---
title: Azure App Service Site Extension
summary: null
url: >-
  https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/paas/azure-app-service
---

> **IMPORTANT:** The Next-Gen WAF site extension for Azure App Service does not support Azure Functions.

The Azure site extension adds the Next-Gen WAF to any IIS web application hosted on Azure App Service.

The Azure site extension downloads and installs the Next-Gen WAF agent and IIS module. The extension also registers the IIS module to the IIS web server in Azure App Service by generating the XML transformation file, `applicationHost.xdt`. XML transformations are currently the only way to edit the IIS configuration file, `applicationHost.config`.

The Next-Gen WAF agent and module for IIS are configured by using environment variables. Environment variables are set in the web app configuration in the Azure Portal.

Module and agent binaries are extracted into a directory in the App Service environment with the name derived from the downloaded zip file. Agent and module binaries may not be deleted if the site is running.

## Prerequisites

[Copy the agent keys](/guides/next-gen-waf/setup-and-configuration/agent-management/accessing-agent-keys) for the site that you want the agent to be able to access. You will use the agent keys when configuring the Next-Gen WAF agent package.

## Access Keys configuration

Before adding the Next-Gen WAF site extension, you must first set the Access Key and Secret Key for the Next-Gen WAF agent by setting environment variables in the application settings on <https://portal.azure.com/>.

1. Log in to the Azure Portal.

2. Click **App Services**.

3. Select your web app.

4. Search for `environment` in the Search header bar.

5. Click **Environment variables**, which should be under the Settings header.

6. Click **Add** to include a new App setting.

7. In the New Application Setting menu page, add your site's (workspace's) [agent keys](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/agent-management/accessing-agent-keys) as two name/value pairs:

   ```text
   $ Name: SIGSCI_ACCESSKEYID
   $ Value: <accesskeyid from the Next-Gen WAF control panel or Fastly control panel>

   $ Name: SIGSCI_SECRETACCESSKEY
   $ Value:<secretaccesskey from the Next-Gen WAF control panel or Fastly control panel>
   ```

   Optionally, add the following variable to provide a unique agent name if using the same agent keys for multiple web apps.

   ```text
   $ Name: SIGSCI_SERVER_HOSTNAME
   $ Value: <unique value/name for the agent>
   ```

8. Click **Save**.

9. Click on **Overview** in the side bar.

10. Click **Stop** and then **Start** to restart the web app.

## Install the WAF site extension

> **HINT:** The site extension will take a few minutes to download and install. During this time, the web application may be unavailable or display a `502` error until the site extension is installed.

1. Log in to the Azure Portal.
2. Click **App Services**.
3. Select your web app.
4. Search for `extension` in the Search header bar.
5. Click **Extensions**, which should be under the Development Tools header.
6. Click **Add**.
7. Filter for **Signal Sciences WAF** within the Add site extension menu and confirm the acknowledgement to add.

## Managing the WAF site extension

Follow these steps when managing the WAF site extension.

### Upgrading the Next-Gen WAF agent and module

There are two methods for upgrading the Next-Gen WAF agent and module:

- reinstalling the extension
- using the Azure CLI

#### Reinstalling the WAF site extension

In the Azure Portal, delete and [reinstall](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/paas/azure-app-service#install-the-waf-site-extension) the WAF site extension. When the extension is reinstalled, the latest version of the Next-Gen WAF agent and IIS module will be downloaded and installed.

#### Using the Azure CLI

Open the Azure CLI and run the `install.cmd` script in the site extension directory. This method can also be used in a PowerShell script for automating the upgrade of multiple agents.

1. Log in to the Azure Portal.
2. Click **App Services**.
3. Select your web app.
4. Search for `Console`, in the Search header bar.
5. Click **Console**, which should be under the Development Tools header.
6. In the Windows `cmd` shell run the install script:

   ```cmd
   cd %SystemDrive%\home\SiteExtensions\SignalSciences.Azure.Site.Extension
   install.cmd
   ```
7. The web app will need to be restarted for the updates to be reflected.

#### Enabling agent auto-update

Create a WebJob and an Azure Automation runbook to look for a new version of the agent and update the agent when a new version is available.

To create the WebJob:

1. Using command prompt, copy the following commands to locally create a bash script with extension (\*.sh) that will be uploaded to the Azure Portal.

   ```cmd
   cd D:\\home\\SiteExtensions\\SignalSciences.Azure.Site.Extension
   ./install.bash
   ```
2. Navigate to the [Azure portal](https://portal.azure.com/).
3. Under **Settings**, click **WebJobs**
4. From the WebJobs page, click **Add**.
5. Fill out the fields to create a new WebJob as follows:
   - **Name** - enter a name for the WebJob.
   - **File Upload** - click **Browse** to browse to navigate to the bash script you created on your system using the file picker.
   - **Type** - select **Triggered**.
   - **Triggers** - enter **Manual**.
6. Click **Create WebJob**.
7. Run the WebJob to ensure successful execution.

To create an Azure Automation runbook:

1. Using the [Azure portal](https://portal.azure.com/), navigate to your Azure Automation account or [create an account](https://portal.azure.com/#create/Microsoft.AutomationAccount) if you don't already have one.

2. Under **Account Settings**, click **Identity**.

3. Click **Azure role assignments**.

4. Click **Add role assignment**.

5. Fill out the fields to create a new role assignment as follows:
   - **Scope** - select **Resource group**
   - **Resource group** - select a resource group.
   - **Role** - select **Contributor**.

6. Click **Save**.

7. Under **Process Automation**, click **Runbooks**.

8. Click **Create a runbook**.

9. Fill out the fields to create a new runbook as follows:
   - **Name** - enter a name for the runbook.
   - **Runbook type** - select **PowerShell**.
   - **Runtime version** - select version 5.1.

10. Click **Create**.

11. Copy the code below and paste in the editor pane, being sure to update with your resource group and web app names:

    ```text
    Connect-AzAccount -Identity
    Start-AzWebAppTriggeredWebJob -ResourceGroupName MyResourceGroupName -AppName MyWebAppName -Name MyWebAppWebJobName
    Restart-AzWebApp -ResourceGroupName MyResourceGroupName -Name MyWebAppName
    ```

    > **NOTE:** The web app will need to be restarted for the updates to be reflected.

12. _(Optional)_ Open the Test pane to run a test.

13. Click **Publish**.

14. Under **Resources**, click **Schedules**.

15. Click **Add a schedule**.

16. To link a schedule to your runbook, click **Add a schedule**.

17. Fill out the fields to create a schedule as follows:
    - **Name** - enter a name for the schedule.
    - **Field name** - set the time you want it to run each month
    - Click **Recurring** and select **Day** from the menu.

18. Click **Create**.

## Troubleshooting

- To enable debug logging for the extension, add the following environment variable, **SIGSCI_MODULE_DEBUG** to `1`.

- Windows event log can be viewed gathered in the KuduPlus environment. Search for `Advanced` in the Search header bar—`Advanced Tools` should be under Development Tools.

   Click on **Go** and select **Debug Console** from the menu.

   Click on **LogFiles** and select **eventlog.xml**.

## Related content

- [PaaS overview](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/paas/paas-install-intro)
- [Getting started with the agent](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/agent-management/getting-started-with-the-agent)