What’s new for Windows Containers on Azure App Service?

Since launching support for Windows Containers in App Service back at Ignite in 2020, we’ve been working to close gaps in capabilities between code apps deployed to Windows app service plans and apps deployed in Windows Containers, and to improve the experience for customers who choose to deploy their apps in Windows Containers on Azure App Service.

Why host apps in Windows Containers on Azure App Service?

Customers choose to deploy applications in Windows Containers for a variety of reasons, including but not limited to:

• Company policy – some customers require all applications to be deployed as containers for policy and consistency requirements.
• Applications with dependencies – deploying an application in a Windows Container enables developers to bring along dependencies such as custom fonts, cultures, and GAC deployed assemblies.
• Migration from on-premises to PaaS – some customers choose to move to containers as part of their migration strategy, and further take advantage of the many productivity benefits of Azure App Service.
• Relaxed security restrictions – when deploying a containerized application, the Windows Container is an isolation and security boundary.  All Windows Containers in Azure App Service are hosted in Hyper-V Isolation.  As a result, calls to libraries that would normally be blocked by Azure App Service will instead succeed when running inside a Windows Container.  For example, many PDF generation libraries make calls to graphics device interface (GDI) APIs, within a Windows container these calls will succeed.

New Memory optimized Premium V3 SKUs

At BUILD 2023, we announced new Premium V3 SKUs and in particular memory optimized SKUs in App Service (Pmv3 series) and we are making these available to Windows Container customers also.  These provide you with configurations from P1mv3 – 2 vCPU and 16GB memory up to P5mv3 – 32 vCPU and 256GB memory.  Customers can achieve greater application density, per App Service Plan, with the increased memory SKUs. 

Note: P0v3 is not available for customers wishing to run Windows containers on Azure App Service

Updated Base image support

Customers can now deploy applications in Windows containers using Windows Server 2022 and 2019 as your base OS.  All Windows Containers running in App Service, run in Hyper-V isolation mode which means the platform can support multiple versions concurrently. 

Azure App Service caches a set of base images, to help with speeding up the time it can take to pull and expand your Windows Container image.  Customers can refer to the list of cached base images in our documentation.  Customers are free to use other base images, however it can take much longer to download and extract containers based off images not cached by the platform.  The image list and cache are regularly updated based on customer usage, to ensure we are catering for the most popular base images our customers use and to ensure the base images are regularly updated.

Use secrets from Key Vault

Customers deploying applications on Azure App Service, have long been able to use Key Vault references to source application settings and secrets from Key Vault, including in network-restricted vaults and customers deploying their applications in Windows Containers can do this too!

Use managed identities to pull images from ACR and pull images from network protected registries.

Customers now have the ability to use managed identities to pull Windows Container images from Azure Container Registry, and with recent updates, can also pull images from network protected registries, not only with App Service Environment v3, but in Azure App Service as well.

Application lifecycle and operation improvements

In addition to new capabilities when deploying your applications using Windows containers, we’ve also been working to bring other capabilities which can help with the day-to-day operation of your applications.

Application insights codeless integration for .NET Framework, .NET Core, Java, and Node

Application insights monitoring can be added during Web app creation or after creation without having to manually include and configure the Application Insights SDK with your containers.  Application insights provide detailed application performance monitoring (APM) features enabling monitoring of applications throughout development, test, and production.

Azure Monitor – app logs from containers

Azure App Service offers integration with Azure Monitor for both logs and metrics.  As part of the updates for Windows Container workloads, we’ve added the ability to not only send single line stdout and stderr logs out to Azure Monitor, but to also send other types of application log content out to Azure Monitor.  Examples include logs written to the application log channel in .NET core applications, stack traces and messages sent to trace listeners in .NET Framework applications.

Increase availability by using Health Check

Applications deployed in Windows Containers on App Service can now take advantage of Health check to monitor instance health.  Using the health check feature customers can configure paths on which App Service will check health of application instances at 1-minute intervals and if an instance doesn’t respond with a status code of 200-299 after 10 requests (this number is configurable), then the instance is deemed unhealthy and is removed.  Customers using this feature can increase their application’s availability.

Specific improvements for Windows Nano Server containers

Nano Server containers are an ultralight Windows offering for new application development and as such they have a significantly smaller API surface.  Some key features such as PowerShell, WMI and the Windows servicing stack are not included in the Nanoserver image.  Nanoserver images have just enough API surface to run apps that have a dependency on .NET core or other modern open-source frameworks.

Due to the limited API surface some features have been absent from our support in App Service until now:

• Metrics collected – we now collect metrics from Nanoserver containers, for example CPU and Memory resource utilization.
• Hydration of certifications in Windows Certificate store – public certificates (.cer) (Add and manage TLS/SSL certificates - Azure App Service | Microsoft Learn) uploaded to your application are hydrated into the Windows Certificate Store.

Allow setting of time zone

It was not previously possible to set the time zone for Nano server containers only Server Core.  Since Windows added support for this, customers can now set the time zone for their container.  To set the time zone in App Service, customers should set the WEBSITE_TIME_ZONE App Setting (Environment variables and app settings in Azure App Service | Microsoft Learn)

Further improvements coming soon.

We are always working hard to improve developer productivity and capabilities within Azure App Service across the entire service, and we have yet more updates coming for customers wishing to deploy their apps in Windows Containers.

Remote debugging using Visual Studio 2022

App Service has long supported customers wishing to debug their .NET applications running in App Service using Visual Studio, we will be adding support for customers wishing to debug their Windows Containers in Azure App Service in the coming months.

Diagnose and Solve Capabilities for Windows Containers

App Service has a rich set of diagnostic capabilities (Diagnostics and solve tool - Azure App Service | Microsoft Learn) available to customers to troubleshoot your applications with no configuration changes.  These help you to discover the issue(s) and guide you to the information and actions to troubleshoot the issue.  Several categories and diagnostic reports are already available for applications hosted in Windows containers and many more will be enabled in the coming months.