Gap-3: Container Apps Operate (C → A) — Revisions, day-2 ops, networking#1637
Open
Gap-3: Container Apps Operate (C → A) — Revisions, day-2 ops, networking#1637
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Adds operational reference documentation for Azure Container Apps covering revision management, day-2 operations, and networking/custom domains to support “operate (C → A)” readiness.
Changes:
- Introduces revision management guidance (modes, traffic splitting, rollback) with Bicep/Terraform/CLI examples
- Adds day-2 operational runbooks (restart/exec/logs/env updates/secrets & rotation)
- Documents networking patterns (ingress modes, VNet integration, custom domains/TLS, IP restrictions)
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| plugin/skills/azure-prepare/references/services/container-apps/revisions.md | New doc for revision modes, traffic splitting patterns, rollback, and IaC examples |
| plugin/skills/azure-prepare/references/services/container-apps/networking.md | New doc for ingress/VNet/custom domain/TLS/IP restriction guidance |
| plugin/skills/azure-prepare/references/services/container-apps/day2-operations.md | New doc for day-2 ops tasks including logs, exec, env/secret updates, rotation workflow |
plugin/skills/azure-prepare/references/services/container-apps/revisions.md
Show resolved
Hide resolved
plugin/skills/azure-prepare/references/services/container-apps/revisions.md
Show resolved
Hide resolved
plugin/skills/azure-prepare/references/services/container-apps/revisions.md
Outdated
Show resolved
Hide resolved
plugin/skills/azure-prepare/references/services/container-apps/networking.md
Outdated
Show resolved
Hide resolved
plugin/skills/azure-prepare/references/services/container-apps/networking.md
Show resolved
Hide resolved
plugin/skills/azure-prepare/references/services/container-apps/day2-operations.md
Show resolved
Hide resolved
Contributor
Details# 🔍 Token Analysis Report
fatal: path 'plugin/skills/azure-prepare/references/services/container-apps/day2-operations.md' exists on disk, but not in 'origin/main' 📊 Token Change ReportComparing Summary
Changed Files
📊 Token Limit Check ReportChecked: 546 files
|
| File | Tokens | Limit | Over By |
|---|---|---|---|
.github/skills/analyze-test-run/SKILL.md |
2471 | 500 | +1971 |
.github/skills/file-test-bug/SKILL.md |
628 | 500 | +128 |
.github/skills/sensei/README.md |
3531 | 2000 | +1531 |
.github/skills/sensei/SKILL.md |
3026 | 500 | +2526 |
.github/skills/sensei/references/EXAMPLES.md |
3701 | 2000 | +1701 |
.github/skills/sensei/references/LOOP.md |
4181 | 2000 | +2181 |
.github/skills/sensei/references/SCORING.md |
4200 | 2000 | +2200 |
.github/skills/skill-authoring/SKILL.md |
839 | 500 | +339 |
plugin/skills/appinsights-instrumentation/SKILL.md |
908 | 500 | +408 |
plugin/skills/azure-ai/SKILL.md |
817 | 500 | +317 |
plugin/skills/azure-aigateway/SKILL.md |
1258 | 500 | +758 |
plugin/skills/azure-aigateway/references/policies.md |
2342 | 2000 | +342 |
plugin/skills/azure-cloud-migrate/references/services/functions/lambda-to-functions.md |
2600 | 2000 | +600 |
plugin/skills/azure-cloud-migrate/references/services/functions/runtimes/javascript.md |
2181 | 2000 | +181 |
plugin/skills/azure-compliance/SKILL.md |
1185 | 500 | +685 |
plugin/skills/azure-compute/SKILL.md |
755 | 500 | +255 |
plugin/skills/azure-compute/workflows/vm-recommender/vm-recommender.md |
2393 | 2000 | +393 |
plugin/skills/azure-cost/SKILL.md |
1861 | 500 | +1361 |
plugin/skills/azure-deploy/SKILL.md |
1643 | 500 | +1143 |
plugin/skills/azure-deploy/references/pre-deploy-checklist.md |
2204 | 2000 | +204 |
plugin/skills/azure-deploy/references/recipes/azd/ef-migrations.md |
