Source from repo
Azure Cloud Migrate

Assess and migrate workloads from AWS, GCP, or other clouds to Azure services.
microsoftGitHub microsoftOfficialSource repo Original GitHub link Publisher page
Files
Skill
n/a
Size
177.6 KB
Entrypoint
SKILL.md
Format
git-repo
Open file
references/services/container-apps/cloudrun-deployment-guide.md

Syntax-highlighted preview of this file as included in the skill package.
Rendered Source
markdown214 linesFree
references/services/container-apps/cloudrun-deployment-guide.md
1# Deployment: Cloud Run to Container Apps
2 
3## Prerequisites
4 
5Azure CLI 2.53+, gcloud CLI, Docker, ACR, Key Vault, Log Analytics
6 
7## Phase 1: Image Migration
8 
9### Bash
10 
11```bash
12set -euo pipefail
13GCP_PROJECT="${GCP_PROJECT:-<project>}"
14GCP_REGION="${GCP_REGION:-<region>}"
15ACR_NAME="${ACR_NAME:-<acr>}"
16 
17gcloud auth configure-docker "${GCP_REGION}-docker.pkg.dev"
18az acr login --name "$ACR_NAME"
19for img in "app:v1" "worker:v1"; do
20  docker pull "${GCP_REGION}-docker.pkg.dev/${GCP_PROJECT}/<repo>/$img"
21  docker tag "${GCP_REGION}-docker.pkg.dev/${GCP_PROJECT}/<repo>/$img" "${ACR_NAME}.azurecr.io/$img"
22  docker push "${ACR_NAME}.azurecr.io/$img"
23done
24```
25 
26### PowerShell
27 
28```powershell
29$GCP_PROJECT = if ($env:GCP_PROJECT) { $env:GCP_PROJECT } else { "<project>" }
30$GCP_REGION = if ($env:GCP_REGION) { $env:GCP_REGION } else { "<region>" }
31$ACR_NAME = if ($env:ACR_NAME) { $env:ACR_NAME } else { "<acr>" }
32 
33gcloud auth configure-docker "${GCP_REGION}-docker.pkg.dev"
34az acr login --name $ACR_NAME
35@("app:v1", "worker:v1") | ForEach-Object {
36  docker pull "${GCP_REGION}-docker.pkg.dev/${GCP_PROJECT}/<repo>/$_"
37  docker tag "${GCP_REGION}-docker.pkg.dev/${GCP_PROJECT}/<repo>/$_" "${ACR_NAME}.azurecr.io/$_"
38  docker push "${ACR_NAME}.azurecr.io/$_"
39}
40```
41 
42## Phase 2: Infrastructure
43 
44> Choose ONE path: basic (without VNet) OR VNet-integrated.
45 
46### Basic (no VNet)
47 
48#### Bash
49 
50```bash
51set -euo pipefail
52az group create --name "$RG" --location "$LOCATION"
53az monitor log-analytics workspace create -g "$RG" -n "${RG}-logs" -l "$LOCATION"
54LOG_ID=$(az monitor log-analytics workspace show -g "$RG" -n "${RG}-logs" --query customerId -o tsv)
55LOG_KEY=$(az monitor log-analytics workspace get-shared-keys -g "$RG" -n "${RG}-logs" --query primarySharedKey -o tsv)
56az containerapp env create -n "${RG}-env" -g "$RG" -l "$LOCATION" \
57  --logs-workspace-id "$LOG_ID" --logs-workspace-key "$LOG_KEY"
58```
59 
60#### PowerShell
61 
62```powershell
63az group create --name $RG --location $LOCATION
64az monitor log-analytics workspace create -g $RG -n "${RG}-logs" -l $LOCATION
65$workspace = az monitor log-analytics workspace show -g $RG -n "${RG}-logs" | ConvertFrom-Json
66$keys = az monitor log-analytics workspace get-shared-keys -g $RG -n "${RG}-logs" | ConvertFrom-Json
67az containerapp env create -n "${RG}-env" -g $RG -l $LOCATION `
68  --logs-workspace-id $workspace.customerId --logs-workspace-key $keys.primarySharedKey
69```
70 
71### VNet-Integrated
72 
73#### Bash
