Tags: azure, asp.net-core, azure-keyvault, azure-app-configuration

How to enable logging and speed up startup time for Azure App Configuration?


I'm using Azure App Configuration in my .NET application to load configuration settings at startup. However, I've encountered two issues that I'd like help with:

Here's the code I’m using to add Azure App Configuration:

using Azure.Identity;
using Microsoft.Extensions.Configuration.AzureAppConfiguration;

namespace Api.Azure;

public static class AzureAppConfiguration
{
    public static WebApplicationBuilder AddAzureAppConfiguration(this WebApplicationBuilder builder)
    {
        ArgumentNullException.ThrowIfNull(builder);

        var endpoint = builder.Configuration["Azure:AppConfiguration:Endpoint"];
        if (string.IsNullOrEmpty(endpoint))
        {
            // Azure App Configuration endpoint is not set, using local configuration...
            return builder;
        }

        builder.Configuration.AddAzureAppConfiguration(options =>
        {
            options.Connect(new Uri(endpoint), new DefaultAzureCredential())
                .Select(KeyFilter.Any)
                .ConfigureKeyVault(vaultOptions => vaultOptions.SetCredential(new DefaultAzureCredential()));
        });

        return builder;
    }
}

Solution

  • Assuming the app and the config service are in the same dc, the delay could be caused by DefaultAzureCredential. As it's officially stated -

    Simplifies authentication while developing apps that deploy to Azure by combining credentials used in Azure hosting environments with credentials used in local development. In production, it's better to use something else

    And this one -

    Performance overhead: The process of sequentially trying multiple credentials can introduce performance overhead. For example, when running on a local development machine, managed identity is unavailable. Consequently, ManagedIdentityCredential always fails in the local development environment, unless explicitly disabled via its corresponding Exclude-prefixed property.

    Add the next piece to see if it's true -

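    using System.Diagnostics.Tracing; // EventLevel
    using Azure.Core.Diagnostics;     // AzureEventSourceListener

    // Prints Azure SDK events (credential resolution, HTTP requests) while in scope
    using AzureEventSourceListener listener = new((args, message) =>
    {
        Console.WriteLine(message); //TODO: replace with a relevant output destination
    }, EventLevel.LogAlways);
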

    From the logs you should be able to see when the creds have been resolved and the time it took to fetch the config data.

    Update

    As the key vault seems to be the root cause, here are some ideas -

    1. As per Configure Applications with App Configuration and Key Vault, store as many items as possible in the app config. Like, make sure that the secrets you're pulling out ought to be key vault secrets.

    2. See if you could squeeze your secrets into a single json object to reduce the number of calls.

    3. AzureAppConfigurationProvider processes keys one by one, so each item is a separate call to SecretClient. So use the "options" parameter in ConfigureKeyVault to register your own SecretClient that will be used to retrieve data from the key vault (options.Register(new MySecretClient())). You could modify the original SecretClient's code to retrieve and cache all the secrets at once in advance. See How to get all secrets in one call Azure key vault.

    4. Finally, same as in #3, build your custom SecretClient, but this time just use a co-located source to replace SecretClient's internal cache, like Redis or whatever. You can encrypt cached values via the DataProtection service.
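
An added example, not code from the question or the answer: the question's extension method reworked so the credential chain is only used in Development, one credential instance is shared by App Configuration and Key Vault, and the Azure SDK events are timestamped around the load. The class and method names are hypothetical, and it assumes the app runs with a managed identity outside Development and uses the web SDK's implicit usings, as the question's code does.

```csharp
using System.Diagnostics;
using System.Diagnostics.Tracing;
using Azure.Core;
using Azure.Core.Diagnostics;
using Azure.Identity;
using Microsoft.Extensions.Configuration.AzureAppConfiguration;

namespace Api.Azure;

// Hypothetical variant of the question's AddAzureAppConfiguration (names are assumptions).
public static class AzureAppConfigurationTimed
{
    public static WebApplicationBuilder AddAzureAppConfigurationTimed(this WebApplicationBuilder builder)
    {
        ArgumentNullException.ThrowIfNull(builder);

        var endpoint = builder.Configuration["Azure:AppConfiguration:Endpoint"];
        if (string.IsNullOrEmpty(endpoint))
        {
            return builder; // endpoint not set, keep local configuration
        }

        // Development: keep the chain but drop the managed identity probe that always fails locally.
        // Elsewhere: a single, explicit credential, so no other identity source is ever tried.
        TokenCredential credential = builder.Environment.IsDevelopment()
            ? new DefaultAzureCredential(new DefaultAzureCredentialOptions
            {
                ExcludeManagedIdentityCredential = true,
            })
            : new ManagedIdentityCredential();

        // WebApplicationBuilder.Configuration loads a source as soon as it is added,
        // so the listener only has to live for the duration of this method.
        var clock = Stopwatch.StartNew();
        using var listener = new AzureEventSourceListener(
            (args, message) => Console.WriteLine($"[{clock.ElapsedMilliseconds,6} ms] {args.EventSource.Name}: {message}"),
            EventLevel.Informational);

        builder.Configuration.AddAzureAppConfiguration(options =>
        {
            // Same instance for both services, so credential resolution happens once.
            options.Connect(new Uri(endpoint), credential)
                .Select(KeyFilter.Any)
                .ConfigureKeyVault(vaultOptions => vaultOptions.SetCredential(credential));
        });

        Console.WriteLine($"App Configuration + Key Vault load: {clock.ElapsedMilliseconds} ms");
        return builder;
    }
}
```

The gaps between consecutive timestamps show whether the time goes to token acquisition or to the per-key Key Vault requests the update describes.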