Windows Azure Web Sites vs Web Roles

Welcome! This is a post that covers in great detail the differences between Windows Azure Web Sites and Windows Azure Web Roles (azurewebsites.net vs cloudapp.net). It was first written a couple of days after Web Sites was first released, but I have been keeping it up to date as changes to Web Sites are announced. There is a change log of updates at the bottom of the post and I have struck out content that becomes out of date over time. There is also a good official Microsoft post that gives a similar comparison, but  not quite as comprehensive that you can also refer to.

Shameless Plug: If you are interested in using the power of Azure Web Roles with the nice deployment experience of Azure Web Sites then check out the AzureWebFarm and AzureWebFarm.OctopusDeploy libraries I work on.

Diagrammatic Overview

The Windows Azure Training Kit has a slide with a really nice overview of the three options for deploying web applications in Windows Azure (note: Virtual Machines are outside the scope of this post):

Azure Web Apps Options Overview
Options for deploying websites in Azure and comparison to on-premise hosting.

tl;dr

Azure Web Sites has the following advantages:

  • Out of the box support for ASP.NET, python, PHP, node.js and classic ASP
  • Out of the box support for near-instant Git, VSO, FTP, Web Deploy and Dropbox deployments
  • Out of the box support for configuring a VSO build that can compile code and run tests as part of the deployment
  • Instant roll-backs (when using Git or VSO deployments)
  • Free, out-of-the-box valid HTTPS when using default azurewebsites.net domain
  • Out-of-the-box manual and automated backup and restore
  • Much faster site provisioning and scaling
  • Simpler Visual Studio solution (no need for extra Cloud project)
  • One-click install of common open-source blog and CMS platforms
  • Friendlier, comprehensive in-built (read: one-click to activate) monitoring and diagnostics
  • Automatic configuration modification and config transforms on deploy
  • Multiple websites (deployed separately) on a single farm out of the box
  • Memory dumps via a REST API
  • Out-of-the-box support for remote debugging from Visual Studio
  • Ability to have staging environment with custom domain name and ability to change configuration settings at the same time
  • Always On Support to keep your application pool warmed up and (optionally) auto-heal any problems in your app pool
  • Multiple programming language support for periodic and continuous background jobs
  • Ability to view processes running the machine and their CPU and memory use from the Azure Portal and remotely kill rogue processes
  • Ability to add pre-packaged extensibility via Site Extensions
  • Ability to connect to on-premise resources securely without needing VPN via Hybrid connections

Azure Web Roles has the following advantages:

  • Use non-standard HTTP and/or TCP ports
  • Remote desktop into the VMs
  • Faster Windows Azure Virtual Network connection
  • Run arbitrary startup scripts with or without elevated privileges
  • Use Azure Drive to mount NTFS volumes from blob storage
  • More control over what diagnostic information you would like to collect
  • Full control to configure IIS
  • Perform complex autoscaling
  • Scale to hundreds of VM instances (max in Web Sites is currently 10)
  • Use Extra Small (low cost) and A4 (Extra Large) / A5 / A6 / A7 / A8 / A9 (intense workloads), D-series and G-series VM sizes
  • Install SSL for unlimited custom domain names for free
  • Resolve arbitrary domain names to your site without specifying them in the portal
  • Configure affinity groups and make use of upgrade and fault domains
  • Use the CDN against your web site content
  • In-role cache nodes
  • 99.95% SLA as opposed to a 99.9% SLA
  • You get more than 50GB of disk space
  • Ability to use GDI+, Report Viewer and DNS lookups in your code
  • Ability to make calls to localhost

Sometimes Virtual Machines are a valid choice – check out my whitepaper on deploying web applications in Azure for more information.

Conclusion

If you need enormous scale, a non-standard/complex configuration (e.g. full IIS customisation, non-standard ports, complex diagnostics or start up scripts / custom software installs), more than 50GB of disk space or RDP then you need Web Roles.

In most other scenarios Web Sites is the best choice since it’s the simplest option and is fully-managed. The Web Sites platform is being constantly innovated on with new features surfacing almost every month – Microsoft are investing a lot of resources into making sure it’s a state of the art platform. If your application grows in complexity over time and needs to migrate from Web Sites to Web Roles or Web Roles to Virtual Machines this is a relatively easy process so you should be able to start with the simplest option initially (Web Sites) with confidence you can change later if required.

