Stack Debate

Tag: Azure Container Apps

  • Kubernetes vs. Azure Container Apps: How to Choose the Right Container Platform for Your Team

    Kubernetes vs. Azure Container Apps: How to Choose the Right Container Platform for Your Team

    Containerization changed how teams build and ship software. But choosing how to run those containers is a decision that has major downstream effects on your team's operational overhead, cost structure, and architectural flexibility. Two options that come up most often in Azure environments are Azure Kubernetes Service (AKS) and Azure Container Apps (ACA). They both run containers. They both scale. And they both sit in Azure. So what actually separates them — and when does each one win?

    This post breaks down the key differences so you can make a clear, informed choice rather than defaulting to “just use Kubernetes” because it's familiar.

    What Each Platform Actually Is

    Azure Kubernetes Service (AKS) is Microsoft's managed Kubernetes offering. You still manage node pools, configure networking, handle storage classes, set up ingress controllers, and reason about cluster capacity. Azure handles the Kubernetes control plane, but everything from the node level down is on you. AKS gives you the full Kubernetes API — every knob, every operator, every custom resource definition.

    Azure Container Apps (ACA) is a fully managed, serverless container platform. Under the hood it runs on Kubernetes and KEDA (the Kubernetes-based event-driven autoscaler), but that entire layer is completely hidden from you. You deploy containers. You define scale rules. Azure takes care of everything else, including zero-scale when traffic drops to nothing.

    The simplest mental model: AKS is infrastructure you control; ACA is a platform that controls itself.

    Operational Complexity: The Real Cost of Kubernetes

    Kubernetes is powerful, but it does not manage itself. On AKS, someone on your team needs to own the cluster. That means patching node pools when new Kubernetes versions drop, right-sizing VM SKUs, configuring cluster autoscaler settings, setting up an ingress controller (NGINX, Application Gateway Ingress Controller, or another option), managing Persistent Volume Claims for stateful workloads, and wiring up monitoring with Azure Monitor or Prometheus.

    None of this is particularly hard if you have a dedicated platform or DevOps team. But for a team of five developers shipping a SaaS product, this is real overhead that competes with feature work. A misconfigured cluster autoscaler during a traffic spike does not just cause degraded performance — it can cascade into an outage.

    Azure Container Apps removes this entire layer. There are no nodes to patch, no ingress controllers to configure, no cluster autoscaler to tune. You push a container image, configure environment variables and scale rules, and the platform handles the rest. For teams without dedicated infrastructure engineers, this is a significant productivity multiplier.

    Scaling Behavior: When ACA's Serverless Model Shines

    Azure Container Apps was built from the ground up around event-driven autoscaling via KEDA. Out of the box, ACA can scale your containers based on HTTP traffic, CPU, memory, Azure Service Bus queue depth, Azure Event Hub consumer lag, or any custom metric KEDA supports. More importantly, it can scale all the way to zero replicas when there is nothing to process — and you pay nothing while scaled to zero.

    This makes ACA an excellent fit for workloads with bursty or unpredictable traffic patterns: background job processors, webhook handlers, batch pipelines, internal APIs that see low-to-moderate traffic. If your workload sits idle for hours at a time, the cost savings from zero-scale can be substantial.

    AKS supports horizontal pod autoscaling and KEDA as an add-on, but scaling to zero requires additional configuration, and you still pay for the underlying nodes even if no pods are scheduled on them (unless you are also using Virtual Nodes or node pool autoscaling all the way down to zero, which adds more complexity). For baseline-heavy workloads that always run, AKS's fixed node cost is predictable and can be cheaper than per-request ACA billing at high sustained loads.

    Networking and Ingress: AKS Wins on Flexibility

    If your architecture involves complex networking requirements — internal load balancers, custom ingress routing rules, mutual TLS between services, integration with existing Azure Application Gateway or Azure Front Door configurations, or network policies enforced at the pod level — AKS gives you the surface area to configure all of it precisely.

    Azure Container Apps provides built-in ingress with HTTPS termination, traffic splitting for blue/green and canary deployments, and Dapr integration for service-to-service communication. For many teams, that is more than enough. But if you need to bolt Container Apps into an existing hub-and-spoke network topology with specific NSG rules and UDRs, you will find the abstraction starts to fight you. ACA supports VNet integration, but the configuration surface is much smaller than what AKS exposes.

