Container Instances and Container Registries

Lab Objective

In this hands-on lab, you will learn how to:

• Create Azure Container Registry to store and manage container images securely
• Build container images directly in ACR using cloud-based build capabilities
• Configure registry authentication with admin credentials and managed identity
• Deploy containers to ACI from your private registry with various configurations
• Manage container lifecycle including scaling, restarting, and monitoring
• Implement container networking with virtual network integration and DNS resolution
• Monitor container performance using Azure Monitor and log analytics

Scenario: Your organization needs to containerize legacy applications and deploy them in a scalable, managed environment. You’ll use Azure Container Registry to build and store container images, then deploy them using Azure Container Instances for development, testing, and lightweight production workloads.

---

Pre-Provisioned Environment

Container Lab Environment
├── Resource Group: ACR-ACI-Lab-RG
├── Azure Container Registry (acrlab[unique])
│   ├── SKU: Basic
│   ├── Admin User: Enabled
│   ├── Public Access: Enabled
│   └── Repository Webhooks: Ready for configuration
├── Virtual Network (container-vnet)
│   ├── Container Subnet (10.0.1.0/24)
│   └── Management Subnet (10.0.2.0/24)
├── Log Analytics Workspace (container-logs[unique])
│   ├── Data Retention: 30 days
│   └── Container Insights: Enabled
├── Application Insights (container-insights[unique])
│   └── Container monitoring configured
└── Storage Account (containerlogs[unique])
    ├── Container: build-logs
    └── Purpose: Store build artifacts and logs

Important: The Container Registry is pre-deployed and ready for building images. You’ll focus on image management, building, and container deployment workflows.

---

Lab Exercises

Part 1: Configure Container Registry Access

Step 1: Explore Container Registry Configuration

1. Navigate to Resource Groups → ACR-ACI-Lab-RG
2. Click on the Azure Container Registry acrlab[unique]
3. Review the Overview section:
   • Login server URL
   • Current image count
   • Storage usage
4. Go to “Access keys” and note the admin credentials

Step 2: Test Registry Authentication

1. Open Azure Cloud Shell (PowerShell)
2. Run the following command to login to your registry:

   az acr login --name acrlab[unique]

3. Verify successful authentication
4. List current repositories (should be empty initially):

   az acr repository list --name acrlab[unique]

Step 3: Configure Repository Permissions

1. Go to “Repository permissions” in the registry
2. Review the current access policies
3. Note how admin access vs. managed identity access differs
4. Check “Networking” to see public access configuration

Expected Results: Container registry is accessible and ready for image operations with proper authentication configured.

Part 2: Build and Push Container Images

Step 1: Create Sample Application

1. In Cloud Shell, create a new directory:

   mkdir webapp-demo
   cd webapp-demo

2. Create a simple Dockerfile:

   @"
   FROM nginx:alpine
   COPY index.html /usr/share/nginx/html/
   EXPOSE 80
   "@ | Out-File -FilePath Dockerfile -Encoding ascii

3. Create a custom web page:

   @"
   <!DOCTYPE html>
   <html><head><title>ACR Demo App</title></head>
   <body style='font-family: Arial; text-align: center; padding: 50px;'>
   <h1>Hello from Azure Container Registry!</h1>
   <p>Container Instance: <span id='hostname'></span></p>
   <script>document.getElementById('hostname').innerHTML = window.location.hostname;</script>
   </body></html>
   "@ | Out-File -FilePath index.html -Encoding utf8

Step 2: Build Image Using ACR Tasks

1. Build the image directly in Azure Container Registry:

   az acr build --registry acrlab[unique] --image webapp-demo:v1 .

2. Monitor the build progress in Cloud Shell
3. Watch for successful completion message
4. Verify the image was created:

   az acr repository show-tags --name acrlab[unique] --repository webapp-demo

Step 3: Build Variations and Tags

1. Modify the index.html to show version 2:

   (Get-Content index.html) -replace 'Hello from Azure Container Registry!', 'Hello from ACR - Version 2!' | Set-Content index.html

2. Build version 2:

   az acr build --registry acrlab[unique] --image webapp-demo:v2 .

3. Tag the latest version:

   az acr build --registry acrlab[unique] --image webapp-demo:latest .

4. List all tags:

   az acr repository show-tags --name acrlab[unique] --repository webapp-demo

Expected Results: Multiple tagged versions of your web application are stored in the container registry and ready for deployment.

Part 3: Deploy Containers with Azure Container Instances

Step 1: Deploy First Container Instance

1. Navigate to Home → Create a resource
2. Search for “Container Instances” and click “Create”
3. Configure basic settings:
   • Resource group: ACR-ACI-Lab-RG
   • Container name: webapp-demo-v1
   • Region: East US
   • Image source: Azure Container Registry
   • Registry: acrlab[unique]
   • Image: webapp-demo
   • Image tag: v1

Step 2: Configure Container Network Settings

1. Go to “Networking” tab
2. Configure networking:
   • Networking type: Public
   • DNS name label: webapp-demo-v1-[unique]
   • Ports: 80 (TCP)
3. Go to “Advanced” tab
4. Set restart policy: “Always”
5. Click “Review + create” → Create

Step 3: Test Container Deployment

1. Wait for deployment to complete
2. Go to the Container Instance webapp-demo-v1
3. Copy the FQDN from the Overview
4. Open browser and navigate to http://[your-fqdn]
5. Verify the web application loads correctly
6. Note the hostname displayed on the page

Expected Results: Container instance is running and serving the web application publicly with your custom content.

