05 - Containerized Solutions

Storage features of Azure Container Registry

-Encryption at rest -Regional storage -Geo-replication -Zone redundancy -Scalable storage

Schedule a task

Setting up one or more timer triggers when you create or update the task.

Inner-loop development cycle

The iterative process of writing code, building, and testing your application before committing to source control. The beginning of container lifecycle management.

Source code context

The location of a set of source files used by ACR Tasks to build a container image or other artifact, like a Git repository or local filesystem

What is the benefit of quick tasks?

They let you verify automated build definitions and catch potential problems before committing code.

How are individual container apps deployed?

To a single Container Apps environment, which acts as a secure boundary around groups of container apps.

When should you deploy container apps to different environment?

To ensure: - Two applications never share the same compute resources - Two Dapr applications can't communicate via the Dapr service invocation API

What are container registries used for?

To store and manage container images and related artifacts.

Are Azure Container Instance stateless?

Yes, if the container crashes or stops, all of its state is lost.

ACI: Persistent storage

Azure File shares can be mounted directly to a container to retrieve and persist state.

Azure Container Apps limitations: Operating system

Linux-based (linux/amd64) container images are required.

ACR service tier: Basic

Has the same programmatic capabilities as Standard and Premium but storage and image throughput meant for low usage scenarios

What content formats are supported by Azure Container Registry?

Helm charts, images built to OCI Image Format Specification

ACR service tier: Premium

Highest storage, throughput, and concurrent operations for high-volume scenarios, plus geo-replication, content trust for image tag signing, and private link with private endpoints to restrict access to the registry.

How are multi-step tasks defined?

In a YAML file.

How can multiple containers be defined in a single container app?

In a sidecar pattern, sharing hard disk and network resources and experiencing the same application lifecycle. This is an advanced use case and in most situations it's fine to deploy each service as a separate container app.

Where are configuration options in a container app resource template located?

In the properties.template section. Changes trigger a new container app revision.

How are multiple container apps in the same environment deployed?

In the same virtual network, writing logs to the same Log Analytics workspace. You can provide an existing virtual network when you create an environment.

ACR Tasks: Quick Task

Build and push a single container image to a container registry on-demand in Azure without a local Docker Engine installation. docker build/docker push

How does ACI allocate resources?

By adding up the resource requests (CPU, memory, GPUs) of each instance in the group. If you create a container group with two instances, each requesting one CPU, then the container group is allocated two CPUs.

How do you persist state beyond the lifetime of the container?

By mounting a volume from an external store, Azure Files.

How do you deploy images hosted on private registries?

By providing credentials in the Container Apps configuration, defining the registry in the registries array in the *properties.configuration* section of the container app resource template.

How are container instances billed?

By the second, charging only for compute resources used while the task is being executed.

What deployment target can images be pushed to an Azure Container Registry for?

Container development workflows, such as targeting a container registry from a continuous integration and delivery tool

What are the restart policies for container groups?

- Always - Never - On Failure

How do you deploy a container group and mount a volume in a container?

- Azure CLI - YAML template (preferred)

How do you mount multiple volumes in a container instance?

- Azure Resource Manager template - YAML file

What storage volumes are supported by container groups?

- Azure file share - Secret - Empty directory - Cloned git repo

What is contained in a Dockerfile?

- Base/parent image - Commands to update the OS and install software - Build artifacts to include (such as applications) - Services to expose (such as storage and network configuration) - Command to run when the container is launched

What are the limitations of mounting Azure Files to a container?

- Can only be mounted to Linux containers - Requires the Linux container run as root - Limited to CIFS support

Common uses of Azure Container Apps

- Deploying API endpoints - Hosting background processing applications - Handling event-driven processing - Running microservices

What prerequisites are required for running built-in authentication and authorization to Azure Container Apps?

- HTTPS only - Ensure allowInsecure is disabled in container app ingress configuration

How do Azure Container Apps support microservices?

- Independent scaling, versioning, and upgrades - Service discovery - Native Dapr integration

What are the limitations of Azure Container Apps?

- Privileged containers - Operating system

What deployment targets can images from an Azure Container Registry be pulled to?

-*Scalable orchestration systems* that manage containerized applications across clusters of hosts -*Azure services* that support building and running applications at scale

What are the Azure Container Registry service tiers

-Basic -Standard -Premium

How do container groups perform networking?

Container groups share an IP address and a port namespace on that IP address. For external clients to reach a container within the group, you must expose the port on both the IP address and the container.

What languages do Azure Container Apps support?

Containers in Azure Container Apps can use any runtime, programming language, or development stack of your choice.

Azure Container Registry (ACR)

Managed registry service based on Docker Registry 2.0.

What are the ACR task scenarios?

-Quick Task -Automatically triggered tasks -Multi-step task

How can a multi-container group be deployed?

-Resource manager template -YAML file

Container restart policy: Always

Containers in the container group are always restarted. Default setting.

Container group

A collection of containers that get scheduled on the same host machine. Top-level resource in Azure Container Instances.

Dockerfile

A script that contains a series of instructions used to build a Docker image.

Azure Container Instances (ACI)

A solution for any scenario that can operate in isolated containers, including simple applications, task automation, and build jobs.

ACR Tasks

A suite of features that: -Provide cloud-based container image building -Extend application development lifecycles to the cloud -Enable trigger-automated builds

Container restart policy: Never

Containers in the container group are never restarted. Containers run *at most* once.

ACI: Custom sizes

ACI allows exact specifications of CPU cores and memory, providing optimum utilization.

ACI: Fast startup

ACI can start containers in Azure in seconds, without the need to create or manage a VM.

ACI: Container access

ACI enables exposing container groups directly to the internet with an IP address and FQDN.