74 
75```bash
76set -euo pipefail
77az network vnet create -g "$RG" -n "${RG}-vnet" \
78  --address-prefix 10.0.0.0/16 --subnet-name aca-subnet --subnet-prefix 10.0.0.0/23
79SUBNET_ID=$(az network vnet subnet show -g "$RG" --vnet-name "${RG}-vnet" -n aca-subnet --query id -o tsv)
80az containerapp env create -n "${RG}-env" -g "$RG" -l "$LOCATION" \
81  --logs-workspace-id "$LOG_ID" --logs-workspace-key "$LOG_KEY" \
82  --infrastructure-subnet-resource-id "$SUBNET_ID"
83```
84 
85#### PowerShell
86 
87```powershell
88az network vnet create -g $RG -n "${RG}-vnet" `
89  --address-prefix 10.0.0.0/16 --subnet-name aca-subnet --subnet-prefix 10.0.0.0/23
90$subnet = az network vnet subnet show -g $RG --vnet-name "${RG}-vnet" -n aca-subnet | ConvertFrom-Json
91az containerapp env create -n "${RG}-env" -g $RG -l $LOCATION `
92  --logs-workspace-id $workspace.customerId --logs-workspace-key $keys.primarySharedKey `
93  --infrastructure-subnet-resource-id $subnet.id
94```
95 
96## Phase 3: Secrets & Identity
97 
98### Bash
99 
100```bash
101set -euo pipefail
102az keyvault create --name "$KEY_VAULT" -g "$RG" -l "$LOCATION"
103IDENTITY_ID=$(az identity create -n "${RG}-id" -g "$RG" -l "$LOCATION" --query id -o tsv)
104PRINCIPAL_ID=$(az identity show --ids "$IDENTITY_ID" --query principalId -o tsv)
105 
106# Grant Key Vault access — use RBAC (recommended) or access policies
107# Option A: RBAC (default for new vaults)
108KV_ID=$(az keyvault show --name "$KEY_VAULT" --query id -o tsv)
109az role assignment create --assignee "$PRINCIPAL_ID" \
110  --role "Key Vault Secrets User" --scope "$KV_ID"
111# Option B: Access policies (if vault uses access-policy mode)
112# az keyvault set-policy --name "$KEY_VAULT" --object-id "$PRINCIPAL_ID" --secret-permissions get list
113 
114# Migrate secrets without writing them to disk
115az keyvault secret set --vault-name "$KEY_VAULT" --name <secret-name> \
116  --value "$(gcloud secrets versions access latest --secret=<secret-id> --project="$GCP_PROJECT")"
117 
118# ACR pull access
119ACR_ID=$(az acr show --name "$ACR_NAME" --query id -o tsv)
120az role assignment create --assignee "$PRINCIPAL_ID" --role AcrPull --scope "$ACR_ID"
121```
122 
123### PowerShell
124 
125```powershell
126az keyvault create --name $KEY_VAULT -g $RG -l $LOCATION
127$identity = az identity create -n "${RG}-id" -g $RG -l $LOCATION | ConvertFrom-Json
128$principalId = (az identity show --ids $identity.id | ConvertFrom-Json).principalId
129 
130# Grant Key Vault access — RBAC (recommended)
131$kvId = (az keyvault show --name $KEY_VAULT | ConvertFrom-Json).id
132az role assignment create --assignee $principalId `
133  --role "Key Vault Secrets User" --scope $kvId
134 
135# Migrate secrets without writing them to disk
136$secretValue = gcloud secrets versions access latest --secret=<secret-id> --project=$GCP_PROJECT
137az keyvault secret set --vault-name $KEY_VAULT --name <secret-name> --value $secretValue
138Remove-Variable secretValue
139 
140# ACR pull access
141$acrId = (az acr show --name $ACR_NAME | ConvertFrom-Json).id
