path to the log directory, for logging internal errors for troubleshooting the listener. The default is logging-errors.txt . |
|
DIAGNOSTICS_LOGGINGSETTINGSFILE |
Path to the log settings file, relative to D:\home or /home . The default is site\diagnostics\settings.json . |
|
DIAGNOSTICS_TEXTTRACELOGDIRECTORY |
The log folder, relative to the app root (D:\home\site\wwwroot or /home/site/wwwroot ). |
..\..\LogFiles\Application |
DIAGNOSTICS_TEXTTRACEMAXLOGFILESIZEBYTES |
Maximum size of the log file in bytes. The default is 131072 (128 KB). |
|
DIAGNOSTICS_TEXTTRACEMAXLOGFOLDERSIZEBYTES |
Maximum size of the log folder in bytes. The default is 1048576 (1 MB). |
|
DIAGNOSTICS_TEXTTRACEMAXNUMLOGFILES |
Maximum number of log files to keep. The default is 20 . |
|
DIAGNOSTICS_TEXTTRACETURNOFFPERIOD |
Time out in milliseconds to keep application logging enabled. The default is 43200000 (12 hours). |
|
WEBSITE_LOG_BUFFERING |
By default, log buffering is enabled. Set to 0 to disable it. |
|
WEBSITE_ENABLE_PERF_MODE |
For native Windows apps, set to TRUE to turn off IIS log entries for successful requests returned within 10 seconds. This is a quick way to do performance benchmarking by removing extended logging. |
Performance counters
The following are 'fake' environment variables that don't exist if you enumerate them, but return their value if you look them up individually. The value is dynamic and can change on every lookup.
Setting name | Description |
---|---|
WEBSITE_COUNTERS_ASPNET |
A JSON object containing the ASP.NET perf counters. |
WEBSITE_COUNTERS_APP |
A JSON object containing sandbox counters. |
WEBSITE_COUNTERS_CLR |
A JSON object containing CLR counters. |
WEBSITE_COUNTERS_ALL |
A JSON object containing the combination of the other three variables. |
Caching
Setting name | Description |
---|---|
WEBSITE_LOCAL_CACHE_OPTION |
Whether local cache is enabled. Available options are: - Default : Inherit the stamp-level global setting.- Always : Enable for the app.- OnStorageUnavailability - Disabled : Disabled for the app. |
WEBSITE_LOCAL_CACHE_READWRITE_OPTION |
Read-write options of the local cache. Available options are: - ReadOnly : Cache is read-only.- WriteButDiscardChanges : Allow writes to local cache but discard changes made locally. |
WEBSITE_LOCAL_CACHE_SIZEINMB |
Size of the local cache in MB. Default is 1000 (1 GB). |
WEBSITE_LOCALCACHE_READY |
Read-only flag indicating if the app using local cache. |
WEBSITE_DYNAMIC_CACHE |
Due to network file shared nature to allow access for multiple instances, the dynamic cache improves performance by caching the recently accessed files locally on an instance. Cache is invalidated when file is modified. The cache location is %SYSTEMDRIVE%\local\DynamicCache (same %SYSTEMDRIVE%\local quota is applied). To enable full content caching, set to 1 , which includes both file content and directory/file metadata (timestamps, size, directory content). To conserve local disk use, set to 2 to cache only directory/file metadata (timestamps, size, directory content). |
WEBSITE_READONLY_APP |
When using dynamic cache, you can disable write access to the app root (D:\home\site\wwwroot or /home/site/wwwroot ) by setting this variable to 1 . Except for the App_Data directory, no exclusive locks are allowed, so that deployments don't get blocked by locked files. |
Networking
The following environment variables are related to hybrid connections and VNET integration.
