
Enable and Configure Azure Container Apps Resiliency


Risk Level: Medium (should be achieved)

Enable and configure Azure Container Apps resiliency to proactively prevent, detect, and recover from service request failures using simple resiliency policies.

Reliability
Performance efficiency

Enabling and configuring resiliency for Microsoft Azure Container Apps ensures high availability, fault tolerance, and rapid recovery during failures, enhancing application reliability and user experience. Resiliency policies enable your Container Apps to handle failures effectively by incorporating features such as retries, timeouts, circuit breakers, and connection pools for service-to-service calls.


Audit

To determine if resiliency policies are enabled for your Azure Container Apps, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Container App, and choose Apply to list only the Azure Container Apps available in the selected subscription.

05 Click on the name (link) of the Azure Container App that you want to examine.

06 In the resource navigation panel, under Settings, select Resiliency (preview) to access the resiliency policies enabled for the selected Container App.

07 On the Resiliency (preview) page, inspect the checkboxes corresponding to each resiliency policy supported by Microsoft Azure Container Apps. If no checkboxes are selected (i.e., no resiliency policies are enabled), application resiliency is not configured for the selected Azure Container App.

08 Repeat steps no. 5 – 7 for each Azure Container App deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run containerapp list command (Windows/macOS/Linux) with custom query filters to list the name and the associated resource group for each Azure Container App available in the selected subscription:

az containerapp list --output table --query '[*].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested Container App names:

Name                        ResourceGroup
-------------------------   ------------------------------
tm-project5-container-app   cloud-shell-storage-westeurope
tm-project5-openai-app      cloud-shell-storage-westeurope

06 Run extension update command (Windows/macOS/Linux) to ensure that you have the latest version of the Azure Container App extension:

az extension update --name containerapp

07 Run containerapp resiliency list command (Windows/macOS/Linux) with the name of the Azure Container App that you want to examine and the name of its resource group as the identifier parameters, to list the resiliency policies enabled and configured for the selected Container App:

az containerapp resiliency list --container-app-name tm-project5-container-app --resource-group cloud-shell-storage-westeurope

08 The command output should return the list of active (enabled) resiliency policies:

[]

If the containerapp resiliency list command output returns an empty array (i.e., []), there are no active resiliency policies. Therefore, application resiliency is not configured for the selected Azure Container App.

09 Repeat steps no. 7 and 8 for each Azure Container App available within the current Azure subscription.

10 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.
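
The CLI audit steps above, scripted for a POSIX shell such as Azure Cloud Shell. This is an added example, not part of the original page or of Microsoft's tooling; the function names (policy_count, audit_subscription, audit_all) and the --run switch belong to this example only. It assumes a signed-in Azure CLI with the containerapp extension installed, and prints one line per Container App that has no resiliency policy.

```sh
#!/bin/sh
# Added example (not Trend Micro or Microsoft code): audit steps 01-10 as a script.
# Prints "<subscription-id> <resource-group> <app-name>" for every Container App
# whose resiliency policy list is empty.
# Assumes: Azure CLI signed in, containerapp extension installed.

TAB="$(printf '\t')"

# Count the resiliency policies attached to one Container App.
policy_count() {  # $1 = app name, $2 = resource group
    az containerapp resiliency list \
        --container-app-name "$1" \
        --resource-group "$2" \
        --query 'length(@)' --output tsv < /dev/null
}

# Audit every Container App in one subscription.
audit_subscription() {  # $1 = subscription ID
    az account set --subscription "$1" || return 1
    az containerapp list --query '[*].[name, resourceGroup]' --output tsv |
    while IFS="$TAB" read -r app rg; do
        [ -n "$app" ] || continue
        # A failed query is reported, never counted as compliant.
        count="$(policy_count "$app" "$rg")" || count="error"
        case "$count" in
            0)     printf '%s %s %s\n' "$1" "$rg" "$app" ;;
            error) printf 'WARN: could not query %s/%s\n' "$rg" "$app" >&2 ;;
        esac
    done
}

# Audit every subscription visible to the signed-in account.
audit_all() {
    az account list --query '[*].id' --output tsv |
    while read -r sub; do
        if [ -n "$sub" ]; then
            audit_subscription "$sub"
        fi
    done
}

# Run only when invoked with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
    audit_all
fi
```

Apps that could not be queried are written to standard error as warnings, so an access or extension problem is not mistaken for a compliant result.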

Remediation / Resolution

To enable and configure resiliency policies for your Microsoft Azure Container Apps, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Container App, and choose Apply to list only the Azure Container Apps available in the selected subscription.

05 Click on the name (link) of the Azure Container App that you want to configure.

06 In the resource navigation panel, under Settings, select Resiliency (preview), and perform the following actions to enable and configure resiliency policies for your Container App:

  1. To enable the timeout policy, check the Timeouts policy checkbox and enter the duration in seconds for the connection timeout and the response timeout.
  2. To enable the HTTP retry policy, check the HTTP retries policy checkbox, and provide values for the number of maximum retries, delay between first error and first retry in milliseconds, and maximum delay between retries (milliseconds). For Errors, configure the errors that will trigger a retry of the failed HTTP request.
  3. To enable the TCP retry policy, check the TCP retries policy checkbox, and set the maximum connection attempts to retry on failed connections.
  4. To enable the Circuit Breaker policy, check the Circuit Breaker policy checkbox, and configure the policy parameters according to your app specifications. The Circuit Breaker policy specifies whether an Azure Container App replica is temporarily removed from the load balancing pool, based on triggers such as the number of consecutive errors.
  5. To enable the HTTP connection pool policy, check the HTTP connection pools policy checkbox, and set the maximum number of open connections/concurrent requests to the Container App. The Azure Container Apps service uses connection pooling to reuse established connections, reducing setup overhead. Connection pools manage concurrent connection limits, preventing new connections when limits are reached. This ensures efficient resource usage and prevents services from being overwhelmed by requests.
  6. To enable the TCP connection pool policy, check the TCP connection pools policy checkbox, and set the maximum number of concurrent connections to the Container App.
  7. Select Apply to apply the configuration changes.
  8. Choose Continue to save the resiliency settings.

07 Repeat steps no. 5 and 6 for each Azure Container App that you want to configure, deployed in the selected Azure subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run containerapp list command (Windows/macOS/Linux) with custom query filters to list the name and the associated resource group for each Azure Container App available in the selected subscription:

az containerapp list --output table --query '[*].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested Container App names:

Name                        ResourceGroup
-------------------------   ------------------------------
tm-project5-container-app   cloud-shell-storage-westeurope
tm-project5-openai-app      cloud-shell-storage-westeurope

06 Run extension update command (Windows/macOS/Linux) to ensure that you have the latest version of the Azure Container App extension:

az extension update --name containerapp

07 Run containerapp resiliency create command (Windows/macOS/Linux) to create a resiliency policy with recommended settings for timeouts, retries, and circuit breakers, for the selected Azure Container App. To enable specific resiliency policies, replace the --recommended parameter with the desired policy parameters. For example, to enable the timeout resiliency policy, use the --timeout and --timeout-connect parameters. For more resiliency policy parameters, see containerapp resiliency create command:

az containerapp resiliency create --container-app-name tm-project5-container-app --resource-group cloud-shell-storage-westeurope --name tm-project5-resiliency-policy --recommended

08 The command output should return the resiliency settings available for the modified Container App:

{
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/containerApps/tm-project5-container-app/resiliencyPolicies/tm-project5-resiliency-policy",
	"name": "tm-project5-resiliency-policy",
	"properties": {
		"circuitBreakerPolicy": {
			"consecutiveErrors": 5,
			"intervalInSeconds": 10,
			"maxEjectionPercent": 100
		},
		"httpRetryPolicy": {
			"matches": {
				"errors": [
					"5xx"
				]
			},
			"maxRetries": 3,
			"retryBackOff": {
				"initialDelayInMilliseconds": 1000,
				"maxIntervalInMilliseconds": 10000
			}
		},
		"timeoutPolicy": {
			"connectionTimeoutInSeconds": 5,
			"responseTimeoutInSeconds": 60
		}
	},
	"resourceGroup": "cloud-shell-storage-westeurope",
	"type": "Microsoft.App/containerApps/resiliencyPolicies"
}

09 Repeat steps no. 7 and 8 for each Azure Container App that you want to configure, available within the current subscription.

10 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.


Publication date Nov 20, 2024