Source from repo
Azure Cloud Migrate

GitHub Copilot for Azure plugin providing Azure service management and development assistance inside Claude Code and IDEs.
microsoftGitHub microsoftOfficialSource repo Original GitHub link Publisher page
Files
Skill
n/a
Size
177.7 KB
Entrypoint
SKILL.md
Format
git-repo
Open file
references/services/container-apps/cloudrun-deployment-guide.md

Syntax-highlighted preview of this file as included in the skill package.
Rendered Source
markdown214 linesFree
references/services/container-apps/cloudrun-deployment-guide.md
1# Deployment: Cloud Run to Container Apps
2 
3## Prerequisites
4 
5Azure CLI 2.53+, gcloud CLI, Docker, ACR, Key Vault, Log Analytics
6 
7## Phase 1: Image Migration
8 
9### Bash
10 
11```bash
12set -euo pipefail
13GCP_PROJECT="${GCP_PROJECT:-<project>}"
14GCP_REGION="${GCP_REGION:-<region>}"
15ACR_NAME="${ACR_NAME:-<acr>}"
16 
17gcloud auth configure-docker "${GCP_REGION}-docker.pkg.dev"
18az acr login --name "$ACR_NAME"
19for img in "app:v1" "worker:v1"; do
20  docker pull "${GCP_REGION}-docker.pkg.dev/${GCP_PROJECT}/<repo>/$img"
21  docker tag "${GCP_REGION}-docker.pkg.dev/${GCP_PROJECT}/<repo>/$img" "${ACR_NAME}.azurecr.io/$img"
22  docker push "${ACR_NAME}.azurecr.io/$img"
23done
24```
25 
26### PowerShell
27 
28```powershell
29$GCP_PROJECT = if ($env:GCP_PROJECT) { $env:GCP_PROJECT } else { "<project>" }
30$GCP_REGION = if ($env:GCP_REGION) { $env:GCP_REGION } else { "<region>" }
31$ACR_NAME = if ($env:ACR_NAME) { $env:ACR_NAME } else { "<acr>" }
32 
33gcloud auth configure-docker "${GCP_REGION}-docker.pkg.dev"
34az acr login --name $ACR_NAME
35@("app:v1", "worker:v1") | ForEach-Object {
36  docker pull "${GCP_REGION}-docker.pkg.dev/${GCP_PROJECT}/<repo>/$_"
37  docker tag "${GCP_REGION}-docker.pkg.dev/${GCP_PROJECT}/<repo>/$_" "${ACR_NAME}.azurecr.io/$_"
38  docker push "${ACR_NAME}.azurecr.io/$_"
39}
40```
41 
42## Phase 2: Infrastructure
43 
44> Choose ONE path: basic (without VNet) OR VNet-integrated.
45 
46### Basic (no VNet)
47 
48#### Bash
49 
50```bash
51set -euo pipefail
52az group create --name "$RG" --location "$LOCATION"
53az monitor log-analytics workspace create -g "$RG" -n "${RG}-logs" -l "$LOCATION"
54LOG_ID=$(az monitor log-analytics workspace show -g "$RG" -n "${RG}-logs" --query customerId -o tsv)
55LOG_KEY=$(az monitor log-analytics workspace get-shared-keys -g "$RG" -n "${RG}-logs" --query primarySharedKey -o tsv)
56az containerapp env create -n "${RG}-env" -g "$RG" -l "$LOCATION" \
57  --logs-workspace-id "$LOG_ID" --logs-workspace-key "$LOG_KEY"
58```
59 
60#### PowerShell
61 
62```powershell
63az group create --name $RG --location $LOCATION
64az monitor log-analytics workspace create -g $RG -n "${RG}-logs" -l $LOCATION
65$workspace = az monitor log-analytics workspace show -g $RG -n "${RG}-logs" | ConvertFrom-Json
66$keys = az monitor log-analytics workspace get-shared-keys -g $RG -n "${RG}-logs" | ConvertFrom-Json
67az containerapp env create -n "${RG}-env" -g $RG -l $LOCATION `
68  --logs-workspace-id $workspace.customerId --logs-workspace-key $keys.primarySharedKey
69```
70 