2006 | 2000 | +6 |
plugin/skills/azure-deploy/references/recipes/azd/errors.md |
3429 | 2000 | +1429 |
plugin/skills/azure-deploy/references/troubleshooting.md |
2038 | 2000 | +38 |
plugin/skills/azure-diagnostics/SKILL.md |
1132 | 500 | +632 |
plugin/skills/azure-diagnostics/aks-troubleshooting/networking.md |
2147 | 2000 | +147 |
plugin/skills/azure-diagnostics/aks-troubleshooting/node-issues.md |
2003 | 2000 | +3 |
plugin/skills/azure-enterprise-infra-planner/SKILL.md |
991 | 500 | +491 |
plugin/skills/azure-enterprise-infra-planner/references/constraints/compute-apps.md |
2022 | 2000 | +22 |
plugin/skills/azure-hosted-copilot-sdk/SKILL.md |
966 | 500 | +466 |
plugin/skills/azure-kubernetes/SKILL.md |
2266 | 500 | +1766 |
plugin/skills/azure-kusto/SKILL.md |
2149 | 500 | +1649 |
plugin/skills/azure-messaging/SKILL.md |
967 | 500 | +467 |
plugin/skills/azure-prepare/SKILL.md |
2767 | 500 | +2267 |
plugin/skills/azure-prepare/references/aspire.md |
4003 | 2000 | +2003 |
plugin/skills/azure-prepare/references/plan-template.md |
2559 | 2000 | +559 |
plugin/skills/azure-prepare/references/recipes/azd/aspire.md |
3069 | 2000 | +1069 |
plugin/skills/azure-prepare/references/recipes/azd/terraform.md |
3012 | 2000 | +1012 |
plugin/skills/azure-prepare/references/research.md |
2217 | 2000 | +217 |
plugin/skills/azure-prepare/references/resources-limits-quotas.md |
3322 | 2000 | +1322 |
plugin/skills/azure-prepare/references/security.md |
2133 | 2000 | +133 |
plugin/skills/azure-prepare/references/services/functions/bicep.md |
3065 | 2000 | +1065 |
plugin/skills/azure-prepare/references/services/functions/templates/SPEC-composable-templates.md |
6187 | 2000 | +4187 |
plugin/skills/azure-prepare/references/services/functions/templates/recipes/composition.md |
4649 | 2000 | +2649 |
plugin/skills/azure-prepare/references/services/functions/terraform.md |
3358 | 2000 | +1358 |
plugin/skills/azure-quotas/SKILL.md |
3445 | 500 | +2945 |
plugin/skills/azure-quotas/references/commands.md |
2644 | 2000 | +644 |
plugin/skills/azure-resource-lookup/SKILL.md |
1288 | 500 | +788 |
plugin/skills/azure-resource-visualizer/SKILL.md |
2054 | 500 | +1554 |
plugin/skills/azure-storage/SKILL.md |
1180 | 500 | +680 |
plugin/skills/azure-upgrade/SKILL.md |
1001 | 500 | +501 |
plugin/skills/azure-upgrade/references/services/functions/automation.md |
3463 | 2000 | +1463 |
plugin/skills/azure-upgrade/references/services/functions/consumption-to-flex.md |
2773 | 2000 | +773 |
plugin/skills/azure-validate/SKILL.md |
906 | 500 | +406 |
plugin/skills/entra-app-registration/SKILL.md |
2067 | 500 | +1567 |
plugin/skills/entra-app-registration/references/api-permissions.md |
2545 | 2000 | +545 |
plugin/skills/entra-app-registration/references/cli-commands.md |
2211 | 2000 | +211 |
plugin/skills/entra-app-registration/references/console-app-example.md |
2752 | 2000 | +752 |
plugin/skills/entra-app-registration/references/oauth-flows.md |
2375 | 2000 | +375 |
plugin/skills/microsoft-foundry/SKILL.md |
2870 | 500 | +2370 |
plugin/skills/microsoft-foundry/foundry-agent/create/create.md |
3016 | 2000 | +1016 |
plugin/skills/microsoft-foundry/foundry-agent/deploy/deploy.md |
5555 | 2000 | +3555 |
plugin/skills/microsoft-foundry/foundry-agent/eval-datasets/eval-datasets.md |
2342 | 2000 | +342 |
plugin/skills/microsoft-foundry/foundry-agent/eval-datasets/references/trace-to-dataset.md |
4268 | 2000 | +2268 |
plugin/skills/microsoft-foundry/foundry-agent/observe/observe.md |
2547 | 2000 | +547 |
plugin/skills/microsoft-foundry/foundry-agent/trace/references/kql-templates.md |
2701 | 2000 | +701 |
plugin/skills/microsoft-foundry/foundry-agent/troubleshoot/troubleshoot.md |
