> For the complete documentation index, see [llms.txt](https://docs.devolutions.net/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.devolutions.net/server/knowledge-base/how-to-articles/devolutions-server-docker-deployment/devolutions-server-deployment-to-azure-app-service-using-a-container.md).
# Devolutions Server deployment to Azure App Service using a container
This guide covers deploying Devolutions Server to Azure App Service using a container, providing a fully managed platform with automatic scaling, built-in TLS, and Azure service integration.
### Azure Portal deployment
#### Prerequisites
* An Azure subscription.
* Azure CLI installed: `az --version` (or use Azure Cloud Shell).
* SQL Server administrator access (for database creation).
* Devolutions Server container image in registry (Docker Hub or Azure Container Registry).
#### Create an Azure SQL database
1. Navigate to the Azure portal.
2. Click **Create a resource**, and search for ***SQL Database*** – ***Create***.
3. In the ***Basics*** tab, fill the fields as follows:
| Fields | Suggested input |
| ------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Subscription** | Select your subscription. |
| **Resource Group** | Create a new group named `rg-dvls-prod`. |
| **Database name** | Enter `dvls`. |
| **Server** | Click on Create new and fill the fields as follows:
- Server name:
dvls-sql-server-\. The server name must be globally unique. - Location: select a region.
- Authentication: enter your SQL authentication.
- Server admin login:
sqladmin. - Password: choose a strong password.
Click on OK.
|
| **Workload environment** | Select ***Production***. |
| **Compute + storage** | Click on Configure database, and fill the fields like so:
- Service tier: choose Standard.
- DTUs: SO (10 DTUs) for testing, 20+ DTUs for production.
Click on Apply.
|
4. Then, for the ***Networking*** tab:
| Fields | Suggested input |
| ------------------------- | ------------------------------------------------------------- |
| **Connectivity method** | Select ***Public endpoint***. |
| **Allow Azure services** | Choose ***Yes***, as it is required for App service to work. |
| **Add current client IP** | Choose ***Yes***, as it is necessary for management purposes. |
5. And the ***Additional settings*** tab:
| Fields | Suggested input |
| --------------------- | --------------------- |
| **Use existing data** | Select ***None***. |
| **Collation** | Choose ***Default***. |
6. Click on ***Review + create*** – ***Create*** and wait for deployment. This should take about 3-5 minutes.
#### Create a database user for Devolutions Server
1. Navigate to your SQL database's ***Query editor*** and log in with server administrator credentials.
2. Run the following SQL query:
```sql
-- Create dedicated DVLS user
CREATE LOGIN dvls_user WITH PASSWORD = 'YourSecurePassword123!';
-- Switch to DVLS database
USE dvls;
-- Create user and grant permissions
CREATE USER dvls_user FOR LOGIN dvls_user;
ALTER ROLE db_owner ADD MEMBER dvls_user;
```
#### Create an App Service Plan
1. Click ***Create a resource*** – ***App Service Plan*** – ***Create***.
2. Fill in the ***Basics*** tab as follows:
| Fields | Suggested input |
| -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **Subscription** | Select your subscription. |
| **Resource Group** | Enter the same as the database's: `rg-dvls-prod`. |
| **Name** | Enter `asp-dvls-prod`. |
| **Operating System** | Select your desired operating system. |
| **Region** | Enter the same region as the one chosen for during SQL database configuration. |
| **Pricing tier** | Click Change size, then choose pricing tiers for:
- Production: POV3 (recommended minimum).
- Development: B2 (basic tier, lower cost).
Once your choice is made, click Apply.
|
3. Click ***Review + create*** – ***Create***.
#### Create the app service
1. Head over to ***Create a resource*** – ***Web App*** – ***Create***.
2. In the ***Basics*** tab, fill the fields as shown below:
| Fields | Suggested input |
| -------------------- | ---------------------------------------------------------------------------------- |
| **Subscription** | Select your subscription. |
| **Resource Group** | Enter `rg-dvls-prod`, as before. |
| **Name** | Enter `dvls-prod-`. It will become `dvls-prod-.azurewebsites.net`. |
| **Publish** | Choose ***Container***. |
| **Operating System** | Select your desired operating system. |
| **Region** | Enter the same region as for the SQL database and App Service Plan. |
| **Linux Plan** | Select `asp-dvls-prod` (created during the App Service Plan's creation). |
3. And the ***Container*** tab:
| Fields | Suggested input |
| ------------------- | ------------------------------------------------------------------------------------------------------- |
| **Image Source** | Choose ***Docker Hub*** or ***Azure Container Registry***. |
| **Image and tag** | Enter `devolutions/devolutions-server:release-20XX.X` (replace the version number with the latest one). |
