
Container App Service Deep Dive by Mohammad Nofal


Slides from the following meetup: https://www.meetup.com/de-DE/microsoft-azure-zurich-user-group/events/292938328/

Azure Container Apps advanced scenarios
It's been a year since ACA went GA. What has changed since then, and how are customers using it? We will go over topics like networking, compute, scaling, and developer experience, to name a few.

About Mo:

Mohammad works as Cloud Native Apps Architect at Microsoft and is part of the Azure Global Black Belt team. He is focused on everything with Containers and Kubernetes on Azure and the surrounding cloud native ecosystem. Previously he worked 4 years at Amazon Web Services in different capacities, and before that 10 years in the telecommunication industry building distributed systems.

Links:
Github: @mohmdnofal
Twitter: @mohmd_nofal
Linkedin: https://www.linkedin.com/in/mnofal/

Azure Zurich User Group

May 17, 2023


Transcript

  1. Classified as Microsoft Confidential
    Container App Service Deep Dive
    Mohammad Nofal

  2.

  3. Scale with flexible serverless containers
    Run containers and scale in response to HTTP traffic or a growing list of KEDA-supported scale triggers, including Azure Event Hub, Apache Kafka, RabbitMQ Queue, MongoDB, MySQL, and PostgreSQL.
    Get robust autoscaling capabilities without the overhead of managing complex infrastructure.
    Scale to zero and pay for only what you use, by the second.
    (Deck pillars: Run containers at scale; Accelerate developer productivity; Build modern apps on open source)

  4. Accelerate developer productivity
    Build microservices, APIs, event processing workers, and background jobs using containers.
    Write code in your favorite programming language and accelerate development with built-in Distributed Application Runtime (Dapr) integration to simplify common tasks like event processing, pub/sub, and service invocation.
    Set up a code-to-cloud pipeline using GitHub Actions.

  5. What can you build with Azure Container Apps?
    Public API endpoints: HTTP requests are split between two revisions of the app; the first revision gets 80% of the traffic, while a new revision receives 20%. Auto-scale criteria: scaling is determined by the number of concurrent HTTP requests.
    Background processing: e.g., a continuously running background process that transforms data in a database. Auto-scale criteria: scaling is determined by the level of CPU or memory load.
    Event-driven processing: e.g., a queue reader application that processes messages as they arrive in a queue. Auto-scale criteria: scaling is determined by the number of messages in the queue.
    Microservices: deploy and manage a microservices architecture (microservice A, B, C) with the option to integrate with Dapr. Auto-scale criteria: individual microservices can scale independently using any KEDA scale trigger.
    Web applications: deploy web apps with custom domains, TLS certificates, and integrated authentication. Auto-scale criteria: scaling is determined by the number of concurrent HTTP requests.

  6. Environments
    Environments define an isolation and observability boundary around a collection of container apps deployed in the same virtual network.
    (Diagram: Environment (virtual network boundary) containing Container app 1 and Container app 2, each with Revision 1 and Revision 2; each revision runs as pods holding one or more containers.)

  7. Containers
    Containers in Azure Container Apps can use any runtime and development stack of your choice.
    (Diagram: Environment (virtual network boundary) with Container app 1 and Container app 2; each revision runs one or more replicas, and each replica holds one or more containers.)

  8. Revisions
    Revisions are immutable version snapshots of a container app.
    (Diagram: Environment (virtual network boundary) with Container app 1 and Container app 2, each holding Revision 1 and Revision 2, each revision backed by replicas of one or more containers.)

  9. Ingress
    Internal or external visibility with TLS termination and support for HTTP/1.1, HTTP/2, and TCP.
    (Diagram: ingress in front of Container app 1 splitting traffic 80% to Revision 1 and 20% to Revision 2 inside the Environment (virtual network boundary).)

  10. Environment SKUs
                                   Consumption                          Consumption + Dedicated (preview)
    Billing                        Per app                              Per node
    Underlying node customization  Provided, not configurable           Configurable (workload profiles)
    Min. subnet size               /23                                  /27
    IPs required per environment   2 x number of replicas + number of   number of nodes + number of
                                   external services + min. 60          external services + 11
                                   platform IPs                         platform IPs
    User defined route (UDR)       No                                   Yes
    Scale to zero                  Yes                                  Workload profile must keep at least 1 node
    Max CPU/memory per container   2 vCPU / 4 GiB                       4 vCPU / 8 GiB
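
The IP formulas in the SKU table turn into a quick capacity check before you carve out a subnet. The following is an added example, not code from the deck or from Microsoft. It assumes Azure reserves five addresses in every subnet, that the Consumption replica count is the peak across all apps in the environment, and the CIDRs and counts are made up.

```python
import ipaddress

# Azure reserves the first four and the last address of every subnet
# (assumption stated in the lead-in; the slide does not mention it).
AZURE_RESERVED_PER_SUBNET = 5
# Smallest subnet each SKU accepts, from the Environment SKUs table.
MIN_PREFIXLEN = {"consumption": 23, "dedicated": 27}
# Platform IPs each SKU needs on top of workload IPs, from the same table.
PLATFORM_IPS = {"consumption": 60, "dedicated": 11}


def ips_required(sku, replicas=0, nodes=0, external_services=0):
    """Apply the slide's per-SKU formula. For Consumption, 'replicas' is the
    peak replica count across all apps; for Dedicated it is the node count."""
    if sku == "consumption":
        return 2 * replicas + external_services + PLATFORM_IPS[sku]
    if sku == "dedicated":
        return nodes + external_services + PLATFORM_IPS[sku]
    raise ValueError(f"unknown SKU {sku!r}")


def usable_addresses(cidr):
    """Addresses a subnet can hand out after Azure's reserved ones."""
    net = ipaddress.ip_network(cidr)  # strict: rejects 10.0.1.0/23 (host bits set)
    return net.num_addresses - AZURE_RESERVED_PER_SUBNET


def subnet_fits(cidr, sku, **counts):
    """Return (ok, reason): the SKU's minimum size first, then capacity."""
    net = ipaddress.ip_network(cidr)
    if net.prefixlen > MIN_PREFIXLEN[sku]:
        return False, f"{cidr} is smaller than the /{MIN_PREFIXLEN[sku]} minimum for {sku}"
    need, have = ips_required(sku, **counts), usable_addresses(cidr)
    return need <= have, f"need {need} IPs, subnet provides {have}"


def max_consumption_replicas(cidr, external_services=0):
    """Peak replica count a Consumption environment can reach in this subnet."""
    spare = usable_addresses(cidr) - external_services - PLATFORM_IPS["consumption"]
    return max(0, spare // 2)


if __name__ == "__main__":
    print(subnet_fits("10.0.0.0/23", "consumption", replicas=100, external_services=2))
    print(subnet_fits("10.0.0.0/24", "consumption", replicas=10))
    print(subnet_fits("10.0.2.0/27", "dedicated", nodes=10, external_services=2))
    print(max_consumption_replicas("10.0.0.0/23"))
```

Note that a /23 Consumption subnet caps the whole environment at a little over 220 concurrent replicas across every app in it, which matters once several apps share the environment and all scale out at the same time.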

  11. Workload Profiles
    Display name    Name         Cores  Memory (GiB)  Category          Allocation
    Consumption     consumption  4      8             Consumption       per replica
    Dedicated-D4    D4           4      16            General purpose   per node
    Dedicated-D8    D8           8      32            General purpose   per node
    Dedicated-D16   D16          16     64            General purpose   per node
    Dedicated-E4    E4           4      32            Memory optimized  per node
    Dedicated-E8    E8           8      64            Memory optimized  per node
    Dedicated-E16   E16          16     128           Memory optimized  per node

  12. Consumption + Dedicated Env. View
    (Diagram: Environment (virtual network boundary) containing Workload Profile 1 (Dedicated D4) and Workload Profile 2 (Dedicated E4), each with workload profile instances hosting replicas of APP1 and APP2, alongside a Consumption profile hosting container apps APP1 and APP2 with their replicas.)

  13. Default Quotas and Limits (can be configured)
    • No limit on the number of apps per environment
    • Replicas per app = 300
    • Cores per environment = 100

  14. Environment and Ingress Visibility
    Environment  Ingress   Result
    External     External  Ingress: public IP. Egress: public IP.
    External     Internal  Ingress: app only accessible within the cluster. Egress: public IP.
    Internal     External  Ingress: private IP, app only accessible from connected networks. Egress: public IP (Consumption); UDR* (Consumption + Dedicated).
    Internal     Internal  Ingress: apps only accessible within the cluster. Egress: public IP (Consumption); UDR* (Consumption + Dedicated).

  15. Init Containers - Preview
    • Runs before the primary app container and can be used to perform initialization tasks such as downloading data or preparing the environment.
    "initContainers": [
      {
        "name": "init",
        "image": "[parameters('init_container_image')]",
        "resources": {
          "cpu": 0.25,
          "memory": "0.5Gi"
        },
        "volumeMounts": [
          {
            "mountPath": "/appsettings",
            "volumeName": "appsettings-volume"
          }
        ]
      }
    ]

  16. Network & Security
    • Ingress and egress security
      • NSGs on the subnet can be used
        Securing a custom VNET in Azure Container Apps | Microsoft Learn
    • App-to-app communication
      • Using the app name (NEW)
      • Using the automatically provided FQDN
      • Using a custom domain

  17. Network and Security
    • Ingress IP restriction
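
Ingress IP restrictions are a list of Allow or Deny rules on the app's ingress, and the easiest way to get them wrong is to assume they behave like a firewall with mixed rules. The following is an added example, not code from the deck or from Microsoft. It evaluates a rule list offline against a client address. Assumptions: the rule shape is the template's ingress.ipSecurityRestrictions (name, ipAddressRange, action), one ingress cannot mix Allow and Deny rules, an Allow list denies everything it does not match, a Deny list allows everything it does not match, and the addresses are constructed.

```python
import ipaddress

VALID_ACTIONS = {"Allow", "Deny"}

# Constructed sample in the shape of ingress.ipSecurityRestrictions
SAMPLE_RULES = [
    {"name": "corp-vpn", "ipAddressRange": "203.0.113.0/24", "action": "Allow"},
    {"name": "ci-runner", "ipAddressRange": "198.51.100.7/32", "action": "Allow"},
]


def parse_rules(rules):
    """Validate and parse rules; raise ValueError for what the platform rejects."""
    actions = {r.get("action") for r in rules}
    if not actions <= VALID_ACTIONS:
        raise ValueError(f"unknown action(s): {sorted(actions - VALID_ACTIONS)}")
    if len(actions) > 1:
        raise ValueError("Allow and Deny rules cannot be mixed on one ingress")
    parsed = []
    for r in rules:
        # strict=False accepts a host address with a prefix, e.g. 10.0.0.7/24
        net = ipaddress.ip_network(r["ipAddressRange"], strict=False)
        parsed.append((r["name"], net, r["action"]))
    return parsed


def validation_error(rules):
    """Return the rejection reason, or None when the rule set is well-formed."""
    try:
        parse_rules(rules)
    except ValueError as exc:
        return str(exc)
    return None


def matching_rule(rules, client_ip):
    """Name of the first rule whose range contains client_ip, or None."""
    ip = ipaddress.ip_address(client_ip)
    for name, net, _ in parse_rules(rules):
        if ip.version == net.version and ip in net:
            return name
    return None


def is_allowed(rules, client_ip):
    """Would a request from client_ip reach the app through this ingress?
    No rules: everything is allowed. Allow list: only matches get through.
    Deny list: only matches are blocked."""
    parsed = parse_rules(rules)
    if not parsed:
        return True
    matched = matching_rule(rules, client_ip) is not None
    return matched if parsed[0][2] == "Allow" else not matched


def broad_allow_rules(rules, widest_ok=16):
    """IPv4 Allow rules wider than /widest_ok deserve a second look;
    0.0.0.0/0 'allows' everything and switches the restriction off."""
    return [name for name, net, action in parse_rules(rules)
            if action == "Allow" and net.version == 4 and net.prefixlen < widest_ok]


if __name__ == "__main__":
    for ip in ("203.0.113.45", "198.51.100.7", "198.51.100.8", "2001:db8::1"):
        verdict = "allowed" if is_allowed(SAMPLE_RULES, ip) else "denied"
        print(f"{ip:15} {verdict:8} via {matching_rule(SAMPLE_RULES, ip)}")
```

Run it against the rule list you are about to deploy, with the addresses of your VPN egress, CI runners and monitoring probes, before the change goes out; the IPv6 client in the sample shows why an Allow list built only from IPv4 ranges silently locks out v6 clients.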

  18. Network and Security
    • Session affinity (preview), AKA sticky sessions, allows you to route all requests from a client to the same replica.

  19. Networking with Dedicated + Consumption

  20. Policies
    • List of built-in policy definitions - Azure Policy | Microsoft Learn

  21. GitHub Actions integration
    Publish revisions as commits are pushed to your GitHub repository by triggering a GitHub Action to build a new container image.
    (Diagram: code check-in to the GitHub repository; a GitHub Action builds the container image and pushes it to Azure Container Registry; the Environment (virtual network boundary) rolls it out as a new revision (Revision 1, Revision 2) of Container app 1.)

  22. Persistence
    • Ephemeral
    • Azure Files

  23. Managed Identities
    • Enable managed identity for a container app
    • Can be system-assigned or user-assigned
    Use cases
    • Identity-based connections in the app (e.g., connect to SQL Server)
    • Pull images from Azure Container Registry
    • Key Vault references – preview
    • KEDA scaler configuration – planned

  24. Secret Management - Environment Variables
    "resources": [
      {
        ...
        "properties": {
          "configuration": {
            "secrets": [
              {
                "name": "queue-connection-string",
                "value": ""
              }
            ]
          }
        }
      }
    ]

  25. Secret Management - Reference from Key Vault (PREVIEW)
    "resources": [
      {
        ...
        "properties": {
          "configuration": {
            "secrets": [
              {
                "name": "queue-connection-string",
                "keyVaultUrl": "",
                "identity": "System"
              }
            ]
          }
        }
      }
    ]
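
The two secret shapes above (a literal value in the template, or a Key Vault reference resolved with a managed identity) are easy to mix up in a large template, and the mistakes do not fail the deployment: a literal connection string sits in the deployment history, a Key Vault reference on an app with no identity fails only at runtime, and an env var with a secretRef to a secret nobody defined starts the revision without it. The following is an added example, not code from the deck or from Microsoft, covering both this slide and the previous one: a linter over the Microsoft.App/containerApps resource shape (properties.configuration.secrets, properties.template.containers[].env, identity). The check names, the sensitive-name heuristic and the sample resource are this example's own.

```python
import copy
import json
import re

# Env var names that should never carry an inline value (this example's own heuristic)
SENSITIVE_NAME = re.compile(r"PASSW(OR)?D|SECRET|TOKEN|KEY|CONN(ECTION)?_?STR", re.I)

# Constructed sample: a literal secret, a Key Vault reference on an app whose
# identity is switched off, an inline connection string, a dangling secretRef.
SAMPLE_RESOURCE = json.loads("""
{
  "type": "Microsoft.App/containerApps",
  "name": "orders-api",
  "identity": { "type": "None" },
  "properties": {
    "configuration": {
      "secrets": [
        { "name": "queue-connection-string",
          "value": "Endpoint=sb://example.servicebus.windows.net/;SharedAccessKey=REDACTED" },
        { "name": "db-password",
          "keyVaultUrl": "https://example-kv.vault.azure.net/secrets/db-password",
          "identity": "System" }
      ]
    },
    "template": {
      "containers": [ {
        "name": "api", "image": "example.azurecr.io/orders:1.0",
        "env": [
          { "name": "DB_PASSWORD", "secretRef": "db-password" },
          { "name": "STORAGE_CONNECTION_STRING", "value": "DefaultEndpointsProtocol=https;AccountKey=REDACTED" },
          { "name": "API_TOKEN", "secretRef": "api-token" }
        ] } ]
    }
  }
}
""")


def lint_container_app(resource):
    """Return (severity, check, detail) tuples, errors before warnings."""
    findings = []
    props = resource.get("properties", {})
    identity_type = resource.get("identity", {}).get("type", "None")
    defined = set()

    for s in props.get("configuration", {}).get("secrets", []):
        name = s.get("name", "<unnamed>")
        defined.add(name)
        if "keyVaultUrl" in s:
            ident = s.get("identity")
            if not ident:
                findings.append(("error", "kv-ref-without-identity",
                                 f"secret '{name}' references Key Vault but sets no identity"))
            elif ident.lower() == "system" and "SystemAssigned" not in identity_type:
                findings.append(("error", "kv-ref-identity-not-enabled",
                                 f"secret '{name}' uses the system identity but identity.type is '{identity_type}'"))
        else:
            value = s.get("value") or ""
            # A literal lands in the template and its deployment history;
            # an ARM expression such as "[parameters('x')]" is passed through.
            if value and not value.startswith("["):
                findings.append(("warn", "inline-secret-value",
                                 f"secret '{name}' has a literal value in the template"))

    for c in props.get("template", {}).get("containers", []):
        for env in c.get("env", []):
            ename, cname = env.get("name", "<unnamed>"), c.get("name", "<unnamed>")
            if "secretRef" in env:
                if env["secretRef"] not in defined:
                    findings.append(("error", "dangling-secret-ref",
                                     f"env '{ename}' in '{cname}' references undefined secret '{env['secretRef']}'"))
            elif "value" in env and SENSITIVE_NAME.search(ename):
                findings.append(("warn", "sensitive-env-inline",
                                 f"env '{ename}' in '{cname}' looks sensitive but is set inline; use secretRef"))

    return sorted(findings, key=lambda f: {"error": 0, "warn": 1}[f[0]])


def check_names(resource):
    """Only the check identifiers, for CI gates and assertions."""
    return [f[1] for f in lint_container_app(resource)]


# The same app with every finding fixed: system identity on, the literal replaced
# by a template parameter, the connection string and token moved into secrets.
HARDENED_RESOURCE = copy.deepcopy(SAMPLE_RESOURCE)
HARDENED_RESOURCE["identity"] = {"type": "SystemAssigned"}
_secrets = HARDENED_RESOURCE["properties"]["configuration"]["secrets"]
_secrets[0]["value"] = "[parameters('queueConnectionString')]"
_secrets += [
    {"name": "storage-connection-string", "value": "[parameters('storageConnectionString')]"},
    {"name": "api-token", "keyVaultUrl": "https://example-kv.vault.azure.net/secrets/api-token",
     "identity": "System"},
]
_env = HARDENED_RESOURCE["properties"]["template"]["containers"][0]["env"]
_env[1] = {"name": "STORAGE_CONNECTION_STRING", "secretRef": "storage-connection-string"}

if __name__ == "__main__":
    for sev, check, detail in lint_container_app(SAMPLE_RESOURCE):
        print(f"{sev.upper():5} {check}: {detail}")
    print("hardened:", check_names(HARDENED_RESOURCE) or "clean")
```

Parameters are treated as acceptable because a secureString parameter keeps the value out of the template text; the preferred end state is still the Key Vault reference from this slide, with a user-assigned identity when several apps need to share the same vault access.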

  26. Secret Management - Dapr Secret Store
    componentType: secretstores.azure.keyvault
    version: v1
    metadata:
      - name: vaultName
        value: KEY_VAULT_NAME
    scopes:
      - CONTAINER_APP_NAME

  27. Logging
    Containers write logs to the standard output or standard error streams, surfaced via Log Analytics.
    (Diagram: in the Environment, each replica of Container app 1 (Revision 1, Revision 2) writes stdout/stderr, which is collected into Log Analytics.)

  28. Observability
    • Log options
      • Log Analytics: default option, all logs are stored in Azure Log Analytics
      • Azure Monitor: route your logs to a destination configured in Diagnostic Settings (can be Azure Storage, Event Hub, or partner solutions, i.e. Datadog)
      • None: no storage of logs (can be used if you have custom logging, i.e. Telegraf)
    • Custom metrics -- PLANNED

  29. ACA on Arc-enabled Kubernetes
    • Deploy ACA to an Arc-connected Kubernetes cluster
    • Young/limited features, i.e. no managed identities
    • The way ahead for apps on Arc-connected Kubernetes clusters

  30. Using the Distributed Application Runtime (Dapr)

  31. Fully managed Dapr using the sidecar model
    Service-to-service invocation
      POST http://localhost:3500/v1.0/invoke/cart/method/neworder
    State management
      GET http://localhost:3500/v1.0/state/inventory/item67
    Publish and subscribe
      POST http://localhost:3500/v1.0/publish/shipping/orders
    (Diagram: the containerized application calls the Dapr API on its sidecar over HTTP or gRPC.)

  32. Dapr components
    Swappable YAML files with resource connection details. Over 70 components available.
    Create components for your resource at: github.com/dapr/components-contrib
    (Diagram: the containerized application and its sidecar wired to observability backends (Prometheus, AppInsights, Jaeger, Zipkin), state stores and pub/sub brokers.)

  33. Publish and subscribe
    Create event-driven, loosely coupled architectures where producers send events to consumers via topics.
    (Diagram: within the Environment, the Cart app (publish) and the Shipping app (subscribe) each call the Dapr API on their sidecar over HTTP or gRPC; the sidecars exchange events through any Dapr pub/sub component, e.g. AWS SQS, GCP Pub/Sub, Azure Event Hub.)
    Request shown on the slide:
      POST http://localhost:3500/v1.0/state/corpdb
      [{
        "key": "fruit",
        "value": "Orange"
      }]

  34. Distributed Application Runtime (dapr.io)
    Portable, event-driven runtime for building distributed applications across cloud and edge.
    Microservices using any language or framework; any cloud or edge infrastructure.
    (Diagram layers: application code, microservices written in any language or framework; HTTP API and gRPC API; building blocks: service-to-service invocation, state management, publish and subscribe, resource bindings and triggers, actors, observability, secrets, extensible; hosting infrastructure: Azure, Azure Arc, on-premises.)

  35. (Diagram: sample application on Container Apps. A Virtual Customer drives the UI and Order Service, a Virtual Worker drives the Makeline Service; Loyalty Service, Receipt Service and Accounting Service (backed by an Entity Framework state store) consume through output bindings and a shared state store.)

  36. Service to service invocation
    Fully managed Dapr APIs provide a rich set of capabilities and productivity gains.
    Service-to-service call from Container app 1 to Container app 2 through the sidecar:
      POST http://localhost:3500/v1.0/invoke/app2
    (Diagram: within the Environment, each containerized application calls the Dapr API on its own sidecar over HTTP or gRPC; the sidecars carry the call between the two apps.)

  37. State management
    Dapr provides apps with state management capabilities for CRUD operations, transactions and more.
      POST http://localhost:3500/v1.0/state/corpdb
      [{
        "key": "fruit",
        "value": "Orange"
      }]
    (Diagram: Container app 1 calls the Dapr API on its sidecar over HTTP or gRPC; the sidecar writes to any Dapr state store, e.g. Firebase, Redis cache, Azure Cosmos DB.)

  38. Observability
    Intercept traffic and extract tracing, metrics, and logging information. Configure Azure Application Insights for distributed tracing across your services.
    (Diagram: the sidecars of Container app 1 and Container app 2 emit traces for their service-to-service calls to a collector in the Environment, which forwards them to Azure Application Insights.)

  39. Scaling and using the Kubernetes Event Driven Autoscaler (KEDA)

  40. Kubernetes-based Event Driven Autoscaler (keda.sh)
    Application autoscaling made simple: open-source, extensible, and vendor agnostic. Drive the scaling of any container based on a growing list of 35+ event sources, known as scalers.
    • Event-driven: intelligently scale your event-driven applications
    • Built-in scalers: out-of-the-box scalers for various vendors, databases, messaging systems, telemetry systems, CI/CD, and more
    • Vendor-agnostic: support for triggers across a variety of cloud providers and products
    • Rich capabilities: bring rich scaling to every workload
    Components: Metrics Adapter | Controller | Scaler

  41. Scaling
    HTTP
    {
      "name": "http-rule",
      "http": {
        "metadata": {
          "concurrentRequests": 50
        }
      }
    }
    CPU
    {
      "name": "cpu-rule",
      "custom": {
        "type": "cpu",
        "metadata": {
          "type": "Utilization",
          "value": "50"
        }
      }
    }
    Memory
    {
      "name": "mem-rule",
      "custom": {
        "type": "memory",
        "metadata": {
          "type": "AverageValue",
          "value": "512"
        }
      }
    }
    Event-driven (KEDA scalers): artemis-queue, kafka, aws-cloudwatch, aws-kinesis-stream, aws-sqs-queue, azure-blob, azure-eventhub, azure-servicebus, azure-queue, cron, external, gcp-pubsub, huawei-cloudeye, ibmmq, influxdb, mongodb, mssql, mysql, postgresql, rabbitmq, redis, redis-streams, selenium-grid, solace-event-queue, ...
    HTTP and event-driven rules support scale to zero and specifying minimum/maximum replicas; CPU and memory rules support specifying minimum/maximum replicas only (no scale to zero).
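
The three rule shapes above are declarative, so it helps to see what replica count they actually ask for, and why a CPU or memory rule in the set quietly removes scale to zero. The following is an added example, not code from the deck or from KEDA. It takes the slide's rule JSON and applies the HPA-style estimate ceil(current_replicas * observed / target) for per-replica resource rules and ceil(observed / target) for HTTP and event rules, then combines rules by taking the maximum and clamps to minReplicas/maxReplicas. The combination rule and the observed values are this example's assumptions.

```python
import math

# Scale section of a container app with the three rules from the slide
# (minReplicas/maxReplicas/rules is the template's own shape; the counts and
# the observations below are constructed for the example).
SCALE = {
    "minReplicas": 0,
    "maxReplicas": 10,
    "rules": [
        {"name": "http-rule", "http": {"metadata": {"concurrentRequests": 50}}},
        {"name": "cpu-rule", "custom": {"type": "cpu",
                                        "metadata": {"type": "Utilization", "value": "50"}}},
        {"name": "mem-rule", "custom": {"type": "memory",
                                        "metadata": {"type": "AverageValue", "value": "512"}}},
    ],
}
# The same app with only the HTTP rule, which is what lets it reach zero
HTTP_ONLY = {"minReplicas": 0, "maxReplicas": 10, "rules": [SCALE["rules"][0]]}


def rule_kind(rule):
    """'http', 'cpu', 'memory', or 'event' for any other KEDA scaler."""
    if "http" in rule:
        return "http"
    kind = rule.get("custom", {}).get("type")
    return kind if kind in ("cpu", "memory") else "event"


def desired_for_rule(rule, current_replicas, observed):
    """Replicas one rule asks for. 'observed' is: total concurrent requests
    (http); average CPU utilisation in percent per replica (cpu); average
    memory in MiB per replica (memory); or the backlog, e.g. queue length,
    for an event rule whose per-replica target is metadata['value']."""
    kind = rule_kind(rule)
    if kind == "http":
        target = float(rule["http"]["metadata"]["concurrentRequests"])
        return math.ceil(observed / target)
    target = float(rule["custom"]["metadata"]["value"])
    if kind in ("cpu", "memory"):
        # Per-replica averages scale relative to the current fleet (HPA formula)
        # and can never drive the app below one replica.
        return max(1, math.ceil(current_replicas * observed / target))
    return math.ceil(observed / target)


def can_scale_to_zero(scale):
    """Scale to zero needs minReplicas 0 and no cpu/memory rule in the set."""
    return scale["minReplicas"] == 0 and all(
        rule_kind(r) in ("http", "event") for r in scale["rules"])


def desired_replicas(scale, current_replicas, observations):
    """Max across rules (the busiest scaler wins), clamped to the app's
    min/max. observations maps rule name -> observed value; a rule with no
    observation counts as idle."""
    wanted = max(desired_for_rule(r, current_replicas, observations.get(r["name"], 0))
                 for r in scale["rules"])
    floor = scale["minReplicas"] if can_scale_to_zero(scale) else max(1, scale["minReplicas"])
    return max(floor, min(scale["maxReplicas"], wanted))


if __name__ == "__main__":
    busy = {"http-rule": 120, "cpu-rule": 90, "mem-rule": 300}
    print(desired_replicas(SCALE, 2, busy))                 # cpu-rule wins
    print(desired_replicas(SCALE, 2, {"http-rule": 1000}))  # capped at maxReplicas
    print(desired_replicas(SCALE, 1, {}))                   # idle, but cpu/mem keep one replica
    print(desired_replicas(HTTP_ONLY, 1, {}))               # idle, scales to zero
```

The practical consequence: adding a CPU or memory rule to an app that was meant to scale to zero changes its cost floor and leaves a replica (and its network identity) running even when nothing is calling it.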

  42. AKS vs ACA

  43. Summary
    • Roadmap: Azure Container Apps Roadmap (github.com)
    • Docs: Azure Container Apps overview | Microsoft Learn
    • Community standups: Azure Developers | Microsoft Learn
    • Useful workshops: Azure Container Apps - Workshop

  44.

  45.

  46. © Copyright Microsoft Corporation. All rights reserved.