MicrosoftDocs
diff --git a/‎articles/app-service/app-service-configuration-references.md‎
Lines changed: 59 additions & 9 deletions b/‎articles/app-service/app-service-configuration-references.md‎
Lines changed: 59 additions & 9 deletions
diff --git a/‎articles/app-service/scripts/terraform-secure-backend-frontend.md‎
Lines changed: 35 additions & 30 deletions b/‎articles/app-service/scripts/terraform-secure-backend-frontend.md‎
Lines changed: 35 additions & 30 deletions
diff --git a/‎articles/application-gateway/configuration-infrastructure.md‎
Lines changed: 6 additions & 6 deletions b/‎articles/application-gateway/configuration-infrastructure.md‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎articles/container-apps/opentelemetry-agents.md‎
Lines changed: 3 additions & 2 deletions b/‎articles/container-apps/opentelemetry-agents.md‎
Lines changed: 3 additions & 2 deletions
@@ -4,7 +4,7 @@ description: Set up Azure App Service and Azure Functions to use App Configurati
 author: muksvso
 
 ms.topic: how-to
-ms.date: 05/08/2025
+ms.date: 03/30/2026
 ms.author: mubatra
 
 #customer intent: As a developer, I want to use Azure App Configuration references so that I can make configuration key/value pairs available to code.  
@@ -17,6 +17,20 @@ ms.custom: sfi-ropc-nochange
 
 This article shows how to work with configuration data in Azure App Service or Azure Functions applications without making any code changes. [Azure App Configuration](../azure-app-configuration/overview.md) is an Azure service that you can use to centrally manage application configuration. It's also an effective tool for auditing your configuration values over time or across releases.
 
+## Important notes for Azure Functions local development
+
+App Configuration references (`@Microsoft.AppConfiguration(...)`) are resolved by the Azure App Service/Functions platform when your app runs in Azure.
+
+- **Azure (supported):** Put the reference in your function app's **Application settings** (for example, in the Azure portal, ARM/Bicep, or other deployment tooling).
+- **Local (not supported):** The Functions host running on your development machine doesn't resolve `@Microsoft.AppConfiguration(...)` values from *local.settings.json*.
+- **User secrets (not supported):** The Functions user secrets store (*secrets.json*) is also not processed for `@Microsoft.AppConfiguration(...)` references.
+- **SDK code (not required for this feature):** Calling `AddAzureAppConfiguration()` configures the App Configuration SDK for in-process resolution, but it doesn't make the platform resolve `@Microsoft.AppConfiguration(...)` references locally.
+
+If you want the same configuration values locally, use one of the following approaches:
+
+- Add the values directly to *local.settings.json* (for example, set `MySetting` to the literal value you want locally).
+- Use the App Configuration SDK in your app code (for example, by configuring `AddAzureAppConfiguration()` and connecting to your store with a connection string or credentials appropriate for local dev). This approach is separate from platform references.
+
 ## Grant app access to App Configuration
 
 To get started with using App Configuration references in App Service, first you create an App Configuration store. You then grant permissions to your app to access the configuration key/value pairs that are in the store.
@@ -78,20 +92,58 @@ An App Configuration reference has the form `@Microsoft.AppConfiguration({refere
 Here's an example of a complete reference that includes `Label`:
 
 ```json
-@Microsoft.AppConfiguration(Endpoint=https://myAppConfigStore.azconfig.io; Key=myAppConfigKey; Label=myKeyLabel)
+@Microsoft.AppConfiguration(Endpoint=https://myAppConfigStore.azconfig.io; Key=myAppConfigKey; Label=myKeyLabel)
 ```
 
 Here's an example that doesn't include `Label`:
 
 ```json
-@Microsoft.AppConfiguration(Endpoint=https://myAppConfigStore.azconfig.io; Key=myAppConfigKey)
+@Microsoft.AppConfiguration(Endpoint=https://myAppConfigStore.azconfig.io; Key=myAppConfigKey)
 ```
 
 Any configuration change to the app that results in a site restart causes an immediate refetch of all referenced key/value pairs from the App Configuration store.
 
 > [!NOTE]
 > Automatic refresh and refetch of these values when the key/value pairs are updated in App Configuration isn't currently supported.
 