Part 4: Advanced Container Instance Configurations

Step 1: Deploy Multi-Container Group

1. Create another container instance: webapp-demo-v2
2. Use the same configuration but:
   • Image tag: v2
   • DNS name label: webapp-demo-v2-[unique]
3. Deploy and test both versions side by side
4. Compare the content differences

Step 2: Configure Environment Variables

1. Go to Container Instance webapp-demo-v1
2. Click “Containers” under Settings
3. Click on the container name
4. Add environment variables:
   • Name: APP_VERSION, Value: 1.0
   • Name: ENVIRONMENT, Value: Development
5. Restart the container to apply changes

Step 3: Configure Resource Limits

1. Edit the container configuration
2. Set resource requests and limits:
   • CPU: 0.5 cores
   • Memory: 1 GB
3. Save the configuration
4. Monitor resource usage in the metrics section

Expected Results: Multiple container instances are running with different configurations, demonstrating various deployment scenarios.

Part 5: Container Networking and Security

Step 1: Deploy with Virtual Network Integration

1. Create a new container instance: webapp-secure
2. Configure with VNet integration:
   • Networking type: Private
   • Virtual network: container-vnet
   • Subnet: Container Subnet
3. Deploy the container

Step 2: Test Private Networking

1. Note that the private container has no public IP
2. Create a simple test container with public access:

   az container create \
     --resource-group ACR-ACI-Lab-RG \
     --name test-client \
     --image mcr.microsoft.com/azure-cli \
     --restart-policy Never \
     --command-line "sleep 3600"

3. Connect to the test container and ping the private container

Step 3: Configure Container Registry Authentication

1. Go to Container Instance settings
2. Review how registry authentication is configured
3. Note the use of managed identity vs admin credentials
4. Test pulling images from the private registry

Expected Results: Containers are deployed in both public and private network configurations with secure registry access.

Part 6: Monitor and Manage Container Lifecycle

Step 1: Monitor Container Performance

1. Go to any running container instance
2. Click “Metrics” under Monitoring
3. Add metrics:
   • CPU Usage
   • Memory Usage
   • Network In/Out
4. Set time range to “Last hour”
5. Observe resource consumption patterns

Step 2: View Container Logs

1. Go to “Logs” under Monitoring
2. Run this query to see container logs:

   ContainerInstanceLog_CL
   | where ContainerGroup_s == "webapp-demo-v1"
   | order by TimeGenerated desc
   | take 50

3. Review application and system logs
4. Create a custom dashboard for monitoring

Step 3: Manage Container Lifecycle

1. Test container restart functionality:
   • Stop a running container
   • Start it again
   • Verify it maintains configuration
2. Update container image:
   • Change image tag to latest
   • Apply the update
   • Verify new version is running
3. Scale container groups (if using container groups)

Expected Results: Complete visibility into container performance, logs, and lifecycle management capabilities.

---

Troubleshooting Guide

Container Registry Issues

• Build failures: Check Dockerfile syntax and base image availability
• Authentication errors: Verify ACR admin credentials or managed identity permissions
• Push/pull failures: Check network connectivity and registry public access settings
• Image not found: Verify repository name and tag spelling

Container Instance Issues

• Deployment failures: Check resource quotas and region availability
• Container won’t start: Review container logs for application errors
• Network connectivity: Verify NSG rules and VNet configuration
• Resource constraints: Check CPU/memory limits and adjust as needed

Performance Issues

• Slow container startup: Optimize Dockerfile layers and base image size
• High resource usage: Review application code and resource allocations
• Network latency: Consider container placement and network topology
• Build time issues: Use multi-stage builds and layer caching

---

Key Takeaways

After completing this lab, you should understand:

• Azure Container Registry provides secure, private container image storage with cloud-based building capabilities
• ACR Tasks enable automated container builds without requiring local Docker installation
• Azure Container Instances offer serverless container hosting for development and lightweight production scenarios
• Container networking can be configured for both public internet access and private VNet integration
• Registry authentication supports both admin credentials and managed identity for secure access
• Container monitoring provides insights into performance, logs, and resource utilization

---

Decision Matrix: When to Use ACR and ACI

Scenario	ACR + ACI	ACR + AKS	ACR + App Service	Local Development
Development/Testing	✅ Recommended	⚠️ Complex setup	✅ Good option	✅ Simple
Lightweight production	✅ Recommended	❌ Overkill	✅ Good option	❌ Not scalable
Microservices architecture	⚠️ Limited orchestration	✅ Recommended	⚠️ Service complexity	❌ Not suitable
Batch processing	✅ Recommended	⚠️ May be overkill	❌ Not suitable	❌ Limited resources
Enterprise applications	❌ Limited features	✅ Recommended	✅ Good option	❌ Not production-ready
CI/CD integration	✅ Good	✅ Excellent	✅ Good	❌ Limited

Key Decision Factors:

• Orchestration needs: Use AKS for complex container orchestration
• Scaling requirements: ACI provides basic scaling, AKS offers advanced scaling
• Cost considerations: ACI is pay-per-use, AKS has baseline costs
• Management complexity: ACI is simpler, AKS requires more operational knowledge

---

Cleanup Instructions

1. Navigate to Resource Groups in Azure portal
2. Click on “ACR-ACI-Lab-RG”
3. Click “Delete resource group”
4. Type the resource group name to confirm
5. Click “Delete”

Estimated cleanup time: 5-10 minutes

---

Additional Resources

• Azure Container Registry Documentation
• Azure Container Instances Documentation
• Container Security Best Practices