Developing container based apps with Azure Container Apps

Eyal Shanan
Published in CloudZone
Jan 2, 2024

co-written with Mor Yosef

So what is Azure Container Apps:

Azure Container Apps is a versatile solution within the Azure ecosystem, designed to streamline the deployment of containerized applications. This service offers a serverless platform for hosting and scaling container-based workloads, eliminating the need for complex infrastructure management while offering seamless integration with other Azure services such as VMs, Functions and Databases.

The distinctive features of the service (from the documentation) are:

  • Optimized for running general purpose containers, especially for applications that span many microservices deployed in containers.
  • Powered by Kubernetes and open-source technologies like Dapr, KEDA, and Envoy.
  • Supports Kubernetes-style apps and microservices with features like service discovery and traffic splitting.
  • Enables event-driven application architectures by supporting scale based on traffic and pulling from event sources like queues, including scale to zero.
  • Supports running on demand, scheduled, and event-driven jobs.

It is important to note that it is not possible to access the underlying Kubernetes API, so if such access is required, you should look into using AKS instead.

So let's take a look at one of our recent use cases:

One of our customers approached us to help his development teams create development environments for 2 new applications. Each of the applications has 3 main components:

  1. Client, which can run as a static website
  2. Server, running on a container
  3. SQL database

The customer requirements were as follows:

  1. The development team should be able to deploy new environments effortlessly when needed.
  2. The environment infrastructure should require no to minimal maintenance and management.
  3. Developers should be able to access the environment securely from anywhere.
  4. The database should not be accessible over the Internet.
  5. Mono code repository (due to shared components between the Apps)
  6. CI/CD with integration to Azure DevOps Boards.
  7. Minimize environment costs as much as possible.
  8. The different environments should be isolated from each other and adhere to standard security and cloud best practices.

Our solution

Infrastructure:

To meet the requirements, we designed our solution around the Hub & Spoke architecture. The Hub hosts a VPN gateway for the developers' client-to-site VPN connectivity, and each development environment is deployed on a different spoke. The entire deployment is managed as infrastructure as code (IaC) using Terraform.

Authentication with all of the components is done using Microsoft Entra ID as the identity provider, and access to Azure resources is granted through RBAC following the least privilege methodology.

Figure: architecture diagram of the solution

For the client side of the application, we decided to use Azure Static Web App, since it has deployment slots, which allow the developers to test code changes before swapping them with the active deployment slot.

The containers for the server side are saved to Azure Container Registry and deployed to Azure Container Apps with VNET integration. This allows for both public connectivity and private connectivity via the VPN.

The database is hosted on Azure SQL Database (DTU model) with a private endpoint in the spoke VNET for private access, and public access is disallowed. The database credentials are encrypted and saved in Azure Key Vault.

CI/CD:

For continuous integration and deployment, we employed GitHub Actions. Each PR, and each PR update by the developers, triggers a GitHub Action for security scanning (using Trivy). Failed scans are marked red at the PR level, allowing the developers to re-bundle and mitigate any CVEs discovered during the scan.
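A pull-request scan workflow along the lines described above, as an added example that is not the authors' own pipeline. The workflow name, branch, APP_PATH value, severity threshold and the action pin are assumptions; replace the pin placeholder with a commit SHA you have reviewed.

```yaml
name: pr-security-scan              # hypothetical workflow name

on:
  pull_request:                     # runs when a PR is opened and on every update
    branches: [main]                # assumed default branch

permissions:
  contents: read                    # least privilege for the job's GITHUB_TOKEN

env:
  APP_PATH: apps/server             # assumed location of the server in the mono repo
  IMAGE: pr-scan/server:${{ github.sha }}   # local tag only, never pushed

jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build the image locally
        run: docker build -t "$IMAGE" "$APP_PATH"

      - name: Scan the image with Trivy
        # Pin third-party actions to a reviewed commit SHA (placeholder below).
        uses: aquasecurity/trivy-action@<pinned-commit-sha>
        with:
          image-ref: ${{ env.IMAGE }}
          format: table
          severity: CRITICAL,HIGH   # assumed threshold
          ignore-unfixed: true      # fail only on CVEs that already have a fix
          exit-code: "1"            # non-zero exit marks the PR check red
```

Making this check a required status check in the branch protection rules is what keeps a red scan from being merged.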

Approved PRs are deployed to the Container Apps and/or Static Web Apps via the Azure-made GitHub Actions azure/container-apps-deploy-action@v1 and Azure/static-web-apps-deploy@v1. These are very effective and robust GitHub Actions-based deployment modules, which allowed us to focus more on the logic and less on the bits and bytes of the actual deployment process.

    - name: Build and deploy Container App
      uses: azure/container-apps-deploy-action@v1
      with:
        appSourcePath: "${{ github.workspace }}/${{env.APP_PATH}}"
        acrName: "${{env.ACR}}"
        containerAppName: "${{env.APP_NAME}}"
        resourceGroup: "${{env.APP_RG}}"
        imageToBuild: ${{env.ACR}}.azurecr.io/${{env.APP_NAME}}:${{ github.sha }}

Summary

Azure Container Apps is a comprehensive solution for modern application development. It offers unique advantages when compared to other Azure services. While Azure Functions are excellent for event-driven scenarios, Azure Container Apps provide greater flexibility for running entire containerized applications. On the other hand, Azure Kubernetes Service (AKS) offers more control over container orchestration, but it comes with increased complexity. Azure Container Apps strike a balance between simplicity and functionality, making them a suitable choice for a wide range of use cases, from microservices to serverless applications.