Web Sites

Long-story short: Convention-over-configuration IIS-as-a-service to get you up and running quickly in Azure with a minimum of fuss (kind of like App Harbor). Also, it allows you to use a certain amount of Azure resources for free (10 websites on shared instances with limited bandwidth), which is a welcome addition and will be great for proof of concepts or just playing around with stuff!

The advantages that Web Sites seems to have over Web Roles are:

  • Out of the box support for Git (including hosted within Azure, CodePlex, Github and Bitbucket), VSOFTP and Web Deploy and Dropbox deployments, which makes automated deployments and continuous delivery dead easy (not that it’s terribly difficult using PowerShell for Web Roles), and importantly, quick.
    • Annoyingly (unless I’ve missed something), the git publishing doesn’t use private keys so you have to keep typing in the password, although from watching David Ebbo’s Youtube video on publishing from Git there must be some way to make it remember the password (I wouldn’t know as I always use private keys). [See update at end of post for instructions]
    • It would be cool if some of these features were added to Web Roles and Worker Roles; I’m not sure if this tweet from David Ebbo is any indication that might happen!
    • It seems that Microsoft have open sourced their Git-IIS deployment library, Kudu, which is cool :)
    • I tried to deploy a solution that had multiple web projects, but no matter what I did it kept deploying the first web project that I had deployed. I’m not sure what conventions it uses, but if you need to configure which project is deployed then I imagine you can consult the relevant Kudu documentation (edit: looks like there are some ways to address it).
    • If you use the Git publishing model (and I assume the TFS publishing model) then you don’t have to commit your NuGet package binaries as they will automatically get resolved when you push (you do have to turn on Package Restore on the solution in Visual Studio for it to do it though – edit: package restore is being deprecated). This is great because it makes your deployment much faster. It does mean that if you use packages that aren’t in the official NuGet repository (e.g. in a private repository, or using a package service) then you will need to include those ones or update the nuget config – I haven’t tried seeing what happens when you do that though yet, so try with caution.
  • Gives you the ability to roll-back to previous deployments instantly via the management portal if you are using Git (and I assume TFS) deployments.
    Redeploy previous deployments
  • You can deploy almost instantly out of the box (with the above mentioned deployment methods), rather than in 8-12 minutes or having to set up something like Accelerator for Web Roles Azure Web Farm or AzureWebFarm.OctopusDeploy.
  • You can provision a new Web Site much faster than a Web Role (seconds rather than 8+ minutes); I’m guessing Microsoft will always have spare capacity spun up and ready at any point in time – their capacity management software must be fascinating!
  • For .NET web apps: You don’t have to set up a separate project in your Visual Studio solution to deploy to Azure – you can simply deploy a normal web app solution as-is.
    • This also means you don’t have to maintain two sets of configurations and set up a storage account for diagnostics so you can be up and running much quicker.
  • Out of the box support for installing ready-to-go, open source web applications (from a list of common ones; mainly CMS’s and blogs).Create Azure Web Site with CMS
  • Built-in monitoring from the management portal (Web Roles has CPU and (optionally) memory as well now, but this also includes HTTP errors, requests and data)Web Sites has out of the box support for per-minute diagnostics now, which you can get the data for with Web Roles, but it’s all in-built into the portal for Web Sites and easier to use / consume:
    Monitoring dashboard
  • Extra diagnostics options at the click of a button:
    Azure Web Sites Diagnostics Options
  • Ability to inject configuration variables to your web.config file rather than having to package the final version with the deployment.
    • This means you don’t have to use encrypted web.config files if you want to keep production configuration information in source control so you can do automated deployments, but still prevent developers from accessing the production environment.
    • It does mean you potentially need to be more careful about who you give access to the management portal for your instances because the connection strings will appear in plain text be accessible to them.
  • If you have a web.release.config file then the XDT transformations in this file will automatically be applied before deploying your site.
  • You can add multiple host names that your site responds to (if it’s using reserved instances standard or shared tier, but not for shared free tier).
    • It appears you have to do this if you want to point a CName record at the site – given there are multiple sites being hosted on the same IIS instances this makes sense.
    • Given Web Roles allow you to point as many domain names as you want at it and it will resolve for all of them (assuming you are trying to resolve the main web site that is deployed in the Azure package rather than using a solution like Accelerator for Web Roles Azure Web Farm, which does require you to specify the host name) this isn’t really an advantage that Web Sites has over Web Roles.
    • What it does mean though is that you can host multiple sites on a single set of reserved servers out of the box (which is why Web Sites deprecated Accelerator for Web Roles in combination with near-instant deployments).
    • There is an implication if you are using shared free tier rather than reserved standard or shared tiers that you can’t point custom domain names to your web site and thus have to use the azurewebsites.net domain name (which is probably fine if you are doing a prototype or proof of concept).
    • It seems that for a given subscription in a given region you can have either free/shared or reserved Web Sites and thus any web sites that you add for a given subscription / region that has reserved Web Sites will be shared on your reserved servers.
      • I can’t confirm this explicitly, but it’s the only thing that makes sense to me after seeing the management portal and reading between the lines in the documentation.Web Site ModeShared to ReservedReserved to Shared
      • I would suggest that it will be important to keep this in mind if you want to segregate the servers that certain combinations of web sites that you deploy. You might want to do this due to their load profiles conflicting with each other. This is important unless Microsoft provides an easy way in the future to segregate your reserved instances within a single subscription or provide an easy way to migrate a site to a different subscription or region (unless I am missing something!).
  • You can use MySQL (edit: You can use this with Web Roles easily too now by adding a MySQL database using Add-ons).
  • You only need one instance to get the SLA rather than 2 instances in Web Roles
  • It supports multiple programming languages out of the box
  • It takes seconds rather than minutes to scale up and out as well as changing tier.
  • You can host your “naked” domain name (i.e. without www.) in a supported way rather than having to resort to external services, clever programmatic solutions or being careful not to nuke your deployment.
  • You can get memory dumps via a REST API via Kudu
  • You can perform remote debugging from Visual Studio
  • You can keep your application pool constantly warmed up with Always On Support
  • As part of the Always On support you can define triggers that result in your app pool recycling automatically to auto-heal any problems in your website
  • You can run periodic or continuous background jobs in multiple languages out of the box and you can deploy them as part of deploying your web application
  • You can use a staging environment and immediately switch the files to production, while changing connection strings etc. plus you can assign a custom DNS name to your staging environment rather than the random <guid>.cloudapp.net domain name for the Web Role staging slot (see the below comment from joshka though)
  • You get free, valid HTTPS out-of-the-box with the azurewebsites.net domain
  • You get out-of-the-box support for manual and automated backup and restore
  • Ability to view processes running the machine and their CPU and memory use from the Azure Portal and remotely kill rogue processes
  • Ability to add pre-packaged extensibility to your web site at the click of a button via Site Extensions
  • You can connect to on-premise resources securely without needing a VPN using Hybrid Connections