| **Registry access** | Select ***Public*** (for Docker Hub). |
4. Click ***Review + create*** – ***Create***, and wait 2-3 minutes for deployment.
#### Configure the application's settings
1. Navigate to ***App Service*** – ***Configuration*** – ***Application settings***.
2. Click ***New application setting*** for each variable:
| Name | Value | Notes |
| ------------------- | ----------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ |
| `DATABASE_ENCRYPT` | `true` | Required for Azure SQL. Encrypts the SQL connection (TLS). Azure SQL always enforces encryption, so the connection fails without it. |
| `DATABASE_HOST` | `dvls-sql-server-.database.windows.net` | Your SQL Server hostname. |
| `DATABASE_NAME` | `dvls` | Your database name. |
| `DATABASE_USERNAME` | `dvls_user` | The dedicated SQL user. |
| `DATABASE_PASSWORD` | `YourSecurePassword123!` | Use Key Vault reference in production. |
| `WEB_SCHEME` | `http` | Protocol (App Service handles HTTPS termination). |
| `PORT` | `5000` | The container's listen port. |
| `DVLS_TELEMETRY` | `true` | Enable telemetry. |
| `WEBSITES_PORT` | `5000` | Azure-specific (tells App Service which port to forward). |
3. Click ***Save***, then ***Continue*** to confirm restart.
#### Initialize Devolutions Server and retrieve encryption configuration
{% tabs %}
{% tab title="Windows" %}
* Go to ***Configuration*** – ***Application settings***.
* Add new setting:
* **Name**: `DVLS_INIT`
* **Value**: `true`
* Click ***Save*** – ***Continue***. This restarts the app.
* Under ***Monitoring***, navigate to ***Log stream***, and wait 1-2 minutes for initialization to complete.
* Enable SSH access temporarily by heading to ***Development Tools*** – ***SSH***, and clicking on ***Go***.
* Extract the encryption configuration:
```powershell
cat /opt/devolutions/dvls/App_Data/encryption.config | base64
```
* Copy the base64 output.
* Go to ***Configuration*** – ***Application settings*** – ***New application setting***. Enter `DVLS_ENCRYPTION_CONFIG_B64` for the ***Name*** field and paste the base64 file's content copied during step #7 in the ***Value*** field. Click ***OK***.
* Find the `DVLS_INIT` setting and click ***Delete***.
* Click ***Save***, and then ***Continue***.
{% endtab %}
{% tab title="macOS" %}
* Go to ***Configuration*** – ***Application settings***.
* Add new setting:
* **Name**: `DVLS_INIT`
* **Value**: `true`
* Click ***Save*** – ***Continue***. This restarts the app.
* Under ***Monitoring***, navigate to ***Log stream***, and wait 1-2 minutes for initialization to complete.
* Enable SSH access temporarily by heading to ***Development Tools*** – ***SSH***, and clicking on ***Go***.
* Extract the encryption configuration:
```bash
cat /opt/devolutions/dvls/App_Data/encryption.config | base64
```
* Copy the base64 output.
* Go to ***Configuration*** – ***Application settings*** – ***New application setting***. Enter `DVLS_ENCRYPTION_CONFIG_B64` for the ***Name*** field and paste the base64 file's content copied during step #7 in the ***Value*** field. Click ***OK***.
* Find the `DVLS_INIT` setting and click ***Delete***.
* Click ***Save***, and then ***Continue***.
{% endtab %}
{% tab title="Linux" %}
* Go to ***Configuration*** – ***Application settings***.
* Add new setting:
* **Name**: `DVLS_INIT`
* **Value**: `true`
* Click ***Save*** – ***Continue***. This restarts the app.
* Under ***Monitoring***, navigate to ***Log stream***, and wait 1-2 minutes for initialization to complete.
* Enable SSH access temporarily by heading to ***Development Tools*** – ***SSH***, and clicking on ***Go***.
* Extract the encryption configuration:
```bash
cat /opt/devolutions/dvls/App_Data/encryption.config | base64
```
* Copy the base64 output.
* Go to ***Configuration*** – ***Application settings*** – ***New application setting***. Enter `DVLS_ENCRYPTION_CONFIG_B64` for the ***Name*** field and paste the base64 file's content copied during step #7 in the ***Value*** field. Click ***OK***.
* Find the `DVLS_INIT` setting and click ***Delete***.
* Click ***Save***, and then ***Continue***.
{% endtab %}
{% endtabs %}
#### Access Devolutions Server
1. Navigate to ***Overview*** – ***URL***.
2. Click the URL or visit: `https://devolutions-server-prod-.azurewebsites.net`
3. Login with default credentials:
* **Username**: `devolutions-server-admin`
* **Password**: `devolutions-server-admin`
{% hint style="danger" %}
Immediately after login, change the default password by heading to ***Administration*** – ***Users***, clicking on the vertical ellipsis button of the `devolutions-server-admin` user, and selecting ***Change password***.
