Devolutions Server deployment to Azure App Service using a container

This guide covers deploying Devolutions Server to Azure App Service using a container, providing a fully managed platform with automatic scaling, built-in TLS, and Azure service integration.

An Azure subscription.
Azure CLI installed: az --version (or use Azure Cloud Shell).
SQL Server administrator access (for database creation).
Devolutions Server container image in registry (Docker Hub or Azure Container Registry).

Navigate to the Azure portal.
Click Create a resource, and search for SQL Database – Create.

In the Basics tab, fill the fields as follows:

Fields	Suggested input
Subscription	Select your subscription.
Resource Group	Create a new group named `rg-dvls-prod`.
Database name	Enter `dvls`.
Server	Click on Create new and fill the fields as follows: Server name: `dvls-sql-server-<unique>`. The server name must be globally unique. Location: select a region. Authentication: enter your SQL authentication. Server admin login: `sqladmin`. Password: choose a strong password. Click on OK.
Workload environment	Select Production.
Compute + storage	Click on Configure database, and fill the fields like so: Service tier: choose Standard. DTUs: SO (10 DTUs) for testing, 20+ DTUs for production. Click on Apply.

Then, for the Networking tab:

Fields	Suggested input
Connectivity method	Select Public endpoint.
Allow Azure services	Choose Yes, as it is required for App service to work.
Add current client IP	Choose Yes, as it is necessary for management purposes.

And the Additional settings tab:

Fields Suggested input

Use existing data Select None.

Collation Choose Default.
Click on Review + create – Create and wait for deployment. This should take about 3-5 minutes.

Fields	Suggested input
Use existing data	Select None.
Collation	Choose Default.

Navigate to your SQL database's Query editor and log in with server administrator credentials.
Run the following SQL query:

-- Create dedicated DVLS user
CREATE LOGIN dvls_user WITH PASSWORD = 'YourSecurePassword123!';

-- Switch to DVLS database
USE dvls;

-- Create user and grant permissions
CREATE USER dvls_user FOR LOGIN dvls_user;
ALTER ROLE db_owner ADD MEMBER dvls_user;

Click Create a resource – App Service Plan – Create.

Fill in the Basics tab as follows:

Fields	Suggested input
Subscription	Select your subscription.
Resource Group	Enter the same as the database's: `rg-dvls-prod`.
Name	Enter `asp-dvls-prod`.
Operating System	Select your desired operating system.
Region	Enter the same region as the one chosen for during SQL database configuration.
Pricing tier	Click Change size, then choose pricing tiers for: Production: POV3 (recommended minimum). Development: B2 (basic tier, lower cost). Once your choice is made, click Apply.

Click Review + create – Create.

Head over to Create a resource – Web App – Create.

In the Basics tab, fill the fields as shown below:

Fields	Suggested input
Subscription	Select your subscription.
Resource Group	Enter `rg-dvls-prod`, as before.
Name	Enter `dvls-prod-<unique>`. It will become `dvls-prod-<unique>.azurewebsites.net`.
Publish	Choose Container.
Operating System	Select your desired operating system.
Region	Enter the same region as for the SQL database and App Service Plan.
Linux Plan	Select `asp-dvls-prod` (created during the App Service Plan's creation).

And the Container tab:

Fields	Suggested input
Image Source	Choose Docker Hub or Azure Container Registry.
Image and tag	Enter `devolutions/devolutions-server:release-20XX.X` (replace the version number with the latest one).
Registry access	Select Public (for Docker Hub).

Click Review + create – Create, and wait 2-3 minutes for deployment.

Navigate to App Service – Configuration – Application settings.

Click New application setting for each variable:

Name	Value	Notes
`DATABASE_HOST`	`dvls-sql-server-<unique>.database.windows.net`	Your SQL Server hostname.
`DATABASE_NAME`	`dvls`	Your database name.
`DATABASE_USERNAME`	`dvls_user`	The dedicated SQL user.
`DATABASE_PASSWORD`	`YourSecurePassword123!`	Use Key Vault reference in production.
`WEB_SCHEME`	`http`	Protocol (App Service handles HTTPS termination).
`PORT`	`5000`	The container's listen port.
`DVLS_TELEMETRY`	`true`	Enable telemetry.
`WEBSITES_PORT`	`5000`	Azure-specific (tells App Service which port to forward).

Click Save, then Continue to confirm restart.

Go to Configuration – Application settings.
Add new setting:
- Name: DVLS_INIT
- Value: true
Click Save – Continue. This restarts the app.
Under Monitoring, navigate to Log stream, and wait 1-2 minutes for initialization to complete.
Enable SSH access temporarily by heading to Development Tools – SSH, and clicking on Go.

Extract the encryption configuration:

cat /opt/devolutions/dvls/App_Data/encryption.config | base64

Copy the base64 output.
Go to Configuration – Application settings – New application setting. Enter DVLS_ENCRYPTION_CONFIG_B64 for the Name field and paste the base64 file's content copied during step #7 in the Value field. Click OK.
Find the DVLS_INIT setting and click Delete.
Click Save, and then Continue.