Setting name | Description |
---|---|
WEBSITE_RELAYS |
Read-only. Data needed to configure the Hybrid Connection, including endpoints and service bus data. |
WEBSITE_REWRITE_TABLE |
Read-only. Used at runtime to do the lookups and rewrite connections appropriately. |
WEBSITE_VNET_ROUTE_ALL |
By default, if you use regional VNet Integration, your app only routes RFC1918 traffic into your VNet. Set to 1 to route all outbound traffic into your VNet and be subject to the same NSGs and UDRs. The setting lets you access non-RFC1918 endpoints through your VNet, secure all outbound traffic leaving your app, and force tunnel all outbound traffic to a network appliance of your own choosing. |
WEBSITE_PRIVATE_IP |
Read-only. IP address associated with the app when integrated with a VNet. For Regional VNet Integration, the value is an IP from the address range of the delegated subnet, and for Gateway-required VNet Integration, the value is an IP from the address range of the point-to-site address pool configured on the Virtual Network Gateway. This IP is used by the app to connect to the resources through the VNet. Also, it can change within the described address range. |
WEBSITE_PRIVATE_PORTS |
Read-only. In VNet integration, shows which ports are useable by the app to communicate with other nodes. |
WEBSITE_CONTENTOVERVNET |
If you are mounting an Azure File Share on the App Service and the Storage account is restricted to a VNET, ensure to enable this setting with a value of 1 . |
Key vault references
The following environment variables are related to key vault references.
Setting name | Description |
---|---|
WEBSITE_KEYVAULT_REFERENCES |
Read-only. Contains information (including statuses) for all Key Vault references that are currently configured in the app. |
WEBSITE_SKIP_CONTENTSHARE_VALIDATION |
If you set the shared storage connection of your app (using WEBSITE_CONTENTAZUREFILECONNECTIONSTRING ) to a Key Vault reference, the app can't resolve the key vault reference at app creation or update if one of the following conditions is true: - The app accesses the key vault with a system-assigned identity. - The app accesses the key vault with a user-assigned identity, and the key vault is locked with a VNet. To avoid errors at create or update time, set this variable to 1 . |
WEBSITE_DELAY_CERT_DELETION |
This env var can be set to 1 by users in order to ensure that a certificate that a worker process is dependent upon isn't deleted until it exits. |
CORS
The following environment variables are related to Cross-Origin Resource Sharing (CORS) configuration.
Setting name | Description |
---|---|
WEBSITE_CORS_ALLOWED_ORIGINS |
Read-only. Shows the allowed origins for CORS. |
WEBSITE_CORS_SUPPORT_CREDENTIALS |
Read-only. Shows whether setting the Access-Control-Allow-Credentials header to true is enabled (True ) or not (False ). |
Authentication & Authorization
The following environment variables are related to App Service authentication.
Setting name | Description |
---|---|
WEBSITE_AUTH_DISABLE_IDENTITY_FLOW |
When set to true , disables assigning the thread principal identity in ASP.NET-based web applications (including v1 Function Apps). This is designed to allow developers to protect access to their site with auth, but still have it use a separate sign-in mechanism within their app logic. The default is false . |
WEBSITE_AUTH_HIDE_DEPRECATED_SID |
true or false . The default value is false . This is a setting for the legacy Azure Mobile Apps integration for Azure App Service. Setting this to true resolves an issue where the SID (security ID) generated for authenticated users might change if the user changes their profile information. Changing this value may result in existing Azure Mobile Apps user IDs changing. Most apps don't need to use this setting. |
WEBSITE_AUTH_NONCE_DURATION |
A timespan value in the form _hours_:_minutes_:_seconds_ . The default value is 00:05:00 , or 5 minutes. This setting controls the lifetime of the cryptographic nonce generated for all browser-driven logins. If a sign-in fails to complete in the specified time, the sign-in flow will be retried automatically. This application setting is intended for use with the V1 (classic) configuration experience. If using the V2 authentication configuration schema, you should instead use the login.nonce.nonceExpirationInterval configuration value. |
WEBSITE_AUTH_PRESERVE_URL_FRAGMENT |
When set to true and users select on app links that contain URL fragments, the sign-in process will ensure that the URL fragment part of your URL doesn't get lost in the sign-in redirect process. |
WEBSITE_AUTH_USE_LEGACY_CLAIMS |
To maintain backward compatibility across upgrades, the authentication module uses the legacy claims mapping of short to long names in the /.auth/me API, so certain mappings are excluded (e.g. "roles"). To get the more modern version of the claims mappings, set this variable to False . In the "roles" example, it would be mapped to the long claim name "http://schemas.microsoft.com/ws/2008/06/identity/claims/role". |
