
Cloud Native Briefing — Azure Container Apps General Availability

Azure Container Apps reached general availability in May 2022, offering a serverless container platform built on AKS, KEDA, Dapr, and Envoy—organisations must align deployment, networking, security, and cost governance to capitalise on the service.


Executive briefing: Microsoft announced the general availability of Azure Container Apps (ACA) on 24 May 2022. ACA is a serverless container platform built on Azure Kubernetes Service (AKS), KEDA (Kubernetes-based Event Driven Autoscaling), Dapr, and Envoy, enabling developers to run microservices, APIs, and event-driven workloads without managing Kubernetes infrastructure. The GA release adds enterprise-grade features including managed certificate support, enhanced networking, diagnostics, and integration with Azure Monitor. Organisations evaluating serverless containers should assess ACA’s operational model, pricing, and governance controls alongside existing PaaS and container offerings.

Platform architecture

Azure Container Apps abstracts AKS clusters into a managed environment where users deploy container revisions defined by container images and declarative YAML or Azure Resource Manager templates. Each environment hosts one or more container apps composed of revisions that run on Azure-managed Kubernetes nodes. ACA leverages KEDA for scale-to-zero and event-driven scaling, Dapr for service invocation, state management, and pub/sub, and Envoy for ingress, traffic splitting, and mTLS between services. Developers interact via Azure CLI, Bicep, ARM, or the Azure portal.

Operational capabilities

ACA supports HTTP-based applications, background workers, and event-driven processing triggered by Azure Functions-compatible bindings (Service Bus, Event Hubs, Storage Queues) through KEDA scalers. Autoscaling policies define minimum and maximum replicas, target concurrency, and scale rules based on HTTP traffic, CPU/memory, or event queue depth. Scale-to-zero reduces costs for idle workloads. GA introduces custom domain bindings with managed certificates, Azure Key Vault integration, and VNET ingress/egress controls (via internal load balancers and private endpoints).

Deployments use revisions, enabling blue/green or canary rollouts. Traffic can be split by percentage across revisions, facilitating gradual releases and rollback. Dapr components allow microservices to leverage state stores (Cosmos DB, Redis), bindings, and publish/subscribe patterns without boilerplate code. Developers can enable revisions for versioned APIs, while background jobs can run as non-HTTP workloads triggered by timers or events.

Observability and security

ACA integrates with Azure Monitor for logging and metrics, streaming container stdout/stderr and system logs to Log Analytics workspaces. Azure Monitor Application Insights supports distributed tracing when Dapr sidecars emit OpenTelemetry spans. GA adds diagnostics for network ingress, scaling events, and revision status. For security, ACA supports managed identities for authentication to other Azure services, secrets stored in ACA or Key Vault, and built-in TLS termination. Private networking allows deployment into customer-managed VNets with restricted ingress and service-to-service communication via internal load balancers.

Role-based access control (RBAC) leverages Azure AD. Administrators can delegate management of environments, apps, or revisions through Azure RBAC roles (Container Apps Reader/Contributor). Audit logs integrate with Azure Activity Log for governance. ACA inherits compliance coverage from the underlying Azure services; organisations should review regional availability and compliance certifications (ISO, SOC, PCI) to ensure suitability for regulated workloads.

Pricing model

ACA pricing is consumption-based, charging for active vCPU-seconds and memory-seconds when containers run, plus per-execution costs for scale-to-zero activations. Dedicated workload profiles are expected post-GA to support predictable performance. Compare ACA costs with Azure Functions (per-execution), App Service (per-instance), and AKS (node-based). For workloads with sporadic traffic, scale-to-zero can offer significant savings; for steady workloads, evaluate whether AKS or App Service provides better cost-performance. Use Azure Cost Management budgets and tags to track ACA expenditures, and consider reserved capacity or savings plans as Microsoft expands pricing options.

Comparison with alternative platforms

ACA targets developers needing container flexibility without managing Kubernetes. Compared with Azure Functions, ACA offers greater control over runtimes, custom images, and long-running processes. Compared with AKS, ACA reduces operational overhead by abstracting cluster management, upgrades, and scaling. Evaluate whether your organisation requires access to Kubernetes APIs (CustomResourceDefinitions, operators) or advanced networking (Calico policies) that ACA does not expose. Consider Azure App Service for traditional web apps with integrated deployment pipelines and scaling, and Azure Spring Apps for JVM workloads. Multi-cloud teams should compare ACA with AWS App Runner, AWS Fargate with ECS, and Google Cloud Run, assessing latency, scaling behaviour, and governance features.

Migration and deployment strategy

To adopt ACA, start with stateless microservices, APIs, or background jobs currently running on AKS, Azure Functions, or App Service where containerisation brings flexibility. Container images must be stored in Azure Container Registry (ACR) or compatible registries with pull secrets. Use CI/CD pipelines (GitHub Actions, Azure DevOps) to build images, push to registries, and deploy via Azure CLI or Bicep templates. Configure environment variables, secrets, and Dapr components through configuration files under source control. Implement infrastructure-as-code patterns to manage ACA environments consistently across dev/test/prod.

For blue/green deployments, leverage revision-based traffic splitting. Automate deployment pipelines to create new revisions, run smoke tests, and shift traffic incrementally. Integrate with Azure Monitor alerts to trigger rollback on error rate spikes. Document runbooks for incident response, including steps to scale manually, inspect logs, and restart revisions.
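
The incremental shift and rollback rule described above, as an added example that is not code from Microsoft or from this briefing's sources. It emits the split in the shape of the container app's `properties.configuration.ingress.traffic` array; the revision names, the 20-point step, the error-rate threshold and the observations are constructed assumptions, and in practice the error rates would come from Azure Monitor.

```python
def next_traffic(stable, canary, canary_weight, stable_err, canary_err,
                 step=20, max_err_delta=0.02):
    """Return (action, traffic) for the next stage of a canary rollout.

    traffic mirrors properties.configuration.ingress.traffic: one entry per
    revision, with weights that always sum to 100.
    """
    if not 0 <= canary_weight <= 100:
        raise ValueError("canary_weight must be between 0 and 100")
    if canary_weight > 0 and canary_err - stable_err > max_err_delta:
        # Canary is serving traffic and is clearly worse: send everything back.
        action, new_weight = "rollback", 0
    elif canary_weight >= 100:
        action, new_weight = "done", 100
    else:
        action, new_weight = "shift", min(100, canary_weight + step)
    traffic = [
        {"revisionName": stable, "weight": 100 - new_weight},
        {"revisionName": canary, "weight": new_weight},
    ]
    return action, traffic


def simulate(observations, stable="orders--v1", canary="orders--v2"):
    """Replay (stable_err, canary_err) samples; return [(action, canary_weight)]."""
    weight, history = 0, []
    for stable_err, canary_err in observations:
        action, traffic = next_traffic(stable, canary, weight,
                                       stable_err, canary_err)
        weight = traffic[1]["weight"]
        history.append((action, weight))
        if action in ("rollback", "done"):
            break
    return history


# Constructed observations: the canary degrades once it carries 40% of traffic.
SPIKE = [(0.01, 0.00), (0.01, 0.01), (0.01, 0.08)]
HEALTHY = [(0.01, 0.00)] * 7
```

Each returned `traffic` list can be written back to the container app through the same Bicep, ARM or CLI pipeline that created the revision.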

Networking and integration

ACA environments can be connected to VNets using internal load balancers, enabling private ingress and egress to on-premises networks via VPN or ExpressRoute. Configure network security groups and Azure Firewall to enforce traffic policies. For outbound connectivity, manage access to storage accounts, databases, and APIs via private endpoints and service endpoints. Use Dapr service discovery for internal calls, or configure custom domains and API gateways (Azure API Management) for external exposure.

Integrate ACA with Azure Event Grid, Service Bus, and Event Hubs for event-driven workloads. KEDA scalers support metrics from Prometheus, Kafka, RabbitMQ, and custom REST endpoints, allowing hybrid event sources. For data persistence, pair ACA with Azure SQL, Cosmos DB, or PostgreSQL Flexible Server, leveraging managed identities for authentication. When handling sensitive data, ensure data-at-rest encryption configurations meet compliance requirements and that network paths are secured.

Governance and compliance

Incorporate ACA into cloud governance frameworks. Define landing zone standards that cover ACA environment provisioning, role assignments, naming conventions, logging, and policy enforcement. Azure Policy can enforce resource configurations (e.g., requiring diagnostics, restricting public ingress). Establish tagging standards for cost allocation and compliance reporting. For regulated industries, verify ACA support for required certifications and implement compensating controls (WAF, DDoS Protection) as needed.

Implement security baselines: enforce private networking for sensitive services, enable mTLS between Dapr-enabled services, rotate secrets, and use vulnerability scanning for container images (ACR Tasks, Microsoft Defender for Cloud). Conduct threat modeling for container workloads, considering supply chain risks and dependency management.
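
As an added example (not code from Microsoft or from this briefing's sources), parts of the baseline above can be checked against a `Microsoft.App/containerApps` resource from an ARM template before it is deployed. The sample resource and all its names and values, the finding codes, the digest-pinning check and the name-based secret heuristic are constructed assumptions.

```python
import json

# Constructed sample resource; every name and value here is invented.
SAMPLE_APP = json.loads("""
{
  "type": "Microsoft.App/containerApps",
  "name": "orders-api",
  "identity": {"type": "None"},
  "properties": {
    "configuration": {
      "ingress": {"external": true, "allowInsecure": true, "targetPort": 8080},
      "secrets": [{"name": "sb-conn", "value": "<redacted>"}],
      "registries": [{"server": "example.azurecr.io", "username": "ci",
                      "passwordSecretRef": "acr-pw"}]
    },
    "template": {"containers": [{
      "name": "orders",
      "image": "example.azurecr.io/orders:latest",
      "env": [{"name": "SB_CONN", "secretRef": "sb-conn"},
              {"name": "DB_PASSWORD", "value": "hunter2"}]
    }]}
  }
}
""")

# Heuristic only: env var names that suggest a credential (assumption).
SENSITIVE = ("PASSWORD", "SECRET", "TOKEN", "KEY", "CONN")

def audit_container_app(res):
    """Return sorted finding codes for one container app resource."""
    findings = set()
    props = res.get("properties", {})
    cfg = props.get("configuration", {})
    ingress = cfg.get("ingress") or {}
    if ingress.get("external"):
        findings.add("public-ingress")          # reachable from the internet
    if ingress.get("allowInsecure"):
        findings.add("http-allowed")            # plain HTTP is not redirected
    if (res.get("identity") or {}).get("type", "None") == "None":
        findings.add("no-managed-identity")
    if any("passwordSecretRef" in r and not r.get("identity")
           for r in cfg.get("registries", [])):
        findings.add("registry-password-auth")  # pull secret instead of identity
    for c in props.get("template", {}).get("containers", []):
        if "@sha256:" not in c.get("image", ""):
            findings.add("image-not-pinned")    # mutable tag, supply-chain risk
        for env in c.get("env", []):
            if "value" in env and any(s in env["name"].upper() for s in SENSITIVE):
                findings.add("inline-secret-env")  # literal, not a secretRef
    return sorted(findings)
```

Run in CI against each template, a non-empty result can fail the build before the revision is created; Azure Policy remains the enforcement point for resources created outside the pipeline.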

Operational excellence

Develop SRE practices tailored to ACA. Define service-level objectives (SLOs) for latency, availability, and error rates. Use Azure Monitor metrics (request counts, replica counts, CPU/memory usage) and custom application metrics to track performance. Configure alerts for scaling anomalies, failed revisions, or KEDA scaler errors. Schedule chaos engineering exercises by simulating replica failures or network outages to validate resilience. Document incident response procedures and post-incident review processes.

Plan capacity and scaling strategies. Understand ACA’s limits on concurrent revisions, environment size, and container resources. Coordinate with Microsoft support for quotas and region availability. Use load testing (Azure Load Testing, k6) to validate autoscaling thresholds before production launches.

Cost optimisation and FinOps

Monitor consumption metrics to identify idle services and tune scale-to-zero thresholds. Use Azure Advisor and Cost Management recommendations to right-size resources and eliminate unused environments. Implement lifecycle policies for container images to reduce registry costs. Evaluate reserved capacity or savings plans as Microsoft introduces them for ACA, and consider the cost implications of multi-region deployments (Traffic Manager, data egress).

Roadmap and ecosystem

Microsoft signalled ongoing investments, including build-from-source workflows, GitHub integration for revision management, support for Jobs (scheduled/batch workloads), and deeper Dapr feature parity. Track Azure updates, release notes, and community calls to stay informed. Engage with the Dapr and KEDA communities to influence roadmap and share best practices.

By leveraging Azure Container Apps, organisations can run microservices and event-driven workloads with reduced operational overhead while maintaining flexibility through containerisation. Successful adoption hinges on integrating ACA into governance, CI/CD, observability, and cost management frameworks.