ACR storage: Scalable storage

ACR lets you create as many repositories, images, layers, or tags as you need up to the registry storage limit.

Which architectures does Windows support?

AMD64

Which architectures does Linux support?

AMD64, Arm, Arm64, 386

ACR storage: Encryption at rest

All container images and artifacts in the registry are encrypted at rest and decrypted on-the-fly when accessed.

What images do Azure Container Apps support?

Any Linux-based x64-x86 (linux/amd64) container image. There's no required base container image, and if a container crashes it automatically restarts.

ACI: Hypervisor-level security

Applications are isolated as completely as they would in a VM.

Azure Container Apps limitations: Privileged containers

Azure Container Apps can't run privileged containers. If your program attempts to run a process that requires root access, the application inside the container experiences a runtime error.

Container restart policy: OnFailure

Containers in the container group are restarted only if the process being executed fails (terminated with a nonzero exit code). Containers run *at least* once.

Which Azure Container Registry service tier is recommended as an entry point for developers?

Basic

Why don't container groups support port mapping?

Because all containers in the group share a port namespace.

Which image types are supported by Azure Container Registry?

Both Windows and Linux

ACI: Linux and Windows

Both Windows and Linux containers can be scheduled with the same API.

What regions does ACR not support region pairs in?

Brazil South and Southeast Asia due to data residency requirements.

Trigger on base image update

Set up an ACR task to track a dependency on a base image when it builds an application image, so when the updated base image is pushed to your registry or updated in a public repo, ACR Tasks will automatically build an application image based on it.

What scenarios are multi-container groups good for?

Cases where you want to divide a single functional task into a few container images. An image might be delivered by different teams and have separate resource requirements.

What key can be used to add extra encryption to an Azure Container Registry?

Customer-managed key

Azure Container Apps

Lets you run microservices and containerized applications on a serverless platform that runs on top of Azure Kubernetes Service.

What resources are shared in a container group?

Lifecycle, resources, local network, and storage volumes.

What image platforms are supported by ACR Tasks?

Linux OS and amd64 architecture.

Which containers are supported by multi-container groups?

Linux only. For Windows containers, ACI only supports deployment of a single instance.

What is ACI unsuitable for?

Full container orchestration, service discovery across multiple containers, automatic scaling, and coordinated application upgrades. These are recommended for AKS/Azure Container Apps.

ACR storage: Regional storage

Data in ACR is stored in the region it was created in to help customers meet data residency and compliance requirements.

How can registry performance be improved?

Delete unused repositories, tags, and images. Deleted registry resources cannot be recovered.

How do applications built on Azure Container Apps scale?

Dynamically based on HTTP traffic, event-driven processing, CPU/memory load, and any KEDA-supported scaler.

How can customers avoid losing data in a regional outage?

Enable geo-replication so registry data is stored in multiple regions for better performance and resiliency.

ACR storage: Geo-replication

Ensures high availability in the case of a regional failure, plus network-close image storage for faster pushes and pulls in distributed development or deployment scenarios. Premium only.

ACR Tasks: Multi-step task

Extend the image build-and-push capability of ACR tasks with multi-step, multi-container based workflows.

Can images in a repository be edited?

No, each one is a read-only snapshot of a Docker-compatible container.

--restart-policy

Parameter used to specify a restart policy when you call `az container create`

What resources can be mapped to separate containers in a container group?

Ports and storage volumes.

Which Azure Container Registry service tier can be used to manage a single registry across multiple regions?

Premium, using geo-replication

ACR Tasks: Quick task

Provides an integrated development experience by offloading container image builds to Azure.

What is scheduling a task good for?

Running container workloads on a defined schedule, or running maintenance operations or tests on images pushed regularly to your registry.

ACR service tier: Standard

Same capabilities as Basic with increased storage and image throughput, suitable for most production scenarios.

Multi-step tasks

Specifies individual build and push operations for container images or other artifacts. Can define the execution of one or more containers, each step using the container as its execution environment.

What is the purpose of a configurable restart policy?

Specify that containers stop when their processes are completed

How do you mount an Azure File share to a container in the CLI?

Specify the share and volume mount point when creating a container with 'az container create'.

What status is a container set to when ACI stops it with a restart policy of Never or OnFailure?

Terminated

"DNS name label" error message

The --dns-name-label value must be unique within the Azure region where you create the container instance.

ACI: Customer data

The ACI service stores the minimum customer data required to ensure container groups run as expected.

How are quick tasks performed?

The az acr build command from Azure CLI takes a context (the set of files to build), sends it to ACR tasks and, by default, pushes the built image to the registry on completion.

Why should you deploy container apps to the same environment?

When you need to: - Manage related services - Deploy different applications to the same virtual network - Instrument Dapr applications that communicate via the Dapr service invocation API - Have applications to share the same Dapr configuration - Have applications to share the same log analytics workspace

Trigger task on source code update

Trigger a container image build or multi-step task when code is committed or a pull request is made/updated to GitHub or Azure DevOps.

ACR Tasks: Automatically triggered tasks

Triggers build an image based on source code update, base image update, or on a schedule

ACR storage: Zone redundancy

Uses Azure availability zones to replicate your registry to a minimum of three separate zones in each enabled region. Premium only.

How can an image platform be specified in ACR Tasks?

Using the --platform tag. ex: --platform Linux/arm64/v8

How do containers within a group reach each other?

Via localhost on the ports they expose, even if they aren't exposed externally on the group IP address.

When are YAML files recommended for deploying a multi-container group?

When a deployment only includes container instances (due to its more concise format).

When are Resource Manager templates recommended for deploying a multi-container group?

When you need to deploy additional Azure service resources with the container instances.

When deploying container groups consisting of multiple containers, which method is preferred?

YAML templates