2164 | 2000 | +164 |
plugin/skills/microsoft-foundry/models/deploy-model/SKILL.md |
1640 | 500 | +1140 |
plugin/skills/microsoft-foundry/models/deploy-model/capacity/SKILL.md |
1739 | 500 | +1239 |
plugin/skills/microsoft-foundry/models/deploy-model/customize/SKILL.md |
2235 | 500 | +1735 |
plugin/skills/microsoft-foundry/models/deploy-model/customize/references/customize-workflow.md |
3335 | 2000 | +1335 |
plugin/skills/microsoft-foundry/models/deploy-model/preset/SKILL.md |
1226 | 500 | +726 |
plugin/skills/microsoft-foundry/models/deploy-model/preset/references/preset-workflow.md |
5534 | 2000 | +3534 |
plugin/skills/microsoft-foundry/quota/quota.md |
2288 | 2000 | +288 |
plugin/skills/microsoft-foundry/quota/references/capacity-planning.md |
2080 | 2000 | +80 |
plugin/skills/microsoft-foundry/references/sdk/foundry-sdk-py.md |
2162 | 2000 | +162 |
Consider moving content to
references/subdirectories.
Automated token analysis. See skill authoring guidelines for best practices.
This was referenced Apr 3, 2026
- Fix: replace non-existent 'az containerapp stop/start' with update --min/max-replicas - Fix: subnet size table now shows /27 for workload profiles (default) and /23 for consumption-only (legacy) - Fix: subnet delegation note for consumption-only (must NOT delegate) - Fix: IP restrictions remove invalid Allow+Deny mix (docs say cannot combine) - Fix: internal ingress description corrected - Fix: Bicep traffic config uses latestRevision:true instead of non-existent revision names - Fix: blue/green queries actual revision name from revision list - Fix: rollback uses label-based routing or explicit revision name - Fix: remove plaintext password, add CLI secret exposure warning All fixes validated against official Microsoft ACA documentation. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…rences - Bump metadata.version 1.1.1 → 1.1.7 (main is 1.1.6) - Link day2-operations.md, networking.md, revisions.md from container-apps README Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Addresses Copilot review comment — rules need deterministic evaluation order. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
plugin/skills/azure-prepare/references/services/container-apps/revisions.md
Outdated
Show resolved
Hide resolved
plugin/skills/azure-prepare/references/services/container-apps/revisions.md
Outdated
Show resolved
Hide resolved
plugin/skills/azure-prepare/references/services/container-apps/day2-operations.md
Show resolved
Hide resolved
plugin/skills/azure-prepare/references/services/container-apps/day2-operations.md
Outdated
Show resolved
Hide resolved
plugin/skills/azure-prepare/references/services/container-apps/networking.md
Outdated
Show resolved
Hide resolved
- Blue/green: capture NEW_REV from update output instead of assuming list order - Canary: use actual revision names from revision list, not placeholders - Resume: use <previous-min>/<previous-max> instead of hard-coded values - Troubleshooting: fix env var guidance to focus on traffic routing - Networking: clarify VNet-injected caveat for internal microservice Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
plugin/skills/azure-prepare/references/services/container-apps/day2-operations.md
Outdated
Show resolved
Hide resolved
…/day2-operations.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Comment on lines
44
to
+49
| - [Scaling Patterns](scaling.md) | ||
| - [Health Probes](health-probes.md) | ||
| - [Environment Variables](environment.md) | ||
| - [Day-2 Operations](day2-operations.md) | ||
| - [Networking & Ingress](networking.md) | ||
| - [Revisions & Traffic Splitting](revisions.md) |
There was a problem hiding this comment.