+## Working example (Azure Functions)
+
+The following example shows where the `@Microsoft.AppConfiguration(...)` syntax goes for an Azure Functions app.
+
+### 1) Create a key/value in App Configuration
+
+In your App Configuration store, create a key/value pair:
+
+- **Key:** `Demo:Color`
+- **Label:** (optional) `dev`
+- **Value:** `Blue`
+
+### 2) Add an application setting to your function app in Azure
+
+In your Function App (in Azure), add an application setting named `Demo__Color` and set its value to an App Configuration reference.
+
+> [!NOTE]
+> Use double underscores (`__`) if you want .NET configuration binding to map to `Demo:Color`.
+
+**Application setting name**
+
+```text
+Demo__Color
+```
+
+**Application setting value**
+
+```text
+@Microsoft.AppConfiguration(Endpoint=https://myAppConfigStore.azconfig.io; Key=Demo:Color; Label=dev)
+```
+
+### 3) Read the setting in your function code
+
+At runtime, your code reads `Demo:Color` like any other app setting.
+
+> [!TIP]
+> You don't need to call `AddAzureAppConfiguration()` for platform references. Use `AddAzureAppConfiguration()` only when you want to load configuration directly via the SDK.
+
 ## Source application settings from App Configuration
 
 You can use App Configuration references as values for [application settings](configure-common.md#configure-app-settings) so you can keep configuration data in App Configuration instead of in the site configuration settings. Application settings and App Configuration key/value pairs are both securely encrypted at rest. If you need centralized configuration management capabilities, add configuration data to App Configuration.
@@ -162,8 +214,8 @@ Here's a sample template for a function app that has App Configuration reference
                         "[resourceId('Microsoft.AppConfiguration/configurationStores', variables('appConfigStoreName'))]"
                     ],
                     "properties": {
-                        "WEBSITE_FONTNAME": "[concat('@Microsoft.AppConfiguration(Endpoint=', reference(resourceId('Microsoft.AppConfiguration/configurationStores', variables('appConfigStoreName'))).endpoint,'; Key=',variables('FontNameKey'),'; Label=',variables('myLabel'), ')')]",
-                        "WEBSITE_FONTCOLOR": "[concat('@Microsoft.AppConfiguration(Endpoint=', reference(resourceId('Microsoft.AppConfiguration/configurationStores', variables('appConfigStoreName'))).endpoint,'; Key=',variables('FontColorKey'),'; Label=',variables('myLabel'), ')')]",
+                        "WEBSITE_FONTNAME": "[concat('@Microsoft.AppConfiguration(Endpoint=', reference(resourceId('Microsoft.AppConfiguration/configurationStores', variables('appConfigStoreName'))).endpoint,'; Key=',variables('FontNameKey'),'; Label=',variables('myLabel'), ')]",
+                        "WEBSITE_FONTCOLOR": "[concat('@Microsoft.AppConfiguration(Endpoint=', reference(resourceId('Microsoft.AppConfiguration/configurationStores', variables('appConfigStoreName'))).endpoint,'; Key=',variables('FontColorKey'),'; Label=',variables('myLabel'), ')]",
                         "WEBSITE_ENABLE_SYNC_UPDATE_SITE": "true"
                         //...
                     }
@@ -202,7 +254,6 @@ Here's a sample template for a function app that has App Configuration reference
                     //...
                     "dependsOn": [
                         "[resourceId('Microsoft.AppConfiguration/configurationStores', variables('appConfigStoreName'))]"
-
                     ],
                     "properties": {
                         "value": "Calibri",
@@ -216,7 +267,6 @@ Here's a sample template for a function app that has App Configuration reference
                     //...
                     "dependsOn": [
                         "[resourceId('Microsoft.AppConfiguration/configurationStores', variables('appConfigStoreName'))]"
-
                     ],
                     "properties": {
                         "value": "Blue",
@@ -226,8 +276,8 @@ Here's a sample template for a function app that has App Configuration reference
             ]
         },
         {
-            "scope": "[resourceId('Microsoft.AppConfiguration/configurationStores', variables('appConfigStoreName'))]",
-            "type": "Microsoft.Authorization/roleAssignments",
+            "scope": "[resourceId('Microsoft.AppConfiguration/configurationStores', variables('appConfigStoreName')]
+            ,"type": "Microsoft.Authorization/roleAssignments",
             "apiVersion": "2020-04-01-preview",
             "name": "[parameters('roleNameGuid')]",
             "properties": {
 
