Microsoft Azure Containers - An Architect Perspective

Firstly, designing a solution is often overlooked and underestimated, and it is not just about producing a solution diagram. It is the thinking, the homework and the process involved in arriving at that solution/diagram.

So, we all know what a container is in Microsoft Azure, but how does it play a role in architecting the right solution for a startup, a small to mid-size business and an enterprise?

In this article, I would like to share my insights into this topic.

The different container technologies offered by Microsoft Azure are:

  1. Azure App Service
  2. Azure Functions
  3. Azure Container Instances
  4. Azure Container Apps
  5. Azure Kubernetes Service

Let us briefly look at the 5 solutions at a high level, with their pros and cons.

  1. Azure App Service

Azure App Service is a Platform-as-a-Service (PaaS) offering originally designed to run web applications, including websites and web APIs; container hosting was added later.

Pros:

  • Auto scaling – both vertical scaling and horizontal scaling, with built-in metrics (CPU, memory) or schedule-based rules for the latter.
  • Fully managed by Microsoft, so we can just focus on our apps.
  • Easy to do a POC on legacy builds like dotnet 7.
  • Integration with Azure DevOps and GitHub.
  • Supports Linux and Windows, although they require separate App Service plans.

Cons:

  • Not serverless.
  • Horizontal scaling is not cloud native. The App Service plan just provisions additional instances without being aware of what is currently running, which might not be feasible for higher requirements.
  • Logging – regular App Service has tight integrations with solutions such as Application Insights and the Kudu console itself; Web App for Containers does not.
  • Single-container solution – if more than one API or container is needed (for example a web app and an API), that requires two different containers running on two different web apps. They can still share one App Service plan, but that incurs additional capacity.
  • Only suitable for web solutions (websites and APIs).
  • App Service only exposes ports 80 and 443. Customized ports, if needed, would require something like Docker Compose.

2. Azure Functions

The technical definitions can be found on the internet, but to me Functions are like the quickies in containerization. These are the serverless containers. What does that mean? It is all about on-demand compute: they are offline when not needed and come to life when we need execution.

It comes with 3 payment plans:

  • Consumption plan – automated scaling, and we only pay for the resources while they are running.
  • Premium plan – hosted on pre-warmed workers, meaning we pay for runtime plus the minimum vCPUs and memory needed to reduce the "cold start" time.
  • Dedicated plan – ideal for long-running scenarios, but it kind of defeats the point of serverless.

Pros:

  • It solves the problem of unsupported code and dependencies in Azure Functions, so it is a win for running old-school or legacy applications at a small scale.
  • Consumption plan – we only pay when we are actually consuming compute.
  • If you already have an existing Azure Functions Premium plan or a dedicated App Service plan, you can deploy your container alongside your existing functions; no need for an additional plan just for the containerized solution.
  • Integrations with managed identities, Application Insights, Azure Container Registry, and CI/CD capabilities.

Cons:

  • Running Windows containers on Azure Function apps is currently not supported.
  • It is not the ideal solution to host containers, as the command-line tools don't support the full feature set.

The last con can be better explained by looking at my GitHub repository for deploying Functions: ContainersInAzure/DeployingContainersAzureFunctions at main · VishnuBharathR/ContainersInAzure (github.com)

3. Azure Container Instances (ACI).

Microsoft's first serverless container platform is Azure Container Instances. It is the fastest and simplest way to run both Linux and Windows containers in Azure. ACI even guarantees that your container is as isolated as it would be running in a VM. Unlike running a container in a VM, with ACI you don't have to manage any underlying operating system, hardware or patching that comes with running servers. This is perfect for developers whose machines might not be up to the task of running multiple containers.

Pros:

  • Integrates with other Azure services like AKS and Functions.
  • Event driven.
  • YAML is the standard language for the Docker files that build containers, for Kubernetes config files, for Azure Container Apps and for the Helm package manager.
  • Consumption model – one of the biggest pros of ACI is that it is billed per second. As we specify requests for CPU and memory, we are billed per GB of memory and per vCPU. This is perfect when we need to run a container for a short duration, or even just to burst from AKS.
  • Fast startup times, workflows, container groups and virtual network integration.

Cons:

  • CPU and memory limits per container group.
  • VNet integration and external access don't go well together. When it comes to networking, we can choose to deploy the containers the standard way, which results in a public endpoint on which we can access our solution. However, ACI also supports integration with Azure Virtual Network for containing and isolating traffic. There is a downside to this: when we isolate the traffic using Azure Virtual Network integration, we lose access to our public endpoints. There is no "both"; it is either private networking or a public endpoint. It can be overcome using Application Gateway, though.
  • Windows support is experimental; general availability is Linux primarily.

4. Azure Container Apps

Started in 2021, Azure Container Apps comes out of the box with support for open-source services such as Kubernetes Event Driven Autoscaling (KEDA), Distributed Application Runtime (Dapr), and a fully managed Ingress controller. This solution is not in GA, at least for now, but will be soon. So watch out.

Let us understand some of these terminologies to better explain Azure Container Apps.

KEDA is used to automatically scale your workloads. It uses a concept of scalers, which include message queues, SQL queries, and even Azure DevOps pipelines.

Dapr is used to help with communication between workloads, publisher/subscriber messaging systems such as Azure Service Bus, and more.

Envoy is used to enable Ingress for your workload. You can think of an Ingress as the router that contains the rules that allow traffic to your workload. Traffic from the outside world to your solution needs to be controlled; an Ingress does just that.

Pods come from Kubernetes and are the smallest deployable unit.

Pros:

  • Speed - Azure Container Apps is fast! Going from zero to an environment with a container running inside of it takes less than a couple of minutes and merely a few commands. If Azure Container Apps is not your production platform, it is definitely a platform to use for testing the functionality of your container in the Microsoft Azure cloud.
  • Microservices
  • Control with Ingress.
  • KEDA and Dapr.

Cons:

  • Cold Starts
  • YAML programming makes migration to other container groups a tad complex.
  • Supports only ports 80 and 443 by default, so port customization is not an option for now.
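To make the KEDA, Dapr and Ingress pieces above concrete, here is a Container App definition in the YAML form accepted by `az containerapp create --yaml`. It is an added example and not from the article or its GitHub repository; the environment id, app name, image and Service Bus queue name are placeholders. Ingress is external over 443 only, the Service Bus connection string comes from a named secret rather than being inlined, and minReplicas is 0, which is exactly where the "cold start" con comes from.

```yaml
# Constructed example: Azure Container App with Ingress, Dapr and two KEDA scale rules.
type: Microsoft.App/containerApps
name: orders-api                      # placeholder app name
properties:
  environmentId: /subscriptions/<SUB-ID>/resourceGroups/<RG>/providers/Microsoft.App/managedEnvironments/<ENV>
  configuration:
    activeRevisionsMode: Single
    secrets:
      - name: sb-connection           # referenced below, never written into the scale rule itself
        value: "<SERVICE-BUS-CONNECTION-STRING>"
    ingress:
      external: true                  # reachable from outside the environment
      targetPort: 8080                # container port; the platform still exposes only 80/443
      allowInsecure: false            # HTTP is redirected to HTTPS
      traffic:
        - latestRevision: true
          weight: 100
    dapr:
      enabled: true                   # sidecar for service-to-service calls and pub/sub
      appId: orders-api
      appPort: 8080
      appProtocol: http
  template:
    containers:
      - name: orders-api
        image: <REGISTRY>/orders-api:1.0.0   # placeholder image
        resources:
          cpu: 0.5
          memory: 1Gi
    scale:
      minReplicas: 0                  # scale to zero saves money but causes cold starts
      maxReplicas: 10
      rules:
        - name: http-concurrency
          http:
            metadata:
              concurrentRequests: "50"
        - name: orders-queue          # KEDA azure-servicebus scaler
          custom:
            type: azure-servicebus
            metadata:
              queueName: orders
              messageCount: "5"
            auth:
              - secretRef: sb-connection
                triggerParameter: connection
```

Setting minReplicas to 1 removes the cold start at the price of paying for one idle replica, which is the trade-off the cons list refers to.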

5. Azure Kubernetes Service.

This is the managed solution from Microsoft for container orchestration: the one for the big bucks, with all the features that containers can offer.

Pros:

  • Managed control plane – this is where the pros can build and control from scratch for large-scale deployments.
  • Multiple integrations within Azure, like Azure Active Directory, Key Vault, etc.
  • Upgrades/updates – the best in class.

Cons:

  • If the learning curve counts as a con, I probably would not add it here. But to deploy this solution, a full-scale understanding is recommended in order to appreciate the wealth of features it provides.
  • To be fair, there aren't many that I found to stand out.

With a fair understanding of the solutions offered, let me try to fit them into real-world use cases.

  1. Startups

If I am a solution architect for a startup, I would ask a couple of questions: the business requirements, the objective, the expected customer growth for the next 6-12 months, green field or brown field, and the budget. Then I would evaluate the pros and cons of all 5 container solutions against those requirements and come up with a solution.

For an average startup, my recommended solution would be Azure Container Apps, which supports virtual network integration and is essentially a fully managed solution from Microsoft. We can give the Ops team a lot of options without the management burden. Additionally, providing a set of container apps per customer also helps with scaling per customer and determining the infrastructure cost per customer. It also brings security, financial cost savings and room for future growth: if the startup becomes a unicorn, it does not have to redeploy from scratch.

2. Small and Medium Sized Enterprises

Once a startup becomes more successful and the business grows, it scales up and will soon be a small- or medium-sized business. This means there is a solid customer base that has been served for some time now.

Now governance and security will need to be added to the solution. Customers now need absolute isolation while being served, and network connectivity to the business unit for secure transactions.

This is where Azure Kubernetes Services will shine.

AKS can deliver on the security side, governance, traffic routing, scalability and beyond.

3. Enterprise Networks.

Now, on top of all the features above, compliance will also be expected as a company becomes an enterprise. Monitoring, logs, secure network connectivity including access via private networks, security, and isolation between customers, among many other features, become a necessity.

  • Azure Monitor/Container insights

Even if we had 100 customers, that's 200 Pods. By using Container Insights, you can store not only the AKS cluster logs in a central place but also your application logs. This makes troubleshooting a lot easier with Azure Monitor.

  • Role Based Access control

Who is doing what? RBAC answers that question and helps in all forms of audits.

  • Managed Identity and Azure AD authentication – adds additional security to user access.
  • There is also automatic key rotation and certificate renewal.
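The per-customer isolation and RBAC points above map directly onto Kubernetes objects on an AKS cluster with Azure AD integration. The manifest below is an added example, not from the article or its repository; it assumes a cluster with Azure network policy enabled, an ingress controller living in a namespace called `ingress-nginx`, and an Azure AD group whose object id stands in for the customer's ops team.

```yaml
# Constructed example: one namespace per customer on AKS, locked down by default.
apiVersion: v1
kind: Namespace
metadata:
  name: customer-a
  labels:
    tenant: customer-a
---
# Default deny: no pod in this namespace accepts traffic unless a later policy allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: customer-a
spec:
  podSelector: {}                 # every pod in the namespace
  policyTypes: ["Ingress"]        # egress left open so DNS and Azure services still work
---
# Only the ingress controller namespace (assumed name) may reach this tenant's pods,
# so customer-b pods cannot talk to customer-a pods even if they know the service name.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-ingress
  namespace: customer-a
spec:
  podSelector: {}
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
---
# Azure AD group -> Kubernetes Group subject. With AKS AAD integration the group object id
# is the subject name, and the binding is scoped to this namespace only (no cluster-wide rights).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: customer-a-ops
  namespace: customer-a
subjects:
  - kind: Group
    name: "<AAD-GROUP-OBJECT-ID>"   # placeholder: object id of the customer's ops group
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit                        # built-in role: manage workloads, not RBAC or secrets of other namespaces
  apiGroup: rbac.authorization.k8s.io
```

Every API call made under that binding carries the Azure AD identity, which is what turns the audit log into the "who is doing what" record mentioned above.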

Visualizing our solutions looks like this.

This makes Azure Kubernetes a reliable platform for an enterprise (customer) to run their containerized solutions on.

Well, the inputs provided here cannot be cut and pasted anywhere as is, because the inputs that lead to a real-life solution are decided on a situation-to-situation basis. A solution architect with the right expertise, when given the chance, can make the right decisions for the organization in the first place, be it an upcoming startup, a small-medium enterprise or a large-scale enterprise, and can help with the deployment along the way for both green field and brown field solutions.

Here is my github link with the Azure CLI commands to create the different container solutions discussed here. VishnuBharathR/ContainersInAzure: Here are the Azure CLI commands with example to create different containers in Microsoft Azure (github.com)

Please feel free to reach out with any questions I can answer.
