Recipes: Integration Patterns for Azure Container Apps (Python)¶
Use these practical recipes to implement common production patterns for Python apps running on Azure Container Apps.
Prerequisites¶
- Azure CLI 2.57+ with the Container Apps extension
- Existing Azure Container Apps environment (
$ENVIRONMENT_NAME) and app ($APP_NAME) - Resource group (
$RG) and region ($LOCATION) variables set
Recipe Catalog¶
These recipes are intentionally task-oriented: each page solves a specific production integration problem without changing the core tutorial sequence.
Recipe Selection Guide¶
| Recipe | Complexity | Key Concept | Prerequisites |
|---|---|---|---|
| Custom Container | Medium | Docker hardening, non-root runtime | Docker build basics, Step 01 |
| Native Dependencies | Medium | System libraries in Python images | Dockerfile familiarity |
| Container Registry | Low | ACR auth and pull flow | $ACR_NAME, $RG, $APP_NAME |
| Revision Validation | Medium | 0% traffic validation and promotion | Step 07 revisions concepts |
| Cosmos DB | Medium | Managed identity + RBAC for NoSQL | Identity basics, role assignment rights |
| Azure SQL | Medium | Entra-based auth for relational access | SQL server/database provisioned |
| Redis | Low | Cache integration and connection configuration | Redis instance available |
| Storage | Medium | Blob SDK + Azure Files mounts | Storage account and share |
| Bring Your Own Storage | Medium | Persistent volume mounting patterns | Azure Files share + mount path plan |
| Managed Identity | Low | Secretless auth with DefaultAzureCredential | User/system-assigned identity enabled |
| Key Vault Reference | Medium | secretref and externalized secret management | Key Vault access policy / RBAC |
| Easy Auth | Medium | Built-in auth and claims consumption | Identity provider configuration |
| Dapr Integration | High | Sidecar-based service invocation/state/pubsub | Dapr concepts and component config |
| Custom Domains | Medium | DNS + certificate binding for ingress | Domain ownership and DNS control |
Choose by operational bottleneck
If your immediate issue is deployment safety, start with Revision Validation. If your issue is security posture, start with Managed Identity and Key Vault Reference. If your issue is integration velocity, start with data recipes (Cosmos DB, Azure SQL, Redis, Storage).
Integration Dependency Map¶
flowchart TD
BASE[Baseline app deployed<br/>Steps 01-07] --> ID[Managed Identity]
BASE --> REV[Revision Validation]
ID --> KV[Key Vault Reference]
ID --> COSMOS[Cosmos DB]
ID --> SQL[Azure SQL]
ID --> ACR[Container Registry]
BASE --> REDIS[Redis]
BASE --> STORAGE[Storage]
STORAGE --> BYOS[Bring Your Own Storage]
BASE --> DAPR[Dapr Integration]
REV --> DOMAIN[Custom Domains]Apply prerequisites before recipe commands
Most recipe failures come from missing baseline resources or missing role assignments. Confirm $RG, $APP_NAME, $ENVIRONMENT_NAME, and (when needed) $ACR_NAME are already set and valid in your current subscription context before you run recipe commands.
Container & Runtime¶
- Custom Container: Build optimized Python images with non-root runtime and probe-ready configuration.
- Native Dependencies: Package and run Python dependencies that require system libraries or compilation.
Deployment & Revisions¶
- Container Registry: Pull private images from Azure Container Registry with managed identity.
- Revision Validation: Validate new revisions at 0% traffic and promote safely with canary routing.
Data & Storage¶
- Cosmos DB: Connect to Azure Cosmos DB with managed identity and RBAC.
- Azure SQL: Access Azure SQL using Microsoft Entra authentication.
- Redis: Integrate Azure Cache for Redis from Python apps.
- Storage: Use Blob SDK patterns and Azure Files mounts.
- Bring Your Own Storage: Mount Azure Files shares as persistent volumes.
Security & Identity¶
- Managed Identity: Use
DefaultAzureCredentialand RBAC to access Azure services. - Key Vault Reference: Reference Key Vault secrets in Container Apps configuration.
- Easy Auth: Enable built-in authentication and consume identity claims in Flask.
Integration¶
- Dapr Integration: Add pub/sub, service invocation, and state API patterns.
- Custom Domains: Configure custom domains and certificates for ingress.
Verification Steps¶
Confirm your app is healthy before applying any recipe:
az containerapp show \
--name "$APP_NAME" \
--resource-group "$RG" \
--query "{name:name,provisioningState:properties.provisioningState,runningStatus:properties.runningStatus}" \
--output json