AZ-104 Objective 3.3: Provision and Manage Containers in the Azure Portal
AZ-104 Exam Focus: This objective covers container management in Azure, including Azure Container Registry (ACR), Azure Container Instances (ACI), and Azure Container Apps. Understanding container provisioning, registry management, scaling, and sizing is crucial for Azure administrators working with containerized applications. Master these concepts for both exam success and real-world container management in Azure.
Understanding Containers in Azure
Containers provide a lightweight, portable way to package and deploy applications with their dependencies. Azure offers several container services to meet different deployment scenarios, from simple container instances to fully managed container orchestration platforms. Containers can be deployed using ARM templates and Bicep and often require integration with Azure Virtual Networks for secure communication.
Azure Container Services Overview
- Azure Container Registry (ACR): Private Docker registry for storing container images
- Azure Container Instances (ACI): Serverless containers for simple, isolated workloads
- Azure Container Apps: Serverless container platform for microservices and event-driven applications
- Azure Kubernetes Service (AKS): Managed Kubernetes for complex container orchestration
1. Create and Manage an Azure Container Registry
Azure Container Registry (ACR) is a managed Docker registry service that allows you to store and manage container images. It integrates with Azure services and provides enterprise-grade features for container image management.
ACR Key Features
Core Capabilities:
- Private Registry: Secure storage for container images
- Geographic Replication: Multi-region image replication
- Webhooks: Automated triggers for image updates
- Content Trust: Image signing and verification
- Vulnerability Scanning: Security scanning of container images
- Azure Integration: Seamless integration with Azure services
Creating an Azure Container Registry
ACR Service Tiers:
- Basic: Cost-effective for development scenarios
- Standard: Most common tier for production workloads
- Premium: Advanced features like geo-replication and content trust
```bash
# Create Azure Container Registry
# (--admin-enabled true turns on the registry's shared admin username/password)
az acr create --resource-group myResourceGroup --name myACR --sku Standard --admin-enabled true

# Login to ACR
az acr login --name myACR

# Build and push an image
az acr build --registry myACR --image myapp:latest .

# Import an image from Docker Hub into the registry
az acr import --name myACR --source docker.io/library/nginx:latest --image nginx:latest
```
ACR Management Operations
```bash
# List repositories
az acr repository list --name myACR

# List tags for a repository
az acr repository show-tags --name myACR --repository myapp

# Delete an image
az acr repository delete --name myACR --image myapp:latest

# Enable admin user
az acr update --name myACR --admin-enabled true

# Get login credentials
az acr credential show --name myACR
```
ACR Security and Access Control
Security Features:
- Azure AD Integration: Role-based access control
- Managed Identity: Passwordless authentication
- Content Trust: Image signing and verification
- Vulnerability Scanning: Automated security scanning
- Network Rules: Restrict access by IP address or VNet
- Private Endpoints: Secure connectivity from VNets
2. Provision a Container by Using Azure Container Instances
Azure Container Instances (ACI) is the fastest and simplest way to run a container in Azure. It provides serverless containers without requiring you to manage any underlying infrastructure.
ACI Key Features
Core Capabilities:
- Serverless: No infrastructure management required
- Fast Startup: Containers start in seconds
- Pay-per-Second: Only pay for the time containers are running
- Hypervisor Isolation: Secure container isolation
- Custom Images: Use images from any registry
- Persistent Storage: Azure Files integration
Creating Container Instances
```bash
# Create a simple container instance
az container create --resource-group myResourceGroup --name myContainer --image nginx --ports 80 --dns-name-label myapp

# Create container with environment variables
# (mypassword is a placeholder for the registry credential)
az container create \
  --resource-group myResourceGroup \
  --name myContainer \
  --image myacr.azurecr.io/myapp:latest \
  --registry-login-server myacr.azurecr.io \
  --registry-username myacr \
  --registry-password mypassword \
  --environment-variables 'ENV=production' 'DEBUG=false' \
  --ports 8080

# Create container with Azure Files mount
# (mykey is a placeholder for the storage account key)
az container create \
  --resource-group myResourceGroup \
  --name myContainer \
  --image myapp:latest \
  --azure-file-volume-share-name myshare \
  --azure-file-volume-account-name mystorageaccount \
  --azure-file-volume-account-key mykey \
  --azure-file-volume-mount-path /mnt/azure
```
Container Instance Management
```bash
# List container instances
az container list --resource-group myResourceGroup

# Get container logs
az container logs --resource-group myResourceGroup --name myContainer

# Execute command in running container
az container exec --resource-group myResourceGroup --name myContainer --exec-command "/bin/bash"

# Restart container
az container restart --resource-group myResourceGroup --name myContainer

# Delete container
az container delete --resource-group myResourceGroup --name myContainer
```
ACI Use Cases and Limitations
| Use Case | Suitable For | Limitations |
|---|---|---|
| Simple Applications | Web apps, APIs, batch jobs | Single container per instance |
| Development/Testing | Quick deployments, demos | No orchestration features |
| Event Processing | Data processing, ETL jobs | Limited networking options |
| Microservices | Simple microservices | No service discovery |
3. Provision a Container by Using Azure Container Apps
Azure Container Apps is a serverless container platform that enables you to run microservices and containerized applications without managing complex infrastructure. It's built on Kubernetes and provides advanced features for modern application development.
Container Apps Key Features
Core Capabilities:
- Serverless Containers: No infrastructure management
- Auto-scaling: Scale from 0 to many instances
- Event-driven: Trigger scaling based on events
- Multiple Revisions: Blue-green and canary deployments
- Ingress: Built-in load balancing and SSL termination
- Dapr Integration: Microservices building blocks
- Environment Variables: Secure configuration management
Creating Container Apps Environment
```bash
# Create Container Apps environment
az containerapp env create \
  --name myContainerAppEnv \
  --resource-group myResourceGroup \
  --location eastus

# Create a container app
# (mypassword is a placeholder for the registry credential)
az containerapp create \
  --name myContainerApp \
  --resource-group myResourceGroup \
  --environment myContainerAppEnv \
  --image myacr.azurecr.io/myapp:latest \
  --target-port 8080 \
  --ingress external \
  --registry-server myacr.azurecr.io \
  --registry-username myacr \
  --registry-password mypassword \
  --env-vars 'ENV=production' 'DEBUG=false'
```
Container Apps Scaling Configuration
```bash
# Configure scaling rules
az containerapp update \
  --name myContainerApp \
  --resource-group myResourceGroup \
  --min-replicas 1 \
  --max-replicas 10 \
  --scale-rule-name http-rule \
  --scale-rule-type http \
  --scale-rule-metadata concurrentRequests=30

# Configure CPU-based scaling
az containerapp update \
  --name myContainerApp \
  --resource-group myResourceGroup \
  --scale-rule-name cpu-rule \
  --scale-rule-type cpu \
  --scale-rule-metadata type=Utilization value=70
```
Container Apps Deployment Strategies
Deployment Options:
- Blue-Green Deployment: Instant switch between versions
- Canary Deployment: Gradual traffic shifting
- Revision Management: Multiple active revisions
- Traffic Splitting: Distribute traffic across revisions
- Rollback Capability: Quick reversion to previous versions
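```bash
# Switch to multiple-revision mode so the previous revision stays active
az containerapp revision set-mode \
  --name myContainerApp \
  --resource-group myResourceGroup \
  --mode multiple

# Deploy new revision
az containerapp update \
  --name myContainerApp \
  --resource-group myResourceGroup \
  --image myacr.azurecr.io/myapp:v2

# Configure traffic splitting (weights are set on the ingress, not on set-mode)
az containerapp ingress traffic set \
  --name myContainerApp \
  --resource-group myResourceGroup \
  --revision-weight myContainerApp--v1=70 myContainerApp--v2=30
```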
4. Manage Sizing and Scaling for Containers
Proper sizing and scaling configuration is crucial for optimizing performance and costs. Both Azure Container Instances and Azure Container Apps offer different scaling mechanisms to meet various workload requirements.
Azure Container Instances Sizing
ACI Resource Allocation:
- CPU: 0.1 to 4 cores per container group
- Memory: 0.1 to 16 GB per container group
- GPU: Available for specific VM sizes
- Storage: 20 GB temporary storage included
- Networking: Public or private IP addresses
```bash
# Create ACI with specific resource allocation
az container create \
  --resource-group myResourceGroup \
  --name myContainer \
  --image myapp:latest \
  --cpu 2 \
  --memory 4 \
  --ports 8080

# Create ACI with GPU support
az container create \
  --resource-group myResourceGroup \
  --name myGPUContainer \
  --image tensorflow/tensorflow:latest-gpu \
  --cpu 2 \
  --memory 8 \
  --gpu-count 1 \
  --gpu-sku K80
```
Azure Container Apps Scaling
Scaling Triggers:
- HTTP Requests: Scale based on concurrent requests
- CPU Utilization: Scale based on CPU percentage
- Memory Utilization: Scale based on memory usage
- Custom Metrics: Scale based on application metrics
- Event-driven: Scale based on message queue length
```bash
# Configure comprehensive scaling
# The CLI accepts one scale rule per command; when the --scale-rule-* flags are
# repeated, only the last set is used. Further rules (for example a cpu rule
# with type=Utilization value=80) go in the app's YAML or ARM/Bicep definition.
az containerapp update \
  --name myContainerApp \
  --resource-group myResourceGroup \
  --min-replicas 0 \
  --max-replicas 20 \
  --scale-rule-name http-scale \
  --scale-rule-type http \
  --scale-rule-metadata concurrentRequests=50
```
Scaling Comparison
| Feature | Azure Container Instances | Azure Container Apps |
|---|---|---|
| Scaling Type | Manual, scheduled | Automatic, event-driven |
| Scale to Zero | Yes (stop/start) | Yes (automatic) |
| Max Instances | Limited by subscription | Configurable (up to 300) |
| Scaling Triggers | Manual, time-based | HTTP, CPU, memory, custom |
| Startup Time | Seconds | Seconds to minutes |
Cost Optimization Strategies
Best Practices:
- Right-size Resources: Match CPU and memory to actual needs
- Scale to Zero: Use minimum replicas of 0 for intermittent workloads
- Use Spot Instances: For fault-tolerant, batch workloads
- Optimize Images: Use smaller base images to reduce startup time
- Monitor Usage: Track resource utilization and adjust accordingly
- Reserved Capacity: Consider reserved instances for predictable workloads
Container Security Best Practices
Security Considerations:
- Image Security: Use trusted base images and scan for vulnerabilities
- Registry Security: Enable content trust and vulnerability scanning
- Network Security: Use private endpoints and network security groups
- Identity Management: Use managed identities for authentication
- Secrets Management: Use Azure Key Vault for sensitive configuration
- Runtime Security: Implement proper RBAC and least privilege access
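The registry and container checks listed above (and under ACR Security and Access Control) can be run against the JSON that `az acr show` and `az container show` return. This is an added example, not part of the original guide: the sample documents are constructed, the finding labels are made up for illustration, and the field names assume the CLI's usual camelCase resource output.

```python
import json

# Constructed samples shaped like `az acr show` / `az container show` output;
# all values are illustrative and not taken from a real subscription.
SAMPLE_REGISTRY = json.loads("""{
  "name": "myACR", "sku": {"name": "Standard"},
  "adminUserEnabled": true, "publicNetworkAccess": "Enabled",
  "networkRuleSet": null
}""")
SAMPLE_GROUP = json.loads("""{
  "name": "myContainer", "identity": null,
  "ipAddress": {"type": "Public", "ports": [{"port": 8080}]},
  "imageRegistryCredentials": [{"server": "myacr.azurecr.io", "username": "myacr"}],
  "containers": [{"name": "myContainer", "environmentVariables": [
    {"name": "ENV", "value": "production"},
    {"name": "DB_PASSWORD", "value": "example-only"}]}]
}""")

SECRET_HINTS = ("PASSWORD", "SECRET", "TOKEN", "KEY", "CONNECTION")

def audit_registry(reg):
    """Return findings for a registry: shared admin account, open network access."""
    findings = []
    if reg.get("adminUserEnabled"):
        findings.append("admin-user-enabled")
    rules = reg.get("networkRuleSet") or {}
    exposed = (reg.get("publicNetworkAccess", "Enabled") == "Enabled"
               and rules.get("defaultAction", "Allow") == "Allow")
    if exposed:
        findings.append("registry-open-to-all-networks")
    return findings

def audit_container_group(group):
    """Return findings for an ACI container group."""
    findings = []
    for cred in group.get("imageRegistryCredentials") or []:
        if cred.get("username") and not cred.get("identity"):
            findings.append("registry-password-auth:" + cred["server"])
    if (group.get("ipAddress") or {}).get("type") == "Public":
        findings.append("public-ip")
    for c in group.get("containers") or []:
        for env in c.get("environmentVariables") or []:
            # A readable value on a secret-looking name was set as a plain env var.
            if env.get("value") and any(h in env["name"].upper() for h in SECRET_HINTS):
                findings.append("plaintext-secret-env:" + env["name"])
    return findings

if __name__ == "__main__":
    for f in audit_registry(SAMPLE_REGISTRY) + audit_container_group(SAMPLE_GROUP):
        print(f)
```

To use it on a live resource, save the CLI output to a file (for example `az acr show --name myACR > acr.json`) and pass the parsed JSON to the matching function.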
Monitoring and Troubleshooting
```bash
# Monitor container instances (a resource name needs its resource type)
az monitor metrics list --resource myContainer --resource-group myResourceGroup --resource-type Microsoft.ContainerInstance/containerGroups

# Get container app logs
az containerapp logs show --name myContainerApp --resource-group myResourceGroup

# Review activity log events for the container instances resource provider
az monitor activity-log list --resource-group myResourceGroup --namespace Microsoft.ContainerInstance

# Check container health
az container show --resource-group myResourceGroup --name myContainer --query "instanceView.state"
```
Exam Tips and Key Points
Critical Exam Knowledge:
- ACR: Understand registry creation, image management, and security features
- ACI: Know use cases, resource allocation, and limitations
- Container Apps: Understand scaling, deployment strategies, and Dapr integration
- Scaling: Know different scaling triggers and configuration options
- Security: Understand authentication, network security, and image scanning
- Cost Management: Know optimization strategies and pricing models
- Monitoring: Understand logging, metrics, and troubleshooting approaches
Common Scenarios and Solutions
Real-World Scenarios:
- Microservices Architecture: Use Container Apps with Dapr for service communication
- Batch Processing: Use ACI for short-lived, compute-intensive tasks
- Web Applications: Use Container Apps with auto-scaling for variable traffic
- Development/Testing: Use ACI for quick container deployments
- Event Processing: Use Container Apps with event-driven scaling
- CI/CD Integration: Use ACR with Azure DevOps for image management
Summary
Azure provides comprehensive container services to meet different application requirements. This objective covers the essential container management capabilities in Azure:
- Azure Container Registry for secure image storage and management
- Azure Container Instances for simple, serverless container deployments
- Azure Container Apps for advanced microservices and event-driven applications
- Proper sizing and scaling configuration for optimal performance and cost
- Security best practices for containerized applications
- Monitoring and troubleshooting container workloads
Understanding these container services and their appropriate use cases is essential for Azure administrators to effectively deploy and manage containerized applications in Azure environments.
Next Steps: Practice creating container registries, deploying container instances, and setting up container apps with auto-scaling. Experiment with different scaling triggers and deployment strategies to understand the full capabilities of Azure container services.