@@ -4,43 +4,45 @@ description: Learn how to use terraform provider for App Service to deploy two w
 author: ericgre
 ms.assetid: 3e5d1bbd-5581-40cc-8f65-bc74f1802156
 ms.topic: sample
-ms.date: 12/06/2022
+ms.date: 03/30/2026
 ms.author: ericg
 ms.service: azure-app-service
 ms.custom: devx-track-terraform
 ---
 
 # Create two web apps connected securely with Private Endpoint and VNet integration
 
-This article illustrates an example use of [Private Endpoint](../networking/private-endpoint.md) and regional [VNet integration](../overview-vnet-integration.md) to connect two web apps (frontend and backend) securely with the following terraform configuration:
-- Deploy a VNet
-- Create the first subnet for the integration
-- Create the second subnet for the private endpoint, you have to set a specific parameter to disable network policies
-- Deploy one App Service plan of type Basic, Standard, PremiumV2, PremiumV3, IsolatedV2, Functions Premium (sometimes referred to as the Elastic Premium plan), required for Private Endpoint feature
-- Create the frontend web app with specific app settings to consume the private DNS zone, [more details](../overview-vnet-integration.md#azure-dns-private-zones)
-- Connect the frontend web app to the integration subnet
-- Create the backend web app
-- Create the DNS private zone with the name of the private link zone for web app privatelink.azurewebsites.net
-- Link this zone to the VNet
-- Create the private endpoint for the backend web app in the endpoint subnet, and register DNS names (website and SCM) in the previously created DNS private zone
+This article illustrates an example use of [Private Endpoint](../networking/private-endpoint.md) and regional [VNet integration](../overview-vnet-integration.md) to connect two web apps (frontend and backend) securely with the following Terraform configuration:
+
+1. Deploy a VNet
+1. Create the first subnet for the integration
+1. Create the second subnet for the private endpoint, and disable subnet network policies for private endpoints (set `private_endpoint_network_policies_enabled = false`)
+1. Deploy one App Service plan of type Basic, Standard, PremiumV2, PremiumV3, IsolatedV2, Functions Premium (sometimes referred to as the Elastic Premium plan), required for the Private Endpoint feature
+1. Create the frontend web app with specific app settings to consume the private DNS zone. For more information, see [Azure DNS private zones](../overview-vnet-integration.md#azure-dns-private-zones).
+1. Connect the frontend web app to the integration subnet
+1. Create the backend web app
+1. Create the DNS private zone with the name of the private link zone for web apps (`privatelink.azurewebsites.net`)
+1. Link this zone to the VNet
+1. Create the private endpoint for the backend web app in the endpoint subnet, and register DNS names (site and SCM) in the previously created DNS private zone
 
 ## How to use terraform in Azure
 
 Browse to the [Azure documentation](/azure/developer/terraform/) to learn how to use terraform with Azure.
 
