Source from repo
Azure Cloud Migrate

GitHub Copilot for Azure plugin providing Azure service management and development assistance inside Claude Code and IDEs.
microsoftGitHub microsoftOfficialSource repo Original GitHub link Publisher page
Files
Skill
n/a
Size
177.7 KB
Entrypoint
SKILL.md
Format
git-repo
Open file
references/services/container-apps/fargate-deployment-guide.md

Syntax-highlighted preview of this file as included in the skill package.
Rendered Source
markdown217 linesFree
references/services/container-apps/fargate-deployment-guide.md
1# Deployment: Fargate to Container Apps
2 
3## Prerequisites
4 
5Azure CLI 2.53+ with `containerapp` extension, AWS CLI v2, Docker, ACR, Key Vault, Log Analytics
6 
7## Phase 1: Container Registry Migration
8 
9```bash
10set -euo pipefail
11aws ecr get-login-password --region "$AWS_REGION" | \
12  docker login --username AWS --password-stdin "${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com"
13az acr login --name "$ACR_NAME"
14docker pull "${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${IMAGE}"
15docker tag "${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${IMAGE}" "${ACR_NAME}.azurecr.io/${IMAGE}"
16docker push "${ACR_NAME}.azurecr.io/${IMAGE}"
17```
18 
19```powershell
20$ErrorActionPreference = 'Stop'
21$ecrPassword = aws ecr get-login-password --region $env:AWS_REGION
22$ecrPassword | docker login --username AWS --password-stdin "$($env:AWS_ACCOUNT_ID).dkr.ecr.$($env:AWS_REGION).amazonaws.com"
23az acr login --name $env:ACR_NAME
24docker pull "$($env:AWS_ACCOUNT_ID).dkr.ecr.$($env:AWS_REGION).amazonaws.com/$($env:IMAGE)"
25docker tag "$($env:AWS_ACCOUNT_ID).dkr.ecr.$($env:AWS_REGION).amazonaws.com/$($env:IMAGE)" "$($env:ACR_NAME).azurecr.io/$($env:IMAGE)"
26docker push "$($env:ACR_NAME).azurecr.io/$($env:IMAGE)"
27```
28 
29## Phase 2: Infrastructure
30 
31> Choose ONE path: basic (without VNet) OR VNet-integrated.
32 
33### Basic (no VNet)
34 
35```bash
36set -euo pipefail
37az group create --name "$RG" --location "$LOCATION"
38az monitor log-analytics workspace create -g "$RG" -n "${RG}-logs" -l "$LOCATION"
39LOG_ID=$(az monitor log-analytics workspace show -g "$RG" -n "${RG}-logs" --query customerId -o tsv)
40# Keyless (recommended): avoids handling the shared key entirely
41az containerapp env create -n "${RG}-env" -g "$RG" -l "$LOCATION" \
42  --logs-destination azure-monitor --logs-workspace-id "$LOG_ID"
43# Fallback: use shared key if azure-monitor destination is not available
44# LOG_KEY=$(az monitor log-analytics workspace get-shared-keys -g "$RG" -n "${RG}-logs" --query primarySharedKey -o tsv)
45# az containerapp env create -n "${RG}-env" -g "$RG" -l "$LOCATION" \
46#   --logs-workspace-id "$LOG_ID" --logs-workspace-key "$LOG_KEY"
47```
48 
49```powershell
50$ErrorActionPreference = 'Stop'
51az group create --name $env:RG --location $env:LOCATION
52az monitor log-analytics workspace create -g $env:RG -n "$($env:RG)-logs" -l $env:LOCATION
53$logId = az monitor log-analytics workspace show -g $env:RG -n "$($env:RG)-logs" --query customerId -o tsv
54# Keyless (recommended): avoids handling the shared key entirely
55az containerapp env create -n "$($env:RG)-env" -g $env:RG -l $env:LOCATION `
56  --logs-destination azure-monitor --logs-workspace-id $logId
57# Fallback: use shared key if azure-monitor destination is not available
58# $logKey = az monitor log-analytics workspace get-shared-keys -g $env:RG -n "$($env:RG)-logs" --query primarySharedKey -o tsv
59# az containerapp env create -n "$($env:RG)-env" -g $env:RG -l $env:LOCATION `
60#   --logs-workspace-id $logId --logs-workspace-key $logKey
61```
62 
63### VNet-Integrated
64 
65```bash
66set -euo pipefail
67az group create --name "$RG" --location "$LOCATION"
68az monitor log-analytics workspace create -g "$RG" -n "${RG}-logs" -l "$LOCATION"
