Azure Container Apps: Fix Common Setup & Config Errors
Why This Is Happening
You've heard the pitch for Azure Container Apps: run containerized workloads without wrestling with Kubernetes clusters, node pools, or server provisioning. It sounds ideal. Then you actually try to deploy something and the container never starts, your app silently scales to zero and refuses to wake back up, or ingress just flat-out doesn't route traffic the way you expected. I've watched this exact scenario play out on teams ranging from solo developers to hundred-person engineering orgs , and the frustration is real.
Azure Container Apps is a serverless platform. That's both its strength and the source of most confusion. Because it abstracts away orchestration infrastructure, error messages tend to be vague. You won't get a Kubernetes pod describe output telling you ImagePullBackOff with a clear reason. Instead you get a revision stuck in "Provisioning" with no obvious next step. The platform is managing the container runtime for you, which is great , until something goes wrong and you can't see the levers you'd normally pull.
Most azure container apps deployment failures trace back to a handful of root causes. First: registry authentication. If your container image lives in Azure Container Registry (ACR) or Docker Hub with access controls, and the managed identity or credentials aren't wired up correctly, the environment simply can't pull your image. The container never starts, the revision fails, and the error message just says the deployment was unsuccessful, not why.
Second: ingress misconfiguration. Azure Container Apps lets you enable HTTPS or TCP ingress without managing load balancers or certificates yourself, which is genuinely useful. But if you set the wrong target port, forget to enable external ingress when you need public access, or mix up internal versus external traffic settings, your app will be unreachable. This is a common azure container apps networking problem that trips up even experienced cloud engineers.
Third: scaling rules. The platform can scale your app dynamically based on HTTP traffic, CPU load, memory load, or any KEDA-supported scaler. Applications that scale on CPU or memory cannot scale to zero, that's a hard platform rule. If you've set a minimum replica count of zero but your scaling trigger is CPU-based, you'll get a conflict that prevents the app from behaving as expected.
Fourth: environment variable and secret management. Secrets are stored directly in the container app and injected at runtime. If you reference a secret that doesn't exist yet, or you misconfigure the environment variable binding, your application will crash on startup in ways that look like app bugs but are actually platform configuration issues.
None of these problems are your fault, the azure container apps getting started experience doesn't make these failure modes obvious. That's what this guide is for. Browse all Microsoft fix guides →
The Quick Fix, Try This First
Before you go deep into logs and configuration files, run this diagnostic sequence. It takes about five minutes and resolves the majority of azure container apps issues I see in the wild.
Open the Azure portal and navigate to your Container App resource. Click Revision management in the left-hand menu. Find your latest revision and check its status. If it shows Failed or is stuck in Provisioning, click on the revision name itself to open the revision details panel.
Inside the revision detail, scroll down to Replicas. If there are zero replicas and the status is not "Running," click on any replica entry to open the replica log view. Switch to the System tab in the log panel, this is where Azure Container Apps writes its own diagnostic events, separate from your application logs. Look for entries referencing image pull failures, credential errors, or port binding conflicts. These are the three most common root causes and they're surfaced here before anywhere else.
If the revision shows as Active and replicas are running, but you can't reach the app externally, go to Ingress in the left menu. Confirm that:
- Ingress is Enabled
- Traffic is set to Accepting traffic from anywhere (for public apps)
- The Target port matches the port your container actually listens on
This target port mismatch is the single most common azure container apps ingress problem. Your container might be listening on port 3000, but the portal defaults to 80. One number off and every request times out.
If everything looks correct in the portal but the app still won't respond, run this in Azure CLI:
az containerapp logs show \
--name YOUR_APP_NAME \
--resource-group YOUR_RG \
--followThis streams live logs from your running container. If the app is crashing on startup due to a missing environment variable or a failed database connection, you'll see it immediately here.
Azure Container Apps can pull images from any registry, public or private, including Docker Hub and Azure Container Registry. But getting the authentication right is where most azure container apps first deployment failures happen.
