In the previous post about Azure Container Apps, I wrote about the serverless alternative to AKS for running containers in Azure. If you want an overview of what ACA is and why you might want to use it, take a look at that article, as it’s all still valid.


At Microsoft’s Build conference in May 2022, the General Availability of ACA was announced, so this service can now be used for production workloads! The move to GA involved a lot of new features being added to the platform that were really required before it could be considered production-ready, and there’s been a steady flow of new features over the last few months. Here’s a summary of some of the new features:

Custom VNet Support

You can now join your ACA environment to your own VNet so that it can access network resources, use Private Endpoints, etc. Further changes also mean that the requirements for this have now dropped from two /21 subnets to one /23 subnet, which is much more palatable.

Managed Identity Support

This was a big request for anyone wanting to have their container app talk to Azure resources. In AKS you needed to use and manage Pod Identity for this, but in ACA it’s baked into the platform. You can now assign a User Assigned or System Assigned managed identity to your Azure Container App, and each app can have a different identity.

There are some limitations on ACA Managed identity at the moment:

  • You cannot use this identity to grant the app access to a container registry to pull images
  • The managed identity cannot be used in KEDA scaling rules
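
As an added example (not from the original post or from Microsoft), this Python sketch lists the credentials that those two limitations leave as stored secrets, so they can be tracked for rotation. The JSON is a constructed sample, and its field names are an assumption based on the Microsoft.App/containerApps resource schema as returned by `az containerapp show -o json`.

```python
import json

# Constructed sample of a container app definition; all values are made up.
# Field names are assumed to follow the Microsoft.App/containerApps schema.
SAMPLE_APP = json.loads("""
{
  "name": "orders-api",
  "identity": {"type": "SystemAssigned"},
  "properties": {
    "configuration": {
      "registries": [
        {"server": "example.azurecr.io", "username": "example",
         "passwordSecretRef": "acr-password"}
      ]
    },
    "template": {
      "scale": {"rules": [
        {"name": "queue-depth", "custom": {"type": "azure-servicebus",
          "metadata": {"queueName": "orders"},
          "auth": [{"secretRef": "sb-connection",
                    "triggerParameter": "connection"}]}}
      ]}
    }
  }
}
""")


def has_managed_identity(app):
    """True when the app has a system- or user-assigned identity."""
    return ((app.get("identity") or {}).get("type") or "None") != "None"


def secret_backed_credentials(app):
    """Return (kind, where, secret_name) for registry pulls and scale rules
    that authenticate with a stored secret rather than the app's identity."""
    props = app.get("properties") or {}
    found = []
    for reg in (props.get("configuration") or {}).get("registries") or []:
        if reg.get("passwordSecretRef"):
            found.append(("registry", reg.get("server"), reg["passwordSecretRef"]))
    scale = (props.get("template") or {}).get("scale") or {}
    for rule in scale.get("rules") or []:
        for kind in ("custom", "azureQueue", "http"):
            for auth in (rule.get(kind) or {}).get("auth") or []:
                found.append(("scale-rule", rule.get("name"), auth.get("secretRef")))
    return found


if __name__ == "__main__":
    print("managed identity:", has_managed_identity(SAMPLE_APP))
    for finding in secret_backed_credentials(SAMPLE_APP):
        print(finding)
```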

Logs and Console

This is a big quality of life update. Prior to this change, the only way to get ACA container logs was to pipe them to Log Analytics and read them there. This was painful.

With this update, you can get logs for your ACA app directly in the portal blade or from the Azure CLI, which gives you immediate access to the latest logs. With console access, you can also exec directly into an ACA app to debug issues with a running application.

Authentication

If you want users to have to authenticate to your ACA app, you can now do this at the infrastructure level with built-in authentication for Azure AD and the usual B2C providers.

Custom Domains and Certificates

Up until a few weeks ago, you could only use the default Microsoft URL for accessing your container apps. This was never going to work for production workloads, so MS has now added the ability to add custom domains and HTTPS certificates. Unfortunately, for now you need to supply your own cert, rather than have MS supply one.

Storage Mounts

You can now mount storage to your ACA from a few sources:

  • Temporary Storage, equivalent to EmptyDir, which is unique to each instance
  • Azure Files, for more persistent storage which can be mounted across multiple containers

Availability Zone Support

Container Apps can now be deployed across multiple availability zones, assuming you run multiple instances of your containers.

Custom Health Probes

You can now configure custom liveness, readiness and start-up probes for your container applications so that the ACA environment knows when your applications are ready or having problems.

Further Reading:
How to quickly setup a Let’s Encrypt certificate in Azure Container Apps
Provide a virtual network to an external Azure Container Apps environment
Managed identities in Azure Container Apps
Disaster recovery guidance for Azure Container Apps | Microsoft Docs