Web Roles

With all that in mind, this is what I see as the advantages of / situations you would use Web Roles (a lot of those also apply to Virtual Machines, but that is outside the scope of this post):

  • If you need to create an application that has non standard HTTP ports open (or frankly ports open for non-HTTP traffic) you can’t use Web Sites.
  • You can’t RDP into the server for debugging or other purposes when using Web Sites.
  • If you want surety about network / virtual machine isolation of your application for security reasons you may not want to use (at the very least free/shared) Web Sites. This is a bit of conjecture though because without knowing the internals of how Web Sites is implemented it’s hard to say what kind of isolation it provides. (edit: VM isolation will be the same for standard tier, see next point about network isolation)
  • You can use Windows Azure Virtual Networks to get network isolation of your Web Roles, but this can’t be used with Web Sites (edit: you can connect an Azure Web Site to a Virtual Network using a Point-To-Site VPN connection, which is limited to 100 Mbps, whereas Web Roles can be directly connected to the network)
  • If you want to deploy a worker role to perform background processing alongside your web site via a worker role then you can do it using the same instance with a Web Role (thus costing less money; also, Azure Web Farm has the ability to support execution of console applications packaged with your web application providing the same kind of benefit). (edit: Web Sites now supports Web Jobs so this point is no longer relevant)
  • You can run elevated start up scripts with a Web Role that then allow you to install any software you want or configure it in any way you desire.
  • You can mount a NTFS filesystem stored in blob storage using Azure Drive
  • You have full control over what diagnostic information is collected from a Web Role, which you may want to use for auto scaling, or customised monitoring solutions.
  • You have full control over how IIS is configured in a Web Role; note: it’s worth noting that Microsoft are consistently opening up IIS configuration options from web.config.
  • Your Web Role endpoint resolves to a static IP address assuming you don’t nuke your deployment.  edit: the fact you can have A Record support means this can be achieved with Web Sites too. edit: both Web Sites and Web Roles allow for A-record support, with Web Roles you can reserve a static IP address.
  • You can automatically scale your web site using Web Roles. You can perform much more complex auto-scaling with Web Roles – the slider-based auto-scaling in the portal is much more comprehensive and allows CPU and Azure Storage Queue based scaling and time schedules (edit: Web Sites now has the ability to scale using time schedules in the portal) and if you want even more complex auto-scaling you can use the Autoscaling Application Block (aka WASABi)