If you're using Azure Container Registry, the cleanest approach is enabling the managed identity on your Container App and assigning it the AcrPull role on the registry. In the Azure portal, navigate to your Container App → Identity → enable System assigned managed identity. Then go to your ACR resource → Access control (IAM) → Add role assignment → select AcrPull → assign it to your container app's managed identity.
If you'd rather use admin credentials, you'll need to grab them from ACR and store them as a secret in your Container App. Go to your ACR → Access keys → enable Admin user. Copy the username and one of the passwords. Then in your Container App → Secrets, add two new secrets: one for the registry username, one for the password. Reference these when configuring your registry in the Container App settings.
For Docker Hub or other external registries with private images, navigate to your Container App → Containers → edit the container → under Image source, select Docker Hub or other registries → set Image type to Private → fill in the server URL, username, and password. The password field accepts a direct value or a reference to an existing secret (the secret reference format is secretref:YOUR_SECRET_NAME).
After saving, go to Revision management → Create new revision to force a fresh deployment that picks up the new credentials. Watch the replica status, if the image pull succeeds, you'll see replicas transition from Pending to Running within 60–90 seconds for most images.
If it still fails, run:
az containerapp revision show \
--name YOUR_APP_NAME \
--resource-group YOUR_RG \
--revision YOUR_REVISION_NAMELook for "provisioningState": "Failed" and a message field that will spell out the pull error verbatim.
One of the genuine advantages of Azure Container Apps is that it handles HTTPS termination and ingress without requiring you to manage certificates or load balancer rules yourself. But you have to configure it precisely, or traffic never reaches your container.
In the Azure portal, go to your Container App → Ingress in the left menu. You'll see these key settings:
- HTTP Ingress, toggle this on if your app serves HTTP/HTTPS traffic
- Ingress traffic, set to Accepting traffic from anywhere for public internet exposure, or Limited to Container Apps Environment for internal microservice communication only
- Target port, this must exactly match the port number your container process binds to
- Transport, choose HTTP/1, HTTP/2, or auto depending on your app's protocol
The target port is where things go wrong most often with azure container apps ingress not working. If your Node.js app does app.listen(3000), your target port must be 3000. If your ASP.NET app listens on 8080 (common in containers), set 8080. The platform doesn't inspect your container to figure this out, you have to tell it.
For TCP ingress (non-HTTP protocols), the setup is slightly different. You'll need to set Transport to TCP and specify the exposed port. This is useful for things like Redis, PostgreSQL proxies, or custom socket-based services.
Once ingress is configured, save the settings and your app gets an auto-generated FQDN in the format YOUR_APP_NAME.RANDOM_ID.REGION.azurecontainerapps.io. You'll find this URL on the Container App overview page under Application Url. Test it immediately with:
curl -I https://YOUR_APP_NAME.REGION.azurecontainerapps.io/healthA 200 response means ingress is working. A connection timeout means your target port is wrong. A 502 means the container is running but returning errors, check your application logs.
For internal service-to-service communication inside a Container Apps environment, you don't need external ingress at all. Azure Container Apps provides built-in DNS-based service discovery, so other apps in the same environment can reach your service at http://YOUR_APP_NAME directly.
Azure Container Apps scales dynamically based on a variety of signals: HTTP request volume, CPU load, memory pressure, or any KEDA-compatible event source like Azure Service Bus queue depth, Event Hub lag, or a custom metric. Understanding how these scaling dimensions interact prevents a whole category of azure container apps scaling problems.
Here's the rule that catches people off guard: apps that scale based on CPU or memory load cannot scale to zero. This is a platform constraint, not a bug. If you set your minimum replica count to 0 but your only scaling rule is CPU-based, the platform will reject or override your configuration. You need at least 1 minimum replica for CPU/memory-triggered scaling.
To view and edit scaling rules, go to your Container App → Scale and replicas in the left menu. Here you'll see:
- Min replicas, the floor. Set to 0 to allow scale-to-zero for HTTP/event-driven apps.
- Max replicas, the ceiling. Default is 10; increase this if you expect high concurrency bursts.
- Scale rules, the triggers that drive scaling decisions
For HTTP traffic scaling, click Add under scale rules → select HTTP scaling → set your concurrent requests threshold. A common starting point is 100 concurrent requests per replica, which tells the platform to spin up an additional replica for each additional 100 concurrent connections.
