Unlocking Legacy App Modernization with Managed Instance on Azure App Service (Preview)

The cloud modernization journey for Windows web applications has just taken a giant leap forward. Microsoft has introduced Managed Instance on Azure App Service (preview), a new hosting option that bridges the gap between legacy dependency-rich workloads and modern platform-as-a-service (PaaS) fundamentals. This capability helps organizations migrate and modernize with minimal code changes while retaining the familiar Azure App Service experience.

In this blog, we’ll dive into what Managed Instance is, why it matters, how you can deploy it, and best practices for configuring and managing it, complete with practical guidance to get you started.

What Is Managed Instance on Azure App Service?

Managed Instance on Azure App Service (preview) is a plan-scoped hosting option for Windows web applications that require deeper operating system customization, dedicated network isolation, and legacy infrastructure support, while retaining the core benefits of App Service, such as scaling, patching, diagnostics, and identity.

This new hosting option is designed specifically for workloads that traditional App Service plans struggle with, for example:

  • Apps requiring COM components, Windows registry access, or MSI installers
  • Apps with strict network boundaries or private networking needs
  • Workloads that need drive mapping, persistent configuration, or OS-level components not supported in standard PaaS plans

Managed Instance enables these apps to run in the cloud as PaaS, often avoiding costly refactoring or lift-and-shift to Infrastructure as a Service (IaaS).

Key Capabilities and Features

Managed Instance blends traditional PaaS simplicity with infrastructure control. Here’s what it offers:

Plan-Level Isolation & Networking

  • Virtual Network Integration
    Managed Instances can be deployed into virtual networks with support for private endpoints, NSGs, NAT gateways, route tables, and customized DNS, enabling secure integration with private services.

  • Dedicated Compute Boundaries
    Unlike shared App Service plans, Managed Instances have dedicated compute resources, enabling predictable performance and stricter isolation.

OS Customization and Component Support

  • Configuration (Install) Scripts
    You can upload PowerShell scripts that run at startup, enabling installation of libraries, custom IIS configuration, COM components, registry keys, and Windows features.

  • Registry Adapters & Storage Flexibility
    Use Key Vault-backed registry values and Azure Files or UNC storage mounts to support legacy file system dependencies.

Visibility & Diagnostics

  • Just-In-Time RDP via Azure Bastion
    For troubleshooting, you can access the instance GUI through RDP — helpful if you need deeper inspection or logs beyond App Service console output.

  • Logging and Monitoring
    Configuration script results and instance events can be streamed to Azure Monitor and Log Analytics.

Identity & Runtime Support

  • Managed and System-Assigned Identity
    Simplifies secure connectivity to Azure resources without embedded secrets.

  • Preinstalled Runtimes
    .NET Framework versions and .NET 8 are available out of the box, with additional runtimes installable via scripts.

Deploying Managed Instance – A Quick Start

Microsoft provides a step-by-step quickstart to deploy a Managed Instance plan and sample application using the Azure portal or Azure Developer CLI (azd). The high-level flow looks like this:

1. Prerequisites

  • Azure subscription and access to supported regions (East US, North Europe, West Central US, East Asia, etc.)
  • Managed identity and Azure storage account with your configuration script zip uploaded
  • Pv4 or Pmv4 plan SKU quota for preview usage

2. Deploy Resources

Using Azure Developer CLI (azd), you can deploy:

  • A resource group
  • A user-assigned Managed Identity
  • A storage container with your install scripts
  • The Managed Instance plan itself

1. Create a new directory and initialize the local project from a GitHub template.

2. Set up the environment location, run “azd up” to run the Bicep

You may encounter an error like the one below due to an authentication issue. Run “azd auth login”, authenticate with your credentials, and then run “azd up” again.

While the Storage Blob Data Owner role is being granted to your current account, you may encounter an error similar to the one below. Manually grant one of the given roles to your current account on the storage account.

Then run the “azd up” command again.

3. Configure a Managed Instance Plan

In the Azure portal:

  • Create a managed instance plan

Search for Managed Instance from the Marketplace

Provide the necessary details when creating the Web App (for Managed Instance) as below.

  • Select the storage account that was created by Bicep, attach your configuration script zip, and assign the managed identity

  • Optionally configure network integration and private endpoints

  • Review screen

4. Deploy a Web App

Once the plan exists, you create a standard web app tied to that plan, deploy your code, and verify that the application runs with your OS-level customizations applied.

How to Configure Managed Instances

The Configure Managed Instance documentation breaks down practical configuration topics for real-world usage:

Managed Identity

A plan-level managed identity is required to securely access Azure Storage (for scripts) and Key Vault (for registry and storage credentials).

Install Scripts

Configuration scripts in a ZIP file (root containing Install.ps1) allow:

  • Windows feature installs
  • COM and MSI installs
  • Environment variable and IIS configurations

Best practices:

  • Make scripts idempotent
  • Avoid destructive operations against system paths
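
An idempotent Install.ps1 that follows both practices, as an added example (not code from Microsoft or from the original post). It assumes the instance exposes the ServerManager cmdlets; the feature name, the MSI path inside the ZIP, the product display name, and the registry key and value are hypothetical.

```powershell
# Install.ps1 (added example): safe to run again on every instance start.
# Assumed names: feature 'Web-Asp-Net45', vendor\LegacyComponent.msi,
# display name 'Contoso Legacy Component', key HKLM:\SOFTWARE\Contoso\LegacyApp.
$ErrorActionPreference = 'Stop'
Set-StrictMode -Version Latest

function Write-Step([string]$Message) {
    # Timestamped output so every decision shows up in the script results.
    Write-Output ("{0:o} {1}" -f (Get-Date), $Message)
}

# 1. Windows feature: install only when it is not already present.
$featureName = 'Web-Asp-Net45'
$feature = Get-WindowsFeature -Name $featureName
if ($feature.Installed) {
    Write-Step "Feature $featureName already installed, skipping"
} else {
    Install-WindowsFeature -Name $featureName | Out-Null
    Write-Step "Feature $featureName installed"
}

# 2. MSI: skip when already registered; verify the signature before running it.
$msiPath     = Join-Path $PSScriptRoot 'vendor\LegacyComponent.msi'
$displayName = 'Contoso Legacy Component'
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.PSObject.Properties['DisplayName'] -and $_.DisplayName -eq $displayName }
if ($installed) {
    Write-Step "$displayName already installed, skipping"
} else {
    $signature = Get-AuthenticodeSignature -FilePath $msiPath
    if ($signature.Status -ne 'Valid') { throw "Refusing unsigned or tampered MSI: $msiPath" }
    $proc = Start-Process -FilePath 'msiexec.exe' -Wait -PassThru `
        -ArgumentList @('/i', "`"$msiPath`"", '/qn', '/norestart')
    if ($proc.ExitCode -notin 0, 3010) { throw "msiexec failed with exit code $($proc.ExitCode)" }
    Write-Step "$displayName installed (exit code $($proc.ExitCode))"
}

# 3. Registry: touch only the app's own key; create it if missing, never delete.
$appKey = 'HKLM:\SOFTWARE\Contoso\LegacyApp'
if (-not (Test-Path $appKey)) { New-Item -Path $appKey -Force | Out-Null }
New-ItemProperty -Path $appKey -Name 'DataRoot' -Value 'C:\LegacyAppData' -PropertyType String -Force | Out-Null
Write-Step "Registry value DataRoot set under $appKey"
```

Each step checks current state before changing anything, so a second run only logs "skipping" lines, and a failed signature check or installer exit code stops the script instead of leaving a half-configured instance.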

Deploying the application to the new App Service:

Browsing the application:

Storage Mounts

Use Azure Files or custom UNC paths for persistent shared storage — ideal for legacy apps that rely on file system access.

Registry Keys

Registry adapters let you populate required registry values using credentials stored in Key Vault, a must for apps with deep Windows integration.

RDP Configuration

Enable Bastion-based RDP for support cases where in-depth investigation of the instance is required.

When to Use It

Managed Instance is an excellent fit when you need:

  • Minimal refactoring for legacy .NET apps
  • OS customization via install scripts
  • Network isolation and private endpoint support
  • Persistent storage access beyond typical App Service file system limits

Conversely, standard App Service plans are preferable when:

  • You’re building cloud-native modern applications
  • You don’t require OS customizations
  • You need Linux or container support

Preview Limitations

Remember: Managed Instance is currently in preview. Some limitations to note:

  • Windows only — no Linux/containers
  • Not available in App Service Environment (ASE)
  • Requires select Pv4/Pmv4 pricing plans
  • Workloads limited to web apps (no WebJobs or TCP/NetPipes)

Final Thoughts

Managed Instance on Azure App Service moves the needle for customers stuck between legacy dependencies and modern cloud platforms. It marries platform-managed scaling and DevOps integration with the flexibility to customize the OS, network, and environment — all in a managed PaaS experience.

Whether you’re modernizing critical Windows apps or simply want to lift them to the cloud without heavy rewrites, Managed Instance deserves a close look. As Microsoft expands regional availability and adds features, this preview offering could become a staple in enterprise migration strategies.