{% endhint %}
### Azure CLI Deployment
Azure CLI is also available for automated or repeatable deployments.
#### Prerequisites
{% tabs %}
{% tab title="Windows" %}
```
# Login to Azure
az login
# Set subscription
az account set --subscription "Your Subscription Name"
# Verify Azure CLI version (2.50+ recommended)
az --version
```
{% endtab %}
{% tab title="macOS" %}
```
# Login to Azure
az login
# Set subscription
az account set --subscription "Your Subscription Name"
# Verify Azure CLI version (2.50+ recommended)
az --version
```
{% endtab %}
{% tab title="Linux" %}
```
# Login to Azure
az login
# Set subscription
az account set --subscription "Your Subscription Name"
# Verify Azure CLI version (2.50+ recommended)
az --version
```
{% endtab %}
{% endtabs %}
#### Custom domain and TLS
**Add custom domain**
1. Navigate to ***App Service*** – ***Custom domains*** – ***Add custom domain***.
2. Enter your domain: `devolutions-server.company.com`
3. Follow DNS configuration instructions:
* **CNAME**: `devolutions-server.company.com` → `devolutions-server-prod-.azurewebsites.net`.
* Or **A record** + TXT record for apex domain.
4. Click on ***Validate***, then ***Add***.
**Add managed certificate (free and renews automatically)**
1. Navigate to ***Certificates*** – ***Managed certificates*** – ***Add certificate***.
2. Select your custom domain.
3. Click on ***Validate***, then ***Add***.
4. Navigate to ***Custom domains***, select your domain, and click on ***Add binding***.
5. For the ***Certificate***, select ***Managed certificate***.
6. For the ***TLS/SSL type***, choose ***SNI SSL***.
7. Click ***Add***.
**Force HTTPS**
1. Navigate to ***Configuration*** – ***General settings***.
2. Set ***HTTPS Only*** to ***On***, and click on ***Save***.
### Monitoring
#### Enable Application Insights
**Portal**
1. Navigate to ***App Service*** – ***Application Insights*** – ***Turn on Application Insights***.
2. ***Create new*** or ***Select existing*** Application Insights resources.
3. Click ***Apply***.
**CLI**
{% tabs %}
{% tab title="Windows" %}
```powershell
# Create Application Insights
az monitor app-insights component create `
--app dvls-insights `
--location eastus `
--resource-group rg-dvls-prod `
--application-type web
# Get connection string
$CONN_STRING = az monitor app-insights component show `
--app dvls-insights `
--resource-group rg-dvls-prod `
--query connectionString -o tsv
# Configure App Service
az webapp config appsettings set `
--resource-group rg-dvls-prod `
--name dvls-prod- `
--settings "APPLICATIONINSIGHTS_CONNECTION_STRING=$CONN_STRING"
```
{% endtab %}
{% tab title="macOS" %}
```bash
# Create Application Insights
az monitor app-insights component create \
--app dvls-insights \
--location eastus \
--resource-group rg-dvls-prod \
--application-type web
# Get connection string
CONN_STRING=$(az monitor app-insights component show \
--app dvls-insights \
--resource-group rg-dvls-prod \
--query connectionString -o tsv)
# Configure App Service
az webapp config appsettings set \
--resource-group rg-dvls-prod \
--name dvls-prod- \
--settings \
APPLICATIONINSIGHTS_CONNECTION_STRING="$CONN_STRING"
```
{% endtab %}
{% tab title="Linux" %}
```bash
# Create Application Insights
az monitor app-insights component create \
--app dvls-insights \
--location eastus \
--resource-group rg-dvls-prod \
--application-type web
# Get connection string
CONN_STRING=$(az monitor app-insights component show \
--app dvls-insights \
--resource-group rg-dvls-prod \
--query connectionString -o tsv)
# Configure App Service
az webapp config appsettings set \
--resource-group rg-dvls-prod \
--name dvls-prod- \
--settings \
APPLICATIONINSIGHTS_CONNECTION_STRING="$CONN_STRING"
```
{% endtab %}
{% endtabs %}
{% hint style="info" %}
The location is set to East US as an example here. Make sure to change the value to your region.