    Azure Web Roles CPU portal autoscaling
    Web Roles CPU autoscaling
    Azure Web Roles Storage Queue portal autoscaling
    Web Roles queue autoscaling

    Azure Web Sites CPU portal autoscaling
    Web Sites CPU autoscaling
  • You can scale out to a very large number of instances for extremely high load web sites (I know of a situation where at least 250 instances were used). Web Sites (at least at the moment, and with the default configuration when you first get it – it’s potentially possible to increase this) seems to have a maximum of three instances has a maximum of 6 shared or 10 reserved standard instances.
  • Furthermore, as per above screen shot and at least for the moment, Web Sites doesn’t have Extra Small (great for cost effective hosting of low load web sites – but the free and shared instances make up for this) or A4 (Extra Large) / A5 / A6 / A7 / A8 / A9 / D-series / G-series (if you need extreme vertical scale – but you probably only need this for intense Worker Role processing rather than for web sites [unless you are doing something very wrong/weird with your web application :P]).
  • At the moment you can only have SSL connections to your custom domain name by using Web Roles since there is no ability to upload Security Certificates to your Web Site instances, but this will probably be added soon. There is SSL for the azurewebsites.net domain name that you get though. edit: SSL for custom domain names in Azure Web Sites has been released, but it comes at a cost, whereas you can install SSL to your Web Role for free.
  • If you want securely managed Security Certificates for any other purpose than SSL e.g. config encryption, authentication, etc. then you will need to use Web Roles (for now at least). edit: you can now use Azure Web Sites for arbitrary certificates.
  • Apparently, during the preview there is a limit of 1GB of space per subscription that can be used with Web Sites and you can have a maximum of 10 web sites. I found this in a Stack Overflow answer from a Microsoft employee working on Azure. Free and paid shared instances have a limit of 1GB of space with free instances having a limit of 10 websites and shared instances having a limit of 100 websites (reserved standard instances have 10GB of space and a 500 website limit [I wonder if this is an IIS limit otherwise why would it be there since you have a complete VM(s) at your disposal?]). With Accelerator for Web Roles Azure Web Farm and AzureWebFarm.OctopusDeploy there is no limit on the number of sites, and depending on your role size you can certainly have more than 1 GB of storage (apart from the fact you have have more than one hosted service, each with more than 1 GB of space).
  • If you want to have any domain name you want to resolve against your web site using a CName without having to specify those domain names explicitly in the management portal then you will need to use Web Roles (see the comments section below for explanation).
  • You have the option of using VIP swap as a deployment option – this allows you to fully test the deployment you are about to make and then switch between old and new very quickly (and more usefully, vice versa if something goes wrong) (edit: Web Sites now has a staging environment with similar (but more advanced) functionality)
    • While I think this is very useful in some circumstances, particularly if the act of deploying is accompanied by separate, long-running processes that could go wrong (e.g. complex database changes that are triggered before the vip swap) I think in general if you can simplify your deployment process such that it’s not required (and simply make it really quick and easy to rollback to the last version) then that’s better (Web Sites enables this due to it’s out-of-the-box deployment options)
  • Affinity groups to allow you to ensure that Web Roles are close to storage accounts and potentially other roles within the datacentre (decreasing latency and increasing performance).
    • I suspect that Web Sites may well do this behind the scenes for the storage account you associate with the Web Site, but of course you can only do it with that storage account and not with multiple ones or other sites / roles
    • You can create linked resources, which may (I can’t verify or find any information to back this up) provide the same effect – you can do this for Azure SQL Databases and storage accounts:
      Azure Web Sites Add Linked Resource Dialog
  • Explicit upgrade and fault domains
    • Web Sites makes upgrade domains redundant given the deployment options (see note above about VIP swap) and I assume that fault domains are likely transparently implemented for you, but that could be wrong
  • In-role cache nodes
  • The cscfg file and ability to edit in the portal
    • You can edit web.config variables and connection strings within the portal for Web Sites so this makes it somewhat redundant
  • If you want to use Traffic Manager to distribute your application in multiple data centres across the globe then you can’t use Web Sites, however you can get a similar affect using an Azure Virtual Machine and IIS ARR as per http://stackoverflow.com/questions/13697863/is-it-possible-to-provision-the-same-domain-name-on-multiple-azure-websites
  • If you want to use the Content Delivery Network against your web site rather than a static Storage Account then you need a Cloud Service and can’t use Web Sites.
  • Windows Azure Web Roles has an SLA (99.95%), but Web Sites has no SLA. Web Sites has a 99.9% SLA whereas Web Roles has a 99.95% SLA.
  • Web Roles can be easily deleted and redeployed from a package in blob storage so if you only need your site functioning for part of the day you could delete the deployment when it’s not needed and have a significant cost saving.
    • Web Roles are charged by the minute – I can’t work out if Web Sites are the same or not though, but I assume so since the pricing page talks about converting the usage to Compute hour equivalents.
  • Web Roles have 64-bit app pools by default – Web Sites are 32-bit by default and in fact you have to upgrade to standard mode to get a 64-bit app pool; it is possible to downgrade the Web Role app pool to 32-bit
  • If you want to use GDI+ or report viewer then that is not currently supported in Web Sites (but does work on Web Roles) – it is in the long term plan to add support and you can keep track of progress via the MSDN forums
  • If you want to use DNS lookups in code then that isn’t possible in Azure Web Sites (sorry – I can’t find a link for this one)
  • The regions that you can deploy Web Sites to are currently restricted while this feature is in preview, but there are probably plans to roll out wider (see point 3 in the link) (edit: it’s available in all regions except South East Asia – I can’t find any reason why it’s not available in that region).
  • You can make calls to localhost on the role, which isn’t possible in Azure Web Sites since it doesn’t use a * binding in IIS – instead you have to use the domain name of the site, which will go out through the Azure load balancer