71### VNet-Integrated
72 
73#### Bash
74 
75```bash
76set -euo pipefail
77az network vnet create -g "$RG" -n "${RG}-vnet" \
78  --address-prefix 10.0.0.0/16 --subnet-name aca-subnet --subnet-prefix 10.0.0.0/23
79SUBNET_ID=$(az network vnet subnet show -g "$RG" --vnet-name "${RG}-vnet" -n aca-subnet --query id -o tsv)
80az containerapp env create -n "${RG}-env" -g "$RG" -l "$LOCATION" \
81  --logs-workspace-id "$LOG_ID" --logs-workspace-key "$LOG_KEY" \
82  --infrastructure-subnet-resource-id "$SUBNET_ID"
83```
84 
85#### PowerShell
86 
87```powershell
88az network vnet create -g $RG -n "${RG}-vnet" `
89  --address-prefix 10.0.0.0/16 --subnet-name aca-subnet --subnet-prefix 10.0.0.0/23
90$subnet = az network vnet subnet show -g $RG --vnet-name "${RG}-vnet" -n aca-subnet | ConvertFrom-Json
91az containerapp env create -n "${RG}-env" -g $RG -l $LOCATION `
92  --logs-workspace-id $workspace.customerId --logs-workspace-key $keys.primarySharedKey `
93  --infrastructure-subnet-resource-id $subnet.id
94```
95 
96## Phase 3: Secrets & Identity
97 
98### Bash
99 
100```bash
101set -euo pipefail
102az keyvault create --name "$KEY_VAULT" -g "$RG" -l "$LOCATION"
103IDENTITY_ID=$(az identity create -n "${RG}-id" -g "$RG" -l "$LOCATION" --query id -o tsv)
104PRINCIPAL_ID=$(az identity show --ids "$IDENTITY_ID" --query principalId -o tsv)
105 
106# Grant Key Vault access — use RBAC (recommended) or access policies
107# Option A: RBAC (default for new vaults)
108KV_ID=$(az keyvault show --name "$KEY_VAULT" --query id -o tsv)
109az role assignment create --assignee "$PRINCIPAL_ID" \
110  --role "Key Vault Secrets User" --scope "$KV_ID"
111# Option B: Access policies (if vault uses access-policy mode)
112# az keyvault set-policy --name "$KEY_VAULT" --object-id "$PRINCIPAL_ID" --secret-permissions get list
113 
114# Migrate secrets without writing them to disk
115az keyvault secret set --vault-name "$KEY_VAULT" --name <secret-name> \
116  --value "$(gcloud secrets versions access latest --secret=<secret-id> --project="$GCP_PROJECT")"
117 
118# ACR pull access
119ACR_ID=$(az acr show --name "$ACR_NAME" --query id -o tsv)
120az role assignment create --assignee "$PRINCIPAL_ID" --role AcrPull --scope "$ACR_ID"
121```
122 
123### PowerShell
124 
125```powershell
126az keyvault create --name $KEY_VAULT -g $RG -l $LOCATION
127$identity = az identity create -n "${RG}-id" -g $RG -l $LOCATION | ConvertFrom-Json
128$principalId = (az identity show --ids $identity.id | ConvertFrom-Json).principalId
129 
130# Grant Key Vault access — RBAC (recommended)
131$kvId = (az keyvault show --name $KEY_VAULT | ConvertFrom-Json).id
132az role assignment create --assignee $principalId `
133  --role "Key Vault Secrets User" --scope $kvId
134 
135# Migrate secrets without writing them to disk
136$secretValue = gcloud secrets versions access latest --secret=<secret-id> --project=$GCP_PROJECT
137az keyvault secret set --vault-name $KEY_VAULT --name <secret-name> --value $secretValue
138Remove-Variable secretValue
139 
140# ACR pull access
141$acrId = (az acr show --name $ACR_NAME | ConvertFrom-Json).id
