Editing App Service settings one row at a time in the portal does not scale. The Advanced edit blade takes a single JSON array, and so does the CLI — which means your whole environment can live in source control.
The shape
Every entry is three fields:
{ "name": "NODE_ENV", "value": "production", "slotSetting": false }
name— the key, exposed to your app as an environment variable.value— the value.slotSetting— whether the value is pinned to the deployment slot.
slotSetting: the one that trips people up
Set slotSetting: true for anything that must not follow a slot swap — the database URL, the API base URL, environment-specific endpoints:
{ "name": "DATABASE_URL", "value": "...", "slotSetting": true }
Now swapping staging into production keeps each slot pointed at its own database.
Keep secrets out
Never paste a raw secret. Reference Key Vault instead — App Service resolves it at runtime:
{
"name": "APPLICATIONINSIGHTS_CONNECTION_STRING",
"value": "@Microsoft.KeyVault(SecretUri=https://my-vault.vault.azure.net/secrets/appinsights-conn/)",
"slotSetting": false
}
Platform toggles
WEBSITE_* keys change platform behavior — WEBSITE_RUN_FROM_PACKAGE for immutable deploys, WEBSITE_NODE_DEFAULT_VERSION to pin the runtime.
Security notes
- Settings are encrypted at rest but visible to anyone with portal access — scope RBAC tightly.
- Prefer a managed identity over connection strings that embed credentials.
Open the App Service settings template and ask the workspace to "mark the database connection string as a slot setting" or "add Application Insights connection string", then diff the result.