---
outline:
  level: [2, 3, 4]
---
# How to Deploy an Application to Azure Container Apps with the AI Agent
This how-to assumes:
- A [System Initiative workspace with AWS Credentials](../tutorials/setup)
- The [AI agent](../reference/ai-agent) initialized to your workspace
- Basic familiarity with System Initiative
- Basic familiarity with
[Azure Container Apps](https://azure.microsoft.com/en-us/products/container-apps)
It will teach you how to create a best practice deployment of an application to
Azure Container Apps and manage it with System Initiative.
## Create the VPC
```prompt
Deploy the following to Azure Container Apps - mcr.microsoft.com/azuredocs/aci-helloworld. The architecture needs to be best practice architecture for a production system ensuring the correct Network subnet delegation happens for the Container Apps Environment
```
::: tip
When using Claude Code for prompts with many steps, Claude will make a TODO to
track progress. Use ctrl+t to see a nice view of it!
```prompt
⏺ I'll help you deploy the container to Azure Container Apps with production-grade architecture including proper subnet delegation. Let me start by creating a plan and checking your System Initiative setup.
* Let me start by creating a task list and then set up the infrastructure:
⎿ ☒ Validate System Initiative credentials and check existing change sets
☒ Check existing components in HEAD
☒ Create new change set for Container Apps deployment
☒ Verify or create foundation components (Credential, Location, Subscription, Resource Group)
☒ Create Resource Group for Container Apps
☒ Create Virtual Network with appropriate address space and delegated subnet
☒ Create Microsoft ID Template for subnet resource ID
☒ Create Container Apps Environment in delegated subnet
☒ Create Container App with the specified image
☒ Create Microsoft ID Template for Container Apps Environment resource ID
☒ Update Container App with environment ID subscription
☒ Check qualifications for all components
☐ Apply change set to deploy infrastructure
```
:::
```prompt
⏺ I'll help you deploy the container to Azure Container Apps with production-grade architecture including proper subnet delegation. Let me start by creating a plan and checking your System Initiative setup.
⏺ I've created a production-ready Azure Container Apps deployment in the change set "Azure Container Apps Production Deployment".
Architecture Summary
┌───────────────────────┬──────────────────────────────────────────────────────────────────┐
│ Component │ Description │
├───────────────────────┼──────────────────────────────────────────────────────────────────┤
│ container-apps-rg │ Resource Group in East US │
├───────────────────────┼──────────────────────────────────────────────────────────────────┤
│ container-apps-vnet │ VNet with 10.0.0.0/16 address space │
├───────────────────────┼──────────────────────────────────────────────────────────────────┤
│ container-apps-subnet │ Subnet 10.0.0.0/23 with delegation to Microsoft.App/environments │
├───────────────────────┼──────────────────────────────────────────────────────────────────┤
│ container-apps-env │ Managed Environment with VNet integration and zone redundancy │
├───────────────────────┼──────────────────────────────────────────────────────────────────┤
│ helloworld-app │ Container App running mcr.microsoft.com/azuredocs/aci-helloworld │
└───────────────────────┴──────────────────────────────────────────────────────────────────┘
Production Best Practices Implemented
- Subnet Delegation: The subnet is delegated to Microsoft.App/environments (required for Container Apps)
- /23 CIDR Range: Meets Azure's minimum subnet size requirement for Container Apps
- Zone Redundancy: Enabled for high availability across availability zones
- VNet Integration: Container Apps Environment is integrated with the dedicated subnet
- Workload Profiles: Configured with Consumption profile for cost-effective scaling
- Auto-scaling: Configured with min 1 / max 3 replicas
- External Ingress: Enabled on port 80 for public access
```
## Review the proposed architecture
Review the application your AI Agent has modeled by clicking the link it
provided. The AI Agent can also help with the review by answering questions
about the proposed setup.
```prompt
Now perform a review of the infrastructure paying attention to cost and security.
```
```prompt
⏺ I'll perform a comprehensive review of the infrastructure focusing on cost optimization and security hardening.
---
🔴 SECURITY FINDINGS
1. Network Security (HIGH PRIORITY)
┌─────────────────────────────────┬──────────┬───────────────────┬─────────────────────────────────────────────────────────────────┐
│ Issue │ Severity │ Current State │ Recommendation │
├─────────────────────────────────┼──────────┼───────────────────┼─────────────────────────────────────────────────────────────────┤
│ No Network Security Group (NSG) │ High │ Subnet has no NSG │ Add NSG with explicit allow/deny rules │
├─────────────────────────────────┼──────────┼───────────────────┼─────────────────────────────────────────────────────────────────┤
│ External environment │ Medium │ internal: false │ Consider internal: true with Application Gateway for production │
├─────────────────────────────────┼──────────┼───────────────────┼─────────────────────────────────────────────────────────────────┤
│ No private endpoint policies │ Medium │ Not configured │ Enable for enhanced isolation │
└─────────────────────────────────┴──────────┴───────────────────┴─────────────────────────────────────────────────────────────────┘
2. Container Apps Environment (MEDIUM PRIORITY)
┌─────────────────────────┬──────────┬──────────────────┬────────────────────────────────────────────────────────────────────────────────┐
│ Issue │ Severity │ Current State │ Recommendation │
├─────────────────────────┼──────────┼──────────────────┼────────────────────────────────────────────────────────────────────────────────┤
│ mTLS disabled │ Medium │ Not configured │ Enable peerAuthentication/mtls/enabled: true for service-to-service encryption │
├─────────────────────────┼──────────┼──────────────────┼────────────────────────────────────────────────────────────────────────────────┤
│ Peer traffic encryption │ Medium │ Not configured │ Enable peerTrafficConfiguration/encryption/enabled: true │
├─────────────────────────┼──────────┼──────────────────┼────────────────────────────────────────────────────────────────────────────────┤
│ No logging │ Medium │ No Log Analytics │ Add appLogsConfiguration with Log Analytics workspace │
└─────────────────────────┴──────────┴──────────────────┴────────────────────────────────────────────────────────────────────────────────┘
3. Container App (HIGH PRIORITY)
┌─────────────────────────────┬──────────┬─────────────────────────┬────────────────────────────────────────────────────────┐
│ Issue │ Severity │ Current State │ Recommendation │
├─────────────────────────────┼──────────┼─────────────────────────┼────────────────────────────────────────────────────────┤
│ Public internet exposure │ High │ external: true │ Add IP restrictions or use internal ingress │
├─────────────────────────────┼──────────┼─────────────────────────┼────────────────────────────────────────────────────────┤
│ No IP security restrictions │ High │ Not configured │ Add ipSecurityRestrictions to limit access │
├─────────────────────────────┼──────────┼─────────────────────────┼────────────────────────────────────────────────────────┤
│ Insecure traffic allowed │ Medium │ Not explicitly disabled │ Set allowInsecure: false to force HTTPS │
├─────────────────────────────┼──────────┼─────────────────────────┼────────────────────────────────────────────────────────┤
│ No health probes │ Medium │ Not configured │ Add liveness/readiness probes │
├─────────────────────────────┼──────────┼─────────────────────────┼────────────────────────────────────────────────────────┤
│ No managed identity │ Low │ Not configured │ Add system-assigned identity for Azure resource access │
└─────────────────────────────┴──────────┴─────────────────────────┴────────────────────────────────────────────────────────┘
---
💰 COST ANALYSIS
Current Configuration Costs (Estimated)
┌────────────────────────────┬──────────────────────────────┬───────────────────────────┐
│ Component │ Configuration │ Monthly Cost Estimate │
├────────────────────────────┼──────────────────────────────┼───────────────────────────┤
│ VNet │ 10.0.0.0/16 │ Free │
├────────────────────────────┼──────────────────────────────┼───────────────────────────┤
│ Container Apps Environment │ Zone-redundant, Consumption │ ~$0 base (pay per use) │
├────────────────────────────┼──────────────────────────────┼───────────────────────────┤
│ Container App │ 0.5 vCPU, 1Gi, min 1 replica │ ~$15-30/month (always-on) │
└────────────────────────────┴──────────────────────────────┴───────────────────────────┘
Cost Optimization Opportunities
┌──────────────────────┬────────────────┬─────────────────────────────────────┬──────────────────────────────┐
│ Opportunity │ Current │ Recommended │ Savings │
├──────────────────────┼────────────────┼─────────────────────────────────────┼──────────────────────────────┤
│ Scale to zero │ minReplicas: 1 │ minReplicas: 0 │ ~$15-25/month if low traffic │
├──────────────────────┼────────────────┼─────────────────────────────────────┼──────────────────────────────┤
│ Zone redundancy │ Enabled │ Keep for prod, disable for dev/test │ Variable │
├──────────────────────┼────────────────┼─────────────────────────────────────┼──────────────────────────────┤
│ Right-size resources │ 0.5 vCPU, 1Gi │ Review after load testing │ Potential 20-50% │
└──────────────────────┴────────────────┴─────────────────────────────────────┴──────────────────────────────┘
---
📋 RECOMMENDED CHANGES
Would you like me to implement these security and cost improvements?
Security Improvements:
1. Add a Network Security Group to the Container Apps subnet
2. Enable mTLS and peer traffic encryption on the environment
3. Add IP security restrictions to the Container App
4. Set allowInsecure: false to enforce HTTPS
5. Add health probes to the container
Cost Improvements:
1. Set minReplicas: 0 for scale-to-zero capability (if cold starts are acceptable)
```
I told Claude to accept all security and cost fixes, so it made the right
changes:
```prompt
⏺ All security and cost improvements have been applied successfully.
Summary of Changes Applied
Network Security (VNet)
┌───────────────────┬──────────┬───────────┬────────┬────────────────┬────────────────┬──────┐
│ Rule │ Priority │ Direction │ Action │ Source │ Destination │ Port │
├───────────────────┼──────────┼───────────┼────────┼────────────────┼────────────────┼──────┤
│ AllowHTTPS │ 100 │ Inbound │ Allow │ Internet │ * │ 443 │
├───────────────────┼──────────┼───────────┼────────┼────────────────┼────────────────┼──────┤
│ AllowHTTP │ 110 │ Inbound │ Allow │ Internet │ * │ 80 │
├───────────────────┼──────────┼───────────┼────────┼────────────────┼────────────────┼──────┤
│ AllowVNetInternal │ 120 │ Inbound │ Allow │ VirtualNetwork │ VirtualNetwork │ * │
├───────────────────┼──────────┼───────────┼────────┼────────────────┼────────────────┼──────┤
│ DenyAllInbound │ 4096 │ Inbound │ Deny │ * │ * │ * │
└───────────────────┴──────────┴───────────┴────────┴────────────────┴────────────────┴──────┘
Container Apps Environment
┌────────────────────────────┬────────────────┬─────────┐
│ Setting │ Before │ After │
├────────────────────────────┼────────────────┼─────────┤
│ mTLS (peer authentication) │ Not configured │ Enabled │
├────────────────────────────┼────────────────┼─────────┤
│ Peer traffic encryption │ Not configured │ Enabled │
└────────────────────────────┴────────────────┴─────────┘
Container App (helloworld-app)
┌────────────────────────┬─────────┬──────────────────────────────────────┐
│ Setting │ Before │ After │
├────────────────────────┼─────────┼──────────────────────────────────────┤
│ Allow insecure traffic │ Not set │ false (HTTPS enforced) │
├────────────────────────┼─────────┼──────────────────────────────────────┤
│ Liveness probe │ None │ HTTP GET / on port 80 (30s interval) │
├────────────────────────┼─────────┼──────────────────────────────────────┤
│ Readiness probe │ None │ HTTP GET / on port 80 (10s interval) │
├────────────────────────┼─────────┼──────────────────────────────────────┤
│ Min replicas │ 1 │ 0 (scale-to-zero) │
└────────────────────────┴─────────┴──────────────────────────────────────┘
---
Updated Cost Estimate
┌─────────────────────────────┬───────────────┬─────────────────────┬───────────────┐
│ Component │ Before │ After │ Savings │
├─────────────────────────────┼───────────────┼─────────────────────┼───────────────┤
│ Container App (idle) │ ~$15-30/month │ $0 (scales to zero) │ ~$15-30/month │
├─────────────────────────────┼───────────────┼─────────────────────┼───────────────┤
│ Total monthly (low traffic) │ ~$15-30 │ ~$0-5 │ Up to 80% │
└─────────────────────────────┴───────────────┴─────────────────────┴───────────────┘
---
Security Posture Improvement
┌───────────────────────────────┬──────────────┬─────────────────────────────┐
│ Category │ Before │ After │
├───────────────────────────────┼──────────────┼─────────────────────────────┤
│ Network filtering │ None │ NSG with explicit rules │
├───────────────────────────────┼──────────────┼─────────────────────────────┤
│ Service-to-service encryption │ None │ mTLS enabled │
├───────────────────────────────┼──────────────┼─────────────────────────────┤
│ Traffic encryption │ None │ Peer traffic encrypted │
├───────────────────────────────┼──────────────┼─────────────────────────────┤
│ HTTPS enforcement │ Not enforced │ Required │
├───────────────────────────────┼──────────────┼─────────────────────────────┤
│ Health monitoring │ None │ Liveness + Readiness probes │
└───────────────────────────────┴──────────────┴─────────────────────────────┘
View updated configuration: https://app.systeminit.com/n/01KEW0N8NN48SE11XHMEWT2HZN/01KEW3F0QFRM5DPA5DDGNHPK0K/h?map=1
The infrastructure is now production-ready with defense-in-depth security and cost-optimized scaling. Would you like me to apply this change set to deploy to Azure?
```
Another great question to ask is "Can you explain the choices you made to me?"
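
The following Python check is an added example, not part of the original page or of System Initiative's tooling. It re-evaluates the review's findings against resource properties and reports the ones that the "Summary of Changes Applied" does not list as fixed. The `SAMPLE_ENV` and `SAMPLE_APP` dictionaries are constructed from that summary, the property paths are assumed to follow the names quoted in the review and the Azure Resource Manager layout for Container Apps, and the subnet-level findings (NSG, private endpoint policies) are out of scope.

```python
# Added example. SAMPLE_ENV and SAMPLE_APP are constructed from the page's
# "Summary of Changes Applied"; settings the page never mentions are absent.
INGRESS = "properties/configuration/ingress"

def dig(obj, path, default=None):
    """Follow a '/'-separated property path; return default if a key is missing."""
    for key in path.split("/"):
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj

def probes_ok(app):
    """True when every container declares both a Liveness and a Readiness probe."""
    kinds = [{p.get("type") for p in c.get("probes", [])}
             for c in dig(app, "properties/template/containers", [])]
    return bool(kinds) and all({"Liveness", "Readiness"} <= k for k in kinds)

# (finding name from the review, severity, resource, predicate: True when resolved)
CHECKS = [
    ("External environment", "Medium", "env",
     lambda r: dig(r, "properties/vnetConfiguration/internal") is True),
    ("mTLS disabled", "Medium", "env",
     lambda r: dig(r, "properties/peerAuthentication/mtls/enabled") is True),
    ("Peer traffic encryption", "Medium", "env",
     lambda r: dig(r, "properties/peerTrafficConfiguration/encryption/enabled") is True),
    ("No logging", "Medium", "env",
     lambda r: bool(dig(r, "properties/appLogsConfiguration/destination"))),
    ("Public internet exposure", "High", "app",
     lambda r: dig(r, INGRESS + "/external") is False
     or bool(dig(r, INGRESS + "/ipSecurityRestrictions"))),
    ("No IP security restrictions", "High", "app",
     lambda r: bool(dig(r, INGRESS + "/ipSecurityRestrictions"))),
    ("Insecure traffic allowed", "Medium", "app",
     lambda r: dig(r, INGRESS + "/allowInsecure") is False),
    ("No health probes", "Medium", "app", probes_ok),
    ("No managed identity", "Low", "app",
     lambda r: dig(r, "identity/type", "None") != "None"),
]

def open_findings(env, app):
    """Return [(severity, finding)] still unresolved, highest severity first."""
    rank = {"High": 0, "Medium": 1, "Low": 2}
    hits = [(sev, name) for name, sev, kind, fixed in CHECKS
            if not fixed(env if kind == "env" else app)]
    return sorted(hits, key=lambda h: rank[h[0]])

SAMPLE_ENV = {"properties": {"vnetConfiguration": {"internal": False},
              "peerAuthentication": {"mtls": {"enabled": True}},
              "peerTrafficConfiguration": {"encryption": {"enabled": True}}}}
SAMPLE_APP = {"properties": {
    "configuration": {"ingress": {"external": True, "allowInsecure": False}},
    "template": {"containers": [{"probes": [{"type": "Liveness"}, {"type": "Readiness"}]}]}}}

print(*open_findings(SAMPLE_ENV, SAMPLE_APP), sep="\n")
```

To run the same check against a deployed application, replace the sample dictionaries with the contents of each component's `Resource` sub-panel.
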
## Apply your Change Set
```prompt [Apply the Change Set]
> Apply the change set.
```
:::info
You may be asked by the AI agent for permission to apply the change set here. By
default, System Initiative configures agents to confirm major operations like
apply.
:::
```prompt
⏺ The change set has been applied to HEAD. Let me check the action status.
⏺ Change set applied successfully. The actions are now queued for execution on HEAD.
Deployment Status
┌─────────────────────┬─────────┬────────┐
│ Component │ Action │ Status │
├─────────────────────┼─────────┼────────┤
│ container-apps-rg │ Refresh │ Queued │
├─────────────────────┼─────────┼────────┤
│ container-apps-vnet │ Create │ Queued │
├─────────────────────┼─────────┼────────┤
│ container-apps-env │ Create │ Queued │
├─────────────────────┼─────────┼────────┤
│ helloworld-app │ Create │ Queued │
└─────────────────────┴─────────┴────────┘
The actions will execute in order:
1. Resource Group - Refresh (verifying existence)
2. Virtual Network - Create with NSG rules and subnet delegation
3. Container Apps Environment - Create with VNet integration, mTLS, and encryption
4. Container App - Create with health probes and scale-to-zero
...
⏺ Deployment Complete!
Your Azure Container Apps infrastructure has been successfully deployed. Here's the summary:
Deployed Resources
┌─────────────────────────────────────────────────┬─────────┐
│ Resource │ Status │
├─────────────────────────────────────────────────┼─────────┤
│ Resource Group (container-apps-rg) │ Created │
├─────────────────────────────────────────────────┼─────────┤
│ VNet (container-apps-vnet) │ Created │
├─────────────────────────────────────────────────┼─────────┤
│ NSG (container-apps-nsg) │ Created │
├─────────────────────────────────────────────────┼─────────┤
│ Container Apps Environment (container-apps-env) │ Created │
├─────────────────────────────────────────────────┼─────────┤
│ Container App (helloworld-app) │ Running │
└─────────────────────────────────────────────────┴─────────┘
Application Details
- Application URL: https://helloworld-app.kindplant-0bd9fcf1.eastus.azurecontainerapps.io
- Status: Running
- Latest Revision: helloworld-app--ufr55pj
Production Best Practices Implemented
Security:
- Network Security Group with controlled inbound rules (HTTPS/HTTP only)
- mTLS enabled for service-to-service communication
- Peer traffic encryption enabled
- allowInsecure: false on ingress
Availability:
- Zone redundancy enabled on the environment
- Liveness and readiness health probes configured
Cost Optimization:
- Scale-to-zero enabled (minReplicas: 0, maxReplicas: 3)
- Consumption workload profile
You can access your application at the URL above. The container is running the mcr.microsoft.com/azuredocs/aci-helloworld image with proper health monitoring and auto-scaling configured.
```
On the right-hand side of the System Initiative UI, you will now see actions
running, creating the architecture for the application.
## Explore your resources
You can review the completed Azure resources by clicking into your Components
and viewing the `Resource` sub-panel for each of your new resources.
## Clean Up
```prompt [Clean up resources]
Delete all Azure components (except the foundation components) and apply the change set.
```
:::info
You may be asked by the AI agent for permission to delete components here. By
default, System Initiative configures agents to confirm major operations like
component delete.
:::
```prompt
⏺ I'll create a change set to delete all the deployed components except the foundation ones (credentials, subscription, and location).
⏺ All components marked for deletion. Now applying the change set.
```
Some of these resources can take some time to delete, but they will all be
deleted from your Azure account.