For KEDA-based scaling (Azure Service Bus, Storage Queue, Event Hubs, etc.), select Custom in the rule type dropdown. You'll need to provide the KEDA scaler name and metadata in JSON format. For example, for an Azure Storage Queue:
{
"type": "azure-queue",
"metadata": {
"queueName": "my-queue",
"queueLength": "5",
"accountName": "mystorageaccount"
},
"auth": [
{
"secretRef": "azure-storage-connection-string",
"triggerParameter": "connection"
}
]
}After saving new scaling rules, create a new revision to apply them. Monitor replica count over the next few minutes under Scale and replicas → Replicas to confirm the rules are firing as expected. If replicas aren't scaling up under load, check that your KEDA auth references point to valid secrets in the Container App.
Azure Container Apps gives you a built-in secret store that injects values into your container at runtime. No Key Vault required, though Key Vault integration is available if you want it. Getting this right means your app starts clean across every environment. Getting it wrong means startup crashes that look like application bugs but are actually missing configuration.
To add a secret, navigate to your Container App → Secrets in the left menu → Add. Give the secret a name (use lowercase with hyphens, like db-connection-string) and paste in the value. Secrets are stored encrypted and are not visible in plaintext after saving, even to admins in the portal.
Once a secret exists, you reference it in environment variables. Go to Containers → edit your container → scroll to Environment variables. Click Add. Set the Name to whatever your application expects (e.g., DATABASE_URL). For the Source, select Reference a secret and pick your secret from the dropdown. This binds the secret value to the environment variable at container startup.
A common azure container apps secrets error happens when developers add a new secret but forget to create a new revision. Secrets changes take effect only in new revisions, not in-place on the current running revision. After adding or changing secrets, always go to Revision management → Create new revision.
For environment-specific configuration (development vs. staging vs. production), the cleanest pattern is using separate Container Apps environments per stage. Each environment gets its own secrets with the appropriate values. This directly answers the question many developers have about managing settings between different deployment environments, the answer is separate environments, not complex naming conventions.
To verify your environment variables are being injected correctly, run a quick exec into the container:
az containerapp exec \
--name YOUR_APP_NAME \
--resource-group YOUR_RG \
--command "/bin/sh -c 'echo $DATABASE_URL'"If the variable is empty or missing, the secret reference isn't wired up properly. Double-check that the secret name in the binding exactly matches the secret name you created, these are case-sensitive.
One of the best features of Azure Container Apps is revision management. Every time you deploy a new container image or change configuration, the platform creates a new revision, a snapshot of that exact deployment state. If something breaks in production, you can switch traffic back to a previous revision in about 30 seconds. No redeployment required.
Go to your Container App → Revision management. You'll see a list of all revisions with their status, creation time, and traffic weight. Each revision shows how much of your incoming traffic is routed to it (as a percentage).
To roll back, find a previously working revision in the list. Click the three-dot menu next to it → Activate. Once it's active, set its traffic weight to 100% and set the broken revision's traffic weight to 0%. The platform routes all traffic to the working revision immediately, no downtime.
Azure Container Apps supports multiple active revisions simultaneously, which is what enables traffic splitting for blue/green deployments and A/B testing. You could run a new revision at 10% traffic weight, watch your error rate, and gradually shift to 100% if metrics look good. If something goes wrong, set it back to 0% without touching the stable revision at all.
To list all revisions via CLI:
az containerapp revision list \
--name YOUR_APP_NAME \
--resource-group YOUR_RG \
--output tableTo set traffic weights programmatically:
az containerapp ingress traffic set \
--name YOUR_APP_NAME \
--resource-group YOUR_RG \
--revision-weight \
STABLE_REVISION_NAME=100 \
BROKEN_REVISION_NAME=0After executing the rollback, immediately check Monitoring → Log stream to confirm the stable revision is receiving and handling requests correctly. You should see your application's normal startup log output and healthy request logs within 30–60 seconds of the traffic shift.
