Machine Keys on an Azure App Service, machineKey multiple, different data centers, regions on Azure

I wrote this article some time ago, Machine Keys on an Azure App Service, machineKey multiple instances Azure, which describes how and why there are no problems running on multiple instances of your App Service Plan, so long as they are in the same region or datacenter.  This is because, as part of the App Service offering, your Web App configuration is securely stored and reused whenever a new instance of your Web App is built, for example when scaling out.  This configuration contains the Machine Key.  However, the storage of the configuration is constrained to a tenant.  I discuss what a tenant is here, but in summary it is a virtual boundary between numerous groupings of Web Apps; multiple tenants exist within a single region or datacenter.

This means that if your App Service Plan needs to exist in different tenants or regions, usually for redundancy and failover scenarios, and your application depends on having the same Machine Key everywhere, then the approach in the article I referred to above would not work.  There is a solution, however, which is achieved by setting the machine key in Application Settings (appSettings).  The appSetting names are:

  • MACHINEKEY_ValidationKey
  • MACHINEKEY_DecryptionKey

You can read more about them here.

Storing information like this as an app setting might raise security concerns, depending on your application requirements.  You might consider storing these values in an Azure Key Vault protected by Managed Identity.  This results in the keys being stored as secrets which are accessed via a REST API protected by the identity of the app.  Have a read of this article for more information: “Use Key Vault references for App Service and Azure Functions”.
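As an added example (not code from the original article or from Azure), the Python helper below generates a validation key and a decryption key of the sizes the ASP.NET machineKey element expects (64 bytes for HMACSHA256 validation, 32 bytes for AES decryption), builds the two MACHINEKEY_* app settings, produces the @Microsoft.KeyVault(...) reference form of a setting, and checks that the apps deployed in two regions actually carry identical values. The vault, secret, app and resource-group names are placeholders, and the az CLI command is only assembled as a string, not executed.

```python
import re
import secrets

# Key sizes recommended for the ASP.NET machineKey element (assumption documented
# in the lead-in): 64 bytes for an HMACSHA256 validationKey, 32 bytes for an
# AES-256 decryptionKey. Both are expressed as upper-case hex in the setting.
VALIDATION_KEY_BYTES = 64
DECRYPTION_KEY_BYTES = 32

SETTING_NAMES = ("MACHINEKEY_ValidationKey", "MACHINEKEY_DecryptionKey")
HEX_RE = re.compile(r"^[0-9A-F]+$")


def generate_machine_keys():
    """Return (validationKey, decryptionKey) as hex strings from a CSPRNG."""
    return (
        secrets.token_hex(VALIDATION_KEY_BYTES).upper(),
        secrets.token_hex(DECRYPTION_KEY_BYTES).upper(),
    )


def is_valid_key(key, expected_bytes):
    """A key is acceptable only if it is hex and exactly the expected length."""
    return bool(HEX_RE.match(key)) and len(key) == expected_bytes * 2


def app_settings_for(validation_key, decryption_key):
    """Build the App Service application settings that override the machineKey."""
    if not is_valid_key(validation_key, VALIDATION_KEY_BYTES):
        raise ValueError("validation key must be %d hex bytes" % VALIDATION_KEY_BYTES)
    if not is_valid_key(decryption_key, DECRYPTION_KEY_BYTES):
        raise ValueError("decryption key must be %d hex bytes" % DECRYPTION_KEY_BYTES)
    return {
        "MACHINEKEY_ValidationKey": validation_key,
        "MACHINEKEY_DecryptionKey": decryption_key,
    }


def key_vault_reference(vault_name, secret_name, secret_version=None):
    """Key Vault reference syntax an app setting can carry instead of the raw value."""
    ref = "@Microsoft.KeyVault(VaultName=%s;SecretName=%s" % (vault_name, secret_name)
    if secret_version:
        ref += ";SecretVersion=%s" % secret_version
    return ref + ")"


def az_appsettings_command(app_name, resource_group, settings):
    """Assemble (not run) the az CLI command that applies the settings to one app."""
    pairs = " ".join("%s=%s" % (k, v) for k, v in sorted(settings.items()))
    return ("az webapp config appsettings set --name %s --resource-group %s "
            "--settings %s" % (app_name, resource_group, pairs))


def machine_keys_consistent(settings_by_region):
    """True when every region's app exposes the same, non-empty machine-key settings.

    Forms-auth tickets and ViewState produced in one region must validate in
    the other, so a mismatch here means failover will log users out."""
    observed = {tuple(s.get(n) for n in SETTING_NAMES)
                for s in settings_by_region.values()}
    return len(observed) == 1 and None not in next(iter(observed))


if __name__ == "__main__":
    # Constructed walkthrough: one key pair, pushed to both regional apps.
    validation, decryption = generate_machine_keys()
    settings = app_settings_for(validation, decryption)
    for region in ("westeurope", "northeurope"):
        print(az_appsettings_command("myapp-%s" % region, "rg-myapp", settings))
    # Key Vault form of the same setting (placeholder vault/secret names).
    print(key_vault_reference("kv-placeholder", "machinekey-validation"))
    print("consistent:", machine_keys_consistent(
        {"westeurope": settings, "northeurope": dict(settings)}))
```

Run the consistency check against the settings you read back from each app after deployment, not against what you intended to set; the point of the article is that the two regions share nothing automatically, so the only proof is the value each app actually holds.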