02 - First Deploy to Azure Container Apps¶

In this step, you provision the core Azure resources, build your image in Azure Container Registry, and deploy your first revision to Azure Container Apps.

flowchart TD
    INET[Internet] -->|HTTPS| CA["Container App\nConsumption\nLinux Node 18 LTS"]

    subgraph VNET["VNet 10.0.0.0/16"]
        subgraph ENV_SUB["Environment Subnet 10.0.0.0/23\nDelegation: Microsoft.App/environments"]
            CAE[Container Apps Environment]
            CA
        end
        subgraph PE_SUB["Private Endpoint Subnet 10.0.2.0/24"]
            PE_ACR[PE: ACR]
            PE_KV[PE: Key Vault]
            PE_ST[PE: Storage]
        end
    end

    PE_ACR --> ACR[Azure Container Registry]
    PE_KV --> KV[Key Vault]
    PE_ST --> ST[Storage Account]

    subgraph DNS[Private DNS Zones]
        DNS_ACR[privatelink.azurecr.io]
        DNS_KV[privatelink.vaultcore.azure.net]
        DNS_ST[privatelink.blob.core.windows.net]
    end

    PE_ACR -.-> DNS_ACR
    PE_KV -.-> DNS_KV
    PE_ST -.-> DNS_ST

    CA -.->|System-Assigned MI| ENTRA[Microsoft Entra ID]
    CAE --> LOG[Log Analytics]
    CA --> AI[Application Insights]

    style CA fill:#107c10,color:#fff
    style VNET fill:#E8F5E9,stroke:#4CAF50
    style DNS fill:#E3F2FD

Deployment Workflow¶

graph LR
    BICEP[Bicep Deploy] --> ACR[ACR Build]
    ACR --> UPDATE[Container App Update]
    UPDATE --> VERIFY[Verify URL]

Prerequisites¶

• Completed 01 - Run Locally with Docker
• Azure CLI logged in
• Bicep template at infra/main.bicep

Step-by-step¶

1. Set standard variables

   RG="rg-nodejs-guide"
   BASE_NAME="nodejs-guide"
   LOCATION="koreacentral"
   DEPLOYMENT_NAME="main"
   

2. Create a resource group

   az group create --name "$RG" --location "$LOCATION"
   

   Expected output

   {
     "id": "/subscriptions/<subscription-id>/resourceGroups/rg-nodejs-guide",
     "location": "koreacentral",
     "name": "rg-nodejs-guide",
     "properties": {
       "provisioningState": "Succeeded"
     }
   }
   

3. Deploy infrastructure (environment, Log Analytics, ACR, Container App)

   az deployment group create \
     --name "$DEPLOYMENT_NAME" \
     --resource-group "$RG" \
     --template-file infra/main.bicep \
     --parameters baseName="$BASE_NAME" location="$LOCATION"
   

   Expected output

   This command takes 2-3 minutes to complete. When successful, it returns a JSON object containing the deployment details.

   {
     "id": "/subscriptions/<subscription-id>/resourceGroups/rg-nodejs-guide/providers/Microsoft.Resources/deployments/main",
     "name": "main",
     "properties": {
       "provisioningState": "Succeeded",
       "outputs": {
         "containerAppName": { "type": "String", "value": "ca-nodejs-guide-<unique-suffix>" },
         "containerAppUrl": { "type": "String", "value": "https://ca-nodejs-guide-<unique-suffix>.<hash>.<region>.azurecontainerapps.io" }
       }
     }
   }
   

   Initial revision health can appear unhealthy

   The Bicep template creates the Container App before your custom image is built and pushed. Until you complete Step 5 and update the app image, the initial revision may show as unhealthy. This is expected.

4. Capture generated resource names from Bicep outputs

   APP_NAME=$(az deployment group show \
     --name "$DEPLOYMENT_NAME" \
     --resource-group "$RG" \
     --query "properties.outputs.containerAppName.value" \
     --output tsv)
   
   ENVIRONMENT_NAME=$(az deployment group show \
     --name "$DEPLOYMENT_NAME" \
     --resource-group "$RG" \
     --query "properties.outputs.containerAppEnvName.value" \
     --output tsv)
   
   ACR_NAME=$(az deployment group show \
     --name "$DEPLOYMENT_NAME" \
     --resource-group "$RG" \
     --query "properties.outputs.containerRegistryName.value" \
     --output tsv)
   
