
Azure Container Apps

Lab Objective

In this hands-on lab, you will learn how to:

  • Deploy Container Apps with serverless scaling and auto-scaling capabilities
  • Configure microservices communication using service discovery and internal networking
  • Implement traffic splitting for blue-green deployments and A/B testing
  • Set up ingress and custom domains with SSL termination and external access
  • Configure environment variables and secrets using managed identity and Key Vault integration
  • Monitor applications with built-in observability tools and custom metrics
  • Scale applications based on HTTP requests, CPU, memory, and custom metrics

Scenario: Your organization is modernizing applications using a microservices architecture. You need to deploy multiple interconnected services that can scale independently, communicate securely, and handle varying traffic loads. Azure Container Apps provides the serverless container platform perfect for this modern application architecture.


Pre-Provisioned Environment

Container Apps Lab Environment
├── Resource Group: ContainerApps-Lab-RG
├── Container Apps Environment (ca-environment-lab)
│   ├── Virtual Network: Consumption plan with subnet delegation
│   ├── Log Analytics Workspace: Integrated logging
│   ├── Application Insights: Performance monitoring
│   └── Managed Environment Certificate: Ready for custom domains
├── Azure Container Registry (acrlab[unique])
│   ├── SKU: Basic
│   ├── Admin User: Enabled
│   ├── Sample Images: Pre-built demo applications
│   └── Managed Identity: Configured for Container Apps access
├── Key Vault (kv-containerlab[unique])
│   ├── Managed Identity Access: Configured
│   ├── Sample Secrets: Database connection strings
│   └── SSL Certificates: Ready for custom domain configuration
├── Azure Database for PostgreSQL (postgres-lab[unique])
│   ├── Tier: Burstable
│   ├── Database: sampledb
│   └── Connection configured for Container Apps
└── Storage Account (storage[unique])
    ├── Container: uploads
    └── Blob access configured with managed identity

Important: The Container Apps Environment is ready with networking, monitoring, and security configured. You'll focus on deploying applications, configuring scaling, and implementing microservices patterns.


Lab Exercises

Part 1: Deploy Your First Container App

Step 1: Explore Container Apps Environment

  1. Navigate to Resource Groups → ContainerApps-Lab-RG
  2. Click on Container Apps Environment ca-environment-lab
  3. Review the environment configuration:
    • Networking configuration
    • Log Analytics integration
    • Custom domain settings
  4. Note the environment FQDN for later use

Step 2: Deploy a Simple Web Application

  1. Click “Create” in the Container Apps Environment
  2. Configure the basic container app:
    • Name: web-frontend
    • Container image: mcr.microsoft.com/azuredocs/containerapps-helloworld:latest
    • Target port: 80
  3. Configure ingress:
    • Ingress: Enabled
    • Ingress traffic: Accepting traffic from anywhere
    • Target port: 80
  4. Click “Create”

Step 3: Test the Deployed Application

  1. Wait for deployment to complete
  2. Go to the web-frontend container app
  3. Copy the Application URL from Overview
  4. Open the URL in a browser
  5. Verify the hello world application loads
  6. Note the container instance information displayed

Expected Results: A working web application is deployed and accessible via HTTPS with automatic SSL certificate provisioning.

Part 2: Configure Application Scaling and Resources

Step 1: Configure Auto-scaling Rules

  1. Go to web-frontend container app
  2. Click “Scale and replicas” under Application
  3. Configure HTTP scaling:
    • Min replicas: 1
    • Max replicas: 10
    • HTTP concurrent requests: 50
  4. Add CPU scaling rule:
    • Scale rule name: cpu-scaling
    • Type: CPU
    • CPU Utilization: 70%
  5. Save the configuration

Step 2: Configure Resource Allocation

  1. Go to “Containers” under Application
  2. Edit the container configuration:
    • CPU: 0.5 cores
    • Memory: 1 GB
  3. Configure health probes:
    • Liveness probe: HTTP GET on /
    • Readiness probe: HTTP GET on /
  4. Save changes and wait for revision deployment

Step 3: Test Scaling Behavior

  1. Open Azure Cloud Shell
  2. Generate load to test scaling:
    # Replace with your app URL
    $appUrl = "https://web-frontend.xxx.azurecontainerapps.io"
    # Generate load: 100 sequential GET requests, 100 ms apart
    for ($i = 1; $i -le 100; $i++) {
        Invoke-RestMethod -Uri $appUrl -Method GET
        Start-Sleep -Milliseconds 100
    }
  3. Monitor scaling in the portal under “Metrics”
  4. Observe new replicas being created

Expected Results: Container app automatically scales based on traffic and resource utilization with configurable scaling rules.

Part 3: Deploy Microservices Architecture

Step 1: Deploy API Backend Service

  1. Create a new container app: api-backend
  2. Configure the backend service:
    • Container image: mcr.microsoft.com/azuredocs/containerapps-helloworld:latest
    • Target port: 80
    • Ingress: Internal only (for service-to-service communication)
  3. Configure environment variables:
    • DATABASE_URL: Connection string to PostgreSQL
    • STORAGE_ACCOUNT: Name of the storage account
  4. Deploy the backend service

Step 2: Configure Service Discovery

  1. Go to web-frontend container app
  2. Edit the container configuration
  3. Add environment variable:
    • API_BACKEND_URL: http://api-backend
  4. Save and redeploy
  5. Verify internal service communication works

Step 3: Deploy Data Processing Service

  1. Create container app: data-processor
  2. Configure as background service:
    • Container image: mcr.microsoft.com/azuredocs/containerapps-helloworld:latest
    • Ingress: Disabled (background processing)
    • Min replicas: 1
    • Max replicas: 5
  3. Configure CPU-based scaling for processing workloads
  4. Add managed identity for secure resource access

Expected Results: Multiple microservices deployed with internal communication and secure service discovery working between components.
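
The following check is an added example, not part of the original lab. It audits exported app configuration for the ingress exposure that Parts 1 and 3 set up (web-frontend external, api-backend internal only, data-processor disabled) and for environment variables that carry a credential in plain text, which is what Part 5 later replaces with a Key Vault reference. The input is assumed to be shaped like the resource JSON returned by `az containerapp show`; the sample apps and values are constructed.

```python
import re

# Exposure each app should have according to the lab steps (Parts 1 and 3).
EXPECTED_INGRESS = {"web-frontend": "external", "api-backend": "internal", "data-processor": "disabled"}
# Credential markers: key=value secrets, or user:password@ inside a URL.
CREDENTIAL = re.compile(r"(?i)(password|pwd|accountkey)=|://[^/@\s]+:[^/@\s]+@")


def exposure(app):
    """Classify ingress as external, internal or disabled."""
    ingress = app["properties"]["configuration"].get("ingress")
    if not ingress:
        return "disabled"
    return "external" if ingress.get("external") else "internal"


def audit(app):
    """Return findings where an app drifts from the posture the lab configures."""
    name, props, findings = app["name"], app["properties"], []
    want, got = EXPECTED_INGRESS.get(name), exposure(app)
    if want and got != want:
        findings.append(f"{name}: ingress is {got}, expected {want}")
    for container in props["template"]["containers"]:
        for var in container.get("env") or []:
            if "secretRef" not in var and CREDENTIAL.search(var.get("value") or ""):
                findings.append(f"{name}: env {var['name']} holds a credential in plain text")
    return findings


def sample_app(name, ingress, env):
    """Constructed input, shaped like the resource JSON from `az containerapp show`."""
    return {"name": name, "properties": {"configuration": {"ingress": ingress},
                                         "template": {"containers": [{"name": name, "env": env}]}}}


SAMPLE = [  # constructed values, not taken from a real environment
    sample_app("web-frontend", {"external": True, "targetPort": 80},
               [{"name": "API_BACKEND_URL", "value": "http://api-backend"}]),
    sample_app("api-backend", {"external": True, "targetPort": 80},  # drifted from "internal"
               [{"name": "DATABASE_URL", "value": "postgresql://app:constructed-pw@db.example/sampledb"}]),
    sample_app("data-processor", None, [{"name": "DATABASE_CONNECTION", "secretRef": "database-connection"}]),
]

if __name__ == "__main__":
    for app in SAMPLE:
        print(app["name"], audit(app) or "ok")
```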

Part 4: Implement Advanced Traffic Management

Step 1: Create Blue-Green Deployment

  1. Go to web-frontend container app
  2. Create a new revision with updated configuration:
    • Container image: mcr.microsoft.com/azuredocs/containerapps-helloworld:latest
    • Environment variable: VERSION=green
  3. Configure traffic splitting:
    • Blue revision: 80% traffic
    • Green revision: 20% traffic
  4. Save and monitor traffic distribution

Step 2: Test Traffic Splitting

  1. Visit the application URL multiple times
  2. Observe different versions being served
  3. Monitor performance metrics for both revisions
  4. Gradually shift traffic to the green revision
  5. Complete the deployment by routing 100% to green

Step 3: Configure Custom Domain

  1. Go to Container Apps Environment
  2. Click “Custom domains”
  3. Add a custom domain (you can use a test domain):
    • Domain: app.yourdomain.com
    • Certificate: Upload or use managed certificate
  4. Configure DNS records as instructed
  5. Bind the domain to your web-frontend app

Expected Results: Advanced traffic management with blue-green deployments and custom domain configuration working properly.

Part 5: Configure Security and Identity

Step 1: Enable Managed Identity

  1. Go to api-backend container app
  2. Click “Identity” under Settings
  3. Enable system-assigned managed identity
  4. Copy the Principal ID for later use

Step 2: Configure Key Vault Integration

  1. Go to the Key Vault kv-containerlab[unique]
  2. Add access policy for the managed identity:
    • Principal: Container app managed identity
    • Secret permissions: Get, List
  3. Go back to api-backend container app
  4. Add Key Vault reference:
    • Name: DATABASE_CONNECTION
    • Value: Key Vault secret reference

Step 3: Configure Secure Storage Access

  1. Go to Storage Account
  2. Assign “Storage Blob Data Reader” role to container app identity
  3. Update data-processor app:
    • Remove connection string environment variable
    • Add managed identity authentication code
  4. Test secure access to storage without connection strings

Expected Results: Container apps authenticate securely using managed identity without storing credentials in configuration.
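
Step 3 asks for managed identity authentication code without showing any. The sketch below is an added example, not the lab's own code: it requests a token from the identity endpoint that Container Apps injects into the replica (`IDENTITY_ENDPOINT`, `IDENTITY_HEADER`) and uses it as a bearer token against the `uploads` container, refusing to run while a key-based connection string is still present. It assumes a system-assigned identity and that `STORAGE_ACCOUNT` is set on the app as in Part 3 Step 1.

```python
import json
import os
import urllib.parse
import urllib.request

STORAGE_RESOURCE = "https://storage.azure.com/"  # token audience for Blob storage


def leaked_storage_keys(env):
    """Names of environment variables that still carry an account key or SAS."""
    return sorted(k for k, v in env.items() if "AccountKey=" in v or "SharedAccessSignature=" in v)


def token_request(env, resource=STORAGE_RESOURCE):
    """Build the managed identity token request from the variables the platform injects."""
    try:
        endpoint, secret = env["IDENTITY_ENDPOINT"], env["IDENTITY_HEADER"]
    except KeyError as missing:
        raise RuntimeError(f"{missing.args[0]} not set: managed identity is not enabled") from None
    query = urllib.parse.urlencode({"resource": resource, "api-version": "2019-08-01"})
    return urllib.request.Request(f"{endpoint}?{query}", headers={"X-IDENTITY-HEADER": secret})


def list_blobs_request(account, container, access_token):
    """Build a List Blobs call authorised by the bearer token instead of a key."""
    url = f"https://{account}.blob.core.windows.net/{container}?restype=container&comp=list"
    headers = {"Authorization": f"Bearer {access_token}", "x-ms-version": "2020-04-08"}
    return urllib.request.Request(url, headers=headers)


def main():
    env = dict(os.environ)
    if leaked_storage_keys(env):
        raise SystemExit(f"remove key-based settings first: {leaked_storage_keys(env)}")
    with urllib.request.urlopen(token_request(env), timeout=10) as resp:
        token = json.load(resp)["access_token"]
    # Assumption: STORAGE_ACCOUNT is set on this app; "uploads" is the lab's container.
    request = list_blobs_request(env["STORAGE_ACCOUNT"], "uploads", token)
    with urllib.request.urlopen(request, timeout=10) as resp:
        print(resp.status, len(resp.read()), "bytes of blob listing")


if __name__ == "__main__":
    main()
```

A 403 from the listing call with a valid token usually means the role assignment from step 2 is missing or has not propagated yet.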

Part 6: Monitor and Troubleshoot Applications

Step 1: Configure Application Insights

  1. Go to Container Apps Environment
  2. Review Application Insights integration
  3. Navigate to Application Insights resource
  4. Explore application map showing service dependencies
  5. Review performance metrics and request telemetry

Step 2: Configure Custom Metrics and Alerts

  1. Go to web-frontend container app
  2. Click “Metrics” under Monitoring
  3. Create custom metric charts:
    • HTTP requests per second
    • Response time percentiles
    • Active replicas
  4. Create alert rules:
    • High response time alert
    • Scaling event notifications

Step 3: Analyze Logs and Troubleshoot

  1. Go to “Logs” under Monitoring
  2. Run queries to analyze application behavior:
    ContainerAppConsoleLogs_CL
    | where ContainerAppName_s == "web-frontend"
    | where TimeGenerated > ago(1h)
    | order by TimeGenerated desc
  3. Create custom dashboard for monitoring
  4. Set up log-based alerts for error conditions
  5. Practice troubleshooting common container issues

Expected Results: Comprehensive monitoring and troubleshooting capabilities with custom dashboards and proactive alerting configured.


Troubleshooting Guide

Deployment Issues

  • Container app won't start: Check container image availability and port configuration
  • Ingress not working: Verify target port matches container listening port
  • Environment issues: Check Container Apps Environment health and networking
  • Resource constraints: Review CPU/memory limits and scaling configuration

Scaling Issues

  • Apps not scaling: Verify scaling rules and metrics collection
  • Slow scaling response: Check scaling rule thresholds and cooldown periods
  • Resource quota errors: Review subscription limits and environment capacity
  • Cold start delays: Consider minimum replica configuration

Networking Issues

  • Service discovery failures: Verify internal ingress configuration and DNS resolution
  • External access issues: Check ingress settings and custom domain configuration
  • SSL certificate problems: Verify domain ownership and certificate binding
  • Database connectivity: Check managed identity permissions and connection strings

Security Issues

  • Managed identity failures: Verify RBAC assignments and Key Vault access policies
  • Secret access errors: Check Key Vault references and secret names
  • Authentication issues: Review managed identity configuration and API permissions
  • Network security: Verify NSG rules and virtual network configuration

Key Takeaways

After completing this lab, you should understand:

  • Azure Container Apps provides serverless container hosting with automatic scaling and traffic management
  • Microservices architecture benefits from service discovery, internal networking, and independent scaling
  • Traffic splitting enables safe deployments with blue-green and canary deployment patterns
  • Managed identity eliminates the need for connection strings and provides secure Azure resource access
  • Built-in observability offers comprehensive monitoring without additional configuration
  • Scaling flexibility supports HTTP, CPU, memory, and custom metric-based auto-scaling

Decision Matrix: When to Use Container Apps

Scenario            | Container Apps | AKS              | App Service       | Container Instances
--------------------|----------------|------------------|-------------------|--------------------
Microservices       | ✅ Recommended | ✅ Good          | ⚠️ Monolith focus | ❌ No orchestration
Event-driven apps   | ✅ Recommended | ⚠️ Complex setup | ❌ Limited scaling | ⚠️ Manual scaling
API backends        | ✅ Recommended | ✅ Good          | ✅ Good           | ⚠️ Basic features
Batch processing    | ✅ Recommended | ✅ Good          | ❌ Not suitable   | ✅ Simple jobs
Enterprise apps     | ✅ Good        | ✅ Recommended   | ✅ Good           | ❌ Limited features
Development/Testing | ✅ Recommended | ⚠️ Complex       | ✅ Good           | ✅ Simple

Key Decision Factors:

  • Serverless scaling: Container Apps scales to zero and handles traffic spikes automatically
  • Simplicity: Less operational overhead than AKS with similar container capabilities
  • Cost efficiency: Pay only for resources used with automatic scaling
  • Integration: Native integration with Azure services and managed identity

Cleanup Instructions

  1. Navigate to Resource Groups in Azure portal
  2. Click on “ContainerApps-Lab-RG”
  3. Click “Delete resource group”
  4. Type the resource group name to confirm
  5. Click “Delete”

Estimated cleanup time: 5-10 minutes


Additional Resources