Go to Configuration – Application settings.
Add new setting:
- Name: DVLS_INIT
- Value: true
Click Save – Continue. This restarts the app.
Under Monitoring, navigate to Log stream, and wait 1-2 minutes for initialization to complete.
Enable SSH access temporarily by heading to Development Tools – SSH, and clicking on Go.

Extract the encryption configuration:

cat /opt/devolutions/dvls/App_Data/encryption.config | base64

Copy the base64 output.
Go to Configuration – Application settings – New application setting. Enter DVLS_ENCRYPTION_CONFIG_B64 for the Name field and paste the base64 file's content copied during step #7 in the Value field. Click OK.
Find the DVLS_INIT setting and click Delete.
Click Save, and then Continue.

Go to Configuration – Application settings.
Add new setting:
- Name: DVLS_INIT
- Value: true
Click Save – Continue. This restarts the app.
Under Monitoring, navigate to Log stream, and wait 1-2 minutes for initialization to complete.
Enable SSH access temporarily by heading to Development Tools – SSH, and clicking on Go.

Extract the encryption configuration:

cat /opt/devolutions/dvls/App_Data/encryption.config | base64

Copy the base64 output.
Go to Configuration – Application settings – New application setting. Enter DVLS_ENCRYPTION_CONFIG_B64 for the Name field and paste the base64 file's content copied during step #7 in the Value field. Click OK.
Find the DVLS_INIT setting and click Delete.
Click Save, and then Continue.

Navigate to Overview – URL.
Click the URL or visit: https://dvls-prod-<unique>.azurewebsites.net
Login with default credentials:
- Username: dvls-admin
- Password: dvls-admin

Immediately after login, change the default password by heading to Administration – Users, clicking on the vertical ellipsis button of the dvls-admin user, and selecting Change password.

Azure CLI is also available for automated or repeatable deployments.

# Login to Azure
az login

# Set subscription
az account set --subscription "Your Subscription Name"

# Verify Azure CLI version (2.50+ recommended)
az --version

# Login to Azure
az login

# Set subscription
az account set --subscription "Your Subscription Name"

# Verify Azure CLI version (2.50+ recommended)
az --version

# Login to Azure
az login

# Set subscription
az account set --subscription "Your Subscription Name"

# Verify Azure CLI version (2.50+ recommended)
az --version

Navigate to App Service – Custom domains – Add custom domain.
Enter your domain: dvls.company.com
Follow DNS configuration instructions:
- CNAME: dvls.company.com → dvls-prod-<unique>.azurewebsites.net.
- Or A record + TXT record for apex domain.
Click on Validate, then Add.

Navigate to Certificates – Managed certificates – Add certificate.
Select your custom domain.
Click on Validate, then Add.
Navigate to Custom domains, select your domain, and click on Add binding.
For the Certificate, select Managed certificate.
For the TLS/SSL type, choose SNI SSL.
Click Add.

Navigate to Configuration – General settings.
Set HTTPS Only to On, and click on Save.

Navigate to App Service – Application Insights – Turn on Application Insights.
Create new or Select existing Application Insights resources.
Click Apply.

# Create Application Insights
az monitor app-insights component create `
  --app dvls-insights `
  --location eastus `
  --resource-group rg-dvls-prod `
  --application-type web

# Get connection string
$CONN_STRING = az monitor app-insights component show `
  --app dvls-insights `
  --resource-group rg-dvls-prod `
  --query connectionString -o tsv

# Configure App Service
az webapp config appsettings set `
  --resource-group rg-dvls-prod `
  --name dvls-prod-<unique> `
  --settings "APPLICATIONINSIGHTS_CONNECTION_STRING=$CONN_STRING"

# Create Application Insights
az monitor app-insights component create \
  --app dvls-insights \
  --location eastus \
  --resource-group rg-dvls-prod \
  --application-type web

# Get connection string
CONN_STRING=$(az monitor app-insights component show \
  --app dvls-insights \
  --resource-group rg-dvls-prod \
  --query connectionString -o tsv)

# Configure App Service
az webapp config appsettings set \
  --resource-group rg-dvls-prod \
  --name dvls-prod-<unique> \
  --settings \
    APPLICATIONINSIGHTS_CONNECTION_STRING="$CONN_STRING"

# Create Application Insights
az monitor app-insights component create \
  --app dvls-insights \
  --location eastus \
  --resource-group rg-dvls-prod \
  --application-type web

# Get connection string
CONN_STRING=$(az monitor app-insights component show \
  --app dvls-insights \
  --resource-group rg-dvls-prod \
  --query connectionString -o tsv)

# Configure App Service
az webapp config appsettings set \
  --resource-group rg-dvls-prod \
  --name dvls-prod-<unique> \
  --settings \
    APPLICATIONINSIGHTS_CONNECTION_STRING="$CONN_STRING"