The PR description states '3 files', but this PR also updates the Container Apps README to add links. Please update the PR description to reflect 4 files (or clarify that README was updated as an index change).
Comment on lines
+41
to
+49
| Container Apps run inside an environment that can be injected into a VNet subnet. | ||
|
|
||
| ### Subnet Requirements | ||
|
|
||
| | Requirement | Workload Profiles (default) | Consumption-only (legacy) | | ||
| |------------|---------------------------|--------------------------| | ||
| | Minimum subnet size | `/27` (32 addresses) | `/23` (512 addresses) | | ||
| | Delegation | `Microsoft.App/environments` | None (do not delegate) | | ||
| | Dedicated | Subnet must be exclusive to the Container Apps environment | Same | |
There was a problem hiding this comment.
The 'Delegation' guidance for 'Consumption-only (legacy)' is incorrect/misleading: VNet-injected Container Apps environments require subnet delegation to Microsoft.App/environments as well. Please correct the table entry (and any surrounding text) so readers don’t create an incompatible subnet configuration.
Suggested change
| Container Apps run inside an environment that can be injected into a VNet subnet. | |
| ### Subnet Requirements | |
| | Requirement | Workload Profiles (default) | Consumption-only (legacy) | | |
| |------------|---------------------------|--------------------------| | |
| | Minimum subnet size | `/27` (32 addresses) | `/23` (512 addresses) | | |
| | Delegation | `Microsoft.App/environments` | None (do not delegate) | | |
| | Dedicated | Subnet must be exclusive to the Container Apps environment | Same | | |
| Container Apps run inside an environment that can be injected into a VNet subnet. For VNet-injected environments, use a dedicated subnet that meets the requirements below. | |
| ### Subnet Requirements | |
| | Requirement | Workload Profiles (default) | Consumption-only (legacy) | | |
| |------------|---------------------------|--------------------------| | |
| | Minimum subnet size | `/27` (32 addresses) | `/23` (512 addresses) | | |
| | Delegation | `Microsoft.App/environments` | `Microsoft.App/environments` | | |
| | Dedicated | Subnet must be exclusive to the Container Apps environment | Subnet must be exclusive to the Container Apps environment | |
| |----------|----------------------|-------------------|--------| | ||
| | Public app | `false` | `true` | Internet + VNet | | ||
| | Internal microservice | `false` | `false` | Same environment; VNet if environment is VNet-injected | | ||
| | Fully private | `true` | `true` or `false` | VNet only (no public IP) | |
There was a problem hiding this comment.
The 'Fully private' row is ambiguous: in an internal: true environment there’s no public ingress endpoint, so ingress.external: true can be misconstrued as making the app internet-accessible. Please reword this row to explicitly state that external: true does not create a public endpoint in an internal environment (or recommend external: false for clarity).
Suggested change
| | Fully private | `true` | `true` or `false` | VNet only (no public IP) | | |
| | Fully private | `true` | `false` (recommended); `true` still remains VNet-only in an internal environment | VNet only (no public endpoint) | |
| } | ||
| ``` | ||
|
|
||
| > 💡 **Tip:** At deploy time only one revision exists. Use `latestRevision: true` in Bicep. Configure traffic splitting via CLI after deploying additional revisions. |
There was a problem hiding this comment.
The statement 'At deploy time only one revision exists' isn’t generally true beyond first creation (apps in Multiple mode can already have multiple active revisions). Consider rephrasing to the underlying constraint: Bicep/ARM templates typically can’t target specific revision names predictably, so use latestRevision: true during deployment and adjust traffic weights/labels after the new revision is created.
Suggested change
| > 💡 **Tip:** At deploy time only one revision exists. Use `latestRevision: true` in Bicep. Configure traffic splitting via CLI after deploying additional revisions. | |
| > 💡 **Tip:** In Bicep/ARM deployments, you typically can't predictably target a specific new revision name. Use `latestRevision: true` in Bicep, then configure traffic splitting or labels via CLI after the new revision is created. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #1611 | Parent: #1608
3 files: revisions.md (traffic splitting, rollback), day2-operations.md (restart, exec, log streaming), networking.md (VNet, ingress, custom domains).