This revision system is one of the core answers to the question of how to reliably deploy your application, you never replace a working deployment, you add a new one alongside it and shift traffic only when you're confident.
Advanced Troubleshooting
When the standard fixes don't resolve your azure container apps issues, it's time to go deeper. Here are the scenarios that require more involved investigation.
Diagnosing with Azure Log Analytics
Every Container Apps environment is connected to an Azure Log Analytics workspace. This is where system-level events, console logs, and container crashes are stored long-term. To query them, go to your Container Apps Environment (not the individual app) → Logs in the left menu. This opens a Kusto query editor.
To see all crash events for a specific app in the last hour:
ContainerAppConsoleLogs_CL
| where ContainerAppName_s == "YOUR_APP_NAME"
| where TimeGenerated > ago(1h)
| where Log_s contains "error" or Log_s contains "exception"
| order by TimeGenerated descTo see system-level events (image pulls, scaling actions, replica failures):
ContainerAppSystemLogs_CL
| where ContainerAppName_s == "YOUR_APP_NAME"
| where TimeGenerated > ago(24h)
| order by TimeGenerated descThese queries are the difference between guessing and knowing. I've seen teams spend hours on a container app that wouldn't start, only to find a single line in Log Analytics saying the image digest had changed and the cached credentials were stale.
Networking and Virtual Network Issues
If your Container Apps environment was deployed into an existing virtual network (VNet), network security groups (NSGs) on that VNet can silently block traffic. Azure Container Apps requires specific ports to be open for the control plane to communicate with your containers. Microsoft's documentation specifies that environments using a custom VNet must allow outbound access to the Azure Container Apps infrastructure on ports 443 and 5671/5672 for AMQP.
Check your NSG rules: go to the VNet associated with your Container Apps environment → Subnets → find the Container Apps delegated subnet → click its associated NSG → review Outbound security rules. If you see overly restrictive deny rules, that's your problem. Add an allow rule for the required ports and retest.
Dapr Integration Errors
If you're running microservices with Dapr enabled on your container apps, sidecar failures are a distinct category of issue. When Dapr is enabled, a sidecar container runs alongside your app container in every replica. If the Dapr sidecar can't initialize, typically due to misconfigured component configuration or missing secrets, your main container may also fail to start or fail health checks.
Check Dapr sidecar logs by filtering Log Analytics queries on ContainerName_s == "daprd". Common errors include component not found, invalid credentials for a state store, or Pub/Sub topic subscription failures. These are all fixable at the Dapr component configuration level without touching your application code.
Job Failures
Azure Container Apps supports scheduled and event-driven jobs. If your jobs aren't executing, first check the job's execution history: navigate to your Container App Job → Execution history. Each execution entry shows its status and exit code. An exit code of 0 means success; any non-zero exit code means the job's container process returned an error. Check the logs for that specific execution to see what went wrong.
requestId values from portal error dialogs. Microsoft's Azure Container Apps engineering team responds to these and the resource IDs dramatically speed up their internal investigation.
Prevention & Best Practices
The best azure container apps troubleshooting session is the one you never have to do. Here are the practices that keep things running reliably from the start.
Always pin your image tags. Using myimage:latest in production is asking for trouble. When you push a new build, the latest tag moves, but your Container App revision still references the same tag string. Depending on your pull policy, you might get the old image, the new image, or inconsistent behavior across replicas. Use specific version tags or image digest references (myimage@sha256:abc123...) for every production revision. This makes your deployments fully reproducible and is one of the key answers to "how can I be confident that what works on my machine works in production."
Use separate Container Apps environments per stage. Development, staging, and production workloads should live in separate environments, ideally separate subscriptions or at minimum separate resource groups with separate Log Analytics workspaces. This gives you genuine isolation: a runaway dev workload doesn't affect production scaling budgets, and staging secrets never bleed into production.
Set health probes on every app. Azure Container Apps supports liveness, readiness, and startup probes. Configure at minimum a readiness probe pointing to a lightweight health endpoint in your app. This tells the platform when your container is actually ready to serve traffic, not just when the process has started. Without a readiness probe, the platform might route traffic to a container that's still warming up its connection pool or loading a large ML model.