While reading up on this post I found out something about Web Roles that I didn’t know – apparently you can deploy a Web Role package that contains multiple web sites (by specifying their host headers), but it does mean that you have to always deploy all the websites at the same time and keep them all in the same Visual Studio solution.

Updates

Update (10 June 2012)

David Ebbo send me a message via Twitter to let me know the solution he is using to remember his Git password. Also, I found a post that describes how to point to other NuGet feeds than the official one when using package restore.

Update (28 August 2012)

I read a truly excellent post yesterday about Virtual Networks and it made the point that you can’t join a Web Site to a Virtual Network, but of course you can join a VM or Web/Worker Role. Thus I added that as another limitation above.

Update (15 September 2012)

West US Azure data centres now support Web Sites.

Update (18 September 2012)

There were a few big announcements today about Azure Web Sites and I’ve updated this post with some minor corrections accordingly.

Update (9 October 2012)

Added some rather obvious differences I originally missed thanks to the comment below from Roland.

Update (1 January 2013)

Updated to reflect the fact that East Asia is now supported for Azure Web Sites (as per this announcement) and the fact you can now have up to 6 shared and 10 reserved instances rather than the original 3 (as per this announcement).

Update (27 April 2013)

Updated to add the fact that Traffic Manager isn’t supported for Web Sites.

Update (25 May 2013)

Updated to add a note about CDN support as pointed out by Teo below.

Update (17 July 2013)

Overhaul of the post to get it up to date with recent changes to Web Sites and Web Roles as well as a general tidy up and making it more friendly (e.g. added diagram, new intro and tl;dr section and moved around some of the points that were in the wrong section).

Update (8 September 2013)

Added information about GDI+/Report Viewer as pointed out by Travis below.

Update (26 January 2014)

Added information about Web Sites staging environment, Always On Support, DNS lookups, AzureWebFarm.OctopusDeploy and In-role cache and emphasised the 10GB limit for Azure Web Sites.

Update (29 January 2014)

Added note about the web.config options for configuring IIS that are increasingly being opened up for Azure Web Sites.

