Source from repo
Azure Cloud Migrate

Assess and migrate workloads from AWS, GCP, or other clouds to Azure services.
microsoftGitHub microsoftOfficialSource repo Original GitHub link Publisher page
Files
Skill
n/a
Size
177.6 KB
Entrypoint
SKILL.md
Format
git-repo
Open file
references/services/container-apps/fargate-deployment-guide.md

Syntax-highlighted preview of this file as included in the skill package.
Rendered Source
markdown217 linesFree
references/services/container-apps/fargate-deployment-guide.md
1# Deployment: Fargate to Container Apps
2 
3## Prerequisites
4 
5Azure CLI 2.53+ with `containerapp` extension, AWS CLI v2, Docker, ACR, Key Vault, Log Analytics
6 
7## Phase 1: Container Registry Migration
8 
9```bash
10set -euo pipefail
11aws ecr get-login-password --region "$AWS_REGION" | \
12  docker login --username AWS --password-stdin "${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com"
13az acr login --name "$ACR_NAME"
14docker pull "${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${IMAGE}"
15docker tag "${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${IMAGE}" "${ACR_NAME}.azurecr.io/${IMAGE}"
16docker push "${ACR_NAME}.azurecr.io/${IMAGE}"
17```
18 
19```powershell
20$ErrorActionPreference = 'Stop'
21$ecrPassword = aws ecr get-login-password --region $env:AWS_REGION
22$ecrPassword | docker login --username AWS --password-stdin "$($env:AWS_ACCOUNT_ID).dkr.ecr.$($env:AWS_REGION).amazonaws.com"
23az acr login --name $env:ACR_NAME
24docker pull "$($env:AWS_ACCOUNT_ID).dkr.ecr.$($env:AWS_REGION).amazonaws.com/$($env:IMAGE)"
25docker tag "$($env:AWS_ACCOUNT_ID).dkr.ecr.$($env:AWS_REGION).amazonaws.com/$($env:IMAGE)" "$($env:ACR_NAME).azurecr.io/$($env:IMAGE)"
26docker push "$($env:ACR_NAME).azurecr.io/$($env:IMAGE)"
27```
28 
29## Phase 2: Infrastructure
30 
31> Choose ONE path: basic (without VNet) OR VNet-integrated.
32 
33### Basic (no VNet)
34 
35```bash
36set -euo pipefail
37az group create --name "$RG" --location "$LOCATION"
38az monitor log-analytics workspace create -g "$RG" -n "${RG}-logs" -l "$LOCATION"
39LOG_ID=$(az monitor log-analytics workspace show -g "$RG" -n "${RG}-logs" --query customerId -o tsv)
40# Keyless (recommended): avoids handling the shared key entirely
41az containerapp env create -n "${RG}-env" -g "$RG" -l "$LOCATION" \
42  --logs-destination azure-monitor --logs-workspace-id "$LOG_ID"
43# Fallback: use shared key if azure-monitor destination is not available
44# LOG_KEY=$(az monitor log-analytics workspace get-shared-keys -g "$RG" -n "${RG}-logs" --query primarySharedKey -o tsv)
45# az containerapp env create -n "${RG}-env" -g "$RG" -l "$LOCATION" \
46#   --logs-workspace-id "$LOG_ID" --logs-workspace-key "$LOG_KEY"
47```
48 
49```powershell
50$ErrorActionPreference = 'Stop'
51az group create --name $env:RG --location $env:LOCATION
52az monitor log-analytics workspace create -g $env:RG -n "$($env:RG)-logs" -l $env:LOCATION
53$logId = az monitor log-analytics workspace show -g $env:RG -n "$($env:RG)-logs" --query customerId -o tsv
54# Keyless (recommended): avoids handling the shared key entirely
55az containerapp env create -n "$($env:RG)-env" -g $env:RG -l $env:LOCATION `
56  --logs-destination azure-monitor --logs-workspace-id $logId
57# Fallback: use shared key if azure-monitor destination is not available
58# $logKey = az monitor log-analytics workspace get-shared-keys -g $env:RG -n "$($env:RG)-logs" --query primarySharedKey -o tsv
59# az containerapp env create -n "$($env:RG)-env" -g $env:RG -l $env:LOCATION `
60#   --logs-workspace-id $logId --logs-workspace-key $logKey
61```
62 
63### VNet-Integrated
64 
65```bash
66set -euo pipefail
67az group create --name "$RG" --location "$LOCATION"
68az monitor log-analytics workspace create -g "$RG" -n "${RG}-logs" -l "$LOCATION"