The location is set to East US as an example here. Make sure to change the value to your region.

az webapp log tail `
  --resource-group rg-dvls-prod `
  --name dvls-prod-<unique>

az webapp log tail \
  --resource-group rg-dvls-prod \
  --name dvls-prod-<unique>

az webapp log tail \
  --resource-group rg-dvls-prod \
  --name dvls-prod-<unique>

az webapp log download `
  --resource-group rg-dvls-prod `
  --name dvls-prod-<unique> `
  --log-file dvls-logs.zip

az webapp log download \
  --resource-group rg-dvls-prod \
  --name dvls-prod-<unique> \
  --log-file dvls-logs.zip

az webapp log download \
  --resource-group rg-dvls-prod \
  --name dvls-prod-<unique> \
  --log-file dvls-logs.zip

Enable Managed Identity:

az webapp identity assign `
  --resource-group rg-dvls-prod `
  --name dvls-prod-<unique>

PRINCIPAL_ID=$(az webapp identity show `
  --resource-group rg-dvls-prod `
  --name dvls-prod-<unique> `
  --query principalId -o tsv)

Create a Key Vault and store secret:

az keyvault create `
  --name kv-dvls-prod `
  --resource-group rg-dvls-prod `
  --location eastus

az keyvault secret set `
  --vault-name kv-dvls-prod `
  --name dvls-db-password `
  --value 'YourSecurePassword123!'

Grant access:

az keyvault set-policy `
  --name kv-dvls-prod `
  --object-id "$PRINCIPAL_ID" `
  --secret-permissions get

Reference in App Settings:

SECRET_URI=$(az keyvault secret show `
  --vault-name kv-dvls-prod `
  --name dvls-db-password `
  --query id -o tsv)

az webapp config appsettings set `
  --resource-group rg-dvls-prod `
  --name dvls-prod-<unique> `
  --settings `
    DATABASE_PASSWORD="@Microsoft.KeyVault(SecretUri=${SECRET_URI})"

Enable Managed Identity:

az webapp identity assign \
  --resource-group rg-dvls-prod \
  --name dvls-prod-<unique>

PRINCIPAL_ID=$(az webapp identity show \
  --resource-group rg-dvls-prod \
  --name dvls-prod-<unique> \
  --query principalId -o tsv)

Create a Key Vault and store secret:

az keyvault create \
  --name kv-dvls-prod \
  --resource-group rg-dvls-prod \
  --location eastus

az keyvault secret set \
  --vault-name kv-dvls-prod \
  --name dvls-db-password \
  --value 'YourSecurePassword123!'

Grant access:

az keyvault set-policy \
  --name kv-dvls-prod \
  --object-id "$PRINCIPAL_ID" \
  --secret-permissions get

Reference in App Settings:

SECRET_URI=$(az keyvault secret show \
  --vault-name kv-dvls-prod \
  --name dvls-db-password \
  --query id -o tsv)

az webapp config appsettings set \
  --resource-group rg-dvls-prod \
  --name dvls-prod-<unique> \
  --settings \
    DATABASE_PASSWORD="@Microsoft.KeyVault(SecretUri=${SECRET_URI})"

Enable Managed Identity:

az webapp identity assign \
  --resource-group rg-dvls-prod \
  --name dvls-prod-<unique>

PRINCIPAL_ID=$(az webapp identity show \
  --resource-group rg-dvls-prod \
  --name dvls-prod-<unique> \
  --query principalId -o tsv)

Create a Key Vault and store secret:

az keyvault create \
  --name kv-dvls-prod \
  --resource-group rg-dvls-prod \
  --location eastus

az keyvault secret set \
  --vault-name kv-dvls-prod \
  --name dvls-db-password \
  --value 'YourSecurePassword123!'

Grant access:

az keyvault set-policy \
  --name kv-dvls-prod \
  --object-id "$PRINCIPAL_ID" \
  --secret-permissions get

Reference in App Settings:

SECRET_URI=$(az keyvault secret show \
  --vault-name kv-dvls-prod \
  --name dvls-db-password \
  --query id -o tsv)

az webapp config appsettings set \
  --resource-group rg-dvls-prod \
  --name dvls-prod-<unique> \
  --settings \
    DATABASE_PASSWORD="@Microsoft.KeyVault(SecretUri=${SECRET_URI})"

Devolutions Server deployment to Azure App Service using a container

Azure Portal deployment

Prerequisites

Create an Azure SQL database

Create a database user for Devolutions Server

Create an App Service Plan

Create the app service

Configure the application's settings

Initialize Devolutions Server and retrieve encryption configuration

Access Devolutions Server

Azure CLI Deployment

Prerequisites

Custom domain and TLS

Add custom domain

Add managed certificate (free and renews automatically)

Force HTTPS

Monitoring

Enable Application Insights

Portal

CLI

View logs

Stream logs

Download logs

Security

Use Azure Key Vault for secrets

See also