Environment variables and app settings in Azure App Service
Note
Starting June 1, 2024, newly created App Service apps can generate a unique default host name that uses the naming convention <app-name>-<random-hash>.<region>.azurewebsites.net. For example: myapp-ds27dh7271aah175.westus-01.azurewebsites.net. Existing app names remain unchanged.
For more information, see the blog post about creating a web app with a unique default host name.
In Azure App Service, certain settings are available to the deployment or runtime environment as environment variables. You can customize some of these settings when you set them manually as app settings. This reference shows the variables that you can use or customize.
App environment
The following environment variables are related to the app environment in general.
Setting name | Description |
---|---|
WEBSITE_SITE_NAME |
Read-only. App name. |
WEBSITE_RESOURCE_GROUP |
Read-only. Azure resource group name that contains the app resource. |
WEBSITE_OWNER_NAME |
Read-only. Contains the Azure subscription ID that owns the app, the resource group, and the webspace. |
REGION_NAME |
Read-only. Region name of the app. |
WEBSITE_PLATFORM_VERSION |
Read-only. App Service platform version. |
HOME |
Read-only. Path to the home directory (for example, D:\home for Windows). |
SERVER_PORT |
Read-only. Port that the app should listen to. |
WEBSITE_WARMUP_PATH |
Relative path to ping to warm up the app, beginning with a slash. The default is /robots933456.txt. Whenever the platform starts up a container, the orchestrator makes repeated requests against this endpoint. The platform considers any response from this endpoint as an indication that the container is ready. When the platform considers the container to be ready, it starts forwarding organic traffic to the newly started container. Unless WEBSITE_WARMUP_STATUSES is configured, the platform considers any response from the container at this endpoint (even error codes such as 404 or 502) as an indication that the container is ready. This app setting doesn't change the path that Always On uses. |
WEBSITE_WARMUP_STATUSES |
Comma-delimited list of HTTP status codes that are considered successful when the platform makes warm-up pings against a newly started container. Used in conjunction with WEBSITE_WARMUP_PATH. By default, any status code is considered an indication that the container is ready for organic traffic. You can use this app setting to require a specific response before organic traffic is routed to the container. An example is 200,202. If pings against the app's configured warm-up path receive a response with a 200 or 202 status code, organic traffic is routed to the container. If a status code that isn't in the list is received (such as 502), the platform continues to make pings until a 200 or 202 is received, or until the container startup timeout limit is reached. (See WEBSITES_CONTAINER_START_TIME_LIMIT later in this table.) If the container doesn't respond with an HTTP status code that's in the list, the platform eventually fails the startup attempt and retries, which results in 503 errors. |
WEBSITE_COMPUTE_MODE |
Read-only. Specifies whether the app runs on dedicated (Dedicated) or shared (Shared) virtual machines (VMs). |
WEBSITE_SKU |
Read-only. Pricing tier of the app. Possible values are Free , Shared , Basic , and Standard . |
SITE_BITNESS |
Read-only. Shows whether the app is 32 bit (x86) or 64 bit (AMD64). |
WEBSITE_HOSTNAME |
Read-only. Primary host name for the app. This setting doesn't account for custom host names. |
WEBSITE_VOLUME_TYPE |
Read-only. Shows the storage volume type currently in use. |
WEBSITE_NPM_DEFAULT_VERSION |
Default npm version that the app is using. |
WEBSOCKET_CONCURRENT_REQUEST_LIMIT |
Read-only. Limit for concurrent WebSocket requests. For the Standard tier and higher, the value is -1 , but there's still a per-VM limit based on your VM size. See Cross VM Numerical Limits. |
WEBSITE_PRIVATE_EXTENSIONS |
Set to 0 to disable the use of private site extensions. |
WEBSITE_TIME_ZONE |
By default, the time zone for the app is always UTC. You can change it to any of the valid values that are listed in Default time zones. If the specified value isn't recognized, the app uses UTC. Example: Atlantic Standard Time |
WEBSITE_ADD_SITENAME_BINDINGS_IN_APPHOST_CONFIG |
After slot swaps, the app might experience unexpected restarts. The reason is that after a swap, the host-name binding configuration goes out of sync, which by itself doesn't cause restarts. However, certain underlying storage events (such as storage volume failovers) might detect these discrepancies and force all worker processes to restart. To minimize these types of restarts, set the app setting value to 1 on all slots. (The default is 0 .) But don't set this value if you're running a Windows Communication Foundation application. For more information, see Troubleshoot swaps. |
WEBSITE_PROACTIVE_AUTOHEAL_ENABLED |
By default, a VM instance is proactively corrected when it uses more than 90% of allocated memory for more than 30 seconds, or when 80% of the total requests in the last two minutes take longer than 200 seconds. If a VM instance triggers one of these rules, the recovery process is an overlapping restart of the instance. Set to false to disable this recovery behavior. The default is true. For more information, see the Introducing Proactive Auto Heal blog post. |
WEBSITE_PROACTIVE_CRASHMONITORING_ENABLED |
Whenever the w3wp.exe process on a VM instance of your app crashes due to an unhandled exception for more than three times in 24 hours, a debugger process is attached to the main worker process on that instance. The debugger process collects a memory dump when the worker process crashes again. This memory dump is then analyzed, and the call stack of the thread that caused the crash is logged in your App Service logs. Set to false to disable this automatic monitoring behavior. The default is true. For more information, see the Proactive Crash Monitoring in Azure App Service blog post. |
WEBSITE_DAAS_STORAGE_SASURI |
During crash monitoring (proactive or manual), the memory dumps are deleted by default. To save the memory dumps to a storage blob container, specify the shared access signature (SAS) URI. |
WEBSITE_CRASHMONITORING_ENABLED |
Set to true to enable crash monitoring manually. You must also set WEBSITE_DAAS_STORAGE_SASURI and WEBSITE_CRASHMONITORING_SETTINGS. The default is false. This setting has no effect if remote debugging is enabled. Also, if this setting is set to true, proactive crash monitoring is disabled. |
WEBSITE_CRASHMONITORING_SETTINGS |
JSON with the following format: {"StartTimeUtc": "2020-02-10T08:21","MaxHours": "<elapsed-hours-from-StartTimeUtc>","MaxDumpCount": "<max-number-of-crash-dumps>"}. Required to configure crash monitoring if WEBSITE_CRASHMONITORING_ENABLED is specified. To log the call stack without saving the crash dump in the storage account, add ,"UseStorageAccount":"false" in the JSON. |
REMOTEDEBUGGINGVERSION |
Remote debugging version. |
WEBSITE_CONTENTAZUREFILECONNECTIONSTRING |
By default, App Service creates a shared storage for you at app creation. To use a custom storage account instead, set to the connection string of your storage account. For functions, see App settings reference for Azure Functions. Example: DefaultEndpointsProtocol=https;AccountName=<name>;AccountKey=<key> |
WEBSITE_CONTENTSHARE |
When you specify a custom storage account with WEBSITE_CONTENTAZUREFILECONNECTIONSTRING, App Service creates a file share in that storage account for your app. To use a custom name, set this variable to the name that you want. If a file share with the specified name doesn't exist, App Service creates it for you. Example: myapp123 |
WEBSITE_SCM_ALWAYS_ON_ENABLED |
Read-only. Shows whether Always On is enabled (1) or not (0). |
WEBSITE_SCM_SEPARATE_STATUS |
Read-only. Shows whether the Kudu app is running in a separate process (1) or not (0). |
WEBSITE_DNS_ATTEMPTS |
Number of times to try name resolution. |
WEBSITE_DNS_TIMEOUT |
Number of seconds to wait for name resolution. |
WEBSITES_CONTAINER_START_TIME_LIMIT |
Amount of time (in seconds) that the platform waits for a container to become ready on startup. This setting applies to both code-based and container-based apps on App Service for Linux. The default value is 230. When a container starts up, repeated pings are made against the container to gauge its readiness to serve organic traffic. (See WEBSITE_WARMUP_PATH and WEBSITE_WARMUP_STATUSES.) These pings are continuously made until either a successful response is received or the start time limit is reached. If the container isn't deemed ready within the configured timeout, the platform fails the startup attempt and retries, which results in 503 errors. For App Service for Windows containers, the default start time limit is 10 mins. You can change the start time limit by specifying a time span. For example, 00:05:00 indicates 5 minutes. |
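The readiness rule that WEBSITE_WARMUP_PATH, WEBSITE_WARMUP_STATUSES and WEBSITES_CONTAINER_START_TIME_LIMIT describe can be modeled in a few lines. The following is an added example, not App Service code: a simplified model of the documented rule, where the function names and the ping timeline are constructed for illustration and the time limit is taken in seconds.

```python
from typing import Iterable, Optional, Tuple

DEFAULT_START_TIME_LIMIT = 230  # seconds; the default stated in this table


def parse_statuses(setting: Optional[str]) -> Optional[frozenset]:
    """Parse a WEBSITE_WARMUP_STATUSES value such as "200,202".

    Returns None when the setting is absent or empty, which means
    "any response counts as ready" (the documented default).
    """
    if setting is None or not setting.strip():
        return None
    codes = set()
    for token in setting.split(","):
        token = token.strip()
        if not token.isdigit() or not 100 <= int(token) <= 599:
            raise ValueError(f"not an HTTP status code: {token!r}")
        codes.add(int(token))
    return frozenset(codes)


def evaluate_startup(
    pings: Iterable[Tuple[float, Optional[int]]],
    statuses_setting: Optional[str] = None,
    time_limit: float = DEFAULT_START_TIME_LIMIT,
) -> Tuple[str, float, Optional[int]]:
    """Decide when a container would be treated as ready.

    pings: (seconds_since_start, http_status) pairs; status None means the
    container did not answer that ping.
    Returns ("ready", time, status) for the first accepted response, or
    ("failed", time_limit, None) when nothing acceptable arrives in time.
    """
    accepted = parse_statuses(statuses_setting)
    for t, status in sorted(pings, key=lambda p: p[0]):
        if t > time_limit:
            break  # start time limit reached: startup attempt fails
        if status is None:
            continue  # no response yet, keep pinging
        if accepted is None or status in accepted:
            return ("ready", t, status)
    return ("failed", time_limit, None)


# Constructed timeline: the web server answers early with errors and only
# serves a real 200 once the application has finished initializing.
TIMELINE = [(2, None), (5, 502), (12, 404), (40, 200)]

if __name__ == "__main__":
    print(evaluate_startup(TIMELINE))                      # default behavior
    print(evaluate_startup(TIMELINE, "200,202"))           # explicit list
    print(evaluate_startup(TIMELINE, "200", time_limit=30))
```

With no status list, the 502 at 5 seconds already marks the container ready and traffic would reach an app that is still failing; with 200,202 configured, readiness moves to the first real success.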
Variable prefixes
The following table shows environment variable prefixes that App Service uses for various purposes.
Setting name | Description |
---|---|
APPSETTING_ |
Signifies that the customer sets a variable as an app setting in the app configuration. It's injected into a .NET app as an app setting. |
MAINSITE_ |
Signifies that a variable is specific to the app itself. |
SCMSITE_ |
Signifies that a variable is specific to the Kudu app. |
SQLCONNSTR_ |
SQL Server connection string in the app configuration. It's injected into a .NET app as a connection string. |
SQLAZURECONNSTR_ |
Azure SQL Database connection string in the app configuration. It's injected into a .NET app as a connection string. |
POSTGRESQLCONNSTR_ |
PostgreSQL connection string in the app configuration. It's injected into a .NET app as a connection string. |
CUSTOMCONNSTR_ |
Custom connection string in the app configuration. It's injected into a .NET app as a connection string. |
MYSQLCONNSTR_ |
MySQL database connection string in the app configuration. It's injected into a .NET app as a connection string. |
AZUREFILESSTORAGE_ |
Connection string to a custom share for a custom container in Azure Files. |
AZUREBLOBSTORAGE_ |
Connection string to a custom storage account for a custom container in Azure Blob Storage. |
NOTIFICATIONHUBCONNSTR_ |
Connection string to a notification hub in Azure Notification Hubs. |
SERVICEBUSCONNSTR_ |
Connection string to an instance of Azure Service Bus. |
EVENTHUBCONNSTR_ |
Connection string to an event hub in Azure Event Hubs. |
DOCDBCONNSTR_ |
Connection string to a database in Azure Cosmos DB. |
REDISCACHECONNSTR_ |
Connection string to a cache in Azure Cache for Redis. |
FILESHARESTORAGE_ |
Connection string to a custom file share. |
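Because these prefixes put connection strings into the process environment, any code that dumps environment variables to logs or diagnostics output should redact them first. The following is an added example, not App Service code: it redacts by the prefixes in this table and by secret-bearing setting names that appear elsewhere on this page. The list of sensitive connection-string keys and all sample values are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

MASK = "<redacted>"

# Connection-string prefixes from the "Variable prefixes" table.
CONNSTR_PREFIXES = (
    "SQLCONNSTR_", "SQLAZURECONNSTR_", "POSTGRESQLCONNSTR_", "CUSTOMCONNSTR_",
    "MYSQLCONNSTR_", "AZUREFILESSTORAGE_", "AZUREBLOBSTORAGE_",
    "NOTIFICATIONHUBCONNSTR_", "SERVICEBUSCONNSTR_", "EVENTHUBCONNSTR_",
    "DOCDBCONNSTR_", "REDISCACHECONNSTR_", "FILESHARESTORAGE_",
)

# Settings on this page whose value is a password, key, connection string
# or SAS URL. Compared in upper case.
SECRET_SETTINGS = {s.upper() for s in (
    "WEBSITE_DAAS_STORAGE_SASURI",
    "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING",
    "WEBSITE_HTTPLOGGING_CONTAINER_URL",
    "DIAGNOSTICS_AZUREBLOBCONTAINERSASURL",
    "DOCKER_REGISTRY_SERVER_PASSWORD",
    "MACHINEKEY_DecryptionKey",
    "MACHINEKEY_ValidationKey",
    "DATABASE_PASSWORD",
    "WORDPRESS_ADMIN_PASSWORD",
)}

# Assumption: connection-string keys whose values are credentials.
SENSITIVE_KEYS = {"password", "pwd", "accountkey", "sharedaccesskey",
                  "sharedaccesssignature"}


def is_secret(name: str) -> bool:
    """True if the variable name marks a secret-bearing setting."""
    base = name.upper()
    # A name carrying the APPSETTING_ prefix is checked against the same lists.
    if base.startswith("APPSETTING_"):
        base = base[len("APPSETTING_"):]
    return base.startswith(CONNSTR_PREFIXES) or base in SECRET_SETTINGS


def redact_value(value: str) -> str:
    """Mask the credential part of a value; mask everything if unsure."""
    if value.lower().startswith(("http://", "https://")):
        # SAS URL: keep host and path, drop the signed query string.
        u = urlsplit(value)
        return f"{u.scheme}://{u.hostname}{u.path}?{MASK}"
    parts, masked = [], False
    for part in value.split(";"):
        key, sep, _ = part.partition("=")
        if sep and key.strip().lower() in SENSITIVE_KEYS:
            parts.append(f"{key}={MASK}")
            masked = True
        else:
            parts.append(part)
    # Fail closed: an unrecognized format is masked completely.
    return ";".join(parts) if masked else MASK


def redact_env(env: dict) -> dict:
    """Return a copy of env that is safe to write to logs."""
    return {k: redact_value(v) if is_secret(k) else v for k, v in env.items()}


if __name__ == "__main__":
    # Constructed sample environment; no real credentials.
    sample = {
        "WEBSITE_SITE_NAME": "myapp",
        "SQLAZURECONNSTR_Main":
            "Server=tcp:db.example.invalid;Database=app;User ID=svc;Password=CONSTRUCTED-pw",
        "REDISCACHECONNSTR_Cache":
            "cache.example.invalid:6380,password=CONSTRUCTED,ssl=True",
    }
    for name, value in redact_env(sample).items():
        print(f"{name}={value}")
```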
Deployment
The following environment variables are related to app deployment. For variables related to App Service build automation, see Build automation later in this article.
Setting name | Description |
---|---|
DEPLOYMENT_BRANCH |
For local Git or cloud Git deployment (such as GitHub), set to the branch in Azure that you want to deploy to. By default, it's master . |
WEBSITE_RUN_FROM_PACKAGE |
Set to 1 to run the app from a local ZIP package, or set to an external URL to run the app from a remote ZIP package. For more information, see Run your app in Azure App Service directly from a ZIP package. |
WEBSITE_USE_ZIP |
Deprecated. Use WEBSITE_RUN_FROM_PACKAGE . |
WEBSITE_RUN_FROM_ZIP |
Deprecated. Use WEBSITE_RUN_FROM_PACKAGE . |
SCM_MAX_ZIP_PACKAGE_COUNT |
Your app keeps five of the most recent ZIP files deployed via ZIP deploy. You can keep more or fewer by changing the app setting to a different number. |
WEBSITE_WEBDEPLOY_USE_SCM |
Set to false for Web Deploy to stop using the Kudu deployment engine. The default is true . To deploy to Linux apps by using Visual Studio (Web Deploy/MSDeploy), set it to false . |
MSDEPLOY_RENAME_LOCKED_FILES |
Set to 1 to attempt to rename DLLs if they can't be copied during a Web Deploy deployment. This setting isn't applicable if WEBSITE_WEBDEPLOY_USE_SCM is set to false . |
WEBSITE_DISABLE_SCM_SEPARATION |
By default, the main app and the Kudu app run in different sandboxes. When you stop the app, the Kudu app is still running, and you can continue to use Git deployment and MSDeploy. Each app has its own local files. Turning off this separation (setting to true ) is a legacy mode that's no longer fully supported. |
WEBSITE_ENABLE_SYNC_UPDATE_SITE |
Set to 1 to ensure that REST API calls to update site and siteconfig are completely applied to all instances before returning. The default is 1 if you're deploying with an Azure Resource Manager template (ARM template), to avoid race conditions with subsequent Resource Manager calls. |
WEBSITE_START_SCM_ON_SITE_CREATION |
In an ARM template deployment, set to 1 in the ARM template to pre-start the Kudu app as part of app creation. |
WEBSITE_START_SCM_WITH_PRELOAD |
For Linux apps, set to true to force preloading the Kudu app when Always On is enabled by pinging its URL. The default is false . For Windows apps, the Kudu app is always preloaded. |
Build automation
Kudu build configuration applies to native Windows apps and is used to control the behavior of Git-based (or ZIP-based) deployments.
Setting name | Description |
---|---|
SCM_BUILD_ARGS |
Add things at the end of the msbuild command line, such that it overrides any previous parts of the default command line. For example, to do a clean build: -t:Clean;Compile . |
SCM_SCRIPT_GENERATOR_ARGS |
Kudu uses the azure site deploymentscript command to generate a deployment script. It automatically detects the language framework type and determines the parameters to pass to the command. This setting overrides the automatically generated parameters. For example, to treat your repository as plain content files: --basic -p <folder-to-deploy>. |
SCM_TRACE_LEVEL |
Build trace level. The default is 1 . Set to higher values, up to 4 , for more tracing. |
SCM_COMMAND_IDLE_TIMEOUT |
Timeout, in seconds, for each command that the build process runs to wait before producing any output. After that, the command is considered idle and stopped. The default is 60 (one minute). In Azure, there's also a general idle request timeout that disconnects clients after 230 seconds. However, the command continues to run on the server side after that. |
SCM_LOGSTREAM_TIMEOUT |
Timeout of inactivity, in seconds, before stopping log streaming. The default is 1800 (30 minutes). |
SCM_SITEEXTENSIONS_FEED_URL |
URL of the site extensions gallery. The default is https://www.nuget.org/api/v2/ . The URL of the old feed is http://www.siteextensions.net/api/v2/ . |
SCM_USE_LIBGIT2SHARP_REPOSITORY |
Set to 0 to use git.exe instead of libgit2sharp for Git operations. |
WEBSITE_LOAD_USER_PROFILE |
In case of the error The specified user does not have a valid profile during ASP.NET build automation (such as during Git deployment), set this variable to 1 to load a full user profile in the build environment. This setting applies only when WEBSITE_COMPUTE_MODE is Dedicated . |
WEBSITE_SCM_IDLE_TIMEOUT_IN_MINUTES |
Timeout, in minutes, for the Source Control Manager (Kudu) site. The default is 20 . |
SCM_DO_BUILD_DURING_DEPLOYMENT |
With ZIP deploy, the deployment engine assumes that a ZIP file is ready to run as is and doesn't run any build automation. To enable the same build automation as in Git deployment, set to true . |
Language-specific settings
This section shows the configurable runtime settings for each supported language framework. Additional settings are available during build automation at deployment time.
Setting name | Description |
---|---|
PORT |
Read-only. For Linux apps, the port that the .NET runtime listens to in the container. |
WEBSITE_ROLE_INSTANCE_ID |
Read-only. ID of the current instance. |
HOME |
Read-only. Directory that points to shared storage (/home). |
DUMP_DIR |
Read-only. Directory for the crash dumps (/home/logs/dumps). |
APP_SVC_RUN_FROM_COPY |
Linux apps only. By default, the app is run from /home/site/wwwroot , a shared directory for all scaled-out instances. Set this variable to true to copy the app to a local directory in your container and run it from there. When you use this option, be sure not to hard-code any reference to /home/site/wwwroot . Instead, use a path relative to /home/site/wwwroot . |
MACHINEKEY_Decryption |
For native Windows apps or containerized Windows apps, this variable is injected into an app environment or container to enable ASP.NET cryptographic routines. (See machineKey Element.) To override the default decryption value, configure it as an App Service app setting, or set it directly in the machineKey element of the Web.config file. |
MACHINEKEY_DecryptionKey |
For native Windows apps or containerized Windows apps, this variable is injected into the app environment or container to enable ASP.NET cryptographic routines. (See machineKey Element.) To override the automatically generated decryptionKey value, configure it as an App Service app setting, or set it directly in the machineKey element of the Web.config file. |
MACHINEKEY_Validation |
For native Windows apps or containerized Windows apps, this variable is injected into the app environment or container to enable ASP.NET cryptographic routines. (See machineKey Element.) To override the default validation value, configure it as an App Service app setting, or set it directly in the machineKey element of the Web.config file. |
MACHINEKEY_ValidationKey |
For native Windows apps or containerized Windows apps, this variable is injected into the app environment or container to enable ASP.NET cryptographic routines. (See machineKey Element.) To override the automatically generated validationKey value, configure it as an App Service app setting, or set it directly in the machineKey element of the Web.config file. |
WordPress
Application setting | Scope | Value | Maximum | Description |
---|---|---|---|---|
WEBSITES_ENABLE_APP_SERVICE_STORAGE |
Web app | true | Not applicable | When set to true, file contents are preserved during restarts. |
WP_MEMORY_LIMIT |
WordPress | 128M | 512M | Front-end or general WordPress PHP memory limit (per script). Can't be more than PHP_MEMORY_LIMIT. |
WP_MAX_MEMORY_LIMIT |
WordPress | 256M | 512M | Admin dashboard PHP memory limit (per script). Generally, the admin dashboard and back-end scripts take a lot of memory compared to front-end scripts. Can't be more than PHP_MEMORY_LIMIT. |
PHP_MEMORY_LIMIT |
PHP | 512M | 512M | Memory limit for general PHP scripts. Can only be decreased. |
FILE_UPLOADS |
PHP | On | Not applicable | Enables or disables file uploads. Can be either On or Off. Note that values are case sensitive. |
UPLOAD_MAX_FILESIZE |
PHP | 50M | 256M | Size limit for file upload. Can be increased up to 256M. |
POST_MAX_SIZE |
PHP | 128M | 256M | Can be increased up to 256M. Generally should be more than UPLOAD_MAX_FILESIZE. |
MAX_EXECUTION_TIME |
PHP | 120 | 120 | Can only be decreased. Break down the scripts if they take more than 120 seconds. Added to keep bad scripts from slowing the system. |
MAX_INPUT_TIME |
PHP | 120 | 120 | Time limit for parsing input requests. Can only be decreased. |
MAX_INPUT_VARS |
PHP | 10000 | 10000 | Maximum number of variables for input requests. |
DATABASE_HOST |
Database | Not applicable | Not applicable | Database host used to connect to WordPress. |
DATABASE_NAME |
Database | Not applicable | Not applicable | Database name used to connect to WordPress. |
DATABASE_USERNAME |
Database | Not applicable | Not applicable | Database username used to connect to WordPress. |
DATABASE_PASSWORD |
Database | Not applicable | Not applicable | Database password used to connect to the MySQL database. To change the MySQL database password, see Update admin password. Whenever the MySQL database password is changed, the application settings also need to be updated. |
WORDPRESS_ADMIN_EMAIL |
Deployment only | Not applicable | Not applicable | WordPress admin email. |
WORDPRESS_ADMIN_PASSWORD |
Deployment only | Not applicable | Not applicable | WordPress admin password. This setting is only for deployment purposes. Modifying this value has no effect on the WordPress installation. To change the WordPress admin password, see Reset your password. |
WORDPRESS_ADMIN_USER |
Deployment only | Not applicable | Not applicable | WordPress admin username. |
WORDPRESS_ADMIN_LOCALE_CODE |
Deployment only | Not applicable | Not applicable | Database username used to connect to WordPress. |
Domain and DNS
Setting name | Description |
---|---|
WEBSITE_DNS_SERVER |
IP address of the primary DNS server for outgoing connections (such as to a back-end service). The default DNS server for App Service is Azure DNS, whose IP address is 168.63.129.16. If your app uses virtual network integration or is in an App Service environment, it inherits the DNS server configuration from the virtual network by default. Example: 10.0.0.1 |
WEBSITE_DNS_ALT_SERVER |
IP address of the fallback DNS server for outgoing connections. See WEBSITE_DNS_SERVER . |
WEBSITE_ENABLE_DNS_CACHE |
Allows successful DNS resolutions to be cached. By default, expired DNS cache entries are flushed (in addition to the existing cache) every 4.5 minutes. |
TLS/SSL
For more information, see Use a TLS/SSL certificate in your code in Azure App Service.
Setting name | Description |
---|---|
WEBSITE_LOAD_CERTIFICATES |
Comma-separated thumbprint values of the certificates that you want to load in your code. Or use * to allow all certificates to be loaded in code. Only certificates added to your app can be loaded. |
WEBSITE_PRIVATE_CERTS_PATH |
Read-only. Path in a Windows container to the loaded private certificates. |
WEBSITE_PUBLIC_CERTS_PATH |
Read-only. Path in a Windows container to the loaded public certificates. |
WEBSITE_INTERMEDIATE_CERTS_PATH |
Read-only. Path in a Windows container to the loaded intermediate certificates. |
WEBSITE_ROOT_CERTS_PATH |
Read-only. Path in a Windows container to the loaded root certificates. |
Deployment slots
For more information on deployment slots, see Set up staging environments in Azure App Service.
Setting name | Description |
---|---|
WEBSITE_OVERRIDE_STICKY_EXTENSION_VERSIONS |
By default, the versions for site extensions are specific to each slot. This default prevents unanticipated application behavior due to changing extension versions after a swap. If you want the extension versions to also swap, set to 0 on all slots. |
WEBSITE_OVERRIDE_PRESERVE_DEFAULT_STICKY_SLOT_SETTINGS |
Designates certain settings as sticky or not swappable by default. Default is true . Set this value to false or 0 for all deployment slots to make them swappable instead. There's no fine-grained control for specific setting types. |
WEBSITE_SWAP_WARMUP_PING_PATH |
Path to ping to warm up the target slot in a swap, beginning with a slash. The default is /, which pings the root path over HTTP. Example: /statuscheck |
WEBSITE_SWAP_WARMUP_PING_STATUSES |
Valid HTTP response codes for the warm-up operation during a swap. If the returned status code isn't in the list, the warm-up and swap operations are stopped. By default, all response codes are valid. Example: 200,202 |
WEBSITE_SLOT_NUMBER_OF_TIMEOUTS_BEFORE_RESTART |
During a slot swap, maximum number of timeouts before a forced restart of the site on a specific VM instance. The default is 3 . |
WEBSITE_SLOT_MAX_NUMBER_OF_TIMEOUTS |
During a slot swap, maximum number of timeout requests for a single URL to make before giving up. The default is 5 . |
WEBSITE_SKIP_ALL_BINDINGS_IN_APPHOST_CONFIG |
Set to true or 1 to skip all bindings in applicationHost.config . The default is false . If your app triggers a restart because applicationHost.config is updated with the swapped host names of the slots, set this variable to true to avoid a restart of this kind. If you're running a Windows Communication Foundation app, don't set this variable. |
Custom containers
For more information on custom containers, see Run a custom container in Azure.
Setting name | Description |
---|---|
WEBSITES_ENABLE_APP_SERVICE_STORAGE |
For Linux containers, if this app setting is not specified, the /home directory is shared across scaled instances by default. You can set it to false to disable sharing. For Windows containers, set to true to enable the c:\home directory to be shared across scaled instances. The default is true for Windows containers. |
WEBSITES_CONTAINER_STOP_TIME_LIMIT |
Amount of time, in seconds, to wait for the container to terminate gracefully. Default is 5 . You can increase to a maximum of 120 . |
DOCKER_REGISTRY_SERVER_URL |
URL of the registry server when you're running a custom container in App Service. For security, this variable isn't passed on to the container. Example: https://<server-name>.azurecr.io |
DOCKER_REGISTRY_SERVER_USERNAME |
Username to authenticate with the registry server at DOCKER_REGISTRY_SERVER_URL . For security, this variable isn't passed on to the container. |
DOCKER_REGISTRY_SERVER_PASSWORD |
Password to authenticate with the registry server at DOCKER_REGISTRY_SERVER_URL . For security, this variable isn't passed on to the container. |
DOCKER_ENABLE_CI |
Set to true to enable continuous deployment for custom containers. The default is false for custom containers. |
WEBSITE_PULL_IMAGE_OVER_VNET |
Connect and pull from a registry inside a virtual network or on-premises. Your app needs to be connected to a virtual network through the virtual network integration feature. This setting is also needed for Azure Container Registry with a private endpoint. |
WEBSITES_WEB_CONTAINER_NAME |
In a Docker Compose app, only one of the containers can be internet accessible. Set to the name of the container defined in the configuration file to override the default container selection. By default, the internet-accessible container is the first container to define port 80 or 8080. When no such container is found, the default is the first container defined in the configuration file. |
WEBSITES_PORT |
For a custom container, the custom port number on the container for App Service to route requests to. By default, App Service attempts automatic port detection of ports 80 and 8080. This setting isn't injected into the container as an environment variable. |
WEBSITE_CPU_CORES_LIMIT |
By default, a Windows container runs with all available cores for your chosen pricing tier. To reduce the number of cores, set a limit to the number of desired cores. For more information, see Customize the number of compute cores. |
WEBSITE_MEMORY_LIMIT_MB |
By default, all Windows containers deployed in App Service have a memory limit configured, depending on the tier of the App Service plan. Set to the desired memory limit in megabytes. The cumulative total of this setting across apps in the same plan must not exceed the amount that the chosen pricing tier allows. For more information, see Customize container memory. |
Scaling
Setting name | Description |
---|---|
WEBSITE_INSTANCE_ID |
Read-only. Unique ID of the current VM instance, when the app is scaled out to multiple instances. |
WEBSITE_IIS_SITE_NAME |
Deprecated. Use WEBSITE_INSTANCE_ID . |
WEBSITE_DISABLE_OVERLAPPED_RECYCLING |
Overlapped recycling ensures that before the current VM instance of an app is shut down, a new VM instance starts. In some cases, it can cause file locking issues. You can try turning it off by setting to 1 . |
WEBSITE_DISABLE_CROSS_STAMP_SCALE |
By default, apps are allowed to scale across stamps if they use Azure Files or a Docker container. Set to 1 or true to disable cross-stamp scaling within the app's region. The default is 0 . Custom Docker containers that set WEBSITES_ENABLE_APP_SERVICE_STORAGE to true or 1 can't scale cross-stamps because their content isn't completely encapsulated in the Docker container. |
Logging
Setting name | Description |
---|---|
WEBSITE_HTTPLOGGING_ENABLED |
Read-only. Shows whether the web server logging for native Windows apps is enabled (1) or not (0). |
WEBSITE_HTTPLOGGING_RETENTION_DAYS |
Retention period (in days) of web server logs, if web server logs are enabled for a native Windows or Linux app. Example: 10 |
WEBSITE_HTTPLOGGING_CONTAINER_URL |
SAS URL of the blob storage container to store web server logs for native Windows apps, if web server logs are enabled. If it isn't set, web server logs are stored in the app's file system (default shared storage). |
DIAGNOSTICS_AZUREBLOBRETENTIONINDAYS |
Retention period (in days) of application logs for native Windows apps, if application logs are enabled. Example: 10 |
DIAGNOSTICS_AZUREBLOBCONTAINERSASURL |
SAS URL of the blob storage container to store application logs for native Windows apps, if application logs are enabled. |
APPSERVICEAPPLOGS_TRACE_LEVEL |
Minimum log level to ship to Log Analytics for the AppServiceAppLogs log type. |
DIAGNOSTICS_LASTRESORTFILE |
File name to create, or relative path to the log directory, for logging internal errors for troubleshooting the listener. The default is logging-errors.txt . |
DIAGNOSTICS_LOGGINGSETTINGSFILE |
Path to the log settings file, relative to D:\home or /home . The default is site\diagnostics\settings.json . |
DIAGNOSTICS_TEXTTRACELOGDIRECTORY |
Log folder, relative to the app root (D:\home\site\wwwroot or /home/site/wwwroot). Example: ..\..\LogFiles\Application |
DIAGNOSTICS_TEXTTRACEMAXLOGFILESIZEBYTES |
Maximum size of the log file in bytes. The default is 131072 (128 KB). |
DIAGNOSTICS_TEXTTRACEMAXLOGFOLDERSIZEBYTES |
Maximum size of the log folder in bytes. The default is 1048576 (1 MB). |
DIAGNOSTICS_TEXTTRACEMAXNUMLOGFILES |
Maximum number of log files to keep. The default is 20 . |
DIAGNOSTICS_TEXTTRACETURNOFFPERIOD |
Timeout, in milliseconds, to keep application logging enabled. The default is 43200000 (12 hours). |
WEBSITE_LOG_BUFFERING |
By default, log buffering is enabled. Set to 0 to disable it. |
WEBSITE_ENABLE_PERF_MODE |
For native Windows apps, set to TRUE to turn off IIS log entries for successful requests returned within 10 seconds. This is a quick way to do performance benchmarking by removing extended logging. |
Performance counters
The following are "fake" environment variables that don't exist if you enumerate them, but they return their value if you look them up individually. The value is dynamic and can change on every lookup.
Setting name | Description |
---|---|
WEBSITE_COUNTERS_ASPNET |
JSON object that contains ASP.NET performance counters. |
WEBSITE_COUNTERS_APP |
JSON object that contains sandbox counters. |
WEBSITE_COUNTERS_CLR |
JSON object that contains Common Language Runtime counters. |
WEBSITE_COUNTERS_ALL |
JSON object that contains the combination of the other three variables. |
Caching
Setting name | Description |
---|---|
WEBSITE_LOCAL_CACHE_OPTION |
Whether local cache is enabled. Available options are: Default (inherit the stamp-level global setting), Always (enable for the app), OnStorageUnavailability, and Disabled (disable for the app). |
WEBSITE_LOCAL_CACHE_READWRITE_OPTION |
Read/write options of the local cache. Available options are: ReadOnly (cache is read-only) and WriteButDiscardChanges (allow writes to the local cache but discard changes made locally). |
WEBSITE_LOCAL_CACHE_SIZEINMB |
Size of the local cache in megabytes. Default is 1000 (1 GB). |
WEBSITE_LOCALCACHE_READY |
Read-only flag that indicates if the app is using the local cache. |
WEBSITE_DYNAMIC_CACHE |
Because the network file share allows access from multiple instances, the dynamic cache improves performance by caching the recently accessed files locally on an instance. The cache is invalidated when a file is modified. The cache location is %SYSTEMDRIVE%\local\DynamicCache. (The same %SYSTEMDRIVE%\local quota is applied.) To enable full content caching, set to 1, which includes both file content and directory/file metadata (time stamps, size, directory content). To conserve local disk use, set to 2 to cache only directory/file metadata (time stamps, size, directory content). To turn off caching, set to 0. For Windows apps and for Linux apps created with the WordPress template, the default is 1. For all other Linux apps, the default is 0. |
WEBSITE_READONLY_APP |
When you use a dynamic cache, you can disable write access to the app root (D:\home\site\wwwroot or /home/site/wwwroot ) by setting this variable to 1 . Except for the App_Data directory, no exclusive locks are allowed so that locked files don't block deployments. |
Networking
The following environment variables are related to hybrid connections and virtual network integration.
Setting name | Description |
---|---|
WEBSITE_RELAYS |
Read-only. Data needed to configure the hybrid connection, including endpoints and service bus data. |
WEBSITE_REWRITE_TABLE |
Read-only. Used at runtime to do the lookups and rewrite connections appropriately. |
WEBSITE_VNET_ROUTE_ALL |
By default, if you use regional virtual network integration, your app routes only RFC1918 traffic into your virtual network. Set to 1 to route all outbound traffic into your virtual network and be subject to the same network security groups and user-defined routes. The setting lets you access non-RFC1918 endpoints through your virtual network, secure all outbound traffic leaving your app, and force tunnel all outbound traffic to a network appliance of your own choosing. |
WEBSITE_PRIVATE_IP |
Read-only. IP address associated with the app that's integrated with a virtual network. For regional virtual network integration, the value is an IP from the address range of the delegated subnet. For gateway-required virtual network integration, the value is an IP from the address range of the point-to-site address pool configured on the virtual network gateway. The app uses this IP to connect to the resources through the virtual network. Also, it can change within the described address range. |
WEBSITE_PRIVATE_PORTS |
Read-only. In virtual network integration, shows which ports the app can use to communicate with other nodes. |
WEBSITE_CONTENTOVERVNET |
If you're mounting an Azure file share on App Service and the storage account is restricted to a virtual network, enable this setting with a value of 1. |
Key vault references
The following environment variables are related to key vault references.
Setting name | Description |
---|---|
WEBSITE_KEYVAULT_REFERENCES |
Read-only. Contains information (including statuses) for all key vault references that are currently configured in the app. |
WEBSITE_SKIP_CONTENTSHARE_VALIDATION |
If you set the shared storage connection of your app (by using WEBSITE_CONTENTAZUREFILECONNECTIONSTRING) to a key vault reference, the app can't resolve the key vault reference at app creation or update if one of the following conditions is true: - The app accesses the key vault by using a system-assigned identity. - The app accesses the key vault by using a user-assigned identity, and the key vault is locked with a virtual network. To avoid errors at create or update time, set this variable to 1. |
WEBSITE_DELAY_CERT_DELETION |
Setting this environment variable to 1 ensures that a certificate that a worker process depends on isn't deleted until it exits. |
CORS
The following environment variables are related to cross-origin resource sharing (CORS) configuration.
Setting name | Description |
---|---|
WEBSITE_CORS_ALLOWED_ORIGINS |
Read-only. Shows the allowed origins for CORS. |
WEBSITE_CORS_SUPPORT_CREDENTIALS |
Read-only. Shows whether setting the Access-Control-Allow-Credentials header to true is enabled (True) or not (False). |
Authentication and authorization
The following environment variables are related to App Service authentication.
Setting name | Description |
---|---|
WEBSITE_AUTH_DISABLE_IDENTITY_FLOW |
When set to true, disables assigning the thread principal identity in ASP.NET-based web applications (including v1 function apps). This capability allows developers to protect access to their site with authentication, but still have it use a separate sign-in mechanism within their app logic. The default is false. |
WEBSITE_AUTH_HIDE_DEPRECATED_SID |
true or false. The default value is false. This is a setting for the legacy Mobile Apps integration for Azure App Service. Setting the value to true resolves an issue where the security ID generated for authenticated users might change if the user changes their profile information. Changing this value might cause existing Azure Mobile Apps user IDs to change. Most apps don't need to use this setting. |
WEBSITE_AUTH_NONCE_DURATION |
A time-span value in the form hours:minutes:seconds. The default value is 00:05:00, or 5 minutes. This setting controls the lifetime of the cryptographic nonce generated for all browser-driven sign-ins. If a sign-in fails to finish in the specified time, the sign-in flow is retried automatically. This application setting is intended for use with the V1 (classic) configuration experience. If you're using the V2 authentication configuration schema, you should instead use the login.nonce.nonceExpirationInterval configuration value. |
WEBSITE_AUTH_PRESERVE_URL_FRAGMENT |
When set to true and users select app links that contain URL fragments, the sign-in process ensures that the URL fragment part of your URL doesn't get lost in the sign-in redirect process. For more information, see Customize sign-in and sign-out in Azure App Service authentication. |
WEBSITE_AUTH_USE_LEGACY_CLAIMS |
To maintain backward compatibility across upgrades, the authentication module uses the legacy claims mapping of short to long names in the /.auth/me API, so certain mappings are excluded (for example, "roles"). To get the more modern version of the claims mappings, set this variable to False. In the "roles" example, it would be mapped to the long claim name http://schemas.microsoft.com/ws/2008/06/identity/claims/role. |
WEBSITE_AUTH_DISABLE_WWWAUTHENTICATE |
true or false. The default value is false. When it's set to true, it removes the WWW-Authenticate HTTP response header from module-generated HTTP 401 responses. This application setting is intended for use with the V1 (classic) configuration experience. If you're using the V2 authentication configuration schema, you should instead use the identityProviders.azureActiveDirectory.login.disableWwwAuthenticate configuration value. |
WEBSITE_AUTH_STATE_DIRECTORY |
Local file system's directory path where tokens are stored when the file-based token store is enabled. The default value is %HOME%\Data\.auth. This application setting is intended for use with the V1 (classic) configuration experience. If you're using the V2 authentication configuration schema, you should instead use the login.tokenStore.fileSystem.directory configuration value. |
WEBSITE_AUTH_TOKEN_CONTAINER_SASURL |
Fully qualified blob container URL. Instructs the authentication module to store and load all encrypted tokens to the specified blob storage container instead of using the default local file system. |
WEBSITE_AUTH_TOKEN_REFRESH_HOURS |
Any positive decimal number. The default value is 72 (hours). This setting controls the amount of time after a session token expires that the /.auth/refresh API can be used to refresh it. Refresh attempts after this period fail, and users are required to sign in again. This application setting is intended for use with the V1 (classic) configuration experience. If you're using the V2 authentication configuration schema, you should instead use the login.tokenStore.tokenRefreshExtensionHours configuration value. |
WEBSITE_AUTH_TRACE_LEVEL |
Controls the verbosity of authentication traces written to application logging. Valid values are Off, Error, Warning, Information, and Verbose. The default value is Verbose. |
WEBSITE_AUTH_VALIDATE_NONCE |
true or false. The default value is true. This value should never be set to false except when you're temporarily debugging cryptographic nonce validation failures that occur during interactive logins. This application setting is intended for use with the V1 (classic) configuration experience. If you're using the V2 authentication configuration schema, you should instead use the login.nonce.validateNonce configuration value. |
WEBSITE_AUTH_V2_CONFIG_JSON |
Azure App Service automatically populates this environment variable. This variable is used to configure the integrated authentication module. Its value corresponds to the V2 (non-classic) authentication configuration for the current app in Azure Resource Manager. It's not intended to be configured explicitly. |
WEBSITE_AUTH_ENABLED |
Read-only. Injected into a Windows or Linux app to indicate whether App Service authentication is enabled. |
WEBSITE_AUTH_ENCRYPTION_KEY |
By default, the automatically generated key is used as the encryption key. To override, set to a desired key. We recommend this environment variable if you want to share tokens or sessions across multiple apps. If you specify it, it supersedes the MACHINEKEY_DecryptionKey setting. |
WEBSITE_AUTH_SIGNING_KEY |
By default, the automatically generated key is used as the signing key. To override, set to a desired key. We recommend this environment variable if you want to share tokens or sessions across multiple apps. If you specify it, it supersedes the MACHINEKEY_ValidationKey setting. |
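The constraints in the preceding table can be checked mechanically before a deployment. The following Python lint is an added example, not part of the original reference; the function names, the constructed sample values, the decision to flag a nonce lifetime above the documented default, and the check for the @Microsoft.KeyVault( reference prefix are assumptions of this example.

```python
import re

TRACE_LEVELS = {"Off", "Error", "Warning", "Information", "Verbose"}
DEFAULT_NONCE_SECONDS = 5 * 60  # documented default 00:05:00
KEYVAULT_PREFIX = "@Microsoft.KeyVault("  # assumption: key vault reference syntax

def timespan_seconds(value):
    """Parse hours:minutes:seconds; return None when malformed."""
    m = re.fullmatch(r"(\d+):([0-5]?\d):([0-5]?\d)", value)
    if not m:
        return None
    hours, minutes, seconds = map(int, m.groups())
    return hours * 3600 + minutes * 60 + seconds

def audit_auth_settings(settings):
    """Return (setting, finding) pairs for a dict of configured app settings."""
    findings = []
    def val(name):
        return str(settings.get(name, "")).strip()

    if val("WEBSITE_AUTH_VALIDATE_NONCE").lower() == "false":
        findings.append(("WEBSITE_AUTH_VALIDATE_NONCE",
                         "nonce validation is off; only for temporary debugging"))
    nonce = val("WEBSITE_AUTH_NONCE_DURATION")
    if nonce:
        secs = timespan_seconds(nonce)
        if secs is None:
            findings.append(("WEBSITE_AUTH_NONCE_DURATION", "not hours:minutes:seconds"))
        elif secs > DEFAULT_NONCE_SECONDS:  # assumption: review anything above default
            findings.append(("WEBSITE_AUTH_NONCE_DURATION", f"{secs}s exceeds default"))
    level = val("WEBSITE_AUTH_TRACE_LEVEL")
    if level and level not in TRACE_LEVELS:
        findings.append(("WEBSITE_AUTH_TRACE_LEVEL", "not a valid trace level"))
    refresh = val("WEBSITE_AUTH_TOKEN_REFRESH_HOURS")
    if refresh:
        try:
            positive = float(refresh) > 0
        except ValueError:
            positive = False
        if not positive:
            findings.append(("WEBSITE_AUTH_TOKEN_REFRESH_HOURS", "not a positive number"))
    for key in ("WEBSITE_AUTH_ENCRYPTION_KEY", "WEBSITE_AUTH_SIGNING_KEY"):
        if val(key) and not val(key).startswith(KEYVAULT_PREFIX):
            findings.append((key, "literal key material stored in app settings"))
    return findings

# Constructed sample input, not taken from a real app.
SAMPLE = {"WEBSITE_AUTH_VALIDATE_NONCE": "False", "WEBSITE_AUTH_NONCE_DURATION": "01:00:00",
          "WEBSITE_AUTH_TRACE_LEVEL": "Debug", "WEBSITE_AUTH_TOKEN_REFRESH_HOURS": "72",
          "WEBSITE_AUTH_SIGNING_KEY": "0123456789ABCDEF"}
```

The input is the set of configured app settings (for example, an export from your deployment tooling), not the resolved runtime environment.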
Managed identity
The following environment variables are related to managed identities.
Setting name | Description |
---|---|
IDENTITY_ENDPOINT |
Read-only. URL to retrieve the token for the app's managed identity. |
MSI_ENDPOINT |
Deprecated. Use IDENTITY_ENDPOINT. |
IDENTITY_HEADER |
Read-only. Value that must be added to the X-IDENTITY-HEADER header when you're making an HTTP GET request to IDENTITY_ENDPOINT. The platform rotates the value. |
MSI_SECRET |
Deprecated. Use IDENTITY_HEADER. |
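The request described in the preceding table, as an added Python example that is not part of the original reference. The api-version value and the resource query parameter come from the managed identity REST documentation rather than this page; the function names, the sample endpoint, and the stand-in opener are assumptions used so that the block runs offline.

```python
import io
import json
import os
import urllib.parse
import urllib.request

API_VERSION = "2019-08-01"  # assumption: from the managed identity REST docs, not this page

def build_token_request(resource, env=None):
    """Build the GET request for a managed identity token.

    The environment is read on every call because the platform rotates
    IDENTITY_HEADER; a value cached at start-up can go stale.
    """
    env = os.environ if env is None else env
    endpoint = env.get("IDENTITY_ENDPOINT")
    header = env.get("IDENTITY_HEADER")
    if not endpoint or not header:
        raise RuntimeError("IDENTITY_ENDPOINT/IDENTITY_HEADER missing: no managed identity")
    if urllib.parse.urlsplit(endpoint).scheme not in ("http", "https"):
        raise RuntimeError("IDENTITY_ENDPOINT is not an HTTP(S) URL")
    query = urllib.parse.urlencode({"resource": resource, "api-version": API_VERSION})
    sep = "&" if "?" in endpoint else "?"
    return urllib.request.Request(endpoint + sep + query, method="GET",
                                  headers={"X-IDENTITY-HEADER": header})

def fetch_token(resource, env=None, opener=urllib.request.urlopen):
    """Send the request and return the parsed JSON token response."""
    with opener(build_token_request(resource, env), timeout=5) as resp:
        return json.load(resp)

# Constructed values for an offline run; real ones are injected by App Service.
SAMPLE_ENV = {"IDENTITY_ENDPOINT": "http://127.0.0.1:41741/msi/token",
              "IDENTITY_HEADER": "constructed-header-value"}

def fake_opener(request, timeout):
    """Stand-in for the platform endpoint: checks the header, returns a dummy token."""
    assert request.get_header("X-identity-header") == SAMPLE_ENV["IDENTITY_HEADER"]
    return io.BytesIO(json.dumps({"access_token": "constructed", "token_type": "Bearer"}).encode())
```

Treat IDENTITY_HEADER like a credential: keep it out of logs and error messages.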
Health check
The following environment variables are related to health checks.
Setting name | Description |
---|---|
WEBSITE_HEALTHCHECK_MAXPINGFAILURES |
Maximum number of failed pings before removing the instance. Set to a value between 2 and 100. When you're scaling up or out, App Service pings the health check's path to ensure that new instances are ready. For more information, see Health check. |
WEBSITE_HEALTHCHECK_MAXUNHEALTHYWORKERPERCENT |
To avoid overwhelming healthy instances, no more than half of the instances are excluded. For example, if an App Service plan is scaled to four instances and three are unhealthy, at most two are excluded. The other two instances (one healthy and one unhealthy) continue to receive requests. In the worst-case scenario where all instances are unhealthy, none are excluded. To override this behavior, set to a value between 1 and 100. A higher value means more unhealthy instances are removed. The default is 50 (50%). |
Push notifications
The following environment variables are related to the push notifications feature.
Setting name | Description |
---|---|
WEBSITE_PUSH_ENABLED |
Read-only. Added when push notifications are enabled. |
WEBSITE_PUSH_TAG_WHITELIST |
Read-only. Contains the tags in the notification registration. |
WEBSITE_PUSH_TAGS_REQUIRING_AUTH |
Read-only. Contains a list of tags in the notification registration that require user authentication. |
WEBSITE_PUSH_TAGS_DYNAMIC |
Read-only. Contains a list of tags in the notification registration that were added automatically. |
Note
The preceding table refers to whitelist, a term that Microsoft no longer uses. When the term is removed from the software, we'll remove it from this article.
WebJobs
The following environment variables are related to WebJobs.
Setting name | Description |
---|---|
WEBJOBS_RESTART_TIME |
For continuous jobs, delay in seconds when a job's process goes down for any reason before it's restarted. |
WEBJOBS_IDLE_TIMEOUT |
For triggered jobs, timeout in seconds. After this timeout, the job is stopped if it's idle, has no CPU time, or has no output. |
WEBJOBS_HISTORY_SIZE |
For triggered jobs, maximum number of runs kept in the history directory per job. The default is 50. |
WEBJOBS_STOPPED |
Set to 1 to disable running any job and stop all currently running jobs. |
WEBJOBS_DISABLE_SCHEDULE |
Set to 1 to turn off all scheduled triggering. Jobs can still be manually invoked. |
WEBJOBS_ROOT_PATH |
Absolute or relative path of WebJob files. For a relative path, the value is combined with the default root path (D:/home/site/wwwroot/ or /home/site/wwwroot/). |
WEBJOBS_LOG_TRIGGERED_JOBS_TO_APP_LOGS |
Set to true to send output from triggered WebJobs to the pipeline of application logs (which supports file systems, blobs, and tables). |
WEBJOBS_SHUTDOWN_FILE |
File that App Service creates when a shutdown request is detected. It's the WebJob process's responsibility to detect the presence of this file and initiate shutdown. When you use the WebJobs SDK, this part is handled automatically. |
WEBJOBS_PATH |
Read-only. Root path of currently running job, under a temporary directory. |
WEBJOBS_NAME |
Read-only. Current job name. |
WEBJOBS_TYPE |
Read-only. Current job type (triggered or continuous). |
WEBJOBS_DATA_PATH |
Read-only. Metadata path to contain the current job's logs, history, and artifacts. |
WEBJOBS_RUN_ID |
Read-only. For triggered jobs, current run ID of the job. |
Functions
Setting name | Description |
---|---|
WEBSITE_FUNCTIONS_ARMCACHE_ENABLED |
Set to 0 to disable the functions cache. |
WEBSITE_MAX_DYNAMIC_APPLICATION_SCALE_OUT |
See App settings reference for Azure Functions. |
AzureWebJobsSecretStorageType |
See App settings reference for Azure Functions. |
FUNCTIONS_EXTENSION_VERSION |
See App settings reference for Azure Functions. |
FUNCTIONS_WORKER_RUNTIME |
See App settings reference for Azure Functions. |
AzureWebJobsStorage |
See App settings reference for Azure Functions. |
WEBSITE_CONTENTAZUREFILECONNECTIONSTRING |
See App settings reference for Azure Functions. |
WEBSITE_CONTENTSHARE |
See App settings reference for Azure Functions. |
WEBSITE_CONTENTOVERVNET |
See App settings reference for Azure Functions. |
WEBSITE_ENABLE_BROTLI_ENCODING |
See App settings reference for Azure Functions. |
WEBSITE_USE_PLACEHOLDER |
See App settings reference for Azure Functions. |
WEBSITE_PLACEHOLDER_MODE |
Read-only. Shows whether the function app is running on a placeholder host (generalized) or its own host (specialized). |
WEBSITE_DISABLE_ZIP_CACHE |
When your app runs from a ZIP package (WEBSITE_RUN_FROM_PACKAGE=1), the five most recently deployed ZIP packages are cached in the app's file system (D:\home\data\SitePackages). Set this variable to 1 to disable this cache. For Linux consumption apps, the ZIP package cache is disabled by default. |