69LOG_ID=$(az monitor log-analytics workspace show -g "$RG" -n "${RG}-logs" --query customerId -o tsv)
70az network vnet create -g "$RG" -n "${RG}-vnet" \
71  --address-prefix 10.0.0.0/16 --subnet-name aca-subnet --subnet-prefix 10.0.0.0/23
72SUBNET_ID=$(az network vnet subnet show -g "$RG" --vnet-name "${RG}-vnet" -n aca-subnet --query id -o tsv)
73az containerapp env create -n "${RG}-env" -g "$RG" -l "$LOCATION" \
74  --logs-destination azure-monitor --logs-workspace-id "$LOG_ID" \
75  --infrastructure-subnet-resource-id "$SUBNET_ID"
76```
77 
78```powershell
79$ErrorActionPreference = 'Stop'
80az group create --name $env:RG --location $env:LOCATION
81az monitor log-analytics workspace create -g $env:RG -n "$($env:RG)-logs" -l $env:LOCATION
82$logId = az monitor log-analytics workspace show -g $env:RG -n "$($env:RG)-logs" --query customerId -o tsv
83az network vnet create -g $env:RG -n "$($env:RG)-vnet" `
84  --address-prefix 10.0.0.0/16 --subnet-name aca-subnet --subnet-prefix 10.0.0.0/23
85$subnet = az network vnet subnet show -g $env:RG --vnet-name "$($env:RG)-vnet" -n aca-subnet | ConvertFrom-Json
86az containerapp env create -n "$($env:RG)-env" -g $env:RG -l $env:LOCATION `
87  --logs-destination azure-monitor --logs-workspace-id $logId `
88  --infrastructure-subnet-resource-id $subnet.id
89```
90 
91## Phase 3: Secrets & Identity
92 
93```bash
94set -euo pipefail
95az keyvault create --name "$KEY_VAULT" -g "$RG" -l "$LOCATION" \
96  --enable-rbac-authorization true
97IDENTITY_ID=$(az identity create -n "${RG}-id" -g "$RG" -l "$LOCATION" --query id -o tsv)
98PRINCIPAL_ID=$(az identity show --ids "$IDENTITY_ID" --query principalId -o tsv)
99 
100# Grant Key Vault access — use RBAC (recommended) or access policies
101# Option A: RBAC (enabled on the vault created above)
102KV_ID=$(az keyvault show --name "$KEY_VAULT" --query id -o tsv)
103az role assignment create --assignee "$PRINCIPAL_ID" \
104  --role "Key Vault Secrets User" --scope "$KV_ID"
105# Option B: Access policies (if vault uses access policy mode)
106# az keyvault set-policy --name "$KEY_VAULT" --object-id "$PRINCIPAL_ID" --secret-permissions get list
107 
108# Migrate secrets more safely: avoid passing the secret as a CLI argument.
109# Use a locked-down temporary file, import with --file, and remove it immediately.
110# Do not run this in shared, monitored, or recorded environments.
111umask 077
112secret_file="$(mktemp)"
113trap 'rm -f "$secret_file"' EXIT
114aws secretsmanager get-secret-value --secret-id <secret-id> --region <region> \
115  --query SecretString --output text > "$secret_file"
116az keyvault secret set --vault-name "$KEY_VAULT" --name <secret-name> \
117  --file "$secret_file"
118rm -f "$secret_file"
119trap - EXIT
120 
121# ACR pull access
122ACR_ID=$(az acr show --name "$ACR_NAME" --query id -o tsv)
123az role assignment create --assignee "$PRINCIPAL_ID" --role AcrPull --scope "$ACR_ID"
124```
125 
126```powershell
127$ErrorActionPreference = 'Stop'
128az keyvault create --name $env:KEY_VAULT -g $env:RG -l $env:LOCATION --enable-rbac-authorization true
129$identityId = az identity create -n "$($env:RG)-id" -g $env:RG -l $env:LOCATION --query id -o tsv
130$principalId = az identity show --ids $identityId --query principalId -o tsv
131 
132# Grant Key Vault access — use RBAC (recommended) or access policies
133# Option A: RBAC (enabled on the vault created above)
134$kvId = az keyvault show --name $env:KEY_VAULT --query id -o tsv
135az role assignment create --assignee $principalId `
136  --role "Key Vault Secrets User" --scope $kvId
137# Option B: Access policies (if vault uses access policy mode)
138# az keyvault set-policy --name $env:KEY_VAULT --object-id $principalId --secret-permissions get list
139 
140# Migrate secrets more safely: use a temp file instead of passing as CLI argument.