    Multi-Container Architectures and Microservices

    Both platforms support multi-container deployments, but they model them differently. AKS uses Kubernetes Pods, which can contain multiple containers sharing a network namespace and storage volumes. This is the standard pattern for sidecar containers — log shippers, service mesh proxies, init containers for secret injection.

    Azure Container Apps supports multi-container configurations within an environment, and it has first-class support for Dapr as a sidecar abstraction. If you are building microservices that need service discovery, distributed tracing, and pub/sub messaging without wiring it all up manually, Dapr on ACA is genuinely elegant. The trade-off is that you are adopting Dapr's abstraction model, which may or may not align with how your team already thinks about inter-service communication.

    For teams building a large microservices estate with diverse inter-service communication requirements, AKS with a service mesh like Istio or Linkerd still offers the most control. For teams building five to fifteen services that need to talk to each other, ACA with Dapr is often simpler to operate at any given point in the lifecycle.

    Cost Considerations

    Cost is one of the most common decision drivers, and neither platform is universally cheaper. The comparison depends heavily on your workload profile:

    • Low or bursty traffic: ACA's scale-to-zero capability means you pay only for active compute. An API that handles 50 requests per hour costs nearly nothing on ACA. The same workload on AKS requires at least one running node regardless of traffic.
    • High, sustained throughput: AKS with right-sized reserved instances or spot node pools can be significantly cheaper than ACA per-vCPU-hour at high sustained load. ACA's consumption pricing adds up when you are running hundreds of thousands of requests continuously.
    • Operational cost: Do not forget the engineering time needed to manage AKS. Even at a conservative estimate of a few hours per week per cluster, that is a real cost that does not show up in the Azure bill.

    When to Choose AKS

    AKS is the right choice when your requirements push beyond what a managed platform can abstract cleanly. Choose AKS when you have a dedicated platform or DevOps team that can own the cluster, when you need custom Kubernetes operators or CRDs that do not exist as managed services, when your workload has complex stateful requirements with specific storage class needs, when you need precise control over networking at the pod and node level, or when you are running multiple teams with very different workloads that benefit from a shared cluster with namespace isolation and RBAC at scale.

    AKS is also the better choice if your organization has existing Kubernetes expertise and well-established GitOps workflows using tools like Flux or ArgoCD. The investment in that expertise has a higher return on a full Kubernetes environment than on a platform that abstracts it away.

    When to Choose Azure Container Apps

    Azure Container Apps wins when developer productivity and operational simplicity are the primary constraints. Choose ACA when your team does not have or does not want to staff dedicated Kubernetes expertise, when your workloads are event-driven or have variable traffic patterns that benefit from scale-to-zero, when you want built-in Dapr support for microservice communication without managing a service mesh, when you need fast time-to-production without cluster provisioning and configuration overhead, or when you are running internal tooling, staging environments, or background processors where operational complexity would be disproportionate to the workload value.

    ACA has also matured significantly since its initial release. Dedicated plan pricing, GPU support, and improved VNet integration have addressed many of the early limitations that pushed teams toward AKS by default. It is worth re-evaluating ACA even if you dismissed it a year or two ago.

    The Decision in One Question

    If you could only ask one question to guide this decision, ask this: Does your team want to operate a container platform, or use one?

    AKS is for teams that want — or need — to operate a platform. ACA is for teams that want to use one. Both are excellent tools. Neither is the wrong answer in the right context. The mistake is defaulting to one without honestly evaluating what your specific team, workload, and organizational constraints actually need.

  • How to Use Managed Identities in Azure Container Apps Without Leaking Secrets

    How to Use Managed Identities in Azure Container Apps Without Leaking Secrets

    Abstract illustration of cloud containers connecting to secured identity tokens and protected services

    Azure Container Apps give teams a fast way to run APIs, workers, and background services without managing the full Kubernetes control plane. That convenience is real, but it can create a dangerous illusion: if the deployment feels modern, the security model must already be modern too. In practice, many teams still smuggle secrets into environment variables, CI pipelines, and app settings even when the platform gives them a better option.

    The better default is to use managed identities wherever the workload needs to call Azure services. Managed identities do not eliminate every security decision, but they do remove a large class of avoidable secret handling problems. The key is to treat identity design as part of the application architecture, not as a last-minute checkbox after the container already works.