 ## The complete terraform file
 
-To use this file, replace the placeholders _\<unique-frontend-app-name>_ and _\<unique-backend-app-name>_ (app name is used to form a unique DNS name worldwide). 
+To use this file, replace the placeholders _\<unique-frontend-app-name>_ and _\<unique-backend-app-name>_ (app name is used to form a unique DNS name worldwide).
 
 ```hcl
 terraform {
   required_providers {
     azurerm = {
-      source = "hashicorp/azurerm"
-      version = "~>3.0"
+      source  = "hashicorp/azurerm"
+      version = "~> 3.0"
     }
   }
 }
+
 provider "azurerm" {
   features {}
 }
@@ -62,8 +64,10 @@ resource "azurerm_subnet" "integrationsubnet" {
   resource_group_name  = azurerm_resource_group.rg.name
   virtual_network_name = azurerm_virtual_network.vnet.name
   address_prefixes     = ["10.0.1.0/24"]
+
   delegation {
     name = "delegation"
+
     service_delegation {
       name = "Microsoft.Web/serverFarms"
     }
@@ -75,7 +79,8 @@ resource "azurerm_subnet" "endpointsubnet" {
   resource_group_name  = azurerm_resource_group.rg.name
   virtual_network_name = azurerm_virtual_network.vnet.name
   address_prefixes     = ["10.0.2.0/24"]
-  private_endpoint_network_policies_enabled = true
+
+  private_endpoint_network_policies_enabled = false
 }
 
 resource "azurerm_service_plan" "appserviceplan" {
@@ -90,25 +95,26 @@ resource "azurerm_windows_web_app" "frontwebapp" {
   name                = "<unique-frontend-app-name>"
   location            = azurerm_resource_group.rg.location
   resource_group_name = azurerm_resource_group.rg.name
-  service_plan_id = azurerm_service_plan.appserviceplan.id
+  service_plan_id     = azurerm_service_plan.appserviceplan.id
 
   site_config {}
+
   app_settings = {
-    "WEBSITE_DNS_SERVER": "168.63.129.16",
-    "WEBSITE_VNET_ROUTE_ALL": "1"
+    "WEBSITE_DNS_SERVER"     = "168.63.129.16"
+    "WEBSITE_VNET_ROUTE_ALL" = "1"
   }
 }
 
 resource "azurerm_app_service_virtual_network_swift_connection" "vnetintegrationconnection" {
-  app_service_id  = azurerm_windows_web_app.frontwebapp.id
-  subnet_id       = azurerm_subnet.integrationsubnet.id
+  app_service_id = azurerm_windows_web_app.frontwebapp.id
+  subnet_id      = azurerm_subnet.integrationsubnet.id
 }
 
 resource "azurerm_windows_web_app" "backwebapp" {
   name                = "<unique-backend-app-name>"
   location            = azurerm_resource_group.rg.location
   resource_group_name = azurerm_resource_group.rg.name
-  service_plan_id = azurerm_service_plan.appserviceplan.id
+  service_plan_id     = azurerm_service_plan.appserviceplan.id
 
   site_config {}
 }
@@ -119,10 +125,10 @@ resource "azurerm_private_dns_zone" "dnsprivatezone" {
 }
 
 resource "azurerm_private_dns_zone_virtual_network_link" "dnszonelink" {
-  name = "dnszonelink"
-  resource_group_name = azurerm_resource_group.rg.name
+  name                  = "dnszonelink"
+  resource_group_name   = azurerm_resource_group.rg.name
   private_dns_zone_name = azurerm_private_dns_zone.dnsprivatezone.name
-  virtual_network_id = azurerm_virtual_network.vnet.id
+  virtual_network_id    = azurerm_virtual_network.vnet.id
 }
 
 resource "azurerm_private_endpoint" "privateendpoint" {
@@ -132,20 +138,19 @@ resource "azurerm_private_endpoint" "privateendpoint" {
   subnet_id           = azurerm_subnet.endpointsubnet.id
 
   private_dns_zone_group {
-    name = "privatednszonegroup"
+    name                 = "privatednszonegroup"
     private_dns_zone_ids = [azurerm_private_dns_zone.dnsprivatezone.id]
   }
 
   private_service_connection {
-    name = "privateendpointconnection"
+    name                           = "privateendpointconnection"
     private_connection_resource_id = azurerm_windows_web_app.backwebapp.id
-    subresource_names = ["sites"]
-    is_manual_connection = false
+    subresource_names              = ["sites"]
+    is_manual_connection           = false
   }
 }
 ```
 