142az role assignment create --assignee $principalId --role AcrPull --scope $acrId
143```
144 
145## Phase 4: Deploy Container App
146 
147### Bash
148 
149```bash
150set -euo pipefail
151SECRET_URI=$(az keyvault secret show --vault-name "$KEY_VAULT" --name db-pw --query id -o tsv)
152az containerapp create \
153  --name <app-name> -g "$RG" --environment "${RG}-env" \
154  --image "${ACR_NAME}.azurecr.io/app:v1" --target-port 8080 --ingress external \
155  --cpu 1.0 --memory 1Gi --min-replicas 0 --max-replicas 10 \
156  --user-assigned "$IDENTITY_ID" --registry-identity "$IDENTITY_ID" \
157  --registry-server "${ACR_NAME}.azurecr.io" \
158  --secrets db-pw=keyvaultref:"${SECRET_URI}",identityref:"${IDENTITY_ID}" \
159  --env-vars ENV=prod DB_PASSWORD=secretref:db-pw \
160  --scale-rule-name http --scale-rule-type http --scale-rule-http-concurrency 80
161```
162 
163### PowerShell
164 
165```powershell
166$secret = az keyvault secret show --vault-name $KEY_VAULT --name db-pw | ConvertFrom-Json
167az containerapp create `
168  --name <app-name> -g $RG --environment "${RG}-env" `
169  --image "${ACR_NAME}.azurecr.io/app:v1" --target-port 8080 --ingress external `
170  --cpu 1.0 --memory 1Gi --min-replicas 0 --max-replicas 10 `
171  --user-assigned $identity.id --registry-identity $identity.id `
172  --registry-server "${ACR_NAME}.azurecr.io" `
173  --secrets "db-pw=keyvaultref:$($secret.id),identityref:$($identity.id)" `
174  --env-vars "ENV=prod" "DB_PASSWORD=secretref:db-pw" `
175  --scale-rule-name http --scale-rule-type http --scale-rule-http-concurrency 80
176```
177 
178### Configuration Mapping
179 
180| Cloud Run | Container Apps |
181|-----------|----------------|
182| `--min-instances 0` | `--min-replicas 0` |
183| `--max-instances 10` | `--max-replicas 10` |
184| `--concurrency 80` | `--scale-rule-http-concurrency 80` |
185| `--cpu 1` | `--cpu 1.0` |
186| `--memory 512Mi` | `--memory 1Gi` |
187 
188## Phase 5: Validation
189 
190### Bash
191 
192```bash
193FQDN=$(az containerapp show --name <app-name> -g "$RG" --query properties.configuration.ingress.fqdn -o tsv)
194curl -I "https://$FQDN/health"
195az containerapp logs show --name <app-name> -g "$RG" --tail 100
196```
197 
198### PowerShell
199 
200```powershell
201$app = az containerapp show --name <app-name> -g $RG | ConvertFrom-Json
202Invoke-WebRequest -Uri "https://$($app.properties.configuration.ingress.fqdn)/health"
203az containerapp logs show --name <app-name> -g $RG --tail 100
204```
205 
206## Troubleshooting
207 
208| Issue | Solution |
209|-------|----------|
210| Image pull fails | Verify ACR role: `az role assignment list --assignee $PRINCIPAL_ID --scope $ACR_ID -o table` |
211| App won't start | Check logs: `az containerapp logs show --name <app> -g $RG --tail 100` |
212| Secret not accessible | Verify RBAC: `az role assignment list --assignee $PRINCIPAL_ID --scope $KV_ID -o table` |
213| Scaling not working | Check config: `az containerapp show --name <app> --query properties.template.scale` |
214
Preparing the source view

Azure Cloud Migrate

references/services/container-apps/cloudrun-deployment-guide.md