WEBSITE_AUTH_DISABLE_WWWAUTHENTICATE |
true or false . The default value is false . When set to true , removes the WWW-Authenticate HTTP response header from module-generated HTTP 401 responses. This application setting is intended for use with the V1 (classic) configuration experience. If using the V2 authentication configuration schema, you should instead use the identityProviders.azureActiveDirectory.login.disableWwwAuthenticate configuration value. |
WEBSITE_AUTH_STATE_DIRECTORY |
A local file system directory path where tokens are stored when the file-based token store is enabled. The default value is %HOME%\Data\.auth . This application setting is intended for use with the V1 (classic) configuration experience. If using the V2 authentication configuration schema, you should instead use the login.tokenStore.fileSystem.directory configuration value. |
WEBSITE_AUTH_TOKEN_CONTAINER_SASURL |
A fully qualified blob container URL. Instructs the auth module to store and load all encrypted tokens to the specified blob storage container instead of using the default local file system. |
WEBSITE_AUTH_TOKEN_REFRESH_HOURS |
Any positive decimal number. The default value is 72 (hours). This setting controls the amount of time after a session token expires that the /.auth/refresh API can be used to refresh it. Refresh attempts after this period will fail and end users will be required to sign-in again. This application setting is intended for use with the V1 (classic) configuration experience. If using the V2 authentication configuration schema, you should instead use the login.tokenStore.tokenRefreshExtensionHours configuration value. |
WEBSITE_AUTH_TRACE_LEVEL |
Controls the verbosity of authentication traces written to Application Logging. Valid values are Off , Error , Warning , Information , and Verbose . The default value is Verbose . |
WEBSITE_AUTH_VALIDATE_NONCE |
true or false . The default value is true . This value should never be set to false except when temporarily debugging cryptographic nonce validation failures that occur during interactive logins. This application setting is intended for use with the V1 (classic) configuration experience. If using the V2 authentication configuration schema, you should instead use the login.nonce.validateNonce configuration value. |
WEBSITE_AUTH_V2_CONFIG_JSON |
This environment variable is populated automatically by the Azure App Service platform and is used to configure the integrated authentication module. The value of this environment variable corresponds to the V2 (non-classic) authentication configuration for the current app in Azure Resource Manager. It's not intended to be configured explicitly. |
WEBSITE_AUTH_ENABLED |
Read-only. Injected into a Windows or Linux app to indicate whether App Service authentication is enabled. |
WEBSITE_AUTH_ENCRYPTION_KEY |
By default, the automatically generated key is used as the encryption key. To override, set to a desired key. This is recommended if you want to share tokens or sessions across multiple apps. If specified, it supersedes the MACHINEKEY_DecryptionKey setting. |
WEBSITE_AUTH_SIGNING_KEY |
By default, the automatically generated key is used as the signing key. To override, set to a desired key. This is recommended if you want to share tokens or sessions across multiple apps. If specified, it supersedes the MACHINEKEY_ValidationKey setting. |
Managed identity
The following environment variables are related to managed identities.
Setting name | Description |
---|---|
IDENTITY_ENDPOINT |
Read-only. The URL to retrieve the token for the app's managed identity. |
MSI_ENDPOINT |
Deprecated. Use IDENTITY_ENDPOINT . |
IDENTITY_HEADER |
Read-only. Value that must be added to the X-IDENTITY-HEADER header when making an HTTP GET request to IDENTITY_ENDPOINT . The value is rotated by the platform. |
MSI_SECRET |
Deprecated. Use IDENTITY_HEADER . |
Health check
The following environment variables are related to health checks.
Setting name | Description |
---|---|
WEBSITE_HEALTHCHECK_MAXPINGFAILURES |
The maximum number of failed pings before removing the instance. Set to a value between 2 and 100 . When you're scaling up or out, App Service pings the Health check path to ensure new instances are ready. For more information, see Health check. |
WEBSITE_HEALTHCHECK_MAXUNHEALTHYWORKERPERCENT |
To avoid overwhelming healthy instances, no more than half of the instances will be excluded. For example, if an App Service Plan is scaled to four instances and three are unhealthy, at most two will be excluded. The other two instances (one healthy and one unhealthy) will continue to receive requests. In the worst-case scenario where all instances are unhealthy, none will be excluded. To override this behavior, set to a value between 1 and 100 . A higher value means more unhealthy instances will be removed. The default is 50 (50%). |
Push notifications
The following environment variables are related to the push notifications feature.