    Why Secret-Based Access Keeps Sneaking Back In

    Teams usually fall back to secrets because they are easy to understand in the short term. A developer creates a storage key, drops it into a configuration value, tests the app, and moves on. The same pattern then spreads to database connections, Key Vault access, service bus clients, and deployment scripts.

    The trouble is that secrets create long-lived trust. They get copied into local machines, build logs, variable groups, and troubleshooting notes. Once that happens, the question is no longer whether the app can reach a service. The real question is how many places now contain reusable credentials that nobody will rotate until something breaks.

    Managed Identity Changes the Default Trust Model

    A managed identity lets the Azure platform issue tokens to the workload when it needs to call another Azure resource. That means the application can request access at runtime instead of carrying a static secret around with it. For Azure Container Apps, this is especially useful because the app often needs to reach services such as Key Vault, Storage, Service Bus, Azure SQL, or internal APIs protected through Entra ID.

    This shifts the trust model in a healthier direction. Instead of protecting one secret forever, the team protects the identity boundary and the role assignments behind it. Tokens become short-lived, rotation becomes an Azure problem instead of an application problem, and accidental credential sprawl becomes much harder to justify.

    Choose System-Assigned or User-Assigned on Purpose

    Azure gives you both system-assigned and user-assigned managed identities, and the right choice depends on the workload design. A system-assigned identity is tied directly to one container app. It is simple, clean, and often the right fit when a single application has its own narrow access pattern.

    A user-assigned identity makes more sense when several workloads need the same identity boundary, when lifecycle independence matters, or when a platform team wants tighter control over how identity objects are named and reused. The mistake is not choosing one model over the other. The mistake is letting convenience decide without asking whether the identity should follow the app or outlive it.

    Grant Access at the Smallest Useful Scope

    Managed identity helps most when it is paired with disciplined authorization. If a container app only needs one secret from one vault, it should not receive broad contributor rights on an entire subscription. If it only reads from one queue, it should not be able to manage every messaging namespace in the environment.

    That sounds obvious, but broad scope is still where many implementations drift. Teams are under delivery pressure, a role assignment at the resource-group level makes the error disappear, and the temporary fix quietly becomes permanent. Good identity design means pushing back on that shortcut and assigning roles at the narrowest scope that still lets the app function.

    Do Not Confuse Key Vault With a Full Security Strategy

    Key Vault is useful, but it is not a substitute for proper identity design. Many teams improve from plain-text secrets in source control to secrets pulled from Key Vault at startup, then stop there. That is better than the original pattern, but it can still leave the application holding long-lived credentials it did not need to have in the first place.

    If the target Azure service supports Entra-based authentication directly, managed identity is usually the better path. Key Vault still belongs in the architecture for cases where a secret truly must exist, but it should not become an excuse to keep every integration secret-shaped forever.

    Plan for Local Development Without Undoing Production Hygiene

    One reason secret patterns survive is that developers want a simple local setup. That need is understandable, but the local developer experience should not quietly define the production trust model. The healthier pattern is to let developers authenticate with their own Entra identities locally, while the deployed container app uses its managed identity in Azure.

    This keeps environments honest. The code path stays aligned with token-based access, developers retain traceable permissions, and the team avoids inventing an extra pile of shared development secrets just to make the app start up on a laptop.

    Observability Matters After the First Successful Token Exchange

    Many teams stop thinking about identity as soon as the application can fetch a token and call the target service. That is too early to declare victory. You still need to know which identity the app is using, which resources it can access, how failures surface, and how role changes are reviewed over time.

    That is especially important in shared cloud environments where several apps, pipelines, and platform services evolve at once. If identity assignments are not documented and reviewable, a clean managed identity implementation can still drift into a broad trust relationship that nobody intended to create.

    Final Takeaway

    Managed identities in Azure Container Apps are not just a convenience feature. They are one of the clearest ways to reduce secret sprawl and tighten workload access without slowing teams down. The payoff comes when identity boundaries, scopes, and role assignments are designed deliberately instead of accepted as whatever finally made the deployment succeed.

    If your container app still depends on copied connection strings and long-lived credentials, the platform is already giving you a better path. Use it before those secrets become permanent infrastructure baggage.