142az role assignment create --assignee $principalId --role AcrPull --scope $acrId
143```
144 
145## Phase 4: Deploy Container App
146 
147### Bash
148 
149```bash
150set -euo pipefail
151SECRET_URI=$(az keyvault secret show --vault-name "$KEY_VAULT" --name db-pw --query id -o tsv)
152az containerapp create \
153  --name <app-name> -g "$RG" --environment "${RG}-env" \
154  --image "${ACR_NAME}.azurecr.io/app:v1" --target-port 8080 --ingress external \
155  --cpu 1.0 --memory 1Gi --min-replicas 0 --max-replicas 10 \
156  --user-assigned "$IDENTITY_ID" --registry-identity "$IDENTITY_ID" \
157  --registry-server "${ACR_NAME}.azurecr.io" \
158  --secrets db-pw=keyvaultref:"${SECRET_URI}",identityref:"${IDENTITY_ID}" \
159  --env-vars ENV=prod DB_PASSWORD=secretref:db-pw \
160  --scale-rule-name http --scale-rule-type http --scale-rule-http-concurrency 80
161```
162 
163### PowerShell
164 
165```powershell
166$secret = az keyvault secret show --vault-name $KEY_VAULT --name db-pw | ConvertFrom-Json
167az containerapp create `
168  --name <app-name> -g $RG --environment "${RG}-env" `
169  --image "${ACR_NAME}.azurecr.io/app:v1" --target-port 8080 --ingress external `
170  --cpu 1.0 --memory 1Gi --min-replicas 0 --max-replicas 10 `
171  --user-assigned $identity.id --registry-identity $identity.id `
172  --registry-server "${ACR_NAME}.azurecr.io" `
173  --secrets "db-pw=keyvaultref:$($secret.id),identityref:$($identity.id)" `
174  --env-vars "ENV=prod" "DB_PASSWORD=secretref:db-pw" `
175  --scale-rule-name http --scale-rule-type http --scale-rule-http-concurrency 80
176```
177 
178### Configuration Mapping
179 
180| Cloud Run | Container Apps |
181|-----------|----------------|
182| `--min-instances 0` | `--min-replicas 0` |
183| `--max-instances 10` | `--max-replicas 10` |
184| `--concurrency 80` | `--scale-rule-http-concurrency 80` |
185| `--cpu 1` | `--cpu 1.0` |
186| `--memory 512Mi` | `--memory 1Gi` |
187 
188## Phase 5: Validation
189 
190### Bash
191 
192```bash
193FQDN=$(az containerapp show --name <app-name> -g "$RG" --query properties.configuration.ingress.fqdn -o tsv)
194curl -I "https://$FQDN/health"
195az containerapp logs show --name <app-name> -g "$RG" --tail 100
196```
197 
198### PowerShell
199 
200```powershell
201$app = az containerapp show --name <app-name> -g $RG | ConvertFrom-Json
202Invoke-WebRequest -Uri "https://$($app.properties.configuration.ingress.fqdn)/health"
203az containerapp logs show --name <app-name> -g $RG --tail 100
204```
205 
206## Troubleshooting
207 
208| Issue | Solution |
209|-------|----------|
210| Image pull fails | Verify ACR role: `az role assignment list --assignee $PRINCIPAL_ID --scope $ACR_ID -o table` |
211| App won't start | Check logs: `az containerapp logs show --name <app> -g $RG --tail 100` |
212| Secret not accessible | Verify RBAC: `az role assignment list --assignee $PRINCIPAL_ID --scope $KV_ID -o table` |
213| Scaling not working | Check config: `az containerapp show --name <app> --query properties.template.scale` |
214
Preparing the source view

Azure Cloud Migrate

references/services/container-apps/cloudrun-deployment-guide.md