141# Do not run this in shared, monitored, or recorded environments.
142$secretFile = [System.IO.Path]::GetTempFileName()
143try {
144    aws secretsmanager get-secret-value --secret-id <secret-id> --region <region> `
145      --query SecretString --output text | Set-Content -Path $secretFile -NoNewline
146    az keyvault secret set --vault-name $env:KEY_VAULT --name <secret-name> `
147      --file $secretFile
148} finally {
149    Remove-Item -Path $secretFile -Force -ErrorAction SilentlyContinue
150}
151 
152# ACR pull access
153$acrId = az acr show --name $env:ACR_NAME --query id -o tsv
154az role assignment create --assignee $principalId --role AcrPull --scope $acrId
155```
156 
157## Phase 4: Deploy
158 
159```bash
160set -euo pipefail
161SECRET_URI=$(az keyvault secret show --vault-name "$KEY_VAULT" --name db-password --query id -o tsv)
162az containerapp create --name <app-name> -g "$RG" --environment "${RG}-env" \
163  --image "${ACR_NAME}.azurecr.io/<image>:<tag>" --target-port 8080 --ingress external \
164  --cpu 0.5 --memory 1Gi --min-replicas 1 --max-replicas 10 \
165  --user-assigned "$IDENTITY_ID" --registry-identity "$IDENTITY_ID" \
166  --registry-server "${ACR_NAME}.azurecr.io" \
167  --secrets db-pass=keyvaultref:"${SECRET_URI}",identityref:"${IDENTITY_ID}" \
168  --env-vars ENV=production DB_PASSWORD=secretref:db-pass
169```
170 
171```powershell
172$ErrorActionPreference = 'Stop'
173$secretUri = az keyvault secret show --vault-name $env:KEY_VAULT --name db-password --query id -o tsv
174az containerapp create --name <app-name> -g $env:RG --environment "$($env:RG)-env" `
175  --image "$($env:ACR_NAME).azurecr.io/<image>:<tag>" --target-port 8080 --ingress external `
176  --cpu 0.5 --memory 1Gi --min-replicas 1 --max-replicas 10 `
177  --user-assigned $identityId --registry-identity $identityId `
178  --registry-server "$($env:ACR_NAME).azurecr.io" `
179  --secrets "db-pass=keyvaultref:$($secretUri),identityref:$($identityId)" `
180  --env-vars ENV=production DB_PASSWORD=secretref:db-pass
181```
182 
183### Configuration Mapping
184 
185| ECS Task Definition | Container Apps CLI |
186|---------------------|--------------------|
187| `cpu: "512"` (0.5 vCPU) | `--cpu 0.5` |
188| `memory: "1024"` (1 GB) | `--memory 1Gi` |
189| `containerPort: 8080` | `--target-port 8080` |
190| `desiredCount: 2` | `--min-replicas 2` |
191| `secrets` (Secrets Manager ARN) | `--secrets name=keyvaultref:URI,identityref:ID` |
192| `environment` (env vars) | `--env-vars KEY=value` |
193 
194## Phase 5: Validate
195 
196```bash
197set -euo pipefail
198FQDN=$(az containerapp show --name <app-name> -g "$RG" --query properties.configuration.ingress.fqdn -o tsv)
199curl -f -I "https://$FQDN/health" || { echo "Health check failed"; exit 1; }
200az containerapp logs show --name <app-name> -g "$RG" --tail 100
201```
202 
203```powershell
204$ErrorActionPreference = 'Stop'
205$fqdn = az containerapp show --name <app-name> -g $env:RG --query properties.configuration.ingress.fqdn -o tsv
206Invoke-WebRequest -Uri "https://$fqdn/health" -Method Head
207az containerapp logs show --name <app-name> -g $env:RG --tail 100
208```
209 
210## Troubleshooting
211 
212| Issue | Solution |
213|-------|----------|
214| Image pull fails | Verify ACR role: `az role assignment list --assignee $(az identity show --ids <identity-resource-id> --query principalId -o tsv) --scope $(az acr show -n <acr-name> --query id -o tsv)` |
215| App won't start | Check logs: `az containerapp logs show --name <app-name> -g <resource-group> --tail 100` |
216| Secret not accessible | Verify RBAC: `az role assignment list --assignee $(az identity show --ids <identity-resource-id> --query principalId -o tsv) --scope $(az keyvault show -n <vault-name> --query id -o tsv)` |
217
Preparing the source view

Azure Cloud Migrate

references/services/container-apps/fargate-deployment-guide.md