Update (8 February 2014)

Added notes about A8 and A9 VM sizes, 32-bit vs 64-bit app pools and auto healing.

Update (22 October 2014)

Updated post to reflect the following:

  • Out-of-the-box HTTPS with Azure Web Sites
  • Azure Web Sites Backup
  • Azure Web Sites Processes
  • D-series and G-series VMs for Azure Web Roles
  • VPN connection to a Virtual Network for Azure Web Sites
  • South East Asia available for Azure Web Sites and TFS support is now VSO support with a build as per Josh’s comment
  • Can’t make localhost calls on Azure Web Sites
  • Site Extensions for Azure Web Sites
  • Clarified that you can reserve a static IP for Web Roles for A record support now
  • Out-of-the-box Remote Debugging with Azure Web Sites

Update (31 October 2014)

Updated post to mention Hybrid Connections support in Azure Web Sites and the fact that you can use custom certificates in Azure Web Sites now.

24 thoughts on “Windows Azure Web Sites vs Web Roles”

  1. There haven’t been any comments as to whether or not wildcard CNAME’s will be supported. [BTW: I did testing in Resevered mode yesterday (6/8), but I got nothing but 500 server errors when trying to add hostnames, and test CNAME’s did NOT work (pointed to mywebsitename.azurewebsites.net). I kept getting 404’s from IIS … yes … in Reserved mode as they called for.] A one-line hack by Ben Foster to the Accelerator made Nate’s software work beautifully with wildcard subdomains (and a little help from DynDNS, since GoDaddy nameservers don’t support wildcard CNAMES). In order for several of us requiring this spec using the Accelerator to migrate, we’re going to have to have wildcard CNAME support in Azure Websites. btw- I hope that if enough of us are still going to have to use the Accelerator that Nate/MS would allow a handful of devs to keep it going in some coordinated format. The Accelerator is a GREAT piece of software. It also allows deployment of websites running within it to deploy in less than a minute.

    1. Interesting. I guess as long as it allows you the ability to add a wildcard domain name into the host names fields for reserved Web Sites then it should be fine. Sounds like you’ve had some trouble trying that out to see if it’s supported though…

      Given Accelerator is open source there is nothing stopping a group of devs maintaining it. Frankly, I was considering doing some serious work on it myself!

  2. Indeed, no, I couldn’t get it to work. It wouldn’t accept any hostname in Reserved mode … just kept getting 500 errors from the server.

    It’s also unclear exactly why one would even have to enter a new hostname: Shouldn’t I just be able to point my CNAME (test1.mydomain.com) to website.azurewebsites.net while in Reserved mode and get it to work. Looks like two bugs: (1) Can’t add hostnames in Reserved mode … getting 500’s. (2) Can’t point CNAME to given website hostname anyway … getting 404’s.

    Even in preview, I’m a bit shocked to see such fundamental errors. I hope their engineers saw the exceptions, and I filed it via their feedback link at the top of the console. I’ve also reported it to Nate.

    If anybody else has any luck getting CNAME’s to work, please post back here to confirm that they’ve gotten the bugs out. I’m not going to test again until I hear some good news from someone else. I did this testing in Reserved mode on my own dime — I don’t like having to pay money to MS to test THEIR buggy software. I think that they should be paying ME!!

    1. I’m not surprised that there are an error or two in there; it is preview software. The real test will be how quickly they can deploy fixes. If the tweet I got sent the other day is anything to go by it should be fixed soon.

      As per the second part, I wouldn’t say it’s a bug as much as it is a technical limitation of IIS. When in reserved mode you can have multiple Web Sites pointing to the same set of reserved servers running IIS. IF you want any CName pointing to those IIS servers how can they tell which of your sites to serve up without you explicitly providing the hostnames? If you have a single web site on reserved then it could be possible, but that would mean that the first web site you create will always be “special”, which is weird behaviour. If that is a feature you need then I think it’s actually another limitation of Web Sites that means you should use Web Roles (in fact I’m going to change my post above to reflect that).

  3. Hi
    Great post. In don’t get one thing. in the advantages of an Azure website you state that the need to encrypt your web.config is no longer needed because you can set the values in te managment portal. This is true for the AppSettings en Connection strings. I have made a AzureWebsite with an fedrated login. The problem here is that the decribtion of the token signature fails. The cause is the loadbalancer that has so I am not sure on whicht machine i will return resulting in a diferent machine key. The solution is to set the machinekey in the webconfig. This key wil now be used. This key is information the you would put in an encrypted section of the web config. This can not be done in the managment console.