Store all secrets in the Container Apps secret store, never in environment variables as plaintext. Even for non-sensitive configuration values, getting into the habit of using secrets means you'll never accidentally log a connection string or expose a key in a revision diff.
Set revision mode to Multiple for production. Single revision mode means every new deployment immediately replaces the old one. Multiple revision mode lets you control traffic splitting manually. For production workloads that serve real users, multiple revision mode is non-negotiable, it's your safety net for bad deployments.
- Pin container image tags to specific versions or SHA digests, never use
:latestin production revisions - Enable multiple-revision mode before your first production deployment so rollbacks are always available
- Configure a readiness probe on every container app to prevent traffic routing to unhealthy replicas
- Set up a Log Analytics alert rule on
ContainerAppSystemLogs_CLfor revision failure events so you're notified before users report problems
Frequently Asked Questions
What is Azure Container Apps and when should I use it instead of AKS?
Azure Container Apps is a serverless platform for running containerized applications where Microsoft manages the underlying cluster infrastructure, scaling, and security for you. Use it when you want to deploy containers quickly without managing Kubernetes, it's ideal for API endpoints, background processors, event-driven workloads, and microservices. Azure Kubernetes Service (AKS) makes more sense when you need direct Kubernetes API access, custom admission controllers, or very specific node pool configurations. For most teams shipping web services and background jobs, Container Apps gets you 90% of Kubernetes's value at 20% of the operational overhead.
How can I be confident that what works on my machine will work in Azure Container Apps?
The short answer: containers. When you package your application in a container image, the runtime environment, dependencies, OS libraries, language runtime version, travels with the code. Azure Container Apps runs that exact image, not a approximation of it. To maximize consistency, build your image in CI (not on your laptop) using a Dockerfile that matches your production base image, pin all dependency versions, and test the exact image artifact locally with docker run using the same environment variables you'll set in Container Apps. If it works locally with those env vars, it'll work in Azure.
How do I manage settings and configuration across development, staging, and production environments?
Use separate Container Apps environments, one per stage, with environment-specific secrets configured in each. Your container image stays identical across all stages; only the secrets and environment variables differ. In practice, your dev environment's DATABASE_URL secret points to a dev database, staging points to the staging database, and production to production. This way you never change the application code between environments, which means any behavior difference you see is a configuration issue you can track down, not a mystery. Pair this with environment-specific resource groups and you get clean cost tracking per stage too.
How do I reliably deploy my application to Azure Container Apps without downtime?
Set your Container App to Multiple revision mode and use traffic splitting during deployments. Deploy your new container image as a new revision with 0% traffic, run smoke tests against its direct revision URL, then gradually shift traffic from the old revision to the new one, 10%, 50%, 100%, while watching your error rates. If anything looks wrong, set the new revision back to 0% in seconds. This zero-downtime deployment pattern is built into the platform and costs nothing extra. It's far safer than the default approach of deploying and hoping.
Why does my Azure Container App scale to zero but never scale back up when traffic comes in?
This usually happens when there's no HTTP scaling rule configured, or when the scaling rule exists but the first incoming request times out before a replica has time to start. Azure Container Apps has a cold start latency when scaling from zero, typically 5–30 seconds depending on your image size and app startup time. HTTP clients with short timeouts will see errors during this window. To mitigate it: configure a startup probe so the platform knows when your container is ready, set your HTTP client timeouts generously (at least 60 seconds), and if cold starts are unacceptable for your use case, set a minimum replica count of 1 to keep at least one warm instance running at all times.
My Container App revision keeps failing provisioning, how do I find out why?
Go to your Container App → Revision management → click the failed revision name → scroll to Replicas → click any replica → open the System log tab. This tab shows platform-level events like image pull failures, port binding errors, and health probe timeouts, separate from your application's own log output. Alternatively, query Log Analytics with ContainerAppSystemLogs_CL | where ContainerAppName_s == "YOUR_APP_NAME" | order by TimeGenerated desc. The error message in those logs is almost always specific enough to tell you exactly what to fix, image credential expired, target port mismatch, or resource quota exceeded.