Slide 1

Classified as Microsoft Confidential

Container App Service Deep Dive
Mohammad Nofal

Slide 3

Scale with flexible serverless containers

Run containers and scale in response to HTTP traffic or a growing list of KEDA-supported scale triggers, including Azure Event Hub, Apache Kafka, RabbitMQ Queue, MongoDB, MySQL, and PostgreSQL. Get robust autoscaling capabilities without the overhead of managing complex infrastructure. Scale to zero and pay only for what you use, by the second.

Deck pillars: Run containers, at scale | Accelerate developer productivity | Build modern apps on open-source

Slide 4

Accelerate developer productivity

Build microservices, APIs, event processing workers, and background jobs using containers. Write code in your favorite programming language and accelerate development with built-in Distributed Application Runtime (Dapr) integration to simplify common tasks like event processing, pub/sub, and service invocation. Set up a code-to-cloud pipeline using GitHub Actions.

Slide 5

What can you build with Azure Container Apps?

- Public API endpoints: HTTP requests are split between two revisions of the app; the first revision gets 80% of the traffic, while a new revision receives 20%. Auto-scale criteria: the number of concurrent HTTP requests.
- Background processing: e.g. a continuously running background process that transforms data in a database. Auto-scale criteria: the level of CPU or memory load.
- Event-driven processing: e.g. a queue reader application that processes messages as they arrive in a queue. Auto-scale criteria: the number of messages in the queue.
- Microservices: deploy and manage a microservices architecture (Microservice A, B, C in the diagram) with the option to integrate with Dapr. Auto-scale criteria: individual microservices can scale independently using any KEDA scale trigger.
- Web applications: deploy web apps with custom domains, TLS certificates, and integrated authentication. Auto-scale criteria: the number of concurrent HTTP requests.

Slide 6

Environments

Environments define an isolation and observability boundary around a collection of container apps deployed in the same virtual network.

(Diagram: an Environment (virtual network boundary) containing Container app 1 and Container app 2; each app has Revision 1 and Revision 2, and each revision runs as pods of one or more containers.)

Slide 7

Containers

Containers in Azure Container Apps can use any development stack of your choice.

(Diagram: the same environment as before, now showing each revision's replicas, each replica running one or more containers.)

Slide 8

Revisions

Revisions are immutable version snapshots of a container app.

(Diagram: Container app 1 and Container app 2 inside the Environment (virtual network boundary), each with Revision 1 and Revision 2 made up of replicas running one or more containers.)

Slide 9

Ingress

Internal or external visibility with TLS termination and support for HTTP/1.1, HTTP/2, and TCP.

(Diagram: Ingress in front of Container app 1 inside the Environment (virtual network boundary), splitting traffic 80% to Revision 1 and 20% to Revision 2; each revision consists of replicas running one or more containers.)

Slide 10

Environment SKUs

| | Consumption | Consumption + Dedicated (preview) |
|---|---|---|
| Billing | Per app | Per node |
| Underlying nodes customization | Provided / not configurable | Configurable (workload profiles) |
| Min. subnet requirements | /23 | /27 |
| Number of IPs required per env. | 2 × number of replicas + no. of external services + min. 60 platform IPs | No. of nodes + no. of external services + 11 platform IPs |
| User Defined Route (UDR) support | No | Yes |
| Scale to zero | Yes | Workload profile should have at least 1 node |
| Max CPU/memory per container | 2 vCPU / 4 Gi | 4 vCPU / 8 Gi |
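
The two IP formulas and subnet minimums in the table above, turned into a small planning check. This is an added example, not code from the deck or from Microsoft; it assumes the deck's formulas are applied to the peak replica count (Consumption) or node count (workload profiles) across the whole environment, and it adds the standard Azure rule that 5 addresses per subnet are reserved.

```python
import math

# Figures from the deck's environment SKU table. Azure reserving 5 addresses
# per subnet is standard Azure VNet behaviour, not something the deck states.
PLATFORM_IPS = {"consumption": 60, "workload-profiles": 11}
MIN_PREFIX = {"consumption": 23, "workload-profiles": 27}
AZURE_RESERVED_PER_SUBNET = 5


def required_ips(sku, units, external_services):
    """IPs the environment needs. For 'consumption', units is the peak replica
    count across all apps; for 'workload-profiles' it is the node count across
    all profiles (assumption: the deck's per-environment formula, summed)."""
    if sku == "consumption":
        return 2 * units + external_services + PLATFORM_IPS[sku]
    if sku == "workload-profiles":
        return units + external_services + PLATFORM_IPS[sku]
    raise ValueError(f"unknown SKU: {sku}")


def smallest_prefix(ips):
    """Longest CIDR prefix whose subnet still holds `ips` hosts plus Azure's 5."""
    hosts = ips + AZURE_RESERVED_PER_SUBNET
    return 32 - math.ceil(math.log2(hosts))


def plan_subnet(sku, units, external_services):
    """Return (ips_needed, prefix_to_use). The prefix is the smaller of the
    computed prefix and the SKU minimum, so it never drops below the floor."""
    need = required_ips(sku, units, external_services)
    prefix = min(smallest_prefix(need), MIN_PREFIX[sku])
    return need, prefix


if __name__ == "__main__":
    # 300 replicas is the deck's default per-app replica limit
    for sku, units, ext in [("consumption", 300, 2), ("workload-profiles", 10, 2)]:
        need, prefix = plan_subnet(sku, units, ext)
        print(f"{sku}: {need} IPs needed -> use a /{prefix}")
```

Note that a Consumption environment sized for the default 300-replica limit already exceeds the /23 minimum, which is why the minimum is a floor and not a recommendation.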

Slide 11

Workload Profiles

| Display name | Name | Cores | Memory (GiB) | Category | Allocation |
|---|---|---|---|---|---|
| Consumption | consumption | 4 | 8 | Consumption | per replica |
| Dedicated-D4 | D4 | 4 | 16 | General purpose | per node |
| Dedicated-D8 | D8 | 8 | 32 | General purpose | per node |
| Dedicated-D16 | D16 | 16 | 64 | General purpose | per node |
| Dedicated-E4 | E4 | 4 | 32 | Memory optimized | per node |
| Dedicated-E8 | E8 | 8 | 64 | Memory optimized | per node |
| Dedicated-E16 | E16 | 16 | 128 | Memory optimized | per node |

Slide 12

Consumption + Dedicated environment view

(Diagram: inside the Environment (virtual network boundary) are Workload Profile 1 (Dedicated D4) and Workload Profile 2 (Dedicated E4), each made of workload profile instances hosting APP1 and APP2 replicas, alongside a Consumption profile whose container apps also host APP1 and APP2 replicas.)

Slide 13

Default Quotas and Limits (can be configured)

- No limit on the number of apps per environment
- Replicas per app = 300
- Cores per environment = 100

Slide 14

Environment and Ingress Visibility

| Environment | Ingress | Result |
|---|---|---|
| External | External | Ingress: public IP. Egress: public IP. |
| External | Internal | Ingress: app only accessible within the cluster. Egress: public IP. |
| Internal | External | Ingress: private IP, app only accessible within connected networks. Egress: public IP (Consumption); UDR* for Dedicated + Consumption. |
| Internal | Internal | Ingress: apps only accessible within the cluster. Egress: public IP (Consumption); UDR* for Dedicated + Consumption. |

Slide 15

Init Containers (preview)

Runs before the primary app container and can be used to perform initialization tasks such as downloading data or preparing the environment.

```json
"initContainers": [
  {
    "name": "init",
    "image": "[parameters('init_container_image')]",
    "resources": { "cpu": 0.25, "memory": "0.5Gi" },
    "volumeMounts": [
      { "mountPath": "/appsettings", "volumeName": "appsettings-volume" }
    ]
  }
]
```

Slide 16

Network and Security

- Ingress and egress security
  - NSGs on the subnet can be used: Securing a custom VNET in Azure Container Apps | Microsoft Learn
- App-to-app communication
  - Using the app name (new)
  - Using the automatically provided FQDN
  - Using a custom domain

Slide 17

Network and Security

- Ingress IP restriction

Slide 18

Network and Security

- Session affinity (preview), also known as sticky sessions, lets you route all requests from a client to the same replica.

Slide 19

Networking with Dedicated + Consumption

Slide 20

Policies

- List of built-in policy definitions - Azure Policy | Microsoft Learn

Slide 21

GitHub Actions integration

Publish revisions as commits are pushed to your GitHub repository by triggering a GitHub Action to build a new container image.

(Diagram: code check-in to the GitHub repository triggers a GitHub Action that builds the container and pushes it to Azure Container Registry, from which Container app 1 inside the Environment (virtual network boundary) gets a new revision; Revision 1 and Revision 2 each consist of replicas running one or more containers.)

Slide 22

Persistence

- Ephemeral
- Azure Files

Slide 23

Azure Managed Identity

Managed identities
- Enable managed identity for a container app
- Can be system-assigned or user-assigned

Use cases
- Identity-based connections in the app (e.g. connect to SQL Server)
- Pull images from Azure Container Registry
- Key Vault references (preview)
- KEDA scaler configuration (planned)

Slide 24

Secret Management - Environment Variables

```json
"resources": [
  {
    ...
    "properties": {
      "configuration": {
        "secrets": [
          { "name": "queue-connection-string", "value": "" }
        ]
      }
    }
  }
]
```

Slide 25

Secret Management - Reference from Key Vault (preview)

```json
"resources": [
  {
    ...
    "properties": {
      "configuration": {
        "secrets": [
          {
            "name": "queue-connection-string",
            "keyVaultUrl": "",
            "identity": "System"
          }
        ]
      }
    }
  }
]
```
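
A check that a reviewer of a container app template would want for the two secret shapes on slides 24 and 25: flag secrets that carry a plaintext value in the template, Key Vault references that name no identity, and env vars whose secretRef points at nothing. This is an added example, not Microsoft's code; the sample resource is constructed, and the `secretRef` env-var form is the standard Container Apps way to surface a secret to a container.

```python
# Constructed sample modelled on the deck's two secret snippets; not a real app.
SAMPLE_APP = {
    "properties": {
        "configuration": {
            "secrets": [
                {"name": "queue-connection-string",
                 "value": "Endpoint=sb://example/;SharedAccessKey=PLACEHOLDER"},
                {"name": "db-password",
                 "keyVaultUrl": "https://kv-example.vault.azure.net/secrets/db-password",
                 "identity": "System"},
                {"name": "api-key",
                 "keyVaultUrl": "https://kv-example.vault.azure.net/secrets/api-key"},
            ]
        },
        "template": {
            "containers": [
                {"name": "app", "image": "example.azurecr.io/app:1.0",
                 "env": [
                     {"name": "QUEUE_CS", "secretRef": "queue-connection-string"},
                     {"name": "DB_PASSWORD", "secretRef": "db-pass"},   # typo, undefined
                     {"name": "LOG_LEVEL", "value": "info"},
                 ]},
            ]
        },
    }
}


def lint_secrets(app):
    """Return findings for the secrets block and the env vars that consume it."""
    findings = []
    props = app["properties"]
    defined = set()
    for s in props["configuration"].get("secrets", []):
        defined.add(s["name"])
        if s.get("value"):   # an empty value, as in the deck, is a placeholder
            findings.append(f"{s['name']}: plaintext value in template; "
                            "move to a keyVaultUrl and rotate if this file was shared")
        if "keyVaultUrl" in s and not s.get("identity"):
            findings.append(f"{s['name']}: keyVaultUrl without a managed identity")
        if "keyVaultUrl" in s and not s["keyVaultUrl"].startswith("https://"):
            findings.append(f"{s['name']}: keyVaultUrl is not https")
    for c in props["template"].get("containers", []):
        for e in c.get("env", []):
            ref = e.get("secretRef")
            if ref and ref not in defined:
                findings.append(f"{c['name']}/{e['name']}: secretRef '{ref}' is not defined")
    return findings
```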

Slide 26

Secret Management - Dapr Secret Store

```yaml
componentType: secretstores.azure.keyvault
version: v1
metadata:
  - name: vaultName
    value: KEY_VAULT_NAME
scopes:
  - CONTAINER_APP_NAME
```

Slide 27

Logging

Containers write logs to the standard output or standard error streams, which are surfaced via Log Analytics.

(Diagram: within the Environment, Container app 1's Revision 1 and Revision 2 replicas emit stdout/stderr, which is collected into Log Analytics.)

Slide 28

Observability

- Log options
  - Log Analytics: the default option; all logs are stored in Azure Log Analytics
  - Azure Monitor: route your logs to a destination configured in Diagnostic Settings (can be Azure Storage, Event Hub, or partner solutions such as Datadog)
  - None: no storage of logs (can be used if you have custom logging, e.g. Telegraf)
- Custom metrics: planned

Slide 29

ACA on Arc-enabled Kubernetes

- Deploy ACA to an Arc-connected Kubernetes cluster
- Young, with limited features, e.g. no managed identities
- The way ahead for apps on Arc-connected Kubernetes clusters

Slide 30

Using the Distributed Application Runtime (Dapr)

Slide 31

Fully managed Dapr using the sidecar model

The containerized application talks to the Dapr API on its sidecar over HTTP or gRPC:

- Service-to-service invocation: POST http://localhost:3500/v1.0/invoke/cart/method/neworder
- State management: GET http://localhost:3500/v1.0/state/inventory/item67
- Publish and subscribe: POST http://localhost:3500/v1.0/publish/shipping/orders

Slide 32

Dapr components

- Swappable YAML files with resource connection details
- Over 70 components available
- Create components for your resource at: github.com/dapr/components-contrib

(Diagram: the containerized application and its sidecar connect through components to observability backends (Prometheus, AppInsights, Jaeger, Zipkin), state stores, and pub/sub brokers.)

Slide 33

Publish and subscribe

Create event-driven, loosely coupled architectures where producers send events to consumers via topics.

(Diagram: within the Environment, the Cart app (publish) and the Shipping app (subscribe) each run as a containerized app with a sidecar exposing the Dapr API over HTTP or gRPC, connected through any Dapr pub/sub component such as AWS SQS, GCP Pub/Sub, or Azure Event Hub. The slide also shows a state call: POST http://localhost:3500/v1.0/state/corpdb with body [{ "key": "fruit", "value": "Orange" }].)

Slide 34

Distributed Application Runtime

Portable, event-driven runtime for building distributed applications across cloud and edge: dapr.io

- Application code: microservices written in any language or framework
- Dapr APIs (HTTP API, gRPC API): service-to-service invocation, state management, publish and subscribe, resource bindings and triggers, actors, observability, secrets; extensible
- Hosting infrastructure: any cloud or edge infrastructure, Azure, Arc, on-premises

Slide 35

(Diagram of a sample Container Apps solution: UI, Virtual Customer, Virtual Worker, Order Service, Makeline Service, Loyalty Service, Receipt Service (via an output binding), and Accounting Service (via Entity Framework), with Dapr state stores in between.)

Slide 36

Service-to-service invocation

Fully managed Dapr APIs provide a rich set of capabilities and productivity gains.

(Diagram: within the Environment, Container app 1 calls Container app 2 through its sidecar's Dapr API over HTTP or gRPC with POST http://localhost:3500/v1.0/invoke/app2.)

Slide 37

State management

Dapr provides apps with state management capabilities for CRUD operations, transactions, and more.

(Diagram: within the Environment, Container app 1 calls its sidecar's Dapr API over HTTP or gRPC with POST http://localhost:3500/v1.0/state/corpdb and body [{ "key": "fruit", "value": "Orange" }]; the sidecar writes to any Dapr state store such as Firebase, Redis cache, or Azure Cosmos DB.)

Slide 38

Observability

Intercept traffic and extract tracing, metrics, and logging information. Configure Azure Application Insights for distributed tracing across your services.

(Diagram: within the Environment, a service-to-service call from Container app 1 to Container app 2 passes through their sidecars; a collector forwards the telemetry to Azure Application Insights.)

Slide 39

Scaling and using the Kubernetes Event Driven Autoscaler (KEDA)

Slide 40

Application autoscaling made simple

Kubernetes-based Event Driven Autoscaler: open-source, extensible, and vendor agnostic. Drive the scaling of any container based on a growing list of 35+ event sources, known as scalers. keda.sh

- Event-driven: intelligently scale your event-driven applications
- Built-in scalers: out-of-the-box scalers for various vendors, databases, messaging systems, telemetry systems, CI/CD, and more
- Vendor-agnostic: support for triggers across a variety of cloud providers and products
- Rich capabilities: bring rich scaling to every workload

Components: Metrics Adapter | Controller | Scaler

Slide 41

Scaling

HTTP (supports scale to zero and specifying minimum/maximum replicas):

```json
{ "name": "http-rule", "http": { "metadata": { "concurrentRequests": 50 } } }
```

CPU (supports specifying minimum/maximum replicas):

```json
{ "name": "cpu-rule", "custom": { "type": "cpu", "metadata": { "type": "Utilization", "value": "50" } } }
```

Memory (supports specifying minimum/maximum replicas):

```json
{ "name": "mem-rule", "custom": { "type": "memory", "metadata": { "type": "AverageValue", "value": "512" } } }
```

Event-driven (supports scale to zero and specifying minimum/maximum replicas): artemis-queue, kafka, aws-cloudwatch, aws-kinesis-stream, aws-sqs-queue, azure-blob, azure-eventhub, azure-servicebus, azure-queue, cron, external, gcp-pubsub, huawei-cloudeye, ibmmq, influxdb, mongodb, mssql, mysql, postgresql, rabbitmq, redis, redis-streams, selenium-grid, solace-event-queue, ...
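
To make the three rule shapes above concrete, here is an added example (not Microsoft's or KEDA's code) that evaluates them with a simplified KEDA/HPA-style model: an HTTP rule divides total concurrent requests by `concurrentRequests`, a CPU or memory rule scales the current replica count by observed load over the target, several rules combine by taking the largest demand, and only HTTP rules may reach zero. The exact algorithm Container Apps runs is an assumption here; the rule values are the deck's.

```python
import math

# The deck's three scale rules, copied as-is.
HTTP_RULE = {"name": "http-rule", "http": {"metadata": {"concurrentRequests": 50}}}
CPU_RULE = {"name": "cpu-rule", "custom": {"type": "cpu",
            "metadata": {"type": "Utilization", "value": "50"}}}
MEM_RULE = {"name": "mem-rule", "custom": {"type": "memory",
            "metadata": {"type": "AverageValue", "value": "512"}}}


def desired_replicas(rule, load, current, min_replicas, max_replicas):
    """Simplified KEDA/HPA-style model (an assumption, not ACA's exact algorithm).
    load: total concurrent requests for an HTTP rule; average per-replica CPU %
    (Utilization) or memory in MiB (AverageValue) for a custom rule."""
    if "http" in rule:
        target = int(rule["http"]["metadata"]["concurrentRequests"])
        want = math.ceil(load / target)
        floor = min_replicas                      # HTTP rules may scale to zero
    elif "custom" in rule and rule["custom"]["type"] in ("cpu", "memory"):
        target = float(rule["custom"]["metadata"]["value"])
        want = math.ceil(max(current, 1) * load / target)
        floor = max(min_replicas, 1)              # cpu/memory rules cannot reach zero
    else:
        raise ValueError(f"unsupported rule: {rule.get('name')}")
    return max(floor, min(want, max_replicas))


def evaluate_rules(rules, loads, current, min_replicas, max_replicas):
    """When several rules are attached, the largest demand wins (KEDA semantics)."""
    return max(desired_replicas(r, loads[r["name"]], current, min_replicas, max_replicas)
               for r in rules)


if __name__ == "__main__":
    loads = {"http-rule": 120, "cpu-rule": 80}
    print(evaluate_rules([HTTP_RULE, CPU_RULE], loads, current=2,
                         min_replicas=0, max_replicas=10))
```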

Slide 42

AKS vs ACA

Slide 43

Summary

- Roadmap: Azure Container Apps Roadmap (github.com)
- Docs: Azure Container Apps overview | Microsoft Learn
- Community standups: Azure Developers | Microsoft Learn
- Useful workshops: Azure Container Apps - Workshop

Slide 46

© Copyright Microsoft Corporation. All rights reserved.