   ACR_LOGIN_SERVER=$(az deployment group show \
     --name "$DEPLOYMENT_NAME" \
     --resource-group "$RG" \
     --query "properties.outputs.containerRegistryLoginServer.value" \
     --output tsv)
   
   APP_URL=$(az deployment group show \
     --name "$DEPLOYMENT_NAME" \
     --resource-group "$RG" \
     --query "properties.outputs.containerAppUrl.value" \
     --output tsv)
   

   Expected output

   These commands capture the values silently. You can verify them by running:

   echo "APP_NAME=$APP_NAME"
   echo "ENVIRONMENT_NAME=$ENVIRONMENT_NAME"
   echo "ACR_NAME=$ACR_NAME"
   echo "ACR_LOGIN_SERVER=$ACR_LOGIN_SERVER"
   echo "APP_URL=$APP_URL"
   

   Output:

   APP_NAME=ca-nodejs-guide-<unique-suffix>
   ENVIRONMENT_NAME=cae-nodejs-guide-<unique-suffix>
   ACR_NAME=<acr-name>
   ACR_LOGIN_SERVER=<acr-name>.azurecr.io
   APP_URL=https://ca-nodejs-guide-<unique-suffix>.<hash>.<region>.azurecontainerapps.io
   

5. Build and push container image with ACR Tasks

   az acr build \
     --registry "$ACR_NAME" \
     --image "$BASE_NAME:v1" \
     ./apps/nodejs
   

   Expected output (az acr build)

   The build output shows the Docker build progress. The last few lines should look like this:

   Step 5/5 : CMD ["node", "src/app.js"]
    ---> Running in abc123
    ---> def456
   Successfully built def456
   Successfully tagged nodejs-guide:v1
   

   az containerapp update \
     --name "$APP_NAME" \
     --resource-group "$RG" \
     --image "$ACR_LOGIN_SERVER/$BASE_NAME:v1"
   

   Expected output (az containerapp update)

   {
     "latestRevision": "<your-app-name>--xxxxxxx",
     "name": "ca-nodejs-guide-<unique-suffix>",
     "provisioningState": "Succeeded"
   }
   

6. Verify deployment state and URL

   az containerapp show \
     --name "$APP_NAME" \
     --resource-group "$RG" \
     --query "{state:properties.provisioningState,url:properties.configuration.ingress.fqdn}"
   

   Expected output

   {
     "state": "Succeeded",
     "url": "ca-nodejs-guide-<unique-suffix>.<hash>.<region>.azurecontainerapps.io"
   }
   

   Verify the /health endpoint with curl:

   curl "$APP_URL/health"
   

   Expected output (health check)

   {"status":"healthy","timestamp":"2026-04-05T10:30:00.000Z"}
   

7. Deploy an update (creates a new revision)

   az acr build --registry "$ACR_NAME" --image "$BASE_NAME:v2" ./apps/nodejs
   
   az containerapp update \
     --name "$APP_NAME" \
     --resource-group "$RG" \
     --image "$ACR_LOGIN_SERVER/$BASE_NAME:v2"
   

   Expected output

   {
     "name": "<your-app-name>",
     "provisioningState": "Succeeded",
     "latestRevisionName": "<your-app-name>--0000002"
   }
   

   Confirm revision status — you should now see two revisions (the original v1 and the new v2). In single-revision mode, the old revision is retained but inactive:

   az containerapp revision list \
     --name "$APP_NAME" \
     --resource-group "$RG" \
     --query "[].{name:name,active:properties.active,trafficWeight:properties.trafficWeight,replicas:properties.replicas,healthState:properties.healthState,runningState:properties.runningState}"
   

   Expected output (revision list)

   [
     {
       "name": "<your-app-name>--0000001",
       "active": false,
       "trafficWeight": 0,
       "replicas": 0,
       "healthState": "Healthy",
       "runningState": "Running"
     },
     {
       "name": "<your-app-name>--0000002",
       "active": true,
       "trafficWeight": 100,
       "replicas": 1,
       "healthState": "Healthy",
       "runningState": "Running"
     }
   ]
   

What to validate¶

• Image exists in ACR: $BASE_NAME:v1 and $BASE_NAME:v2
• App endpoint responds with HTTP 200 for /health
• A new revision appears after az containerapp update

Advanced Topics¶

• Move to internal ingress for private APIs and pair with VNet integration.
• Add workload profiles and min/max replicas for predictable performance.
• Use managed identity-based ACR pull for stronger credential hygiene.