69LOG_ID=$(az monitor log-analytics workspace show -g "$RG" -n "${RG}-logs" --query customerId -o tsv)
70az network vnet create -g "$RG" -n "${RG}-vnet" \
71  --address-prefix 10.0.0.0/16 --subnet-name aca-subnet --subnet-prefix 10.0.0.0/23
72SUBNET_ID=$(az network vnet subnet show -g "$RG" --vnet-name "${RG}-vnet" -n aca-subnet --query id -o tsv)
73az containerapp env create -n "${RG}-env" -g "$RG" -l "$LOCATION" \
74  --logs-destination azure-monitor --logs-workspace-id "$LOG_ID" \
75  --infrastructure-subnet-resource-id "$SUBNET_ID"
76```
77 
78```powershell
79$ErrorActionPreference = 'Stop'
80az group create --name $env:RG --location $env:LOCATION
81az monitor log-analytics workspace create -g $env:RG -n "$($env:RG)-logs" -l $env:LOCATION
82$logId = az monitor log-analytics workspace show -g $env:RG -n "$($env:RG)-logs" --query customerId -o tsv
83az network vnet create -g $env:RG -n "$($env:RG)-vnet" `
84  --address-prefix 10.0.0.0/16 --subnet-name aca-subnet --subnet-prefix 10.0.0.0/23
85$subnet = az network vnet subnet show -g $env:RG --vnet-name "$($env:RG)-vnet" -n aca-subnet | ConvertFrom-Json
86az containerapp env create -n "$($env:RG)-env" -g $env:RG -l $env:LOCATION `
87  --logs-destination azure-monitor --logs-workspace-id $logId `
88  --infrastructure-subnet-resource-id $subnet.id
89```
90 
91## Phase 3: Secrets & Identity
92 
93```bash
94set -euo pipefail
95az keyvault create --name "$KEY_VAULT" -g "$RG" -l "$LOCATION" \
96  --enable-rbac-authorization true
97IDENTITY_ID=$(az identity create -n "${RG}-id" -g "$RG" -l "$LOCATION" --query id -o tsv)
98PRINCIPAL_ID=$(az identity show --ids "$IDENTITY_ID" --query principalId -o tsv)
99 
100# Grant Key Vault access — use RBAC (recommended) or access policies
101# Option A: RBAC (enabled on the vault created above)
102KV_ID=$(az keyvault show --name "$KEY_VAULT" --query id -o tsv)
103az role assignment create --assignee "$PRINCIPAL_ID" \
104  --role "Key Vault Secrets User" --scope "$KV_ID"
105# Option B: Access policies (if vault uses access policy mode)
106# az keyvault set-policy --name "$KEY_VAULT" --object-id "$PRINCIPAL_ID" --secret-permissions get list
107 
108# Migrate secrets more safely: avoid passing the secret as a CLI argument.
109# Use a locked-down temporary file, import with --file, and remove it immediately.
110# Do not run this in shared, monitored, or recorded environments.
111umask 077
112secret_file="$(mktemp)"
113trap 'rm -f "$secret_file"' EXIT
114aws secretsmanager get-secret-value --secret-id <secret-id> --region <region> \
115  --query SecretString --output text > "$secret_file"
116az keyvault secret set --vault-name "$KEY_VAULT" --name <secret-name> \
117  --file "$secret_file"
118rm -f "$secret_file"
119trap - EXIT
120 
121# ACR pull access
122ACR_ID=$(az acr show --name "$ACR_NAME" --query id -o tsv)
123az role assignment create --assignee "$PRINCIPAL_ID" --role AcrPull --scope "$ACR_ID"
124```
125 
126```powershell
127$ErrorActionPreference = 'Stop'
128az keyvault create --name $env:KEY_VAULT -g $env:RG -l $env:LOCATION --enable-rbac-authorization true
129$identityId = az identity create -n "$($env:RG)-id" -g $env:RG -l $env:LOCATION --query id -o tsv
130$principalId = az identity show --ids $identityId --query principalId -o tsv
131 
132# Grant Key Vault access — use RBAC (recommended) or access policies
133# Option A: RBAC (enabled on the vault created above)
134$kvId = az keyvault show --name $env:KEY_VAULT --query id -o tsv
135az role assignment create --assignee $principalId `
136  --role "Key Vault Secrets User" --scope $kvId
137# Option B: Access policies (if vault uses access policy mode)
138# az keyvault set-policy --name $env:KEY_VAULT --object-id $principalId --secret-permissions get list
139 
140# Migrate secrets more safely: use a temp file instead of passing as CLI argument.