Setting name | Description |
---|---|
WEBSITE_PUSH_ENABLED |
Read-only. Added when push notifications are enabled. |
WEBSITE_PUSH_TAG_WHITELIST |
Read-only. Contains the tags in the notification registration. |
WEBSITE_PUSH_TAGS_REQUIRING_AUTH |
Read-only. Contains a list of tags in the notification registration that requires user authentication. |
WEBSITE_PUSH_TAGS_DYNAMIC |
Read-only. Contains a list of tags in the notification registration that were added automatically. |
Note
This article contains references to a term that Microsoft no longer uses. When the term is removed from the software, we'll remove it from this article.
Webjobs
The following environment variables are related to WebJobs.
Setting name | Description |
---|---|
WEBJOBS_RESTART_TIME |
For continuous jobs, delay in seconds when a job's process goes down for any reason before relaunching it. |
WEBJOBS_IDLE_TIMEOUT |
For triggered jobs, timeout in seconds, after which the job is aborted if it's in idle, has no CPU time or output. |
WEBJOBS_HISTORY_SIZE |
For triggered jobs, maximum number of runs kept in the history directory per job. The default is 50 . |
WEBJOBS_STOPPED |
Set to 1 to disable running any job, and stop all currently running jobs. |
WEBJOBS_DISABLE_SCHEDULE |
Set to 1 to turn off all scheduled triggering. Jobs can still be manually invoked. |
WEBJOBS_ROOT_PATH |
Absolute or relative path of webjob files. For a relative path, the value is combined with the default root path (D:/home/site/wwwroot/ or /home/site/wwwroot/ ). |
WEBJOBS_LOG_TRIGGERED_JOBS_TO_APP_LOGS |
Set to true to send output from triggered WebJobs to the application logs pipeline (which supports file system, blobs, and tables). |
WEBJOBS_SHUTDOWN_FILE |
File that App Service creates when a shutdown request is detected. It's the web job process's responsibility to detect the presence of this file and initiate shutdown. When using the WebJobs SDK, this part is handled automatically. |
WEBJOBS_PATH |
Read-only. Root path of currently running job (will be under some temporary directory). |
WEBJOBS_NAME |
Read-only. Current job name. |
WEBJOBS_TYPE |
Read-only. Current job type (triggered or continuous ). |
WEBJOBS_DATA_PATH |
Read-only. Current job metadata path to contain the job's logs, history, and any artifact of the job. |
WEBJOBS_RUN_ID |
Read-only. For triggered jobs, current run ID of the job. |
Functions
Setting name | Description |
---|---|
WEBSITE_FUNCTIONS_ARMCACHE_ENABLED |
Set to 0 to disable the functions cache. |
WEBSITE_MAX_DYNAMIC_APPLICATION_SCALE_OUT |
App settings reference for Azure Functions |
AzureWebJobsSecretStorageType |
App settings reference for Azure Functions |
FUNCTIONS_EXTENSION_VERSION |
App settings reference for Azure Functions |
FUNCTIONS_WORKER_RUNTIME |
App settings reference for Azure Functions |
AzureWebJobsStorage |
App settings reference for Azure Functions |
WEBSITE_CONTENTAZUREFILECONNECTIONSTRING |
App settings reference for Azure Functions |
WEBSITE_CONTENTSHARE |
App settings reference for Azure Functions |
WEBSITE_CONTENTOVERVNET |
App settings reference for Azure Functions |
WEBSITE_ENABLE_BROTLI_ENCODING |
App settings reference for Azure Functions |
WEBSITE_USE_PLACEHOLDER |
App settings reference for Azure Functions |
WEBSITE_PLACEHOLDER_MODE |
Read-only. Shows whether the function app is running on a placeholder host (generalized ) or its own host (specialized ). |
WEBSITE_DISABLE_ZIP_CACHE |
When your app runs from a ZIP package ( WEBSITE_RUN_FROM_PACKAGE=1 ), the five most recently deployed ZIP packages are cached in the app's file system (D:\home\data\SitePackages). Set this variable to 1 to disable this cache. For Linux consumption apps, the ZIP package cache is disabled by default. |