 ## Next steps
 
-
 > [Learn more about using Terraform in Azure](/azure/developer/terraform/)
@@ -84,13 +84,13 @@ Depending on whether you're creating new resources or using existing ones, add t
 
 | Resource | Resource status | Required Azure permissions |
 | --- | --- | --- |
-| Subnet | Create new | `Microsoft.Network/virtualNetworks/subnets/write` <br> 'Microsoft.Network/virtualNetworks/subnets/join/action` |
-| Subnet | Use existing | `Microsoft.Network/virtualNetworks/subnets/read` <br> `Microsoft.Network/virtualNetworks/subnets/join/action` |
-| IP addresses | Create new | `Microsoft.Network/publicIPAddresses/write` <br> `Microsoft.Network/publicIPAddresses/join/action` |
-| IP addresses | Use existing | `Microsoft.Network/publicIPAddresses/read` <br> `Microsoft.Network/publicIPAddresses/join/action` |
-| ApplicationGatewayWebApplicationFirewallPolicies | Create new / Update existing | `Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/write` <br> `Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/read` <br> `Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/join/action` |
+| Subnet | Create new | - Microsoft.Network/virtualNetworks/subnets/write<br>- Microsoft.Network/virtualNetworks/subnets/join/action|
+| Subnet | Use existing | - Microsoft.Network/virtualNetworks/subnets/read<br>- Microsoft.Network/virtualNetworks/subnets/join/action|
+| IP addresses | Create new |- Microsoft.Network/publicIPAddresses/write<br>- Microsoft.Network/publicIPAddresses/join/action|
+| IP addresses | Use existing |- Microsoft.Network/publicIPAddresses/read<br>- Microsoft.Network/publicIPAddresses/join/action|
+| ApplicationGatewayWebApplicationFirewallPolicies | Create new / Update existing |- Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/write<br>-Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/read<br>- Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/join/action|
 
-For more information, see [Azure permissions for Networking](../role-based-access-control/permissions/networking.md) and [Virtual network permissions](../virtual-network/virtual-network-manage-subnet.md#permissions).
+For mo re information, see [Azure permissions for Networking](../role-based-access-control/permissions/networking.md) and [Virtual network permissions](../virtual-network/virtual-network-manage-subnet.md#permissions).
 
 > [!NOTE]
 > When deploying an Application Gateway as part of an [Azure Managed Application](../azure-resource-manager/managed-applications/overview.md), ensure that any deny assignments do not conflict with the RBAC Owner role assignment, as deny assignments take precedence over RBAC permissions.
 
@@ -4,7 +4,7 @@ description: Learn to record and query data collected using OpenTelemetry in Azu
 services: container-apps
 author: craigshoemaker
 ms.service: azure-container-apps
-ms.date: 12/09/2025
+ms.date: 03/30/2026
 ms.author: cshoe
 ms.topic: how-to
 ms.custom:
@@ -756,14 +756,15 @@ In the event of a messaging inturruptions to an endpoint, the OpenTelemetry agen
 
 The OpenTelemetry agent automatically injects a set of environment variables into your application at runtime.
 
-The first two environment variables follow standard OpenTelemetry exporter configuration and are used in OTLP standard software development kits. If you explicitly set the environment variable in the container app specification, your value overwrites the automatically injected value.
+The first three environment variables follow standard OpenTelemetry configuration and are used in OTLP standard software development kits. If you explicitly set the environment variable in the container app specification, your value overwrites the automatically injected value.
 
 Learn about the OTLP exporter configuration see, [OTLP Exporter Configuration](https://opentelemetry.io/docs/languages/sdk-configuration/otlp-exporter/).
 
 | Name | Description |
 |---|---|
 | `OTEL_EXPORTER_OTLP_ENDPOINT` | A base endpoint URL for any signal type, with an optionally specified port number. This setting is helpful when you’re sending more than one signal to the same endpoint and want one environment variable to control the endpoint. Example:  `http://otel.service.k8se-apps:4317/` |
 | `OTEL_EXPORTER_OTLP_PROTOCOL` | Specifies the OTLP transport protocol used for all telemetry data. The managed agent only supports `grpc`. Value: `grpc`. |
+| `OTEL_RESOURCE_ATTRIBUTES` | A comma-separated list of key-value pairs that define [resource attributes](https://opentelemetry.io/docs/specs/otel/resource/sdk/) attached to all telemetry data. The managed agent populates this variable with container app attributes such as the app name and environment. Some OpenTelemetry SDK implementations require you to explicitly enable environment-based resource detection to use these attributes. If you set this variable in the container app specification, your value overwrites the automatically injected value. |
 
 The other three environment variables are specific to Azure Container Apps, and are always injected. These variables hold agent’s endpoint URLs for each specific data type (logs, metrics, traces).