Azure App Service Deployment (Node.js)
This skill outlines the flawless, best-practice path to deploy a Node.js application to Azure App Service (Linux) while securely connecting to an Azure AI Foundry agent via Managed Identity.
1. Cloud Infrastructure Setup
- App Service Plan: Always choose a dedicated tier (e.g., Basic B1) for production. Free (F1) tiers have strict 60-minute daily CPU quotas that will forcefully shut down the application (resulting in a 403 Stopped error).
2. Authentication & Managed Identity (Passwordless)
- Code: Use DefaultAzureCredential from @azure/identity in the Node.js backend.
- Enable Identity: In the Azure App Service portal, go to Settings > Identity and enable System assigned.
- IAM Permissions: In the target Azure AI Project, go to Access control (IAM) and assign the Azure AI Developer role to the App Service's Managed Identity. (Note: Cognitive Services OpenAI User is not sufficient for Azure Foundry Orchestration Agents).
3. Environment Variables (The Frontend vs Backend Trap)
When deploying a full-stack app (React/Vite + Node.js) via GitHub Actions, environment variables must be split logically:
The Frontend (Vite)
- Variables prefixed with VITE_ (e.g., Supabase keys) are baked into the static HTML/JS at build time.
- Where to set them: They MUST be stored in GitHub Secrets and explicitly mapped in your .github/workflows file under the env: block for the npm run build step.
- Danger: If they are only in Azure and not in GitHub Actions, Vite will build the frontend with empty variables.
The Backend (Node.js)
- The live server.js file reads environment variables at runtime from the cloud container.
- Where to set them: Configure variables (e.g., Azure AI endpoints, Backend Supabase keys) directly in the Azure Portal under Settings > Environment variables.
- Danger: The Azure App Service backend does NOT inherit your GitHub Actions secrets. You must set them in the Azure Portal manually.
- Crucial: Variables are loaded into memory exactly once when the Node.js process starts. If a variable is added or changed, you must explicitly click Restart on the App Service Overview page.
- To trust the Azure Load Balancer (required for express-rate-limit), ensure the Express app has app.set('trust proxy', 1);.
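One way to catch both traps early, as an added example that is not part of the original skill: a dependency-free check that fails the GitHub build when a VITE_ variable is empty and fails server startup when a runtime variable is missing. The variable names and the SENSITIVE name pattern are assumptions; the check also flags VITE_ names that look like secrets, since anything with that prefix ends up in the public bundle.

```javascript
// Added example, not from the original page. Variable names are hypothetical
// placeholders; replace them with the ones your app actually reads.
const SPEC = {
  // Needed in the GitHub Actions env: block of the npm run build step.
  build: ['VITE_SUPABASE_URL', 'VITE_SUPABASE_ANON_KEY'],
  // Needed in App Service > Settings > Environment variables.
  runtime: ['AZURE_AI_PROJECT_ENDPOINT', 'SUPABASE_SERVICE_ROLE_KEY'],
};

// Name fragments that suggest a value that must not ship in browser JS.
const SENSITIVE = /SECRET|PASSWORD|SERVICE_ROLE|PRIVATE|CONNECTION_STRING/i;

// Returns a list of human-readable problems; an empty list means the phase is OK.
function checkEnv(phase, env, spec = SPEC) {
  const problems = [];
  for (const name of spec[phase] || []) {
    const value = env[name];
    if (typeof value !== 'string' || value.trim() === '') {
      problems.push(`${name} is missing or empty for the ${phase} phase`);
    }
  }
  if (phase === 'build') {
    // Every VITE_ variable is inlined into the static bundle, so flag names
    // that look secret or that duplicate a backend-only variable.
    for (const name of Object.keys(env)) {
      if (!name.startsWith('VITE_')) continue;
      const bare = name.slice('VITE_'.length);
      if (SENSITIVE.test(name) || spec.runtime.includes(bare)) {
        problems.push(`${name} would be baked into the public bundle`);
      }
    }
  }
  return problems;
}

// Fail fast: call enforceEnv('build', process.env) in a script run before
// npm run build, and enforceEnv('runtime', process.env) at the top of server.js.
function enforceEnv(phase, env, spec = SPEC) {
  const problems = checkEnv(phase, env, spec);
  if (problems.length > 0) {
    throw new Error(`Environment check failed:\n- ${problems.join('\n- ')}`);
  }
}
```

Because the App Service process reads its variables once at start, a failed runtime check here shows up immediately in the startup log after a Restart rather than as a later request error.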
4. GitHub Actions CI/CD Pipeline
The safest deployment strategy avoids conflicting build engines (GitHub vs. Azure Oryx). Let GitHub do 100% of the building and packaging.
Workflow Best Practices:
- GitHub runs npm install and the frontend build (npm run build).
- GitHub uploads an artifact containing the compiled output (dist), backend files (server.js), and crucially, the node_modules folder.
  - Why? If node_modules is omitted, Azure's Oryx engine attempts to build the app itself by executing npm run build, which will crash because the raw source files (index.html) were not uploaded.
- Use azure/webapps-deploy@v3 with a Publish Profile stored as a GitHub Secret.