{% endhint %}
### View logs
{% tabs %}
{% tab title="Windows" %}
**Stream logs**
```powershell
az webapp log tail `
--resource-group rg-dvls-prod `
--name dvls-prod-
```
**Download logs**
```powershell
az webapp log download `
--resource-group rg-dvls-prod `
--name dvls-prod- `
--log-file dvls-logs.zip
```
{% endtab %}
{% tab title="macOS" %}
**Stream logs**
```bash
az webapp log tail \
--resource-group rg-dvls-prod \
--name dvls-prod-
```
**Download logs**
```bash
az webapp log download \
--resource-group rg-dvls-prod \
--name dvls-prod- \
--log-file dvls-logs.zip
```
{% endtab %}
{% tab title="Linux" %}
**Stream logs**
```bash
az webapp log tail \
--resource-group rg-dvls-prod \
--name dvls-prod-
```
**Download logs**
```bash
az webapp log download \
--resource-group rg-dvls-prod \
--name dvls-prod- \
--log-file dvls-logs.zip
```
{% endtab %}
{% endtabs %}
### Security
#### Use Azure Key Vault for secrets
{% tabs %}
{% tab title="Windows" %}
1. Enable ***Managed Identity***:
```powershell
az webapp identity assign `
--resource-group rg-dvls-prod `
--name dvls-prod-
PRINCIPAL_ID=$(az webapp identity show `
--resource-group rg-dvls-prod `
--name dvls-prod- `
--query principalId -o tsv)
```
2. Create a Key Vault and store secret:
```powershell
az keyvault create `
--name kv-dvls-prod `
--resource-group rg-dvls-prod `
--location eastus
az keyvault secret set `
--vault-name kv-dvls-prod `
--name dvls-db-password `
--value 'YourSecurePassword123!'
```
3. Grant access:
```powershell
az keyvault set-policy `
--name kv-dvls-prod `
--object-id "$PRINCIPAL_ID" `
--secret-permissions get
```
4. Reference in ***App Settings***:
```powershell
SECRET_URI=$(az keyvault secret show `
--vault-name kv-dvls-prod `
--name dvls-db-password `
--query id -o tsv)
az webapp config appsettings set `
--resource-group rg-dvls-prod `
--name dvls-prod- `
--settings `
DATABASE_PASSWORD="@Microsoft.KeyVault(SecretUri=${SECRET_URI})"
```
{% endtab %}
{% tab title="macOS" %}
1. Enable ***Managed Identity***:
```bash
az webapp identity assign \
--resource-group rg-dvls-prod \
--name dvls-prod-
PRINCIPAL_ID=$(az webapp identity show \
--resource-group rg-dvls-prod \
--name dvls-prod- \
--query principalId -o tsv)
```
2. Create a Key Vault and store secret:
```bash
az keyvault create \
--name kv-dvls-prod \
--resource-group rg-dvls-prod \
--location eastus
az keyvault secret set \
--vault-name kv-dvls-prod \
--name dvls-db-password \
--value 'YourSecurePassword123!'
```
3. Grant access:
```bash
az keyvault set-policy \
--name kv-dvls-prod \
--object-id "$PRINCIPAL_ID" \
--secret-permissions get
```
4. Reference in ***App Settings***:
```bash
SECRET_URI=$(az keyvault secret show \
--vault-name kv-dvls-prod \
--name dvls-db-password \
--query id -o tsv)
az webapp config appsettings set \
--resource-group rg-dvls-prod \
--name dvls-prod- \
--settings \
DATABASE_PASSWORD="@Microsoft.KeyVault(SecretUri=${SECRET_URI})"
```
{% endtab %}
{% tab title="Linux" %}
1. Enable ***Managed Identity***:
```bash
az webapp identity assign \
--resource-group rg-dvls-prod \
--name dvls-prod-
PRINCIPAL_ID=$(az webapp identity show \
--resource-group rg-dvls-prod \
--name dvls-prod- \
--query principalId -o tsv)
```
2. Create a Key Vault and store secret:
```bash
az keyvault create \
--name kv-dvls-prod \
--resource-group rg-dvls-prod \
--location eastus
az keyvault secret set \
--vault-name kv-dvls-prod \
--name dvls-db-password \
--value 'YourSecurePassword123!'
```
3. Grant access:
```bash
az keyvault set-policy \
--name kv-dvls-prod \
--object-id "$PRINCIPAL_ID" \
--secret-permissions get
```
4. Reference in ***App Settings***:
```bash
SECRET_URI=$(az keyvault secret show \
--vault-name kv-dvls-prod \
--name dvls-db-password \
--query id -o tsv)
az webapp config appsettings set \
--resource-group rg-dvls-prod \
--name dvls-prod- \
--settings \
DATABASE_PASSWORD="@Microsoft.KeyVault(SecretUri=${SECRET_URI})"
```
{% endtab %}
{% endtabs %}
#### See also
* [Advanced Docker configuration for Devolutions Server](https://docs.devolutions.net/server/kb/how-to-articles/devolutions-server-docker-deployment/advanced-docker-configuration/)
* [Deploy Devolutions Server with Docker](https://docs.devolutions.net/server/kb/how-to-articles/devolutions-server-docker-deployment/)
---
# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.
## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs.devolutions.net/server/knowledge-base/how-to-articles/devolutions-server-docker-deployment/devolutions-server-deployment-to-azure-app-service-using-a-container.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.