    Michiel van Buuren

    1. Michiel – that’s a good point. I never thought of that because I’ve never bothered encrypting the section. I guess at the end of the day I think it’s easy enough to justify or not worry that the development team has access to the machineKey depending on the app. Most of the time I didn’t explicitly specify it anyway given that for on-premise deployments or Azure web role deployments it’s not needed. I have found I needed it when using App Accelerator for Azure though.

      In the case of Azure Web Sites you either need to trust the development team or you can’t use Web Sites and you should use App Accelerator instead, since you can encrypt that section and include the Certificate for decryption in the Web Role.

      For anyone wondering about the web.config encryption, go to these links: http://msdn.microsoft.com/en-us/library/dtkwfdky(v=vs.100).aspx and http://blogs.msdn.com/b/sqlazure/archive/2010/09/09/10059889.aspx.

      I published a NuGet package with the PKCS12ProtectedConfigurationProvider dll at http://nuget.org/packages/Pkcs12ProtectedConfigurationProvider

  4. Hi

    This is really an excellent post. A few more things I observed:

    – Websites seems to have a sticky load balancer, WebRoles don’t (which is not nessesary an advantage of websites, regarding to scalability)
    – WebRoles have VIP-Swap
    – WebRoles have Affinity Groups
    – WebRoles have Upgrade- and Fault-Domains
    – WebRoles have a role-wide Configuration File that can be configured (overwritten) in the management portal

    Roland

    1. Good call – of course these are things that have essentially always been there and are obvious, but I never thought of them when I was originally doing the comparison (one of those staring you in the face moments I guess :P). Thanks for the info – I’ll update the post accordingly!

  5. Also, you must use web roles if you need to cache dynamic content via CDN.
    In my case I am using ImageResizer.net setup in website reserved instance; ImageResizer.net generates thumbnails. I am forced to migrate to web roles in order to cache the “dynamic” context using CDN.

  6. I wanted to add to this, since you seem to keep it updated, that if you want to use anything that incorporates the GDI engine (i.e. local reporting, RDLC style) or other more protected libraries then you’ll need to use a Web Role. I’m just learning them myself but have had some serious pains with Websites.

    Also, Websites seems to suffer from Out of Memory exceptions, also when using Reporting. Trying to generate a small report (a few thousand records) throws this exception. Printing or exporting PDF directly from a ReportViewer control is impossible on Websites due to requiring the GDI engine.

    Thanks for the great info! Very helpful.

  7. if I scale a website to few instances, will it automatically be setup like a webfarm? Ie. Shared Sessions ?

    but for webrole, it cannot create a webfarm right ?

    1. No – you have to configure session state to connect to a shared datasource. Check out the reply I added to the MSDN forums the other day for a list of the options.

      I should note this is no different if you are using Web Sites or Web Roles – shared session state is nothing to do with the infrastructure, but rather an application configuration responsibility (as is other considerations for whether the application can scale across multiple instances).

  8. “If you only need your site “on” for small periods of time, but you don’t want to have to redeploy then you can stop the Web Roles and not be charged until you start them again”

    Its only virtual machines that are not billed when stopped.
    We have had 3 small webroles in the stopped mode for a month to find out that they got billed :)

  9. Extremely valuable information! Thank you all for your time and contribution. I am new to the azure world but am looking forward to taking advantage of it. Spent days finding out that I couldn’t produce a PDF file from an RDLC through reportviewer using websites. Also chased the infamous “an error occurred trying to render report 0x080004005″ in preview of reportviewer before finding this information that it doesn’t work on Azure Websites. Headed to Web Roles:/

  10. Hi Robb,
    A couple of updates:

    ‘Deploy to the South East Asia region’ This is now available in websites.
    VSO -> Azure websites hook is setup with a TFS build. This takes about 3 minutes. Slower than github integration, but does more things.

    I’d be wary of calling it a staging slot, as switching brings along appSettings and connectionStrings from the other slot, so this should be seen as blue/green deployment, not pre-prod-testing/prod. For the latter spinning up a second website is a fairly simple alternative. This can cause some complication on the staging slot in situations where you care about the url / hostname (e.g. STS redirects, OAuth redirects, CORS etc.).

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>