CLI Alternative (No Bicep)¶

Use these commands to deploy without Bicep templates. This creates the same resources imperatively.

Step 1: Set variables¶

RG="rg-express-containerapp"
APP_NAME="ca-express-demo"
BASE_NAME="express-app"
ENVIRONMENT_NAME="cae-express-demo"
ACR_NAME="crexpressdemo"
LOG_NAME="log-express-demo"
LOCATION="koreacentral"

Variables set for RG=rg-express-containerapp, APP_NAME=ca-express-demo, and LOCATION=koreacentral.

Step 2: Create resource group¶

az group create --name "$RG" --location "$LOCATION"

{
  "id": "/subscriptions/<subscription-id>/resourceGroups/rg-express-containerapp",
  "location": "koreacentral",
  "name": "rg-express-containerapp",
  "properties": {
    "provisioningState": "Succeeded"
  }
}

Step 3: Create Log Analytics workspace¶

az monitor log-analytics workspace create --resource-group "$RG" --workspace-name "$LOG_NAME" --location "$LOCATION"

LOG_ID=$(az monitor log-analytics workspace show --resource-group "$RG" --workspace-name "$LOG_NAME" --query customerId --output tsv)

{
  "id": "/subscriptions/<subscription-id>/resourceGroups/rg-express-containerapp/providers/Microsoft.OperationalInsights/workspaces/log-express-demo",
  "location": "koreacentral",
  "name": "log-express-demo",
  "properties": {
    "customerId": "11111111-2222-3333-4444-555555555555",
    "provisioningState": "Succeeded"
  }
}

Step 4: Create Azure Container Registry¶

az acr create --resource-group "$RG" --name "$ACR_NAME" --sku Basic

{
  "id": "/subscriptions/<subscription-id>/resourceGroups/rg-express-containerapp/providers/Microsoft.ContainerRegistry/registries/crexpressdemo",
  "location": "koreacentral",
  "loginServer": "crexpressdemo.azurecr.io",
  "name": "crexpressdemo",
  "provisioningState": "Succeeded",
  "sku": {
    "name": "Basic"
  }
}

Step 5: Create Container Apps environment¶

az containerapp env create --resource-group "$RG" --name "$ENVIRONMENT_NAME" --location "$LOCATION" --logs-workspace-id "$LOG_ID"

{
  "id": "/subscriptions/<subscription-id>/resourceGroups/rg-express-containerapp/providers/Microsoft.App/managedEnvironments/cae-express-demo",
  "location": "koreacentral",
  "name": "cae-express-demo",
  "properties": {
    "provisioningState": "Succeeded"
  }
}

Step 6: Build and push image with ACR Tasks¶

az acr build --registry "$ACR_NAME" --image "$BASE_NAME:v1" ./apps/nodejs

Queued a build with ID: acb_default_1700000000000
Successfully built image: express-app:v1
Successfully pushed image: crexpressdemo.azurecr.io/express-app:v1

Step 7: Create Container App¶

az containerapp create --resource-group "$RG" --name "$APP_NAME" --environment "$ENVIRONMENT_NAME" --image "$ACR_NAME.azurecr.io/$BASE_NAME:v1" --target-port 8000 --ingress external --query "properties.configuration.ingress.fqdn"

"ca-express-demo.gentlehill-1a2b3c4d.koreacentral.azurecontainerapps.io"

Step 8: Verify deployment¶

APP_FQDN=$(az containerapp show --resource-group "$RG" --name "$APP_NAME" --query "properties.configuration.ingress.fqdn" --output tsv)

az containerapp show --resource-group "$RG" --name "$APP_NAME" --query "{state:properties.provisioningState,fqdn:properties.configuration.ingress.fqdn,image:properties.template.containers[0].image}"

curl "https://$APP_FQDN/health"

{
  "state": "Succeeded",
  "fqdn": "ca-express-demo.gentlehill-1a2b3c4d.koreacentral.azurecontainerapps.io",
  "image": "crexpressdemo.azurecr.io/express-app:v1"
}

{"status":"healthy","timestamp":"2026-04-09T10:30:00.000Z"}

See Also¶

• 05 - Infrastructure as Code with Bicep
• 07 - Revisions and Traffic Splitting
• Networking VNet Recipe

Sources¶

• Get started (Microsoft Learn)
• az containerapp up reference (Microsoft Learn)