141# Do not run this in shared, monitored, or recorded environments.
142$secretFile = [System.IO.Path]::GetTempFileName()
143try {
144    aws secretsmanager get-secret-value --secret-id <secret-id> --region <region> `
145      --query SecretString --output text | Set-Content -Path $secretFile -NoNewline
146    az keyvault secret set --vault-name $env:KEY_VAULT --name <secret-name> `
147      --file $secretFile
148} finally {
149    Remove-Item -Path $secretFile -Force -ErrorAction SilentlyContinue
150}
151 
152# ACR pull access
153$acrId = az acr show --name $env:ACR_NAME --query id -o tsv
154az role assignment create --assignee $principalId --role AcrPull --scope $acrId
155```
156 
157## Phase 4: Deploy
158 
159```bash
160set -euo pipefail
161SECRET_URI=$(az keyvault secret show --vault-name "$KEY_VAULT" --name db-password --query id -o tsv)
162az containerapp create --name <app-name> -g "$RG" --environment "${RG}-env" \
163  --image "${ACR_NAME}.azurecr.io/<image>:<tag>" --target-port 8080 --ingress external \
164  --cpu 0.5 --memory 1Gi --min-replicas 1 --max-replicas 10 \
165  --user-assigned "$IDENTITY_ID" --registry-identity "$IDENTITY_ID" \
166  --registry-server "${ACR_NAME}.azurecr.io" \
167  --secrets db-pass=keyvaultref:"${SECRET_URI}",identityref:"${IDENTITY_ID}" \
168  --env-vars ENV=production DB_PASSWORD=secretref:db-pass
169```
170 
171```powershell
172$ErrorActionPreference = 'Stop'
173$secretUri = az keyvault secret show --vault-name $env:KEY_VAULT --name db-password --query id -o tsv
174az containerapp create --name <app-name> -g $env:RG --environment "$($env:RG)-env" `
175  --image "$($env:ACR_NAME).azurecr.io/<image>:<tag>" --target-port 8080 --ingress external `
176  --cpu 0.5 --memory 1Gi --min-replicas 1 --max-replicas 10 `
177  --user-assigned $identityId --registry-identity $identityId `
178  --registry-server "$($env:ACR_NAME).azurecr.io" `
179  --secrets "db-pass=keyvaultref:$($secretUri),identityref:$($identityId)" `
180  --env-vars ENV=production DB_PASSWORD=secretref:db-pass
181```
182 
183### Configuration Mapping
184 
185| ECS Task Definition | Container Apps CLI |
186|---------------------|--------------------|
187| `cpu: "512"` (0.5 vCPU) | `--cpu 0.5` |
188| `memory: "1024"` (1 GB) | `--memory 1Gi` |
189| `containerPort: 8080` | `--target-port 8080` |
190| `desiredCount: 2` | `--min-replicas 2` |
191| `secrets` (Secrets Manager ARN) | `--secrets name=keyvaultref:URI,identityref:ID` |
192| `environment` (env vars) | `--env-vars KEY=value` |
193 
194## Phase 5: Validate
195 
196```bash
197set -euo pipefail
198FQDN=$(az containerapp show --name <app-name> -g "$RG" --query properties.configuration.ingress.fqdn -o tsv)
199curl -f -I "https://$FQDN/health" || { echo "Health check failed"; exit 1; }
200az containerapp logs show --name <app-name> -g "$RG" --tail 100
201```
202 
203```powershell
204$ErrorActionPreference = 'Stop'
205$fqdn = az containerapp show --name <app-name> -g $env:RG --query properties.configuration.ingress.fqdn -o tsv
206Invoke-WebRequest -Uri "https://$fqdn/health" -Method Head
207az containerapp logs show --name <app-name> -g $env:RG --tail 100
208```
209 
210## Troubleshooting
211 
212| Issue | Solution |
213|-------|----------|
214| Image pull fails | Verify ACR role: `az role assignment list --assignee $(az identity show --ids <identity-resource-id> --query principalId -o tsv) --scope $(az acr show -n <acr-name> --query id -o tsv)` |
215| App won't start | Check logs: `az containerapp logs show --name <app-name> -g <resource-group> --tail 100` |
216| Secret not accessible | Verify RBAC: `az role assignment list --assignee $(az identity show --ids <identity-resource-id> --query principalId -o tsv) --scope $(az keyvault show -n <vault-name> --query id -o tsv)` |
217
Preparing the source view

Azure Cloud Migrate

references/services/container-apps/fargate-deployment-guide.md
