Back in November we first heard about Azure Container Apps, the serverless alternative to AKS for running containers in Azure, and I wrote about WTH are Azure Container Apps. If you want an overview of what ACA is and why you might want to use it take a look at that article, as it’s all still valid.
Today (24th May 2022) at Microsoft’s Build conference, the General Availability of ACA was announced, so this service can now be used for production workloads! The move to GA involved a lot of new features being added to the platform that were really required before it could be considered production-ready, and there’s been a steady flow of new features over the last few months. Here’s a summary of some of the new features:
Custom VNet Support
You can now join your ACA environments to your own vNet so that it can access network resources, use Private Endpoints etc. Further changes also mean that the requirements for this have now dropped from two /21 subnets to one /23 subnet, which is much more palatable.
Managed Identity Support
This was a big request for anyone wanting to have their container app talk to Azure resources. In AKS you needed to use and manage Pod Identity for this, but in ACA it’s baked into the platform. You can now assign a User Assigned or System Assigned managed identity to your Azure Container App, and each app can have a different identity.
There are some limitations on ACA Managed identity at the moment:
- You cannot use this identity to grant the app access to a container registry to pull images
- The managed identity cannot be used in KEDA scaling rules
Logs and Console
This is a big quality of life update. Prior to this change, the only way to get ACA container logs was to pipe them to Log Analytics and read them there. This was painful.
With this update, you can firstly get logs for your ACA app directly in the portal blade or from the Azure CLI. This gives you immediate access to the latest logs. With console access, you can also exec directly into an ACA app to debug issues with a running application.
Custom Domains and Certificates
Up until a few weeks ago, you could only use the default Microsoft URL for accessing your container apps. This was never going to work for production workloads, so MS has now added the ability to add custom domains and HTTPS certificates. Unfortunately, currently, you need to supply your own cert, rather than have MS supply one. That said, there is a great article here about how to use Let’s Encrypt to generate certs for ACA here.
If you want users to have to authenticate to your ACA app you can do this at the infrastructure level new with built-in authentication for Azure AD and the usual B2C providers.
You can now mount storage to your ACA from a few sources:
- Temporary Storage, equivalent to EmptyDir which is unique to each instance
- Azure Files, for more persistent storage which can be mounted across multiple containers
Availability Zone Support
Container Apps can now be deployed across multiple availability zones, assuming you run multiple instances of your containers.
Custom Health Probes
You can now configure custom liveness, readiness and start-up probes for your container applications so that the ACA environment knows when your applications are ready or having problems.