Design 48: Serverless Microservices (Container Apps)

Summary

This design implements Azure Container Apps (ACA), a managed container platform often described as "Kubernetes made simple".

Topology: The ACA Environment is deployed in a Spoke VNet, which peers to the Hub for secure, private connectivity.

1. Key Design Decisions (ADR)

ADR-01: Platform

  • Decision: Azure Container Apps.
  • Rationale: KEDA-based autoscaling (scale to zero) without managing K8s upgrades.

ADR-02: Ingress

  • Decision: Internal Only.
  • Rationale: Expose apps only to the VNet. Use App Gateway (Design 18) if public access is needed.

2. High-Level Design (HLD)

+--------------+           +------------------------------+           +--------------+
|  App Gateway |           |           HUB VNet           |           |  SPOKE VNet  |
|  (Public)    |           |        (DNS Resolver)        |           |  (ACA Env)   |
+------+-------+           +--------------+---------------+           +------+-------+
       |                                  |                                  |
       v                                  | (Peering)                        |
+------+-------+                          v                                  v
|  Public IP   |           +--------------+---------------+           +------+-------+
|              |---------->| Private DNS Zone             |<--------->|  Container   |
+--------------+           | (privatelink.azurecontainer) |           |  App         |
                           +------------------------------+           +------+-------+

3. Low-Level Design (LLD)

                               PRIMARY REGION (East US)
+-----------------------------------------------------------------------+
| HUB VNet: vnet-hub (10.0.0.0/16)                                      |
|   +-----------------------+                                           |
|   | Private DNS Zone      |                                           |
|   +-----------|-----------+                                           |
|               |                                                       |
|               v (Peering)                                             |
+---------------|-------------------------------------------------------+
                |
+---------------|-------------------------------------------------------+
| SPOKE VNet: vnet-aca-spoke (10.1.0.0/16)                              |
|   +-----------------------+                                           |
|   | Subnet: ACA           |                                           |
|   | (Delegated)           |                                           |
|   | [ACA Environment]     |                                           |
|   |   [App: Order]        |                                           |
|   |   [App: Inventory]    |                                           |
|   +-----------------------+                                           |
+-----------------------------------------------------------------------+

                               SECONDARY REGION (West US)
+-----------------------------------------------------------------------+
| DR SPOKE VNet                                                         |
|   +-----------------------+                                           |
|   | ACA Environment (DR)  |                                           |
|   +-----------------------+                                           |
+-----------------------------------------------------------------------+

4. Component Rationale

  • Environment: The isolation boundary (comparable to a K8s Namespace). Apps in the same Environment can communicate with each other directly.
  • Dapr: Built-in sidecars for State Management and Pub/Sub.

5. Strategy: High Availability (HA)

  • SLA: 99.95%.
  • Zones: Zone Redundant by default in supported regions.

6. Strategy: Disaster Recovery (DR)

  • Implementation: Active-Passive.
  • Process: Deploy same Apps to West US Environment. Use Traffic Manager.

7. Strategy: Backup

  • Config: Revisions are immutable. Git is backup.

8. Strategy: Security

  • Secrets: Stored in the Environment and injected into containers as environment variables.
  • Network: Ingress set to "VNet Internal", so the apps are reachable only from peered VNets.

9. Well-Architected Framework Analysis

  • Reliability: High.
  • Security: High.
  • Cost Optimization: Excellent. Scales to zero (pay nothing) when idle.
  • Operational Excellence: High.
  • Performance Efficiency: High.

10. Detailed Traffic Flow

1. Request: App Gateway receives the client request.

2. Forward: App Gateway forwards the request to the ACA environment's internal static IP.

3. Wake: KEDA detects the incoming HTTP request.

4. Scale: The app scales from 0 to 1 replica.

5. Serve: The app serves the request.

6. Sleep: After 300s idle, the app scales back to 0.

11. Runbook: Deployment Guide (Azure Portal)

Phase 1: Create Spoke VNet

1. Search: "Virtual networks" -> + Create.

2. Resource Group: rg-aca-spoke.

3. Name: vnet-aca-spoke.

4. Region: East US.

5. Subnet: snet-aca (10.1.0.0/23).

* Note: ACA requires a minimum /23 subnet.

6. Create.

7. Peer to vnet-hub.

Phase 2: Create Container Apps Environment

1. Search: "Container Apps" -> + Create.

2. Resource Group: rg-aca-spoke.

3. Container App Name: app-hello.

4. Region: East US.

5. Container Apps Environment: Create new.

* Name: env-aca-corp.

* Networking:

* Use your own virtual network: Yes.

* Virtual network: vnet-aca-spoke.

* Infrastructure subnet: snet-aca.

* Virtual IP: Internal. (Critical for private access).

* Create.

6. App Settings:

* Use quickstart image: Yes (Simple Hello World).

* Ingress: Enabled.

* Ingress Traffic: Limited to VNet.

* Target Port: 80.

7. Create.

Phase 3: Configure Private DNS

1. After deployment, go to the Container App Environment.

2. Note the Default Domain (e.g., happy-river.eastus.azurecontainerapps.io).

3. Note the Static IP (e.g., 10.1.0.4).

4. Go to Private DNS Zones -> + Create.

5. Name: eastus.azurecontainerapps.io (must match the environment's region).

6. Create.

7. Link to vnet-hub.

8. Record Set:

* Name: * (Wildcard).

* Type: A.

* IP Address: 10.1.0.4.

* OK.

Phase 4: Verify Access

1. Log in to a VM in the Hub VNet.

2. Open Browser.

3. URL: https://app-hello.happy-river.eastus.azurecontainerapps.io.

4. Result: You see the "Welcome to Azure Container Apps" page.

5. External Access: Try the same URL from your laptop. It should fail ("Site can't be reached"), confirming the app is not reachable from the internet.
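The same four phases as an Azure CLI script, added here as an example and not part of the original runbook. It assumes the hub VNet vnet-hub sits in a resource group named rg-hub (a placeholder), that the caller has already run az login with rights on both resource groups, and that the ACA subnet is delegated to Microsoft.App/environments (required for workload-profile environments).

```shell
# Added example: az CLI equivalent of Runbook Phases 1-3 (not from the original page).
# Assumption: the hub VNet lives in resource group rg-hub (placeholder name).
set -eu

LOCATION="eastus"
SPOKE_RG="rg-aca-spoke";  SPOKE_VNET="vnet-aca-spoke"; SPOKE_SUBNET="snet-aca"
HUB_RG="rg-hub";          HUB_VNET="vnet-hub"
ENV_NAME="env-aca-corp";  APP_NAME="app-hello"

# Phase 3 zone name as the runbook defines it: the default domain minus its first label,
# e.g. happy-river.eastus.azurecontainerapps.io -> eastus.azurecontainerapps.io
zone_from_domain() { printf '%s\n' "${1#*.}"; }

deploy() {
  # Phase 1: spoke VNet with a /23 subnet delegated to Container Apps, peered both ways to the hub.
  az group create -n "$SPOKE_RG" -l "$LOCATION" -o none
  az network vnet create -g "$SPOKE_RG" -n "$SPOKE_VNET" -l "$LOCATION" \
    --address-prefixes 10.1.0.0/16 --subnet-name "$SPOKE_SUBNET" --subnet-prefixes 10.1.0.0/23 -o none
  az network vnet subnet update -g "$SPOKE_RG" --vnet-name "$SPOKE_VNET" -n "$SPOKE_SUBNET" \
    --delegations Microsoft.App/environments -o none
  hub_id=$(az network vnet show -g "$HUB_RG" -n "$HUB_VNET" --query id -o tsv)
  spoke_id=$(az network vnet show -g "$SPOKE_RG" -n "$SPOKE_VNET" --query id -o tsv)
  az network vnet peering create -g "$SPOKE_RG" --vnet-name "$SPOKE_VNET" -n spoke-to-hub \
    --remote-vnet "$hub_id" --allow-vnet-access -o none
  az network vnet peering create -g "$HUB_RG" --vnet-name "$HUB_VNET" -n hub-to-spoke \
    --remote-vnet "$spoke_id" --allow-vnet-access -o none

  # Phase 2: internal-only environment (no public VIP) plus the quickstart app with VNet-only ingress.
  subnet_id=$(az network vnet subnet show -g "$SPOKE_RG" --vnet-name "$SPOKE_VNET" \
    -n "$SPOKE_SUBNET" --query id -o tsv)
  az containerapp env create -g "$SPOKE_RG" -n "$ENV_NAME" -l "$LOCATION" \
    --infrastructure-subnet-resource-id "$subnet_id" --internal-only true -o none
  az containerapp create -g "$SPOKE_RG" -n "$APP_NAME" --environment "$ENV_NAME" \
    --image mcr.microsoft.com/k8se/quickstart:latest --target-port 80 --ingress internal -o none

  # Phase 3: private DNS zone linked to the hub, wildcard A record -> environment static IP.
  default_domain=$(az containerapp env show -g "$SPOKE_RG" -n "$ENV_NAME" \
    --query properties.defaultDomain -o tsv)
  static_ip=$(az containerapp env show -g "$SPOKE_RG" -n "$ENV_NAME" --query properties.staticIp -o tsv)
  zone=$(zone_from_domain "$default_domain")
  az network private-dns zone create -g "$SPOKE_RG" -n "$zone" -o none
  az network private-dns link vnet create -g "$SPOKE_RG" -z "$zone" -n link-hub -v "$hub_id" -e false -o none
  az network private-dns record-set a add-record -g "$SPOKE_RG" -z "$zone" -n '*' -a "$static_ip" -o none
  echo "Phase 4: from a hub VM, browse to https://${APP_NAME}.${default_domain}"
}

# Deploy only when explicitly requested, so the helper above can be sourced and checked on its own.
[ "${RUN_DEPLOY:-0}" = "1" ] && deploy || true
```

Run with RUN_DEPLOY=1 to execute the deployment; without it the file only defines the functions.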