
Governance Policies Azure Web Container Apps

Joshua Davis edited this page Apr 6, 2026 · 4 revisions

Container Apps

Governance policies for Container Apps

Domain: azure-web

Patterns

| Name | Description |
| --- | --- |
| Container App with Key Vault references | Declare secrets in the `secrets` array as Key Vault references (`keyVaultUrl` plus a managed identity) and expose them to containers through `secretRef`; secret values never appear in the template or in environment variables |
| Container App with health probes | Always configure liveness and readiness probes so that unhealthy replicas are restarted and kept out of ingress rotation |

Anti-Patterns

| Description | Instead |
| --- | --- |
| Do not store secrets in environment variables or app settings | Use Key Vault references with managed identity via the `secrets` array; environment variables then carry only a `secretRef` to the named secret |
| Do not use admin credentials for container registry | Disable the ACR admin user and pull images with a managed identity that holds the AcrPull role on the registry |
| Do not deploy Container Apps without VNet integration | Always deploy into a VNet-integrated managed environment, with `internal: true` when the apps must not be reachable from the internet |

Checks (5)

| Check | Severity | Description |
| --- | --- | --- |
| AZ-CA-001 | Required | Create Container Apps Environment with VNet integration and Log Analytics |
| AZ-CA-002 | Required | Create Container App with user-assigned managed identity, health probes, and Key Vault secret references |
| AZ-CA-003 | Recommended | Use consumption plan for dev/test, dedicated for production |
| AZ-CA-004 | Recommended | Set min replicas to 0 for non-critical services in dev |
| AZ-CA-005 | Recommended | Enable Container Apps system logs and console logs via environment logging |

AZ-CA-001

Create Container Apps Environment with VNet integration and Log Analytics

Severity: Required
Rationale: Network isolation is mandatory: a VNet-integrated environment keeps app-to-app traffic on the private network, lets NSGs and route tables govern egress, and supports internal-only ingress (VNet integration alone still exposes external ingress on a public IP; set `vnetConfiguration.internal` to `true` when that is not wanted). Environment-level logging enables centralized observability for every app in the environment.
Agents: terraform-agent, bicep-agent, cloud-architect

Targets

  • Microsoft.App/managedEnvironments

AZ-CA-002

Create Container App with user-assigned managed identity, health probes, and Key Vault secret references

Severity: Required
Rationale: A user-assigned identity exists before the app does, so the AcrPull and Key Vault role assignments can be in place before the first revision pulls its image (a system-assigned identity is only created with the app, so the first pull would have no permission); it can also be shared across services. Probes ensure reliability; Key Vault references eliminate secret sprawl.
Agents: terraform-agent, bicep-agent, cloud-architect

Targets

  • Microsoft.App/containerApps

Companion Resources

| Resource | Name | Purpose |
| --- | --- | --- |
| Microsoft.Authorization/roleAssignments | AcrPull | AcrPull role assignment (built-in role definition ID 7f951dda-4ed3-4680-a7ca-43fe172d538d) scoped to the registry, granting the Container App's managed identity permission to pull images from ACR. Without it the Container App cannot start: the image pull is rejected as unauthorized and the revision fails to provision, with the error visible on the revision's provisioning state and in the ContainerAppSystemLogs table rather than in the application's own output. |
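The AZ-CA-002 check together with the Anti-Patterns above (Key Vault references via the `secrets` array, a managed identity with AcrPull instead of registry admin credentials, liveness and readiness probes), as an added Bicep example that is not the project's own code. Resource names, the image tag, the secret name `db-connection`, the port and the probe paths are assumptions; the environment ID is expected as an output of the AZ-CA-001 deployment. The Key Vault Secrets User assignment applies to vaults using RBAC authorization; a vault using access policies needs a `get` secret permission for the identity instead.

```bicep
// Added example (not the project's own code): Container App with a user-assigned
// identity, AcrPull on the registry, a Key Vault secret reference and probes.
// Resource names, image, secret name, port and probe paths are assumptions.
param location string = resourceGroup().location
param environmentId string                 // output of the managed environment deployment
param acrName string = 'acrapp'
param keyVaultName string = 'kv-app'
param appName string = 'ca-api'
param image string = '${acrName}.azurecr.io/api:1.0.0'

var acrPullRoleId = '7f951dda-4ed3-4680-a7ca-43fe172d538d'        // AcrPull
var kvSecretsUserRoleId = '4633458b-17de-408a-b874-0445c86b69e6'  // Key Vault Secrets User

resource acr 'Microsoft.ContainerRegistry/registries@2023-07-01' existing = { name: acrName }
resource kv 'Microsoft.KeyVault/vaults@2023-07-01' existing = { name: keyVaultName }

// The identity exists before the app, so both role assignments are in place
// before the first revision tries to pull its image or read the secret.
resource uami 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: 'id-${appName}'
  location: location
}

resource acrPull 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(acr.id, uami.id, acrPullRoleId)
  scope: acr
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', acrPullRoleId)
    principalId: uami.properties.principalId
    principalType: 'ServicePrincipal'
  }
}

// Read-only access to secret values; needed for vaults with RBAC authorization.
resource kvRead 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, uami.id, kvSecretsUserRoleId)
  scope: kv
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', kvSecretsUserRoleId)
    principalId: uami.properties.principalId
    principalType: 'ServicePrincipal'
  }
}

resource app 'Microsoft.App/containerApps@2024-03-01' = {
  name: appName
  location: location
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: { '${uami.id}': {} }
  }
  properties: {
    managedEnvironmentId: environmentId
    configuration: {
      ingress: { external: false, targetPort: 8080 }
      registries: [
        // Identity-based pull: no username/password secret for the registry.
        { server: acr.properties.loginServer, identity: uami.id }
      ]
      secrets: [
        {
          name: 'db-connection'
          // Versionless URL: a rotated secret is picked up without redeploying.
          keyVaultUrl: '${kv.properties.vaultUri}secrets/db-connection'
          identity: uami.id
        }
      ]
    }
    template: {
      containers: [
        {
          name: 'api'
          image: image
          env: [
            // Only the reference is in the template; the value is resolved at runtime.
            { name: 'DB_CONNECTION', secretRef: 'db-connection' }
          ]
          probes: [
            { type: 'Liveness', httpGet: { path: '/healthz', port: 8080 }, initialDelaySeconds: 10, periodSeconds: 15 }
            { type: 'Readiness', httpGet: { path: '/ready', port: 8080 }, initialDelaySeconds: 5, periodSeconds: 10, failureThreshold: 3 }
          ]
        }
      ]
      scale: { minReplicas: 1, maxReplicas: 3 }
    }
  }
  // The app does not reference the role assignments, so the ordering is explicit.
  dependsOn: [ acrPull, kvRead ]
}
```

If the pull still fails after deployment, check that the assignment's `principalId` is the identity's principal ID (not its client ID) and that the registry does not have a network rule blocking the environment's egress; both failures surface as the same unauthorized pull in ContainerAppSystemLogs.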

AZ-CA-003

Use consumption plan for dev/test, dedicated for production

Severity: Recommended
Rationale: Cost optimization without sacrificing production reliability. The Consumption workload profile bills per vCPU-second and memory and can scale to zero; dedicated workload profiles reserve compute for predictable performance and support larger workloads. Profiles are declared on the managed environment and each app selects one by `workloadProfileName`.
Agents: cloud-architect, cost-analyst

Targets

  • Microsoft.App/containerApps
  • Microsoft.App/managedEnvironments (declares the available workload profiles)

AZ-CA-004

Set min replicas to 0 for non-critical services in dev

Severity: Recommended
Rationale: Avoids unnecessary spend during idle periods; with `minReplicas: 0` the last replica is removed when the scale rule sees no traffic, and the next request pays a cold start, which is acceptable for non-critical dev services but not for production endpoints.
Agents: terraform-agent, bicep-agent, cost-analyst

Targets

  • Microsoft.App/containerApps
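AZ-CA-003 and AZ-CA-004 as one added Bicep fragment (not the project's own code): a single `environmentType` parameter chooses the workload profile and the replica bounds, so a dev deployment scales to zero on Consumption while production keeps reserved capacity. The `D4` profile name, the app name and the image are assumptions; the dedicated profile must be declared in the environment's `workloadProfiles` list or the deployment is rejected.

```bicep
// Added example (not the project's own code): plan and replica bounds chosen by
// one parameter. Names, image and the 'D4' profile are assumptions; the profile
// must be declared in the environment's workloadProfiles list.
@allowed(['dev', 'prod'])
param environmentType string = 'dev'
param location string = resourceGroup().location
param environmentId string
param image string = 'mcr.microsoft.com/k8se/quickstart:latest'

var isProd = environmentType == 'prod'

resource app 'Microsoft.App/containerApps@2024-03-01' = {
  name: 'ca-worker-${environmentType}'
  location: location
  properties: {
    managedEnvironmentId: environmentId
    // Consumption bills per vCPU-second and can scale to zero; a dedicated
    // profile (here D4) gives reserved compute for production.
    workloadProfileName: isProd ? 'D4' : 'Consumption'
    configuration: {
      ingress: { external: false, targetPort: 80 }
    }
    template: {
      containers: [
        {
          name: 'worker'
          image: image
          resources: { cpu: json('0.5'), memory: '1Gi' }
        }
      ]
      scale: {
        // 0 in dev: replicas are removed when idle and the next request pays a
        // cold start. Production keeps at least 2 so one unhealthy replica does
        // not take the service offline.
        minReplicas: isProd ? 2 : 0
        maxReplicas: isProd ? 10 : 2
        rules: [
          {
            name: 'http-concurrency'
            http: { metadata: { concurrentRequests: '50' } }
          }
        ]
      }
    }
  }
}
```

Deploy with `--parameters environmentType=prod` for the production values; the scale rule is the same in both cases, only the bounds and the profile change.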

AZ-CA-005

Enable Container Apps system logs and console logs via environment logging

Severity: Recommended
Rationale: Container Apps capture console logs (stdout/stderr) and system logs (scaling, revision provisioning, image pull failures) only when the environment's `appLogsConfiguration` names a destination (`log-analytics` or `azure-monitor`); with no destination the logs are discarded, and the first image-pull or probe failure has to be debugged blind.
Agents: cloud-architect, terraform-agent, bicep-agent, monitoring-agent

Targets

  • Microsoft.App/managedEnvironments
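AZ-CA-001 and AZ-CA-005 target the same resource, so one added Bicep example (not the project's own code) covers both: a VNet-integrated, internal-only managed environment that sends console and system logs to a Log Analytics workspace and declares a Consumption workload profile. The environment and workspace names are assumptions, and the delegated infrastructure subnet is assumed to exist from a separate networking deployment (a workload-profile environment needs at least a /27).

```bicep
// Added example (not the project's own code): VNet-integrated, internal-only
// Container Apps environment with console and system logs in Log Analytics.
// Names and the subnet ID are assumptions for illustration.
param location string = resourceGroup().location
param environmentName string = 'cae-app-dev'
param workspaceName string = 'law-app-dev'
// Subnet delegated to Microsoft.App/environments; /27 minimum for workload profiles.
param infrastructureSubnetId string

resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
  name: workspaceName
  location: location
  properties: {
    sku: { name: 'PerGB2018' }
    retentionInDays: 30
  }
}

resource cae 'Microsoft.App/managedEnvironments@2024-03-01' = {
  name: environmentName
  location: location
  properties: {
    vnetConfiguration: {
      infrastructureSubnetId: infrastructureSubnetId
      // internal: true gives the environment an internal load balancer only.
      // VNet integration alone still exposes external ingress on a public IP.
      internal: true
    }
    // Without a destination, console (stdout/stderr) and system logs are discarded.
    appLogsConfiguration: {
      destination: 'log-analytics'
      logAnalyticsConfiguration: {
        customerId: workspace.properties.customerId
        sharedKey: workspace.listKeys().primarySharedKey
      }
    }
    workloadProfiles: [
      {
        name: 'Consumption'
        workloadProfileType: 'Consumption'
      }
    ]
  }
}

output environmentId string = cae.id
output defaultDomain string = cae.properties.defaultDomain
```

With `internal: true` the `defaultDomain` output resolves only inside the VNet, so a private DNS zone for that domain (linked to the VNet) is needed before clients on peered networks can reach the apps; that zone is not shown here. After deployment, the `ContainerAppSystemLogs_CL` and `ContainerAppConsoleLogs_CL` tables in the workspace are where a failed image pull or probe first appears.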
